MailMarshal SMTP User Guide

Comments

Transcription

MailMarshal SMTP User Guide
User Guide
MailMarshal SMTP
Version 6.0
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE
SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS
EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL
LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT
ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS
STATEMENT MAY NOT APPLY TO YOU.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission
of Marshal Limited, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure
agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal Limited.
Some companies, names, and data in this document are used for illustration purposes and may not represent real companies,
individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein.
These changes may be incorporated in new editions of this document. Marshal Limited may make improvements in or changes to the
software described in this document at any time.
© 1995-2006 Marshal Limited, all rights reserved.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or
by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of
Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and
documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will
be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software
Technologies Ltd.
Firewall Suite, MailMarshal, Security Reporting Center, and WebMarshal are trademarks or registered trademarks of Marshal Limited.
All other company and product names mentioned are used only for identification purposes and may be trademarks or registered
trademarks of their respective companies.
Contents
Contents
iii
Chapter 1
Introduction
1
What Is MailMarshal? .......................................................................................................... 2
What Does MailMarshal Provide? ...................................................................................... 2
How MailMarshal Helps You ............................................................................................. 4
How Customers Use MailMarshal ...................................................................................... 4
Legal Firm Gains Immunity From Network Issues .............................................. 5
Electronic Fulfillment House Optimizes Email Usage ......................................... 6
MailMarshal Customers Save Time and Money ................................................... 6
How MailMarshal Works .................................................................................................... 7
Servers .................................................................................................................... 8
Configuration ......................................................................................................... 9
Monitoring and Reporting ..................................................................................... 9
MailMarshal SMTP and MailMarshal for Exchange ......................................................... 10
iii
Chapter 2
Planning Your MailMarshal Implementation
11
Deployment Checklist ...................................................................................................... 12
Understanding Deployment Scenarios ............................................................................ 12
MailMarshal as an Internal Email Relay .............................................................. 13
MailMarshal as the Only Email Server ................................................................ 14
MailMarshal and Other Software on the Same Server ....................................... 15
MailMarshal in a Distributed Array of Servers .................................................... 16
Hardware and Software Requirements ............................................................................ 17
Hardware Required for MailMarshal Server ........................................................ 17
Software Required for MailMarshal Server ......................................................... 18
Software Required for Other Components ......................................................... 19
Network Access Required for MailMarshal ......................................................... 20
Understanding Email Routing .......................................................................................... 21
Background Information ..................................................................................... 21
How MailMarshal Routes Email .......................................................................... 22
Setting up Outbound Routing ............................................................................. 22
Setting up Inbound Routing ................................................................................ 23
When Installing MailMarshal on the Existing Email Server ............................... 24
Locating MailMarshal Folders ........................................................................................... 24
Gathering Information Before Installation ...................................................................... 26
Chapter 3
Installing MailMarshal
29
Installation Checklist ........................................................................................................ 30
Installing Pre-Requisites ................................................................................................... 31
Installing MailMarshal on a Single Server ........................................................................ 31
Installing MailMarshal on an Array of Servers ................................................................ 33
Installing the Array Manager Server .................................................................... 34
Installing an Email Processing Server ................................................................. 36
iv
User Guide
Post-Installation Configuration Steps ............................................................................... 38
Completing the Configuration Wizard ................................................................ 38
Excluding Working Folders From Virus Scanning ............................................. 42
Configuring Email Routing .................................................................................. 44
Creating Directory Connectors ............................................................................ 45
Installing MailMarshal Reports ......................................................................................... 47
Installing MailMarshal Web Components ....................................................................... 47
Installing MailMarshal Client Tools ................................................................................. 51
Upgrading MailMarshal .................................................................................................... 52
Uninstalling MailMarshal .................................................................................................. 55
Chapter 4
Understanding MailMarshal Interfaces
57
Understanding the Configurator ...................................................................................... 58
Working With the Getting Started and Common Tasks Pages ......................... 59
Working With Menu and Detail Items ................................................................ 60
Working With Properties Configuration ............................................................. 60
Committing Configuration ................................................................................... 61
Understanding the Console ............................................................................................. 61
Understanding the Web Console .................................................................................... 62
Understanding the Reports Console ................................................................................ 63
Understanding the Spam Quarantine Management Web Site ........................................ 64
Understanding Other Tools ............................................................................................. 65
Chapter 5
Implementing Your Email Content Security Policy
67
Configuring Email Content Security ................................................................................ 68
Stopping Spam ................................................................................................................. 68
Anti-Spam Configuration and Rules .................................................................... 69
Configuring SpamCensor Updates ...................................................................... 69
v
Stopping Viruses ............................................................................................................... 72
Anti-Virus Policy and Rules ................................................................................. 72
Installing and Configuring Virus Scanners .......................................................... 73
Preventing Relaying .......................................................................................................... 75
Controlling Who Can Send Email Through Your Server ................................................ 76
DNS Blacklists ...................................................................................................... 77
PTR Lookups ........................................................................................................ 78
Blocked Hosts ...................................................................................................... 79
Authentication by Account .................................................................................. 80
Filtering Messages and Attachments ................................................................................ 80
Chapter 6
Understanding Email Policy, Policy Groups, and Rules
83
Understanding Policy Groups .......................................................................................... 83
Understanding Rules ........................................................................................................ 85
Receiver Rules ...................................................................................................... 85
Standard Rules ...................................................................................................... 85
Creating Rules ...................................................................................................... 85
Understanding User Matching .......................................................................................... 88
Understanding Rule Conditions ....................................................................................... 89
Rule Conditions for Standard Rules .................................................................... 90
Rule Conditions for Receiver Rules ................................................................... 103
Understanding Rule Actions ........................................................................................... 105
Rule Actions for Standard Rules ........................................................................ 106
Rule Actions for Receiver Rules ........................................................................ 113
Understanding Order of Evaluation ............................................................................... 114
Adjusting the Order of Evaluation of Policy Groups ....................................... 115
Adjusting the Order of Evaluation of Rules ...................................................... 115
Viewing Email Policy ...................................................................................................... 116
vi
User Guide
Chapter 7
Understanding Email Policy Elements
117
Configuring Connectors ..................................................................................................119
Configuring User Groups ................................................................................................120
Creating and Populating User Groups ...............................................................120
Moving and Copying Users and Groups ...........................................................123
Identifying Email Text Content Using TextCensor Scripts ............................................123
Creating and Editing Scripts ...............................................................................124
Editing TextCensor Scripts .................................................................................127
Duplicating TextCensor Scripts ..........................................................................127
Script and Item Weighting .................................................................................127
Item Syntax .........................................................................................................129
Importing Scripts ................................................................................................130
Exporting Scripts .................................................................................................131
TextCensor Best Practices ..................................................................................131
Testing TextCensor Scripts .................................................................................133
Notifying Users with Message Templates and Message Stamps ...................................133
Message Templates .............................................................................................134
Creating a Message Template ............................................................................136
Digest Templates ................................................................................................138
Editing Templates ...............................................................................................140
Duplicating Templates ........................................................................................140
Deleting Templates .............................................................................................141
Message Stamps ..................................................................................................141
Using Variables ...................................................................................................143
Date Formatting ..................................................................................................148
Configuring Virus Scanners ............................................................................................149
Best Practices ......................................................................................................151
Configuring a Virus Scanner ..............................................................................152
Viewing Virus Scanner Properties .....................................................................152
Using Email Folders and Message Classifications ..........................................................152
Message Classifications .......................................................................................153
Folders .................................................................................................................155
vii
Header Matching and Rewriting .................................................................................... 158
Changing and Adding Headers with the Receiver ........................................... 158
Using Rules to Find Headers ............................................................................. 159
Using Rules to Change Headers ........................................................................ 160
Using the Header Rewrite Wizard ..................................................................... 160
Extending Functionality Using External Commands .................................................... 166
Chapter 8
Monitoring Email Flow
171
Using the MailMarshal Console ..................................................................................... 173
Connecting to MailMarshal Using the Console ................................................ 173
Connecting to MailMarshal Using the Web Console ........................................ 174
Viewing Server Statistics .................................................................................... 174
Deleting and Retrying Queued Messages ......................................................... 176
Using Mail Batching ........................................................................................... 176
Viewing Folders and Folder Contents .............................................................. 176
Working With Email Messages .......................................................................... 177
Viewing Email History ....................................................................................... 183
Searching Folders and Email History ................................................................ 184
Viewing Alert History ........................................................................................ 185
Setting Console Security .................................................................................... 185
Using Windows Tools .................................................................................................... 189
Event Log ............................................................................................................ 189
Performance Monitor ......................................................................................... 190
Using MailMarshal Text Logs ......................................................................................... 190
Chapter 9
Managing MailMarshal Configuration
191
Managing Your MailMarshal License ............................................................................. 191
Reviewing the Installed License ........................................................................ 192
Requesting a New License Key ......................................................................... 193
Entering a License Key ...................................................................................... 194
viii
User Guide
Backing Up and Restoring the Configuration ................................................................194
Backing Up the Configuration ...........................................................................195
Restoring the Configuration ...............................................................................196
Configuring Local Domains ............................................................................................197
Changing Local Domains Information ...............................................................197
Changing Local Domains on a Specific Server .................................................200
Setting Up Accounts ........................................................................................................201
Creating Accounts ...............................................................................................201
Editing Existing Accounts ...................................................................................202
Deleting Accounts ...............................................................................................203
Configuring Delivery Options ........................................................................................203
Configuring Default Delivery Options ...............................................................203
Configuring Delivery Options For A Specific Server ........................................205
Configuring Email Batching and Dial-Up ......................................................................206
Configuring Manager Security ........................................................................................207
Managing Array Nodes ....................................................................................................208
Managing Node Services ....................................................................................208
Adding and Deleting Nodes ...............................................................................209
Joining A Node To An Array ..............................................................................210
Customizing Settings for Nodes .........................................................................211
Setting Advanced Options ..............................................................................................212
Server Properties - Advanced .............................................................................212
Node Properties - Advanced ..............................................................................213
Array Communications .......................................................................................214
Folder Locations .................................................................................................216
Quarantine Synchronization Tool ......................................................................217
Quarantine Upgrade Tool ..................................................................................218
Group File Import Tool ......................................................................................220
Configuration Export Tool .................................................................................221
ix
Chapter 10
Reporting on MailMarshal Activity
223
Data Retention and Grouping ........................................................................................ 223
Data Retention .................................................................................................... 224
Reporting Groups ............................................................................................... 224
Connecting to the Database ........................................................................................... 225
Generating Reports ......................................................................................................... 226
Available Reports ............................................................................................... 226
Entering Parameters ........................................................................................... 228
Available Parameters .......................................................................................... 229
Navigating the Report Window ..................................................................................... 232
Exporting Reports ........................................................................................................... 233
Chapter 11
Delegating Spam and Quarantine Management
237
Setting Up Console Access ............................................................................................. 238
Setting Up Spam Quarantine Management Features .................................................... 239
Spam Quarantine Management Windows ........................................................ 239
Setting Up Folders and Templates .................................................................... 241
Setting Up Rules ................................................................................................. 242
Setting Up Spam Quarantine Management for Other Folders ......................... 242
Using the Message Release External Command ........................................................... 243
Appendix A
Wildcards and Regular Expressions
247
Wildcard Characters ........................................................................................................ 247
Regular Expressions ....................................................................................................... 249
Shortcuts ............................................................................................................. 249
Reserved Characters ........................................................................................... 250
Examples ............................................................................................................ 252
Map Files ............................................................................................................ 253
x
User Guide
Glossary
255
Index
261
xi
xii
User Guide
About This Book and the Library
The User Guide provides conceptual information about the MailMarshal SMTP product
(MailMarshal SMTP). This book defines terminology and various related concepts.
