Cisco IronPort AsyncOS 7.0 Getting Started Guide
January 21, 2010

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: 421-0149

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. 
Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco IronPort AsyncOS 7.0 Getting Started Guide © 2010 Cisco Systems, Inc. All rights reserved.

CONTENTS

Introduction
  Before You Begin
  About This Guide
  Where to Go for More Information
    IronPort Knowledge Base
    IronPort Documentation
    Customer Support
  Overview of IronPort Email Security
    Spam Protection
    Virus Protection
    Content Compliance
IronPort Email Security Appliance GUI
Email Security Tasks
  Task 1: Drop Positive Spam Messages by Default
    Concepts
    Goal
    Dropping Spam Messages by Default
  Task 2: Exempt Specified Groups of Users from Spam Filtering
    Concepts
    Goal
    Creating a Mail Policy
    Changing the Anti-Spam Settings for a Mail Policy
  Task 3: Quarantine Incoming Spam
    Concepts
    Goal
    Configuring the IronPort Spam Quarantine
    Enabling the IronPort Spam Quarantine HTTP or HTTPS Service
    Configuring the Policy to Send Spam to the IronPort Spam Quarantine
  Task 4: Configure End User Safelists and Blocklists
    Concepts
    Goal
    Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine
    Adding Items to the Safelist for an End User Account
    Adding Items to the Blocklist for an End User Account
  Task 5: Quarantine Incoming Virus Messages
    Concepts
    Goal
    Enabling Virus Settings
  Task 6: Strip Specified Types of Incoming Email Attachments
    Concepts
    Goal
    Creating a Content Filter
    Applying a Filter to an Incoming Mail Policy
    Testing the Filter
  Task 7: Enforce an Outgoing Email Policy
    Concepts
    Goal
    Enabling RSA Email Data Loss Prevention
    Creating a DLP Policy
    Enabling a DLP Policy in an Outgoing Mail Policy
    Testing the Policy
  Task 8: Add a Domain to Accept Mail
    Concepts
    Goal
    Accepting Mail for a Domain
    Creating an SMTP Route for a Domain
  Task 9: Add a Disclaimer to Outgoing Mail
    Concepts
    Goal
    Creating a Footer Text Resource
    Associating a Footer with a Private Listener
  Task 10: Configure a Scheduled Report
    Concepts
    Goal
    Configuring a Scheduled Report
Advanced Tasks
  Task 11: Access the Command Line Interface
    Concepts
    Goal
    Enabling the CLI
  Task 12: Use the CLI
    Concepts
    Goal
    Testing Connectivity
    Monitoring the IronPort Appliance and Email Traffic
    Configuring the Appliance
  Task 13: Retrieve and Use Mail Logs
    Concepts
    Goal
    Viewing Logs
    Searching for Content in Logs
    Retrieving and Configuring Logs
  Task 14: Configure Email Alerts
    Concepts
    Goal
    Configuring Email Alerts
  Task 15: Upgrade the IronPort Appliance

CHAPTER 1

Introduction

This chapter contains the following sections:
• Before You Begin
• About This Guide
• Where to Go for More Information
• Overview of IronPort Email Security

Before You Begin

Before you begin, read the Quickstart Guide for the IronPort Email Security appliance you are installing and any release notes that were shipped with your appliance. This guide assumes that you have unpacked the appliance, physically installed it in a rack cabinet, and turned it on. You should also run the System Setup Wizard and accept the default configuration settings that are appropriate to the placement of the IronPort appliance in your network.

About This Guide

The Cisco IronPort AsyncOS Getting Started Guide provides an overview of the IronPort Email Security appliance and introduces its features. This guide contains the following chapters:
• Chapter 1, “Introduction” - This chapter provides an introduction to this guide and an overview of IronPort email security.
• Chapter 2, “IronPort Email Security Appliance GUI” - This chapter provides a general introduction to the IronPort appliance and the Email Security Manager.
• Chapter 3, “Email Security Tasks” - This chapter provides tasks that will help you become acquainted with your IronPort appliance.
• Chapter 4, “Advanced Tasks” - This chapter provides advanced tasks that can help you understand some of the advanced features of the IronPort appliance.

Where to Go for More Information

You can refer to the resources described in this section if you have questions about the IronPort Email Security appliance.

IronPort Knowledge Base

You can access the IronPort Knowledge Base on the Customer Support Portal at the following URL:

http://www.ironport.com/support/login.html

Note: You need a Support Portal account to access the site. If you do not already have an account, click the Request an Account link on the Support Portal login page. Generally, only IronPort customers, partners, and employees can access the Support Portal.

The Knowledge Base contains a wealth of information on topics related to IronPort products. Articles generally fall into one of the following categories:
• How-To. These articles explain how to do something with an IronPort product. For example, a how-to article might explain the procedures for backing up and restoring a database for an appliance.
• Problem-and-Solution. A problem-and-solution article addresses a particular error or issue that you might encounter when using an IronPort product. For example, a problem-and-solution article might explain what to do if a specific error message is displayed when you upgrade to a new version of the product.
• Reference. Reference articles typically provide lists of information, such as the error codes associated with a particular piece of hardware.
• Troubleshooting. Troubleshooting articles explain how to analyze and resolve common issues related to IronPort products. For example, a troubleshooting article might provide steps to follow if you are having problems with DNS.

Each article in the Knowledge Base has a unique answer ID number.

IronPort Documentation

The documentation for the Cisco IronPort Email Security appliance includes the following books:
• Cisco IronPort AsyncOS for Email Daily Management Guide. This guide provides instructions for performing common, everyday tasks that system administrators use to manage and monitor the IronPort appliance, such as viewing email traffic using the Email Security Monitor, tracking email messages, managing system quarantines, and troubleshooting the appliance. It also provides reference information for features that system administrators interact with on a regular basis, including Email Security Monitor pages, AsyncOS logs, CLI support commands, and quarantines.
• Cisco IronPort AsyncOS for Email Configuration Guide. This guide is recommended for system administrators who are setting up a new IronPort appliance and want to learn about its email delivery features. It provides instructions on installing the appliance into an existing network infrastructure and setting it up as an email gateway appliance. It also includes reference information and configuration instructions for email delivery features such as the Email Pipeline, Virus Outbreak Filters, content filters, email encryption, anti-virus scanning, and anti-spam scanning.
• Cisco IronPort AsyncOS for Email Advanced Configuration Guide. This guide provides instructions for configuring the advanced features of the IronPort appliance. Topics include configuring the appliance to work with LDAP, creating message filters to enforce email policies, organizing multiple appliances into clusters, and customizing the listeners on the appliance. In addition to configuration, this guide provides reference material for advanced features such as message filter rules and actions, regular expressions used in content dictionaries and message filter rules, and LDAP query syntax and attributes.
• IronPort AsyncOS CLI Reference Guide. This guide provides a detailed list of the commands in the AsyncOS command line interface (CLI), as well as examples of the commands in use. System administrators can use this guide for reference when using the CLI on the IronPort appliance.

Customer Support

You can request customer support by phone, email, or online 24 hours a day, 7 days a week. During Customer Support office hours (24 hours per day, Monday through Friday, excluding U.S. holidays), one of the engineers will contact you within an hour of your request. To report a critical issue that requires urgent assistance, notify IronPort using the following contact information:

U.S. toll-free: +1 (877) 641-4766
International: http://www.ironport.com/support/contact_support.html
Support Portal: http://www.ironport.com/support

If you purchased support through a reseller or another supplier, please contact that supplier directly with your product support issues.

Support Request Page

You can also use the Support Request page in the GUI to request customer support. To access the Support Request page, select Help > Support Request. Complete the information on the page, and then click the Submit button. A Customer Support representative will contact you as soon as possible.

Overview of IronPort Email Security

The IronPort email security appliance combines several content scanning engines with IronPort preventive security solutions, such as SenderBase Reputation Filtering and Virus Outbreak Filters.

[Figure: IronPort Consolidates Security Solutions for the Email Perimeter. Before IronPort: Internet, Firewall, MTAs, Anti-Spam, Anti-Virus, Policy Management, Mail Routing, Groupware, Users. After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users.]

The IronPort appliance provides unparalleled protection for corporate groupware servers, as well as reliable inbound and outbound email delivery. It has earned its outstanding reputation through deployments at the world’s largest Internet Service Providers and thousands of global customers.

IronPort Email Security appliances use the proprietary IronPort AsyncOS operating system. AsyncOS provides a high-performance, flexible platform that supports the advanced security systems of IronPort. Unlike traditional messaging systems, the IronPort mail transfer agent (MTA) can handle thousands of simultaneous connections. The ability to support high volumes of simultaneous connections is critical to both large and small email sites because of the large number of spammers and spyware systems attempting to deliver spam and virus- or malware-infected email messages.

The IronPort appliance incorporates the AsyncOS operating system with support tools, security scanning engines, a GUI, a command line interface (CLI), and other interfaces.

Spam Protection

For anti-spam protection, the IronPort email security appliance combines SenderBase Reputation Filtering with traditional content filters, such as Symantec Brightmail and IronPort Anti-Spam. SenderBase is a global email-monitoring network that tracks hundreds of parameters from thousands of contributing networks to establish a historically accurate reputation score for IP addresses that send email on the Internet. Because it draws on traffic data from over 25% of all worldwide email traffic, SenderBase can help stop more than 80% of unwanted threat messages before accepting them for content scanning. This reputation filtering system allows the IronPort email security appliance to dramatically increase the throughput of the traditional signature-based content scanning engines, because it can filter email messages before the signature-based scans take place.

Virus Protection

For anti-virus protection, IronPort offers anti-virus scanning engines from McAfee and Sophos, as well as its exclusive Virus Outbreak Filters. You can configure your IronPort appliance to use one or both of the licensed anti-virus scanning engines. Because each engine relies on a separate base of technology, scanning messages with both the McAfee and Sophos scanning engines combines the benefits of both anti-virus scanning engines.

Because viruses and spyware use email as their primary distribution vector, SenderBase can detect patterns of email messages that signal an infection outbreak before traditional content-scanning virus filter signatures can be updated and deployed. The IronPort Global Threat Operations Center watches for emerging threats in email traffic and publishes outbreak rules to the IronPort appliance, which quarantines possible threat messages. This protects networks from virus threats before virus signature updates are available. As the outbreak matures and the threat rules adapt, non-matching messages are released from quarantine, and possible threat messages are held back until a final signature is available for the virus-scanning engine. Over the course of a virus outbreak, you are protected from new infections coming into the network, and you do not need to worry about possible false positive messages being dropped.

[Figure: How Virus Outbreak Filters Work - Dynamic Quarantine in Action. Axis: Messages Scanned & Deleted.
T = 0: zip (exe) files.
T = 5 mins: zip (exe) files; size 50 to 55 KB.
T = 10 mins: zip (exe) files; size 50 to 55 KB; “Price” in the file name.
T = 8 hours: release messages if signature update is in place.]

Content Compliance

IronPort security solutions are powered by an advanced content filtering engine, which comes with built-in configurations for compliance with Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act. You can also use the content filtering engine to implement specific business-policy controls for a variety of systems. Email archiving, keyword scanning, attachment control, and encryption integration are all available for use in custom filtering rules. You can use the Email Security Manager in the GUI to set specific policies for groups of users so you can enforce appropriate levels of security for different business units.

You access this functionality with management and monitoring tools. AsyncOS provides both an intuitive web-based GUI and a command line interface (CLI), as well as flexible application programming interfaces (APIs) for retrieving reporting and monitoring data. Many standard reports are built into the system. You can use these features to integrate the appliance with your information systems infrastructure.

In addition, AsyncOS offers a unique centralized management feature that uses a peer-to-peer architecture to avoid the need for extra hardware in the data center and to eliminate any single point of failure.

With a multi-layer approach to spam and virus protection, IronPort is a cost-effective solution to your email security needs. The integrated architecture of AsyncOS provides all the necessary email protection capabilities to secure internal networks and groupware servers. By combining pioneering preventive features, such as SenderBase and Virus Outbreak Filters, with best-in-class content scanning engines, IronPort provides the most comprehensive email security solution on the market.

This guide demonstrates the features of the IronPort email security appliance so you can immediately take control of your email perimeter and solve email security problems.
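The dynamic quarantine described under Virus Protection can be modelled in a few lines. The following Python sketch is an added example, not code from Cisco or the appliance: the class and function names are hypothetical, the three rule revisions and the 8-hour release come from the Virus Outbreak Filters figure, and the sample messages are constructed.

```python
"""Added illustration of the Virus Outbreak Filters dynamic quarantine."""
from dataclasses import dataclass
from typing import Optional, Tuple

DELIVERED = "delivered: no outbreak rule match"
RELEASED_RULE = "released: no longer matches the adapted rule"
RELEASED_SIG = "released: signature update in place"
HELD = "held: awaiting signature update"


@dataclass(frozen=True)
class Message:
    msg_id: str
    arrived_min: int      # minutes after the first outbreak rule was published
    attachment: str       # attachment file name
    inner_type: str       # file type found inside the attachment
    size_kb: int


@dataclass(frozen=True)
class OutbreakRule:
    published_min: int
    archive_ext: str = ".zip"
    inner_type: str = "exe"
    size_kb: Optional[Tuple[int, int]] = None   # inclusive range, None = any
    name_contains: Optional[str] = None         # None = any file name

    def matches(self, m: Message) -> bool:
        name = m.attachment.lower()
        if not name.endswith(self.archive_ext) or m.inner_type != self.inner_type:
            return False
        if self.size_kb and not self.size_kb[0] <= m.size_kb <= self.size_kb[1]:
            return False
        if self.name_contains and self.name_contains.lower() not in name:
            return False
        return True


# Rule revisions taken from the figure: each one is narrower than the last.
RULES = [
    OutbreakRule(0),
    OutbreakRule(5, size_kb=(50, 55)),
    OutbreakRule(10, size_kb=(50, 55), name_contains="price"),
]
SIGNATURE_CHECK_MIN = 8 * 60


def simulate(messages, rules=RULES, signature_ready_min=None):
    """Return {msg_id: (minute, outcome)} for every message."""
    outcome, held, current = {}, [], None
    # Rule revisions sort before arrivals that happen in the same minute.
    timeline = sorted(
        [(r.published_min, 0, r) for r in rules]
        + [(m.arrived_min, 1, m) for m in messages],
        key=lambda e: (e[0], e[1]),
    )
    for minute, kind, item in timeline:
        if kind == 0:
            # Rule adapted: re-test the quarantine and release non-matches.
            current = item
            still_held = []
            for m in held:
                if current.matches(m):
                    still_held.append(m)
                else:
                    outcome[m.msg_id] = (minute, RELEASED_RULE)
            held = still_held
        elif current is not None and current.matches(item):
            held.append(item)
        else:
            outcome[item.msg_id] = (minute, DELIVERED)
    # T = 8 hours: release what is left only if the signature update arrived.
    ready = signature_ready_min is not None and signature_ready_min <= SIGNATURE_CHECK_MIN
    for m in held:
        outcome[m.msg_id] = (SIGNATURE_CHECK_MIN, RELEASED_SIG) if ready else (None, HELD)
    return outcome


# Constructed sample traffic.
SAMPLE = [
    Message("m1", 1, "invoice.zip", "exe", 120),
    Message("m2", 2, "photos.zip", "exe", 52),
    Message("m3", 3, "Price_list.zip", "exe", 53),
    Message("m4", 4, "report.pdf", "pdf", 52),
    Message("m5", 7, "notes.zip", "exe", 300),
]

if __name__ == "__main__":
    for msg_id, result in sorted(simulate(SAMPLE, signature_ready_min=400).items()):
        print(msg_id, result)
```

Only the message that still matches the narrowest rule stays quarantined for the full eight hours; everything else is released as soon as a rule revision excludes it, which is why false positives are delayed rather than dropped.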

CHAPTER 2

IronPort Email Security Appliance GUI

The graphical user interface (GUI) of the IronPort Email Security appliance provides access to features and services to help you effectively monitor and administer your organization’s email network traffic.

Figure 2-1 IronPort GUI [screenshot with callouts 1 to 5]

The following table describes the GUI components shown in Figure 2-1.

Component: Description
1 - Menu bar: Click the menus to access the various areas of the GUI.
2 - Drop-down menu: The menus display task-based links. Click the links to access pages for the tasks you want to perform.
3 - Options menu: The Options menu enables you to change your password or log out of the IronPort appliance.
4 - Help menu: The Help menu provides access to online help information about the current GUI page and access to the Support Portal. In addition, you can use this menu to send a support request and provide Customer Support with remote access to your IronPort appliance.
5 - Commit Changes button: The Commit Changes button notifies you if changes are pending on your appliance. When you make changes to the appliance configuration, you must commit the changes for them to take effect on the appliance. To commit the changes:
  1. Click the Commit Changes button.
  2. Optionally, enter a comment in the Comment box. Adding comments can be useful for any future troubleshooting.
  3. Click Commit Changes. You return to the originating page, and the Commit box indicates that no changes are pending.

CHAPTER 3

Email Security Tasks

This chapter contains the following sections:
• Task 1: Drop Positive Spam Messages by Default
• Task 2: Exempt Specified Groups of Users from Spam Filtering
• Task 3: Quarantine Incoming Spam
• Task 4: Configure End User Safelists and Blocklists
• Task 5: Quarantine Incoming Virus Messages
• Task 6: Strip Specified Types of Incoming Email Attachments
• Task 7: Enforce an Outgoing Email Policy
• Task 8: Add a Domain to Accept Mail
• Task 9: Add a Disclaimer to Outgoing Mail
• Task 10: Configure a Scheduled Report

Task 1: Drop Positive Spam Messages by Default

The IronPort Anti-Spam engine processes email for incoming and outgoing mail based on settings that you configure. IronPort Anti-Spam scans messages through its filtering modules for classification. It classifies messages as positive spam, suspected spam, or not spam. You determine the action to take on the message based on the IronPort Anti-Spam classification. You might choose to drop, deliver, or quarantine messages based on their classification. For example, you might decide to drop positive spam messages and quarantine suspected spam messages.

Concepts

You can use the IronPort Email Security Manager to define mail filtering and security policies for users based on their email addresses or an LDAP query. You configure settings for incoming email in an incoming mail policy. The incoming mail policy instructs the IronPort appliance to perform an action on a message based on the classification of the message and mail recipient. The default mail policy applies to all incoming messages.

Goal

By default, the IronPort appliance is not configured to scan email messages for suspected spam. In this task, you activate suspected spam scanning and configure the default policy to drop the suspected spam. Later, you will enable the end-user spam quarantine, which allows users to view and open email messages and release messages from the quarantine.

Note: If you set up your IronPort appliance using the System Setup Wizard, the IronPort appliance drops positive spam messages by default.

Dropping Spam Messages by Default

To drop spam messages by default:

Step 1 Select Mail Policies > Incoming Mail Policies. The Incoming Mail Policies page is displayed.
Step 2 In the Anti-Spam settings for the default policy, click the link to open the mail policy. The Mail Policies: Anti-Spam page is displayed.
Step 3 In the Anti-Spam Settings section, select “Use selected Anti-Spam service(s)” and select IronPort Anti-Spam.
Step 4 In the Positively Identified Spam Settings section, use the following settings:
  – Apply this Action to the Message: Drop.
  – Advanced > Archive Message: Select Yes to archive or No to skip archiving.
Step 5 In the Suspected Spam Settings section, use the following settings:
  – Enable Suspect Spam Scanning: Yes.
  – Apply This Action to Message: Deliver.
  – Add Text to Subject: Select Prepend or Append if you want to add text, and enter the text in the text field. For example, enter [SUSPECTED SPAM].
Step 6 Click Submit.
Step 7 The new settings are displayed for the default policy. The IronPort appliance notifies you that you have pending changes. The changes you make are not activated until you commit them.
Step 8 Click the Commit Changes button in the top right corner of the page. The Uncommitted Changes page is displayed.
Step 9 Add a comment to describe the change.
Step 10 Click Commit Changes.

See Also

For more information about the Email Security Manager, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about anti-spam settings, see “Anti-Spam” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 2: Exempt Specified Groups of Users from Spam Filtering

The default incoming mail policy you modified in Task 1 applies to all mail that enters the network. However, you may want to create a new policy that applies security scanning or content filters differently for some users. For example, you might want to ensure that executive users receive all messages.

Concepts

With the IronPort appliance, you can use mail policies to apply different mail delivery settings to different users. You use incoming mail policies to manage flows of incoming emails to different addresses. This allows you to exempt some users from spam filtering.

Goal

In this task, you create a new mail policy. Then, you modify the policy’s anti-spam settings to deliver spam-positive messages and suspected spam with a tag in the messages’ subject line.

Creating a Mail Policy

To create a mail policy:

Step 1 Select Mail Policies > Incoming Mail Policies. The Incoming Mail Policies page is displayed.
Step 2 Click the Add Policy button. The Add Incoming Mail Policy page is displayed.
Step 3 To define the policy, enter the following information:
  – Policy Name: Enter a name. For example, enter Execs.
  – Insert Before Policy: 1 (Default Policy).
  – Add Users: This policy applies to the recipient of the message, so leave Recipient selected.
  – Email Address(es): Add the email address that this policy applies to. For example, enter bob@example.com. Then click the Add button. You can repeat this process for any number of email addresses or LDAP queries.
Step 4 Click Submit. The Incoming Mail Policies page is displayed with the new mail policy.

Changing the Anti-Spam Settings for a Mail Policy

After you create a mail policy, you need to modify its anti-spam settings so that spam-positive messages and spam-suspect messages are tagged and sent to the address that you specified in the mail policy.

To change the anti-spam settings:

Step 1 On the Incoming Mail Policies page for the new policy (for example, the Execs policy), click the “(use default)” link in the Anti-Spam column. The Mail Policies: Anti-Spam page is displayed.
Step 2 In the Enable Anti-Spam Scanning for this Policy field, select “Use selected Anti-Spam service(s)” and select IronPort Anti-Spam.
Step 3 Scroll down to the Positively-Identified Spam Settings section.
Step 4 In the Positively-Identified Spam Settings section, enter the following information to ensure that messages identified as spam are delivered with an identifying tag:
  – Apply This Action to Message: Deliver.
  – Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SPAM].
Step 5 Scroll down to the Suspected Spam Settings section.
Step 6 In the Suspected Spam Settings section, enter the following information to ensure that messages identified as suspected spam are delivered with an identifying tag:
  – Enable Suspect Spam Scanning: Yes.
  – Apply This Action to Message: Deliver.
  – Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SUSPECTED SPAM].
Step 7 Click Submit. The Incoming Mail Policies page is displayed.
Step 8 Review the Anti-Spam column. The new mail policy delivers messages that are tagged as spam-positive and spam-suspect to the specified accounts, and it drops spam-positive messages addressed to other accounts.

See Also

For more information about configuring anti-spam settings, see “Anti-Spam” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 3: Quarantine Incoming Spam The IronPort Email Security appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine. stored on an M-Series IronPort appliance. Cisco IronPort AsyncOS 7. stored on the IronPort appliance. you enable the IronPort Spam Quarantine and configure the default policy to send incoming spam to the quarantine.Chapter For information about quarantining incoming spam messages.0 Getting Started Guide 421-0149 19 . The interface where the Spam Quarantine is enabled. You can use a local quarantine or send spam to an external quarantine (M-Series appliance). The Spam Quarantine is a special quarantine designed for mail end-user access. complete the following steps: Step 1 Configure the local IronPort Spam Quarantine. You enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service. see “Task 3: Quarantine Incoming Spam” on page 19. • • Goal In this task. End users can then access the quarantine to determine if the messages are incorrectly identified as spam. That way. Anti-spam options for a mail policy. you work with several areas of the IronPort appliance: • IronPort Spam quarantine. To use the IronPort Spam Quarantine. You enable the spam quarantine for a particular mail policy. Both AsyncOS administrators and end users can access the IronPort Spam Quarantine. You can use a local IronPort Spam Quarantine. or you can send messages to an external IronPort Spam Quarantine. you can quarantine mail for specified groups of users. Concepts To use the IronPort Spam Quarantine.

The Quarantines page is displayed. Step 2 Click Edit. Configuring the IronPort Spam Quarantine To configure the IronPort Spam Quarantine: Step 1 Select Monitor > Quarantines. Configure the anti-spam scanning options for the policy to send spam or suspect spam to the IronPort Spam Quarantine. Cisco IronPort AsyncOS 7. The Edit IronPort Spam Quarantine page is displayed.0 Getting Started Guide 20 421-0149 .Chapter Step 2 Step 3 Enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.

The Enable Spam Notification page is displayed. The End-User Quarantine Access page is displayed.0 Getting Started Guide 421-0149 21 . Step 6 Click Enable Spam Notification. Enter a subject (such as “IronPort Spam Quarantine Notification”). Step 5 Select None in the End-User Authentication field. you allow users to access quarantined mail by clicking links in the notification messages that they receive. Click Enable End-User Quarantine Access.Chapter Step 3 Step 4 Use the default settings in the Spam Quarantine Settings panel and scroll down to End-User Quarantine Access. Cisco IronPort AsyncOS 7. By selecting None. Step 7 Step 8 Enter an address to use in the From Address header if you want to send notifications.

Step 9 Enter a title for the notification (such as “IronPort Spam Quarantine Notification”).
Step 10 Optionally, enter a spam notification message.
Step 11 Select a format.
Step 12 Enter an address to deliver bounce messages to.
Step 13 Leave the Consolidate Notifications field empty. This field consolidates email notifications for users when the IronPort Spam Quarantine is configured for LDAP authentication.
Step 14 In the Notification Schedule field, choose a notification schedule.
Step 15 Click Submit.
Step 16 Commit your changes.

Enabling the IronPort Spam Quarantine HTTP or HTTPS Service
After you enable the IronPort Spam Quarantine, you must edit the IP interface to enable the HTTP or HTTPS service for the IronPort Spam Quarantine. To enable the HTTP or HTTPS service:
Step 1 On the Network > IP Interfaces page, click the interface name (this example uses the Management interface).

The Edit IP Interface page is displayed.
Step 2 In Services > IronPort Spam Quarantine, select HTTP, HTTPS, or both, enter the port numbers, and optionally enable redirection of HTTP requests to HTTPS.
Step 3 Enter the default URL that appears in email notifications. This example uses the hostname.
Step 4 Click Submit.
Step 5 Commit your changes.

Configuring the Policy to Send Spam to the IronPort Spam Quarantine
To send spam to the IronPort Spam quarantine:
Step 1 Select Mail Policies > Incoming Mail Policies.
Step 2 Click the anti-spam settings for the default mail policy. The Anti-Spam Settings page is displayed.
Step 3 In Positively Identified Spam Settings > Apply this Action to Message, select IronPort Spam Quarantine. The Positively Identified Spam Settings field expands. It displays delivery settings for the IronPort Spam Quarantine.
Step 4 Use the default settings in the Positively Identified Spam field.
Step 5 Leave the Suspected Spam Settings as you configured them.
Step 6 Use default settings for Spam Thresholds.
Step 7 Click Submit.
Step 8 Commit your changes.

See Also
For more information about working with incoming mail policies, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about configuring IP interfaces, see “Accessing the Appliance” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about working with the IronPort Spam quarantine, see “Quarantines” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Task 4: Configure End User Safelists and Blocklists
The IronPort appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine; however, an end user may want to ensure that mail from a particular sender is never treated as spam. Conversely, an end user may want to guarantee that certain mail is always sent to the IronPort Spam Quarantine. For example, a user may be unable to unsubscribe from an automated mailing list, and may want to block the list server’s email address.

Concepts
This task introduces concepts related to end user safelists and blocklists. You can enable end users to create safelists and blocklists to better control which emails are treated as spam. Safelists allow a user to ensure that certain users or domains are not treated as spam. Blocklists ensure that certain users or domains are always treated as spam. The end user safelist and blocklist settings are configured from the IronPort Spam Quarantine, so you must have enabled and configured the IronPort Spam Quarantine to use this feature.

Note When you enable the safelist/blocklist feature, each end user maintains a safelist and blocklist for his or her email account.

Goal
In this task, you enable safelists and blocklists in the IronPort Spam Quarantine, and you configure a safelist and a blocklist for an end user account.

Note Steps 2 and 3 require that you log into an end user account to create a safelist. Ensure that you have created an end user account that you can access to complete this task.

Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine
You enable safelists and blocklists from the Quarantines page. To enable safelists and blocklists on a C-Series appliance:
Step 1 Select Monitor > Quarantines.
Step 2 In the End-User Safelist/Blocklist section, click Edit Settings. The Edit Safelist/Blocklist Settings page is displayed.
Step 3 Select Enable End User Safelist/Blocklist Feature.
Step 4 Select Quarantine or Delete for the blocklist action.
Step 5 Specify the maximum list items per user. This value represents the maximum number of addresses or domains a user can list in each safelist and blocklist. For example, a value of 100 would mean that the end user could add 100 terms in the safelist and 100 terms in the blocklist.
Step 6 Click Submit.

Adding Items to the Safelist for an End User Account
End users can use safelists to ensure that mail from specified senders is never treated as spam. To add items to a safelist:
Step 1 Log in to the IronPort Spam Quarantine.

Step 2 Select the Options drop-down menu.
Step 3 Select Safelist.
Step 4 In the Safelist dialog box, enter an email address, subdomain, or domain. Entries can be added to safelists and blocklists using the following formats:
– user@domain.com
– server.domain.com
– domain.com
Step 5 Click Add to List.

Adding Items to the Blocklist for an End User Account
End users can use blocklists to ensure that they never receive mail from specified senders. To add items to a blocklist:
Step 1 In the IronPort Spam Quarantine, select the Options drop-down menu.
Step 2 Select Blocklist.
Step 3 Enter the domain or email address you want to blocklist.
Step 4 Click Add to List.

When the IronPort appliance receives mail from the specified email address or domain that matches an entry in the blocklist, it treats the mail as spam. Because you configured AsyncOS to quarantine blocklisted items, any items identified as blocklisted are quarantined.

Task 5: Quarantine Incoming Virus Messages
You can configure the IronPort appliance to quarantine incoming virus messages. The Virus quarantine stores messages marked by the anti-virus scanning engine as not scannable, virus-positive, or encrypted. Like the anti-spam settings, you configure the IronPort appliance to take different actions based on the results of the virus scan and the group of mail recipients. For example, you might want to quarantine all virus-positive messages to the Technical Support group, but drop all virus-positive messages sent to the Marketing group.

Concepts
This task presents concepts related to IronPort virus scanning and the Virus quarantine. Unlike the IronPort Spam quarantine, the Virus quarantine can be accessed only by administrators. The Virus quarantine is enabled by default, but you must configure anti-virus scanning and quarantine settings in a mail policy to use the Virus quarantine. You also enable notifications in the mail policy to allow administrators or end users to see that messages were quarantined.


Goal
In this task, you activate IronPort virus scanning, and you configure the default mail policy to deliver suspected virus email messages and drop confirmed virus email messages. You also configure the default mail policy to quarantine virus messages and suspected virus messages.

Enabling Virus Settings
To enable the Virus quarantine:
Step 1 Select Mail Policies > Incoming Mail Policies.
Step 2 Click the anti-virus settings for the default mail policy. The Anti-Virus Settings page is displayed.
Step 3 Under Anti-Virus Settings, select Yes for Enable Anti-Virus Scanning for this Policy. The anti-virus engines that you have licenses for are displayed.
Step 4 Select an anti-virus engine.
Step 5 Under Message Scanning, enter the following information:
– Select “Scan and Repair viruses” from the menu.
– Select “Include an X-header with the Anti-Virus scanning results in messages.”
Step 6 Use the default settings for the Repaired Messages section.
Step 7 Use the default settings for the Encrypted Messages section.
Step 8 Scroll down to the Unscannable Messages section.
Step 9 Enter the following information in the Unscannable Messages section:
– Action Applied to Message: Quarantine.
– Archive Original Message: Yes.
– Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: A/V UNSCANNABLE].
– Other Notification: Recipient.

Step 10 Scroll down to the Virus Infected Messages section.
Step 11 Enter the following information in the Virus Infected Messages section:
– Action Applied to Message: Quarantine.
– Archive Original Message: Yes.
– Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: VIRUS DETECTED].
– Other Notification: Recipient.
Step 12 Click Submit.

The Default Mail Policy displays the anti-virus settings.
Step 13 Commit your changes.

See Also
For more information about configuring anti-virus settings, see “Anti-Virus” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information about quarantines, see “Quarantines” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Task 6: Strip Specified Types of Incoming Email Attachments
In addition to spam and virus filters, the IronPort appliance allows you to apply custom scanning and email policies to messages by using content filters. You can use content filters to analyze incoming email messages and take action based on a variety of factors.

Concepts
This task introduces concepts related to the content filter. The content filter applies custom filtering to messages after the anti-spam and anti-virus engines perform scans. Like anti-spam and anti-virus policies, you create the content filter and then apply it to a group of users via a mail policy. Content filters can be enforced on different groups of users.

Goal
In this task, you create a new content filter to strip a specified type of media attachment from incoming messages, and then you add this filter to the default policy in the Email Security Manager.

Note Content Filters are custom email rules that scan a message for specific content or recipients and then take actions based on the results of the scan.

Creating a Content Filter
To create a content filter:
Step 1 Click Mail Policies > Incoming Content Filters. The Incoming Content Filters page is displayed.
Step 2 Click the Add Filter button. The Add Content Filter page is displayed.
Step 3 Enter the following information:
– Name: Enter a name to identify the filter. For example, Remove_MP3.
– Description: Briefly describe the filter.

– Conditions: Leave this section blank. This ensures that this filter is applied to all messages analyzed by the mail policy.
Step 4 Click Add Action.
Step 5 Select Strip Attachment by File Info. The Strip Attachment by File Info page is displayed.
Step 6 Specify the action that the appliance takes when it encounters a flagged email message.
– Select File type is.
– In the drop-down menu, select -- mp3.
– Enter a replacement message that is displayed to the recipient if an MP3 attachment is stripped from an email message. For example, [MP3 FILE DROPPED].
– Click OK.
The Edit Content Filter page displays the rule drop-attachments-by-filetype("mp3", "[MP3 FILE DROPPED]") in the Actions section of the page.
Step 7 Click Submit. The Incoming Content Filters page displays the Remove_MP3 filter.

Applying a Filter to an Incoming Mail Policy
You apply the content filter to incoming messages by associating it with an incoming mail policy. When you associate the content filter with a mail policy, it is applied to the appropriate end users. To apply a content filter to an incoming mail policy:
Step 1 Select Mail Policies > Incoming Mail Policies.
Step 2 Click the Disabled link in the Content Filters column.
Step 3 Click Yes to enable content filtering on the policy. The Mail Policies: Content Filters page displays the content filter that you created. Verify that the Enable check box is selected for the Remove_MP3 filter.
Step 4 Click Submit. The Incoming Mail Policies page displays a success message.
Step 5 Commit your changes.

Testing the Filter
After you have created the filter and applied it to the default mail policy, test the filter by sending an email message with an MP3 attachment from an Internet email address (such as Yahoo! Mail) to an alias in your network.

You can use the Trace page (and trace CLI command) to test and troubleshoot the filter. The Trace page emulates a message that is accepted by a listener, and it prints a summary of features that would have been “triggered” or affected by the current configuration of the system. You can also run the tail command against mail logs to view the most recent mail logs in real time.

See Also
For more information about content filters and the Email Security Manager, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide. For more information on mail flow monitoring, see “Email Security Manager” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 7: Enforce an Outgoing Email Policy
The IronPort appliance allows you to enforce a policy for outgoing mail that would quarantine messages that may contain sensitive information or violate your company’s email policies. Data loss prevention (DLP) policies can analyze outgoing messages for particular data patterns and take action based on the scanned content. For example, you can quarantine all messages that contain credit card numbers and supporting information.

Concepts
This task introduces concepts related to RSA Email DLP. RSA Email DLP is an integrated data loss prevention scanning engine from RSA Security Inc. that identifies and protects sensitive data. RSA Email DLP protects your organization’s sensitive information and enforces regulatory compliance and internal policies by preventing users from unintentionally emailing sensitive data. You define what kind of data your employees are not allowed to email and the actions that the appliance takes, such as quarantining messages containing sensitive information and sending notifications to a compliance officer.

A DLP policy is a set of conditions that AsyncOS and the RSA Email DLP scanning engine use to determine whether an outgoing message contains sensitive data and the actions that AsyncOS takes when a message contains such data. You choose both the overall action to take on messages (deliver, drop, or quarantine) and secondary actions such as encrypting the message, altering its header, copying it, and sending notifications. RSA Email DLP also includes predefined DLP policy templates that you can use to create your DLP policies.

RSA Email DLP searches for more than data patterns like credit card numbers and driver license IDs; it examines the context of the patterns, leading to fewer false positives. If the DLP scanning engine detects a DLP violation in a message or attachment, the DLP scanning engine determines the risk factor of the violation and returns the result to the DLP policy. The DLP policy evaluates the severity of the violation and takes the appropriate action.

Goal
In this task, you create a new DLP policy that identifies outgoing emails that violate Payment Card Industry Data Security Standard (PCI-DSS) guidelines. PCI-DSS defines requirements for protection of commonly used elements of credit cardholder data. You configure the policy to quarantine emails that show patterns in data corresponding to credit card numbers and terms related to credit cards. After you create the DLP policy, you enable it in the default outgoing mail policy.

Enabling RSA Email Data Loss Prevention
To enable RSA Email DLP on your appliance:
Step 1 Select Security Services > RSA Email DLP. The RSA Email Data Loss Prevention Settings page is displayed.
Step 2 Click Enable. RSA Email DLP is enabled on the appliance.
Step 3 Click Submit.
Step 4 Commit your changes.

Creating a DLP Policy
After enabling RSA Email DLP, create a DLP policy to scan outgoing messages for credit card-related data. You define the actions to perform on messages that contain DLP violations. The policy uses a scale to evaluate the severity of a DLP violation found in a message and performs the appropriate action on the message. The scale includes five severity levels: Ignore, Low, Medium, High, and Critical. You can edit a level to specify different actions for different severities. To create a DLP policy:
Step 1 Select Mail Policies > DLP Policy Manager. The DLP Policy Manager is displayed.
Step 2 Click Add DLP Policy. The Add DLP Policy page is displayed.
Step 3 Click Regulatory Compliance.
Step 4 Click Add for Payment Card Industry Data Security Standard (PCI-DSS).

The Mail Policies: DLP: Policy: Payment Card Industry Data Security Standard (PCI-DSS) page is displayed.
Step 5 Under Critical Severity Settings, select Quarantine for the action to apply to messages. By default, all severity levels (except Ignore) inherit the settings of the higher severity level: the High severity level inherits the settings from Critical, Medium inherits from High, and Low inherits from Medium. You can uncheck the Inherit settings check box to edit a level’s actions.
Step 6 Click Submit.
Step 7 Commit your changes.

Enabling a DLP Policy in an Outgoing Mail Policy
By default, the DLP Policy is not applied to outgoing messages. You apply the policy by enabling it in an outgoing mail policy. To enable the DLP policy in an outgoing mail policy:

Step 1 Select Mail Policies > Outgoing Mail Policies. The Outgoing Mail Policies page is displayed. You enable the DLP policy in the outgoing mail policy so that it is applied to the appropriate end users. In this example, the DLP policy is applied to the Default policy.
Step 2 On the default policy, click the Disabled link in the DLP column. The Mail Policies: DLP page displays a list of available DLP policies.
Step 3 Under DLP Settings for Default Outgoing Mail Policy, select Enable DLP (Customize Settings) to enable DLP scanning on the outgoing mail policy. The Payment Card Industry Data Security Standard (PCI-DSS) policy appears in this list.
Step 4 Select the Enable check box for the Payment Card Industry Data Security Standard (PCI-DSS) policy.
Step 5 Click Submit. The Outgoing Mail Policies page displays a success message.
Step 6 Commit your changes.
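The Concepts text for this task says RSA Email DLP examines the context around a data pattern, and the Testing the Policy section expects a card term with nearby card-like numbers to be quarantined while either one alone is delivered. The Python sketch below is an added illustration of that idea, not Cisco or RSA code; the term list, the 60-character window, the Luhn checksum and the sample messages are assumptions constructed for the example.

```python
"""Context-aware card-number check: a digit pattern alone is not a violation."""
import re

# Assumptions for this sketch (not RSA's classifier): the term list, the
# proximity window in characters, and the use of the Luhn checksum.
CARD_TERMS = ("visa", "mastercard", "amex", "credit card", "card number", "cvv")
WINDOW = 60
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers(text):
    """Return (start, end, digits) for each Luhn-valid digit run."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def term_spans(text):
    """Return (start, end) for each card-related term, case-insensitive."""
    lowered = text.lower()
    spans = []
    for term in CARD_TERMS:
        for m in re.finditer(r"\b" + re.escape(term) + r"\b", lowered):
            spans.append((m.start(), m.end()))
    return spans


def gap(a, b):
    """Characters between two (start, end) spans; 0 if they overlap."""
    return max(0, b[0] - a[1], a[0] - b[1])


def evaluate(text):
    """Quarantine only when a valid number sits within WINDOW of a term."""
    numbers = card_numbers(text)
    terms = term_spans(text)
    in_context = [n[2] for n in numbers
                  if any(gap(n[:2], t) <= WINDOW for t in terms)]
    return {
        "action": "quarantine" if in_context else "deliver",
        "numbers": len(numbers),
        "terms": len(terms),
        "in_context": in_context,
    }


# Constructed sample messages; the card numbers are public test values.
BOTH = "Customer paid by Visa. Card 4111 1111 1111 1111, backup 4012-8888-8888-1881."
TERM_ONLY = "Do you accept Visa for invoice 2291?"
NUMBER_ONLY = "Reference 4111111111111111 is attached."
FAR = ("Visa paperwork is attached. "
       + "The quarterly figures follow in the next section of this report. " * 2
       + "Ref 4111111111111111.")
NOT_LUHN = "Visa order 1234567890123456"

if __name__ == "__main__":
    for name in ("BOTH", "TERM_ONLY", "NUMBER_ONLY", "FAR", "NOT_LUHN"):
        print(name, evaluate(globals()[name]))
```

The FAR and NOT_LUHN messages go beyond the three cases in the test procedure: they show a term too distant from the number and a 16-digit string that fails the checksum, both of which are delivered.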

Testing the Policy
After you have created the DLP policy and enabled it in the default outgoing mail policy, you can test the policy by sending an outbound email message with credit card-related information in a message body or attachment. For example, send a message with the term “Visa” and multiple strings of numbers similar to a credit card number in close proximity to one another, and then send a message with only the term and a message with only a single credit card number string. Messages that contain both of these strings are quarantined, but messages that contain only one of the terms do not trigger the quarantine action.

See Also
For more information about RSA Email DLP, see “Data Loss Prevention” in the Cisco IronPort AsyncOS for Email Advanced Configuration Guide.

Task 8: Add a Domain to Accept Mail
In this task, you configure the IronPort appliance to receive mail for another domain. Many enterprise gateways are configured to receive messages for several local domains. For example, if your company changes its name, it needs to receive mail for the old domain name and the new domain name.

Concepts
Incoming and outgoing mail is received through a listener, an email processing service that is configured on a particular IP interface. When you add accessibility for a new domain to the IronPort appliance, you must add entries to two tables. One table, the Host Access Table (HAT), maintains a set of rules that control incoming connections from remote hosts for a listener. The other table, the Recipient Access Table (RAT), specifies the mail recipients for the domain. It defines which recipients will be accepted by a public listener. The table specifies the address (which may be a partial address or host name) and whether to accept or reject it.

SMTP routes allow you to redirect all email for a particular domain to a different mail exchange (MX) host. You add an SMTP route to enable email for the new domain to be routed to the correct mail exchange host.

Goal
In this task, you add accessibility to the IronPort appliance for a new domain. You do this by adding an entry for the domain in the RAT, the HAT, and the SMTP Routes table.

Accepting Mail for a Domain
To accept mail for a domain:
Step 1 Select Network > Listeners. The Listeners page is displayed.
Step 2 Click the RAT link. The Recipient Access Table Overview page is displayed.
Step 3 Click the Add Recipient button.

The Add to Recipient Access Table page is displayed.
Step 4 Enter the following information:
– Order: Enter 2 to place the domain second in the list.
– Recipient Address: Enter the domain address. For example, acquisition.com.
– Action: Accept.
– Bypass LDAP Accept Queries for this Recipient: Leave as is.
– Custom SMTP Response: No.
– Bypass Receiving Control: No.
Step 5 Click Submit. The Recipient Access Table Overview page is refreshed with the new domain listed in position 2.

At this point, your appliance is configured to accept mail for the new domain.

Creating an SMTP Route for a Domain
To create an SMTP route for a domain:
Step 1 Select Network > SMTP Routes. The SMTP Routes page is displayed.

Step 2 Click the Add Route button. The Add SMTP Route page is displayed.
Step 3 Enter the settings for the SMTP route:
– Receiving Domain: Enter the Receiving Domain. For example, enter acquisition.com.
– Destination Hosts: Enter the IP address or host name of the MUA that will receive the mail for the receiving domain. For example, enter exchange.company.com.
– Outgoing SMTP Authentication: Use default settings.
Step 4 Click Submit. The SMTP Routes page displays the new SMTP route.

See Also
For more information about configuring listeners and working with the RAT and the HAT, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 9: Add a Disclaimer to Outgoing Mail
You can use the IronPort appliance to add footer text to outgoing or incoming messages. For example, you can append a copyright statement, promotional statement, or disclaimer to messages sent from your network.

Concepts
To add an outgoing disclaimer, you first create a text resource and then associate the text resource with the private (outgoing) listener. IronPort AsyncOS differentiates between public listeners — which, by default, can receive email from the Internet — and private listeners that accept email only from internal systems such as groupware, POP and IMAP, and other message generation systems.

Goal
To add an outgoing disclaimer, you create a disclaimer text resource and associate it with a private listener.

Creating a Footer Text Resource
To create a footer text resource:
Step 1 Select Mail Policies > Text Resources. The Text Resources page is displayed. Click the Add Text Resource button. The Add Text Resource page is displayed.
Step 2 Enter the following information:
– Name: Name of the text resource. For example, enter Confidential.

– Type: Disclaimer.
– Text: Enter the text to display as the disclaimer. Do not use variables.
Step 3 Click Submit. The Text Resources page is displayed with the disclaimer text resource.
Step 4 Commit your changes.

Associating a Footer with a Private Listener
After creating the disclaimer, you need to associate it with the private (outgoing) listener. The listener inserts the disclaimer text resource into every email message that the listener handles. To associate the disclaimer with a private listener:
Step 1 Select Network > Listeners.
Step 2 Click the OutgoingMail link in the Listener Name column. The Edit Listener page is displayed.
Step 3 Select Confidential from the Disclaimer Below menu to display the disclaimer at the bottom of messages.
Step 4 Click Submit.
Step 5 Commit your changes.

See Also
For more information about working with message stamping, see “Text Resources” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 10: Configure a Scheduled Report
You can run a variety of reports to track activity on your IronPort appliance. You can also use reports to monitor the effectiveness of the appliance and view trends in the mail flow.

Concepts
The IronPort appliance allows you to track activity by using reports. You can track the flow of mail using incoming and outgoing mail summary reports, outgoing destinations, outgoing senders domains, and sender groups. You can track virus activity using the Virus Types report and the Virus Outbreak report. You can also track user activity using the Internal Users Summary report and the Content Filters report. You can also track system activity using an Executive Summary report and track system health using the System Capacity report.

This task introduces the TLS Connections report. This report shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

Goal
In this task, you schedule a daily TLS Connections report.

Configuring a Scheduled Report
To configure a scheduled report:
Step 1 Select Monitor > Scheduled Reports.

The Scheduled Reports page is displayed. The Available Reports section displays the scheduled reports.

Note If you used the System Setup Wizard to configure the IronPort appliance, some reports are enabled by default.

Step 2 Click the Add Scheduled Report button. The Add Scheduled Report page is displayed.
Step 3 Select a Report type from the menu. For example, you might use the TLS Connections report to view the overall usage of TLS connections for emails sent to your network.
Step 4 Enter a title for the report.
Step 5 Under Time Range to Include, select “Previous calendar day.”
Step 6 Under Format, leave “PDF” selected.
Step 7 Under Schedule, select “Daily,” and leave the default time.
Step 8 Enter the email address where you want to send the report.
Step 9 Click Submit.
Step 10 Commit your changes.

See Also
For more information about generating and managing reports, see the section about reporting in “Using the Email Security Monitor” in the Cisco IronPort AsyncOS for Email Daily Management Guide.


CHAPTER 4
Advanced Tasks
This chapter contains the following sections:
• Task 11: Access the Command Line Interface
• Task 12: Use the CLI
• Task 13: Retrieve and Use Mail Logs
• Task 14: Configure Email Alerts
• Task 15: Upgrade the IronPort Appliance

Task 11: Access the Command Line Interface
The IronPort AsyncOS Command Line Interface (CLI) provides a set of management commands through a text-based interactive interface. You connect to the CLI using telnet or Secure Shell (SSH). SSH is encrypted and provides better security.

Concepts
The CLI and the GUI contain many of the same functions, but some advanced tasks are available only in the CLI. To use the CLI, you must first enable it from the GUI.

Note Do not run multiple concurrent CLI or GUI sessions. Doing so will cause unexpected behavior and is not supported.

Goal
In this task, you enable and access the CLI. To use the CLI, you need to:
• Enable the CLI to use SSH or telnet.
• Connect to the configured IP address using telnet or SSH.

Enabling the CLI
You can enable the CLI on any IP interface. In this example, the CLI is enabled in the Management interface. To enable the CLI:
Step 1 Select Network > IP Interfaces, and click the Management link.

The Edit IP Interface dialog box is displayed.
Step 2 In the Services field, select SSH and Telnet, and enter port numbers. SSH uses port 22. Telnet uses port 25. When you select both options, you can connect to the IP address using either telnet or SSH.
Step 3 Use telnet or SSH to connect to the Management interface.
Step 4 In the CLI, enter your username and password to log in to the appliance. Initially, only the admin user account has access to the CLI. You can add other users when you access the CLI through the admin account.

See Also
For more information about the CLI, see the Cisco IronPort AsyncOS CLI Reference Guide.

Task 12: Use the CLI
You can perform many advanced tasks in the CLI, such as testing connectivity, viewing system status, and controlling services.

Concepts
You can use the CLI to complete the following types of tasks:
• Connectivity. You can test connectivity using the telnet command. You can use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.
• System status. You can use the status command to determine the status of the IronPort appliance. You use the tophosts command to view information about the email queue and determine if a particular recipient host has delivery problems, such as a queue buildup.
• Control services. Use the suspendlistener and resumelistener commands to stop and restart listeners if you need to troubleshoot a mail processing problem.

Goal
In this task, you run commands to test connectivity, review system status details, and suspend and resume listeners.

Testing Connectivity
The IronPort appliance allows you to use several common network diagnostic tools, such as telnet, ping, and traceroute. Use these commands to debug network connectivity from the IronPort appliance. For example, you can ensure that your diagnostics are not affected by firewalls or other rules that may treat the IronPort appliance differently from a workstation. You can use ping to test whether a particular host is reachable across an IP network. You can use traceroute to display a network route to a remote host. You can use telnet to connect to a remote host.

Ping a Network Host
To ping a network host:
Step 1 Use telnet or SSH to connect to the Management interface, and enter your username and password.
Step 2 Enter ping and the host name for an address on your network.
Step 3 Allow the IronPort appliance to ping the address several times.
Step 4 Press Ctrl+C to stop the IronPort appliance from pinging the host.
Step 5 Review the ping statistics.

Table 4-1 Example of ping command
mga.company.com> ping mail.example.com
Press Ctrl-C to stop.
PING mail.example.com (69.55.18.191): 56 data bytes
64 bytes from 69.55.18.191: icmp_seq=0 ttl=63 time=46.078 ms
64 bytes from 69.55.18.191: icmp_seq=1 ttl=63 time=41.941 ms
64 bytes from 69.55.18.191: icmp_seq=2 ttl=63 time=37.616 ms
^C
--- mail.example.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 37.616/41.878/46.078/3.455 ms

Use the traceroute Command
Use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.
Step 1 From the CLI, enter traceroute <network host name>.
Step 2 Press Ctrl+C to stop the trace.
Step 3 Review the traceroute statistics.

Table 4-2 Example of the traceroute Command
mga.company.com> traceroute mail.example.com
Press Ctrl-C to stop.
traceroute to mail.example.com (69.55.18.191), 64 hops max, 44 byte packets
1 er1.sfo1.speakeasy.net (66.93.133.1) 35.697 ms 31.199 ms 30.543 ms
2 * * *
^C

Use the telnet Command
Use telnet to establish a telnet connection or other interactive TCP connection. To establish a telnet connection:

example.18. 220 mail. Step 2 Table 4-3 Example of the telnet Command mga.0 Getting Started Guide 421-0149 57 .com 250-mail.com 250-PIPELINING 250-SIZE 102400000 250-VRFY 250-ETRN 250-STARTTLS 250 8BITMIME ^] telnet> quit Connection closed.com 25 Trying 69.example. enter telnet <host name><port number>.com> telnet mail. Escape character is '^]'.191..Chapter Step 1 From the CLI. Cisco IronPort AsyncOS 7.com ESMTP Postfix EHLO mga.55. Press Ctrl+C to close the connection..company.example. The IronPort appliance opens a connection to the remote host.company.example. Connected to mail.com.

Monitoring the IronPort Appliance and Email Traffic

You can use the CLI to monitor the IronPort appliance and traffic flowing through it.

Using the status Command

You can use the status command to view a broad range of information about the IronPort appliance, such as the anti-spam and anti-virus features that are enabled and the last date you started the appliance. Use the detail subcommand to return more specific information.

From the CLI, enter status detail to retrieve detailed status of the IronPort appliance.

Table 4-4 Example of the status Command

    mga.company.com> status detail
    Status as of:                      Thu Mar 30 13:22:24 2006 PST
    Up since:                          Tue Mar 21 07:24:41 2006 PST (9d 5h 57m 43s)
    Last counter reset:                Never
    System status:                     Online
    Oldest Message:                    No Messages
    Feature - IronPort Anti-Spam:      205 days
    Feature - Brightmail:              50 days
    Feature - Virus Outbreak Filters:  50 days
    Feature - Receiving:               50 days
    Feature - Sophos:                  50 days

    Counters:                        Reset     Uptime   Lifetime
      Receiving
        Messages Received           22,119      1,267     22,119
        Recipients Received         22,651      1,324     22,651
        Gen. Bounce Recipients          81          7         81

For more information about counters, see the Cisco IronPort AsyncOS for Email Configuration Guide.

Using the tophosts Command

To view immediate information about the email queue and determine if a particular recipient host has delivery problems — such as a queue buildup — use the tophosts command. The tophosts command returns a list of the top 20 recipient hosts in the queue. The list can be sorted by a number of statistics, including active recipients, connections out, delivered recipients, soft bounced events, and hard bounced recipients.

To use the tophosts command:

Step 1  From the CLI, enter tophosts. The CLI displays a list of sorting options.
Step 2  Sort the hosts by connections out. The CLI returns a list of hosts in order of the connections out.

Table 4-5 Example of the tophosts Command

    mga.company.com> tophosts

    Sort results by:

    1. Active Recipients
    2. Connections Out
    3. Delivered Recipients
    4. Hard Bounced Recipients
    5. Soft Bounced Events
    [1]> 2

    Status as of: Thu Mar 30 13:23:42 2006 PST
    Hosts marked with '*' were down as of the last delivery attempt.

                             Active   Conn.   Deliv.   Soft      Hard
    #   Recipient Host       Recip.   Out     Recip.   Bounced   Bounced
    1   yahoo.com                 0       0        2         0         0
    2   mail.example.com          0       0      128        76         5
    3   hotmail.com               0       0      889         0         0

You can retrieve the information from these commands in an XML format by using a GUI request. For example, you can retrieve the information from the status command with the URL http://<hostname>/xml/status. For information on using XML pages to gather email monitoring statistics, see “Gathering XML Status from the GUI” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Other useful commands for gathering email monitoring statistics include hoststatus and topin.

Configuring the Appliance

You can control the operation of your IronPort appliance directly from the CLI. The suspendlistener and resumelistener commands allow you to stop and restart listeners if you need to troubleshoot a mail processing problem. Use the syntax in Table 4-6 to suspend a listener.

Table 4-6 Suspending and Resuming a Listener

    mga.company.com> suspendlistener
    Enter the number of seconds to wait before abruptly closing connections.
    [30]>
    Waiting for listeners to exit...
    Receiving suspended for External.
    mga.company.com> resumelistener
    Mail delivery resumed.

Other useful commands for stopping mail delivery from the appliance include suspenddel and resumedel.

Task 13: Retrieve and Use Mail Logs

AsyncOS offers extensive logging capabilities, and it makes these logs available through a variety of interfaces. Logs record information about mail flow, operation of various software systems on the appliance, CLI and GUI usage, and the AsyncOS system itself. By default, AsyncOS records, archives, and purges old log files. You can view and search the logs, and change the options for how much detail is recorded to the logs and how the files themselves are handled on disk.

Goal

In this task, you view the logs in real time through the CLI, search logs for information, and retrieve logs using different formats.

Concepts

This task introduces the tail command, which allows you to view log details in real time. It also introduces the grep command, which allows you to search through logs for specific details. In addition, it introduces methods for retrieving logs.

Viewing Logs

To view the logs in real time as they are written to the log files, use the syntax in Table 4-7.

Table 4-7 Example of tail Command

    mga.company.com> tail bounces
    Press Ctrl-C to stop.
    Wed Mar 29 22:25:24 2006 Info: Delayed: DCID 12949 MID 23365 From:<rob@main.example.net> To:<bob@company.com> RID 0 - 4.1.0 - Unknown address error ('450', ['<rob@main.example.net>: Sender address rejected: Domain not found'])
    Wed Mar 29 23:25:26 2006 Info: Delayed: DCID 12951 MID 23365 From:<rob@main.example.net> To:<bob@company.com> RID 0 - 4.1.0 - Unknown address error ('450', ['<rob@main.example.net>: Sender address rejected: Domain not found'])

Searching for Content in Logs

You can search for content in the logs by using the grep command. For example, the following grep query searches for mail logs for bob@company.com and then retrieves the details of a message sent to that address by searching for the message ID.

Table 4-8 Example of the grep Command

    mga.company.com> grep -e "bob@company.com" mail_logs
    Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
    mga.company.com> grep -e "MID 13276" -e "ICID 23441" mail_logs
    Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (66.133.39.191) address 86.203.229.163 reverse dns host alagny-154-1-70-163.w86-203.abo.wanadoo.fr verified yes
    Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.2
    Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
    Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <mduffm@309s.com>
    Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
    Sat Jan 21 02:43:17 2006 Info: MID 13276 Message-ID '<000001c61ea1$2ec70280$0100007f@localhost>'
    Sat Jan 21 02:43:17 2006 Info: MID 13276 Subject 'Hey bro, check out the huge sale these guys are offering'
    Sat Jan 21 02:43:17 2006 Info: MID 13276 ready 9637 bytes from <mduffm@309s.com>
    Sat Jan 21 02:43:17 2006 Info: MID 13276 matched all recipients for per-recipient policy EUQ Testers in the inbound table
    Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
    Sat Jan 21 02:43:17 2006 Info: EUQ: Tagging MID 13276 for quarantine
    Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
    Sat Jan 21 02:43:17 2006 Info: MID 13276 queued for delivery
    Sat Jan 21 02:43:18 2006 Info: Start delivery of MID 13276 over RPC connection 8572
    Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
    Sat Jan 21 02:43:18 2006 Info: Delivery of MID 13276 over RPC completed on connection 8572
    Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done
    Sat Jan 21 02:43:19 2006 Info: ICID 23441 close

Retrieving and Configuring Logs

Log data rolls over to a new file when the file size reaches a specified limit. (The default is 95 MB.) By default, the appliance stores up to 10 files for each log, and it deletes the oldest file when it rolls over data to a new file. You can use FTP or SCP to retrieve archived log files on demand, or you can configure the appliance to push rolled-over log files to an FTP or SCP server.

Retrieving Logs Using FTP or SCP

You can retrieve log files directly from the appliance using either an FTP or an SCP client. On the Network > IP Interfaces page, you can enable both the FTP and the SSH (for SCP) services. After you enable the service, you can connect to the IronPort appliance using the FTP or SCP client to browse and retrieve log files. Other types of files are available for download, including saved configuration files, archive mailboxes created by different filter commands, and saved reports.
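Once mail_logs files have been retrieved to a workstation, the two-step search from Table 4-8 (find the message ID for a recipient, then pull every line for that MID and its ICID) can be scripted. The Python below is an added example, not part of the Cisco guide; the function names are hypothetical, and the sample lines are constructed in the layout of Table 4-8 with made-up addresses and a made-up second message.

```python
import re
from collections import defaultdict

# Constructed sample in the mail_logs layout of Table 4-8; the addresses and
# the second message (MID 13277) are made up so the filter has lines to skip.
SAMPLE = """\
Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (192.0.2.10) address 198.51.100.7 reverse dns host unknown verified no
Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.2
Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <mduffm@309s.com>
Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
Sat Jan 21 02:43:06 2006 Info: Start MID 13277 ICID 23442
Sat Jan 21 02:43:06 2006 Info: MID 13277 ICID 23442 RID 0 To: <alice@company.com>
Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done
Sat Jan 21 02:43:19 2006 Info: ICID 23441 close
""".splitlines()

MID = re.compile(r"\bMID (\d+)\b")
ICID = re.compile(r"\bICID (\d+)\b")

def ids(line):
    """Return (mid, icid) found on a log line; either may be None."""
    m, i = MID.search(line), ICID.search(line)
    return (m.group(1) if m else None, i.group(1) if i else None)

def trace_recipient(lines, recipient):
    """Return {mid: summary} for every message addressed to `recipient`."""
    rcpt = re.compile(r"\bTo: <%s>" % re.escape(recipient), re.I)
    # Pass 1 (the first grep): which MIDs name the recipient?
    mids = {ids(l)[0] for l in lines if rcpt.search(l)} - {None}
    # Pass 2: map each of those MIDs to the ICID(s) it arrived on.
    icids = defaultdict(set)
    for l in lines:
        m, i = ids(l)
        if m in mids and i:
            icids[m].add(i)
    # Pass 3 (the second grep): lines for that MID, plus connection-only lines.
    out = {}
    for mid in sorted(mids):
        hits = [l for l in lines if ids(l)[0] == mid
                or (ids(l)[0] is None and ids(l)[1] in icids[mid])]
        text = "\n".join(hits)
        out[mid] = {"icids": sorted(icids[mid]), "lines": hits,
                    "spam": "spam positive" in text, "virus": "antivirus positive" in text,
                    "quarantined": "Quarantined MID %s" % mid in text,
                    "finished": "Message finished MID %s" % mid in text}
    return out
```

Unlike a plain grep for "MID 13276", the patterns match whole IDs, so a line for MID 132760 is not pulled in, and lines for other messages that shared the same connection are left out.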

Configuring Log Subscriptions

By default, the appliance is configured to roll over the log files when they reach a specified size, and it stores up to 10 old log files. You can configure the log settings to reduce or increase the number and size of the log files. You can also configure the appliance to push logs to a remote server for further archiving and processing. Log subscriptions can be managed through the logconfig CLI command and through the GUI on the System Administration > Log Subscriptions page.

See Also

For more information, see “Logging” in the Cisco IronPort AsyncOS for Email Daily Management Guide.

Task 14: Configure Email Alerts

You can configure the IronPort appliance to send email-based alerts when errors and other types of events occur. You can configure these alerts based on the information you want to receive and the users who need to receive the information.

Goal

In this task, you view email alerts and add a recipient for the email alerts.

Concepts

The IronPort appliance can send informational and error alerts. Different levels of alerts can be delivered to different recipients.

Configuring Email Alerts

You configure alerts through the GUI on the System Administration > Alerts page.

Figure 4-1 Alerts Page

Figure 4-1 shows the default configuration for email alerts. You can configure the system to deliver a different set of alerts to another email address. To do this, click Add Recipient.

Figure 4-2 Add Alert Recipient Page

On this page, you choose the recipient to receive alerts and the level and type of alert messages to send to that recipient. After you select the alerts, click the Submit button and commit your changes.

See Also

For more information about alerts, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.

Task 15: Upgrade the IronPort Appliance

You can use either the CLI or the GUI to perform system upgrades. In the GUI, select System Administration > System Upgrades. In the CLI, use the upgrade command. The system checks for available upgrades and provides a choice of upgrade versions.

For some sites, it is easier to perform upgrades from the CLI. This allows you to watch the upgrade events more closely than when you perform the upgrade from the GUI.

Note that upgrades require download of a significant amount of data. Depending on the speed of your Internet connection, the download can take from several minutes to over an hour. While the IronPort appliance performs the upgrade, it continues to process mail. The upgrade requires a reboot, which you can perform at a convenient time.

See Also

For more information about upgrading the IronPort appliance, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide. For information about upgrading IronPort appliances that belong to a centralized management cluster, see “System Administration” in the Cisco IronPort AsyncOS for Email Configuration Guide.