responsible for managing, monitoring, and generating reports for enterprise-wide messaging applications.
How This Book Is Organized
Chapter 1, “Introduction,” provides a product overview.
Chapter 2, “Deployment and Installation,” describes various scaling and tuning factors when deploying Proofpoint Protection Servers in a multi-server environment.
Chapter 3, “End User Digests,” provides suggestions on educating the user community and specific instructions for localization of end user Digests.
Chapter 4, “Security,” provides recommendations for securing the Proofpoint Protection Server or appliance.
Chapter 5, “Tuning and Configuration,” provides recommendations for miscellaneous system and cluster performance issues.
Chapter 6, “Maintenance and Troubleshooting,” provides recommendations specific to Quarantine and disk space management issues. The log database schema is covered in this chapter for administrators who import the Proofpoint log database into other databases for analysis.
Chapter 7, “Message Filtering,” describes how the filtering engines determine the final disposition of a message.
Chapter 8, “Command Line Interface,” describes the command line interface for several server and module management tasks.
Appendix A, “Log File Format,” describes the format for the log files.
Appendix B, “Alerts,” lists alert messages.
Conventions
This book uses the following typographic conventions:
• New terms and book titles appear in italic type.
• Text that you type is shown in bold courier font.
• Names of buttons, links, and interface elements appear in this font.
• Text that appears on the screen is shown in courier font.
• Names of keys on the keyboard appear with initial capitalization, such as the Enter key.
• Simultaneous keystrokes are joined with a hyphen. For example, “Press Alt-a.”
• Consecutive keystrokes are joined with a plus sign (+). For example, Esc+m.
Documentation Feedback
Please send your comments and feedback about this manual via email to [email protected].
Proofpoint strives to produce high-quality and technically accurate documentation. Please include the name of the document and the revision date with your email. Your feedback is greatly appreciated and will help us maintain our high standards for our product documentation.
Contents
Preface . . . 7
How This Book Is Organized . . . 7
Conventions . . . 7
Documentation Feedback . . . 8
Chapter 1 – Introduction . . . 15
Filtering Order for the Modules . . . 17
Message Processing Hub . . . 17
Interface Hub . . . 18
Message Disposition Hub . . . 18
Modules, Rules, Conditions, and Dispositions . . . 19
Terminology . . . 19
Message Connection State . . . 21
Quarantine and Incident Queue . . . 21
End User Digest . . . 21
Web Application . . . 21
Safe Senders/Blocked Senders List . . . 21
Spam Policies and Rules . . . 22
Centralized Management . . . 22
Chapter 2 – Deployment and Installation . . . 23
High Availability . . . 23
Deployment Options . . . 24
Master-Agent Cluster Architecture . . . 24
Use Case – Multiple Clusters in a University . . . 25
Full Redundancy with Directory Protection . . . 25
No Redundancy . . . 26
Redundancy without Directory Protection . . . 27
Scaling . . . 27
Failover Support . . . 27
Chapter 3 – End User Digests . . . 29
Educate the User Community . . . 29
Customize Digest Labels and Select a Language for Ease of Use . . . 31
Customize the Digest Layout . . . 32
Customize Digest Labels and Help . . . 32
Creating Unique Translations for the Digest . . . 32
Editing a .cfg file with a UTF-8 Compliant Editor . . . 33
POP3 Links versus HTTP Links for Digest Actions . . . 34
Commands for the Log Collection Service . . . .110
log_upload Usage . . . .110
Options. . . 110
Commands for Buffer Queue Management . . . .112
queued Usage . . . .112
Options . . . .112
Cloning an Agent . . . .112
clone_config Usage . . . .112
Options . . . .113
Publishing URLs to an External Web Page . . . .113
Embedding Report Data in an HTML Page . . . .113
Enabling a Quarantine Node . . . .115
Enable the Management Interface . . . .115
Add the Quarantine Node . . . .116
Performance Optimization . . . .116
Recovering a Quarantine Node . . . .116
Recovering a Master Proofpoint Protection Server . . . .117
Appendix A – Log File Format . . . 119
Log Entry Format . . . .119
Log File Naming . . . 120
Log Detail . . . 120
Service Level . . . 121
Session Level . . . 121
Message Level . . . 121
Encryption . . . 122
Appendix B – Alerts . . . 123
Glossary . . . 131
Index . . . 135
Chapter 1
Introduction
The Proofpoint Protection Server is a powerful software application that integrates virus protection, spam detection, message encryption, regulatory compliance, and digital asset protection technologies into an extensible message management platform. The Proofpoint Protection Server is designed to fit seamlessly into your corporate environment, taking advantage of the existing corporate messaging infrastructure. It provides efficient performance, accurate message analysis, and a web-based interface (the management interface) for configuration, management, and reporting tasks.
Note: This Guide contains topics that apply to the Proofpoint Protection Server and the Proofpoint Messaging Security Gateway and some topics that are product-specific. Topics that are product-specific are noted as such in the topic heading. Topics that do not specifically refer to one product or the other apply to both products. For the sake of brevity, appliance refers to the Proofpoint Messaging Security Gateway throughout this manual.
The Proofpoint Protection Server is comprised of these components:
Filtering modules – the Email Firewall, Virus Protection, Spam Detection, and Regulatory Compliance Modules filter SMTP messages for envelope criteria, connection criteria, virus infections, spam, and message content. The Digital Assets Module protects your organization from accidental or deliberate disclosure of confidential information or trade secrets.
The Data Loss Prevention (DLP) dashboard provides a centralized and consolidated overview of DLP activity across your organization with custom views of DLP reports and an incident manager console.
Administrators and security practitioners can view real-time DLP statistics and trends as well as manage current incidents. Data can be viewed in high level reports or as detailed incidents so that administrators can quickly focus on the critical areas of interest. The DLP dashboard consolidates data from the Regulatory Compliance Module and the Digital Assets Module. You will not see the DLP Dashboard in the management interface if you have not licensed the Regulatory Compliance and Digital Assets modules.
If you have an ICAP-enabled web proxy server (Internet Content Adaptation Protocol) on your network, you can also filter HTTP content by enabling rules for HTTP content in the Regulatory Compliance and Digital Assets modules.
Proofpoint Encryption – provides a fully integrated message encryption and decryption solution based on symmetric-key algorithms.
Administrators have granular control over the filtering policies and dispositions of messages that are infected, designated as spam, or contain inappropriate or confidential content. Messages designated as suspicious can be stored in a Quarantine folder or an Incident Queue for further analysis and disposition.
Message Processing Hub – this multi-protocol hub accepts all incoming messages and commands, passes messages to the Analysis Modules, exposes the functions of the Management Services, and handles final message dispositions.
Management Services – centralized management services include message tracing, administration, reporting, and monitoring.
You can deploy several Proofpoint Protection Servers to provide different services. For example, you can install the Server Protection software on three systems, deploy one system as the master Management Services console (Config Master), and deploy the other two systems as the filtering agents – one running the Secure Reader service and one running the ICAP service (agents). You must designate or configure the agents from the master system using the management interface. The master Proofpoint Protection Server pushes the configuration changes to the agents.
This section describes the path of a message through the Proofpoint Protection Server.
The Proofpoint Protection Server can either integrate into an existing gateway sendmail server, or can be deployed with a sendmail server on the same host. In either case, the sendmail server acts as the MTA (Mail Transfer Agent) – either as the MX host or an internal MTA.
As sendmail processes SMTP (Simple Mail Transfer Protocol) connections, it passes message content to the Proofpoint Protection Server using the sendmail Milter (mail filter) interface, then waits for instructions on what to do with the message. The message state is changed, tracked, and logged at every point in the path.
Figure 1. Path of a message through the Proofpoint Protection Server
Filtering Order for the Modules
Every message follows this path through the Proofpoint Protection Server:
• The message is routed to the Message Processing Hub. The Message Processing Hub contains the intelligence of the system and is comprised of three components: the Interface Hub, the Message Disposition Hub, and the current Message Connection State.
• Email Firewall Module. The Email Firewall Module filters messages for envelope criteria, content, and message attributes. This module also compares the contents of a message to dictionaries and assigns weights to the words in the message when it finds a match. You create rules to apply delivery dispositions to the messages based upon the conditions found by the filtering module. Administrators can restrict and manage IP connection traffic using the Email Firewall Module with the SMTP Rate Control feature.
• The optional Virus Protection Module uses an embedded antivirus engine to scan the message and attachments, if any, for virus infection. The optional Zero-Hour Anti-Virus Module scans messages looking for “virus-like” patterns and protects your organization from a virus infection during the first critical hours before new virus signatures have been released.
• The Spam Detection Module checks the connection information, sender, recipient(s), domain, sub-domain, header, and body information of the message. The MLX Engine™ examines and scores a message for spam. The Pornographic Spam detection module examines and scores a message for pornographic spam.
• The optional Regulatory Compliance Module examines the message specifically for Protected Health Information (PHI) as regulated by the Health Insurance Portability and Accountability Act (HIPAA) and for Personal Financial Information (PFI) as regulated by the Gramm-Leach Bliley Act (GLBA).
• The optional Digital Assets Module scans messages and attachments for text or information that should not leave your organization. Proofpoint’s MLX technology “trains” on confidential documents that you provide to it. For example, these documents can be press releases, internal memos, or specifications. After training on the documents, the Digital Assets Module scans all outgoing email and attachments for content that includes the confidential information or even fragments of the information.
Administrators can create policies and rules to place copies of these messages in the Quarantine, discard them, or re-route them to the appropriate personnel for review.
• Proofpoint Encryption is a fully integrated encryption and decryption solution. Once it is licensed, all administration and key management is accomplished using the management interface. Authenticated users can decrypt, forward, and reply to encrypted messages using a browser-based interface.
Each module applies its own set of rules (default or configured by the administrator) to assign a disposition to a message. As the message is filtered by each module, every rule is executed based upon the conditions found by the module. Disposition options are aggregated for the message. For example, if a message scores high enough to be classified as “spam” and contains an attachment that sends it to the Quarantine, the message in the Quarantine will include a spam score header as well as a subject header “policy violation.” There are many levels of control for assigning dispositions to messages, which you can configure through the management interface.
Message Processing Hub
All inbound messages pass through the Message Processing Hub before reaching their final destinations – the recipient’s inbox, copied to the Quarantine, or deleted without further analysis.
The Message Processing Hub is comprised of an Interface Hub, a Message Disposition Hub, and the current message connection state maintained in memory.
Interface Hub
The Interface Hub bridges the sendmail messaging APIs to the modules for further processing.
Message Disposition Hub
The Message Disposition Hub resolves the handling of messages based on a set of configured rules. As a message passes through the filtering modules, it accumulates results such as a spam score, virus detection, and a score based upon adherence to corporate policies regarding content.
The Message Disposition Hub interprets the results and classifies the message into the following dispositions:
• Continue – continue to process the message through all other filtering modules.
• Deliver Now – deliver the message to the intended recipient without further processing. This disposition applies only to the Email Firewall Module.
• Reject – permanently reject the message.
• Retry – temporarily reject the message due to resource constraints.
• Discard – accept the message, then delete the message without further processing.
• Re-route – route the message to an SMTP host.
• Secure – encrypt the message using Proofpoint Encryption.
Important: The Email Firewall and Spam Detection modules are the only modules that provide the option to stop processing a message once the message receives a disposition of Deliver Now (Email Firewall only), Reject, Retry, Discard, or Re-route. For all other modules, the Proofpoint Protection Server will continue to process the message through all filtering modules if these dispositions are applied to the message.
Each disposition offers several options to apply to messages. Delivery options will vary for SMTP messages and HTTP content. The following list describes some of the delivery options:
• Place a copy of the message in a folder in the Quarantine or Incident Queue.
• Reply to the original sender with a new custom message.
• Replace the subject of the message with new text. You can optionally include the original subject line.
• Replace the body of the original message with new text, and attach the original message.
• Add X-headers to the message.
• Add new recipients to the original message.
• Send a new message to the original recipient or to a new list of recipients, and include the original message as an attachment.
• Accept the original message, but silently reject it from the original sender. The original sender cannot obtain any more information about your mail system.
• Reject the message with an SMTP error code.
Modules, Rules, Conditions, and Dispositions
At each step of the SMTP protocol, a message is processed by the Proofpoint Protection Server modules.
Each module adds disposition options to the message, based upon the information it gathers about the message. The message header reflects all the rules that were executed during the processing of the message.
Terminology
A module is an application that performs a specific filtering task.
A condition is a message attribute. For example, in the Email Firewall Module an example of a condition is “the message is from sender HELO domain name example.com.” As another example, in the Spam Detection Module, a condition is “the message has a spam score of 65.”
A disposition is what happens to the message after the Proofpoint Protection Server finishes filtering it.
Deliver the message to the mail infrastructure, reject it, continue filtering it, or re-route the message to another server on the network are examples of dispositions. Each disposition provides several options. For example, a disposition option is “place a copy of the message in a Quarantine folder, and send a copy of it to another recipient.”
A rule is comprised of a condition and a disposition. When all of the conditions are met, the rule is triggered, and the disposition is enforced.
A policy is a collection of rules. For example, a spam policy for your organization can include one or more rules for managing spam.
After a message has been filtered by all the modules the Hub makes the final judgement for the message disposition. Messages pass through the filters in this order: Email Firewall Module, Virus Protection Module, Spam Detection Module, Digital Assets Module, and finally Regulatory Compliance Module.
Messages continue to process through all modules, in order, executing all the rules that apply. The disposition with the highest priority is applied to the message after all processing is finished.
The following table describes the internal sequence of events:
Priority   Sequence of Events
1          Execute the rule. Execute the internal function within the Proofpoint Protection Server code.
2          Make a copy of the message and place it in the Quarantine.
3          Secure. Encrypt the message.
4          Reject the message with an SMTP return code.
5          Retry. Reject the message temporarily; try to re-send later.
6          Redirect. Send the message to another recipient.
7          Discard. Reject the message silently.
8          Deliver Now. Accept the message for filtering but do not pass it back to Milter.
9          Continue processing the message and continue processing Milter calls.
For example, if the Virus Protection Module assigns a disposition of Quarantine and Continue to a message, and the Spam Detection Module assigns a disposition of Quarantine and Reject to the same message, the final disposition of the message is Quarantine and Reject, because Reject is a higher priority than Continue in the disposition hierarchy.
Figure 2. Message Dispositions (figure labels: Email Firewall; Message state – the information each module collects about the message is stored in memory)
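The following is an added example, not Proofpoint code, that models how the Message Disposition Hub combines per-module results using the priority table above, the module order stated in this section, and the “stop processing” option that only the Email Firewall and Spam Detection modules offer. It assumes (this example's own model) that Execute, Quarantine and Secure are side actions that all apply, while the remaining dispositions are mutually exclusive outcomes of which the highest priority wins; Re-route is written as Redirect, matching the table.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Priority table from the "internal sequence of events": lower number = higher priority.
PRIORITY = {
    "Execute": 1, "Quarantine": 2, "Secure": 3, "Reject": 4, "Retry": 5,
    "Redirect": 6, "Discard": 7, "Deliver Now": 8, "Continue": 9,
}

# Filtering order as stated in this section.
MODULE_ORDER = ["Email Firewall", "Virus Protection", "Spam Detection",
                "Digital Assets", "Regulatory Compliance"]

# Per the "Important" note: only these two modules can stop processing, and only
# on these dispositions (Deliver Now applies to the Email Firewall only).
STOP_CAPABLE = {
    "Email Firewall": {"Deliver Now", "Reject", "Retry", "Discard", "Redirect"},
    "Spam Detection": {"Reject", "Retry", "Discard", "Redirect"},
}

# Assumption of this model: side actions all apply; everything else is an
# outcome and the highest-priority outcome wins.
SIDE_ACTIONS = {"Execute", "Quarantine", "Secure"}


@dataclass
class ModuleResult:
    module: str
    dispositions: List[str]          # e.g. ["Quarantine", "Continue"]
    stop_processing: bool = False    # administrator's "stop processing" option


def resolve(results: List[ModuleResult]) -> Tuple[List[str], List[str]]:
    """Return (final dispositions ordered by priority, modules that actually ran)."""
    by_module = {r.module: r for r in results}
    applied, ran = set(), []
    for name in MODULE_ORDER:           # modules always run in the documented order
        r = by_module.get(name)
        if r is None:
            continue
        ran.append(name)
        for d in r.dispositions:
            if d not in PRIORITY:
                raise ValueError(f"unknown disposition {d!r} from {name}")
            applied.add(d)
        # Only a stop-capable module with a stopping disposition ends the chain.
        if r.stop_processing and set(r.dispositions) & STOP_CAPABLE.get(name, set()):
            break
    side = [d for d in applied if d in SIDE_ACTIONS]
    outcomes = [d for d in applied if d not in SIDE_ACTIONS] or ["Continue"]
    final = sorted(side, key=PRIORITY.get) + [min(outcomes, key=PRIORITY.get)]
    return final, ran


if __name__ == "__main__":
    # The section's own example: Quarantine+Continue from Virus Protection and
    # Quarantine+Reject from Spam Detection resolve to Quarantine and Reject.
    print(resolve([
        ModuleResult("Virus Protection", ["Quarantine", "Continue"]),
        ModuleResult("Spam Detection", ["Quarantine", "Reject"]),
    ]))
```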
Message Connection State
Per-connection and per-message state information is preserved in memory and passed to each module in a shared and collaborative fashion. Message parsing is enacted on an as-needed basis and is then available for subsequent use without re-parsing. Annotations and other message modifications are aggregated during each processing phase, but reconstruction of the message is deferred until final delivery.
Quarantine and Incident Queue
Copies of messages can be placed in a Quarantine folder or an Incident Queue folder for further analysis and disposition. The Quarantine and the Incident Queue are accessible through the management interface. Administrators have the option of adding unique folders to the Quarantine and Incident Queue and organizing messages into these folders.
When several Proofpoint Protection Servers are deployed in a cluster, each agent system maintains a local Quarantine Queue and a Quarantine Consolidator. The Quarantine Consolidator is a program that checks for messages in the Quarantine Queue and transfers any messages it finds to the master Proofpoint Protection Server Quarantine. The master Proofpoint Protection Server maintains a consolidated Quarantine that contains the messages from all the systems in a cluster.
If for any reason the master Proofpoint Protection Server is off-line for a temporary period of time, messages continue to be saved in the agent Quarantine Queue until the master Proofpoint Protection Server is back on-line. When the master Proofpoint Protection Server is enabled, the Quarantine Consolidator will then transfer all messages to the consolidated Quarantine maintained by the Proofpoint Protection Server.
End User Digest
Administrators can configure the master Proofpoint Protection Server to send a list of quarantined messages (a digest) to end users. Users can view the list of messages they have in the Quarantine or Incident Queue, and request that the messages are released, or request that the messages are released and the sender of the message be added to a personal Safe Senders list. The Command Processor on the master Proofpoint Protection Server handles these requests and processes them according to policies set up by the administrator.
Web Application
The Web Application allows users to view messages in the Quarantine or Incident Queue using a browser.
They can also manage Proofpoint tasks such as creating Safe Senders and Blocked Senders list, choosing a language, and selecting a policy for filtering spam.
Safe Senders/Blocked Senders List
Administrators can allow users to add senders to a personal Safe Senders list or Blocked Senders list. If enabled, users receive an email message that lists the Safe Senders, Blocked Senders, and email aliases for the user, giving them an opportunity to add, delete, or modify the list. Users cannot modify email aliases—they can only view them.
Spam Policies and Rules
Administrators can create and apply spam policies at a global, group, or end user level. If allowed, users can view a list of available spam policies in their Digests and select a spam policy from this list. When a user selects and applies a spam policy from the list to their email, this policy overrides any other policy that