Intended Audience
This book provides information for individuals responsible for understanding
MailMarshal SMTP concepts and for individuals managing MailMarshal SMTP
installations.
Other Information in the Library
The library provides the following information resources:
Evaluation Guide
Provides general information about the product and guides you through
the trial and evaluation process.
User Guide
Provides conceptual information and detailed planning and installation
information about MailMarshal SMTP. This book also provides an
overview of the MailMarshal SMTP user interfaces and the Help.
Help
Provides context-sensitive information and step-by-step guidance for
common tasks, as well as definitions for each field on each window.
About This Book and the Library
xiii
Conventions
The library uses consistent conventions to help you identify items throughout
the documentation. The following table summarizes these conventions.
Convention
Bold
Use
• Window and menu items
• Technical terms, when introduced
Italics
• Book and CD-ROM titles
• Variable names and values
• Emphasized words
Fixed Font
• File and folder names
• Commands and code examples
• Text you must type
• Text (output) displayed in the command-line interface
xiv
Brackets, such as [value]
• Optional parameters of a command
Braces, such as {value}
• Required parameters of a command
Logical OR, such as
value1 | value2
• Exclusive parameters. Choose one parameter.
User Guide
About Marshal
Marshal's Content Security products (MailMarshal for SMTP, MailMarshal for Exchange ,
WebMarshal, Security Reporting Center and Firewall Suite) deliver a complete email and
Web security solution to a variety of Internet risks. They provide comprehensive
protection by acting as a gateway between an organization and the Internet. It allows
organizations to restrict, block, copy, archive, and automatically manage the sending and
receiving of messages.
Marshal Products
Marshal's Content Security solution, which includes MailMarshal SMTP, MailMarshal for
Exchange and WebMarshal, delivers a complete email and Web security solution to these
risks by acting as a gateway between your organization and the Internet. The products sit
behind your firewall but in front of your network systems to control outbound
documents and their content. By providing anti-virus, anti-phishing and anti-spyware
protection at the gateway, Marshal's Content Security solution offers you a strategic,
flexible and scalable platform for policy-based filtering that protects your network, and as
a result, your reputation.
Contacting Marshal
Please contact us with your questions and comments. We look forward to
hearing from you. For support around the world, please contact your local
partner. For a complete list of our partners, please see our Web site. If you
cannot contact your partner, please contact our Technical Support team.
Telephone:
+44 (0) 870 040 4441 (EMEA)
+1 713-681-0055 (Americas)
+ 64 9 580 0531 (Asia-Pacific)
Sales Email:
[email protected]
Support:
www.marshal.com/support
Web Site:
www.marshal.com
About Marshal
xv
xvi
User Guide
Chapter 1
Introduction
Email is an essential communication tool used by nearly every business and
organization. Email is widely used because it provides an open, effective, rapid,
and inexpensive way of sending text, images, and other data nearly anywhere.
However, the same features that make email such a useful tool also present
issues and hidden costs. Spam, email viruses, malicious code, legal liability
issues, and declining employee productivity are all risks associated with the use
of email by organizations.
Spam commonly accounts for more than half of the email that an organization
receives. Email viruses, Trojans and other malicious files spread around the
world and can cause millions of dollars in damage in just a matter of hours.
Every day brings new reports of organizations forced into legal action due to
staff misuse of email. Email remains the lifeblood of modern business
communication, but the disadvantages of email use are growing rapidly.
MailMarshal is an email security solution specifically designed to deal with these
issues. Many organizations today have created policies and guidelines for the
appropriate use of email, and employee education programs to deal with the
torrent of spam and viruses. MailMarshal allows an organization to actually
apply those policies and security rules to email at their corporate gateway,
defending the company against the risks and disadvantages of email use.
MailMarshal enables organizations to once again use email safely, securely and
productively.
Chapter 1 • Introduction
1
What Is MailMarshal?
NetIQ MailMarshal SMTP is a fast, easy-to-use email filtering solution that
ensures a safe and productive working environment by enforcing organizational
Acceptable Use Policy (AUP) and protecting against Spam and viruses. The
product boasts a 95% Spam detection rate with less than 0.01% false positives,
all while performing up to 4 times faster than the competition. Suspect email
messages are deleted, quarantined or simply monitored based on the needs of
the organization. Administrators can generate meaningful reports depicting
email usage and security concerns while the company receives a significant
return on investment (ROI) as workplace productivity increases, corporate
assets are protected and the potential for corporate liability is diminished.
Supporting enterprises with tens of thousands of users, MailMarshal SMTP is by
far the most powerful, feature-rich Anti-Spam solution available today.
What Does MailMarshal Provide?
MailMarshal includes many powerful features to scan and filter email messages.
MailMarshal also gives the email administrator granular control of policies, and
the ability to delegate monitoring and control to other users.
MailMarshal scans the content of email messages and attachments as they enter
or leave an organization. MailMarshal can:
• Block Spam using the NetIQ SpamCensor technology. This technology
typically delivers a 95% Spam detection rate with less than 0.01% false
positives.
• Scan email for viruses using third-party virus scanners.
• Scan message text, headers, and attached documents for the presence of
particular phrases.
• Recognize the type and size of attached items.
• Perform many other checks of message content.
2
User Guide
MailMarshal can take a wide variety of actions on messages that violate an
Acceptable Use Policy. MailMarshal can:
• Refuse receipt of a message from a remote server.
• Quarantine a message for later review by administrators or users.
• Delete a message.
• Redirect a message.
• Log receipt of a message for future reference.
In addition to a superior Spam detection rate and a full set of filtering abilities,
MailMarshal provides high performance.
• MailMarshal yields single server processing throughput up to 4 times greater
than competing products provide.
• You can install MailMarshal on multiple servers with centralized
administration to support the enterprise.
• You can control MailMarshal installations at geographically separate
locations from a single administrative server.
MailMarshal also provides effective, easy-to-use interfaces.
• The email administrator can monitor and control filtering activity using
Windows and Web consoles.
• Email users can verify and customize Spam blocking for their own email
addresses using the Spam Quarantine Management Web site.
• The administrator and managers can generate a selection of reports
detailing email usage and filtering activity.
Chapter 1 • Introduction
3
How MailMarshal Helps You
Unmonitored email presents both financial and legal dangers to a company. For
instance, Spam represents a dramatic financial threat in terms of the cost of
storage, bandwidth, and wasted employee time. Virus infection and malicious
code can be costly in employee time and in lost data. Inappropriate and
offensive email content is both a time waster and a potential legal liability.
With MailMarshal, a company receives a significant return on investment (ROI)
as network security is tightened, corporate assets are protected, the potential for
corporate liability is diminished, and workplace productivity increases.
How Customers Use MailMarshal
You can configure MailMarshal to support your Acceptable Use Policy for email
usage. Enforcing the Acceptable Use Policy often results in savings of network
resources and time. You can also use MailMarshal to provide a variety of
gateway based email services that enhance functionality and convenience.
The following stories show how some of our customers put MailMarshal to
work.
4
User Guide
Legal Firm Gains Immunity From Network Issues
Law firms rely on their Internet and email-based communications to stay in
contact with clients and staff, both locally and in distant locations. With the
increasing number of Internet-based threats making the rounds, it is essential
that these risks are kept to an absolute minimum. The IT manager of a law firm
that installed MailMarshal five years ago has this to say about the experience:
• Ever since we installed MailMarshal, we've been totally immune to
shutdowns due to email-based viruses, worms, Trojan horses and other
malignant payloads. We hear about them from colleagues and read about
them in newspapers, but we don't see them at work.
• Nobody, of course, would knowingly introduce a dangerous file into the
system, but the danger is in an inadvertent download or access. We have
very strict controls as to what attachments are allowed through to prevent
accidental infection. For instance, we quarantine all executable files as well
as others that might be dangerous. Questionable emails or attachments that
come in are quarantined for manual over-ride during work hours or saved
until the morning if they come in at night. This way we can monitor email
usage without being too invasive.
• At the end of the day, the main benefit is that we’ve avoided any problems,
shutdowns or slowdowns with our email and Internet and that, more than
anything, is invaluable.
Result: Reduced network congestion, reduced IT running costs, long term
system stability and added security.
Chapter 1 • Introduction
5
Electronic Fulfillment House Optimizes Email Usage
With over 2 million members ordering their books online, a leading book club
needed to optimize their email system to provide comprehensive support for
marketing, order taking, fulfillment and transaction management. The senior
systems analyst for the company comments:
• Email has gone from a 'best endeavors' service to a mission critical resource.
We needed a flexible and mature system that could handle any situation as
well as be scalable and easy to install and maintain.
• We did a full evaluation of the major available email management
packages, and MailMarshal was the product that best addressed our needs.
• The installation process was extremely painless. We simply swapped our old
anti-virus gateway for MailMarshal and haven't looked back since. In fact,
we have seen an increase in our email usage because our network capacity
has been optimized.
Result: Increased staff productivity via unobtrusive monitoring and reduction of
excessive email usage. MailMarshal effectively separates corporate and
customer email traffic.
MailMarshal Customers Save Time and Money
MailMarshal delivers benefits every day to large and small organizations. What
follows is just a small sample of stories from the files:
• A 300-user city council was infected twice by the Navidad virus. This event
resulted in 300 desktop computers being down for one and a half hours. All
software had to be reinstalled and any unsaved documents were lost. The
infection cost the council over $24,000 in lost staff productivity alone.
The council then installed MailMarshal on a 30-day trial. MailMarshal
prevented a further 150 Navidad virus infections over the following week.
• A large commercial airline implemented MailMarshal and reduced their
bandwidth usage by 50% immediately, simply by stopping video files.
6
User Guide
• A finance company reduced their bandwidth usage by 87% when they
implemented an email policy with MailMarshal that denied all files other
than Microsoft Office documents.
• A respected IT company was invited to evaluate MailMarshal's anti-spam
effectiveness for one month against a competitor of their choice. They ran
the test in a live head-to-head trial with a major MailMarshal competitor.
The products evaluated duplicate inbound email streams. At the end of the
test the IT company reported back:
- MailMarshal detected over 92% of the spam the company received with
only one false positive over the entire month.
- The competitor managed to detect just 81% of the spam but also created
189 false positives (more than 6 per day).
The company has since purchased MailMarshal.
• A large multi-national finance company performed an extended threemonth trial of MailMarshal. After monitoring email activity for the first two
months and then implementing an email Acceptable Use Policy with
MailMarshal in the final month, the customer reported that they reduced
non-business email by 98%.
How MailMarshal Works
MailMarshal is a server-based Simple Mail Transfer Protocol (SMTP) email
content scanner that can be easily installed into a new or existing network with
other gateway applications. It complements, and is compatible with, traditional
Internet firewalls, SMTP mail servers, anti-virus scanners, and other security
applications.
A MailMarshal installation consists of several pieces of software, including a
manager server, one or more email processing servers, a SQL database, and
optional management Web sites. In a small organization these items can all be
installed on a single server. In a large organization they can be installed as an
array distributed on multiple servers.
Chapter 1 • Introduction
7
MailMarshal user interfaces include a configuration console, administration
console, reports console, Spam quarantine management Web site for email
users, and Web administration console.
Servers
The MailMarshal email processing server functions as the email gateway of an
organization. All email entering or exiting the organization passes through it.
MailMarshal can be configured with more than one email processing server.
MailMarshal can use multiple servers to provide multiple gateways, or to add
bandwidth and redundancy to a single gateway.
Each MailMarshal email processing server includes four major system services:
the Receiver, the Engine, the Sender, and the Controller. All email enters the
MailMarshal server via the Receiver, and is processed in the Engine. The Engine
unpacks each email message (expanding any archive or compressed files) and
splits the message into its individual components. It then tests the whole
message and each component using the email policy.
