Cisco IronPort AsyncOS 7.0 Getting Started Guide
January 21, 2010
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: 421-0149
Cisco IronPort AsyncOS 7.0 Getting Started Guide © 2010 Cisco Systems, Inc. All rights reserved.
Contents

Introduction
  Before You Begin
  About This Guide
  Where to Go for More Information
    IronPort Knowledge Base
    IronPort Documentation
    Customer Support
  Overview of IronPort Email Security
    Spam Protection
    Virus Protection
    Content Compliance
IronPort Email Security Appliance GUI
Email Security Tasks
  Task 1: Drop Positive Spam Messages by Default
    Concepts
    Goal
    Dropping Spam Messages by Default
  Task 2: Exempt Specified Groups of Users from Spam Filtering
    Concepts
    Goal
    Creating a Mail Policy
    Changing the Anti-Spam Settings for a Mail Policy
  Task 3: Quarantine Incoming Spam
    Concepts
    Goal
    Configuring the IronPort Spam Quarantine
    Enabling the IronPort Spam Quarantine HTTP or HTTPS Service
    Configuring the Policy to Send Spam to the IronPort Spam Quarantine
  Task 4: Configure End User Safelists and Blocklists
    Concepts
    Goal
    Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine
    Adding Items to the Safelist for an End User Account
    Adding Items to the Blocklist for an End User Account
  Task 5: Quarantine Incoming Virus Messages
    Concepts
    Goal
    Enabling Virus Settings
  Task 6: Strip Specified Types of Incoming Email Attachments
    Concepts
    Goal
    Creating a Content Filter
    Applying a Filter to an Incoming Mail Policy
    Testing the Filter
  Task 7: Enforce an Outgoing Email Policy
    Concepts
    Goal
    Enabling RSA Email Data Loss Prevention
    Creating a DLP Policy
    Enabling a DLP Policy in an Outgoing Mail Policy
    Testing the Policy
  Task 8: Add a Domain to Accept Mail
    Concepts
    Goal
    Accepting Mail for a Domain
    Creating an SMTP Route for a Domain
  Task 9: Add a Disclaimer to Outgoing Mail
    Concepts
    Goal
    Creating a Footer Text Resource
    Associating a Footer with a Private Listener
  Task 10: Configure a Scheduled Report
    Concepts
    Goal
    Configuring a Scheduled Report
Advanced Tasks
  Task 11: Access the Command Line Interface
    Concepts
    Goal
    Enabling the CLI
  Task 12: Use the CLI
    Concepts
    Goal
    Testing Connectivity
    Monitoring the IronPort Appliance and Email Traffic
    Configuring the Appliance
  Task 13: Retrieve and Use Mail Logs
    Concepts
    Goal
    Viewing Logs
    Searching for Content in Logs
    Retrieving and Configuring Logs
  Task 14: Configure Email Alerts
    Concepts
    Goal
    Configuring Email Alerts
  Task 15: Upgrade the IronPort Appliance
Chapter 1: Introduction

This chapter contains the following sections:
• Before You Begin
• About This Guide
• Where to Go for More Information
• Overview of IronPort Email Security

Before You Begin

Before you begin, read the Quickstart Guide for the IronPort Email Security appliance you are installing and any release notes that were shipped with your appliance. This guide assumes that you have unpacked the appliance, physically installed it in a rack cabinet, and turned it on. You should also run the System Setup Wizard and accept the default configuration settings that are appropriate to the placement of the IronPort appliance in your network.

About This Guide

The Cisco IronPort AsyncOS Getting Started Guide provides an overview of the IronPort Email Security appliance and introduces its features. This guide contains the following chapters:
• Chapter 1, “Introduction” - This chapter provides an introduction to this guide and an overview of IronPort email security.
• Chapter 2, “IronPort Email Security Appliance GUI” - This chapter provides a general introduction to the IronPort appliance and the Email Security Manager.
• Chapter 3, “Email Security Tasks” - This chapter provides tasks that will help you become acquainted with your IronPort appliance.
• Chapter 4, “Advanced Tasks” - This chapter provides advanced tasks that can help you understand some of the advanced features of the IronPort appliance.

Where to Go for More Information

You can refer to the resources described in this section if you have questions about the IronPort Email Security appliance.

IronPort Knowledge Base

You can access the IronPort Knowledge Base on the Customer Support Portal at the following URL:
http://www.ironport.com/support/login.html

Note: You need a Support Portal account to access the site. If you do not already have an account, click the Request an Account link on the Support Portal login page. Generally, only IronPort customers, partners, and employees can access the Support Portal.

The Knowledge Base contains a wealth of information on topics related to IronPort products. Articles generally fall into one of the following categories:
• How-To. These articles explain how to do something with an IronPort product. For example, a how-to article might explain the procedures for backing up and restoring a database for an appliance.
• Problem-and-Solution. A problem-and-solution article addresses a particular error or issue that you might encounter when using an IronPort product. For example, a problem-and-solution article might explain what to do if a specific error message is displayed when you upgrade to a new version of the product.
• Reference. Reference articles typically provide lists of information, such as the error codes associated with a particular piece of hardware.
• Troubleshooting. Troubleshooting articles explain how to analyze and resolve common issues related to IronPort products. For example, a troubleshooting article might provide steps to follow if you are having problems with DNS.

Each article in the Knowledge Base has a unique answer ID number.

IronPort Documentation

The documentation for the Cisco IronPort Email Security appliance includes the following books:
• Cisco IronPort AsyncOS for Email Daily Management Guide. This guide provides instructions for performing common, everyday tasks that system administrators use to manage and monitor the IronPort appliance, such as viewing email traffic using the Email Security Monitor, tracking email messages, managing system quarantines, and troubleshooting the appliance. It also provides reference information for features that system administrators interact with on a regular basis, including Email Security Monitor pages, AsyncOS logs, CLI support commands, and quarantines.
• Cisco IronPort AsyncOS for Email Configuration Guide. This guide is recommended for system administrators who are setting up a new IronPort appliance and want to learn about its email delivery features. It provides instructions on installing the appliance into an existing network infrastructure and setting it up as an email gateway appliance. It also includes reference information and configuration instructions for email delivery features such as the Email Pipeline, Virus Outbreak Filters, content filters, email encryption, anti-virus scanning, and anti-spam scanning.
• Cisco IronPort AsyncOS for Email Advanced Configuration Guide. This guide provides instructions for configuring the advanced features of the IronPort appliance. Topics include configuring the appliance to work with LDAP, creating message filters to enforce email policies, organizing multiple appliances into clusters, and customizing the listeners on the appliance. In addition to configuration, this guide provides reference material for advanced features such as message filter rules and actions, regular expressions used in content dictionaries and message filter rules, and LDAP query syntax and attributes.
• IronPort AsyncOS CLI Reference Guide. This guide provides a detailed list of the commands in the AsyncOS command line interface (CLI), as well as examples of the commands in use. System administrators can use this guide for reference when using the CLI on the IronPort appliance.

Customer Support

You can request customer support by phone, email, or online 24 hours a day, 7 days a week. During Customer Support office hours (24 hours per day, Monday through Friday, excluding U.S. holidays), one of the engineers will contact you within an hour of your request.

To report a critical issue that requires urgent assistance, notify IronPort using the following contact information:
U.S. toll-free: +1 (877) 641-4766
International: http://www.ironport.com/support/contact_support.html
Support Portal: http://www.ironport.com/support

If you purchased support through a reseller or another supplier, please contact that supplier directly with your product support issues.

Support Request Page

You can also use the Support Request page in the GUI to request customer support. To access the Support Request page, select Help > Support Request. Complete the information on the page, and then click the Submit button. A Customer Support representative will contact you as soon as possible.
Overview of IronPort Email Security

The IronPort email security appliance combines several content scanning engines with IronPort preventive security solutions, such as SenderBase Reputation Filtering and Virus Outbreak Filters. IronPort Email Security appliances use the proprietary IronPort AsyncOS operating system. AsyncOS provides a high-performance, flexible platform that supports the advanced security systems of IronPort.

[Figure: IronPort Consolidates Security Solutions for the Email Perimeter. Panels: Before IronPort; After IronPort.]

The IronPort appliance provides unparalleled protection for corporate groupware servers, as well as reliable inbound and outbound email delivery. It has earned its outstanding reputation through deployments at the world’s largest Internet Service Providers and thousands of global customers. Unlike traditional messaging systems, the IronPort mail transfer agent (MTA) can handle thousands of simultaneous connections. The ability to support high volumes of simultaneous connections is critical to both large and small email sites because of the large number of spammers and spyware systems attempting to deliver spam and virus- or malware-infected email messages.

The IronPort appliance incorporates the AsyncOS operating system with support tools, security scanning engines, a GUI, a command line interface (CLI), and other interfaces.

Spam Protection

For anti-spam protection, the IronPort email security appliance combines SenderBase Reputation Filtering with traditional content filters, such as Symantec Brightmail and IronPort Anti-Spam. SenderBase is a global email-monitoring network that tracks hundreds of parameters from thousands of contributing networks to establish a historically accurate reputation score for IP addresses that send email on the Internet. Because it draws on traffic data from over 25% of all worldwide email traffic, SenderBase can help stop more than 80% of unwanted threat messages before accepting them for content scanning. This reputation filtering system allows the IronPort email security appliance to dramatically increase the throughput of the traditional signature-based content scanning engines, because it can filter email messages before the signature-based scans take place.

Virus Protection

For anti-virus protection, IronPort offers anti-virus scanning engines from McAfee and Sophos, as well as its exclusive Virus Outbreak Filters. You can configure your IronPort appliance to use one or both of the licensed anti-virus scanning engines. Because each engine relies on a separate base of technology, scanning messages with both the McAfee and Sophos scanning engines combines the benefits of both anti-virus scanning engines.

Because viruses and spyware use email as their primary distribution vector, SenderBase can detect patterns of email messages that signal an infection outbreak before traditional content-scanning virus filter signatures can be updated and deployed. The IronPort Global Threat Operations Center watches for emerging threats in email traffic and publishes outbreak rules to the IronPort appliance, which quarantines possible threat messages. This protects networks from virus threats before virus signature updates are available. As the outbreak matures and the threat rules adapt, non-matching messages are released from quarantine, and possible threat messages are held back until a final signature is available for the virus-scanning engine. Over the course of a virus outbreak, you are protected from new infections coming into the network, and you do not need to worry about possible false positive messages being dropped.

[Figure: How Virus Outbreak Filters Work - Dynamic Quarantine in Action. Messages scanned and deleted over time: T = 0: zip (exe) files. T = 5 mins: zip (exe) files, size 50 to 55 KB. T = 10 mins: zip (exe) files, size 50 to 55 KB, “Price” in the name file. T = 8 hours: release messages if signature update is in place.]

Content Compliance

IronPort security solutions are powered by an advanced content filtering engine, which comes with built-in configurations for compliance with Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act. You can also use the content filtering engine to implement specific business-policy controls for a variety of systems. Email archiving, keyword scanning, attachment control, and encryption integration are all available for use in custom filtering rules. You can use the Email Security Manager in the GUI to set specific policies for groups of users so you can enforce appropriate levels of security for different business units.

You access this functionality with management and monitoring tools. AsyncOS provides both an intuitive web-based GUI and a command line interface (CLI), as well as flexible application programming interfaces (APIs) for retrieving reporting and monitoring data. Many standard reports are built into the system. You can use these features to integrate the appliance with your information systems infrastructure.

In addition, AsyncOS offers a unique centralized management feature that uses a peer-to-peer architecture to avoid the need for extra hardware in the data center and to eliminate any single point of failure.

The integrated architecture of AsyncOS provides all the necessary email protection capabilities to secure internal networks and groupware servers. With a multi-layer approach to spam and virus protection, IronPort is a cost-effective solution to your email security needs. By combining pioneering preventive features, such as SenderBase and Virus Outbreak Filters, with best-in-class content scanning engines, IronPort provides the most comprehensive email security solution on the market. This guide demonstrates the features of the IronPort email security appliance so you can immediately take control of your email perimeter and solve email security problems.
Chapter 2: IronPort Email Security Appliance GUI

The graphical user interface (GUI) of the IronPort Email Security appliance provides access to features and services to help you effectively monitor and administer your organization’s email network traffic.

[Figure 2-1: IronPort GUI, with callouts 1 through 5.]

The following table describes the GUI components shown in Figure 2-1.

Component: Description
1 - Menu bar: Click the menus to access the various areas of the GUI.
2 - Drop-down menu: The menus display task-based links. Click the links to access pages for the tasks you want to perform.
3 - Options menu: The Options menu enables you to change your password or log out of the IronPort appliance.
4 - Help menu: The Help menu provides access to online help information about the current GUI page and access to the Support Portal. In addition, you can use this menu to send a support request and provide Customer Support with remote access to your IronPort appliance.
5 - Commit Changes button: The Commit Changes button notifies you if changes are pending on your appliance. When you make changes to the appliance configuration, you must commit the changes for them to take effect on the appliance.

To commit the changes:
1. Click the Commit Changes button.
2. Optionally, enter a comment in the Comment box. Adding comments can be useful for any future troubleshooting.
3. Click Commit Changes. You return to the originating page, and the Commit box indicates that no changes are pending.
Chapter 3: Email Security Tasks

This chapter contains the following sections:
• Task 1: Drop Positive Spam Messages by Default
• Task 2: Exempt Specified Groups of Users from Spam Filtering
• Task 3: Quarantine Incoming Spam
• Task 4: Configure End User Safelists and Blocklists
• Task 5: Quarantine Incoming Virus Messages
• Task 6: Strip Specified Types of Incoming Email Attachments
• Task 7: Enforce an Outgoing Email Policy
• Task 8: Add a Domain to Accept Mail
• Task 9: Add a Disclaimer to Outgoing Mail
• Task 10: Configure a Scheduled Report

Task 1: Drop Positive Spam Messages by Default

The IronPort Anti-Spam engine processes email for incoming and outgoing mail based on settings that you configure. IronPort Anti-Spam scans messages through its filtering modules for classification. It classifies messages as positive spam, suspected spam, or not spam. You determine the action to take on the message based on the IronPort Anti-Spam classification. You might choose to drop, deliver, or quarantine messages based on their classification. For example, you might decide to drop positive spam messages and quarantine suspected spam messages.

Concepts

You can use the IronPort Email Security Manager to define mail filtering and security policies for users based on their email addresses or an LDAP query. You configure settings for incoming email in an incoming mail policy. The incoming mail policy instructs the IronPort appliance to perform an action on a message based on the classification of the message and mail recipient. The default mail policy applies to all incoming messages.

Goal

By default, the IronPort appliance is not configured to scan email messages for suspected spam. In this task, you activate suspected spam scanning and configure the default policy to drop the suspected spam. Later, you will enable the end-user spam quarantine, which allows users to view and open email messages and release messages from the quarantine.

Note: If you set up your IronPort appliance using the System Setup Wizard, the IronPort appliance drops positive spam messages by default.

Dropping Spam Messages by Default

To drop spam messages by default:
Step 1 Select Mail Policies > Incoming Mail Policies. The Incoming Mail Policies page is displayed.
Step 2 In the Anti-Spam settings for the default policy, click the link to open the mail policy. The Mail Policies: Anti-Spam page is displayed.
Step 3 In the Anti-Spam Settings section, select “Use selected Anti-Spam service(s),” and select IronPort Anti-Spam.
Step 4 In the Positively Identified Spam Settings section, use the following settings:
– Apply this Action to the Message: Drop.
– Advanced > Archive Message: Select Yes to archive or No to skip archiving.
Step 5 In the Suspected Spam Settings section, use the following settings:
– Enable Suspect Spam Scanning: Yes.
– Apply This Action to Message: Deliver.
– Add Text to Subject: Select Prepend or Append if you want to add text, and enter the text in the text field. For example, enter [SUSPECTED SPAM].
Step 6
Step 7 Click Submit. The new settings are displayed for the default policy. The changes you make are not activated until you commit them. The IronPort appliance notifies you that you have pending changes.
Step 8 Click the Commit Changes button in the top right corner of the page. The Uncommitted Changes page is displayed.
Step 9 Add a comment to describe the change.
Step 10 Click Commit Changes.
See Also

For more information about the Email Security Manager, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about anti-spam settings, see “Anti-Spam” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 2: Exempt Specified Groups of Users from Spam Filtering

The default incoming mail policy you modified in Task 1 applies to all mail that enters the network. However, you may want to create a new policy that applies security scanning or content filters differently for some users. For example, you might want to ensure that executive users receive all messages.

Concepts

With the IronPort appliance, you can use mail policies to apply different mail delivery settings to different users. You use incoming mail policies to manage flows of incoming emails to different addresses. This allows you to exempt some users from spam filtering.

Goal

In this task, you create a new mail policy. Then, you modify the policy’s anti-spam settings to deliver spam-positive messages and suspected spam with a tag in the messages’ subject line.

Creating a Mail Policy

To create a mail policy:
Step 1 Select Mail Policies > Incoming Mail Policies. The Incoming Mail Policies page is displayed.
Step 2 Click the Add Policy button. The Add Incoming Mail Policy page is displayed.
Step 3 To define the policy, enter the following information:
– Policy Name: Enter a name. For example, enter Execs.
– Insert Before Policy: 1 (Default Policy).
– Add Users: This policy applies to the recipient of the message, so leave Recipient selected.
– Email Address(es): Add the email address that this policy applies to. For example, enter bob@example.com. Then click the Add button. You can repeat this process for any number of email addresses or LDAP queries.
Step 4 Click Submit. The Incoming Mail Policies page is displayed with the new mail policy.

Changing the Anti-Spam Settings for a Mail Policy

After you create a mail policy, you need to modify its anti-spam settings so that spam-positive messages and spam-suspect messages are tagged and sent to the address that you specified in the mail policy.

To change the anti-spam settings:
Step 1 On the Incoming Mail Policies page for the new policy (for example, the Execs policy), click the “(use default)” link in the Anti-Spam column. The Mail Policies: Anti-Spam page is displayed.
Step 2 In the Enable Anti-Spam Scanning for this Policy field, select “Use selected Anti-Spam service(s),” and select IronPort Anti-Spam.
Step 3 Scroll down to the Positively-Identified Spam Settings section.
Step 4 In the Positively-Identified Spam Settings section, enter the following information to ensure that messages identified as spam are delivered with an identifying tag:
– Apply This Action to Message: Deliver.
– Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SPAM].
Step 5 Scroll down to the Suspected Spam Settings section.
Step 6 In the Suspected Spam Settings section, enter the following information to ensure that messages identified as suspected spam are delivered with an identifying tag:
– Enable Suspect Spam Scanning: Yes.
– Apply This Action to Message: Deliver.
– Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SUSPECTED SPAM].
Step 7 Click Submit. The Incoming Mail Policies page is displayed.
Step 8 Review the Anti-Spam column.

The new mail policy delivers messages that are tagged as spam-positive and spam-suspect to the specified accounts, and it drops spam-positive messages addressed to other accounts.

See Also

For more information about configuring anti-spam settings, see “Anti-Spam” in the Cisco IronPort AsyncOS for Email Configuration Guide.
You can use a local IronPort Spam Quarantine. Concepts To use the IronPort Spam Quarantine. The interface where the Spam Quarantine is enabled. see “Task 3: Quarantine Incoming Spam” on page 19. Anti-spam options for a mail policy. That way. you work with several areas of the IronPort appliance: • IronPort Spam quarantine. You enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.Chapter For information about quarantining incoming spam messages. or you can send messages to an external IronPort Spam Quarantine. You can use a local quarantine or send spam to an external quarantine (M-Series appliance). stored on an M-Series IronPort appliance. The Spam Quarantine is a special quarantine designed for mail end-user access. You enable the spam quarantine for a particular mail policy. To use the IronPort Spam Quarantine. complete the following steps: Step 1 Configure the local IronPort Spam Quarantine.0 Getting Started Guide 421-0149 19 . stored on the IronPort appliance. you enable the IronPort Spam Quarantine and configure the default policy to send incoming spam to the quarantine. • • Goal In this task. you can quarantine mail for specified groups of users. Both AsyncOS administrators and end users can access the IronPort Spam Quarantine. Cisco IronPort AsyncOS 7. End users can then access the quarantine to determine if the messages are incorrectly identified as spam. Task 3: Quarantine Incoming Spam The IronPort Email Security appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine.
The Quarantines page is displayed. Cisco IronPort AsyncOS 7. Configure the anti-spam scanning options for the policy to send spam or suspect spam to the IronPort Spam Quarantine. Configuring the IronPort Spam Quarantine To configure the IronPort Spam Quarantine: Step 1 Select Monitor > Quarantines.0 Getting Started Guide 20 421-0149 .Chapter Step 2 Step 3 Enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service. The Edit IronPort Spam Quarantine page is displayed. Step 2 Click Edit.
Step 7 Step 8 Enter an address to use in the From Address header if you want to send notifications. Enter a subject (such as “IronPort Spam Quarantine Notification”). you allow users to access quarantined mail by clicking links in the notification messages that they receive. The End-User Quarantine Access page is displayed. Cisco IronPort AsyncOS 7. The Enable Spam Notification page is displayed. Step 5 Select None in the End-User Authentication field. Click Enable End-User Quarantine Access.Chapter Step 3 Step 4 Use the default settings in the Spam Quarantine Settings panel and scroll down to End-User Quarantine Access. By selecting None.0 Getting Started Guide 421-0149 21 . Step 6 Click Enable Spam Notification.
Step 9 Enter a title for the notification (such as “IronPort Spam Quarantine Notification”).
Step 10 Optionally, enter a spam notification message.
Step 11 Select a format.
Step 12 Enter an address to deliver bounce messages to.
Step 13 Leave the Consolidate Notifications field empty. This field consolidates email notifications for users when the IronPort Spam Quarantine is configured for LDAP authentication.
Step 14 In the Notification Schedule field, choose a notification schedule.
Step 15 Click Submit.
Step 16 Commit your changes.
Enabling the IronPort Spam Quarantine HTTP or HTTPS Service
After you enable the IronPort Spam Quarantine, you must edit the IP interface to enable the HTTP or HTTPS service for the IronPort Spam Quarantine. To enable the HTTP or HTTPS service:
Step 1 On the Network > IP Interfaces page, click the interface name (this example uses the Management interface).
The Edit IP Interface page is displayed.
Step 2 In Services > IronPort Spam Quarantine, select HTTP, HTTPS, or both, enter the port numbers, and optionally enable redirection of HTTP requests to HTTPS.
Step 3 Enter the default URL that appears in email notifications. This example uses the hostname.
Step 4 Click Submit.
Step 5 Commit your changes.
Configuring the Policy to Send Spam to the IronPort Spam Quarantine
To send spam to the IronPort Spam quarantine:
Step 1 Select Mail Policies > Incoming Mail Policies.
Step 2 Click the anti-spam settings for the default mail policy. The Anti-Spam Settings page is displayed.
Step 3 In Positively Identified Spam Settings > Apply this Action to Message, select IronPort Spam Quarantine. The Positively Identified Spam Settings field expands. It displays delivery settings for the IronPort Spam Quarantine.
Step 4 Use the default settings in the Positively Identified Spam field.
Step 5 Leave the Suspected Spam Settings as you configured them.
Step 6 Use default settings for Spam Thresholds.
Step 7 Click Submit.
Step 8 Commit your changes.
See Also
For more information about working with the IronPort Spam quarantine, see “Quarantines” in the Cisco IronPort AsyncOS for Email Daily Management Guide. For more information about configuring IP interfaces, see “Accessing the Appliance” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about working with incoming mail policies, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide.
Task 4: Configure End User Safelists and Blocklists
The IronPort appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine; however, an end user may want to ensure that mail from a particular sender is never treated as spam. Conversely, an end user may want to guarantee that certain mail is always sent to the IronPort Spam Quarantine. For example, a user may be unable to unsubscribe from an automated mailing list, and may want to block the list server’s email address. You can enable end users to create safelists and blocklists to better control which emails are treated as spam.
Concepts
This task introduces concepts related to end user safelists and blocklists. Safelists allow a user to ensure that certain users or domains are not treated as spam. Blocklists ensure that certain users or domains are always treated as spam. The end user safelist and blocklist settings are configured from the IronPort Spam Quarantine, so you must have enabled and configured the IronPort Spam Quarantine to use this feature.
Note When you enable the safelist/blocklist feature, each end user maintains a safelist and blocklist for his or her email account.
Goal
In this task, you enable safelists and blocklists in the IronPort Spam Quarantine, and you configure a safelist and a blocklist for an end user account.
Note Steps 2 and 3 require that you log into an end user account to create a safelist. Ensure that you have created an end user account that you can access to complete this task.
Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine
You enable safelists and blocklists from the Quarantines page. To enable safelists and blocklists on a C-Series appliance:
Step 1 Select Monitor > Quarantines.
Step 2 In the End-User Safelist/Blocklist section, click Edit Settings. The Edit Safelist/Blocklist Settings page is displayed.
Step 3 Select Enable End User Safelist/Blocklist Feature.
Step 4 Select Quarantine or Delete for the blocklist action.
Step 5 Specify the maximum list items per user. This value represents the maximum number of addresses or domains a user can list in each safelist and blocklist. For example, a value of 100 would mean that the end user could add 100 terms in the safelist and 100 terms in the blocklist.
Step 6 Click Submit.
Adding Items to the Safelist for an End User Account
End users can use safelists to ensure that mail from specified senders is never treated as spam. To add items to a safelist:
Step 1 Log in to the IronPort Spam Quarantine.
Step 2 Select the Options drop-down menu.
Step 3 Select Safelist.
Step 4 In the Safelist dialog box, enter an email address, or domain. Entries can be added to safelists and blocklists using the following formats:
– email@example.com
– subdomain.com
– server.com
– domain.com
Step 5 Click Add to List.
Adding Items to the Blocklist for an End User Account
End users can use blocklists to ensure that they never receive mail from specified senders. To add items to a blocklist:
Step 1 In the IronPort Spam Quarantine, select the Options drop-down menu.
Step 2 Select Blocklist.
Step 3 Enter the domain or email address you want to blocklist.
Step 4 Click Add to List.
When the IronPort appliance receives mail from the specified email address or domain that matches an entry in the blocklist, it treats the mail as spam. Because you configured AsyncOS to quarantine blocklisted items, any items identified as blocklisted are quarantined.
Task 5: Quarantine Incoming Virus Messages
You can configure the IronPort appliance to quarantine incoming virus messages. The Virus quarantine stores messages marked by the anti-virus scanning engine as not scannable, virus-positive, or encrypted. Like the anti-spam settings, you configure the IronPort appliance to take different actions based on the results of the virus scan and the group of mail recipients. For example, you might want to quarantine all virus-positive messages to the Technical Support group, but drop all virus-positive messages sent to the Marketing group.
This task presents concepts related to IronPort virus scanning and the Virus quarantine. Unlike the IronPort Spam quarantine, the Virus quarantine can be accessed only by administrators. The Virus quarantine is enabled by default, but you must configure anti-virus scanning and quarantine settings in a mail policy to use the Virus quarantine. You also enable notifications in the mail policy to allow administrators or end users to see that messages were quarantined.
In this task, you activate IronPort virus scanning, and you configure the default mail policy to deliver suspected virus email messages and drop confirmed virus email messages. You also configure the default mail policy to quarantine virus messages and suspected virus messages.
Enabling Virus Settings
To enable the Virus quarantine:
Step 1 Select Mail Policies > Incoming Mail Policies.
Step 2 Click the anti-virus settings for the default mail policy. The Anti-Virus Settings page is displayed.
Step 3 Under Anti-Virus Settings, select Yes for Enable Anti-Virus Scanning for this Policy. The anti-virus engines that you have licenses for are displayed.
Step 4 Select an anti-virus engine.
Step 5 Under Message Scanning, enter the following information:
– Select “Scan and Repair viruses” from the menu.
– Select “Include an X-header with the Anti-Virus scanning results in messages.”
Step 6 Use the default settings for the Repaired Messages section.
Step 7 Use the default settings for the Encrypted Messages section.
Step 8 Scroll down to the Unscannable Messages section.
Step 9 Enter the following information in the Unscannable Messages section:
– Action Applied to Message: Quarantine.
– Archive Original Message: Yes.
– Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: A/V UNSCANNABLE].
– Other Notification: Recipient.
Step 10 Scroll down to the Virus Infected Messages section.
Step 11 Enter the following information in the Virus Infected Messages section:
– Action Applied to Message: Quarantine.
– Archive Original Message: Yes.
– Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: VIRUS DETECTED].
– Other Notification: Recipient.
Step 12 Click Submit.
The Default Mail Policy displays the anti-virus settings.
Step 13 Commit your changes.
See Also
For more information about configuring anti-virus settings, see “Anti-Virus” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about quarantines, see “Quarantines” in the Cisco IronPort AsyncOS for Email Daily Management Guide.
Task 6: Strip Specified Types of Incoming Email Attachments
In addition to spam and virus filters, the IronPort appliance allows you to apply custom scanning and email policies to messages by using content filters. You can use content filters to analyze incoming email messages and take action based on a variety of factors. The content filter applies custom filtering to messages after the anti-spam and anti-virus engines perform scans.
Concepts
This task introduces concepts related to the content filter. Content filters can be enforced on different groups of users. Like anti-spam and anti-virus policies, you create the content filter and then apply it to a group of users via a mail policy.
Goal
In this task, you create a new content filter to strip a specified type of media attachment from incoming messages, and then you add this filter to the default policy in the Email Security Manager.
Note Content Filters are custom email rules that scan a message for specific content or recipients and then take actions based on the results of the scan.
Creating a Content Filter
To create a content filter:
Step 1 Click Mail Policies > Incoming Content Filters. The Incoming Content Filters page is displayed.
Step 2 Click the Add Filter button. The Add Content Filter page is displayed.
Step 3 Enter the following information:
– Name: Enter a name to identify the filter. For example, Remove_MP3.
– Description: Briefly describe the filter.
– Conditions: Leave this section blank. This ensures that this filter is applied to all messages analyzed by the mail policy.
Step 4 Click Add Action.
Step 5 Select Strip Attachment by File Info. The Strip Attachment by File Info page is displayed.
Step 6 Specify the action that the appliance takes when it encounters a flagged email message.
– Select File type is.
– In the drop-down menu, select -.mp3.
– Enter a replacement message that is displayed to the recipient if an MP3 attachment is stripped from an email message. For example, [MP3 FILE DROPPED].
– Click OK.
The Edit Content Filter page displays the rule drop-attachments-by-filetype("mp3", "[MP3 FILE DROPPED]") in the Actions section of the page.
Step 7 Click Submit. The Incoming Content Filters page displays the Remove_MP3 filter.
Applying a Filter to an Incoming Mail Policy
You apply the content filter to incoming messages by associating it with an incoming mail policy. When you associate the content filter with a mail policy, it is applied to the appropriate end users. To apply a content filter to an incoming mail policy:
Step 1 Select Mail Policies > Incoming Mail Policies.
Step 2 Click the Disabled link in the Content Filters column.
Step 3 Click Yes to enable content filtering on the policy. The Mail Policies: Content Filters page displays the content filter that you created. Verify that the Enable check box is selected for the Remove_MP3 filter.
Step 4 Click Submit. The Incoming Mail Policies page displays a success message.
Step 5 Commit your changes.
Testing the Filter
After you have created the filter and applied it to the default mail policy, test the filter by sending an email message with an MP3 attachment from an Internet email address (such as Yahoo! Mail) to an alias in your network.
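A repeatable version of this test, as an added example that is not part of the Cisco guide: the script builds the test message and audits the copy that reaches the mailbox. The addresses, the constructed MP3-like bytes, and the assumption that the replacement text arrives in a text part of the delivered message are all illustrative; substitute a real MP3 file if the appliance does not classify the sample bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

REPLACEMENT = "[MP3 FILE DROPPED]"  # replacement message entered in Step 6

# Constructed bytes: an ID3v2 tag header followed by one MPEG audio frame header.
SAMPLE_MP3 = (b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10
              + b"\xff\xfb\x90\x00" + b"\x00" * 413)


def build_test_message(sender, recipient):
    """Build the message to send through the appliance (one MP3 attachment)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Remove_MP3 content filter test"
    msg.set_content("This message carries one MP3 attachment.")
    msg.add_attachment(SAMPLE_MP3, maintype="audio", subtype="mpeg",
                       filename="sample.mp3")
    return msg


def looks_like_mp3(payload):
    """Signature check: ID3 tag or MPEG frame sync at the start of the data."""
    if payload.startswith(b"ID3"):
        return True
    return (len(payload) >= 2 and payload[0] == 0xFF
            and (payload[1] & 0xE0) == 0xE0)


def audit_delivered(raw):
    """Inspect the raw bytes of the delivered message for surviving MP3 data."""
    msg = message_from_bytes(raw, policy=policy.default)
    surviving, notice = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type() in ("audio/mpeg", "audio/mp3")
        # Report MP3 data even when it travels under another name or type.
        if declared or name.lower().endswith(".mp3") or looks_like_mp3(payload):
            surviving.append(name or part.get_content_type())
        elif (part.get_content_maintype() == "text"
              and REPLACEMENT in part.get_content()):
            notice = True
    return {
        "surviving_mp3": surviving,
        "replacement_seen": notice,
        "filter_applied": not surviving and notice,
    }


def simulated_filtered_copy(original):
    """Constructed stand-in for the delivered copy; the real layout may differ."""
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        out[header] = original[header]
    out.set_content("This message carries one MP3 attachment.\n\n"
                    + REPLACEMENT + "\n")
    return out


if __name__ == "__main__":
    sent = build_test_message("tester@example.org", "alias@example.com")
    print("before filter:", audit_delivered(bytes(sent)))
    print("after filter: ", audit_delivered(bytes(simulated_filtered_copy(sent))))
```

Save the delivered message as raw bytes (for example an exported .eml file) and pass its contents to audit_delivered; a non-empty surviving_mp3 list means the attachment passed the filter.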
You can use the Trace page (and trace CLI command) to test and troubleshoot the filter. The Trace page emulates a message that is accepted by a listener, and it prints a summary of features that would have been “triggered” or affected by the current configuration of the system. You can also run the tail command against mail logs to view the most recent mail logs in real time.
See Also
For more information about content filters and the Email Security Manager, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information on mail flow monitoring, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide.
Task 7: Enforce an Outgoing Email Policy
The IronPort appliance allows you to enforce a policy for outgoing mail that would quarantine messages that may contain sensitive information or violate your company’s email policies. RSA Email DLP protects your organization’s sensitive information and enforces regulatory compliance and internal policies by preventing users from unintentionally emailing sensitive data. You define what kind of data your employees are not allowed to email and the actions that the appliance takes, such as quarantining messages containing sensitive information and sending notifications to a compliance officer. For example, you can quarantine all messages that contain credit card numbers and supporting information.
Concepts
This task introduces concepts related to RSA Email DLP. RSA Email DLP is an integrated data loss prevention scanning engine from RSA Security Inc. that identifies and protects sensitive data. Data loss prevention (DLP) policies can analyze outgoing messages for particular data patterns and take action based on the scanned content. RSA Email DLP also includes predefined DLP policy templates that you can use to create your DLP policies. A DLP policy is a set of conditions that AsyncOS and the RSA Email DLP scanning engine use to determine whether an outgoing message contains sensitive data and the actions that AsyncOS takes when a message contains such data.
RSA Email DLP searches for more than data patterns like credit card numbers and driver license IDs; it examines the context of the patterns, leading to fewer false positives. If the DLP scanning engine detects a DLP violation in a message or attachment, the DLP scanning engine determines the risk factor of the violation and returns the result to the DLP policy. The DLP policy evaluates the severity of the violation and takes the appropriate action. You choose both the overall action to take on messages (deliver, drop, or quarantine) and secondary actions such as encrypting the message, altering its header, copying it, and sending notifications.
Goal
In this task, you create a new DLP policy that identifies outgoing emails that violate Payment Card Industry Data Security Standard (PCI-DSS) guidelines. PCI-DSS defines requirements for protection of commonly used elements of credit cardholder data. You configure the policy to quarantine emails that show patterns in data corresponding to credit card numbers and terms related to credit cards. After you create the DLP policy, you enable it in the default outgoing mail policy.
Enabling RSA Email Data Loss Prevention
To enable RSA Email DLP on your appliance:
Step 1 Select Security Services > RSA Email DLP. The RSA Email Data Loss Prevention Settings page is displayed.
Step 2 Click Enable.
Step 3 Click Submit. RSA Email DLP is enabled on the appliance.
Step 4 Commit your changes.
Creating a DLP Policy
After enabling RSA Email DLP, create a DLP policy to scan outgoing messages for credit card-related data. The policy uses a scale to evaluate the severity of a DLP violation found in a message and performs the appropriate action on the message. The scale includes five severity levels: Ignore, Low, Medium, High, and Critical. You define the actions to perform on messages that contain DLP violations. You can edit a level to specify different actions for different severities. To create a DLP policy:
Step 1 Select Mail Policies > DLP Policy Manager. The DLP Policy Manager is displayed.
Step 2 Click Add DLP Policy. The Add DLP Policy page is displayed.
Step 3 Click Regulatory Compliance.
Step 4 Click Add for Payment Card Industry Data Security Standard (PCI-DSS).
The Mail Policies: DLP: Policy: Payment Card Industry Data Security Standard (PCI-DSS) page is displayed.
Step 5 Under Critical Severity Settings, select Quarantine for the action to apply to messages. By default, all severity levels (except Ignore) inherit the settings of the higher severity level. The High severity level inherits the settings from Critical, Medium inherits from High, and Low inherits from Medium. You can uncheck the Inherit settings check box to edit a level’s actions.
Step 6 Click Submit.
Step 7 Commit your changes.
Enabling a DLP Policy in an Outgoing Mail Policy
By default, the DLP Policy is not applied to outgoing messages. You apply the policy by enabling it in an outgoing mail policy. You enable the DLP policy in the outgoing mail policy so that it is applied to the appropriate end users. In this example, the DLP policy is applied to the Default policy. To enable the DLP policy in an outgoing mail policy:
Step 1 Select Mail Policies > Outgoing Mail Policies. The Outgoing Mail Policies page is displayed.
Step 2 On the default policy, click the Disabled link in the DLP column.
Step 3 Under DLP Settings for Default Outgoing Mail Policy, select Enable DLP (Customize Settings) to enable DLP scanning on the outgoing mail policy. The Mail Policies: DLP page displays a list of available DLP policies. The Payment Card Industry Data Security Standard (PCI-DSS) policy appears in this list.
Step 4 Select the Enable check box for the Payment Card Industry Data Security Standard (PCI-DSS) policy.
Step 5 Click Submit. The Outgoing Mail Policies page displays a success message.
Step 6 Commit your changes.
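The guide says RSA Email DLP examines the context of a pattern rather than the pattern alone. The following added example (not Cisco or RSA code, and not the engine's actual algorithm) shows one way such a check can work, using a Luhn checksum plus keyword proximity, and builds message bodies for exercising the policy. The keyword list, the 100-character window and the two-number threshold are assumptions.

```python
import re

# Assumptions for illustration only: the keyword list, the proximity window and
# the "two or more numbers" threshold are not taken from the appliance.
CARD_TERMS = ("visa", "mastercard", "american express", "credit card")
WINDOW = 100        # max characters between a card term and a number
MIN_NUMBERS = 2     # several card-like numbers must appear near a term

# 13-19 digits, optionally grouped with single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_card_numbers(text):
    """Return (start, end, digits) for every Luhn-valid candidate in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append((match.start(), match.end(), digits))
    return hits


def find_terms(text):
    """Return (start, end, term) for every card-related keyword in text."""
    spans = []
    for term in CARD_TERMS:
        pattern = r"\b" + re.escape(term) + r"\b"
        for match in re.finditer(pattern, text, re.IGNORECASE):
            spans.append((match.start(), match.end(), term))
    return sorted(spans)


def gap(a, b):
    """Characters separating two spans (0 if they touch or overlap)."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))


def mask(digits):
    """Keep the first six and last four digits so reports hold no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def evaluate(text):
    """Decide whether text counts as a violation under the assumed rule."""
    numbers = find_card_numbers(text)
    terms = find_terms(text)
    in_context = [n for n in numbers if any(gap(n, t) <= WINDOW for t in terms)]
    return {
        "terms": [t[2] for t in terms],
        "numbers": [mask(n[2]) for n in numbers],
        "violation": len(in_context) >= MIN_NUMBERS,
    }


# Constructed test bodies. The card numbers are widely published test values.
SAMPLES = {
    "term_and_numbers": "Charge my Visa 4111 1111 1111 1111, or use the "
                        "backup card 4012-8888-8888-1881 if it is declined.",
    "term_only": "Do you accept Visa for the conference fee?",
    "single_number_only": "Tracking reference 4111111111111111 shipped today.",
    "lookalike_numbers": "Visa paperwork: case 1234567890123456 and "
                         "form 6543210987654321 are attached.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, evaluate(body))
```

The lookalike_numbers body shows the false-positive reduction: a keyword next to 16-digit strings that fail the checksum is not reported.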
Testing the Policy
After you have created the DLP policy and enabled it in the default outgoing mail policy, you can test the policy by sending an outbound email message with credit card-related information in a message body or attachment. For example, send a message with the term “Visa” and multiple strings of numbers similar to a credit card number in close proximity to one another, and then send a message with only the term and a message with only a single credit card number string. Messages that contain both of these strings are quarantined, but messages that contain only one of the terms do not trigger the quarantine action.
See Also
For more information about RSA Email DLP, see “Data Loss Prevention” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide.
Task 8: Add a Domain to Accept Mail
In this task, you configure the IronPort appliance to receive mail for another domain. Many enterprise gateways are configured to receive messages for several local domains. For example, if your company changes its name, it needs to receive mail for the old domain name and the new domain name.
Concepts
Incoming and outgoing mail is received through a listener, an email processing service that is configured on a particular IP interface. When you add accessibility for a new domain to the IronPort appliance, you must add entries to two tables. One table, the Recipient Access Table (RAT), specifies the mail recipients for the domain. It defines which recipients will be accepted by a public listener. The table specifies the address (which may be a partial address or host name) and whether to accept or reject it. The other table, the Host Access Table (HAT), maintains a set of rules that control incoming connections from remote hosts for a listener.
SMTP routes allow you to redirect all email for a particular domain to a different mail exchange (MX) host. You add an SMTP route to enable email for the new domain to be routed to the correct mail exchange host.
Goal
In this task, you add accessibility to the IronPort appliance for a new domain. You do this by adding an entry for the domain in the RAT, the HAT, and the SMTP Routes table.
Accepting Mail for a Domain
To accept mail for a domain:
Step 1 Select Network > Listeners. The Listeners page is displayed.
Step 2 Click the RAT link. The Recipient Access Table Overview page is displayed.
Step 3 Click the Add Recipient button.
The Add to Recipient Access Table page is displayed.
Step 4 Enter the following information:
– Order: Enter 2 to place the domain second in the list.
– Recipient Address: Enter the domain address. For example, acquisition.com.
– Action: Accept.
– Bypass Receiving Control: No.
– Bypass LDAP Accept Queries for this Recipient: Leave as is.
– Custom SMTP Response: No.
Step 5 Click Submit. The Recipient Access Table Overview page is refreshed with the new domain listed in position 2. At this point, your appliance is configured to accept mail for the new domain.
Creating an SMTP Route for a Domain
To create an SMTP route for a domain:
Step 1 Select Network > SMTP Routes. The SMTP Routes page is displayed.
Step 2 Click the Add Route button. The Add SMTP Route page is displayed.
Step 3 Enter the settings for the SMTP route:
– Receiving Domain: Enter the Receiving Domain. For example, enter acquisition.com.
– Destination Hosts: Enter the IP address or host name of the MUA that will receive the mail for the receiving domain. For example, enter exchange.company.com.
– Outgoing SMTP Authentication: Use default settings.
Step 4 Click Submit. The SMTP Routes page displays the new SMTP route.
See Also
For more information about configuring listeners and working with the RAT and the HAT, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide.
Task 9: Add a Disclaimer to Outgoing Mail
You can use the IronPort appliance to add footer text to outgoing or incoming messages. For example, you can append a copyright statement, promotional statement, or disclaimer to messages sent from your network.
Concepts
To add an outgoing disclaimer, you first create a text resource and then associate the text resource with the private (outgoing) listener. IronPort AsyncOS differentiates between public listeners (which, by default, can receive email from the Internet) and private listeners that accept email only from internal systems such as groupware, POP and IMAP, and other message generation systems.
Goal
To add an outgoing disclaimer, you create a disclaimer text resource and associate it with a private listener.
Creating a Footer Text Resource
To create a footer text resource:
Step 1 Select Mail Policies > Text Resources. The Text Resources page is displayed. Click the Add Text Resource button. The Add Text Resource page is displayed.
Step 2 Enter the following information:
– Name: Name of the text resource. For example, enter Confidential.
– Type: Disclaimer.
– Text: Enter the text to display as the disclaimer. Do not use variables.
Step 3 Click Submit. The Text Resources page is displayed with the disclaimer text resource.
Step 4 Commit your changes.
Associating a Footer with a Private Listener
After creating the disclaimer, you need to associate it with the private (outgoing) listener. The listener inserts the disclaimer text resource into every email message that the listener handles. To associate the disclaimer with a private listener:
Step 1 Select Network > Listeners.
Step 2 Click the OutgoingMail link in the Listener Name column. The Edit Listener page is displayed.
Step 3 Select Confidential from the Disclaimer Below menu to display the disclaimer at the bottom of messages.
Step 4 Click Submit.
Step 5 Commit your changes.
See Also
For more information about working with message stamping, see “Text Resources” in the Cisco IronPort AsyncOS for Email Configuration Guide.
Task 10: Configure a Scheduled Report
You can run a variety of reports to track activity on your IronPort appliance. You can also use reports to monitor the effectiveness of the appliance and view trends in the mail flow.
Concepts
The IronPort appliance allows you to track activity by using reports. You can track the flow of mail using incoming and outgoing mail summary reports, outgoing destinations, outgoing senders domains, and sender groups. You can track virus activity using the Virus Types report and the Virus Outbreak report. You can also track user activity using the Internal Users Summary report and the Content Filters report. You can also track system activity using an Executive Summary report and track system health using the System Capacity report.
This task introduces the TLS Connections report. This report shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.
Goal
In this task, you schedule a daily TLS Connections report.
Configuring a Scheduled Report
To configure a scheduled report:
Step 1 Select Monitor > Scheduled Reports.
The Scheduled Reports page is displayed.
Step 2 Click the Add Scheduled Report button. The Add Scheduled Report page is displayed.
Step 3 Select a Report type from the menu. For example, you might use the TLS Connections report to view the overall usage of TLS connections for emails sent to your network.
Step 4 Enter a title for the report.
Step 5 Under Time Range to Include, select “Previous calendar day.”
Step 6 Under Format, leave “PDF” selected.
Step 7 Under Schedule, select “Daily,” and leave the default time.
Step 8 Enter the email address where you want to send the report.
Step 9 Click Submit. The Available Reports section displays the scheduled reports.
Step 10 Commit your changes.
Note If you used the System Setup Wizard to configure the IronPort appliance, some reports are enabled by default.
See Also
For more information about generating and managing reports, see the section about reporting in “Using the Email Security Monitor” in the Cisco IronPort AsyncOS for Email Daily Management Guide.
CHAPTER 4
Advanced Tasks
This chapter contains the following sections:
• Task 11: Access the Command Line Interface
• Task 12: Use the CLI
• Task 13: Retrieve and Use Mail Logs
• Task 14: Configure Email Alerts
• Task 15: Upgrade the IronPort Appliance
Task 11: Access the Command Line Interface
The IronPort AsyncOS Command Line Interface (CLI) provides a set of management commands through a text-based interactive interface.
Concepts
The CLI and the GUI contain many of the same functions, but some advanced tasks are available only in the CLI. To use the CLI, you must first enable it from the GUI. You connect to the CLI using telnet or Secure Shell (SSH). SSH is encrypted and provides better security.
To use the CLI. Connect to the configured IP address using telnet or SSH. the CLI is enabled in the Management interface. you need to: • • Enable the CLI to use SSH or telnet. you enable and access the CLI. Doing so will cause unexpected behavior and is not supported. and click the Management link. In this example.Chapter Note Do not run multiple concurrent CLI or GUI sessions.0 Getting Started Guide 52 421-0149 . Enabling the CLI You can enable the CLI on any IP interface. Goal In this task. Cisco IronPort AsyncOS 7. To enable the CLI: Step 1 Select Network > IP Interfaces.
The Edit IP Interface dialog box is displayed.
Step 2 In the Services field, select SSH and Telnet, and enter port numbers. Telnet uses port 25. SSH uses port 22. When you select both options, you can connect to the IP address using either telnet or SSH.
Step 3 Use telnet or SSH to connect to the Management interface.
Step 4 In the CLI, enter your username and password to log in to the appliance. Initially, only the admin user account has access to the CLI. You can add other users when you access the CLI through the admin account.
See Also
For more information about the CLI, see the Cisco IronPort AsyncOS CLI Reference Guide.
Task 12: Use the CLI
You can perform many advanced tasks in the CLI, such as testing connectivity, viewing system status, and controlling services.
Concepts
You can use the CLI to complete the following types of tasks:
• Connectivity. You can test connectivity using the telnet command. You can use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.
• System status. You can use the status command to determine the status of the IronPort appliance. You use the tophosts command to view information about the email queue and determine if a particular recipient host has delivery problems, such as a queue buildup.
• Control services. Use the suspendlistener and resumelistener commands to stop and restart listeners if you need to troubleshoot a mail processing problem.
Goal
In this task, you run commands to test connectivity, review system status details, and suspend and resume listeners.
Testing Connectivity
The IronPort appliance allows you to use several common network diagnostic tools, such as telnet, ping, and traceroute. Use these commands to debug network connectivity from the IronPort appliance. For example, you can ensure that your diagnostics are not affected by firewalls or other rules that may treat the IronPort appliance differently from a workstation. You can use ping to test whether a particular host is reachable across an IP network. You can use telnet to connect to a remote host. You can use traceroute to display a network route to a remote host.
Ping a Network Host
To ping a network host:
Step 1 Use telnet or SSH to connect to the Management interface, and enter your username and password.
Step 2 Enter ping and the host name for an address on your network.
Step 3 Allow the IronPort appliance to ping the address several times.
Step 4 Press Ctrl+C to stop the IronPort appliance from pinging the host.
Step 5 Review the ping statistics.
Table 4-1 Example of ping command
mga.company.com> ping mail.example.com
Press Ctrl-C to stop.
PING mail.example.com (69.55.18.191): 56 data bytes
64 bytes from 69.55.18.191: icmp_seq=0 ttl=63 time=46.078 ms
64 bytes from 69.55.18.191: icmp_seq=1 ttl=63 time=41.941 ms
64 bytes from 69.55.18.191: icmp_seq=2 ttl=63 time=37.616 ms
    ^C
    --- mail.example.com ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 37.616/41.878/46.078/3.455 ms

Use the traceroute Command

Use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.

Step 1 From the CLI, enter traceroute <network host name>.
Step 2 Press Ctrl+C to stop the trace.
Step 3 Review the traceroute statistics.

Table 4-2 Example of the traceroute Command

    mga.company.com> traceroute mail.example.com
    Press Ctrl-C to stop.
    traceroute to mail.example.com (69.55.18.191), 64 hops max, 44 byte packets
     1  er1.sfo1.speakeasy.net (66.93.133.1)  35.199 ms  30.697 ms  31.543 ms
     2  * * *
    ^C

Use the telnet Command

Use telnet to establish a telnet connection or other interactive TCP connection. To establish a telnet connection:
Step 1 From the CLI, enter telnet <host name> <port number>. The IronPort appliance opens a connection to the remote host.
Step 2 Press Ctrl+C to close the connection.

Table 4-3 Example of the telnet Command

    mga.company.com> telnet mail.example.com 25
    Trying 69.55.18.191...
    Connected to mail.example.com.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix
    EHLO mga.company.com
    250-mail.example.com
    250-PIPELINING
    250-SIZE 102400000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250 8BITMIME
    ^]
    telnet> quit
    Connection closed.
Monitoring the IronPort Appliance and Email Traffic

You can use the CLI to monitor the IronPort appliance and traffic flowing through it.

Using the status Command

You can use the status command to view a broad range of information about the IronPort appliance, such as the anti-spam and anti-virus features that are enabled and the last date you started the appliance. Use the detail subcommand to return more specific information. From the CLI, enter status detail to retrieve detailed status of the IronPort appliance.

Table 4-4 Example of the status Command

    mga.company.com> status detail
    Status as of:        Thu Mar 30 13:22:24 2006 PST
    Up since:            Tue Mar 21 07:24:41 2006 PST (9d 5h 57m 43s)
    Last counter reset:  Never
    System status:       Online
    Oldest Message:      No Messages
    Feature - Virus Outbreak Filters: 50 days
    Feature - IronPort Anti-Spam:     205 days
    Feature - Receiving:              50 days
    Feature - Brightmail:             50 days
    Feature - Sophos:                 50 days
    Counters:                     Reset     Uptime    Lifetime
      Receiving
        Messages Received         22,119     1,267      22,119
        Recipients Received       22,651     1,324      22,651
        Gen. Bounce Recipients        81         7          81

For more information about counters, see the Cisco IronPort AsyncOS for Email Configuration Guide.

Using the tophosts Command

To view immediate information about the email queue and determine if a particular recipient host has delivery problems, such as a queue buildup, use the tophosts command. The tophosts command returns a list of the top 20 recipient hosts in the queue. The list can be sorted by a number of statistics, including active recipients, connections out, delivered recipients, soft bounced events, and hard bounced recipients.

To use the tophosts command:

Step 1 From the CLI, enter tophosts. The CLI displays a list of sorting options.
Step 2 Sort the hosts by connections out. The CLI returns a list of hosts in order of the connections out.

Table 4-5 Example of the tophosts Command

    mga.company.com> tophosts
    Sort results by:
    1. Active Recipients
    2. Connections Out
    3. Delivered Recipients
    4. Hard Bounced Recipients
    5. Soft Bounced Events
    > 2

    Status as of: Thu Mar 30 13:23:42 2006 PST
    Hosts marked with '*' were down as of the last delivery attempt.

                             Active   Conn.   Deliv.   Soft      Hard
    #  Recipient Host        Recip.   Out     Recip.   Bounced   Bounced
    1  yahoo.com                  0       0        2         0         0
    2  hotmail.com                0       0      128        76         5
    3  mail.example.com           0       0      889         0         0

Other useful commands for gathering email monitoring statistics include hoststatus and topin.

You can retrieve the information from these commands in an XML format by using a GUI request. For example, you can retrieve the information from the status command with the URL http://<hostname>/xml/status. For information on using XML pages to gather email monitoring statistics, see “Gathering XML Status from the GUI” in the Cisco IronPort AsyncOS for Email Daily Management Guide.
Configuring the Appliance

You can control the operation of your IronPort appliance directly from the CLI. The suspendlistener and resumelistener commands allow you to stop and restart listeners if you need to troubleshoot a mail processing problem. Use the syntax in Table 4-6 to suspend a listener.

Table 4-6 Suspending and Resuming a Listener

    mga.company.com> suspendlistener
    Enter the number of seconds to wait before abruptly closing connections.
    >
    Waiting for listeners to exit...
    Receiving suspended for External.
    mga.company.com> resumelistener
    Mail delivery resumed.

Other useful commands for stopping mail delivery from the appliance include suspenddel and resumedel.

Task 13: Retrieve and Use Mail Logs

AsyncOS offers extensive logging capabilities, and it makes these logs available through a variety of interfaces. Logs record information about mail flow, operation of various software systems on the appliance, CLI and GUI usage, and
the AsyncOS system itself. By default, AsyncOS records, archives, and purges old log files. You can view and search the logs, change the options for how much detail is recorded to the logs, and how the files themselves are handled on disk.

Goal

In this task, you view the logs in real time through the CLI, search logs for information, and retrieve logs using different formats.

Concepts

This task introduces the tail command, which allows you to view log details in real time. It also introduces the grep command, which allows you to search through logs for specific details. In addition, it introduces methods for retrieving logs.

Viewing Logs

To view the logs in real-time as they are written to the log files, use the syntax in Table 4-7.

Table 4-7 Example of tail Command

    mga.company.com> tail bounces
    Press Ctrl-C to stop.
    Wed Mar 29 22:25:24 2006 Info: Delayed: DCID 12949 MID 23365 From:<rob@main.example.net> To:<bob@company.com> RID 0 - 4.1.0 - Unknown address error ('450', ['<rob@main.example.net>: Sender address rejected: Domain not found'])
    Wed Mar 29 23:25:26 2006 Info: Delayed: DCID 12951 MID 23365 From:<rob@main.example.net> To:<bob@company.com> RID 0 - 4.1.0 - Unknown address error ('450', ['<rob@main.example.net>: Sender address rejected: Domain not found'])
Searching for Content in Logs

You can search for content in the logs by using the grep command. For example, the following grep query searches for mail logs for bob@company.com and then retrieves the details of a message sent to that address by searching for the message ID.

Table 4-8 Example of the grep Command

    mga.company.com> grep -e "bob@company.com" mail_logs
    Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
    mga.company.com> grep -e "MID 13276" -e "ICID 23441" mail_logs
    Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (66.133.229.191) address 86.203.70.163 reverse dns host alagny-154-1-70-163.w86-203.wanadoo.fr verified yes
    Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.] SBRS -2.
    Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
    Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <firstname.lastname@example.org>
    Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
    Sat Jan 21 02:43:17 2006 Info: MID 13276 Message-ID '<000001c61ea1$2ec70280$0100007f@localhost>'
    Sat Jan 21 02:43:17 2006 Info: MID 13276 Subject 'Hey bro, check out the huge sale these guys are offering'
    Sat Jan 21 02:43:17 2006 Info: MID 13276 ready 9637 bytes from <email@example.com>
    Sat Jan 21 02:43:17 2006 Info: MID 13276 matched all recipients for per-recipient policy EUQ Testers in the inbound table
    Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
    Sat Jan 21 02:43:17 2006 Info: EUQ: Tagging MID 13276 for quarantine
    Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
    Sat Jan 21 02:43:17 2006 Info: MID 13276 queued for delivery
    Sat Jan 21 02:43:18 2006 Info: Start delivery of MID 13276 over RPC connection 8572
    Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
    Sat Jan 21 02:43:18 2006 Info: Delivery of MID 13276 over RPC completed on connection 8572
    Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done
    Sat Jan 21 02:43:19 2006 Info: ICID 23441 close

Retrieving and Configuring Logs

Log data rolls over to a new file when the file size reaches a specified limit. (The default is 95 MB.) By default, the appliance stores up to 10 files for each log, and it deletes the oldest file when it rolls over data to a new file. You can use FTP or SCP to retrieve archived log files on demand, or you can configure the appliance to push rolled-over log files to an FTP or SCP server.

Retrieving Logs Using FTP or SCP

You can retrieve log files directly from the appliance using either an FTP or an SCP client. On the Network > IP Interfaces page, you can enable both the FTP and the SSH (for SCP) services. After you enable the service, you can connect to the IronPort appliance using the FTP or SCP client to browse and retrieve log files. Other types of files are available for download, including saved configuration files, archive mailboxes created by different filter commands, and saved reports.
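The two-step search of Table 4-8 (recipient address to MID, then MID and ICID to the full message trace) can be repeated offline on a retrieved mail_logs file. The Python below is an added example, not part of the Cisco guide: the sample lines are constructed in the layout the table shows, and the function names are hypothetical. It matches IDs as whole numbers, because a plain substring search for "MID 13276" also hits "MID 132760".

```python
import re

# Constructed sample in the mail_logs layout of Table 4-8 (not real traffic).
SAMPLE_LOG = """\
Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (192.0.2.10) address 198.51.100.7 reverse dns host unknown verified no
Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <alice@example.net>
Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
Sat Jan 21 02:43:06 2006 Info: MID 13277 ICID 23442 RID 0 To: <carol@company.com>
Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
Sat Jan 21 02:43:17 2006 Info: MID 132760 antivirus negative
Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done
Sat Jan 21 02:43:19 2006 Info: ICID 23441 close
"""

RCPT = re.compile(r"\bMID (\d+) ICID (\d+) RID \d+ To: <([^>]+)>")

def find_messages(lines, recipient):
    """Step 1: recipient address -> set of (MID, ICID) pairs."""
    found = set()
    for line in lines:
        m = RCPT.search(line)
        if m and m.group(3).lower() == recipient.lower():
            found.add((m.group(1), m.group(2)))
    return found

def trace(lines, mid, icid):
    """Step 2: every line for that MID or ICID, matched as whole numbers."""
    pat = re.compile(rf"\b(?:MID {mid}|ICID {icid})\b")
    return [line for line in lines if pat.search(line)]

def verdicts(trace_lines):
    """Summarize the scanning outcome recorded in one message trace."""
    result = {"spam": None, "antivirus": None, "quarantined": False}
    for line in trace_lines:
        if m := re.search(r"\bspam (\w+)$", line):
            result["spam"] = m.group(1)
        elif m := re.search(r"\bantivirus (\w+)$", line):
            result["antivirus"] = m.group(1)
        elif "Quarantined MID" in line:
            result["quarantined"] = True
    return result

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for mid, icid in sorted(find_messages(lines, "bob@company.com")):
        print(mid, icid, verdicts(trace(lines, mid, icid)))
```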
Configuring Log Subscriptions

By default, the appliance is configured to roll over the log files when they reach a specified size, and it stores up to 10 old log files. You can configure the log settings to reduce or increase the number and size of the log files. You can also configure the appliance to push logs to a remote server for further archiving and processing. Log subscriptions can be managed through the logconfig CLI command and through the GUI on the System Administration > Log Subscriptions page.

See Also

For more information, see “Logging” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Task 14: Configure Email Alerts

You can configure the IronPort appliance to send email-based alerts when errors and other types of events occur.

Goal

In this task, you view email alerts and add a recipient for the email alerts.

Concepts

The IronPort appliance can send informational and error alerts. You can configure these alerts based on the information you want to receive and the users who need to receive the information. Different levels of alerts can be delivered to different recipients.
Configuring Email Alerts

You configure alerts through the GUI on the System Administration > Alerts page.

Figure 4-1 Alerts Page

Figure 4-1 shows the default configuration for email alerts. You can configure the system to deliver a different set of alerts to another email address. To do this, click Add Recipient.
Figure 4-2 Add Alert Recipient Page

On this page, you choose the recipient to receive alerts and the level and type of alert messages to send to that recipient. After you select the alerts, click the Submit button and commit your changes.

See Also

For more information about alerts, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 15: Upgrade the IronPort Appliance

You can use either the CLI or the GUI to perform system upgrades. In the CLI, use the upgrade command. In the GUI, select System Administration > System Upgrades. The system checks for available upgrades and provides a choice of upgrade versions.

Note that upgrades require download of a significant amount of data. Depending on the speed of your Internet connection, the download can take from several minutes to over an hour. While the IronPort appliance performs the upgrade, it continues to process mail. The upgrade requires a reboot, which you can perform at a convenient time.

For some sites, it is easier to perform upgrades from the CLI. This allows you to watch the upgrade events more closely than when you perform the upgrade from the GUI.
See Also

For more information about upgrading the IronPort appliance, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide. For information about upgrading IronPort appliances that belong to a centralized management cluster, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.