Email Security
SonicWALL Email Security 6.2.2 Software
System Compatibility
SonicWALL Email Security 6.2.2 Software is supported on systems with the following:
Operating Systems
• Windows 2000, SP4 • Windows 2003, SP1 • Windows 2003, SP2
Hardware Requirements
• Intel Pentium: Celeron, P4 or compatible CPU • 1 Gigabyte RAM minimum
• Hard Disk: 40GB minimum
HTTPS
Connectivity to SonicWALL License Manager
Email Security products running version 6.0 and above communicate with the SonicWALL License Manager servers using the default HTTPS port. The Upstream firewalls in the network where this Email Security system is deployed must allow HTTPS communication on port 443 that is initiated from the 6.2.2 upgrade process.
Note: To test connectivity in SonicWALL Email Security 6.2.2, click the Test Connectivity to SonicWALL button on the System > License Management page in the user interface. If the test fails, check your firewall to be sure that outbound HTTPS communication is allowed.
Enhancements
The following is a list of enhancements made to features in the SonicWALL Email Security 6.2 Software release:
• BATV — To reduce the number of false bounce messages (NDRs) or backscatter spam, you can now enable Bounce Address Tag Validation on your outbound messages. This feature is described in the New Features section of this document and in the Administrator’s Guide.
• Performance Monitoring — Performance Monitoring allows you to see a visual representation of performance metrics on your SonicWALL Email Security system. This feature is described in the New Features section of this document and in the Administrator’s Guide.
• Enhanced Licensing — MySonicWALL has updated product licensing, including per-user licenses and stackable licenses. For more information on the new licensing model, see the technote New Licensing Model for Email Security.
Known Issues
The following is a list of known issues in the SonicWALL Email Security 6.2.2 Software release:
Installation
• 66089: Symptom: After upgrade the installer leaves .cab and other installation-specific files in the root directory of a Windows computer and does not properly dispose of them. This is a known issue with the Microsoft Visual Studio 2008 C++ Redistribution Package. The extra files do not impair the operation of SonicWALL Email Security. Condition: Occurs after an installation or upgrade of SonicWALL Email Security 6.2 Software on Windows systems.
Operation
• 49468: Symptom: When attempting to view or unjunk a very large message in the junkbox, users may see the error “Sorry, but there was an error. Please click the close button and try again. If you continue to experience problems, contact SonicWALL Support.” Condition: Occurs when a user or administrator attempts to view or unjunk a very large message (over 66 MB).
Resolved Known Issues
The following is a list of resolved known issues in the SonicWALL Email Security 6.2.2 release:
• 69674: Symptom: Customers who have upgraded all their remote analyzers to 6.2.0 or 6.2.1 and licensed them as a cluster on MySonicWALL.com may have experienced licensing problems. This problem will not occur unless there are
at least two remote analyzers in the cluster. Resolution: Fixed the license associations so customers do not experience licensing problems.
The following is a list of resolved known issues in the SonicWALL Email Security 6.2 release:
Installation
• 66412: Symptom: Vulnerability scanners reported that unauthorized access was possible through the
RemoteBindAddress. Resolution: Changed the SonicWALL version of Firebird to only accept connections from the localhost.
Operation
• 65319: Symptom: Some French-language emails were being wrongly identified. Resolution: Improved the language detection by character sets.
• 64564: Symptom: SonicWALL Email Security returned an SPF fail result if a message had an unknown macro. Messages with a fail result were put in the junk box. Resolution: Changed the SPF handling to return a neutral result, which will result in fewer false positives.
• 48198: Symptom: An earlier version of Apache Tomcat had a vulnerability in the web connector. Resolution: The version of Tomcat distributed with SonicWALL Email Security has been upgraded.
• 66600: Symptom: When users upgraded to 6.1 or 6.1.1, they sometimes had to rebuild their reporting database and therefore lost some historical reporting data. Resolution: Updated the connection method for the new versions of the software.
New Features
The following new features have been added to version 6.2. This section contains the technical notes written to introduce the features.
BATV
SonicWALL has added an option to use Bounce Address Tag Validation (BATV) to reduce the number bounce messages received by users (such as non-delivery receipts (NDR) and delivery status notification (DSN) messages.).