As part of the policy, MailMarshal filters Spam using the NetIQ SpamCensor
technology. MailMarshal detects viruses by invoking other vendors’ virus
checking software. Many commercially available scanners are supported by
MailMarshal.
The results of rule processing determine whether each email message is
accepted, modified or quarantined. Accepted email is passed to the MailMarshal
Sender, which then forwards it to the appropriate recipients.
The MailMarshal Array Manager functions as a central repository for
configuration. It coordinates the activity of the other MailMarshal components
and serves as a connector between the email processing servers, the user
interfaces, and the database.
The MailMarshal database resides on a Microsoft SQL Server. It stores
configuration information and email logging data.
8
User Guide
Configuration
The administrator configures MailMarshal from a workstation connected to the
Manager server, using the MailMarshal Configurator. The initial configuration
settings allow MailMarshal to act as the email gateway of an organization. A
wide variety of additional configuration options allow MailMarshal to enforce
your Acceptable Usage Policy by controlling how MailMarshal processes SMTP
connections and individual email messages.
Monitoring and Reporting
MailMarshal provides several tools for monitoring and daily administration of
email. The main tool is the Console. The Console features MailMarshal Today,
which provides a summary of MailMarshal activity and server health at a glance.
Using the Console, an administrator can review the processing history for any
message, and can view and release any quarantined message.
The administrator can grant other users access to specific Console functions and
specific quarantine folders. This allows the administrator to delegate basic tasks
to help desk or departmental personnel. MailMarshal also provides a Web
version of the Console, which permits remote access to the Console
functionality.
Email users can review and manage suspected Spam and other quarantined
email using daily email digests and the Spam Quarantine Management console.
This console is a Web application typically deployed on an intranet Web server.
Administrators and managers can generate reports on MailMarshal activity using
the MailMarshal Reports application. MailMarshal Reports uses the Crystal
Reports engine to produce detailed reports.
Chapter 1 • Introduction
9
MailMarshal SMTP and MailMarshal for Exchange
MailMarshal SMTP shares many features with MailMarshal for Exchange, the
Exchange Server based Email Content Security product from NetIQ Corporation.
An organization may choose to install one or both products. Each product
delivers some unique benefits.
MailMarshal for Exchange provides the ability to scan internal email within the
Exchange Server.
MailMarshal SMTP provides several components which are not available within
MailMarshal for Exchange, including the Spam Quarantine Management
console, receiver rules and other SMTP receiver based functions. An
organization that requires both sets of functions can run both products in the
same environment. MailMarshal for Exchange and MailMarshal SMTP can be
run on the same server, subject to adequate system resources.
Within this Guide, “MailMarshal” always refers to MailMarshal SMTP unless
otherwise stated.
10
User Guide
Chapter 2
Planning Your MailMarshal
Implementation
MailMarshal consists of several components, which can be located on different
servers within an organization's network. The components are:
• One or more email processing servers
• A SQL database
• The Configurator, used to define policy
• The Console, used to manage email flow
• The Reports console
• Two Web components: the Spam Quarantine Management Web site and the
Web Console
• The Array Manager, which connects the user interfaces, email processing
servers, and database
These components can be installed in a variety of configurations to suit any size
of organization from small business to distributed enterprise.
Chapter 2 • Planning Your MailMarshal Implementation
11
Deployment Checklist
Choose your MailMarshal deployment options by completing the following
checklist:
Steps
See Section
1. Decide whether you will install
MailMarshal as an Array or
Standalone Server.
“Understanding Deployment Scenarios” on
page 12.
2. Decide the number and location
of MailMarshal email processing
servers.
“Understanding Deployment Scenarios” on
page 12.
3. Decide the location of the SQL
database.
“Understanding Deployment Scenarios” on
page 12.
4. Decide where MailMarshal folders
will be located on each email
processing server
“Locating MailMarshal Folders” on page 24.
5. Check hardware and software
prerequisites.
“Hardware and Software Requirements” on
page 17.
6. Check network access
prerequisites.
“Network Access Required for MailMarshal”
on page 20.
7. Gather information about your
email environment.
“Gathering Information Before Installation”
on page 26.
8. Plan email routing changes
“Understanding Email Routing” on page 21.
Understanding Deployment Scenarios
This section discusses some typical options for the deployment of the
MailMarshal components. Each option provides all required functions of an
email gateway. Many other configurations are possible.
12
User Guide
MailMarshal as an Internal Email Relay
You can install MailMarshal on its own physical server, as an email relay within
an organization, as shown below:
Workstation
SMTP
Port 25
Firewall
Internet
SMTP
Port 25
Workstation
MailMarshal Server
Email Server
Workstation
Email Admin
In this case the MailMarshal installation is a “standalone server” including all
management and email processing components. This option is suitable for
small to medium sized organizations with a single Internet gateway and email
server.
All workstations within the organization send email through the email server.
The email server forwards all external messages to the MailMarshal server for
processing and delivery.
The DNS MX record (or the firewall's relay setting) is set so that the MailMarshal
server receives all email inbound to the organization.
Install the MailMarshal database on an available SQL server in the local
network. In smaller organizations, it will be possible to install SQL Server or
MSDE on the MailMarshal server. Install the MailMarshal Spam Quarantine
Management Web site on an intranet Web server. Install MailMarshal Reports
and optionally management consoles on one or more workstations in the local
network.
Chapter 2 • Planning Your MailMarshal Implementation
13
MailMarshal as the Only Email Server
MailMarshal can function as a POP3/SMTP server providing all email server
functions for a small organization, as shown below:
Workstation
Internet
connection
SMTP Port 25
POP3 Port 110
Internet
Workstation
MailMarshal
Server
ISP
Workstation
Email Admin
In this example, workstations within the organization send email to the
MailMarshal server on port 25 for processing. MailMarshal delivers email for
internal addresses to MailMarshal POP3 mailboxes for collection by email
clients. Retrieve and send email to and from external addresses over a dial-up
or other link to an ISP.
In this case the MailMarshal installation is a “standalone server” including all
management and processing components. In most organizations that choose
this scenario, it will be possible to install SQL Server or MSDE on the
MailMarshal server. Install the MailMarshal Spam Quarantine Management Web
site on an intranet Web server. Install MailMarshal Reports and optionally
management consoles on one or more workstations in the local network.
14
User Guide
MailMarshal and Other Software on the Same Server
MailMarshal can run on the same physical server as the organization's email
server software, as shown below:
MailMarshal
Workstation
Port 25
Firewall
Internet
Localhost
Port 25
Localhost
Port 97
Other Email
Software
Workstation
Email Server
Computer
Workstation
Email Admin
In this case, all email sent from outside the organization arrives at the email
server computer on the default SMTP port, port 25. MailMarshal forwards
processed inbound email to the other server software using the “localhost” IP
address and port 97. The other server sends email for outside delivery to
MailMarshal using the “localhost” IP address and port 25.
Install the MailMarshal database on an available SQL server in the local
network.
MailMarshal is installed as a “standalone server” including all management and
processing components. Install the MailMarshal Spam Quarantine Management
Web site on an intranet Web server. Install MailMarshal Reports on one or more
workstations in the local network
Note
This installation option depends on the server having sufficient resources to
support both MailMarshal and another email server application.
Chapter 2 • Planning Your MailMarshal Implementation
15
MailMarshal in a Distributed Array of Servers
You can install MailMarshal as an array of servers for an enterprise. You can
install the required components in a variety of configurations. A typical
configuration is shown below:
DMZ
Local
Users
Local Email
Server
Internet
Port
25
Port
25
MailMarshal
SQM and
Console
Web sites
MailMarshal
Servers (email
processing)
Email
Admin
Port
19001
Port
19001
MailMarshal
Array Manager
and SQL Server
In this example, the MailMarshal installation includes a load balanced array of
MailMarshal email processing servers in a DMZ. A DMZ is a part of a local
network that has controlled access both to the Internet and to the internal
network of the organization. All email sent from within the organization passes
through the local email server, which delivers outbound messages to the
MailMarshal servers on port 25. MailMarshal delivers incoming email to the local
email server.
Install the MailMarshal Array Manager on a SQL server or a dedicated server
within the LAN to perform configuration and connect to the MailMarshal
database. Install the MailMarshal Spam Quarantine Management Web site and
the MailMarshal Web console on an intranet Web server. Open TCP port 19001
(or a single port of your choice) in the firewall between the DMZ and the Array
Manager, to allow MailMarshal configuration and logging traffic.
16
User Guide
A distributed enterprise with more than one email gateway can install one or
more MailMarshal email processing servers at each gateway. If the enterprise
uses the same policies at all locations, it can use a single MailMarshal Array
Manager to control configuration and perform logging for all locations. All the
email processing servers must be able to communicate with the Array Manager
on port 19001.
Install MailMarshal Reports and optionally management consoles on one or
more workstations in the local network.
Hardware and Software Requirements
A basic stand-alone installation of MailMarshal will run on almost any Pentium
III class computer running Windows 2000, Windows XP, or Windows
Server 2003.
Hardware Required for MailMarshal Server
The hardware required for a MailMarshal server naturally varies depending on
the number of email users and the amount of email traffic. The following
specifications are a suggested minimum for a single-server installation of
MailMarshal:
• 1,000 users: Pentium III 600, 10GB HD, 256MB RAM
• 10,000 users: Dual Pentium III 1000, 60GB HD, 1024MB RAM
Sites with more than 10,000 users can use a single server with a higher
specification, or multiple processing servers. Please contact NetIQ Technical
Support for a recommended configuration.
Chapter 2 • Planning Your MailMarshal Implementation
17
Software Required for MailMarshal Server
All prerequisite software (with the exception of the Windows operating system
and the full version of SQL Server) is available on the installation CD-ROM. You
can install the prerequisites during the MailMarshal installation from CD-ROM.
However, NetIQ recommends that you install the prerequisites before installing
MailMarshal, so as to isolate any installation issues to the specific package.
MailMarshal requires:
• Windows 2000, Windows XP Professional, or Windows Server 2003.
• SQL Server 2000 or MSDE 2000 to store configuration and logging data.
MSDE is a free runtime version of SQL Server. Because MSDE is limited to a
total database size of 2GB, it is suitable for MailMarshal sites with fewer
than 500 email users. MSDE is included on the MailMarshal CD-ROM and in
the trial download package.
• Service Pack 3 for SQL Server 2000 or MSDE 2000. This service pack is
included in the version of MSDE 2000 distributed with MailMarshal.
18
User Guide
• MSDE 2000 requires Microsoft Data Access Components (MDAC) 2.7 SP1, or
a later version of MDAC. The MSDE installation will install this software if
necessary. This installation requires a system restart.
• If you use named instances of SQL Server, you must install MDAC 2.8,
or a later version of MDAC, on the server where you install the MailMarshal
Array Manager. This installation requires a system restart.
Notes
•
Due to Microsoft licensing restrictions, the MailMarshal email processing
and Array Manager components cannot be installed on Windows
Server 2003, Web Edition. However, the MailMarshal Web components
can be installed on Web Edition.
•
When you install prerequisites you should be prepared to restart the
system.
•
MailMarshal working and quarantine folders must reside on a NTFS
partition.
•
Due to the limitation on database size in MSDE, SQL Server is
recommended for sites with more than 500 email users.
•
MSDE is limited to 5 client connections. This limits the number of
instances of MailMarshal Reports you can use concurrently.
Software Required for Other Components
MailMarshal Configurator, Console, and Reports can run under Windows 2000,
Windows XP Professional, or Windows Server 2003. If you use named
instances of SQL Server, MailMarshal Reports require Microsoft Data Access
Components (MDAC) 2.8, or a later version of MDAC.
