Tumbleweed
Email Firewall
Administrator’s Guide
Release 6.2
Tumbleweed® Communications Corp. 700 Saginaw Drive
Redwood City, CA 94063 (650) 216-2000
Copyright Notice
The contents of this manual, the associated Tumbleweed Active Agents™, Tumbleweed SecureTransport™, Integrated Messaging Exchange™ (IME™) software, Messaging Management System™ (MMS™), Tumbleweed Dynamic Anti-spam Service™, Tumbleweed Email Firewall™ (EMF™), Tumbleweed Validation Authority™, Tumbleweed Valicert Validation Authority™ and other computer programs (hereinafter collectively called “Tumbleweed Software”) offered by Tumbleweed Communications Corp. (Tumbleweed) are the property of Tumbleweed and are copyrighted. Use of Tumbleweed Software is governed by the license agreement accompanying the original media. Your right to copy Tumbleweed Software and its documentation is limited by copyright law. Making copies, adaptations, or compilation works (except copies of Tumbleweed Software for archival purposes or as an essential step in the utilization of the program in conjunction with the equipment) without prior written authorization from Tumbleweed is prohibited by law.
Tumbleweed may revise this publication from time to time without notice. Copyright 1997-2004 Tumbleweed Communications Corp.
All rights reserved.
Some of the processes, arrangements, user interfaces, transaction sequences, site and system architectures, data arrangements, and data processing algorithms, described or embodied in the Tumbleweed Software, are covered by one or more of the following U.S. Patents Nos. 5,790,790; 6,061,448; 6,119,137; 6,151,675; 6,192,407; 399,836; 6,385,655; 6,470,086; 6,487,599; 6,502,191; 6,516,411; 6,529,956; 6,609,196; 6,651,166; 6,725,381 and 6,748,529.
Restricted Rights Legend
Use, duplication or disclosure by the Government is subject to restrictions set forth in subparagraphs (a) through (d), excluding subparagraph (c)(2)(iv), of FAR 52.227-19 when applicable, or in DFARS 227.7202-3, and in similar clauses in the NASA FAR Supplement.
Trademarks
Tumbleweed® is a registered trademark, and Integrated Messaging Exchange™, IME™, Messaging Management System (MMS)™, Secure Inbox™, Secure Envelope™, Secure Redirect™, Secure Response™, IME Statements™, IME Developer™, IME Messenger™, Tumbleweed Secure Mail™, Tumbleweed Dynamic Anti-spam Service™, Tumbleweed Email Firewall™ (EMF™), Tumbleweed Message Protection Lab™, Tumbleweed Active Agents™, Tumbleweed SecureTransport™, Tumbleweed Validation Authority™ and Tumbleweed Valicert Validation Authority™ are trademarks of Tumbleweed Communications Corp.
Contents
Preface xxv
Chapter 1
Introduction
1
1.1 Intended Audience ... 2
1.2 Overview of Email Firewall 6.2 ... 3
1.3 Other Documentation ... 4
Chapter 2
Setting Up Email Firewall Administration
7
2.1 Overview of Administrator Setup Tasks ... 8
2.2 Administrative Security ... 9
2.2.1 Web Administration Access Controls ... 9
2.2.2 Logging In ... 10
Setting Up Secure Login ... 10
2.2.3 Main Menu ... 12
2.3 System Status ... 14
2.3.1 Info and Alerts Status ... 14
2.3.2 Message Queues Status ... 17
2.3.3 Email Firewall Services Status ... 19
Automatic Email Firewall Services Restarts ... 21
2.4 Setting Up Admin Roles and Accounts ... 21
2.4.1 Admin Roles Access and Capabilities ... 23
Queues ...25
Policies ...25
Policy Modules ...25
Directory ...26
Logs and Reports ...26
Setup and Configuration ...26
2.4.2 Assigning and Creating Admin Roles ...27
2.4.3 Creating New Administrator Accounts ...29
2.4.4 Preferences ...31
2.5 Setting Up Relays ...32
2.5.1 Relay Settings Configuration ...33
2.5.2 Global Relay Settings ...34
Stopping Inbound or Outbound Mail ...34
Enabling and Disabling Preprocessing and Policy Engine ...35
2.5.3 Limit Settings ...36
Maximum Connections and Delay Settings ...36
Network Connections and Replication Environments ...37
Message Size and Recipient Limits ...37
2.5.4 Identity Settings ...38
Setting the SMTP Port ...38
Specifying the Relay Host Name ...39
Specifying the SMTP Greeting and Postmaster Information ...39
Hiding Email Firewall Version Number in Message Headers ... 40
Local MX Hosts Configuration ...41
2.5.5 Specifying the DNS Servers ...41
2.5.6 Specifying DNSBL Settings ...42
2.5.7 Exceptions to Mail Delivery ...43
Specifying Illegal Characters in Email Address Formats ...43
Dropping Mailbox-Only Recipients ...44
Deleting Bounced Notifications ...44
2.5.8 Miscellaneous Relay Settings ...45
Delivery Status Notifications ...46
Alternate Lookups ...46
Load Balancing by Randomizing Order of MX Hosts ...47
Received Headers Content ...47
SMTP Relay Delay and Non-Delivery Notifications Sent ...48
2.5.9 Network Connections Concepts ...49
Understanding Internal vs. External Networks ...50
Rejecting Connections From Malicious Clients ...50
2.5.10 Domain-Based Authentication Protocols ...51
Servers, Routing Rules and TLS ... 58
Configuring Email Firewall To Prevent Open Relaying ... 59
2.5.13 Setting Up Mail Routing Rules ... 60
Setting Up Exact Matching for a Domain ... 65
Best Match Algorithm and Wildcards ... 66
Editing Routing Rules ... 66
2.5.14 Address Rewriting Concepts ... 67
Address Rewriting Rules ... 68
Match Specifiers ... 68
Rewrite Actions ... 69
Matching and Substitution Examples ... 70
A Complete Example ... 70
2.5.15 Setting Up Address Rewriting ... 71
Creating Custom Address Rewriting Rules ... 74
2.5.16 Testing Address Rewriting ... 75
2.5.17 SMTP Relay and Message Retry Configuration ... 76
2.5.18 Troubleshooting the SMTP Relay Service ... 76
SMTP Relay Service Not Accepting Messages ... 76
Email Firewall Relay Not Identifying Itself Properly ... 77
Troubleshooting Outbound Message Backlogs ... 78
Troubleshooting TLS ... 80
2.6 Setting Up Anti-virus and Anti-spam ... 80
2.6.1 Setting Up Anti-virus and Anti-spam Downloads ... 82
Virus Scanning Heuristics ... 84
2.6.2 Setting Up Dynamic Anti-spam Service Settings ... 84
Adding Spam Categories to Scanned Messages ... 85
Do Not Scan Messages Received From Internal Networks ... 86
Do Not Scan Messages Larger Than 200 KB In Size ... 86
2.7 Setting Up Global Policy Settings ... 87
2.7.1 Setting Up Peak Time for Policy Actions ... 87
2.7.2 Setting Up Archive for Policy Actions ... 88
Archiving Options for Virus-Infected Messages ... 90
2.7.3 Setting Up Other Global Policy Options ... 91
Scanning Bytes of Non-Text Attachments ... 93
Limitations in Scanning Non-Text Attachments ... 93
Marking Text Parts That Use Unsupported Character Sets ... 94
Marking Messages With Invalid MIME Structure or Illegal Character Encoding as Decomposition Failures ... 94
Isolating BCC Recipients on Separate Copies of the Message ... 95
Quarantining Messages That Grow to Excessive Size ... 96
Quarantining Deeply Nested MIME Messages ... 96
2.7.4 Setting Up Policy-based Routing ... 97
Avoiding Infinite Message Looping ... 99
2.8.2 Setting Up Centralized Event Logging and Reporting ...101
Prerequisites to Enabling Centralized Event Logging and Reporting for Email Firewall Systems in a Domain ...101
Prerequisites to Enabling Centralized Event Logging and Reporting for Email Firewall Systems in Workgroups ...102
Enabling and Setting Up Centralized Event Logging and Reporting ...103
2.9 Other Setup Tasks ...105
2.9.1 Setting Up Message Queues ...105
What is the Personal Quarantine Manager? ...106
2.9.2 Setting Up Reporting ...106
2.9.3 Setting Up Policies ...106
2.9.4 Setting Up the Directory ...107
2.9.5 Setting Up Security ...107
2.9.6 What is the Dynamic Anti-spam Service? ...107
2.9.7 What is Secure Redirect? ...108
2.9.8 What is Secure Messenger? ...108
2.9.9 Setting Up Proxy Servers ...109
Setting up HTTP Proxy Server ...111
Setting up FTP Proxy Server ...111
Chapter 3
Working With Queues
113
3.1 Message Queues Status ...114
3.2 Setting Up Message Queues ...116
3.2.1 Queue Configuration ...119
3.2.2 Setting Up Queue Actions ...120
Resetting Queue Actions ...121
3.2.3 Setting Up Queue Aging ...122
3.2.4 Setting Retry Queue Retry Intervals ...123
3.2.5 Creating Quarantine Custom Queues ...125
3.3 Setting Up Queue Searches ...126
3.3.1 Limitation on Queue Search Results ...126
3.3.2 Creating a Queue Search ...127
3.3.3 Modifying Queue Searches ...130
3.3.4 SQL Jobs and Deleting Messages in Queue Filters ...130
3.4 Working With Messages in the Queues ...131
3.5.2 Additional Queue Management Tips ... 134
Use Bulk Actions on Messages ... 134
Use Quarantine Queue Threshold Actions ... 135
Use Quarantine Queue Aging ... 135
Create Quarantine Queue Custom Queues ... 135
3.5.3 Checking the Quarantine Queue for Inbound Messages ... 135
3.5.4 Stopping Inbound Message Acceptance ... 136
3.5.5 Getting Rid of Undeliverable Bounced Messages ... 137
3.6 Troubleshooting Inbound and Outbound Queues ... 138
Stopping the SMTP Relay From Accepting More Messages ... 138
3.6.1 Troubleshooting Inbound Queue Backups -- Full File Groups ... 139
3.6.2 Troubleshooting Outbound Queue Backups ... 141
3.7 Using Personal Quarantine Manager ... 142
3.7.1 Personal Quarantine Manager Server ... 143
3.7.2 Quarantine Summary Notification Messages ... 144
QSNs and Quarantine Queue Aging ... 144
User Requests for Access to Quarantined Messages ... 145
Identifying QSN Message Headers ... 145
PQM Server Responses ... 146
3.7.3 Setting Up PQM Server Settings ... 147
Testing the PQM Server ... 148
3.7.4 Specifying User Domains To Receive QSNs ... 149
Editing and Removing User Domains ... 150
3.7.5 Setting Up the QSN Format and Schedule ... 151
Enabling QSN On-demand Access and White-listing ... 154
Turning Off QSN Deliveries ... 155
QSN Format Issues with Outlook Express 6 on Windows 2003 ... 156
3.7.6 Setting Up QSN Access Restrictions ... 156
Tags and Outbound Security Policies ... 157
Procedures for Setting Up QSN Tags ... 158
Editing and Deleting QSN Access Tags ... 160
3.8 PQM Reports Sent to Users ... 161
3.8.1 HTML Format QSN Blocked Messages Reports ... 161
3.8.2 Text Format QSN Blocked Messages Reports ... 165
3.8.3 User Requests for QSNs “On-Demand” ... 166
3.8.4 User Requests for “White List” ... 168
3.8.5 Bookmarking the QSN Update URL ... 168
3.8.6 PQM and Message Security Concerns ... 169
Sending QSNs in the Clear ... 169
Message Contents Not Displayed ... 170
3.9 Using Policies with PQM ... 171
3.9.1 Policies to Prevent QSNs from Being Sent to Specific Users ... 173
3.10.1 Changing the PQM Server Account Password ...175
3.10.2 PQM Tables that Must Not be Replicated ...175
3.10.3 PQM and IIS Server Configuration Issues ...176
Authentication Methods ...176
PQM Server Anonymous Account ...177
Application Protection ...177
Secure HTTP Access ...178
PQM Server Logging ...179
Diagnosing Authentication Problems ...179
3.11 Troubleshooting the PQM ...181
3.11.1 PQM Notification Service “Not Running” or Not Shown ...181
3.11.2 Localization Issues and PQM Message Display ...182
3.11.3 Duplicate Notifications from Notification Service ...182
3.11.4 Personal Quarantine Manager FAQs ...183
Chapter 4
Working With the Event Log
185
4.1 Setting Up Email Firewall Event Logging ...186
4.1.1 Setting Up Global Event Log Settings ...187
4.1.2 Setting Up Logging Levels ...187
4.1.3 Setting Up Event Aging ...188
4.1.4 Event Log Export ...189
4.1.5 Cleanup Jobs and Message Processing ...189
4.1.6 SQL Server Job Events Not Reported ...190
4.2 Searching the Event Log ...190
4.3 Using Event Log Filters ...192
4.3.1 Creating Event Log Filters ...192
4.3.2 Creating Custom Events ...194
4.4 Searching for Message Events ...199
Chapter 5
Understanding Policies
203
5.1 Policy Overview ... 204
5.1.1 Definitions ... 204
5.1.2 Example ... 205
Name ... 206
Catch Conditions ... 206
Exclude Conditions ... 207
Actions ... 208
Backup Actions ... 209
Summary ... 209
5.2 Policy Categories and Types ... 210
5.2.1 Basic Mail Filtering Policy Types ... 211
Random Selection ... 213
5.2.2 Attachments Policy Types ... 215
File Attachment Stripping ... 215
Convert UUencoded Attachments to MIME Format ... 216
5.2.3 LDAP Policy Types ... 216
5.2.4 Virus Policy Types ... 217
Infected Message ... 217
Clean Stamp Uninfected Messages ... 217
5.2.5 Security Policy Types ... 217
5.2.6 SPN Policy Types ... 218
5.2.7 Headers Type Policies ... 218
Remove MIME Headers ... 219
Remove Hostnames and Subdomains From MIME Headers ... 219
Normalize Email Addresses in MIME Headers ... 219
Message Header Fields ... 219
5.3 Email Firewall Directory ... 220
5.3.1 Directory Objects ... 220
Folders ... 221
Domain Records ... 221
Default Domain Record ... 221
User Records ... 222
5.3.2 Default Directory Structure ... 222
All Folder ... 223
External Folder ... 223
Internal Folder ... 224
5.3.3 Viewing Policies Applied to Directory Objects ... 224
5.3.4 Adding New Directory Objects ... 224
Adding Folders ... 225
Adding Domain Records ... 227
Adding User Records ... 228
5.3.5 How Policies and User Records Work Together ... 231
5.3.6 Using LDAP Import ... 232
5.4 How Email Firewall Applies Policies ... 233
5.4.1 Hierarchy of Message Actions ... 233
5.4.2 How Severity of Action Affects Policy Enforcement ...235
5.4.3 Understanding Policy Inheritance and Overrides ...237
5.4.4 Policy Inheritance Example ...237
5.4.5 Policy Override Example ...238
5.4.6 Preventing Policy Overrides ...238
5.5 General Policy Planning Considerations ...240
5.5.1 Inheritance Is From Parent Folders Only ...240
5.5.2 When to Use Sender Policies ...240
5.5.3 When to Use Recipient Policies ...241
5.5.4 Where To Apply Anti-spam Policies ...241
Using a Recipient Policy for Spam Example ...243
5.5.5 Use Directory Folder Policies Whenever Possible ...243
5.6 Default Policies and Folders ...245
5.6.1 General Rules About Policy Application ...245
5.6.2 Policies Applied to the All Folder ...246
Decompression Errors ...246
Decomposition Errors ...246
Partial Message Block ...247
Virus Hoax Block ...247
5.6.3 Additional Policies Applied to the External Folder ...248
Outbound Size Deferral ...248
5.6.4 Additional Policies Applied to the Internal Folder ...248
EXE Blocking ...250
Inbound Size Deferral ...250
Infected Message (Recipient) ...250
Infected Message (Sender) ...250
Long Filename Quarantine ...251
Multimedia Attachments Deferral ...251
Outbound Message Archival ...251
Résumé Block ...251
Sensitive Info Review ...252
5.6.5 HIPAA Compliance Policy ...252
5.6.6 Dynamic Anti-spam Service Policies ...252
Spam - DAS: Adult ...252
Spam - DAS: High Confidence ...253
Spam - DAS: Moderate Confidence ...253
Chapter 6
Creating and Editing Policies
255
6.1 Introduction to Policy Building ... 256
6.1.1 Using Multiple Policy Actions ... 256
6.2 Lists and Tags ... 257
6.2.1 Cautions on Using Text Wildcards in Lists ... 258
6.2.2 Word Lists ... 258
Using Wildcards in Word Lists ... 259
Word Lists and Wildcards Caution ... 260
Word List Construction and Weighted Word List Syntax ... 260
Validating and Saving Word Lists Using Advanced Add ... 261
6.2.3 Advanced Add, Character Sets and Lists ... 262
6.2.4 Using Regular Expressions in Word Lists ... 262
6.2.5 Creating a Word List Example ... 263
Plan the New Word List First ... 263
Associate the External Word List and Create the List ... 264
6.2.6 Address Lists ... 265
Address Lists and Wildcards Caution ... 266
6.2.7 Creating an Address List Example ... 266
6.2.8 Attachment Lists ... 268
Viewing File Types for Attachment Lists ... 269
Using Advanced Add and Wildcards in Attachment Lists ... 270
Attachment Lists and Wildcards Caution ... 270
Special Considerations for File Names and File Types ... 271
6.2.9 Creating an Attachment List Example ... 271
6.2.10 Exporting Lists ... 273
6.2.11 Tags ... 274
6.2.12 Creating a New Tag Example ... 275
Advanced Add for Tags ... 277
6.3 Annotations ... 278
6.3.1 Global Settings for In-line Annotations ... 279
Using Placeholders in Global In-line Annotations ... 280
6.3.2 Using Placeholders in Policy Annotation Text ... 281
6.3.3 Skipping Annotation Text ... 281
6.3.4 Annotating All Outbound Mail with a Disclaimer ... 282
Plan the Outbound Disclaimer Policy ... 283
Create the Outbound Disclaimer Annotation ... 284
Create the Outbound Disclaimer Policy ... 285
Apply the New Disclaimer Policy to the Policy Hierarchy ... 285
6.4 Notifications ...287
6.4.1 Global Notification Settings ...288
Notification Routing ...289
Default Global Notification Settings ...289
6.4.2 Creating a New Notification for a Policy Action ...290
Avoiding Duplicate Notifications ...292
Dropped or Returned Message Notification Option ...293
Virus in Message Notification Option ...293
6.5 Using Events as Policy Actions ...295
6.6 Creating Policies ...296
6.6.1 Viewing the Default Policies ...296
Editing Default Policies to Scan HTML Tags ...296
6.6.2 Creating a New Policy Example ...298
6.7 Applying the Policy to a Directory Object ...301
6.7.1 Adding Policies to Directory Objects ...302
6.8 Using Virus- and File-Stripping Policies ...303
6.8.1 How Virus-Stripping Policies Work ...303
6.8.2 How File-Stripping Policies Work ...304
6.9 Policy Protection Against New Viruses ...305
6.9.1 Defining Content-Based Policies for Viruses ...305
Creating the New Policy ...305
Applying the New Policy to the Directory ...308
Testing the New Policy ...309
6.9.2 Using Policies to Detect HTML Mobile Code ...310
Catching Script Tags ...310
6.9.3 Troubleshooting Virus Protection ...311
Common Ways Email Firewall is Misconfigured ...311
Other Channels for Virus Infiltration ...312
6.10 Using Headers Type Policies ...313
6.11 Using DAS Message Properties ...315
6.11.1 Default Dynamic Anti-spam Service Policies ...315
6.11.2 What a DAS Policy Should Look For ...316
DAS Message Properties Added ...317
DAS Message X-headers Added ...317
Acting on Spam Messages ...318
6.11.3 Using the Broadcast Content Rating in Policies ...319
6.11.4 Applying the Anti-spam Policy to the Directory ...319
6.11.5 Testing the Anti-spam Policy ...320
Special Test Keywords for Testing an Anti-spam Policy ...321
6.11.6 Creating a Broadcast Exception Policy ...321
Conditions Not Configured Properly ... 324
Directory Object Has Not Inherited a Policy ... 324
Exclude Conditions Not Configured Properly ... 325
Two Similar Policies Specify Different Actions ... 325
Policy Should Be Recipient (or Sender) ... 325
Address List Uses Non-Word Characters ... 325
Annotations Not Skipped ... 325
Signed Messages Not Being Caught ... 326
6.12.2 Other Problems ... 326
Virus Pattern File Needs to Be Updated ... 326
Virus Scan Engine Needs to Be Updated ... 326
SMTP Relay Service Is Stopped ... 326
Policy Enforcement Not Enabled ... 326
List Not Configured Correctly ... 327
Notification Address Is Incorrect ... 327
Queue Backups ... 327
Chapter 7
Dynamic Anti-Spam Service
329
7.1 Introduction to Stopping Spam ... 330
7.1.1 At-the-Relay Protection ... 331
7.1.2 Incoming Message Classification ... 331
7.1.3 Acting on Spam Messages ... 332
7.2 Dynamic Anti-spam Service Overview ... 332
7.2.1 Email Firewall Spam Analysis Engine ... 332
7.2.2 Email Firewall Download Service ... 333
7.2.3 Tumbleweed Message Protection Lab ... 333
7.3 Dynamic Anti-Spam Service Architecture ... 334
7.3.1 Mail Flow with the Dynamic Anti-spam Service ... 334
7.4 How the Engine Processes Messages ... 337
7.4.1 What the Engine Looks For ... 337
7.4.2 Messages Not Analyzed by the Service ... 338
Large Messages ... 338
Secure Response Service Messages ... 338
SPN or Encrypted Messages ... 339
7.4.3 Internal Message Analysis ... 339
7.5 Message Categorization ... 340
7.5.1 Message Assessment and Properties Added ... 340
What the Spam Confidence Rating Means ... 341
What the Spam Content Rating Means ... 341
7.6 Dynamic Anti-spam Service Administration ...343
7.6.1 Spam Analysis Engine Maintenance ...344
7.6.2 SMTP Relay Routing Option Behavior ...344
7.6.3 Enabling and Disabling the Service ...344
Moving All Messages Out of the Spam Analysis Queue ...345
7.6.4 Enabling DAS X-headers ...345
Spam Filter Version Identifier ...345
7.6.5 Removing Internal Mail From Engine Processing ...346
7.6.6 Adding Large Messages to Engine Processing ...346
7.6.7 License Changes And License Events ...347
7.6.8 Error Handling in the Spam Analysis Engine ...347
7.6.9 Performance Counters ...348
Preliminary Steps Required for Log Mode ...349
Setting Up a Spam Analysis Engine Counter ...349
Starting a Spam Analysis Engine Counter ...350
Stopping a Spam Analysis Engine Counter ...350
7.6.10 Spam Analysis Engine Event Log Events ...351
7.7 Dynamic Anti-spam Filter Downloads ...351
7.7.1 Downloading Filter Data From the FTP Server ...351
7.7.2 Updating the Email Firewall Database Tables ...352
7.8 Download Service Maintenance ...353
7.8.1 Manually Checking for Updates ...353
7.8.2 Rolling Back To An Earlier Filter Data Version ...353
7.8.3 Removing A Corrupted Filter Version ...353
7.8.4 Increasing MMSConfigData Filegroup Size ...354
7.8.5 Troubleshooting Updates ...354
7.9 The Tumbleweed Message Protection Lab ...355
7.9.1 Message Protection Lab Tools ...356
7.9.2 Submitting Examples To the Lab ...356
How To Forward Unmarked Spam ...357
Microsoft Outlook and Netscape Users ...357
Automating Spam Submittal For Your Users ...357
Submitting False Positives ...359
Submitting False Positives Using Email Firewall Web Admin ... 359
7.10 The Anti-spam Toolbox ... 360
Chapter 8
Email Encryption and Authentication Overview
363
8.1 Introduction to Email Encryption and Authentication in EMF ... 364
8.2 S/MIME and OpenPGP Overview ... 365
8.2.1 Email Firewall and S/MIME ... 366
8.2.2 Email Firewall and OpenPGP ... 368
8.3 Email Firewall Gateway-to-Gateway Security ... 369
8.3.1 Understanding Local Secure Domains ... 370
8.3.2 Setting up SPN Links ... 371
8.3.3 Certificate Import and Export ... 372
8.3.4 The Email Firewall SPN-Type Policies ... 372
Non-SPN Message Received From SPN Domain (Inbound) ... 372
Imperfect SPN Message Received (Inbound) ... 372
Unable to Encrypt and Sign to SPN Domain (Outbound) ... 372
8.4 Email Firewall Security using TLS ... 373
TLS Certificate Requirements ... 374
8.5 Email Firewall Server-to-Client Proxy Security ... 375
8.5.1 How Email Firewall Performs Proxy Security ... 377
Proxy Encryption ... 379
Proxy Decryption ... 380
Proxy Signature ... 380
Proxy Verification ... 380
Automatic Lookup of User Certificates ... 381
8.5.2 Email Firewall and Automatic Certificate Association ... 382
Policy Usage ... 382
New Certificates ... 383
Policy Limitations ... 383
Root Key Purpose ... 383
8.5.3 The Email Firewall Proxy Security Policy Types ... 384
Proxy Decrypt and Verify ... 384
Proxy Encrypt and/or Sign ... 384
Automatic Certificate Association (for S/MIME only) ... 384
Unencrypted Message Filter ... 385
Client Encryption and Signature ... 385
8.6 Email Firewall Client-to-Client Security ... 385
8.6.1 “Allow” Client-to-Client Security Policies ... 387
Plaintext Access ... 387
Understanding Plaintext Access ... 388
Allow Security Stripping ... 388
8.6.2 “Require” Client-to-Client Security Policies ... 389
8.7 The Sender Signature Policy Type ...391
8.7.1 Background ...391
8.7.2 Conceptual Overview ...392
8.7.3 Email Firewall Signing Certificate Validation ...393
8.8 Understanding Certificate Harvesting ...394
8.8.1 S/MIME Certificate Harvesting ...394
8.8.2 OpenPGP Key Harvesting ...394
8.9 Understanding Certificate and PGP Key Responders ...395
8.9.1 Certificate Responder and Server Certificates ...395
8.9.2 Certificate Responder and Proxy Certificates ...396
8.9.3 Understanding PGP Key Responder ...396
8.10 Third-Party Certificates and Email Firewall ...397
8.10.1 Supported Third-Party Server S/MIME Certificates ...398
8.10.2 Third Party TLS Certificate Requirements ...399
8.10.3 SMG Mode Certificates ...400
8.11 Third Party PGP Keys and Email Firewall ...400
8.12 Understanding Certificate Rollovers ...401
8.12.1 Server Certificate Expiration and Proxy Security ...402
8.12.2 Certificate Rollover Coordination Required ...403
8.12.3 Certificate Rollover Preparation Checklist ...404
8.12.4 Certificate Rollover Process Concepts ...404
Generate or Import the New Certificate ...404
Distribute The New Certificate ...405
Associate the New Certificate with the Local Secure Domain ... 405
Complete the Rollover ... 406
Certificate Rollover Completion Wrap-Up and Consequences ... 407
8.12.5 Proxy PGP Key Rollover ... 407
8.13 The PGP Trust Model ...408
8.14 Trust and Interoperability of S/MIME Certificates ...408
8.14.1 Understanding Key Size Issues ...409
8.14.2 Understanding Root Key Purposes ...411
8.14.3 Understanding S/MIME Interoperability Issues ...412
Trusting a Certificate ...412
Trusting Self-Signed Certificates ...412
Associating an Email Address with a Certificate ...413
Associating Self-Signed Certificates ...413
Understanding Server or Role Certificates in Email Firewall ..413
Understanding Proxy Certificates in Email Firewall ...414
8.14.4 Email Firewall S/MIME Certificate Verification ...416
8.14.5 Establishing Trust Relationships ...416
8.14.8 Email Firewall and CRL Distribution Points ... 420
8.14.9 Email Firewall and CRL Processing Precedence ... 421
8.15 Frequently Asked Questions ... 422
8.16 Commonly Used Security Terms ... 424
Certificate ... 424
Certificate Authority ... 424
Certification Practice Statement ... 424
Certificate Revocation List (CRL) ... 424
CRL Distribution Point ... 424
Chain Trust, or Trust According to Certificate Status ... 425
Decryption ... 425
Digital Signature ... 425
Encryption ... 425
Fingerprint ... 425
Key ... 425
OpenPGP ... 425
Private Key ... 426
Public Key ... 426
S/MIME ... 426
SMG ... 426
SPN ... 426
TLS ... 427
Chapter 9
Security Configuration
429
9.1 Setting Up Email Firewall Security ... 430
9.1.1 Email Firewall Security Prerequisites ... 431
9.1.2 Using the Email Firewall Security Setup ... 432
9.2 Setting Up Key Pairs and Certificates for S/MIME ... 433
9.2.1 Generating an Email Firewall Certificate and Key Pair ... 434
9.2.2 Sharing the Certificate and Root Key ... 435
Exporting the Certificate and Root Key ... 436
Publishing the Certificate as a Root Key ... 436
9.2.3 Enabling Email Firewall Certificate Responder ... 437
What an External User Must Do to Invoke Certificate Responder ... 437
9.2.4 Importing Third-Party Server Certificates ... 438
Entrust-Specific Requirements for Certificates ... 438
From Entrust Certificate and Private Key to PKCS#12 File ... 439
VeriSign-Specific Requirements for Certificates ... 439
9.2.6 Obtaining Certificate Authority Root Certificates ...440
Obtaining Entrust Root Certificates ...441
Obtaining Verisign Root Certificates ...441
9.3 Setting Up PGP Keys ...442
9.3.1 Generating a PGP Proxy Domain Key ...443
9.3.2 Enabling Email Firewall PGP Key Responder ...444
What an External User Must Do to Invoke PGP Key Responder ...444
9.3.3 Importing PGP Keys Into Email Firewall ...445
9.4 Setting Up Certificates for TLS ...445
9.4.1 Creating a TLS Message Exchange Policy ...448
9.5 Setting Up for Sender Signature Policies ...451
9.5.1 Administrator Actions Required ...451
9.5.2 Expected Signing Behaviors ...454
9.5.3 Troubleshooting Sender Signature Policies ...456
9.6 Setting Up a Secure Public Network ...458
9.6.1 Defining and Associating Local Secure Domains ...458
Editing a Local Secure Domain ...460
9.6.2 Enabling SPN Links ...461
Requesting an SPN Link From External Email Firewall Servers ...461
9.6.3 Setting Up Email Firewall to Respond to SPN Links ...463
Checking For and Accepting SPN Links ...465
9.6.4 Verifying the SPN and Security for the Domain ...466
9.6.5 Creating a Policy to Check for Successful SPN ...467
9.7 Setting Up for SMG Mode ...471
9.7.1 Set Up Differences in SMG Mode ...471
9.8 Setting Up S/MIME Proxy Security ...474
9.8.1 Configuring S/MIME Proxy Security Checklist ...474
9.8.2 Configuring S/MIME Proxy Security Example ...476
9.8.3 Generating a Key Pair and Certificate ...476
9.8.4 Configuring Email Firewall to Use the New Certificate ...477
9.8.5 Exporting and Publishing the Root Certificate ...478
9.8.6 Enabling S/MIME Proxy Certificate Usage and Responder ...479
9.8.7 Creating the S/MIME Proxy Security Policies ...480
Creating a Client Encryption and Signature Policy ...480
Creating a Detect Cert-query Policy for the External Folder ...482
Creating a Proxy Decrypt and Verify Policy ...484
Creating a Proxy Encrypt and/or Sign Policy ...485
9.8.8 Enabling Automatic Certificate Association ...490
9.9 Rolling Over S/MIME Certificates ... 497
9.9.1 Rolling Over a Certificate ... 497
Generating or Importing The New Certificate ... 497
Distributing The New Certificate ... 498
Associating The Server Certificate With the Local Domain ... 499
Enabling Proxy Partners To Obtain The Proxy Certificates ... 499
Completing the Certificate Rollover ... 500
9.10 Downloading Certificate Revocation Lists ... 500
9.10.1 Specifying CRL Source and Download Schedule ... 501
9.10.2 Specifying the HTTP Proxy Server for Downloads ... 502
9.10.3 Manually Invoking CRL Downloads ... 502
9.11 Specifying the CRL DP LDAP Lookup ... 503
9.12 Setting Up OpenPGP Proxy Security ... 504
9.12.1 Configuring OpenPGP Proxy Security Checklist ... 504
9.12.2 Configuring OpenPGP Proxy Security Example ... 506
9.12.3 Generating an Internal PGP Key (Local Key) ... 506
9.12.4 Configuring Email Firewall to Use the New PGP Key ... 507
9.12.5 Creating the OpenPGP Proxy Security Policies ... 507
Create a Policy to Detect PGP Keys Sent to EMF Server ... 508
Creating a Proxy Decrypt and Verify Policy ... 509
Creating a Proxy Encrypt and/or Sign Policy ... 511
9.12.6 Creating the User Records ... 516
9.12.7 Exchanging and Verifying PGP Keys ... 517
9.12.8 Completing the Association ... 518
9.12.9 Putting It All Together ... 518
9.13 Rolling Over OpenPGP Proxy Domain Keys ... 519
9.13.1 Rolling Over a PGP Key ... 519
Generating the New PGP Key ... 519
Distributing the New PGP Key ... 520
Associating the Server PGP Key With the Local Domain ... 520
Enabling Proxy Partners To Obtain The Proxy PGP Key ... 520
9.14 Setting Up S/MIME and OpenPGP Client-to-Client Security ... 521
9.14.1 Creating Plaintext Access Policies ... 521
9.14.2 Creating Allow Security Stripping Policies ... 524
9.14.3 Creating an Unencrypted Message Filter Policy ... 525
Sender-Based Unencrypted Message Filter Solution ... 527
Chapter 10
Administrative Tools
531
10.1 Email Firewall Directory Tools ...532
10.1.1 Find User ...532
10.1.2 LDAP Import ...533
10.2 Setting Up LDAP Directory Imports ...534
10.2.1 Configuring LDAP Import Mappings ...535
Attribute Mapping ...536
10.2.2 Understanding the Directory Import Sequence ...539
Special Considerations When Using Active Directory ...540
10.2.3 Identifying the Data Source for LDAP Import ...540
LDAP Import and MS Exchange Issue ...544
10.2.4 Configuring a Query for LDAP Import ...545
10.2.5 Configuring a Mapping for LDAP Import ...548
10.2.6 The Email Firewall LDAP Import Process ...550
10.3 Performing the LDAP Import ...552
10.3.1 LDAP Import Scheduling ...553
How Deleting Directory Import Sequences Affects User Records ...555
10.3.2 Creating LDIF Files ...555
10.3.3 Stopping Updating of User Records ...557
10.3.4 Cleaning Up the Directory ...558
10.3.5 Email Firewall LDAP Import Log File ...559
10.4 Using the Command Line Program Tools ...560
10.4.1 MMSLDIFImportConfig ...560
10.4.2 EMFSave ...561
10.5 Using the Word List Tester ...564
10.5.1 Validating Word Lists ...564
10.5.2 Checking Word List Processing Time ...566
10.5.3 Checking Address List Processing Time ...567
10.6 Using the PrivateKeyWizard Tool ...568
10.6.1 Specifying a New Password ...569
10.6.2 Inputting a Password to Protect Private Keys ...571
10.6.3 Importing Private Keys from a PKCS#12 File ...574
10.6.4 Importing PGP Keys ...579
10.6.5 Removing Certificates and PGP Keys ...582
10.7 Using the Email Firewall Diagnostics Utility ...582
10.7.1 SQL Server Related Tests ...583
10.7.2 Email Firewall Related Tests ...584
10.8 Using the EMFDebugLogCapture Tool ... 590
10.9 Using EMFSave ... 592
10.9.1 EMFSave and Administration Data ... 592
10.9.2 EMFSave and Replication ... 593
10.9.3 Starting EMFSave ... 593
10.9.4 Restoring EMFSave Files ... 599
Missing Data and Restore Errors ... 601
10.9.5 Using EMFSave in a Cluster Environment ... 601
10.10 Using the Email Firewall Update Service ... 602
10.11 Using the Configuration Editor ... 609
Chapter 11
Email Firewall Reports
611
11.1 Setting Up Email Firewall Reports ... 612
11.1.1 Global Reports Setup ... 612
11.1.2 Reporting Statistics and Queues Issues ... 615
11.2 Volume Reports ... 616
11.2.1 Attachment Volume and Size ... 617
11.2.2 Message Volume and Size ... 617
11.2.3 Message Volume by Policy Disposition Report ... 618
11.2.4 Attachment Volume for a Specific Attachment Type ... 619
11.2.5 Virus Type and Volume ... 619
11.2.6 SPF Volume Report ... 620
11.2.7 Caller ID Volume Report ... 621
11.2.8 Spam Volume Report ... 621
Interpreting the Spam Volume Report ... 623
11.3 Frequency Reports ... 624
11.3.1 Frequently Detected Virus ... 624
11.3.2 Frequent Policy Violation ... 624
11.3.3 Frequent Receiving Domains ... 624
11.3.4 Frequent Recipient Policy Violation ... 624
11.3.5 Frequent Sender Policy Violation ... 625
11.3.6 Frequent Sending Domains ... 625
11.3.7 Frequent Sending IP Addresses ... 625
11.3.8 Frequent Virus Sender ... 625
11.3.9 Frequent SPF and Caller ID Violators ... 626
11.3.10 Frequent Senders Released from Quarantine ... 626
11.4 User Reports ... 627
11.4.1 Attachment Volume for Specific Recipient ... 627
11.4.2 Message Volume for Specific Recipient ... 627
11.4.5 Message Volume for Specific Sender ... 628
11.4.6 Policy Violation for Specific Sender ... 628
11.4.7 Virus Detected for Specific Sender ... 628
11.5 Audit Reports ... 629
11.5.1 Directory and Policy Audit ... 629
11.5.2 Directory Audit ... 629
11.5.3 Policy Audit ... 629
11.5.4 Directory and Policy Audit for a Single User ... 629
11.5.5 Directory Audit for a Single User ... 630
11.5.6 Policy Audit for a Single User ... 630
11.6 Customizing Email Firewall Reports ... 630
11.6.1 Customizing Volume Reports ... 631
11.6.2 Customizing Frequency Reports ... 632
11.6.3 Customizing User Reports ... 633
11.6.4 Customizing Audit Reports ... 634
11.7 Printing and Saving Reports ... 635
11.7.1 Printing Reports ... 635
11.7.2 Saving Reports ... 636
Appendix A
File Types Scanned
639
A.1 General Overview ... 640
A.1.1 File Types and File Type Lists Provided ... 640
A.1.2 Scanning Limitations ... 642
A.1.3 Compressed Files and Embedded Objects ... 643
Embedded Objects in Microsoft Office Files ... 643
Limitations in File Type Decompression and Decomposition ... 644
A.2 “All Supported” File Types ... 645
A.2.1 All Supported Compressed Files ... 645
A.2.2 All Supported Database Files ... 645
A.2.3 All Supported Document Files ... 646
A.2.4 All Supported Drawing Files ... 647
A.2.5 All Supported Executable Files ... 647
A.2.6 All Supported Image Files ... 648
A.2.7 All Supported Multimedia Files ... 648
A.2.8 All Supported Password-Protected Archive Files ... 649
A.2.9 All Supported Password-Protected Files ... 649
A.2.10 All Supported Presentation Files ... 649
A.3.3 AutoCAD ... 651
A.3.4 Corel Draw ... 651
A.3.5 Help Files ... 651
A.3.6 Lotus 123 ... 652
A.3.7 Microsoft Excel ... 652
A.3.8 Microsoft PowerPoint ... 652
A.3.9 Microsoft PowerPoint with Macros ... 652
A.3.10 Microsoft Word ... 652
A.3.11 Paradox ... 653
A.3.12 Quattro/Quattro Pro ... 653
A.3.13 Windows Bitmap (BMP) ... 653
A.3.14 WordPerfect ... 653
A.4 File Types Recognized ... 655
A.5 File Types Scanned ... 659
A.5.1 Word Processing Formats ... 659
Adobe Portable Document Format (PDF) ... 660
A.5.2 Picture Formats ... 660
A.5.3 Presentation Formats ... 661
A.5.4 Spreadsheet Formats ... 661
A.5.5 Multimedia Formats ... 661
A.5.6 Compression Formats ... 662
Appendix B
Code Set Support
663
B.1 Definitions and Concepts ... 664
B.1.1 Characters and Code Sets ... 664
B.1.2 Message Text Parts ... 665
B.1.3 Non-ASCII-7 Text in Message Headers ... 665
B.1.4 The Default Recipient Locale ... 665
B.2 Data In The Email Firewall Database ... 666
B.2.1 Word List Data ... 666
Special Treatment of Japanese Text On Word Lists ... 667
B.2.2 Issues With Handling Non-English Text ... 667
Personal Quarantine Manager and Character Sets ... 668
B.3 Extraction of Text From Message Content ... 669
B.3.1 Extraction of Text From Attachments ... 669
B.3.2 Handling Text From Unsupported or Unidentified Code Sets ... 669
B.3.3 Handling of Unmapped Characters ... 670
B.4 Policy Engine Expected Behaviors ... 671
B.4.1 Annotations ... 671
Inline Annotations ... 671
B.4.2 Notifications ... 672
B.4.3 Events ... 672
B.4.4 Subject Alteration ... 673
B.4.5 MIME Header Field Policies ... 673
B.5 International Text Usage ... 674
Japanese Character Issues ... 675
B.6 Message Body and Attachments ... 677
B.7 Message Subject ... 678
B.8 ISO Tables ... 679
Appendix C
Using Regular Expressions
683
C.1 General Issues ... 684
C.1.1 Using Asterisks ... 684
Using Question Marks ... 685
C.1.2 Incorrect Usage in Regular Expressions ... 685
C.2 Operators ... 686
C.3 Character Class Operators ... 687
C.4 Tutorial Examples ... 690
Appendix D
Creating Custom Reports
693
D.1 Creating and Installing a New Report ... 694
D.1.1 Summary of Steps ... 694
D.1.2 Creating and Installing the Report ... 694
D.1.3 Example SQL Server Script for Adding Reports ... 696
D.2 Report Customization Section Selection ... 698
D.3 Parameter Field Order in the Report ... 699
D.4 Report Categories ... 701
Welcome to the Tumbleweed Email Firewall™ 6.2 Administrator’s Guide. This guide provides a description of the components, capabilities, and operation of Tumbleweed Email Firewall 6.2. It provides background, conceptual, and procedural information for planning your Tumbleweed Email Firewall installation, and provides instructions for setting up and configuring Email Firewall policies for your organization.
This preface contains the following sections:
Conventions Used in this Guide ... xxvi
Contact Information and Support ... xxvii
Preface
Conventions Used in this Guide
The following type and style conventions are used in this guide.
Table P.1: Conventions
Convention | Meaning
body text | This font is used for regular body text.
Bold | Bold blue text indicates a menu, button, text entry or icon choice.
Italics | Italics indicate a table title, book title, or cross-reference.
Command | The Courier New font indicates application code or computer generated text.
<locale> | Angle brackets indicate a user-specified command line parameter.
http://www.example.com | Small blue print indicates a URL or email link for additional relevant information.
1., 2., 3., ... | Bold blue numbers indicate steps in a procedure.
Note icon | The Note icon signals additional relevant information.
Warning icon | The Warning icon signals important information that may affect the operation of, or may be a potential threat to, the system.
Tip icon | The Tip icon signals a tip that may save time or effort.
Contact Information and Support
The following modes of contact can be used for Tumbleweed Global Support assistance.
For Tumbleweed Global Support
If possible, log into the Tumbleweed product before contacting a Tumbleweed Global Support representative directly, and have the following information ready:
• Product version and Dynamic Anti-spam Update service filter version in use. (Select Status on the main menu and scroll to the License/version tab.)
• The text of the error or warning message.
• A description of the problem and attempts made to fix the problem. Please include your name, email address, company, and server URL in all correspondence.
Table P.2: Global Support Contact Information
Type of Contact | Description
Global Support Online | http://www.tumbleweed.com/en/support/
Global Support Email | [email protected]
Global Support Helpline | 650-216-2109
Global Support Request Form | http://www.tumbleweed.com/dy/support/request/request_support.php
Customer Service, License Keys and Shipping Orders |
For General Information
The following modes of contact can be used for general information.
Table P.3: General Contact Information
Type of Contact | Description
World Wide Web | Visit the Tumbleweed Web site for general information and current issues. http://www.tumbleweed.com
Email Address | Send email to the following address: [email protected]
Telephone | Use the following telephone number for general inquiries: 650-216-2000
Postal Address | Send regular mail to the following address: Tumbleweed Communications Corp. 700 Saginaw Drive
Tumbleweed Email Firewall™ is a content security and policy management solution for Internet email. It integrates multiple protection modules, including access control, spam filtering, content filtering, attachment management, and virus and mobile code scanning to allow administrators to create and enforce SMTP email security policies across an organization.
Email Firewall 6.2 is the latest release in the Tumbleweed family of products. It is the email solution for enterprise communications. Email Firewall uses a modular architecture built around a Microsoft SQL Server database. Configuration data, policies, security certificates and keys, directory information, and message meta-data are stored in a central SQL Server database. This database is accessed by Email Firewall components, including one or more Policy Engines, SMTP relays, and other services, deployed on one or more (typically more) computers. With this easily scalable architecture, Email Firewall fits robustly into the enterprise network.
This chapter contains the following sections:
1.1 Intended Audience ... 2
1.2 Overview of Email Firewall 6.2 ... 3
1.3 Other Documentation ... 4
1.1 Intended Audience
This guide is intended for the people who design, plan, and administer email messaging solutions. It outlines the capabilities of Tumbleweed Email Firewall, describes how it works, and provides instructions for deployment and effective use in today’s business organizations. This guide assumes a working familiarity with messaging systems, networking concepts, and server administration. This guide describes what the Tumbleweed Email Firewall is and how to use its features. Included are discussions of email security options, descriptions of the default policies and what they do, and examples designed to help you to understand how to create, apply, and test your own policies.
This guide also provides instructions for customizing Email Firewall policies specifically for your organization, and provides examples of such policies at work. Also included are instructions on maintenance administration, troubleshooting, and an overview of the Email Firewall reporting features.
1.2 Overview of Email Firewall 6.2
Organizations use Tumbleweed Email Firewall for a variety of reasons. You can use Email Firewall to:
• exchange secure email
• protect against threats introduced by viruses and executable files
• quarantine suspicious email
• reduce or eliminate spam and hoax traffic
• prevent leakage of sensitive and confidential information
• establish conformance to corporate policy
• defer large messages to off-peak hours
• redirect messages to secure Tumbleweed Secure Messenger or IME servers
• archive messages for a detailed audit trail of email communication
The administrative functions of Tumbleweed Email Firewall support deployment and management of Email Firewall in large enterprises. The browser-based Web Admin component provides centralized administration of all of the Email Firewall components. Web Admin provides fully functional remote administration, authentication of administrators, and auditing of administrators’ actions. Administrator accounts are role-based to provide multiple levels of administration with granular access to sensitive controls or data. Secure access by multiple remote administrators with only the access privileges specifically granted provides a highly flexible overall enterprise security solution.
The modular, Microsoft SQL Server-based architecture allows Email Firewall to be deployed across multiple machines and in multiple remote locations. The SQL Server database management system enables enhanced throughput and centralized management of all Email Firewall data resources. Email Firewall configuration data, policies, certificates, directory information, event log data, and message meta-data are stored on a central SQL Server database server using its relational database.
Complete directory support allows policies to be applied globally, to groups, or to individual users. Information stored in LDAP-compliant directories can be easily imported and updated, and used to define to whom email usage policies apply.
(TLS). Using PGP keys instead of certificates, OpenPGP security also enables email encryption and authentication. Mail can be digitally signed and encrypted by Email Firewall for an entire organization, for specified groups within the organization, or for individual users using either S/MIME or OpenPGP security. For more information on using Tumbleweed Email Firewall 6.2, see the Tumbleweed Email Firewall Help link located on each page in Web Admin. For more general information, visit the Tumbleweed Web site at www.tumbleweed.com.
1.3 Other Documentation
For additional information about how to install, configure, and administer Email Firewall 6.2, see the following sources:
• Tumbleweed Email Firewall Help
The Help in the Tumbleweed Email Firewall Web Administration component contains context-sensitive information as well as a Table of Contents and Index available from every page. You can access the Help by clicking the Help button in the Web Admin UI. The Help also contains troubleshooting information and step-by-step instructions for configuration tasks.
• Tumbleweed Email Firewall 6.2 Release Notes
The Tumbleweed Email Firewall 6.2 Release Notes include prerequisites, hardware and software requirements, additional pre-installation and installation instructions, licensing information, new features since the EMF 6.1.1 release, and known limitations.
• Tumbleweed Email Firewall 6.2 Installation and Upgrade Guide
This document provides background and conceptual information for planning your Email Firewall installation, and provides detailed installation instructions. It also provides instructions for upgrading EMF 6.1.1 to Email Firewall 6.2.
• Tumbleweed Email Firewall Best Practices Guide
This document provides information about setting up Email Firewall optimally in large and complex environments. Included is information about SQL Server database setup, inbound and outbound email routing options, load balancing, and backup and failover strategies.
• Tumbleweed Email Firewall Anti-spam Best Practices Guide
This document provides additional information about setting up Email Firewall to combat spam.
• Secure Redirect Administrator’s Guide
This Administrator’s Guide describes how to set up the Secure Redirect service to transparently redirect email to a Tumbleweed IME server.
If you are installing Secure Messenger 6.2 with EMF 6.2, see the following sources for information about how to install, configure, and administer Secure Messenger 6.2:
• Tumbleweed Secure Messenger 6.2 Release Notes
The Release Notes include up-to-date information related to hardware and software requirements, additional pre-installation instructions, licensing information and known limitations.
• Tumbleweed Secure Messenger 6.2 Administrator’s Guide
This guide presents an overview of Email Firewall and describes configuration procedures and administration functions. It describes various use cases, and provides troubleshooting tips for operating Email Firewall 6.2.
• Tumbleweed Secure Messenger Help
The online help in the Secure Messenger 6.2 Web Admin component contains context-sensitive information as well as a Table of Contents and Index available from every page.
You can access the Help by clicking the Help button in the Web Admin user interface. The Help also contains troubleshooting information and step-by-step instructions for configuration tasks.
• Tumbleweed Secure Messenger 6.2 Developer’s Guide
This document provides information about branding the Secure Messenger end-user interfaces and integrating third party authentication infrastructure.
• Tumbleweed Email Firewall 6.2 Administrator's Guide
This guide must be read and understood before deployment of Tumbleweed Secure Messenger 6.2 to obtain a comprehensive understanding of the entire Tumbleweed secure email solution.
This chapter describes many of the features and tools in the Email Firewall Status page and the Setup links in Web Administration. Use this chapter as a road map for setting up, administering and monitoring Email Firewall.
This chapter also contains references to other sections of this guide containing more detailed information about each administrative task. This chapter contains the following sections:
2.1 Overview of Administrator Setup Tasks ... 8
2.2 Administrative Security ... 9
2.3 System Status ... 14
2.4 Setting Up Admin Roles and Accounts ... 21
2.5 Setting Up Relays ... 32
2.6 Setting Up Anti-virus and Anti-spam ... 80
2.7 Setting Up Global Policy Settings ... 87
2.8 Setting Up Event Logging ... 100
2.9 Other Setup Tasks ... 105
2.1 Overview of Administrator Setup Tasks
Table 2.1 lists the tasks that should be performed to set up and administer Email Firewall in its entirety. It is recommended that you review the concepts and overview sections before performing these tasks.
Table 2.1: Overall Setup Tasks
Step | Task | Description and Procedures
1 | Create additional administrators | 2.4 Setting Up Admin Roles and Accounts on page 21
2 | (Optional) Set up Centralized Event Logging and Reporting | 2.8.2 Setting Up Centralized Event Logging and Reporting on page 101
3 | Set up relays | 2.5 Setting Up Relays on page 32
4 | Set up global policy settings | 2.7 Setting Up Global Policy Settings on page 87
5 | Set up the Updates | 2.6 Setting Up Anti-virus and Anti-spam on page 80
6 | Set up the Queues | 3.2 Setting Up Message Queues on page 116
7 | Set up Personal Quarantine Manager | 3.7 Using Personal Quarantine Manager on page 142
8 | Set up the Dynamic Anti-spam Service | 7.2 Dynamic Anti-spam Service Overview on page 332
9 | Set up the Event Log | 4.1 Setting Up Email Firewall Event Logging on page 186
10 | Set up the Directory | 10.2 Setting Up LDAP Directory Imports on page 534
11 | Set up Security | 9.1 Setting Up Email Firewall Security on page 430
12 | Set up Policies | 6.1 Introduction to Policy Building on page 256
2.2 Administrative Security
There are three components of Email Firewall Web Administration security:
• Authentication - the process of verifying the identity of the user.
• Authorization - the process of determining whether the user is permitted to view a specific function or perform a specific action within the system.
• Auditing - the process of tracking changes and attempted changes to the system.
The Email Firewall program allows the first two components to be defined when setting up administrative roles and accounts. Audit logs provide data for the third. These features provide enterprise-wide administrative control in a multiple-server, multiple-administrator environment. Instructions for setting up administrator roles and accounts can be found in 2.4 Setting Up Admin Roles and Accounts on page 21, and also in the Email Firewall Help.
2.2.1 Web Administration Access Controls
Email Firewall provides multiple levels of administration. This design allows you to define different administrative capabilities for different components and allows the Email Firewall Web Admin environment to be partitioned so that multiple people in the organization can manage different subsets of the system. Administrative access is defined by Admin Roles and Admin Accounts. Admin Roles grant access to the capabilities defined by that role. An Admin Account can be granted only one Admin Role. Based on the capabilities assigned to an Admin Role, an administrator can view/modify only the subset of the Email Firewall system allowed by the role’s capabilities. An administrator can perform only the subset of the administrative tasks allowed by the role’s capabilities.
At least one administrator must be assigned all capabilities in order to have an administrator who can manage the whole system, including creating additional Admin Roles and Accounts. Instructions for setting up Admin Roles and Admin Accounts can be found in 2.4 Setting Up Admin Roles and Accounts on page 21, and also in the Email Firewall Help.
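The following model, added here as an illustration and not Tumbleweed's own code, shows how the three security components above fit together: each account holds exactly one role, every allowed and denied decision is audited, and the rule that at least one administrator must keep all capabilities is enforced when roles change. Only the SuperAdmin role name comes from the guide; the capability names, the QueueOperator role and all function names are assumptions.

```python
"""Model of the Web Admin security components: authentication, role-based
authorization and auditing of changes and attempted changes.
Added illustration, not Tumbleweed code; capability names are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed capability names; the guide only says a role is a set of capabilities.
ALL_CAPABILITIES = frozenset({"setup", "policies", "queues", "directory", "admin_accounts"})


@dataclass(frozen=True)
class Role:
    name: str
    capabilities: frozenset

    @property
    def is_full(self) -> bool:
        return self.capabilities >= ALL_CAPABILITIES


SUPER_ADMIN = Role("SuperAdmin", ALL_CAPABILITIES)          # role name from the guide
QUEUE_OPERATOR = Role("QueueOperator", frozenset({"queues"}))  # assumed limited role


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    role: Role  # exactly one role per account, as the guide states


class WebAdmin:
    def __init__(self):
        self.accounts = {}
        self.audit = []  # every decision, allowed or denied, is recorded here

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _record(self, actor, action, target, allowed):
        self.audit.append({"actor": actor, "action": action,
                           "target": target, "allowed": allowed})

    def create_account(self, username, password, role):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt), role)

    # Authentication: verify identity; a failed login is an audited attempt.
    def authenticate(self, username, password):
        acct = self.accounts.get(username)
        ok = acct is not None and hmac.compare_digest(
            acct.pw_hash, self._hash(password, acct.salt))
        self._record(username, "login", "-", ok)
        return acct if ok else None

    # Authorization: an account may use only what its single role grants.
    def authorize(self, acct, capability):
        allowed = capability in acct.role.capabilities
        self._record(acct.username, "use:" + capability, "-", allowed)
        return allowed

    def change_role(self, actor, target_username, new_role):
        if not self.authorize(actor, "admin_accounts"):
            return False  # the denied attempt is already in the audit log
        target = self.accounts[target_username]
        # Invariant from the guide: at least one administrator must hold all
        # capabilities, so the last full administrator cannot be demoted.
        others_full = [a for a in self.accounts.values()
                       if a is not target and a.role.is_full]
        allowed = not (target.role.is_full and not new_role.is_full and not others_full)
        if allowed:
            target.role = new_role
        self._record(actor.username, "change_role:" + new_role.name, target_username, allowed)
        return allowed

    def denied_attempts(self):
        return [e for e in self.audit if not e["allowed"]]
```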
2.2.2 Logging In
During Email Firewall installation, an administrator account consisting of name and password is set up. This default admin account with SuperAdmin role is automatically granted the necessary privileges to set up additional administrator accounts and to administer Email Firewall. For instructions on creating additional admin accounts, see 2.4.3 Creating New Administrator Accounts on page 29.
To administer Email Firewall you must log in to Email Firewall Web Admin. To access the login page, open your browser and type one of the following URLs in the browser address field:
To log in to Email Firewall on a secure server (using a secure server is recommended):
https://<machine name>/emfadmin
To log in to Email Firewall on a non-secure server:
http://<machine name>/emfadmin
For the remainder of this chapter, functions are described assuming the administrator has full administrative privileges unless otherwise noted.
The Email Firewall Web Admin component requires the use of JavaScript. When using Internet Explorer, the Active Scripting Option must be enabled. See the Email Firewall 6.2 Installation and Upgrade Guide for instructions. Pop-up
Setting Up Secure Login
To set up Web Admin so that SSL (https) is required:
3. Click Internet Information Services and expand it.
4. Right-click the Default Web Site and select Properties.
5. Select the Directory Security tab.
6. In the Secure communications group box, click Edit.
7. Mark the Require secure channel (SSL) checkbox.
8. Optionally mark the Require 128-bit encryption checkbox.
9. Click Save.
When the login page opens (see Figure 2.1), type your Username and Password in the fields and click Login. While logged in you can customize your account preferences, including identity, password, and how many lines are displayed in your browser pages. For instructions, see 2.4.4 Preferences on page 31. Using multiple browser sessions is supported. However, you should start a new instance of the browser to do so. Do not attempt to open multiple browser windows using the same Web Administration session.
Figure 2.1: Login Page EMF
For security reasons the Web Administration component has a time-out feature. After 60 minutes of inactivity, you are automatically logged out and must log in again to continue.
2.2.3 Main Menu
When you are logged into Web Administration, you will see the name of the SQL server on which the Web Administration database resides. This server name is displayed at the top left of the page under the product name. Under the server name is the main menu. Each main menu item is the name of a major component or administrative tool. See Figure 2.2.
Figure 2.2: Main Menu Overview
Click any menu item to open its main page.
The sections in this chapter:
• describe the Email Firewall page accessed by the menu item.
• describe the functions available from that page.
• when appropriate, refer you to other sections of this guide for more detailed information.
The title bar at the top of every page shows the navigation path used to reach the open page. Each underlined page name is a link to that page. The last item is the name of the page you are viewing. To return to a previous page, click its underlined name in the path.
Note: The browser Back, Forward, and Refresh buttons should not be used in Email Firewall Web Admin. Use the main menu and links in the pages to navigate.
2.3 System Status
The System Status page is displayed on login. This page contains the Info and Alerts, Message Queues and Email Firewall Services tabs. A review of the information on these tabs alerts you to the current Email Firewall operating status.
While working with Email Firewall, click Status to return to the Status page.
2.3.1 Info and Alerts Status
This tab contains the Product version and its build number and, if installed, the version information for the Dynamic Anti-spam Service (DAS) filter and virus pattern files, along with the date and time of the latest update. If installed, this tab also contains the version and build number for either Secure Messenger or Secure Redirect, depending on which secure email component is installed. If you need to contact your Tumbleweed Global Support representative you will be requested to provide this information. See Figure 2.3.
Underlined headings and text in the Email Firewall Web Admin pages are links to the described page.
The Email Firewall Service Update heading provides a link to a page that provides all available Email Firewall updates (versions, patches or hot fixes) for this system.
The Email Firewall Knowledge Base heading provides a link to the Tumbleweed Knowledge Portal where you access Tumbleweed Knowledge Base articles. This page requires a user name and password. To obtain a user name and password, click the New users click here to register for access link.
The Email Firewall Services heading provides a quick reference to the status of the services and a convenient link to the Email Firewall Services tab.
The Errors & Warnings heading lists the number of errors and warnings generated during the last 24 hours. Click the link after Errors or Warnings to open the Event Log to view, filter and sort these events. The Event Log can be filtered so that only those warning and error events you select are shown in the Event Log. For more information on creating and configuring Event Log filters, see 4.2 Searching the Event Log on page 190.
Alerts are displayed for the following conditions:
• All Outbound Mail Currently Stopped
  This alert is displayed when:
  • the Stop All Outbound Mail checkbox is marked on the Setup > Relay General Settings page.
  • the value for Maximum Outbound Connections is set to 0 on the Setup > Relay General Settings page.
• All Inbound Mail Currently Stopped
  This alert is displayed when:
  • the Reject All Inbound Connections checkbox is marked on the Setup > Relay General Settings page.
  • the value for Maximum Inbound Connections is set to 0 on the Setup > Relay General Settings page.
  • if the Dynamic Anti-spam Service is not installed: the Stop the SMTP relay from accepting incoming messages checkbox is marked (in the Inbound queue setup page) and the Inbound queue threshold is triggered. (The Triggered status is displayed on the Message Queues tab when the queue grows to or exceeds the specified number of messages.)
  • if the Dynamic Anti-spam Service is installed: the Stop the SMTP relay from accepting incoming messages checkbox is marked (in the Spam Analysis queue setup page) and the Spam Analysis queue threshold is triggered. (The Triggered status is displayed on the Message Queues tab when the queue grows to or exceeds the specified number of messages.)
• Mail Not Being Routed through Policy Engine
  This alert is displayed when the Route messages through policy engine (and spam analysis engine if installed and running) checkbox is unmarked on the Setup > Relay General Settings page.
  To resolve these alerts, check the settings as applicable.
• Expiration of Evaluation License
  This alert is displayed when:
  • The Email Firewall evaluation license is about to expire. After expiration, Email Firewall stops all content, spam and virus filtering of incoming and outgoing mail. Email Firewall will
  • The Dynamic Anti-spam Service evaluation license is about to expire. After expiration, the Spam Analysis Engine stops analyzing and tagging messages with DAS message properties or X-headers. Policies that depend on the DAS tagging will not work.
  To resolve these alerts, obtain a full license from your Global Support Representative.
• When the anti-virus pattern files are more than 7 days old.
• When the anti-spam filter files are more than 7 days old.
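The alert rules above, written out as a check that an operator could run against a configuration snapshot, added here as an illustration and not Tumbleweed code. The field names are assumed stand-ins for the Web Admin settings named in the text; the point worth noticing is that a queue threshold counts as triggered at the threshold value itself, and that which queue gates the relay depends on whether the Dynamic Anti-spam Service is installed.

```python
"""Evaluate the System Status alert conditions from a settings snapshot.
Added illustration, not Tumbleweed code; field names are assumed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RelaySettings:
    stop_all_outbound: bool = False           # Stop All Outbound Mail checkbox
    max_outbound_connections: int = 10        # Maximum Outbound Connections
    reject_all_inbound: bool = False          # Reject All Inbound Connections checkbox
    max_inbound_connections: int = 10         # Maximum Inbound Connections
    route_through_policy_engine: bool = True  # Route messages through policy engine


@dataclass
class QueueSettings:
    stop_relay_when_triggered: bool = False  # Stop the SMTP relay from accepting incoming messages
    threshold: int = 1000
    message_count: int = 0

    @property
    def triggered(self) -> bool:
        # Triggered when the queue grows to or exceeds the threshold (>=, not >).
        return self.message_count >= self.threshold


@dataclass
class StatusSnapshot:
    relay: RelaySettings
    inbound_queue: QueueSettings
    spam_analysis_queue: Optional[QueueSettings] = None  # None when DAS is not installed
    virus_pattern_age_days: int = 0
    spam_filter_age_days: int = 0


def evaluate_alerts(s: StatusSnapshot) -> List[str]:
    alerts = []
    r = s.relay
    if r.stop_all_outbound or r.max_outbound_connections == 0:
        alerts.append("All Outbound Mail Currently Stopped")
    # Which queue's threshold gates the relay depends on whether DAS is installed.
    gate = s.spam_analysis_queue if s.spam_analysis_queue is not None else s.inbound_queue
    if (r.reject_all_inbound or r.max_inbound_connections == 0
            or (gate.stop_relay_when_triggered and gate.triggered)):
        alerts.append("All Inbound Mail Currently Stopped")
    if not r.route_through_policy_engine:
        alerts.append("Mail Not Being Routed through Policy Engine")
    if s.virus_pattern_age_days > 7:
        alerts.append("Anti-virus pattern files more than 7 days old")
    if s.spam_filter_age_days > 7:
        alerts.append("Anti-spam filter files more than 7 days old")
    return alerts
```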
2.3.2 Message Queues Status
The Message Queues tab displays the number of messages currently in the Email Firewall mail queues. See Figure 2.4.
The queues contain messages that are inbound to or outbound from Email Firewall, messages awaiting preprocessing by the Dynamic Anti-spam Service (if installed), awaiting redirection to a secure Tumbleweed IME server (if installed), awaiting preprocessing by the Secure Messenger (if installed), awaiting retry, and messages that were quarantined, detained, deferred, archived, returned or could not be delivered. The Partition queue contains messages requiring delivery to multiple recipients.
For more detailed information on the queues, including how to set them up, see 3.2 Setting Up Message Queues on page 116 and the Email Firewall Help. For a more detailed description of each queue, see Table 3.1 on page 116.
Email Firewall is an active system and the Message Count displayed shows the number of messages in the queues when the System Status page was last accessed. The current message count may differ from the number displayed. Use Refresh to update the page to show the most current message count.
From the Message Queues tab you can click an underlined queue name to access that queue’s main page and view the messages in that queue. Although the Return, Archive and Partition queues are not configurable, it is useful to occasionally note the number of messages in those queues. An excessive number of messages in those queues could indicate a processing problem that should be investigated.
If you notice a large number of messages in the Quarantine Queues, see 3.5.3 Checking the Quarantine Queue for Inbound Messages on page 135 for troubleshooting information.
The Queue Counts tab displays either the Redirect link or the Secure Messenger link depending on whether you have installed Tumbleweed’s IME server or Secure Messenger to securely deliver your outbound email messages. Figure 2.4 shows the Redirect link.
2.3.3 Email Firewall Services Status
The Email Firewall Services tab lists the services that are currently running and those that were running at some point in the past when Web Administration was running. This tab shows the current or past operating status of each service, the host name each service is running on (if applicable), and if available, its IP address. If a service is not currently running or has been uninstalled, a Remove button appears in its Action column.
Clicking Remove deletes that service from the Email Firewall Services tab list. However, Remove does not delete or uninstall the service from Email Firewall; it only removes its row from the list on the Email Firewall Services tab. Use the Remove button if you do not want to view the Email Firewall services that are not currently running or that have been uninstalled. Figure 2.5 shows an example of the Email Firewall Services tab.
Figure 2.5 shows services as they would appear if installed on the same host. In complex environments it is expected that some of these services will be deployed on different hosts.
For the services related to the secure delivery of email messages, either the Email Firewall Secure Redirect service or the Email Firewall Secure Messenger service displays within the Email Firewall Services tab depending on which component is installed, if at all.
Click Refresh to update the information displayed on the tab.
Figure 2.5: System Status Email Firewall Services Tab
If you have installed the Email Firewall SMTP Relay service Inbound partition only, you may not see the SMTP Relay Service status displayed on the Email Firewall Services tab until after the Inbound relay has received messages. This is because the relay does not establish a connection with the database until after the Inbound relay is in use.
If you have installed the Secure Messenger with Email Firewall, the Email Firewall Secure Messenger service displays on the Email Firewall Services tab instead of the Email Firewall Secure Redirect service, which is currently shown in Figure 2.5.