Bounce Address Tag Validation
SonicWALL Email Security has added support for Bounce Address Tag Validation (BATV). BATV adds a stamp to the envelope of all outbound mail. If the mail is bounced and does not reach a recipient, the stamp alerts the inbound mail processor that this email originated within your organization. False bounce messages, which will not have the stamp, will not be passed through the inbound mail processor.
To use BATV, SonicWALL Email Security must touch all outbound mail. For maximum efficiency of processing inbound bounces, SonicWALL Email Security should be your first-touch inbound mail processor. SonicWALL Email Security will read the bounce message envelope, determine whether or not it is legitimate, and only download and pass through legitimate messages. The added BATV tag is removed before the email is passed to the users.
BATV is not enabled by default. Although BATV is a powerful tool to eliminate false bounce messages, some configurations on other mail servers may cause the BATV system to reject legitimate bounce messages. The user who sent out the message would not know it did not reach the intended recipient. Reasons for “false positives” might include:
• LDAP upstream of SonicWALL Email Security • Null reverse paths instead of “From” fields
• Divergent SonicWALL Email Security configuration • Incorrect or altered reverse mail paths
Users might also get “false negatives” where they get false bounce messages even though they did not send the originals. False negatives might come from a spambot or zombie infection of the organization. In that case, the spam would be properly stamped as it left the organization.
What is a Bounce Message?
Bounced messages are also known as non-delivery receipts (NDR) and delivery status notification (DSN). They are an email message from a receiving or relaying mail server to notify the sender that their email message has not reached the destination. This notification system allows users to assume that messages are successful unless they are otherwise notified.
The user receives a message telling them that their email was not received by the recipient. Sometimes, the original email or a part of it is attached. Sometimes, there is a plain-language explanation of why the email failed. Like any other email message, there is a header indicating the server that sent the message. Almost always, a legitimate bounced message will contain the headers and envelope of the original message. This allows for troubleshooting. This is also what BATV uses to validate legitimate bounced messages.
However, some spammers “spoof” a legitimate address, and use it to send out spam. When the email is recognized as spam and rejected, or when it is rejected for other reasons, the bounce messages come back to the legitimate address, even though that user is not the one who sent them out. These false bounce messages are called “backscatter” and place a burden on spoofing victim’s email sever.
Enabling BATV on SonicWALL Email Security
To enable BATV, you must turn it on for both your outbound and inbound SonicWALL Email Security servers, if they are different. If you are running an all-in-one system, you only have to turn it on once. BATV will work best if your SonicWALL portal is the last-touch for outbound mail and the first-touch for inbound mail.
NOTE: For the first 4-5 days after you enable BATV, your users may not receive legitimate bounce messages. This is because there are email messages which are still trying to reach an invalid destination, and when they come back, they will not have the appropriate stamp.
1. Log into your Email Security as an administrator. 2. Choose System from the left navigation bar. 3. Choose Connection Management.
4. Scroll down to the Quality of Service section.
5. Click in the Bounced Address Tag Validation to enable BATV 6. Click Apply Changes.
BATV is now enabled. If you have different servers for inbound and outbound mail, make sure that it is enabled on both servers.
Troubleshooting BATV
This section contains some common problems and solutions for using BATV with SonicWALL Email Security.
Problem: Users are still receiving false bounce messages.
Causes: You may not have enabled BATV on your inbound mail server, or it may be that the inbound BATV filtering happens too late in the inbound process.
Problem: Users are not receiving valid bounce messages.
Causes: Users may be sending out POP3 mail and bypassing the outbound stamp from the servers.
BATV may be implemented in one direction and not the other. Other organizations mail servers may not recognize BATV, or may treat it as an attack.
Conclusion
BATV is a solution to email backscatter caused by spoofed email addresses. Only messages sent from within your organization will be returned as bounces. This drastically reduces the bounce traffic. BATV must be enabled on both inbound and outbound servers to work.
Performance Monitoring
SonicWALL has added a performance monitoring section to SonicWALL Email Security. This feature allows administrators to view and compare performance metrics with the Email Security interface without downloading and formatting CVS files. The performance monitoring section displays data that has always been collected by SonicWALL Email Security.
Performance monitoring allows administrators to monitor a single metric over a period of time, or to compare two metrics. Once an administrator creates a graph, the graph can be saved or emailed to share with others who do not have administrator privileges.
Reading Performance Monitoring
There are two ways of viewing the data: by comparing data from the same day but different process metrics, or by comparing data of the same process metric across several days.