Chapter 2 • Planning Your MailMarshal Implementation
19
The MailMarshal Web components (Spam Quarantine Management and the
MailMarshal Web Console) can run under Windows 2000, Windows XP
Professional, or Windows Server 2003, including the Web edition. They require:
• Windows 2000 Service Pack 3 or higher.
• Internet Information Services (IIS) 5.0 or higher.
• ASP.NET 1.1. ASP.NET is part of the .NET Framework 1.1, available on the
MailMarshal CD-ROM.
Notes
•
NetIQ recommends a secure Web site (HTTPS) for these components to
protect user data and authentication information.
•
If you install ASP.NET on a Windows Domain Controller, or on
Windows 2000 Service Pack 4, review the Microsoft Knowledge Base for
issue and fix information specific to those environments such as
Microsoft Knowledge Base Articles 824308 and 821546.
The Web components support browsing from Internet Explorer 5.5 and above.
Network Access Required for MailMarshal
Typically MailMarshal uses the following network protocols and ports:
• SMTP email (port 25) from MailMarshal email processing servers to the
Internet and to the internal email servers and/or clients.
• DNS (port 53, both TCP and UDP) from MailMarshal email processing
servers for resolution of external email server names.
• TCP port 19001 for communication between the email processing servers,
Array Manager, and Console. This connection can be changed to another
port of your choice.
• HTTP and HTTPS from the Array Manager to the Internet for access to
SpamCensor updates (ports 80 and 443). You can use a proxy server for
Web access if your environment requires it.
20
User Guide
• SQL server connection (port 1433 by default) between the Array Manager
and the SQL database, and between the database and any Reports Console.
• Various NetBios ports for communication between the Array Manager and
the Configurator. For security reasons this connection should be within a
trusted LAN (not through a firewall).
• A remote desktop connection, such as Microsoft Terminal Services, for
access through a firewall to the email processing servers. You can also use a
remote desktop connection to connect securely through a firewall to the
Configurator.
• POP3 (port 110) if MailMarshal is functioning as a POP3 server.
Understanding Email Routing
MailMarshal must be able to monitor all email traffic at the email gateway of an
organization. Typically this requires some changes to email routing.
Background Information
Internet email travels from server to server using SMTP (Simple Mail Transfer
Protocol). MailMarshal functions as a SMTP relay. Logically, MailMarshal is
situated at the boundary of the local network so that email entering or leaving
the organization travels through it. Physically, a MailMarshal server can be
installed in several scenarios. It can run on a dedicated computer, or in some
cases share a computer with other software. For some typical configurations see
earlier sections of this chapter.
Before installing MailMarshal it is necessary to determine which functions
MailMarshal will serve and how it will handle incoming and outgoing email.
In general, SMTP email servers can route email in four ways:
• By delivering a message to a “local user” (a user on the same server).
• By sending email for a specific domain (for example wellknown.com) to a
fixed address entered by the administrator.
Chapter 2 • Planning Your MailMarshal Implementation
21
• By sending all outbound email to a specific server (email relay).
• By performing a Domain Name Service (DNS) lookup to determine the
appropriate email server for a domain, and attempting to contact that host
directly.
How MailMarshal Routes Email
MailMarshal can use any of the four methods described in the preceding
section.
• If MailMarshal has been configured as a POP3 server, the POP3 mailboxes
are “local” to it.
• MailMarshal uses the term “Local Domains” to name the specific domains
for which MailMarshal functions as the Internet email gateway. The local
domains should include all of the domains hosted by other email servers
within the organization that use MailMarshal as a gateway (such as
Exchange or Groupwise servers). Messages for these domains will be
delivered to fixed addresses.
• Where the recipient of a message is not in a local domain, MailMarshal can
be configured to deliver the message either by using DNS or by relaying to
a specific host for delivery.
Setting up Outbound Routing
When you plan outbound routing, take note of how your existing email server
sends email to the Internet. In general you should configure MailMarshal to use
the same process. For instance, your server may deliver email to a firewall or
ISP (email relay), or directly using DNS.
Reconfigure your existing email server to forward all outbound Internet email to
MailMarshal.
22
User Guide
Setting up Inbound Routing
When you plan inbound routing, determine how inbound email is currently
delivered to your server. If the MailMarshal server retains the IP address and
server name of the previous email server, then you will not have to change
inbound settings. This will generally be true if you install MailMarshal on the
same physical server as the other email server software.
If the MailMarshal server will have a different IP address and server name to
your previous email server, in most cases you must change the route to ensure
that inbound email messages are sent to the MailMarshal server.
Before sending email messages to your organization, an email server on the
Internet performs a DNS lookup to see which server (IP address) accepts email
for your domain. The address returned may be that of your email server,
firewall, proxy server or a downstream email relay (for example an ISP).
If email messages are sent directly to your organization's email server (the DNS
MX lookup returned the email server's IP address), then you must change the
DNS MX record to return the IP address of the new MailMarshal server. You
may also need to modify firewall permissions, to permit SMTP delivery to
MailMarshal.
If the DNS lookup returns the address of the firewall, and the firewall employs
address translation, you must change the translated address for incoming email
to the address of the MailMarshal server. If the firewall acts as an email relay,
you must change the address to which it forwards inbound email to that of the
MailMarshal server.
If the DNS lookup returns the address of an upstream email relay, you must
change the forwarding address setting used by that email relay so that it directs
email to MailMarshal.
Chapter 2 • Planning Your MailMarshal Implementation
23
When Installing MailMarshal on the Existing Email Server
When MailMarshal is installed on the same physical server as the existing email
server software, normally you will not need to change the inbound routing.
However, because MailMarshal will take over the role of listening for SMTP
traffic on port 25, you must configure the existing email server to listen for
SMTP traffic on another port. Port 97 is usually available and is commonly used
for this purpose, but any free TCP port can be used.
Configure MailMarshal, via its Local Domains information, to forward all
inbound email messages to the local computer on the new port. Use the
localhost IP address 127.0.0.1.
Configure the existing email server to forward all outbound email messages to
the local computer (127.0.0.1) on port 25.
Locating MailMarshal Folders
A MailMarshal email processing server uses folders for several purposes. By
default, the installation process creates these folders within the MailMarshal
program installation folder. In many cases this location is satisfactory.
In some cases you can enhance performance by choosing to create these
folders in another location. You can choose to install them on any local disk
drive. You can choose different locations on each email processing server.
The folders are defined as follows:
24
User Guide
Logging
MailMarshal uses this folder to hold text logs that provide details of each
action taken by each MailMarshal service. By default MailMarshal keeps
these logs for five days. These files can be large when email volume is
high.
Note
Compressing this folder with Windows file system compression reduces
the disk space required and does not materially affect performance in
most cases. Do not use compression for any other MailMarshal folders.
Queues
MailMarshal uses this folder to hold messages that are awaiting
processing or sending. In most cases these folders will not grow large.
However in the event that MailMarshal cannot connect to upstream or
downstream servers, the data in these folders can grow quickly.
Unpacking
MailMarshal uses this folder to unpack messages and extract their
content, including attachments such as archive files. The size of this
folder is relatively small. Because MailMarshal will create and delete files
repeatedly, this area of the disk can become fragmented, which can
have an adverse affect on other applications running on the server. You
can improve performance by placing this folder on a separate physical
disk drive to other MailMarshal components.
Chapter 2 • Planning Your MailMarshal Implementation
25
Quarantine
MailMarshal uses this folder as the default location for all quarantine
folders. MailMarshal will store all quarantined messages in subfolders of
this folder. This includes any archived messages and messages in the
Mail Recycle Bin. Ensure that the disk drive where this folder resides has
enough free space to accommodate the messages. The space required
will vary depending on retention policies for quarantined messages.
You can move individual folders to physically separate places on the
server. For more information see “Folders” on page 155.
Note
MailMarshal will not accept new messages if there is less than 100MB of
free disk space available for the Queues, Unpacking, or Quarantine
folders, or 10MB for the Logging folder.
Gathering Information Before Installation
Before beginning installation of MailMarshal, you should gather information
about the environment. This information will be needed to configure
MailMarshal, and to configure other settings so that email messages pass
through MailMarshal. For detailed information about how to configure
MailMarshal, see Chapter 3, “Installing MailMarshal” and Chapter 9, “Managing
MailMarshal Configuration.”
Information you should gather includes:
• The organization's Internet domain name(s) (for example
ourcompany.com).
• Names of any other local domains or subdomains for which MailMarshal
will process email (for example oursubsidiaries.com,
pop.ourcompany.com).
• Contact information for the DNS server administrators of domains for which
MailMarshal will process email. If the MailMarshal installation will require
changes to DNS settings, determine the time required to make and
propagate these changes.
26
User Guide
• Contact information for the administrator of the firewall, if there is one. If
the MailMarshal installation will require changes to firewall settings,
determine the time required to make these changes.
• The IP address of the existing local email server.
• The administrator's email address.
• The virus scanning software (with an appropriate license) to be used with
MailMarshal.
• The outbound email delivery method now in use. Determine what changes,
if any, will be required.
• The inbound email delivery method now in use. Determine what changes,
if any, will be required.
• The IP addresses of DNS servers MailMarshal should use to look up Internet
information.
• If prerequisite software must be installed and systems must be restarted,
determine the best time to restart these systems.
Chapter 2 • Planning Your MailMarshal Implementation
27
28
User Guide
Chapter 3
Installing MailMarshal
The MailMarshal installation process includes several steps. Before proceeding
with installation you should decide which components of MailMarshal you will
install, where in the network you will install each component, and how email
will be forwarded. You should gather all needed information and software. For
more information about typical installation scenarios and requirements, see
Chapter 2, “Planning Your MailMarshal Implementation.”
Chapter 3 • Installing MailMarshal
29
Installation Checklist
Install MailMarshal SMTP by completing the following checklist:
Steps
30
User Guide
See Section
1. Install prerequisite software.
“Installing Pre-Requisites” on page 31
2. If you plan to use a SQL Server
elsewhere in your network for the
MailMarshal database, ensure
that the SQL Server is correctly
installed and configured.
“Installing Pre-Requisites” on page 31
3. If you are installing MailMarshal
on a single server, install all
components.
“Installing MailMarshal on a Single Server”
on page 31
4. If you are installing MailMarshal
on an array of servers, install
required components on each
server.
“Installing MailMarshal on an Array of
Servers” on page 33
5. Complete post-installation steps.
“Post-Installation Configuration Steps” on
page 38
6. Customize MailMarshal
configuration.
Chapter 5, “Implementing Your Email
Content Security Policy”
7. Install MailMarshal Reports.
“Installing MailMarshal Reports” on page 47
8. Install MailMarshal Web
components.
“Installing MailMarshal Web Components”
on page 47
9. Optionally install the Console and
Configurator on additional
workstations.
“Installing MailMarshal Client Tools” on
page 51
Installing Pre-Requisites
If you have chosen to use MSDE 2000 to host your MailMarshal database on the
same server as the MailMarshal Array Manager, and you have the appropriate
version of the installation package, you can install MSDE 2000 as part of the
main MailMarshal installation. This installation can require the server to be
restarted if it must upgrade MDAC.
You should complete and test installation of other prerequisites before installing
MailMarshal components. You may need to install some or all of the following:
• If you are using SQL Named Instances, install MDAC 2.8 or above on the
MailMarshal Array Manager server (or the standalone MailMarshal server). A
suitable version of MDAC is included on the MailMarshal CD-ROM. To
install MDAC, see the Additional Installation tab of the MailMarshal
autorun application.
