Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Cisco IronPort AsyncOS 7.0 Getting Started Guide January 21, 2010 Text Part Number: 421-0149
AsyncOS 7.0.1 FCS Getting Started Guide

Mar 09, 2015

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco IronPort AsyncOS 7.0 Getting Started Guide © 2010 Cisco Systems, Inc. All rights reserved.

Contents

Introduction
  Before You Begin
  About This Guide
  Where to Go for More Information
    IronPort Knowledge Base
    IronPort Documentation
    Customer Support
  Overview of IronPort Email Security
    Spam Protection
    Virus Protection
    Content Compliance

IronPort Email Security Appliance GUI

Email Security Tasks
  Task 1: Drop Positive Spam Messages by Default
    Concepts
    Goal
    Dropping Spam Messages by Default
  Task 2: Exempt Specified Groups of Users from Spam Filtering
    Concepts
    Goal
    Creating a Mail Policy
    Changing the Anti-Spam Settings for a Mail Policy
  Task 3: Quarantine Incoming Spam
    Concepts
    Goal
    Configuring the IronPort Spam Quarantine
    Enabling the IronPort Spam Quarantine HTTP or HTTPS Service
    Configuring the Policy to Send Spam to the IronPort Spam Quarantine
  Task 4: Configure End User Safelists and Blocklists
    Concepts
    Goal
    Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine
    Adding Items to the Safelist for an End User Account
    Adding Items to the Blocklist for an End User Account
  Task 5: Quarantine Incoming Virus Messages
    Concepts
    Goal
    Enabling Virus Settings
  Task 6: Strip Specified Types of Incoming Email Attachments
    Concepts
    Goal
    Creating a Content Filter
    Applying a Filter to an Incoming Mail Policy
    Testing the Filter
  Task 7: Enforce an Outgoing Email Policy
    Concepts
    Goal
    Enabling RSA Email Data Loss Prevention
    Creating a DLP Policy
    Enabling a DLP Policy in an Outgoing Mail Policy
    Testing the Policy
  Task 8: Add a Domain to Accept Mail
    Concepts
    Goal
    Accepting Mail for a Domain
    Creating an SMTP Route for a Domain
  Task 9: Add a Disclaimer to Outgoing Mail
    Concepts
    Goal
    Creating a Footer Text Resource
    Associating a Footer with a Private Listener
  Task 10: Configure a Scheduled Report
    Concepts
    Goal
    Configuring a Scheduled Report

Advanced Tasks
  Task 11: Access the Command Line Interface
    Concepts
    Goal
    Enabling the CLI
  Task 12: Use the CLI
    Concepts
    Goal
    Testing Connectivity
    Monitoring the IronPort Appliance and Email Traffic
    Configuring the Appliance
  Task 13: Retrieve and Use Mail Logs
    Concepts
    Goal
    Viewing Logs
    Searching for Content in Logs
    Retrieving and Configuring Logs
  Task 14: Configure Email Alerts
    Concepts
    Goal
    Configuring Email Alerts
  Task 15: Upgrade the IronPort Appliance

Chapter 1

Introduction

This chapter contains the following sections:

• Before You Begin

• About This Guide

• Where to Go for More Information

• Overview of IronPort Email Security

Before You Begin

Before you begin, read the Quickstart Guide for the IronPort Email Security appliance you are installing and any release notes that were shipped with your appliance. This guide assumes that you have unpacked the appliance, physically installed it in a rack cabinet, and turned it on. You should also run the System Setup Wizard and accept the default configuration settings that are appropriate to the placement of the IronPort appliance in your network.

About This Guide

The Cisco IronPort AsyncOS Getting Started Guide provides an overview of the IronPort Email Security appliance and introduces its features.

This guide contains the following chapters:

• Chapter 1, “Introduction” - This chapter provides an introduction to this guide and an overview of IronPort email security.

• Chapter 2, “IronPort Email Security Appliance GUI” - This chapter provides a general introduction to the IronPort appliance and the Email Security Manager.

• Chapter 3, “Email Security Tasks” - This chapter provides tasks that will help you become acquainted with your IronPort appliance.

• Chapter 4, “Advanced Tasks” - This chapter provides advanced tasks that can help you understand some of the advanced features of the IronPort appliance.

Where to Go for More Information

You can refer to the resources described in this section if you have questions about the IronPort Email Security appliance.

IronPort Knowledge Base

You can access the IronPort Knowledge Base on the Customer Support Portal at the following URL:

http://www.ironport.com/support/login.html

Note: You need a Support Portal account to access the site. If you do not already have an account, click the Request an Account link on the Support Portal login page. Generally, only IronPort customers, partners, and employees can access the Support Portal.

The Knowledge Base contains a wealth of information on topics related to IronPort products.

Articles generally fall into one of the following categories:

• How-To. These articles explain how to do something with an IronPort product. For example, a how-to article might explain the procedures for backing up and restoring a database for an appliance.

• Problem-and-Solution. A problem-and-solution article addresses a particular error or issue that you might encounter when using an IronPort product. For example, a problem-and-solution article might explain what to do if a specific error message is displayed when you upgrade to a new version of the product.

• Reference. Reference articles typically provide lists of information, such as the error codes associated with a particular piece of hardware.

• Troubleshooting. Troubleshooting articles explain how to analyze and resolve common issues related to IronPort products. For example, a troubleshooting article might provide steps to follow if you are having problems with DNS.

Each article in the Knowledge Base has a unique answer ID number.

IronPort Documentation

The documentation for the Cisco IronPort Email Security appliance includes the following books:

• Cisco IronPort AsyncOS for Email Daily Management Guide. This guide provides instructions for performing common, everyday tasks that system administrators use to manage and monitor the IronPort appliance, such as viewing email traffic using the Email Security Monitor, tracking email messages, managing system quarantines, and troubleshooting the appliance. It also provides reference information for features that system administrators interact with on a regular basis, including Email Security Monitor pages, AsyncOS logs, CLI support commands, and quarantines.

• Cisco IronPort AsyncOS for Email Configuration Guide. This guide is recommended for system administrators who are setting up a new IronPort appliance and want to learn about its email delivery features. It provides instructions on installing the appliance into an existing network infrastructure and setting it up as an email gateway appliance. It also includes reference information and configuration instructions for email delivery features such as the Email Pipeline, Virus Outbreak Filters, content filters, email encryption, anti-virus scanning, and anti-spam scanning.

• Cisco IronPort AsyncOS for Email Advanced Configuration Guide. This guide provides instructions for configuring the advanced features of the IronPort appliance. Topics include configuring the appliance to work with LDAP, creating message filters to enforce email policies, organizing multiple appliances into clusters, and customizing the listeners on the appliance. In addition to configuration, this guide provides reference material for advanced features such as message filter rules and actions, regular expressions used in content dictionaries and message filter rules, and LDAP query syntax and attributes.

• IronPort AsyncOS CLI Reference Guide. This guide provides a detailed list of the commands in the AsyncOS command line interface (CLI), as well as examples of the commands in use. System administrators can use this guide for reference when using the CLI on the IronPort appliance.

Customer Support

You can request customer support by phone, email, or online 24 hours a day, 7 days a week.

During Customer Support office hours (24 hours per day, Monday through Friday, excluding U.S. holidays), one of the engineers will contact you within an hour of your request.

To report a critical issue that requires urgent assistance, notify IronPort using the following contact information:

U.S. toll-free: +1 (877) 641-4766

International: http://www.ironport.com/support/contact_support.html

Support Portal: http://www.ironport.com/support

If you purchased support through a reseller or another supplier, please contact that supplier directly with your product support issues.

Support Request Page

You can also use the Support Request page in the GUI to request customer support. To access the Support Request page, select Help > Support Request. Complete the information on the page, and then click the Submit button. A Customer Support representative will contact you as soon as possible.

Overview of IronPort Email Security

The IronPort email security appliance combines several content scanning engines with IronPort preventive security solutions, such as SenderBase Reputation Filtering and Virus Outbreak Filters.

[Figure: IronPort Consolidates Security Solutions for the Email Perimeter. Panels: Before IronPort, After IronPort. Labels: Internet, Firewall, MTAs, Anti-Spam, Anti-Virus, Policy Management, Mail Routing, Groupware, Users, IronPort Email Security Appliance.]

The IronPort appliance provides unparalleled protection for corporate groupware servers, as well as reliable inbound and outbound email delivery. It has earned its outstanding reputation through deployments at the world’s largest Internet Service Providers and thousands of global customers.

IronPort Email Security appliances use the proprietary IronPort AsyncOS operating system. AsyncOS provides a high-performance, flexible platform that supports the advanced security systems of IronPort. Unlike traditional messaging systems, the IronPort mail transfer agent (MTA) can handle thousands of simultaneous connections. The ability to support high volumes of simultaneous connections is critical to both large and small email sites because of the large number of spammers and spyware systems attempting to deliver spam and virus- or malware-infected email messages. The IronPort appliance incorporates the AsyncOS operating system with support tools, security scanning engines, a GUI, a command line interface (CLI), and other interfaces.

Spam Protection

For anti-spam protection, the IronPort email security appliance combines SenderBase Reputation Filtering with traditional content filters. SenderBase is a global email-monitoring network that tracks hundreds of parameters from thousands of contributing networks to establish a historically accurate reputation score for IP addresses that send email on the Internet. Because it draws on traffic data from over 25% of all worldwide email traffic, SenderBase can help stop more than 80% of unwanted threat messages before accepting them for content scanning. This reputation filtering system allows the IronPort email security appliance to dramatically increase the throughput of the traditional signature-based content scanning engines, such as Symantec Brightmail and IronPort Anti-Spam, because it can filter email messages before the signature-based scans take place.

Virus Protection

For anti-virus protection, IronPort offers anti-virus scanning engines from McAfee and Sophos, as well as its exclusive Virus Outbreak Filters. You can configure your IronPort appliance to use one or both of the licensed anti-virus scanning engines. Because each engine relies on a separate base of technology, scanning messages with both the McAfee and Sophos scanning engines combines the benefits of both anti-virus scanning engines.

Because viruses and spyware use email as their primary distribution vector, SenderBase can detect patterns of email messages that signal an infection outbreak before traditional content-scanning virus filter signatures can be updated and deployed. The IronPort Global Threat Operations Center watches for emerging threats in email traffic and publishes outbreak rules to the IronPort appliance, which quarantines possible threat messages. This protects networks from virus threats before virus signature updates are available. As the outbreak matures and the threat rules adapt, non-matching messages are released from quarantine, and possible threat messages are held back until a final signature is available for the virus-scanning engine. Over the course of a virus outbreak, you are protected from new infections coming into the network, and you do not need to worry about possible false positive messages being dropped.

Figure: How Virus Outbreak Filters Work - Dynamic Quarantine in Action

Label: Messages Scanned & Deleted

• T = 0: zip (exe) files

• T = 5 mins: zip (exe) files; size 50 to 55 KB

• T = 10 mins: zip (exe) files; size 50 to 55 KB; “Price” in the file name

• T = 8 hours: release messages if signature update is in place
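The rule narrowing in the timeline above can be modelled in a few lines to see which messages leave quarantine at each step. This is an added example, not Cisco or AsyncOS code: the Message and OutbreakRule classes, the sample messages and the 480-minute signature time are constructed for illustration.

```python
"""Toy model of the Virus Outbreak Filters dynamic quarantine timeline.

Added illustration, not AsyncOS code: class names, rule fields and the
sample messages are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    attachment: str   # attachment file name
    contains: str     # type of the file packed inside the attachment
    size_kb: int


@dataclass(frozen=True)
class OutbreakRule:
    """One published revision of the outbreak rule; None = no constraint."""
    minute: int
    ext: str = "zip"
    contains: str = "exe"
    size_kb: Optional[Tuple[int, int]] = None
    name_has: Optional[str] = None

    def matches(self, m: Message) -> bool:
        name = m.attachment.lower()
        if not name.endswith("." + self.ext) or m.contains != self.contains:
            return False
        if self.size_kb and not self.size_kb[0] <= m.size_kb <= self.size_kb[1]:
            return False
        if self.name_has and self.name_has.lower() not in name:
            return False
        return True


# Rule revisions following the figure: each one is narrower than the last.
RULES = [
    OutbreakRule(minute=0),
    OutbreakRule(minute=5, size_kb=(50, 55)),
    OutbreakRule(minute=10, size_kb=(50, 55), name_has="Price"),
]

# Constructed sample traffic, all arriving at T = 0.
SAMPLE = [
    Message("m1", "report.pdf", "pdf", 120),
    Message("m2", "holiday_photos.zip", "exe", 300),
    Message("m3", "invoice.zip", "exe", 52),
    Message("m4", "Price_list.zip", "exe", 53),
]


def simulate(messages, rules=RULES, signature_minute=480):
    """Return {msg_id: (outcome, minute)} once every rule revision has run.

    signature_minute=None models an outbreak whose signature update has
    not arrived yet, so matching messages stay in quarantine.
    """
    outcome, held = {}, []
    for m in messages:
        if rules[0].matches(m):
            held.append(m)                      # quarantined on arrival
        else:
            outcome[m.msg_id] = ("delivered", rules[0].minute)
    for rule in rules[1:]:
        still_held = []
        for m in held:
            if rule.matches(m):
                still_held.append(m)
            else:                               # no longer matches: release
                outcome[m.msg_id] = ("released", rule.minute)
        held = still_held
    for m in held:
        if signature_minute is None:
            outcome[m.msg_id] = ("quarantined", None)
        else:                                   # signature in place: hand to AV
            outcome[m.msg_id] = ("released_for_av_scan", signature_minute)
    return outcome


if __name__ == "__main__":
    for msg_id, result in sorted(simulate(SAMPLE).items()):
        print(msg_id, result)
```
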

Content Compliance

IronPort security solutions are powered by an advanced content filtering engine, which comes with built-in configurations for compliance with Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act. You can also use the content filtering engine to implement specific business-policy controls for a variety of systems. Email archiving, attachment control, keyword scanning, and encryption integration are all available for use in custom filtering rules.

You access this functionality with management and monitoring tools. AsyncOS provides both an intuitive web-based GUI and a command line interface (CLI). You can use the Email Security Manager in the GUI to set specific policies for groups of users so you can enforce appropriate levels of security for different business units. Many standard reports are built into the system, as well as flexible application programming interfaces (APIs) for retrieving reporting and monitoring data. You can use these features to integrate the appliance with your information systems infrastructure.

In addition, AsyncOS offers a unique centralized management feature that uses a peer-to-peer architecture to avoid the need for extra hardware in the data center and to eliminate any single point of failure.

With a multi-layer approach to spam and virus protection, IronPort provides the most comprehensive email security solution on the market. By combining pioneering preventive features, such as SenderBase and Virus Outbreak Filters, with best-in-class content scanning engines, IronPort is a cost-effective solution to your email security needs.

The integrated architecture of AsyncOS provides all the necessary email protection capabilities to secure internal networks and groupware servers. This guide demonstrates the features of the IronPort email security appliance so you can immediately take control of your email perimeter and solve email security problems.

Chapter 2

IronPort Email Security Appliance GUI

The graphical user interface (GUI) of the IronPort Email Security appliance provides access to features and services to help you effectively monitor and administer your organization’s email network traffic.

Figure 2-1 IronPort GUI

The following table describes the GUI components shown in Figure 2-1.

Component: Description

1 - Menu bar: Click the menus to access the various areas of the GUI.

2 - Drop-down menu: The menus display task-based links. Click the links to access pages for the tasks you want to perform.

3 - Options menu: The Options menu enables you to change your password or log out of the IronPort appliance.

4 - Help menu: The Help menu provides access to online help information about the current GUI page and access to the Support Portal. In addition, you can use this menu to send a support request and provide Customer Support with remote access to your IronPort appliance.

5 - Commit Changes button: The Commit Changes button notifies you if changes are pending on your appliance. When you make changes to the appliance configuration, you must commit the changes for them to take effect on the appliance.

To commit the changes:

1. Click the Commit Changes button.

2. Optionally, enter a comment in the Comment box. Adding comments can be useful for any future troubleshooting.

3. Click Commit Changes. You return to the originating page, and the Commit box indicates that no changes are pending.

Chapter 3

Email Security Tasks

This chapter contains the following sections:

• Task 1: Drop Positive Spam Messages by Default

• Task 2: Exempt Specified Groups of Users from Spam Filtering

• Task 3: Quarantine Incoming Spam

• Task 4: Configure End User Safelists and Blocklists

• Task 5: Quarantine Incoming Virus Messages

• Task 6: Strip Specified Types of Incoming Email Attachments

• Task 7: Enforce an Outgoing Email Policy

• Task 8: Add a Domain to Accept Mail

• Task 9: Add a Disclaimer to Outgoing Mail

• Task 10: Configure a Scheduled Report

Task 1: Drop Positive Spam Messages by Default

The IronPort Anti-Spam engine processes email for incoming and outgoing mail based on settings that you configure. IronPort Anti-Spam scans messages through its filtering modules for classification. It classifies messages as positive spam, suspected spam, or not spam. You determine the action to take on the message based on the IronPort Anti-Spam classification. You might choose to drop, deliver, or quarantine messages based on their classification. For example, you might decide to drop positive spam messages and quarantine suspected spam messages.

Note: If you set up your IronPort appliance using the System Setup Wizard, the IronPort appliance drops positive spam messages by default.

Concepts

You can use the IronPort Email Security Manager to define mail filtering and security policies for users based on their email addresses or an LDAP query. You configure settings for incoming email in an incoming mail policy. The incoming mail policy instructs the IronPort appliance to perform an action on a message based on the classification of the message and mail recipient. The default mail policy applies to all incoming messages.

Goal

By default, the IronPort appliance is not configured to scan email messages for suspected spam. In this task, you activate suspected spam scanning and configure the default policy to drop the suspected spam. Later, you will enable the end-user spam quarantine, which allows users to view and open email messages and release messages from the quarantine.

Dropping Spam Messages by Default

To drop spam messages by default:

Step 1 Select Mail Policies > Incoming Mail Policies.

The Incoming Mail Policies page is displayed.

Step 2 In the Anti-Spam settings for the default policy, click the link to open the mail policy.

The Mail Policies: Anti-Spam page is displayed.

Step 3 In the Anti-Spam Settings section, select “Use selected Anti-Spam service(s),” and select IronPort Anti-Spam.

Step 4 In the Positively Identified Spam Settings section, use the following settings:

– Apply this Action to the Message: Drop.

– Advanced > Archive Message: Select Yes to archive or No to skip archiving.

Step 5 In the Suspected Spam Settings section, use the following settings:

– Enable Suspect Spam Scanning: Yes.

– Apply This Action to Message: Deliver.

– Add Text to Subject: Select Prepend or Append if you want to add text, and enter the text in the text field. For example, enter [SUSPECTED SPAM].

Step 6 Click Submit. The new settings are displayed for the default policy.

Step 7 The IronPort appliance notifies you that you have pending changes.

The changes you make are not activated until you commit them.

Step 8 Click the Commit Changes button in the top right corner of the page.

The Uncommitted Changes page is displayed.

Step 9 Add a comment to describe the change.

Step 10 Click Commit Changes.

See Also

For more information about the Email Security Manager, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about anti-spam settings, see “Anti-Spam” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 2: Exempt Specified Groups of Users from Spam Filtering

The default incoming mail policy you modified in Task 1 applies to all mail that enters the network. However, you may want to create a new policy that applies security scanning or content filters differently for some users. For example, you might want to ensure that executive users receive all messages.

Concepts

With the IronPort appliance, you can use mail policies to apply different mail delivery settings to different users. You use incoming mail policies to manage flows of incoming emails to different addresses.

Goal

In this task, you create a new mail policy. Then, you modify the policy’s anti-spam settings to deliver spam-positive messages and suspected spam with a tag in the messages’ subject line. This allows you to exempt some users from spam filtering.

Creating a Mail Policy

To create a mail policy:

Step 1 Select Mail Policies > Incoming Mail Policies.

The Incoming Mail Policies page is displayed.

Step 2 Click the Add Policy button.

The Add Incoming Mail Policy page is displayed.

Step 3 To define the policy, enter the following information:

– Policy Name: Enter a name. For example, enter Execs.

– Insert Before Policy: 1 (Default Policy).

– Add Users: This policy applies to the recipient of the message, so leave Recipient selected.

– Email Address(es): Add the email address that this policy applies to. For example, enter [email protected]. Then click the Add button. You can repeat this process for any number of email addresses or LDAP queries.

Step 4 Click Submit.

The Incoming Mail Policies page is displayed with the new mail policy.

Changing the Anti-Spam Settings for a Mail Policy

After you create a mail policy, you need to modify its anti-spam settings so that spam-positive messages and spam-suspect messages are tagged and sent to the address that you specified in the mail policy.

To change the anti-spam settings:

Step 1 On the Incoming Mail Policies page for the new policy (for example, the Execs policy), click the “(use default)” link in the Anti-Spam column. The Mail Policies: Anti-Spam page is displayed.

Step 2 In the Enable Anti-Spam Scanning for this Policy field, select “Use selected Anti-Spam service(s),” and select IronPort Anti-Spam.

Step 3 Scroll down to the Positively-Identified Spam Settings section.

Step 4 In the Positively-Identified Spam Settings section, enter the following information to ensure that messages identified as spam are delivered with an identifying tag:

– Apply This Action to Message: Deliver.

– Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SPAM].

Step 5 Scroll down to the Suspected Spam Settings section.

Step 6 In the Suspected Spam Settings section, enter the following information to ensure that messages identified as suspected spam are delivered with an identifying tag:

– Enable Suspect Spam Scanning: Yes.

– Apply This Action to Message: Deliver.

– Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SUSPECTED SPAM].

Step 7 Click Submit.

The Incoming Mail Policies page is displayed.

Step 8 Review the Anti-Spam column.

The new mail policy delivers messages that are tagged as spam-positive and spam-suspect to the specified accounts, and it drops spam-positive messages addressed to other accounts.
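How the Execs policy and the default policy from Task 1 combine can be shown with a small model; this is an added example, not AsyncOS code. It assumes policies are checked top-down for each recipient with the first match winning, uses constructed addresses (ceo@example.com, staff@example.com), and assumes a single space between the tag and the subject.

```python
"""Model of incoming mail policy selection and anti-spam actions.

Added illustration, not AsyncOS code. Assumptions: policies are checked
top-down per recipient and the first match wins; the addresses are
constructed; one space separates the tag from the subject.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

POSITIVE, SUSPECT, NOT_SPAM = "positive", "suspect", "not_spam"


@dataclass(frozen=True)
class SpamSetting:
    action: str                  # "drop" or "deliver"
    tag: str = ""                # text added to the subject, if any
    position: str = "prepend"    # "prepend" or "append"


@dataclass
class MailPolicy:
    name: str
    recipients: FrozenSet[str]           # empty set: applies to everyone
    anti_spam: Dict[str, SpamSetting]    # verdict -> setting

    def applies_to(self, rcpt: str) -> bool:
        return not self.recipients or rcpt.lower() in self.recipients


# Default policy as configured in Task 1.
DEFAULT = MailPolicy("Default Policy", frozenset(), {
    POSITIVE: SpamSetting("drop"),
    SUSPECT: SpamSetting("deliver", "[SUSPECTED SPAM]"),
})
# Execs policy as configured in Task 2 (recipient address is constructed).
EXECS = MailPolicy("Execs", frozenset({"ceo@example.com"}), {
    POSITIVE: SpamSetting("deliver", "[SPAM]"),
    SUSPECT: SpamSetting("deliver", "[SUSPECTED SPAM]"),
})
# "Insert Before Policy: 1 (Default Policy)" puts Execs first.
POLICIES = [EXECS, DEFAULT]


def disposition(policies, rcpt, verdict, subject):
    """Return (policy name, action, delivered subject or None)."""
    policy = next((p for p in policies if p.applies_to(rcpt)), None)
    if policy is None:
        raise ValueError("no policy matched; a catch-all default is required")
    # Verdicts without a setting (not spam) are delivered unchanged.
    setting = policy.anti_spam.get(verdict, SpamSetting("deliver"))
    if setting.action != "deliver":
        return policy.name, setting.action, None
    if setting.tag:
        subject = (f"{setting.tag} {subject}" if setting.position == "prepend"
                   else f"{subject} {setting.tag}")
    return policy.name, "deliver", subject


def route(policies, recipients, verdict, subject):
    """Evaluate one message separately for each of its recipients."""
    return {r: disposition(policies, r, verdict, subject) for r in recipients}


if __name__ == "__main__":
    rcpts = ["ceo@example.com", "staff@example.com"]
    for rcpt, result in route(POLICIES, rcpts, POSITIVE, "Cheap watches").items():
        print(rcpt, result)
    # With the order reversed, the catch-all default shadows Execs.
    print(disposition([DEFAULT, EXECS], "ceo@example.com", POSITIVE, "Cheap watches"))
```
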

See Also

For more information about configuring anti-spam settings, see “Anti-Spam” in the Cisco IronPort AsyncOS for Email Configuration Guide.

For information about quarantining incoming spam messages, see “Task 3: Quarantine Incoming Spam” on page 19.

Task 3: Quarantine Incoming Spam

The IronPort Email Security appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine. End users can then access the quarantine to determine if the messages are incorrectly identified as spam. You can use a local IronPort Spam Quarantine, stored on the IronPort appliance, or you can send messages to an external IronPort Spam Quarantine, stored on an M-Series IronPort appliance. Both AsyncOS administrators and end users can access the IronPort Spam Quarantine.

Concepts

To use the IronPort Spam Quarantine, you work with several areas of the IronPort appliance:

• IronPort Spam Quarantine. The Spam Quarantine is a special quarantine designed for mail end-user access. You can use a local quarantine or send spam to an external quarantine (M-Series appliance).

• The interface where the Spam Quarantine is enabled. You enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.

• Anti-spam options for a mail policy. You enable the spam quarantine for a particular mail policy. That way, you can quarantine mail for specified groups of users.

Goal

In this task, you enable the IronPort Spam Quarantine and configure the default policy to send incoming spam to the quarantine.

To use the IronPort Spam Quarantine, complete the following steps:

Step 1 Configure the local IronPort Spam Quarantine.

Step 2 Enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.

Step 3 Configure the anti-spam scanning options for the policy to send spam or suspect spam to the IronPort Spam Quarantine.

Configuring the IronPort Spam Quarantine

To configure the IronPort Spam Quarantine:

Step 1 Select Monitor > Quarantines.

The Quarantines page is displayed.

Step 2 Click Edit.

The Edit IronPort Spam Quarantine page is displayed.

Step 3 Use the default settings in the Spam Quarantine Settings panel and scroll down to End-User Quarantine Access.

Step 4 Click Enable End-User Quarantine Access.

The End-User Quarantine Access page is displayed.

Step 5 Select None in the End-User Authentication field.

By selecting None, you allow users to access quarantined mail by clicking links in the notification messages that they receive.

Step 6 Click Enable Spam Notification.

The Enable Spam Notification page is displayed.

Step 7 Enter an address to use in the From Address header if you want to send notifications.

Step 8 Enter a subject (such as “IronPort Spam Quarantine Notification”).

Step 9 Enter a title for the notification (such as “IronPort Spam Quarantine Notification”).

Step 10 Optionally, enter a spam notification message.

Step 11 Select a format.

Step 12 Enter an address to deliver bounce messages to.

Step 13 Leave the Consolidate Notifications field empty. This field consolidates email notifications for users when the IronPort Spam Quarantine is configured for LDAP authentication.

Step 14 In the Notification Schedule field, choose a notification schedule.

Step 15 Click Submit.

Step 16 Commit your changes.

Enabling the IronPort Spam Quarantine HTTP or HTTPS Service

After you enable the IronPort Spam Quarantine, you must edit the IP interface to enable the HTTP or HTTPS service for the IronPort Spam Quarantine.

To enable the HTTP or HTTPS service:

Step 1 On the Network > IP Interfaces page, click the interface name (this example uses the Management interface).

The Edit IP Interface page is displayed.

Step 2 In Services > IronPort Spam Quarantine, select HTTP, HTTPS, or both, enter the port numbers, and optionally enable redirection of HTTP requests to HTTPS.

Step 3 Enter the default URL that appears in email notifications. This example uses the hostname.

Step 4 Click Submit.

Step 5 Commit your changes.

Configuring the Policy to Send Spam to the IronPort Spam Quarantine

To send spam to the IronPort Spam quarantine:

Step 1 Select Mail Policies > Incoming Mail Policies.

Step 2 Click the anti-spam settings for the default mail policy.

The Anti-Spam Settings page is displayed.

Step 3 In Positively Identified Spam Settings > Apply this Action to Message, select IronPort Spam Quarantine. The Positively Identified Spam Settings field expands. It displays delivery settings for the IronPort Spam Quarantine.

Step 4 Use the default settings in the Positively Identified Spam field.

Step 5 Leave the Suspected Spam Settings as you configured them.

Step 6 Use default settings for Spam Thresholds.

Step 7 Click Submit.

Step 8 Commit your changes.

See Also

For more information about working with incoming mail policies, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about working with the IronPort Spam quarantine, see “Quarantines” in the Cisco IronPort AsyncOS for Email Daily Management Guide. For more information about configuring IP interfaces, see “Accessing the Appliance” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 4: Configure End User Safelists and Blocklists

The IronPort appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine; however, an end user may want to ensure that mail from a particular sender is never treated as spam. Conversely, an end user may want to guarantee that certain mail is always sent to the IronPort Spam Quarantine. For example, a user may be unable to unsubscribe from an automated mailing list, and may want to block the list server’s email address. You can enable end users to create safelists and blocklists to better control which emails are treated as spam. The end user safelist and blocklist settings are configured from the IronPort Spam Quarantine, so you must have enabled and configured the IronPort Spam Quarantine to use this feature.

Note When you enable the safelist/blocklist feature, each end user maintains a safelist and blocklist for his or her email account.

Concepts

This task introduces concepts related to end user safelists and blocklists. Safelists allow a user to ensure that certain users or domains are not treated as spam. Blocklists ensure that certain users or domains are always treated as spam.

Goal

In this task, you enable safelists and blocklists in the IronPort Spam Quarantine, and you configure a safelist and a blocklist for an end user account.

Note Steps 2 and 3 require that you log into an end user account to create a safelist. Ensure that you have created an end user account that you can access to complete this task.

Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine

You enable safelists and blocklists from the Quarantines page.

To enable safelists and blocklists on a C-Series appliance:

Step 1 Select Monitor > Quarantines.

Step 2 In the End-User Safelist/Blocklist section, click Edit Settings.

The Edit Safelist/Blocklist Settings page is displayed.

Step 3 Select Enable End User Safelist/Blocklist Feature.

Step 4 Select Quarantine or Delete for the blocklist action.

Step 5 Specify the maximum list items per user. This value represents the maximum number of addresses or domains a user can list in each safelist and blocklist. For example, a value of 100 would mean that the end user could add 100 terms in the safelist and 100 terms in the blocklist.

Step 6 Click Submit.

Adding Items to the Safelist for an End User Account

End users can use safelists to ensure that mail from specified senders is never treated as spam.

To add items to a safelist:

Step 1 Log in to the IronPort Spam Quarantine.

Step 2 Select the Options drop-down menu.

Step 3 Select Safelist.

Step 4 In the Safelist dialog box, enter an email address, subdomain, or domain.

Entries can be added to safelists and blocklists using the following formats:

[email protected]

– server.domain.com

– domain.com

Step 5 Click Add to List.

Adding Items to the Blocklist for an End User Account

End users can use blocklists to ensure that they never receive mail from specified senders.

To add items to a blocklist:

Step 1 In the IronPort Spam Quarantine, select the Options drop-down menu.

Step 2 Select Blocklist.

Step 3 Enter the domain or email address you want to blocklist.

Step 4 Click Add to List.

When the IronPort appliance receives mail from the specified email address or domain that matches an entry in the blocklist, it treats the mail as spam. Because you configured AsyncOS to quarantine blocklisted items, any items identified as blocklisted are quarantined.

Task 5: Quarantine Incoming Virus Messages

You can configure the IronPort appliance to quarantine incoming virus messages. The Virus quarantine stores messages marked by the anti-virus scanning engine as not scannable, virus-positive, or encrypted. Like the anti-spam settings, you configure the IronPort appliance to take different actions based on the results of the virus scan and the group of mail recipients. For example, you might want to quarantine all virus-positive messages to the Technical Support group, but drop all virus-positive messages sent to the Marketing group.

Concepts

This task presents concepts related to IronPort virus scanning and the Virus quarantine. Unlike the IronPort Spam quarantine, the Virus quarantine can be accessed only by administrators. The Virus quarantine is enabled by default, but you must configure anti-virus scanning and quarantine settings in a mail policy to use the Virus quarantine. You also enable notifications in the mail policy to allow administrators or end users to see that messages were quarantined.

Goal

In this task, you activate IronPort virus scanning, and you configure the default mail policy to deliver suspected virus email messages and drop confirmed virus email messages. You also configure the default mail policy to quarantine virus messages and suspected virus messages.

Enabling Virus Settings

To enable the Virus quarantine:

Step 1 Select Mail Policies > Incoming Mail Policies.

Step 2 Click the anti-virus settings for the default mail policy.

The Anti-Virus Settings page is displayed.

Step 3 Under Anti-Virus Settings, select Yes for Enable Anti-Virus Scanning for this Policy.

The anti-virus engines that you have licenses for are displayed.

Step 4 Select an anti-virus engine.

Step 5 Under Message Scanning, enter the following information:

– Select “Scan and Repair viruses” from the menu.

– Select “Include an X-header with the Anti-Virus scanning results in messages.”

Step 6 Use the default settings for the Repaired Messages section.

Step 7 Use the default settings for the Encrypted Messages section.

Step 8 Scroll down to the Unscannable Messages section.

Step 9 Enter the following information in the Unscannable Messages section:

– Action Applied to Message: Quarantine.

– Archive Original Message: Yes.

– Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: A/V UNSCANNABLE].

– Other Notification: Recipient.

Step 10 Scroll down to the Virus Infected Messages section.

Step 11 Enter the following information in the Virus Infected Messages section:

– Action Applied to Message: Quarantine.

– Archive Original Message: Yes.

– Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: VIRUS DETECTED].

– Other Notification: Recipient.

Step 12 Click Submit.

The Default Mail Policy displays the anti-virus settings.

Step 13 Commit your changes.

See Also

For more information about configuring anti-virus settings, see “Anti-Virus” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about quarantines, see “Quarantines” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Task 6: Strip Specified Types of Incoming Email Attachments

In addition to spam and virus filters, the IronPort appliance allows you to apply custom scanning and email policies to messages by using content filters. You can use content filters to analyze incoming email messages and take action based on a variety of factors. Content filters can be enforced on different groups of users.

Concepts

This task introduces concepts related to the content filter. The content filter applies custom filtering to messages after the anti-spam and anti-virus engines perform scans. Like anti-spam and anti-virus policies, you create the content filter and then apply it to a group of users via a mail policy.

Goal

In this task, you create a new content filter to strip a specified type of media attachment from incoming messages, and then you add this filter to the default policy in the Email Security Manager.

Creating a Content Filter

To create a content filter:

Step 1 Click Mail Policies > Incoming Content Filters.

The Incoming Content Filters page is displayed.

Step 2 Click the Add Filter button.

The Add Content Filter page is displayed.

Note Content Filters are custom email rules that scan a message for specific content or recipients and then take actions based on the results of the scan.

Step 3 Enter the following information:

– Name: Enter a name to identify the filter. For example, Remove_MP3.

– Description: Briefly describe the filter.

– Conditions: Leave this section blank. This ensures that this filter is applied to all messages analyzed by the mail policy.

Step 4 Click Add Action.

Step 5 Select Strip Attachment by File Info.

The Strip Attachment by File Info page is displayed.

Step 6 Specify the action that the appliance takes when it encounters a flagged email message.

– Select File type is.

– In the drop-down menu, select -- mp3.

– Enter a replacement message that is displayed to the recipient if an MP3 attachment is stripped from an email message. For example, [MP3 FILE DROPPED].

– Click OK. The Edit Content Filter page displays the rule drop-attachments-by-filetype("mp3", "[MP3 FILE DROPPED]") in the Actions section of the page.

Step 7 Click Submit.

The Incoming Content Filters page displays the Remove_MP3 filter.
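The effect of the Remove_MP3 rule on a message, as an added sketch using Python's standard email package. This is not AsyncOS code or code from the guide: the function names, the constructed sample message, and the assumption that “File type is” matches on the attachment's content signature rather than its file name are assumptions of this example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Replacement text taken from the guide's example rule.
REPLACEMENT = "[MP3 FILE DROPPED]"


def looks_like_mp3(data: bytes) -> bool:
    """Identify MP3 content by its leading bytes, not by its file name."""
    if data[:3] == b"ID3":  # ID3v2 tag at the start of the file
        return True
    # MPEG audio frame header: 11 sync bits set, layer bits '01' (Layer III).
    return (
        len(data) >= 2
        and data[0] == 0xFF
        and (data[1] & 0xE0) == 0xE0
        and (data[1] & 0x06) == 0x02
    )


def strip_mp3_attachments(msg, replacement=REPLACEMENT):
    """Replace every MP3 part with a text part; return the stripped file names."""
    stripped = []
    for part in msg.walk():
        # Containers hold no file data; text parts are message bodies.
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        data = part.get_payload(decode=True) or b""
        if looks_like_mp3(data):
            stripped.append(part.get_filename() or "(unnamed)")
            # set_content() clears the old Content-* headers and payload first.
            part.set_content(replacement)
    return stripped


def build_sample():
    """Constructed test message: a disguised MP3 and a PDF named like an MP3."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "alias@example.net"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachments.")
    # MP3 bytes (ID3 header) hidden behind a neutral name and MIME type.
    msg.add_attachment(
        b"ID3\x03\x00" + b"\x00" * 32,
        maintype="application", subtype="octet-stream", filename="notes.bin",
    )
    # Not MP3 content, even though the file name says so.
    msg.add_attachment(
        b"%PDF-1.4\n% constructed sample\n",
        maintype="application", subtype="pdf", filename="song.mp3",
    )
    # Round-trip through bytes so the filter sees the message as received.
    return BytesParser(policy=policy.default).parsebytes(msg.as_bytes())


if __name__ == "__main__":
    message = build_sample()
    print("stripped:", strip_mp3_attachments(message))
    for part in message.walk():
        if not part.is_multipart():
            print(part.get_content_type(), part.get_filename())
```

Under that assumption, the renamed MP3 is replaced with the text and the PDF that merely carries an .mp3 name is left alone, which is the difference worth confirming with the Trace page when you test the real filter.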

Applying a Filter to an Incoming Mail Policy

You apply the content filter to incoming messages by associating it with an incoming mail policy.

To apply a content filter to an incoming mail policy:

Step 1 Select Mail Policies > Incoming Mail Policies.

When you associate the content filter with a mail policy, it is applied to the appropriate end users.

Step 2 Click the Disabled link in the Content Filters column. The Mail Policies: Content Filters page displays the content filter that you created.

Step 3 Click Yes to enable content filtering on the policy. Verify that the Enable check box is selected for the Remove_MP3 filter.

Step 4 Click Submit.

The Incoming Mail Policies page displays a success message.

Step 5 Commit your changes.

Testing the Filter

After you have created the filter and applied it to the default mail policy, test the filter by sending an email message with an MP3 attachment from an Internet email address (such as Yahoo! Mail) to an alias in your network.

You can use the Trace page (and trace CLI command) to test and troubleshoot the filter. The Trace page emulates a message that is accepted by a listener, and it prints a summary of features that would have been “triggered” or affected by the current configuration of the system. You can also run the tail command against mail logs to view the most recent mail logs in real time. For more information on mail flow monitoring, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide.

See Also

For more information about content filters and the Email Security Manager, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 7: Enforce an Outgoing Email Policy

The IronPort appliance allows you to enforce a policy for outgoing mail that would quarantine messages that may contain sensitive information or violate your company’s email policies. For example, you can quarantine all messages that contain credit card numbers and supporting information. Data loss prevention (DLP) policies can analyze outgoing messages for particular data patterns and take action based on the scanned content.

Concepts

This task introduces concepts related to RSA Email DLP. RSA Email DLP is an integrated data loss prevention scanning engine from RSA Security Inc. that identifies and protects sensitive data. RSA Email DLP protects your organization’s sensitive information and enforces regulatory compliance and internal policies by preventing users from unintentionally emailing sensitive data. You define what kind of data your employees are not allowed to email and the actions that the appliance takes, such as quarantining messages containing sensitive information and sending notifications to a compliance officer.

RSA Email DLP also includes predefined DLP policy templates that you can use to create your DLP policies. A DLP policy is a set of conditions that AsyncOS and the RSA Email DLP scanning engine use to determine whether an outgoing message contains sensitive data and the actions that AsyncOS takes when a message contains such data. RSA Email DLP searches for more than data patterns like credit card numbers and driver license IDs; it examines the context of the patterns, leading to fewer false positives.

If the DLP scanning engine detects a DLP violation in a message or attachment, the DLP scanning engine determines the risk factor of the violation and returns the result to the DLP policy. The DLP policy evaluates the severity of the violation and takes the appropriate action. You choose both the overall action to take on messages (deliver, drop, or quarantine) and secondary actions such as encrypting the message, copying it, altering its header, and sending notifications.

Goal

In this task, you create a new DLP policy that identifies outgoing emails that violate Payment Card Industry Data Security Standard (PCI-DSS) guidelines. PCI-DSS defines requirements for protection of commonly used elements of credit cardholder data. You configure the policy to quarantine emails that show patterns in data corresponding to credit card numbers and terms related to credit cards. After you create the DLP policy, you enable it in the default outgoing mail policy.

Enabling RSA Email Data Loss Prevention

To enable RSA Email DLP on your appliance:

Step 1 Select Security Services > RSA Email DLP.

The RSA Email Data Loss Prevention Settings page is displayed.

Step 2 Click Enable.

RSA Email DLP is enabled on the appliance.

Step 3 Click Submit.

Step 4 Commit your changes.

Creating a DLP Policy

After enabling RSA Email DLP, create a DLP policy to scan outgoing messages for credit card-related data. You define the actions to perform on messages that contain DLP violations. The policy uses a scale to evaluate the severity of a DLP violation found in a message and performs the appropriate action on the message. The scale includes five severity levels: Ignore, Low, Medium, High, and Critical. You can edit a level to specify different actions for different severities.

To create a DLP policy:

Step 1 Select Mail Policies > DLP Policy Manager.

The DLP Policy Manager is displayed.

Step 2 Click Add DLP Policy.

The Add DLP Policy page is displayed.

Step 3 Click Regulatory Compliance.

Step 4 Click Add for Payment Card Industry Data Security Standard (PCI-DSS).

The Mail Policies: DLP: Policy: Payment Card Industry Data Security Standard (PCI-DSS) page is displayed.

Step 5 Under Critical Severity Settings, select Quarantine for the action to apply to messages.

By default, all severity levels (except Ignore) inherit the settings of the higher severity level; the High severity level inherits the settings from Critical, Medium inherits from High, and Low inherits from Medium. You can uncheck the Inherit settings check box to edit a level’s actions.

Step 6 Click Submit.

Step 7 Commit your changes.

Enabling a DLP Policy in an Outgoing Mail Policy

By default, the DLP Policy is not applied to outgoing messages. You apply the policy by enabling it in an outgoing mail policy.

To enable the DLP policy in an outgoing mail policy:

Step 1 Select Mail Policies > Outgoing Mail Policies.

The Outgoing Mail Policies page is displayed.

You enable the DLP policy in the outgoing mail policy so that it is applied to the appropriate end users. In this example, the DLP policy is applied to the Default policy.

Step 2 On the default policy, click the Disabled link in the DLP column.

Step 3 Under DLP Settings for Default Outgoing Mail Policy, select Enable DLP (Customize Settings) to enable DLP scanning on the outgoing mail policy.

The Mail Policies: DLP page displays a list of available DLP policies. The Payment Card Industry Data Security Standard (PCI-DSS) policy appears in this list.

Step 4 Select the Enable check box for the Payment Card Industry Data Security Standard (PCI-DSS) policy.

Step 5 Click Submit.

The Outgoing Mail Policies page displays a success message.

Step 6 Commit your changes.

Testing the Policy

After you have created the DLP policy and enabled it in the default outgoing mail policy, you can test the policy by sending an outbound email message with credit card-related information in a message body or attachment. For example, send a message with the term “Visa” and multiple strings of numbers similar to a credit card number in close proximity to one another, and then send a message with only the term and a message with only a single credit card number string. Messages that contain both of these strings are quarantined, but messages that contain only one of the terms do not trigger the quarantine action.
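The three test messages described above, run through an added sketch of term-plus-number proximity matching. This is not RSA Email DLP's algorithm or code from the guide: the term list, the 100-character window, the Luhn checksum and the function names are assumptions of this example, and the card numbers are publicly documented test numbers.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed list of card-related terms; a real policy template has its own.
TERM_RE = re.compile(r"\b(visa|mastercard|amex|credit card|card number|cvv)\b", re.I)
WINDOW = 100  # assumed maximum distance, in characters, between term and number


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Return (start, end) spans of digit runs that pass the Luhn check."""
    spans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            spans.append((m.start(), m.end()))
    return spans


def dlp_verdict(text: str, window: int = WINDOW) -> str:
    """'quarantine' when a card-like number sits within `window` characters
    of a card-related term, otherwise 'deliver'."""
    cards = find_cards(text)
    terms = [(m.start(), m.end()) for m in TERM_RE.finditer(text)]
    for cs, ce in cards:
        for ts, te in terms:
            gap = max(cs - te, ts - ce, 0)  # 0 when the spans touch or overlap
            if gap <= window:
                return "quarantine"
    return "deliver"


# Constructed sample messages mirroring the test in the guide.
BOTH = "Please charge my Visa: 4111 1111 1111 1111, backup 4012-8888-8888-1881."
TERM_ONLY = "Do you accept Visa at the conference desk?"
NUMBER_ONLY = "Reference 4111111111111111 attached."
# Edge cases: a digit run that fails Luhn, and a term far from the number.
NOT_A_CARD = "Visa order 1234 5678 9012 3456 has shipped."
FAR_APART = "Visa" + " filler" * 50 + " 4111111111111111"

if __name__ == "__main__":
    for name in ("BOTH", "TERM_ONLY", "NUMBER_ONLY", "NOT_A_CARD", "FAR_APART"):
        print(f"{name:12} {dlp_verdict(globals()[name])}")
```

Only the first message is quarantined; the other four show why matching on context rather than on a bare number pattern reduces false positives.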

See Also

For more information about RSA Email DLP, see “Data Loss Prevention” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide.

Task 8: Add a Domain to Accept Mail

In this task, you configure the IronPort appliance to receive mail for another domain. Many enterprise gateways are configured to receive messages for several local domains. For example, if your company changes its name, it needs to receive mail for the old domain name and the new domain name.

Concepts

Incoming and outgoing mail is received through a listener, an email processing service that is configured on a particular IP interface. When you add accessibility for a new domain to the IronPort appliance, you must add entries to two tables. One table, the Recipient Access Table (RAT), specifies the mail recipients for the domain. It defines which recipients will be accepted by a public listener. The table specifies the address (which may be a partial address or host name) and whether to accept or reject it. The other table, the Host Access Table (HAT), maintains a set of rules that control incoming connections from remote hosts for a listener. You add an SMTP route to enable email for the new domain to be routed to the correct mail exchange host. SMTP routes allow you to redirect all email for a particular domain to a different mail exchange (MX) host.

Goal

In this task, you add accessibility to the IronPort appliance for a new domain. You do this by adding an entry for the domain in the RAT, the HAT, and the SMTP Routes table.

Accepting Mail for a Domain

To accept mail for a domain:

Step 1 Select Network > Listeners.

The Listeners page is displayed.

Step 2 Click the RAT link.

The Recipient Access Table Overview page is displayed.

Step 3 Click the Add Recipient button.

The Add to Recipient Access Table page is displayed.

Step 4 Enter the following information:

– Order: Enter 2 to place the domain second in the list.

– Recipient Address: Enter the domain address. For example, acquisition.com.

– Action: Accept.

– Bypass LDAP Accept Queries for this Recipient: Leave as is.

– Custom SMTP Response: No.

– Bypass Receiving Control: No.

Step 5 Click Submit.

The Recipient Access Table Overview page is refreshed with the new domain listed in position 2. At this point, your appliance is configured to accept mail for the new domain.

Creating an SMTP Route for a Domain

To create an SMTP route for a domain:

Step 1 Select Network > SMTP Routes.

The SMTP Routes page is displayed.

Step 2 Click the Add Route button.

The Add SMTP Route page is displayed.

Step 3 Enter the settings for the SMTP route:

– Receiving Domain: Enter the Receiving Domain. For example, enter acquisition.com.

– Destination Hosts: Enter the IP address or host name of the MUA that will receive the mail for the receiving domain. For example, enter exchange.company.com.

– Outgoing SMTP Authentication: Use default settings.

Step 4 Click Submit.

The SMTP Routes page displays the new SMTP route.

See Also

For more information about configuring listeners and working with the RAT and the HAT, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 9: Add a Disclaimer to Outgoing Mail

You can use the IronPort appliance to add footer text to outgoing or incoming messages. For example, you can append a copyright statement, promotional statement, or disclaimer to messages sent from your network.

Concepts

To add an outgoing disclaimer, you create a disclaimer text resource and associate it with a private listener.

IronPort AsyncOS differentiates between public listeners — which, by default, can receive email from the Internet — and private listeners that accept email only from internal systems such as groupware, POP and IMAP, and other message generation systems.

Goal

To add an outgoing disclaimer, you first create a text resource and then associate the text resource with the private (outgoing) listener.

Creating a Footer Text Resource

To create a footer text resource:

Step 1 Select Mail Policies > Text Resources.

The Text Resources page is displayed.

Step 2 Click the Add Text Resource button.

The Add Text Resource page is displayed.

Enter the following information:

– Name: Name of the text resource. For example, enter Confidential.

– Type: Disclaimer.

– Text: Enter the text to display as the disclaimer. Do not use variables.

Step 3 Click Submit.

The Text Resources page is displayed with the disclaimer text resource.

Step 4 Commit your changes.

Associating a Footer with a Private Listener

After creating the disclaimer, you need to associate it with the private (outgoing) listener. The listener inserts the disclaimer text resource into every email message that the listener handles.

To associate the disclaimer with a private listener:

Step 1 Select Network > Listeners.

Step 2 Click the OutgoingMail link in the Listener Name column.

The Edit Listener page is displayed.

Step 3 Select Confidential from the Disclaimer Below menu to display the disclaimer at the bottom of messages.

Step 4 Click Submit.

Step 5 Commit your changes.

See Also

For more information about working with message stamping, see “Text Resources” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 10: Configure a Scheduled Report

You can run a variety of reports to track activity on your IronPort appliance. You can track the flow of mail using incoming and outgoing mail summary reports, outgoing destinations, outgoing senders domains, and sender groups. You can track virus activity using the Virus Types report and the Virus Outbreak report. You can also track user activity using the Internal Users Summary report and the Content Filters report. You can also track system activity using an Executive Summary report and track system health using the System Capacity report.

Concepts

The IronPort appliance allows you to track activity by using reports. You can also use reports to monitor the effectiveness of the appliance and view trends in the mail flow.

This task introduces the TLS Connections report. This report shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

Goal

In this task, you schedule a daily TLS Connections report.

Configuring a Scheduled Report

To configure a scheduled report:

Step 1 Select Monitor > Scheduled Reports.

The Scheduled Reports page is displayed.

The Available Reports section displays the scheduled reports.

Step 2 Click the Add Scheduled Report button.

The Add Scheduled Report page is displayed.

Step 3 Select a Report type from the menu. For example, you might use the TLS Connections report to view the overall usage of TLS connections for emails sent to your network.

Step 4 Enter a title for the report.

Step 5 Under Time Range to Include, select “Previous calendar day.”

Step 6 Under Format, leave “PDF” selected.

Step 7 Under Schedule, select “Daily,” and leave the default time.

Step 8 Enter the email address where you want to send the report.

Step 9 Click Submit.

Step 10 Commit your changes.

Note If you used the System Setup Wizard to configure the IronPort appliance, some reports are enabled by default.

See Also

For more information about generating and managing reports, see the section about reporting in “Using the Email Security Monitor” in the Cisco IronPort AsyncOS for Email Daily Management Guide.


Chapter 4

Advanced Tasks

This chapter contains the following sections:

• Task 11: Access the Command Line Interface

• Task 12: Use the CLI

• Task 13: Retrieve and Use Mail Logs

• Task 14: Configure Email Alerts

• Task 15: Upgrade the IronPort Appliance

Task 11: Access the Command Line Interface

The IronPort AsyncOS Command Line Interface (CLI) provides a set of management commands through a text-based interactive interface. You connect to the CLI using telnet or Secure Shell (SSH). SSH is encrypted and provides better security.

Concepts

The CLI and the GUI contain many of the same functions, but some advanced tasks are available only in the CLI. To use the CLI, you must first enable it from the GUI.


Note Do not run multiple concurrent CLI or GUI sessions. Doing so will cause unexpected behavior and is not supported.

Goal

In this task, you enable and access the CLI. To use the CLI, you need to:

• Enable the CLI to use SSH or telnet.

• Connect to the configured IP address using telnet or SSH.

Enabling the CLI

You can enable the CLI on any IP interface. In this example, the CLI is enabled in the Management interface.

To enable the CLI:

Step 1 Select Network > IP Interfaces, and click the Management link.


The Edit IP Interface dialog box is displayed.

Step 2 In the Services field, select SSH and Telnet, and enter port numbers.

Telnet uses port 25. SSH uses port 22. When you select both options, you can connect to the IP address using either telnet or SSH.

Step 3 Use telnet or SSH to connect to the Management interface.

Initially, only the admin user account has access to the CLI. You can add other users when you access the CLI through the admin account.

Step 4 In the CLI, enter your username and password to log in to the appliance.


See Also

For more information about the CLI, see the Cisco IronPort AsyncOS CLI Reference Guide.

Task 12: Use the CLI

You can perform many advanced tasks in the CLI, such as testing connectivity, viewing system status, and controlling services.

Concepts

You can use the CLI to complete the following types of tasks:

• Connectivity. You can test connectivity using the telnet command. You can use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.

• System status. You can use the status command to determine the status of the IronPort appliance. You use the tophosts command to view information about the email queue and determine if a particular recipient host has delivery problems, such as a queue buildup.

• Control services. Use the suspendlistener and resumelistener commands to stop and restart listeners if you need to troubleshoot a mail processing problem.

Goal

In this task, you run commands to test connectivity, review system status details, and suspend and resume listeners.


Testing Connectivity

The IronPort appliance allows you to use several common network diagnostic tools, such as telnet, ping, and traceroute. You can use telnet to connect to a remote host. You can use ping to test whether a particular host is reachable across an IP network. You can use traceroute to display a network route to a remote host.

Use these commands to debug network connectivity from the IronPort appliance. For example, you can ensure that your diagnostics are not affected by firewalls or other rules that may treat the IronPort appliance differently from a workstation.

Ping a Network Host

To ping a network host:

Step 1 Use telnet or SSH to connect to the Management interface, and enter your username and password.

Step 2 Enter ping and the host name for an address on your network.

Step 3 Allow the IronPort appliance to ping the address several times.

Step 4 Press Ctrl+C to stop the IronPort appliance from pinging the host.

Step 5 Review the ping statistics.

Table 4-1 Example of ping command

mga.company.com> ping mail.example.com

Press Ctrl-C to stop.

PING mail.example.com (69.18.55.191): 56 data bytes

64 bytes from 69.18.55.191: icmp_seq=0 ttl=63 time=46.078 ms

64 bytes from 69.18.55.191: icmp_seq=1 ttl=63 time=41.941 ms

64 bytes from 69.18.55.191: icmp_seq=2 ttl=63 time=37.616 ms

^C

--- mail.example.com ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss

round-trip min/avg/max/stddev = 37.616/41.878/46.078/3.455 ms

Use the traceroute Command

Use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.

Step 1 From the CLI, enter traceroute <network host name>.

Step 2 Press Ctrl+C to stop the trace.

Step 3 Review the traceroute statistics.

Table 4-2 Example of the traceroute Command

mga.company.com> traceroute mail.example.com

Press Ctrl-C to stop.

traceroute to mail.example.com (69.18.55.191), 64 hops max, 44 byte packets

1 er1.sfo1.speakeasy.net (66.93.133.1) 35.199 ms 30.697 ms 31.543 ms

2 * * *

^C

Use the telnet Command

Use telnet to establish a telnet connection or other interactive TCP connection.

To establish a telnet connection:

Step 1 From the CLI, enter telnet <host name> <port number>.

The IronPort appliance opens a connection to the remote host.

Step 2 Press Ctrl+C to close the connection.

Table 4-3 Example of the telnet Command

mga.company.com> telnet mail.example.com 25

Trying 69.18.55.191...

Connected to mail.example.com.

Escape character is '^]'.

220 mail.example.com ESMTP Postfix

EHLO mga.company.com

250-mail.example.com

250-PIPELINING

250-SIZE 102400000

250-VRFY

250-ETRN

250-STARTTLS

250 8BITMIME

^]

telnet> quit

Connection closed.


Monitoring the IronPort Appliance and Email Traffic

You can use the CLI to monitor the IronPort appliance and traffic flowing through it. You can use the status command to view a broad range of information about the IronPort appliance, such as the anti-spam and anti-virus features that are enabled and the last date you started the appliance. Use the detail subcommand to return more specific information.

Using the status Command

From the CLI, enter status detail to retrieve detailed status of the IronPort appliance.

Table 4-4 Example of the status Command

mga.company.com> status detail

Status as of: Thu Mar 30 13:22:24 2006 PST

Up since: Tue Mar 21 07:24:41 2006 PST (9d 5h 57m 43s)

Last counter reset: Never

System status: Online

Oldest Message: No Messages

Feature - Virus Outbreak Filters: 50 days

Feature - IronPort Anti-Spam: 205 days

Feature - Receiving: 50 days

Feature - Brightmail: 50 days

Feature - Sophos: 50 days

Counters: Reset Uptime Lifetime

Receiving

Messages Received 22,119 1,267 22,119

Recipients Received 22,651 1,324 22,651

Gen. Bounce Recipients 81 7 81

For more information about counters, see the Cisco IronPort AsyncOS for Email Configuration Guide.

Using the tophosts Command

To view immediate information about the email queue and determine if a particular recipient host has delivery problems, such as a queue buildup, use the tophosts command. The tophosts command returns a list of the top 20 recipient hosts in the queue. The list can be sorted by a number of statistics, including active recipients, connections out, delivered recipients, soft bounced events, and hard bounced recipients.

To use the tophosts command:

Step 1 From the CLI, enter tophosts.

The CLI displays a list of sorting options.

Step 2 Sort the hosts by connections out.

The CLI returns a list of hosts in order of the connections out.

Table 4-5 Example of the tophosts Command

mga.company.com> tophosts

Sort results by:

1. Active Recipients

2. Connections Out

3. Delivered Recipients

4. Hard Bounced Recipients

5. Soft Bounced Events

[1]> 2

Status as of: Thu Mar 30 13:23:42 2006 PST

Hosts marked with '*' were down as of the last delivery attempt.

Active Conn. Deliv. Soft Hard

# Recipient Host Recip. Out Recip. Bounced Bounced

1 yahoo.com 0 0 2 0 0

2 hotmail.com 0 0 128 76 5

3 mail.example.com 0 0 889 0 0

You can retrieve the information from these commands in an XML format by using a GUI request. For example, you can retrieve the information from the status command with the URL http://<hostname>/xml/status. Other useful commands for gathering email monitoring statistics include hoststatus and topin. For information on using XML pages to gather email monitoring statistics, see “Gathering XML Status from the GUI” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Configuring the Appliance

You can control the operation of your IronPort appliance directly from the CLI. The suspendlistener and resumelistener commands allow you to stop and restart listeners if you need to troubleshoot a mail processing problem.

Use the syntax in Table 4-6 to suspend a listener.

Table 4-6 Suspending and Resuming a Listener

mga.company.com> suspendlistener

Enter the number of seconds to wait before abruptly closing connections.

[30]>

Waiting for listeners to exit...

Receiving suspended for External.

mga.company.com> resumelistener

Mail delivery resumed.

Other useful commands for stopping mail delivery from the appliance include suspenddel and resumedel.
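For the queue check that the tophosts command supports earlier in this task, the following added example (not part of the Cisco guide) parses output in the layout of Table 4-5 and lists the hosts that need attention. The fourth sample row, the placement of its '*' marker, the function names and both thresholds are assumptions made for the example.

```python
import re

# Constructed sample in the layout of Table 4-5. The fourth row and the
# position of its '*' (down) marker are assumptions made for this example.
SAMPLE_TOPHOSTS = """\
Status as of: Thu Mar 30 13:23:42 2006 PST
Hosts marked with '*' were down as of the last delivery attempt.
                       Active  Conn.  Deliv.   Soft     Hard
#   Recipient Host     Recip.  Out    Recip.   Bounced  Bounced
1   yahoo.com          0       0      2        0        0
2   hotmail.com        0       0      128      76       5
3   mail.example.com   0       0      889      0        0
4*  relay.example.net  1,240   0      15       310      0
"""

COLUMNS = ("active", "conn_out", "delivered", "soft_bounced", "hard_bounced")


def parse_tophosts(text):
    """Turn the host rows of tophosts output into dicts; other lines are skipped."""
    hosts = []
    for line in text.splitlines():
        tokens = line.replace("*", " ").split()
        if len(tokens) != 7 or not tokens[0].isdigit():
            continue                      # banner, header or blank line
        try:
            counts = [int(t.replace(",", "")) for t in tokens[2:]]
        except ValueError:
            continue                      # seven tokens, but not a data row
        row = dict(zip(COLUMNS, counts), host=tokens[1], down="*" in line)
        hosts.append(row)
    return hosts


def delivery_problems(hosts, max_active=500, max_bounce_ratio=0.25):
    """Return {host: [reasons]} for hosts that look unhealthy.

    Both thresholds are illustrative assumptions, not values from the guide.
    Soft bounces are counted per event, so the ratio is a rough indicator.
    """
    findings = {}
    for h in hosts:
        reasons = []
        if h["down"]:
            reasons.append("down at last delivery attempt")
        if h["active"] > max_active:
            reasons.append(f"queue buildup: {h['active']} active recipients")
        bounced = h["soft_bounced"] + h["hard_bounced"]
        attempts = h["delivered"] + bounced
        if attempts and bounced / attempts > max_bounce_ratio:
            reasons.append(f"{bounced}/{attempts} delivery attempts bounced")
        if reasons:
            findings[h["host"]] = reasons
    return findings
```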

Task 13: Retrieve and Use Mail Logs

AsyncOS offers extensive logging capabilities, and it makes these logs available through a variety of interfaces. Logs record information about mail flow, operation of various software systems on the appliance, CLI and GUI usage, and the AsyncOS system itself. By default, AsyncOS records, archives, and purges old log files. You can view and search the logs, and you can change how much detail is recorded to the logs and how the files themselves are handled on disk.

Concepts

This task introduces the tail command, which allows you to view log details in real time. It also introduces the grep command, which allows you to search through logs for specific details. In addition, it introduces methods for retrieving logs.

Goal

In this task, you view the logs in real time through the CLI, search logs for information, and retrieve logs using different formats.

Viewing Logs

To view the logs in real-time as they are written to the log files, use the syntax in Table 4-7.

Table 4-7 Example of tail Command

mga.company.com> tail bounces

Press Ctrl-C to stop.

Wed Mar 29 22:25:24 2006 Info: Delayed: DCID 12949 MID 23365 From:<[email protected]> To:<[email protected]> RID 0 - 4.1.0 - Unknown address error ('450', ['<[email protected]>: Sender address rejected: Domain not found'])

Wed Mar 29 23:25:26 2006 Info: Delayed: DCID 12951 MID 23365 From:<[email protected]> To:<[email protected]> RID 0 - 4.1.0 - Unknown address error ('450', ['<[email protected]>: Sender address rejected: Domain not found'])

Searching for Content in Logs

You can search for content in the logs by using the grep command. For example, the following grep query searches the mail logs for [email protected] and then retrieves the details of a message sent to that address by searching for the message ID.

Table 4-8 Example of the grep Command

mga.company.com> grep -e "[email protected]" mail_logs

Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <[email protected]>

mga.company.com> grep -e "MID 13276" -e "ICID 23441" mail_logs

Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (66.39.133.191) address 86.203.229.163 reverse dns host alagny-154-1-70-163.w86-203.abo.wanadoo.fr verified yes

Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.2

Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441

Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <[email protected]>

Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <[email protected]>

Sat Jan 21 02:43:17 2006 Info: MID 13276 Message-ID '<000001c61ea1$2ec70280$0100007f@localhost>'

Sat Jan 21 02:43:17 2006 Info: MID 13276 Subject 'Hey bro, check out the huge sale these guys are offering'

Sat Jan 21 02:43:17 2006 Info: MID 13276 ready 9637 bytes from <[email protected]>

Sat Jan 21 02:43:17 2006 Info: MID 13276 matched all recipients for per-recipient policy EUQ Testers in the inbound table

Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive

Sat Jan 21 02:43:17 2006 Info: EUQ: Tagging MID 13276 for quarantine

Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative

Sat Jan 21 02:43:17 2006 Info: MID 13276 queued for delivery

Sat Jan 21 02:43:18 2006 Info: Start delivery of MID 13276 over RPC connection 8572

Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276

Sat Jan 21 02:43:18 2006 Info: Delivery of MID 13276 over RPC completed on connection 8572

Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done

Sat Jan 21 02:43:19 2006 Info: ICID 23441 close

Retrieving and Configuring Logs

Log data rolls over to a new file when the file size reaches a specified limit. (The default is 95 MB.) By default, the appliance stores up to 10 files for each log, and it deletes the oldest file when it rolls over data to a new file.

You can use FTP or SCP to retrieve archived log files on demand, or you can configure the appliance to push rolled-over log files to an FTP or SCP server.

Retrieving Logs Using FTP or SCP

You can retrieve log files directly from the appliance using either an FTP or an SCP client. On the Network > IP Interfaces page, you can enable both the FTP and the SSH (for SCP) services. After you enable the service, you can connect to the IronPort appliance using the FTP or SCP client to browse and retrieve log files.

Other types of files are available for download, including saved configuration files, archive mailboxes created by different filter commands, and saved reports.

Configuring Log Subscriptions

By default, the appliance is configured to roll over the log files when they reach a specified size, and it stores up to 10 old log files. You can configure the log settings to reduce or increase the number and size of the log files. You can also configure the appliance to push logs to a remote server for further archiving and processing.

Log subscriptions can be managed through the logconfig CLI command and through the GUI on the System Administration > Log Subscriptions page.
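Table 4-8 follows one message by running grep twice, once for the recipient and once for the MID and ICID that the first search returns. The added example below (not part of the Cisco guide) performs the same correlation in Python over mail_logs text that has been retrieved or pushed off the appliance; the sample lines, the function names and the reputation threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the mail_logs layout of Table 4-8; addresses and MID 13277 are invented.
SAMPLE_LOG = """\
Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (192.0.2.10) address 198.51.100.7 reverse dns host dsl-7.example.net verified yes
Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.2
Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <sender@example.net>
Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <user@example.com>
Sat Jan 21 02:43:06 2006 Info: Start MID 13277 ICID 23442
Sat Jan 21 02:43:07 2006 Info: MID 13277 ICID 23442 RID 0 To: <user@example.com>
Sat Jan 21 02:43:08 2006 Info: MID 13277 Subject 'RE: MID 13276 antivirus positive'
Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
"""

EVENT = re.compile(r"\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} \w+: (.*)")
# Rules must match the whole event, so sender-controlled Subject text is never read as a verdict.
RULES = [re.compile(p) for p in (
    r"New SMTP ICID (?P<icid>\d+) interface .+? \(\S+\) address (?P<remote_ip>\S+) .*",
    r"ICID (?P<icid>\d+) (?P<action>\w+) SG (?P<sender_group>\S+) .*SBRS (?P<sbrs>\S+)",
    r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)",
    r"MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<sender>[^>]*)>",
    r"MID (?P<mid>\d+) ICID (?P<icid>\d+) RID \d+ To: <(?P<rcpt>[^>]*)>",
    r"MID (?P<mid>\d+) Subject '(?P<subject>.*)'",
    r"MID (?P<mid>\d+) using engine: \S+ spam (?P<spam>positive|negative)",
    r"MID (?P<mid>\d+) antivirus (?P<antivirus>positive|negative)",
    r"EUQ: (?P<euq>Quarantined) MID (?P<mid>\d+)",
)]


def correlate(text):
    """Return {MID: record}, each joined to the facts of its connection (ICID)."""
    conns, msgs = defaultdict(dict), defaultdict(lambda: {"recipients": []})
    for line in text.splitlines():
        event = EVENT.fullmatch(line.strip())
        hits = [r.fullmatch(event.group(1)) for r in RULES] if event else []
        for fields in (h.groupdict() for h in hits if h):
            if "mid" not in fields:               # connection-level event
                conns[fields.pop("icid")].update(fields)
                continue
            msg = msgs[fields.pop("mid")]
            if "rcpt" in fields:
                msg["recipients"].append(fields.pop("rcpt"))
            msg.update(fields)
    for msg in msgs.values():                     # attach sender IP, SG and SBRS
        for key, value in conns.get(msg.get("icid"), {}).items():
            msg.setdefault(key, value)
    return dict(msgs)


def needs_review(msgs, sbrs_ceiling=-1.0):
    """MIDs with a positive verdict or a reputation score at or below the ceiling (assumed value)."""
    flagged = {}
    for mid, m in msgs.items():
        reasons = [f"{k} positive" for k in ("spam", "antivirus") if m.get(k) == "positive"]
        score = m.get("sbrs", "")
        if re.fullmatch(r"-?\d+(\.\d+)?", score) and float(score) <= sbrs_ceiling:
            reasons.append(f"SBRS {m['sbrs']} ({m.get('sender_group')})")
        if reasons:
            flagged[mid] = reasons
    return flagged
```

The Subject line of MID 13277 quotes the text of an antivirus verdict; because every rule has to match the complete event, it is stored as a subject and does not change either message's verdict.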

See Also

For more information, see “Logging” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Task 14: Configure Email Alerts

You can configure the IronPort appliance to send email-based alerts when errors and other types of events occur.

Concepts

The IronPort appliance can send informational and error alerts. You can configure these alerts based on the information you want to receive and the users who need to receive the information. Different levels of alerts can be delivered to different recipients.

Goal

In this task, you view email alerts and add a recipient for the email alerts.


Configuring Email Alerts

You configure alerts through the GUI on the System Administration > Alerts page.

Figure 4-1 Alerts Page

Figure 4-1 shows the default configuration for email alerts. You can configure the system to deliver a different set of alerts to another email address. To do this, click Add Recipient.


Figure 4-2 Add Alert Recipient Page

On this page, you choose the recipient to receive alerts and the level and type of alert messages to send to that recipient. After you select the alerts, click the Submit button and commit your changes.

See Also

For more information about alerts, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 15: Upgrade the IronPort Appliance

You can use either the CLI or the GUI to perform system upgrades. In the CLI, use the upgrade command. In the GUI, select System Administration > System Upgrades. The system checks for available upgrades and provides a choice of upgrade versions. While the IronPort appliance performs the upgrade, it continues to process mail. The upgrade requires a reboot, which you can perform at a convenient time.

Note that upgrades require download of a significant amount of data. Depending on the speed of your Internet connection, the download can take from several minutes to over an hour. For some sites, it is easier to perform upgrades from the CLI. This allows you to watch the upgrade events more closely than when you perform the upgrade from the GUI.


See Also

For more information about upgrading the IronPort appliance, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.

For information about upgrading IronPort appliances that belong to a centralized management cluster, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.
