GFI MailSecurity for Exchange/SMTP 8
Manual
By GFI Software Ltd.
http://www.gfi.com
E-mail: info@gfi.com
This manual was produced by GFI Software Ltd. Information in this
document is subject to change without notice. Companies, names,
and data used in examples herein are fictitious unless otherwise
noted. No part of this document may be reproduced or transmitted in
any form or by any means, electronic or mechanical, for any purpose,
without the express written permission of GFI Software Ltd.
GFI MailSecurity was developed by GFI Software Ltd. GFI
MailSecurity is copyright of GFI Software Ltd.  1998-2004 GFI Ltd.
All rights reserved.
GFI MailSecurity is a registered trademark, and GFI Software Ltd. and
the GFI logo are trademarks of GFI Software Ltd. in Europe, the
United States and other countries.
Version 8.10 Last updated: March 15, 2004
Contents
Explaining GFI MailSecurity ......................................................................................... 1
Introduction to GFI MailSecurity .................................................................................... 1
Key features of GFI MailSecurity................................................................................... 1
GFI MailSecurity operating modes ................................................................................ 3
GFI MailSecurity VS API Exchange 2000/2003 mode .................................................. 3
GFI MailSecurity SMTP gateway mode ........................................................................ 4
Differences between SMTP gateway and Exchange VSAPI mode .............................. 5
Which operating mode should I use? ............................................................................ 5
Can I use both operating modes? ................................................................................. 6
GFI MailSecurity components ....................................................................................... 6
GFI MailSecurity from a user's perspective................................................................... 7
Add-ons – DownloadSecurity for ISA server ................................................................. 7
Add-ons – GFI MailEssentials ....................................................................................... 8
Installing GFI MailSecurity in VS API mode ................................................................. 9
Introduction to installing in VS API mode ...................................................................... 9
System requirements of VS API mode.......................................................................... 9
Installing GFI MailSecurity in VS API mode .................................................................. 9
Entering your License key after installation................................................................. 11
Installing GFI MailSecurity in gateway mode ............................................................. 13
Introduction to installing in SMTP gateway mode ....................................................... 13
System requirements of GFI MailSecurity SMTP gateway mode ............................... 14
Installing in SMTP Gateway mode on the Exchange server ....................................... 14
Installing in SMTP gateway mode on a separate machine ......................................... 15
The Exchange 5.5 User synchronization wizard ......................................................... 24
Entering your License key after installation................................................................. 25
Configuring Content & Attachment checking ............................................................. 27
Introduction to content checking.................................................................................. 27
Creating a content checking rule ................................................................................. 27
Creating an attachment checking rule ......................................................................... 32
Quarantining ............................................................................................................... 37
Introduction .................................................................................................................. 37
Quarantine options ...................................................................................................... 37
Approving/rejecting mail via an e-mail client ............................................................... 40
Approving/rejecting mail using the Moderator Client................................................... 41
Using the remote moderator client .............................................................................. 42
Quarantined mail from the user point of view.............................................................. 45
Setting up the web based moderator .......................................................................... 46
Configuring Virus checking ........................................................................................ 53
Configuring scanning engines ..................................................................................... 53
Deleting/Quarantining infected mails........................................................................... 53
Norman Virus Control configuration ............................................................................ 54
BitDefender configuration ............................................................................................ 56
McAfee configuration................................................................................................... 57
Kaspersky configuration .............................................................................................. 57
The Email Exploit engine ........................................................................................... 59
Introduction to e-mail exploits...................................................................................... 59
Configuring the email exploit engine ........................................................................... 60
Email exploit update settings....................................................................................... 61
The HTML Threat Engine ........................................................................................... 63
Introduction to the HTML Threat Engine ..................................................................... 63
Configuring the HTML Threat Engine.......................................................................... 64
The Trojan & Executable Scanner ............................................................................. 65
Introduction to the Trojan & executable scanner......................................................... 65
Configuring the Trojan & Executable scanner............................................................. 66
Trojan & Executable scanner update settings............................................................. 67
Decompression engine .............................................................................................. 69
Introduction to the decompression engine .................................................................. 69
Configuring the decompression engine....................................................................... 69
Remote monitoring & administration ......................................................................... 73
Installing the remote monitor/configuration ................................................................. 73
Configuring & monitoring GFI MailSecurity remotely .................................................. 73
Switching to another server to monitor or configure.................................................... 74
General options .......................................................................................................... 75
General options ........................................................................................................... 75
Update options ............................................................................................................ 76
VS API Scanning modes ............................................................................................. 77
Adding additional local domains .................................................................................. 78
Changing the bindings................................................................................................. 79
Checking number of licensed users ............................................................................ 80
Version information...................................................................................................... 81
Advanced topics ......................................................................................................... 83
Determining Outbound/Inbound/Internal mail.............................................................. 83
User synchronization with Exchange 5.5 .................................................................... 83
GFI MailSecurity logging ............................................................................................. 85
Configuring ISA server to allow downloading of updates............................................ 85
Enabling Event Logging for the Virus Scanning API ................................................... 85
Setting Virus Scanning API Performance Monitor Counters....................................... 86
Customizing the notification templates ........................................................................ 87
Troubleshooting ......................................................................................................... 91
Introduction .................................................................................................................. 91
Knowledgebase ........................................................................................................... 91
Request support via e-mail.......................................................................................... 91
Request support via webchat ...................................................................................... 92
Request support via phone.......................................................................................... 92
Web Forum .................................................................................................................. 92
Build notifications......................................................................................................... 92
Index .......................................................................................................................... 93
Explaining GFI MailSecurity
Introduction to GFI MailSecurity
The need to monitor email messages for dangerous, offensive or
confidential content has never been more evident. The most deadly
viruses, able to cripple your email system and corporate network in
minutes, are being distributed worldwide via email in a matter of hours
(for example, the Nimda virus). Anti-virus vendors cannot update their
signatures in time. Worse still, email is also used to install backdoors
(Trojans) and other harmful programs to help potential intruders break
into your network.
Your only defense is to install a comprehensive email content
checking and anti-virus solution to safeguard your mail server &
network. GFI MailSecurity acts as an Email Firewall and protects you
from headline-hitting viruses such as Love Letter, as well as email
attacks targeted at your organization.
GFI MailSecurity for Exchange/SMTP is the market leading email
content security software.
GFI MailSecurity can be installed in 2 modes: the Exchange 2000 VS
API mode or the SMTP gateway mode. The Exchange 2000 VS API
version integrates seamlessly with Exchange Server 2000 and scans
the Exchange 2000 information stores. The SMTP gateway version
should be deployed at the perimeter of the network as a mail relay
server.
GFI MailSecurity is totally transparent to your users - no additional
user training or administration is needed.
Key features of GFI MailSecurity
Email Content checking/filtering
GFI MailSecurity's key feature is the ability to content check all in- and
outbound mail. It can quarantine all mail with dangerous attachments,
such as *.exe, *.vbs and other files. Such attachments are more likely
to carry a virus, worm or email attack. Because email viruses can
spread so quickly and cause immense damage, it is best to quarantine
such emails before they are distributed to the email users. When an
email is quarantined, it can be reviewed by the administrator, who can
then reject or approve the message.
In addition to scanning for harmful attachments, GFI MailSecurity can
check for script code in the message body itself, as well as scanning
for offensive content (for which a company could be sued) and
information leaks (distribution of confidential information by users).
Furthermore, you might choose to quarantine mails carrying *.mp3 or
*.mpg files, as these hog bandwidth and can needlessly burden a mail
server's disk space.
The attachment checking module has effectively saved thousands of
companies from the Love Letter virus.
Email exploit detection engine
GFI's leading research on email exploits has contributed to the
creation of GFI MailSecurity's email exploit detection engine. This
industry-first detects emails that contain known email exploits - think of
it as "email intrusion detection". It therefore safeguards you from any
current or future email viruses and attacks that use known exploits.
GFI MailSecurity is the ONLY email security product to protect against
email exploits. For more information on exploits, visit
http://www.gfi.com/emailsecuritytest/
Automatic removal of HTML scripts
The advent of HTML mail has made it possible for hackers/virus
writers to trigger commands by embedding them in HTML mail. GFI
MailSecurity detects & disables these commands and sends the
'cleaned' HTML mail to the recipient. GFI MailSecurity is the only
product to protect you from potentially malicious HTML e-mail,
allowing you to be secure from not only HTML viruses, but also from
attacks directed at your network via HTML e-mail.
Automatic quarantining of Microsoft Word documents with Word macros
GFI MailSecurity protects you from present and future Word & Excel
macro viruses by automatically quarantining documents with macros.
This means you can safely allow Word documents and Excel spreadsheets
to be sent via e-mail: if they are potentially malicious, you can
rest assured that GFI MailSecurity will quarantine them (or delete
them, if you prefer).
Virus checking using multiple virus engines
GFI MailSecurity scans email for viruses using multiple virus engines.
Scanning email at the gateway and at mail server level prevents
viruses from entering and/or spreading within your network.
Furthermore, you can avoid the embarrassment of sending infected
emails to customers, as GFI MailSecurity also checks outgoing mail
for viruses. GFI MailSecurity includes the industrial-strength Norman
anti-virus & BitDefender virus engines, which have received various
awards. Optionally you can choose to add the McAfee virus engine.
Multiple virus engines give you a higher level of security, since virus
engines complement each other and lower the average virus response
time.
Trojan Executable scanner
GFI MailSecurity is able to analyze incoming executables and rate the
risk-level of an executable. This way, potentially dangerous, unknown
Trojans can be detected before they enter your network.
GFI MailSecurity operating modes
GFI MailSecurity can be operated in 2 modes:
1. Exchange 2000/2003 VS API mode
2. SMTP gateway mode
Depending on your network set-up, and your objectives in deploying
GFI MailSecurity, either mode can be applicable. In some cases you
might consider deploying GFI MailSecurity in both modes.
GFI MailSecurity VS API Exchange 2000/2003 mode
If you have Microsoft Exchange 2000 or 2003, GFI MailSecurity can
integrate with Exchange Server via the Microsoft Virus Scanning API
(VS API).
What is and why use VS API (Virus Scanning API)?
Exchange 2000 & 2003 provide a new virus scan API that is
implemented at a very low level in the Exchange store. This allows a
virus scanning application to run with high performance and
guarantees that the message will be scanned before any client can
access a message or attachment. This low-level access facilitates the
elimination of viruses such as the Melissa virus.
In addition, VS API reduces scalability issues that can arise when a
particular server has a large number of users/mailboxes. VS-API's
real-time scan allows messages and attachments to be scanned once
before delivery, rather than multiple times determined by the number
of mailboxes the message is delivered to. This single-instance
scanning also helps prevent messages from being rescanned when a
message is copied. GFI MailSecurity VS API has the following
features:
• Native MIME/MAPI content scanning
• Proactive scanning
• Priority-based queuing
• Multithreaded queue processing
• Per-Messaging Database configuration options
• Enhanced background scanning
• Event logging
• Virus scanning API-specific Performance Monitor counters
Why choose a product based on the VSAPI?
Microsoft strongly encourages the development and adoption of
Exchange VS API-based anti-virus solutions:
• VS API is secure and preserves the integrity of the Information
Store and its databases
• The Microsoft Exchange product group is committed to providing
enhancements to this API, bug fixes, documentation, and technical
assistance to ISVs using VS API (as appropriate)
• Antivirus solutions using the Extensible Storage Engine API or any
other undocumented API may corrupt the Information Store and its
databases
• The Microsoft Exchange product group does not provide any code
updates, documentation, or technical assistance to address issues
related to the use of a non-VS API-based solution
• For Exchange customers using a non-VS API-based solution,
Microsoft Product Support Services may ask the customer to
uninstall/disable the anti-virus solution to help identify issues, which
may delay the final resolution
• VS API enhances the current core feature set by providing abilities
to optimize and configure the scanning process at multiple levels,
as well as providing Exchange administrators with built-in
functionality to monitor the performance of the new API
For more information about VS API
You can find more information about VS API on this link:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285667
Limitations of using the VS API Exchange 2000/2003 mode
Although VS API is a recommended way to do content checking and
virus scanning on Exchange 2000, there are a number of limitations
which you need to be aware of as a system administrator:
1. The Virus API only scans information stores. That means that if you
have installed GFI MailSecurity for Exchange 2000 on for example a
front-end server, no mail will be scanned, because mail is not being
stored on the front-end server. In this case, you need to use GFI
MailSecurity in SMTP gateway mode.
2. You need to be more careful with applying attachment rules. Some
MAPI applications running on Exchange might be using vbs or exe
files. You need to ensure that if this is the case, you don’t apply rules
to quarantine exe or vbs files to mailboxes used by those applications.
3. Outgoing mails that have been approved need to be resent by the
user. For example, if an executable is quarantined and approved, the
user will get a message saying that he has 24 hours to send that
executable. The reason for this is because the recipient of the
message is not always known with 100% certainty in VS API mode.
GFI MailSecurity SMTP gateway mode
If you do not need to scan internal mail or do not have Microsoft
Exchange 2000/2003, you must install GFI MailSecurity in SMTP
gateway mode. You can install GFI MailSecurity in SMTP Gateway
mode on a separate machine on the perimeter of your network (acting
as a mail relay) or on the Exchange Server 2000/2003 machine itself.
The SMTP gateway mode allows you to set up more powerful content
security rules. If you do not need to scan internal mail, we recommend
the SMTP gateway mode.
Installing GFI MailSecurity on a separate machine
If you decide to install GFI MailSecurity on a separate machine then
you must install GFI MailSecurity in SMTP gateway mode. In this type
of installation GFI MailSecurity checks all inbound and outbound mail
before it reaches your mail server. In order to do this, it must be the
first to receive all mails destined for your mail server and it must be the
last 'stop' for outbound mail, i.e. mails destined for the Internet. In this
set-up GFI MailSecurity acts as a gateway for all email. This set-up is
also known as a 'Smart host' or 'Mail relay' server.
GFI MailSecurity working as a mail gateway/relay
Differences between SMTP gateway and Exchange VSAPI mode
The main differences between the SMTP gateway mode and the
Exchange VS API version of GFI MailSecurity are as follows:
• SMTP Gateway version only scans inbound and outbound mail,
not internal mail
• SMTP Gateway version has more information about the e-mail,
and can therefore quarantine outbound mail without the need for a
ticketing system
• SMTP Gateway version has more information about the e-mail and
can therefore determine better if it’s an inbound or an outbound
mail.
• SMTP Gateway version has a more advanced quarantining
system. It is possible to hold the entire email until a part is
approved or rejected – that way a recipient only receives the mail if
it is approved. He will receive the mail in its entirety.
• Exchange VS API version can only be used on Exchange
2000/2003
• Exchange VS API version can scan internal mail also, and can
therefore prevent internal virus outbreaks.
Which operating mode should I use?
In general we recommend using the gateway version to block
viruses at the gateway and implement advanced content security
rules, and to use the VS API version mainly to block internal
virus outbreaks.
• If you don’t have Exchange 2000/2003, you must use the SMTP
gateway version.
• If you have Exchange 2000/2003, you can choose. If you have a
large network or many users on Exchange, it's better to install GFI
MailSecurity in gateway mode at the perimeter of your network
and use the VS API mode only to block internal virus outbreaks. If
you have a small number of users, you can just install the VS API
version.
• If you want to block entire mails, rather than message parts, you
need to use the SMTP gateway version.
• SMTP gateway mode is the correct mode if you run Exchange
5.5, Lotus Notes or another SMTP/POP3 server!
Can I use both operating modes?
It is possible to deploy both versions at the same time (as long as they
are installed on separate machines). The main advantage of this is
that you can have stricter rules on inbound and outbound mail, and
less strict rules on internal mail. Also, you can avoid mail reaching
your Exchange server in the first place, and use the Exchange VS API
version to control virus outbreaks through internal mail.
GFI MailSecurity components
GFI MailSecurity consists of the following parts:
GFI MailSecurity scan engine
The GFI MailSecurity scan engine analyses the content of all in- and
outbound mail and internal mail (if using in Exchange 2000/2003 VS
API mode).
If a mail is quarantined, the scan engine will notify the appropriate
supervisor/administrator and ask for approval of the message.
GFI MailSecurity configuration
The GFI MailSecurity configuration
The configuration program allows you to set up and configure GFI
MailSecurity. All configuration can be done from the MMC console.
GFI MailSecurity Moderator client
The moderator client – gateway version
GFI MailSecurity allows you to approve or reject messages that are
quarantined in 2 ways – either using the moderator client or via HTML
mail in your inbox. If you have to approve/reject large amounts of mail,
you can use the moderator client.
GFI MailSecurity from a user's perspective
GFI MailSecurity is totally transparent to the user. That means that the
user will not notice that GFI MailSecurity is active, until the user sends
or receives a mail which has triggered a rule in GFI MailSecurity, for
example because it included a forbidden attachment or a virus.
In the case of a suspicious attachment, GFI MailSecurity will
quarantine the mail attachment for review by the administrator.
Optionally, the recipient will receive a message saying that a mail is
waiting for administrator review. Once the administrator approves the
email, the mail will be sent to the recipient.
Add-ons – DownloadSecurity for ISA server
A companion product to GFI MailSecurity is DownloadSecurity.
DownloadSecurity content filters & virus checks user's file downloads.
It uses the same scan engine as GFI MailSecurity.
DownloadSecurity installs on top of Microsoft ISA server (and
therefore requires Microsoft ISA server) and will intercept all files
downloads from users on your network. In this manner, you can safely
allow users to download files from the Internet.
If you use Microsoft Small Business Server, you are probably running
both Microsoft ISA server and Microsoft Exchange Server on a single
machine. GFI MailSecurity & GFI DownloadSecurity can be installed
on that same machine, and together provide http, ftp and SMTP
content security.
For more information, please see the GFI website.
DownloadSecurity is available at a bundle price if purchased in
combination with GFI MailSecurity.
Add-ons – GFI MailEssentials
A companion product to GFI MailSecurity is GFI MailEssentials.
MailEssentials adds a number of corporate email features to
Exchange Server, notably:
• Anti Spam
• Disclaimers
• Centralized archiving of inbound and outbound mail
• POP3 downloader
• Server based auto replies
For more information, please see the GFI website.
MailEssentials is available at a bundle price if purchased in
combination with GFI MailSecurity.
Installing GFI MailSecurity in VS API mode
Introduction to installing in VS API mode
This chapter explains how to install and configure GFI
MailSecurity in Exchange 2000/2003 VS API mode. In this mode, GFI
MailSecurity uses the low level Microsoft Virus scanning API, ensuring
that the scanning process will be done in a high performance and
reliable manner. For more information about GFI MailSecurity
operating modes and VS API, please see the previous chapter.
VS API mode requires Exchange 2000 (SP1) or Exchange 2003!
System requirements of VS API mode
To install GFI MailSecurity you need:
• Windows 2000 Server or Advanced Server with Service Pack 1 or
higher installed OR Windows 2003 Server or Advanced Server.
• Microsoft Exchange server 2000 with Service Pack 1 or higher
installed or Microsoft Exchange server 2003.
• If using Small Business Server, ensure you have installed Service
Pack 2 for Exchange Server.
• IMPORTANT: Disable Anti Virus software from scanning the GFI
MailSecurity directories! AV products are known to both interfere
with normal operation as well as slow down any software which
requires file access. In fact Microsoft does not recommend running
file based anti virus software on the Exchange Server. For more
information: http://kbase.gfi.com/showarticle.asp?id=KBID001559
• Make sure that backup software is not backing up any of the GFI
MailSecurity directories at any point.
Installing GFI MailSecurity in VS API mode
Before you install GFI MailSecurity, please make sure you are logged
on as an Administrator.
Step 1: Run GFI MailSecurity set-up by double-clicking the file
MailSecurity.exe on the Exchange Server machine. GFI MailSecurity
will also prompt you to check for a later GFI MailSecurity version. We
recommend you do this and always use the latest version.
Step 2: Confirm the License agreement.
Step 3: Enter your Name, company, and License key. If you are
evaluating the product, leave the default ‘Evaluation’. Click Next.
Step 4: Set-up will now ask you if you wish to install in SMTP
Gateway mode or in VS API mode. Choose VS API mode.
Step 5: Set-up will now ask you to specify the administrator email
address. Enter the e-mail address of the Administrator.
Specifying the administrator email address
Step 6: Set-up will now ask you where you want GFI MailSecurity to
be installed. GFI MailSecurity will need approximately 30 MB of free
hard disk space. In addition to this, you must reserve approximately
200 MB for temporary files.
Step 7: Set-up will confirm installation in VS API mode and will now
copy all program files to the selected destination, and finish the
installation by creating a GFI MailSecurity program group. Click Finish
to finish setup.
The GFI MailSecurity services & the GFI MailSecurity VS API engine
will now be started.
Step 8: You can check if GFI MailSecurity is running using the GFI
MailSecurity monitor. Note that it can take up to a minute before GFI
MailSecurity will load, because VS API has to load GFI MailSecurity
first.
The GFI MailSecurity remote monitor
To monitor GFI MailSecurity: Click Start > Programs > GFI
MailSecurity and select GFI MailSecurity monitor.
Note that the monitor refers to items, not mails. An item is a message
part, such as a mail body or an attachment. Therefore a mail can
contain multiple items. For example a mail with 2 attachments consists
of 3 parts/items: 1 body and 2 attachments.
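As an added illustration (not code from the manual or from GFI), the following Python script enumerates the items of a MIME message the way the monitor counts them (one body plus one item per attachment) and applies an attachment-checking rule of the kind described under 'Email Content checking/filtering', holding mail that carries the file types the manual names; the sample message, addresses and extension list are constructed for this example.

```python
"""Added example: count MIME 'items' (body + attachments) and apply a simple
attachment-checking rule. Not GFI code; the rule and sample mail are assumptions."""
import email
from email import policy
from email.message import EmailMessage

# Extensions the manual names as likely virus carriers (*.exe, *.vbs) or
# bandwidth hogs (*.mp3, *.mpg). A real rule set would be configured, not fixed.
QUARANTINE_EXTENSIONS = {".exe", ".vbs", ".mp3", ".mpg"}


def enumerate_items(raw: bytes) -> list:
    """Return the items of a mail as (kind, name) tuples.

    The body counts as one item and every attachment as one more, so a mail
    with 2 attachments yields 3 items, matching how the monitor reports them.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    items = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        items.append(("body", body.get_content_type()))
    for part in msg.iter_attachments():
        items.append(("attachment", part.get_filename() or "<unnamed>"))
    return items


def check_attachments(raw: bytes, quarantine_exts=QUARANTINE_EXTENSIONS) -> tuple:
    """Apply the attachment rule: any attachment whose name ends in one of the
    quarantined extensions causes the mail to be held for administrator review.

    Returns (decision, offending_names) where decision is 'quarantine' or
    'deliver'. Matching is case-insensitive on the final extension, so a
    double extension such as 'report.txt.exe' is still caught.
    """
    offending = []
    for kind, name in enumerate_items(raw):
        if kind != "attachment":
            continue
        lower = name.lower()
        if any(lower.endswith(ext) for ext in quarantine_exts):
            offending.append(name)
    return ("quarantine" if offending else "deliver", offending)


def build_sample_mail() -> bytes:
    """Construct a sample message (not real traffic): a text body plus two
    attachments, one harmless CSV file and one executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please find the attached files.")
    msg.add_attachment("1,2,3\n", subtype="csv", filename="figures.csv")
    # Constructed placeholder bytes, not a real program.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Report.EXE")
    return bytes(msg)


if __name__ == "__main__":
    raw = build_sample_mail()
    items = enumerate_items(raw)
    print(f"{len(items)} items: {items}")
    print(check_attachments(raw))
```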
Entering your License key after installation
If you have purchased GFI MailSecurity, you can enter your License
key in the General > Licensing node.
If you are evaluating GFI MailSecurity with an evaluation key, the
product will time out after 60 days. If you then decide to purchase GFI
MailSecurity, you can just enter the License key here without having to
re-install.
Entering the License key should not be confused with the process of
registering your company details on our website. This is important;
since it allows us to give you support and notify you of important
product news. Register on:
http://www.gfi.com/pages/regfrm.htm
In VS API mode, you must license GFI MailSecurity based on the
number of mailboxes that you have on Exchange Server.
Installing GFI MailSecurity in gateway mode
Introduction to installing in SMTP gateway mode
This chapter explains how to install and configure GFI
MailSecurity in SMTP gateway mode. There are 2 ways to install GFI
MailSecurity in SMTP gateway mode:
1. On the Exchange Server 2000/2003 machine.
2. On a separate machine at the perimeter of your network.
If you are installing on the Exchange Server 2000/2003 machine, setup
is very straightforward. Simply choose gateway mode rather than
VS API mode.
If installing on a separate server, you must configure that machine to
act as a gateway for all mail first. This set-up is also known as 'Smart
host' or 'Mail relay' server. Once configured, you can install GFI
MailSecurity on that machine.
In SMTP gateway mode, GFI MailSecurity checks inbound and
outbound mail before it reaches your mail server. For more
information about GFI MailSecurity operating modes and the SMTP
gateway mode, please see the chapter ‘Explaining GFI MailSecurity’.
SMTP gateway mode is the correct mode if you run Exchange
5.5, Lotus Notes or another SMTP/POP3 server!
If you are running a Windows NT network: The machine running
GFI MailSecurity can be totally separate from your Windows NT
network – GFI MailSecurity does not require Active Directory!
Installing GFI MailSecurity in front of your firewall
A good way to deploy GFI MailSecurity is to install it on a separate
machine in front of your firewall or on your firewall (if running a
Windows 2000/2003 firewall such as Microsoft ISA Server). This
allows you to keep your corporate mail server behind the firewall. GFI
MailSecurity will act as a smart host/mail relay server in the perimeter
network (also known as DMZ - demilitarized zone).
Additional advantages are:
• You can perform maintenance on your Mail server machine, whilst
still receiving email from the Internet.
• You use less resources on your Mail server machine
• The GFI MailSecurity machine can have a lower spec than the
Mail server machine and process mail faster.
• Additional fault tolerance – if anything happens with your Mail
server you still receive mail, which is queued on the GFI
MailSecurity machine.
Note: This separate machine does not need to be dedicated to GFI
MailSecurity; it can be running other applications, for example a
firewall.
System requirements of GFI MailSecurity SMTP gateway mode
• Windows 2000 - Pro, Server or Advanced Server OR Windows
2003 - Pro, Server or Advanced Server OR Windows XP. (Note
that if you use Windows 2000 Pro or XP, you will only be able to
accept up to 10 inbound SMTP connections simultaneously, so it is
better to use a Windows server version.)
• Microsoft Exchange Server 2003, 2000, 4, 5 or 5.5, Lotus Notes
4.5 and up, or an SMTP/POP3 mail server.
• IMPORTANT: Disable anti-virus software from scanning the GFI
MailSecurity & IIS directories! AV products are known both to
interfere with normal operation and to slow down any software
which requires file access. For more information:
http://kbase.gfi.com/showarticle.asp?id=KBID001559
• Make sure that backup software is not backing up any of the GFI
MailSecurity directories at any point.
Installing in SMTP Gateway mode on the Exchange server
Before you install GFI MailSecurity, please make sure you are logged
on as an Administrator.
Step 1: Run GFI MailSecurity set-up by double-clicking the file
MailSecurity.exe on the Exchange Server machine. GFI MailSecurity
will also prompt you to check for a later GFI MailSecurity version. We
recommend you do this and always use the latest version.
Step 2: Confirm the License agreement.
Step 3: Enter your Name, company, and License key. If you are
evaluating the product, leave the default ‘Evaluation’. Click Next.
Step 4: Set-up will now ask you if you wish to install in SMTP
Gateway mode or in VS API mode. Choose SMTP Gateway mode.
Step 5: Set-up will now ask you to specify the administrator email
address. Enter the e-mail address of the Administrator.
Specifying the administrator email address
Step 6: Set-up will now ask you where you want GFI MailSecurity to
be installed. GFI MailSecurity will need approximately 30 MB of free
hard disk space. In addition to this, you must reserve approximately
200 MB for temporary files.
Step 7: Set-up will now copy all program files to the selected
destination, and finish the installation by creating a GFI MailSecurity
program group. Click Finish to finish setup. The GFI MailSecurity
services will now be started.
Step 8: You can check if GFI MailSecurity is running using the GFI
MailSecurity monitor.
The GFI MailSecurity remote monitor
To monitor GFI MailSecurity: Click Start > Programs > GFI
MailSecurity and select GFI MailSecurity monitor.
Note that the monitor refers to items, not mails. An item is a message
part, such as a mail body or an attachment. Therefore a mail can
contain multiple items. For example a mail with 2 attachments consists
of 3 parts/items: 1 body and 2 attachments.
Installing in SMTP gateway mode on a separate machine
In order for GFI MailSecurity to be installed on a separate machine,
the IIS SMTP service must be installed and running on that machine
and configured as an SMTP relay to your mail server. This means that
the MX record of your domain must be pointing to the machine on
which you will install GFI MailSecurity. This chapter describes how
you can install the mail relay. For more information about this:
http://support.microsoft.com/support/kb/articles/Q293/8/00.ASP
Installing & configuring the IIS SMTP service
GFI MailSecurity uses the Windows 2000/2003 IIS SMTP service as
its SMTP server. Because GFI MailSecurity works with this SMTP
service, you need to configure this service as a mail relay server first.
About the Windows 2000/2003 IIS SMTP service
The SMTP service is part of IIS, which is part of Windows 2000/2003.
It is used as the message transfer agent of Microsoft Exchange
Server, and has been designed to handle large amounts of mail traffic.
The Windows 2000/2003 IIS SMTP service is included in every
Windows 2000/2003 distribution, including Windows 2000 professional
and XP.
To install & configure the IIS SMTP service as a mail relay server:
Step 1: Verify the Installation of the SMTP Service
In Control Panel, open Add/Remove Programs, click Add/Remove
Windows Components. Click the Internet Information Services (IIS)
component, click Details, and then verify that the SMTP Service check
box is selected. If it is not selected, click to select it, click OK, and then
follow the installation directions that are displayed.
Specify mail relay server name and assign IP
Step 2: Specify mail relay server name and assign an IP
1. Click Start, point to Programs, click Administrative Tools, and then
click Internet Services Manager.
2. Expand the tree under the server name, and then expand the
Default SMTP Virtual Server. Right click and select 'Properties'.
Assign an IP to it.
Step 3: Configure the SMTP Service to relay mail to your
mail server
In this step, you configure the SMTP service to relay inbound
messages to your mail server.
Note: During installation, GFI MailSecurity will perform this step for
you automatically. GFI MailSecurity will ask for your local domain
name, and create it as a remote domain. You will see the domain
listed in the right pane. However, if you do this step manually, you can
confirm that your relay server is working properly before running the
GFI MailSecurity installation.
Creating a local domain in IIS to route mail
1. Click Start, point to Programs, click Administrative Tools, and then
click Internet Services Manager.
2. Expand the tree under the server name, and then expand the
Default SMTP Virtual Server. By default, you should have a Local
(Default) domain with the fully qualified domain name of the
server.
3. Configure the domain for inbound:
a) Right-click the Domains icon, click New, and then click
Domain.
b) Click Remote, click Next, and then type the domain name in
the Name box. Click Finish.
Configure the domain
IMPORTANT NOTE ABOUT LOCAL DOMAINS
Note: Upon installation, MailSecurity will import local domains from the
IIS SMTP service. If you want additional local domains, you have to
add these local domains in the MailSecurity configuration. For more
information see ‘Adding additional local domains’ in the Advanced
Topics chapter.
If you add additional local domains in the IIS SMTP service, they will not
be recognized automatically until you enter them in the MailSecurity
configuration. This allows you to set up remote smart hosts for
particular domains that are not local.
Configure the domain to relay mail to your mail server:
1. In the properties for the domain that you just created, click to
select the Allow the Incoming Mail to be Relayed to this Domain
check box.
2. If this is being set up for an internal domain, you should specify the
server that receives email for the domain name by the IP address
in the Route domain dialog box.
3. Click the forward all email to smart host option, and then type the
IP address of the server that is responsible for email for that
domain in square brackets. For example:
[123.123.123.123]
Note: Typing the IP address of the server in square brackets is
necessary so that the server recognizes this is an IP address and
not a host name.
4. Click OK.
Relay options
Step 4: Secure your mail relay server.
In this step you will specify your mail server name, and any other mail
servers that will send mail via this mail relay server. Effectively you
will limit the servers that can send mail through this server:
1. Open the properties of the Default SMTP Virtual Server.
2. On the Access tab, click Relay.
3. Click Only the list below, click Add, and then add the IP of your
mail server that will be forwarding the mail to this server. You can
specify a single computer, group of computers or a domain:
a) Single computer: Specify one particular host that you want to
allow to relay through this server. If you click the DNS Lookup button,
you can look up the IP address of a specific host.
b) Group of computers: Specify a base IP address for the
computers that you want to relay.
c) Domain: Select all of the computers in a domain by domain
name that will openly relay. This option adds processing
overhead, and might reduce the SMTP service performance
because it includes reverse DNS lookups on all IP addresses
that try to relay to verify their domain name.
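The relay restriction in Step 4 is what keeps the new gateway from becoming an open relay: mail addressed to one of your local domains is inbound and is accepted from any host, while mail for any other domain is relayed only for the hosts on the list. The Python below is an added example (not GFI MailSecurity or Microsoft code) that models that decision for one recipient address, together with the square-bracket smart host notation from Step 3. The IP addresses, domain names and allow list entries are constructed sample values; the "domain" form of the list, which IIS verifies by reverse DNS on the connecting address, is modelled by passing the already resolved name in.

```python
"""Model of the IIS SMTP relay restriction ('Only the list below') and of the
smart host address format used in Step 3.  Added example; not GFI MailSecurity
or Microsoft code.  All addresses and names below are constructed samples."""
import ipaddress

# Constructed allow list in the three forms the Relay dialog offers:
# a single computer, a group of computers (base address + subnet mask),
# and a domain (IIS verifies this one by reverse DNS on the connecting IP).
RELAY_ALLOW_LIST = [
    ("single", "192.0.2.10"),
    ("group", "198.51.100.0/255.255.255.0"),
    ("domain", "mail.example.test"),
]
LOCAL_DOMAINS = ["example.com"]   # domains the gateway accepts mail for


def parse_smart_host(value):
    """Smart host field: '[1.2.3.4]' is a literal IP (the brackets tell the
    SMTP service not to treat it as a host name), anything else is a name."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        ip = ipaddress.ip_address(value[1:-1])   # raises ValueError if bogus
        return ("ip", str(ip))
    return ("host", value)


def relay_allowed(client_ip, allow_list, client_rdns=None):
    """True if the connecting host is on the relay allow list."""
    ip = ipaddress.ip_address(client_ip)
    for kind, spec in allow_list:
        if kind == "single" and ip == ipaddress.ip_address(spec):
            return True
        if kind == "group":
            base, mask = spec.split("/")
            if ip in ipaddress.ip_network(f"{base}/{mask}", strict=False):
                return True
        if kind == "domain" and client_rdns:
            name = client_rdns.lower().rstrip(".")
            if name == spec.lower() or name.endswith("." + spec.lower()):
                return True
    return False


def decide_relay(client_ip, rcpt_domain, local_domains=LOCAL_DOMAINS,
                 allow_list=RELAY_ALLOW_LIST, client_rdns=None):
    """Decision for one RCPT TO address on the gateway.

    Mail for a local domain is inbound and is accepted from any host (that is
    the gateway's job).  Mail for any other domain is a relay request and is
    accepted only from hosts on the allow list; everything else is refused,
    which is what stops the relay being abused as an open relay."""
    if rcpt_domain.lower() in {d.lower() for d in local_domains}:
        return "accept-inbound"
    if relay_allowed(client_ip, allow_list, client_rdns):
        return "relay-outbound"
    return "reject-relay"
```

The decision function is the check worth running in your head against your own list: any host that can reach the gateway on port 25 and get "relay-outbound" for a non-local domain is a host you have deliberately trusted.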
Step 5: Configure your mail server to relay mail via the mail
relay server
After you have configured the IIS SMTP service to send and receive
mail, you must configure your mail server to relay all mail to the mail
relay server. To do this:
If you have Microsoft Exchange Server 4/5/5.5:
1. Start up Microsoft Exchange Administrator.
2. Go to the Internet Mail Service and double-click on it to configure
its properties.
The Microsoft Internet mail connector
3. Go to the Connections tab.
4. In the Message Delivery section, select 'Forward all messages to host'.
Enter the computer name or IP of the machine running GFI
MailSecurity.
5. Click OK and restart Exchange server. This can be done from the
services applet.
If you have Microsoft Exchange Server 2000/2003:
You will need to set-up an SMTP connector that forwards all mail to
GFI MailSecurity:
1. Start up Exchange System Manager
2. Right-click on the Connectors Node->New->SMTP Connector and
create a new SMTP connector. You will be prompted for a name.
3. Now select the option "Forward all mail through this connector to
the following smart host", and type in the IP of the GFI
MailSecurity server (the mail relay server) enclosed within square
brackets [ ] (e.g. [100.130.130.10]). Click OK to add it.
4. Select the SMTP Server that the SMTP Connector will be working
on. Go to the Address Space tab, and click Add. Select SMTP and
click OK.
5. Click OK to exit. All mails will now be forwarded to the GFI
MailSecurity machine.
If you have Lotus Notes:
1. Double-click on the Address Book button in Lotus Notes.
2. Click on the Server item to open its sub-items.
3. Click on Domains.
4. Click on Add Domains.
5. In the Basics section, select Foreign SMTP Domain from the
Domain Type field.
6. In the Messages Addressed to section, type '*' in the Internet
Domain field.
7. In the Should be routed to section, enter the IP number of the Mail
Essentials machine in the Internet Host field.
8. Save the settings and restart the Lotus Notes server.
If you have an SMTP/POP3 mail server:
1. Start-up the configuration program of your mail server.
2. Search for the option to relay all outbound mail via another mail
server. This option will be called something like 'Forward all
messages to host’. Enter the computer name or IP of the machine
running GFI MailSecurity.
3. If necessary, click OK and restart your mail server.
Step 6: Point the MX record of your domain to the mail relay
server.
Since the new mail relay server must receive all inbound mail first, you
must update the MX record of your domain to point to the IP of the
new mail relay server. Otherwise mail will continue to go to your mail
server and by-pass GFI MailSecurity.
If you run your own DNS server, you need to update this in your DNS
server. If your ISP manages it for you, you need to ask your ISP to
update the MX record for you. After you have done this, check that the
MX record is correct using the following procedure.
Checking if the MX record for your domain is set correctly
1. Open a command prompt. Type nslookup.
2. Now type 'set type=mx'.
3. Enter your mail domain.
4. The MX record should return a single IP. This IP must be the IP of
the machine on which GFI MailSecurity is installed!
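The point of step 4 is easy to miss when reading nslookup output by eye: a second, lower-priority MX record that still names the old mail server lets sending hosts deliver around the gateway entirely. The Python below is an added example (not GFI code) that parses the text Windows nslookup prints for 'set type=mx' and applies the manual's rule: exactly one MX record, resolving to the GFI MailSecurity machine. The two nslookup transcripts embedded in it are constructed samples with documentation addresses.

```python
"""Parse the output of 'nslookup' with 'set type=mx' and apply the check from
Step 6: the domain should have a single MX record and it must point at the
GFI MailSecurity gateway.  Added example; not GFI code.  The nslookup text
below is a constructed sample in the format Windows nslookup prints."""
import re

MX_RE = re.compile(r"^\S+\s+MX preference = (\d+), mail exchanger = (\S+)", re.M)
A_RE = re.compile(r"^(\S+)\s+internet address = (\d+\.\d+\.\d+\.\d+)", re.M)

# Constructed: a correct result, one MX pointing at the gateway.
GOOD_OUTPUT = """\
Server:  dns.example.test
Address:  192.0.2.53

Non-authoritative answer:
example.com     MX preference = 10, mail exchanger = gateway.example.com

gateway.example.com     internet address = 203.0.113.25
"""

# Constructed: a stale MX for the old mail server is still published, so mail
# delivered via it never passes through the gateway.
STALE_OUTPUT = """\
Server:  dns.example.test
Address:  192.0.2.53

Non-authoritative answer:
example.com     MX preference = 10, mail exchanger = gateway.example.com
example.com     MX preference = 20, mail exchanger = mail.example.com

gateway.example.com     internet address = 203.0.113.25
mail.example.com        internet address = 198.51.100.5
"""


def parse_nslookup_mx(output):
    """Return [(preference, exchanger, ip or None)] sorted by preference."""
    addresses = {host.lower().rstrip("."): ip for host, ip in A_RE.findall(output)}
    records = []
    for pref, host in MX_RE.findall(output):
        host = host.lower().rstrip(".")
        records.append((int(pref), host, addresses.get(host)))
    return sorted(records, key=lambda r: (r[0], r[1]))


def check_mx(output, gateway_ip):
    """Apply the manual's rule to parsed output; return (ok, reason)."""
    records = parse_nslookup_mx(output)
    if not records:
        return False, "no MX record found for the domain"
    if len(records) > 1:
        bypass = [host for _, host, ip in records if ip != gateway_ip]
        return False, ("more than one MX record; mail can bypass the gateway via "
                       + ", ".join(bypass))
    _, host, ip = records[0]
    if ip is None:
        return False, f"MX host {host} has no address in the nslookup output"
    if ip != gateway_ip:
        return False, f"MX host {host} resolves to {ip}, not the gateway {gateway_ip}"
    return True, f"single MX {host} resolves to the gateway {gateway_ip}"
```

To use it against a live domain, paste the real nslookup session into check_mx together with the gateway's address; the parser only relies on the "MX preference" and "internet address" lines, so the server banner lines are ignored.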
Checking the MX record of your domain
Step 7: Test your new mail relay server!
Before you proceed to install GFI MailSecurity, verify that your new
mail relay server is working correctly.
1. Test IIS 5 SMTP inbound connection of your mail relay server by
sending a mail from an external account to an internal user (you can
use hotmail, if you don’t have an external account available). Verify
that the mail client received the email.
2. Test IIS 5 SMTP outbound connection of your mail relay server by
sending a mail to an external account from a mail client. Verify that the
external user received the email.
Note: Instead of using an email client, you can use Telnet and
manually send an email. This will give you more troubleshooting
information. The following Microsoft KB article describes how to do it:
http://support.microsoft.com/support/kb/articles/Q153/1/19.asp
Step 8: Running GFI MailSecurity set-up
Step 1: Run GFI MailSecurity set-up by double-clicking the file
MailSecurity.exe on the SMTP relay machine. GFI MailSecurity will
also prompt you to check for a later GFI MailSecurity version. We
recommend you do this and always use the latest version.
Step 2: Confirm the License agreement.
Step 3: Enter your Name, company, and License key. If you are
evaluating the product, leave the default ‘Evaluation’. Click Next.
Step 4: Set-up will now ask you to specify the administrator email
address. Enter the e-mail address of the Administrator.
Specifying the administrator email address
Step 5: Set-up will now ask you where you want GFI MailSecurity to
be installed. GFI MailSecurity will need approximately 30 MB of free
hard disk space. In addition to this, you must reserve approximately
200 MB for temporary files.
Step 6: Set-up will now ask you to specify your mail server IP & port
and your local domain.
The local domain is the last part of your internal e-mail address, for
example gfi.com. You can use the Test IP function to test whether the
IP and port you specified are correct.
Is Active Directory installed?
Step 7a: This step only occurs if Active Directory is installed! If
Active Directory is installed, set-up will ask you whether this server
has access to all Network users in Active Directory. This step is
relevant if you are installing GFI MailSecurity on a machine in the
DMZ that is not part of the main domain, and therefore will not have all
users listed in Active Directory. In this case you can select that GFI
MailSecurity will not use Active Directory to retrieve users. Users will
be based on SMTP e-mail addresses and not on Active Directory
users. Users will be automatically added to a database as e-mail flows
through the GFI MailSecurity scan engine. (Each internal email
address is automatically added to the database)
Step 7b: This step only occurs if Active Directory is NOT
installed! GFI MailSecurity will ask you what type of internal mail
server you are running.
What mail server you are running
In this dialog you have 3 options:
1. Microsoft Exchange Server 5.5. In this case, GFI MailSecurity
will synchronize its users with the Exchange Server 5.5 user
database. If you select this option, after installation the GFI
MailSecurity User synchronization wizard will start and retrieve
users from your Exchange 5.5 server. Note: Install Microsoft
Exchange administrator on the machine running GFI
MailSecurity!
2. SMTP/POP3 server or Lotus Notes. In this case, GFI
MailSecurity will automatically add users to a database as e-mail
flows through the GFI MailSecurity scan engine. (Each internal
email address is automatically added to the database)
3. Microsoft Exchange Server 2000/2003. This option is identical to
the SMTP/POP3 server or Lotus Notes option. If GFI MailSecurity
is running on the DMZ, and does not have access to all network
users in Active Directory, GFI MailSecurity will automatically add
users to a database as e-mail flows through the GFI MailSecurity
scan engine. (Each internal email address is automatically added
to the database) Note: If GFI MailSecurity is running on the DMZ,
and does not have access to Exchange 5.5, you can also select
this option.
The set-up program will now copy all program files to the selected
destination, and finish the installation by creating a GFI MailSecurity
program group. Click Finish to finish setup.
The GFI MailSecurity services will now be started.
Step 8: You can check if GFI MailSecurity is running using the GFI
MailSecurity monitor.
The GFI MailSecurity remote monitor
To monitor GFI MailSecurity: Click Start > Programs > GFI
MailSecurity admin tools and select GFI MailSecurity monitor.
The Exchange 5.5 User synchronization wizard
Note: In order for the synchronization wizard to run, install the
Microsoft Exchange administrator on the machine running GFI
MailSecurity!
The User synchronization wizard is only applicable to Microsoft
Exchange server 5.5 users. This wizard will automatically start after
you have installed GFI MailSecurity AND selected that you are
running Microsoft Exchange Server 5.5. This wizard will connect to
Exchange server and synchronize users via DAPI, so as to allow you
to configure rules on a per user basis.
Requirements to run the User Synchronization Wizard
1. The Exchange 5.5 administrator must be installed on the GFI
MailSecurity machine. GFI MailSecurity requires certain DAPI DLLs
installed by the Exchange 5.5 administrator in order to successfully
perform the synchronization process.
2. An account with administrative rights within the Exchange directory.
You can either specify a separate account, or use your own admin
account. If you use a separate account, you can use this procedure to
grant an account admin rights in the Exchange 5.5 directory:
• From the Exchange Administrator, open the Properties for the Site
against which synchronization should be performed.
• In the Permissions tab, grant the account used for synchronization
the 'Admin' role.
• Repeat the same procedure for the 'Configuration' container within
the Site.
• In case you want to synchronize multiple Exchange sites, you will
need to repeat the whole procedure for each of the sites.
Running the User synchronization Wizard
Step 1: When the Wizard is started you are presented with the initial
welcome screen. Click Next to Continue.
Step 2: The User sync wizard will ask you for:
• The Exchange Server 5.5 machine name.
• A username (use domain notation, i.e. domain\username) and
password which it should use to connect to the Exchange 5.5
server.
Note that if you use an administrative account on which you change
the password regularly, you will have to change the password for the
synchronization service also.
Step 3: Confirm the entries you specified by clicking on ‘Confirm
settings’ and click Next. The wizard will now retrieve a list of sites from
which you can retrieve users. Select the sites from which you wish to
retrieve users and click Next.
Step 4: User synchronization will now take place. GFI MailSecurity will
install a new service, called the MailSecurity synchronisation service
and will re-start a number of services. Click Next to finish. The GFI
MailSecurity database will be populated with all users from the
Exchange 5.5 directory.
Entering your License key after installation
If you have purchased GFI MailSecurity, you can enter your License
key in the General > Licensing node.
If you are evaluating GFI MailSecurity with an evaluation key, the
product will time out after 60 days. If you then decide to purchase GFI
MailSecurity, you can just enter the License key here without having to
re-install.
Entering the License key should not be confused with the process of
registering your company details on our website. This is important,
since it allows us to give you support and notify you of important
product news. Register on:
http://www.gfi.com/pages/regfrm.htm
In Gateway mode, you must license GFI MailSecurity based on the
number of users in Active Directory that have an e-mail address
configured.
Configuring Content & Attachment checking
Introduction to content checking
This chapter explains how to set up content & attachment checking in
GFI MailSecurity. The content checking feature allows you to set up a
policy regarding what types of email you will allow on your mail server.
To set up such a policy, GFI MailSecurity uses the concept of 'Rules'.
A rule is a condition that you set, for example, blocking all executable
attachments.
Other examples of rules are:
• blocking all mails which contain certain words
• blocking all mails with attachments that can contain programs or
scripts (*.vbs) (Love Letter!)
• blocking certain users from sending attachments altogether.
Types of Content checking rules
There are two types of content checking rules:
Content checking rule - this rule allows you to search a mail
message and its attachments for certain words. This allows you to
block mails and attachments with certain content. For example, you
can block attachments with specific words.
Attachment checking rule – An attachment checking rule allows you
to block attachments of a certain type.
Both rules can be applied to all users or a specified list of users.
Creating a content checking rule
To create a content checking rule:
1. Highlight the content checking node in the GFI MailSecurity
configuration. Right click and select New> Content checking rule.
2. A new rule will be created in the right pane. Highlight this rule and
double-click it. A tabbed dialog will appear.
Checking the body & subject
A content checking rule (VSAPI mode)
3. In the General tab, you can specify whether you wish to apply this
rule to inbound mail, internal mail, outbound mail or all. You
can also block PGP encrypted messages.
4. Now you can enter the conditions & keywords you wish to content
check emails for. Select either 'Add Condition' to enter a condition that
uses operands, or select 'Add Keyword' to enter a single keyword or a
phrase.
Adding a condition
Adding conditions
Conditions are combinations of keywords using the operands IF, AND,
AND NOT, OR or OR NOT. Using conditions, you can specify
combinations of words that must appear in the e-mail. For example a
condition "If Word1 AND Word2" will check for Word1 and Word2.
Both words would have to be present in the mail to activate the rule.
To add a condition, select 'Add Condition'.
Adding a keyword or phrase
Adding keywords
If you only wish to check for single words or phrases, you do not need
to create a condition. In this case you can just add a keyword. Select
'Add Keyword' to do this. If you enter multiple words, then GFI
MailSecurity will search for that phrase. For example, if you enter
Basketball sports, then GFI MailSecurity will check for the phrase
'Basketball sports'. Only this phrase would activate the rule, not the
word basketball or the word sports on its own.
5. By default, only the message body of the mail will be checked. You
can have GFI MailSecurity open an attachment and check for
keywords in the attachment itself. To do this, click on 'Attachment
checking options'. Enable 'Check these attachments', and specify the
extensions of the attachments you wish to content check using the
Add & remove buttons.
Note: This option will cost processing time, since it is time intensive to
search for words through attachments. It is best to only do this for doc,
txt and rtf attachments and to quarantine other attachments.
6. After you have specified keywords and combinations to check for,
you can select a number of options:
Match whole words only: Enabling this option allows you to ensure
that GFI MailSecurity will only block mails where the word you specify
is a whole word. For example, if you specify the word sport, an email
with the word sport will be blocked, but not an email with the word
Allsports.
Block PGP encrypted mails: This option will block/quarantine
messages that are encrypted using PGP. This will allow you to
intercept messages trying to bypass the GFI MailSecurity content
checking engine.
Import/Export: You can import keywords & conditions using the
Import/Export function. To do this, create a text file and include each
condition or keyword on a separate line. Phrases should be enclosed
in “”. Condition operators should be written in capitals. Tip: Export a
sample file to see the exact format.
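The rule semantics described in this section (keyword phrases, IF/AND/AND NOT/OR/OR NOT conditions, and the 'Match whole words only' option) are small enough to be shown as working code. The Python below is an added example and is not GFI MailSecurity's content checking engine; it reads rules in the import-file form described above, one keyword or condition per line with phrases in double quotes and operators in capitals. The exact export file format and the left-to-right evaluation order of a condition are assumptions, and the rule file and message bodies are constructed samples.

```python
"""Evaluator for content checking keywords and conditions in the import-file
form described above: one keyword or condition per line, phrases in double
quotes, operators IF / AND / AND NOT / OR / OR NOT in capitals.  Added
example, not GFI MailSecurity's engine; the exact export format and the
left-to-right evaluation order are assumptions, and the rules and message
bodies are constructed samples."""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
OPERATORS = {"IF", "AND", "OR", "NOT"}

# Constructed rule file: a condition, a quoted phrase and a single keyword.
SAMPLE_RULES = '''\
IF confidential AND NOT "press release"
IF "basketball sports"
sport
'''


def tokenize(line):
    """Split a rule line into ('op', X) and ('term', X) tokens."""
    tokens = []
    for phrase, word in TOKEN_RE.findall(line):
        if phrase:
            tokens.append(("term", phrase))
        elif word in OPERATORS:
            tokens.append(("op", word))
        elif word:
            tokens.append(("term", word))
    return tokens


def term_present(term, text, whole_words):
    """Case-insensitive search; with whole_words, 'sport' does not match
    'Allsports' (the example given in the manual)."""
    if whole_words:
        pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
        return re.search(pattern, text, re.IGNORECASE) is not None
    return term.lower() in text.lower()


def evaluate_rule_line(line, text, whole_words=False):
    """Evaluate one line left to right.  'AND NOT' / 'OR NOT' arrive as an
    AND/OR token followed by a NOT token, which negates the next term."""
    tokens = tokenize(line)
    if tokens and tokens[0] == ("op", "IF"):
        tokens = tokens[1:]
    result, pending_op, negate = None, "AND", False
    for kind, value in tokens:
        if kind == "op":
            if value == "NOT":
                negate = True
            else:
                pending_op = value
            continue
        present = term_present(value, text, whole_words)
        if negate:
            present, negate = not present, False
        if result is None:
            result = present
        elif pending_op == "AND":
            result = result and present
        else:
            result = result or present
    return bool(result)


def check_message(rules_text, text, whole_words=False):
    """Return the rule lines (in file order) that the message activates."""
    return [line.strip() for line in rules_text.splitlines()
            if line.strip() and evaluate_rule_line(line.strip(), text, whole_words)]
```

Running the same message with and without whole_words is the quickest way to see why the option matters for short keywords: a substring match on "sport" fires on "Allsports" and on "sports", a whole-word match fires on neither.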
7. You can now proceed onto the next tab and specify words that you
wish to check for in the subject of the message.
Content checking rule – subject tab
Specifying the actions to be taken
8. After you have specified what the content rule should check for, you
can now specify what should be done if GFI MailSecurity finds a mail
with those words in the body.
Content checking rule – actions tab – gateway version
You can choose from the following options:
Block mail & perform action: Enabling this will block the mail and
allow you to either quarantine, delete or move the mail.
Quarantine e-mail: This will quarantine the mail or message part for
review by an administrator. For more information on quarantining, see
the chapter on Quarantining.
Delete e-mail: (Gateway version only) This option will delete the
entire e-mail.
Delete body/attachment: This option will delete the ‘offending’ mail
message part (i.e. body or attachment).
Move mail to folder: This option will move the mail part to a folder.
Notification
The following notification options are available:
Notify user via mail: This option allows you to notify the user via
e-mail that the message was blocked.
Notify manager via mail: This option allows you to notify the user's
manager via e-mail that the mail was blocked. The manager of a user
is specified in Active Directory. If no manager is specified, the default
manager is notified. The default manager can be configured from the
quarantine options node.
Log occurrence of rule to this file: Optionally you can log the fact
that a rule was ‘activated’ to a log file of your choice.
Note: You can also choose not to block the mail, but simply to notify
the user or to log the occurrence of it.
Applying the rule to users
9. After you have configured what to check for and what to do, you
can specify for which users GFI MailSecurity will apply this rule. By
default, GFI MailSecurity will apply the rule to all emails. However, you
can choose to apply the rule to only a few users. This can be done
from the users tab.
The Content checking rule ‘Users’ tab
To add users, select add. GFI MailSecurity will automatically list all the
users listed in Active Directory. If you do not have Active Directory, all
known/imported SMTP addresses will be listed.
You can then select to which users to apply the rule. Alternatively you
can select the users to which the rule should not apply! You can also
apply the rule to one or more mail enabled public folders. When you
have finished specifying to which users the rule will apply, click OK to
save the rule.
Renaming the rule
After you have created and saved the rule, you can rename it. To do
this, simply right click on the rule and select ‘rename’.
Creating an attachment checking rule
An attachment checking rule allows you to block attachments of a
certain type. The attachment checking rule differs from the content
checking rule in that it only checks for a type of attachment. The
content checking rule checks attachments also, but only for words
contained in them.
If running in Exchange VSAPI mode: Be careful when applying
attachment rules! Some MAPI applications running on Exchange
might be using vbs or exe files. You need to ensure that if this is the
case, you don’t apply rules to quarantine exe or vbs files to mailboxes
used by those applications.
To create an attachment checking rule:
1. Highlight the Attachment checking node in the GFI MailSecurity
configuration. Right click and select New> Attachment checking rule.
2. A new rule will be created in the right pane. Double-click on this
rule. A tabbed dialog will appear.
The attachment checking rule
3. Specify whether to apply this rule to inbound mails, internal mails,
outbound mails or all. To understand how GFI MailSecurity
determines whether a mail is inbound, internal or outbound, see the
chapter 'Advanced Use'.
Checking attachments
4. Specify which attachments to block. You can specify a list of
attachments types or names to block, or you can specify a list of
attachments which are allowed through, such as doc or txt.
Adding a file type or file name to block
To add a file to block, click on the ‘Add’ button. You can use asterisk
(*) wildcards to specify file names that have certain strings in the
name. For example specifying *orders*.mdb blocks files which contain
the string 'orders' in the file name. *.jpg will block all jpg files.
You can also block attachments based on size. To do this simply
select ‘Block files greater than’ and enter attachment size.
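Step 4 gives two ways to write an attachment rule, a list of names to block or a list of names to allow, plus a size limit, and the difference between the two matters for names like report.doc.exe. The Python below is an added example (not GFI code) that evaluates both forms with the same '*' wildcards the manual uses (*orders*.mdb, *.jpg) and the 'Block files greater than' limit; the rules and attachment names are constructed samples. Matching is done against the whole file name, so an allow list of *.doc does not let a double-extension file through.

```python
"""Attachment checking rule evaluation: a block list with '*' wildcards (as in
the *orders*.mdb and *.jpg examples above), an allow-list variant, and the
'Block files greater than' size limit.  Added example; not GFI code.  The
rules and attachment names are constructed samples."""
import fnmatch

# Constructed rules
BLOCK_RULE = {
    "mode": "block",                      # block anything that matches
    "patterns": ["*orders*.mdb", "*.jpg", "*.exe", "*.vbs", "*.scr"],
    "max_size": 5 * 1024 * 1024,          # 'Block files greater than' 5 MB
}
ALLOW_RULE = {
    "mode": "allow",                      # let only these through
    "patterns": ["*.doc", "*.txt", "*.rtf"],
    "max_size": None,
}


def matches_any(filename, patterns):
    """Case-insensitive wildcard match against the whole file name, so a
    double extension such as report.doc.exe is judged on its real extension.
    Returns the patterns that matched."""
    name = filename.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(name, p.lower())]


def attachment_blocked(filename, size_bytes, rule):
    """Return (blocked, reason) for one attachment under one rule."""
    hits = matches_any(filename, rule["patterns"])
    if rule["mode"] == "block" and hits:
        return True, f"matches blocked pattern {hits[0]}"
    if rule["mode"] == "allow" and not hits:
        return True, "not on the allowed list"
    limit = rule.get("max_size")
    if limit is not None and size_bytes > limit:
        return True, f"size {size_bytes} exceeds limit {limit}"
    return False, "allowed"


def scan_attachments(attachments, rule):
    """Apply the rule to a list of (name, size) pairs; return blocked names."""
    return [name for name, size in attachments
            if attachment_blocked(name, size, rule)[0]]
```

The allow-list form is the safer default where the business can live with it: a block list only stops the extensions someone remembered to add, while an allow list stops everything else, including new executable types.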
The attachment checking rule ‘Actions’ tab.
Specifying actions to be taken
5. After you have specified what the attachment rule should check for,
you can now specify what should be done if GFI MailSecurity finds
that type of attachment. You can choose from the following options:
Block attachment & perform action: Enabling this will block the
attachment and allow you to either quarantine, delete or move the
attachment.
Quarantine attachment: This will quarantine the attachment for
review by an administrator. For more information on quarantining, see
the chapter on Quarantining.
Delete attachment: This option will delete the attachment.
Delete e-mail: (Gateway version only) This option will delete the
entire e-mail.
Move attachment to folder: This option will move the attachment to a
folder.
Notification
The following notification options are available
Notify user via mail: This option allows you to notify the user via
e-mail that the attachment was blocked.
Notify manager via mail: This option allows you to notify the user's
manager via e-mail that the attachment was blocked. The manager of
a user is specified in Active Directory. If no manager is specified, the
default manager is notified. The default manager can be configured
from the quarantine options node.
Note: This option is only available if you have Active Directory. If you
don’t have Active Directory, the option is called “Notify Administrator
via e-mail”. The administrator email address can be configured in the
quarantine options dialog.
Log occurrence of rule to this file: Optionally you can log the fact
that a rule was ‘activated’ to a log file of your choice.
Note: You can also choose not to block the attachment, but simply to
notify the user or to log the occurrence of it.
Applying the rule to users
6. After you have configured what to check for and what to do, you
can specify for which users GFI MailSecurity will apply this rule. By
default, GFI MailSecurity will apply the rule to all email. However, you
can choose to apply the rule to only a few users. This can be done
from the users tab.
The Content checking rule ‘Users’ tab
To add users, select add. GFI MailSecurity will automatically list all the
users listed in Active Directory. If you do not have Active Directory, all
known/imported SMTP addresses will be listed.
You can then select to which users to apply the rule. Alternatively,
you can select the users to which the rule should not apply. You can
also apply the rule to one or more mail enabled public folders. When
you have finished specifying to which users the rule will apply, click
OK to save the rule.
Renaming the rule
After you have created and saved the rule, you can rename it. To do
this, simply highlight the rule, right click and select ‘rename’.
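The following Python is an added example, not code from this manual or from GFI, that evaluates a rule of the kind configured in steps 4 to 6 (wildcard file name patterns such as ‘*orders*’ and ‘*.jpg’, a ‘Block files greater than’ size threshold, and a user scope) against a MIME message and returns the action per blocked attachment; the class, function and field names and the sample message are this example's own assumptions.

```python
import fnmatch
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Optional, Set

@dataclass
class AttachmentRule:
    """One attachment-checking rule; field names are this example's own."""
    name: str
    patterns: List[str] = field(default_factory=list)  # e.g. ['*orders*', '*.jpg']
    max_size: Optional[int] = None      # 'Block files greater than' (bytes); None = off
    action: str = "quarantine"          # quarantine | delete | move
    users: Optional[Set[str]] = None    # 'Users' tab scope; None = apply to all mail
    notify_user: bool = True            # 'Notify user via mail'

def filename_matches(filename, patterns):
    """Case-insensitive wildcard match, so 'ORDERS_Q1.XLS' still hits '*orders*'."""
    lowered = filename.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)

def rule_applies(msg, rule):
    """A rule applies to all mail unless a user scope was configured."""
    if rule.users is None:
        return True
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return any(addr.lower() in rule.users for _, addr in getaddresses(headers))

def evaluate_rule(msg, rule):
    """Return one verdict per attachment the rule blocks (empty list: mail passes)."""
    if not rule_applies(msg, rule):
        return []
    verdicts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # a body part, not an attachment
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if filename_matches(filename, rule.patterns):
            reasons.append("name matches %s" % ", ".join(rule.patterns))
        if rule.max_size is not None and len(payload) > rule.max_size:
            reasons.append("size %d > %d bytes" % (len(payload), rule.max_size))
        if reasons:
            verdicts.append({"filename": filename, "action": rule.action,
                             "reasons": reasons, "notify_user": rule.notify_user})
    return verdicts

def build_sample_message():
    """Constructed sample mail (not a real capture) carrying four attachments."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.com>"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q1 files"
    msg.set_content("Files attached.")
    msg.add_attachment(b"x" * 200, maintype="application",
                       subtype="vnd.ms-excel", filename="orders_q1.xls")
    msg.add_attachment(b"\xff\xd8" + b"\x00" * 50, maintype="image",
                       subtype="jpeg", filename="photo.JPG")
    msg.add_attachment(b"fine", maintype="text", subtype="plain",
                       filename="report.txt")
    msg.add_attachment(b"\x00" * 5000, maintype="application",
                       subtype="octet-stream", filename="big.bin")
    return msg

if __name__ == "__main__":
    rule = AttachmentRule(name="Block order files, images and large files",
                          patterns=["*orders*", "*.jpg"], max_size=1000)
    for verdict in evaluate_rule(build_sample_message(), rule):
        print(verdict)
```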
Quarantining
Introduction
When an email does not pass the ‘content check’ and is quarantined
by GFI MailSecurity, the email has to be reviewed by an authorized
person (from now on called the administrator) and then approved or
rejected.
In GFI MailSecurity this review process can be done in the following
ways:
1. Via an HTML email to the administrator.
2. Via an HTML email sent to a public folder.
3. Via an HTML email to the user's manager/supervisor.
4. Using the moderator client.
5. Using the web based moderator.
The advantage of using HTML email is that the process is proactive,
i.e. the moderator does not need to remember to check the moderator
client.
In addition, e-mails can be approved/rejected directly from an e-mail
client, anywhere on the network. Furthermore, it allows the burden of
moderating emails to be distributed either amongst the managers of
the users, or to a public folder. By giving access to more than one
person to the public folder, the moderating burden can be divided.
The advantage of using either the moderator client or the web based
moderator is that the interface is optimized for faster/batch
approving/rejecting of mails.
Quarantine options
You can set-up how mail should be quarantined from the Quarantine
options node in the GFI MailSecurity configuration. To do this, right
click on the Quarantine options node and bring up the Quarantine
options properties.
Quarantine mode
Now configure who should moderate the e-mail:
1. Send quarantined mail to the user's manager: This option will
send the mail to the manager of the user as configured in Active
Directory. (See ‘Configure a manager in Active Directory’ below.)
2. Send all quarantined mail to the following e-mail address: This
option will send all quarantined mails to a single user, usually the
network administrator.
3. Send all quarantined mail to a mail enabled public folder: This
option allows you to specify a public folder. By giving multiple users
access to this folder, you can divide the moderating burden.
Note: This option only appears if you are using the VS API mode. It's
possible to use a public folder in Gateway mode too; however, in that
case you will need to specify the email address of the public folder in
option 2.
Quarantine options
Quarantine options
In the Quarantine options tab you can specify how you want approved
quarantined items to be delivered to recipients:
Always send file as attachment: This option always attaches the
quarantined item to the e-mail. If using GFI DownloadSecurity, this
option is not recommended, because mail delivery could slow down if
the user downloads a very large file.
Send link instead of attachment if file exceeds a number of bytes:
This option sends a link if the file is larger than the size you specify.
Always send link instead of attachment: This option always sends a
link.
Configure a manager in Active Directory
This option is only available if you have Active Directory.
To configure a manager of a user in Active Directory:
1. Start Active Directory Users & Computers and go to the Users node.
2. Now select the user for whom you want to configure the manager.
Double-click to bring up the user's properties.
3. Go to the Organization tab. Now click on the Manager button to
specify the user's manager.
Configuring a manager in Active Directory
Approving/rejecting mail via an e-mail client
When email is quarantined, the administrator is notified by receiving
the actual mail that is quarantined. The subject of the mail will show
which mail user triggered the quarantine and the reason for the
quarantine.
A quarantined email in a public folder
The quarantined e-mail notification will contain the reason for
quarantining, the quarantined item as attachment, and the following
three options:
Approve Message: This will approve the message and it will
automatically be sent to the recipient.
Delete Message: This will delete the message.
Delete and Notify: This action will delete the message, and notify the
sender that the message was not sent out.
You can select your preferred action. Note that you can also forward
the mail directly to the recipient, or to another user using the forward
function of your e-mail client.
You can notify the user automatically about the outcome of the quarantine
Approving/rejecting mail using the Moderator Client
When email is quarantined, it is also listed in the moderator client. The
moderator client lists all the emails that have been quarantined. This
utility allows you to approve or reject messages in a more ‘high
volume’ fashion, since you can approve/reject multiple messages in
one go. The moderator client is slightly different depending on whether
you have installed GFI MailSecurity in VS API or in Gateway mode. If
installed in Gateway mode, GFI MailSecurity will allow you to delete
an entire mail, not only a message part. In addition if a mail has
multiple ‘offending’ parts, then they will be grouped.
The moderator client – gateway version
To use the moderator client:
1. Start up the moderator client from the MailSecurity program group.
The client consists of a two-pane interface, which allows you to quickly
view all quarantined messages. In addition, you can view:
Critical Failures: Lists all processing errors.
Notifications: Lists all messages that GFI MailSecurity has generated
regarding events that happened, such as updating the virus definition
files.
2. To approve or reject a mail, simply click on the ‘Quarantined mails’
node. This will show you a list of quarantined mails. You can now
approve or reject a mail by right clicking on a mail and selecting the
appropriate action.
Approving mail using the moderator client
Using the remote moderator client
The third method to approve or reject mail is to use the web based
remote moderator client. The web based remote moderator lists all the
emails that have been quarantined. This utility allows you to approve
or reject messages in a more ‘high volume’ fashion, since you can
approve/reject multiple messages in one go. The moderator client is
slightly different depending on whether you have installed GFI
MailSecurity in VS API or in SMTP Gateway mode. If installed in
Gateway mode, GFI MailSecurity will allow you to delete an entire
mail, not only a message part. In addition if a mail has multiple
‘offending’ parts, then they will be grouped.
The web based remote moderator
To use the remote moderator:
1. Ensure that you have installed the web based moderator
according to instructions in the paragraph setting up the web
based moderator (further on in this chapter)
2. Go to the following URL and authenticate:
http://<mailsecurityserver_name>/remotemoderator (the exact URL
depends on the virtual directory alias you configured).
3. After authentication, the remote moderator will show you the
quarantined mails on the right hand side. On the left hand side,
there are 3 sections:
• Viewing – allows you to select between viewing quarantined
mails, critical failures or notifications.
• Messages – allows you to perform operations on quarantined
mails, such as select all or approve or reject.
• Navigation – allows you to navigate.
A quarantined item in the remote moderator
4. To approve or reject a mail, expand the quarantined mail by
clicking on the arrow to the right of the mail. The reason for
quarantining the mail will be listed. You can view the mail by
clicking on the show email link, and view the headers of the
mail by clicking on the headers.txt link.
Viewing email content in the remote moderator
5. You can then either approve or reject the WHOLE MAIL or just a
particular MAIL PART:
• To approve or reject the whole mail, tick the check box in front
of the mail and select Delete, Delete & Notify or Approve in the
‘Messages’ section to the left of the mail.
• To approve or reject a mail part, click on the appropriate button
just below the mail part.
Approving mail using the web based moderator
6. Besides quarantined mails, you can view:
Critical Failures: Lists all processing errors
Notifications: Lists all messages that GFI MailSecurity has
generated regarding events that happened, such as updating the
virus definition files. To view these simply click on the appropriate
heading in the ‘Viewing’ section.
Quarantined mail from the user point of view
The quarantining of mail is largely transparent to the mail user. It
differs slightly depending on which mode you are running GFI
MailSecurity in.
If running in SMTP gateway mode
For inbound & outbound mail, users will receive the quarantined mail
or attachment as soon as the administrator approves it.
If running in VS API Exchange mode
For inbound mail, users will receive the quarantined email or
attachment as soon as the administrator approves it.
For outbound mail however, the procedure is a little more complex.
This is due to the fact that GFI MailSecurity does not receive recipient
information via VS API, and therefore, GFI MailSecurity will generate a
mail that the user has to forward to the original recipient.
Forwarding an attachment that got quarantined to the original recipient
Ticketing system (VS API mode)
The system that allows outbound mails to be sent after they have
been quarantined is called the ticketing system. Basically what
happens is that a new message, containing the file attachment or the
original mail that was quarantined is sent to the user, accompanied by
a ticket number, giving the user 24 hours to forward the mail or
attachment to the original recipient. The user can modify the body of
this approval ticket mail, but not the attachment.
Setting up the web based moderator
In order to use the web based moderator, you will need to setup the
moderator via the IIS configuration. To do this, follow these steps:
1. The MailSecurity installation installs all the necessary files in
the MailSecurity\RemoteModerator folder. This folder contains a sub
folder wwwroot, which contains the Web based Moderator files.
Creating the virtual directory.
2. To use the Web based moderator, you need to create a virtual
directory in IIS, pointing to the wwwroot folder. To do this, open up
Internet Services Manager, right click on the Web Site node, and from
the popup menu select New – Virtual Directory.
Naming a Virtual Directory Alias.
3. This will start the Virtual Directory Creation Wizard. Click Next
to continue. Now you need to give the alias for the virtual directory. In
this case it is RemoteModerator, but you can enter whatever name
you like, as long as it follows the folder naming conventions used in
Microsoft Windows. See Figure 3 below.
Selecting the web site content directory.
4. Now enter the path where the content is located. From the
wizard select browse, and select the sub folder wwwroot under the
RemoteModerator folder in the MailSecurity installation path.
5. Next we need to set the access permissions for the Remote
Moderator Client. From the check boxes available select only Read
and Run Scripts. Now click Next to finish the Virtual Directory Creation
Wizard.
Setting the Virtual Directory Access Permissions.
The newly created virtual directory.
6. Now right click on the newly created virtual directory, located
under the web root of your web site server, and select properties.
Virtual Directory Properties Tab.
7. From the properties dialog, select the Read, Log Visits and
Index this resource check boxes in the Virtual Directory tab. For
Execute Permissions, select Scripts Only. See Figure 9 for more
information.
8. Next press on the Configuration button. The Application
Configuration dialog pops up. Go to the App Options tab and set the
settings as shown in the screenshot.
Make sure to set the ASP Script Timeout value to 600 or above. Some
operations can take time, especially if the machine is heavily loaded.
This makes sure that the scripts will not timeout. Press OK when
ready to close the dialog.
Settings in Application Configuration dialog.
9. Press OK once again in the properties dialog box to close it.
Securing the web based moderator
Since the Remote Moderator Client provides administrative control on
messages and files, quarantined by GFI MailSecurity or GFI
DownloadSecurity, it is important that proper authentication is
performed.
There are three ways to secure the Remote Moderator Client: Basic
Authentication, Digest Authentication and Integrated Windows
Authentication. Integrated Windows Authentication is the preferred
choice in an Active Directory environment, because it makes the
authentication process seamless: it does not prompt users for their
user name or password, but uses the current Windows user
information on the client computer for authentication. If you are
installing GFI MailSecurity in a DMZ, you must use Basic
authentication.
The following steps show how to secure access to the Web based
moderator.
1. Open up Internet Services Manager. Right click on the Remote
Moderator Client virtual directory under your server web site and
select properties.
2. Under the Virtual Directory tab make sure to deselect Directory
Browsing.
3. Select the Documents tab and remove all the default documents.
Add the following default document ‘main.asp’.
Default document for the Web based moderator.
4. Next select the Directory Security tab and click on the Edit button
for the Anonymous access and authentication control group.
5. Select Integrated Windows authentication (recommended if
installed on the internal network) OR Basic Authentication check box
(if installed in the DMZ). Ensure Anonymous access is deselected.
Authentication methods for Remote Moderator Client.
If using Integrated Windows authentication, then authentication will
occur against Active Directory. This means you do not need to
configure additional users. If you use basic authentication,
authentication will occur against the local user database on the
machine. In this case you must create user names and passwords on
that local machine. For more information on securing IIS, please
review the IIS documentation.
Be sure not to allow anonymous access!
6. Now restrict access to the accounts you want by using NTFS
permissions. Open up Explorer and navigate to the wwwroot subfolder
under RemoteModerator folder in the MailSecurity installation path.
Right click on the ‘wwwroot’ sub folder and select properties and then
the Security tab.
7. Add / remove the users / groups you want to allow access to the
Remote Moderator Client. To allow access only to users forming part
of the administrators group, you would set the security tab as in the
screenshot. Click OK. You have now secured the web based
moderator.
Setting the Web based Moderator NTFS permissions.
If you are using GFI DownloadSecurity:
You need to exclude the URL of the web based moderator, in order to
avoid duplicate quarantining of files. To do this:
1. Open up the ISA Management console. Expand the Server
node where GFI DownloadSecurity is installed, and go to the
Extensions – Web Filters sub node. Right-click on the
DownloadSecurity filter item in the right pane of the ISA Management
console.
2. In the DownloadSecurity Filter Properties dialog box, add the
domain of the server where you have installed the Remote Moderator
Client to the Do not scan these URL’s list. Press the OK button to
close the dialog box. This will cause GFI DownloadSecurity not to
check files on the web based moderator website.
Configuring Virus checking
Configuring scanning engines
GFI MailSecurity can virus check all inbound, internal and outbound
mail. All mails with viruses will be quarantined for review by an
administrator.
One of the key features of GFI MailSecurity is that it can use one or
more virus scanning engines. As standard, both the Norman Virus
Control engine and the BitDefender virus scanning engine are
included. Optionally you can license the McAfee virus scanning
engine.
The Norman anti-virus engine is a proven and reliable virus detection
engine, which has received many awards and certifications, including
the industry leading certifications of ICSA, VirusBTN and Check mark.
BitDefender is a new and innovative virus scanning engine, which
has received ICSA certification.
It is important to note that checking inbound mail with an anti-virus
engine is only a small part of GFI MailSecurity. You must set up
content checking of inbound and outbound mail as well, in order to
block email with scripts.
Configuring Virus scanning engines
To configure virus checking, go to the virus scanning engines node.
This node lists all installed virus scanning engines. You can configure
each virus scanning engine separately.
Deleting/Quarantining infected mails
You can configure GFI MailSecurity to either delete a virus infected
mail, delete the infected part only (for example the attachment) or
quarantine a virus infected mail. This can be done from the Virus
scanning engines properties dialog. To do this:
Virus Scanning Properties
1. Go to the Virus scanning engines node, right click and select
properties.
2. The Virus scanning engines properties dialog will appear. Select
whether to quarantine, delete infected message part only or delete
entire mail and click OK.
Norman Virus Control configuration
To configure the Norman Virus Control engine:
1. Go to the Virus scanning engines > Norman Virus Control node,
right click and select properties.
2. Enable virus checking for inbound mail, internal mail, outbound mail
or all.
Virus checking options
Microsoft Office macro settings
3. Norman Virus Control also allows you to block Office documents
that contain macros. You can select one of the following options:
Do not check macros (not recommended) – This option will cause
GFI MailSecurity to ignore macros and just rely on the anti virus
engine to check for new viruses.
Block all documents containing macros – This option will
quarantine all Microsoft Office attachments that contain macros.
Blocking word macros
It is highly recommended to quarantine all macros. This will effectively
protect you 100% from any unknown macro viruses. Some macros are
not viruses, but macros received via the Internet are highly suspicious.
Of course the virus engine will check for known viruses, but new email
viruses can spread so fast that your system can become infected
before the virus signatures have been updated. (This happens with all
anti-virus engines.)
In addition, malicious hackers could use a custom-made macro
embedded in a Word document to attack your company, install a
Trojan or obtain confidential information.
Norman scanner engine information
4. The section in the general tab displays the scanning engine version
as well as the date of the current signature files.
Virus updates settings
Virus updates settings
You can set up virus update settings from the updates tab. To enable
checking for updates, ensure that the ‘Automatically check for updates’
option is ticked. You can then choose to automatically download the
updates or just be notified when new updates are available. You can
specify the interval under the ‘Download/Check every:’ option.
Triggering the virus update manually
You can trigger a manual download of the virus updates by clicking on
the 'Download updates now' button.
Update options
General update options, for example download mode and download
location, can be configured from the General > General settings node
in the MailSecurity configuration. For more information on general
update options, please see the General Options chapter, paragraph
Update options.
Norman Web site
For more information about the virus patterns included in the Norman
Virus Control (NVC) engine, go to the NVC website at:
http://www.norman.no/technical_nvc.shtml
BitDefender configuration
To configure the BitDefender engine:
1. Go to the Virus scanning engines > BitDefender node, right click
and select properties.
2. Enable virus checking for inbound/internal and/or outbound mail.
The anti virus engine options are identical to the options for the
Norman engine. For a description, see the paragraph on the Norman
Virus Control configuration.
Configuring the BitDefender anti virus engine
BitDefender Web site
For more information about the virus patterns included in the
BitDefender engine, go to the BitDefender website at:
http://www.bitdefender.com
McAfee configuration
Note: The McAfee engine is purchased separately: the engine is
not included in the base product. As standard, GFI MailSecurity
includes both the Norman and the BitDefender anti-virus engines.
For pricing information on adding the McAfee anti-virus engine,
please see the GFI website.
To configure the McAfee engine:
1. Go to the Virus scanning engines > McAfee node, right click and
select properties.
2. Enable virus checking for inbound/internal and/or outbound mail.
The anti virus engine options are identical to the options for the
Norman engine. For a description, see the paragraph on the Norman
Virus Control configuration.
Configuring the McAfee anti virus engine
McAfee Web site
For more information about the virus patterns included in the McAfee
engine, go to the McAfee website at:
http://www.mcafee.com
Kaspersky configuration
Note: The Kaspersky virus engine is purchased separately: the
engine is not included in the base product. As standard, GFI
MailSecurity includes both the Norman and the BitDefender anti-virus
engines. For pricing information on adding the Kaspersky anti-virus
engine, please see the GFI website.
To configure the Kaspersky engine:
1. Go to the Virus scanning engines > Kaspersky node, right click and
select properties.
2. Enable virus checking for inbound/internal and/or outbound mail.
The anti virus engine options are identical to the options for the
Norman engine. For a description, see the paragraph on the Norman
Virus Control configuration.
Configuring the Kaspersky anti virus engine
Kaspersky Web site
For more information about the virus patterns included in the
Kaspersky engine, go to the Kaspersky website at:
http://www.kaspersky.com
The Email Exploit engine
Introduction to e-mail exploits
What is an exploit?
An exploit uses known vulnerabilities in applications or operating
systems to compromise the security of a system, for example execute
a program or command, or install a backdoor. It "exploits" a feature of
a program or the operating system for its own use.
What is an e-mail exploit?
An email exploit is an exploit launched via email. An email exploit is
essentially an exploit that can be embedded in an email and executed
on the recipient’s machine as soon as the user receives or opens the
email. This allows the hacker to bypass firewalls and anti-virus
products.
Difference between Anti Virus software & Email exploit
detection software
Anti-virus software is designed to detect malicious code. It does not
necessarily analyze the method being used to execute the code.
The email exploit detection engine analyses emails for exploits - i.e., it
scans for methods to execute a program or command on the user’s
system. The email exploit engine does not check whether the program
is malicious or not. Rather, it assumes a security risk if an email is
using an exploit in order to run a program or command - whether or
not the actual program or command is malicious.
In this manner, the email exploit engine works like an intrusion
detection system (IDS) for email. The email exploit engine might
cause more false positives, but it is more secure than a normal
anti-virus package, simply because it uses a totally different way of
checking for e-mail threats.
Furthermore, the email exploit engine is optimized for finding exploits
in email, and can therefore be more effective at this job than a general
purpose anti-virus engine.
Configuring the email exploit engine
Configuring the Email exploit engine
Disabling email exploits
You can configure which exploits GFI MailSecurity should check for.
For example, some exploits might not apply to your network, in which
case you can disable checking for them. You can disable an exploit
check by going to the exploit engine node and right clicking on the
exploit in the right pane, and selecting disable.
You can disable all exploits by disabling the email exploit engine. To
do this right click on the email exploit engine node and select ‘disable
engine’.
Email exploit engine properties
Email exploit engine properties
You can configure what GFI MailSecurity should do with an email that
contains an email exploit. You can either quarantine or delete the
email. You can change this setting by right-clicking on the exploit
engine node, and selecting properties.
Email exploit update settings
Configuring exploit updates
You can configure the Email Exploit engine to automatically download
new exploit definitions as they become available. This can be
configured from the updates tab of the Email Exploit engine properties
dialog. To access this dialog, right-click on the Email Exploit Engine
node and select properties.
To enable checking for updates, ensure that the ‘Automatically check
for updates’ option is ticked. You can then choose to automatically
download the updates or just be notified when new updates are
available. You can specify the interval under the ‘Download/Check
every:’ option.
Triggering the update manually
You can trigger a manual download of the updates by clicking on the
'Download updates now' button.
Update options
General update options, for example download mode and download
location, can be configured from the General > General settings node
in the MailSecurity configuration. For more information on general
update options, please see the General Options chapter, paragraph
update options.
The HTML Threat Engine
Introduction to the HTML Threat Engine
The HTML threat engine (previously called email threat engine) is
designed to analyze HTML emails for potential threats and defuse
them.
The HTML threat engine basically analyses inbound HTML e-mail for
HTML scripts. As soon as it finds an HTML script, it disables the script
by replacing the script with placeholders. The effect of this is that the
mail can still be sent to the recipient, and the recipient can read the
e-mail as usual, including formatting and images, but the e-mail is
totally harmless.
This HTML defusing is an automatic process and happens without
administrator intervention. The HTML defusing process is patented by
GFI Software Ltd.
Why defuse HTML scripts?
The introduction of HTML mail has allowed senders to include scripts
in email that can be triggered automatically upon opening mail. HTML
scripts are used in a number of headline hitting viruses, such as the
KAK worm. Also HTML scripts can be used in one-off attacks directed
towards particular users and particular companies.
So it’s recommended that you disable HTML scripts in e-mail. The
HTML script defuser is an easy way to do this.
Configuring the HTML Threat Engine
Configuring the HTML Threat engine
The email threat engine is installed and configured by default. All you
need to do is enable it and select medium or high security.
In medium security mode, all highly dangerous HTML scripts are
defused. In High Security mode, ALL HTML scripts are defused.
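As an added illustration of the defusing idea described above (this is example code, not GFI's patented implementation), the following Python rewrites an HTML mail body so that every script element and script-bearing attribute is replaced by a placeholder or dropped while the remaining formatting and images are kept, which corresponds to the High Security behaviour where all scripts are defused; the class and function names, the placeholder text and the sample message are assumptions made for this example.

```python
import html
from email.message import EmailMessage
from html.parser import HTMLParser

SCRIPT_PLACEHOLDER = "<!-- script removed by mail gateway -->"  # chosen for this example

class ScriptDefuser(HTMLParser):
    """Re-emits HTML with script elements and script-bearing attributes (on*
    handlers, javascript: URLs) removed; a real gateway must normalise far more."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; and friends as written
        self.out = []
        self.in_script = False
        self.removed = 0

    @staticmethod
    def _is_script_attr(name, value):
        return name.lower().startswith("on") or (
            bool(value) and value.lstrip().lower().startswith("javascript:"))

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if self._is_script_attr(name, value):
                self.removed += 1  # attribute dropped, element itself kept
                continue
            parts.append(name if value is None
                         else '%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join(parts), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.removed += 1
            self.out.append(SCRIPT_PLACEHOLDER)
        else:
            self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.removed += 1
            self.out.append(SCRIPT_PLACEHOLDER)
        else:
            self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.in_script:  # script bodies are dropped; all other text is kept
            self.out.append(data)

    # Pass-through handlers so the rest of the document keeps its meaning.
    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

def defuse_html(source):
    """Return (defused_html, count of script elements and attributes removed)."""
    parser = ScriptDefuser()
    parser.feed(source)
    parser.close()
    return "".join(parser.out), parser.removed

def defuse_message(msg):
    """Defuse every text/html part of a parsed mail in place; returns the count."""
    total = 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cleaned, removed = defuse_html(part.get_content())
            if removed:
                part.set_content(cleaned, subtype="html")
                total += removed
    return total

# Constructed sample HTML mail (not a real message): one script element, one
# event-handler attribute and one javascript: link next to harmless markup.
SAMPLE_HTML = """<html><body onload="startup()">
<p>Hello &amp; welcome</p>
<script type="text/javascript">document.write("hidden content")</script>
<a href="javascript:openWindow()">Offer</a>
<img src="logo.gif" alt="Logo">
</body></html>"""

def build_sample_message():
    msg = EmailMessage()
    msg.set_content(SAMPLE_HTML, subtype="html")
    return msg
```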
The Trojan & Executable Scanner
Introduction to the Trojan & executable scanner
GFI MailSecurity 8 includes an advanced Trojan and executable
scanner, which is able to analyze what an executable does, and
quarantine any executables (for example Trojans) which perform
suspicious activities.
What Is A Trojan Horse?
The Trojan Horse got its name from the old mythical story about how
the Greeks gave their enemy a huge wooden horse as a gift during
the war. The enemy accepted this gift and they brought it into their
kingdom, and during the night, Greek soldiers crept out of the horse
and attacked the city.
In computers, a Trojan horse is a way to enter a victim's computer
undetected, giving the attacker unrestricted access to the data stored
on that computer and causing great damage to the victim, just as the
wooden horse did to the citizens of Troy.
A Trojan can be hidden, as a program that is being run on your
computer which you don’t know about, or it can be ‘wrapped’ into a
legitimate program meaning that a program that you use might have
hidden functions that you don’t know about.
Difference between Trojans and Viruses
The difference between Trojans and viruses is that Trojans are often
‘one-off’ executables, targeted towards a specific user to obtain
specific information. Anti-virus software, which is ‘signature based’, is
unable to detect these types of Trojans. Indeed, any software that
uses signatures only to detect malicious software will not be effective
in detecting these threats (including specialized anti-Trojan software).
Signature-based software can only detect known viruses and Trojans,
which is why it needs frequent updates. However, this type of
software will never get to know about these one-off Trojans.
The Trojan executable scanner configuration
How the Trojan & executable scanner works
GFI MailSecurity takes a different approach by including built-in
intelligence to rate the risk-level of an executable. It decompiles the
executable, and detects in real time what the executable might do. It
compares these actions to a database of malicious actions and then
rates the risk level of the executable. This way, potentially dangerous,
unknown or one-off Trojans can be detected before they enter your
network.
Configuring the Trojan & Executable scanner
The Trojan & Executable scanner can be configured from the Trojan & Executable scanner node. If you select the Trojan & Executable Scanner node, the checks that the Trojan executable scanner performs are listed in the right-hand pane. However, this list is for information only.
The main configuration option is selecting the security level of the
Trojan & Executable scanner. What this does is determine what level
of risk you allow an executable to have before it is quarantined. High
Security quarantines almost all executables. Low security will allow
many executables through.
Configuring security level
Selecting the security level.
To configure the security level, right click on the Trojan Executable
scanner node and select properties.
Now move the slider to select what risk level of executables you want to let through:
• High Security: Quarantines almost all executables. If the executable contains any signature it will get quarantined.
• Medium Security: Quarantines suspicious executables. If the executable contains 1 high risk signature or a combination of high risk and low risk signatures it will get quarantined.
• Low Security: Quarantines executables which are most probably malicious. If the executable contains at least 1 high risk signature it will get quarantined.
Skip attachment checking
If an executable is quarantined because of its risk level, the administrator must approve or reject the executable. You can configure GFI MailSecurity to then bypass the attachment checking module, so that the approved file is not quarantined again. To do this, tick the check box next to ‘Skip Attachment checking if the executable is approved’.
Trojan & Executable scanner update settings
Configuring Trojan & exe scanner definition updates
You can configure the Trojan & Executable Scanner to automatically download new updates as they become available. This can be configured from the Updates tab of the Trojan & Executable scanner properties dialog. To access this dialog, right-click on the Trojan & Executable Scanner node and select properties.
To enable checking for updates, ensure that the ‘Automatically check for updates’ option is ticked. You can then choose to automatically download the updates or just be notified when new updates are available. You can specify the interval under the ‘Download/Check every:’ option.
Triggering the update manually
You can trigger a manual download of the updates by clicking on the
'Download updates now' button.
Update options
General update options, for example download mode and download
location, can be configured from the General > General settings node
in the MailSecurity configuration. For more information on general
update options, please see the General Options chapter, paragraph
update options.
Decompression engine
Introduction to the decompression engine
The decompression engine is used to decompress compressed files
(archives). The GFI decompression engine can recognize 70+
different compression formats.
The decompression engine
Configuring the decompression engine
You can specify the way that files should be decompressed in the
decompression engine node. The node lists what can be configured in
the right pane:
1. Check password protected archives
2. Check corrupted archives
3. Check for amount of files in archives
4. Check for recursive archives
5. Check size of uncompressed files in archives
6. Scan within archives
You can enable or disable each option by either right-clicking on them
and disabling/enabling via a popup menu or by double-clicking on the
option to get the properties for that option.
Check password protected archives
What to do with password protected archives
This option allows you to configure what to do with password protected archives. You can:
Quarantine – This will quarantine the archive for administrator review.
Skip all modules – This will allow the archive to bypass all content security & anti-virus checking. Be careful with this option!
Automatically delete – This will automatically delete the archive. Optionally you can notify the user via e-mail when a password protected file is deleted.
Check corrupted archives
This option allows you to configure what to do with corrupted archives. You can:
Quarantine – This will quarantine the archive for administrator review.
Skip all modules – This will allow the archive to bypass all content security & anti-virus checking. Be careful with this option!
Automatically delete – This will automatically delete the archive. Optionally you can notify the user via e-mail when a corrupted file is deleted automatically.
Check for recursive archives
What to do with recursive archives
This option allows you to configure what to do with archives that contain more than a certain number of levels of archives (archives within archives). This is also referred to as a recursive archive or a nested archive. A high number of archive levels can indicate a malicious archive: recursive archives can be used in a DoS attack, since many content scanning & anti-virus packages will crash if you send them a recursive archive with many levels of archives. You can configure the maximum number of archive levels, and what to do with an archive that contains more levels than that. Then you can:
Quarantine – This will quarantine the file for administrator review.
Automatically delete – This will automatically delete the archive. Optionally you can notify the user via e-mail when an archive is automatically deleted.
Check for amount of files in archives
This option allows you to configure what to do with archives that contain more than a certain number of files. You can configure the limit of files an archive should contain, and what to do with archives that exceed that limit. Then you can:
Quarantine – This will quarantine the archive for administrator review.
Automatically delete – This will automatically delete the archive. Optionally you can notify the user via e-mail when an archive is automatically deleted.
Check size of uncompressed files in archives
This option allows you to configure what to do with compressed archives which, when unpacked, are larger than a certain size. Hackers sometimes use this method in a DoS attack: by sending a file that uncompresses to a very large file, they can often crash content security or anti-virus software. You can configure the maximum total size of the uncompressed files, and what to do with archives that exceed that limit. Then you can:
Quarantine – This will quarantine the archive for administrator review.
Automatically delete – This will automatically delete the archive. Optionally you can notify the user via e-mail when an archive is automatically deleted.
Scan within archives
This option allows you to disable attachment checking of files in
archives. Effectively it means that files in the archive will bypass the
attachment checking module.
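The archive checks described above (nesting depth, number of files, total uncompressed size, password protected and corrupted archives), as an added example that is not GFI's code: a Python inspector that streams each entry so header-declared sizes are never trusted, and applies constructed limits to sample zip archives built in memory. The limit values, verdict names and sample archives are assumptions for the demo.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature
CHUNK = 64 * 1024


@dataclass(frozen=True)
class Limits:
    """Illustrative limits; the product exposes each as its own check."""
    max_depth: int = 3                     # archive levels (outer archive is level 1)
    max_files: int = 100                   # files, counted across all levels
    max_unpacked: int = 10 * 1024 * 1024   # bytes actually decompressed, all levels


class Violation(Exception):
    """Carries the name of the first check the archive failed."""


def inspect_archive(data: bytes, limits: Limits = Limits()) -> str:
    """Return 'pass' or one of 'recursive', 'files', 'size', 'password',
    'corrupted'.  The caller maps that verdict to quarantine/delete/skip."""
    totals = {"files": 0, "unpacked": 0}
    try:
        _walk(data, limits, 1, totals)
    except Violation as v:
        return str(v)
    return "pass"


def _walk(data: bytes, limits: Limits, depth: int, totals: dict) -> None:
    if depth > limits.max_depth:
        raise Violation("recursive")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise Violation("corrupted")
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:        # general-purpose flag bit 0: encrypted entry
                raise Violation("password")
            totals["files"] += 1
            if totals["files"] > limits.max_files:
                raise Violation("files")
            inner = _decompress_capped(zf, info, limits, totals)
            if inner is not None:
                _walk(inner, limits, depth + 1, totals)


def _decompress_capped(zf, info, limits, totals):
    """Stream one entry, charging every decompressed byte to the running
    total (the size declared in the header is not trusted).  Returns the
    bytes when the entry is itself a zip (by magic, not by name), else None."""
    inner = bytearray()
    try:
        with zf.open(info) as fh:
            while chunk := fh.read(CHUNK):
                totals["unpacked"] += len(chunk)
                if totals["unpacked"] > limits.max_unpacked:
                    raise Violation("size")
                if not inner or inner.startswith(ZIP_MAGIC):
                    inner += chunk          # keep only nested archives in memory
    except (zipfile.BadZipFile, zlib.error, EOFError):
        raise Violation("corrupted")
    return bytes(inner) if inner.startswith(ZIP_MAGIC) else None


# --- constructed sample archives for the demo ---------------------------

def build_zip(entries: dict) -> bytes:
    """Deflated zip with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels: int) -> bytes:
    """report.txt wrapped in `levels` archives (levels=1 is a plain zip)."""
    data = build_zip({"report.txt": b"quarterly figures"})
    for _ in range(levels - 1):
        data = build_zip({"inner.zip": data})
    return data


def mark_encrypted(data: bytes) -> bytes:
    """Set the 'encrypted' flag bit in the local and central headers of a
    single-entry zip so it reads as password protected (the content is not
    really encrypted; this only simulates the header of such an archive)."""
    buf = bytearray(data)
    buf[buf.find(b"PK\x03\x04") + 6] |= 0x01    # local file header, flags
    buf[buf.find(b"PK\x01\x02") + 8] |= 0x01    # central directory entry, flags
    return bytes(buf)
```

Because the byte total is accumulated while decompressing, an archive whose headers under-report its size is still stopped at the limit, and the same total spans every nesting level.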
Remote monitoring & administration
Installing the remote monitor/configuration
GFI MailSecurity can be configured and monitored remotely. To be
able to monitor and configure GFI MailSecurity remotely, you must
first install the GFI MailSecurity remote admin tools.
The GFI MailSecurity remote monitor
The set-up for these tools can be found in the GFI MailSecurity
subdirectory 'remote install'. To install the remote monitor:
1. Go to the machine on which you wish to install the remote
configuration.
2. In Windows Explorer, browse to the machine running GFI MailSecurity and open the remoteinstall share. Double-click 'remotetools.exe' and follow the set-up instructions.
3. You will be asked to specify the machine name where GFI
MailSecurity is running. When set-up is finished, you can go to the GFI
MailSecurity admin tools program group to configure or monitor the
GFI MailSecurity server remotely.
NOTE: If you can't access the share, set up read and write permissions to the following directories:
<GFI MailSecurity root folder>\RemoteInstall (sharename RemoteInstall)
<GFI MailSecurity root folder>\Data (sharename Data)
<%RootDrive%>\Program Files\Common Files\GFi Shared\GFIM\Data (sharename GFIMDat)
Check that you can actually read and write to the shares from the
machine where the Remote admin tools will be installed.
Note: By default only administrators have access to the remote monitor and configuration share. If additional users are to use the remote tools, you have to give them access to the share.
Configuring & monitoring GFI MailSecurity remotely
To configure GFI MailSecurity remotely:
1. Click Start > Programs > GFI MailSecurity admin tools and select
GFI MailSecurity configuration. The GFI MailSecurity configuration
will start.
2. You can now modify GFI MailSecurity settings as if you were on the GFI MailSecurity server.
To monitor GFI MailSecurity remotely:
1. Click Start > Programs > GFI MailSecurity admin tools and select
GFI MailSecurity monitor.
2. You can now monitor GFI MailSecurity remotely.
Switching to another server to monitor or configure
Configuring a different GFI MailSecurity server
If you have multiple GFI MailSecurity servers in your network, you can
manage them from the same Remote configuration. To switch to
another server to configure:
1. Right-click on the root node, GFI MailSecurity, and select 'Connect to another computer'.
Switch to another server to configure or monitor
2. Now enter the computer name and click OK. You can now configure
another server.
Monitoring a different GFI MailSecurity server
1. In the file menu, select the option 'Connect'
2. Now enter the computer name and click OK. You will now be
monitoring another server.
General options
General options
The general node allows you to configure a number of general
options, including general settings, licensing and versioning
information. To configure general settings, right click on the general >
general settings node, and select properties.
Configuring general settings (gateway)
Server name: All notifications and quarantined mails are sent via the
SMTP service or Exchange Server. By default the server on which
GFI MailSecurity is installed is used. If you need to change this to
another machine, you can do so here.
The Verify button allows you to verify that GFI MailSecurity can send
mail via this server.
Update options
Configuring update options
The options for updating Virus definitions, Email Exploits and Trojan
and Executable scanner definitions are configured from the Updates
tab in the General properties dialog. In this tab you can configure:
• Whether to check for updates on the internet, or
• download updates from a directory on your network. This option is useful if you have many MailSecurity servers and you prefer to download the updates to a single central location.
If you select to check updates from the internet, you have to select 2
further options:
Download mode
You can select between HTTP, active FTP or passive FTP. We
recommend using active FTP or HTTP. Using HTTP saves you having
to configure the firewall.
WE RECOMMEND USING HTTP IF YOU HAVE A FIREWALL!
Preferred Update server
You can select a preferred update server. Select update.gfi.com if you are located in the US/Canada and update.gfisoftware.com if you are located in Europe or any other part of the world.
Note about proxy servers: GFI MailSecurity uses the Internet Explorer settings to download, so if you use a proxy server, you must set up Internet Explorer to work correctly with that proxy server.
Note about firewalls & FTP: If you are behind a firewall and have selected active FTP, you have to enable an FTP connection on the firewall which lets the machine where GFI MailSecurity is installed open an FTP connection (ports 21 & 20) to the host ftp.gfi.com or ftp.gfifax.de. For a description of how to make this set-up with Microsoft ISA Server, see the chapter 'Advanced topics'. If you have a firewall, do not select passive FTP. We recommend using HTTP if you have a firewall.
Note: If you don’t wish to configure your firewall to allow FTP downloads, simply select HTTP as the download mode.
If downloading fails: If the download of the virus update files fails, a
file called autodown.txt will be created in the GFI
MailSecurity/debuglogs directory. If this happens, please send these
files to support@gfi.com.
VS API Scanning modes
This section applies only to the Exchange VS API mode
If you have installed GFI MailSecurity in VS API mode, the general
settings dialog will contain a VS API tab.
Here you can configure the VS API Scanning mode: You can select
the type of VS API scanning mode that you want GFI MailSecurity to
use.
GFI MailSecurity supports all 3 VS API scanning modes. These
scanning modes are part of VS API. You can select which scanning
mode GFI MailSecurity should use from the General options > VS API
tab.
The VS API tab is located in the general properties dialog, which can be accessed by right-clicking on the General > General settings node and selecting properties. VS API provides 3 scanning modes. Two of these modes, on demand and proactive, are mutually exclusive, whereas background scanning can be turned on as an option in either mode.
On demand scanning
In this mode, a new message gets scanned as it gets accessed by the
e-mail client. That means there will be a short delay before the user
can access the message.
GFI MailSecurity VS API scanning modes
Proactive scanning
In this mode, new messages get submitted to the queue for scanning
upon receipt. However if an e-mail client accesses a new message,
scanning of this message will receive higher priority.
This is the recommended scanning mode.
Background scanning
In this mode, all EXISTING messages in the store are scanned. This setting will cause GFI MailSecurity to scan all messages in the stores. Depending on how many messages you have in the stores, Exchange & GFI MailSecurity will be very busy for a period of time after enabling this option. If you want to do this, we suggest switching it on for the first time during the night, so that the bulk of the scanning work is done while the server is otherwise idle.
For more information about scanning modes:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285667
Adding additional local domains
This section applies only to the SMTP Gateway mode
GFI MailSecurity needs to know what your local domains are to be
able to know if a mail is inbound or outbound. During installation, GFI
MailSecurity will import local domains from the IIS SMTP service. If
however you wish to add or remove local domains afterwards, you can
do so from the local domains tab in the general > general settings
node properties:
Adding a local domain
1. Right-click on the general settings node and select properties to
access this dialog.
2. Now enter the local domain.
This feature is handy because in some cases you might want to configure local mail routing in IIS differently, for example to add domains which are local for mail routing purposes but are not local for your mail server.
Changing the bindings
Changing the SMTP server that GFI MailSecurity is bound to
This section applies only to the SMTP Gateway mode
GFI MailSecurity relies on the IIS SMTP service to send and receive
SMTP mail. It binds with your default SMTP virtual server. If you have
multiple SMTP virtual servers installed on your machine, you can bind
GFI MailSecurity to another SMTP virtual server in this dialog.
Checking number of licensed users
Checking number of licensed users
The License key dialog not only allows you to enter the License key, it also allows you to see how many licenses you must have for GFI MailSecurity.
Underneath the License key edit box, GFI MailSecurity will list how
many mailboxes/users it sees. You can use this information to check if
you have licensed GFI MailSecurity accordingly.
Version information
Checking GFI MailSecurity version information
The node General > Version Information contains GFI MailSecurity
version and build information. You can check if you have the latest
version installed using the 'Check for latest version on website' button.
Version information is also very useful when contacting GFI support.
This will allow us to know exactly which version you have.
Advanced topics
Determining Outbound/Inbound/Internal mail
This section applies only to the Exchange VS API mode
GFI MailSecurity uses a set of rules to determine whether a mail is
inbound, internal or outbound. In some cases it may be important to
understand the logic used. This logic is based on determining if the
user is present in Active Directory or not.
When is a mail outbound?
GFI MailSecurity will assume a mail is outbound if the sender is an
internal user and the recipient is an external user. To determine
whether a sender or recipient is external or internal, GFI MailSecurity
makes an Active Directory query. If the user is present, he is assumed
to be an internal user.
When is a mail inbound?
GFI MailSecurity will assume a mail is inbound if the sender is an
external user and the recipient is an internal user. It will use AD to
determine whether the sender/recipient is external or internal.
When is a mail internal?
If both the sender and the recipient appear in Active Directory then the mail is internal. For various reasons, it cannot be determined with 100% certainty whether an e-mail is internal or inbound. This is why, as a security measure, you cannot create separate rules for internal mail: if you set up more relaxed rules for internal mail, an inbound mail misclassified as internal would be checked less strictly, and a security hole might appear.
What if the mail has multiple recipients, both internal and
external?
In this case, all rules will be applied. So if a mail contains an internal
recipient that has a specific rule specified, the rule will be applied. If
the mail also contains an outbound rule linked to the sender, then this
rule will be applied also.
User synchronization with Exchange 5.5
If you are using GFI MailSecurity in gateway mode with Microsoft
Exchange server 5.5, GFI MailSecurity installs a synchronization
service that updates the GFI MailSecurity user database
automatically. This eliminates the hassle of synchronizing users
manually between Exchange Server 5.5 and GFI MailSecurity.
During set-up, the Synchronization wizard prompts you for all the
relevant information. However, after set-up you can change Exchange
Server name/IP, synchronization interval and the Exchange sites that
are synchronized. This can be done from the General > User
Synchronization node. Right click on the node to bring up the User
Synchronization Properties dialog.
Here you can change Exchange Server machine IP & synchronization
interval.
User synchronization properties
Clicking on the sites button allows you to specify which sites you want
GFI MailSecurity to synchronize with.
GFI MailSecurity logging
GFI MailSecurity log files
GFI MailSecurity maintains a number of log files in the logs
subdirectory. These logs allow you to track the activity of GFI
MailSecurity. The logs will include information on which mails included
viruses or which mails triggered content or attachment checking rules.
You can open the logs with Microsoft Excel or Access to do further
analysis on these logs.
You can configure which logs you want GFI MailSecurity to write. This can be done from the GFI MailSecurity > Logging node.
Configuring ISA server to allow downloading of updates
If your GFI MailSecurity server is running behind a firewall, you will
need to allow the machine running GFI MailSecurity to download
updates from the GFI site through port 21 & port 20.
If you are running Microsoft ISA server, you can find a step by step
procedure in our knowledgebase.
If GFI MailSecurity is NOT installed on the same machine as Microsoft ISA Server, follow the procedure described at http://kbase.gfi.com/showarticle.asp?id=KBID001346
If GFI MailSecurity is installed on the same machine as Microsoft ISA Server, follow the procedure described at http://kbase.gfi.com/showarticle.asp?id=KBID001347
Enabling Event Logging for the Virus Scanning API
This section applies only to the Exchange VS API mode
This information can be found in the Microsoft Knowledgebase
(Q294336).
The VS API includes inbuilt event logging that you can turn on. To set
the level of detail that is logged by the virus scanning API:
1. Start Exchange System Manager.
2. In the console tree, double-click Servers, right-click the server on
which you want to set the logging detail level, and then click
Properties.
3. Click the Diagnostics Logging tab.
4. In Services, click MSExchangeIS\System.
5. In Categories, click Virus Scanning.
6. Click one of the following logging levels, as appropriate:
• None
• Minimum
• Medium
• Maximum
Setting Virus Scanning API Performance Monitor Counters
This section applies only to the Exchange VS API mode
This information can be found in the Microsoft Knowledgebase (Q285696).
In addition to event logging, the VS API also has the capability to
create performance counters.
The following Performance Monitor counters are available:
• Messages Processed. This is a cumulative value of the total number of top-level messages that are processed by the virus scanner.
• Messages Processed/sec. This counter represents the rate at which top-level messages are processed by the virus scanner.
• Messages Cleaned. The total number of top-level messages that are cleaned by the virus scanner.
• Messages Cleaned/sec. The rate at which top-level messages are cleaned by the virus scanner.
• Messages Quarantined. The total number of top-level messages that are put into quarantine by the virus scanner.
• Messages Quarantined/sec. The rate at which top-level messages are put into quarantine by the virus scanner.
• Files Scanned. The total number of separate files that are processed by the virus scanner.
• Files Scanned/sec. The rate at which separate files are processed by the virus scanner.
• Files Cleaned. The total number of separate files that are cleaned by the virus scanner.
• Files Cleaned/sec. The rate at which separate files are cleaned by the virus scanner.
• Files Quarantined. The total number of separate files that are put into quarantine by the virus scanner.
• Files Quarantined/sec. The rate at which separate files are put into quarantine by the virus scanner.
• Bytes Scanned. The total number of bytes in all of the files that are processed by the virus scanner.
• Queue Length. The current number of outstanding requests that are queued for virus scanning.
• Folders Scanned in Background. The total number of folders that are processed by background scanning.
• Messages Scanned in Background. The total number of messages that are processed by background scanning.
Customizing the notification templates
Configuring the notification templates
GFI MailSecurity sends out various notification messages to the
sender or recipient of an e-mail that gets quarantined or modified, as
well as various messages to the administrator/manager.
These messages are based on a set of templates, which can be
edited from the Notification templates node. The templates contain the
text of the message, as well as fields that are replaced by values upon
generation of the notification message.
You may wish to modify these notification templates. The most obvious reason is to localize/translate them to another language. Alternatively, you might want to modify the templates to better explain a particular rule set or policy you have.
To modify a template, simply double-click on the corresponding
template in the right-hand pane. This will open up the template in
Notepad and allow you to edit the notification message.
Here is a list of template file names and what they do:
Filename – Description
quarsubj.txt – Template includes the subject of a Quarantined action message sent to the manager or administrator. This subject appears on the mail sent to the person who must reject or approve a mail.
quarbody.htm (VSAPI mode only) – Message body of the Quarantined action message sent to the manager or administrator. This mail is sent to the person that should approve or reject the mail.
quarbodymsec.htm (Gateway mode only) – Message body of the Quarantined action message sent to the manager or administrator. This mail is sent to the person that should approve or reject the mail.
quarappsubj.txt – Contains the subject sent to a sender when the mail is approved to be sent out, or when the mail is approved and the recipient receives the mail.
quarappticketbody.txt (VSAPI mode only) – Template includes the body of the "Approval ticket message", sent to the sender when he is allowed to send out a particular attachment or text (in case of outbound mail).
quarappbody.txt – Template includes the message body of a mail that is sent to the recipient when a mail item, sent to that recipient, is approved. The approved mail item will be attached to this mail.
notifyusersubj.txt – Notification message subject sent to the recipient. This mail only gets sent if "Notify User via e-mail" is enabled in the action tab of a rule.
notifyuserbody.txt – Notification message body sent to the recipient. This mail only gets sent if "Notify User via e-mail" is enabled in the action tab of a rule.
notifymanagersubj.txt – Notification message subject sent to the manager or administrator. This mail only gets sent if "Notify manager via e-mail" is enabled in the action tab of a rule.
notifymanagerbody.txt – Notification message body sent to the manager or administrator. This mail only gets sent if "Notify manager via e-mail" is enabled in the action tab of a rule.
notifyuserappsubj.txt – Template includes the subject of a mail that is sent to the recipient when a mail item, sent to that recipient, has been rejected/deleted.
notifyuserappbody.txt – Template includes the message body of a mail that is sent to the recipient when a mail item, sent to that recipient, has been rejected/deleted.
violatedel.txt – Template includes the message body of a mail that is sent to notify a recipient that part of the mail, sent to him/her, has been deleted.
violatequar.txt – Template includes the message body of a mail that is sent to notify a recipient that part of the mail, sent to him/her, has been quarantined.
Template fields
The templates contain fields that are replaced by values upon generation of the notification message by GFI MailSecurity. Each field is explained below.
Tag – Description
[QMC_ID] – ID of this quarantined item.
[LAST_ERROR] – Last error reported by the module that quarantined this item.
[LAST_MODULE] – The last module to quarantine this item.
[MORE_INFO] – More information on the last error.
[OBJECT_DATE] – Date and time when the item was quarantined.
[OBJECT_USER_NAME] – Name of the user who caused this quarantine.
[OBJECT_USER_EMAIL] – E-mail of the user who caused this quarantine.
[OBJECT_MANAGER_NAME] – Name of the manager of the user who caused this quarantine (or the default manager).
[OBJECT_MANAGER_EMAIL] – E-mail of the manager of the user who caused this quarantine (or the default manager).
[ACTION] – The action taken.
[ITEM] – The name of the object.
[MESSAGE_BODY] – Not yet defined.
[TTL] – Time to live (the date when this object will be deleted from the Quarantine system).
[WEB_SERVER] – The IP or server name where the Web monitor is listening. Used mainly for form processing and not display purposes.
[QUAR_PATH] – The full path of the quarantine item, in the format Rule://QTYPE/QID. Used mainly for form processing and not display purposes.
[QUAR_SECURITY_GUID] – The QMC_QUAR_SECURITY GUID from the QMC record for this quarantined item. Used mainly for form processing and not display purposes.
[QUAR_TTL] – Time to live in floating point format. Used mainly for form processing and not display purposes.
[QUAR_SECURITY_PREFIX] – The QMC_QUAR_SECURITY PREFIX from the QMC record for this quarantined item. Used mainly for loop protection and not display purposes. It is automatically added to the end of every subject generated.
[PRODUCT_NAME] – Identifies the source of this item. Current values are: DSEC for download security; MSEC for mail security Exchange 2000; MSEC GWAY for mail security (gateway version).
[GFISCAN_DAT_CONTENTTYPE] – The content-type of the quarantined item.
[GFISCAN_DISPLAY_SENDER] – The display name of the sender.
[GFISCAN_DISPLAY_TO] – The display name of the recipient(s).
[GFISCAN_DISPLAY_CC] – The display name of the CC'd recipient(s).
[GFISCAN_SUBJECT] – The subject of the quarantined item.
[GFISCAN_MBX] – The mailbox of the quarantined item (only available in MSEC Exchange).
[GFISCAN_STOREDB] – The db store of the quarantined item (only available in MSEC Exchange).
[GFISCAN_FOLDER] – The folder of the quarantined item (only available in MSEC Exchange).
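How the bracketed fields are filled in and how the [QUAR_SECURITY_PREFIX] subject suffix gives loop protection, as an added example that is not GFI's code: the template text, the record values, the prefix format and the Rule://QTYPE/QID components are constructed for the demo, and the "skip messages that already carry the prefix" check is this example's reading of the table entry.

```python
import re

# A field is a bracketed upper-case name, as in the table above.
FIELD = re.compile(r"\[([A-Z_]+)\]")

# Constructed templates built from the documented field names; the product's
# real quarsubj.txt / quarbody.htm files are not reproduced here.
QUARSUBJ = "Quarantined item [QMC_ID]: [ITEM] from [OBJECT_USER_NAME]"
QUARBODY = (
    "A message from [OBJECT_USER_NAME] <[OBJECT_USER_EMAIL]> was [ACTION]\n"
    "by the [LAST_MODULE] on [OBJECT_DATE].\n"
    "Reason: [LAST_ERROR]\n"
    "Review it via the Web monitor on [WEB_SERVER] (item [QUAR_PATH]).\n"
    "The item is removed from quarantine on [TTL].\n"
    "[MESSAGE_BODY]"            # 'Not yet defined' in the table: stays literal
)

# Constructed record of one quarantined item (every value is invented).
SAMPLE_RECORD = {
    "QMC_ID": "4711",
    "LAST_MODULE": "Trojan & Executable scanner",
    "LAST_ERROR": "Executable rated high risk",
    "OBJECT_DATE": "15/03/2004 09:12",
    "OBJECT_USER_NAME": "Jane Example",
    "OBJECT_USER_EMAIL": "jane@example.com",
    "ACTION": "quarantined",
    "ITEM": "invoice.exe",
    "TTL": "22/03/2004",
    "WEB_SERVER": "mailsec01",
    "QTYPE": "TROJAN", "QID": "4711",          # assumed parts of [QUAR_PATH]
    "QUAR_SECURITY_PREFIX": "[GFIMSEC-7f3a]",  # constructed loop-protection marker
}


def render(template: str, record: dict) -> str:
    """Replace every [FIELD] the record supplies.  Unknown fields are left
    literally in place rather than blanked, so a typo in an edited template
    is visible in the generated message instead of silently disappearing."""
    values = dict(record)
    if "QTYPE" in record and "QID" in record:
        values.setdefault("QUAR_PATH", f"Rule://{record['QTYPE']}/{record['QID']}")
    return FIELD.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def render_subject(template: str, record: dict) -> str:
    """Subjects additionally get the security prefix appended, exactly once,
    so that re-rendering an already generated subject does not stack it."""
    subject = render(template, record)
    prefix = record["QUAR_SECURITY_PREFIX"]
    return subject if subject.endswith(prefix) else f"{subject} {prefix}"


def is_own_notification(subject: str, prefix: str) -> bool:
    """Loop protection: a message whose subject carries the prefix was
    generated by the product itself and must not trigger yet another
    notification when it passes back through the mail flow."""
    return prefix in subject
```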
Troubleshooting
Introduction
The troubleshooting chapter explains how you should go about
resolving issues you have. The main sources of information available
to users are:
• The manual – most issues can be solved by reading the manual.
• The GFI knowledgebase – accessible from the GFI website.
• The GFI support site.
• Contacting the GFI support department by e-mail at support@gfi.com
• Contacting the GFI support department using our live support service at http://support.gfi.com/livesupport.asp
• Contacting our support department by telephone.
Knowledgebase
GFI maintains a knowledgebase, which includes answers to the most common problems. If you have a problem, please consult the knowledgebase first. The knowledgebase always has the most up-to-date listing of support questions and patches.
The knowledgebase can be found on http://kbase.gfi.com
Request support via e-mail
If, after using the knowledgebase and this manual, you have any
problems that you cannot solve, you can contact the GFI support
department. The best way to do this is via e-mail, since you can
include vital information as an attachment that will enable us to solve
the issues you have more quickly.
The Troubleshooter, included in the program group, automatically generates a series of files needed for GFI to give you technical support. The files include the configuration settings etc. To generate these files, start the Troubleshooter and follow the instructions in the application.
In addition to collecting all the information, it also asks you a number
of questions. Please take your time to answer these questions
accurately. Without the proper information it will not be possible to
diagnose your problem.
Then go to the support directory, located under the main program
directory, ZIP the files, and send the generated files to
support@gfi.com.
Ensure that you have registered your product on our website
first, at http://www.gfi.com/pages/regfrm.htm!
We will answer your query within 24 hours or less, depending on your
time zone.
Request support via webchat
You may also request support via Live support (webchat). You can
contact the GFI support department using our live support service at
http://support.gfi.com/livesupport.asp
Ensure that you have registered your product on our website
first, at http://www.gfi.com/pages/regfrm.htm!
Request support via phone
You can also contact GFI by phone for technical support. Please
check our support website for the correct numbers to call, depending
on where you are located, and for our opening times.
Support website:
http://support.gfi.com
Ensure that you have registered your product on our website
first, at http://www.gfi.com/pages/regfrm.htm!
Web Forum
User to user support is available via the web forum. The forum can be
found at:
http://forums.gfi.com/
Build notifications
We strongly suggest that you subscribe to our build notifications list.
This way, you will be immediately notified about new product builds.
To subscribe to our build notifications, go to:
http://support.gfi.com
Index
A
attachment checking 25, 30, 31
Attachment checking rule 25, 30
B
background scanning 3, 85
Background scanning 3, 75–76, 85
Bitdefender 51, 54–55, 54, 55
C
Collaboration Data Objects 14
conditions 26–27
configuration 7
content checking 1–2, 4, 25–28, 29–30, 33, 51
Content checking rule 25, 28, 30
D
DMZ - demilitarized zone 13
DownloadSecurity 8
E
Email exploit detection 2, 57
email exploits 2
Event Logging 3, 83
Exchange 2000 VS API mode 3, 9, 30, 81
F
fault tolerance 13
I
IIS 5 14, 20
ISA server 8, 75, 83
L
Licensing 78
logging 3, 83
Lotus Notes 6, 13, 14, 19
Love Letter 1–2, 25
M
macro viruses 2, 53
macros 2, 51–53
Mail essentials 8, 19
mail relay server 1, 13
MailSecurity scan engine 6
McAfee 2, 51, 55
Microsoft Exchange Administrator 18
Microsoft Exchange server 2000 9, 14, 18
moderator 7, 35, 39–40
moderator client 7, 35, 39–40
MX record 14, 19
N
Norman 2, 51–53, 54, 55, 56
Norman Virus Control 52–53, 54–55
nslookup 19
O
On demand scanning 75
P
Password 10, 20
Performance Monitor 3, 84
perimeter network 13
POP3 19
Pro active scanning 76
public folder 35–36, 38
S
SMTP gateway 1, 4–5, 13, 43
SMTP gateway mode 3, 13, 43
SMTP Service 14–17, 74
SMTP/POP3 mail server 19
T
Troubleshooting 20, 89
V
virus 1–7, 9, 40–54, 40–54, 83–84
Virus updates 53–54
W
Windows 2000 Server 9, 14