• Install Microsoft Internet Information Services (IIS) and ASP.NET 1.1 or
above on the server where you want to install MailMarshal Web
components. IIS is included with all versions of Windows supported by
MailMarshal 6.0. A suitable version of ASP.NET is included in the .NET
framework, which is provided on the MailMarshal CD-ROM. To install
ASP.NET, see the Additional Installation tab of the MailMarshal autorun
application.
Note
The installations of MDAC and IIS typically require a restart of the server.
Take this requirement into account when scheduling the installation.
Installing MailMarshal on a Single Server
You can install the email processing and management (Array Manager)
functions of MailMarshal on a single server. This server must be able to connect
to the MailMarshal database using TCP (port 1433 by default).
Chapter 3 • Installing MailMarshal
31
To install MailMarshal on a single server:
1. Insert the MailMarshal CD-ROM, or run the downloaded installation
package.
2. On the Setup tab of the autorun, choose Begin Server Setup.
3. On the License Agreement window, carefully read the license information.
To use MailMarshal, you must agree to be bound by the terms of the
agreement. To agree, click I accept the terms of the license agreement.
Click Next.
4. On the Setup Type window, choose Standalone MailMarshal Server then
click Next.
5. If Microsoft SQL Server 2000 is not installed on this server, the
installer presents the SQL Server Options window.
•If you want to install MSDE 2000 on this server, choose I want to
install and use the Microsoft SQL Server Desktop Engine
(MSDE).
•If you want to use a SQL Server on another server, choose I want to
use an existing installation of SQL Server 2000 or MSDE 2000.
Click Next. If you chose to install MSDE 2000, the MSDE installation runs.
6. The Choose Destination Location window displays the default installation
location for MailMarshal and the default locations for the MailMarshal
processing and quarantine folders. For more information about choosing
MailMarshal folder locations, see “Locating MailMarshal Folders” on
page 24.
7. If you want to change the installation location, click Change then
enter or browse to a location.
8. If you want to change one or more of the folder locations, click
Customize. On the Customize Folder Locations window, enter or browse
to a location for each folder. To effect the changes, click OK.
9. Click Next.
32
User Guide
10. On the Database window, enter the information required to connect to the
SQL database MailMarshal will use for configuration and logging. In the
server name field you can use the syntax servername[\instance][,port].
Click Next. If the database you selected already exists, MailMarshal will ask
whether you want to overwrite this database. If the database is a valid
MailMarshal 6 database, MailMarshal will also give the option to use the
database.
Note
If you use SQL Server named instances, use the instance parameter rather
than the port parameter.
11. The Ready to Install the Program window shows the installation type and
installation location you have chosen. To begin the installation process,
click Install. The installation can take several minutes to complete.
12. On the Setup Wizard Complete window, click Finish to close the setup
wizard and open the MailMarshal Configuration Wizard. You must complete
the Configuration Wizard before MailMarshal will accept and filter email.
For details of this wizard see “Post-Installation Configuration Steps” on
page 38.
Installing MailMarshal on an Array of Servers
MailMarshal can be installed as an array. A MailMarshal Array is a group of
email processing servers that use the same policy. Each email processing server
is also known as a Node. A MailMarshal Array Manager server controls
configuration for all email processing servers. An array consists of an Array
Manager and at least one additional node.
When MailMarshal is installed in an array, TCP port 19001 (or another port of
your choice) must be open in both directions between each node and the Array
Manager. The Array Manager server must be able to connect to the MailMarshal
database using TCP port 1433 (or another port as configured at the SQL server).
Chapter 3 • Installing MailMarshal
33
Installing the Array Manager Server
To install a MailMarshal array, first install an Array Manager server. You can
install an email processing node on the Array Manager server as part of this
installation.
Note
Typically the Array Manager server is installed on a dedicated server or a SQL
Server computer located within the trusted network, and all email processing
servers are located in the DMZ.
To install a MailMarshal Array Manager server:
1. Insert the MailMarshal CD-ROM, or run the downloaded installation
package.
2. On the Setup tab of the autorun, choose Begin Server Setup.
3. On the License Agreement window, carefully read the license information.
To use MailMarshal, you must agree to be bound by the terms of the
agreement. To agree, click I accept the terms of the license agreement.
Click Next.
4. On the Setup Type window, choose Array of MailMarshal Servers then
click Next.
5. On the Array Deployment window, choose I want to create a new array.
6. On the Array Manager Options window, if you want to install email
processing functions on this server choose This server is used to manage
the array and also process email.
7. If Microsoft SQL Server 2000 is not installed on this server, the
installer presents the SQL Server Options window.
•If you want to install MSDE 2000 on this server, select I want to
install and use the Microsoft SQL Server Desktop Engine
(MSDE).
•If you want to use a SQL Server on another server, choose I want to
use an existing installation of SQL Server 2000 or MSDE 2000.
34
User Guide
Click Next. If you chose to install MSDE 2000, the MSDE installation runs.
Note
Most MailMarshal array installations require SQL Server. For more
information see “Software Required for MailMarshal Server” on page 18.
8. The Choose Destination Location window displays the default installation
location for MailMarshal. If you chose to install email processing functions,
this window also shows the default locations for the MailMarshal processing
and quarantine folders. For more information about choosing MailMarshal
folder locations, see “Locating MailMarshal Folders” on page 24.
9. If you want to change the installation location, click Change then
enter or browse to a location.
10. If you want to change one or more of the folder locations, click
Customize. On the Customize Folder Locations window, enter or browse
to a location for each folder. To effect the changes, click OK.
11. Click Next.
12. On the Database window, enter the information required to connect to the
SQL database MailMarshal will use for configuration and logging. In the
server name field you can use the syntax servername[\instance][,port]. If
the database you selected already exists, MailMarshal will ask whether you
want to overwrite this database. If the database is a valid MailMarshal 6
database, MailMarshal will also give the option to use the database. Click
Next.
Note
If you use SQL Server named instances, use the instance parameter rather
than the port parameter.
Chapter 3 • Installing MailMarshal
35
13. The Ready to Install the Program window shows the installation type and
installation location you have chosen. To begin the installation process,
click Install. The installation can take several minutes to complete.
14. On the Setup Wizard Complete window, click Finish to close the setup
wizard and open the MailMarshal Configuration Wizard. You must complete
the Configuration Wizard before MailMarshal will accept and filter email.
For details of this wizard see “Post-Installation Configuration Steps” on
page 38.
Installing an Email Processing Server
To complete the initial installation of a MailMarshal array, install at least one
email processing server. You can install additional email processing servers at
any time.
Note
You must install the Array Manager server before installing email processing
servers.
To install a MailMarshal email processing server:
1. Insert the MailMarshal CD-ROM, or run the downloaded installation
package.
2. On the Setup tab of the autorun, choose Begin Server Setup.
3. On the License Agreement window, carefully read the license information.
To use MailMarshal, you must agree to be bound by the terms of the
agreement. To agree, click I accept the terms of the license agreement.
Click Next.
4. On the Setup Type window, choose Array of MailMarshal Servers then
click Next.
5. On the Array Deployment window, choose I want to join an existing
array. Click Next.
36
User Guide
6. The Choose Destination Location window displays the default installation
location for MailMarshal and the default locations for the MailMarshal
processing and quarantine folders. For more information about choosing
MailMarshal folder locations, see “Locating MailMarshal Folders” on
page 24.
7. If you want to change the installation location, click Change then
enter or browse to a location.
8. If you want to change one or more of the folder locations, click
Customize. On the Customize Folder Locations window, enter or browse
to a location for each folder. To effect the changes, click OK.
9. Click Next.
10. On the MailMarshal Array window, enter the name of the MailMarshal Array
Manager that you will use to manage policy for this server. The name can
be a computer name, IP address, or Fully Qualified Domain Name. If you
have changed the default MailMarshal port, enter the new value in the Port
field. If you are not logged in as a user with permission to join the
MailMarshal array, select Connect using following account and enter the
correct windows account information. For more information about setting
this permission see “Configuring Manager Security” on page 207. Click
Next.
11. The Ready to Install the Program window shows the installation type and
installation location you have chosen. To begin the installation process,
click Install. The installation can take several minutes to complete.
12. On the Setup Wizard Complete window, click Finish to close the setup
wizard. The server will retrieve configuration from the Array Manager
immediately and will begin accepting email connections.
Chapter 3 • Installing MailMarshal
37
Post-Installation Configuration Steps
After a standalone MailMarshal server or Array Manager is installed, you must
complete the MailMarshal Configuration Wizard before MailMarshal will accept
and filter email. You must also use the MailMarshal Configurator to complete
several localization tasks in order to implement minimum best practices for
MailMarshal installation and email filtering.
Completing the Configuration Wizard
When you click Finish on the final window of the MailMarshal Setup Wizard,
by default MailMarshal displays the Configuration Wizard. If you do not
complete this Wizard after setup, MailMarshal will display it when you start the
MailMarshal Configurator.
To complete the Configuration Wizard:
1. If necessary, start the Wizard by opening the MailMarshal Configurator,
found in the NetIQ MailMarshal program folder.
2. On the Welcome window, click Next.
3. On the License window, enter the name of your company or organization.
This information is used to help identify your organization when you
request a license key from within MailMarshal.
On this window, MailMarshal reports the details of the license key installed
on this server. In most cases the license key will be a 30 day trial key
generated by MailMarshal. You can enter another license key after
completing configuration. For more information, see “Managing Your
MailMarshal License” on page 191.
4. On the Local Domains window, use the Local Domain Wizard to specify the
names of local domains for which MailMarshal will accept inbound email.
The list should include all the domains of email addresses your organization
actually uses through this gateway. In most cases the Local Domains list
should exactly match the DNS MX records pointing at this server.
38
User Guide
MailMarshal supports two types of local domains: Relay and POP3.
•Email for a relay domain is delivered by MailMarshal to another email
server within your organization.
•Email for a POP3 domain is delivered to a mailbox hosted by the
MailMarshal server.
Many organizations have a single entry in the Local Domains list, which
matches the domain name used by the organization. However, if you
receive email for more than one domain or for subdomains, you will need
multiple entries.
Notes
•
All relay servers defined here will also be allowed to relay outbound
email through MailMarshal.
•
If you provide POP3 service for a domain using other software (such as
Microsoft Exchange), configure that domain as a Relay domain in
MailMarshal.
5. To start the Local Domain Wizard, click New.
6. Choose whether MailMarshal will host any POP3 mailboxes for the domain.
Click Next.
7. Enter the domain name. If this is a relay domain, the domain name can
contain wildcard characters. For details of wildcard syntax, see Appendix A,
“Wildcards and Regular Expressions.”
8. Enter the IP address and port of the server MailMarshal should relay email
to. Use port 25 unless the other server uses a different port, for instance, if
both MailMarshal and the other server software are installed on the same
system.
9. Optionally enter a second email server address and port. MailMarshal will
use the second address only as a fail-over if the first server does not
respond.
10. If this is a POP3 domain, choose the action MailMarshal will take if a
message is undeliverable.
Chapter 3 • Installing MailMarshal
39
11. To return to the Local Domains page, click Finish.
12. If this MailMarshal installation functions as a gateway for more
than one local domain, complete Steps 5 through 11 for each local
domain.
13. When you have entered all the local domains, you can adjust the order in
which MailMarshal will match the domains. MailMarshal will determine
where to deliver incoming email by the first entry in the list (from the top
down) that matches. To adjust the order of domains in the list, select a
domain name and use the up and down arrows on the window.
Note
Ensure that local domains are listed in the correct order. If you do not, email
may be misdirected. For example you could use the following sequence to
direct email to POP3 mailboxes within MailMarshal:
pop.example.com
POP3
10.2.5.4:25
*.example.com
Relay
10.1.2.1:25
If you were to reverse this sequence, the “pop” subdomain would be
ignored and all email would be delivered to the relay address (that is,
10.1.2.1 port 25), because *.example.com will match for messages addressed
to pop.example.com.
