Date post: 25-Jun-2018
Copyright © 2004 IronPort Systems™, Inc. All rights reserved

IronPort C-Series Channel Partner Technical Training

V1.1 21-Jul-04

Course Objectives: Critical SE Skills

• How do I install, configure and deliver basic support for the IronPort C-Series Messaging Gateway appliance?

• What guidelines can I give customers for deploying the appliance in a typical enterprise email environment?

• How do I manage and monitor the flow of email through the appliance?

• How do I configure access control policies?

• How do I create content filters?

• How do I configure the appliance to detect and handle unwanted spam and viruses?

Course Agenda

• IronPort C-Series Overview
• Installation and Setup
• Access Control
• Policy Enforcement, Anti-Spam, and Anti-Virus
• Monitoring, Logging, and Troubleshooting
• System Administration

Things You Should Already Know…

• SMTP
• TCP/IP
• DNS
• MIME
• CLI and GUI device interfaces


Preview …A Typical New Customer Installation*

• Gather customer’s network information and custom requirements in advance – 30 min

• Rack, install, and set up the appliance – 30 min

• Make custom configuration changes – 15 min

• Test and demo – 30 min

• Put the appliance into production – 15 min

* Applicable to 90% of deals � 1,000 seats


Let’s Go!

IronPort C-Series Overview

Module 1

IronPort Products and Services

• IronPort A-Series™: The World’s Leading Outbound Email Delivery Platform
• Bonded Sender™ Program: Guaranteed Delivery of Legitimate Email
• SenderBase™: The World’s Leading Email Reputation Service
• IronPort C-Series™: Next Generation Enterprise Email Security

IronPort C-Series is the Next Generation Email Security Appliance

• Revolutionary MTA Platform for High Availability
• Threat Prevention with IronPort Reputation Filters™
• Content Scanning for Policy Enforcement
• Spam Detection with Brightmail™ Anti-Spam
• Virus Detection with Sophos™ Anti-Virus

C-Series = Server Consolidation

[Figure: server consolidation, before IronPort and after IronPort]

IronPort C-Series Channel Product Line

IronPort C60
– 2U
– Dual processor
– 4 Drives; RAID 1+0
– 3 Ethernet Interfaces
– Up to: 140 msgs/sec (500,000 msgs/hr)
– Protects >> 1,500 Users

IronPort C30
– 2U
– Single processor
– 2 Drives; RAID 1
– 3 Ethernet Interfaces
– Up to: 40 msgs/sec (144,000 msgs/hr)
– Protects 500-1,500 Users

IronPort C10
– 1U
– Single processor
– 2 Drives; RAID 1
– 2 Ethernet Interfaces
– Up to: 15 msgs/sec (54,000 msgs/hr)
– Protects up to 500 Users

C-Series Packaging & Licensing

• IronPort AsyncOS
  – MTA, Reputation Filtering, Content Scanning, etc.
    • Evaluation: 30-day*
    • Purchase: Perpetual
• Optional Components
  – Brightmail Anti-Spam
    • Evaluation: 30-day
    • Subscription: 1-3 years
  – Sophos Anti-Virus
    • Evaluation: 30-day
    • Subscription: 1-3 years

* Extensions in 30-day increments are available upon request

Revolutionary MTA Platform

• The need for a high performance, highly available MTA has never been greater
  – Evolving threats such as MyDoom and Bagle cripple legacy MTAs
• AsyncOS™: built for email Availability
  – Threading model, scheduler, and file system designed for the mail gateway
  – IronPort C60 is capable of 140 messages per second
  – 10,000 simultaneous connections
• Ensured email Deliverability
  – Slow or unavailable domains don’t affect performance; each destination has a distinct queue and retry schedule
  – Virtual Gateway™ technology provides multiple IP addresses for email delivery

Email is fundamentally Different from other enterprise applications

• High level of simultaneous inbound and outbound connections
• High rate of connection establishment and teardown; short-lived connections
• Massive File System use for small, short-lived files

Email requires a Robust & Purpose-Built Platform

Place IronPort Wherever it Fits in the Network

[Figure: placement options in the network, labelled with physical interfaces (data1, data2) and IP interfaces (ip1, ip2)]

Common C60/C30 Configuration

[Figure: appliance between the Outside, DMZ and Inside networks; labels: ip1 on data1, ip2 on data2, mgmt]

• One interface for incoming mail from the Internet (and for sending mail to Internet).

• One interface for delivering mail to your Message Store systems (and for receiving outgoing mail from those systems).

• One interface for system management.

Common C10 Configuration

[Figure: appliance between the Outside, DMZ and Inside networks; label: ip1 on data1]

• One physical interface with one IP for both incoming and outgoing mail.

You Already Understand Messaging

TCP Connection: 1.2.3.4,12345 (mail1.from.com) to 4.5.6.7,25 (mx1.to.com)

SMTP Session (the Envelope, carrying Envelope-From and Envelope-To):

EHLO from.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
RCPT TO: [email protected]

Body Headers (carrying Header-From and Header-To):

Received: from mail1.from.com (1.2...
Subject: Hello
From: “Bob” <[email protected]>
To: “User One” <[email protected]>

A mailbox consists of a Display name and local-part@domain.

Message Body:

Hello,

The body after the first blank line may contain many MIME parts. Second and following parts are often called “attachments”; first is often called “body” or “text.” They are really all just “parts.”
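Added example (not part of the original training deck): the envelope, header and MIME-part distinction from this slide, extracted in Python from a constructed SMTP session. The addresses bob@from.com, user1@to.com and user2@to.com, the attachment, and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the client side of one SMTP session. Addresses are illustrative.
SMTP_SESSION = """\
EHLO from.com
MAIL FROM:<bob@from.com>
RCPT TO:<user1@to.com>
RCPT TO:<user2@to.com>
DATA
Received: from mail1.from.com (1.2.3.4) by mx1.to.com
Subject: Hello
From: "Bob" <bob@from.com>
To: "User One" <user1@to.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello,
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.bin"
Content-Transfer-Encoding: base64

AAEC
--b1--
.
QUIT
"""


def split_session(session):
    """Separate the envelope (SMTP commands) from the message sent after DATA."""
    env_from, env_to, data, in_data = None, [], [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":                      # a lone dot ends the message
                break
            # Undo SMTP dot-stuffing: a leading dot was doubled by the sender.
            data.append(line[1:] if line.startswith(".") else line)
        elif line.upper().startswith("MAIL FROM:"):
            env_from = parseaddr(line[len("MAIL FROM:"):])[1]
        elif line.upper().startswith("RCPT TO:"):
            env_to.append(parseaddr(line[len("RCPT TO:"):])[1])
        elif line.upper() == "DATA":
            in_data = True
    return env_from, env_to, "\n".join(data) + "\n"


def analyse(session):
    """Report envelope vs. header addresses and every MIME part of the message."""
    env_from, env_to, raw = split_session(session)
    msg = message_from_string(raw)
    display_name, header_from = parseaddr(msg.get("From", ""))
    header_to = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    # Every leaf of the MIME tree is just a "part", whether text or attachment.
    parts = [(p.get_content_type(), p.get_filename())
             for p in msg.walk() if not p.is_multipart()]
    return {
        "envelope_from": env_from,
        "envelope_to": env_to,
        "header_from": header_from,
        "display_name": display_name,
        "header_to": header_to,
        # Recipients the gateway delivers to but the reader never sees in To:.
        "envelope_only_recipients": [r for r in env_to if r not in header_to],
        # The header From is what the user sees; it need not match the envelope.
        "from_mismatch": (env_from or "").lower() != header_from.lower(),
        "parts": parts,
    }


if __name__ == "__main__":
    for key, value in analyse(SMTP_SESSION).items():
        print(f"{key}: {value}")
```

Delivery decisions use the envelope, while the mail client displays the headers, which is why a gateway policy has to state which of the two it is matching.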

IronPort C-Series Overview Key Points

• IronPort has the features and capabilities that enterprises need in a messaging gateway appliance
  – Revolutionary MTA Platform for High Availability
  – Threat Prevention with IronPort Reputation Filters
  – Content Scanning for Policy Enforcement
  – Spam Detection with Brightmail Anti-Spam
  – Virus Detection with Sophos Anti-Virus

• IronPort can integrate easily with the customer’s existing messaging backbone

References

• IronPort AsyncOS 3.8 User Guide
  – Chapter 1: Introduction
• IronPort C-Series Appliance Evaluation Guide
  – http://support.ironport.com/secure/index.html
• Product brochures & data sheets
  – http://www.ironport.com/products/ironport_c_series.html
• White papers
  – IronPort AsyncOS White Paper
  – Reputation Filters White Paper
  – SMTPi White Paper
  – http://www.ironport.com/download/

Installation and Setup

Module 2

A Roadmap to Successful Deployment

Set the MX record priority appropriately

• Evaluation: Set the C-Series as the secondary MX, so the legacy MTA can continue to handle production mail while you test the C-Series

• Production: Set the C-Series MX as the primary (“flip the switch”)

[Figure: deployment diagram with numbered callouts 1, 2, 3; labels: data1, ip1, ip2]

Install IronPort on a live mail stream. You can’t test the mail flow monitoring features if it’s in a test lab

IronPort needs to talk to the Internet for SenderBase, Virus, and Spam updates

Don’t let the firewall (or old mail server) proxy. IronPort needs to “see” the actual sending IP address

Let the Internet talk to IronPort. If you don’t get spam & viruses, you can’t see how it works

Your configuration determines which features you can fully test

Features compared: Virus Protection, Spam Detection, Content Scanning, Reputation Filtering, Mail Flow Monitor

Acting as the Production MTA
• MX record = equal or high priority
• C-Series handles all email

Acting as the Backup MTA
• MX record = low priority
• Unlikely to attract virus attacks

Sitting Behind Another MTA
• Primary MTA transfers all email
• Sender IP addresses will be lost

Quietly Listening on the Internet
• No MX record in DNS
• Unlikely to attract spam or viruses

Closed Lab Environment
• Not connected to the Internet
• Can’t receive external email

Let’s Agree on Terms

Relationship Between Listeners, IP Interfaces, and Physical Ethernet Interfaces

[Figure: IronPort Messaging Gateway with a Listener (Port) on an IP Interface (IP address) on a Physical Ethernet Interface (Physical Interface)]

A listener is an SMTP server awaiting connections from SMTP clients, typically on TCP port 25

An IP interface is the binding of an IP address to a Physical Interface

IronPort can have multiple interfaces and multiple listeners

A listener is also called an injector, because it injects email into the IronPort

SMTP clients connect to the listener to send mail

A listener may be called an SMTP daemon

Why More Than One Listener?

[Figure: appliance with Ethernet interfaces Data1, Data2 and Management; IP interfaces IP Private, IP Pub1, IP Pub2 and IP Mgmt; services labelled SMTP, 25 and SSH, 22]

Incoming mail has many SMTP senders, few receivers

Outgoing mail has few SMTP senders, many receivers

Security and IP profiles are different

IronPort provides control, management, and security points for SMTP

Choose Interfaces and Listeners to Match Your Network

Two IP interfaces on... | Same Network | Different Network
Same Physical Interface | Allowed | Allowed
Different Physical Interface | Not Allowed | Allowed

The C10 has 2 interfaces. The C30 has 3 interfaces.

[Figure: example layouts with ip1 and ip2 on data1 and data2]

You Select SMTP and Other Services

[Figure: protocol stack (Ethernet, IP, TCP) with a legend marking which boxes are Interfaces and which are Listeners]

Ethernet interfaces:
• Data2: 00:06:5b:3f:1b:94
• Data1: 00:06:5b:3f:1b:95
• Management: 00:03:47:ad:6b:8a

IP interfaces:
• IP Mgmt: 192.168.1.123
• IP Private: 10.0.1.22
• IP Pub1: 5.2.3.11
• IP Pub2: 5.2.3.12

Services shown: SMTP, 8025; SMTP, 25 (three times); SSH, 22 (three times); FTP, 21; HTTP, 80

Common Two-Interface Topology

The “Outside” or “Public” side
• Ethernet Interface: Data 2
• IP Interface: PublicNet (e.g. 192.35.195.101)
• Listener: InboundMail

The “Inside” or “Private” side
• Ethernet Interface: Data 1
• IP Interface: PrivateNet (e.g. 172.20.0.101)
• Listener: OutboundMail

Welcome to the Command Line Interface (CLI)

• The CLI is hierarchical

[Figure: command hierarchy. interfaceconfig leads to NEW, EDIT and DELETE, each prompting for Name:, Address:, Interface:, etc.]

smtp.scu.com> alertconfig

Please enter the email address(es) to send alerts.
Separate multiple addresses with commas.
Enter the word "DELETE" to clear the default and disable alerts.
[[email protected]]> [email protected]

Debounce timeout (seconds):
[300]> <cr>

Would you like to enable AutoSupport, which sends system alerts and
weekly status reports to IronPort Customer Care? (Enabling AutoSupport is
recommended.) [N]> <cr>

smtp.scu.com> commit

Please enter some comments describing your changes:
[]> change alert address to [email protected]

Changes committed: Mon Mar 22 16:19:49 2004

You must commit for configuration changes to take effect

The CLI Has Line Editing You Need to Learn

smtp.scu.com> inter<tab>faceconfig
Currently configured interfaces:
1. Management (192.168.42.42/24: ironport.example.com)
2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
3. PublicNet (192.35.195.42/24: smtp.scu.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit

Enter the number of the interface you wish to edit.
[]> 1

IP interface name (Ex: "InternalNet"):
[Management]> InternalNet

IP Address (Ex: 192.168.1.2):
[192.168.42.42]> <cr>

Ethernet interface:
1. Data 1
2. Data 2
3. Management
[3]> ^C
smtp.scu.com> showchanges

{}
smtp.scu.com> clear

Callouts on the transcript:

• Use tab for command or filename completion
• Subcommand prompt is [ ]>
• Selection lists are used frequently
• Defaults are given inside [ ] of prompt string
• ^C gets you out with no changes
• No changes
• Clear always clears all changes
• Type ? or help to see commands. Get command line history with up arrow, down arrow, ^p or ^n

Getting Going Is Fast And Easy

Option 1: Manual Setup

• Set up IP addresses on physical interfaces
  – interfaceconfig
• Get your IP routing right
  – setgateway
  – routeconfig
• Set up SMTP listeners on the interfaces
  – listenerconfig
• Tidy up SMTP routing (if needed)
  – smtproutes

Option 2: Quick Setup

The systemsetup wizard configures everything needed for a basic configuration

ironport.example.com> systemsetup

WARNING: The system setup wizard will completely delete any existing
'listeners' and all associated settings including the 'Host Access Table' -
mail operations may be interrupted.

Are you sure you wish to continue? [Y]>

Before you begin, please reset the administrator password to a new value.
Old password: ironport
New password: password
Retype new password: password

*****
You will now configure the network settings for the IronPort C60.
Please create a fully qualified hostname for the IronPort C60 appliance
(Ex: "ironport-C60.example.com"):
[]> smtp.scu.com
*****

You will now assign an IP address for the "Management Interface". This is
the default interface you will use for connecting to the system to configure
it.
Enter the IP address to use for the management interface. (Ex:
"192.168.1.1")
[]> 192.168.1.1

What is the netmask for this IP address? (Ex: "255.255.255.0" or
"0xffffff00"):
[255.255.255.0]> <cr>

What is the broadcast address for this IP address?
[192.168.1.255]> <cr>

You have successfully configured the Management interface.

*****
You will now assign an IP address for the "Data 1" interface.

Please create a nickname for the "Data 1" interface (Ex: "PrivateNet"):
[]> PrivateNet

Enter the static IP address to use for "PrivateNet" on the "Data 1"
interface: (Ex: "10.1.1.1"):
[]> 172.20.0.11

interfaceconfig Sets IP Addresses

Manual Setup

This is an unconfigured box with only the default Management interface. Let’s add an interface.

IronPort> interfaceconfig

Currently configured interfaces:
1. Management (192.168.42.42/24: IronPort)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> new

Please enter a name for this IP interface (Ex: "InternalNet"):
[]> PrivateNet

IP Address (Ex: 192.168.1.2):
[]> 172.20.0.42

Ethernet interface:
1. Data 1
2. Data 2
3. Management
[1]> 1

Netmask (Ex: "255.255.255.0" or "0xffffff00"):
[255.255.255.0]> <cr>

Broadcast address:
[192.168.0.255]> <cr>

Hostname:
[]> smtp-priv.scu.com

The hostname on the private side is what will appear on the SMTP banner. Make this unique to help in debugging.

interfaceconfig Controls the Protocols Available

Control FTP, SSH, HTTP, and HTTPS access on this interface.

Do you want to enable FTP on this interface? [N]> y
Which port do you want to use for FTP? [21]> <cr>

Do you want to enable Telnet on this interface? [N]> <cr>

Do you want to enable SSH on this interface? [N]> y
Which port do you want to use for SSH? [22]> <cr>

Do you want to enable HTTP on this interface? [N]> <cr>

Do you want to enable HTTPS on this interface? [N]> y
Which port do you want to use for HTTPS? [443]> <cr>

You have not entered an HTTPS certificate. To assure privacy, run
'certconfig' first. You may use the demo certificate,
but this will not be secure.
Do you really wish to use a demo certificate? [Y]> <cr>

Currently configured interfaces:
1. Management (192.168.42.42/24: ironport.example.com)
2. PrivateNet (172.20.0.11/24: smtp-priv.scu.com)
[]> <cr>

IronPort> commit

Please enter some comments describing your changes:
[]> configure private interface 172.20.0.42

Changes committed: Tue Mar 23 11:28:37 2004

Use etherconfig to set FDX/HDX/Auto ethernet properties

Enter <cr> at the subcommand prompt to go up one level

Don’t forget to commit changes!

Next: Create the PublicNet interface

Define Default and Static IP Routes

Manual Setup

IronPort> setgateway

Warning: setting an incorrect default gateway may cause the current connection to be interrupted when the changes are committed.
Enter new default gateway:
[]> 192.35.195.1

IronPort> commit

IronPort> routeconfig

Currently configured routes:
1. R&D net Destination: 172.20.2.0/24 Gateway: 172.20.0.254
2. QA net Destination: 172.20.3.0/24 Gateway: 172.20.0.254

Choose the operation you want to perform:
- NEW - Create a new route.
- EDIT - Modify a route.
- DELETE - Remove a route.
- CLEAR - Clear all entries.
[]>

Don’t forget to commit changes!

You can add static routes if you need them

Use listenerconfig to Define a Public Listener

Manual Setup

IronPort> listenerconfig

Currently configured listeners:

Choose the operation you want to perform:
- NEW - Create a new listener.
[]> new

Please select the type of listener you want to create.
1. Private
2. Public
3. Blackhole
[2]> 2

Please create a name for this listener (Ex: "InboundMail"):
[]> InboundMail

Please choose an IP interface for this Listener.
1. Management (192.168.42.42/24: IronPort)
2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
3. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 3

Create a public listener on the public interface

The listener type selects defaults appropriate for public or private listeners.

listenerconfig Public: Accept and Route Mail

Enter the domains or specific addresses you want to accept mail for.

Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
Usernames such as "postmaster@" are allowed.
Full email addresses such as "[email protected]" or "joe@[1.2.3.4]" are
allowed. Separate multiple addresses with commas.
[]> exchange.scu.com

Would you like to configure SMTP routes for exchange.scu.com? [Y]> y

Enter the destination mail server where you want mail for exchange.scu.com to be delivered. Separate multiple entries with commas.
[]> 172.20.0.30

Do you want to enable rate limiting per host? [Y]> n

Would you like to change the default host access policy? [N]> n

Listener InboundMail created.
Defaults have been set for a Public listener.

Accept mail only for exchange.scu.com

Route all mail to the Exchange system

Say no to rate limiting. You can always add it later.

You Also Set up a Private Listener

Currently configured listeners:
1. InboundMail (on PublicNet, 192.35.195.102) SMTP TCP Port 25 Public
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> new

Please select the type of listener you want to create.
1. Private
2. Public
3. Blackhole
[2]> 1

Please create a name for this listener (Ex: "OutboundMail"):
[]> OutboundMail

Please choose an IP interface for this Listener.
1. Management (192.168.42.42/24: IronPort)
2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
3. PublicNet (192.35.195.102/24: smtp.scu.com)
[1]> 2

Choose a protocol.
1. SMTP
2. QMQP
[1]> 1

Please enter the TCP port for this listener.
[25]> <cr>

Notice the default is not what you want. Read the selection lists carefully!

The Private Listener will do either SMTP or QMQP. The standard is SMTP, of course

listenerconfig Private: Select Relays and Policy Defaults

Please specify the systems allowed to relay email through the IronPort C60.
Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
IP addresses, IP address ranges, and partial IP addresses are allowed.
Separate multiple entries with commas.
[]> 172.20.0.0/24

Do you want to enable rate limiting for this listener? Rate limiting defines the maximum number of recipients per hour you are willing to receive from a remote domain.) [N]> n

Default Policy Parameters
==========================
Maximum Message Size: 100M
Maximum Number Of Connections From A Single IP: 600
Maximum Number Of Messages Per Connection: 10,000
Maximum Number Of Recipients Per Message: 100,000
Maximum Number Of Recipients Per Hour: Disabled
Use SenderBase for Flow Control: No
Virus Detection Enabled: Yes
Allow TLS Connections: No
Would you like to change the default host access policy? [N]> <cr>

Listener OutboundMail created.
Defaults have been set for a Private listener.
Use the listenerconfig->EDIT command to customize the listener.

You must specify what hosts in your network will be allowed to send mail out through the IronPort. Otherwise, no mail will be allowed through.

The default limits are vast enough!
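Added example (not from the training deck and not AsyncOS code): a simplified Python model of the two decisions configured on the public and private listener slides above, namely which recipients a public listener accepts and which hosts a private listener relays for. The function names and the matching semantics for partial hostnames, partial IP addresses and last-octet ranges such as 172.20.0.10-20 are assumptions; check the appliance documentation for its exact rules.

```python
import ipaddress
import re

PARTIAL_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.?$")                    # "172.20." or "172.20.0"
LAST_OCTET_RANGE = re.compile(r"^((?:\d{1,3}\.){3})(\d{1,3})-(\d{1,3})$")   # "172.20.0.10-20" (assumed syntax)


def domain_matches(entry, domain):
    """Assumed semantics: 'example.com' is exact, '.example.com' covers subdomains only."""
    entry, domain = entry.lower(), domain.lower()
    return domain.endswith(entry) if entry.startswith(".") else domain == entry


def rcpt_accepted(accept_entries, rcpt):
    """Public listener: is the recipient covered by an accept entry?"""
    rcpt = rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    for entry in (e.strip().lower() for e in accept_entries):
        if entry.endswith("@"):                 # username form, e.g. "postmaster@"
            if local == entry[:-1]:
                return True
        elif "@" in entry:                      # full address form
            if rcpt == entry:
                return True
        elif domain_matches(entry, domain):     # hostname or partial hostname
            return True
    return False


def relay_allowed(relay_entries, client_ip, client_hostname=None):
    """Private listener: may the connecting host relay through the gateway?"""
    ip = ipaddress.ip_address(client_ip)
    for entry in (e.strip() for e in relay_entries):
        try:
            network = ipaddress.ip_network(entry, strict=False)   # single IP or CIDR
        except ValueError:
            network = None
        if network is not None:
            if ip in network:
                return True
            continue
        ranged = LAST_OCTET_RANGE.match(entry)
        if ranged:
            base, low, high = ranged.group(1), int(ranged.group(2)), int(ranged.group(3))
            if client_ip.startswith(base) and low <= int(client_ip.rsplit(".", 1)[1]) <= high:
                return True
        elif PARTIAL_IP.match(entry):
            if client_ip.startswith(entry.rstrip(".") + "."):
                return True
        elif client_hostname and domain_matches(entry, client_hostname):
            return True
    return False


def broad_entries(relay_entries, min_prefix=16):
    """Flag relay entries wider than /min_prefix; these deserve a second look."""
    flagged = []
    for entry in (e.strip() for e in relay_entries):
        try:
            if ipaddress.ip_network(entry, strict=False).prefixlen < min_prefix:
                flagged.append(entry)
        except ValueError:
            if PARTIAL_IP.match(entry) and 8 * len(entry.rstrip(".").split(".")) < min_prefix:
                flagged.append(entry)
    return flagged


def smtp_decision(listener_type, client_ip, rcpt, accept_entries=(), relay_entries=()):
    """Public: accept only listed recipients. Private: relay only for listed hosts."""
    if listener_type == "private":
        return "RELAY" if relay_allowed(relay_entries, client_ip) else "REJECT"
    return "ACCEPT" if rcpt_accepted(accept_entries, rcpt) else "REJECT"


if __name__ == "__main__":
    # Values from the slides: accept exchange.scu.com, relay for 172.20.0.0/24.
    print(smtp_decision("public", "1.2.3.4", "user1@exchange.scu.com",
                        accept_entries=["exchange.scu.com"]))
    print(smtp_decision("private", "172.20.0.30", "someone@elsewhere.example",
                        relay_entries=["172.20.0.0/24"]))
```

An empty relay list rejects everything, which matches the slide's warning that no mail will be allowed through until relay hosts are specified.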

Use smtproutes to Override DNS

DNS MX records:
• scu.com MX smtp.scu.com
• notes.scu.com MX smtp.scu.com

smtproutes table:

Domain | Route
notes.scu.com | 172.20.0.20
scu.com | 172.20.0.30

[Figure labels: [email protected]; 172.20.0.30]

You could also use DNS names, if you want to depend on DNS

Use systemsetup to Quickly Configure:

Quick Setup

• Interfaces
• Listeners
• HTTP and HTTPS access
• Admin password
• System alert email destination
• Autosupport
• Anti-Virus & -Spam
• SMTP hostname
• Default gateway
• Smtproutes
• NTP and timezone
• DNS

IronPort> systemsetup
…
Before you begin, please reset your password to a new value.
Old password: ironport
New password: password
Retype new password: password

You will now configure the network settings for the IronPort C60.
Please create a fully qualified hostname for the IronPort C60 appliance
(Ex: "ironport-C60.example.com"):
[]> smtp.scu.com

The default password of an unconfigured box

Please use ‘password’ in all lab exercises!

This is the name used in the SMTP banner

C30 System Setup

* Indicates Required Information

• Choose a New Password for the “admin” account: *
• Fully Qualified Hostname of IronPort C-Series appliance: *
• Data 1
  – Choose an Interface Name (e.g. “PrivateNet”): *
  – IP Address: *
  – Netmask: *
  – Broadcast Address: *
• Data 2
  – Choose an Interface Name (e.g. “PublicNet”):
  – IP Address:
  – Netmask:
  – Broadcast Address:
• Default Router (gateway) IP Address: *
• Enable web interface?
  – If yes: HTTP or HTTPS
• DNS
  – Primary DNS Server IP Address:
  – Secondary DNS Server IP Address:
• Public listener
  – Choose a Listener Name (e.g. “InboundMail”):
  – IP Interface for this listener (from above):
  – Local domains or specific addresses to accept email for: [Initial RAT entry]
  – SMTP routes for domains or specific addresses:
  – Enable rate limiting?
• Private listener
  – Choose a Listener Name (e.g. “OutboundMail”): *
  – IP Interface for this listener (from above):
  – Systems allowed to relay email through this listener:
  – Enable rate limiting?
• Alert email address (i.e., where to send email system alerts)
• Enable AutoSupport?
• System Time
  – NTP Server (IP address or hostname):

C10 System Setup

* Indicates Required Information

• Choose a New Password for the “admin” account: *
• Fully Qualified Hostname of IronPort C-Series appliance: *
• Data 1
  – Choose an Interface Name (e.g. “MailNet”): *
  – IP Address: *
  – Netmask: *
  – Broadcast Address: *
• Default Router (gateway) IP Address: *
• Enable web interface?
  – If yes: HTTP or HTTPS
• DNS
  – Primary DNS Server IP Address:
  – Secondary DNS Server IP Address:
• Listener for accepting and relaying email
  – Choose a Listener Name (e.g. “MailDaemon”):
  – IP Interface for this listener (from above):
  – Local domains or specific addresses to accept email for: [Initial RAT entry]
  – SMTP routes for domains or specific addresses:
  – Enable rate limiting?
  – Systems allowed to relay email through this listener:
• Alert email address (i.e., where to send email system alerts)
• Enable AutoSupport?
• System Time
  – NTP Server (IP address or hostname):

You Often Will Add to systemsetup

Use interfaceconfig to enable FTP and SSH access on the private interface

smtp.scu.com> interfaceconfig

Currently configured interfaces:
1. Management (192.168.42.42/24: IronPort)
2. PrivateNet (172.20.0.42/24: smtp.scu.com)
3. PublicNet (192.35.195.42/24: smtp.scu.com)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit

Enter the number of the interface you wish to edit.
[]> 2

Do you want to enable FTP on this interface? [N]> y

Which port do you want to use for FTP? [21]> <cr>

Do you want to enable Telnet on this interface? [N]> <cr>

Do you want to enable SSH on this interface? [N]> y

Which port do you want to use for SSH? [22]> <cr>

Other things you might want to do or change:
• dnsconfig
• ntpconfig or settime
• setgateway
• routeconfig

Don’t forget to commit changes!

Firewall Port Configuration

Description | In/Out | Protocol | Port
SSH access to the CLI, aggregation of log files. | In | TCP | 22
SSH upgrades, aggregation of log files. | Out | TCP | 22
Telnet access to the CLI, aggregation of log files. | In | Telnet | 23
Telnet upgrades, aggregation of log files. | Out | Telnet | 23
SMTP to send email. | Out | TCP | 25
SMTP to receive bounced email or if injecting email from outside firewall. | In | TCP | 25
HTTP access to the GUI for system monitoring. Sophos virus scanning engine updates are retrieved via HTTP from port 80. | In | TCP | 80
DNS if configured to use Internet root servers or other DNS servers outside the firewall. | In & Out | UDP | 53
NTP if time servers are outside firewall. | In & Out | UDP | 123
LDAP if LDAP directory servers are outside firewall. | In & Out | LDAP | 389/3268
Secure HTTP (https) access to the GUI for system monitoring. Brightmail Rules are downloaded directly over HTTPS, by default, unless a proxy server is configured. | In | TCP | 443
QMQP if injecting email from outside firewall. | In | TCP | 628
FTP for aggregation of log files. | In or Out | TCP | 20/21

Verify Your Installation With Troubleshooting Tools

DNS layer: nslookup
Use for A and MX record lookup for any names anywhere in your configuration

IP layer: ping, traceroute
Use from outside to verify you can ping your IronPort
Use from the IronPort to verify that you go the “right direction” for any packets

Mail layer: telnet to port 25
Use to verify that the listeners are responding everywhere you think they should be and are coming up with a reasonable banner

[Diagram: Data2 interface (IP Public) with SMTP, 25 and SSH, 22; Data1 interface (IP Private) with SMTP, 25 and SSH, 22; DNS]


45

Installation & Setup Key Points

• Interfaces, IP addresses, and Services (such as SMTP) are all distinct and controllable entities. You have the flexibility to do whatever you want.

• You’re going to use the CLI whether you like it or not, but you get a lot of help along the way

• You can quickly set up the system using systemsetup, or you can do it manually with interfaceconfig, setgateway, routeconfig, listenerconfig, and smtproutes

• The CLI offers traditional IP debugging tools such as ping, traceroute, and nslookup. Use them.

• Make sure you open all of the firewall ports for the services you configure

46

References

• IronPort AsyncOS 3.8 User Guide
– Chapter 2: CLI Overview
– Chapter 3: Setup and Installation


Access Control

Module 3

48

HATs and RATs Give Control When the Message is Being Received

Message stages shown for each listener: TCP Connection, SMTP Session, Body Headers, Message Body

InboundMail listener
• Host Access Table: Controls access to the TCP port based on sender’s IP identity
• Recipient Access Table: Controls which mail is accepted based on envelope recipient

OutboundMail listener
• Host Access Table: Controls access to the TCP port based on sender’s IP identity
• Recipient Access Table: No RAT for outbound mail - who needs one?


49

The Host Access Table Gives You Control Based on IP Addresses

TCP Connection:
1.2.3.4,12345 (mail1.from.com)
4.5.6.7,25 (mx1.to.com)

SMTP Session:
EHLO from.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
RCPT TO: [email protected]

Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello
From: “Joe” [email protected]
To: “User One” [email protected]

Message Body:
Hello,

Identify senders by their IP addresses:

• Complete address
• Partial address
• CIDR block
• Range of addresses
• SenderBase score for an address
• Domain name (DNS PTR record)
• Partial domain name (DNS PTR record)
• DNS List lookup

Who?              What?
192.35.195.42     ACCEPT
216.255.128.0/19  REJECT
.aol.com          THROTTLE

50

The Left Hand Side of a HAT is a List of Sender Groups

• A Sender Group is a collection of senders (the “Who?”)
• HATs use Sender Groups to apply a Policy (Right Hand Side, the “What?”) to the whole group at once
• Built-in Sender Groups include WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST, and RELAYLIST

Example: SUSPECTLIST is a built-in Sender Group whose connections will be throttled if they send too much mail. It might contain entries such as these.

Sender (WHO?)     Comment
209.237.250.106   They sent us spam once
216.255.128.0/19  DIGEX is frequently a source of spam
.mx.AOL.COM       AOL is just too big to not throttle
209.237.224-255.  Someone on United Layer was bugging us


51

Sender Groups Can Have Many Different Types of Members

Sender Group Syntax (WHO?)  Meaning
192.35.195.42               Full IP Address
216.255.128.0/19            CIDR address block
.mx.AOL.COM                 Everything within the partial host domain
216.255.128.                Partial IP Address - matches any IP address beginning with this string
216.255.128-159.            Range of IP addresses
mailin-01.mx.AOL.COM        A fully-qualified domain name
SBRS[-10.0:-7.0] *          SenderBase Reputation Score range
SBO:177                     SenderBase Network Owner ID number
ALL                         Special keyword that matches ALL addresses
dnslist[domain] *           DNS List query against domain dns server

* Square brackets not needed in GUI

52

The Right Hand Side of the HAT is the Mail Flow Policy

HAT for a Public Listener (C30)

This Sender Group (WHO?):  Uses this Mail Flow Policy (WHAT?):
WHITELIST                  $TRUSTED
BLACKLIST                  $BLOCKED
SUSPECTLIST                $THROTTLED
UNKNOWNLIST                $ACCEPTED
ALL                        $ACCEPTED

HAT for a Private Listener (C30)

This Sender Group (WHO?):  Uses this Mail Flow Policy (WHAT?):
RELAYLIST                  $RELAYED
ALL                        $BLOCKED

ALL is the default entry, which cannot be removed


53

The Right Hand Side of the HAT is the Mail Flow Policy

HAT for an Inbound / Outbound Listener (C10)

This Sender Group (WHO?):  Uses this Mail Flow Policy (WHAT?):
WHITELIST                  $TRUSTED
BLACKLIST                  $BLOCKED
SUSPECTLIST                $THROTTLED
UNKNOWNLIST                $ACCEPTED
RELAYLIST                  $RELAYED
ALL                        $ACCEPTED

ALL is the default entry, which cannot be removed

54

Mail Flow Policies Define a Set of Actions and Limitations

Default Mail Flow Policies

Policy Name  Action  Throttling  Anti-spam  Anti-virus
$TRUSTED     ACCEPT  NO          NO         YES
$BLOCKED     REJECT  N/A         N/A        N/A
$THROTTLED   ACCEPT  YES         YES        YES
$ACCEPTED    ACCEPT  NO          YES        YES
$RELAYED     RELAY   NO          NO         YES


55

Mail Flow Policies Control and Throttle Mail

Throttle within a TCP connection
– Max messages per connection
– Max recipients per message
– Max message size
– Max concurrent connection

Throttle across TCP connections
– Max recipients per hour
– Max recipients per hour error code
– Max recipients per hour text

TCP Connection:
1.2.3.4,12345 (mail1.from.com)
4.5.6.7,25 (mx1.to.com)

SMTP Session:
RCPT TO: [email protected] OK
RCPT TO: [email protected] Too many recipients
RCPT TO: [email protected] Too many recipients this hour

Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello

Message Body:
Hello,

Access Control (WHAT?)
• Accept connection
• Reject SMTP connection
• Refuse TCP connection
• Relay mail

Processing Control
• Require or bypass Anti-Spam
• Require or bypass Anti-Virus

56

IronPort Provides Default Entries for all HATs

This Sender Group:  Uses this Mail Flow Policy:
WHITELIST           $TRUSTED
BLACKLIST           $BLOCKED
SUSPECTLIST         $THROTTLED
UNKNOWNLIST         $ACCEPTED
ALL                 $ACCEPTED

These groups start out empty; you add to them as you develop your policy.

Order matters: HAT entries are consulted in order, and the first match wins

The initial policy is all hosts are accepted.
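The first-match rule above, modelled as an added Python example (not IronPort code and not part of the original slides). It parses the Sender Group member syntaxes from the slides except SBO: and dnslist[], which need live lookups; the group contents, the host values, and the treatment of SBRS range bounds as inclusive are assumptions made for the illustration.

```python
import ipaddress

def _octets_match(pattern, ip):
    """Full ("192.35.195.42"), partial ("216.255.128.") and ranged
    ("216.255.128-159.") IPv4 forms, compared octet by octet."""
    parts = [p for p in pattern.split(".") if p]
    if not pattern.endswith(".") and len(parts) != 4:
        return False                      # a prefix form must end with a dot
    for pat, octet in zip(parts, ip.split(".")):
        lo, _, hi = pat.partition("-")
        if not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True

def member_matches(member, ip, ptr=None, sbrs=None):
    """Does one Sender Group member match this connecting host?"""
    if member == "ALL":
        return True
    if member.upper().startswith("SBRS["):
        lo, hi = (float(x) for x in member[5:-1].split(":"))
        return sbrs is not None and lo <= sbrs <= hi   # inclusive: assumption
    if "/" in member:                                  # CIDR block
        return ipaddress.ip_address(ip) in ipaddress.ip_network(member)
    if set(member) <= set("0123456789.-"):             # IP, partial IP, range
        return _octets_match(member, ip)
    host = (ptr or "").lower()                         # name from DNS PTR record
    name = member.lower()
    return host.endswith(name) if name.startswith(".") else host == name

def hat_lookup(hat, groups, ip, ptr=None, sbrs=None):
    """Walk the HAT top to bottom; the first Sender Group that matches wins."""
    for group, policy in hat:
        members = ["ALL"] if group == "ALL" else groups.get(group, [])
        if any(member_matches(m, ip, ptr, sbrs) for m in members):
            return group, policy
    raise LookupError("HAT has no ALL entry")

# Constructed sample data: SUSPECTLIST members are the slide's examples,
# the WHITELIST and BLACKLIST members are assumptions for this illustration.
GROUPS = {
    "WHITELIST": [".mypartner.com"],
    "BLACKLIST": ["SBRS[-10.0:-7.0]"],
    "SUSPECTLIST": ["209.237.250.106", "216.255.128.0/19",
                    ".mx.AOL.COM", "209.237.224-255."],
    "UNKNOWNLIST": [],
}
PUBLIC_HAT = [("WHITELIST", "$TRUSTED"), ("BLACKLIST", "$BLOCKED"),
              ("SUSPECTLIST", "$THROTTLED"), ("UNKNOWNLIST", "$ACCEPTED"),
              ("ALL", "$ACCEPTED")]
# Same entries with BLACKLIST moved above WHITELIST, to show the effect of order.
BLACKLIST_FIRST = [PUBLIC_HAT[1], PUBLIC_HAT[0]] + PUBLIC_HAT[2:]

if __name__ == "__main__":
    host = dict(ip="198.51.100.7", ptr="bulk.mypartner.com", sbrs=-8.5)
    print("default order  :", hat_lookup(PUBLIC_HAT, GROUPS, **host))
    print("blacklist first:", hat_lookup(BLACKLIST_FIRST, GROUPS, **host))
```

With the default order, a whitelisted domain entry shadows the reputation-based BLACKLIST entry for the same host, so broad WHITELIST members deserve review whenever SBRS ranges are added lower in the table.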


57

Private Listener HATs Allow Inside to Send Out (Relay!)

This Sender Group:  Uses this Mail Flow Policy:
RELAYLIST           $RELAYED
ALL                 $BLOCKED

The RELAYLIST Sender Group is initially empty, and no mail will pass through this listener.

systemsetup or listenerconfig for a private (or C10) listener asks:
Please specify the systems allowed to relay email through the IronPort C60…

It adds these hosts to the RELAYLIST Sender Group.

The default HAT entry ALL - $BLOCKED prevents an open relay.

58

Default HATs Satisfy Most Customers’ Needs

Public Listener (C30)

Sender Group  Policy Name  Action  Inbound Throttling  Anti-spam  Anti-virus
WHITELIST     $TRUSTED     ACCEPT  NO                  NO         YES
BLACKLIST     $BLOCKED     REJECT  N/A                 N/A        N/A
SUSPECTLIST   $THROTTLED   ACCEPT  YES                 YES        YES
UNKNOWNLIST   $ACCEPTED    ACCEPT  Moderate            YES        YES
ALL           $ACCEPTED    ACCEPT  Moderate            YES        YES

Private Listener (C30)

Sender Group  Policy Name  Action  Inbound Throttling  Anti-spam  Anti-virus
RELAYLIST     $RELAYED     RELAY   NO                  NO         YES
ALL           $BLOCKED     REJECT  N/A                 N/A        N/A


59

Default HATs Satisfy Most Customers’ Needs

Inbound / Outbound Listener (C10)

Sender Group  Policy Name  Action  Inbound Throttling  Anti-spam  Anti-virus
WHITELIST     $TRUSTED     ACCEPT  NO                  NO         YES
BLACKLIST     $BLOCKED     REJECT  N/A                 N/A        N/A
SUSPECTLIST   $THROTTLED   ACCEPT  YES                 YES        YES
UNKNOWNLIST   $ACCEPTED    ACCEPT  Moderate            YES        YES
RELAYLIST     $RELAYED     RELAY   NO                  NO         YES
ALL           $ACCEPTED    ACCEPT  Moderate            YES        YES

60

Use the GUI to Modify Your Configuration

The GUI is organized with these five tabs:

• Incoming Mail
• Scanning
• Outgoing Mail
• Reporting
• System

Each tab has subtabs


61

Use the Incoming Mail Configuration Tab to Edit Your HAT

CLI: listenerconfig - edit - hostaccess

Choose the listener

Example: Add a trusted sender to the WHITELIST Sender Group of the InboundMail listener

62

Use the GUI to Add a Trusted Sender to the Whitelist

Identify sender by IP or domain name, or by using a SenderBase Reputation Score, or with a DNS List lookup

[Screenshot fields: IP, IP Range, Domain Name; SBRS; DNS List]

Be careful to include .mypartner.com, which will match any subdomains they use

Changes in the GUI are automatically committed when you save


63

Mail Flow Monitor Makes Controlling Problem Domains Easy

Click on any problem domain and add it to one of the Sender Groups

64

Add the Selected Domain to a Sender Group to Apply Associated Policy

Q: What policy is associated with this Sender Group?

A: See next slide


65

View Entries in Your Sender Groups With the GUI

66

How To Use Sender Groups and Mail Flow Policies in Your HAT

• Most common things you want to do in the HAT:
– Add senders to WHITELIST, BLACKLIST or SUSPECTLIST

• Less common things you might want to do in the HAT:
– Make new Sender Groups to distinguish classes of senders beyond WHITE/BLACK/SUSPECT
– Add SenderBase score ranges to Sender Groups

• Very uncommon:
– Perform a DNS List lookup during SMTP connection for either whitelist or blacklist purposes


67

Say Who You Accept Mail For In The RAT

Recipient Syntax      Meaning
Division.example.com  Fully-qualified domain name
.example.com          Everything within the .example.com domain

Less common usages:
User@domain           Complete email address
User@                 Anything with the given username
User@[1.2.3.4]        Username at a domain literal address (square brackets required)

Q: When do you add to the RAT?
A: When you acquire a new domain.

68

The Recipient Access Table Is Checked For Each SMTP Recipient

TCP Connection:
1.2.3.4,12345 (mail1.from.com)
4.5.6.7,25 (mx1.to.com)

SMTP Session:
EHLO from.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
RCPT TO: [email protected]

Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello
From: “Joe” [email protected]
To: “User One” [email protected]

Message Body:
Hello,

Identify recipients by domain or local-part:

• Complete domain
• Partial domain
• Local-part (username)
• Local-part@domain

RAT Table
to.com       ACCEPT
eng.to.com   ACCEPT
oldname.com  REJECT (with custom SMTP message)

MAIL FROM: is not checked in the RAT; only recipients


69

The RAT Lets You Accept or Reject Each Recipient

TCP Connection:
1.2.3.4,12345 (mail1.from.com)
4.5.6.7,25 (mx1.to.com)

SMTP Session:
RCPT TO: [email protected] OK
RCPT TO: [email protected] No such user

Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello
From: “Joe” [email protected]
To: “User One” [email protected]

Message Body:
Hello,

RAT Control Mechanisms
• Accept recipient
• Reject recipient
• Accept recipient and bypass throttling

70

Use listenerconfig to View and Edit RAT Settings

(SERVICE) smtp.scu.com> listenerconfig

Currently configured listeners:
1. InboundMail (on PublicNet, 192.35.195.42) SMTP TCP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.0.42) SMTP TCP Port 25 Private

Enter "NEW" to create a new listener, "EDIT" to modify, "DELETE" to remove, or
"SETUP" to change global settings.
[]> edit

Enter the name or number of the listener you wish to edit.
[]> 1

Name: InboundMail
Type: Public
Interface: PublicNet (192.35.195.42/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: No
Antispam: Deliver, Prepend "[SPAM] " to Subject
Suspectedspam: inactive
Bounce Profile: Default
Use SenderBase For IP Profiling: Yes
LDAP: off
AntiVirus: Scan and Clean

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]> rcptaccess

Recipient Access Table

There are currently 2 recipients.
Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]> print

scu.com ACCEPT
ALL REJECT

Recipient Access Table

There are currently 2 recipients.
Default Access: REJECT

You must edit the RAT to see what’s in it

Type print to see the whole RAT


71

You Must Use the CLI to Edit the RAT

smtp.scu.com> listenerconfig
[]> edit

[]> 1 (InboundMail)

[]> rcptaccess

Recipient Access Table

There are currently 2 recipients.
Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]> new

Enter the recipient address for this entry.
Hostnames such as "example.com" and "[1.2.3.4]" are allowed.
Partial hostnames such as ".example.com" are allowed.
Usernames such as "postmaster@" are allowed.
Full email addresses such as "[email protected]" or "joe@[1.2.3.4]" are allowed.
Separate multiple addresses with commas.
[]> scu.net

Select the action to apply to this address:
1. Accept
2. Reject
[1]> 1

Would you like to specify a custom SMTP response? [N]>

Would you like to bypass receiving control for this entry? [N]>

Recipient Access Table

There are currently 3 recipients.
Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]>

Name: InboundMail
Type: Public
Interface: PublicNet (192.35.195.42/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: No
Antispam: Deliver, Prepend "[SPAM] " to Subject
Suspectedspam: inactive
Bounce Profile: Default
Use SenderBase For IP Profiling: Yes
LDAP: off
AntiVirus: Scan and Clean

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]>

Add an entry in the RAT to accept mail for another domain name

You can see the entry count go up

Don’t forget to commit!

72

How to Avoid an Open Relay With the RAT

RAT for a Public Listener

This Recipient:  Has This Action Applied:
mycompany.com    ACCEPT
ALL              REJECT

The default RAT entry ALL - REJECT prevents an open relay.

Note that an overly broad recipient rule like ‘user@’ could be exploited by spammers

systemsetup or listenerconfig for a public listener asks:
Enter the domains or specific addresses you want to accept mail for.

It adds these hosts as ACCEPT entries in the RAT.

Order does NOT matter in the RAT - the most specific entry matches
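Most-specific-match lookup and the 'user@' risk noted above, as an added Python example (not IronPort code and not part of the original slides). The relative ranking of entry types (full address, then complete domain, then partial domain, then username@, then ALL) is an assumption for the illustration, as are the sample RAT and the helper names.

```python
def _specificity(entry, rcpt):
    """Rank of a RAT entry for this recipient, or None if it does not match.
    Higher tuples are more specific (ranking order is an assumption)."""
    local, _, domain = rcpt.lower().rpartition("@")
    e = entry.lower()
    if e == "all":
        return (0, 0)
    if e.endswith("@"):                       # "postmaster@": any domain
        return (1, 0) if e[:-1] == local else None
    if "@" in e:                              # complete email address
        return (4, 0) if e == f"{local}@{domain}" else None
    if e.startswith("."):                     # partial domain, longest wins
        return (2, len(e)) if domain.endswith(e) else None
    return (3, 0) if e == domain else None    # complete domain

def rat_lookup(rat, rcpt):
    """Return (matching entry, action); table order plays no part."""
    matches = []
    for entry in rat:
        rank = _specificity(entry, rcpt)
        if rank is not None:
            matches.append((rank, entry))
    if not matches:
        return ("(no entry)", "REJECT")
    entry = max(matches)[1]
    return entry, rat[entry]

def relay_risks(rat, own_domains):
    """Flag ACCEPT entries that can match recipients outside own_domains."""
    risks = []
    for entry, action in rat.items():
        if action != "ACCEPT":
            continue
        e = entry.lower()
        if e == "all":
            risks.append((entry, "accepts every recipient (open relay)"))
        elif e.endswith("@"):
            risks.append((entry, "accepts this username at any domain"))
        else:
            bare = e.rpartition("@")[2].lstrip(".")
            if not any(bare == d or bare.endswith("." + d) for d in own_domains):
                risks.append((entry, "domain is not one you receive mail for"))
    return risks

# Constructed sample RAT for a public listener (entries are assumptions).
RAT = {
    "mycompany.com": "ACCEPT",
    ".mycompany.com": "ACCEPT",
    "postmaster@": "ACCEPT",      # the overly broad kind of rule
    "oldname.com": "REJECT",
    "ALL": "REJECT",
}

if __name__ == "__main__":
    for rcpt in ("user1@mycompany.com", "user1@eng.mycompany.com",
                 "someone@elsewhere.example", "postmaster@elsewhere.example"):
        print(rcpt, "->", rat_lookup(RAT, rcpt))
    print(relay_risks(RAT, ["mycompany.com"]))
```

The last lookup shows the exposure: a recipient at a foreign domain is accepted because only the local-part was checked, and the MAIL FROM address never enters the decision.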


73

Best Practice for Validating Inbound Recipients

1. Use the RAT to validate the domain

2. Use a centralized LDAP server or groupware server (e.g. Exchange, Notes) to validate the local-part (username)
– Prevent directory harvest attacks!
– Use the ldapconfig command

[Diagram: the address [email protected], labelled RAT and LDAP]

74

There are several ways to re-write envelope addresses

• Inbound: Envelope-to
– Alias table: aliasconfig
– Domain map: domainmap
– LDAP: ldapconfig

• Outbound: Envelope-from
– Masquerading: listenerconfig -> EDIT -> OutBoundMail -> MASQUERADE

[email protected][email protected]

[email protected][email protected]


75

Access Control Key Points

• The HAT is consulted at TCP connect time; the RAT at SMTP dialog time for each recipient

• Sender Groups are the Left Hand Side of the HAT; Mail Flow Policies are the Right Hand Side of the HAT

• Incoming (“public listener”) HATs are different from Outgoing (“private listener”) HATs

• There are a bunch of parameters that give you fine-grained control over the behavior of the Mail Flow Policies, although the default may be fine (depending on your customer)

• The RAT defines who (as in “which domain names”) you are willing to receive mail for

• Various mechanisms available (e.g. LDAP) to validate and re-write recipient addresses

76

References

• IronPort AsyncOS 3.8 User Guide
– Chapter 4: Configuring the Gateway to Receive Email
– Chapter 5: Configuring Email Routing and Delivery


Policy Enforcement, Anti-Spam, and Anti-Virus

Module 4

78

Content Scanning Overview

• Content Scanning with Message Filters

– Ensure intellectual property does not leave the network
  • Scan for “company confidential” or words specific to your business
  • Protect intellectual property and track offenders

– Eliminate illicit content at the gateway
  • Prevent inappropriate files, movies, etc. from entering your network

– Minimize legal liability
  • Ensure compliance with industry laws and standards

– “Swiss Army Knife”
  • Unlimited ways to filter and act upon specific types of mail


79

Message Filters Redirect and Modify Messages As You Require

Message filters are a flexible way to customize the behavior of the system.

TCP Connection:
1.2.3.4,12345 (mail1.from.com)
4.5.6.7,25 (mx1.to.com)

SMTP Session:
EHLO from.com
MAIL FROM: joe@from.com
RCPT TO: user1@to.com

Body Headers:
Received: from mail1.from
From: bob@from.com
To: user1@to.com

Message Body:
Hello,

Message filters use a script-like logical syntax and are applied to every message passed through the system

80

Filters Can Look For Things and Take Actions

Things You Can Look for
– Destination host
– Encryption
– Sender
– Recipient
– Subject
– Text in the message or attachment
– Attachment type
– SBRS score
– Message size

Actions You Can Take
– Drop messages
– Bounce messages
– Insert/Delete headers
– Drop attachments
– Redirect message
– Route to mail host
– BCC, copy or archive
– Notify someone
– Skip spamcheck
– Skip viruscheck
– Change bounce profile
– Stamp footer


81

Anatomy of a Filter

drop_all:
if (true) {
    insert-header('X-SBRS', '$Reputation');
}

[Callouts on the filter above: Label, Rule, Action, Action Variable]

Labels must be unique among all filters on the system.
Labels are case sensitive.
Labels must start with an underscore (_) or a letter (A-z). After the first character, labels may also include hyphens (-) or numbers (0-9).

A filter’s rules appear after the “if” and before the opening curly brace “{”.

Expressions are of the form <rule> <operator> <value>

where <value> may be a regular expression.

A filter may have any number of expressions, associated by Boolean operators AND, OR, and NOT.

Action variables contain information the system knows about this message that can be used in rules or actions

82

Final Actions:Drop, Bounce, and Deliver

• drop()
Aborts the incoming message. The message will not be delivered.

• deliver()
Short-circuits the filtering system. The message will go on to Anti-Spam/Anti-Virus processing, if configured, otherwise it will be enqueued for delivery immediately.

• bounce()
Bounces the incoming message. The original message will not be delivered to anyone.

After a final action, filter processing stops immediately.

The rest of the filter is not checked, and no other filters are checked.


83

Examples

Bounce Messages > 6 MB

BounceOver6MB:
if (body-size > 6M) {
    bounce();
}

It would be smarter to not send the entire huge message back…

NotifyAndDropOver6MB:
if (body-size > 6M) {
    notify('$EnvelopeFrom');
    drop();
}

Looking for text in the body of a message

ConfidentialFilter:
if (body-contains('(?i)Company Confidential')) {
    notify ('[email protected]');
}

You can also check against a content dictionary instead of a static string

84

More Examples

Drop attachments

drop_all_dangerous:
if (true) {
    drop-attachments-by-filename ('(?i)\\.pif$');
    drop-attachments-by-filename ('(?i)\\.bat$');
    drop-attachments-by-filename ('(?i)\\.scr$');
    drop-attachments-by-filename ('(?i)\\.com$');
    drop-attachments-by-filetype ('Executable');
}

Stamp message footer

stamp_forward_looking:
if (recv-listener == 'Outbound') {
    add-footer ('Forward_Looking_Disclaimer');
}

Forward_Looking_Disclaimer is a text object you define with textconfig


85

Create Filters with the CLI or Using Import / Export

smtp.scu.com> filters

Available filter commands: NEW, DELETE, IMPORT, EXPORT, MOVE, SET, LIST,
DETAIL, LOGCONFIG, ROLLOVERNOW.
[]> list

Num Active Valid Name
1   Y      Y     flowdet-skip-spamcheck
2   Y      Y     dropbadmail
3   Y      Y     BounceOver6MB

Available filter commands: NEW, DELETE, IMPORT, EXPORT, MOVE, SET, LIST,
DETAIL, LOGCONFIG, ROLLOVERNOW.
[]> delete 3

1 filters deleted.
[]> new

Enter filter script. Enter '.' on its own line to end.
NotifyAndDropOver6MB:
if (body-size > 6M) {
notify('$EnvelopeFrom');
drop();
}
.
1 filters added.

Q: What happens when you re-import a filter of the same name?
A: It will replace an existing filter with the same case-sensitive name.

You can also import / export your entire list of filters

86

Anti-Spam Overview

• Reputation Filters block spam before messages are even accepted

– Uses SenderBase scoring, similar to a credit rating service for sender IP addresses

– Typically blocks up to 50% of all spam

– Yields higher performance since blocked messages don’t have to be queued and processed

• Spam Detection scans messages for spam

– Scans for known spammers and “spammy” message content

• Configurable system-wide spam thresholds

– Decide whether to drop, forward, tag, archive or quarantine

– Handle spam and suspected spam differently


87

IronPort SenderBase™ Reputation Service

• Rolls data up into a “reputation score” between -10 to +10
– -10 is very bad
– 0 is not enough traffic to be positive and no bad reports
– +10 is very good

• Tracks objective network data about senders
– Global volume

– Complaints

– Blacklists and whitelists

– Geographic information

– Security threats

www.senderbase.org

88

Drill Down on a Sender’s IP or Domain

GUI: Incoming - IP address search


89

What do those SBRS numbers mean, anyway?

[Scale: -10, -5, 0, +5, +10]

A known enterprise, or sender who has undergone third-party certification, with no complaints and a long sending history.

Long sending history, few complaints

Some sending history, low or moderate complaints

May be a dynamic IP (e.g., dialup) sending direct to Internet or an email marketer with poor practices, or a legitimate enterprise with an open server

Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Almost always spam.

An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints and spamtrap hits

An IP address controlled by a spam house or a known open proxy generating massive volume of complaints and hitting many spamtraps. Almost guaranteed to be spam.

90

Configure Reputation Filters in the HAT

[Diagram labels: steps 1 to 5; TCP/IP Connect from 64.12.2.8; SBRS Scoring Engine; Rule hits for 64.12.2.8; SBRS = x.x; SBRS Database; SenderBase Affiliate Network]

Data feeding the SBRS Database:
• Global complaint data
• Global volume data
• Blacklists
• Open Proxy Lists
• Additional SenderBase Data Services

Apply the appropriate Mail Flow Policy:
250 - Recipient Accepted
or 452 - Too many recipients this hour
or 554 - Access Denied


91

How to Create a Reputation Filter

1. Define an SBRS range in a sender group
2. Bind an appropriate mail flow policy to the sender group

THROTTLED

92

IronPort Suggests A Two-Phased Approach to Reputation Filters

SenderBase Reputation Score (SBRS)  Phase 1                      Phase 2
-10, -9, -8, -7                     $THROTTLED [ -10.0 : -7.0 ]  $BLOCKED [ -10.0 : -7.0 ]
-6, -5, -4, -3, -2                  $ACCEPTED* [ -7.0 : -2.0 ]   $THROTTLED [ -7.0 : -2.0 ]
-1, 0, 1, 2, 3, 4, 5                $ACCEPTED* [ -2.0 : 6.0 ]    $ACCEPTED* [ -2.0 : 6.0 ]
6, 7, 8, 9, 10                      $TRUSTED [ 6.0 : 10.0 ]      $TRUSTED [ 6.0 : 10.0 ]

* This is the default mail flow policy


93

Use Brightmail for Content-based Spam Detection

[Diagram labels: Internet; Probe Network; Brightmail Logistics and Operations Center; Brightmail Rules; Mailbox server; Brightmail Quarantine (optional); Quarantined messages; links labelled SMTP and HTTPS; Port: 41025]

Users can also send suspected messages from their message store to the Brightmail Quarantine

End users and administrators view the quarantine via HTTP

94

Brightmail Configuration Means Making Many Decisions

Message stages: TCP Conn, SMTP, Body Hdrs, Body

Spam: pick one
– Quarantine
– Bounce
– Deliver
– Drop

Suspected Spam: pick one
– Quarantine
– Bounce
– Deliver
– Drop

Follow-on steps shown for both Spam and Suspected Spam: Redirect? Modify Subject? Add header? Archive?; Stop; To Quarantine Host; Bounce Processing

Not Spam or Reinserted from Quarantine: Deliver


95

Configure Brightmail Through the GUI

Enable Brightmail…

Brightmail score which will be considered suspected spam

96

Accept the Brightmail License Agreement … to get to The Question

Hint: Choose Yes, because you can’t change your mind.

Accept the Brightmail License Agreement

… and answer The Question


97

Enabled

Choose How to Deal With Spam

You have the same choices for Spam and Suspected Spam

Deliver
Bounce
Drop
Quarantine

Modify the message if you want to deliver suspected spam and mark it somehow

Redirect, quarantine, or archive the message if you want to avoid normal delivery

98

Anti-Virus Overview

• Virus Protection under your control

– Decide whether to drop, forward, tag, archive or deliver attachments containing viruses

– Handle cleanable and uncleanable messages differently

• Up to 55 msgs/second at this point in the funnel

• Content Scanning can identify virus or worm-generated email

– Match messages with your own criteria

– Decide whether to drop, forward, tag, archive or deliver identified messages

– Handle encrypted messages differently


99

IronPort uses Sophos for Anti-Virus Protection

[Diagram labels: Internet; SMTP; HTTP; Mailbox Server; Anti-Virus Updates; Sophos Updates; Anti-Virus Definitions; IronPort Support Center]

100

Sophos Configuration Means Making Many Decisions

[Flowchart labels, grouped]
Stages: TCP Conn, SMTP, Body Hdrs, Body
Scan results: Virus Found; No Virus Found; Message unscannable (possible virus); Encryption detected (unscannable portions)
Decision points: Is Repair enabled? (Yes / No); Attempt to Clean (Success / Failure); Is Drop infected attachments enabled? (Yes / No); Pick One
Actions: Deliver; Deliver as Attachment; Drop; Drop Attachment
Per-action options: Modify Subject? Add header? Redirect? Route to alternate host? Archive original? Notify anyone?


101

Configure Sophos with the GUI

Enable Sophos and set the update interval

Edit settings on a listener

Note that all updates come from IronPort

102

Scan and Repair viruses
Scan for Viruses only

Choose Your Actions When a Virus Is Found

Enable on this listener

GUI: Scanning - Sophos - edit InboundMail

Choose scan behavior when a virus is found


103

Choose Your Actions When a Virus Is Successfully Repaired

Alert the recipient

You can provide custom headers for mail agents to sort on

GUI: Scanning - Sophos - edit InboundMail

104

Choose Your Actions When a Virus Cannot be Repaired

You get separate configurations for each case:

• Encrypted message
• Message unscannable
• Virus-infected message

Drop
Deliver as Attachment to New Message
Deliver As Is


105

Policy Enforcement Key Points

• Filters can be used to look within a message, including the message body, attachments, and headers

– Filters allow you to drop, bounce, deliver, redirect and modify messages

– Filters should be used with care but can be a powerful tool

• Reputation filters can be used to drop, throttle, or tag mail based on the SenderBase Reputation Score (SBRS)

• Brightmail Anti-spam allows you to control what happens to spam and suspected spam

• Sophos Anti-virus allows you to control what happens to viruses

106

References

• IronPort AsyncOS 3.8 User Guide
– Chapter 6: Anti-Spam
– Chapter 7: Anti-Virus
– Chapter 8: Policy Enforcement

• IronPort Reputation Filters White Paper
– http://www.ironport.com/download/


Monitoring, Logging, and Troubleshooting

Module 5

108

Regular Monitoring Makes for Happy Mail Systems

Periodic

Daily checks: Report status
• Is my system healthy?

Monthly checks: Report details
• What happened last month?

Reactive

Troubleshooting: Configuration changes
• I need to make this change: Will it work?
• Does it do what I expect?

Troubleshooting: Problem / query
• What happened to a particular message?
• Is this change I am making correct?


109

The IronPort GUI Gives You Five Views Into Your System

110

Incoming Mail Overview Shows How Effective Your Policy Is

Your time range setting is saved in a browser cookie

Get an instant view of your recipient load and which Mail Flow Policies are being exercised


111

Incoming Reports Show How Your Policies Perform - Use Standard Reports

• Top IPs by recipients blocked (past day)
• Top domains by recipients blocked (past day)
• Top domains by unclassified recipients (past day)
• Top network owners by unclassified recipients (past day)

112

Incoming Reports Show How Your Policies Perform - Create Custom Reports

IP, Domains, Network Owner

Recipients Received, % Change Recipients, Rcpts. Blocked by Rate Limit, % Brightmail Positive, % Brightmail Suspect, Virus Positive, Connections Rejected, SBRS

Past Hour, Past Day, Past Week, Past Month

20, 50, 100


113

Verify You Got Your Anti-Virus and Anti-Spam Updates

The Sophos Overview also shows latest anti-virus update time

114

Outgoing Overview Shows Any Delivery Problems CLI: tophosts

Check the Status of Outbound Mail

You can sort by any of these columns

Active Recipients are messages in the IronPort work queue

Totals since last counter reset

Concurrent connections

Click on a recipient host to see status information


115

System Overview Shows Queue Size and Connection Rates

Learn what queue size is normal for your system

Do the math: Of 2,375 recipients received, about 1,100 are out of the system. That means 1275 are in the work queue.

Set each graph to the subject and interval you want for your system

116

Generate Periodic Reports Automatically

Report Type       Available Components
System Summary    System Statistics, Spam Statistics, Virus Statistics, Message Flow Histogram
Incoming Volume   Virus Senders, Spam Senders, Unclassified Recipients, Rejected Connections, Recipients Received, Received Bytes, Accepted TLS Connections, Rejected TLS Connections

You can configure what periodic reports you want, what to include in the report, what format you want them in, and where to send them

Report Configuration    Available Selections
Report Type             Incoming Volume, System Summary
Frequency               Daily, Weekly, Monthly
Send Result To          Email (multiple); CLI / text; GUI / HTML
Result Formats          Text, HTML, CSV, XML
Save Previous Reports   Specify a number
Components to Include   Report specific


117

Choose the Periodic Reports You Want

118

Set Up Periodic Reports the Way You Want Them

Configure the report deliveries you want

Specify what data you want


119

See the HTML Reports From the GUI

120

Overview of Troubleshooting Tasks

Periodic

Daily checks: Report status
• Is my system healthy?

Monthly checks: Report details
• What happened last month?

Reactive

Troubleshooting: Configuration changes
• I need to make this change: Will it work?
• Does it do what I expect?

Troubleshooting: Problem / query
• What happened to a particular message?
• Is this change I am making correct?


121

Use Debugging Tools After Changing the System Configuration

• The trace utility (GUI or CLI) simulates how policy acts on a message

• Various logs record the passage of a message through the system and its final disposition (CLI)
– mail_logs records a summary trail of connection to a listener, acceptance of the message, processing, and delivery

• Use tail to look at logs from the console, or ftp logs to your workstation to use tail and grep (CLI)

122

mail_logs Records Every Step In Processing A Message

• Contain details of message receiving, delivery, and bounces
– Status information is also logged every minute
– Does not include delivery codes

• Use cases
– Track the receipt, processing, and delivery of specific messages
– Track Anti-Spam and Anti-Virus checking results
– Analyze system performance

• How event records are identified
– ICID: Incoming Connection ID
– MID: Message ID
– RID: Recipient ID
– DCID: Delivery Connection ID
– New: New connection initiated; ICID created
– Start: New message started; MID created


123

Track One Message from Beginning to End in the mail_logs

Mon Apr 7 19:56:22 2003 Info: New SMTP ICID 5 interface Management address 10.1.1.209
Mon Apr 7 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 7 19:57:20 2003 Info: MID 6 ICID 5 From:<[email protected]>
Mon Apr 7 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To:<[email protected]>
Mon Apr 7 19:59:52 2003 Info: MID 6 ready 100 bytes from <[email protected]>
Mon Apr 7 19:59:59 2003 Info: ICID 5 close
Mon Apr 7 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Apr 7 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to [0]
Mon Apr 7 20:10:58 2003 Info: Message done DCID 8 MID 6 to [0]
Mon Apr 7 20:11:03 2003 Info: DCID 8 close

New connection initiated; ICID created

New message started; MID created

Delivery Connection ID

Recipient ID

Message ID

Incoming Connection ID
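The ID correlation described on the two slides above, as an added example (not IronPort code and not part of the original deck): it joins mail_logs events on ICID, MID, RID and DCID to rebuild each message's path and list messages that were accepted but never delivered. The addresses, the extra MID 7, the function names and the comma-separated form of a multi-recipient "to [...]" list are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the mail_logs layout shown above. The addresses are
# placeholders, and MID 7 is an added message that is never delivered.
SAMPLE_LOG = """\
Mon Apr 7 19:56:22 2003 Info: New SMTP ICID 5 interface Management address 10.1.1.209
Mon Apr 7 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 7 19:57:20 2003 Info: MID 6 ICID 5 From:<sender@example.com>
Mon Apr 7 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To:<rcpt@example.net>
Mon Apr 7 19:59:52 2003 Info: MID 6 ready 100 bytes from <sender@example.com>
Mon Apr 7 19:59:55 2003 Info: Start MID 7 ICID 5
Mon Apr 7 19:59:56 2003 Info: MID 7 ICID 5 From:<other@example.com>
Mon Apr 7 19:59:57 2003 Info: MID 7 ICID 5 RID 0 To:<rcpt@example.net>
Mon Apr 7 19:59:58 2003 Info: MID 7 ready 2048 bytes from <other@example.com>
Mon Apr 7 19:59:59 2003 Info: ICID 5 close
Mon Apr 7 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Apr 7 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to [0]
Mon Apr 7 20:10:58 2003 Info: Message done DCID 8 MID 6 to [0]
Mon Apr 7 20:11:03 2003 Info: DCID 8 close
"""

# "<timestamp> <level>: <event text>"
LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \w+: (.*)$")
EVENTS = [
    ("conn", re.compile(r"New SMTP (ICID|DCID) (\d+) interface (\S+) address (\S+)")),
    ("start", re.compile(r"Start MID (\d+) ICID (\d+)")),
    ("rcpt", re.compile(r"MID (\d+) ICID \d+ RID (\d+) To: ?<([^>]*)>")),
    ("sender", re.compile(r"MID (\d+) ICID \d+ From: ?<([^>]*)>")),
    ("ready", re.compile(r"MID (\d+) ready (\d+) bytes")),
    ("deliver", re.compile(r"Delivery start DCID (\d+) MID (\d+) to \[([\d, ]*)\]")),
    ("done", re.compile(r"Message done DCID (\d+) MID (\d+) to \[([\d, ]*)\]")),
]


def _rids(text):
    """Recipient IDs from a bracketed list such as "0" (comma-separated assumed)."""
    return {int(x) for x in text.replace(",", " ").split()}


def correlate(log_text):
    """Return {MID: record} built by joining events on ICID, MID, RID and DCID."""
    conns, msgs = {}, {}

    def msg(mid):
        return msgs.setdefault(int(mid), {
            "icid": None, "source": None, "sender": None, "size": None,
            "recipients": {}, "delivered": set(), "dcid": None,
            "destination": None, "ready": None, "done": None})

    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # anything that is not a timestamped event line is skipped
        # Drop the weekday, then parse "Apr 7 19:56:22 2003".
        stamp = " ".join(line.group(1).split()[1:])
        when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        for kind, pattern in EVENTS:
            m = pattern.match(line.group(2))
            if not m:
                continue
            if kind == "conn":      # remember the peer address of each connection
                conns[(m.group(1), int(m.group(2)))] = m.group(4)
            elif kind == "start":   # MID created on an incoming connection
                rec = msg(m.group(1))
                rec["icid"] = int(m.group(2))
                rec["source"] = conns.get(("ICID", rec["icid"]))
            elif kind == "sender":
                msg(m.group(1))["sender"] = m.group(2)
            elif kind == "rcpt":
                msg(m.group(1))["recipients"][int(m.group(2))] = m.group(3)
            elif kind == "ready":   # message fully received and queued
                rec = msg(m.group(1))
                rec["size"], rec["ready"] = int(m.group(2)), when
            elif kind == "deliver":
                rec = msg(m.group(2))
                rec["dcid"] = int(m.group(1))
                rec["destination"] = conns.get(("DCID", rec["dcid"]))
            elif kind == "done":
                rec = msg(m.group(2))
                rec["delivered"] |= _rids(m.group(3))
                rec["done"] = when
            break
    return msgs


def undelivered(msgs):
    """MIDs that reached "ready" but have recipients with no "Message done"."""
    return sorted(mid for mid, r in msgs.items()
                  if r["ready"] and set(r["recipients"]) - r["delivered"])


def queue_seconds(rec):
    """Seconds between "ready" and "Message done", or None if not delivered."""
    if rec["ready"] and rec["done"]:
        return int((rec["done"] - rec["ready"]).total_seconds())
    return None


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for mid, rec in sorted(found.items()):
        print(mid, rec["sender"], rec["source"], "->", rec["destination"],
              "queued", queue_seconds(rec), "s")
    print("undelivered MIDs:", undelivered(found))
```

Run it against a log retrieved over FTP by passing the file's text to correlate(); a MID that stays in the undelivered list is one to follow up in the work queue.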

124

To Retrieve the Whole Log File, Use Log Subscriptions

smtp.scu.com> logconfig

Currently configured logs:
1. "antivirus" Type: "AntiVirus Logs" Retrieval: FTP Poll
<etc>
Enter "NEW" to create a new log or "EDIT" to modify or "DELETE" to remove or
"SETUP" for general settings or "LOGHEADERS" to set up headers to log.
[]> edit
Enter the number of the log you wish to edit.
[]> 9

Log level:
1. Error
2. Warning
3. Information
4. Debug
5. Trace
[3]> <cr>

Please enter the name for the log:
[mail_logs]> <cr>

Choose the method to retrieve the logs.
1. FTP Poll
2. FTP Push
3. SCP Push
[1]> 1

Please enter the filename for the log:
[mail]> <cr>

This is the first part of the file name

Log level should be Information unless you are troubleshooting something really hard

This is the directory name

Choose FTP Poll for now

Log file names: [email protected] [email protected]

Open for writing

Saved - complete

Open for writing


125

Retrieve Logs With FTP

jlt:~ jlt$ ftp smtp.scu.com
Connected to smtp.scu.com.
220 smtp.scu.com IronPort FTP server (V1.37.10.1) ready.
Name (smtp.scu.com:jlt): admin
331 Password required.
Password: password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
150 Opening ASCII mode data connection for file list
drwxrwx--- 2 root log 512 May 19 06:21 brightmail_logs
drwxrwx--- 2 root config 512 May 22 04:50 configuration
drwxrwx--- 2 root log 1024 May 19 06:21 domain_logs
drwxrwx--- 2 root log 1024 May 22 04:50 system_logs
drwxrwx--- 2 root log 512 May 22 04:50 cli_logs
drwxrwx--- 2 root log 512 May 19 06:21 bounce_logs
drwxrwx--- 2 root log 512 May 22 04:51 rptd_logs
drwxrwx--- 2 root log 1024 May 22 04:51 sntpd_logs
drwxrwx--- 2 root log 512 May 22 04:51 antivirus
drwxrwx--- 2 root log 1024 May 22 04:51 mail_logs
drwxrwx--- 2 root log 512 May 22 04:51 brightmail
drwxrwx--- 2 root log 512 May 22 04:51 status
drwxrwx--- 2 root log 512 May 22 04:51 bounces
drwxrwx--- 2 root log 1024 May 22 04:51 error_logs
drwxrwx--- 2 root log 512 May 22 04:51 ftpd_logs
drwxrwx--- 2 root log 1024 May 22 04:51 avarchive

These are all directories with log files below

126

CLI tail Shows You Logs in Real Time

smtp.scu.com> tail

Currently configured logs:
1. "antivirus" Module: thirdparty Format: AntiVirus
2. "avarchive" Module: mail Format: AntiVirus Archive
3. "bounces" Module: bounces Format: Bounces
4. "brightmail" Module: thirdparty Format: Brightmail
5. "cli_logs" Module: system Format: CLI Audit Logs
6. "error_logs" Module: mail Format: IronPort Text
7. "ftpd_logs" Module: ftpd Format: IronPort Text
8. "gui_logs" Module: gui Format: IronPort Text
9. "mail_logs" Module: mail Format: IronPort Text
10. "rptd_logs" Module: rptd Format: IronPort Text
11. "sntpd_logs" Module: sntpd Format: IronPort Text
12. "status" Module: mail Format: Status Logs
13. "system_logs" Module: system Format: IronPort Text
Enter the number of the log you wish to tail.
[]> 9

Press Ctrl-C to stop.
Fri Mar 26 09:53:11 2004 Info: MID 659 ICID 561 RID 1 To: <[email protected]>
Fri Mar 26 09:53:11 2004 Info: MID 659 ICID 561 RID 2 To: <[email protected]>
Fri Mar 26 09:53:14 2004 Info: MID 659 ready 872 bytes from <[email protected]>
Fri Mar 26 09:53:19 2004 Info: New SMTP ICID 562 interface PublicNet address 211.133.243.25
Fri Mar 26 09:53:19 2004 Info: Start MID 660 ICID 562
^C

Tail runs continuously until ^C, so start it before you send a test message


127

Verify Connectivity With CLI Tools

smtp.scu.com> ping 192.245.12.8

Press Ctrl-C to stop.
PING 192.245.12.8 (192.245.12.8): 56 data bytes
64 bytes from 192.245.12.8: icmp_seq=0 ttl=253 time=2.174 ms
64 bytes from 192.245.12.8: icmp_seq=1 ttl=253 time=1.187 ms
64 bytes from 192.245.12.8: icmp_seq=2 ttl=253 time=1.295 ms
64 bytes from 192.245.12.8: icmp_seq=3 ttl=253 time=1.260 ms
^C
--- 192.245.12.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.187/1.479/2.174/0.403 ms

smtp.scu.com> ping

Which interface do you want to send the pings from?
1. Auto
2. Management (192.168.42.42/24: IronPort)
3. PrivateNet (192.168.0.42/24: inside.scu.com)
4. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 4

Please enter the host you wish to ping.
[]> 192.245.12.8

Press Ctrl-C to stop.
PING 192.245.12.8 (192.245.12.8) from 192.35.195.42: 56 data bytes
64 bytes from 192.245.12.8: icmp_seq=0 ttl=253 time=1.864 ms
64 bytes from 192.245.12.8: icmp_seq=1 ttl=253 time=1.226 ms
^C
--- 192.245.12.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.226/1.545/1.864/0.319 ms

ping and traceroute can take a command line argument, or will let you select the source interface

128

Learn to Talk To Your SMTP Receivers

smtp.scu.com> telnet

Please select which interface you want to telnet from.
1. Auto
2. Management (192.168.42.42/24: IronPort)
3. PrivateNet (192.168.0.42/24: inside.scu.com)
4. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 4

Enter the remote hostname or IP.
[]> 192.245.12.8

Enter the remote port.
[25]> <cr>

Trying 192.245.12.8...
Connected to viola.opus1.com.
Escape character is '^]'.
220 Viola.Opus1.COM -- Server ESMTP (PMDF V6.2-X17#9830)
quit
221 2.3.0 Bye received. Goodbye.
Connection closed by foreign host.

smtp.scu.com> mailconfig

Please enter the email address to which you want to send the configuration
file.
Separate multiple addresses with commas.
[]> [email protected]

The configuration file has been sent to [email protected].

Use telnet to test connectivity to port 25.
Don’t forget to test from the other side coming in!

mailconfig is a quick way to test that the IronPort can send mail


129

Debugging DNS Problems

smtp.scu.com> nslookup

Please enter the host or IP to resolve.
[]> torba.com

Choose the query type:
1. A
2. CNAME
3. MX
4. NS
5. PTR
6. SOA
7. TXT
[1]> 3

MX=torba.com PREF=10 TTL=36m33s

Greetings from IronPort customer care. You've emailed [email protected] to perform basic DNS checks on your system. Here are your results:

FAILED - DNS PTR record (the IP resolves to hostname)
FAILED - DNS A record (PTR hostname resolves to the IP)
FAILED - HELO match (PTR hostname matches HELO)
PASSED - mail server exists to accept delayed bounce messages

The need for these configurations and details of your results are included below.

Regards,

IronPort Customer [email protected]

Detailed test results:

• dnsflush will flush the DNS cache on the IronPort
• dnsstatus gives statistics on requests and cache usage
• Check DNS entries with nslookup on the IronPort
• Use nslookup or dig on other systems to see other points of view
• Send email to [email protected] for a report on your IronPort’s DNS presence on the net

Unlike other nslookups, the IronPort nslookup will recurse until it gets a final answer

130

Troubleshooting Clip-n-Save

• tail
• logconfig
• ping
• traceroute
• telnet
• nslookup
• mailconfig
• rate
• topin
• hostrate
• deleterecipients
• bouncerecipients
• delivernow
• suspendlistener
• resumelistener
• suspenddel
• resumedel
• suspend
• resume
• workqueue
• showchanges
• clear

Places to Start in the GUI
Outgoing Mail - Overview
System - Overview


131

Monitoring, Logging, and Troubleshooting Key Points

• The GUI offers many different views of system performance and status, plus a variety of tools for email monitoring

• Use the GUI Reporting feature to automatically generate and deliver periodic reports on system operation

• Use logconfig, tail, and FTP to configure and view log files

• Use tools like ping, traceroute, nslookup, and telnet to troubleshoot the network, transport, and presentation layers

– IronPort’s dnscheck service can give you an “outside view”

• Use the trace tool to test how the IronPort will process a test message, especially after you change the system configuration

132

References

• IronPort AsyncOS 3.8 User Guide
– Chapter 9: Managing and Monitoring via the CLI
– Chapter 11: Using the GUI
– Chapter 12: Logging
– Chapter 13: Reporting
– Chapter 14: Testing and Troubleshooting


System Administration

Module 6

134

System Administration Means…

• Starting and stopping
• Managing the presence on your network
• Controlling access
• Software version control and licenses
• Alerting
• Configuration management
• Disaster recovery and backup


135

Starting and Stopping the IronPort

[Diagram labels: TCP Connection; SMTP Session; Body Headers; Message Body; InboundMail listener; OutboundMail listener]

suspend
– Stops accepting all inbound connections on all listeners
– Stops delivering all outbound messages
– Waits for any current connections to complete
– Stays suspended across reboots

resume
– Resumes all normal operations

Shutdown/reboot
– When is a mail appliance not a mail appliance? When it’s a UNIX system.
– Avoid power cycles.
– If the box loses power, call support for a health check

• Use suspend to quiesce the system gracefully

• Use shutdown or reboot to take your IronPort down

• Use resume following reboot if you did a suspend, to resume normal operations

136

IronPort Network Configuration Command Summary

• sethostname
– Sets the SMTP hostname. This should match the forward and reverse DNS entries for the public listener

• dnsconfig
– Act as a caching nameserver with direct access to the Internet root nameservers, or configure to forward to your local nameservers

• routeconfig
– Add static routes

• setgateway
– Sets the default route

• etherconfig
– Sets Full / Half Duplex and 10/100 Mb speed on interfaces

• interfaceconfig
– Sets basic IP address configuration on interface

• resetconfig
– Erase all configuration and reset to factory default


137

Add Users With Different Privileges

User Group       Description
Administrators   Accounts in this group have full access to all configuration settings of the system. However, only the “admin” user can issue the upgradecheck and upgradeinstall commands
Operators        User accounts in this group are restricted from:
                 - Creating or editing user accounts
                 - Issuing any of these commands: resetconfig, upgradecheck, upgradeinstall
                 Otherwise, they have the same privileges as “Administrators”
Guests           User accounts in this group may only view status information

Add users with the userconfig command.
The password command changes the password of the logged in user

Permissions apply to both the GUI and the CLI

138

License New Features or Check License Expiration Dates

smtp.scu.com> featurekey

Module      Quantity  Time Remaining
Sophos      1         24 weeks 3 days 35 mins 55 secs
Brightmail  1         24 weeks 3 days 35 mins 18 secs
Receiving   1         23 weeks 2 days 1 hours 24 mins 26 secs
Enter feature key, or press Enter to go to the main prompt.
[]> <cr>

smtp.scu.com> version

Current Version
===============
Model C60
Version: 3.7.2-026
Build Date: 2004-04-02
Serial #: 000D5670320E-89NMS31

Features that require licenses

• IronPort AsyncOS
– Evaluation: 30 day*
– Purchase: Perpetual

• Brightmail Anti-Spam
– Evaluation: 30-day
– Purchase: 1-3 years

• Sophos Anti-Virus
– Evaluation: 30-day
– Purchase: 1-3 years

* Extensions available upon request


139

Performing Upgrades

smtp.scu.com> upgradecheck

All interaction with the upgrade server is done using ssh. By default this
protocol is run over TCP on port 22. If you are behind a firewall you may
want to run this protocol over a non-standard port.

Please choose a port to use:
1. port 22, default SSH
2. port 25, normally SMTP
3. port 53, normally DNS
4. port 80, normally HTTP
5. port 443, normally HTTPS
6. port 4766, IronPort reserved
[1]> <cr>

Checking for upgrades that are available.
Upgrades available:
1. AsyncOS 3.8b1 upgrade, 2004-04-16 Build 061 (36,809,399 bytes)
[1]> <cr>

Downloading AsyncOS 3.8b1 upgrade, 2004-04-16 Build 061

The upgrade has been downloaded. This upgrade will require a reboot of the
system after it finishes. Do you wish to install it now? [Y]> n

smtp.scu.com> upgradeinstall

Decompressing the upgrade.
Installing the upgrade.
IronPort Messaging Gateway Appliance(tm) Upgrade

The upgrade will start in 10 seconds.

This upgrade will require a reboot of the system after it finishes.
You may log in again after this is done.

A large upgrade can take over 10 minutes. Your mileage will vary.

You probably want to say No here, and do a suspend first, then resume later

140

Alerts Show Up To Tell You About Issues and Potential Problems

Message: DNS cache
An application fault occurred: (('dns_cache', 'send_request', '183'), 'exceptions.OSError', "[Errno 49] Can't assign requested address", '[smtp_client|run|576] [smtp_client|_run|616] [smtp_client|_connect|659] [omh|get_prioritized_ip_list|258] [omh|get_prioritized_ip_list|265] [PrioritizedIP|fetch_mx_array|117] [PrioritizedIP|_fetch_mx_data|147] [dns_cache|query|486] [dns_cache|best_nameserver|446] [dns_cache|bootstrap_cache|290] [dns_cache|_bootstrap_cache|306] [dns_cache|query_by_ip|687] [dns_cache|do_query|255] [dns_cache|send_request|183]')

Meaning
The DNS cache initializes at boot time. This failure is not fatal, since the cache initializes again at a defined interval. If you see this error message only once or twice, the DNS cache must have initialized successfully at one of the subsequent intervals. If the appliance consistently failed to initialize the cache, it would be unable to resolve hostnames and IP addresses for all messages.


141

Configure Where System Alerts Go

smtp.scu.com> alertconfig

Please enter the email address(es) to send alerts.
(Ex: "[email protected]")
Separate multiple addresses with commas.
Enter the word "DELETE" to clear the default and disable alerts.
[[email protected]]> <cr>

Debounce timeout (seconds):
[300]> <cr>

Would you like to enable IronPort AutoSupport, which automatically emails
system alerts and weekly status reports directly to IronPort Customer Care?
(Enabling AutoSupport is recommended.) [N]> y

Would you like to receive a copy of the weekly AutoSupport reports? [Y]> y

Debounce timeout: Period to wait before sending an identical alert

Get the Alert Messages Definitions document from the Support site for a detailed explanation of alerts

AutoSupport is a Good Thing and is highly recommended!

142

Why Call IronPort? They Can Call You!

Your IronPort Can Notify Support

smtp.scu.com> alertconfig

Would you like to enable IronPort AutoSupport, which automatically emails system alerts and weekly status reports directly to IronPort Customer Care?
(Enabling AutoSupport is recommended.) [N]> y

You Can Generate a Request Yourself

smtp.scu.com> supportrequest

Do you want to send the configuration information via email [email protected]? [Y]> <cr>

Do you want to send the configuration information via email to additional
recipient(s)? [N]> y

Please enter the email address(es) to which you want to send the configuration information. Include anyone in your organization that should be included on future correspondence for this issue. Separate multiple addresses with commas.
[]> [email protected]

Please enter some comments describing your issue, providing as much detail as possible to aid in diagnosing any issues:
[]> I am having difficulty getting ftp push to work to my Mac OSX machine


143

The IronPort Configuration is in One Big File

[Diagram labels: XML config data; XML DTD data; CLI updates; GUI updates; FTP]

Document Type Definitions are essential to interpreting XML data

XML config + AsyncOS version + model no. = complete system description

144

The Configuration File is in XML Format

<config>
<!--
***************************************************
 Network Configuration
***************************************************
-->

  <hostname>smtp.scu.com</hostname>

  <interfaces>
    <interface>
      <interface_name>PublicAlpha</interface_name>
      <ip>192.35.195.101</ip>
    </interface>
  </interfaces>

  <dns>
    <local_dns>
      <ip>192.245.12.50</ip>
    </local_dns>
    <rbl_dns>
      <rbl_negative_ttl>1800</rbl_negative_ttl>
      <rbl_timeout>3</rbl_timeout>
    </rbl_dns>
  </dns>

Some parts of the configuration are specific to one IronPort gateway

Other parts of the configuration might apply to all IronPorts in your network

You can manage your configuration by importing XML sections.

You could manage the common configurations with one common file.


Tools To Manage Your Configuration File

[Diagram: XML config data, XML DTD data, FTP]

Document Type Definitions are essential to interpreting XML data

showconfig - see the XML file

saveconfig - save the XML file to a file in the ftp directory

loadconfig - import XML into the configuration

mailconfig - mail the XML file

CLI or GUI updates

You must also copy the config.dtd with FTP

/configuration/config.dtd


You Can Review Commit Comments in the System Log

Sat Apr 10 16:01:01 2004 Info: Begin Logfile
Sat Apr 10 16:01:01 2004 Info: System is coming up
Sat Apr 10 16:30:38 2004 Info: PID 233: User system commit changes: Automated Alert MX Cache Update
Sat Apr 10 17:14:25 2004 Info: PID 390: User admin commit changes: Create nomercy bounce profile and apply it to InboundMail listener
Sat Apr 10 17:31:54 2004 Info: PID 390: User admin commit changes: rename bounceconfig nomercy to NoMercy
Sat Apr 10 17:40:11 2004 Info: PID 390: User admin commit changes: add exhangeinto setgoodtable
Sun Apr 11 10:29:40 2004 Info: PID 623: User admin commit changes: add dropbadmail filter
Sun Apr 11 12:07:43 2004 Info: PID 623: User admin commit changes: add bodysize filter to bounce over 20 MB files
Sun Apr 11 12:13:35 2004 Info: PID 623: User admin commit changes: enable delivery log
Sun Apr 11 12:28:39 2004 Info: PID 623: User admin commit changes: add filter DropOver6MB
Sun Apr 11 12:56:35 2004 Info: PID 623: User admin commit changes: replace BounceOver6MB filter with NotifyAndDropOver6MB
Sun Apr 11 13:11:44 2004 Info: PID 623: User admin commit changes: tune dropbadmail filter

/system_logs/[email protected]
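The commit entries in the system log can be turned into a change-audit report. The following is an added example, not IronPort's own tooling: it parses the log format shown above and flags commits from accounts outside an expected list or with no useful comment. The expected accounts, the minimum comment length and the one constructed log line are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the system log excerpt on this page.
PAGE_LOG = """\
Sat Apr 10 16:01:01 2004 Info: Begin Logfile
Sat Apr 10 16:30:38 2004 Info: PID 233: User system commit changes: Automated Alert MX Cache Update
Sat Apr 10 17:31:54 2004 Info: PID 390: User admin commit changes: rename bounceconfig nomercy to NoMercy
Sun Apr 11 10:29:40 2004 Info: PID 623: User admin commit changes: add dropbadmail filter
Sun Apr 11 12:13:35 2004 Info: PID 623: User admin commit changes: enable delivery log
"""
# Constructed entry (not from the page): unknown account, empty comment.
CONSTRUCTED = "Sun Apr 11 23:02:10 2004 Info: PID 702: User operator commit changes:\n"

COMMIT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) Info: "
    r"PID (?P<pid>\d+): User (?P<user>\S+) commit changes:(?P<comment>.*)$")

def parse_commits(log_text):
    """Return one dict per commit entry; other log lines are skipped."""
    commits = []
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line.strip())
        if m:
            commits.append({
                "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "pid": int(m["pid"]), "user": m["user"],
                "comment": m["comment"].strip()})
    return commits

def review(commits, expected_users=("admin", "system"), min_comment_len=10):
    """List (time, reason) pairs for commits that deserve a second look."""
    findings = []
    for c in commits:
        if c["user"] not in expected_users:
            findings.append((c["when"], f"unexpected user {c['user']!r}"))
        if len(c["comment"]) < min_comment_len:
            findings.append((c["when"], "commit comment missing or too short"))
    return findings

def by_session(commits):
    """Group comments by (user, PID); treating one PID as one login
    session is an assumption made for this example."""
    grouped = defaultdict(list)
    for c in commits:
        grouped[(c["user"], c["pid"])].append(c["comment"])
    return dict(grouped)
```

Run against a copy of the log fetched from the appliance, `review()` gives a short list of changes to question, and `by_session()` shows what each session changed in order.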


High Availability Configuration

Pseudo load balancing:

• DNS round robin using equal-priority MX records


Disaster Recovery

• Buy two IronPorts

• Call support if one dies

• Save the configuration on a regular basis

– Write an off-box script (cron job) to log in (SSH) and do a showconfig or saveconfig or mailconfig
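One way to write the off-box backup job described above, as an added example rather than an IronPort-supplied script. It assumes key-based SSH login for the admin account and that the appliance accepts showconfig as a non-interactive SSH command; the backup directory name and file naming are also assumptions.

```python
import hashlib
import os
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

def fetch_config(host, user="admin"):
    """Run showconfig over SSH. Assumes key-based login and that the
    appliance accepts the command non-interactively."""
    done = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", "showconfig"],
        capture_output=True, text=True, timeout=120, check=True)
    return done.stdout

def extract_config(output):
    """Cut the XML document out of the session output and check that it
    parses, so a truncated or interrupted dump is never archived."""
    start = output.find("<?xml") if "<?xml" in output else output.find("<config")
    end = output.rfind("</config>")
    if start < 0 or end < start:
        raise ValueError("no complete <config> element in output")
    xml_text = output[start:end + len("</config>")] + "\n"
    if ET.fromstring(xml_text).tag != "config":
        raise ValueError("unexpected root element")
    return xml_text

def store_snapshot(xml_text, backup_dir, host, now=None):
    """Write a timestamped copy unless it equals the newest snapshot.
    Returns the new path, or None when the configuration is unchanged."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    digest = hashlib.sha256(xml_text.encode()).hexdigest()
    previous = sorted(backup_dir.glob(f"{host}-*.xml"))
    if previous and hashlib.sha256(previous[-1].read_bytes()).hexdigest() == digest:
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    path = backup_dir / f"{host}-{stamp}.xml"
    # The file describes the whole gateway, so keep it owner-readable only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return path

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    print(store_snapshot(extract_config(fetch_config(host)), "ironport-backups", host))
```

Called from cron with the gateway hostname as its argument, it keeps one file per configuration change. Copy /configuration/config.dtd alongside the snapshots, since the DTD is needed to interpret them.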


System Administration Key Points

• Upgrades are easy with upgradecheck and upgradeinstall. You can control upgrade timing and behavior.

• Alerting on exceptional events via email is a preferred technique of the IronPort (and you can control how this behaves).

• Configuration management using showconfig / mailconfig / loadconfig / saveconfig should be part of your disaster recovery plan.


References

• IronPort AsyncOS 3.8 User Guide

– Chapter 10: System Administration


IronPort C-Series Channel Partner Technical Training

Course Wrap-Up


Review … Course Objectives: Critical SE Skills

• How do I install, configure and deliver basic support for the IronPort C-Series Messaging Gateway appliance?

• What guidelines can I give customers for deploying the appliance in a typical enterprise email environment?

• How do I manage and monitor the flow of email through the appliance?

• How do I configure access control policies?

• How do I create content filters?

• How do I configure the appliance to detect and handle unwanted spam and viruses?


Review … A Typical New Customer Installation

• Gather customer’s network information and custom requirements in advance – 30 min

• Rack, install, and setup the appliance – 30 min

• Make custom configuration changes – 15 min

• Test and demo – 30 min

• Put the appliance into production – 15 min


Questions & Answers

• IronPort C-Series Overview

• Installation and Setup

• Access Control

• Policy Enforcement, Anti-Spam, and Anti-Virus

• Monitoring, Logging, and Troubleshooting

• System Administration


Where do I go next?

• IronPort Sales Resources …

• IronPort C-Series Appliance Evaluation Guide …

• IronPort Technical Resources …

• IronPort Customer Care …


IronPort Sales Resources

• C-Series product brochures and data sheets

– http://www.ironport.com/products/ironport_c_series.html

• IronPort company profile

– http://www.ironport.com/about/index.html

• IronPort product overview presentation slides

– Contact your IronPort Channel Partner Rep. for latest version


IronPort C-Series Appliance Evaluation Guide

• Designed to help system administrators evaluate the IronPort C-Series appliance

– Make sure all prospective customers read this guide!

• Provides an overview of the key product features, along with guidelines for setting up and testing those features

• Available on the IronPort Support Web site

– http://support.ironport.com/secure/index.html


IronPort Technical Resources

• Product documentation

– IronPort QuickStart Guide

– IronPort AsyncOS User Guide

– IronPort AsyncOS Release Notes

– http://support.ironport.com/secure/index.html

• White papers

– IronPort AsyncOS White Paper

– Reputation Filters White Paper

– SMTPi White Paper

– http://www.ironport.com/download/


Closing Comments

