
Symantec Mail Security Administration Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright © 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec Logo, Brightmail, LiveUpdate, and Norton AntiVirus are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


Symantec Mail Security is protected under U.S. Patent Nos. 6,052,709; 5,999,932; and 6,654,787.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.


When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

■ Information about the Symantec Value License Program

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

■ Symantec Early Warning Solutions – These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services – These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services – Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services – Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.


To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com


Symantec Software License Agreement

Symantec Mail Security or SMTP

1. License:

You may:

You may not:

2. Limited Warranty:

3. Disclaimer of Damages:

4. U.S. Government Restricted Rights:

5. Export Regulation:

6. General:

Contents

Technical Support

Chapter 1

About Symantec Mail Security

Key features

New features

Functional overview

Architecture

Where to get more information

Chapter 2

Configuring system settings

Configuring certificate settings

Manage certificates

Configuring host (Scanner) settings

Working with Services

HTTP proxies

SMTP Scanner settings

Configuring Default SMTP Settings

Configuring internal mail hosts

Testing Scanners

Configuring LDAP settings

Configure LDAP settings

Synchronization status information

Replicating data to Scanners

Starting and stopping replication

Replication status information

Troubleshooting replication

Configuring Control Center settings

Control Center administration

Control Center certificate

Configuring, enabling and scheduling Scanner replication

Control Center Settings

System locale

Chapter 3

Configuring email settings

Configuring address masquerading

Importing masqueraded entries

Configuring aliases

Managing aliases

Importing aliases

Configuring local domains

Importing local domains and email addresses

Understanding spam settings

Configuring suspected spam

Choosing language identification type

Software acceleration

Configuring spam settings

Configuring virus settings

Configuring LiveUpdate

Excluding files from virus scanning

Configuring Bloodhound settings

Configuring invalid recipient handling

Configuring scanning settings

Configuring container settings

Configuring content filtering settings

Chapter 4

Configuring email filtering

About email filtering

Notes on filtering actions

Multiple actions per verdict

Multiple group policies

Security risks

About precedence

Creating groups and adding members

Add or remove members from a group

Assigning filter policies to a group

Selecting virus policies for a group

Selecting spam policies for a group

Selecting compliance policies for a group

Enabling and disabling end user settings

Allowing or blocking email based on language

Managing Group Policies

Manage Group Policies

Creating virus, spam, and compliance filter policies

Creating virus policies

Creating spam policies

Creating compliance policies

Managing Email Firewall policies

Configuring attack recognition

Configuring sender groups

Configuring Sender Authentication

Managing policy resources

Annotating messages

Archiving messages

Configuring attachment lists

Configuring dictionaries

Adding and editing notifications

Chapter 5

Working with Spam Quarantine

About Spam Quarantine

Delivering messages to Spam Quarantine

Working with messages in Spam Quarantine for administrators

Accessing Spam Quarantine

Checking for new Spam Quarantine messages

Administrator message list page

Administrator message details page

Searching messages

Configuring Spam Quarantine

Delivering messages to Spam Quarantine from the Scanner

Configuring Spam Quarantine port for incoming email

Configuring Spam Quarantine for administrator-only access

Configuring the Delete Unresolved Email setting

Configuring the login help

Configuring recipients for misidentified messages

Configuring the user and distribution list notification digests

Configuring the Spam Quarantine Expunger

Specifying Spam Quarantine message and size thresholds

Troubleshooting Spam Quarantine

Chapter 6

Working with Suspect Virus Quarantine

About Suspect Virus Quarantine

Routing messages to Suspect Virus Quarantine

Accessing Suspect Virus Quarantine

Checking for new Suspect Virus Quarantine messages

Suspect Virus Quarantine messages page

Searching messages

Configuring Suspect Virus Quarantine

Configuring Suspect Virus Quarantine port for incoming email

Configuring the size for Suspect Virus Quarantine

Chapter 7

Testing Symantec Mail Security

Verifying normal delivery

Verifying spam filtering

Testing antivirus filtering

Verifying filtering to Spam Quarantine

Chapter 8

Configuring alerts and logs

About alerts

Configuring alerts

Viewing logs

Working with logs

About logs

Configuring logs

Chapter 9

Working with Reports

About reports

Selecting report data to track

Choosing a report

About charts and tables

Setting the retention period for report data

Running reports

Saving and editing Favorite Reports

Running and deleting favorite reports

Troubleshooting report generation

No data available for the report type specified

Sender HELO domain or IP connection shows gateway information

Reports presented in local time of Control Center

By default, data are saved for one week

Processed message count recorded per message, not per recipient

Recipient count equals message count

Deferred or rejected messages are not counted as received

Reports limited to 1,000 rows

Printing, saving, and emailing reports

Print, save, or email reports

Scheduling reports to be emailed

Schedule, Edit, or Delete Reports

Chapter 10

Administering the system

Getting status information

Overview of system information

Message status

Host details

LDAP Synchronization

Log details

Version Information

Scanner replication

Managing Scanners

Editing Scanners

Enabling and disabling Scanners

Deleting Scanners

Administering the system through the Control Center

Managing system administrators

Managing software licenses

Administering the Control Center

Starting and stopping the Control Center

Checking the Control Center error log

Increasing the amount of information in BrightmailLog.log

Starting and stopping UNIX and Windows services

Starting and stopping Windows services

Starting and stopping UNIX services

Periodic system maintenance

Backing up logs data

Backing up the Spam and Virus Quarantine databases

Maintaining adequate disk space

Appendix A

Integrating Symantec Mail Security with Symantec Security Information Manager

About Symantec Security Information Manager

Interpreting events in the Information Manager

Configuring data sources

Firewall events that are sent to the Information Manager

Definition Update events that are sent to the Information Manager

Message events that are sent to the Information Manager

Administration events that are sent to the Information Manager

Glossary

Index

Chapter 1

About Symantec Mail Security

This chapter includes the following topics:

■ Key features

■ New features

■ Functional overview

■ Architecture

■ Where to get more information

Key features

Symantec Mail Security offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following features:

■ Antispam technology – Symantec's state-of-the-art spam filters assess and classify email as it enters your site.

■ Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.

■ Content Compliance – These features help administrators enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements.

■ Group policies and filter policies – An easy-to-use authoring tool lets administrators create powerful, flexible ad hoc filters for users and groups.


New features

The following table lists the features that have been added to this version of Symantec Mail Security:

Table 1-1 New features for Symantec Mail Security (all users)

Category: Threat protection features

■ Improved email firewall – Protects against directory-harvest attacks, denial-of-service attacks, spam attacks, and virus attacks.

■ Sender Authentication – Protects against phishing attacks, using the Sender Policy Framework (SPF), Sender ID, or both.

■ Improved virus protection – Additional virus verdicts protect against suspected viruses, spyware, and adware and quarantine messages with suspicious encrypted attachments. Email messages that may contain viruses can be delayed in the Suspect Virus Quarantine, then refiltered, with updated virus definitions, if available. This feature can be effective in defeating virus attacks before conventional signatures are available. View a list of available virus-definition updates.

Category: Inbound and outbound content controls

■ True file type recognition for content compliance filtering – Automatically detects file types without relying on file name extensions or MIME types.

■ Keywords filtering within attachments, keyword frequency filtering – Scan within attachments to find keywords from dictionaries you create or edit. Specify a number of occurrences to look for.

■ Regular expression filtering – Use regular expressions to further customize filter conditions by searching within messages and attachments.

■ Support for Enterprise Vault and third-party archival tools – Specify conditions that result in email being sent to an archival email address or disk location.

Category: Flexible mail management

■ LDAP integration – Dynamic group population via any of several supported LDAP servers

■ Expanded variety of actions and combinations – More than two dozen actions that can be taken, individually or in combination, on messages

■ Expanded mail controls – SMTP connection management, including support for secure email (TLS encryption, with security level depending on platform); for user-based routing and static routes; for address masquerading, invalid recipient handling, and control over delivery-queue processing

■ Aliasing – Distribution lists automatically expanded, mail filtered and delivered correctly for each user

Category: Improved reporting and monitoring

■ Extensive set of pre-built reports, scheduled reporting, and additional alert conditions – More than 50 graphical reports that you can generate ad-hoc or on a scheduled basis. Reports can be exported for offline analysis and emailed.

■ Message tracking – View a trail of detailed information about a message, including the filtering processing applied to a message.

Category: Expanded administration capabilities

■ IP-based access control – Control which hosts and networks can access your Control Center.

■ Control over Quarantine size limits – Specify user-based and total limits, configure automatic message deletions.

Category: Enhanced localization capabilities

■ Support for non-ASCII character sets – Support for double-byte character sets. Language autodetection of messages for Quarantine and of subject encodings for message handling. Support for non-ASCII LDAP source descriptions.


Functional overview

You can deploy Symantec Mail Security in different configurations to best suit the size of your network and your email processing needs.

Each Symantec Mail Security host can be deployed in the following ways:

■ Scanner – Deployed as a Scanner, a Symantec Mail Security host filters email for viruses, spam, and noncompliant messages. You can deploy Scanners on existing email or groupware server(s).

■ Control Center – Deployed as a Control Center, a Symantec Mail Security host allows you to configure and manage email filtering, SMTP routing, system settings, and all other functions from a Web-based interface. Multiple Scanners can be configured and monitored from your enterprise-wide deployment of Symantec Mail Security, but only one Control Center can be deployed to administer all the Scanner hosts.

The Control Center provides information on the status of all Symantec Mail Security hosts in your system, including system logs and extensive customizable reports. Use the Control Center to configure both system-wide and host-specific details. The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security instances at your site, and also the Add Scanner Wizard, for adding new Scanners. The Control Center also hosts the Spam and Suspect Virus Quarantines to isolate and store spam and virus messages, respectively. End users can view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure Spam Quarantine for administrator-only access.

■ Scanner and Control Center – A single Symantec Mail Security host performs both functions.

Note: Symantec Mail Security provides neither mailbox access for end users nor message storage. It is not intended for use as the only MTA in your email infrastructure.

Note: Symantec Mail Security does not filter messages that don't flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, their messages will not pass through the Symantec Mail Security filters.

Architecture

Figure 1-1 shows how a Symantec Mail Security installation processes an email message, assuming the sample message passes through the Filtering Engine to the Transformation Engine without being rejected.

Figure 1-1 Symantec Mail Security architecture

Messages proceed through the installation in the following way:

■ The incoming connection arrives at the inbound MTA via TCP/IP.

■ The inbound MTA accepts the connection and moves the message to its inbound queue.

■ The Filtering Hub accepts a copy of the message for filtering.

■ The Filtering Hub consults the LDAP SyncService directory to expand the message's distribution list.

■ The Filtering Engine determines each recipient's filtering policies.

■ The message is checked against Blocked/Allowed Senders Lists defined by administrators.

■ Virus and configurable heuristic filters determine whether the message is infected.

■ Content Compliance filters scan the message for restricted attachment types, regular expressions, or keywords as defined in configurable dictionaries.

■ Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.

■ The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.

Where to get more information

The Symantec Mail Security documentation set consists of the following manuals:

■ Symantec Mail Security Administration Guide

■ Symantec Mail Security Planning Guide

■ Symantec Mail Security Installation Guide

■ Symantec Mail Security Getting Started

Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.

You can visit the Symantec Web site for more information about your product. The following online resources are available:

■ www.symantec.com/enterprise/support – Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions

■ www.symantec.com/licensing/els/help/en/help.html – Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration

■ www.enterprisesecurity.symantec.com – Provides product news and updates

■ www.symantec.com/security_response – Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

Chapter 2

Configuring system settings

This chapter includes the following topics:

■ Configuring certificate settings

■ Configuring host (Scanner) settings

■ Testing Scanners

■ Configuring LDAP settings

■ Replicating data to Scanners

■ Configuring Control Center settings

Configuring certificate settings

Manage your certificates using the Certificate Settings page. The two types of certificates are as follows:

■ MTA TLS certificate – This is the TLS certificate used by the MTAs in each Scanner. Every Scanner has separate MTAs for inbound messages, outbound messages, and message delivery. Assign this certificate from the Inbound Mail Settings and Outbound Mail Settings portions of the SMTP tab on the Settings > Hosts > Edit Host Configuration page.

■ User interface HTTPS certificate – This is the HTTPS certificate used by the Control Center for secure Web management. Assign this certificate from the Settings > Control Center > Control Center Settings page using the Control Center Certificate drop-down menu.

You can add certificates to the certificate list in the following two ways:

■ Add a self-signed certificate by adding the certificate and filling out the requested information as presented to you at the time.

■ Add a Certification Authority Signed certificate by submitting a certificate request to a Certification Authority. When you receive the certificate back from the Certification Authority, you then import the certificate into the Control Center.

Manage certificates

Follow these steps to add either self-signed or Certification Authority Signed certificates and to assign certificates.

To add a self-signed certificate to the list

1. In the Control Center, click Settings > Certificates.

2. Click Add.

3. In the Certificate type drop-down list, choose Self-Signed Certificate.

4. Complete the information on the Add Certificate page.

Some Certificate Authorities may not support certificates created using an IP address instead of a domain name. Check with your Certificate Authority, or use a domain name to be sure.

5. Click Create.

To add a Certification Authority Signed certificate to the list

1. In the Control Center, click Settings > Certificates.

2. Click Add.

3. In the Certificate type drop-down list, choose Certificate Authority Signed.

4. Fill in the information on the Add Certificate page.

5. Click Request.

A new page is displayed, showing the certificate information in a block of text, designed for use by the Certification Authority.

6. Copy the block of text that appears and submit it to the Certification Authority. Each Certification Authority has its own set of procedures for granting certificates. Consult your Certificate Authority for details.

7. When you receive the certificate file from the Certification Authority, place the file in an easily accessed location on the computer from which you are connecting to the Control Center.

8. On the Certificate Settings page, click Import.

9. On the Import Certificate page, type the full path and filename or click Browse and choose the file.

10. Click Import.

To view or delete a certificate

1. In the Control Center, click Settings > Certificates.

2. Check the box next to the certificate to be viewed or deleted.

3. Click View to read the certificate.

4. Click Delete to remove the certificate.

To assign an MTA TLS certificate

1. In the Control Center, click Settings > Hosts.

2. Select a host and click Edit.

3. Click the SMTP tab.

4. Check Accept TLS encryption as appropriate.

5. Choose the TLS certificate from the Certificate drop-down list for the inbound or outbound MTA.

6. Click Save.
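To confirm from a client's point of view that the MTA TLS certificate assignment took effect, a probe can connect to the Scanner's inbound listener, check whether STARTTLS is offered, and attempt a verified handshake. This is an added example, not part of the Symantec guide or product; `check_inbound_tls`, `StubMTA`, `start_stub` and the `.invalid` host names are assumptions made for illustration.

```python
import contextlib
import smtplib
import socketserver
import ssl
import threading


def check_inbound_tls(host, port=25, timeout=10.0):
    """Connect as a sending MTA would and report what the listener offers."""
    report = {"starttls_advertised": False, "verified_tls": False,
              "trusted": None, "not_after": None, "detail": ""}
    # A fixed HELO name (constructed) avoids a DNS lookup for the local host name.
    smtp = smtplib.SMTP(host, port, local_hostname="tls-probe.invalid",
                        timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            report["detail"] = "STARTTLS not advertised; senders deliver in clear text"
            with contextlib.suppress(smtplib.SMTPException, OSError):
                smtp.quit()
            return report
        report["starttls_advertised"] = True
        try:
            # Default context: verify the chain against the system CA store
            # and match the certificate against the name we connected to.
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLCertVerificationError as exc:
            # Expected for a self-signed certificate or a name mismatch.
            # Senders that skip verification can still encrypt to this host.
            report["trusted"] = False
            report["detail"] = f"certificate not verifiable: {exc.verify_message}"
            return report
        except (smtplib.SMTPException, OSError) as exc:
            report["detail"] = f"STARTTLS advertised but not completed: {exc}"
            return report
        if not isinstance(smtp.sock, ssl.SSLSocket):
            report["detail"] = "STARTTLS advertised but the session stayed in clear text"
            return report
        cert = smtp.sock.getpeercert()
        report.update(verified_tls=True, trusted=True,
                      not_after=cert.get("notAfter"),
                      detail=f"{smtp.sock.version()} negotiated")
        with contextlib.suppress(smtplib.SMTPException, OSError):
            smtp.quit()
        return report
    finally:
        smtp.close()


class StubMTA(socketserver.StreamRequestHandler):
    """Constructed stand-in for a listener, so the probe can be tried offline."""
    extensions = ()

    def handle(self):
        self.wfile.write(b"220 stub.invalid ESMTP\r\n")
        for raw in self.rfile:
            verb = raw.strip().upper().split(b" ")[0]
            if verb == b"EHLO":
                lines = ["stub.invalid", *self.extensions]
                for i, text in enumerate(lines):
                    sep = " " if i == len(lines) - 1 else "-"
                    self.wfile.write(f"250{sep}{text}\r\n".encode())
            elif verb == b"STARTTLS":
                self.wfile.write(b"454 TLS not available\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")


def start_stub(extensions):
    """Run the stub on a free loopback port; returns the server object."""
    handler = type("Handler", (StubMTA,), {"extensions": tuple(extensions)})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Stub behaves like a listener with "Accept TLS encryption" unchecked.
    stub = start_stub(["SIZE 10485760"])
    print(check_inbound_tls("127.0.0.1", stub.server_address[1]))
    stub.shutdown()
    stub.server_close()
```

Against a real Scanner, pass the inbound mail address and SMTP port configured on the SMTP tab; a self-signed certificate is reported with `trusted` set to `False`.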

To assign a user interface HTTPS certificate

1. In the Control Center, click Settings > Control Center.

2. Select a certificate from the User interface HTTPS certificate drop-down list.

3. Click Save.

Configuring host (Scanner) settings

The following sections describe changes that can be made to individual hosts using the tabs on the Edit Host Configuration page, under Settings > Hosts:

■ Working with Services

■ HTTP proxies

■ SMTP Scanner settings

■ Configuring Default SMTP Settings

■ Configuring internal mail hosts

Working with Services

You can stop or start the following services on a Scanner using the Services tab on the Edit Host Configuration page, under Settings > Hosts.

■ Conduit

■ LiveUpdate

■ Filter Engine

■ MTA

Note: If you stop the filter engine or the MTA service and wish to continue receiving alerts, specify an operating MTA IP address under Control Center Settings on the Settings > Control Center > Control Center Settings page.

In addition, you can enable or disable individual Scanner replication and configure MTA settings that can help you take a Scanner offline from the Services tab at Settings > Hosts > Edit Host Configuration.

Work with the Services tab

Use the following procedures from the Services tab to manage individual Scanner services and replication, and to stop the flow of messages through a Scanner. Replication synchronizes Scanner directory data with LDAP directory data stored on the Control Center.

To start and stop services

1. In the Control Center, click Settings > Hosts.

2. Check the Scanner to edit.

3. Click Edit.

4. Select the services to be started or stopped.

5. Click Stop to stop a running service or Start to start a stopped service.

To enable or disable Scanner replication for a host

1. In the Control Center, click Settings > Hosts.

2. Check the Scanner to edit.

3. Click Edit.

4. Using the Scanner Replication portion of the page, check Enable Scanner Replication for this host to enable Scanner replication. (Replication is enabled by default.)

5. Using the Scanner Replication portion of the page, uncheck Enable Scanner Replication for this host to disable Scanner replication. The Control Center will not update the directory for this Scanner when the box is not checked.

6. Click Save to store your changes.

To take a Scanner out of service

1. In the Control Center, click Settings > Hosts.

2. Check the Scanner to edit.

3. Click Edit.

4. On the MTA Operation portion of the page, check Do not accept incoming messages.

All messages in Scanner queues are processed as needed, but no new messages will be received.

5. Click Save to store your changes.

HTTP proxies

The Conduit and Symantec LiveUpdate services run on each Scanner and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, follow the steps below.

To change or add proxy information

1. In the Control Center, click Settings > Hosts.

2. Check the Scanner to edit.

3. Click Edit.

4. Click the Proxy tab.

5. Check Use proxy server.

6. Specify the proxy host name and port on this panel. In addition to this information, you can include a user name and password as needed.

7. Click Save to store your information.

SMTP Scanner settings

A full complement of SMTP settings has been provided to help you define internal and external SMTP configurations for Scanners. Inbound SMTP settings determine how the inbound MTA processes inbound messages. Outbound SMTP settings determine how the outbound MTA processes outbound messages.

Note: For incoming messages, you can conserve computing resources by blocking messages from undesirable domains and IP addresses using SMTP Scanner settings rather than by configuring content filtering policies from the Policies > Sender Groups page. SMTP Scanner settings effectively block unwanted messages before they are filtered by Content Compliance policies, resulting in fewer messages filtered through Content Compliance policies.

To modify SMTP settings for a Scanner

1. In the Control Center, click Settings > Hosts.

2. Check the Scanner to edit.

3. Click Edit.

4. Click SMTP.

5. As appropriate, complete the SMTP definition for the Scanner. The following parameters are included:

Scanner Role – Determines if the Scanner is used for Inbound mail filtering only, Outbound mail filtering only, or Inbound and outbound mail filtering.

Inbound Mail Settings* – Provides settings for inbound messages. In this area, you can provide the following information:

■ Inbound mail IP address – Location at which inbound messages will be received. You can ping this address by pressing Test.

■ Inbound mail SMTP port – Port on which inbound mail is received, typically port 25.

■ Accept TLS encryption – Indicates if TLS encryption is accepted. Check the box to accept encryption. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.

■ Certificate – Specifies an available certificate for TLS encryption.

■ Accept inbound mail connections from all IP addresses – Indicates that all connections for inbound messages are accepted. This is the default.

■ Accept inbound mail connections from only the following IP addresses and domains – Indicates that only the addresses or domain names entered in the checked IP Address/Domains box are accepted. Click Add to add an entry or Remove to delete one.

If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.

Warning: If you deploy this Scanner behind a gateway and specify one or more IP addresses instead of All IP addresses, you must add the IP addresses of ALL upstream mail servers in use by your organization. Upstream mail servers that are not specified here may be classified as spam sources.

■ Relay local domain mail to – Gives the location where inbound mail is sent after being received on the inbound port. Click Add to add an entry.

Outbound Mail Settings* – Provides settings for outbound mail characteristics. In this area, you can provide the following information:

■ Outbound mail IP address – Specifies the IP address on which outbound messages are sent. You can ping this address by pressing Test.

■ Outbound mail SMTP port – Specifies the port on which outbound mail is sent, typically port 25.

■ Accept TLS encryption – Indicates if TLS encryption is accepted. Check the box to accept encrypted information. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.

■ Certificate – Specifies an available certificate for TLS encryption.

■ Accept outbound mail connections from the following IP addresses and domains – Only the addresses entered in the checked IP Address/Domains box are accepted. Click Add to add an entry or Remove to delete one. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.

■ Relay non-local domain mail to – Specifies how outbound SMTP message relaying is routed. By default, MX Lookup is used. Click Add to add an entry.

Apply above settings to all hosts – Indicates that, when saved, all settings on this page are applied immediately to all hosts.

Advanced Settings – Provides for inbound, outbound and delivery advanced settings. See “Configuring Default SMTP Settings” on page 31.

(*) Classless InterDomain Routing (CIDR) is supported for inbound and outbound mail connection IP addresses.

6. Click Save to store your changes.
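The inbound and outbound connection lists above accept single IP addresses, CIDR ranges and domain names, and a list that omits the Control Center or an upstream mail server breaks quarantine release or mail flow. The following check is an added example, not part of the Symantec guide: it audits a planned list before it is entered in the Control Center. The host names, addresses (documentation ranges) and the prefix thresholds are constructed assumptions.

```python
import ipaddress


def parse_allowlist(entries):
    """Split allow-list entries into IP networks (single IPs or CIDR) and domain names."""
    networks, domains = [], []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False also accepts a host address written with a prefix length
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an IP or CIDR: treat as a domain name (cannot be checked offline)
            domains.append(entry.lower())
    return networks, domains


def uncovered_hosts(entries, required_hosts):
    """Return the names of required hosts that no IP/CIDR entry covers."""
    networks, _ = parse_allowlist(entries)
    missing = []
    for name, ip in required_hosts.items():
        addr = ipaddress.ip_address(ip)
        if not any(net.version == addr.version and addr in net for net in networks):
            missing.append(name)
    return sorted(missing)


def overly_broad(entries, min_prefix_v4=16, min_prefix_v6=32):
    """Return CIDR entries wide enough to approach 'accept from all IP addresses'.

    The prefix thresholds are assumptions for this example, not product limits.
    """
    networks, _ = parse_allowlist(entries)
    broad = []
    for net in networks:
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < limit:
            broad.append(str(net))
    return broad


# Constructed sample: planned list for a Scanner deployed behind a gateway.
PLANNED_ALLOWLIST = [
    "192.0.2.10",          # Control Center
    "198.51.100.0/28",     # upstream gateway range
    "mail.example.com",    # domain entry, reported separately
    "10.0.0.0/8",          # very wide internal range
]
REQUIRED_HOSTS = {
    "control-center": "192.0.2.10",
    "upstream-mx1": "198.51.100.5",
    "upstream-mx2": "198.51.100.40",   # outside the /28 above
}

if __name__ == "__main__":
    print("Not covered:", uncovered_hosts(PLANNED_ALLOWLIST, REQUIRED_HOSTS))
    print("Too broad:  ", overly_broad(PLANNED_ALLOWLIST))
    print("Domains to verify by hand:", parse_allowlist(PLANNED_ALLOWLIST)[1])
```

Domain entries are listed for manual review because the script does not resolve names.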

Configuring Default SMTP Settings

Additional SMTP settings are available from the SMTP Defaults page of the SMTP tab when you click the Advanced Settings button at the bottom of the Edit Host Configuration page. There are advanced SMTP settings for:

■ Inbound messages

■ Outbound messages

■ Delivering messages

Specify the MTA host name in the MTA Configuration portion of the SMTP Defaults page. The MTA Host Name gives you the ability to define the HELO banner during the initial portion of the SMTP conversation.

Table 2-1 describes the inbound SMTP settings you can use to further define your SMTP configuration.

Table 2-1 SMTP Defaults page—inbound settings

Item – Description

Maximum number of connections – Sets the maximum number of simultaneous inbound connections allowed. Additional attempted connections are rejected. The default is 2,000 connections.

Maximum number of connections from a single IP address – (Not available on Windows systems.) Sets the maximum number of simultaneous inbound connections allowed from a single IP address. Additional connections for the same IP address will be rejected. The default is 20.

Maximum message size in bytes – Sets the maximum size of a message before it is rejected. The default is 10,485,760 bytes.

Maximum number of recipients per message – Sets the maximum number of recipients for a message. The default is 1,024 recipients.

Insert RECEIVED header to inbound messages – Places a RECEIVED header in the message during inbound SMTP processing.

Enable reverse DNS lookup – Causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name when checked. This is the default condition. When unchecked, reverse DNS lookup is not performed for inbound messages.

Table 2-2 describes the advanced outbound SMTP settings that you can use to further define your SMTP configuration.

Table 2-2 SMTP Defaults page—outbound settings

Item – Description

Maximum number of connections – Sets the maximum number of permissible simultaneous outbound connections. Additional attempted connections are rejected. The default is 2,000 connections.

Maximum number of connections from a single IP address – (Not available on Windows systems.) Sets the maximum number of permissible simultaneous outbound connections from a single IP address. Additional attempted connections are rejected. The default is 20 connections.

Maximum number of connections from a single IP address – Sets the maximum number of permissible simultaneous outbound connections from a single IP address. Additional attempted connections are rejected. The default is 20 connections.

Maximum message size in bytes – Sets the maximum size allowable for a message before it is rejected. The default is 10,485,760 bytes.

Maximum number of recipients per message – Indicates the maximum number of recipients permitted for a message. The default is 1,024 recipients.

Default domain for sender addresses with no domain – Sets a default domain when none can be found in the message.

Insert RECEIVED header to outbound messages – Places a RECEIVED header in the message during outbound SMTP processing when checked. When unchecked, no RECEIVED header is inserted during outbound SMTP processing. If Insert RECEIVED header to outbound messages and Strip pre-existing RECEIVED headers from outbound messages are both checked, the outbound SMTP RECEIVED header remains when the message goes to the delivery queue.

Strip pre-existing RECEIVED headers from outbound messages – Removes all RECEIVED headers for the message when checked. When headers are stripped, message looping can occur depending on the settings of other MTAs. When unchecked, RECEIVED headers remain in the message during outbound processing. The RECEIVED header for outbound SMTP processing remains in the message when Insert RECEIVED header to outbound messages and Strip pre-existing RECEIVED headers from outbound messages are checked.

Enable reverse DNS lookup – Causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name when checked. This is the default condition. When unchecked, reverse DNS lookup is not performed for outbound messages.
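The looping caveat on Strip pre-existing RECEIVED headers follows from how many MTAs detect loops: they count Received headers and refuse a message once the count passes a hop limit. The following simulation is an added example, not Symantec code. It models the two checkboxes as the table describes them (strip first, then insert) and bounces a misrouted message between the Scanner and one other relay. The hop limit of 25, the host names and the message are assumptions.

```python
from email.message import Message

MAX_HOPS = 25  # assumed hop limit enforced by the other MTA in this model


def new_message():
    """Build a constructed outbound test message with no Received headers."""
    msg = Message()
    msg["From"] = "user@example.com"
    msg["To"] = "someone@example.net"
    msg["Subject"] = "constructed test message"
    msg.set_payload("hello")
    return msg


def hop_count(msg):
    """Number of Received headers, the usual loop-detection signal."""
    return len(msg.get_all("Received", []))


def scanner_outbound(msg, insert_received, strip_received,
                     scanner="scanner.example.com"):
    """Model of the two outbound checkboxes described in Table 2-2."""
    if strip_received:
        del msg["Received"]  # Message.__delitem__ removes every occurrence
    if insert_received:
        # Real MTAs prepend; position does not matter for counting hops.
        msg.add_header("Received", f"from internal.example.com by {scanner}")
    return msg


def other_mta(msg, name="relay.example.net"):
    """Another MTA on the path: refuse on hop limit, otherwise stamp and forward."""
    if hop_count(msg) >= MAX_HOPS:
        return False  # loop detected, message is bounced
    msg.add_header("Received", f"from scanner.example.com by {name}")
    return True


def passes_until_rejected(strip_received, insert_received=True, max_passes=200):
    """Bounce one message between Scanner and relay (a routing loop).

    Returns the pass on which the relay rejects it, or None if the loop
    is still undetected after max_passes round trips.
    """
    msg = new_message()
    for n in range(1, max_passes + 1):
        scanner_outbound(msg, insert_received, strip_received)
        if not other_mta(msg):
            return n
    return None


if __name__ == "__main__":
    print("strip unchecked: rejected on pass", passes_until_rejected(False))
    print("strip checked:   rejected on pass", passes_until_rejected(True))
```

With stripping enabled the relay never sees more than one Received header, so hop counting cannot end the loop; queue depth and delivery retry alerts become the remaining signal.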

Table 2-3 describes SMTP delivery configuration message settings for your site.

Table 2-3 SMTP Defaults page—delivery settings

Item – Description

Maximum number of external connections – Sets the maximum number of simultaneously allowed external connections. Additional attempted connections are rejected. The default is 100 connections.

Maximum number of connections to all internal mail servers – Sets the maximum number of connections allowed to all defined internal mail servers. Additional connection attempts are rejected. The default is 100 internal mail server connections.

Maximum number of connections per single internal mail server – Sets the maximum number of connections to one internal mail server. Additional connection attempts are rejected. The default is 50 connections.

Minimum retry interval – Sets the smallest interval the SMTP server waits before trying to deliver a message again. The default is 15 minutes.

Sent message time-out – Sets the time after which an undelivered message times out and is rejected from the queue. The default is 5 days.

Bounce message time-out – (Unix/Linux only) Sets a time-out period for deletion of messages in your bounce queue. This can be particularly useful in environments where you cannot configure LDAP settings. The default is 1 day.

Message delay time in queue before notification – Sets the time a message waits in the mail queue before notification of nondelivery is sent. The default is 4 hours.

Reverse Address Binding Strategy – (Unix/Linux only) Reverses the default delivery MTA interface bindings. Check this box if messages back up in the delivery queue due to routing issues.

Enable TLS encryption (Unix/Linux) / Require TLS encryption for the following hosts (Windows) – For Unix/Linux installations, indicates if TLS encrypted information can be accepted. Check the box to accept encrypted information. When left unchecked, TLS encryption is not performed.

On Windows installations, indicates which domains require information to be encrypted. Add or delete domains from which you require encryption.

Note: You must have created an MTA TLS certificate from the Certificate Setting page in Settings > Certificates before you can enable TLS encryption.

See “Configuring certificate settings” on page 23.

Domains – (Windows only) Adds the names of domains from which you may require encryption. Check the names of those domains from which information must currently be encrypted. Leave a domain unchecked to exempt it from this requirement for now. Press Delete to remove selected domains from the list.

To configure SMTP Default settings

1. From the Control Center, click Settings > Hosts.

2. Select a Scanner from the displayed list.

3. Click Edit.

4. Click the SMTP tab.

   On this tab, you will see some general-purpose settings.

   See “SMTP Scanner settings” on page 27 for details on these settings.

5. Click Advanced Settings.

   On this page you will see the advanced settings for SMTP configuration detailed in the above tables.

6. As appropriate, modify the settings explained above.

7. Click Continue to store your information.

   You are returned to the SMTP tab of the Edit Host Configuration page.

8. Click Save.

Configuring internal mail hosts

You can add or delete internal mail hosts at your site.

Configure internal mail hosts

Follow these procedures to add or delete internal mail hosts.

To add an internal mail host

1. From the Control Center, click Settings > Hosts.

2. Check the Scanner you want to configure.

3. Click Edit.

4. Click the Internal Mail Hosts tab.

5. Specify the IP address for an internal mail host.

6. Click Add.

7. Click Save to store the information.

To delete an internal mail host

1. From the Control Center, click Settings > Hosts.

2. Check the Scanner you want to configure.

3. Click Edit.

4. Click the Internal Mail Hosts tab.

5. Select an internal mail host.

6. Click Delete.

7. Click Save to store the information.

Testing Scanners

After adding or editing a Scanner, you can quickly test that the Scanner is operating and that the Agent is able to make a connection. The Agent facilitates the transfer of configuration information between the Control Center and attached and enabled Scanners.


To test a Scanner

1. In the Control Center, click Status > Host Details.

2. If only one Scanner is attached to your system, you can see a snapshot of how it is currently functioning.

3. If more than one Scanner is attached, select the Scanner you want to test from the drop-down list.

   You will see a snapshot of its current status. You can click on the plus sign to expand a section.

Configuring LDAP settings

The Control Center can optionally use directory information from LDAP servers at your site for any of the following purposes:

Authentication – LDAP user data is used by the Control Center to authenticate Quarantine access and resolve email aliases for quarantined messages. The Control Center authenticates users by checking their user-name and password data directly against the LDAP source.

Synchronization – LDAP user and group data is used to apply group policies, recognize directory harvest attacks, expand distribution lists, and validate message recipients. LDAP-authenticated user and group email address data are cached in the Control Center for replication to Scanners but are not written back to the LDAP source.

Symantec Mail Security supports the following LDAP directory types:

■ Windows 2000 Active Directory

■ Windows 2003 Active Directory

■ Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)

Note: If you are using Sun Directory Server 5.2, you must update to patch 4 to address some changelog issues that arose in patch 3.

■ Exchange 5.5

■ Lotus Domino LDAP Server 6.5

Configure LDAP settings

Follow these procedures to configure LDAP settings.

To add an LDAP server definition to the Control Center

1. In the Control Center, click Settings > LDAP.

2. Click Add.

3. Complete the necessary fields presented for defining a new LDAP Server. The values you complete will depend on your choices for LDAP Server Usage. See Table 2-4 on page 38 for a description of the available settings when adding an LDAP server to the Control Center.

4. Click Save.

Warning: When adding an LDAP server that performs synchronization, you can replicate data from the Control Center to attached and enabled Scanners using the Replicate now button on the Control Center Settings page. Begin this replication only after initial synchronization has completed successfully as shown on the LDAP Synchronization page, and the number of rejected entries is 0 or stays constant after successive synchronization changes. If synchronization has not completed successfully, a status of Failed appears on the LDAP Synchronization page. Error messages recorded in the logs detail the cause of the failure. Alternatively, you can wait until the next scheduled replication occurs, at which time the LDAP synchronization service updates all Scanners.

Warning: If you see the Failed to create user mappings for source error during source creation and you have recently changed DNS servers, restart your LDAP synchronization service. See “Starting and stopping UNIX and Windows services” on page 213. Then, follow the above steps again.

Note: If your LDAP service runs on the Linux operating system, restart LDAP synchronization by logging in and issuing the following command:

service ldapsync restart

Table 2-4 Add LDAP Server page

Item: Description

LDAP Server:

Description – Text describing the LDAP server being defined. Permissible characters are any alphanumeric character (1-9, a-z, and A-Z), a space ( ), hyphen (-), underline (_), and double-byte characters. The Description entry will fail if any of the following characters are used: reverse apostrophe (‵), tilde (~), exclamation point (!), at-sign (@), number symbol (#), dollar sign ($), percent sign (%), circumflex (^), ampersand (&), asterisk (*), left and right parentheses, plus (+), equal (=), left and right braces ({}), left and right bracket ([]), vertical bar (|), colon (:), semicolon (;), quote ("), apostrophe ('), less than and greater than (<>), comma (,), question mark (?), slash (/), backslash (\).

Host – Host name or IP address of the LDAP server.

Port – TCP/IP port for the server. The default port is 389.

Directory Type – Specifies the type of directory used by the LDAP server. Available choices are:

■ Active Directory

■ iPlanet/Sun ONE/Java Directory Server

■ Exchange 5.5

■ Domino

■ Other (for authentication only)

Usage (Required) – Describes how this LDAP server is used. Select any of the following items that apply to this server definition:

■ Authentication

■ Synchronization

■ Authentication and Synchronization

Administrator Credentials:

Anonymous bind – Allows you to log in to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.

Use the following – Specifies login and usage information to the LDAP server as follows:

■ Name (bind DN) – Login name allowing you to access the LDAP server.

When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than a shortened form such as cn=Administrator to ensure detection of all change events and guarantee full authentication by the LDAP server.

For an Active Directory server, the full DN or logon name with User Principal Name suffix may be required.

■ Password – Password information that allows you to access the LDAP server.

Test Login – Verifies the anonymous bind connection or the user id and password given for accessing the LDAP server.

Windows Domain Names:

If you are using Active Directory, specify the Windows Domain names – When logging onto a Windows host, you see Windows domain names in the Log on to dropdown list. Use commas or semicolons to separate multiple domain names. You will not see this option unless you have chosen Active Directory as your Directory type.

Internet Domain Names:

Domain entries are required for Domino server definitions. You will not see this option unless you have chosen Domino as your Directory type. Select any of the following items that apply to this server definition:

■ Primary domain – Internet domain to which mail is delivered.

■ Domain aliases – Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.

Authentication Query Details:

Auto Fill – Places default values in the fields for you to modify as needed. You can have only one authentication server defined in the Control Center.

Specify the queries to use – You have the following options when selecting what authentication queries to use:

■ Query start (Auth base DN) – Designates the point in the directory from which to start searching for entries to authenticate. If an entry contains an ampersand, delimit the ampersand as follows:

OU=Sales \& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com

■ Login attribute – The attribute on a person entry that defines a user name.

■ Primary email attribute – The attribute on a person or distribution-group entry that represents a mailbox.

■ Email alias attribute – The attribute on a person or distribution-group entry that contains one or more alternative email addresses for that entity's mailbox.

■ Login query – Finds users based on their Login attributes.

Test – Attempts to execute the query as defined.

Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.

Synchronization Configuration:

Specify default synchronization options – This section only appears if Synchronization is checked for Usage. It allows for the following definitions governing synchronization behavior:

■ Synchronize every – Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.

■ Audit level – Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.

■ Page size – Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunOne directory server, change Page size to 0 for optimal performance.

Synchronization Query Details:

This section only appears if Synchronization is checked for Usage.

Auto Fill – Places default values in the field for you to modify as needed.

Specify the queries to use – Specifies queries to use for synchronization. Available choices are:

■ Query start (Sync base DN) – Designates the point in the directory from which to start searching for entries with email addresses/aliases or groups. To use this field, begin by clicking Auto Fill for the naming contexts of the directory. Reduce the received list of DNs brought into the field by Auto Fill to a single DN, or write your own DN based on the provided list.

■ Custom query start – Allows for the addition of a customized query.

■ User Query – Finds users in the LDAP server. Test checks to see that your Custom/User query works.

■ Group Query – Finds LDAP groups in the LDAP server. Test checks your Group query to see that it works.

■ Distribution List Query – Finds Distribution Lists in the LDAP Server. Test checks to see that your Distribution query works.

Note: If you need to change Host, Port, base DN, ldap Group filter, User filter, or Distribution List filter after saving an LDAP synchronization source, you must delete the source, add the source including all attributes to be filtered, and perform a full synchronization.
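The Query start (Auth base DN) sample in Table 2-4 escapes an ampersand inside an OU name as `\&` and leaves a bare `&` between two DNs. The following helper is an added example, not Symantec code, and it assumes what that sample suggests: that an unescaped `&` separates base DNs in the field. It builds and parses such a value and flags the failure an unescaped ampersand would cause; all function names are hypothetical.

```python
import re


def split_base_dns(field):
    """Split a base DN field on unescaped '&' and turn '\\&' back into '&'.

    Assumption: '&' separates base DNs, as the guide's sample value suggests.
    Other backslash pairs (LDAP DN escapes such as '\\,') are kept intact.
    """
    dns, current, i = [], [], 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            current.append("&" if nxt == "&" else ch + nxt)
            i += 2
            continue
        if ch == "&":
            dns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    dns.append("".join(current).strip())
    if any(not dn for dn in dns):
        raise ValueError("empty base DN: stray or doubled '&' in field")
    return dns


def join_base_dns(dns):
    """Build the field value from a list of DNs, escaping literal ampersands."""
    return " & ".join(dn.replace("&", "\\&") for dn in dns)


def suspicious_dns(dns):
    """Return DNs whose first component is not attribute=value.

    This is what an unescaped ampersand inside an OU name produces:
    the text after it becomes a 'DN' that starts mid-name.
    """
    bad = []
    for dn in dns:
        first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
        if "=" not in first_rdn:
            bad.append(dn)
    return bad


# Sample value taken from Table 2-4, and the same value with the escape forgotten.
GUIDE_SAMPLE = r"OU=Sales \& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com"
UNESCAPED = "OU=Sales & Marketing,OU=test,DC=domain,DC=com"

if __name__ == "__main__":
    print(split_base_dns(GUIDE_SAMPLE))
    print(suspicious_dns(split_base_dns(UNESCAPED)))
```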

To edit an LDAP server definition in the Control Center

1. In the Control Center, click Settings > LDAP.

2. Select an LDAP server definition from the list to edit.

3. Click Edit.

4. Make changes to the definition as appropriate.

   Not all of the original portions of this definition visible during the add process are available for editing.

5. Click Save.

See Table 2-5 on page 41 for a description of settings that can be changed after an LDAP server has been defined.

Table 2-5 Edit LDAP Server page

Item: Description

Administrator Credentials:

Anonymous bind – Allows you to log in to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.

Use the following – Specifies login and usage information to the LDAP server as follows:

■ Name (bind DN) – Login name allowing you to access the LDAP server.

When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than a shortened form such as cn=Administrator to ensure detection of all change events and guarantee full authentication by the LDAP server.

For an Active Directory server, the full DN or logon name with User Principal Name suffix may be required.

■ Password – Password information that allows you to access the LDAP server.

Test Login – Verifies the anonymous bind connection or the user id and password given for accessing the LDAP server.

Windows Domain Names:

If you are using Active Directory, specify the Windows Domain names – When logging onto a Windows host, you see Windows domain names in the Log on to dropdown list. Use commas or semicolons to separate multiple domain names. You will not see this option unless you have chosen Active Directory as your Directory type.

Internet Domain Names:

Domain entries are required for Domino server definitions. You will not see this option unless you have chosen Domino as your Directory type. Select any of the following items that apply to this server definition:

■ Primary Domain – Internet domain to which mail is delivered.

■ Domain Aliases – Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.

Authentication Query Details:

Autofill – Places default values in the fields for you to modify as needed.

Specify the queries to use – You have the following options when selecting what authentication queries to use:

■ Query start (Auth base DN) – Designates the point in the directory from which to start searching for entries to authenticate.

■ Login attribute – The attribute on a person entry that defines a user name.

■ Primary email attribute – The attribute on a person or distribution-group entry that represents a mailbox.

■ Email alias attribute – The attribute on a person or distribution-group entry that contains one or more alternative email addresses for that entity's mailbox.

■ Login query – Finds users based on their Login attributes.

Test – Attempts to execute the query as defined.

Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.

Synchronization Configuration:

Specify default synchronization options – This section only appears if Synchronization is checked for Usage. It allows for the following definitions governing synchronization behavior:

■ Synchronize every – Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.

■ Audit level – Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.

■ Page size – Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunOne directory server, change Page size to 0 for optimal performance.

Caution: Editing an LDAP server definition can cause a full synchronization to be initiated. This can have serious performance impact on your system until the synchronization completes.

Note: If you must disable an LDAP server while synchronization is in progress, you must first cancel the synchronization and then disable the LDAP server.

To initiate an LDAP synchronization from an LDAP server to the Control Center

1. Click Status > LDAP Synchronization.

2. Check the LDAP server you wish to synchronize to the Control Center.

3. If you wish to synchronize only the LDAP data that has changed since the last synchronization, click Synchronize Changes.

   In most cases synchronizing only updated data is much faster than performing a full synchronization.

4. If you have made substantial changes to your directory data or structure or you have recently restored your directory from a backup, click Full Synchronization.

   Full synchronization removes all previously synchronized directory data from the Control Center and initiates a full scan of the directory. Full synchronization can significantly impact the performance of your system until synchronization completes.

To cancel a synchronization in progress

1. Click Status > Synchronization.

2. Check the LDAP server whose synchronization to the Control Center you wish to cancel.

To delete an LDAP server

1. In the Control Center, click Status > Synchronization.

   Check to be sure that no synchronization is processing. You cannot delete a synchronization server while synchronization is running.

2. Click Settings > LDAP.

3. Choose one or more LDAP server definitions from the list.

4. Click Delete.

Note: If you need to change the IP address of your LDAP server, you must delete the LDAP source using the Control Center before changing the IP address of the LDAP server machine, and then re-add the LDAP source using the Control Center.

Synchronization status information

When LDAP data is synchronized between an LDAP server and the Control Center, status information is generated and displayed via the Status tab.

To view LDAP Synchronization status information

■ In the Control Center, click Status > Synchronization.

The following information is displayed:

Information about synchronization activity. Status can indicate any of the following states:

■ Idle – Nothing is happening.

■ Starting – The status during a one-minute delay between saving an LDAP synchronization source and initiation of

synchronization.

■ Cancelled – The status after synchronization or replication is manually cancelled by clicking Status > LDAP sychronization > Cancel or Status > Replication > Cancel. This status is also indicated if a scheduled LDAP synchronization interrupts a replication in progress or a scheduled replication interrupts an LDAP synchronization in progress.

■ In Progress – A synchronization request has been acknowledged by the synchronization server and the process is under way.

■ Success –The synchronization has completed successfully.

■ Failed –The synchronization has failed. Consult your logs to identify possible causes.

Status

Started – The time at which the most recent synchronization began.

Ended – The time at which the most recent synchronization finished.

Read – The number of directory entries read from the synchronization server. For a full synchronization, this number is equal to the total number of records from the LDAP source.

Added – The number of directory entries added from the synchronization server to the Control Center.

Modified – The number of records modified in the Control Center based on synchronization server information.

Deleted – The number of entries deleted from the Control Center based on synchronization server information.

Rejected – The number of directory entries from the LDAP server rejected by the synchronization server.

A number of LDAP transactions can be rejected when an attempt to add a group entry fails because one or more of the group members is not yet known to the LDAP synchronization service. Generally, this can be resolved by issuing a Synchronize Changes request from the Control Center. Each time this is done, the number of rejected entries should decrease. Once all group members are propagated, the group entries are added successfully. If, after a number of LDAP synchronization attempts, you continue to see the same number of rejected entries for an LDAP Source, examine the logs at Status > Logs with Control Center: LDAP selected in the Log Type: drop-down list. Use the information on this page to determine why the entries are repeatedly rejected. Pay particular attention to the file error.log.X, where X is a number.
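The behaviour of the Rejected count described above can be reproduced with a small model. This is an added example, not Symantec code: the rule that a group loads only when all its members were known before the pass began, the function names, and the sample directory are assumptions made for illustration.

```python
# Simplified model (assumption): users always load; a group entry loads only
# when every member was already known before the current pass started.

# Constructed sample directory: entry -> list of members (empty for users).
SAMPLE = {
    "cn=alice": [], "cn=bob": [], "cn=carol": [],
    "cn=staff": ["cn=alice", "cn=bob"],
    "cn=everyone": ["cn=staff", "cn=carol"],   # nested group
    "cn=contractors": ["cn=dave"],             # cn=dave does not exist
}

def sync_pass(known, pending):
    """Run one pass; return the entries that were rejected."""
    snapshot = set(known)
    rejected = {}
    for dn, members in pending.items():
        if all(m in snapshot for m in members):
            known.add(dn)
        else:
            rejected[dn] = members
    return rejected

def synchronize(entries, max_passes=10):
    """Repeat passes until nothing is rejected or the count stops falling.

    Returns (rejected count per pass, {stuck entry: members still unknown}).
    """
    known, pending, history = set(), dict(entries), []
    while pending and len(history) < max_passes:
        pending = sync_pass(known, pending)
        history.append(len(pending))
        if len(history) >= 2 and history[-1] == history[-2]:
            break  # no progress: another pass will not help
    stuck = {dn: sorted(m for m in members if m not in known)
             for dn, members in pending.items()}
    return history, stuck

if __name__ == "__main__":
    history, stuck = synchronize(SAMPLE)
    print("rejected per pass:", history)
    for dn, missing in stuck.items():
        print(f"{dn} is stuck; unknown members: {missing}")
```

A count that stops falling, as with the constructed cn=contractors group, is the condition under which the guide directs you to the Control Center: LDAP logs.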

Replicating data to Scanners

After an LDAP server has been defined to the Control Center, and after the synchronization of LDAP data between the LDAP server and the Control Center has successfully completed one full cycle, LDAP data can be synchronized to all attached and enabled Scanners.

LDAP data includes the following:

■ Email addresses of users and distribution lists

■ Membership information for groups and distribution lists

If any policies have end user settings enabled, the following data is replicated along with the above LDAP data:

■ Allowed/Blocked Sender settings

■ Language settings

For replication to work properly, you must have configured, enabled, and scheduled Scanner replication and made certain that Scanner replication is enabled for each Scanner.

See “Work with the Services tab” on page 26.

In this section, information is available on the following topics:

■ Starting and stopping replication

■ Replication status information

■ Troubleshooting replication


Starting and stopping replication

You may occasionally need to start or stop replication manually.

Start or stop replication

Start and stop replication using the following procedures.

To start a manual replication cycle

1. In the Control Center, click Status > Scanner Replication.

2. Click Replicate Now.

To stop a replication in progress

1. In the Control Center, click Status > Scanner Replication.

2. Click Cancel Replication.

Replication status information

When LDAP data is replicated from the Control Center to one or more Scanners, status information is generated and displayed via the Status interface in Symantec Mail Security.

To view replication status information

■ In the Control Center, click Status > Scanner Replication.

The following information is displayed:

Item – Description

Status – Status can indicate any of the following states:

■ Idle – Nothing is happening.

■ Started – A replication request has been issued.

■ Cancelled – Either the replication was cancelled manually by clicking Status > LDAP Synchronization > Cancel Synchronization, or an LDAP synchronization was in progress when a scheduled or manual replication was initiated.

■ In Progress – A replication request has been acknowledged by the Control Center and the process is under way.

■ Success – The replication has completed successfully.

■ Failed – The replication has failed. Consult your logs to identify possible causes.

Started – The time at which the most recent replication began.