14. On the Administrative Notifications window, enter email addresses used by
automated functions of MailMarshal.
•MailMarshal will send administrative notifications (such as Dead Letter
reports) to the address specified in the Recipient Address field. This
should be a valid and appropriate mailbox or group alias.
•MailMarshal will send administrative and user notifications and other
automated email “from” the address entered in the From Address
field. This should also be a valid address to allow for replies to
notifications.
40
User Guide
15. On the DNS Servers window, enter the addresses of servers used by
MailMarshal. MailMarshal performs DNS lookups independently of the
Windows DNS settings. The DNS servers used by MailMarshal should be
located no further away than the ISP.
•Enter the IP address of the primary DNS (Domain Name Server) server.
You must enter a valid server address.
•Enter a secondary address. You can leave this entry blank, but it is best
practice to have a secondary DNS server.
Note
If MailMarshal must perform DNS lookups through a firewall, the
firewall must permit both TCP and UDP based lookups.
16. On the Delivery window, choose how you want MailMarshal to deliver
external messages. Two options are available:
a. MailMarshal will deliver external email itself: This is the default
option. MailMarshal will use DNS resolution to determine the
appropriate destination for outbound email and attempt to deliver
messages directly.
b. MailMarshal will forward email to another SMTP server: Select this
option to immediately send all outbound email (not for local domains)
to a firewall or a fixed relay server. For instance, you can use this option
to send all email through the email servers at your ISP. The firewall or
relay server will be responsible for final delivery.
Enter the host name or IP address of the relay or firewall in the
Forwarding Host field.
Chapter 3 • Installing MailMarshal
41
Optionally enter an alternate host. MailMarshal will only use the
alternate host if it encounters a DNS or greeting failure while attempting
to connect to the main forwarding host.
Note
You can configure advanced options for delivery. For more information,
see “Configuring Delivery Options” on page 203 and “Customizing
Settings for Nodes” on page 211.
17. On the final page of the Configuration Wizard, click Finish to complete
configuration. MailMarshal starts the email processing services automatically
and opens the main Configurator window.
Excluding Working Folders From Virus Scanning
You must ensure that certain folders, which are used by MailMarshal to process
and quarantine infected email messages, are excluded from any existing
resident or “on-access” anti-virus scanning.
Note
You must configure these exclusions for each installed virus scanner that
provides on-access scanning on every MailMarshal email processing server,
even if you do not use MailMarshal to scan for viruses.
The folders that must be excluded from scanning are the Incoming, Decryption,
Unpacking, and Quarantine folders. By default new MailMarshal installations
create all of these folders within the MailMarshal install folder. (Incoming and
Decryption are subfolders of Queues.) If you have chosen to change these
names or locations, you must exclude the new locations. You can verify the
locations of these folders by using the MailMarshal Server Tool on each server.
For more information about this tool, see Chapter 9, “Managing MailMarshal
Configuration.”
42
User Guide
MailMarshal checks for resident file scanning by attempting to write the
standard test virus file eicar.com (not a real virus) in each of the folders that
must be excluded from scanning. If any of these test files are removed or
cleaned by a resident scanner, or MailMarshal is denied access to the files, the
MailMarshal engine on the server will not start and MailMarshal will send an
email notice to the administrator.
If the check succeeds, MailMarshal deletes the eicar.com files, except for one
copy left in the Unpacking\avcheck folder.
For information about excluding folders from on-access scanning, please refer
to the virus scanner manufacturer's documentation. For example in Network
Associates NetShield, exclusions are set via the Exclusions tab in Scan
Properties. If the virus scanner does not have the facility to exclude the
appropriate folders, you must disable on-access scanning completely for that
scanner.
Details of Excluded Folders
The following folders must be excluded from virus scanning.
Incoming, Decryption
MailMarshal places received email in these folders before processing it.
Unpacking
MailMarshal copies files to the Unpacking folder and explicitly invokes
virus scanners to check for viruses. If a resident virus scanner found and
cleaned a file here, MailMarshal's virus scanning might then determine
the file to be clean. MailMarshal would then pass the original message
through with the virus still present.
Quarantine
MailMarshal uses folders within the Quarantine folder to store messages,
including those quarantined by virus scanning rule actions.
Chapter 3 • Installing MailMarshal
43
Configuring Email Routing
Once MailMarshal is installed and configured, change email routing so that
MailMarshal serves as the gateway for incoming and outgoing email. For more
information, see Chapter 2, “Planning Your MailMarshal Implementation.” These
routing changes can require you to alter one or more of the following:
DNS MX records
If MailMarshal is installed on a server with a different name and/or IP
address to the previous email server, you will probably need to change
the MX records that control email delivery from the Internet.
Internal email server settings
You should configure all email servers within your organization to
forward outgoing email to MailMarshal for delivery. In some cases, you
may also want to send email between local domains through
MailMarshal.
Port settings
In some cases MailMarshal is configured as a single server on the same
physical server as other email software. In these cases, change the
settings of the other software to allow MailMarshal to receive SMTP
connections from the Internet on port 25.
Firewall or relay server settings
If MailMarshal receives incoming email from a firewall that employs
address translation, change the translated address for incoming email to
the address of the MailMarshal server. If the firewall or another server
acts as an email relay, change the address to which it forwards inbound
email to that of the MailMarshal server.
44
User Guide
Creating Directory Connectors
MailMarshal can apply email policies selectively based on the email address of a
local or remote user. Typically organizations apply policy to groups of local
users by retrieving lists of users from an internal email server such as Microsoft
Exchange or Lotus Notes. MailMarshal can retrieve groups by connecting to a
Microsoft Active Directory or an LDAP directory server.
MailMarshal connectors allow you to retrieve user and group information
periodically from these directories. Only create connectors if you want to
retrieve information from directory servers.
To create a directory connector:
1. If necessary, open the MailMarshal Configurator, found in the NetIQ
MailMarshal program folder.
2. In the left pane, expand the item MailMarshal Configurator.
3. Click Connectors.
4. On the Action menu, click New Connector.
5. On the Connector Type window, choose the type of directory this
connector will access. MailMarshal supports connections to Microsoft Active
Directory and several types of LDAP directories.
6. If this is a Microsoft Active Directory connection, on the Microsoft
Active Directory Setting page choose to connect as anonymous, or as a
specific account. If you choose to connect using a specific account, enter
the account details. Click Next.
7. If this is a LDAP connection, enter the information required.
a. Select a specific type of LDAP directory server from the list. MailMarshal
will use appropriate parameters to retrieve group and member details
for the type of server you choose. Click Next.
Chapter 3 • Installing MailMarshal
45
b. On the LDAP Server and Logon page enter the server name, port, and
logon information. See the Help for full details of the fields on this
window. You can choose to connect as anonymous, or as a specific
account. If you choose to connect using a specific account, enter the
account details. If you do not know the required information, contact
the administrator of the LDAP server. Click Next.
c. On the LDAP Search Root window enter or browse for a search root for
this server, if one is required. If you do not know whether a search root
is required, contact the administrator of the LDAP server. Click Next.
d. If this is a generic LDAP connection, on the LDAP Groups and LDAP
Users windows customize the information MailMarshal will use to query
the LDAP server for group names and group members. To obtain
information on the appropriate values, consult the LDAP server
documentation and the LDAP server administrator. Click Next.
8. On the Reload Schedule window, choose how often MailMarshal will
import directory information through this connector. You can choose to
import once a day at a specific time, or more than once a day, or manually.
Click Next.
9. On the Connector Name and Description window, enter a descriptive name
and optionally a verbose description of this connector. Click Next.
10. On the Completing window, MailMarshal presents a summary of the settings
you have entered for this connector. Review the settings, then click Finish
to create the connector and close the window.
To view and alter the settings for a connector, highlight it then click Properties
in the taskpad header, or on the action menu in Standard view. The properties
of an LDAP connector include advanced configuration that allows you to
control what email addresses and groups MailMarshal retrieves. For more
information about editing connectors and advanced LDAP configuration, see
“Configuring Connectors” on page 119.
46
User Guide
Installing MailMarshal Reports
You can install MailMarshal Reports on one or more workstations in the local
network. Each workstation must be able to connect to the MailMarshal database
using Named Pipes or TCP (port 1433 by default). For details of prerequisites
and MSDE licensing limitations, see “Software Required for Other Components”
on page 19.
To install MailMarshal Reports on a workstation:
1. Insert the MailMarshal CD-ROM, or run the downloaded installation
package.
2. On the Setup tab of the autorun, choose Begin Reports Setup.
3. Carefully read and accept the license information.
4. Choose a destination location and program folder.
5. To begin the installation process, click Install.
For information about running the Reports application and connecting to the
MailMarshal database, see Chapter 10, “Reporting on MailMarshal Activity.”
Installing MailMarshal Web Components
MailMarshal includes two web-based consoles:
• A Spam Quarantine Management console that allows individual email users
to review and manage quarantined messages.
• A Web version of the Console application that allows administrators and
others (such as help desk personnel) to view server status and manage
quarantined email for all users.
You can install these consoles on a Windows 2000, Windows XP, or Windows
Server 2003 server that can connect to the MailMarshal Array Manager.
Chapter 3 • Installing MailMarshal
47
You can install the Spam Quarantine Management component on a multi-server
Web farm using the state management features of ASP.NET.
For details of prerequisites, see “Software Required for Other Components” on
page 19.
To install the Web-based Consoles:
1. Insert the MailMarshal CD-ROM, or run the downloaded installation
package.
2. Choose Begin Web Components Installation from the Setup tab of the
autorun.
3. Carefully read and accept the license information. By accepting the license
you agree to be bound by its terms.
4. On the Setup Type window, choose which components you want to install:
Spam Management, Web Console, or Both. Click Next.
5. Choose a destination location and program folder. By default the location is
within the Program Files\NetIQ folder.
6. On the Virtual Directory window, enter a Web site directory name for each
component you have chosen to install. These names will be the directory
path parts of the site URLs, within the default Web site on the server. Click
Next.
7. The Ready to Install the Program window shows the installation type and
installation location you chose. To begin the installation process, click
Install.
8. On the Setup Wizard Complete window, click Finish to close the setup
wizard and open the Configure MailMarshal Web window. This window
displays a tab for each component that you have installed. For full details of
the fields on the tabs of this window, see the Help for the window.
48
User Guide
9. If you have installed Spam Quarantine Management, on the Spam
Quarantine Management tab enter the site URL, timeout, MailMarshal
Manager connection information, and number of items per page.
•The site URL will be used for links in message digest email messages.
Enter a URL that can be resolved from workstations where
MailMarshal will send these messages. Do not include a trailing “/”
character in the URL. The default value is the server name and virtual
directory path.
•In the Array Manager section, specify an account with full permissions
over the MailMarshal Console functions.
10. If you have installed Spam Quarantine Management, on the Spam
Quarantine Management tab, click View/Edit User Authentication
Method to set the authentication method for the site. You can choose from
the following methods:
•Login by email address, with initial passwords generated by
MailMarshal.
•Windows login.
•Windows login with associated email addresses retrieved from Active
Directory. MailMarshal will automatically query Active Directory for
the list of email addresses that belong to a user each time they log in
to the Web site. The user can also add additional email addresses
manually.
Notes
•
You can only set the authentication method once for a MailMarshal
installation. If you install the Spam Quarantine Management Web
component on more than one IIS server, all the servers must use the
same method.
•
MailMarshal queries Active Directory from the Array Manager using
the credentials under which the Array Manager service is running.
Chapter 3 • Installing MailMarshal
49
11. If you have installed the Web Console, on the Admin Web Console tab
enter the server name, user authentication method, timeout, and number of
items to show per page.