The “View Multiple metrics for a given date” option creates a graph which contains one or two process metrics for a given date. If there are two metrics, a second y-axis scale will appear at the right-hand side of the graph for the interpretation of the second metric.
The “Compare many data files for a single performance metric” option creates a graph for a single process metric across multiple days. Each day’s worth of data is a line of a different color. Up to six data files can be displayed.
Graphs are shown for a 24-hour period starting and ending at midnight GMT+0. Once a graph is specified, it will not display or redraw until the “Refresh Reports” button is clicked. To view the raw data files used to build a particular graph, click either the “Email to…” or the “Download” buttons and a ZIP file containing the data files and also the bitmap will be provided accordingly.
NOTE:
When the Email Security System is processing heavy email volume/large attachments the CPU processor time may be higher than normal. This is an expected behavior. CPU processor time can vary widely depending on number of factors and high processor time alone is not an indication of a potential issue, so unless you are noticing very slow email processing/delivery coupled with high CPU processor time(~100%) for an extended period of time (typically > 1hour) there is no indication of any functional issue with the product. However if you notice these symptoms and the issue persists for extended periods of time, contact the SonicWALL Support.
Creating a Performance Monitoring Graph
To create a performance monitoring graph:
1. Log into your Email Security as an administrator.
2. Choose Reports & Monitoring from the left navigation bar. 3. Choose Monitoring.
5. You will see the empty performance monitoring graphs.
6. Choose the type of performance graph you want. 7. For the multiple metrics graph:
• Select the date you want information on from the select data file dropdown box. • Click in the first select process box and choose a process.
• Click in the first select metric box and choose a metric of the selected process.
8. For the multiple days graph:
• Select the process and metric you want information on. • Select your dates from the data file dropdown boxes.
• Click the Refresh button. You will see the performance graph for that metric on those days.
Monitored Metrics
The following processes are currently monitored and available as data files. These data files have always existed, but the information is now more readily accessible.
• Monitoring Service • Tomcat Service • Replicator Service • SMTP Server • Thumb Updater Service • Database Service • Operating System • MTA Service
Metrics List
These are the process metrics that are being tracked and stored in the data files. Most of these metrics exist in each process. The most common metrics appear in the table below. Metrics not shown in the list are usually System process monitoring.
Process Metric
Description
Private Bytes(kB) Virtual Bytes(kB)
%Disk Time The percentage of elapsed time that the selected disk drive
was busy servicing read or write requests.
%Processor Time The percentage of elapsed time that all of process threads
used to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code is executed to handle some hardware interrupts and trap conditions
Available Bytes The amount of physical memory, in bytes, available to
processes running on the computer.
This is calculated by adding the amount of space on the Zeroed, Free, and Standby memory lists. Free memory is ready for use; zeroed memory consists of pages of memory filled with zeros to prevent subsequent processes from seeing data used by a previous process; standby memory is memory that has been removed from a process' working set, but is still available to be recalled. This counter displays the last observed value only; it is not an average.
Avg. Disk Bytes/Transfer The time, in seconds, of the average disk transfer.
Avg. Disk Queue Length The average number of read and write requests queued for the selected disk during the sample interval.
Buffer Bytes Used in Linux systems. Buffer Bytes is the number of bytes
consumed by the kernel.
Cache Bytes The sum of the Memory\\System Cache Resident Bytes,
Memory\\System Driver Resident Bytes, Memory\\System Code Resident Bytes, and Memory\\Pool Paged Resident Bytes counters. This counter displays the last observed value only; it is not an average.
Committed Bytes The amount of committed virtual memory, in bytes. Committed
memory is the physical memory which has space reserved on the disk paging file(s). There can be one or more paging files on each physical drive. This counter displays the last observed value only; it is not an average.
Connections Established The number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.
Connection Failures The number of times TCP connections have made a direct
transition to the CLOSED state from the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP
connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
Connections Reset The number of times TCP connections have made a direct
transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
Handle Count The total number of handles this process currently has open.
This number is the sum of the handles currently open by each thread in this process.
Install Dir Free Space For Windows, the number of bytes remaining free on the installation drive.
Private Bytes Private Bytes is the current size, in bytes, of memory that this process has allocated which cannot be shared with other processes.
