Email Firewall
Administrator’s Guide
Release 6.2
Trademarks
Tumbleweed®, is a registered trademark, and Integrated Messaging Exchange™, IME™, Messaging Management
System (MMS)™, Secure Inbox™, Secure Envelope™, Secure Redirect™, Secure Response™, IME Statements™,
IME Developer™, IME Messenger™, Tumbleweed Secure Mail™, Tumbleweed Dynamic Anti-spam Service™,
Tumbleweed Email Firewall™ (EMF™), Tumbleweed Message Protection Lab™, Tumbleweed Active Agents™,
Tumbleweed SecureTransport™, Tumbleweed Validation Authority™ and Tumbleweed Valicert Validation
Authority™ are trademarks of Tumbleweed Communications Corp.
Contents
Preface xxv
Chapter 1 Introduction 1
Queues .........................................................................................25
Policies ........................................................................................25
Policy Modules ............................................................................25
Directory .....................................................................................26
Logs and Reports .........................................................................26
Setup and Configuration .............................................................26
2.4.2 Assigning and Creating Admin Roles ...............................................27
2.4.3 Creating New Administrator Accounts .............................................29
2.4.4 Preferences ........................................................................................31
2.5 Setting Up Relays .........................................................................................32
2.5.1 Relay Settings Configuration ............................................................33
2.5.2 Global Relay Settings .......................................................................34
Stopping Inbound or Outbound Mail ..........................................34
Enabling and Disabling Preprocessing and Policy Engine .........35
2.5.3 Limit Settings ....................................................................................36
Maximum Connections and Delay Settings ................................36
Network Connections and Replication Environments ................37
Message Size and Recipient Limits ............................................37
2.5.4 Identity Settings ................................................................................38
Setting the SMTP Port ................................................................38
Specifying the Relay Host Name ................................................39
Specifying the SMTP Greeting and Postmaster Information ......39
Hiding Email Firewall Version Number in Message Headers ....40
Local MX Hosts Configuration ...................................................41
2.5.5 Specifying the DNS Servers .............................................................41
2.5.6 Specifying DNSBL Settings .............................................................42
2.5.7 Exceptions to Mail Delivery .............................................................43
Specifying Illegal Characters in Email Address Formats ...........43
Dropping Mailbox-Only Recipients ............................................44
Deleting Bounced Notifications ..................................................44
2.5.8 Miscellaneous Relay Settings ...........................................................45
Delivery Status Notifications ......................................................46
Alternate Lookups .......................................................................46
Load Balancing by Randomizing Order of MX Hosts ................47
Received Headers Content ..........................................................47
SMTP Relay Delay and Non-Delivery Notifications Sent .........48
2.5.9 Network Connections Concepts ........................................................49
Understanding Internal vs. External Networks ...........................50
Rejecting Connections From Malicious Clients .........................50
2.5.10 Domain-Based Authentication Protocols ..........................................51
Sender Policy Framework ...........................................................52
Microsoft’s Caller ID ..................................................................53
2.5.11 Setting Up Network Connections .....................................................54
Editing Network Connections .....................................................57
2.5.12 Mail Routing Rules Overview ..........................................................57
Servers, Routing Rules and TLS ................................................. 58
Configuring Email Firewall To Prevent Open Relaying ............ 59
2.5.13 Setting Up Mail Routing Rules ......................................................... 60
Setting Up Exact Matching for a Domain ................................... 65
Best Match Algorithm and Wildcards ........................................ 66
Editing Routing Rules ................................................................. 66
2.5.14 Address Rewriting Concepts ............................................................ 67
Address Rewriting Rules ............................................................ 68
Match Specifiers ......................................................................... 68
Rewrite Actions ........................................................................... 69
Matching and Substitution Examples ......................................... 70
A Complete Example .................................................................. 70
2.5.15 Setting Up Address Rewriting .......................................................... 71
Creating Custom Address Rewriting Rules ................................ 74
2.5.16 Testing Address Rewriting ............................................................... 75
2.5.17 SMTP Relay and Message Retry Configuration .............................. 76
2.5.18 Troubleshooting the SMTP Relay Service ....................................... 76
SMTP Relay Service Not Accepting Messages .......................... 76
Email Firewall Relay Not Identifying Itself Properly ................. 77
Troubleshooting Outbound Message Backlogs .......................... 78
Troubleshooting TLS .................................................................. 80
2.6 Setting Up Anti-virus and Anti-spam ........................................................... 80
2.6.1 Setting Up Anti-virus and Anti-spam Downloads ............................ 82
Virus Scanning Heuristics ........................................................... 84
2.6.2 Setting Up Dynamic Anti-spam Service Settings ............................. 84
Adding Spam Categories to Scanned Messages ......................... 85
Do Not Scan Messages Received From Internal Networks ........ 86
Do Not Scan Messages Larger Than 200 KB In Size ................. 86
2.7 Setting Up Global Policy Settings ................................................................ 87
2.7.1 Setting Up Peak Time for Policy Actions ......................................... 87
2.7.2 Setting Up Archive for Policy Actions ............................................. 88
Archiving Options for Virus-Infected Messages ........................ 90
2.7.3 Setting Up Other Global Policy Options .......................................... 91
Scanning Bytes of Non-Text Attachments .................................. 93
Limitations in Scanning Non-Text Attachments ........................ 93
Marking Text Parts That Use Unsupported Character Sets ........ 94
Marking Messages With Invalid MIME Structure or Illegal Character Encoding as Decomposition Failures ............................ 94
Isolating BCC recipients on Separate Copies of the Message .... 95
Quarantining Messages That Grow to Excessive Size ................ 96
Quarantining Deeply Nested MIME Messages .......................... 96
2.7.4 Setting Up Policy-based Routing ...................................................... 97
Avoiding Infinite Message Looping ........................................... 99
2.8 Setting Up Event Logging .......................................................................... 100
2.8.1 Setting Up Event Logging .............................................................. 101
2.8.2 Setting Up Centralized Event Logging and Reporting ...................101
Prerequisites to Enabling Centralized Event Logging and Reporting for Email Firewall Systems in a Domain .....................................101
Prerequisites to Enabling Centralized Event Logging and Reporting for Email Firewall Systems in Workgroups .................................102
Enabling and Setting Up Centralized Event Logging and Reporting ...............................................................103
2.9 Other Setup Tasks .......................................................................................105
2.9.1 Setting Up Message Queues ...........................................................105
What is the Personal Quarantine Manager? ..............................106
2.9.2 Setting Up Reporting ......................................................................106
2.9.3 Setting Up Policies ..........................................................................106
2.9.4 Setting Up the Directory .................................................................107
2.9.5 Setting Up Security .........................................................................107
2.9.6 What is the Dynamic Anti-spam Service? ......................................107
2.9.7 What is Secure Redirect? ................................................................108
2.9.8 What is Secure Messenger? ............................................................108
2.9.9 Setting Up Proxy Servers ................................................................109
Setting up HTTP Proxy Server .................................................111
Setting up FTP Proxy Server .....................................................111
3.5.2 Additional Queue Management Tips .............................................. 134
Use Bulk Actions on Messages ................................................. 134
Use Quarantine Queue Threshold Actions ................................ 135
Use Quarantine Queue Aging ................................................... 135
Create Quarantine Queue Custom Queues ................................ 135
3.5.3 Checking the Quarantine Queue for Inbound Messages ................ 135
3.5.4 Stopping Inbound Message Acceptance ......................................... 136
3.5.5 Getting Rid of Undeliverable Bounced Messages .......................... 137
3.6 Troubleshooting Inbound and Outbound Queues ...................................... 138
Stopping the SMTP Relay From Accepting More Messages ... 138
3.6.1 Troubleshooting Inbound Queue Backups -- Full File Groups ...... 139
3.6.2 Troubleshooting Outbound Queue Backups ................................... 141
3.7 Using Personal Quarantine Manager .......................................................... 142
3.7.1 Personal Quarantine Manager Server ............................................. 143
3.7.2 Quarantine Summary Notification Messages ................................. 144
QSNs and Quarantine Queue Aging ......................................... 144
User Requests for Access to Quarantined Messages ................ 145
Identifying QSN Message Headers ........................................... 145
PQM Server Responses ............................................................. 146
3.7.3 Setting Up PQM Server Settings .................................................... 147
Testing the PQM Server ............................................................ 148
3.7.4 Specifying User Domains To Receive QSNs ................................. 149
Editing and Removing User Domains ...................................... 150
3.7.5 Setting Up the QSN Format and Schedule ..................................... 151
Enabling QSN On-demand Access and White-listing .............. 154
Turning Off QSN Deliveries ..................................................... 155
QSN Format Issues with Outlook Express 6 on Windows 2003 ............................................................. 156
3.7.6 Setting Up QSN Access Restrictions .............................................. 156
Tags and Outbound Security Policies ....................................... 157
Procedures for Setting Up QSN Tags ....................................... 158
Editing and Deleting QSN Access Tags ................................... 160
3.8 PQM Reports Sent to Users ....................................................................... 161
3.8.1 HTML Format QSN Blocked Messages Reports ........................... 161
3.8.2 Text Format QSN Blocked Messages Reports ............................... 165
3.8.3 User Requests for QSNs “On-Demand” ......................................... 166
3.8.4 User Requests for “White List” ...................................................... 168
3.8.5 Bookmarking the QSN Update URL .............................................. 168
3.8.6 PQM and Message Security Concerns ........................................... 169
Sending QSNs in the Clear ....................................................... 169
Message Contents Not Displayed ............................................. 170
3.9 Using Policies with PQM ........................................................................... 171
3.9.1 Policies to Prevent QSNs from Being Sent to Specific Users ........ 173
3.9.2 QSNs for Recipients with Multiple Aliases .................................... 174
3.10 Personal Quarantine Manager Maintenance .............................................. 175
3.10.1 Changing the PQM Server Account Password ...............................175
3.10.2 PQM Tables that Must Not be Replicated ......................................175
3.10.3 PQM and IIS Server Configuration Issues ......................................176
Authentication Methods ............................................................176
PQM Server Anonymous Account ............................................177
Application Protection ..............................................................177
Secure HTTP Access .................................................................178
PQM Server Logging ................................................................179
Diagnosing Authentication Problems .......................................179
3.11 Troubleshooting the PQM ..........................................................................181
3.11.1 PQM Notification Service “Not Running” or Not Shown ..............181
3.11.2 Localization Issues and PQM Message Display .............................182
3.11.3 Duplicate Notifications from Notification Service .........................182
3.11.4 Personal Quarantine Manager FAQs ..............................................183
5.1.2 Example .......................................................................................... 205
Name ......................................................................................... 206
Catch Conditions ....................................................................... 206
Exclude Conditions ................................................................... 207
Actions ...................................................................................... 208
Backup Actions ......................................................................... 209
Summary ................................................................................... 209
5.2 Policy Categories and Types ...................................................................... 210
5.2.1 Basic Mail Filtering Policy Types .................................................. 211
Random Selection ..................................................................... 213
5.2.2 Attachments Policy Types .............................................................. 215
File Attachment Stripping ......................................................... 215
Convert UUencoded Attachments to MIME Format ................ 216
5.2.3 LDAP Policy Types ........................................................................ 216
5.2.4 Virus Policy Types ......................................................................... 217
Infected Message ....................................................................... 217
Clean Stamp Uninfected Messages ........................................... 217
5.2.5 Security Policy Types ..................................................................... 217
5.2.6 SPN Policy Types ........................................................................... 218
5.2.7 Headers Type Policies .................................................................... 218
Remove MIME Headers ........................................................... 219
Remove Hostnames and Subdomains From MIME Headers ... 219
Normalize Email Addresses in MIME Headers ........................ 219
Message Header Fields ............................................................. 219
5.3 Email Firewall Directory ........................................................................... 220
5.3.1 Directory Objects ............................................................................ 220
Folders ....................................................................................... 221
Domain Records ........................................................................ 221
Default Domain Record ............................................................ 221
User Records ............................................................................. 222
5.3.2 Default Directory Structure ............................................................ 222
All Folder .................................................................................. 223
External Folder .......................................................................... 223
Internal Folder ........................................................................... 224
5.3.3 Viewing Policies Applied to Directory Objects ............................. 224
5.3.4 Adding New Directory Objects ...................................................... 224
Adding Folders .......................................................................... 225
Adding Domain Records ........................................................... 227
Adding User Records ................................................................ 228
5.3.5 How Policies and User Records Work Together ............................ 231
5.3.6 Using LDAP Import ....................................................................... 232
5.4 How Email Firewall Applies Policies ........................................................ 233
5.4.1 Hierarchy of Message Actions ........................................................ 233
Non-hierarchical Policy Actions ............................................... 235
Timing and Ordering of Policy Action Application ................. 235
5.4.2 How Severity of Action Affects Policy Enforcement .....................235
5.4.3 Understanding Policy Inheritance and Overrides ...........................237
5.4.4 Policy Inheritance Example ............................................................237
5.4.5 Policy Override Example ................................................................238
5.4.6 Preventing Policy Overrides ...........................................................238
5.5 General Policy Planning Considerations ....................................................240
5.5.1 Inheritance Is From Parent Folders Only ........................................240
5.5.2 When to Use Sender Policies ..........................................................240
5.5.3 When to Use Recipient Policies ......................................................241
5.5.4 Where To Apply Anti-spam Policies ..............................................241
Using a Recipient Policy for Spam Example ............................243
5.5.5 Use Directory Folder Policies Whenever Possible .........................243
5.6 Default Policies and Folders .......................................................................245
5.6.1 General Rules About Policy Application ........................................245
5.6.2 Policies Applied to the All Folder ..................................................246
Decompression Errors ...............................................................246
Decomposition Errors ..............................................................246
Partial Message Block ...............................................................247
Virus Hoax Block ......................................................................247
5.6.3 Additional Policies Applied to the External Folder ........................248
Outbound Size Deferral .............................................................248
5.6.4 Additional Policies Applied to the Internal Folder .........................248
EXE Blocking ...........................................................................250
Inbound Size Deferral ...............................................................250
Infected Message (Recipient) ....................................................250
Infected Message (Sender) ........................................................250
Long Filename Quarantine ........................................................251
Multimedia Attachments Deferral .............................................251
Outbound Message Archival .....................................................251
Résumé Block ...........................................................................251
Sensitive Info Review ...............................................................252
5.6.5 HIPAA Compliance Policy .............................................................252
5.6.6 Dynamic Anti-spam Service Policies .............................................252
Spam - DAS: Adult ...................................................................252
Spam - DAS: High Confidence .................................................253
Spam - DAS: Moderate Confidence .........................................253
5.7 Policy Building Tools .................................................................................253
Chapter 6 Creating and Editing Policies 255
6.4 Notifications ...............................................................................................287
6.4.1 Global Notification Settings ...........................................................288
Notification Routing ..................................................................289
Default Global Notification Settings .........................................289
6.4.2 Creating a New Notification for a Policy Action ............................290
Avoiding Duplicate Notifications .............................................292
Dropped or Returned Message Notification Option .................293
Virus in Message Notification Option ......................................293
6.5 Using Events as Policy Actions ..................................................................295
6.6 Creating Policies .........................................................................................296
6.6.1 Viewing the Default Policies ..........................................................296
Editing Default Policies to Scan HTML Tags ..........................296
6.6.2 Creating a New Policy Example .....................................................298
6.7 Applying the Policy to a Directory Object .................................................301
6.7.1 Adding Policies to Directory Objects .............................................302
6.8 Using Virus- and File-Stripping Policies ...................................................303
6.8.1 How Virus-Stripping Policies Work ...............................................303
6.8.2 How File-Stripping Policies Work ..................................................304
6.9 Policy Protection Against New Viruses .....................................................305
6.9.1 Defining Content-Based Policies for Viruses .................................305
Creating the New Policy ...........................................................305
Applying the New Policy to the Directory ................................308
Testing the New Policy .............................................................309
6.9.2 Using Policies to Detect HTML Mobile Code ...............................310
Catching Script Tags .................................................................310
6.9.3 Troubleshooting Virus Protection ...................................................311
Common Ways Email Firewall is Misconfigured .....................311
Other Channels for Virus Infiltration ........................................312
6.10 Using Headers Type Policies ......................................................................313
6.11 Using DAS Message Properties .................................................................315
6.11.1 Default Dynamic Anti-spam Service Policies ................................315
6.11.2 What a DAS Policy Should Look For .............................................316
DAS Message Properties Added ...............................................317
DAS Message X-headers Added ...............................................317
Acting on Spam Messages ........................................................318
6.11.3 Using the Broadcast Content Rating in Policies .............................319
6.11.4 Applying the Anti-spam Policy to the Directory ............................319
6.11.5 Testing the Anti-spam Policy ..........................................................320
Special Test Keywords for Testing an Anti-spam Policy .........321
6.11.6 Creating a Broadcast Exception Policy ...........................................321
6.12 Troubleshooting Policy Enforcement .........................................................324
6.12.1 Policy Configuration Errors ............................................................324
Policy Applied to Wrong Folder ...............................................324
Policy Enabled at Wrong Directory Level ................................324
Policy Disabled .........................................................................324
Conditions Not Configured Properly ........................................ 324
Directory Object Has Not Inherited a Policy ............................ 324
Exclude Conditions Not Configured Properly .......................... 325
Two Similar Policies Specify Different Actions ....................... 325
Policy Should Be Recipient (or Sender) ................................... 325
Address List Uses Non-Word Characters ................................. 325
Annotations Not Skipped .......................................................... 325
Signed Messages Not Being Caught ......................................... 326
6.12.2 Other Problems ............................................................................... 326
Virus Pattern File Needs to Be Updated ................................... 326
Virus Scan Engine Needs to Be Updated .................................. 326
SMTP Relay Service Is Stopped ............................................... 326
Policy Enforcement Not Enabled .............................................. 326
List Not Configured Correctly .................................................. 327
Notification Address Is Incorrect .............................................. 327
Queue Backups ......................................................................... 327
7.6 Dynamic Anti-spam Service Administration .............................................343
7.6.1 Spam Analysis Engine Maintenance ..............................................344
7.6.2 SMTP Relay Routing Option Behavior ..........................................344
7.6.3 Enabling and Disabling the Service ................................................344
Moving All Messages Out of the Spam Analysis Queue ..........345
7.6.4 Enabling DAS X-headers ................................................................345
Spam Filter Version Identifier ..................................................345
7.6.5 Removing Internal Mail From Engine Processing ..........................346
7.6.6 Adding Large Messages to Engine Processing ...............................346
7.6.7 License Changes And License Events ............................................347
7.6.8 Error Handling in the Spam Analysis Engine .................................347
7.6.9 Performance Counters .....................................................................348
Preliminary Steps Required for Log Mode ...............................349
Setting Up a Spam Analysis Engine Counter ...........................349
Starting a Spam Analysis Engine Counter ................................350
Stopping a Spam Analysis Engine Counter ..............................350
7.6.10 Spam Analysis Engine Event Log Events ......................................351
7.7 Dynamic Anti-spam Filter Downloads .......................................................351
7.7.1 Downloading Filter Data From the FTP Server ..............................351
7.7.2 Updating the Email Firewall Database Tables ................................352
7.8 Download Service Maintenance .................................................................353
7.8.1 Manually Checking for Updates .....................................................353
7.8.2 Rolling Back To An Earlier Filter Data Version ............................353
7.8.3 Removing A Corrupted Filter Version ..........................................353
7.8.4 Increasing MMSConfigData Filegroup Size ..................................354
7.8.5 Troubleshooting Updates ................................................................354
7.9 The Tumbleweed Message Protection Lab ................................................355
7.9.1 Message Protection Lab Tools ........................................................356
7.9.2 Submitting Examples To the Lab ...................................................356
How To Forward Unmarked Spam ...........................................357
Microsoft Outlook and Netscape Users ....................................357
Automating Spam Submittal For Your Users ...........................357
Submitting False Positives ........................................................359
Submitting False Positives Using Email Firewall Web Admin 359
7.10 The Anti-spam Toolbox .............................................................................360
Chapter 8 Email Encryption and Authentication Overview 363
8.7 The Sender Signature Policy Type .............................................................391
8.7.1 Background .....................................................................................391
8.7.2 Conceptual Overview ......................................................................392
8.7.3 Email Firewall Signing Certificate Validation ...............................393
8.8 Understanding Certificate Harvesting ........................................................394
8.8.1 S/MIME Certificate Harvesting ......................................................394
8.8.2 OpenPGP Key Harvesting ..............................................................394
8.9 Understanding Certificate and PGP Key Responders ................................395
8.9.1 Certificate Responder and Server Certificates ................................395
8.9.2 Certificate Responder and Proxy Certificates .................................396
8.9.3 Understanding PGP Key Responder ...............................................396
8.10 Third-Party Certificates and Email Firewall ..............................................397
8.10.1 Supported Third-Party Server S/MIME Certificates ......................398
8.10.2 Third Party TLS Certificate Requirements .....................................399
8.10.3 SMG Mode Certificates ..................................................................400
8.11 Third Party PGP Keys and Email Firewall .................................................400
8.12 Understanding Certificate Rollovers ..........................................................401
8.12.1 Server Certificate Expiration and Proxy Security ...........................402
8.12.2 Certificate Rollover Coordination Required ...................................403
8.12.3 Certificate Rollover Preparation Checklist .....................................404
8.12.4 Certificate Rollover Process Concepts ............................................404
Generate or Import the New Certificate ....................................404
Distribute The New Certificate .................................................405
Associate the New Certificate with the Local Secure Domain .405
Complete the Rollover ..............................................................406
Certificate Rollover Completion Wrap-Up and Consequences 407
8.12.5 Proxy PGP Key Rollover ................................................................407
8.13 The PGP Trust Model .................................................................................408
8.14 Trust and Interoperability of S/MIME Certificates ....................................408
8.14.1 Understanding Key Size Issues .......................................................409
8.14.2 Understanding Root Key Purposes .................................................411
8.14.3 Understanding S/MIME Interoperability Issues .............................412
Trusting a Certificate .................................................................412
Trusting Self-Signed Certificates ..............................................412
Associating an Email Address with a Certificate ......................413
Associating Self-Signed Certificates .........................................413
Understanding Server or Role Certificates in Email Firewall ..413
Understanding Proxy Certificates in Email Firewall ................414
8.14.4 Email Firewall S/MIME Certificate Verification ...........................416
8.14.5 Establishing Trust Relationships .....................................................416
8.14.6 Certificate Authorities .....................................................................417
8.14.7 Certificate Revocation Lists ............................................................419
Obtaining CRLs ........................................................................419
Scheduling CRL Downloads .....................................................420
8.14.8 Email Firewall and CRL Distribution Points .................................. 420
8.14.9 Email Firewall and CRL Processing Precedence ........................... 421
8.15 Frequently Asked Questions ...................................................................... 422
8.16 Commonly Used Security Terms ............................................................... 424
Certificate .................................................................................. 424
Certificate Authority ................................................................. 424
Certification Practice Statement ................................................ 424
Certificate Revocation List (CRL) ............................................ 424
CRL Distribution Point ............................................................. 424
Chain Trust, or Trust According to Certificate Status .............. 425
Decryption ................................................................................. 425
Digital Signature ....................................................................... 425
Encryption ................................................................................. 425
Fingerprint ................................................................................. 425
Key ............................................................................................ 425
OpenPGP ................................................................................... 425
Private Key ................................................................................ 426
Public Key ................................................................................. 426
S/MIME .................................................................................... 426
SMG .......................................................................................... 426
SPN ........................................................................................... 426
TLS ........................................................................................... 427
9.2.6 Obtaining Certificate Authority Root Certificates ..........................440
Obtaining Entrust Root Certificates ..........................................441
Obtaining Verisign Root Certificates ........................................441
9.3 Setting Up PGP Keys .................................................................................442
9.3.1 Generating a PGP Proxy Domain Key ............................................443
9.3.2 Enabling Email Firewall PGP Key Responder ...............................444
What an External User Must Do to Invoke PGP Key Responder ..................444
9.3.3 Importing PGP Keys Into Email Firewall .......................................445
9.4 Setting Up Certificates for TLS ..................................................................445
9.4.1 Creating a TLS Message Exchange Policy .....................................448
9.5 Setting Up for Sender Signature Policies ...................................................451
9.5.1 Administrator Actions Required .....................................................451
9.5.2 Expected Signing Behaviors ...........................................................454
9.5.3 Troubleshooting Sender Signature Policies ....................................456
9.6 Setting Up a Secure Public Network ..........................................................458
9.6.1 Defining and Associating Local Secure Domains ..........................458
Editing a Local Secure Domain ................................................460
9.6.2 Enabling SPN Links ........................................................................461
Requesting an SPN Link From External Email Firewall Servers ...................461
9.6.3 Setting Up Email Firewall to Respond to SPN Links .....................463
Checking For and Accepting SPN Links ..................................465
9.6.4 Verifying the SPN and Security for the Domain ............................466
9.6.5 Creating a Policy to Check for Successful SPN .............................467
9.7 Setting Up for SMG Mode .........................................................................471
9.7.1 Set Up Differences in SMG Mode ..................................................471
9.8 Setting Up S/MIME Proxy Security ...........................................................474
9.8.1 Configuring S/MIME Proxy Security Checklist .............................474
9.8.2 Configuring S/MIME Proxy Security Example ..............................476
9.8.3 Generating a Key Pair and Certificate ............................................476
9.8.4 Configuring Email Firewall to Use the New Certificate ................477
9.8.5 Exporting and Publishing the Root Certificate ...............................478
9.8.6 Enabling S/MIME Proxy Certificate Usage and Responder ...........479
9.8.7 Creating the S/MIME Proxy Security Policies ...............................480
Creating a Client Encryption and Signature Policy ..................480
Creating a Detect Cert-query Policy for the External Folder ....482
Creating a Proxy Decrypt and Verify Policy ............................484
Creating a Proxy Encrypt and/or Sign Policy ...........................485
9.8.8 Enabling Automatic Certificate Association ..................................490
Setting Root Key Purposes ........................................................492
9.8.9 Creating the User Records ..............................................................494
9.8.10 Exchanging and Verifying Certificates ...........................................495
9.8.11 Completing the Association ............................................................496
9.8.12 Dynamic Lookups in S/MIME Proxy Security ...............................496
9.9 Rolling Over S/MIME Certificates ............................................................ 497
9.9.1 Rolling Over a Certificate ............................................................... 497
Generating or Importing The New Certificate .......................... 497
Distributing The New Certificate .............................................. 498
Associating The Server Certificate With the Local Domain .... 499
Enabling Proxy Partners To Obtain The Proxy Certificates ..... 499
Completing the Certificate Rollover ......................................... 500
9.10 Downloading Certificate Revocation Lists ................................................ 500
9.10.1 Specifying CRL Source and Download Schedule .......................... 501
9.10.2 Specifying the HTTP Proxy Server for Downloads ....................... 502
9.10.3 Manually Invoking CRL Downloads .............................................. 502
9.11 Specifying the CRL DP LDAP Lookup ..................................................... 503
9.12 Setting Up OpenPGP Proxy Security ........................................................ 504
9.12.1 Configuring OpenPGP Proxy Security Checklist ........................... 504
9.12.2 Configuring OpenPGP Proxy Security Example ............................ 506
9.12.3 Generating an Internal PGP Key (Local Key) ................................ 506
9.12.4 Configuring Email Firewall to Use the New PGP Key .................. 507
9.12.5 Creating the OpenPGP Proxy Security Policies ............................. 507
Create a Policy to Detect PGP Keys Sent to EMF Server ........ 508
Creating a Proxy Decrypt and Verify Policy ............................ 509
Creating a Proxy Encrypt and/or Sign Policy ........................... 511
9.12.6 Creating the User Records .............................................................. 516
9.12.7 Exchanging and Verifying PGP Keys ............................................ 517
9.12.8 Completing the Association ............................................................ 518
9.12.9 Putting It All Together .................................................................... 518
9.13 Rolling Over OpenPGP Proxy Domain Keys ............................................ 519
9.13.1 Rolling Over a PGP Key ................................................................. 519
Generating the New PGP Key .................................................. 519
Distributing the New PGP Key ................................................. 520
Associating the Server PGP Key With the Local Domain ........ 520
Enabling Proxy Partners To Obtain The Proxy PGP Key ........ 520
9.14 Setting Up S/MIME and OpenPGP Client-to-Client Security ........................ 521
9.14.1 Creating Plaintext Access Policies ................................................. 521
9.14.2 Creating Allow Security Stripping Policies .................................... 524
9.14.3 Creating an Unencrypted Message Filter Policy ............................ 525
Sender-Based Unencrypted Message Filter Solution ................ 527
9.14.4 Creating a Client Encryption and Signature Policy ........................ 528
Chapter 10 Administrative Tools 531
10.8 Using the EMFDebugLogCapture Tool ..................................................... 590
10.9 Using EMFSave ......................................................................................... 592
10.9.1 EMFSave and Administration Data ................................................ 592
10.9.2 EMFSave and Replication .............................................................. 593
10.9.3 Starting EMFSave ........................................................................... 593
10.9.4 Restoring EMFSave Files ............................................................... 599
Missing Data and Restore Errors .............................................. 601
10.9.5 Using EMFSave in a Cluster Environment .................................... 601
10.10 Using the Email Firewall Update Service .................................................. 602
10.11 Using the Configuration Editor .................................................................. 609
11.4.5 Message Volume for Specific Sender .............................................628
11.4.6 Policy Violation for Specific Sender ..............................................628
11.4.7 Virus Detected for Specific Sender .................................................628
11.5 Audit Reports ..............................................................................................629
11.5.1 Directory and Policy Audit .............................................................629
11.5.2 Directory Audit ...............................................................................629
11.5.3 Policy Audit ....................................................................................629
11.5.4 Directory and Policy Audit for a Single User .................................629
11.5.5 Directory Audit for a Single User ...................................................630
11.5.6 Policy Audit for a Single User ........................................................630
11.6 Customizing Email Firewall Reports .........................................................630
11.6.1 Customizing Volume Reports .........................................................631
11.6.2 Customizing Frequency Reports .....................................................632
11.6.3 Customizing User Reports ..............................................................633
11.6.4 Customizing Audit Reports .............................................................634
11.7 Printing and Saving Reports .......................................................................635
11.7.1 Printing Reports ..............................................................................635
11.7.2 Saving Reports ................................................................................636
A.3.3 AutoCAD ........................................................................................ 651
A.3.4 Corel Draw ...................................................................................... 651
A.3.5 Help Files ........................................................................................ 651
A.3.6 Lotus 123 ........................................................................................ 652
A.3.7 Microsoft Excel .............................................................................. 652
A.3.8 Microsoft PowerPoint ..................................................................... 652
A.3.9 Microsoft PowerPoint with Macros ................................................ 652
A.3.10 Microsoft Word .............................................................................. 652
A.3.11 Paradox ........................................................................................... 653
A.3.12 Quattro/Quattro Pro ........................................................................ 653
A.3.13 Windows Bitmap (BMP) ................................................................ 653
A.3.14 WordPerfect .................................................................................... 653
A.4 File Types Recognized ............................................................................... 655
A.5 File Types Scanned .................................................................................... 659
A.5.1 Word Processing Formats ............................................................... 659
Adobe Portable Document Format (PDF) ................................ 660
A.5.2 Picture Formats ............................................................................... 660
A.5.3 Presentation Formats ...................................................................... 661
A.5.4 Spreadsheet Formats ....................................................................... 661
A.5.5 Multimedia Formats ........................................................................ 661
A.5.6 Compression Formats ..................................................................... 662
B.4.2 Notifications ....................................................................................672
B.4.3 Events ..............................................................................................672
B.4.4 Subject Alteration ...........................................................................673
B.4.5 MIME Header Field Policies ..........................................................673
B.5 International Text Usage ............................................................................674
Japanese Character Issues .........................................................675
B.6 Message Body and Attachments ................................................................677
B.7 Message Subject .........................................................................................678
B.8 ISO Tables ..................................................................................................679
Preface
Conventions Used in this Guide
The following type and style conventions are used in this guide.
Convention          Meaning
1., 2., 3., ...     Bold blue numbers indicate steps in a procedure.
Contact Information and Support
The following modes of contact can be used for Tumbleweed Global Support
assistance.
For General Information
The following modes of contact can be used for general information.
World Wide Web      Visit the Tumbleweed Web site for general information and current issues:
                    http://www.tumbleweed.com
1 Introduction
1.1 Intended Audience
This guide is intended for the people who design, plan, and administer email
messaging solutions. It outlines the capabilities of Tumbleweed Email Firewall,
describes how it works, and provides instructions for deployment and effective
use in today’s business organizations. This guide assumes a working familiarity
with messaging systems, networking concepts, and server administration.
This guide describes what the Tumbleweed Email Firewall is and how to use its
features. Included are discussions of email security options, descriptions of the
default policies and what they do, and examples designed to help you to
understand how to create, apply, and test your own policies.
This guide also provides instructions for customizing Email Firewall policies
specifically for your organization, and provides examples of such policies at
work. Also included are instructions on maintenance administration,
troubleshooting, and an overview of the Email Firewall reporting features.
1.2 Overview of Email Firewall 6.2
Organizations use Tumbleweed Email Firewall for a variety of reasons. You can
use Email Firewall to:
• exchange secure email
• protect against threats introduced by viruses and executable files
• quarantine suspicious email
• reduce or eliminate spam and hoax traffic
• prevent leakage of sensitive and confidential information
• establish conformance to corporate policy
• defer large messages to off-peak hours
• redirect messages to secure Tumbleweed Secure Messenger or IME servers
• archive messages for a detailed audit trail of email communication
The administrative functions of Tumbleweed Email Firewall support
deployment and management of Email Firewall in large enterprises. The
browser-based Web Admin component provides centralized administration of
all of the Email Firewall components. Web Admin provides fully functional
remote administration, authentication of administrators, and auditing of
administrators’ actions. Administrator accounts are role-based to provide
multiple levels of administration with granular access to sensitive controls or
data. Secure access by multiple remote administrators with only the access
privileges specifically granted provides a highly flexible overall enterprise
security solution.
The modular, Microsoft SQL Server-based architecture allows Email Firewall
to be deployed across multiple machines and in multiple remote locations. The
SQL Server database management system enables enhanced throughput and
centralized management of all Email Firewall data resources. Email Firewall
configuration data, policies, certificates, directory information, event log data,
and message meta-data are stored on a central SQL Server database server using
its relational database.
Complete directory support allows policies to be applied globally, to groups, or
to individual users. Information stored in LDAP-compliant directories can be
easily imported and updated, and used to define to whom email usage policies
apply.
S/MIME security enables email encryption and authentication using digital
certificates and standards, such as S/MIME and Transport Layer Security
• Tumbleweed Email Firewall Anti-spam Best Practices Guide
This document provides additional information about setting up Email
Firewall to combat spam.
• Secure Redirect Administrator’s Guide
This Administrator’s Guide describes how to set up the Secure Redirect
service to transparently redirect email to a Tumbleweed IME server.
If you are installing Secure Messenger 6.2 with EMF 6.2, see the following
sources for information about how to install, configure, and administer Secure
Messenger 6.2:
• Tumbleweed Secure Messenger 6.2 Release Notes
The Release Notes include up-to-date information related to hardware and
software requirements, additional pre-installation instructions, licensing
information and known limitations.
• Tumbleweed Secure Messenger 6.2 Administrator’s Guide
This guide presents an overview of Secure Messenger and describes
configuration procedures and administration functions. It describes various
use cases, and provides troubleshooting tips for operating Secure Messenger
6.2.
• Tumbleweed Secure Messenger Help
The online help in the Secure Messenger 6.2 Web Admin component
contains context-sensitive information as well as a Table of Contents and
Index available from every page.
You can access the Help by clicking the Help button in the Web Admin
user interface. The Help also contains troubleshooting information and
step-by-step instructions for configuration tasks.
• Tumbleweed Secure Messenger 6.2 Developer’s Guide
This document provides information about branding the Secure Messenger
end-user interfaces and integrating third party authentication
infrastructure.
• Tumbleweed Email Firewall 6.2 Administrator's Guide
This guide must be read and understood before deployment of
Tumbleweed Secure Messenger 6.2 to obtain a comprehensive
understanding of the entire Tumbleweed secure email solution.
This chapter describes many of the features and tools in the Email Firewall
Status page and the Setup links in Web Administration. Use this chapter as a
road map for setting up, administering and monitoring Email Firewall.
This chapter also contains references to other sections of this guide containing
more detailed information about each administrative task. This chapter contains
the following sections:
2.1 Overview of Administrator Setup Tasks...................................... 8
2.2 Administrative Security............................................................... 9
2.3 System Status ............................................................................ 14
2.4 Setting Up Admin Roles and Accounts ..................................... 21
2.5 Setting Up Relays ..................................................................... 32
2.6 Setting Up Anti-virus and Anti-spam........................................ 80
2.7 Setting Up Global Policy Settings ............................................ 87
2.8 Setting Up Event Logging....................................................... 100
2.9 Other Setup Tasks ................................................................... 105
2.1 Overview of Administrator Setup Tasks
Table 2.1 lists the tasks that should be performed to set up and administer Email
Firewall in its entirety. It is recommended that you review the concepts and
overview sections before performing these tasks.

Task                                                      Where described
1  Create additional administrators                       2.4 Setting Up Admin Roles and Accounts on page 21
2  (Optional) Set up Centralized Event Logging            2.8.2 Setting Up Centralized Event Logging and Reporting on page 101
   and Reporting
4  Set up global policy settings                          2.7 Setting Up Global Policy Settings on page 87
7  Set up Personal Quarantine Manager                     3.7 Using Personal Quarantine Manager on page 142
8  Set up the Dynamic Anti-spam Service                   7.2 Dynamic Anti-spam Service Overview on page 332
9  Set up the Event Log                                   4.1 Setting Up Email Firewall Event Logging on page 186
10 Set up the Directory                                   10.2 Setting Up LDAP Directory Imports on page 534
2.2.2 Logging In
During Email Firewall installation, an administrator account consisting of name
and password is set up. This default admin account with SuperAdmin role is
automatically granted the necessary privileges to set up additional administrator
accounts and to administer Email Firewall. For instructions on creating
additional admin accounts, see 2.4.3 Creating New Administrator Accounts on
page 29.
To administer Email Firewall you must log in to Email Firewall Web Admin. To
access the login page, open your browser and type one of the following URLs
in the browser address field:
When the login page opens (see Figure 2.1), type your Username and Password
in the fields and click Login. While logged in you can customize your account
preferences, including identity, password, and how many lines are displayed in
your browser pages. For instructions, see 2.4.4 Preferences on page 31.
Using multiple browser sessions is supported. However, you should start a new
instance of the browser to do so. Do not attempt to open multiple browser
windows using the same Web Administration session.
The Email Firewall Service Update heading provides a link to a page that provides
all available Email Firewall updates (versions, patches or hot fixes) for this
system.
The Email Firewall Knowledge Base heading provides a link to the Tumbleweed
Knowledge Portal where you access Tumbleweed Knowledge Base articles.
This page requires a user name and password. To obtain a user name and
password, click the New users click here to register for access link.
The Email Firewall Services heading provides a quick reference to the status of
the services and a convenient link to the Email Firewall Services tab.
The Errors & Warnings heading lists the number of errors and warnings
generated during the last 24 hours. Click the link after Errors or Warnings to
open the Event Log to view, filter and sort these events. The Event Log can be
filtered so that only those warning and error events you select are shown in the
Event Log. For more information on creating and configuring Event Log filters,
see 4.2 Searching the Event Log on page 190.
The queues contain messages that are inbound to or outbound from Email
Firewall, messages awaiting preprocessing by the Dynamic Anti-spam Service
(if installed), awaiting redirection to a secure Tumbleweed IME server (if
installed), awaiting preprocessing by the Secure Messenger (if installed),
awaiting retry, and messages that were quarantined, detained, deferred,
archived, returned or could not be delivered. The Partition queue contains
messages requiring delivery to multiple recipients.
For more detailed information on the queues, including how to set them up, see
3.2 Setting Up Message Queues on page 116 and the Email Firewall Help. For
a more detailed description of each queue, see Table 3.1 on page 116.
Email Firewall is an active system and the Message Count displayed shows the
number of messages in the queues when the System Status page was last
accessed. The current message count may differ from the number displayed.
Use Refresh to update the page to show the most current message count.
From the Message Queues tab you can click an underlined queue name to access
that queue’s main page and view the messages in that queue. Although the
Return, Archive and Partition queues are not configurable, it is useful to
occasionally note the number of messages in those queues. An excessive
number of messages in those queues could indicate a processing problem that
should be investigated.
If you notice a large number of messages in the Quarantine Queues, see 3.5.3
Checking the Quarantine Queue for Inbound Messages on page 135 for
troubleshooting information.
One admin account with the SuperAdmin role assigned, and two administrator
roles, SuperAdmin and GeneralAdmin, are installed by default. Additional roles
and accounts can be created by any account that is assigned the SuperAdmin
role.
Admin roles should be created first, because an admin account must be assigned
a role when it is created. See 2.4.2 Assigning and Creating Admin Roles on page
27 for instructions. While an admin account can be created with no role, the
account when logged on has no capabilities to manage Email Firewall.
Once an admin account is created, that account cannot change its own role.
Only administrators who are specifically granted the high-security Full Access
privilege can create, edit and delete roles and accounts. The Full Access
privilege is also required to set up Centralized Event Logging and Reporting.
Only administrators who are specifically granted the high-security Delete Audit
Events privilege can modify the audit log retention time that automatically
deletes audit events.
To add back the sysadmin Fixed Server Role, follow this procedure:
1. Open Enterprise Manager.
2. Select the Security folder for the SQL Server in the tree view.
3. Select Logins.
4. Select Properties for the login account to be edited.
5. Select the Server Roles tab.
6. Mark System Administrators to upgrade privileges.
7. Click OK.
The standard access and capabilities categories are described in the following
sections.
Policies
Policies define which messages are caught, excluded and acted upon by the
Email Firewall.
Policy access is granted to allow access to all policies.
Policy capabilities are granted to allow either policy-modify or read-only
capabilities.
Policy Modules
Policy modules are the building blocks for creating policies.
Policy module access is granted to allow access to:
• All Word Lists
• All Address Lists
• All Attachment Lists
• All Tags
• All Annotations
• All Notifications
• All Custom Events
Policy module capabilities allow the role to modify or read-only the specified
policy modules.
Once an admin account is created, that account cannot change its assigned role.
1. In the Set Up > Relay Centers page, mark the Stop all Outbound Mail
checkbox.
2. Click Save.
To resume outbound mail flow, unmark the Stop all Outbound Mail checkbox.
To enable processing by the Policy Engine and SAE (if DAS is installed):
1. Verify that the checkbox beside the Route messages... option is marked.
The checkbox is marked by default.
If you have not installed the Dynamic Anti-spam Service, messages are not
preprocessed by the SAE before being sent to the Policy Engine.
2. Click Save to commit any changes.
You must also restart the SMTP Relay service if you change the SMTP Port
setting on the Identity tab.
For more information about using Email Firewall with replication, see the
Tumbleweed Email Firewall Best Practices Guide.
If more than one SMTP Relay service is installed and all hosts should identify
themselves by a common name:
1. Mark the Relay Host Name checkbox.
2. Type the Host Name in the field.
3. Click Save to commit the changes.
1. To allow the SMTP Relay to identify itself using a different greeting than
the default greeting, in the Session Welcome Message field, type the
message connecting relays should see.
2. To allow the SMTP Relay to identify itself differently from the default
settings, type the information in the Postmaster Mailbox and Postmaster
Domain fields. It may be useful to use the address of a postmaster mailbox
or distribution list here.
3. Click Save to commit the new information to the database.
Some organizations prefer not to have their SMTP relay product version
information exposed in the Received header, for security or other reasons. The
product version number in message headers can be hidden by unmarking the
Include Email Firewall version information in message Received headers
checkbox. When this option is enabled (by unmarking the checkbox), the
product version is not included in the Received header. The following example
illustrates the hiding option:
Received: from 10.11.60.100 by baseball.tumbleweed.com with
SMTP (Tumbleweed Email Firewall SMTP Relay); Fri, 26 Sep
2003 13:45:50 -0700
To perform a DNSBL:
1. In the DNSBL Source Domain fields, enter up to three DNSBL hosts.
For the DNSBL Source Domain, you can specify an IP address or a host
name, such as blackholes.mail-abuse.org. However, you must subscribe to
the DNSBL hosts to use this feature. One such DNSBL host is Mail Abuse
Prevention System (MAPS) at www.mailabuse.org. The DNSBL hosts are
checked in order of appearance, with the top one checked first. If the IP
address is found, the DNSBL hosts below it are skipped.
2. For each DNSBL source domain you enter, indicate how the EMF relay
will handle connections from any IP address that appears on the specified
DNSBLs. For the Response to client, select one of the three options:
• If you select Refuse connection with a permanent error response,
messages from this connection are not accepted with the permanent
negative completion reply (5xy), and the senders are discouraged
from repeating the exact connection.
• If you select Refuse connection with a transient error response,
messages from this connection are not accepted with the transient
negative completion reply (4xy). However, the error condition is
temporary and the connection may be requested again.
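The ordered DNSBL check described above (query the sources top to bottom, stop at the first that lists the connecting IP, then answer with a permanent 5xy or a transient 4xy reply) can be modelled in a few lines. The following is an added example, not code from Email Firewall or the guide; the DNSBL source names, the listed IP addresses, the zone data in FAKE_ZONE and the specific reply codes 554 and 450 are all constructed here so the example runs offline. The page lists only two of the three response options, so only those two are modelled.

```python
from ipaddress import IPv4Address

# Constructed DNSBL zone data standing in for live DNS answers (assumption:
# a DNSBL answers a query for a listed IP with an A record, typically in
# 127.0.0.0/8, and returns nothing for an unlisted IP).
FAKE_ZONE = {
    "100.60.11.10.bl-one.example.net": ["127.0.0.2"],
    "100.60.11.10.bl-two.example.net": ["127.0.0.3"],
    "7.113.0.203.bl-two.example.net": ["127.0.0.2"],
}


class RecordingResolver:
    """Offline stand-in for a DNS client that also records every query,
    so the skip-remaining-hosts behaviour can be observed."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []

    def __call__(self, name):
        self.queries.append(name)
        return self.zone.get(name, [])


def dnsbl_query_name(ip, source_domain):
    """Build the DNSBL query name: reversed dotted quad + source domain."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + source_domain


def dnsbl_lookup(ip, sources, resolve):
    """Check the sources in configured order; stop at the first that lists
    the IP. sources is a list of (source_domain, response_policy)."""
    for source_domain, response in sources:
        answers = resolve(dnsbl_query_name(ip, source_domain))
        if answers:
            return source_domain, response, answers
    return None


def connection_reply(ip, sources, resolve):
    """Return the SMTP reply to send to the client, or None to accept.
    The reply codes are constructed examples of the 5xy and 4xy classes."""
    hit = dnsbl_lookup(ip, sources, resolve)
    if hit is None:
        return None
    source_domain, response, _ = hit
    if response == "permanent":
        return "554 5.7.1 Connection refused: %s is listed on %s" % (
            ip, source_domain)
    if response == "transient":
        return "450 4.7.1 Try again later: %s is listed on %s" % (
            ip, source_domain)
    raise ValueError("unknown response policy: %r" % response)


# Constructed source list: first host answers permanently, second transiently.
SOURCES = [("bl-one.example.net", "permanent"),
           ("bl-two.example.net", "transient")]

if __name__ == "__main__":
    resolver = RecordingResolver(FAKE_ZONE)
    for client_ip in ("10.11.60.100", "203.0.113.7", "192.0.2.1"):
        print(client_ip, "->", connection_reply(client_ip, SOURCES, resolver))
    print("queries issued:", resolver.queries)
```

Because the lookup returns on the first hit, an IP listed on the top source costs one DNS query; an unlisted IP costs one query per configured source, which is why the order of the three source fields matters for latency as well as for which response the client receives.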
To enable the relay to drop undeliverable mail with a null SMTP sender
address:
1. In the Bounced Notifications heading, mark the Drop undeliverable mail with
a null SMTP sender address checkbox.
2. Click Save.
Alternate Lookups
SMTP relays use the Domain Name Service (DNS) to help with message
routing. DNS uses the components listed below to help route messages from one
email server to another.
• A records map hostnames to IP addresses:
NT01 to 192.9.200.201
• MX records map mail domains to hosts that accept mail for that domain:
tumbleweed1.com to NT01
The notification regarding recipients whose messages are affected states: “The
delay affects the following recipients:” followed by the address of the affected
recipients.
The apparent cause of delivery failure included in the delivery notification, and
the reason that specific notification was sent, is listed in Table 2.2.
For a more general overview of SMTP and the Email Firewall SMTP Relay
Service, see the Email Firewall 6.2 Installation and Upgrade Guide.
If you have a network where both of the above rules apply, you should determine
whether specific hosts within that network can be designated as internal or
external. If you have an individual host for which both rules apply, this
indicates a problem that requires a change to the way SMTP mail is routed into
or out of your organization. A single host cannot be designated as both internal
and external.
These rules must be applied correctly to prevent your Email Firewall system
from being used as an open relay. An open relay is a host on the Internet that
can accept SMTP mail and relay it to any other domain. Spammers seek out
such hosts in order to relay their spam messages using the open relay's network
identity instead of the originator's network identity. See Configuring Email
Firewall To Prevent Open Relaying on page 59 for more information.
Microsoft’s Caller ID
Caller ID for E-Mail is the Microsoft draft specification to address the problem
of domain spoofing and email forgery. Caller ID verifies that each message
originates from the Internet domain it claims to come from. Caller ID checking
is based on addresses found in the message headers, not the SMTP envelope.
The Caller ID mechanism is achieved by having administrators of domains
publish the Internet addresses of their outgoing email servers in the Domain
Name System (DNS) in addition to the incoming email servers that they list
there today. When email is transmitted from one organization to another, the
computers of the sending organization need to determine which computer the
receiving organization has designated as the one that handles its incoming mail.
With the information listing outgoing mail servers in place, software that
receives an incoming message can now verify that the computer used to send
the message was in fact under the control of the domain from which the message
purports to have originated.
Additional information about Microsoft’s Caller ID specification can be found
at http://www.microsoft.com/mscorp/twc/privacy/spam_callerid.mspx.
Before making changes to these settings, you should review the conceptual
information in 2.5.9 Network Connections Concepts on page 49.
10. Optionally, mark the RDNS checkbox to require reverse DNS checking.
11. Click Add.
12. In the Network Connections table, verify the new network appears with the
correct settings.
Figure 2.11: Mail Routing Rules Details: Inbound Mail Acceptance Rules
7. Use the Bounce Action drop-down list to select what to do when Email
Firewall is returning a message that had been previously accepted by
Email Firewall. See Figure 2.12.
Figure 2.12: Mail Routing Rules Details: Inbound Mail Bounce Actions
For example, suppose you set the External Senders match requirement to
2, and the sender’s email address was mike@example.com. If the RDNS
lookup revealed mail was sent from mail.example.com there would be
a match of the two right-most components, and the mail would be accepted
by the Email Firewall SMTP Relay. However, if the machine’s RDNS host
is something other than example.com, for example, alternate.com,
there is no match and the mail would be rejected by the Email Firewall
SMTP Relay.
9. Click Next.
10. Configure the rule’s Outbound Mail delivery options. See Figure 2.14.
Mark the appropriate radio button to use the Same as Default, DNS, DNS +
10a. If you marked either of the options to use relays, under the
Enter the Relays in the order of priority heading, use the Relay Type
drop-down list to select whether the relay is a static Relay Host or MX
for Domain.
10b. Complete the Relay Host or Domain Name field, and the port it
connects on.
10c. Click Add to add it to the list. Repeat this process for additional
relays to use.
10d. If there are multiple relays specified, mark the checkbox and use
the Up and Down buttons to prioritize them.
11. Click Next.
12. Specify the TLS routing rules.
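The External Senders match requirement described in step 8 above compares the right-most DNS components of the sender's domain with the connecting host's reverse-DNS name. The following is an added example of that comparison, not code from Email Firewall or the guide; it assumes the comparison is case-insensitive, that a trailing dot on a PTR result is ignored, and that a missing or failed reverse lookup counts as no match. The addresses and host names are the ones used in the guide's own example plus a few constructed variations.

```python
def rdns_components_match(sender_domain, rdns_host, required):
    """True when the right-most `required` DNS labels of the sender's
    domain and of the connecting host's reverse-DNS name are identical.
    With required=2, example.com and mail.example.com match on
    example.com; alternate.com does not."""
    if required < 1:
        raise ValueError("match requirement must be at least 1")
    if not rdns_host:
        # No PTR record, or the lookup failed: assumption, treat as no match.
        return False
    sender_labels = sender_domain.lower().rstrip(".").split(".")
    rdns_labels = rdns_host.lower().rstrip(".").split(".")
    if len(sender_labels) < required or len(rdns_labels) < required:
        # Too few labels on either side to satisfy the requirement.
        return False
    return sender_labels[-required:] == rdns_labels[-required:]


def accept_external_sender(sender_address, rdns_host, required):
    """Apply the check to a full sender address; malformed addresses
    (no '@', empty local part or domain) are rejected."""
    local_part, at, domain = sender_address.rpartition("@")
    if not at or not local_part or not domain:
        return False
    return rdns_components_match(domain, rdns_host, required)


if __name__ == "__main__":
    # Constructed sample lookups: (sender, reverse-DNS name of the peer).
    samples = [
        ("mike@example.com", "mail.example.com"),   # guide's accept case
        ("mike@example.com", "alternate.com"),      # guide's reject case
        ("mike@example.com", None),                 # no PTR record
    ]
    for sender, rdns in samples:
        print(sender, rdns, "->", accept_external_sender(sender, rdns, 2))
```

Raising the requirement from 2 to 3 makes the guide's accept case fail, because the sender domain example.com has only two components; when tuning this value, check it against the shortest sender domains you expect to receive mail from.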
The Email Firewall SMTP Relay uses a “best match” algorithm (see Best Match
Algorithm and Wildcards on page 66), so an email address like
user@mydomain.com will match the first rule, while an email address like
user@host.mydomain.com will match the second rule. This configuration
allows you to have specific routing rules for a domain without matching on
subdomains of that domain.
For example:
Example.com = 10.10.10.10
*.Example.com = DNS
Match Specifiers
A rewrite rule match specifier is a US-ASCII string literal that may include
wildcard characters. (US-ASCII strings are used because legal SMTP addresses
are limited to this character set.) The wildcard characters are the asterisk (*),
which matches one or more characters, and the question mark (?), which
matches exactly one character. All matching is performed case-insensitively.
Using this same list of match specifiers, consider the address user@foo.com.
Look at rules 3 and 4. Either of these rules could match this address. But
specifier 4 is used in this case because the exact match is preferred over the
wildcard in specifier 3.
Rewrite Actions
A rewrite action is a US-ASCII string literal that specifies how an address that
matches the match specifier should be rewritten. Within the rewrite action
string, substitutions may be made by specifying the percent sign (%) followed
by a number. The number represents the character or characters that matched the
corresponding wildcard in the match specifier. (Two consecutive percent signs
Table 2.4 shows how some sample addresses would be modified by the
“Sample” rule set.
Before                     After
user@host.example.com      user@host.widget.com
joe@example.com            joe@widget.com
jane@a.b.c.example.com     jane@a.b.c.widget.com
ralph@foo.com              ralph@foo.com
A Complete Example
In this example, suppose that we would like to configure the SMTP Relay to do
the following transformations on any SMTP messages received.
1. Change any messages sent to any host within the domain abc.com to be
changed so the domain name is simply xyz.com.
2. For any address sent to a specific host within the domain xyz.com,
remove the hostname so that the domain specifier is simply xyz.com.
3. For any addresses sent to domain xyz.com with an underscore in the
mailbox name, replace the underscore with a period.
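The best-match routing rules (Example.com versus *.Example.com), the match specifiers with * and ? wildcards, the exact-over-wildcard preference, the %N substitutions in rewrite actions, Table 2.4 and the three transformations of the complete example all rest on the same matcher. The following is an added example that implements that matcher and applies it to all of those passages; it is not Email Firewall's code and the rule sets SAMPLE_RULES, COMPLETE_RULES and ROUTING_RULES are constructed here (the guide does not list the “Sample” rule set, and host1 in COMPLETE_RULES is an assumed host name). Two further assumptions: rules are ranked by the number of literal (non-wildcard) characters, which guarantees an exact specifier beats any wildcard specifier for the same address because each wildcard must consume at least one character; and %% in an action stands for a literal percent sign. Each address is rewritten by a single best-matching rule, not by chaining rules.

```python
import re


def specifier_to_regex(spec):
    """Compile a match specifier: '*' matches one or more characters,
    '?' matches exactly one, everything else is literal; matching is
    case-insensitive. Each wildcard becomes a capture group for %N."""
    parts = []
    for ch in spec:
        if ch == "*":
            parts.append("(.+)")
        elif ch == "?":
            parts.append("(.)")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def literal_count(spec):
    """Specificity: number of non-wildcard characters (assumption, see
    lead-in). A matching wildcard rule always has fewer literals than the
    address, so an exact rule always outranks it."""
    return sum(1 for ch in spec if ch not in "*?")


def best_match(rules, subject):
    """rules: list of (specifier, action) in configured order. Returns
    (specifier, action, captured_groups) of the most specific rule that
    matches the whole subject, or None. Ties keep configured order."""
    ranked = sorted(rules, key=lambda r: literal_count(r[0]), reverse=True)
    for spec, action in ranked:
        m = specifier_to_regex(spec).fullmatch(subject)
        if m:
            return spec, action, m.groups()
    return None


def apply_action(action, groups):
    """Expand %N (text matched by the N-th wildcard) in a rewrite action.
    '%%' is treated as a literal percent sign (assumption)."""
    out = []
    i = 0
    while i < len(action):
        if action[i] != "%":
            out.append(action[i])
            i += 1
            continue
        if action[i + 1:i + 2] == "%":
            out.append("%")
            i += 2
            continue
        j = i + 1
        while j < len(action) and action[j].isdigit():
            j += 1
        if j == i + 1:
            raise ValueError("bare %% in rewrite action: %r" % action)
        n = int(action[i + 1:j])
        if not 1 <= n <= len(groups):
            raise ValueError("%%%d refers to a wildcard the specifier lacks" % n)
        out.append(groups[n - 1])
        i = j
    return "".join(out)


def rewrite_address(rules, address):
    """Rewrite an address with its best-matching rule, or return it as-is."""
    hit = best_match(rules, address)
    if hit is None:
        return address
    _, action, groups = hit
    return apply_action(action, groups)


def route_for(rules, address):
    """Routing rules are matched against the domain part of the address."""
    domain = address.rpartition("@")[2]
    hit = best_match(rules, domain)
    return hit[1] if hit else None


# Constructed rule sets (not taken from the guide).
SAMPLE_RULES = [("*@*.example.com", "%1@%2.widget.com"),
                ("*@example.com", "%1@widget.com")]
COMPLETE_RULES = [
    ("*@*.abc.com", "%1@xyz.com"),      # 1: any host in abc.com -> xyz.com
    ("*@abc.com", "%1@xyz.com"),        # 1: the bare domain as well
    ("*@host1.xyz.com", "%1@xyz.com"),  # 2: strip an assumed host name
    ("*_*@xyz.com", "%1.%2@xyz.com"),   # 3: underscore -> period in mailbox
]
ROUTING_RULES = [("Example.com", "10.10.10.10"), ("*.Example.com", "DNS")]

if __name__ == "__main__":
    for addr in ("user@host.example.com", "joe@example.com", "ralph@foo.com"):
        print(addr, "->", rewrite_address(SAMPLE_RULES, addr))
    for addr in ("bob@mail.abc.com", "ann@host1.xyz.com", "john_smith@xyz.com"):
        print(addr, "->", rewrite_address(COMPLETE_RULES, addr))
    for addr in ("user@example.com", "user@host.example.com"):
        print(addr, "routes via", route_for(ROUTING_RULES, addr))
```

Note that joe@example.com does not match *@*.example.com at all, because the second asterisk must consume at least one character before “.example.com”; that is what keeps a domain rule from also catching its subdomains, as the routing passage describes.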
5. Verify the new rule appears in the Rule Name column and that the type of
rule is correct. See Figure 2.16.
5. Click Save.
If the used space of any of these file groups is greater than 80%, the SMTP
Relay service will temporarily stop accepting incoming messages until the used
To adjust the host name identification, you may need to adjust the TCP/IP
properties. In particular, Email Firewall looks for the Windows Registry values
named Hostname and Domain under the following key:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
When the Email Firewall server is located behind a firewall there may be issues
with virus pattern file downloads and anti-spam filter updates. A Use Passive
Mode option for updates is available for this case. Enabling passive mode may
allow the anti-virus downloads and anti-spam updates to work for Email
Firewall without having to request that changes be made to the local firewall
configuration.
Occasionally, virus outbreaks occur extremely rapidly. In these cases the virus
scanner may require extra pattern files, called extra.dat files. An extra.dat
3a. If the FTP server should use passive mode, mark the Use Passive
Mode checkbox.
3b. To manually start a virus scanning engine update, click Update
Scan Engine Now.
When the archive file size reaches a configurable limit, the global File Archive
option can be set to:
If you need to keep copies of all messages sent regardless of delivery status, you
can enable the option to archive messages even if they were not delivered.
However, there is a special consideration to be aware of when configuring the
Do not archive undelivered messages option. When the option to archive
undelivered messages is enabled (i.e., when the checkbox is not marked), if an
archiving policy is set to archive the original or decomposed message and the
message gets quarantined or detained, on release from the quarantine or
detention queue the message is archived “as sent” and not original/decomposed
as specified in the archiving policy.
When the option to archive undelivered messages is enabled (i.e., when the
checkbox is not marked), Email Firewall archives messages “as per policy,”
which means that if the archive policy action was set to archive the original or
decomposed message, an infected message is archived if the original message
has a virus.
2. Click Save.
1a. To modify the policy, click Edit and proceed to edit the policy,
then click Save.
1b. To remove the policy, click Policies in the main menu, then click
Remove.
2. In the domain’s row, click Remove.
To enable MS DTC:
1. Starting from your Windows Desktop, click Start and then click Run.
2. In the Run dialog box, type dcomcnfg.exe, and then click OK.
3. In the Component Services window, expand Component Services, expand
Computers, and then expand My Computer.
4. Right-click My Computer, and then click Properties.
5. In the My Computer Properties dialog box, select the MSDTC tab and then
click Security Configuration.
6. Within the Security Settings area of the Security Configuration dialog box,
mark the Network DTC Access and Network Transactions checkboxes to
select these options.
The Network DTC Access option allows DTC transactions over a network
and the Network Transactions option allows distributed transactions over a
network.
Figure 2.24 shows the Centralized Event Log and Reporting tab within the Event
Logging page.
To set up the HTTP Proxy server to obtain the Email Firewall Update Service
updates:
1. In the Set Up > Proxy Servers page, mark the Use HTTP Proxy Server
checkbox.
2. In the Address field, enter the hostname of the HTTP proxy the Email
Firewall will use.
3. In the Port field, enter the port number of the HTTP proxy the Email
Firewall will use. The default port number is 80.
4. If required by your environment, mark the Use Authenticated Access to
HTTP Proxy Server checkbox, and then enter your user name and password.
5. Click Save to save changes.
This chapter describes the features and tools used in setting up and managing
the message queues. It also describes how to configure the Personal Quarantine
Manager (PQM) feature that allows message recipients to access copies of their
quarantined messages.
This chapter contains the following sections:
3.1 Message Queues Status .......................................................... 114
3.2 Setting Up Message Queues ................................................... 116
3.3 Setting Up Queue Searches .................................................... 126
3.4 Working With Messages in the Queues................................... 131
3.5 Quarantine Queue Management............................................. 133
3.6 Troubleshooting Inbound and Outbound Queues ................... 138
3.7 Using Personal Quarantine Manager .................................... 142
3.8 PQM Reports Sent to Users ................................................... 161
3.9 Using Policies with PQM ....................................................... 171
3.10 Personal Quarantine Manager Maintenance ......................... 175
3.11 Troubleshooting the PQM....................................................... 181
3.1 Message Queues Status
The Message Queues tab on the Status page displays the number of messages
currently in the Email Firewall mail queues. See Figure 3.1. The queues contain
messages that are inbound to or outbound from Email Firewall, messages
awaiting preprocessing by the Dynamic Anti-spam Service (if installed),
awaiting redirection to a secure Tumbleweed IME server (if installed), awaiting
preprocessing by the Secure Messenger (if installed), awaiting retry, and
messages that were quarantined, detained, deferred, archived, returned or could
not be delivered. The Partition queue contains messages that require delivery to
multiple recipients.
Queues listed under the Processing Queues heading contain messages that are
in transit through Email Firewall. Queues listed under the Static Queues heading
contain messages that Email Firewall has finished processing. Messages in the
static queues will remain there until acted on by an administrator or are
Email Firewall services regularly poll the database for messages to work on. If
there are no messages to work on, the polling process sleeps. This can lead to
latency in transferring a single message, but when messages are arriving
regularly, as is the case in most organizations, the process does not go to sleep.
For more detailed information on the queues, including how to set them up, see
3.2 Setting Up Message Queues on page 116 and the Email Firewall Help. For
a summary description of each queue, see Table 3.1 on page 116.
Quarantine: The Quarantine queues contain messages that triggered a policy that
checks for spam messages, potentially harmful messages, or nonsecure messages.
These messages are set aside for the mail administrator to examine. For
example, the default Virus scanning policies detect and quarantine all infected
messages. Messages in this queue remain here until released or otherwise acted
upon by an administrator, or until expired. The length of time messages remain
here is defined in the Set Up > Quarantine Queue Configuration Aging tab. The
Quarantine queue contains a Default queue that cannot be deleted, and up to ten
quarantine custom queues can be created.
Detention: The Detention queue contains messages that triggered a policy
requiring administrative review prior to delivery. Messages are detained here
temporarily, until the detention period (a configurable period) expires, or an
administrator takes some other action first.
Retry: The Retry queue contains messages that the SMTP Relay cannot deliver
immediately. Messages are stored in this queue while Email Firewall attempts to
deliver them according to the retry interval. The retry interval and message
expiration are specified in the Set Up > Retry Queue Configuration Retry tab.
Dead Letter: The Dead Letter queue contains messages that Email Firewall cannot
deliver to the intended recipient and cannot return to the sender. For example,
messages that the SMTP Relay receives that it has already attempted to return
to the sender would be placed in this queue. The length of time messages remain
here is defined in the Set Up > Dead Letter Queue Configuration Aging tab.
Defer: The Defer queue contains messages that are set aside until off-peak
hours. For example, the default Inbound Size Deferral policy detects messages
larger than 10MB and defers delivery until after peak time. Peak time is
configured in the Set Up > Policies Peak Time tab.
Secure Messenger: The Secure Messenger queue contains messages that will be
redirected to Secure Messenger, if this software is installed to run with Email
Firewall. These messages have triggered a policy that encrypts and delivers the
message via Secure Messenger. If you have not installed the Secure Messenger
component but have created a policy that uses the Redirect delivery action,
messages sent to this queue will remain here unless manually removed by the
administrator. Also, a message that is subject to both a defer action and a
redirect action will be placed in the Secure Messenger queue, and not the Defer
queue, to wait during peak time.
Spam Analysis: When the Dynamic Anti-spam Service (DAS) is installed, messages
from both internal and external hosts that have been accepted by the SMTP Relay
service are placed in this queue. These messages will be processed and tagged
by the Spam Analysis Engine and then sent to the Inbound queue. For information
about the Dynamic Anti-spam Service, see Chapter 7, Dynamic Anti-Spam Service.
Inbound: The Inbound queue contains messages that will be routed to the Email
Firewall Policy Engine for processing. If the Dynamic Anti-spam Service is
installed, messages arrive here after processing by the Spam Analysis Engine.
If the Dynamic Anti-spam Service is not installed, messages from both internal
and external hosts that have been accepted by the SMTP Relay service are placed
in this queue. (Messages bypass the Spam Analysis queue if the Dynamic
Anti-spam Service is not installed.)
Outbound: The Outbound queue contains messages from internal hosts that have
been routed through the Email Firewall Policy Engine and are in the SMTP relay
awaiting delivery to the next destination.
Return: Messages are placed in the Return queue by the Relay when it sends a
Delay DSN to the sender. The Redirect service also places messages in the
Return queue on failed redirect attempts. The Relay picks up messages from this
queue and re-sends them.
Archive: The Archive queue contains messages placed there by policies with a
policy action to archive. The queue is read and processed by the Archive
Service.
Partition: The Partition queue contains messages waiting to be copied and sent
to different recipients to whom different outbound routing rules apply. The
relay’s Partition function examines the recipient list and splits up the
message as necessary based on the routing rule that needs to be applied for
each recipient. If different recipients require different routing rules, then
multiple partitions of the message are created and each partition is placed in
the Outbound queue separately. Recipients for whom the same routing rule
applies are kept together on the same partition of the message.
The Reset tab feature allows the queue actions to be automatically reset when
the queue shrinks to or falls below a configurable number of messages. See
Resetting Queue Actions on page 121.
In addition to the Actions and Reset tabs:
• the Quarantine and Dead Letter queues have an Aging tab for configuring
how long to hold messages in the queue before they expire and are
automatically deleted. Optionally, audit events can be logged when
messages are deleted. See 3.2.3 Setting Up Queue Aging on page 122. Any
Quarantine custom queues created also have this aging action option.
4. Click Save.
After the new custom queues are created, a policy using the Quarantine action
can specify into which Quarantine custom queue messages meeting the policy
catch conditions should be placed.
5b. If you did not select a list, in the text field, type the search words.
5c. If you did select a list, click Select word list to open the Select
Word Lists pop-up page and either create a new word list, or
select an existing list. For more information on creating word
lists, see 6.2.2 Word Lists on page 258.
6. Optionally, specify the Message Properties Sender to filter for messages
sent by specified senders:
6a. Use one of the drop-down lists to select inclusively (is any of the
following, or is any on the list) or exclusively (is none of the
following, or is not on the list).
6b. If you did not select a list, in the text field, type the search words.
6c. If you did select a list, click Select address list to open the Select
Address Lists pop-up page and either create a new address list, or
select an existing list. See 6.2.6 Address Lists on page 265 for
more information on creating address lists.
7. Optionally, specify the Message Properties Recipient:
7a. Use one of the drop-down lists to select inclusively (is any of the
following, or is any on the list) or exclusively (is none of the
following, or is not on the list).
7b. If you did not select a list, in the text field, type the search words.
7c. If you did select a list, click Select address list to open the Select
Address Lists pop-up page and either create a new address list, or
select an existing list. See 6.2.6 Address Lists on page 265 for
more information on creating address lists.
8. Optionally, specify the Message Properties Message ID to filter for a
specific message identified by message ID and enter the message ID in the
field.
9. Optionally, in the Tags section, use the Message includes drop-down list to
search inclusively for any or all messages marked with specified tags. Use
the does not include drop-down list to exclude messages that are marked
with specified tags.
If the Policy Engine service detects that the used space of any of these file
groups is greater than 90%, the Policy Engine service will temporarily stop
processing messages from any of the message queues until the used space goes
below 85%. A warning will be logged with the list of file groups and the
percentage of space used.
This problem can be solved by increasing the file size of the file group. Before
doing so, you need to determine which file group size needs to be increased.
You can use SQL Server Enterprise Manager to find which file group size needs
to be increased.
This special X-header is used to easily distinguish QSN messages from other
messages. The X-header value identifies the QSN release, patch, and build
number used to generate the message.
• Server Settings
• Users
2. On the Notification Options tab, Notification Format heading, mark the Text-
based email radio button to send QSN messages in plain text. Using this
To make best use of the PQM, include and exclude quarantine tags should be
used thoughtfully in quarantine policies so that each message can be easily
identified by PQM for whether the message should or should not be included in
the QSN. For example, tags signifying that a message has a virus should
probably be on the “exclude” list, so that even if a message also includes a
spam-type quarantine tag, the virus-infected message will not be included in a
QSN.
When selecting include and exclude tags, be sure not to include the same tag in
both lists. If an attempt is made to do this, an error appears advising that the tag
is already in use, and stating “A tag cannot be used to both allow and disallow
access to quarantined messages.”
If the message is still on the Email Firewall server, a copy of the message is sent
from the Quarantine queue to the Policy Engine, where only security policies
are applied, and then to the Outbound queue for delivery to the recipient.
If the User Requests option to prevent blocking is enabled, when a recipient
wants messages from this sender not to be blocked in the future, the recipient
can click White List on the Message Request Received message. See Figure 3.12.
Enabling QSN On-demand Access and White-listing on page 154 and 3.8.4
User Requests for “White List” on page 168 provide information on how to
enable recipient access and how to determine which messages have been
requested for no blocking.
If a request has already been made not to block the sender’s messages, the
recipient is informed. See Figure 3.14.
When a release request is made and the message is not still on the Email
Firewall server, a message indicating that the message is no longer available is
displayed. See Figure 3.15. A message may be unavailable because it was
already deleted by an automatic aging action or administrator intervention. A
slightly different message is sent when a message is unavailable because it was
already released to the recipient. In this case the response informs the user that
When the recipient clicks Request Now and there are no messages for that
recipient in the Quarantine queue, that status is displayed in the browser. See
Figure 3.20.
If the User Requests option is not enabled, then the QSN does not include the
option to request an updated QSN. In HTML format QSNs, the sentence “Click
here to find out how you can have a report of all your blocked messages sent to
you at any time” does not appear in the message. In text format QSNs, the
sentence “To have a report of all your blocked messages, such as this, sent to
Policies that you want to use with PQM must be applied to folders, domain
records, or user records in the EMF directory in order to create the policy
coverage and exception cases required by your organization.
For this example, we assume that the organization would want to quarantine for
recipient release all messages that are identified as Spam_Moderate. It is
expected that these messages are the most likely to be messages recipients
would not consider spam (false positives).
We also assume that the organization:
• would not want recipients to have access to messages identified as
containing adult content or adult business-inappropriate language, without
administrative review.
• would not want recipients to have access to messages identified as
containing a virus that was not cleaned.
It is also assumed that the organization would want this policy applied to the
Internal folder.
If you are currently using some type of encryption policy (for example, proxy
encryption) between Email Firewall and the internal recipients who are not
allowed to receive QSNs, this approach will not work. This is because the
message will be encrypted and therefore will not be caught by the Unencrypted
Message Filter policy.
Also, if you are unable to create user records for the forbidden recipients, you
must fine-tune the example policy. In this case, the policy should be changed to
a sender-based policy applied to a single user record in the directory, created for
the Email Firewall notifier sender email address. This address is configured in
the Notifications setup. See 6.4.1 Global Notification Settings on page 288. You
must add another condition on the policy to check when the recipient is on an
address list of forbidden recipients. This approach works because QSNs never
have more than one recipient; so there is no concern about all recipients being
blocked because of the presence of one forbidden recipient.
Authentication Methods
By default, the PQM Server supports anonymous access and integrated
Windows authentication. In the case of anonymous access, the PQM Server
uses a configured NT account to access the Email Firewall database.
Application Protection
By default, the PQM Server is configured to be run by IIS as “out-of-process
medium isolated application.” This is configured by setting Medium(Pooled) as
the value for Application Protection, on the EMFPQMServer IIS virtual
directory Properties page. However, you can change this setting to
High(Isolated), if desired.
PQM can run as either a high isolated or medium isolated (pooled) process.
Both high and medium are “out-of-process” and safe. However, running as a
high isolated process guarantees that PQM will run in a separate process,
whereas running as a medium isolated process means that PQM will run in a
common process along with other Web applications.
Running PQM as a high isolated process is the most effective. However,
running PQM as a high isolated process is possible only if MSDTC service is
installed and running. If MSDTC is not installed, then running PQM as a
medium isolated process is an alternative. On Windows 2003, the Com+ System
IIS Logging
The location of the IIS Log files is set using the IIS Web Site Properties.
This location of the latest log file containing a log of HTTP requests received
by the Web Site is usually:
C:/WINNT/System32/LogFiles/W3SVC1
In this case, PQM Server does send the generic Unable to Complete
Request page.
The Email Firewall Event Log shows how Email Firewall is operating in your
environment. Filtered event log files show only the information that is important
to you.
This chapter contains the following sections:
4.1 Setting Up Email Firewall Event Logging ............................. 186
4.2 Searching the Event Log......................................................... 190
4.3 Using Event Log Filters ......................................................... 192
4.4 Searching for Message Events................................................ 199
For information on Centralized Event Logging and Reporting, see 2.8.2 Setting
Up Centralized Event Logging and Reporting on page 101.
4.1 Setting Up Email Firewall Event Logging
The Event Log is the Email Firewall component that stores and displays events
logged by Email Firewall. An event is any significant occurrence in Email
Firewall, such as initialization of services, process failure, or defined policy
events. Use the event logging options to configure how Email Firewall will
record events.
The importance level of events from the Policy Engine and SMTP Relay can be
configured using these options. Events can be held indefinitely or can be deleted
after a configurable number of days. Automated event log export is available to
save the log events to a location other than the database.
See 4.2 Searching the Event Log on page 190 for more detailed information on
how to define the event log information that is collected and how it is displayed.
Global configuration setup allows you to specify these logging levels for the
Policy Engine and SMTP Relay:
• Major
• Normal
• Trace
• Debug
Whenever a message is handled by the Email Firewall Policy Engine and the
logging level is set to Normal, an event is logged. The Email Firewall reporting
tool uses these Normal event log files to produce the email-usage reports
described in Chapter 11, Email Firewall Reports.
Global configuration setup allows you to define when to delete logged events
for the following:
• Policy Engine
• SMTP Relay
• Audits
• Report Summary Tables
• Report Detail Tables
Automated event log export is available to save the log events in a location other
than the database.
Custom events can be created that record specific system events that you may
want to monitor. See 4.3.2 Creating Custom Events on page 194.
There are two ways to access the global settings for the Event Log:
• In the Email Firewall main menu, click Set Up to open the Set Up page,
then click Event Logging to open the Set Up > Event Logging page.
• In the left menu, click Event Log to open the Event Log page, then click
Setup Event Logging to open the Event Log > Event Logging page.
When the Policy Engine logging level is set to Major, only the
Audit reports and single user audit reports show the events.
For each of these, you can select to delete after a specified number of days, or
choose to never delete the events. The log files to produce email-usage reports
are based on the Normal events logged by the Policy Engine. However, the
Event Log data and Report Log data do not depend on each other, so you do not
need to synchronize the data expiration actions when setting up event logging
for the Policy Engine and for the Reports Detailed and Summary Tables.
To understand how event log aging affects performance, review 4.1.5 Cleanup
Jobs and Message Processing on page 189 before making these selections.
Message event searches use the data in the EventDetails tables. You can only
search on the data based on the retention period for the Report Detail Tables. To
ensure accurate searches, be sure the Report Detail Tables deletion time is the
same or longer than the deletion time for the Policy Engine and SMTP Relay
events. See 4.1 Setting Up Email Firewall Event Logging on page 186 for more
information.
When Centralized Event Log and Reporting is set up, the Event Log Search page
shows all logged events for the central and satellite machines. You can tell
where an event took place from the information in the Machine column.
The more specific the filter query, the faster the results will
return. If a query is taking too long to return, click Cancel and
refine the filter.
When creating a filter, you can select to filter for specific Event IDs. You can
create your own custom Event IDs to log events that keep track of policy
violations, and then filter for them. See 4.3.2 Creating Custom Events on page
194.
5. Mark the radio button to select either Event IDs, Message IDs, or All of
the following event properties.
5a. If you selected Event IDs or Message IDs, type the IDs you want to
search in the corresponding fields. Be sure to enter multiple IDs as
a comma-separated list of IDs or ID ranges, ex. 1,3-5.
5b. If you selected event properties, make your selections from some
or all of the following:
• Event Type that occurred: Information, Warning, or Error events.
• Logging Level that was logged: Major, Normal, Trace, or Debug.
• Email Firewall Component you want to monitor, or All Components.
• Email Firewall Category you want to monitor: Services, SMTP Relay,
Policy Engine, Policy Manager, Directory, or All Categories.
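To make the Event ID syntax and the event-property selections in step 5 concrete, here is an added example (not code from the Email Firewall product) that expands an ID list such as 1,3-5 and applies a filter to a few constructed event records; the sample events, hosts and component names are made up for the example.

```python
"""Constructed model of an Email Firewall Event Log filter (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# The selectable values named in the procedure.
EVENT_TYPES = {"Information", "Warning", "Error"}
LOGGING_LEVELS = {"Major", "Normal", "Trace", "Debug"}
CATEGORIES = {"Services", "SMTP Relay", "Policy Engine", "Policy Manager", "Directory"}

# One token of the Event ID field: a single ID or an inclusive range "lo-hi".
_ID_TOKEN = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")


def parse_event_ids(spec: str) -> Set[int]:
    """Expand a comma-separated list of IDs or ID ranges, e.g. "1,3-5" -> {1, 3, 4, 5}."""
    ids: Set[int] = set()
    for token in spec.split(","):
        if not token.strip():
            continue                      # tolerate a trailing comma
        m = _ID_TOKEN.match(token)
        if not m:
            raise ValueError(f"bad Event ID token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {token!r}")
        ids.update(range(lo, hi + 1))
    return ids


@dataclass(frozen=True)
class Event:
    event_id: int
    event_type: str      # Information / Warning / Error
    level: str           # Major / Normal / Trace / Debug
    component: str       # the Email Firewall component that logged it
    category: str        # Services / SMTP Relay / Policy Engine / ...
    machine: str         # Machine column (central or satellite host)
    detail: str


@dataclass
class EventFilter:
    """Either an Event ID list or a set of event-property selections, mirroring
    the radio-button choice in step 5. Empty/None property sets mean "All"."""
    event_ids: Optional[Set[int]] = None
    event_types: Optional[Set[str]] = None
    levels: Optional[Set[str]] = None
    components: Optional[Set[str]] = None
    categories: Optional[Set[str]] = None

    def __post_init__(self) -> None:
        for name, allowed in (("event_types", EVENT_TYPES), ("levels", LOGGING_LEVELS),
                              ("categories", CATEGORIES)):
            chosen = getattr(self, name)
            if chosen and not chosen <= allowed:
                raise ValueError(f"unknown {name}: {sorted(chosen - allowed)}")

    def matches(self, ev: Event) -> bool:
        if self.event_ids is not None:        # ID search ignores the property fields
            return ev.event_id in self.event_ids
        return all((
            not self.event_types or ev.event_type in self.event_types,
            not self.levels or ev.level in self.levels,
            not self.components or ev.component in self.components,
            not self.categories or ev.category in self.categories,
        ))


def apply_filter(flt: EventFilter, events: Iterable[Event]) -> List[Event]:
    return [ev for ev in events if flt.matches(ev)]


# Constructed sample events; IDs, hosts and detail text are made up.
SAMPLE_EVENTS = [
    Event(1, "Information", "Normal", "PolicyEngine", "Policy Engine", "emf-central",
          "Message processed"),
    Event(3, "Warning", "Major", "PolicyEngine", "Policy Engine", "emf-sat1",
          "File group MMSEventData 91% used"),
    Event(4, "Error", "Major", "SMTPRelay", "SMTP Relay", "emf-central",
          "Outbound queue backlogged"),
    Event(5, "Information", "Trace", "Directory", "Directory", "emf-sat1",
          "Directory synchronization started"),
    Event(9001, "Warning", "Normal", "PolicyEngine", "Policy Engine", "emf-central",
          "Custom event: Company Sensitive List violation"),
]
```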
The global Event Log settings affect whether the custom events you create for
policy violations are displayed in the Event Log. See 4.1 Setting Up Email
Firewall Event Logging on page 186.
For example, if your Policy Engine Logging Level is set to Normal and you
create a custom Event with the logging level set to Major, the custom Event will
not be displayed in the Event Log, even though the policy may have been
violated, because your global setting is to show only Normal events.
3. In the Severity column, use the drop-down arrow to select a severity level:
Information, Warning or Error.
4. In the Level column, use the drop-down arrow to select a logging level:
Major, Normal, Trace or Debug.
7. In the Events > Edit Event page, type an explanation for the Event ID in
the Detail field. You can use placeholders in the Detail field. Table 4.1 lists
the event detail text placeholders and what they invoke. (You can use
either upper or lower case.)
8. Click Update.
See 4.3.1 Creating Event Log Filters on page 192 for information on creating
and using filters to organize how log events are displayed.
This chapter gives an overview of Email Firewall policies and how they work.
It is recommended that you review these concepts carefully before editing the
default policies or defining new ones.
Instructions and examples for creating policies are provided in Chapter 6,
Creating and Editing Policies.
Global Email Firewall policy settings for Peak Time, Archive, Options and
Policy-based Routing that apply to all Email Firewall policies that use any of
these policy actions are configured in the Setup > Policies page. See 2.7 Setting
Up Global Policy Settings on page 87.
This chapter contains the following sections:
5.1 Policy Overview (page 204)
5.2 Policy Categories and Types (page 210)
5.3 Email Firewall Directory (page 220)
5.4 How Email Firewall Applies Policies (page 233)
5.5 General Policy Planning Considerations (page 240)
5.6 Default Policies and Folders (page 245)
5.7 Policy Building Tools (page 253)
5.1 Policy Overview
Policies provide the message security measures available to Email Firewall after
a message has been accepted by the Email Firewall SMTP Relay. This section
explains how Email Firewall policies are structured.
Before you attempt to create any new policies, you should understand the
concepts described in this chapter. You should also understand how the Email
Firewall directory works. See 5.3 Email Firewall Directory on page 220. No
policy is in effect for any user until the policy is applied to an Email Firewall
directory object.
5.1.1 Definitions
Policy
A policy is a set of rules and actions.
Rules
Rules define to whom a policy applies, and the selected catch and exclude
conditions that constitute a policy violation that triggers the policy action.
Actions
Actions are the response to the policy violation. Some policies may also include
backup actions stating which further actions to take should the initial action fail.
Basic Mail Filtering dispositive policy actions include:
• Drop/Delete Message
• Return Message to Sender
• Quarantine (with Spam tags) (message remains in quarantine until action
performed by reviewer)
• Detain for X minutes/hours/days (with Spam tags)
• Redirect Message to a secure IME server
• Defer Delivery to off-peak hours
• Deliver Normally
5.1.2 Example
Each policy begins with a simple phrase; for example, “Catch messages where
ALL of the following are true.” To this phrase, you add a context
(sender/recipient/this user) in which the policy operates, what conditions the
policy looks for, what conditions are excluded from triggering the policy, what
actions follow when the policy conditions are met, and sometimes backup
actions to complete the policy. All policies have one or more of the following
components:
• Name
• Catch Conditions
• Exclude Conditions
• Actions
Name
Each policy should have a simple and descriptive name. For example, the
default Virus policy that detects viruses in outbound messages is named
Infected Message (Sender), as that best describes its function.
Catch Conditions
Catch conditions state the conditions under which a policy will be invoked.
Available conditions vary among the policy categories and policy types. Some
policies require that the sender or recipient be identified; others look only at
content, attachment, or type of message.
Exclude Conditions
Exclude conditions state what will prevent a policy from being invoked though
it otherwise meets the policy catch conditions.
For example (exception in bold):
Policy Name: Large Attachments Deferral
Policy Type: Basic Mail Filtering
Applies To: Recipient
Summary
While not a discrete component of a policy, the policy summary is the textual
statement of the complete policy, including its name, catch conditions,
exclusion conditions, and actions. Every policy type has a summary page where
you can view the policy while you are creating it, and when it is complete.
These general-purpose policies are well suited to preventing junk mail and spam
from entering or leaving your organization. They can also be very precisely
defined to catch mail containing specific harmful, objectionable or confidential
content.
Policy actions specify what Email Firewall should do with messages that meet
the catch conditions. For information about how policy actions are applied, see
5.4 How Email Firewall Applies Policies on page 233.
Random Selection
In the Basic policy category you can also specify that a random selection (by
percentage) of messages normally caught by the policy be caught. This can
assist in performance and reporting functions. Each time a “random policy” is
evaluated, the server calls a random number generator to produce a random
integer. Then, Email Firewall calculates the percentile of that integer in the
range of legal values that can be returned by the random number generator. If
In the above example, there is no way to determine whether this policy will
catch 75% of the messages from this sender and then check the subject for
keywords, or whether it will catch 75% of the messages that have the keyword
in the subject. While Email Firewall will always do one or the other, there is no
way to tell ahead of time which it will do.
If you want to create a policy that will catch 75% of the messages that have the
keyword in the subject, it could be written like this example:
Policy Name: Random Sample Plus
Policy Type: Basic Mail Filtering
Applies To: Sender
This policy will be triggered for 75% of the messages that have the keyword in
the subject.
Infected Message
Use this policy to detect messages with infected attachments, disinfect them,
and forward a clean copy of the message to the recipient.
• cc
• Comments
• Content-Description
• Content-Disposition
• Content-ID
• Content-MD5
• Content-Transfer-Encoding
• Content-Type
• Date
• Encrypted
• From
• In-Reply-To
• Keywords
• Message-ID
• MIME-Version
• Precedence
• Received
• References
• Reply-to
• X-MMS-Spam-Confidence
• X-MMS-Content-Rating
• Resent-bcc
• Resent-cc
• Resent-Date
• Resent-From
• Resent-Message-ID
• Resent-Precedence
• Resent-Reply-To
• Resent-Sender
• Resent-To
• Return-path
• Return-Receipt-To
• Sender
• Subject
• To
• X-Advertisement
• X-Mailer
• X-MMS-Redirect-To
• X-MSMail-Priority
• X-Priority
• X-Urgent
• X-MMS-Spam-Filter-ID
Domain Records
Domain records represent users in a common domain who have no individual
user records in the Email Firewall Directory. If your domains are consistent
with logical or functional groups within your organization, you can use domain
records to assign specific policies to those groups.
A domain record inherits policies from the folder in which it resides. A domain
record can also have its own set of policies. You can avoid unnecessary
maintenance by structuring your Directory and policies around specific
domains rather than creating multiple duplicate policies for specific users. The
recommended strategy for assigning a policy to a domain is to create a folder
for the domain, add the domain record to the folder, and assign the policy to the
folder. This strategy makes it easier to define additional policies for specific
users within the domain, without those users losing the protection of the
domain-level policies.
User records represent specific users who require distinct policies. User records
can be used for the following:
• Creating an individualized policy for one unique user.
• Creating an individualized policy for one or more groups of individual
users with similar security needs.
• Defining exceptions to policies defined at the folder level.
User records inherit policies and permissions from the folders in which they
reside. The recommended strategy for assigning a policy to an individual user
is to create a folder for the user, add the user record to the folder, and assign the
policy to the folder. This strategy makes it easier to assign the same policy to
other users in the future simply by adding other user records to the same folder.
If Email Firewall will be performing encryption, a user record is required for a
person who is not part of an SPN but to whom you plan to send signed or
encrypted mail.
All Folder
By default, this folder contains:
• policies that apply to all users and domains.
• the External and Internal folders and all the objects that they contain.
Policies applied to the All folder apply to all inbound and outbound mail traffic
in your organization. Use this folder to create umbrella policies that you want to
apply to all email traffic entering or leaving your organization.
External Folder
By default, this folder contains:
• the default domain record, which represents all email domains that are
unknown to your organization.
• policies that apply to users in external organizations. These policies apply
to users in external organizations because the default domain record is in
this folder. It is not a property of the folder itself.
Use the External folder to apply policies to mail to and from users outside your
mail domain who do not have an Email Firewall directory record, and to store
records for any external domain or users with which you regularly exchange
mail. This folder inherits the policies applied to the All folder.
Adding Folders
8. In the Notes field, type any information about the folder’s intended
purpose or contents (optional).
9. Click Save.
10. Verify the new folder appears in the directory hierarchy in the proper
location.
Suppose this SPAM Quarantine policy is also in place for all users:
Policy Name: SPAM Quarantine
Policy Type: Basic Mail Filtering
Applies To: Recipient
Summary of policy, ready to save:
Catch messages where...
The message text has a “spam keywords” score of at least 9
Take the following actions...
Quarantine the message with the tag: “Spam”
and Send the notification “Manager Note - SPAM”
If a message that has an attachment larger than 10KB and also contains words
from the SPAM list is sent to one of these users, it invokes both policies.
Quarantining the message is more severe than deferring it, and the following
actions occur:
1. The message is quarantined, not deferred.
2. The mail administrator receives a “Manager Note - SPAM” notification.
3. The intended message recipient receives a “Large Attachment Message
Deferral” notification.
Although the action specified in the SPAM Quarantine policy was enforced, any
nonconflicting (informational or transformational) actions in all policies that
apply to the message are performed as well. These actions include sending
notifications, annotating messages, logging events, and adding recipients.
An example of a conflicting action that could prevent an informational or
transformational action from being applied is if either of the “Don’t send”
Notification options have been selected for the Notification policy action and
are triggered. See Dropped or Returned Message Notification Option on page
293 and Virus in Message Notification Option on page 293.
• Policies can be enabled or disabled at any level (unless they were locked at
the level at which they are owned) without affecting application at other
levels.
• Policies can be removed only at the level at which they are owned.
• Policies owned at a higher level and disabled at a lower level are retained
at the lower level even if the policy is removed from a higher level (though
not enforced if disabled).
However, once the policy is removed at the higher level, the lower level
directory object becomes the owner of the policy as though it had
originally been added at that level.
The following procedures show how policy inheritance works, and shows how
to create policy overrides using the Lock, Enable and Disable features. These
exercises assume you have installed the Email Firewall default policies and
directory objects.
Type of policy defined: Sender- or recipient-based policy to drop, return,
quarantine or detain the message.
How users are exempted from the policy: Modify the policy to exclude messages
where the message is sent to exempted recipients, who are listed on an address
list.
What happens if there are multiple recipients on the message: If the message is
sent to any address on the exempted user list, all recipients will receive the
message (including the non-exempted recipients).
Type of policy defined: Sender-based policy to drop, return, quarantine, or
detain the message.
How users are exempted from the policy: Make sure that the policy is not applied
to the exempted recipients in the Email Firewall directory.
What happens if there are multiple recipients on the message: If the message is
sent to at least one non-exempted recipient, no recipients will receive the
message (because the sender’s disposition is more severe than the recipients’).
Type of policy defined: Recipient-based policy to drop, return, quarantine, or
detain the message.
How users are exempted from the policy: Make sure that the policy is not applied
to the exempted recipients in the Email Firewall directory.
What happens if there are multiple recipients on the message: If the message is
sent to exempted users and non-exempted users, the message is partitioned so
that the exempted recipients get the message, but the others do not.
Decompression Errors
This sender policy detects attachments on outgoing messages that failed to be
decompressed by the Email Firewall decompression libraries. These messages
are quarantined with the tag Decompression errors.
Decomposition Errors
This sender policy detects all MIME parts, including text/plain and text/html, in
outgoing messages that could not be processed correctly by the Email Firewall
Figure 5.10 shows the default policies that apply to the Internal folder. These
policies perform the following general actions:
• Prevent users from sending or receiving viruses, offensive material, or
large attachments.
• Protect users from spam, unsolicited advertisements, or attachments with
long file names (sometimes used to conceal viruses).
• Prevent users from sending sensitive material such as résumés or
confidential information.
EXE Blocking
This recipient policy detects incoming messages with executable attachments.
It attempts to strip the attachment. If successful, the message is annotated,
archived with the tag Executable, and then delivered. If unsuccessful, the
message is quarantined with the tag Executable Not Stripped, and a notification
is sent to the Email Firewall administrator. See A.2.5 All Supported Executable
Files on page 647 for a list of the executable files included in the All Executable
Files attachment list.
Résumé Block
This sender policy checks the content of outgoing messages against a list of
known résumé keywords, each weighted with a numerical value. Messages with
a cumulative value of at least 9 are quarantined with the tag Resume.
This chapter describes how to create effective Email Firewall policies that will
protect your organization’s email communications. The information in this
chapter builds on the information and procedures described in Chapter 5,
Understanding Policies. For additional information and instructions on security
type policies, see Chapter 8, Email Encryption and Authentication Overview
and Chapter 9, Security Configuration.
This chapter contains the following sections:
6.1 Introduction to Policy Building (page 256)
6.2 Lists and Tags (page 257)
6.3 Annotations (page 278)
6.4 Notifications (page 287)
6.5 Using Events as Policy Actions (page 295)
6.6 Creating Policies (page 296)
6.7 Applying the Policy to a Directory Object (page 301)
6.8 Using Virus- and File-Stripping Policies (page 303)
6.9 Policy Protection Against New Viruses (page 305)
6.10 Using Headers Type Policies (page 313)
6.11 Using DAS Message Properties (page 315)
6.12 Troubleshooting Policy Enforcement (page 324)
Global Email Firewall policy settings for Peak Time, Archive, and other Options
that apply to all Email Firewall policies that use any of these policy actions are
configured in the Setup > Policies page. See 2.7 Setting Up Global Policy
Settings on page 87.
6.1 Introduction to Policy Building
Email Firewall provides a number of tools for creating and editing Email
Firewall policies. Most tools are available directly from the Email Firewall main
menu. These policy building tools include:
• Lists - address, attachment, and word lists are used to specify conditions or
exceptions in a policy. You can customize the default lists included with
your Email Firewall installation, or create customized lists that meet the
specific needs of your organization.
• Tags - archive and queue tags are used in policies that specify an archive or
send to queue action.
• Annotations - add text to specified outgoing messages.
• Notifications - are SMTP messages sent to a specified recipient when a
policy violation requires a notification action.
• Events - keep track of specified policy violations.
The remainder of this chapter describes these tools and provides instructions
and examples showing how to use them.
It is often useful to know where lists are used. The Show Where Used button in
each list opens a new page containing a list of policies where the specific list is
used. You can navigate to the policy edit pages from this list and modify or
remove the list from the policy.
The ? character matches any one character (A-Z, a-z, 0-9) in a word.
For example, B?ll matches Ball, Bill, and Bull. It does not match white space or
punctuation.
You cannot escape text wildcards in text searches. If you need to search for
either the * or ? character itself, use a regular expression. See Appendix C, Using
Regular Expressions for more information on using regular expressions.
already use the UTF-8 encoding. If you are manually editing such word list files,
remember to use the UTF-8 encoding when saving the file.
For additional information about encoding and Email Firewall, see Appendix B,
Code Set Support.
To illustrate a variety of word list creation options, in this example the word list
uses the Advanced Add function to import an external file containing the words
in the list, and uses keyword weighting.
8. Verify the words in the list appear in the Word List page. (Click Edit in any
row if you need to change a word or phrase’s weight. After changing any weight,
click OK.) Click Save.
9. Verify the new “Company Sensitive List” appears in the Word Lists page.
The new word list can now be used in a Company Sensitive List policy, or in
any other Email Firewall policy.
See A.2 “All Supported” File Types on page 645 for a list of the file types
included in the “All...” file types. See A.3 Groups on page 651 for a list of the
files included in the groups listed here.
You can also use Advanced Add to add attachment names and types from a plain
text file, or to add attachments using existing attachment lists.
8. Click Save.
9. Verify the new “Company Spreadsheets” list appears in the Attachment
Lists page.
6.2.11 Tags
Tags are used when creating policies that specify an archive or queue action.
You can create tags that tell you why a message was archived, or why it was sent
to the queue.
To add, modify, or delete tags, in the left menu, click Tags to open the Tags
page. Figure 6.8 shows the Tags selection page.
Tags are also used with the Personal Quarantine Manager feature. See 3.7.6
Setting Up QSN Access Restrictions on page 156.
If you also had a policy, such as the “Company Sensitive” policy created in the
examples in 6.6 Creating Policies on page 296, which uses a weighted word list
that contains the words “merger” and “confidential,” then your annotation text
would match the words “merger” and “confidential” on the Company Sensitive
word list. In this case, the annotation words together with the message text could
trigger the Company Sensitive policy in circumstances where the message text
alone might not.
They decided the text of the Outbound Disclaimer annotation should read as
follows:
The opinions expressed in this message are the opinions solely
of the author, and do not represent the opinions or positions
of the author’s organization.
They decided that they would want the Email Firewall Policy Engine to Skip the
annotation text when scanning for policy violations, to avoid unintentionally
triggering other Email Firewall word-scanning policies.
They decided the annotation should appear as an Information type, to indicate
the intent of the annotation.
They also decided that the annotation should be an in-line annotation, appearing
inline at the bottom of the original message.
2. For this example, in the Annotation column field, type Outbound Disclaimer
as the name of the new annotation.
Use the drop-down arrow for Select Not Skip/Skip. Select Skip, so the
Email Firewall Policy Engine will overlook the words in the Outbound
Disclaimer annotation when scanning for policy violations in policies that
use weighted word lists.
3. Click Create to open the Annotations > Edit Annotations page. (Because
you selected Skip, the checkbox beside Skip this text during any scan for
words or phrases is marked.)
4. In the Text field, type the annotation text you want to appear. Click Save to
commit the new annotation to the database.
5. Verify that the new Outbound Disclaimer annotation appears in the
Annotations page list.
6. Review the information in the In-Line Annotation Settings tab. Any text in
the global annotation Preface and Epilog fields will appear in all messages
using an in-line annotation as a policy action. See 6.3.1 Global Settings for
In-line Annotations on page 279 for more information.
Notification Routing
Critical notifications can be sent using an alternate host and port in the event the
Email Firewall Relay is down or the Outbound queue is backlogged or not
processing messages.
Email Firewall Web Admin displays the SMTP address (RFC 2821)
sender/recipient address (envelope address) and not the MIME (RFC 2822)
sender/recipient address when notifications are placed in an Email Firewall
queue. You should keep this distinction in mind when creating notifications and
when using them as policy actions. See the Email Firewall 6.1 Installation and
Upgrade Guide for more detailed information about RFC 2821 and RFC 2822
address definitions.
$SERVER   The name of the Email Firewall server that sent the notification
6. In the Send To heading, indicate to whom you want the notification sent. In
this case, mark the Original Message Sender radio button.
7. In the Send From heading, indicate from whom you want the notification
sent. For this example, mark the Administrator radio button.
8. Mark the checkboxes provided for the Options heading as shown in
Figure 6.14.
9. Click Save.
10. Verify the Company Sensitive List notification appears in the Notifications
page.
For a notification that is associated with a sender policy, the notification will be
sent if none of the sender's policies drop or return the message, and if there is at
least one recipient whose policies do not drop or return the message. So if the
disposition taken for the sender is to drop or bounce, or the disposition taken for
all recipients is to drop or bounce, the notification will not be sent.
For a notification that is associated with a recipient policy, the notification will
be sent if none of that particular recipient's policies drop or return the message,
and if none of the sender's policies drop or return the message.
For example: A message is sent to 2 recipients, A and B. Both A and B trigger
a policy that will quarantine the message and send a notification to the
administrator and a notification to the recipient. Both notifications have the
option enabled to not send the notification if the message is dropped or returned
by any policy. B also triggers a policy that drops the message. In this case, the
administrator notification will be sent, and the recipient notification will be sent
to recipient A. Recipient B will not receive a notification.
If the message sender triggered a policy that returned or dropped the message,
then the administrator notification will not be sent, nor will the recipient
notification be sent to either A or B.
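The rules above (most severe disposition wins, nonconflicting actions still run, a sender disposition reaches every recipient while recipient dispositions partition the message, and the notification suppression rules) are modeled in this added example; it is not Email Firewall’s own code. The severity ranking beyond what the guide states, the addresses, the catch conditions and the collapsing of identical notifications are assumptions, and the suppression rules are modeled as the effect of the “Don’t send if dropped or returned” notification option.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed severity ranking (higher wins). The guide states only that
# quarantine outranks defer and that drop/return outrank quarantine.
SEVERITY = {"deliver": 0, "defer": 1, "detain": 2, "quarantine": 3,
            "return": 4, "drop": 5}
TERMINAL = {"drop", "return"}   # after these nobody receives the message

@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str = ""
    spam_score: int = 0        # stand-in for the "spam keywords" word-list score
    attachment_kb: int = 0

@dataclass
class Policy:
    name: str
    applies_to: str                          # "sender" or "recipient"
    catch: Callable[[Message], bool]         # the policy's catch conditions
    disposition: str = "deliver"
    # (target, notification name); target is "admin", "sender" or "recipient"
    notifications: Tuple[Tuple[str, str], ...] = ()
    suppress_if_dropped: bool = False        # the "Don't send" notification option

def most_severe(dispositions: List[str]) -> str:
    return max(dispositions, key=SEVERITY.__getitem__, default="deliver")

def evaluate(msg: Message, directory: Dict[str, List[Policy]]):
    """directory maps an address to the policies on its directory object (folder
    inheritance already flattened). Returns disposition per recipient and the
    (address, notification) pairs actually sent."""
    sender_hits = [p for p in directory.get(msg.sender, [])
                   if p.applies_to == "sender" and p.catch(msg)]
    sender_disp = most_severe([p.disposition for p in sender_hits])
    sender_stopped = sender_disp in TERMINAL

    delivery: Dict[str, str] = {}
    recipient_hits: Dict[str, List[Policy]] = {}
    for rcpt in msg.recipients:
        hits = [p for p in directory.get(rcpt, [])
                if p.applies_to == "recipient" and p.catch(msg)]
        recipient_hits[rcpt] = hits
        # The sender's disposition combines with each recipient's own, so a terminal
        # sender disposition reaches everyone while recipient-only ones partition.
        delivery[rcpt] = most_severe([sender_disp] + [p.disposition for p in hits])
    anyone_delivered = any(d not in TERMINAL for d in delivery.values())

    sent: List[Tuple[str, str]] = []

    def send(target: str, rcpt: str, text: str) -> None:
        addr = {"admin": "admin", "sender": msg.sender, "recipient": rcpt}[target]
        if (addr, text) not in sent:   # identical notifications collapse (assumption)
            sent.append((addr, text))

    # Recipient-policy notifications are suppressed by the option when the
    # sender or that particular recipient was dropped or returned.
    for rcpt, hits in recipient_hits.items():
        blocked = sender_stopped or delivery[rcpt] in TERMINAL
        for p in hits:
            if not (p.suppress_if_dropped and blocked):
                for target, text in p.notifications:
                    send(target, rcpt, text)

    # Sender-policy notifications are suppressed when the sender was dropped
    # or returned, or when no recipient at all will receive the message.
    for p in sender_hits:
        if not (p.suppress_if_dropped and (sender_stopped or not anyone_delivered)):
            for target, text in p.notifications:
                for rcpt in (msg.recipients if target == "recipient" else [None]):
                    send(target, rcpt, text)
    return delivery, sent

def internal_folder_policies() -> List[Policy]:
    """SPAM Quarantine and Large Attachments Deferral, with constructed catch tests."""
    return [
        Policy("SPAM Quarantine", "recipient", lambda m: m.spam_score >= 9,
               "quarantine", (("admin", "Manager Note - SPAM"),)),
        Policy("Large Attachments Deferral", "recipient",
               lambda m: m.attachment_kb > 10, "defer",
               (("recipient", "Large Attachment Message Deferral"),)),
    ]

def two_recipient_example(sender_drops: bool = False):
    """The A/B notification example from the guide; addresses are constructed."""
    quarantine = Policy("Keyword Quarantine", "recipient",
                        lambda m: "urgent" in m.subject.lower(), "quarantine",
                        (("admin", "Quarantine Alert"), ("recipient", "Quarantine Alert")),
                        suppress_if_dropped=True)
    drop_b = Policy("Drop for B", "recipient", lambda m: True, "drop")
    directory = {"a@example.com": [quarantine], "b@example.com": [quarantine, drop_b]}
    if sender_drops:
        directory["s@example.com"] = [Policy("Drop Sender", "sender", lambda m: True, "drop")]
    msg = Message("s@example.com", ["a@example.com", "b@example.com"], subject="URGENT offer")
    return evaluate(msg, directory)
```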
The default setting of this option for all existing notifications is disabled.
All the default policies, as well as any policies you may have created after
installation, are listed on the Policies page.
Click any policy name link to open the Policies > Edit Summary page where you
can review the complete policy.
Or, if you know the name of the policy you want to view, type all or part of the
policy name, then click Find to jump to the page with the policy name link.
To apply the Company Sensitive List policy to the Internal folder and to all its
objects:
1. On the Email Firewall main menu, click Directory to open the Directory
page.
2. Click the All folder and then the Internal folder.
3. Beside the Internal folder, click Edit to open the Directory > Edit Folder
page.
4. On the Policies on this Folder tab, click Add Policy.
5. In the Select Policies page, mark the Company Sensitive List checkbox and
click Add Checked Policies.
6. Verify the new policy now shows on the Policies on this Folder tab.
7. Click Lock if you do not want the policy to be disabled at a lower level.
10. In the Policies > Edit Actions page, click Summary to open the Policies >
Edit Summary page. See Figure 6.19.
11. Review your policy, then click Save to commit the new policy to the
database and close the Policies > Edit Policies page.
12. In the Policies page, verify your new policy appears in the list of policies.
These policies need only be enabled on the correct Email Firewall Directory
object to begin enforcing the DAS policies. See 6.11.4 Applying the Anti-spam
Policy to the Directory on page 319.
Additional policies can be created to filter messages based on other properties
added by the Spam Analysis Engine.
Policy Disabled
Check the status of the policy in the directory object that inherits the policy.
Queue Backups
Full SQL Server file groups can cause the Policy Engine to stop processing
messages from the queues.
The Policy Engine service checks for available space in seven of the file groups
configured for the Email Firewall database. These file groups are:
MMSBodyChunk
MMSBodyChunkStatic
MMSEventData
MMSMessageData
MMSMessageDataStatic
MMSMessageDataPropertiesStatic
MMSTransactionLog
If the Policy Engine service detects that the used space of any of these file
groups is greater than 90%, the Policy Engine service will temporarily stop
processing messages from any of the message queues until the used space goes
below 85%. A warning will be logged with the list of file groups and the
percentage of space used.
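The following Python script is an added example, not Email Firewall code; it models the space check just described so that an administrator can reason about when queue processing pauses and resumes. The seven file-group names and the 90%/85% thresholds are taken from this section; the usage figures fed in are constructed sample values.

```python
# Added example; not Email Firewall code. Models the file-group space check
# described in the guide: the seven file-group names and the 90 % / 85 %
# thresholds are from the guide, the usage figures fed in are constructed.

MONITORED_FILE_GROUPS = (
    "MMSBodyChunk",
    "MMSBodyChunkStatic",
    "MMSEventData",
    "MMSMessageData",
    "MMSMessageDataStatic",
    "MMSMessageDataPropertiesStatic",
    "MMSTransactionLog",
)

PAUSE_ABOVE_PCT = 90.0   # dequeuing stops when any group is used more than this
RESUME_BELOW_PCT = 85.0  # ... and restarts only once every group is below this


class QueueGate:
    """Hysteresis gate for queue processing.

    Once paused, the gate stays paused until every monitored file group has
    dropped below RESUME_BELOW_PCT, so usage hovering around the trip point
    does not flap processing on and off.
    """

    def __init__(self):
        self.paused = False

    def update(self, usage_pct):
        """Evaluate one sample of file-group usage.

        usage_pct maps file-group name -> percent of allocated space used.
        Returns (paused, log_line); log_line is None when there is nothing
        to report for this sample.
        """
        missing = [g for g in MONITORED_FILE_GROUPS if g not in usage_pct]
        if missing:
            raise ValueError("no usage figure for file group(s): %s" % ", ".join(missing))

        over = {g: usage_pct[g] for g in MONITORED_FILE_GROUPS
                if usage_pct[g] > PAUSE_ABOVE_PCT}
        if over:
            self.paused = True
            detail = ", ".join("%s=%.1f%%" % (g, p) for g, p in sorted(over.items()))
            return True, ("WARNING queue processing paused; file groups over %.0f%%: %s"
                          % (PAUSE_ABOVE_PCT, detail))

        if self.paused:
            if any(usage_pct[g] >= RESUME_BELOW_PCT for g in MONITORED_FILE_GROUPS):
                return True, None          # still draining: wait for < 85 % everywhere
            self.paused = False
            return False, ("INFO queue processing resumed; all monitored file groups below %.0f%%"
                           % RESUME_BELOW_PCT)
        return False, None


def demo():
    """Constructed walk-through: one file group fills up, hovers in the
    85-90 % band, then drains. Returns the paused flag after each sample."""
    gate = QueueGate()
    base = {g: 50.0 for g in MONITORED_FILE_GROUPS}
    trail = []
    for pct in (50.0, 92.5, 87.0, 84.0):
        sample = dict(base, MMSMessageData=pct)
        trail.append(gate.update(sample)[0])
    return trail


if __name__ == "__main__":
    print(demo())
```

The point of the 85% resume threshold is visible in the third sample: at 87% the gate is still paused even though no group is above 90%, which is why a file group that is merely shrinking slowly keeps the queues stopped for longer than the warning alone suggests.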
This chapter describes the Dynamic Anti-spam Service (DAS) and how to use
it. It also describes strategies to protect your organization from unwanted email
communications.
When DAS is installed, the Status page shows the Email Firewall Spam Analysis
Engine service in the list of Email Firewall services.
7.1 Introduction to Stopping Spam
“Spamming” refers to the Internet version of junk mail. If your site is being
“spammed,” it is the recipient of unwanted, usually large volumes, of
advertisement or other bothersome email, generically called “spam.”
Enterprises have a number of legitimate reasons to be worried about spam
entering their organizations:
• Employees receiving email containing offensive content may give rise to
hostile work environment claims against the employer.
• Employees receiving spam email in their desktop inboxes can result in a
substantial drain on workplace productivity.
• Enterprise IT and computer resources are being over-extended due to the
incremental traffic volume that is not adding value to the business.
Spam is very dynamic and changes rapidly, often on a message-by-message
basis. Spammers routinely investigate new and innovative ways to avoid having
their emails blocked. The best solution is one that presents a flexible approach
combining multiple strategies and countermeasures, giving you a series of
options that allow you to customize an anti-spam arsenal to control and limit
spam.
While there is no way to permanently stop your site from being spammed
because spammers continuously vary their techniques, you can take appropriate
countermeasures. Spam can and must be defended against on a number of
fronts. Once identified, spam messages must be acted upon. A varied approach
is required. Tumbleweed’s gateway-based anti-spam solution combines a
powerful, service-based spam identification capability with configurable anti-
spam tuning and disposition. This section briefly describes this gateway-based
approach, and where the Dynamic Anti-spam Service fits into the Email
Firewall solution. For a more detailed discussion of Tumbleweed’s approach to
anti-spam product design and the tools available using Tumbleweed’s anti-
spam products, see the Tumbleweed Anti-spam Best Practices Guide.
[Figure: Email Firewall components and message flow: Internet SMTP email,
SMTP Relay Service, Email Firewall Message Queues, Email Firewall Policy
Engine, Email Firewall Spam Analysis Engine, SQL Server Database Service,
Email Firewall Web Admin, Email Firewall Archive Service, Secure Redirect and
Secure Response Services, Download Service, and FTP Server.]
Internal messages are processed and analyzed by default by the Spam Analysis
Engine; however, this analysis is optional. For performance reasons, you may
want to omit internal message analysis. For more information, see 7.4.3 Internal
Message Analysis on page 339. For information on how to enable the option to
omit internal message analysis, see 2.6.1 Setting Up Anti-virus and Anti-spam
Downloads on page 82.
Large Messages
By default, messages that are larger than 100KB are not analyzed by the Spam
Analysis Engine. This large message bypass is an optimization which assumes
that most spam messages are relatively small in size, and research by the
Message Protection Lab supports this assumption.
If this assumption is not valid for your organization, or if you want the message
analysis performed for all messages regardless of size, this limit value is
configurable. For more information, see 7.6.6 Adding Large Messages to
Engine Processing on page 346.
The content property priorities are ordered this way because Tumbleweed
Message Protection Lab testing has found that there is a high possibility that
newsletters contain adult content, especially medical and legal newsletters. If
the adult content rating were given a higher priority, these types of
newsletters would not be recognized as such.
At the same time, testing has found that the possibility that newsletter-type
content is also found in adult messages is very low. In other words, while many
broadcast messages include content that could trigger the adult content rating,
the opposite is rarely true. So there is very little risk that adult messages are
missed or improperly categorized with the current priority ordering.
When Disabled, all messages bypass the Spam Analysis Engine. This means that
messages will be passed to the Inbound queue without Spam Analysis Engine
analysis or header modification.
To prevent the Spam Analysis Engine from scanning messages received from
internal networks:
1. On the Set Up > Dynamic Anti-spam Service Settings page, DAS Settings
tab, mark the Do not scan messages received from internal networks
checkbox.
2. Click Save.
To re-enable scanning of internal messages, unmark the checkbox and click
Save.
To start the log file of the performance counters, perform one of the following
steps:
• Select the log file and go to Action and select Start.
• Select the log file and right-click, and in the pop-up menu click Start.
• Select the log file and click the right-arrow button (looks like a “Play”
button on a tape player).
To stop the log file of the performance counters, perform one of the following
steps:
• Select the log file and go to Action and select Stop.
• Select the log file and right-click, and in the pop-up menu click Stop.
• Select the log file and click the square button.
The new database rows are added in a single transaction, with no partial updates.
An Event is logged on the status (successful/failed) of the download and loading
to the database. After download, the Download service cleans up intermediate
files at the end of the process, whether the update was successful or failed.
In the case of a download failure or database failure, there are retries between
preconfigured intervals. The default is three tries each with five minute
intervals. Both settings are configurable, as described in 2.6.1 Setting Up Anti-
virus and Anti-spam Downloads on page 82.
A finite number of old filters are left in the table to allow rollback to an earlier
filter set. At least five sets of filter data are always left in the tables (five rows
in AntiSpamFilters and the corresponding rows in
AntiSpamFilterData).
and
DELETE AntiSpamFilters
WHERE version = 'A2003031401'
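The following Python script is an added illustration, not the Download service's own code, of the two behaviours described above: loading a downloaded filter set in a single transaction with retries, and pruning old sets while always keeping the newest five for rollback. It uses an in-memory SQLite database as a stand-in for the SQL Server database. The table names AntiSpamFilters and AntiSpamFilterData are those named in this section; their columns, the fetch callback and the sample filter rows are assumptions made for the example.

```python
import sqlite3
import time
from datetime import datetime, timezone

# Added example; not Email Firewall code. AntiSpamFilters / AntiSpamFilterData
# are the table names given in the guide; the columns below are assumptions.
SCHEMA = """
CREATE TABLE AntiSpamFilters (
    version   TEXT PRIMARY KEY,
    loaded_at TEXT NOT NULL
);
CREATE TABLE AntiSpamFilterData (
    version TEXT    NOT NULL REFERENCES AntiSpamFilters(version),
    rule_id INTEGER NOT NULL,
    pattern TEXT    NOT NULL
);
"""


def open_store():
    """In-memory stand-in for the Email Firewall database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_filter_set(conn, version, rules, loaded_at):
    """Insert one filter set (header row plus its data rows) in a single
    transaction: either every row is committed or none is."""
    try:
        with conn:  # commit on success, roll back on any exception
            conn.execute(
                "INSERT INTO AntiSpamFilters (version, loaded_at) VALUES (?, ?)",
                (version, loaded_at))
            conn.executemany(
                "INSERT INTO AntiSpamFilterData (version, rule_id, pattern) VALUES (?, ?, ?)",
                [(version, rule_id, pattern) for rule_id, pattern in rules])
        return True
    except sqlite3.Error:
        return False


def download_and_load(fetch, conn, attempts=3, interval_seconds=300,
                      sleep=time.sleep, loaded_at=None):
    """Fetch and load with retries: by default three tries five minutes apart,
    the guide's defaults. `fetch` (assumed callback) returns (version, rules)
    or raises OSError on a download failure. Returns the event to log."""
    reason = None
    for attempt in range(1, attempts + 1):
        try:
            version, rules = fetch()
        except OSError as exc:
            reason = "download failed: %s" % exc
        else:
            stamp = loaded_at or datetime.now(timezone.utc).isoformat()
            if load_filter_set(conn, version, rules, stamp):
                return {"status": "successful", "version": version, "attempt": attempt}
            reason = "database load failed for version %s" % version
        if attempt < attempts:
            sleep(interval_seconds)
    return {"status": "failed", "attempt": attempts, "reason": reason}


def prune_old_filter_sets(conn, keep=5):
    """Remove all but the newest `keep` filter sets, deleting the data rows and
    then the header row of each stale version in one transaction. Returns the
    versions removed (newest first)."""
    versions = [v for (v,) in conn.execute(
        "SELECT version FROM AntiSpamFilters ORDER BY loaded_at DESC, version DESC")]
    stale = versions[keep:]
    with conn:
        for v in stale:
            conn.execute("DELETE FROM AntiSpamFilterData WHERE version = ?", (v,))
            conn.execute("DELETE FROM AntiSpamFilters WHERE version = ?", (v,))
    return stale


if __name__ == "__main__":
    db = open_store()
    # Constructed sample data: a partial failure leaves nothing behind.
    print(load_filter_set(db, "A2003031401", [(1, "lottery"), (2, "mortgage")],
                          "2003-03-14T01:00:00Z"))
    print(load_filter_set(db, "A2003031402", [(1, "ok"), (2, None)],
                          "2003-03-14T02:00:00Z"))
    print(db.execute("SELECT version FROM AntiSpamFilters").fetchall())
```

Deleting the data rows before the header row keeps the foreign-key relationship intact; the manual DELETE shown above for AntiSpamFilters must likewise be paired with removal of the matching AntiSpamFilterData rows, and only for a version that is not among the five most recent.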
Spam Identification Tool: Comments

Address Lists: Allow you to check inbound traffic against address lists of
known valid (or bad) recipients. Prevents spammers from performing dictionary
attacks to find valid addresses, and from penetrating the corporate email
system.

Relay and Server Protection Heuristics: Attack detection and blocking
capabilities are needed both at the relay and server level to prevent Denial
of Service attacks, email-borne threats, and Directory Harvesting (DH) attacks.

Spam Auditing Services: Optional spam Quickstart service to assist with
upfront setup and ongoing system tuning and maintenance.

Variable Match Lexical Analysis: Combining the Exact Match Lexical Analysis
with Variable Matching capability allows you to catch spam by evaluating a
number of variables within the message. If any of these variables or a
combination of variables appear in a message, you can decide what disposition
to place on the message. This also lets you establish exceptions so that
something you classify as valid email is not accidentally dropped/deleted.
Email Firewall can encrypt, decrypt, digitally sign, and verify incoming and
outgoing messages using policies and security integration features. The security
settings protect senders and recipients of email sent to and from the SMTP
Relay. Email Firewall allows you to manage local, external, and root
certificates; manage local and external PGP keys; create Secure Public
Network (SPN™) links between different Email Firewall systems; establish an
email gateway in S/MIME Gateway (SMG) mode; create TLS message
exchange links with partners; and provide proxy security for users with desktop
encryption. These security features allow businesses to automatically and
transparently secure and manage communications with partners, suppliers and
customers.
This chapter contains the following sections:
8.1 Introduction to Email Encryption and Authentication in EMF ... 364
8.2 S/MIME and OpenPGP Overview ... 365
8.3 Email Firewall Gateway-to-Gateway Security ... 369
8.4 Email Firewall Security using TLS ... 373
8.5 Email Firewall Server-to-Client Proxy Security ... 375
8.6 Email Firewall Client-to-Client Security ... 385
8.7 The Sender Signature Policy Type ... 391
8.8 Understanding Certificate Harvesting ... 394
8.9 Understanding Certificate and PGP Key Responders ... 395
8.10 Third-Party Certificates and Email Firewall ... 397
8.11 Third Party PGP Keys and Email Firewall ... 400
8.12 Understanding Certificate Rollovers ... 401
8.13 The PGP Trust Model ... 408
8.14 Trust and Interoperability of S/MIME Certificates ... 408
8.15 Frequently Asked Questions ... 422
8.16 Commonly Used Security Terms ... 424
[Figure: a Tumbleweed Email Firewall Server exchanging mail across the Internet
with a partner Email Firewall Server.]
Once certificates have been exchanged you can begin creating Email Firewall
SPN policies to implement secure messaging.
The Email Firewall implementation complies with RFC 3207 and therefore
should be interoperable with other vendors' implementations of this standard.
Email Firewall supports remote hosts using both SSL 3.0 and TLS 1.0. TLS
interoperability with clients and servers using older versions of SSL is not
supported. The Email Firewall implementation uses OpenSSL.
TLS can be used for a variety of purposes. For use with Email Firewall, these
include:
• to secure communications with a specific external domain. For example, to
secure all SMTP communications with an external business partner (using
server-to-server security).
• to encrypt internal mail sent to (or from) the Email Firewall SMTP Relay.
For example, to ensure that all SMTP traffic is encrypted between the
internal mail systems and the Email Firewall Relay.
[Figure: a Tumbleweed Email Firewall Server exchanging mail across the Internet
with a partner Email Firewall Server.]
The Email Firewall key pair and/or certificate are used to represent the users in
your organization. While some email clients allow users to associate any key or
certificate with any correspondent, many do not. Therefore, most external users
who use S/MIME or OpenPGP clients will not be able to use the Email Firewall
certificate or PGP key to encrypt mail for your local users. However, Email
Firewall can generate proxy certificates or proxy PGP keys that associate the
Email Firewall public key with the local user’s email address. When external
users encrypt mail for your users with proxy certificates or proxy PGP keys,
Email Firewall can decrypt it.
Before a local user can exchange secure mail with an external user, you can
exchange certificates/keys with the external user and then associate the
certificates/keys with their user records in the Email Firewall Directory. With
S/MIME, you can also configure Email Firewall to look up an external user’s
certificate from an LDAP server using the Automatic Certificate Lookup
functionality. See Automatic Lookup of User Certificates on page 381 for more
information. With OpenPGP, you will have to manually associate the external
users’ keys to their records.
When using a trusted Certificate Authority, Email Firewall can be configured to
allow the automatic association of S/MIME certificates to user records.
When you use proxy security, you should make sure your
relay is not configured as an open relay, so that external
sources cannot use Email Firewall as a relay host to send
nonsecure or nonauthentic mail to your secure
correspondents. You should also make sure that none of
your internal hosts are automatically forwarding external
mail to Email Firewall.
Email Firewall can perform the following proxy security services. When it
cannot properly execute the operation, it performs the alternative actions you
specify in your security policies.
Proxy Encryption
To encrypt messages to a specific recipient, Email Firewall finds a user record
in the Email Firewall Directory that corresponds to the recipient, and encrypts
the message with the certificate or PGP key associated with that record. For the
operation to be successful, all of the following must be true:
• The message recipient must have a user record in the Email Firewall
directory.
• The recipient’s user record must be associated with a certificate or PGP
key.
• The certificate or key must be valid.
• A Proxy Encrypt and/or Sign policy must be in effect on the external
recipient’s user record.
Proxy Decryption
To decrypt messages addressed to Email Firewall users, Email Firewall uses the
private key (stored encrypted in the Email Firewall database) that corresponds
to the public key used to encrypt the message. If the message is encrypted for
any private key in the Email Firewall database, the message is successfully
decrypted. A Proxy Decrypt and Verify policy must be in effect.
Proxy Signature
To digitally sign outgoing messages on behalf of Email Firewall users, Email
Firewall signs the message with its own private key and for S/MIME uses the
proxy certificate in the digital signature. In the case of OpenPGP, Email
Firewall will sign with the imported internal user's PGP private key or generate
a new proxy PGP private key if the internal user does not have one imported. A
Proxy Encrypt and/or Sign policy must be in effect on the external recipient’s
user record.
Proxy Verification
To verify a digital signature on an incoming message, Email Firewall finds a
user record in the Email Firewall Directory that corresponds to the sender. If the
record exists, Email Firewall verifies that the incoming certificate or signing
PGP key is associated with the sender’s user record and uses the certificate or
key to verify the digital signature. For the operation to be successful, all of the
following must be true:
• The message sender must have a user record in the Email Firewall
directory.
• The sender’s user record must be associated with a certificate or PGP key.
• The e-mail address associated with the PGP key must match the e-mail
address associated with the external user's record.
Similarly, the manual association of a certificate may cause the proxy encrypt
and sign policy to fail if the manually associated certificate is not enabled for
automatic association or if that certificate becomes invalid.
Care must also be taken when applying this automatic lookup feature because a
user record for a particular user may not be in the same location in the Email
Firewall directory hierarchy as a domain record for users of that domain. If this
is the case, and the policy using this feature is only added to the domain record
or to a superior folder of the domain record, the policy may not be applied to the
user.
Policy Usage
The most common use for this policy is where an organization’s partner,
customer or client has S/MIME enabled at the desktop, and communication
between the Email Firewall-enabled organization and the external organization
is with a select set of people. In this case, the Email Firewall administrator can
create a folder for that external partner with this policy applied. The
administrator can then import the root certificate for the external partner’s CA.
The administrator then creates user records in this folder for the set of users for
which secure communication is required. Those external users are then required
to send a signed message to Email Firewall, and the certificate association is
automatically made.
Care must be taken when applying this policy because a user record for a
particular user may not be in the same location in the Email Firewall directory
hierarchy as a domain record for users of that domain. If this is the case, and the
New Certificates
The policy will reset the default encryption certificate if a new appropriate
certificate is found. However, it will not remove any of the current certificate
associations. When a certificate is received that meets the proxy certificate
criteria (i.e., chains to trusted root, appropriate purpose enabled), when other
certificates are already associated with a user record, the new certificate is
associated to the user and becomes the default certificate. This allows external
users to change certificates without any intervention by the Email Firewall
administrator.
Policy Limitations
This policy has several limitations.
• The policy set that is selected must be the result of finding a user record
from the email address in the mail message being processed.
• Only the primary email address for the Email Firewall user record is used
in certificate auto association; none of the configured alternate aliases are
used. Therefore, the primary email address must match the email address in
the certificate for the policy to succeed. The email address in the certificate
can be specified in either the subject field or in the subjectAltName
certificate extension.
• Email Firewall will search for a valid certificate, i.e., one that is suitable
for encryption, that has not expired and that has not been revoked. If no
valid certificate is found, then no association is made.
• Automatic certificate association can be used for user records only, not for
domain records.
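The eligibility rules for automatic certificate association listed above, together with the address-matching rule of proxy verification (the address in the certificate or key must match the address on the user record), can be written down as one decision function. The following Python example is added here and is not Email Firewall code; the CertificateInfo and DirectoryRecord structures, their field names and the sample values are assumptions standing in for whatever X.509 parser and directory lookup are actually in use.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Added example; not Email Firewall code. The structures below are assumed
# shapes for a parsed certificate and a directory record.


@dataclass(frozen=True)
class CertificateInfo:
    """Attributes of an incoming S/MIME certificate that the decision needs,
    as produced by whatever X.509 parser is in use (parsing and chain
    building are outside this example)."""
    subject_email: Optional[str]        # emailAddress attribute in the subject, if any
    san_emails: Tuple[str, ...]         # rfc822Name entries of subjectAltName
    not_after: datetime                 # expiry, timezone-aware
    chains_to_trusted_root: bool        # a chain to an imported trusted root was built
    key_encipherment: bool              # key usage permits encryption
    revoked: bool                       # listed in a current CRL


@dataclass(frozen=True)
class DirectoryRecord:
    """An Email Firewall Directory record (assumed shape for this example)."""
    primary_email: str
    aliases: Tuple[str, ...] = ()
    is_domain_record: bool = False


def certificate_emails(cert):
    """All e-mail addresses the certificate carries, case-folded."""
    candidates = (cert.subject_email,) + tuple(cert.san_emails)
    return {addr.lower() for addr in candidates if addr}


def auto_association_decision(record, cert, now):
    """Decide whether `cert`, received in a signed message, may be
    automatically associated with `record`. Returns (eligible, reason).

    The rules follow the Policy Limitations: user records only; only the
    primary address is matched (aliases are ignored); the address may sit in
    the subject or in subjectAltName; the certificate must chain to a trusted
    root, be enabled for encryption, and be neither expired nor revoked."""
    if record.is_domain_record:
        return False, "automatic association applies to user records, not domain records"
    if record.primary_email.lower() not in certificate_emails(cert):
        return False, "primary email address not found in certificate subject or subjectAltName"
    if not cert.chains_to_trusted_root:
        return False, "certificate does not chain to a trusted root"
    if not cert.key_encipherment:
        return False, "certificate is not enabled for encryption"
    if cert.not_after <= now:
        return False, "certificate has expired"
    if cert.revoked:
        return False, "certificate has been revoked"
    return True, "certificate associated and set as the default encryption certificate"


if __name__ == "__main__":
    # Constructed sample: the certificate names only an alias of the record.
    now = datetime(2004, 6, 1, tzinfo=timezone.utc)
    alice = DirectoryRecord("alice@partner.example", aliases=("a.smith@partner.example",))
    alias_cert = CertificateInfo("a.smith@partner.example", (), datetime(2005, 1, 1, tzinfo=timezone.utc),
                                 True, True, False)
    print(auto_association_decision(alice, alias_cert, now))
```

The alias case is the one most often overlooked when a partner's certificate is issued to a secondary address: the association silently does not happen, and the Proxy Encrypt and/or Sign policy then fails for that recipient until the primary address on the record is changed to match.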
Plaintext Access
Plaintext access policies are useful when you do not want email users to send or
receive encrypted mail that cannot be reviewed by Email Firewall for content
scanning for sensitive information, viruses, spam, etc. If Email Firewall
receives an encrypted message that requires a private key that it cannot access
(for example the private key of a particular user), then it cannot decrypt the
message and none of the email scanning policies can be applied. A Plaintext
Access policy is used to ensure that mail is encrypted not only for the sender and
recipient, but also for Email Firewall. This type of policy is applied when the
message is encrypted but the Email Firewall server does not have the key to
decrypt it, and can apply to either sender or recipient.
Use this sender or recipient policy to ensure that messages are encrypted for
Email Firewall in addition to the intended recipients. Encrypting a message for
Email Firewall means that security policies can decrypt them. Once decrypted,
the Policy Engine can process them and apply any other policy actions the
message may invoke.
With a plaintext access policy in place, when an S/MIME or OpenPGP sender
encrypts a message to an S/MIME or OpenPGP recipient on the opposite side
of the Email Firewall Server but does not include the Email Firewall server as a
recipient of the message, the message is received by Email Firewall and,
because the plaintext access policy is enabled, it automatically returns the
message with instructions on how to send encrypted email through Email
Firewall.
These instructions explain that the message must also be encrypted for Email
Firewall and the Email Firewall secure server’s email address (in the format
secure-server@domainname.com) is provided. This address must be
identical to the Email Firewall secure server address; it cannot be changed by
the administrator. The Email Firewall public key certificate and/or details of
how to obtain the server’s PGP key are also included for the user to associate to
the Email Firewall secure server email address.
At this point the sender now understands the corporate encryption policy and
can send encrypted email to the intended recipient as before, but now also cc:
the Email Firewall Server email address. When the message is received, Email
Firewall can hold the message, decrypt its copy, process the plaintext through
By default, Security policy types preserve the security of the message. In other
words, they will allow other policies to examine the contents of an encrypted
message (provided you have a plaintext access policy in place), but not modify
them. If you want other policies (such as virus policies) to be able to modify the
contents of secure messages, you must explicitly create an Allow Security
Stripping policy for both the sender and the recipient.
The Sender Signature policy type provides digital signatures on behalf of
message senders. Digital signatures provide the highest level of email sender
authentication possible. By deploying policies that use this feature, an
organization can provide authenticated email to its email recipients. The
organization can thus protect itself from spammers and phishers who spoof its
domain in their attacks.
8.7.1 Background
Email Firewall has always supported signing of outbound messages. However,
the Proxy Encrypt and/or Sign policy type that supports this feature is a recipient-
based policy. In order for this policy to be used to sign all outbound mail, an
administrator would have to create a user record for all recipients. In addition,
the signature applied by this policy type can only be one that uses a proxy
certificate that is chained to the root certificate associated with the Email
Firewall server. These types of proxy certificates do not chain to the root
certificates of well-known certificate authorities (CAs) such as VeriSign Class
1, 2, or 3 or GTE Cyber Trust. These limitations are addressed by the Sender
Signature policy type.
The old local server certificate should not be deleted until all
SPN and proxy partners have switched to use the new
certificate. Otherwise Email Firewall will be unable to
decrypt mail from that partner.
Email Firewall certificates currently expire ten years after they are generated.
Certificates generated by previous versions of Email Firewall may expire in two
years, so those certificates need to be updated more often. Certificates imported
from external PKIs will vary with regard to their expiration time. See 9.9
Rolling Over S/MIME Certificates on page 497 for information and
instructions.
Email Firewall has tested and supports use of certificates from two third-party
vendors, Entrust and VeriSign. Their certificates are imported using the
PrivateKeyWizard utility. See 10.6 Using the PrivateKeyWizard Tool on page
568 for more information.
Use of third-party certificates is only supported for server-to-server SPNs and
SMG mode; it is not supported for proxy usage. For Entrust certificates, only
single keys are supported. The single key option must be configured properly to
be used with Email Firewall. For more information, see 8.10.1 Supported Third-
Party Server S/MIME Certificates on page 398.
A PGP Key has a public and a private key part. The Public Key is self signed,
and can be signed by other parties that trust this key, to make the PGP equivalent
of a certificate. This is known as the PGP Public Key.
Trusting a Certificate
Before an S/MIME application will use a certificate, it requires that the user
establish trust of the certificate, to ensure that the certificate actually belongs to
the person it is supposed to. There are two ways to establish trust:
• Trust According to Certificate Status, where the certificate is digitally
signed by a certificate authority (CA) and the S/MIME application
contains the CA’s root key. When an S/MIME application contains a root
key, it trusts the root key and, by association, trusts all certificates issued
by that CA. This is also known as chain trust.
• Direct Trust, where the user contacts the owner of the certificate and
verifies the certificate fingerprint.
Direct trust is useful when a certificate is self-signed, rather than signed by
a certificate authority, or is signed by a certificate authority that you do not
know.
The SPN server certificates generated and used by Email Firewall are self-
signed. For imported certificates, Trust According to Certificate Status is used.
Obtaining CRLs
CRLs are usually distributed in one of two ways. In the “pull” model, verifiers
download the CRL from the CA, as needed. In the “push” model, the CA sends
the CRL to the verifiers at regular intervals. A hybrid approach can also be used,
where the CRL is pushed to several intermediate repositories from which the
verifiers may retrieve it as needed. As an example of a site from which CRLs
can be pulled, Verisign CRLs are public information and can be seen and
downloaded from <http://crl.verisign.com>.
Although CRLs are maintained in a distributed manner, there may be central
repositories for CRLs, such as network sites containing the latest CRLs from
many organizations. A large enterprise might establish an in-house CRL
repository to make CRL searches on every transaction feasible.
Email Firewall supports importing CRLs by allowing you to:
• specify the location from which to download CRLs
• store the CRLs in the Email Firewall database for reference
• schedule recurring, automatic CRL imports
If a user record is present for the email address and an external certificate is
associated with the user record, the certificate is added in the response as an
attachment named cert.p7c.
Q: Can I use the same certificate for an Email Firewall SPN and TLS?
A: No. A separate certificate for TLS must be obtained from a third-party CA
and specifically enabled for TLS.
Q: Is there a difference between an Email Firewall that sets up S/MIME to other
domains in SPN mode versus SMG mode?
A: Yes; the main difference is interoperability with other vendors’ gateways
that support S/MIME. Setting up S/MIME in SMG mode guarantees
interoperability with the other vendor's gateway if they are also SMG compliant.
Setting up an S/MIME connection in SPN mode may provide interoperability
with another vendor’s gateway, but it is not guaranteed. There are also several
minor differences between SPN and SMG in the way certificates are generated
and exchanged. See 8.3 Email Firewall Gateway-to-Gateway Security on page
369 for more information.
Certificate
An electronic document that has been digitally signed by an individual or a
certificate authority who will vouch for its authenticity, and which links a public
key to a person or a company. Certificates help to ensure that the public key you
are using to encrypt a message to an individual is actually the recipient’s public
key, and that no one has tampered with it. The email address of the certificate
holder is located in the SubjectAltName field of a typical certificate.
Certificate Authority
An entity whose primary responsibility is issuing and signing public key
certificates. A certificate is authentic to the extent specified by the certificate
authority’s issuing policy.
Decryption
The process of decoding information.
Digital Signature
An algorithm applied to a file that gives correspondents a verifiable way to
ensure that a file or a message they receive from you did in fact come from you
and that it has not been altered.
Encryption
The process of encoding information so that it is unreadable without a
decryption key.
Fingerprint
A unique hash value that identifies a certificate and can be used to verify its
authenticity.
Key
Random or pseudorandom strings, generated by an automatic process, that
allow a user to encrypt and decrypt secure messages. A key is what locks and
unlocks S/MIME and OpenPGP messages.
OpenPGP
A standard for encrypting and signing e-mails using digital certificates based on
PGP (Pretty Good Privacy) keys.
Public Key
One of a pair of digital keys that you use to encrypt and decrypt messages. This
is the key you send to correspondents so that they can encrypt messages to you
and decrypt your signature.
The security of a message is determined by the length of the key used to encrypt
the message. The longer the key, the more complex the algorithm. The more
complex the algorithm, the more secure the message. While key lengths inside
the United States are not restricted, the U.S. Government does not allow the
export of some key lengths to listed terrorist nations.
S/MIME
Secure Multipurpose Internet Mail Extension: A standard for encrypting and
signing e-mails using digital certificates based on X.509v3.
SMG
S/MIME Gateway (SMG) is the specification for interoperability among
gateway-to-gateway S/MIME vendors - http://www.opengroup.org/smg/cert.
When email domains have exchanged SMG mode-compliant, S/MIME Version
3.1 certificates, a secure messaging link is established between the two email
domains. When an S/MIME Gateway is established, Email Firewall
automatically encrypts and optionally digitally signs the mail that flows
between the two domains. You should consider configuring the Email Firewall
in SMG mode with all new domains for which an S/MIME encrypted link is
desired.
SPN
A Secure Public Network (SPN) is a secure messaging link between two Email
Firewall domains or an Email Firewall domain and a non-SMG compliant
domain that supports S/MIME at the gateway. When you establish an SPN,
Email Firewall automatically encrypts and digitally signs the mail that flows
between the two domains. SPN pre-dates the SMG standard and is the
TLS
Transport Layer Security (TLS) is a protocol that ensures privacy and optionally
two-way authentication between communicating clients and servers on the
Internet.
This chapter describes how to set up and use cryptography, digital signatures,
certificates, keys and Email Firewall policies to implement secure messaging
policies in your organization. It provides instructions for configuring a server-
to-server Secure Public Network (SPN™), a server-to-server S/MIME Gateway
(SMG mode), server-to-client proxy security, client-to-client security, and a
sender signature policy. It provides procedures for automating certificate
associations with user records, automating certificate lookups, and managing
Certificate Revocation Lists and accessing CRL Distribution Points. It also
provides instructions for setting up certificates for use with Transport Layer
Security (TLS).
For overview information about S/MIME and OpenPGP security and SMTP
over TLS in general, and about how Email Firewall implements these security
features, see Chapter 8, Email Encryption and Authentication Overview.
This chapter contains the following sections:
9.1 Setting Up Email Firewall Security........................................ 430
9.2 Setting Up Key Pairs and Certificates for S/MIME ............... 433
9.3 Setting Up PGP Keys ............................................................. 442
9.4 Setting Up Certificates for TLS .............................................. 445
9.5 Setting Up for Sender Signature Policies............................... 451
9.6 Setting Up a Secure Public Network ...................................... 458
9.7 Setting Up for SMG Mode...................................................... 471
9.8 Setting Up S/MIME Proxy Security ........................................ 474
9.9 Rolling Over S/MIME Certificates ......................................... 497
9.10 Downloading Certificate Revocation Lists ............................. 500
9.11 Specifying the CRL DP LDAP Lookup................................... 503
9.12 Setting Up OpenPGP Proxy Security..................................... 504
9.13 Rolling Over OpenPGP Proxy Domain Keys ........................ 519
9.14 Setting Up S/MIME and OpenPGP Client-to-Client Security 521
To generate a certificate and key pair for an Email Firewall SPN or S/MIME
Gateway:
1. In the left menu, click Set Up to open the Set Up page.
2. Under the Security heading, click Secure Domains and Local Certificates to
open the Set Up > Secure Domains & Local Certificates (and SPN Setup)
page.
3. On the Local Certificates tab, click Generate to open the Generate Key pop-
up.
4. Type a name in the Organization Name field that will differentiate this
certificate from others.
Your organization's name is a reasonable choice. However, if you will be
establishing SPNs or S/MIME Gateways for different departments or for
multiple locations, additional distinguishing information, such as the
location or department name, may be useful.
5. Type in the Email Domain information. The generated certificate will
belong to this domain name.
6. Select a Key Length using the drop-down arrow, and click Generate.
If this certificate will be used for an S/MIME Gateway, the key length
must be Commercial Grade 1024-bits. In this case, the Key Length option is
greyed-out and cannot be changed.
Depending on the key size, the key generation may take a few moments.
7. Verify that the new certificate appears in the Local Certificates tab.
Do not manually import the certificate; it cannot be used without its associated
key pair. Instead, import the key pair using the PrivateKeyWizard tool. Note
that other applications, such as a browser, may use the term certificate to refer
to a private key file (.p12, .pfx, or .key file).
A server certificate should have an email address of the form
secure-server@<domain_name>, where the secure-server@ part is hardcoded.
This is useful when Email Firewall plaintext access policies are used.
Purchase instructions are provided on the VeriSign website. When you
purchase the certificate, the specific process depends on which web server
you use to request the certificate.
You can obtain Entrust root certificates using the Entrust GUI or the Entrust
Master Control Command Shell.
To use the Entrust Master Control Command Shell command to export the
CA certificate:
ca cert export -binary -x509 -pkcs7 "c:/program files/entrust/cacert.der"
To obtain the Entrust Root Certificate from a user or server certificate issued
by the Entrust Root Certificate:
1. Obtain any user or server certificate issued by the Entrust CA in .p7c
format.
2. Open the certificate using Microsoft tools (typically by double clicking on
the file).
3. Go to Certification Path.
4. Open the root certificate.
5. Copy it into a file.
To obtain the Verisign Root Certificate from a user or server certificate issued
by Verisign:
1. Obtain any user or server certificate issued by the Verisign CA in .p7c
format.
2. Open the certificate using Microsoft tools (typically by double clicking on
the file).
If you select the DSA algorithm, the key length is limited to
1024 bits.
7. Select the PGP algorithm in the PGP algorithm drop-down menu. The
following are your PGP algorithm options:
• DSA—Digital Signature Algorithm
• RSA—RSA algorithm
8. Click Generate. Depending on the selected key size and algorithm, the key
generation may take a few moments.
9. Verify that the newly generated PGP key appears under the PGP Keys ID
heading within the PGP Keys tab.
10. In the row for the new PGP key, click View to open the PGP Key Properties
page to review the details of the key.
11. Scroll to the Local Secure Domains tab.
Email Firewall does not support the use of multiple key rings.
If you need to import key pairs of multiple users, export each
key-pair to a separate ASCII-armored file and import the
files one by one.
The following example shows how to create a local secure domain and associate
a certificate with it. Before proceeding, if you have not done so already, you
should create a certificate to use with SPN. To create a certificate, follow the
procedure outlined in 9.2 Setting Up Key Pairs and Certificates for S/MIME on
page 433.
6. Click Create.
7. Verify the new local secure domain appears on the Local Secure Domains
tab associated with the certificate you selected.
Before you perform this step, make sure that the external
Email Firewall server has generated a local certificate for its
primary Local Secure Domain. The external Email Firewall
server should also have Auto-Respond to SPN link requests
enabled. See 9.6.3 Setting Up Email Firewall to Respond to
SPN Links on page 463.
3. If you want to customize the default message, type any changes in the
field. It is recommended that you change the default text to include the
name of the domain from which the response is being sent. This will
identify you more accurately to the external domain.
4. By default, the Forward SPN link requests to checkbox is marked. Marking
this checkbox ensures that you receive email notification that an SPN link
request has been received.
4a. In the Name field, type the name you want to appear on the request
notification.
4b. In the Email Address field, type the email address to which the
SPN link request notification should be sent.
5. Click Update to commit the new configuration information to the database.
Now when an SPN link request is received, Email Firewall will automatically
respond to the request to provide the certificate for the local domain, and will
notify the administrator that the link has been requested.
This selection ensures that mail sent from this domain is only
accepted if it is signed and encrypted. It is recommended
that you wait 24 hours before selecting this option to allow
for receipt of unencrypted messages that may have been
sent before the SPN was established.
When Email Firewall receives an SPN message (or VPN message, if the
message is from a previous version of Email Firewall), it adds the
X-SMIME-VPN: Processed header to the message after decrypting it. One way to
determine whether an SPN message was processed successfully is to create a
policy that scans for the existence of the X-SMIME-VPN header, so that when
the policy is triggered it verifies a successful SPN. Figure 9.7 shows what
the policy will look like when completed.
Figure 9.8: Creating a Custom Header Field to Check for Successful SPN
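The following Python script is an added example, not Tumbleweed code, of the check the policy above performs: it parses a message and reports whether the X-SMIME-VPN: Processed header that Email Firewall writes after decryption is present with exactly that value. The three sample messages are constructed for the example, not captured gateway traffic.

```python
"""SPN success check: Email Firewall adds "X-SMIME-VPN: Processed" after it
decrypts an SPN (or legacy VPN) message, so a policy that looks for that
header verifies the SPN worked. Added example, not Tumbleweed code; the
messages below are constructed samples, not captured gateway traffic."""
import email

SPN_HEADER = "X-SMIME-VPN"
SPN_VALUE = "Processed"

# Constructed: what a message looks like after the gateway decrypted it.
SPN_OK = """\
From: partner@externaldomain.com
To: jsnyder@localdomain.com
Subject: Q3 figures
X-SMIME-VPN: Processed

Decrypted body text.
"""

# Constructed: a message that arrived in the clear (no SPN processing).
NOT_SPN = """\
From: partner@externaldomain.com
To: jsnyder@localdomain.com
Subject: Q3 figures

Body text that was never decrypted by the gateway.
"""

# Constructed: header present but with a value the gateway does not write.
ODD_VALUE = """\
From: partner@externaldomain.com
To: jsnyder@localdomain.com
Subject: Q3 figures
X-SMIME-VPN: pending

Body text.
"""


def spn_header_values(raw_message: str) -> list:
    """All X-SMIME-VPN values in the message, whitespace-trimmed."""
    msg = email.message_from_string(raw_message)
    return [v.strip() for v in msg.get_all(SPN_HEADER, [])]


def is_spn_processed(raw_message: str) -> bool:
    """True only when the header carries the value the gateway writes."""
    return any(v.lower() == SPN_VALUE.lower() for v in spn_header_values(raw_message))


def apply_spn_policy(raw_message: str) -> str:
    """Mirror of the policy in the text: header present -> Deliver Normally.
    Anything else is "No match" and falls through to the next policy."""
    return "Deliver Normally" if is_spn_processed(raw_message) else "No match"


def spn_report(messages: dict) -> dict:
    """Outcome per message name, e.g. for reviewing a batch from the logs."""
    return {name: apply_spn_policy(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    batch = {"spn_ok": SPN_OK, "not_spn": NOT_SPN, "odd_value": ODD_VALUE}
    for name, outcome in spn_report(batch).items():
        print(f"{name}: {outcome}")
```

The check compares the header value, not just its presence, so a header with an unexpected value does not count as a verified SPN. A policy keyed on a header is only as trustworthy as the gateway's control over that header: it is evidence for messages that went through the gateway's decryption step, which is where the text says the header is added.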
4. Review your new header under the Header Field column, then click OK.
5. In the Policies > Edit Summary page, click Action to open the Policies >
Edit Actions page.
6. Under the Deliver heading, verify the Deliver Normally radio button is
marked (it should be marked by default; if it is not, mark it now).
                SMG                                  SPN
Remote server   Any S/MIME gateway from an SMG       Ideally a Tumbleweed Email Firewall 6.0,
                certified vendor                     MMS 5.6.3 or earlier gateway. Interoperability
                                                     with other vendors’ gateways has been
                                                     demonstrated in the field, but not
                                                     guaranteed.
For conceptual and background information about SMG mode, see 8.3 Email
Firewall Gateway-to-Gateway Security on page 369.
This selection ensures that mail sent from this domain is only
accepted if it is signed and encrypted. It is recommended
that you wait 24 hours before selecting this option to allow
for receipt of unencrypted messages that may have been
sent before the SPN was established.
13a. Select the policy for non SPN messages received from SPN
domains. By default, the SPN: Non-SPN Message policy is
selected.
13b. Select the policy for imperfect SPN messages received from SPN
domains. By default, the SPN: Imperfect SPN Message policy is selected.
14. Click Select Certificate and select the SMG certificate for use with this
domain.
15. The Encryption Algorithm for SMG must be Commercial Grade 112-bit Triple
DES (3DES).
16. The Signing Algorithm if signing is required must be SHA1.
17. Click Save.
1. Generate a key pair and certificate for the local secure domain, if one has
not already been created, and configure Email Firewall to use the
certificate as the proxy signing certificate.
2. Export and publish the root key. See 9.8.5 Exporting and Publishing the
Root Certificate on page 478.
3. Enable Proxy Certificate Usage and Certificate Responder to automate the
proxy security process. See 9.8.6 Enabling S/MIME Proxy Certificate
Usage and Responder on page 479.
4. Create the necessary directory folders and proxy security policies, and
apply them to the appropriate directory folders:
4a. Client Encryption and Signature policy for the External folder.
4b. Detect cert-query policy with root key instructions to the
External folder.
When you use proxy security, be sure that your relay is not
configured as an open relay. See 2.5 Setting Up Relays on
page 32 for more information.
If you need to configure Email Firewall to use the new certificate as the
S/MIME proxy signing certificate:
1. Scroll to the Local Secure Domains tab.
2. To create a new local secure domain, see 9.6.1 Defining and Associating
Local Secure Domains on page 458.
3. Under the SPN Signing Certificate heading, verify the certificate is
associated with the appropriate local secure domain, for this example,
localdomain.com. If it is not, edit the local secure domain and select the
required SPN signing certificate.
To trust a proxy certificate, some S/MIME clients must contain the root
certificate that issued the proxy certificate. The Email Firewall server certificate
that issues a proxy certificate acts as its root key. To accomplish this for this
example, the server certificate that you use for S/MIME proxy security for John
must be made available to Selena, the S/MIME proxy security external user. See
9.2.2 Sharing the Certificate and Root Key on page 435 for instructions on how
to make the certificate available.
For this example, assume that the server certificate, if needed, has been shared
with Selena.
A proxy certificate enables email security with external users whose S/MIME
clients require that the email address in a certificate exactly match the email
address in the header of the email. For this example, Selena needs this type of
certificate to communicate securely with John.
The Email Firewall Certificate Responder automatically locates and sends
proxy certificates when requested. When the certificate responder options are
selected, if a proxy certificate does not exist, Email Firewall creates one. If a
certificate is requested, Email Firewall automatically provides it. See 9.2.3
Enabling Email Firewall Certificate Responder on page 437 for additional
information.
1. Create a Basic Mail Filtering Detect cert-query policy to notify the sender,
in this example Selena, when Email Firewall detects inbound messages
addressed to any domain on the address list cert-query.
2. Create the notification Email Firewall Root Key to inform senders how to
obtain your root key. The notification should include the instructions for
how to obtain your root key, for example, instructions to go to your web
site, or instructions for how to send the cert-query email to obtain the
root key. See 9.2.2 Sharing the Certificate and Root Key on page 435.
See 6.4.2 Creating a New Notification for a Policy Action on page 290 for
general instructions on creating notifications.
3. As a policy action, send the notification Email Firewall Root Key.
4. Click Save to commit the policy to the database.
5. Add the policy to the External folder. Review the previous procedure for
instructions on adding policies to the Email Firewall Directory.
5. To define the policy failure actions, click these actions to open the Actions
for Original Message page. See Figure 9.15.
8. Create a new folder named External S/MIME Proxy Security in the External
folder. This is the folder where you will place the user records of all
external S/MIME users who use S/MIME proxy security.
8a. In the Email Firewall main menu, click Directory to open the
Directory page.
Your directory environment is now set up for the example user, Selena, and for
any other external S/MIME proxy users.
5. Review the requirements that allow the policy to succeed and be sure to
create the appropriate environment. These requirements are set out in
Figure 9.17.
6. Click OK and review the policy summary. See Figure 9.18.
For purposes of the example S/MIME proxy security between Selena, the
external user, and John, the local user, we want to enable the root key purposes
for auto-association.
For the example External User, Selena, create a user record for Selena Garcia
in the External S/MIME Proxy Security folder:
1. In the External S/MIME Proxy Security folder row, click Open.
2. In the Entry field, type Selena Garcia.
3. In the Type column, use the drop-down arrow to select User.
4. Click Create.
5. In the User Properties tab, Public Email Address field, type
selena.garcia@externaldomain.com.
6. Click Save.
For the example Local User, John, create a user record for John Snyder in the
Internal S/MIME Proxy Security folder:
1. In the Directory page, click the All folder and then the Internal folder.
2. In the Local S/MIME Proxy Users folder row, click Open.
3. In the Entry field, type John Snyder.
4. In the Type column, use the drop-down arrow to select User.
5. Click Create.
6. In the User Properties tab, Public Email Address field, type
jsnyder@localdomain.com.
7. Click Save.
2. When the rollover period has started, use any of several ways to distribute
the new certificate to your SPN and proxy partners:
• Issue new SPN link requests to all SPN partners with a message that
explains that the old certificate is being replaced. The SPN partner
must then accept this request in the normal way. Once accepted, the
new certificate is automatically associated with your domain
record.
When issuing new SPN link requests, in order for the SPN link
request to be signed by the new server certificate, you must
temporarily associate the new server certificate as the SPN signing
certificate for the primary local secure domain. Since you have not
yet rolled over the old certificate, after the SPN Link request is sent,
you should re-associate the old server certificate as the SPN signing
certificate for the local secure domain.
• Send the new certificate by email to all SPN and proxy partners,
with instructions on how to replace the old certificate with the new
one.
• Send a message with a link to your web site that contains the
certificate and instructions.
The instructions sent to SPN partners should advise them to:
2a. Import the new certificate in the S/MIME Certificates list.
2b. Establish that it is a Trusted certificate.
2c. Associate the new certificate with your domain record in their
Email Firewall database.
The instructions sent to proxy partners should advise them to import the
new server certificate as a Trusted Root certificate in their email client.
3. Advise SPN partners that after they have successfully imported the new
certificate and associated it with your domain record, they should keep
your old certificate in their Email Firewall database until after the end of
the rollover period.
To identify the HTTP Proxy Server through which to access the CRL source:
1. In the left menu, click Set Up to open the Set Up page.
2. Click Proxy Servers to open the Proxy Servers page.
3. In the HTTP Proxy tab, mark the Use HTTP Proxy Server checkbox.
3a. In the Address field, enter the hostname of the HTTP proxy the
Email Firewall will use to access and download the CRLs.
3b. In the Port field, enter the port number of the HTTP proxy the
Email Firewall will use to access and download the CRLs. The
default port number is 80.
4. If you require authenticated access to the HTTP Proxy Server, mark the
Use Authenticated Access to HTTP Proxy Server checkbox.
4a. In the User Name field, enter your user name.
4b. In the Password field, enter your password.
5. Click Save.
To identify the LDAP Data Source for CRL Distribution Point host information:
1. If you are not already viewing the Setup > CRL Download page:
1a. In the left menu, click Setup.
1b. Under the Security heading, click CRL Download.
2. In the CRL Distribution Point LDAP Lookup tab, use the drop-down list
beside the LDAP Data Source heading to select the correct data source, then
click Save.
If you have not previously configured a data source for CRL Distribution
Point LDAP lookups, proceed to the next step.
3. To configure a data source for CRL Distribution Point LDAP lookups,
click (add new data source).
4. Proceed to 10.2.3 Identifying the Data Source for LDAP Import on page
540 for information and instructions on how to identify a data source for
LDAP import. Figure 9.20 shows the LDAP Import page where you
configure the data source.
Figure 9.20: Specifying an LDAP Import Data Source for CRL Distribution Point
6. Click Save.
To generate a PGP key for the local domain to be used for OpenPGP proxy
security:
1. In the left menu, click Set Up to open the Set Up page.
2. Under the Security heading, click Secure Domains & Local Certificates to
open the Set Up > Secure Domains & Local Certificates (and SPN Setup)
page.
3. On the PGP Keys tab, click Generate to open the Generate Key page.
Review and follow the procedure described in 9.3 Setting Up PGP Keys on
page 442 to generate a key pair for this exercise.
4. Verify that the new PGP key appears in the PGP Keys tab.
To configure Email Firewall to use the new PGP as the proxy PGP key:
1. Go to the Local Secure Domains tab of the Secure Domains & Local
Certificates (and SPN Setup) page.
To create a new local secure domain, see 9.6.1 Defining and Associating
Local Secure Domains on page 458.
2. Select the local secure domain and edit it. Under the Proxy PGP Keys
heading, select the PGP key associated with domain email address and
click Update.
3. Under the Proxy PGP Keys heading, verify the key is associated with the
appropriate local secure domain. For this example, localdomain.com.
The local PGP key is now associated with the local secure domain
localdomain.com.
5. To define the policy failure actions, click these actions to open the Actions
for Original Message page. See Figure 9.25.
Your directory environment is now set up for the example user, Selena, and for
any other external OpenPGP proxy users.
For the example External User, Selena, create a user record for Selena Garcia
in the External OpenPGP Proxy Security folder:
1. In the External OpenPGP Proxy Security folder row, click Open.
2. In the Entry field, type Selena Garcia.
3. In the Type column, use the drop-down arrow to select User.
4. Click Create.
For the example Local User, John, create a user record for John Snyder in the
Internal OpenPGP Proxy Security folder:
1. In the Directory page, click the All folder and then the Internal folder.
2. In the Local OpenPGP Proxy Users folder row, click Open.
3. In the Entry field, type John Snyder.
4. In the Type column, use the drop-down arrow to select User.
5. Click Create.
6. In the User Properties tab, Public Email Address field, type
jsnyder@localdomain.com.
7. Click Save.
The following steps show what happens when John now sends a message to
Selena:
1. John composes a message to Selena and sends it to her at her fully
qualified email address.
2. Email Firewall checks to see if John already has a proxy PGP key. If not,
Email Firewall creates a proxy PGP key for him.
3. Email Firewall signs the message with the proxy PGP key.
4. Email Firewall finds Selena’s Email Firewall Directory record and
associated PGP key, and encrypts the message with this key.
5. Email Firewall sends the message.
The following steps show what happens when Selena sends a message to John:
1. Selena composes the message in her email client and chooses to encrypt to
John using his proxy PGP key.
2. The encrypted message arrives at Email Firewall.
3. Email Firewall decrypts the message using John’s proxy PGP key.
4. The message is forwarded in the clear to John who can open it in his
standard email client.
To create a plaintext access policy based on the recipient of the encrypted message:
1. In the left menu, click Policies.
2. In the Policies page, click Create.
8. In the Notification Text field, type the message text you want the message
sender to read and act upon. For example:
You cannot send encrypted messages to this domain
unless you send an encrypted copy of the message to the
service itself. You should first request the S/MIME
certificate or PGP key associated with the domain. If
you are using S/MIME, this message will be signed with
the S/MIME key. If you are using PGP, you should request
the PGP key for the server by sending an email to pgp-
keys@domain.com with subject line of domain.com. Once
you have obtained the S/MIME certificate or PGP key,
you should cc: encrypted messages to
secure-server@domain.com.
9. Click OK and review the policy summary. If it is correctly defined, click
Save.
10. Apply the policy to the appropriate location in the Email Firewall
directory. For this example, apply it to the Internal folder so that all email
users who attempt to send encrypted messages to your organization are
prevented from doing so unless the message is also encrypted for Email
Firewall, so that the message contents can be scanned prior to delivery
within your organization.
11. Test the policy.
8. In the Notification Text field, type the message text you want the message
sender to read and act upon. For example:
You must install the attached Email Firewall Public Key
and cc: <secure-server@domain.com> when sending
encrypted mail.
9. Click OK and review the policy summary. If it is correctly defined, click
Save.
10. Apply the policy to the appropriate location in the Email Firewall
directory. For this example, apply it to the Internal folder so that messages
that Email Firewall cannot decrypt are returned to the sender with the
information that in order to send encrypted messages from your
organization, the message must also be encrypted for Email Firewall so
that the message contents can be scanned.
11. Test the policy.
Both the sender and the recipient must have a Security Stripping policy in place
before the policy will take effect.
Verify the message is returned to you with the Not Signed notification.
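The plaintext access policies above rest on one rule: an encrypted message is allowed through only if it was also encrypted for the gateway's own secure-server@ address, so that the gateway can decrypt and scan it. The following Python script is an added example, not Tumbleweed code, of that rule applied at the message level. The gateway address secure-server@domain.com follows the secure-server@<domain_name> convention stated earlier in the chapter, and every message is a constructed sample with placeholder bodies.

```python
"""Plaintext-access check: an encrypted message is delivered only if the
gateway's own address (secure-server@<domain>) is among the recipients, so
the gateway can decrypt and scan it before delivery. Added example, not
Tumbleweed code; the gateway address and all messages are constructed."""
import email
from email.utils import getaddresses

GATEWAY_ADDRESS = "secure-server@domain.com"  # constructed; secure-server@ prefix per the text


def security_type(msg) -> str:
    """Classify the outermost MIME layer: S/MIME, OpenPGP, signed or clear."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime = (msg.get_param("smime-type") or "").lower()
        if smime == "enveloped-data":
            return "smime-encrypted"
        return "smime-signed" if smime == "signed-data" else "smime-other"
    if ctype == "multipart/encrypted":
        if msg.get_param("protocol") == "application/pgp-encrypted":
            return "pgp-encrypted"
        return "encrypted-other"
    if ctype == "multipart/signed":
        return "signed"
    return "clear"


def classify(raw_message: str) -> str:
    return security_type(email.message_from_string(raw_message))


def recipients(msg) -> set:
    """Lower-cased addresses from To and Cc (envelope recipients are not visible here)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def plaintext_access_decision(raw_message: str, gateway: str = GATEWAY_ADDRESS) -> str:
    """'deliver' when the gateway can inspect the content, else 'return-to-sender'."""
    msg = email.message_from_string(raw_message)
    if security_type(msg) not in ("smime-encrypted", "pgp-encrypted"):
        return "deliver"  # not encrypted: normal content scanning applies
    return "deliver" if gateway.lower() in recipients(msg) else "return-to-sender"


# Constructed samples; the bodies are placeholders, not real CMS or PGP data.
SMIME_WITH_CC = """\
From: jsnyder@localdomain.com
To: selena.garcia@externaldomain.com
Cc: secure-server@domain.com
Subject: contract
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

SMIME_NO_CC = SMIME_WITH_CC.replace("Cc: secure-server@domain.com\n", "")

PGP_NO_CC = """\
From: jsnyder@localdomain.com
To: selena.garcia@externaldomain.com
Subject: contract
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
--b1--
"""

CLEAR = """\
From: jsnyder@localdomain.com
To: selena.garcia@externaldomain.com
Subject: lunch

See you at noon.
"""

if __name__ == "__main__":
    for name in ("SMIME_WITH_CC", "SMIME_NO_CC", "PGP_NO_CC", "CLEAR"):
        print(name, classify(globals()[name]), plaintext_access_decision(globals()[name]))
```

This is a header-level approximation: a Cc to the gateway shows intent but does not prove the content was encrypted to the gateway's key. Email Firewall itself settles the question by attempting decryption, which is why the procedure above returns messages the gateway cannot decrypt rather than messages that merely lack the Cc.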
The Tumbleweed Email Firewall program provides tools that perform a variety
of administrative functions. These tools include directory tools used to find and
import new users into the Email Firewall Directory, tools to help with security
administration, updates, and troubleshooting. This chapter describes these tools
and instructions for how to use them.
All tools that access the Email Firewall database rely on the role capabilities
granted to the admin account. An administrator who wants to use these tools
must have the appropriate role capabilities. For this reason, many of the tools
require entry of a user name and password to use the tool. For LDAP Import,
the administrator must have a role with access to the Email Firewall Directory.
This chapter contains the following sections:
10.1 Email Firewall Directory Tools .............................................. 532
10.2 Setting Up LDAP Directory Imports ...................................... 534
10.3 Performing the LDAP Import ................................................. 552
10.4 Using the Command Line Program Tools .............................. 560
10.5 Using the Word List Tester ..................................................... 564
10.6 Using the PrivateKeyWizard Tool........................................... 568
10.7 Using the Email Firewall Diagnostics Utility ........................ 582
10.8 Using the EMFDebugLogCapture Tool .................................. 590
10.9 Using EMFSave ...................................................................... 592
10.10 Using the Email Firewall Update Service.............................. 602
10.11 Using the Configuration Editor.............................................. 609
10.1 Email Firewall Directory Tools
A default directory structure is set up during installation. See 5.3 Email Firewall
Directory on page 220 for information. The two tools described here assist in
using and setting up the Directory. They are:
• Find User
• Import Directory
In the left menu, click Directory to open the Directory page. The buttons for
these directory tools are found at the top of every Directory page. See
Figure 10.1.
A mandatory attribute of each directory entry, called an object class, defines the
specific set of required and optional attributes the entry contains. An entry can
belong to one or more standard or auxiliary (user-defined) object classes. For
example, if the object class is person, the attributes for that entry must include
the user’s first and last name, and may include others such as telephone number
and password.
For additional information about the LDAP protocol, see
<http://www.imc.org/rfc2251>. RFC 2849 provides information about the LDIF
format, which is also used by Email Firewall for directory import. See 10.3.2
Creating LDIF Files on page 555 for more information on using LDIF files in
LDAP Import.
Last Name sn sn
The Directory > Import Directory > Data Source > Edit Source page has three
columns under the Custom Filter Attribute Mapping heading:
• Attribute Name: This column is for display purposes only. The value typed
in this column will appear as an available selection when mapping the
named attribute when creating a query filter.
• Internal Source Identifier: The Internal Source Identifier column represents
the actual attribute names in the LDAP source. Before adding an attribute,
you must know the internal attribute name from the LDAP source. In
many instances, the LDAP attribute display name is different from the
actual internal LDAP attribute name.
• Action:
• Use Add to add additional custom filter attributes and internal
source identifiers.
• Use Edit to change the Attribute Name or Internal Source Identifier.
• Use Remove to delete an attribute you do not want to use. Note that
the first five attributes in the list cannot be removed, only modified.
These attributes are used only to define an import query filter. The Email
Firewall Directory Import tool allows filtering on attributes that are defined
An import will fail if any mapping does not work. Often, the
cause of this failure is an inaccessible or invalid data source.
It is recommended that the data source be tested before
using it in a query.
4. In the Data Source Type column, use the drop-down list to select the data
source type you will be using, either an LDAP Server or an LDIF File. For
this example, select LDAP Server.
5. In the Data Source Name column, type a descriptive name for the name of
the data source in the field, usually the name of the server or the name of
the LDIF file. For this example, type test.
6. In the LDAP Schema Type column, use the drop-down arrow to select the
schema type. The currently supported schemas include:
• Microsoft Active Directory
• Exchange 5.5
• Lotus Notes
• Sun One
For this example, select Exchange 5.5.
8. If you selected an LDAP Server as the data source type, define the
following parameters as shown in Figure 10.5.
9. Verify the correct LDAP Schema Type is showing. If it is not, use the
drop-down arrow to make your selection now.
10. Type the name or IP address of the Directory Host for the LDAP Server.
Use the server_name.domain.com format for the directory host name.
11. Type the port number on which the LDAP Server connects. The default
port is 389.
13. Click Update to save the data to the session and close the pop-up page.
14. In the Directory > LDAP Sources > Edit Source page, see Figure 10.5,
beside the Login heading, mark the Anonymous radio button if your LDAP
server does not require authentication to connect.
Or, mark the Authenticated Account radio button if you are connecting to
an LDAP server that requires authentication, and type the Account and
Password information in the fields provided.
14a. If you marked the Authenticated Account radio button, you can
enter the Account information using distinguished name attributes.
Click Enter as Distinguished Name to open the Edit Distinguished
Name pop-up page to enter distinguished name attributes. See
Figure 10.6.
Note that in addition to the fields shown in Figure 10.6, you can
also define distinguished name attributes by common name. Type
the attributes in the Common Name: CN1= and CN2= fields.
2. In the LDAP Query Name column, type a descriptive name in the field. For
administrative ease, it makes sense to type a name similar to the name of
the Data Source that will be invoked by the query. For this example, type
7c. In the Value column, type the value for which you want to filter.
7d. Click Add and verify the new filter attribute appears in the Filter
Specification list.
7e. Optionally, repeat steps 7a through 7d to add additional filter
attributes. If you do so:
In the Conjunction column, use the drop-down arrow to select And
or Or, to include or exclude against the other selected attributes.
See Figure 10.10.
7f. Click Preview to view the filtered results, to be sure you have
caught or excluded the intended users. Use Edit and Delete if you
need to modify a filter attribute, condition, value or conjunction
value.
8. Click Save to commit the new query to the database and close the page.
9. In the Directory > LDAP Queries page, verify the new query appears in
the LDAP Query Name column.
• Email Firewall will read all previously imported users from the
directory.
• Email Firewall will generate Delete modifications for user records
not found in the query results.
1. In the Directory > Directory Import page, Scheduled Imports tab, use the
Sequence drop-down list to select the sequence to import.
2. Click Create.
5. In the Directory > Directory Import page, verify the new schedule appears
on the Scheduled Imports tab.
Cleanup will delete user records previously imported by the sequence that are
no longer returned by that sequence (not all imported records), if they are not
found in the current import results. A user will not be deleted if it is still
imported by another sequence.
If your directory includes a large number of user records, directory cleanup
could take some time.
If you do not want particular user records deleted during cleanup, be sure to
prevent an update on the user record first. See 10.3.3 Stopping Updating of User
Records on page 557.
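The following Python script is an added example, not Tumbleweed code, covering the pieces of the import described in this chapter in one runnable model: parsing an LDIF file in the RFC 2849 format mentioned under 10.1, mapping Internal Source Identifiers to the display Attribute Names used in a query filter, evaluating a filter whose rows are joined with And or Or conjunctions, and planning the cleanup step so that a record is deleted only when the sequence no longer returns it, no other sequence imports it, and updates to it have not been stopped. The LDIF data, the attribute map and the left-to-right conjunction semantics are assumptions made for the example.

```python
"""LDIF import walk-through: parse RFC 2849 LDIF, map internal LDAP attribute
names to the display names used in query filters, evaluate a filter with
And/Or conjunctions, and plan the cleanup step. Added example, not Tumbleweed
code; the LDIF data, attribute map and filter semantics are assumptions."""
import base64

SAMPLE_LDIF = """\
# constructed sample export; last department value is base64 for "Finance"
dn: cn=John Snyder,ou=Users,dc=localdomain,dc=com
cn: John Snyder
sn: Snyder
mail: jsnyder@localdomain.com
department: Finance

dn: cn=Selena Garcia,ou=Users,dc=externaldomain,dc=com
cn: Selena Garcia
sn: Garcia
mail: selena.garcia@externaldomain.com
department: Sales

dn: cn=Pat Lee,ou=Users,dc=localdomain,dc=com
cn: Pat Lee
sn: Lee
mail: plee@localdomain.com
department:: RmluYW5jZQ==
"""

# Attribute Name (display) -> Internal Source Identifier (LDAP attribute). Constructed.
ATTRIBUTE_MAP = {"Last Name": "sn", "Email Address": "mail", "Department": "department"}


def parse_ldif(text: str) -> list:
    """Entries as dicts of lower-cased attribute -> [values]; handles comments,
    continuation lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def matches(entry: dict, filter_spec: list) -> bool:
    """filter_spec rows: (display name, condition, value, conjunction); each row's
    conjunction joins it to the result so far, left to right (assumed semantics)."""
    result = None
    for display, condition, value, conjunction in filter_spec:
        values = [v.lower() for v in entry.get(ATTRIBUTE_MAP[display], [])]
        needle = value.lower()
        if condition == "equals":
            hit = needle in values
        elif condition == "begins with":
            hit = any(v.startswith(needle) for v in values)
        else:
            raise ValueError(f"unknown condition {condition!r}")
        if result is None:
            result = hit
        elif conjunction == "And":
            result = result and hit
        elif conjunction == "Or":
            result = result or hit
        else:
            raise ValueError(f"unknown conjunction {conjunction!r}")
    return True if result is None else result


def run_query(ldif_text: str, filter_spec: list) -> dict:
    """Email address -> mapped record, for every entry the filter keeps."""
    results = {}
    for entry in parse_ldif(ldif_text):
        if matches(entry, filter_spec):
            record = {d: entry.get(a, [""])[0] for d, a in ATTRIBUTE_MAP.items()}
            results[record["Email Address"].lower()] = record
    return results


def plan_import(query_results: dict, previously_imported: set,
                imported_by_other_sequence: set, update_blocked: set) -> dict:
    """Adds, updates and cleanup deletes for one run of a sequence."""
    current = set(query_results)
    return {
        "add": sorted(current - previously_imported),
        "update": sorted((current & previously_imported) - update_blocked),
        "delete": sorted(previously_imported - current
                         - imported_by_other_sequence - update_blocked),
    }
```

Running run_query(SAMPLE_LDIF, [("Department", "equals", "Finance", "And")]) keeps the two Finance entries, including the one whose value was base64-encoded; feeding that result to plan_import with the set of records the sequence imported last time shows which records cleanup would remove. Testing the filter with Preview, as step 7f advises, corresponds to inspecting run_query's result before committing the query.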
10.4.1 MMSLDIFImportConfig
This tool is used when an organization wants to set up Email Firewall Directory
Import to use an LDIF file stored in the Email Firewall database as a data
source. The tool is not needed when the data source is configured to use an LDIF
file specified as a file path.
The MMSLDIFImportConfig command line tool enables dynamic updates to
the LDIF file content. The tool uploads the data used in the LDIF source file to
the Email Firewall database. This ensures that the LDIF data used for directory
import is current with the version of the data in the organization’s LDIF file.
However, any subsequent changes to the original LDIF file are not reflected in
the previously uploaded file.
To use this tool, the organization’s LDAP server is set up so that a script
dynamically generates an LDIF file from the organization’s LDAP server data.
Then, the Email Firewall Directory Import is set up to use that LDIF file as a
data source for LDAP import. See 10.2 Setting Up LDAP Directory Imports on
page 534 for information. This tool allows updates to the LDIF file content in
the Email Firewall database. It provides a way for the Email Firewall LDAP
10.4.2 EMFSave
The EMFSave command line tool is a command line version of the EMFSave
tool described in 10.9 Using EMFSave on page 592. It is provided for
administrators who want to create scripts to perform the EMFSave. It supports
all the options available in the EMFSave UI version.
The following commands can be executed from the command prompt:
• Copy
• Restore
To invoke the tool, in the command window type:
C:\Program Files\Tumbleweed\Email Firewall> EMFSave /?
A valid User name and Password are required to access the Email Firewall
database.
The database name, zip file name and path and the temp directory must be
specified. Password is optional. Other options supported are described in the
following table.
Option Description
Some word lists, especially those using multiple wildcard characters (*) in text
strings or in regular expressions, can result in long processing times and
effectively cause Email Firewall to hang. To avoid this performance penalty,
check your word list processing time with the tool.
To specify a new password with which to protect the private keys in the database:
1. Start the PrivateKeyWizard tool to open the Choose a Private Key
Operation dialog. See Figure 10.17.
2. Mark the Specify a new password with which to protect the private keys in
the database radio button and click Next.
5. In the Change Protection Password dialog, type the Old Password, New
Password, and type the new password again in the Confirm New Password
field.
6. Click Finish.
Use this option as part of the general good security practice of changing
passwords at regular intervals.
To input the password used to protect the private keys in the database:
1. Start the PrivateKeyWizard tool to open the Choose a Private Key
Operation dialog.
2. Mark the Input the password used to protect the private keys in the database
radio button, see Figure 10.20, and click Next.
3. In the Select the Email Firewall Database dialog, see Figure 10.18,
complete the Server and Catalog fields to identify the database in which to
perform the private key operations. Complete the Username and Password
fields using the username and password that are used to logon to the
specified database.
The Database access information is requested to check whether the given
password is the correct one that was used to protect the private key in the
database.
4. Click Next.
7. In the PKCS 12 Import Options dialog, see Figure 10.25, optionally mark
the Trust root keys imported from file checkbox to specify that the root keys
imported from the file should be trusted. If you select this option, the
certificate of the CA or the issuer, also known as the Root certificate, is
also imported as a “Trusted Root,” if the Root certificate is available in the
PKCS#12 file.
7a. If you marked the Trust root keys imported from file checkbox,
mark the checkbox(es) to specify the purposes for which this Root
certificate should be used to trust certificates.
8. Click Next.
Figure 10.27: Selecting the Import PGP Secret Key File Option
Figure 10.28: Selecting the Import PGP Secret Key File Option
5. In the Open dialog, navigate to the PGP key file that contains the PGP key
that you want to import, and select it.
6. In the PGP Secret File Passwords dialog, enter the password used to
protect the PGP Secret Key and the password that is used to protect the
private keys in the database. See Figure 10.29.
Figure 10.29: Selecting the Import PGP Secret Key File Option
7. Click Finish.
The PGP key is imported and shown in the Set Up > Secure Domains &
Local Certificates (and SPN Setup) page on the PGP Keys tab.
For database diagnostic work the utility uses Windows Authentication. This
means that the administrator who starts the testing must have permissions to
browse the Email Firewall database, as well as check SQL server settings.
The EMFDiagnostics utility runs the following diagnostic tests sequentially:
• SQL Server Related Tests - tests diagnosing the database or any SQL
Server settings.
• Email Firewall Related Test - tests that test Email Firewall settings.
• Windows Related Test - Performance Counter.
In addition to the previous three test categories, which are available through the
Diagnostic Utility’s user interface, there are additional tests that are performed
only when the Diagnostic Utility is run in automated mode. Their purpose is to
generate additional information which can be reviewed by Tumbleweed’s
Global Support team when there is an unresolved problem.
4. Review the results listed and take appropriate action. Each error or
warning message is followed by suggestions on how it can be fixed.
Figure 10.31 shows a sample Diagnostic Utility message.
Figure 10.33 shows the initial EMFSave fields for Database Name, Username,
Password, EMF Save File location, and Temp Directory location.
The Private Keys are saved in the EMFSave database protected by the same
password as they were in the EMFMail database. When restoring the Private
Keys, the same password should be set in the Email Firewall component
machines that access this Private Key data.
5. Figure 10.34 shows the types of data that can be copied or restored. Mark
the checkboxes in the Copy and Restore Options group box to specify what
type of data is saved. Note that if you select Security Data, you can
optionally select to save Private Keys data.
6. To ensure that all of the required data is saved, in some cases you must
select more than one Copy and Restore data option.
6a. If you have set up any queues to send a notification and to log an
event, in order for EMFSave to copy the correct configuration
data for copy and restore, you must mark both the Configuration
Data and the Directory Data checkboxes.
6b. If you have set up global options for Annotations (In-line
Annotation Settings) or Notifications (Global Notification
Settings), in order for EMFSave to copy the correct configuration
data for copy and restore, you must mark both the Configuration
Data and the Directory Data checkboxes.
6c. If you have installed the Dynamic Anti-spam Service, in order for
EMFSave to copy the correct configuration data for copy and
restore, you must mark both the Configuration Data and the
Directory Data checkboxes.
6d. In order to copy messages in the queues, you must mark the
Messages checkbox in the Copy and Restore group box, see
Figure 10.34, and then also mark the checkbox for the specific
13. Check the file location and verify the emfsave.zip file appears in the
directory folder.
14. Extract the emfsave.zip file and open the contents.txt file to verify
that the data you wanted to copy was successfully copied.
5. If you receive an error message, take specific note of the error message and
your actions preceding the message, and contact Tumbleweed Technical
Support.
When there are updates available, you can either install them immediately,
or download them for installation at a later date.
If there are messages, the Learn More button is displayed. Click Learn More
to view the informational messages.
7. Click Save to save the new Key Name and configuration value.
The Email Firewall reporting tool creates reports that show how Email Firewall
is operating in your environment. These reports are based on events logged to
the Email Firewall Event Log. Whenever a message is handled by the Email
Firewall Policy Engine or Relay and the logging level is set to Normal, an event
is logged. The Email Firewall reporting tool uses this Event Log data to produce
the reports described in this chapter.
Several of these reports are based on weekly or monthly statistics. When setting
up or running reports, keep in mind that the reports do not use standard calendar
weeks or months. Instead, they report on weeks or months that start on the day
that your selected time range starts.
Yearly ranges are based on the calendar year, but monthly and weekly ranges
are not calendar based, but based on the week or month starting when the
selected time range starts. For example, if you choose the time range of “This
Year” when running the report, then the week starts on Wednesday because
January 1, 2003 is a Wednesday.
This chapter contains the following sections:
11.1 Setting Up Email Firewall Reports ........................................ 612
11.2 Volume Reports ....................................................................... 616
11.3 Frequency Reports.................................................................. 624
11.4 User Reports ........................................................................... 627
11.5 Audit Reports .......................................................................... 629
11.6 Customizing Email Firewall Reports...................................... 630
11.7 Printing and Saving Reports .................................................. 635
11.1 Setting Up Email Firewall Reports
Select Reports from the left Menu to view the list of reports.
The first time you click Show Report after logging in, a
security warning may appear. Click Yes to view the reports.
(This gives the permissions needed by the downloaded
applet to render the reports.) If you do not want to see this
warning every time you access reports after logging in, mark
the Always trust... checkbox.
Volume reports use data from the Report Summary Events table, so they are not
real-time reports. By default, the database table used to create these reports
is updated every hour. For example, messages sent between 1:01 pm and 1:59 pm
do not appear on the report until 2:01 pm. The update interval can be
configured in the SQL database.
The Spam Volume report shows ALL inbound messages if the option Do not scan
messages received from internal networks on the Set Up > Dynamic Anti-spam
Service Settings page is ENABLED. In that case the report counts A + D, which
should match the numbers on the Message Volume and Size report. If the option
is DISABLED, the Spam Volume report shows A + B + C + D.
These two error conditions are counted together in the report’s Untestable
statistics. By default, Email Firewall accepts mail for which the SPF test
raises an error. A Relay configuration option changes this so that such
messages are rejected with SMTP code 450 (a temporary failure, so a legitimate
sender can retry). This option is not exposed in Web Admin but can be modified
using the Configuration Editor.
• None
The domain does not publish SPF data.
This test result is not included in the report.
In addition to the SPF protocol specification tests, the SPF Volume Report
includes the total number of messages processed for clients that publish SPF
data.
For Specific Sender reports you can generate reports for a domain. To report
against all senders in a domain, just enter the sending domain name instead of
the sender email address in the field. For example, to generate a report on all
senders from a specific domain (which would be the equivalent of
*@tumbleweed.com), enter the domain name in the format
tumbleweed.com.
• Date Range
• Subtotals
• Title and Text
Each volume report presents the data in two charts and one table format.
Because the data will be displayed in a chart format, when selecting the date
range and subtotals, a reasonable subtotal period in relation to the total period
selected will yield the most useful charts.
• Date Range
• Record Selection, Sorting
• Title and Text
Each frequency report presents the data in one chart and one table format. To
make most effective use of the charting function, it is recommended that no
more than 15 records be selected. Also note that the records can be selected to
display in ascending or descending order.
• Specific user
• Date Range
• Title and Text
Each user report presents the data in either one or two charts and one table
format, depending on the underlying report type (volume, frequency, or policy
violation).
• Date Range
• Title and Text
To print reports:
1. When viewing a report, click the Printer icon to open the Print Options
pop-up page.
2. Make your selection among the radio buttons and options shown in
Figure 11.7.
To save reports:
2. Use the drop-down arrow to select the format and click OK.
3. Click Search to select a location to save the file.
4. Click OK.
This appendix describes the file-type scanning performed by Email Firewall and
lists the types of files recognized. File scanning consists of four types of actions:
• Decompression of compressed files
• Decomposition of embedded files
• Scanning for recognized file types
• Scanning for words, phrases, strings or tags
This appendix contains the following sections:
A.1 General Overview .................................................................... 640
A.2 “All Supported” File Types ..................................................... 645
A.3 Groups...................................................................................... 651
A.4 File Types Recognized ............................................................. 655
A.5 File Types Scanned .................................................................. 659
A.1 General Overview
Email Firewall can recognize and act upon a wide variety of file types. It can
also scan a subset of these file types for specific words, phrases, or strings,
analyze their content, and act upon them.
To invoke file type recognition, Email Firewall policies can be written to scan
for particular file types, for file types embedded in other files, and for
attachments by file type.
To invoke content analysis, policies can be written to scan for words, phrases,
or strings in most of the popular word processing, graphics, spreadsheet,
database, multimedia, compressed and presentation formats. Policies can also
specify that HTML tag names and tag attributes be included in addition to tag
values when scanning message body content and attachments.
On a global basis, Email Firewall can physically scan attachment files and then,
prior to scanning for text, replace all sequences of non-printable characters with
a single whitespace character in the text that is extracted for content analysis.
See Scanning Bytes of Non-Text Attachments on page 93 for more information.
Figure A.1: Email Firewall Attachment Lists
Figure A.2 shows the file types used in the default Multimedia Attachments
attachment list. This list is used in the default Multimedia Attachments Deferral
policy, but you can also use this list to create new policies to scan for
multimedia file types, and then block them, quarantine them, or specify any of
the other Email Firewall policy actions when these file types are detected.
Figure A.2: Multimedia Files Attachment List
define policies to detect and block these file types. See Adobe Portable
Document Format (PDF) on page 660 for more information.
Similarly, Email Firewall cannot check for specific words, phrases, or strings in
password-protected files. However, you can define policies to detect and block
password-protected file types.
Limitations in File Type Decompression and Decomposition
Email Firewall policies that detect executable files do not detect self-extracting
zip files. Although self-extracting zip files have an .exe extension, Email
Firewall classifies them as compressed rather than as executable.
To enforce policies for all executable files, including self-extracting .zip
archives, create a policy to check for files named *.exe in addition to all
attachments whose file type is “executable file.”
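The gap described above (a self-extracting archive is an MZ executable image with a ZIP archive appended, so a type-only rule classifies it as compressed) is easy to reproduce. The following Python is an added example, not Email Firewall code: the signature-based classifier is an assumption standing in for the product's own recognizer, and the sample attachment is constructed inline.

```python
import fnmatch
import io
import zipfile

MZ_MAGIC = b"MZ"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def classify_attachment(data):
    """Content-based file type. An MZ image that also carries a ZIP local-file
    header is treated as a self-extracting archive and reported as 'compressed',
    not 'executable', mirroring the behaviour described in the appendix.
    (Assumed heuristic; an EXE with an embedded ZIP resource would also hit.)"""
    if data.startswith(MZ_MAGIC):
        return "compressed" if ZIP_LOCAL_HEADER in data else "executable"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "compressed"
    return "unknown"


def executable_policy_hits(file_name, data, check_name=True):
    """The policy recommended above: file type 'executable' OR file name *.exe.
    With check_name=False only the type condition is evaluated, which is the
    rule that lets self-extracting archives through."""
    if classify_attachment(data) == "executable":
        return True
    return check_name and fnmatch.fnmatch(file_name.lower(), "*.exe")


def make_sfx_sample(payload_name="readme.txt", payload=b"hello"):
    """Constructed sample: a fake 64-byte MZ stub followed by a real ZIP
    archive, the layout of a self-extracting zip."""
    stub = MZ_MAGIC + b"\x90" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(payload_name, payload)
    return stub + buf.getvalue()


PLAIN_EXE = MZ_MAGIC + b"\x00" * 62  # constructed: MZ stub with no archive

if __name__ == "__main__":
    sfx = make_sfx_sample()
    print(classify_attachment(PLAIN_EXE), classify_attachment(sfx))
    print(executable_policy_hits("setup.exe", sfx, check_name=False))  # missed
    print(executable_policy_hits("setup.exe", sfx))                    # caught
```

The name check is what closes the gap, so a policy built this way must apply to the attachment's declared file name as well as its detected type; a renamed SFX (for example setup.zip) is still classified as compressed and is then subject to the compressed-file policies instead.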
Email Firewall allows three minutes for decomposition of an embedded
message or document. If decomposition takes longer than three minutes, Email
Firewall logs a decomposition failure event instead of performing the action
specified in the policy.
You can catch messages that create this type of decomposition problem using
the Basic Mail Filtering policy Decomposition errors. If you do not want
messages that cause decomposition failures to be delivered normally, modify
the default policy to specify a different policy action, or create a new policy, and
then apply the policy to the appropriate directory object.
RAR Compressed Archive (.rar) files version 3.3 or higher are detected.
However, support has not been added for decompressing these very large files.
Email Firewall also cannot distinguish between password protected and
unprotected .rar files. Therefore, a policy to detect password protected files will
not be triggered by a password protected .rar file.
A.2 “All Supported” File Types
Email Firewall provides a list of attachment file types that can be used in
policies that scan for particular file types. The file types preceded by the word
“All” in the Email Firewall Attachments File Types drop-down list contain the
files listed in the sections below. Other file type groups that appear on this drop-
down list are described in A.3 Groups on page 651.
A.2.3 All Supported Document Files
• Adobe Acrobat (PDF, PS) (*)
• Adobe FrameMaker (*)
• Ami Pro
• FrameMaker MIF (text only)
• IBM DCA/FFT
• IBM DCA/RFT
• Ichitaro 8
• Interleaf 6
• Lotus WordPro 97 (Win32 only)
• Lotus WordPro for SmartSuite for the Millennium (Win32 only)
• Lotus WordPro 96 (Non-Windows platforms - text only)
• MacWrite II
• Microsoft Word (*)
• Microsoft Works DOS 1.0 WP
• Microsoft Works DOS 2.0 WP
• Microsoft Works Win 3.0 WP
• Microsoft Works Win 4.0 WP
• MultiMate 3.6
• MultiMate 4.0
• MultiMate Advantage 2
• MultiMate Note
• Navy DIF
• PerfectWorks for Windows
• PostScript (*)
• Professional Write 2
• Q&A Write 3
• Rainbow
• Rich Text Format
• Samna
• Wang PC (IWP)
• WordPerfect (*)
• WordPro 96/97
• Wordstar 2000
• Wordstar 3.0, 4.0, 5.0, 6.0, 7.0
• XyWrite / Nota Bene
Some old .exe files that use an old DOS format will not be
detected. Nor will self-extracting .zip files with a .exe
extension. However, you can create policies that check for
these extensions. See Special Considerations for File
Names and File Types on page 271 for a more detailed
discussion of this topic.
• .com
• .exe
• .dll
• .scr
• Macromedia Director
• MIDI File
• MPEG 6
• MPEG Audio MP2
• MPEG Audio MP3
• Quicktime Movie
• RealAudio
• RealMedia
• Windows Audio (WAV)
• Windows Video (AVI)
A.2.11 All Supported Spreadsheet Files
• Enable Spreadsheet
• Lotus 123 (*)
• Microsoft Excel (*)
• Multiplan 4
• Quattro/Quattro Pro (*)
• SuperCalc 5
• Symphony
A.3 Groups
Email Firewall provides a list of attachment file types. The file types listed in
the Email Firewall Attachments File Types drop-down list contain both the
“All” groups listed in A.2 “All Supported” File Types on page 645, and the
following groups that are limited to a specific file type. The groups include the
file type and version listed in this section.
A.3.3 AutoCAD
• AutoCAD DXF (Binary)
• AutoCAD DXF (ASCII)
• AutoDesk Drawing (DWG)
• AutoDesk WHIP
A.3.6 Lotus 123
• Lotus Notes Bitmap
• Lotus Notes CDF
• Lotus 1-2-3
• Lotus 1-2-3 Formatting
• Lotus 1-2-3 97
• Lotus 1-2-3 Release 9
• Word for DOS 6.x
• Microsoft Word for PC
• Microsoft Word for PC Style
• Microsoft Word for PC Glossary
• Microsoft Word for PC Driver
• Microsoft Word for PC Miscellaneous File
• Microsoft Word UNIX
• WriteNow MAC
• Microsoft Word 95
• Microsoft Word 97/98
• Microsoft Pocket Word
• Microsoft Word 2000
A.3.11 Paradox
• Paradox
A.3.14 WordPerfect
• Mac WordPerfect 1.x
• WordPerfect
• WordPerfect VAX
• WordPerfect Macro
• WordPerfect Spelling Dictionary, Thesaurus, Driver
• WordPerfect Resource File
• WordPerfect Configuration File, Hyphenation Dictionary
• WordPerfect Miscellaneous File
A.4 File Types Recognized
• Ability (SS, DB, GR, WP, COM)
• Adobe Maker Interchange Format (MIF)
• AES Multiplus Comm Format word processor
• Amiga MOD Sound
• ASCII File word processor/MS DOS Batch File format
• Audio Interchange File Format (AIFF) Sound
• AutoDesk Animator Pro FLIC Animation
• AutoShade Rendering File Format
• Convergent Tech DEF Comm. format word processor
• Curses Screen Image (UNIX/VAX/SUN)
Table A.2: File Types Recognized D - J
Framework II
Table A.3: File Types Recognized K - U
• KW ODA Internal G32D Raster Image (G32)
• KW ODA Internal Raw Bitmap (RBM) Raster Image
• PC Paint Brush Graphics (PCX)
• PC True Type Font
Table A.4: File Types Recognized U - X
• Windows Micrografx Draw (DRW)
• Xerox 860 Comm. format word processor
A.5 File Types Scanned
This section lists the formats supported for text filtering by Email Firewall.
Even if a file type is listed here, text can only be filtered for
supported code sets.
• WordPerfect for DOS through v6.1
• WordPerfect for Macintosh v1.02 to 3.1
• WordPerfect for Windows v5.x, 6, 7, 8, 9, 10
• WordPerfect for Linux v6.0
• XyWrite V4.12
• MacPaint (Macintosh)
• Microsoft Excel Charts
• Microsoft Windows Animated Cursor
• Microsoft Windows Bitmap (BMP)
• Microsoft Windows Cursor/Icon
• Microsoft Windows Metafile (WMF) V3.0
• PC PaintBrush (PCX)
• Portable Network Graphics (PNG)
• Sun Raster SGI RGB
• Tagged Image File (TIFF) (filters summary information) v3.0 to 6.0
• Truevision Targa
• WordPerfect Graphics (WPG) v1.0, 2.0, 7.0
A.5.6 Compression Formats
• PKZip ZIP archive format
B Code Set Support
B.1 Definitions and Concepts
The following sections provide a brief overview of some of the definitions and
concepts relevant to this document.
Unicode is a character mapping. The goal of Unicode is to provide a number for
every character, no matter what language is being written. Unicode is widely
accepted as the standard way to store international text data. There are
several standard character-encoding schemes for Unicode, including UTF-8,
UCS-2, and UCS-4.
language, locality, and character set that should be assumed for recipients in the
Email Firewall user’s organization. This configuration parameter is not exposed
in the Web Administrator user interface. The default value for this parameter
declares that the default language is English, the default locality is the United
States, and the default code set is ISO-8859-1 (which is widely used in the US
and Western Europe and is handled correctly by most email clients).
The default recipient code set affects several Policy Engine behaviors as
described in B.3.2 Handling Text From Unsupported or Unidentified Code Sets
on page 669.
Special Treatment of Japanese Text On Word Lists
When considering text entries (not regular expressions) on a word list, the
Policy Engine examines the characters to determine whether or not the text may
be Japanese. If the text is Japanese, the compiled regular expression does not
indicate that white space or punctuation characters must delimit the words.
This is done because the words in a Japanese sentence are not normally
separated by spaces as is common in western languages.
However, there is a known limitation with respect to the scanning of Japanese
text in email messages. When Japanese text is entered into an email client
application, the client may be required to break up that text into multiple lines
in order meet the line length requirements of SMTP. Since there may be no
white space characters in a sequence of Japanese characters, there is no natural
place to insert the line break. Thus, it is possible that the line break will be
inserted in the middle of a word.
When a line break is inserted in the middle of a word, it will cause a policy that
is scanning for that word to fail to be triggered. This is because the Policy
Engine normally considers line breaks to be word separators and it does not
know whether the line breaks in that message body part were intentionally
inserted by the author or automatically inserted by the email client.
Email client applications may avoid breaking up words by using one of the
standard content transfer encoding methods (quoted-printable or base64) when
Japanese text is written in a message body part. However, it is not currently
possible to configure the Policy Engine to enforce the use of a particular transfer
encoding for message text parts.
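The failure mode above can be reproduced end to end: a client that hard-wraps a run of Japanese characters puts a line break inside the word, and the scanner (which keeps line breaks) no longer finds it, while quoted-printable soft line breaks are removed on decoding and the word survives. The following Python is an added example, not Email Firewall code; the word-list entry and the message body are constructed, and the scanner stands in for the Policy Engine's real text extraction.

```python
import quopri

# Constructed sample: a Japanese word-list entry and a body with no spaces.
WORD = "機密情報"                      # "confidential information"
PREFIX = "本日の会議資料には" + "重要な" * 13   # 48 characters, no whitespace
BODY = PREFIX + WORD + "が含まれています。"


def hard_wrap(text, width=25):
    """A client that breaks lines every `width` characters because there is no
    whitespace to break at; with the sample above the break lands inside WORD."""
    return "\r\n".join(text[i:i + width] for i in range(0, len(text), width))


def encode_qp(text):
    """What a client does instead: quoted-printable encode the UTF-8 bytes. The
    encoder wraps at 76 columns using soft line breaks ('=' + newline)."""
    return quopri.encodestring(text.encode("utf-8"))


def scan_body(raw, transfer_encoding, word=WORD):
    """Decode a text part as a scanner would and look for the word. Line breaks
    present in the decoded text are kept, so a hard break inside the word
    defeats the match; QP soft breaks disappear during decoding."""
    if transfer_encoding == "quoted-printable":
        raw = quopri.decodestring(raw)
    text = raw.decode("utf-8")
    return word in text


if __name__ == "__main__":
    print(scan_body(hard_wrap(BODY).encode("utf-8"), "8bit"))   # False: broken word
    print(scan_body(encode_qp(BODY), "quoted-printable"))      # True: soft breaks removed
```

The same trick (join or ignore hard line breaks before matching) cannot be applied by the scanner itself without knowing whether a break was typed by the author, which is exactly the limitation the text describes.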
For another example, if you enter the word “rich” on a word list, the policy
should fire only if it finds those four characters in sequence with a word
separator before the ‘r’ and after the ‘h’. But because of the way word
separator characters are treated, the policy also triggers on a word that has
an unsupported character immediately before “rich”, when it should not. Note
that this is only a problem at the end of words, not at the beginning. So in
the first example, a word like “efran” would not match.
All letters in the following code sets are treated as letters, and not as word
separators:
• ISO 8859-1 (Latin 1)
• ISO 8859-2 (Latin 2)
• ISO 8859-3 (Latin 3)
• ISO 8859-4 (Latin 4)
• ISO 8859-8 (Hebrew)
• ISO 8859-9 (Latin 5)
• ISO 8859-10 (Latin 6)
• ISO 8859-13 (Latin 7)
• ISO 8859-14 (Latin 8)
• ISO 8859-15 (Latin 9)
A weakness also exists with the regular expression capabilities. The operators
\w and \W are provided as conveniences meaning “any word character” or “any
non-word character” respectively. But they do not take non-English words into
account since they only include (or exclude) the letters A through Z. There are
no alternative operators that would include or exclude letters from other
languages. You can avoid this limitation, but doing so involves writing long and
complex regular expressions.
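Both limitations above (the backtracking cost of wildcard-heavy entries noted in the word-list tool description, and \w covering only A-Z) can be handled when a word list is compiled and checked outside the product. The following Python is an added example, not Email Firewall code, and the Policy Engine's real compilation rules are not published here: the letter ranges, the 64-character bound on a wildcard and the two risk heuristics are assumptions.

```python
import re

# Letters the Policy Engine treats as word characters (the ISO 8859 code sets
# listed above). \w under ASCII rules covers only A-Z, so the class is spelled
# out; the ranges are an assumption covering Latin-1 Supplement, Latin
# Extended-A/B and the Hebrew block.
LETTER = r"A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u024F\u05D0-\u05EA"
WORD_CHAR = "[" + LETTER + "0-9_]"
# A '*' in a text entry may only span part of one word and is bounded, so the
# engine cannot backtrack across the whole message body.
WILDCARD = WORD_CHAR + "{0,64}"

# Heuristics for regular-expression entries that can take exponential time.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[*+][^()]*\)[*+]")   # e.g. (a+)+
REPEATED_UNBOUNDED = re.compile(r"(\.[*+]).*(\.[*+])")        # e.g. .*foo.*


def text_entry_to_regex(entry):
    """Compile a text word-list entry (with optional * wildcards) into a regex
    that matches the entry as a whole word, using explicit letter classes in
    the lookarounds instead of \\b or \\w."""
    parts = [re.escape(p) for p in entry.split("*")]
    body = WILDCARD.join(parts)
    return "(?<!" + WORD_CHAR + ")" + body + "(?!" + WORD_CHAR + ")"


def match_word(entry, text):
    return re.search(text_entry_to_regex(entry), text, re.IGNORECASE) is not None


def risk_reasons(pattern):
    """Reasons a regular-expression entry should be timed or rejected before it
    goes into a production word list; an empty list means nothing was found."""
    reasons = []
    if NESTED_QUANTIFIER.search(pattern):
        reasons.append("nested quantifier such as (a+)+ backtracks exponentially")
    if REPEATED_UNBOUNDED.search(pattern):
        reasons.append("more than one unbounded wildcard (.* or .+) in one entry")
    return reasons


def check_word_list(entries):
    """entries: list of (kind, value), kind being 'text' or 'regex'.
    Returns {value: [reasons]} for the entries that need attention."""
    findings = {}
    for kind, value in entries:
        pattern = text_entry_to_regex(value) if kind == "text" else value
        reasons = risk_reasons(pattern)
        if reasons:
            findings[value] = reasons
    return findings


if __name__ == "__main__":
    sample = [("text", "rich"), ("text", "confi*tial"),
              ("regex", r".*account.*number.*"), ("regex", r"^(\w+\s?)+$")]
    for value, reasons in check_word_list(sample).items():
        print(value, "->", "; ".join(reasons))
    print(match_word("rich", "the rich man"), match_word("rich", "enrich"))
```

With the explicit letter class, “Ärich” no longer matches the entry “rich”, which is the mis-fire the paragraph on word separators describes; the static checks are a cheap first pass, and entries they flag should still be timed against a realistic message before deployment.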
B.3 Extraction of Text From Message Content
As mentioned in the B.2 Data In The Email Firewall Database on page 666,
Email Firewall word lists are stored as Unicode characters. The regular
expression processor in the Policy Engine works on Unicode data that will be
compared against a sequence of Unicode-based regular expressions.
Consequently, the Policy Engine must be able to map the characters extracted
from a message to Unicode in order to compare the text against the contents of
a word list.
In order to map text to Unicode, the Policy Engine must know the code set of
the content in the message. For the text/plain parts of an email message, the
charset parameter is used to determine the code set. Similarly, when text is
extracted from an attachment, it is necessary for the Policy Engine to know the
code set of that text in order to convert it to Unicode.
• A text/plain part with no charset parameter contains non-ASCII characters.
• A subject header contains non-ASCII characters (not RFC 2047 encoded).
All of these cases are handled the same way: the Email Firewall Policy Engine
maps the bytes to Unicode assuming that they use the default recipient code
set, which by default is ISO-8859-1.
You may need to know when a message contains text that cannot be reliably
mapped to Unicode by the Policy Engine. For this case, there is an option in the
Policy Engine that indicates that a message should be marked as having an
attachment causing a decomposition error whenever it contains text that cannot
be reliably mapped to Unicode. By marking messages this way, you can write a
policy to treat these messages differently (e.g., using quarantine or detention) if
necessary. This option is enabled using Web Admin on the Setup > Policies
page. See 2.7.3 Setting Up Other Global Policy Options on page 91 for
instructions.
When this Policy Engine option has been enabled, all of the cases described
above cause the message to be marked as having an attachment with a
decomposition error. An exception is made when a text/plain part has no charset
parameter and all of the bytes in the text are safe ASCII codes. The safe ASCII
codes are the printable characters (values 33 through 126) plus these control
codes: horizontal tab (9), line feed (10), form feed (12), carriage return (13),
and space (32).
Assuming the decomposition error option has been enabled, the Policy Engine
will log an event with an ID value of 6082 whenever a text part is encountered
that cannot be reliably mapped to Unicode.
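The decision described above (safe-ASCII exception, fallback to the default recipient code set, event 6082 when the option is enabled) is shown below in Python. It is an added example, not Email Firewall code; the set of supported code sets is an assumption for illustration (the page names Big5 as unsupported), and the handling of bytes that are invalid for a declared, supported charset is not described on the page and is assumed here.

```python
from typing import Optional, Tuple

DEFAULT_RECIPIENT_CODESET = "iso-8859-1"   # default described in B.2
EVENT_UNMAPPABLE_TEXT = 6082               # event ID logged by the Policy Engine
# Safe ASCII: printable characters plus tab, LF, FF, CR and space.
SAFE_ASCII = set(range(33, 127)) | {9, 10, 12, 13, 32}
# Code sets this example treats as supported (assumption; Big5 is unsupported
# per the appendix).
SUPPORTED_CODESETS = {"us-ascii", "iso-8859-1", "iso-8859-2", "iso-8859-15",
                      "utf-8", "iso-2022-jp", "shift_jis", "euc-jp"}


def map_text_part(payload: bytes, charset: Optional[str],
                  flag_unreliable: bool = True) -> Tuple[str, Optional[int]]:
    """Map a text/plain part, or an un-encoded Subject header (charset=None),
    to Unicode. Returns (text, event_id): event_id is 6082 when the mapping is
    not reliable and the decomposition-error option is enabled, else None."""
    unreliable = EVENT_UNMAPPABLE_TEXT if flag_unreliable else None
    if charset is None:
        if all(b in SAFE_ASCII for b in payload):
            return payload.decode("ascii"), None       # the documented exception
        # Non-ASCII bytes and no charset: assume the default recipient code set.
        return payload.decode(DEFAULT_RECIPIENT_CODESET), unreliable
    cs = charset.lower()
    if cs not in SUPPORTED_CODESETS:
        return payload.decode(DEFAULT_RECIPIENT_CODESET), unreliable
    try:
        return payload.decode(cs), None
    except UnicodeDecodeError:
        # Assumed handling: bytes invalid for the declared charset fall back
        # the same way and are flagged.
        return payload.decode(DEFAULT_RECIPIENT_CODESET), unreliable


if __name__ == "__main__":
    # Constructed parts: one clean ASCII part, one 8-bit part with no charset,
    # one declared UTF-8 part and one with a charset this example rejects.
    for payload, cs in [(b"hello world\r\n", None),
                        ("caf\u00e9".encode("latin-1"), None),
                        ("caf\u00e9".encode("utf-8"), "utf-8"),
                        (b"\xa4\xa4\xa4\xe5", "big5")]:
        print(cs, map_text_part(payload, cs))
```

Note that a bare control byte such as BEL (7) in a part with no charset is not in the safe set, so that part is flagged even though it is technically ASCII; the exception is deliberately narrow.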
B.4 Policy Engine Expected Behaviors
This section describes the expected behaviors of the Policy Engine features
when non-ASCII-7 text is used in the following areas:
• Annotations
• Notifications
• Events
• Subject Header Alterations
• MIME Header Policies
B.4.1 Annotations
As mentioned earlier, annotation text is stored as Unicode in the Email Firewall
database and may therefore include characters from practically all written
languages. If there are characters in the annotation text that have no
representation in the target character set, none of the text from that annotation
will be added. A warning event will be logged in the Email Firewall Event Log.
This may result in some empty attachments.
Inline Annotations
Expected behavior is that the inline annotation text will be mapped from
Unicode to the character set specified in the inline text/plain and text/html parts
containing the message text.
When there is no inline text part in the message, a new one is added for the inline
annotation and the character set on that part will be the default recipient
character set.
Attached Annotations
Expected behavior is that the attached annotation will be a text/plain part with
a charset value equal to the default recipient character set. The annotation text
will be mapped to the default recipient character set before it is written into the
attachment.
Even assuming that all characters were successfully mapped from Unicode to
the default recipient character set, whether the attachment is viewable on the
recipient’s desktop depends on factors beyond control of Email Firewall. You
may also have no control over which application the recipient uses to view that
attachment or what code sets are supported on that desktop.
B.4.2 Notifications
Expected behavior for all notifications generated by Email Firewall is that the
body of the notification message will be an inline text/plain part with a charset
value equal to the default recipient character set.
As mentioned earlier, notification text is stored as Unicode in the Email
Firewall database and may therefore include characters from practically all
written languages.
If there are characters in the notification text that have no representation in the
target character set, none of the text from that notification will be added. A
warning event will be logged in the Email Firewall Event Log. This may result
in some empty notifications.
B.4.3 Events
Since event text is saved in the database as Unicode and the Email Firewall
event log is also in the database, no code set conversions are required to use
the event text in the event. As a result, any user-defined events are logged
to the event log with the description text exactly as the user defined it.
When an event is logged at level major, the event is recorded in the Windows
Event Log in addition to the Email Firewall event database. The Unicode
characters from the user’s description are passed unchanged to the Windows
event logging API. However, whether or not all characters will be correctly
displayed by the Windows Event Viewer application is beyond the control of
Email Firewall. What one sees in the Windows event viewer is likely to be
dependent upon the “Regional Settings” on the machine where the event log is
being viewed.
B.4.4 Subject Alteration
For subject headers with no RFC 2047 encoded words, the expected behavior is
that any added text will be mapped to the default recipient character set and
then, if necessary, RFC 2047 encoded. A warning event can be logged if the text
cannot be RFC 2047 encoded.
For subject headers that originally included RFC 2047 encoded words when the
message was received, the expected behavior is that any added text will be
mapped to the character set already in use within that subject header. If a
character in the text to be added has no mapping to the target character set,
character code 63 is used, which is the question mark character in all western
language code sets.
In the cases where the original subject has RFC 2047 encoded words using an
unsupported character set, Email Firewall logs a warning event (level = normal)
and no subject alterations are made to the original subject. The same behavior
occurs when the original subject has multiple RFC 2047 encoded words using
different character sets, even if those character sets are supported.
When the original subject includes non-ASCII characters that have not been
RFC 2047 encoded, subject alterations will work as follows:
• Any words added to the subject will be RFC 2047 encoded if necessary
(using the default recipient character set) but the original subject text will
not be modified or re-encoded.
• No text deletion actions will be performed on the original subject. A
warning will be logged (level = normal).
For headers that contain non-ASCII characters that have not been RFC 2047
encoded, expected behavior is that the header contents will be mapped to
Unicode in a byte-wise manner (each byte is directly converted to the
numerically equivalent Unicode character) and the policy condition will attempt
the text matching on that Unicode string.
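The subject alteration rules of B.4.4 and the byte-wise header mapping just described, as an added Python example; this is not Email Firewall code. It assumes a constructed SUPPORTED set (a subset of the code sets listed in B.6, with Big5 deliberately absent), returns warnings as strings instead of writing them to the event log, and uses the RFC 2047 "B" form for every encoded word it adds.

```python
"""Subject alteration (B.4.4) and byte-wise header matching, as an added
example.  Assumptions: SUPPORTED is a constructed subset of the B.6 list;
warnings are returned rather than logged to the event log."""
import base64
import codecs
import re
from email.header import decode_header

ENCODED_WORD = re.compile(r"=\?([^?]+)\?[BbQq]\?[^?]*\?=")


def canonical(charset):
    """Canonical codec name, or None when the code set is unknown here."""
    try:
        return codecs.lookup(charset).name
    except LookupError:
        return None


# Constructed subset of the B.6 list (assumption); Big5 is intentionally absent.
SUPPORTED = {canonical(n) for n in (
    "us-ascii", "iso-8859-1", "iso-8859-2", "iso-8859-15", "iso-2022-jp",
    "shift_jis", "euc-jp", "utf-8", "utf-16", "windows-1252")}


def charsets_in(subject):
    """Code sets named by the RFC 2047 encoded words already in the subject."""
    return [m.group(1) for m in ENCODED_WORD.finditer(subject)]


def encode_word(text, charset):
    """RFC 2047 'B' encoded word; unmappable characters become '?' (code 63)."""
    raw = text.encode(charset, errors="replace")
    return "=?%s?B?%s?=" % (charset, base64.b64encode(raw).decode("ascii"))


def add_subject_text(subject, added, default_charset="iso-8859-1"):
    """Append text to a subject.  Returns (new_subject, warning_or_None)."""
    charsets = charsets_in(subject)
    if not charsets:
        # No encoded words: append plain ASCII as-is, otherwise encode with the
        # default recipient code set.  The original subject text is not touched,
        # even when it carries raw non-ASCII characters.
        if added.isascii():
            return subject + " " + added, None
        if canonical(default_charset) is None:
            return subject, "warning: added text cannot be RFC 2047 encoded"
        return subject + " " + encode_word(added, default_charset), None
    if len({canonical(c) for c in charsets}) > 1:
        return subject, "warning (normal): several code sets, subject unchanged"
    charset = charsets[0]
    if canonical(charset) not in SUPPORTED:
        return subject, "warning (normal): unsupported code set %s" % charset
    # RFC 2047 drops the whitespace between adjacent encoded words, so the
    # separating blank is carried inside the new word.
    return subject + " " + encode_word(" " + added, charset), None


def delete_subject_text(subject, text):
    """Deletion is skipped when the subject carries raw (unencoded) non-ASCII."""
    if not subject.isascii():
        return subject, "warning (normal): raw non-ASCII, no deletion performed"
    return subject.replace(text, ""), None


def header_to_unicode(raw):
    """Byte-wise mapping: each byte becomes the code point of the same value."""
    return "".join(chr(b) for b in raw)


def header_contains(raw, needle):
    """Text match on a raw header after byte-wise mapping to Unicode."""
    return needle in header_to_unicode(raw)


def decode_subject(subject):
    """Decode encoded words back to text (used to check the results)."""
    out = []
    for chunk, charset in decode_header(subject):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)
```

The header functions show the practical consequence of the byte-wise mapping: a header that actually holds UTF-8 bytes for "é" is seen by the policy condition as the two characters "Ã©", so a word list entry written as "Café" matches an ISO 8859-1 header but not a UTF-8 one.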
Code set specifications are supported for:
• Message body and attachments
• Message subject
• Notification and annotation generation
For example, Big5 is not a supported character set. When this unsupported
character set is encountered, no annotation is appended to the message.
6. The Euro symbol is not fully supported by Netscape Mail 4.77 and 4.79.
characters. To avoid this, always log in to Web Admin using
English ASCII characters.
• Email Firewall reports do not display organization names properly
if they have been specified using Japanese Kanji characters. To
avoid this, always specify organization names using English ASCII
characters.
• Email Firewall report titles do not display properly if they have
been specified using Japanese Kanji characters. To avoid this,
always specify report titles using English ASCII characters.
• Japanese text is corrupted in exported reports. This applies to all
exported formats (.html, .pdf and .rtf) and affects the directory
name and am/pm time indication.
9. When the text message format and encoding are NONE, and where the
email client has inserted a line break in a Japanese word string, the Email
Firewall Policy Engine cannot read the word properly.
In the Japanese language (and some other languages), words are comprised
of sequences of characters, but the words in a sentence or phrase are not
normally separated by a space as is common in western languages. However,
when Japanese text is entered into an email client application, the client
may be required to break up that text into multiple lines in order to meet
the line length requirements of SMTP (RFC 2821). Since there may be no
white space characters in a sequence of Japanese characters, there is no
natural place to insert the line break. Thus, it is possible that the line break
will be inserted in the middle of a word.
When a line break is inserted in the middle of a word, an Email Firewall
policy that is scanning for that word will fail to be triggered. This is because
Email Firewall normally considers line breaks to be word separators and it
does not know whether the line breaks in that message body part were
intentionally inserted by the author or automatically inserted by the email
client.
Email client applications may avoid breaking up words by using one of the
standard content transfer encoding methods (quoted-printable or base64)
when Japanese text is written in a message body part. However, it is not
currently possible to configure Email Firewall to enforce the use of a
particular transfer encoding for message text parts.
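The behaviour described in item 9, as an added Python example (not Email Firewall code): a scanner that, like the Policy Engine, treats a line break as a word separator is run over the same Japanese text once as an unencoded (NONE) UTF-8 body that the client has broken into lines, and once as a quoted-printable body. The sample text, the word being looked for and the 10-character line limit are constructed for the example.

```python
"""Added example for item 9: why a client-inserted line break inside a
Japanese word defeats word scanning on an encoding-NONE body, and why a
quoted-printable body does not have the problem.  SAMPLE, WORD and the
line limit are constructed values."""
import quopri

# Constructed sample: 13 characters with no spaces; the four-character WORD
# starts at index 7, so a 10-character line limit splits it in the middle.
SAMPLE = ("\u3053\u308c\u306f\u793e\u5916\u79d8\u306e"
          "\u6a5f\u5bc6\u6587\u66f8\u3067\u3059")
WORD = "\u6a5f\u5bc6\u6587\u66f8"


def make_none_body(text, max_line=10):
    """Client-side line breaking of an 8-bit (encoding NONE) UTF-8 body."""
    lines = [text[i:i + max_line] for i in range(0, len(text), max_line)]
    return "\r\n".join(lines).encode("utf-8")


def make_qp_body(text):
    """The same text as a quoted-printable body; quopri inserts soft line
    breaks ('=' followed by a newline) to honour the line length limit."""
    return quopri.encodestring(text.encode("utf-8"))


def scan_body(body, word, transfer_encoding, charset="utf-8"):
    """True if word occurs within a single line of the decoded body.
    Line breaks are word separators, as the text above describes."""
    if transfer_encoding == "quoted-printable":
        body = quopri.decodestring(body)   # soft line breaks disappear here
    lines = body.decode(charset).splitlines()
    return any(word in line for line in lines)


def scan_joined(body, word, charset="utf-8"):
    """The naive remedy: ignore line breaks altogether.  It finds the split
    word, but would also match a word straddling a break the author inserted
    on purpose, which is why the engine cannot simply do this."""
    return word in "".join(body.decode(charset).splitlines())
```

With the NONE body the hard CRLF lands between the second and third characters of WORD and the per-line scan misses it; with the quoted-printable body the only breaks are soft ones, which decoding removes before the scan, so the word is found intact.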
B.6 Message Body and Attachments
Message content is converted directly to Unicode. Code set support for message
body and attachments includes the following:
• US ASCII: 7-bit, US-only.
• ISO 8859-1: 8-bit. See Table B.1.
Also known as Latin-1, covers most West European languages
• ISO 8859-2: 8-bit
Also known as Latin-2, covers the languages of Central and Eastern
Europe. See Table B.2.
• ISO 8859-3: 8-bit
Also known as Latin-3. See Table B.3.
• ISO 8859-4: 8-bit
Also known as Latin-4. See Table B.4.
• ISO 8859-5: 8-bit
Also known as Latin/Cyrillic. See Table B.5.
• ISO 8859-6: 8-bit
Also known as Latin/Arabic, covers only the basic alphabet for the Arabic
language.
• ISO 8859-7: 8-bit
Also known as Latin/Greek, covers modern Greek.
• ISO 8859-8: 8-bit
Also known as Latin/Hebrew, covers Hebrew.
• ISO 8859-9: 8-bit
Also known as Latin-5. See Table B.6.
• ISO 8859-15: 8-bit
Also known as Latin-9
Contains the EURO sign and some important national letters.
• ISO 2022-JP: Japanese
Covers a mixture of ASCII and JIS (Japanese Industrial Standard) X.
• SJIS: Japanese
Also known as MS Kanji, covers the most common encoding method used
on Japanese PCs.
• EUC JP
Extended Unix Code (EUC) for Japan. Supports JIS X 0201-1997, JIS X
0208:1997, and JIS X 0201-1990 character sets.
• UCS-2
Uniform Character Set-2 encoding. This is Unicode using 16-bit encoding.
• UTF-8
UCS Transformation Format-8. Also known as Unicode. UTF is a method
for encoding 16-bit or 32-bit (UCS-4) representations so that data can be
passed more reliably as text streams or in email messages. UTF-8 is the
way in which Unicode is used under Unix, Linux, and similar systems
designed around ASCII.
• UTF-7
A Mail-Safe Transformation Format of Unicode. UTF-7 transforms UCS
encoded characters to a 7-bit encoding.
• UNICODE-1-1-UTF-7
7-bit encoding that is used to represent Unicode 1.1, as opposed to
Unicode 1.0.
• UTF-16
The ISO/IEC encoding that is equivalent to the Unicode Standard with the
use of surrogates. Allows the inclusion of certain UCS-4 codes in a UCS-2
encoded string.
• Windows-1252
Microsoft Windows Code Page 1252 for Western European languages.
• Windows-1255
Microsoft Windows Code Page 1255. Support for Latin/Hebrew.
• ISO 8859-4
• ISO 8859-5
• ISO 8859-6
• ISO 8859-7
• ISO 8859-8
• ISO 8859-9
• ISO 8859-15
• ISO 2022-JP
• SJIS
• EUC-JP
• UCS-2
• UTF-7
• UTF-8
• UNICODE-1-1-UTF-7
• UTF-16
• Windows-1252
• Windows-1255
Table B.1: ISO 8859-1 and 15
Languages: Danish, Dutch, English, Faroese, Finnish, French, German, Icelandic,
Irish, Italian, Norwegian, Portuguese, Spanish, Swedish
Table B.2: ISO 8859-2
Languages: Albanian, Czech, English, German, Hungarian, Polish, Rumanian,
Serbo-Croatian, Slovak, Slovene
Table B.3: ISO 8859-3
Languages: Afrikaans, Catalan, Dutch, English, Esperanto, German, Italian,
Maltese, Spanish, Turkish
Table B.4: ISO 8859-4
Languages: Danish, English, Estonian, Finnish, German, Greenlandic, Lappish,
Latvian, Lithuanian, Swedish, Norwegian
Table B.5: ISO 8859-5
Languages: Bulgarian, Byelorussian, English, Macedonian, Russian,
Serbo-Croatian, Ukrainian
Table B.6: ISO 8859-9
Languages: Danish, Dutch, English, Finnish, French, German, Irish, Italian,
Norwegian, Portuguese, Spanish, Swedish, Turkish
C Using Regular Expressions
C.1 General Issues
In regular expressions, the backslash (\) and quote (“”) characters let you escape
operators such as * or ? and do a search for special characters, \* or \], for
example.
In regular expressions, the blank character falls under the category of
whitespace, and needs to be specially handled in order for the regular expression
to be correctly recognized. For example, to specify the string “hi steve” as a
regular expression, it must be specified as: “hi steve” enclosed in double quotes
OR hi\ steve (blank explicitly escaped) OR hi\ssteve (blank specified as the
whitespace \s).
Using Question Marks
In regular expressions, the ? character matches 0 or 1 occurrences of an
expression. It cannot be used as a text wildcard in a regular expression;
however, the expression \w would be its equivalent.
Error:
Description: Internal Processing Error
Details: An internal error has occurred; this message
is being quarantined.
C.2 Operators
The following table lists the Email Firewall regular expression operators and
their function.
C.3 Character Class Operators
The following table lists the character class operators, including special
characters, and the actions they perform. Characters beginning with the
backslash character (\) must be escaped.
Table C.2: Email Firewall Regular Expressions - Character Class
Character Class    Will match this
.                  match any single character that is not a line break. The only
                   two characters not matched by the regular expression (.) are
                   the carriage return (\x0D) and line feed (\x0A) characters.
\w                 match [_A-Za-z0-9]
\W                 match [^_A-Za-z0-9]
\d                 match [0-9]
\D                 match [^0-9]
[c1c2c3c4-c5]      match either c1, c2, c3, or any character in the range c4 to c5
Expression Structure
begin-line expression end-of-line-expression
begin-line (optional)
^exp               match exp if it is at the beginning of a line
expression
REGULAR-EXPRESSION (character classes and operators)
end-of-line-expression (optional)
exp$               match exp if it is at the end of the line (note: the new line
                   characters are not consumed by the scanner)
C.4 Tutorial Examples
These samples are not meant to be exhaustive, but are illustrative examples of
what will (or will not) be matched when a policy is defined using regular
expressions. Note the case sensitivity effect of enclosing the expression in
square brackets, as shown in row 5.
Table C.3: Email Firewall Regular Expressions Tutorial Examples
Expression         Matches                                    Does not match
(house)|(HOUSE)    exactly the same as previous row           exactly the same as previous row
                   of this table                              of this table
abc*               ab, abc, abcabc, abccCd, xyzabc            acb
a(bc)*             a, abc, abcbc, abcbcd, xyzabc              bc, ad
a(bc)?             a, abc, abcd, abcbcbcbc, xyzabc            ad
a(bc)?d            ad, abcd                                   abcbcd
(abc)+             abc, abcabcd, mabcabc
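The quoting rule in C.1, the character classes in C.2 and the tutorial rows above, checked with an added Python example (not Email Firewall code): a small translator from the dialect described in this appendix into Python's re module. It assumes that matching is an unanchored search within a line, which is how the tutorial rows read, and translates only the documented differences (the double-quoted literal form, and "." never matching CR or LF); everything else passes through unchanged. The Python results for the tutorial rows are what substring semantics give, which is not in every row what the table lists.

```python
"""Added example: translate the regular expression dialect of Appendix C
into Python re syntax so its rules can be exercised offline.  Assumes
unanchored search within a line (constructed interpretation of the tutorial)."""
import re


def to_python(expr):
    """Rewrite an Email Firewall expression into Python re syntax."""
    # C.1: "hi steve" in double quotes means the literal string, blanks included.
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return re.escape(expr[1:-1])
    out = []
    in_class = False
    i = 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):
            out.append(expr[i:i + 2])   # \*, \], \ , \s, \w ... pass through
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            c = r"[^\r\n]"              # Table C.2: '.' excludes \x0D and \x0A
        out.append(c)
        i += 1
    return "".join(out)


def compile_emf(expr):
    """re.ASCII keeps \\w, \\d and \\s at the ASCII definitions of Table C.2;
    re.MULTILINE makes ^ and $ line anchors, as the expression structure says."""
    return re.compile(to_python(expr), re.ASCII | re.MULTILINE)


def matches(expr, text):
    """True when expr matches somewhere in text (per line for ^ and $)."""
    return compile_emf(expr).search(text) is not None
```

The three spellings of "hi steve" from C.1 all compile to an expression that requires the blank, and the quoted form additionally neutralises operators, so "a.b" in quotes matches only a literal dot.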
D Creating Custom Reports
This appendix provides information about how Email Firewall reports interact
with the SQL Server database in generating reports, and provides procedures for
how to add new reports based on the specific needs of an organization.
The information provided here requires advanced-level understanding of SQL
Server concepts and programming. To best apply the information described
here, you should also be thoroughly familiar with the Email Firewall Policy
Engine, Email Firewall default reports, and SQL Server database
administration. These procedures are not intended for use by an administrator
who is unfamiliar with SQL Server administration.
This appendix contains the following sections:
D.1 Creating and Installing a New Report ...................................... 694
D.2 Report Customization Section Selection ................................... 698
D.3 Parameter Field Order in the Report ....................................... 699
D.4 Report Categories ..................................................................... 701
For information on how to create reports and/or how to
interface these reports with the SQL database, refer to the
appropriate administrator’s guide for either Crystal Clear or
Crystal Reports depending on which reporting toolkit vendor
you are using.
3a. Call the following script using the stored procedure
mmsSpAddReportEntry:
exec mmsSpAddReportEntry 'name.Email Firewall.report.myReport', 'file.Email Firewall.report.myReport', 21
go
3b. mmsSpAddReportEntry:
Insert/update the report entry in the ReportList table. It takes
the parameters shown in :
Parameter Description
4. Whenever you add a report entry in the database with the resource string in
it, you must also add the string map to report.properties.
For design reasons, the locale string and the resource string are added to
the database, and the string maps must be placed in the resource files.
D.1.3 Example SQL Server Script for Adding Reports
Following is an example of a script used to add reports to the Email Firewall
database.
go
exec mmsSpAddReportEntry 'name.Email Firewall.report.specificSenderPolicyViolation', 'file.Email Firewall.report.specificSenderPolicyViolation', 37, 5, 'show.report.forThisSender'
go
-- Audit Reports
exec mmsSpAddReportEntry 'name.Email Firewall.report.directoryAndPolicyAudit', 'file.Email Firewall.report.directoryAndPolicyAudit', 5, 1
go
exec mmsSpAddReportEntry 'name.Email Firewall.report.singleUserDirectoryAndPolicyAudit', 'file.Email Firewall.report.singleUserDirectoryAndPolicyAudit', 37, 2, 'show.report.forThisAuditor'
go
D.2 Report Customization Section Selection
A single .jsp page is used to customize all the different kinds of Email Firewall
reports. The customization page is divided into sections, so for different
reports the customization page contains a different combination of those
sections.
REPORT_CUSTOM_SECTION_DATE_RANGE (0x01): This section is
for the user to choose date range for the report. This field is generally used for
all the reports.
REPORT_CUSTOM_SECTION_SUBTOTAL (0x02): This section is for
the user to choose the interval period (by hour, day, week, etc.) This section is
often used for the volume report.
REPORT_CUSTOM_SECTION_TITLE_TEXT (0x04): This section is for
the user to input the title and organization information for the report. This
section is generally used in every report.
REPORT_CUSTOM_SECTION_VIEWER_TYPE (0x08): This section is
currently not used, because Crystal Clear only supports one viewer type.
REPORT_CUSTOM_SECTION_RECORD_SELECTION_SORTING
(0x10): This section is for the user to choose the sort order. It is often used in
the FrequentXXX type report.
REPORT_CUSTOM_SECTION_SINGLE_FIELD (0x20): This section is
for the user to input the specific field information for doing the report. For
example, “Message Volume Report for a Specific Recipient”, is for the user
to input the recipient’s email address for the report.
When adding the new custom report:
1. decide which sections you want to display
2. add up the values of those sections to obtain the value of the
@customizationSection parameter for mmsSpAddReportEntry.
D.3 Parameter Field Order in the Report
The reporting commands Email Firewall passes to Crystal Clear use URL
commands. In the URL, the parameters are passed by index, not by name.
The parameters look like prompt0=xxx&prompt1=xxx, etc., so it is very
IMPORTANT that the parameters passed through the URL match the parameters
in the report, in the same order. Otherwise, you will run into unexpected errors.
Following is an example of the algorithm used in the Web Administration
service to build the parameters.
// Prompts are positional (prompt0, prompt1, ...), so the order of the
// sections below is the order the report's parameter fields must have.
static String buildParameters( boolean hasTitleSection,
                               boolean hasDateRangeSection,
                               boolean hasSubtotalSection,
                               boolean hasSortSection,
                               boolean hasSingleFieldSection,
                               String companyName, String reportTitle,
                               String startTime, String endTime,
                               String interval, String recordCount,
                               String sortOrder, String singleFieldValue ) {
    StringBuffer parameters = new StringBuffer( 900 );
    int promptIndex = 0;
    if ( hasTitleSection ) {
        String prompt = "&prompt" + promptIndex++;
        parameters.append( prompt )
                  .append( "=" )
                  .append( companyName );
        prompt = "&prompt" + promptIndex++;
        parameters.append( prompt )
                  .append( "=" )
                  .append( reportTitle );
    }
    if ( hasDateRangeSection ) {
        String prompt = "&prompt" + promptIndex++;
        parameters.append( prompt )
                  .append( "=" )
                  .append( startTime );
        prompt = "&prompt" + promptIndex++;
        parameters.append( prompt )
                  .append( "=" )
                  .append( endTime );
    }
    if ( hasSubtotalSection ) {
        String prompt = "&prompt" + promptIndex++;
        parameters.append( prompt )
                  .append( "=" )
                  .append( interval );
    }
    if ( hasSortSection ) {
        String promptRowCount = "&prompt" + promptIndex++;
        parameters.append( promptRowCount )
                  .append( "=" )
                  .append( recordCount );
        String promptSortOrder = "&prompt" + promptIndex++;
        parameters.append( promptSortOrder )
                  .append( "=" )
                  .append( sortOrder );
    }
    if ( hasSingleFieldSection ) {
        String promptSingleField = "&prompt" + promptIndex++;
        parameters.append( promptSingleField )
                  .append( "=" )
                  .append( singleFieldValue );
    }
    return parameters.toString();
}
For this example, a custom report has a title, date range and subtotal section. The
report’s internal parameters are named. Based on the above algorithm, the named
parameter fields in the report template must be in the following order:
1. CompanyName
2. ReportTitle
3. StartTime
4. EndTime
5. IntervalPeriod
If you need additional information to interpret this example, please consult your
organization’s SQL Server administrator or your Tumbleweed Technical
Support representative.
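The section bitmask from D.2 and the positional prompt order from D.3, expressed together in an added Python example; this is not Email Firewall or Web Admin code. It assumes that the third argument of mmsSpAddReportEntry in the D.1.3 script is @customizationSection (so the values 37, 5 and 21 seen above are decoded by it), that the field names RecordCount, SortOrder and SingleField are the names of the prompts the sort and single-field sections contribute (the page names only the first five), and it URL-encodes the prompt values, which the Web Admin fragment above does not show.

```python
"""Added example: customization section mask (D.2) and prompt order (D.3).
Assumptions: the third mmsSpAddReportEntry argument is @customizationSection;
RecordCount, SortOrder and SingleField are assumed field names; values are
URL-encoded here."""
from urllib.parse import quote_plus

# Section flags from D.2, in bit order.
SECTIONS = {
    "DATE_RANGE": 0x01,
    "SUBTOTAL": 0x02,
    "TITLE_TEXT": 0x04,
    "VIEWER_TYPE": 0x08,
    "RECORD_SELECTION_SORTING": 0x10,
    "SINGLE_FIELD": 0x20,
}

# Order in which the Web Admin algorithm emits prompts, with the parameter
# field names each section contributes.  This is NOT the bit order:
# TITLE_TEXT (0x04) is emitted before DATE_RANGE (0x01).
PROMPT_ORDER = [
    ("TITLE_TEXT", ["CompanyName", "ReportTitle"]),
    ("DATE_RANGE", ["StartTime", "EndTime"]),
    ("SUBTOTAL", ["IntervalPeriod"]),
    ("RECORD_SELECTION_SORTING", ["RecordCount", "SortOrder"]),   # assumed names
    ("SINGLE_FIELD", ["SingleField"]),                             # assumed name
]


def section_mask(names):
    """Add up the flags of the chosen sections: the @customizationSection value."""
    mask = 0
    for name in names:
        mask |= SECTIONS[name]
    return mask


def sections_of(mask):
    """Decode a @customizationSection value back into section names."""
    return [name for name, bit in SECTIONS.items() if mask & bit]


def prompt_order(mask):
    """Parameter field names in the order the report template must declare them."""
    names = []
    for section, fields in PROMPT_ORDER:
        if mask & SECTIONS[section]:
            names.extend(fields)
    return names


def build_query(mask, values):
    """Build '&prompt0=..&prompt1=..' in prompt order; values are URL-encoded."""
    parts = []
    for index, name in enumerate(prompt_order(mask)):
        parts.append("&prompt%d=%s" % (index, quote_plus(str(values[name]))))
    return "".join(parts)
```

Decoding the D.1.3 script with these functions, 37 selects the date range, title and single-field sections (which is why that report is named "for this sender"), and 5 selects only date range and title; the worked example in D.3 (title, date range, subtotal) is mask 7.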
D.4 Report Categories
There are different types of reports, grouped into the following categories:
• Volume Report: Attachment, Message Volume, Virus Type and Count, and
Attachment Volume for a specific extension type.
These reports are based on the summary tables. The summary tables are
the data Email Firewall summarizes on an hourly basis from the report
detail tables. The intention is for the summary table to persist without
taking up too much disk space.
Index
Symbols address lists
advanced add 266
"A" records, searching for 47 creating 265
.rar file detection, limitations 644 defined 265
example 266
A format required 267
wildcards 266
A records 46 wildcards caution 266
accepting SPN links 465 administration overview 7
accounts administrative security 9
setting up administrator accounts 21
administrative tasks, generally 343
actions
administrator accounts
backup actions in policies 209
preferences 31
dispositive actions in policies 208
setting up 21
in policies 208
Adobe 651
in policies, defined 204
informational actions in policies 208 Advanced Add
message action hierarchy 233 attachment lists names and types 270
resetting queue actions 121 character set required 262
setting up quarantine queue aging actions 122 in address lists 266
setting up queue actions 120 in word lists 263
setting up retry intervals 124 using with tags 277
severity of 235 Advanced Add, word lists and regular expressions 260
severity, affects of 235 aging, in quarantine queue 119
transformational actions in policies 208 aging, quarantine queue 122
active content in html, detecting 310 aging, specifying in quarantine queue 122
Active Directory, only Authenticated Account access All folder
540 described 223
adding an alternate DNS server 41 function and policies 246
adding custom X-headers to messages 315 Allow Security Stripping policy 388
adding policies to directory objects 302 alternate host for critical notifications 289
address annotating all outbound mail with a disclaimer,
using as catch or exclude condition 211 example 282
annotations automatic lookup of user certificates 381
"Outbound Disclaimer" example 284 auto-responding to SPN link requests 461
clean stamp 217 auto-responding to SPN link requests, steps 463
defined 278
global 279 B
skipping annotation text 281
using placeholders in annotation text 281 Backup Actions, in policies 209
using placeholders in global annotations 280 backups in queues, troubleshooting 327
annotations not skipped 325 Basic Mail Filtering - Outbound Size Deferral 248
anti-spam strategies, generally 329 Basic Policy Types 211
applying policies, general rules 245 BCC recipients, isolating on separate copies of message
Archive, setting up 88 95
ASCII armored key file 400 best match algorithm 66
associating an email address with a certificate 413 best match algorithm and wildcards, for SMTP Relay
associating self-signed certificates 413 66
attachment lists bounce action 62
described 268 bounced notifications, deleting 44
file types 269 browser sessions, using multiple instances 11
wildcards 270 browser settings preferences 32
wildcards caution 270
Attachment Volume and Size 617 C
Attachment Volume for Attachment Type 619
cached CRL DPs 421
Attachment Volume for Specific Recipient 627
Catch Conditions, in policies 206
Attachment Volume for Specific Sender 628
catch conditions, using address 211
attachments
catching mail that is not encrypted but should be 525
detection of infected 217
categorization of spam 340
detection of long file names in 251
Centralized Event Logging and Reporting 101
EXE block policy 250
file-stripping policies, using 303 certificate responder, enabling for proxy security 479
Multimedia Attachments Deferral policy 251 certificate SubjectAltName field, email address in 424
security stripping of 388 certificates
using file stripping policy on 215 associating email address with 413
Attachments Policy Types 215 associating self signed 413
automatic certificate association 382
Attribute Mapping
automatic lookup 381
in LDAP import 536
cached CRL DPs 421
Audit Reports 629 certificate responder 479
Audits, setting logging for 188 CRL checking 500
Authenticated Account access for Active Directory Direct Trust, defined 412
540
authenticity of certificates 495
auto certificate association policy, usage 382
auto certificate association, and new certificates 383
AutoCAD 651
automatic certificate association, overriding 493
automatic certificate lookup, overriding 381
automatic downloads, virus pattern files 83
dynamic lookup 496 cluster environment EMFSave requirement 594
exchange and verify certificates for proxy code sets and word lists 666
security, example 495, 517 command line program tools 560
exporting 435 Compressed Files 645
exporting certificates and root keys 436 conditions not configured properly 324
generating 433, 442
conditions, using in policies 206
how they become invalid 401
confidence level 340
importing 495
confidence X-headers 341
new, and auto certificate association 383
obtaining CRLs overview 419 configuring
overrides of LDAP lookup certificates 381 a mapping for LDAP Import 548
overriding automatic certificate association 493 a query for LDAP Import 545
overriding automatic certificate lookup 381 a Secure Public Network 458
PrivateKeyWizard, using the tool 438 proxy security, example 474, 504
proxy security and invalid server certificates, SPNs 458
effects 402 Contact Information, Tumbleweed xxviii
proxy security, exporting certificate root key 478 content type 340
proxy, overview 414 content X-header 341
publishing as a root key 436 Convert UUencoded Attachments to MIME Format
removing or renewing 582 216
rolling over invalid or expired certificates 497, copy and restore options, required selections 595
519 copying messages with EMFSave 595
rollover checklist overview 404 Corel Draw 651
rollover of local certificates 497, 519 corrupted filter, removing 353
rollover overview 403 create and manage security 432
self-signed 412
creating a custom header 469
server, use in proxy security 413
creating a new Local Secure Domain, steps 459
third party certificate requirements 398
third-party 398 creating a new policy, example 296
TLS and MX record issues 55 creating a plaintext access policy for recipient 521
Trust According to Certificate Status, defined 412 creating a plaintext access policy for sender 523
trust concepts 412 creating a policy to check for successful SPN 467
updating local certificates 497, 519 creating an Event ID 194
usage in proxy security 479 creating and editing policies, generally 255, 329
verifying authenticity 495 Creating LDIF Files 555
character sets and importing lists 262 creating proxy security policies, examples 480, 507
characters and code sets, defined 664 critical notifications, specifying an alternate host 289
checking for SPN link requests 465 CRL checking 500
checking for SPN link response 465 CRL downloads
Clean Stamp policies 217 specifying the HTTP Proxy Server 502
cleaning up the directory CRL source and download schedule 501
for LDAP Import 558
client encryption and signature policies, creating 528
Client Encryption and Signature policy 385
Client Encryption and Signature policy, example 480
client-to-client security 385
how to set up 521
plaintext access policies 387
CRLs deferring message delivery 248, 250
checking order 421 defining Local Secure Domains 458
downloads overview 420 definitions, policy 204
manually downloading 502 delay and non-delivery notifications from SMTP relay
models for obtaining 419 48
overview of scheduling downloads 420 delayed messages, notifying sender 124
precedence of CRLs 421 deleting bounced notifications 44
scheduled downloads and the Download service
deleting quarantined messages 145
420
Delivery Status Notifications (DSNs) 46
trusted root key required 420
denial of service attacks, and SMTP relay settings 37
custom header, creating for SPN policy 469
Detect cert-query policy 482
custom reports 693
Detention queue 116
Customizing Audit Reports 634
digital signatures 495
Customizing Frequency Reports 632
Directory
Customizing Reports 630
default structure 223
Customizing User Reports 633 folders in 223
Customizing Volume Reports 631 importing users 532
objects contained 220
D Directory and Policy Audit 629
Directory and Policy Audit by Administrator 629
data in the EMF database, how stored 666
Directory Audit 629
data sources, in LDAP import 535
Directory Audit by Administrator 630
database
Directory Import
tables affected by updates 351
Active Directory Authenticated Account access
tables updated 352
540
database connection, Quarantine queue and inbound attribute mapping 536
messages 135 cleanup 551
database data, how stored 666 cleanup directory 552
Database Files 645 configuring a query 545, 548
Dead Letter queue 116 internal source identifier 538
decomposition error event ID 6082 670 LDIF files 555
decomposition errors 246 mappings 535
decomposition failures and large embedded files 644 overview 534
decomposition of embedded files, time limitation 644 performing the import 552
preview changes 550, 552
Decompression Errors policy 246
process 550
Default Directory Structure 222
process of events 550
default domain record saving the import log 553
location in External folder 223 scheduling imports 553
using 220 sequence 539
default domain records 221 tools 532
default policies viewing the import log 553
described 245 Directory Import, using Clean Up Directory checkbox
Default Policies and Folders, overview 245 558
default policies, viewing 296 directory object has not inherited a policy 324
default recipient locale, explained 665 directory tool, find user 532
Defer queue 116 Directory Tools 532
directory, entries for proxy security 494, 516 E
disabling policies 237
disabling the policy engine 35 Email Firewall Main Menu 12
disclaimers embedded files too large cause decomposition failure
adding to all messages 279 644
annotating all outbound mail, example 282 EMF Administration overview 7
using placeholders in 280 EMF Directory
disclaimers in outbound mail, example procedure 284 objects in 220
dispositions policy inheritance in 324
applying most severe, in policy actions 235 EMF events, when logged as Windows event 198
dispositive actions, in policies 208 EMF service restarts, set to automatic 21
DNS Blackhole Lookups (DNSBLs), specifying 42 EMF Services Status 19
DNS server, adding 41 EMFSave
Document Files 646 saving messages in the queues 595
domain record EMFSave and missing files 601
using 220 EMFSave copy and restore options, required selections
domain records 595
default 221 EMFSave database temporary files, and cluster
location in Internal folder 223 environments 594
overview 221 EMFSave in a cluster environment 601
domains enabling and disabling the policy engine 35
records for 220 enabling policies 237
setting security for, in SPNs 466 encrypted messages
download analysis of 339
events 352 encryption and digital signatures, creating stripping
failures 352 policies 524
files and database tables 352 encryption and signature, policies to monitor message
manual downloads 353 state 528
Download service and CRLs 420 error handling 347
downloading CRLs 501 internal error and message disposition 340
Drawing Files 647 errors, decomposition 246
duplicate notifications, how to prevent 292 errors, decompression 246
Dynamic Anti-spam service Event IDs
manual updates 353 creating 194
performance counters 348 defined 295
Dynamic Anti-spam Update Service using placeholders in 197
maintenance 353
Dynamic Anti-spam Update service
download file format 351
overview 351
purpose 351
dynamic lookup of certificates 496
event log
audits 188
configuration 187
custom event IDs for 194
filters for 192
filters, creating 192
logging level for reporting 186
overview 190
policy action events 194
policy engine options 187
setting up event logging 186
settings 194
events
downloads 352
logging 351
when logged as Windows events 198
exact matching, setting up in SMTP relay 65
exchange and verify certificates, example for proxy
security 495, 517
exclude condition, using address 211
Exclude Conditions, in policies 207
EXE Blocking policy 250
Executable Files 647
expected behaviors with non-ASCII text 671
exporting the certificate and root key 435, 436
exporting the Certificate Root Key, for proxy security
478
External Folder 223
External folder
described 223
function and policies 248
External-to-External mail routing, disallowing 59
extraction of text and unmapped characters 670
extraction of text from message content 669
F
false positives
how to submit to the lab 359
how to submit using Web Admin 359
false positives, submitting samples generally 356
File 655, 656, 657, 658
file attachment stripping
and viruses 215
policy, defined 215
File Attachment Stripping – Decompression Errors 246 G
File names and file types, understanding in attachment
gateway-to-gateway security 369
lists 271
general rules about applying policies 245
file type lists provided 640
generating a certificate 433, 442
file types
global annotations 279
limitations 644
global policy settings
file types for attachment lists 269 archive 88
file types recognized 655 isolating BCC recipient messages 95
file types scanned 639 limitations in physical file scanning 93
files scanned marking text parts that use unsupported character
compressed files and embedded objects, issues sets 94
643 peak time 87
limitations 642 text scanning options 91
password protection and 649 Groups 651
files types recognized
default lists provided 640 H
file-stripping policies, how they work 304 harvesting
filters S/MIME certificates 394
corrupted filter removal 353 headers
filter version 353 added by the engine 340
troubleshooting update failures 354 message categorization 340
using 192 Headers Type Policies 218
Find user 532 health information, preventing inadvertent sending 252
Find User tool 532 hiding the product name and version number 40
finding policies 296 Hierarchy of Message Actions 233
Folders 221 HIPAA lexicon 252
hoaxes, blocking 247
folders
host name, where used 77
All folder 223, 246
How Severity of Action Affects Policy Enforcement
External folder 223, 248
235
Internal folder 223, 248
HTML Mobile Code, detecting with policies 310
objects in directory 220
html tags, scanning 296
forwarding SPN link requests 464
HTTP Proxy server, specifying for CRL downloads
Frequency Reports 624 502
Frequent Policy Violation 624
Frequent Receiving Domains 624 I
Frequent Recipient Policy Violation 624
Frequent Sender Policy Violation 625 Image Files 648
Imperfect SPN Message Received policy 372
Frequent Sending Domains 625
Import Directory, overview of LDAP Import 534
Frequent Virus Sender 625
Import, performing the LDAP import 552
Frequently Detected Virus 624
importing
full filegroups, increasing size 139 certificates 495
full SQL filegroups, and SMTP relay 76 PGP keys 579
full SQL Server file groups 327 private keys from a PKCS#12 file 574
importing LDAP users 532
importing lists 262
importing third-party certificates, concepts 397
importing third-party certificates, using PrivateKeyWizard tool 438
importing third-party PGP key pair, concepts 400
importing user records, limitation 540
inbound mail
  how to stop 34
  stopping 36
Inbound Mail Characteristics 624, 625
Inbound Mail Characteristics report 627
Inbound Policy Violations report 628
Inbound queue
  troubleshooting backups 139
Inbound queue, stopping the relay from accepting messages 119
Inbound Size Deferral policy 250
increasing the file size for full filegroups 139
Infected Message (Recipient) policy 250
Infected Message (Sender) policy 250
Infected Message policy 217
informational actions, in policies 208
inheritance, how policy inheritance works, example 237
installation
  recovery options set 348
Intended Audience 2
internal error, message disposition 340
Internal Folder 224
Internal folder
  described 223
  function and policies 248
internal networks
  message processing 340
Internal Source Identifier, in mappings 538
Introduction 1

J
Japanese text on word lists, word lists
Japanese text treatment 667

K
key pair and certificate, generating 433, 442
key pairs
  determining size 409
  private key 408
  public key 408

L
large message processing 338
LDAP
  source for certificate lookup 381
LDAP Import
  Applying Directory Modifications 553
  Clean Up Directory 551
  cleaning up the directory 558
  cleanup directory 552
  Currently Requested Directory Modifications tab, information in 552
  default attribute mapping 536
  Import Now 552
  import steps, configuring a query 545, 548
  internal source identifier 538
  LDAP Import Log File tab, information in 553
  limitation on importing 540
  overview 534
  Preview Changes 550
  preview changes 552
  process 550
  Saving Log as File 553
  scheduling 553
  sequence 539
  using 532
  using LDIF files in 555
  View import log 553
  what happens 550
LDAP import
  performing the import 552
LDIF files
  attribute filtering 555
  steps in creating 555
  using 555
  using in LDAP Import, steps 556
license and version number, location 14
locking policies, caveat 238
line breaks in a Japanese word string, and encoding NONE 676
lists
  address lists 265
  and character sets 262
  attachment lists 268
  attachment lists file types 269
  behavior in queue filtering 128
  creating a new tag 275
  double-checking configuration 327
  importing 262
  not configured correctly 327
  overview 256
  types of 257
  updating 327
Local MX Hosts configuration 41
local secure domain, defining 458
Local Secure Domains, overview 370
locking policies 237
logging events
  filters for 192
  settings 194
Logging In 10
logging level for reports 186
Long Filename Quarantine policy 251
Lotus 123 652

M
mail
  queues, described 116
mail routing rules
  setting up exact matching 65
manual CRL downloads 502
Mappings, in LDAP import 535
Mappings, internal source identifier 538
Melissa virus, quarantining 305
message actions, hierarchy 233
message backlogs, increasing filegroup size 139
message content, how extracted 669
message disposition
  and internal errors 340
Message Header Fields, list of 219
message headers, removing 219
Message Protection Lab overview 355
Message Queues Status 17, 114
message size limit, setting in SMTP Relay 37
Message Volume and Size 617
Message Volume for Specific Recipient 627
Message Volume for Specific Sender 628
message/partial MIME type 247
messages
  adding internal mail to processing 346
  address as a catch or exclude condition 211
  automating spam submittals 357
  avoiding loops in policy-based routing 99
  encrypted or SPN 339
  enhanced content scanning 93
  from internal networks, processing 340
  from Secure Response, processing 338
  headers added 340
  how to submit false positives 359
  how to submit false positives using Web Admin 359
  large message processing 338
  moving from quarantine queue 134
  moving from spam queue 345
  notification to sender of message delay 124
  processing by the engine, overview 337
  processing large messages 346
  processing time for 348
  refused by the Policy Engine 139
  stopping inbound messages 138
  stuck in the Outbound queue 141
  submitting unmarked spam generally 357
Microsoft DTC, enabling 102
Microsoft Excel 652
Microsoft Network DTC Access, enabling 102
Microsoft PowerPoint 652
Microsoft PowerPoint with Macros 652
Microsoft Word 652
mobile code, detecting 310
modifying the SMTP Relay Session Welcome and Postmaster information 40
monitoring messages based on their state of security 528
Most Frequent External Receiving Domains 619
Most Frequent External Receiving Domains report 619
Most Frequent External Sending Domains 619
Most Frequent External Sending Domains report 619
Most Frequent Internal Recipients 617
Most Frequent Internal Recipients report 617
Most Frequent Internal Senders 617
Most Frequent Internal Senders report 617
Multimedia Attachments Deferral policy 251
Multimedia Files 648
multipart/partial messages, policy to block 247
multipart/signed messages not caught 326
multiple browser sessions, how to use 11
multiple word lists, cautions 260
MX record and TLS validation 55
MX records 46

N
Naming policies 206
negative weights in word lists 261
non-English text, issues 667
non-spam, submitting samples generally 356
Non-SPN Message Received From a SPN Domain (Inbound) policy 372
Normalize Email Addresses in MIME Headers policy 219
notifications
  alternate host for critical notifications 289
  avoiding duplicates 292
  Bcc message recipients, and Original Message Recipients option 291
  creating 290
  defined 287
  deleting bounced notifications 44
  double-checking address 327
  from the SMTP relay 48
  Original Message Recipients, how determined 291
  placeholders 291
  text length 290
  using placeholders in 291

O
off-peak hours 248, 250
open relay, preventing 50
OpenPGP
  and Email Firewall 368
  ASCII armored key file 400
  harvesting PGP keys 394
  PGP Key Responders overview 395
OpenPGP Overview 365
OpenPGP overview 368
OpenPGP proxy security
  sample procedures 504
Other Documentation 4
outbound mail
  how to stop 34
Outbound Mail Characteristics 627
Outbound Mail Characteristics report 627
Outbound Message Archival policy 251
Outbound Policy Violations 628
Outbound Policy Violations report 628
Outbound queue
  troubleshooting backups 141
Outbound Size Deferral policy 248
Overview of anti-spam methods 330

P
Paradox 653
Partial Message Block policy 247
Partition relay, function 33
password protected files, and scanning 649
Password-Protected Files 649
pattern files 326
pattern files updating 326
Peak Time, setting up 87
performance counters
  messages processed 348
  setting up 349
  starting and stopping 350
performing the LDAP Import 552
Personal Quarantine Manager 142
PGP
  trust model 408
PGP key
  importing 579
  removal or renewal 582
PGP keys
  default expiration 407
  harvesting 394
  rollover 407
placeholders
  in annotation text 281
  in Event IDs 197
  in global annotations 280
  in notifications 291
Plaintext Access policies 387
plaintext access policy, creating for recipient 521
plaintext access policy, creating for sender 523
policies
  action, severity of 235
  actions, types of 208
  actions, using 208
  adding custom X-headers to messages 315
  adding to directory objects 302
  All folder 246
  applying to directory objects 319
  applying to internal users, example 301
  attachments types, overview 215
  backup actions 209
  basic types, overview 211
  building blocks 256, 330
  catch conditions 206
  catching health information 252
  checking actions in 325
  checking conditions in 324
  checking exceptions in 325
  clean stamp uninfected messages 217
  conditions not configured properly 324
  conditions, using 206
  configuration errors 324
  creating a custom header for SPN 469
  creating a new policy example 296
  creating with X-headers 315
  default policies 296
  default, described 245
  Detect cert-query, for proxy security, example 482
  disabled 324
  disabling 237
  dispositive actions 208
  editing default policies to scan html tags 296
  enforcement of 235
  event log actions 194
  exclude conditions 207
  exclude conditions not configured properly 325
  External folder 248
  file-stripping, using 303
  general example 205
  general rules about applying 245
  HIPAA Compliance 252
  how severity of action affects 235
  how to test 320
  imperfect SPN message received 372
  infected message 217
  informational actions 208
  inheritance 324
  inheritance example 237
  inheritance, explained 237
  Internal folder 248
  locking 237
  locking, caveat 238
  log actions 194
  Melissa virus text policy 305
  multiple policies invoked 235
  multiple policy actions, hierarchy 235
  new viruses 305
  Non-SPN Message Received from SPN Domain (inbound) 372
  normalize email aliases in MIME headers 219
  override example 238
  overrides, explained 237
  overview 204
  plaintext access 387
  planning considerations 253
  policy applied to wrong folder 324
  policy enabled at wrong directory level 324
  preventing overrides, example 238
  protection against new viruses 305
  Proxy Decrypt and Verify, for proxy security, example 484, 510
  random selection 213
  recipient versus sender 325
  remove hostnames and subdomains from MIME headers 219
  remove MIME headers 219
  security types list 217
  should be recipient (or sender) 325
  similar actions in 325
  SPN types 372
  summary of 209
  to check for successful SPN 467
  transformational actions 208
  troubleshooting 324
  unable to encrypt and sign to SPN domain 372
  using address as catch or exclude condition 211
  using Find 296
  using X-headers in 316
  virus-stripping, using 303
Policies Applied to the All Folder 246
Policies Applied to the External Folder 248
Policies Applied to the Internal Folder 248
Policy Action Events, setting logging for 194
policy applied to wrong folder 324
Policy Audit 629
Policy Audit by Administrator 630
policy building blocks 256, 330
policy building tools 253
policy definitions 204
policy disabled 324
policy enabled at wrong directory level 324
Policy Engine
  enabling and disabling 35
  setting logging for 187
policy engine
  and troubleshooting policy enforcement 326
Policy example 205
policy inheritance, example 237
policy override, example 238
policy overview 204
Policy Violation for Specific Recipient 628
Policy Violation for Specific Sender 628
Policy, defined 204
policy-based routing
  and infinite message loops 99
Postmaster Information, modifying 40
PQM
  Quarantine Summary Notifications, see also, QSNs 144
  server health check for administrators 146
PQM Server
  overview 143
  protocols 143
Presentation Files 649
preventing non-secure messages from being sent 525
preventing policy overrides, example 238
Printing and Saving Reports 635
Printing Reports 635
private keys, size limit 438
PrivateKeyWizard tool 397, 400
PrivateKeyWizard tool, using 568
PrivateKeyWizard, using the tool 438
processing time for messages 348
Product Updates 109
program tools
  command line tools 560
  EMF Update Service 602
  EMFSave 592
  EMFSave in a cluster environment 601
  MMSLDIFImportConfig 560
  PrivateKeyWizard 568
protocol, SMTP over TLS 374
proxy certificate usage and certificate responder, enabling 479
proxy certificates 495
  use in proxy security 414
Proxy Decrypt and Verify policy 384
Proxy Decrypt and Verify policy, example 484, 510
proxy decryption, in security 380
Proxy Encrypt and/or Sign policy 384
proxy encryption, in security 379
proxy security
  associating email addresses in 413
  associating self-signed certificates 413
  checklist for setting up 474, 504
  Client Encryption and Signature policy example 480
  completing, example 496
  creating a folder for user record 494, 516
  creating a user record 494, 517
  creating user records for 494, 516
  Detect cert-query policy, example 482
  exchange and verify certificates, example 495, 517
  exporting certificate root key 478
  invalid server certificates, effect 402
  policy examples 480, 507
  proxy certificates in 414
  Proxy Decrypt and Verify policy example 484, 510
  proxy decryption 380
  proxy encryption 379
  proxy signature 380
  proxy verification 380
  sample procedures 474
  server certificates in 413
proxy signature, in security 380
proxy verification, in security 380
publishing the server certificate as a root key, steps 436

Q
QSNs
  message content 144
  message X-header added 145
  messages included in 144
  new, contents of 145
  recipient access to quarantined messages 145
  reply address displayed 144
  Web responses to requests 146
Quarantine queue
  moving messages 134
quarantine queue
  specifying aging parameters 122
Quarantine queue, about 116
quarantined messages
  when deleted 145
quarantined messages, recipient access to 145
Quattro/Quattro Pro 653
queries, in LDAP import 535
queue filtering, using lists in 128
queue, moving messages out of 345
queues
  configuration 119
  limitation on search results 126
  quarantine queue aging 122
  resetting queue actions 121
  retry queue, setting retry intervals 123
  retry queue, setting up retry intervals 124
  setting up quarantine queue aging actions 122
  setting up queue actions 120
  troubleshooting backups 327
Queues, status 17, 114

R
random selection 213
randomize order of MX hosts 47
recipient policies, applying 325
recovery options 348
Redirect queue 116
regular expressions 683
regular expressions, incorrect usage events 685
regular expressions, operators and their function 686
relay
  stopping the relay from accepting incoming messages 119
Relay Host name
  specifying a common name 39
relay messages 77
relay service host name, where used 77
relay, adding a DNS server 41
Remove Host Names and Subdomains from MIME Headers policy 219
Remove MIME Headers policy 219
removing or renewing a certificate or PGP key 582
reports
  event logging level required 611
  Inbound Mail Characteristics 627
  Inbound Policy Violations 628
  logging level required 186
  Most Frequent External Receiving Domains 619
  Most Frequent External Sending Domains 619
  Most Frequent Internal Recipients 617
  Most Frequent Internal Senders 617
  Outbound Mail Characteristics 627
  Outbound Policy Violations 628
  spam volume 621
Requesting an SPN Link, steps 461
requirements for third-party server certificates 398
resetting queue actions 121
responding to SPN link requests, steps 463
restore components missing from backup file 601
Resume Block policy 251
retry interval, in retry queue 120
Retry queue 116
retry queue
  notification to sender of message delay 124
retry queue, setting retry intervals 123
rolling back filter version 353
rollover of expired certificates 497, 519
root key, exporting 435
root key, publishing 436
root keys
  purpose 383
root keys, exporting 436
Rules, in policies, defined 204

S
S/MIME
  and Email Firewall 366
  Certificate Responders overview 395
  harvesting certificates 394
S/MIME Overview 365
S/MIME security
  Certificate Authorities 417
  establishing trust relationships 416
saving configuration and directory data 595
saving messages in the queues 595
Saving Reports 636
scanning html tags 296
scanning limitations 642
scheduling CRL downloads 501
scheduling CRL downloads, overview 420
scheduling LDAP imports 553
search queues limitation 126
Secure Messenger description 108
Secure Response service message processing 338
security
  administrative 9
  certificate removal or renewal 582
  certificate rollover checklist 404
  certificate rollover overview 403
  Client Encryption and Signature policy example 480
  client-to-client 385
  client-to-client, setting up 521
  completing the proxy security exchange, example 496
  creating a recipient plaintext access policy 521
  creating a sender plaintext access policy 523
  Detect cert-query policy, example, for proxy security 482
  enabling certificate responder 479
  exporting certificate and root key 435
  gateway-to-gateway 369
  generating a certificate 433, 442
  LDAP lookup and manual association of certificates 381
  OpenPGP overview 365
  PGP key removal or renewal 582
  policies to monitor messages based on security state 528
  policy types, listed 217
  prerequisites 431
  private key size limitation 438
  Proxy Decrypt and Verify policy example, for proxy security 484, 510
  proxy decryption 380
  proxy encryption 379
  proxy security, proxy certificates in 414
  proxy security, server certificates in 413
  proxy signature 380
  proxy verification 380
  rolling over certificates 497, 519
  S/MIME overview 365
  server-to-client, overview 375
  server-to-client, setting up 474, 504
  setup questions 431
  setup, overview 430
  UI functions 432
  unencrypted message filter policy issues 527
  updating local certificates 497, 519
  user records in proxy security 494, 516
see also, PQM 142
self-extracting zip files, limitation in scanning 644
self-monitoring of services 348
sender policies, applying 325
sender-based unencrypted message filter issues 527
Sensitive Info Review policy 252
server certificate, exporting 435
server certificate, publishing 436
server certificates, using third-party 398
server-to-client PGP security, configuring 504
server-to-client proxy security
  understanding 375
server-to-client security, configuring 474
server-to-client security, understanding 375
service
  recovery options 348
  self-monitoring 348
Session Welcome, modifying 40
setting security for the domain 466
Setting Up Administrator Accounts 21
Setting Up Administrator Preferences 31
Setting up Centralized Event Logging and Reporting 101
Setting Up Global Policy Settings 87
Setting up Product Updates 109
Setting Up Queues 105, 109, 116
Setting Up Relay Centers
  Relay Centers, setting up 32
Setting Up Virus Scanning Options 80
signed messages not caught 326
slack space, scanning of 93
SMTP
  A records 46
  MX records 46
SMTP and SSL 373
SMTP Relay
  adding an alternate DNS server 41
  delay and non-delivery notifications 48
  delay and non-delivery notifications, explained 48
  enabling Delivery Status Notifications (DSNs) 46
  full SQL Server file groups 76
  hiding the product name and version number 40
  Host Name configuration parameter, effect 77
  identification errors, troubleshooting 77
  illegal characters, using to avoid open relay blacklisting 43
  Local MX Hosts configuration 41
  mail routing rules best match algorithm 66
  randomize MX hosts option 47
  recipient limit, setting 37
  search for ’A’ records option 47
  service not accepting messages, troubleshooting steps 76
  Session Welcome and Postmaster Information, modifying 40
  setting message size limit 37
  setting up bounce action 62
  setting up exact matching for a domain 65
  specifying the Relay Host Name 39
SMTP relay
  partition function 33
  preventing open relays 50
  settings to prevent DoS attacks 37
  stopping inbound messages 138
spam
  anti-spam strategies, generally 329
  automating spam submittals to the lab 357
  categorization and message headers 340
  confidence 340
  confidence X-headers 341
  content 340
  content rating X-headers 341
  non-spam samples 356
  policies, creating 316
  relay settings to prevent DoS attacks 37
  samples, submitting 356
  Spam Analysis queue, moving messages 345
  submitting unmarked messages generally 357
Spam Analysis Engine
  error handling 347
  event log events 351
  message processing 337
  messages not analyzed by 338
  processing internal mail 346
  processing large messages 346
  rolling back a filter version 353
  scan performed 340
  three-strikes rule 347
spam volume report 621
SPN
  configuring 458
  creating a policy to check for, steps 467
  link requests, responding to, steps 465
  policies 372
  server-to-client, setting up 474, 504
  setting security for domain 466
SPN link requests
  accepting 465
  auto-responding to requests 463
  checking for 465
  forwarding requests 464
  setting up EMF to respond 463
  steps 461
SPN link requests and auto-respond 461
SPN links
  enabling 461
SPN or encrypted message analysis 339
Spreadsheet Files 650
SQL Server
  full file groups 327
  full filegroups stopping message processing 139
  SMTP Relay and full file groups 76
SSL and TLS 373
Stop the relay from accepting incoming messages 119
stopping inbound mail 36
Stopping Inbound or Outbound Mail
  how to 34
stopping the relay from accepting more messages 138
SubjectAltName field, in certificates 424
Summary, of policy 209
support, technical xxvii
System Status 14
system status
  Email Firewall Services 20, 104
  Info and Alerts 15
  Message Queues 17

T
tags
  Advanced Add 277
  archive tag 274
  creating 275
  queue tag 274
technical support xxvii
testing policies, procedure 320
text extraction 669
text extraction and non-ASCII text, how handled 671
text extraction and unmapped characters 670
text extraction and unsupported or unidentified code sets 669
text extraction, from attachments 669
Text Scanning Options, setting up 91
third-party certificates, import tool 438
third-party certificates, using for security 398
three-strikes rule 347
TLS
  certificate domain name match 80
  MX record with domain name required to validate certificate 55
  troubleshooting 80
TLS and SSL 373
TLS protocol 374
tools, find user 532
tools, for policy creation 253
transformational actions, in policies 208
troubleshooting
  annotations not skipped 325
  checking policy actions 325
  checking policy conditions 324
  checking policy exceptions 325
  common lists 327
  Inbound queue backups 139
  inbound queue backups 139
  inheritance 324
  notification address 327
  notification address is incorrect 327
  Outbound queue backups 141
  policy applied to wrong folder 324
  policy configuration errors 324
  policy disabled 324
  policy enabled at wrong level 324
  policy enforcement problems 324
  policy should be recipient (or sender) 325
  queue backups 327
  recipient versus sender policies 325
  SMTP Relay identification errors 77
  SMTP Relay policy enforcement not enabled 326
  SMTP Relay service 76
  SMTP Relay service is stopped 326
  virus pattern needs updating 326
  virus scan engine needs updating 326
troubleshooting policy enforcement 324
troubleshooting TLS 80
troubleshooting update failures 354
trust
  according to certificate status 412
  direct 412
  trusted root keys and CRLs 420
  trusting self-signed certificates 412
Tumbleweed contact information xxviii
tutorials
  action, severity of 235
  policy enforcement 235
Types of Reports 616

U
Unable to Encrypt and Sign to SPN Domain policy 372
Understanding Policy Inheritance and Overrides 237
unencrypted message filter policies, troubleshooting 527
Unencrypted Message Filter policy 385
unencrypted message filter policy, creating 525
uninfected messages, clean stamp 217
UNIX regular expressions 683
unmapped characters, how handled 670
updates
  and database tables 352
  database tables affected 351
  download file format 351
  failure due to MMSConfigData filegroup size 355
  failure due to transaction log size 355
  frequency 351
  manually checking for 353
  purpose 351
  troubleshooting 354
updating local certificates 497, 519
user certificates
  automatic lookup 381
user records
  and automatic certificate association, policy explained 382
  creating for proxy security 494, 516
  in proxy security 494, 516
  objects in directory 220
  overview 222
User Reports 627
users
  importing 532
  records for 220
  using 303
using folders 221
UUencode to MIME, policy conversion 216

V
verifying authenticity of a certificate 495
virus- and file-stripping policies 303
Virus Detected for Specific Sender 628
Virus Hoax Block policy 247
virus pattern file 80
virus pattern files
  enabling updates 83
Virus Policy Types, overview 217
virus scan engine 80
Virus Type and Volume 619
viruses
  and file attachment stripping 215
  defining policies for new viruses 305
  Melissa 305
  new, defining policies for 305
  text filtering policies to protect against 305
virus-stripping policies, using 303
Volume Reports 616

W
weighted word list, format required 260
weighted word lists
  and Advanced Add 260
  construction 260
wildcards
  caution using in address lists 266
  caution using in attachment lists 270
  caution using in word lists 260
  in SMTP Relay best match algorithm 66
  using in address lists 266
  using in attachment lists 270
  using in word lists 259
Windows Bitmap (BMP) 653
Word Lists
  HIPAA lexicon 252
word lists
  advanced add 263
  creating 263
  defined 258
  how data is stored 666
  regular expressions and illegal formatting 685
  using multiple lists 260
  using negative word weights 261
  weighted, construction 260
  weighted, format required 260
  weighted, using Advanced Add 260
  wildcards 259
  wildcards caution 260
  wordlist compilation error 685
word separators, limitations on handling non-English text 667
WordPerfect 653

X
X.509 certificates 367
X-headers
  applying policies to directory 319
  confidence 340
  content 340
  creating a policy using 315
  using in policies 316
X-headers, adding to messages 315