12. To apply the settings, click OK at the bottom of the window.
The default installation of these Web sites includes NetIQ branding and generic
Help. You can customize these items.
Note
Any changes you make will be lost when you upgrade the Web components. If
you make changes, save them in another location.
You can customize the Help by editing the text of the existing Help pages.
You can customize the branding by replacing image files in the Web site
folders. The following files (relative to each of the web component installation
folders) include NetIQ branding:
50
File
Function
images\th_welcome.gif
Logo for top left of Welcome page
images\footer_logo.gif
Logo for bottom left of all pages
images\footer_tag.gif
Tagline for bottom right of all pages
help\images\logo_product.gif
Product icon for top left of Help pages
help\images\logo_footer.gif
Logo for bottom right of Help pages
User Guide
Installing MailMarshal Client Tools
You can install additional copies of the MailMarshal client tools (Configurator
and Console) on one or more computers. The Console communicates with the
Array Manager using port 19001. The Configurator requires additional NetBIOS
ports.
To install the MailMarshal Configurator or Console:
1. Insert the MailMarshal CD-ROM, or run the downloaded installation
package.
2. On the Setup tab of the autorun, choose Begin Server Setup.
3. On the License Agreement window, carefully read the license information.
To use MailMarshal, you must agree to be bound by the terms of the
agreement. To agree, click I accept the terms of the license agreement.
Click Next.
4. On the Setup Type window, choose MailMarshal Client Tools then click
Next.
5. On the Component Selection window, select the components to install
using the check boxes. Click Next.
6. The Folder Locations window shows the location where the installer will
place MailMarshal files. If you want to change the installation location,
click Change then enter or browse to a location. Click Next.
7. The Ready to Install the Program window shows the installation type and
installation location you chose. To begin the installation process, click
Install.
8. On the Setup Wizard Complete window, click Finish to close the setup
wizard.
9. Open the Configurator or Console from the NetIQ MailMarshal program
group.
10. On the Connect to Server window, enter the information required for the
tool to connect to the MailMarshal Array Manager server.
Chapter 3 • Installing MailMarshal
51
Upgrading MailMarshal
You can upgrade an existing MailMarshal 6.0 installation to the latest version by
running the appropriate installation package on each server you have
configured.
You can upgrade an existing MailMarshal 4.2 or higher installation to
MailMarshal 6.0. Due to changes in the configuration and database design, you
must create a new database. You can migrate existing data after upgrading. You
must also re-import LDAP user groups.
Notes
•
The upgrade installation starts all MailMarshal services, including any that
were stopped before the upgrade.
•
MailMarshal 6.0 does not support MailMarshal Secure (S/MIME). Before
upgrading you must remove the MailMarshal Secure component using the
Add/Remove Programs application in Control Panel. To remove this
component from a MailMarshal 4.2.5 installation, first upgrade to version 5.5
then remove the component.
•
If you have created an array of MailMarshal servers in MailMarshal 5.5, you
must re-create the array in MailMarshal 6.0. For more information about
upgrading MailMarshal 5.5 arrays, see NetIQ Knowledge Base article
NetIQKB39044.
•
For general information about upgrading to MailMarshal 6.0, see NetIQ
Knowledge Base article NetIQKB40548.
To upgrade MailMarshal from version 4.2 or higher to version 6.0:
1. If you have installed PestPatrol, disable any rules that use this software
and delete it from the MailMarshal Virus Scanners listing. PestPatrol is not
supported under MailMarshal 6.0.
2. Run the MailMarshal 6.0 installation package on an existing MailMarshal
server.
52
User Guide
3. During installation specify a new database and a location for the
MailMarshal quarantine folders. You can accept the default location for the
folders.
Notes
•
By default the MailMarshal 6.0 installation places the Unpacking or
Explode folder within the MailMarshal installation folder. If your
Unpacking or Explode folder is configured in another location, you can
select that location on the Choose Destination Location window of the
installation wizard.
•
MailMarshal 6.0 requires SQL Server 2000 or MSDE 2000 to store the
configuration and logging database. The upgrade installation will offer
to upgrade MSDE 1.0 to MSDE 2000 if it is installed locally. The
installation cannot upgrade a local installation of SQL Server 7.0, or SQL
software installed on another server. In these cases, you must upgrade
the SQL or MSDE software before you upgrade MailMarshal.
4. During the upgrade, MailMarshal will maintain existing rules and policy
elements.
Notes
•
The upgrade installation does not install any new rules. After upgrading,
you can import sample rules that support the new features available in
MailMarshal 6.0. For more information, see NetIQ Knowledge Base
article NetIQKB40430.
•
MailMarshal 6.0 automatically logs a classification record for each
quarantine action such as “move message to folder.” After upgrading,
review the rules and eliminate duplicate classification actions.
•
The Message Release external command application provided with
MailMarshal 6.0 does not accept message release codes generated by
earlier versions of MailMarshal.
Chapter 3 • Installing MailMarshal
53
5. As part of the upgrade, MailMarshal will re-create existing LDAP connectors.
Any existing LDAP user groups will become empty MailMarshal user
groups. You must re-create the LDAP user groups.
Notes
•
MailMarshal 6.0 offers customized support for various LDAP servers.
The upgrade process does not make use of the new features. To
improve the performance of LDAP connections, delete the upgraded
connectors and create new connectors before you re-create LDAP
groups.
•
MailMarshal 6.0 offers greater support for Active Directory. If you have
been connecting to Active Directory through LDAP, create an Active
Directory connector and import Active Directory groups and users
through that connector.
•
Best practice is not to use imported user groups directly in MailMarshal
user matching conditions. Use MailMarshal groups for user matching.
Insert the imported LDAP user groups in the MailMarshal groups. This
procedures permits you to add and delete LDAP based groups with less
disruption.
6. After completing the preceding steps, verify that MailMarshal is operating
correctly and processing email.
7. If you need to access old quarantine and logging data, use the
MailMarshal Quarantine Upgrade tool to import database records and items
in the MailMarshal Folders into the new locations. For more information
about the Quarantine Upgrade tool see “Quarantine Upgrade Tool” on
page 218.
To upgrade an existing installation of MailMarshal 4.1 or below, upgrade to
MailMarshal 5.5 and verify that MailMarshal is operating correctly. Then
upgrade to MailMarshal 6.0 following the procedures described in this section.
54
User Guide
Uninstalling MailMarshal
Before you uninstall an email processing server, ensure that you have revised
email delivery settings to exclude the server from email processing. For
example, these settings may include the DNS MX records, firewall translation
settings, and internal email server settings that direct email to the MailMarshal
server. After updating the delivery settings, verify that email is flowing through
the new path and no email is being delivered to the MailMarshal server you
plan to uninstall.
Ensure that the contents of the Quarantine folders have been backed up.
Warning
After you uninstall an email processing server, you will no longer be able to use
the MailMarshal Console to view any email messages that are in the quarantine
folders on that server.
To uninstall MailMarshal:
1. Uninstall MailMarshal from the specific servers using the Add/Remove
Programs application in Control Panel. You may have to restart systems to
remove some program files.
2. To delete the MailMarshal Quarantine folders, first delete all contents of the
subfolder Symbolic. After you have deleted these items, you can delete the
remaining folders and files.
3. If you have uninstalled an email processing server and you are
continuing to use the MailMarshal Array, delete the server entry for the
processing server from the Array Manager using the MailMarshal
Configurator.
4. If you have uninstalled the entire MailMarshal installation, uninstall
any additional instances of the MailMarshal Configurator, Console, Web
components, and Reports using the Add/Remove Programs application in
Control Panel on each system.
Chapter 3 • Installing MailMarshal
55
56
User Guide
Chapter 4
Understanding MailMarshal
Interfaces
MailMarshal provides several interfaces to help you set up and monitor email
content security.
MailMarshal Configurator
Allows you to customize your content security policy, configure email
delivery options, and control user access to other consoles.
MailMarshal Console
Allows you to monitor server health and email traffic flow on a real-time
basis, and manage quarantined email messages.
MailMarshal Web Console
Provides most features of the MailMarshal Console through a Web
interface.
MailMarshal Reports Console
Allows you to generate detailed historical reports on email traffic, policy
breaches, and MailMarshal actions.
MailMarshal Spam Quarantine Management Web Site
Allows email users to review and unblock email that MailMarshal has
quarantined as Spam, and to maintain lists of safe and blocked senders.
You can also configure this site to give users the same powers over any
quarantine folder.
Chapter 4 • Understanding MailMarshal Interfaces
57
Other Tools
Provide access to setup of items that cannot be changed within the main
interfaces. The tools include a server setup tool, web interfaces
configuration tool, quarantine upgrade/repair tool, and command line
tools to import user and group information and configuration from files.
Understanding the Configurator
The MailMarshal Configurator (Configurator) uses Microsoft Management
Console (MMC) technology. The Configurator is always installed on a
standalone MailMarshal server, or on the Array Manager server when you install
a MailMarshal array. You can also install the Configurator on other workstations
within your LAN. Only one Configurator can be connected to the server at a
time.
The left pane of the Configurator is the menu pane. The right pane of the
Configurator is the details or results pane. When you select an item in the left
pane, the right pane changes to reflect details for that item. The right pane
defaults to a taskpad view in most cases. In the taskpad view, MailMarshal
displays shortcuts to common tasks at the top of the pane.
Note
Many items in the Configurator include a right-click menu that lets you choose
context-sensitive actions. The items on right-click menus are also available on
the menus, the toolbar and/or the taskpad for the selected item.
To start the Configurator, click MailMarshal Configurator in the NetIQ
MailMarshal program group.
58
User Guide
Working With the Getting Started and Common Tasks Pages
When you start the Configurator for the first time, the right pane shows a
taskpad with two tabs: Getting Started and Common Tasks. You can return to
this view by clicking MailMarshal Configurator in the left pane. The items on
these tabs, shown below, provide guidance on selected important features of
MailMarshal.
Click the title of any item to read additional information about what the feature
does and how to use it. Click the additional link in the body of some items to
open the user interface for the feature.
Chapter 4 • Understanding MailMarshal Interfaces
59
Working With Menu and Detail Items
Expand the menu in the left pane by clicking the + symbol to the left of an
item. View the list of detail items for a menu item by clicking the menu item.
View detailed properties of an item by clicking it then clicking the Properties
icon in the toolbar.
Working With Properties Configuration
You can set many global properties of MailMarshal using three properties
windows.
MailMarshal Manager Properties
On the tabs of this window you can configure basic properties of the
MailMarshal installation. You can also back up or restore a MailMarshal
configuration. To open this window, select MailMarshal Properties
from the Tools menu.
Server and Array Properties
On the tabs of this window you can control how MailMarshal receives
and delivers email. You can also set up some email filtering that will be
applied to all messages. To open this window, select Server and Array
Properties from the Tools menu.
Node Properties
Each MailMarshal installation includes one or more email processing
servers, also known as nodes. To see a list of these servers, click Server
and Array Configuration in the left pane. The right pane will show a
list of installed servers. To configure settings for a server, click to select
that server in the right pane, then click the Properties icon in the
toolbar.
For more information about the properties and settings shown on these three
windows, see Chapter 5, “Implementing Your Email Content Security Policy”
and Chapter 9, “Managing MailMarshal Configuration.”
60
User Guide
Committing Configuration
Any changes you make to the MailMarshal configuration are not applied to
email processing servers immediately. To apply the changes, on the Tools
menu choose Commit Configuration.
If configuration changes are pending, the caption MailMarshal Configurator
at the top of the left pane of the Configurator is followed by the symbol -*- or
-!- The -!- symbol indicates that the MailMarshal services on email processing
servers will restart when you commit the configuration.