Segments Retransmitted/sec The rate at which segments are retransmitted, that is, segments transmitted containing one or more previously transmitted bytes.
Segments/sec The rate at which TCP segments are sent or received using
the TCP protocol.
Swap Available Bytes Used in Linux systems. Swap Available Bytes is “Swap space which is still free to use”.
Thread Count The number of threads currently active in this process. An
instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Every running process has at least one thread.
Virtual Bytes The current size, in bytes, of the virtual address space the process is using. Use of virtual address space does not imply corresponding use of either disk or main memory pages. Virtual space is finite, and the process can limit its ability to load libraries.
Conclusion
SonicWALL Email Security has added performance monitoring graphs so that administrators can more easily see performance metrics for their systems. These graphs enhance other graphs already existing in the product.
Upgrading to Email Security 6.2.x
The following procedures are for upgrading an existing Email Security setup to Email Security 6.2.x. Use the Full Installer method to upgrade from Email Security 5.0 and later to Email Security 6.2.x.
Downloading SonicWALL Email Security 6.2.x
1. Log into your mysonicwall.com account at http://www.mysonicwall.com. 2. In the left navigation pane under Downloads, click Download Center.
3. In the Activate Service – Software Download dialog box, select a language from the Select Language drop-down list. 4. Select the checkbox to agree to the terms and conditions, and then click Submit.
5. In the Download Center screen, select Email Security Software from the Type drop-down list. If not already on this selection, the screen will refresh to show links to the available Email Security software versions and release notes. 6. Click the link for the version that you want and then select Save in the dialog box. Copy the downloaded binary to the
Windows server running your Email Security application.
Backing Up Your Existing Environment
Before you upgrade your environment to 6.2.x, you should back up your existing environment. This will enable you to restore it if you decide to change back for some reason. Your backup should include the setting files, including the per user settings. To back up your existing environment:
1. In the left navigation pane under System, choose Backup/Restore. You will see the Backup/Restore page:
2. In the Manage Backups section, select Settings. 3. Click Take Snapshot Now to create a snapshot.
4. Click Download Snapshot to save the snapshot to your local file system.
If, after upgrading to 6.2.x, you need to roll back to a previous version, go back to the Backup/Restore page and use the Manage Restores section to upload the snapshot you have stored.
Upgrading Your SonicWALL Email Security
Follow this procedure to upgrade your existing Email Security to Email Security 6.2.x. The Full Installer includes installation of Apache Tomcat, the Java Runtime Environment (JRE), and Firebird as well as the base Email Security software.
1. On the server you run Email Security on, double-click the Email Security 6.2.x installation file and then click Run in the dialog box. If you do not have direct access to the server, use a remote desktop connection to connect to the server and run the installation file on the server.
2. In the Welcome page of the installation wizard, click Next.
3. Read the License Agreement and then click Next to accept the agreement.
4. An alert is displayed if the system does not have Asian language packs installed. SonicWALL recommends that Asian language packs be installed. To proceed with the Email Security installation and install Asian language packs later, click Next. To install Asian language packs prior to proceeding, click Cancel.
Note: Installing Asian language packs is optional, however, the spam prevention capabilities of SonicWALL Email Security may be diminished without them. Asian language packs can be installed before or after SonicWALL Email Security Software installation.
5. In the Destination Folder page, click Browse to select an alternate folder, or click Next to accept the default location. Alert: It is important that this folder is not scanned by an anti-virus engine.
6. In the Choose Data Folder page, click Browse to select an alternate folder, or click Next to accept the default location. If the data folder is on a different disk drive than the install directory, ensure that it has fast read/write access with less than 10 millisecond latency. You can test latency with the ping command.
7. In the Start Installation page, click Next.
8. If requested, allow the installation of Tomcat, Firebird, and the Java Runtime Environment (J2RE). If Tomcat is installed in this step, it prompts for the Apache Tomcat Web server port number. The default port is 80. If you are already running a Web server on port 80, you must change the port setting. SonicWALL recommends port 8080. Click Next to continue.
Note: You can change the port number and configure HTTPS access after installation by using the Server Configuration > User View Setup page of the Email Security user interface.
9. After the installation finishes, click Finish in the Installation Complete wizard. A browser window is displayed with links to the Email Security user interface and documentation.
Document part number: 232-001534-00 Rev: A Last updated: 8/13/2008
