IronPort C-Series Channel Partner Technical Training
Copyright © 2004 IronPort Systems™, Inc. All rights reserved
V1.1 21-Jul-04
Course Objectives: Critical SE Skills
• How do I install, configure and deliver basic support for the IronPort C-Series Messaging Gateway appliance?
• What guidelines can I give customers for deploying the appliance in a typical enterprise email environment?
• How do I manage and monitor the flow of email through the appliance?
• How do I configure access control policies?
• How do I create content filters?
• How do I configure the appliance to detect and handle unwanted spam and viruses?
Course Agenda
• IronPort C-Series Overview
• Installation and Setup
• Access Control
• Policy Enforcement, Anti-Spam, and Anti-Virus
• Monitoring, Logging, and Troubleshooting
• System Administration
Things You Should Already Know…
• SMTP
• TCP/IP
• DNS
• MIME
• CLI and GUI device interfaces
Preview: A Typical New Customer Installation*
• Gather customer's network information and custom requirements in advance – 30 min
• Rack, install, and set up the appliance – 30 min
• Make custom configuration changes – 15 min
• Test and demo – 30 min
• Put the appliance into production – 15 min
* Applicable to 90% of deals (about 1,000 seats)
Let’s Go!
Module 1: IronPort C-Series Overview
IronPort Products and Services
• IronPort A-Series™: The World's Leading Outbound Email Delivery Platform
• Bonded Sender™ Program: Guaranteed Delivery of Legitimate Email
• SenderBase™: The World's Leading Email Reputation Service
• IronPort C-Series™: Next Generation Enterprise Email Security
IronPort C-Series is the Next Generation Email Security Appliance
• Revolutionary MTA Platform for High Availability
• Threat Prevention with IronPort Reputation Filters™
• Content Scanning for Policy Enforcement
• Spam Detection with Brightmail™ Anti-Spam
• Virus Detection with Sophos™ Anti-Virus

C-Series = Server Consolidation
(diagram with two panels: BEFORE IRONPORT and AFTER IRONPORT)
IronPort C-Series Channel Product Line

  Model  Size  Processor  Drives              Ethernet    Throughput (max)                Protects
  C60    2U    Dual       4 drives; RAID 1+0  3 ports     140 msgs/sec (500,000 msgs/hr)  well over 1,500 users
  C30    2U    Single     2 drives; RAID 1    3 ports     40 msgs/sec (144,000 msgs/hr)   500 to 1,500 users
  C10    1U    Single     2 drives; RAID 1    2 ports     15 msgs/sec (54,000 msgs/hr)    up to 500 users

C-Series Packaging & Licensing
• IronPort AsyncOS (MTA, Reputation Filtering, Content Scanning, etc.)
  – Evaluation: 30 day*
  – Purchase: Perpetual
• Optional Components
  – Brightmail Anti-Spam: Evaluation 30-day; Subscription 1-3 years
  – Sophos Anti-Virus: Evaluation 30-day; Subscription 1-3 years
* Extensions in 30-day increments are available upon request
Revolutionary MTA Platform
• The need for a high performance, highly available MTA has never been greater
  – Evolving threats such as MyDoom and Bagle cripple legacy MTAs
• AsyncOS™: built for email Availability
  – Threading model, scheduler, and file system designed for the mail gateway
  – IronPort C60 is capable of 140 messages per second
  – 10,000 simultaneous connections
• Ensured email Deliverability
  – Slow or unavailable domains don't affect performance; each destination has a distinct queue and retry schedule
  – Virtual Gateway™ technology provides multiple IP addresses for email delivery
Email is fundamentally Different from other enterprise applications
• High level of simultaneous inbound and outbound connections
• High rate of connection establishment and teardown; short-lived connections
• Massive File System use for small, short-lived files
Email requires a Robust & Purpose-Built Platform
Place IronPort Wherever it Fits in the Network
(diagram: several placements of the appliance in the network, each showing which data1/data2 interfaces carry which ip1/ip2 addresses)
Common C60/C30 Configuration
(diagram: data1/ip1 facing Outside and the DMZ, data2/ip2 facing Inside, and a separate mgmt interface)
• One interface for incoming mail from the Internet (and for sending mail to the Internet).
• One interface for delivering mail to your Message Store systems (and for receiving outgoing mail from those systems).
• One interface for system management.

Common C10 Configuration
(diagram: a single data1/ip1 interface between Outside, the DMZ and Inside)
• One physical interface with one IP for both incoming and outgoing mail.
You Already Understand Messaging
TCP Connection: 1.2.3.4,12345 (mail1.from.com) to 4.5.6.7,25 (mx1.to.com)
SMTP Session (the Envelope):
  EHLO from.com
  MAIL FROM: [email protected]        (Envelope-From)
  RCPT TO: [email protected]          (Envelope-To)
  RCPT TO: [email protected]          (Envelope-To)
Body Headers:
  Received: from mail1.from.com (1.2...
  Subject: Hello
  From: "Bob" <[email protected]>      (Header-From: display name, then the mailbox local-part@domain)
  To: "User One" <[email protected]>   (Header-To)
Message Body:
  Hello,
The body after the first blank line may contain many MIME parts. Second and following parts are often called "attachments"; the first is often called "body" or "text." They are really all just "parts."
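The envelope/header split above is the thing that trips people up in practice: the HAT and RAT act on the envelope (and the connecting IP), while what the user sees in a mail client comes from headers inside the DATA payload, which the sender controls. The following is an added example in Python (not code from the training deck or from IronPort) that parses a constructed client-side SMTP transcript the way a listener would: it pulls MAIL FROM / RCPT TO out of the dialogue, hands the DATA payload to Python's email parser, and reports envelope versus header addresses and the MIME parts. The transcript, addresses and message are all constructed for the example; the bounce address in MAIL FROM deliberately differs from the header From, and the second recipient appears nowhere in the headers.

```python
import email
from email import policy

# Constructed client-side SMTP transcript: commands, then the DATA payload ending in a lone ".".
SESSION = """\
EHLO from.com
MAIL FROM:<bounces@from.com>
RCPT TO:<user1@to.com>
RCPT TO:<user2@to.com>
DATA
Received: from mail1.from.com (1.2.3.4) by mx1.to.com
Subject: Hello
From: "Bob" <bob@from.com>
To: "User One" <user1@to.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello,
--b1
Content-Type: application/octet-stream; name="report.bin"
Content-Transfer-Encoding: base64

AAEC
--b1--
.
QUIT
"""

def split_session(transcript):
    """Pull the envelope (MAIL FROM / RCPT TO) out of the SMTP dialogue and hand the
    DATA payload back untouched, the way a listener separates envelope from body."""
    envelope_from, envelope_to, data_lines, in_data = None, [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            else:
                # Undo SMTP dot-stuffing: a body line starting with "." is sent as "..".
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(":")
        if verb.strip().upper() == "MAIL FROM":
            envelope_from = arg.strip().strip("<>")
        elif verb.strip().upper() == "RCPT TO":
            envelope_to.append(arg.strip().strip("<>"))
        elif line.strip().upper() == "DATA":
            in_data = True
    return envelope_from, envelope_to, "\n".join(data_lines) + "\n"

def describe(transcript):
    """Envelope vs. header view of one message, plus the MIME parts the body carries."""
    env_from, env_to, raw = split_session(transcript)
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "envelope_from": env_from,
        "envelope_to": env_to,
        "header_from": msg["From"].addresses[0].addr_spec,
        "header_to": [a.addr_spec for a in msg["To"].addresses],
        # walk() yields the multipart container too; the leaves are the "parts".
        "parts": [p.get_content_type() for p in msg.walk() if not p.is_multipart()],
    }
```

Running describe(SESSION) shows envelope-from bounces@from.com against header-from bob@from.com, two envelope recipients against one header recipient, and two parts (text/plain and application/octet-stream) with no special status for either. Any check that keys on the header From, or on the displayed recipient, is checking data the sending system chose to write.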
IronPort C-Series Overview Key Points
• IronPort has the features and capabilities that enterprises need in a messaging gateway appliance
  – Revolutionary MTA Platform for High Availability
  – Threat Prevention with IronPort Reputation Filters
  – Content Scanning for Policy Enforcement
  – Spam Detection with Brightmail Anti-Spam
  – Virus Detection with Sophos Anti-Virus
• IronPort can integrate easily with the customer's existing messaging backbone
References
• IronPort AsyncOS 3.8 User Guide: Chapter 1: Introduction
• IronPort C-Series Appliance Evaluation Guide: http://support.ironport.com/secure/index.html
• Product brochures & data sheets: http://www.ironport.com/products/ironport_c_series.html
• White papers (IronPort AsyncOS White Paper, Reputation Filters White Paper, SMTPi White Paper): http://www.ironport.com/download/

Module 2: Installation and Setup
A Roadmap to Successful Deployment
Set the MX record priority appropriately:
• Evaluation: Set the C-Series as the secondary MX, so the legacy MTA can continue to handle production mail while you test the C-Series
• Production: Set the C-Series MX as the primary ("flip the switch")
(diagram: the appliance with ip1/ip2 on data1 between the Internet and the internal mail servers, with numbered callouts for the points below)
• Install IronPort on a live mail stream. You can't test the mail flow monitoring features if it's in a test lab
• IronPort needs to talk to the Internet for SenderBase, Virus, and Spam updates
• Don't let the firewall (or old mail server) proxy. IronPort needs to "see" the actual sending IP address
• Let the Internet talk to IronPort. If you don't get spam & viruses, you can't see how it works
Your configuration determines which features you can fully test
(slide matrix showing, for each configuration below, which of Virus Protection, Spam Detection, Content Scanning, Reputation Filtering and Mail Flow Monitor can be exercised; the most features are testable as the production MTA and the fewest in a closed lab)
• Acting as the Production MTA: MX record = equal or high priority; C-Series handles all email
• Acting as the Backup MTA: MX record = low priority; unlikely to attract virus attacks
• Sitting Behind Another MTA: primary MTA transfers all email; sender IP addresses will be lost
• Quietly Listening on the Internet: no MX record in DNS; unlikely to attract spam or viruses
• Closed Lab Environment: not connected to the Internet; can't receive external email
Let's Agree on Terms
(diagram: Relationship Between Listeners, IP Interfaces, and Physical Ethernet Interfaces in the IronPort Messaging Gateway: a Physical Ethernet Interface carries an IP Interface (IP address), which carries a Listener (port))
• A listener is an SMTP server awaiting connections from SMTP clients, typically on TCP port 25
• An IP interface is the binding of an IP address to a Physical Interface
• IronPort can have multiple interfaces and multiple listeners
• A listener is also called an injector, because it injects email into the IronPort
• SMTP clients connect to the listener to send mail
• A listener may be called an SMTP daemon
Why More Than One Listener?
(diagram: Data1 carrying IP Private, Data2 carrying IP Pub1 and IP Pub2, and Management carrying IP Mgmt; each IP interface shown with an SMTP listener on port 25 and SSH on port 22)
• Incoming mail has many SMTP senders, few receivers
• Outgoing mail has few SMTP senders, many receivers
• Security and IP profiles are different
• IronPort provides control, management, and security points for SMTP
Choose Interfaces and Listeners to Match Your Network

  Two IP interfaces on:            Different Network   Same Network
  Different Physical Interface     Allowed             Not Allowed
  Same Physical Interface          Allowed             Allowed

The C10 has 2 interfaces. The C30 has 3 interfaces.
(diagram: the data1/ip1 and data2/ip2 arrangements that correspond to the table)
You Select SMTP and Other Services
(diagram of the Ethernet / IP / TCP stack: listeners (SMTP on port 25, and one on port 8025) and management services (SSH 22, FTP 21, HTTP 80) are each bound to a specific IP interface and port)
  Physical interfaces (MAC):  Data2 00:06:5b:3f:1b:94   Data1 00:06:5b:3f:1b:95   Management 00:03:47:ad:6b:8a
  IP interfaces:              IP Mgmt 192.168.1.123   IP Private 10.0.1.22   IP Pub1 5.2.3.11   IP Pub2 5.2.3.12
Each service (a listener for SMTP, or SSH/FTP/HTTP access) is enabled per IP interface and per port, so you decide which network can reach which service.
Common Two-Interface Topology
• The "Outside" or "Public" side: Ethernet Interface Data 2, IP Interface PublicNet (e.g. 192.35.195.101), Listener InboundMail
• The "Inside" or "Private" side: Ethernet Interface Data 1, IP Interface PrivateNet (e.g. 172.20.0.101), Listener OutboundMail
Welcome to the Command Line Interface (CLI)
• The CLI is hierarchical (diagram: interfaceconfig, then NEW / EDIT / DELETE, then per-interface prompts for Name, Address, Interface, etc.)
• Example session:
  smtp.scu.com> alertconfig
  Please enter the email address(es) to send alerts.
  Separate multiple addresses with commas.
  Enter the word "DELETE" to clear the default and disable alerts.
  [[email protected]]> [email protected]
  Debounce timeout (seconds):
  [300]> <cr>
  Would you like to enable AutoSupport, which sends system alerts and weekly status reports to IronPort Customer Care? (Enabling AutoSupport is recommended.) [N]> <cr>
  smtp.scu.com> commit
  Please enter some comments describing your changes:
  []> change alert address to [email protected]
  Changes committed: Mon Mar 22 16:19:49 2004
• You must commit for configuration changes to take effect
The CLI Has Line Editing You Need to Learn
  smtp.scu.com> inter<tab>faceconfig
  Currently configured interfaces:
  1. Management (192.168.42.42/24: ironport.example.com)
  2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
  3. PublicNet (192.35.195.42/24: smtp.scu.com)
  Choose the operation you want to perform:
  - NEW - Create a new interface.
  - EDIT - Modify an interface.
  - GROUPS - Define interface groups.
  - DELETE - Remove an interface.
  []> edit
  Enter the number of the interface you wish to edit.
  []> 1
  IP interface name (Ex: "InternalNet"):
  [Management]> InternalNet
  IP Address (Ex: 192.168.1.2):
  [192.168.42.42]> <cr>
  Ethernet interface:
  1. Data 1
  2. Data 2
  3. Management
  [3]> ^C
  smtp.scu.com> showchanges
  {}
  smtp.scu.com> clear
  No changes
• Use tab for command or filename completion
• Subcommand prompt is [ ]>
• Selection lists are used frequently
• Defaults are given inside [ ] of the prompt string
• ^C gets you out with no changes
• clear always clears all uncommitted changes
• Type ? or help to see commands. Get command line history with up arrow, down arrow, ^p or ^n
Getting Going Is Fast And Easy
Option 1: Manual Setup
• Set up IP addresses on physical interfaces: interfaceconfig
• Get your IP routing right: setgateway, routeconfig
• Set up SMTP listeners on the interfaces: listenerconfig
• Tidy up SMTP routing (if needed): smtproutes
Option 2: Quick Setup
• The systemsetup wizard configures everything needed for a basic configuration:
  ironport.example.com> systemsetup
  WARNING: The system setup wizard will completely delete any existing 'listeners' and all associated settings including the 'Host Access Table' - mail operations may be interrupted.
  Are you sure you wish to continue? [Y]>
  Before you begin, please reset the administrator password to a new value.
  Old password: ironport
  New password: password
  Retype new password: password
  *****
  You will now configure the network settings for the IronPort C60.
  Please create a fully qualified hostname for the IronPort C60 appliance (Ex: "ironport-C60.example.com"):
  []> smtp.scu.com
  *****
  You will now assign an IP address for the "Management Interface". This is the default interface you will use for connecting to the system to configure it.
  Enter the IP address to use for the management interface. (Ex: "192.168.1.1")
  []> 192.168.1.1
  What is the netmask for this IP address? (Ex: "255.255.255.0" or "0xffffff00"):
  [255.255.255.0]> <cr>
  What is the broadcast address for this IP address?
  [192.168.1.255]> <cr>
  You have successfully configured the Management interface.
  *****
  You will now assign an IP address for the "Data 1" interface.
  Please create a nickname for the "Data 1" interface (Ex: "PrivateNet"):
  []> PrivateNet
  Enter the static IP address to use for "PrivateNet" on the "Data 1" interface: (Ex: "10.1.1.1"):
  []> 172.20.0.11
interfaceconfig Sets IP Addresses (Manual Setup)
This is an unconfigured box with only the default Management interface. Let's add an interface.
  IronPort> interfaceconfig
  Currently configured interfaces:
  1. Management (192.168.42.42/24: IronPort)
  Choose the operation you want to perform:
  - NEW - Create a new interface.
  - EDIT - Modify an interface.
  - GROUPS - Define interface groups.
  - DELETE - Remove an interface.
  []> new
  Please enter a name for this IP interface (Ex: "InternalNet"):
  []> PrivateNet
  IP Address (Ex: 192.168.1.2):
  []> 172.20.0.42
  Ethernet interface:
  1. Data 1
  2. Data 2
  3. Management
  [1]> 1
  Netmask (Ex: "255.255.255.0" or "0xffffff00"):
  [255.255.255.0]> <cr>
  Broadcast address:
  [172.20.0.255]> <cr>
  Hostname:
  []> smtp-priv.scu.com
The hostname on the private side is what will appear in the SMTP banner. Make this unique to help in debugging.
interfaceconfig Controls the Protocols Available (Manual Setup)
Control FTP, SSH, HTTP, and HTTPS access on this interface:
  Do you want to enable FTP on this interface? [N]> y
  Which port do you want to use for FTP? [21]> <cr>
  Do you want to enable Telnet on this interface? [N]> <cr>
  Do you want to enable SSH on this interface? [N]> y
  Which port do you want to use for SSH? [22]> <cr>
  Do you want to enable HTTP on this interface? [N]> <cr>
  Do you want to enable HTTPS on this interface? [N]> y
  Which port do you want to use for HTTPS? [443]> <cr>
  You have not entered an HTTPS certificate. To assure privacy, run 'certconfig' first. You may use the demo certificate, but this will not be secure.
  Do you really wish to use a demo certificate? [Y]> <cr>
  Currently configured interfaces:
  1. Management (192.168.42.42/24: ironport.example.com)
  2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
  []> <cr>
  IronPort> commit
  Please enter some comments describing your changes:
  []> configure private interface 172.20.0.42
  Changes committed: Tue Mar 23 11:28:37 2004
• The demo certificate is only for getting started: as the prompt warns, run certconfig and install a real certificate before anyone relies on the HTTPS GUI
• FTP and Telnet carry credentials in the clear; enable them only where you need them (here FTP on the private side, for pulling log files) and leave them off on public interfaces
• Use etherconfig to set FDX/HDX/Auto ethernet properties
• Don't forget to commit changes!
• Enter <cr> at the subcommand prompt to go up one level
• Next: Create the PublicNet interface
Define Default and Static IP Routes (Manual Setup)
  IronPort> setgateway
  Warning: setting an incorrect default gateway may cause the current connection to be interrupted when the changes are committed.
  Enter new default gateway:
  []> 192.35.195.1
  IronPort> commit
  IronPort> routeconfig
  Currently configured routes:
  1. R&D net   Destination: 172.20.2.0/24   Gateway: 172.20.0.254
  2. QA net    Destination: 172.20.3.0/24   Gateway: 172.20.0.254
  Choose the operation you want to perform:
  - NEW - Create a new route.
  - EDIT - Modify a route.
  - DELETE - Remove a route.
  - CLEAR - Clear all entries.
  []>
• You can add static routes if you need them
• Don't forget to commit changes!
Use listenerconfig to Define a Public Listener (Manual Setup)
Create a public listener on the public interface. The listener type selects defaults appropriate for public or private listeners.
  IronPort> listenerconfig
  Currently configured listeners:
  Choose the operation you want to perform:
  - NEW - Create a new listener.
  []> new
  Please select the type of listener you want to create.
  1. Private
  2. Public
  3. Blackhole
  [2]> 2
  Please create a name for this listener (Ex: "InboundMail"):
  []> InboundMail
  Please choose an IP interface for this Listener.
  1. Management (192.168.42.42/24: IronPort)
  2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
  3. PublicNet (192.35.195.42/24: smtp.scu.com)
  [1]> 3
listenerconfig Public: Accept and Route Mail
  Enter the domains or specific addresses you want to accept mail for.
  Hostnames such as "example.com" are allowed.
  Partial hostnames such as ".example.com" are allowed.
  Usernames such as "postmaster@" are allowed.
  Full email addresses such as "[email protected]" or "joe@[1.2.3.4]" are allowed.
  Separate multiple addresses with commas.
  []> exchange.scu.com
  Would you like to configure SMTP routes for exchange.scu.com? [Y]> y
  Enter the destination mail server where you want mail for exchange.scu.com to be delivered. Separate multiple entries with commas.
  []> 172.20.0.30
  Do you want to enable rate limiting per host? [Y]> n
  Would you like to change the default host access policy? [N]> n
  Listener InboundMail created.
  Defaults have been set for a Public listener.
• Accept mail only for exchange.scu.com
• Route all mail to the Exchange system
• Say no to rate limiting. You can always add it later.
You Also Set up a Private Listener
  Currently configured listeners:
  1. InboundMail (on PublicNet, 192.35.195.42) SMTP TCP Port 25 Public
  Choose the operation you want to perform:
  - NEW - Create a new listener.
  - EDIT - Modify a listener.
  - DELETE - Remove a listener.
  - SETUP - Change global settings.
  []> new
  Please select the type of listener you want to create.
  1. Private
  2. Public
  3. Blackhole
  [2]> 1
  Please create a name for this listener (Ex: "OutboundMail"):
  []> OutboundMail
  Please choose an IP interface for this Listener.
  1. Management (192.168.42.42/24: IronPort)
  2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
  3. PublicNet (192.35.195.42/24: smtp.scu.com)
  [1]> 2
  Choose a protocol.
  1. SMTP
  2. QMQP
  [1]> 1
  Please enter the TCP port for this listener.
  [25]> <cr>
• Notice the default is not what you want (the listener type defaults to 2, Public, and you need 1, Private). Read the selection lists carefully!
• The Private Listener will do either SMTP or QMQP. The standard is SMTP, of course
listenerconfig Private: Select Relays and Policy Defaults
  Please specify the systems allowed to relay email through the IronPort C60.
  Hostnames such as "example.com" are allowed.
  Partial hostnames such as ".example.com" are allowed.
  IP addresses, IP address ranges, and partial IP addresses are allowed.
  Separate multiple entries with commas.
  []> 172.20.0.0/24
  Do you want to enable rate limiting for this listener? (Rate limiting defines the maximum number of recipients per hour you are willing to receive from a remote domain.) [N]> n
  Default Policy Parameters
  ==========================
  Maximum Message Size: 100M
  Maximum Number Of Connections From A Single IP: 600
  Maximum Number Of Messages Per Connection: 10,000
  Maximum Number Of Recipients Per Message: 100,000
  Maximum Number Of Recipients Per Hour: Disabled
  Use SenderBase for Flow Control: No
  Virus Detection Enabled: Yes
  Allow TLS Connections: No
  Would you like to change the default host access policy? [N]> <cr>
  Listener OutboundMail created.
  Defaults have been set for a Private listener.
  Use the listenerconfig->EDIT command to customize the listener.
• You must specify what hosts in your network will be allowed to send mail out through the IronPort. Otherwise, no mail will be allowed through.
• Keep the relay list as narrow as your mail servers allow: every host that matches it can send mail out through the appliance, so an entry like 172.20.0.0/24 lets any machine on that subnet relay, not just the Exchange server.
• The default limits are vast enough!
Use smtproutes to Override DNS
smtproutes table:
  Domain           Route
  scu.com          172.20.0.30
  notes.scu.com    172.20.0.20
What DNS says:
  scu.com          MX   smtp.scu.com
  notes.scu.com    MX   smtp.scu.com
Both MX records point at the IronPort itself (smtp.scu.com), so without the smtproutes entries the appliance would deliver mail for these domains back to itself instead of to the internal servers at 172.20.0.30 and 172.20.0.20.
You could also use DNS names as the routes, if you want to depend on DNS.
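The lookup the slide describes, written out as an added example in Python (not AsyncOS code): an smtproutes table is consulted first and only when it has no entry does delivery fall back to DNS MX records ordered by preference. The table, the fake MX answers and the appliance's own hostname are constructed for the example; the partial-domain (".lab.scu.com") and ALL entries follow the syntax the listenerconfig prompts above accept, but the exact matching rules are an assumption about AsyncOS, not taken from the deck. would_loop() shows the failure the slide is guarding against: with the smtproutes entry missing, MX resolution hands the mail straight back to the appliance.

```python
# Constructed smtproutes table: domain -> list of destination hosts.
SMTPROUTES = {
    "scu.com": ["172.20.0.30"],
    "notes.scu.com": ["172.20.0.20"],
    ".lab.scu.com": ["172.20.0.40"],      # partial domain: any host under lab.scu.com
}

# Constructed stand-in for DNS MX answers: domain -> [(preference, host)].
FAKE_MX = {
    "scu.com": [(10, "smtp.scu.com"), (20, "legacy-mta.scu.com")],
    "example.net": [(10, "mx1.example.net")],
}

# Names the appliance answers to; used to spot a route that points back at itself.
SELF_HOSTNAMES = {"smtp.scu.com"}

def smtproute_lookup(domain, table=SMTPROUTES):
    """Exact domain first, then the longest matching partial-domain entry, then ALL.
    ".scu.com" matches "host.scu.com" and "a.b.scu.com" but not "scu.com" itself."""
    domain = domain.lower().rstrip(".")
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get("ALL")

def resolve_delivery(domain, table=SMTPROUTES, mx=FAKE_MX):
    """Return (source, ordered hosts). smtproutes overrides DNS; otherwise use MX
    records by preference; with no MX, fall back to the domain's own address (RFC 5321)."""
    hosts = smtproute_lookup(domain, table)
    if hosts:
        return "smtproutes", list(hosts)
    records = sorted(mx.get(domain.lower().rstrip("."), []))
    if records:
        return "mx", [host for _pref, host in records]
    return "implicit-mx", [domain]

def would_loop(domain, table=SMTPROUTES, mx=FAKE_MX, self_names=SELF_HOSTNAMES):
    """True when DNS would send mail for this domain back to this appliance."""
    source, hosts = resolve_delivery(domain, table, mx)
    return source == "mx" and hosts[0].lower() in self_names
```

The check is worth running for every domain in the RAT after setup: any domain for which would_loop() is true needs an smtproutes entry before the MX record is flipped to point at the appliance.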
Use systemsetup to Quickly Configure (Quick Setup):
• Interfaces • Listeners • HTTP and HTTPS access • Admin password • System alert email destination • AutoSupport
• Anti-Virus & Anti-Spam • SMTP hostname • Default gateway • smtproutes • NTP and timezone • DNS
  IronPort> systemsetup
  …
  Before you begin, please reset your password to a new value.
  Old password: ironport
  New password: password
  Retype new password: password
  You will now configure the network settings for the IronPort C60.
  Please create a fully qualified hostname for the IronPort C60 appliance (Ex: "ironport-C60.example.com"):
  []> smtp.scu.com
• "ironport" is the default password of an unconfigured box; systemsetup makes you change it before anything else
• Please use 'password' in all lab exercises! (Lab convention only: a production appliance gets a strong, unique admin password.)
• The hostname you enter here is the name used in the SMTP banner
C30 System Setup Worksheet (* indicates required information)
(diagram: data1/ip1 and data2/ip2 on the C30)
Admin account and hostname
  Choose a New Password for the "admin" account: *
  Fully Qualified Hostname of IronPort C-Series appliance: *
Data 1 interface
  Choose an Interface Name (e.g. "PrivateNet"): *
  IP Address: *   Netmask: *   Broadcast Address: *
Data 2 interface
  Choose an Interface Name (e.g. "PublicNet"):
  IP Address:   Netmask:   Broadcast Address:
Routing
  Default Router (gateway) IP Address: *
Web interface
  Enable web interface?   If yes: HTTP or HTTPS
DNS
  Primary DNS Server IP Address:   Secondary DNS Server IP Address:
Public listener
  Choose a Listener Name (e.g. "InboundMail"):
  IP Interface for this listener (from above):
  Local domains or specific addresses to accept email for: [Initial RAT entry]
  SMTP routes for domains or specific addresses:
  Enable rate limiting?
Private listener
  Choose a Listener Name (e.g. "OutboundMail"): *
  IP Interface for this listener (from above):
  Systems allowed to relay email through this listener:
  Enable rate limiting?
Alerts and support
  Alert email address (i.e., where to send email system alerts):
  Enable AutoSupport?
System time
  NTP Server (IP address or hostname):
C10 System Setup Worksheet (* indicates required information)
(diagram: data1/ip1 on the C10)
Admin account and hostname
  Choose a New Password for the "admin" account: *
  Fully Qualified Hostname of IronPort C-Series appliance: *
Data 1 interface
  Choose an Interface Name (e.g. "MailNet"): *
  IP Address: *   Netmask: *   Broadcast Address: *
Routing
  Default Router (gateway) IP Address: *
Web interface
  Enable web interface?   If yes: HTTP or HTTPS
DNS
  Primary DNS Server IP Address:   Secondary DNS Server IP Address:
Listener for accepting and relaying email
  Choose a Listener Name (e.g. "MailDaemon"):
  IP Interface for this listener (from above):
  Local domains or specific addresses to accept email for: [Initial RAT entry]
  SMTP routes for domains or specific addresses:
  Systems allowed to relay email through this listener:
  Enable rate limiting?
Alerts and support
  Alert email address (i.e., where to send email system alerts):
  Enable AutoSupport?
System time
  NTP Server (IP address or hostname):
You Often Will Add to systemsetup
Use interfaceconfig to enable FTP and SSH access on the private interface:
  smtp.scu.com> interfaceconfig
  Currently configured interfaces:
  1. Management (192.168.42.42/24: IronPort)
  2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
  3. PublicNet (192.35.195.42/24: smtp.scu.com)
  Choose the operation you want to perform:
  - NEW - Create a new interface.
  - EDIT - Modify an interface.
  - GROUPS - Define interface groups.
  - DELETE - Remove an interface.
  []> edit
  Enter the number of the interface you wish to edit.
  []> 2
  Do you want to enable FTP on this interface? [N]> y
  Which port do you want to use for FTP? [21]> <cr>
  Do you want to enable Telnet on this interface? [N]> <cr>
  Do you want to enable SSH on this interface? [N]> y
  Which port do you want to use for SSH? [22]> <cr>
• Other things you might want to do or change: dnsconfig; ntpconfig or settime; setgateway; routeconfig
• Don't forget to commit changes!
Firewall Port Configuration

  Description                                                                                   In/Out            Protocol  Port
  SSH access to the CLI, aggregation of log files.                                              In                TCP       22
  SSH upgrades, aggregation of log files.                                                       Out               TCP       22
  Telnet access to the CLI, aggregation of log files.                                           In                TCP       23
  Telnet upgrades, aggregation of log files.                                                    Out               TCP       23
  SMTP to send email.                                                                           Out               TCP       25
  SMTP to receive bounced email or if injecting email from outside the firewall.                In                TCP       25
  HTTP access to the GUI for system monitoring. Sophos virus scanning engine updates are
  retrieved via HTTP from port 80 (an outbound connection from the appliance).                  In; Out (updates) TCP       80
  DNS if configured to use Internet root servers or other DNS servers outside the firewall.     In & Out          UDP       53
  NTP if time servers are outside the firewall.                                                 In & Out          UDP       123
  LDAP if LDAP directory servers are outside the firewall.                                      In & Out          TCP       389/3268
  Secure HTTP (https) access to the GUI for system monitoring. Brightmail Rules are downloaded
  directly over HTTPS, by default, unless a proxy server is configured (outbound).              In; Out (rules)   TCP       443
  QMQP if injecting email from outside the firewall.                                            In                TCP       628
  FTP for aggregation of log files.                                                             In or Out         TCP       20/21
Verify Your Installation With Troubleshooting Tools
(diagram: DNS, Data2 with IP Public, Data1 with IP Private, each interface showing SMTP on port 25 and SSH on port 22)
• DNS layer: nslookup. Use for A and MX record lookup for any names anywhere in your configuration
• IP layer: ping, traceroute. Use from outside to verify you can ping your IronPort. Use from the IronPort to verify that you go the "right direction" for any packets
• Mail layer: telnet to port 25. Use to verify that the listeners are responding everywhere you think they should be and come up with a reasonable banner
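The "telnet to port 25" check, scripted so it can be run against every listener after setup: an added example in Python, not an IronPort tool. probe_listener() does what a person does by hand: open the TCP connection, read the 220 banner (and the hostname in it, which is why the slides told you to make the private-side banner unique), send EHLO, see whether a 250 comes back and whether STARTTLS is offered, then QUIT. FakeListener is a constructed local stand-in so the script runs offline; the banner text and hostname are made up for the example. Against a real appliance, call probe_listener() with the listener's IP interface address and port 25.

```python
import socket
import socketserver
import threading

class _GreeterHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a listener: greets, answers EHLO, and says goodbye."""
    banner = b"220 smtp-priv.scu.com ESMTP\r\n"

    def handle(self):
        self.wfile.write(self.banner)
        cmd = self.rfile.readline().decode(errors="replace").strip()
        if cmd.upper().startswith("EHLO"):
            self.wfile.write(b"250-smtp-priv.scu.com\r\n250 STARTTLS\r\n")
        else:
            self.wfile.write(b"500 Command unrecognized\r\n")
        self.rfile.readline()                      # QUIT
        self.wfile.write(b"221 Bye\r\n")

class FakeListener:
    """Runs _GreeterHandler on 127.0.0.1 and an ephemeral port in a background thread."""
    def __init__(self):
        self.server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _GreeterHandler)
        self.server.daemon_threads = True
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()

def parse_banner(line):
    """'220 host ESMTP ...' -> ('220', 'host'). Anything but 220 means no mail is being taken."""
    code, _, rest = line.strip().partition(" ")
    return code, (rest.split(" ")[0] if rest else "")

def _read_reply(f):
    """Read one possibly multi-line SMTP reply ('250-...' continues, '250 ...' ends it)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return lines

def probe_listener(host, port, timeout=5.0, helo_name="probe.example"):
    """What 'telnet host 25' tells you, as a dict: did TCP connect, what banner and
    hostname came back, did EHLO get a 250, and is STARTTLS advertised."""
    result = {"connected": False, "code": None, "banner_host": None,
              "ehlo_ok": False, "starttls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connected"] = True
            f = sock.makefile("rwb")
            banner = _read_reply(f)
            result["code"], result["banner_host"] = parse_banner(banner[0] if banner else "")
            f.write(f"EHLO {helo_name}\r\n".encode())
            f.flush()
            reply = _read_reply(f)
            result["ehlo_ok"] = bool(reply) and reply[0].startswith("250")
            result["starttls"] = any(l[4:].upper().startswith("STARTTLS") for l in reply)
            f.write(b"QUIT\r\n")
            f.flush()
            _read_reply(f)
    except OSError as exc:                          # refused, timed out, unreachable
        result["error"] = str(exc)
    return result
```

A refused or timed-out connection comes back with connected=False and the OS error text, which distinguishes "no listener on that interface" from "listener up but wrong banner" (compare banner_host with the hostname you configured) in one run.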
Installation & Setup Key Points
• Interfaces, IP addresses, and Services (such as SMTP) are all distinct and controllable entities. You have the flexibility to do whatever you want.
• You're going to use the CLI whether you like it or not, but you get a lot of help along the way
• You can quickly set up the system using systemsetup, or you can do it manually with interfaceconfig, setgateway, routeconfig, listenerconfig, and smtproutes
• The CLI offers traditional IP debugging tools such as ping, traceroute, and nslookup. Use them.
• Make sure you open all of the firewall ports for the services you configure (and only those)
References
• IronPort AsyncOS 3.8 User Guide: Chapter 2: CLI Overview; Chapter 3: Setup and Installation

Module 3: Access Control
HATs and RATs Give Control When the Message is Being Received
InboundMail listener:
• TCP Connection: the Host Access Table controls access to the TCP port based on the sender's IP identity
• SMTP Session: the Recipient Access Table controls which mail is accepted based on the envelope recipient
• Body Headers and Message Body: no HAT or RAT control at these stages
OutboundMail listener:
• TCP Connection: the Host Access Table controls access to the TCP port based on the sender's IP identity
• SMTP Session: no RAT for outbound mail - who needs one?
The Host Access Table Gives You Control Based on IP Addresses
TCP Connection: 1.2.3.4,12345 (mail1.from.com) to 4.5.6.7,25 (mx1.to.com): the HAT decides here, before the SMTP session starts
SMTP Session: EHLO from.com / MAIL FROM: [email protected] / RCPT TO: [email protected] / RCPT TO: [email protected]
Body Headers: Received: from mail1.from.com (1.2... / Subject: Hello / From: "Joe" [email protected] / To: "User One" [email protected]
Message Body: Hello,
Identify senders (Who?) by their IP addresses:
• Complete address
• Partial address
• CIDR block
• Range of addresses
• SenderBase score for an address
• Domain name (DNS PTR record)
• Partial domain name (DNS PTR record)
• DNS List lookup
Example entries (What? / Who?):
  ACCEPT     192.35.195.42
  REJECT     216.255.128.0/19
  THROTTLE   .aol.com
The Left Hand Side of a HAT is a List of Sender Groups (WHO?)
• A Sender Group is a collection of senders (the "Who?")
• HATs use Sender Groups to apply a Policy (Right Hand Side, the "What?") to the whole group at once
• Built-in Sender Groups include WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST, and RELAYLIST
Example: SUSPECTLIST is a built-in Sender Group whose connections will be throttled if they send too much mail. It might contain entries such as these.
  Sender               Comment
  209.237.224-255.     Someone on United Layer was bugging us
  .mx.AOL.COM          AOL is just too big to not throttle
  216.255.128.0/19     DIGEX is frequently a source of spam
  209.237.250.106      They sent us spam once
Sender Groups Can Have Many Different Types of Members (WHO?)
  Sender Group Syntax       Meaning
  192.35.195.42             Full IP address
  216.255.128.0/19          CIDR address block
  216.255.128.              Partial IP address - matches any IP address beginning with this string
  216.255.128-159.          Range of IP addresses
  mailin-01.mx.AOL.COM      A fully-qualified domain name
  .mx.AOL.COM               Everything within the partial host domain
  SBRS[-10.0:-7.0]          SenderBase Reputation Score range*
  SBO:177                   SenderBase Network Owner ID number
  dnslist[domain]           DNS List query against the domain's DNS server*
  ALL                       Special keyword that matches ALL addresses
* Square brackets not needed in GUI
The Right Hand Side of the HAT is the Mail Flow Policy (WHO? / WHAT?)
HAT for a Public Listener (C30)
  This Sender Group:    Uses this Mail Flow Policy:
  WHITELIST             $TRUSTED
  BLACKLIST             $BLOCKED
  SUSPECTLIST           $THROTTLED
  UNKNOWNLIST           $ACCEPTED
  ALL                   $ACCEPTED      (default entry which cannot be removed)
HAT for a Private Listener (C30)
  This Sender Group:    Uses this Mail Flow Policy:
  RELAYLIST             $RELAYED
  ALL                   $BLOCKED       (default entry which cannot be removed)
The Right Hand Side of the HAT is the Mail Flow Policy (continued)
HAT for an Inbound / Outbound Listener (C10)
  This Sender Group:    Uses this Mail Flow Policy:
  RELAYLIST             $RELAYED
  WHITELIST             $TRUSTED
  BLACKLIST             $BLOCKED
  SUSPECTLIST           $THROTTLED
  UNKNOWNLIST           $ACCEPTED
  ALL                   $ACCEPTED      (default entry which cannot be removed)
Mail Flow Policies Define a Set of Actions and Limitations
Default Mail Flow Policies

Policy Name    Action    Throttling    Anti-spam    Anti-virus
$TRUSTED       ACCEPT    NO            NO           YES
$BLOCKED       REJECT    N/A           N/A          N/A
$THROTTLED     ACCEPT    YES           YES          YES
$ACCEPTED      ACCEPT    NO            YES          YES
$RELAYED       RELAY     NO            NO           YES
55
Mail Flow Policies Control and Throttle Mail
Throttle within a TCP connection
– Max messages per connection
– Max recipients per message
– Max message size
– Max concurrent connections

Throttle across TCP connections
– Max recipients per hour
– Max recipients per hour error code
– Max recipients per hour text

Access Control
• Accept connection
• Reject SMTP connection
• Refuse TCP connection
• Relay mail

Processing Control
• Require or bypass Anti-Spam
• Require or bypass Anti-Virus

(Diagram: TCP Connection: 1.2.3.4,12345 (mail1.from.com) → 4.5.6.7,25 (mx1.to.com)
SMTP Session:
  RCPT TO: [email protected]   OK
  RCPT TO: [email protected]   Too many recipients
  RCPT TO: [email protected]   Too many recipients this hour
Body Headers: Received: from mail1.from.com (1.2… / Subject: Hello
Message Body: Hello,)

WHAT?
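The two kinds of throttling on this slide behave differently: the per-message recipient limit resets with every MAIL FROM, while the per-hour limit follows the sending IP across connections. The simulation below is an added example (not IronPort code) that replays constructed traffic from 1.2.3.4 against a small policy and returns the reply text the slide shows for each RCPT TO; the limit values and the one-hour sliding window are assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class MailFlowPolicy:
    """The throttling knobs named on the slide (values are constructed)."""
    max_rcpts_per_message: int          # enforced within one TCP connection
    max_rcpts_per_hour: int             # enforced across all connections from one sender
    rcpts_per_hour_text: str = "Too many recipients this hour"


class Throttler:
    """Applies one Mail Flow Policy to RCPT TO commands from sending IPs."""

    def __init__(self, policy):
        self.policy = policy
        self._hourly = {}   # sender IP -> deque of acceptance times (seconds)

    def rcpt_to(self, ip, now, rcpts_already_on_message):
        """Return the reply text for one RCPT TO from `ip` at time `now`."""
        # Within-connection limit: recipients this message already has.
        if rcpts_already_on_message >= self.policy.max_rcpts_per_message:
            return "Too many recipients"
        # Across-connection limit: one-hour sliding window per sender IP.
        window = self._hourly.setdefault(ip, deque())
        while window and now - window[0] >= 3600:
            window.popleft()
        if len(window) >= self.policy.max_rcpts_per_hour:
            return self.policy.rcpts_per_hour_text
        window.append(now)
        return "OK"


def run_session(throttler, ip, start, messages):
    """Replay one SMTP connection. `messages` is a list of recipient lists,
    one per MAIL FROM. Returns (recipient, reply) pairs in order; the clock
    advances one second per RCPT TO."""
    replies, now = [], start
    for rcpts in messages:
        accepted = 0
        for rcpt in rcpts:
            reply = throttler.rcpt_to(ip, now, accepted)
            if reply == "OK":
                accepted += 1
            replies.append((rcpt, reply))
            now += 1
    return replies


def demo():
    """Constructed traffic from mail1.from.com (1.2.3.4): three connections
    against a policy of 2 recipients per message and 3 per hour."""
    throttler = Throttler(MailFlowPolicy(max_rcpts_per_message=2, max_rcpts_per_hour=3))
    first = run_session(throttler, "1.2.3.4", 0,
                        [["user1@to.com", "user2@to.com", "user3@to.com"]])
    second = run_session(throttler, "1.2.3.4", 60,
                         [["user4@to.com"], ["user5@to.com"]])
    later = run_session(throttler, "1.2.3.4", 3700, [["user6@to.com"]])
    return first, second, later


if __name__ == "__main__":
    for session in demo():
        for rcpt, reply in session:
            print(f"RCPT TO:<{rcpt}>  {reply}")
```

The third recipient of the first connection is refused by the per-message limit, the second message of the second connection by the hourly limit, and an hour later the same sender is accepted again; the hourly window is what makes a sender who keeps reconnecting still subject to the policy.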
56
IronPort Provides Default Entries for all HATs

This Sender Group:    Uses this Mail Flow Policy:
WHITELIST             $TRUSTED
BLACKLIST             $BLOCKED
SUSPECTLIST           $THROTTLED
UNKNOWNLIST           $ACCEPTED
ALL                   $ACCEPTED

These groups start out empty; you add to them as you develop your policy.
Order matters: HAT entries are consulted in order, and the first match wins.
The initial policy is all hosts are accepted.
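The member syntaxes from the "Sender Groups Can Have Many Different Types of Members" table and the first-match-wins rule above fit together as follows. This is an added example, not IronPort code: it matches one connection against an ordered HAT built from the slides' own member examples (plus one SBRS range placed in BLACKLIST), so that the same host can appear in both WHITELIST and SUSPECTLIST and the ordering decides. The reverse-DNS name and score carried on the connection are constructed; dnslist[...] members are left out because they need a live DNS lookup.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    """What the HAT knows at TCP connect time (fields are constructed)."""
    ip: str
    rdns: Optional[str] = None     # reverse-DNS name of the connecting host
    sbrs: Optional[float] = None   # SenderBase Reputation Score
    sbo: Optional[int] = None      # SenderBase Network Owner ID


_OCTET_RANGE = re.compile(r"^(\d+)-(\d+)$")


def _partial_ip_match(member, ip):
    """Partial IP ('216.255.128.') or ranged partial IP ('216.255.128-159.'):
    every octet given in the member must match the corresponding octet."""
    wanted = member.rstrip(".").split(".")
    actual = ip.split(".")
    if len(wanted) > len(actual):
        return False
    for w, a in zip(wanted, actual):
        rng = _OCTET_RANGE.match(w)
        if rng:
            if not int(rng.group(1)) <= int(a) <= int(rng.group(2)):
                return False
        elif w != a:
            return False
    return True


def member_matches(member, conn):
    """One Sender Group member in the slide's syntax against one connection."""
    if member == "ALL":
        return True
    if member.startswith("SBRS[") and member.endswith("]"):
        lo, hi = (float(x) for x in member[5:-1].split(":"))
        return conn.sbrs is not None and lo <= conn.sbrs <= hi
    if member.startswith("SBO:"):
        return conn.sbo == int(member[4:])
    if "/" in member:                                   # CIDR address block
        return ipaddress.ip_address(conn.ip) in ipaddress.ip_network(member, strict=False)
    if member.startswith("."):                          # partial host domain
        return conn.rdns is not None and conn.rdns.lower().endswith(member.lower())
    if re.fullmatch(r"[\d.\-]+", member):               # full or partial IP
        return _partial_ip_match(member, conn.ip) if member.endswith(".") else member == conn.ip
    return conn.rdns is not None and conn.rdns.lower() == member.lower()   # FQDN


def first_match(hat, conn):
    """hat: ordered list of (sender_group, [members], mail_flow_policy).
    HAT entries are consulted in order and the first match wins."""
    for group, members, policy in hat:
        if any(member_matches(m, conn) for m in members):
            return group, policy
    raise ValueError("no HAT entry matched; the default ALL entry should be last")


# Constructed public-listener HAT: default groups and policies, members taken
# from the slides' examples plus one SBRS range in BLACKLIST.
PUBLIC_HAT = [
    ("WHITELIST",   ["mailin-01.mx.AOL.COM"],                               "$TRUSTED"),
    ("BLACKLIST",   ["SBRS[-10.0:-7.0]"],                                   "$BLOCKED"),
    ("SUSPECTLIST", ["209.237.224-255.", ".mx.AOL.COM", "216.255.128.0/19"], "$THROTTLED"),
    ("UNKNOWNLIST", [],                                                     "$ACCEPTED"),
    ("ALL",         ["ALL"],                                                "$ACCEPTED"),
]

if __name__ == "__main__":
    for c in (Connection("64.12.2.8", rdns="mailin-01.mx.AOL.COM"),
              Connection("64.12.2.9", rdns="mailin-02.mx.AOL.COM"),
              Connection("216.255.140.7", sbrs=-8.5),
              Connection("192.35.195.42")):
        print(c.ip, *first_match(PUBLIC_HAT, c))
```

mailin-01.mx.AOL.COM gets $TRUSTED even though .mx.AOL.COM is in SUSPECTLIST, because WHITELIST is consulted first; a 216.255.128.0/19 host with an SBRS of -8.5 is $BLOCKED rather than $THROTTLED for the same reason. Reordering the groups changes the outcome, which is why the default HAT puts WHITELIST and BLACKLIST ahead of SUSPECTLIST.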
57
Private Listener HATs Allow Inside to Send Out (Relay!)
This Sender Group:    Uses this Mail Flow Policy:
RELAYLIST             $RELAYED
ALL                   $BLOCKED

The RELAYLIST Sender Group is initially empty, and no mail will pass through this listener.
systemsetup or listenerconfig for a private (or C10) listener asks: Please specify the systems allowed to relay email through the IronPort C60…
It adds these hosts to the RELAYLIST Sender Group.
The default HAT entry ALL - $BLOCKED prevents an open relay.
58
Default HATs Satisfy Most Customers’Needs
Public Listener (C30)

Sender Group    Policy Name    Action    Inbound Throttling    Anti-spam    Anti-virus
WHITELIST       $TRUSTED       ACCEPT    NO                    NO           YES
BLACKLIST       $BLOCKED       REJECT    N/A                   N/A          N/A
SUSPECTLIST     $THROTTLED     ACCEPT    YES                   YES          YES
UNKNOWNLIST     $ACCEPTED      ACCEPT    Moderate              YES          YES
ALL             $ACCEPTED      ACCEPT    Moderate              YES          YES

Private Listener (C30)

Sender Group    Policy Name    Action    Inbound Throttling    Anti-spam    Anti-virus
RELAYLIST       $RELAYED       RELAY     NO                    NO           YES
ALL             $BLOCKED       REJECT    N/A                   N/A          N/A
59
Default HATs Satisfy Most Customers’Needs
Inbound / Outbound Listener (C10)

Sender Group    Policy Name    Action    Inbound Throttling    Anti-spam    Anti-virus
RELAYLIST       $RELAYED       RELAY     NO                    NO           YES
WHITELIST       $TRUSTED       ACCEPT    NO                    NO           YES
BLACKLIST       $BLOCKED       REJECT    N/A                   N/A          N/A
SUSPECTLIST     $THROTTLED     ACCEPT    YES                   YES          YES
UNKNOWNLIST     $ACCEPTED      ACCEPT    Moderate              YES          YES
ALL             $ACCEPTED      ACCEPT    Moderate              YES          YES
60
Use the GUI to Modify Your Configuration
The GUI is organized with these five tabs:
• Incoming Mail
• Scanning
• Outgoing Mail
• Reporting
• System
Each tab has subtabs
61
Use the Incoming Mail Configuration Tab to Edit Your HAT
CLI: listenerconfig - edit - hostaccess
Choose the listener
Example: Add a trusted sender to the WHITELIST Sender Group of the InboundMail listener
62
Use the GUI to Add a Trusted Sender to the Whitelist

Identify the sender by IP or domain name (IP, IP Range, Domain Name), by a SenderBase Reputation Score (SBRS), or with a DNS List lookup (DNS List)
Be careful to include .mypartner.com, which will match any subdomains they use
Changes in the GUI are automatically committed when you save
63
Mail Flow Monitor Makes Controlling Problem Domains Easy
Click on any problem domain and add it to one of the Sender Groups
64
Add the Selected Domain to a Sender Group to Apply Associated Policy
Q: What policy is associated with this Sender Group?
A: See next slide
65
View Entries in Your Sender Groups With the GUI
66
How To Use Sender Groups and Mail Flow Policies in Your HAT
• Most common things you want to do in the HAT:
  – Add senders to WHITELIST, BLACKLIST or SUSPECTLIST
• Less common things you might want to do in the HAT:
  – Make new Sender Groups to distinguish classes of senders beyond WHITE/BLACK/SUSPECT
  – Add SenderBase score ranges to Sender Groups
• Very uncommon:
  – Perform a DNS List lookup during SMTP connection for either whitelist or blacklist purposes
67
Say Who You Accept Mail For In The RAT
Recipient Syntax        Meaning
.example.com            Everything within the .example.com domain
Division.example.com    Fully-qualified domain name

Less common usages:
User@domain             Complete email address
User@                   Anything with the given username
User@[1.2.3.4]          Username at a domain literal address (square brackets required)

Q: When do you add to the RAT?  A: When you acquire a new domain.
68
The Recipient Access Table Is Checked For Each SMTP Recipient

(Diagram: TCP Connection: 1.2.3.4,12345 (mail1.from.com) → 4.5.6.7,25 (mx1.to.com)
SMTP Session: EHLO from.com / MAIL FROM: [email protected] / RCPT TO: [email protected] / RCPT TO: [email protected]
Body Headers: Received: from mail1.from.com (1.2… / Subject: Hello / From: "Joe" [email protected] / To: "User One" [email protected]
Message Body: Hello,)

Identify recipients by domain or local-part:
• Complete domain
• Partial domain
• Local-part (username)
• Local-part@domain

RAT Table
to.com           ACCEPT
eng.to.com       ACCEPT
oldname.com      REJECT (with custom SMTP message)

MAIL FROM: is not checked in the RAT; only recipients
69
The RAT Lets You Accept or Reject Each Recipient
(Diagram: TCP Connection: 1.2.3.4,12345 (mail1.from.com) → 4.5.6.7,25 (mx1.to.com)
SMTP Session: RCPT TO: [email protected]  OK / RCPT TO: [email protected]  No such user
Body Headers: Received: from mail1.from.com (1.2… / Subject: Hello / From: "Joe" [email protected] / To: "User One" [email protected]
Message Body: Hello,)

RAT Control Mechanisms
• Accept recipient
• Reject recipient
• Accept recipient and bypass throttling
70
Use listenerconfig to View and Edit RAT Settings
(SERVICE) smtp.scu.com> listenerconfig

Currently configured listeners:
1. InboundMail (on PublicNet, 192.35.195.42) SMTP TCP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.0.42) SMTP TCP Port 25 Private

Enter "NEW" to create a new listener, "EDIT" to modify, "DELETE" to remove, or
"SETUP" to change global settings.
[]> edit

Enter the name or number of the listener you wish to edit.
[]> 1

Name: InboundMail
Type: Public
Interface: PublicNet (192.35.195.42/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: No
Antispam: Deliver, Prepend "[SPAM] " to Subject
Suspectedspam: inactive
Bounce Profile: Default
Use SenderBase For IP Profiling: Yes
LDAP: off
AntiVirus: Scan and Clean

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]> rcptaccess

Recipient Access Table
There are currently 2 recipients.
Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]> print

scu.com ACCEPT
ALL REJECT

You must edit the RAT to see what's in it
Type print to see the whole RAT
71
You Must Use the CLI to Edit the RAT
Recipient Access Table
There are currently 2 recipients.
Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]> new

Enter the recipient address for this entry.
Hostnames such as "example.com" and "[1.2.3.4]" are allowed.
Partial hostnames such as ".example.com" are allowed.
Usernames such as "postmaster@" are allowed.
Full email addresses such as "[email protected]" or "joe@[1.2.3.4]" are allowed.
Separate multiple addresses with commas.
[]> scu.net

Select the action to apply to this address:
1. Accept
2. Reject
[1]> 1

Would you like to specify a custom SMTP response? [N]>

Would you like to bypass receiving control for this entry? [N]>

Recipient Access Table
There are currently 3 recipients.
Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]>

Name: InboundMail
Type: Public
Interface: PublicNet (192.35.195.42/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: No
Antispam: Deliver, Prepend "[SPAM] " to Subject
Suspectedspam: inactive
Bounce Profile: Default
Use SenderBase For IP Profiling: Yes
LDAP: off
AntiVirus: Scan and Clean

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]>

Add an entry in the RAT to accept mail for another domain name
You can see the entry count go up
Don't forget to commit!
72
How to Avoid an Open Relay With the RAT
RAT for a Public Listener
This Recipient:       Has This Action Applied:
mycompany.com         ACCEPT
ALL                   REJECT

The default RAT entry ALL - REJECT prevents an open relay.
Note that an overly broad recipient rule like 'user@' could be exploited by spammers.
systemsetup or listenerconfig for a public listener asks: Enter the domains or specific addresses you want to accept mail for.
It adds these hosts as ACCEPT entries in the RAT.
Order does NOT matter in the RAT - the most specific entry matches.
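The RAT slides above (recipient syntax, per-recipient accept/reject, most-specific-entry-wins, default REJECT) are brought together in this added example, which is not IronPort code. The specificity ranking (full address, then exact domain, then partial domain with the longest suffix first, then bare local-part, then ALL) is an assumption chosen to reproduce the slides' statements; the table entries extend the slide 68 RAT with a partial-domain entry and a bare postmaster@ entry so that the effect of the "overly broad" warning can be seen, and "No such user" is a constructed custom response.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RatEntry:
    recipient: str                         # domain, .partial, user@, user@domain, user@[1.2.3.4], ALL
    action: str                            # "ACCEPT" or "REJECT"
    smtp_response: Optional[str] = None    # custom SMTP response text, if any
    bypass_receiving_control: bool = False # "accept recipient and bypass throttling"


def _rank(entry, local, domain):
    """Specificity rank if `entry` matches local@domain, else None.
    Assumed ranking (tuples compare lexicographically): full address (4) >
    exact domain (3) > partial domain (2, longer suffix first) >
    bare local-part (1) > ALL (0)."""
    r = entry.recipient
    if r == "ALL":
        return (0,)
    if "@" in r:
        user, _, dom = r.partition("@")
        if user.lower() != local.lower():
            return None
        if dom == "":                       # 'User@' matches that user at any domain
            return (1,)
        return (4,) if dom.lower() == domain.lower() else None
    if r.startswith("."):                   # '.example.com' matches hosts within it
        return (2, len(r)) if domain.lower().endswith(r.lower()) else None
    return (3,) if r.lower() == domain.lower() else None


def lookup(rat, address):
    """Return (action, smtp_response, bypass) for one RCPT TO address.
    Order of the RAT does not matter: the most specific matching entry wins,
    and with no match at all the default access is REJECT."""
    local, _, domain = address.partition("@")
    best = None
    for entry in rat:
        rank = _rank(entry, local, domain)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, entry)
    if best is None:
        return ("REJECT", None, False)
    entry = best[1]
    return (entry.action, entry.smtp_response, entry.bypass_receiving_control)


# Constructed RAT for a public listener at to.com: the slide 68 entries plus
# a partial-domain entry and a bare local-part entry.
RAT: List[RatEntry] = [
    RatEntry("ALL", "REJECT"),
    RatEntry("to.com", "ACCEPT"),
    RatEntry("eng.to.com", "ACCEPT"),
    RatEntry(".to.com", "REJECT"),
    RatEntry("oldname.com", "REJECT", smtp_response="No such user"),
    RatEntry("postmaster@", "ACCEPT", bypass_receiving_control=True),
]

if __name__ == "__main__":
    for addr in ("user1@to.com", "bob@eng.to.com", "bob@sales.to.com",
                 "bob@oldname.com", "postmaster@anywhere.example", "postmaster@oldname.com"):
        print(addr, lookup(RAT, addr))
```

eng.to.com is accepted although .to.com is rejected, because the exact domain is more specific than the partial one. The bare postmaster@ entry accepts postmaster at any domain the appliance has never heard of (and bypasses throttling), which is exactly the breadth the slide warns about; the exact-domain entry for oldname.com still wins over it, so the damage is limited to domains with no entry of their own.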
73
Best Practice for Validating Inbound Recipients
1. Use the RAT to validate the domain
2. Use a centralized LDAP server or groupware server (e.g. Exchange, Notes) to validate the local-part (username)
   – Prevent directory harvest attacks!
   – Use the ldapconfig command

(Diagram: RAT, then LDAP)
74
There are several ways to re-write envelope addresses
• Inbound: Envelope-to
  – Alias table: aliasconfig
  – Domain map: domainmap
  – LDAP: ldapconfig
• Outbound: Envelope-from
  – Masquerading: listenerconfig → EDIT → OutBoundMail → MASQUERADE
75
Access Control Key Points

• The HAT is consulted at TCP connect time; the RAT at SMTP dialog time for each recipient
• Sender Groups are the Left Hand Side of the HAT; Mail Flow Policies are the Right Hand Side of the HAT
• Incoming ("public listener") HATs are different from Outgoing ("private listener") HATs
• There are many parameters that give you fine-grained control over the behavior of the Mail Flow Policies, although the defaults may be fine (depending on your customer)
• The RAT defines who (as in "which domain names") you are willing to receive mail for
• Various mechanisms are available (e.g. LDAP) to validate and re-write recipient addresses
76
References
• IronPort AsyncOS 3.8 User Guide
  – Chapter 4: Configuring the Gateway to Receive Email
  – Chapter 5: Configuring Email Routing and Delivery
IronPort C-Series Channel Partner Technical Training
Policy Enforcement, Anti-Spam, and Anti-Virus
Module 4
78
Content Scanning Overview
• Content Scanning with Message Filters
  – Ensure intellectual property does not leave the network
    • Scan for "company confidential" or words specific to your business
    • Protect intellectual property and track offenders
  – Eliminate illicit content at the gateway
    • Prevent inappropriate files, movies, etc. from entering your network
  – Minimize legal liability
    • Ensure compliance with industry laws and standards
  – "Swiss Army Knife"
    • Unlimited ways to filter and act upon specific types of mail
79
Message Filters Redirect and Modify Messages As You Require
Message filters are a flexible way to customize the behavior of the system.
(Diagram: TCP Connection: 1.2.3.4,12345 (mail1.from.com) → 4.5.6.7,25 (mx1.to.com)
SMTP Session: EHLO from.com / MAIL FROM: joe@from.com / RCPT TO: user1@to.com
Body Headers: Received: from mail1.from… / From: bob@from.com / To: user1@to.com
Message Body: Hello,)

Message filters use a script-like logical syntax and are applied to every message that passes through the system.
80
Filters Can Look For Things and Take Actions
Things You Can Look for
– Destination host
– Encryption
– Sender
– Recipient
– Subject
– Text in the message or attachment
– Attachment type
– SBRS score
– Message size

Actions You Can Take
– Drop messages
– Bounce messages
– Insert/Delete headers
– Drop attachments
– Redirect message
– Route to mail host
– BCC, copy or archive
– Notify someone
– Skip spamcheck
– Skip viruscheck
– Change bounce profile
– Stamp footer
81
Anatomy of a Filter
    drop_all: if (true) {
        insert-header('X-SBRS', '$Reputation');
    }

(Label: drop_all.  Rule: (true).  Action: insert-header.  Action Variable: $Reputation.)

Labels must be unique among all filters on the system. Labels are case sensitive. Labels must start with an underscore (_) or a letter (A-Z, a-z). After the first character, labels may also include hyphens (-) or numbers (0-9).
A filter's rules appear after the "if" and before the opening curly brace "{".
Expressions are of the form <rule> <operator> <value>, where <value> may be a regular expression.
A filter may have any number of expressions, associated by Boolean operators AND, OR, and NOT.
Action variables contain information the system knows about this message that can be used in rules or actions.
82
Final Actions:Drop, Bounce, and Deliver
• drop(): Aborts the incoming message. The message will not be delivered.
• deliver(): Short-circuits the filtering system. The message will go on to Anti-Spam/Anti-Virus processing, if configured; otherwise it will be enqueued for delivery immediately.
• bounce(): Bounces the incoming message. The original message will not be delivered to anyone.
After a final action, filter processing stops immediately.
The rest of the filter is not checked, and no other filters are checked.
83
Examples
Bounce Messages > 6 MB

    BounceOver6MB:
    if (body-size > 6M) {
        bounce();
    }

    NotifyAndDropOver6MB:
    if (body-size > 6M) {
        notify('$EnvelopeFrom');
        drop();
    }

It would be smarter to not send the entire huge message back…

Looking for text in the body of a message

    ConfidentialFilter:
    if (body-contains('(?i)Company Confidential')) {
        notify('[email protected]');
    }

You can also check against a content dictionary instead of a static string
84
More Examples
Drop attachments

    drop_all_dangerous:
    if (true) {
        drop-attachments-by-filename('(?i)\\.pif$');
        drop-attachments-by-filename('(?i)\\.bat$');
        drop-attachments-by-filename('(?i)\\.scr$');
        drop-attachments-by-filename('(?i)\\.com$');
        drop-attachments-by-filetype('Executable');
    }

Stamp message footer

    stamp_forward_looking:
    if (recv-listener == 'Outbound') {
        add-footer('Forward_Looking_Disclaimer');
    }

Forward_Looking_Disclaimer is a text object you define with textconfig
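To show how the anatomy, final-action and example slides fit together, here is an added example (not IronPort code and not the appliance's filter language) that models the filters above as Python objects and runs them in order over two constructed messages. It implements the label rules from the anatomy slide, the body-size / body-contains / recv-listener rules, the attachment-dropping, notify, insert-header and add-footer actions, and the final-action semantics (drop/bounce/deliver end processing for that message). The Message fields, the attachment sizes and legal@example.com are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")     # label rules from the anatomy slide
FINAL_ACTIONS = {"drop", "bounce", "deliver"}
_SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2}


def valid_label(label):
    return LABEL_RE.match(label) is not None


def parse_size(text):
    """Size literal as used in 'body-size > 6M'; bare numbers are bytes."""
    m = re.fullmatch(r"(\d+)([KM]?)", text)
    if not m:
        raise ValueError(f"bad size literal {text!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2)]


@dataclass
class Message:
    envelope_from: str
    recv_listener: str
    sbrs: float
    body: str
    attachments: List[Tuple[str, str, int]]      # (filename, filetype, size in bytes)
    headers: Dict[str, str] = field(default_factory=dict)
    footer: Optional[str] = None

    def body_size(self):
        return len(self.body.encode()) + sum(size for _, _, size in self.attachments)


@dataclass
class Filter:
    label: str
    rule: Callable[[Message], bool]
    actions: List[Tuple[str, object]]            # (action name, argument)

    def __post_init__(self):
        if not valid_label(self.label):
            raise ValueError(f"invalid filter label {self.label!r}")


# Rule constructors named after the slide's rules.
def always():                 # if (true)
    return lambda m: True

def body_size_over(limit):    # if (body-size > 6M)
    n = parse_size(limit)
    return lambda m: m.body_size() > n

def body_contains(pattern):   # if (body-contains('(?i)Company Confidential'))
    rx = re.compile(pattern)
    return lambda m: rx.search(m.body) is not None

def recv_listener_is(name):   # if (recv-listener == 'Outbound')
    return lambda m: m.recv_listener == name


def apply_filters(filters, msg):
    """Run filters in order against msg (modified in place). Returns
    (final_action, notifications, msg). A final action ends the current filter
    and skips all later ones; 'continue' means on to Anti-Spam/Anti-Virus."""
    seen, notifications = set(), []
    for f in filters:
        if f.label in seen:
            raise ValueError(f"duplicate label {f.label!r}")
        seen.add(f.label)
        if not f.rule(msg):
            continue
        for action, arg in f.actions:
            if action in FINAL_ACTIONS:
                return action, notifications, msg
            if action == "notify":
                notifications.append(msg.envelope_from if arg == "$EnvelopeFrom" else arg)
            elif action == "insert-header":
                name, value = arg
                msg.headers[name] = str(msg.sbrs) if value == "$Reputation" else value
            elif action == "drop-attachments-by-filename":
                rx = re.compile(arg)
                msg.attachments = [a for a in msg.attachments if not rx.search(a[0])]
            elif action == "drop-attachments-by-filetype":
                msg.attachments = [a for a in msg.attachments if a[1] != arg]
            elif action == "add-footer":
                msg.footer = arg
    return "continue", notifications, msg


# The slides' filters, in the order they would be listed on the appliance.
FILTERS = [
    Filter("stamp_sbrs", always(), [("insert-header", ("X-SBRS", "$Reputation"))]),
    Filter("drop_all_dangerous", always(), [
        ("drop-attachments-by-filename", r"(?i)\.pif$"),
        ("drop-attachments-by-filename", r"(?i)\.bat$"),
        ("drop-attachments-by-filename", r"(?i)\.scr$"),
        ("drop-attachments-by-filename", r"(?i)\.com$"),
        ("drop-attachments-by-filetype", "Executable")]),
    Filter("ConfidentialFilter", body_contains(r"(?i)Company Confidential"),
           [("notify", "legal@example.com")]),
    Filter("NotifyAndDropOver6MB", body_size_over("6M"), [("notify", "$EnvelopeFrom"), ("drop", None)]),
    Filter("stamp_forward_looking", recv_listener_is("Outbound"),
           [("add-footer", "Forward_Looking_Disclaimer")]),
]


def demo():
    """Two constructed messages: an outbound confidential note carrying a .SCR
    attachment, and an inbound 8 MB video."""
    outbound = Message("user1@to.com", "Outbound", 3.2,
                       "Hello, the attached figures are Company Confidential.",
                       [("report.pdf", "PDF", 4_000), ("setup.SCR", "Executable", 9_000)])
    inbound = Message("joe@from.com", "InboundMail", -2.5, "Hello,",
                      [("movie.avi", "Video", 8 * 1024 ** 2)])
    return apply_filters(FILTERS, outbound), apply_filters(FILTERS, inbound)
```

The outbound message loses its .SCR attachment (the (?i) flag makes the match case-insensitive), triggers the legal notification and gets the footer; the inbound message is dropped by NotifyAndDropOver6MB, so stamp_forward_looking is never evaluated for it. Note that filter order matters for sizes: dropping attachments first can bring a message under the 6M limit.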
85
Create Filters with the CLI or Using Import / Export

smtp.scu.com> filters

Available filter commands: NEW, DELETE, IMPORT, EXPORT, MOVE, SET, LIST,
DETAIL, LOGCONFIG, ROLLOVERNOW.
[]> list

Num Active Valid Name
1   Y      Y     flowdet-skip-spamcheck
2   Y      Y     dropbadmail
3   Y      Y     BounceOver6MB

Available filter commands: NEW, DELETE, IMPORT, EXPORT, MOVE, SET, LIST,
DETAIL, LOGCONFIG, ROLLOVERNOW.
[]> delete 3

1 filters deleted.
[]> new

Enter filter script. Enter '.' on its own line to end.
NotifyAndDropOver6MB:
if (body-size > 6M) {
    notify('$EnvelopeFrom');
    drop();
}
.
1 filters added.

Q: What happens when you re-import a filter of the same name?
A: It will replace an existing filter with the same case-sensitive name.

You can also import / export your entire list of filters
86
Anti-Spam Overview
• Reputation Filters block spam before messages are even accepted
– Uses SenderBase scoring, similar to a credit rating service for sender IP addresses
– Typically blocks up to 50% of all spam
– Yields higher performance since blocked messages don’t have to be queued and processed
• Spam Detection scans messages for spam
– Scans for known spammers and “spammy” message content
• Configurable system-wide spam thresholds
– Decide whether to drop, forward, tag, archive or quarantine
– Handle spam and suspected spam differently
87
IronPort SenderBase™ Reputation Service

• Rolls data up into a "reputation score" between -10 and +10
  – -10 is very bad
  – 0 is not enough traffic to be positive and no bad reports
  – +10 is very good
• Tracks objective network data about senders
  – Global volume
  – Complaints
  – Blacklists and whitelists
  – Geographic information
  – Security threats

www.senderbase.org
88
Drill Down on a Sender’s IP or Domain
GUI: Incoming - IP address search
89
What do those SBRS numbers mean, anyway?
(Scale on the slide: -10, -5, 0, +5, +10. Descriptions from the +10 end down to the -10 end:)

• A known enterprise, or sender who has undergone third-party certification, with no complaints and a long sending history.
• Long sending history, few complaints
• Some sending history, low or moderate complaints
• May be a dynamic IP (e.g., dialup) sending direct to Internet or an email marketer with poor practices, or a legitimate enterprise with an open server
• An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints and spamtrap hits
• Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Almost always spam.
• An IP address controlled by a spam house or a known open proxy generating massive volume of complaints and hitting many spamtraps. Almost guaranteed to be spam.
90
Configure Reputation Filters in the HAT
(Diagram, steps 1 to 5: TCP/IP Connect from 64.12.2.8 → the appliance looks up 64.12.2.8 in the SBRS Database → the SBRS Scoring Engine has computed the score from the rule hits for 64.12.2.8 (global complaint data, global volume data, blacklists, open proxy lists, additional SenderBase data services, collected through the SenderBase Affiliate Network) → SBRS = x.x is returned → apply the appropriate Mail Flow Policy: 250 - Recipient Accepted, or 452 - Too many recipients this hour, or 554 - Access Denied)
91
How to Create a Reputation Filter
1. Define an SBRS range in a sender group
2. Bind an appropriate mail flow policy to the sender group (the screenshot shows THROTTLED)
92
IronPort Suggests A Two-Phased Approach to Reputation Filters
SenderBase Reputation Score (SBRS)            Phase 1        Phase 2
[ 6.0 : 10.0 ]    (6, 7, 8, 9, 10)            $TRUSTED       $TRUSTED
[ -2.0 : 6.0 ]    (-1, 0, 1, 2, 3, 4, 5)      $ACCEPTED*     $ACCEPTED*
[ -7.0 : -2.0 ]   (-6, -5, -4, -3, -2)        $ACCEPTED*     $THROTTLED
[ -10.0 : -7.0 ]  (-10, -9, -8, -7)           $THROTTLED     $BLOCKED

* This is the default mail flow policy
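The two phases, written out as the ordered HAT entries each one needs, with a small check of what changes between them. This is an added example, not IronPort code: the group names used for each range are assumed to be the default groups (the slide gives only ranges and policies), the ALL entry supplies the $ACCEPTED default, and the sample scores are constructed. Because the slide's ranges share their endpoints, a score that sits exactly on a boundary goes to whichever entry is listed first.

```python
# Reputation-filter phases as ordered HAT entries:
# (sender_group, low, high, mail_flow_policy).  Group names are assumed.
PHASES = {
    1: [("WHITELIST",    6.0,  10.0, "$TRUSTED"),
        ("SUSPECTLIST", -10.0, -7.0, "$THROTTLED")],
    2: [("WHITELIST",    6.0,  10.0, "$TRUSTED"),
        ("BLACKLIST",   -10.0, -7.0, "$BLOCKED"),
        ("SUSPECTLIST",  -7.0, -2.0, "$THROTTLED")],
}
DEFAULT_POLICY = "$ACCEPTED"   # the ALL entry: everything not matched above


def hat_entries(phase):
    """The HAT lines a phase needs, in the slide's SBRS[low:high] syntax."""
    return [f"{group} SBRS[{lo:.1f}:{hi:.1f}] {policy}"
            for group, lo, hi, policy in PHASES[phase]]


def policy_for(phase, sbrs):
    """First matching entry wins. The ranges share endpoints (-7.0 is in both
    [-10.0:-7.0] and [-7.0:-2.0]), so a boundary score lands in the group
    listed first."""
    for group, lo, hi, policy in PHASES[phase]:
        if lo <= sbrs <= hi:
            return group, policy
    return "ALL", DEFAULT_POLICY


def compare_phases(scores):
    """Count senders per mail flow policy under each phase, to show what a
    move from phase 1 to phase 2 would change for a given population."""
    counts = {}
    for phase in PHASES:
        tally = {}
        for s in scores:
            _, policy = policy_for(phase, s)
            tally[policy] = tally.get(policy, 0) + 1
        counts[phase] = tally
    return counts


# Constructed sample: SBRS values of one hour's connecting senders.
SAMPLE_SCORES = [8.7, 6.0, 3.1, -1.9, -2.0, -4.4, -6.9, -7.0, -8.2, -9.5]

if __name__ == "__main__":
    for phase in PHASES:
        print(f"Phase {phase}:", *hat_entries(phase), sep="\n  ")
    print(compare_phases(SAMPLE_SCORES))
```

Running compare_phases on the sample shows the three senders throttled in phase 1 becoming blocked in phase 2, and the three in [-7.0:-2.0] moving from accepted to throttled; comparing those counts against a real day's Mail Flow Monitor data before switching phases is the cautious way to use the table.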
93
Use Brightmail for Content-based Spam Detection
(Diagram: Internet → SMTP → IronPort appliance → SMTP → Mailbox server. The appliance fetches Brightmail Rules over HTTPS from the Brightmail Logistics and Operations Center, which is fed by the Probe Network. Quarantined messages go over SMTP to the optional Brightmail Quarantine on port 41025.)

Users can also send suspected messages from their message store to the Brightmail Quarantine
End users and administrators view the quarantine via HTTP
94
Brightmail Configuration Means Making Many Decisions
(Decision flow from the slide diagram: TCP Conn → SMTP → Body Hdrs → Body → Brightmail verdict)

• Spam: Pick One
  – Quarantine → To Quarantine Host
  – Bounce → Bounce Processing
  – Drop → Stop
  – Deliver → Redirect? Modify Subject? Add header? Archive?
• Suspected Spam: Pick One (the same choices)
  – Quarantine → To Quarantine Host
  – Bounce → Bounce Processing
  – Drop → Stop
  – Deliver → Redirect? Modify Subject? Add header? Archive?
• Not Spam or Reinserted from Quarantine → Deliver
95
Configure Brightmail Through the GUI
Enable Brightmail…
Brightmail score which will be considered suspected spam
96
Accept the Brightmail License Agreement … to get to The Question
Hint: Choose Yes, because you can't change your mind.
Accept the Brightmail License Agreement
… and answer The Question
97
Choose How to Deal With Spam

(Brightmail: Enabled)
You have the same choices for Spam and Suspected Spam: Deliver / Bounce / Drop / Quarantine
Modify the message if you want to deliver suspected spam and mark it somehow
Redirect, quarantine, or archive the message if you want to avoid normal delivery
98
Anti-Virus Overview
• Virus Protection under your control
– Decide whether to drop, forward, tag, archive or deliver attachments containing viruses
– Handle cleanable and uncleanable messages differently
• Up to 55 msgs/second at this point in the funnel
• Content Scanning can identify virus or worm-generated email
– Match messages with your own criteria
– Decide whether to drop, forward, tag, archive or deliver identified messages
– Handle encrypted messages differently
99
IronPort uses Sophos for Anti-Virus Protection

(Diagram: Internet → SMTP → IronPort appliance → SMTP → Mailbox Server. Anti-Virus Definitions / Sophos Updates reach the appliance over HTTP as Anti-Virus Updates from the IronPort Support Center.)
100
Sophos Configuration Means Making Many Decisions

(Decision flow as far as the slide diagram can be read: TCP Conn → SMTP → Body Hdrs → Body → scan result)

• No Virus Found → Deliver
• Virus Found → Is Repair enabled?
  – Yes → Attempt to Clean
    · Success → Deliver (Modify Subject? Add header? Archive original? Notify anyone?)
    · Failure → treated as an unrepaired virus (below)
  – No → Is Drop infected attachments enabled?
    · Yes → Drop Attachment → Deliver (Modify Subject? Add header? Redirect? Route to alternate host? Archive original? Notify anyone?)
    · No → Pick One: Deliver as Attachment / Drop / Deliver (Archive original? Notify anyone?)
• Message unscannable (possible virus), or Encryption detected (unscannable portions) → Pick One: Deliver as Attachment / Drop / Deliver
101
Configure Sophos with the GUI
Enable Sophos and set the update interval
Edit settings on a listener
Note that all updates come from IronPort
102
Choose Your Actions When a Virus Is Found

GUI: Scanning - Sophos - edit InboundMail
Enable on this listener
Choose scan behavior when a virus is found: Scan and Repair viruses / Scan for Viruses only
103
Choose Your Actions When a Virus Is Successfully Repaired
Alert the recipient
You can provide custom headers for mail agents to sort on
GUI: Scanning - Sophos - edit InboundMail
104
Choose Your Actions When a Virus Cannot be Repaired
You get separate configurations for each case:
• Encrypted message
• Message unscannable
• Virus-infected message

Choices for each: Drop / Deliver as Attachment to New Message / Deliver As Is
105
Policy Enforcement Key Points

• Filters can be used to look within a message, including the message body, attachments, and headers
– Filters allow you to drop, bounce, deliver, redirect and modify messages
– Filters should be used with care but can be a powerful tool
• Reputation filters can be used to drop, throttle, or tag mail based on the SenderBase Reputation Score (SBRS)
• Brightmail Anti-spam allows you to control what happens to spam and suspected spam
• Sophos Anti-virus allows you to control what happens to viruses
106
References
• IronPort AsyncOS 3.8 User Guide
  – Chapter 6: Anti-Spam
  – Chapter 7: Anti-Virus
  – Chapter 8: Policy Enforcement
• IronPort Reputation Filters White Paper
  – http://www.ironport.com/download/
IronPort C-Series Channel Partner Technical Training
Monitoring,Logging, and Troubleshooting
Module 5
108
Regular Monitoring Makes for Happy Mail Systems
Periodic
• Daily checks (report status): Is my system healthy?
• Monthly checks (report details): What happened last month?

Reactive
• Troubleshooting configuration changes: I need to make this change: Will it work? Does it do what I expect?
• Troubleshooting a problem / query: What happened to a particular message? Is this change I am making correct?
109
The IronPort GUI Gives You Five Views Into Your System
110
Incoming Mail Overview Shows How Effective Your Policy Is
Your time range setting is saved in a browser cookie
Get an instant view of your recipient load and which Mail Flow Policies are being exercised
111
Incoming Reports Show How Your Policies Perform - Use Standard Reports
• Top IPs by recipients blocked (past day)
• Top domains by recipients blocked (past day)
• Top domains by unclassified recipients (past day)
• Top network owners by unclassified recipients (past day)
112
Incoming Reports Show How Your Policies Perform - Create Custom Reports
(Report options shown on the slide)
• Group by: IP / Domains / Network Owner
• Columns: Recipients Received, % Change Recipients, Rcpts. Blocked by Rate Limit, % Brightmail Positive, % Brightmail Suspect, Virus Positive, Connections Rejected, SBRS
• Time range: Past Hour / Past Day / Past Week / Past Month
• Rows: 20 / 50 / 100
113
Verify You Got Your Anti-Virus and Anti-Spam Updates
The Sophos Overview also shows latest anti-virus update time
114
Outgoing Overview Shows Any Delivery Problems

CLI: tophosts
Check the Status of Outbound Mail
You can sort by any of these columns
Active Recipients are messages in the IronPort work queue
Totals since last counter reset
Concurrent connections
Click on a recipient host to see status information
115
System Overview Shows Queue Size and Connection Rates
Learn what queue size is normal for your system
Do the math: Of 2,375 recipients received, about 1,100 are out of the system. That means 1275 are in the work queue.
Set each graph to the subject and interval you want for your system
116
Generate Periodic Reports Automatically
Report Type        Available Components
System Summary     • System Statistics • Spam Statistics • Virus Statistics • Message Flow Histogram
Incoming Volume    • Virus Senders • Spam Senders • Unclassified Recipients • Rejected Connections • Recipients Received • Received Bytes • Accepted TLS Connections • Rejected TLS Connections

You can configure what periodic reports you want, what to include in the report, what format you want them in, and where to send them

Report Configuration      Available Selections
Report Type               • Incoming Volume • System Summary
Frequency                 • Daily • Weekly • Monthly
Send Result To            • CLI / text • GUI / HTML • Email (multiple)
Result Formats            • Text • HTML • CSV • XML
Save Previous Reports     Specify a number
Components to Include     Report specific
117
Choose the Periodic Reports You Want
118
Set Up Periodic Reports the Way You Want Them
Configure the report deliveries you want
Specify what data you want
119
See the HTML Reports From the GUI
120
Overview of Troubleshooting Tasks
Periodic
• Daily checks (report status): Is my system healthy?
• Monthly checks (report details): What happened last month?

Reactive
• Troubleshooting configuration changes: I need to make this change: Will it work? Does it do what I expect?
• Troubleshooting a problem / query: What happened to a particular message? Is this change I am making correct?
121
Use Debugging Tools After Changing the System Configuration
• The trace utility (GUI or CLI) simulates how policy acts on a message
• Various logs record the passage of a message through the system and its final disposition (CLI)
  – mail_logs records a summary trail of connection to a listener, acceptance of the message, processing, and delivery
• Use tail to look at logs from the console, or ftp logs to your workstation to use tail and grep (CLI)
122
mail_logs Records Every Step In Processing A Message
• Contain details of message receiving, delivery, and bounces
  – Status information is also logged every minute
  – Does not include delivery codes
• Use cases
  – Track the receipt, processing, and delivery of specific messages
  – Track Anti-Spam and Anti-Virus checking results
  – Analyze system performance
• How event records are identified
  – ICID: Incoming Connection ID
  – MID: Message ID
  – RID: Recipient ID
  – DCID: Delivery Connection ID
  – New: New connection initiated; ICID created
  – Start: New message started; MID created
123
Track One Message from Beginning to End in the mail_logs
Mon Apr 7 19:56:22 2003 Info: New SMTP ICID 5 interface Management address 10.1.1.209
Mon Apr 7 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 7 19:57:20 2003 Info: MID 6 ICID 5 From:<[email protected]>
Mon Apr 7 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To:<[email protected]>
Mon Apr 7 19:59:52 2003 Info: MID 6 ready 100 bytes from <[email protected]>
Mon Apr 7 19:59:59 2003 Info: ICID 5 close
Mon Apr 7 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Apr 7 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to [0]
Mon Apr 7 20:10:58 2003 Info: Message done DCID 8 MID 6 to [0]
Mon Apr 7 20:11:03 2003 Info: DCID 8 close
Slide callouts:
– New SMTP ICID line: new connection initiated; ICID created
– Start MID line: new message started; MID created
– ICID: Incoming Connection ID
– MID: Message ID
– RID: Recipient ID
– DCID: Delivery Connection ID
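Tracking one message by hand means correlating four different IDs; the following script does that correlation over a mail_logs excerpt. It is an added example, not code from the training deck or from IronPort, and the sample lines are constructed to mirror the slide's excerpt with example.com placeholder addresses.

```python
"""Follow one message through IronPort mail_logs by correlating the
ICID / MID / RID / DCID records.  Added example (not IronPort code);
SAMPLE_MAIL_LOG is constructed to mirror the slide's excerpt."""
import re

# Constructed sample in the mail_logs format shown on the slide.
SAMPLE_MAIL_LOG = """\
Mon Apr 7 19:56:22 2003 Info: New SMTP ICID 5 interface Management address 10.1.1.209
Mon Apr 7 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 7 19:57:20 2003 Info: MID 6 ICID 5 From:<sender@example.com>
Mon Apr 7 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To:<user@example.net>
Mon Apr 7 19:59:52 2003 Info: MID 6 ready 100 bytes from <sender@example.com>
Mon Apr 7 19:59:59 2003 Info: ICID 5 close
Mon Apr 7 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Apr 7 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to [0]
Mon Apr 7 20:10:58 2003 Info: Message done DCID 8 MID 6 to [0]
Mon Apr 7 20:11:03 2003 Info: DCID 8 close
"""

# "<weekday> <month> <day> <time> <year> <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$")
# The four identifiers the slide lists, each followed by a number.
ID_RE = re.compile(r"\b(ICID|MID|RID|DCID) (\d+)\b")


def parse_line(line):
    """Split one record into timestamp, level, message and the IDs it carries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "msg": m["msg"]}
    rec.update({name: int(num) for name, num in ID_RE.findall(m["msg"])})
    return rec


def track_message(log_text, mid):
    """Every record for one MID plus the connection records (New .../close)
    of the ICID it arrived on and the DCIDs it left on, in log order.
    Connection records carry no MID, so they are found via the IDs first."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    own = [r for r in records if r.get("MID") == mid]
    icids = {r["ICID"] for r in own if "ICID" in r}
    dcids = {r["DCID"] for r in own if "DCID" in r}
    return [r for r in records
            if r.get("MID") == mid
            or ("MID" not in r and (r.get("ICID") in icids or r.get("DCID") in dcids))]


def summarize(trail, mid):
    """Reduce a trail to what an operator asks for: envelope sender,
    recipients by RID, size, connection IDs and final disposition."""
    s = {"mid": mid, "from": None, "recipients": [], "size": None, "icid": None,
         "dcids": sorted({r["DCID"] for r in trail if "DCID" in r}),
         "disposition": "incomplete"}
    for r in trail:
        if r.get("MID") != mid:
            continue
        msg = r["msg"]
        if msg.startswith("Start MID"):
            s["icid"] = r.get("ICID")
        m = re.search(r"From:<([^>]*)>", msg)
        if m:
            s["from"] = m.group(1)
        m = re.search(r"RID (\d+) To:<([^>]*)>", msg)
        if m:
            s["recipients"].append((int(m.group(1)), m.group(2)))
        m = re.search(r"ready (\d+) bytes", msg)
        if m:                      # message fully received and queued
            s["size"], s["disposition"] = int(m.group(1)), "queued"
        if msg.startswith("Message done"):
            s["disposition"] = "delivered"
    return s
```

Run `summarize(track_message(SAMPLE_MAIL_LOG, 6), 6)` to get the one-line disposition of MID 6; a MID that never appears returns an empty trail.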
124
To Retrieve the Whole Log File, Use Log Subscriptions
smtp.scu.com> logconfig
Currently configured logs:
1. "antivirus" Type: "AntiVirus Logs" Retrieval: FTP Poll
<etc>
Enter "NEW" to create a new log or "EDIT" to modify or "DELETE" to remove or "SETUP" for general settings or "LOGHEADERS" to set up headers to log.
[]> edit
Enter the number of the log you wish to edit.
[]> 9
Log level:
1. Error
2. Warning
3. Information
4. Debug
5. Trace
[3]> <cr>
Please enter the name for the log:
[mail_logs]> <cr>
Choose the method to retrieve the logs.
1. FTP Poll
2. FTP Push
3. SCP Push
[1]> 1
Please enter the filename for the log:
[mail]> <cr>
Slide callouts:
– Log level should be Information unless you are troubleshooting something really hard
– The log name is the directory name
– Choose FTP Poll for now
– The filename is the first part of the file name
– Log file names: [email protected] (Open for writing), [email protected] (Saved - complete), [email protected] (Open for writing)
125
Retrieve Logs With FTP
jlt:~ jlt$ ftp smtp.scu.com
Connected to smtp.scu.com.
220 smtp.scu.com IronPort FTP server (V1.37.10.1) ready.
Name (smtp.scu.com:jlt): admin
331 Password required.
Password: password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
150 Opening ASCII mode data connection for file list
drwxrwx--- 2 root log 512 May 19 06:21 brightmail_logs
drwxrwx--- 2 root config 512 May 22 04:50 configuration
drwxrwx--- 2 root log 1024 May 19 06:21 domain_logs
drwxrwx--- 2 root log 1024 May 22 04:50 system_logs
drwxrwx--- 2 root log 512 May 22 04:50 cli_logs
drwxrwx--- 2 root log 512 May 19 06:21 bounce_logs
drwxrwx--- 2 root log 512 May 22 04:51 rptd_logs
drwxrwx--- 2 root log 1024 May 22 04:51 sntpd_logs
drwxrwx--- 2 root log 512 May 22 04:51 antivirus
drwxrwx--- 2 root log 1024 May 22 04:51 mail_logs
drwxrwx--- 2 root log 512 May 22 04:51 brightmail
drwxrwx--- 2 root log 512 May 22 04:51 status
drwxrwx--- 2 root log 512 May 22 04:51 bounces
drwxrwx--- 2 root log 1024 May 22 04:51 error_logs
drwxrwx--- 2 root log 512 May 22 04:51 ftpd_logs
drwxrwx--- 2 root log 1024 May 22 04:51 avarchive
These are all directories with log files below
126
CLI tail Shows You Logs in Real Time
smtp.scu.com> tail
Currently configured logs:
1. "antivirus" Module: thirdparty Format: AntiVirus
2. "avarchive" Module: mail Format: AntiVirus Archive
3. "bounces" Module: bounces Format: Bounces
4. "brightmail" Module: thirdparty Format: Brightmail
5. "cli_logs" Module: system Format: CLI Audit Logs
6. "error_logs" Module: mail Format: IronPort Text
7. "ftpd_logs" Module: ftpd Format: IronPort Text
8. "gui_logs" Module: gui Format: IronPort Text
9. "mail_logs" Module: mail Format: IronPort Text
10. "rptd_logs" Module: rptd Format: IronPort Text
11. "sntpd_logs" Module: sntpd Format: IronPort Text
12. "status" Module: mail Format: Status Logs
13. "system_logs" Module: system Format: IronPort Text
Enter the number of the log you wish to tail.
[]> 9
Press Ctrl-C to stop.
Fri Mar 26 09:53:11 2004 Info: MID 659 ICID 561 RID 1 To: <[email protected]>
Fri Mar 26 09:53:11 2004 Info: MID 659 ICID 561 RID 2 To: <[email protected]>
Fri Mar 26 09:53:14 2004 Info: MID 659 ready 872 bytes from <[email protected]>
Fri Mar 26 09:53:19 2004 Info: New SMTP ICID 562 interface PublicNet address 211.133.243.25
Fri Mar 26 09:53:19 2004 Info: Start MID 660 ICID 562
^C
Tail runs continuously until ^C, so start it before you send a test message
127
Verify Connectivity With CLI Tools
smtp.scu.com> ping 192.245.12.8
Press Ctrl-C to stop.
PING 192.245.12.8 (192.245.12.8): 56 data bytes
64 bytes from 192.245.12.8: icmp_seq=0 ttl=253 time=2.174 ms
64 bytes from 192.245.12.8: icmp_seq=1 ttl=253 time=1.187 ms
64 bytes from 192.245.12.8: icmp_seq=2 ttl=253 time=1.295 ms
64 bytes from 192.245.12.8: icmp_seq=3 ttl=253 time=1.260 ms
^C
--- 192.245.12.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.187/1.479/2.174/0.403 ms
smtp.scu.com> ping
Which interface do you want to send the pings from?
1. Auto
2. Management (192.168.42.42/24: IronPort)
3. PrivateNet (192.168.0.42/24: inside.scu.com)
4. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 4
Please enter the host you wish to ping.
[]> 192.245.12.8
Press Ctrl-C to stop.
PING 192.245.12.8 (192.245.12.8) from 192.35.195.42: 56 data bytes
64 bytes from 192.245.12.8: icmp_seq=0 ttl=253 time=1.864 ms
64 bytes from 192.245.12.8: icmp_seq=1 ttl=253 time=1.226 ms
^C
--- 192.245.12.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.226/1.545/1.864/0.319 ms
ping and traceroute can take a command line argument, or will let you select the source interface
128
Learn to Talk To Your SMTP Receivers
smtp.scu.com> telnet
Please select which interface you want to telnet from.
1. Auto
2. Management (192.168.42.42/24: IronPort)
3. PrivateNet (192.168.0.42/24: inside.scu.com)
4. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 4
Enter the remote hostname or IP.
[]> 192.245.12.8
Enter the remote port.
[25]> <cr>
Trying 192.245.12.8...
Connected to viola.opus1.com.
Escape character is '^]'.
220 Viola.Opus1.COM -- Server ESMTP (PMDF V6.2-X17#9830)
quit
221 2.3.0 Bye received. Goodbye.
Connection closed by foreign host.
smtp.scu.com> mailconfig
Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> [email protected]
The configuration file has been sent to [email protected].
Use telnet to test connectivity to port 25. Don’t forget to test from the other side coming in!
mailconfig is a quick way to test that the IronPort can send mail
129
Debugging DNS Problems
smtp.scu.com> nslookup
Please enter the host or IP to resolve.
[]> torba.com
Choose the query type:
1. A
2. CNAME
3. MX
4. NS
5. PTR
6. SOA
7. TXT
[1]> 3
MX=torba.com PREF=10 TTL=36m33s
Greetings from IronPort customer care. You've emailed [email protected] to perform basic DNS checks on your system. Here are your results:
FAILED - DNS PTR record (the IP resolves to hostname)
FAILED - DNS A record (PTR hostname resolves to the IP)
FAILED - HELO match (PTR hostname matches HELO)
PASSED - mail server exists to accept delayed bounce messages
The need for these configurations and details of your results are included below.
Regards,
IronPort Customer [email protected]
Detailed test results:
• dnsflush will flush the DNS cache on the IronPort
• dnsstatus gives statistics on requests and cache usage
• Check DNS entries with nslookup on the IronPort
• Use nslookup or dig on other systems to see other points of view
• Send email to [email protected] for a report on your IronPort’s DNS presence on the net
Unlike other nslookups, the IronPort nslookup will recurse until it gets a final answer
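The first three lines of the dnscheck reply are a forward-confirmed reverse DNS check plus a HELO comparison; the script below performs the same three checks so you can verify a listener's public IP yourself before customer care does. It is an added example, not IronPort's dnscheck code: the zone contents, addresses and hostnames are constructed placeholders, zone_lookup is an offline stand-in for the resolver, and live_lookup is an assumed alternative that uses the standard library resolver.

```python
"""The three DNS checks in the dnscheck report (PTR record, matching A
record, HELO match), runnable offline against a constructed zone.
Added example, not IronPort's dnscheck code."""
import socket

# Constructed zone data standing in for the resolver.
ZONE = {
    "PTR": {"192.0.2.25": "smtp.example.com",    # forward and reverse agree
            "192.0.2.26": "mail.example.com"},   # PTR exists, A points elsewhere
    "A":   {"smtp.example.com": ["192.0.2.25"],
            "mail.example.com": ["192.0.2.99"]},
}

# Check names, worded as the customer-care reply words them.
CHECK_PTR = "DNS PTR record (the IP resolves to hostname)"
CHECK_A = "DNS A record (PTR hostname resolves to the IP)"
CHECK_HELO = "HELO match (PTR hostname matches HELO)"


def zone_lookup(rrtype, name):
    """Resolver stand-in: PTR returns one hostname or None, A returns a list."""
    hit = ZONE[rrtype].get(name)
    return (hit or []) if rrtype == "A" else hit


def live_lookup(rrtype, name):
    """Same interface via the system stub resolver (needs network; assumed helper)."""
    try:
        if rrtype == "PTR":
            return socket.gethostbyaddr(name)[0]
        return socket.gethostbyname_ex(name)[2]
    except OSError:            # socket.herror / socket.gaierror: no such record
        return None if rrtype == "PTR" else []


def dns_presence_check(ip, helo, lookup=zone_lookup):
    """Run the three checks for a listener's public IP and the HELO name it sends.
    The A check is the forward-confirmed reverse DNS test: the PTR name must
    resolve back to the same IP, not merely to some address."""
    ptr = lookup("PTR", ip)
    forward = lookup("A", ptr) if ptr else []
    same_name = ptr is not None and ptr.rstrip(".").lower() == helo.rstrip(".").lower()
    return {
        CHECK_PTR: ptr is not None,
        CHECK_A: ip in forward,
        CHECK_HELO: same_name,
    }


def report(ip, helo, lookup=zone_lookup):
    """Render the results as the PASSED/FAILED lines the reply uses."""
    return "\n".join(f"{'PASSED' if ok else 'FAILED'} - {name}"
                     for name, ok in dns_presence_check(ip, helo, lookup).items())
```

Pass `lookup=live_lookup` to run the same checks against real DNS for the address on your public listener.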
130
Troubleshooting Clip-n-Save
• tail
• logconfig
• ping
• traceroute
• telnet
• nslookup
• mailconfig
• rate
• topin
• hostrate
• deleterecipients
• bouncerecipients
• delivernow
• suspendlistener
• resumelistener
• suspenddel
• resumedel
• suspend
• resume
• workqueue
• showchanges
• clear
Places to Start in the GUI
Outgoing Mail - Overview
System - Overview
131
Monitoring, Logging, and Troubleshooting Key Points
• The GUI offers many different views of system performance and status, plus a variety of tools for email monitoring
• Use the GUI Reporting feature to automatically generate and deliver periodic reports on system operation
• Use logconfig, tail, and FTP to configure and view log files
• Use tools like ping, traceroute, nslookup, and telnet to troubleshoot the network, transport, and presentation layers
– IronPort’s dnscheck service can give you an “outside view”
• Use the trace tool to test how the IronPort will process a test message, especially after you change the system configuration
132
References
• IronPort AsyncOS 3.8 User Guide
– Chapter 9: Managing and Monitoring via the CLI
– Chapter 11: Using the GUI
– Chapter 12: Logging
– Chapter 13: Reporting
– Chapter 14: Testing and Troubleshooting
IronPort C-Series Channel Partner Technical Training
System Administration
Module 6
134
System Administration Means…
• Starting and stopping
• Managing the presence on your network
• Controlling access
• Software version control and licenses
• Alerting
• Configuration management
• Disaster recovery and backup
135
Starting and Stopping the IronPort
Diagram labels: TCP Connection, SMTP Session, Body Headers, Message Body, InboundMail listener, OutboundMail listener
suspend
– Stops accepting all inbound connections on all listeners
– Stops delivering all outbound messages
– Waits for any current connections to complete
– Stays suspended across reboots
resume
– Resumes all normal operations
Shutdown/reboot
– When is a mail appliance not a mail appliance? When it’s a UNIX system.
– Avoid power cycles.
– Call support if the box loses power for a health check
• Use suspend to quiesce the system gracefully
• Use shutdown or reboot to take your IronPort down
• Use resume following reboot if you did a suspend, to resume normal operations
136
IronPort Network Configuration Command Summary
• sethostname
– Sets the SMTP hostname. This should match the forward and reverse DNS entries for the public listener
• dnsconfig
– Act as a caching nameserver with direct access to the Internet root nameservers, or configure to forward to your local nameservers
• routeconfig
– Add static routes
• setgateway
– Sets the default route
• etherconfig
– Sets Full / Half Duplex and 10 / 100 Mb speed on interfaces
• interfaceconfig
– Sets basic IP address configuration on interface
• resetconfig
– Erase all configuration and reset to factory default
137
Add Users With Different Privileges
User Group: Description
Guests: User accounts in this group may only view status information
Operators: User accounts in this group are restricted from:
- Creating or editing user accounts
- Issuing any of these commands: resetconfig, upgradecheck, upgradeinstall
Otherwise, they have the same privileges as “Administrators”
Administrators: Accounts in this group have full access to all configuration settings of the system. However, only the “admin” user can issue the upgradecheck and upgradeinstall commands
Add users with the userconfig command. The password command changes the password of the logged in user
Permissions apply to both the GUI and the CLI
138
License New Features or Check License Expiration Dates
smtp.scu.com> featurekey
Module Quantity Time Remaining
Sophos 1 24 weeks 3 days 35 mins 55 secs
Brightmail 1 24 weeks 3 days 35 mins 18 secs
Receiving 1 23 weeks 2 days 1 hours 24 mins 26 secs
Enter feature key, or press Enter to go to the main prompt.
[]> <cr>
smtp.scu.com> version
Current Version
===============
Model C60
Version: 3.7.2-026
Build Date: 2004-04-02
Serial #: 000D5670320E-89NMS31
Features that require licenses
• IronPort AsyncOS
– Evaluation: 30 day*
– Purchase: Perpetual
• Brightmail Anti-Spam
– Evaluation: 30-day
– Purchase: 1-3 years
• Sophos Anti-Virus
– Evaluation: 30-day
– Purchase: 1-3 years
* Extensions available upon request
139
Performing Upgrades
smtp.scu.com> upgradecheck
All interaction with the upgrade server is done using ssh. By default this protocol is run over TCP on port 22. If you are behind a firewall you may want to run this protocol over a non-standard port.
Please choose a port to use:
1. port 22, default SSH
2. port 25, normally SMTP
3. port 53, normally DNS
4. port 80, normally HTTP
5. port 443, normally HTTPS
6. port 4766, IronPort reserved
[1]> <cr>
Checking for upgrades that are available.
Upgrades available:
1. AsyncOS 3.8b1 upgrade, 2004-04-16 Build 061 (36,809,399 bytes)
[1]> <cr>
Downloading AsyncOS 3.8b1 upgrade, 2004-04-16 Build 061
The upgrade has been downloaded. This upgrade will require a reboot of the system after it finishes. Do you wish to install it now? [Y]> n
smtp.scu.com> upgradeinstall
Decompressing the upgrade.
Installing the upgrade.
IronPort Messaging Gateway Appliance(tm) Upgrade
The upgrade will start in 10 seconds.
This upgrade will require a reboot of the system after it finishes. You may log in again after this is done.
A large upgrade can take over 10 minutes. Your mileage will vary.
You probably want to say No here, and do a suspend first, then resume later
140
Alerts Show Up To Tell You About Issues and Potential Problems
Message: DNS cacheAn application fault occurred: (('dns_cache', 'send_request',
'183'), 'exceptions.OSError', "[Errno 49] Can't assign requested address",
'[smtp_client|run|576] [smtp_client|_run|616] [smtp_client|_connect|659]
[omh|get_prioritized_ip_list|258] [omh|get_prioritized_ip_list|265][PrioritizedIP|fetch_mx_array|117] [PrioritizedIP|_fetch_mx_data|147]
[dns_cache|query|486] [dns_cache|best_nameserver|446][dns_cache|bootstrap_cache|290] [dns_cache|_bootstrap_cache|306][dns_cache|query_by_ip|687] [dns_cache|do_query|255][dns_cache|send_request|183]')
Meaning
The DNS cache initializes at boot time. This failure is not fatal, since the cache initializes again at a defined interval. If you see this error message only once or twice, the DNS cache must have initialized successfully at one of the subsequent intervals. If the cache consistently failed to initialize, the appliance would be unable to resolve hostnames and IP addresses for all messages.
141
Configure Where System Alerts Go
smtp.scu.com> alertconfig
Please enter the email address(es) to send alerts.
(Ex: "[email protected]")
Separate multiple addresses with commas.
Enter the word "DELETE" to clear the default and disable alerts.
[[email protected]]> <cr>
Debounce timeout (seconds):
[300]> <cr>
Would you like to enable IronPort AutoSupport, which automatically emails system alerts and weekly status reports directly to IronPort Customer Care? (Enabling AutoSupport is recommended.) [N]> y
Would you like to receive a copy of the weekly AutoSupport reports? [Y]> y
Debounce timeout: the period to wait before sending an identical alert
Get the Alert Messages Definitions document from the Support site for a detailed explanation of alerts
AutoSupport is a Good Thing and is highly recommended!
142
Why Call IronPort? They Can Call You!
Your IronPort Can Notify Support
smtp.scu.com> alertconfig
Would you like to enable IronPort AutoSupport, which automatically emails system alerts and weekly status reports directly to IronPort Customer Care?
(Enabling AutoSupport is recommended.) [N]> y
You Can Generate a Request Yourself
smtp.scu.com> supportrequest
Do you want to send the configuration information via email [email protected]? [Y]> <cr>
Do you want to send the configuration information via email to additional recipient(s)? [N]> y
Please enter the email address(es) to which you want to send the configuration information. Include anyone in your organization that should be included on future correspondence for this issue. Separate multiple addresses with commas.
[]> [email protected]
Please enter some comments describing your issue, providing as much detail as possible to aid in diagnosing any issues:
[]> I am having difficulty getting ftp push to work to my Mac OSX machine
143
The IronPort Configuration is in One Big File
Diagram labels: XML config data, XML DTD data, CLI updates, GUI updates, FTP
Document Type Definitions are essential to interpreting XML data
XML config + AsyncOS version + model no. = complete system description
144
The Configuration File is in XML Format
<config>
<!--***************************************************
 Network Configuration
***************************************************-->
  <hostname>smtp.scu.com</hostname>
  <interfaces>
    <interface>
      <interface_name>PublicAlpha</interface_name>
      <ip>192.35.195.101</ip>
    </interface>
  </interfaces>
  <dns>
    <local_dns>
      <ip>192.245.12.50</ip>
    </local_dns>
    <rbl_dns>
      <rbl_negative_ttl>1800</rbl_negative_ttl>
      <rbl_timeout>3</rbl_timeout>
    </rbl_dns>
  </dns>
Other parts of the configuration might apply to all IronPorts in your network
Some parts of the configuration are specific to one IronPort gateway
You can manage your configuration by importing XML sections.
You could manage the common configurations with one common file.
145
Tools To Manage Your Configuration File
Diagram labels: XML config data, XML DTD data, XML config data, FTP, CLI or GUI updates
Document Type Definitions are essential to interpreting XML data
showconfig - see the XML file
saveconfig - save the XML file to a file in the ftp directory
loadconfig - import XML into the configuration
mailconfig - mail the XML file
You must also copy the config.dtd with FTP: /configuration/config.dtd
146
You Can Review Commit Comments in the System Log
Sat Apr 10 16:01:01 2004 Info: Begin Logfile
Sat Apr 10 16:01:01 2004 Info: System is coming up
Sat Apr 10 16:30:38 2004 Info: PID 233: User system commit changes: Automated Alert MX Cache Update
Sat Apr 10 17:14:25 2004 Info: PID 390: User admin commit changes: Create nomercy bounce profile and apply it to InboundMail listener
Sat Apr 10 17:31:54 2004 Info: PID 390: User admin commit changes: rename bounceconfig nomercy to NoMercy
Sat Apr 10 17:40:11 2004 Info: PID 390: User admin commit changes: add exhange into setgoodtable
Sun Apr 11 10:29:40 2004 Info: PID 623: User admin commit changes: add dropbadmail filter
Sun Apr 11 12:07:43 2004 Info: PID 623: User admin commit changes: add bodysize filter to bounce over 20 MB files
Sun Apr 11 12:13:35 2004 Info: PID 623: User admin commit changes: enable delivery log
Sun Apr 11 12:28:39 2004 Info: PID 623: User admin commit changes: add filter DropOver6MB
Sun Apr 11 12:56:35 2004 Info: PID 623: User admin commit changes: replace BounceOver6MB filter with NotifyAndDropOver6MB
Sun Apr 11 13:11:44 2004 Info: PID 623: User admin commit changes: tune dropbadmail filter
/system_logs/[email protected]
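The commit comments above are the appliance's change record, so they are worth pulling out of system_logs automatically rather than reading by eye. The script below does that and answers the questions a change reviewer asks (who committed, which commits touched a given filter, which landed outside an agreed change window). It is an added example, not code from the training deck or from IronPort; the sample lines are constructed to match the slide's format, and the change window is an assumed policy.

```python
"""Configuration-change audit trail from AsyncOS system_logs:
every "PID n: User <name> commit changes: <comment>" record.
Added example (not IronPort code); SAMPLE_SYSTEM_LOG is constructed."""
import re
from datetime import datetime

# Constructed sample: two boot records plus six commits on three days.
SAMPLE_SYSTEM_LOG = """\
Sat Apr 10 16:01:01 2004 Info: Begin Logfile
Sat Apr 10 16:01:01 2004 Info: System is coming up
Sat Apr 10 16:30:38 2004 Info: PID 233: User system commit changes: Automated Alert MX Cache Update
Sat Apr 10 17:14:25 2004 Info: PID 390: User admin commit changes: Create nomercy bounce profile and apply it to InboundMail listener
Sun Apr 11 10:29:40 2004 Info: PID 623: User admin commit changes: add dropbadmail filter
Sun Apr 11 12:28:39 2004 Info: PID 623: User admin commit changes: add filter DropOver6MB
Mon Apr 12 09:15:02 2004 Info: PID 701: User operator1 commit changes: enable delivery log
Mon Apr 12 23:40:10 2004 Info: PID 702: User admin commit changes: disable dropbadmail filter
"""

COMMIT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) Info: "
    r"PID (?P<pid>\d+): User (?P<user>\S+) commit changes: (?P<comment>.*)$")


def parse_commits(log_text):
    """Return the commit records in log order; other records are skipped."""
    commits = []
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if not m:
            continue                      # boot messages and other system records
        commits.append({
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "pid": int(m["pid"]), "user": m["user"], "comment": m["comment"]})
    return commits


def commits_by_user(commits):
    """Commit count per account: the appliance's own automated commits show up
    under the user "system", interactive ones under the CLI/GUI login."""
    counts = {}
    for c in commits:
        counts[c["user"]] = counts.get(c["user"], 0) + 1
    return counts


def find_commits(commits, keyword):
    """Commits whose comment mentions keyword (case-insensitive), e.g. a filter name,
    so the history of one object can be reconstructed from the comments."""
    return [c for c in commits if keyword.lower() in c["comment"].lower()]


def outside_change_window(commits, weekdays=range(0, 5), start_hour=8, end_hour=18):
    """Commits made outside the agreed window (assumed policy: Mon-Fri 08:00-18:00,
    appliance local time); these are the ones a reviewer asks about first."""
    return [c for c in commits
            if c["ts"].weekday() not in weekdays
            or not (start_hour <= c["ts"].hour < end_hour)]
```

Feed it the contents of the system_logs file retrieved with FTP; `commits_by_user` and `outside_change_window` together give a quick answer to "who changed this box, and when".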
147
High Availability Configuration
Pseudo load balancing:
• DNS round robin using equal-priority MX records
148
Disaster Recovery
• Buy two IronPorts
• Call support if one dies
• Save the configuration on a regular basis
– Write an off-box script (cron job) to login (SSH) and do a showconfig or saveconfig or mailconfig
149
System Administration Key Points
• Upgrades are easy with upgradecheck and upgradeinstall. You can control upgrade timing and behavior.
• Alerting on exceptional events via email is the IronPort’s preferred technique (and you can control how this behaves).
• Configuration management using showconfig / mailconfig / loadconfig / saveconfig should be part of your disaster recovery plan.
150
References
• IronPort AsyncOS 3.8 User Guide
– Chapter 10: System Administration
IronPort C-Series Channel Partner Technical Training
Course Wrap-Up
152
Review … Course Objectives: Critical SE Skills
• How do I install, configure and deliver basic support for the IronPort C-Series Messaging Gateway appliance?
• What guidelines can I give customers for deploying the appliance in a typical enterprise email environment?
• How do I manage and monitor the flow of email through the appliance?
• How do I configure access control policies?
• How do I create content filters?
• How do I configure the appliance to detect and handle unwanted spam and viruses?
153
Review …A Typical New Customer Installation
• Gather customer’s network information and custom requirements in advance – 30 min
• Rack, install, and setup the appliance – 30 min
• Make custom configuration changes – 15 min
• Test and demo – 30 min
• Put the appliance into production – 15 min
154
Questions & Answers
• IronPort C-Series Overview
• Installation and Setup
• Access Control
• Policy Enforcement, Anti-Spam, and Anti-Virus
• Monitoring, Logging, and Troubleshooting
• System Administration
155
Where do I go next?
• IronPort Sales Resources …
• IronPort C-Series Appliance Evaluation Guide …
• IronPort Technical Resources …
• IronPort Customer Care …
156
IronPort Sales Resources
• C-Series product brochures and data sheets
– http://www.ironport.com/products/ironport_c_series.html
• IronPort company profile
– http://www.ironport.com/about/index.html
• IronPort product overview presentation slides
– Contact your IronPort Channel Partner Rep. for latest version
157
IronPort C-Series Appliance Evaluation Guide
• Designed to help system administrators evaluate the IronPort C-Series appliance
– Make sure all prospective customers read this guide!
• Provides an overview of the key product features, along with guidelines for setting up and testing those features
• Available on the IronPort Support Web site
– http://support.ironport.com/secure/index.html
158
IronPort Technical Resources
• Product documentation
– IronPort QuickStart Guide
– IronPort AsyncOS User Guide
– IronPort AsyncOS Release Notes
– http://support.ironport.com/secure/index.html
• White papers
– IronPort AsyncOS White Paper
– Reputation Filters White Paper
– SMTPi White Paper
– http://www.ironport.com/download/
159
Closing Comments