To check whether the email processing servers are up to date with the latest
configuration you have committed, in the left pane of the Configurator click
Server and Array Configuration. The status of each server shows Current if the
server is up to date.
Understanding the Console
The MailMarshal Console (Console) uses MMC technology. The Console is
always installed on a standalone MailMarshal server, or on the Array Manager
server and each email processing node when you install a MailMarshal array.
The Console can also be installed on other workstations within the LAN.
The right pane of the Console is the details or results pane. When you select an
item in the left pane, the right pane changes to reflect details for that item. The
right pane defaults to a taskpad view in most cases.
Note
Many items in the Console include a right-click menu that lets you choose
context-sensitive actions. The items on right-click menus are also available on
the toolbar and/or the taskpad for the selected item.
Chapter 4 • Understanding MailMarshal Interfaces
61
To start the Console, click MailMarshal Console in the NetIQ MailMarshal
SMTP program group. The Console displays a quick overview of daily statistics,
as shown below.
For more information about the features and functions of the Console, see
Chapter 8, “Monitoring Email Flow.”
Understanding the Web Console
The MailMarshal Web Console (Web Console) uses Microsoft Internet
Information Services (IIS). The Web Console can be installed on any IIS 5.0 or
higher server that can connect to the MailMarshal Array Manager or standalone
MailMarshal server.
62
User Guide
The Web Console provides most functions of the MailMarshal Console. It
supports Microsoft Internet Explorer version 5.5 and higher. The browser must
be configured to use Java Script and to accept cookies. You may also be able to
use the Web Console with recent versions of other Web browsers.
For more information about the features and functions of the Web Console, see
Chapter 8, “Monitoring Email Flow.”
Understanding the Reports Console
The MailMarshal Reports (MailMarshal Reports) uses MMC technology.
MailMarshal Reports can be installed on any workstation that can connect to the
MailMarshal database.
To start MailMarshal Reports, click MailMarshal Reports in the NetIQ
MailMarshal SMTP program group. The Reports interface gathers the available
reports into folders, as shown below:
For more information about the features and functions of the Reports Console,
see Chapter 10, “Reporting on MailMarshal Activity.”
Chapter 4 • Understanding MailMarshal Interfaces
63
Understanding the Spam Quarantine Management
Web Site
The MailMarshal Spam Quarantine Management Web site (Spam Console) uses
IIS. The Spam Console can be installed on any IIS 5.0 or higher server that can
connect to the MailMarshal server or Array Manager. It supports Microsoft
Internet Explorer version 5.5 and higher. The browser must be configured to
use Java Script and to accept cookies. The Spam Console allows users to release
messages and manage a variety of settings, as shown below:
For more information about the features and functions of the Spam Console,
see Chapter 11, “Delegating Spam and Quarantine Management.”
64
User Guide
Understanding Other Tools
The MailMarshal Server Tool allows you to change various settings related to
communication between the MailMarshal server(s) and the MailMarshal
database. These settings cannot be changed from within other interfaces for
technical reasons.
The Web Applications Configuration Tool allows you to change
authentication and communication settings for the Web based consoles.
The Quarantine Sync Tool and Quarantine Upgrade Tool allow you to
rebuild the index of email messages that MailMarshal has quarantined. This
index is stored in the MailMarshal database.
The Group File Import Tool allows you to import user and group information
into MailMarshal user groups from a text file.
The Configuration Export Tool allows you to import and export MailMarshal
configuration information from a command line or batch file.
For more information about the features and functions of these tools, see
Chapter 9, “Managing MailMarshal Configuration.”
Chapter 4 • Understanding MailMarshal Interfaces
65
66
User Guide
Chapter 5
Implementing Your Email Content
Security Policy
MailMarshal provides a powerful and flexible framework that allows you to
enforce an Email Content Security policy. You should configure MailMarshal to
support your organizational Acceptable Use Policy for email usage.
An Email Content Security policy typically has several goals:
• To stop Spam.
• To block or clean virus infected email.
• To prevent illegitimate relaying of email.
• To control who can send email through your server.
• To filter email messages and attachments according to local policies of the
organization.
MailMarshal includes facilities to perform these tasks. MailMarshal is configured
by default with settings and rules that implement some best practices and
common filtering policies “out of the box”. This chapter gives an overview of
typical policies and policy-related tasks, and the MailMarshal elements available
to accomplish each task.
Chapter 5 • Implementing Your Email Content Security Policy
67
Configuring Email Content Security
Configure email content security using the MailMarshal Configurator. For basic
information about the Configurator see Chapter 4, “Understanding MailMarshal
Interfaces.”
Content Security policies generally include elements of two types:
Email transport policies
These policies are implemented using global settings you configure in
MailMarshal Server and Array Properties. These policies control who is
allowed to send email to or through the MailMarshal server. For more
information on email transport policies, see “Preventing Relaying” on
page 75 and “Controlling Who Can Send Email Through Your Server”
on page 76.
Email content policies
These policies are implemented using rules you configure as part of
MailMarshal Email Policy. These policies control the content of email
messages. For more information on email content policies, see
“Stopping Spam” on page 68, “Stopping Viruses” on page 72, and
“Filtering Messages and Attachments” on page 80.
To work with the Configurator, click MailMarshal Configurator in the NetIQ
MailMarshal program group.
Stopping Spam
Stopping unsolicited incoming email (commonly known as Spam) is a primary
goal for most organizations. The NetIQ SpamCensor technology filters Spam
efficiently with minimal overhead.
68
User Guide
Anti-Spam Configuration and Rules
The default email policy provided with MailMarshal includes a policy group
titled Anti-Spam. This policy group includes a number of rules to block Spam.
To view the Anti-Spam policy group:
1. In the left pane of the Configurator, expand the item Email Policy.
2. Expand the item Anti-Spam.
3. View details of each rule, including a description of its intended use, by
selecting the rule in the right pane and choosing Properties from the
toolbar of the MMC or the taskpad.
The default rules include:
• A rule to block receipt of all email messages from specific addresses.
• A rule to block connections from hosts included on a DNS Blacklist. This
rule is disabled by default. For more information about using this rule see
“Where sender's IP address is listed in DNS Blacklist” on page 105.
• A rule to allow email messages from specific addresses.
• Rules to implement lists of blocked senders and safe senders for each user.
Users can update these lists through the MailMarshal Spam Quarantine
Management Web site.
• Rules to classify Spam using the NetIQ SpamCensor.
• A rule to quarantine email messages containing specific text using the
MailMarshal TextCensor.
Configuring SpamCensor Updates
NetIQ provides updates for the SpamCensor facility to all customers with
current extended support contracts. The updates are delivered through the Web
by HTTP and HTTPS.
Chapter 5 • Implementing Your Email Content Security Policy
69
Configuring and Checking Automatic SpamCensor Updates
Automatic updating of the SpamCensor is enabled by default. You can choose
to download updates manually or automatically.
To monitor and configure SpamCensor updates:
1. In the Configurator, select Server and Array Properties from the Tools
menu.
2. Click the Spam Updates tab. This tab shows the time and result of the last
update attempt, and the time of the next attempt.
3. If you do not want the SpamCensor to update automatically, clear the
check box Enable Automatic Updates.
70
User Guide
4. If you want to be notified by email when a SpamCensor update is
received, select the check box Send email to the administrator.
MailMarshal will send an email message to the administrator address
configured on the Notifications tab of the Server and Array Properties
window.
5. If you want to perform a check for SpamCensor updates
immediately, click Check for Updates Now.
Configuring Proxy Settings for SpamCensor Updates
If the MailMarshal server does not have direct access to the Web, you can
configure MailMarshal to use a proxy server to download the SpamCensor
updates.
To configure proxy settings for the SpamCensor updates:
1. In the Configurator, select Server and Array Properties from the Tools
menu.
2. Click the Internet Access tab.
3. If you want MailMarshal to access the Web directly, select Direct
Access.
4. If you want MailMarshal to use the proxy settings configured in
Internet Explorer, select Preset Configuration.
5. If you want MailMarshal to use a specific proxy server, select Proxy.
Enter a proxy server name and port. If necessary, enter a user name and
password for proxy authentication.
6. To apply the proxy settings, click OK to exit the window, then commit
MailMarshal configuration changes.
See the Help for additional notes on proxy configuration options.
Chapter 5 • Implementing Your Email Content Security Policy
71
Stopping Viruses
Blocking virus infections at the email gateway is a primary goal of email content
security for most organizations. MailMarshal can scan email messages for virus
infection using any of a number of virus scanners, including NetIQ Integrated
McAfee Antivirus. Nearly all MailMarshal installations use virus scanning.
MailMarshal can use one or more scanners to check email for viruses. Because
virus scanners have differing architecture and update policies, some
organizations choose to use multiple scanners.
MailMarshal invokes virus scanners as part of the email policy. After unpacking
all elements of an email message, MailMarshal passes the elements to the
scanner software for analysis, and takes action based on the result returned by
the scanner.
MailMarshal can invoke the “cleaning” feature of some virus scanners to attempt
to clean files that the scanner reports as infected.
Anti-Virus Policy and Rules
The default email policy provided with MailMarshal includes two policy groups
titled Anti-Virus (Inbound) and Anti-Virus (Outbound). These policy group
include a number of rules to block viruses.
To view the Anti-Virus policy groups:
1. In the left pane of the Configurator, expand the item Email Policy.
2. Expand the item Anti-Virus (Inbound) or Anti-Virus (Outbound).
3. View details of each rule, including a description of its intended use, by
selecting the rule in the right pane and choosing Properties from the
toolbar of the MMC or the taskpad.
The default rules include rules to attempt to clean virus infected email
messages, to block messages that cannot be cleaned, and to block known virusrelated messages by their textual content.
72
User Guide
The rules that invoke virus scanners are disabled by default. You must install
and configure at least one virus scanner before you can enable these rules.
Before you can enable the “cleaning” rules, you must install and configure a
scanner that supports cleaning.
Installing and Configuring Virus Scanners
To work with MailMarshal, a virus scanner must have a command-line interface
or a special MailMarshal DLL. The scanner must return a documented response
indicating whether or not a virus is detected. Most commercially available virus
scanners meet these specifications. For more information see NetIQ Knowledge
Base article NetIQKB29746.
To configure virus scanning in MailMarshal:
1. Install one or more virus scanners of your choice on each MailMarshal email
processing server computer, following the manufacturer's instructions. If the
scanner supports remote access, you can install the scanner in a single
location to support several email processing servers.
2. Ensure that the scanner does not perform on-demand scanning of the
MailMarshal excluded folders. For more information see “Excluding
Working Folders From Virus Scanning” on page 42.
3. In the left pane of the Configurator select Virus Scanners.
4. On the action menu, choose New Virus Scanner.
5. On the Select Virus Scanner window, select the scanner from the list. If a
the scanner does not appear on the pre-configured list, select Custom
Scanner to enter full information about it.
6. If you are configuring a command line scanner, on the Configure Virus
Scanner Path window enter the location where the main executable scanner
file is located, such as c:\McAfee\Scan.exe. You can browse using the
button provided.
Chapter 5 • Implementing Your Email Content Security Policy
73
7. If you are configuring a custom scanner, on the Configure External
Virus Scanner window enter the other required information. See the Help
for details of the fields.
Tip
If you need further information about a pre-configured scanner, click
Vendors Web Site to open the Web site in a web browser window.
8. If this scanner is installed remotely, on the Configure Virus Scanner
Location window enter the server name or IP address and port where the
scanner can be accessed.
9. On the final window of the Wizard, click Finish to add the virus scanner.
MailMarshal will attempt to test the action of the scanner on each installed
email processing node.
10. If you have installed more than one virus scanner, repeat Steps 2
through 9 for each scanner you have installed.
Notes
74
•
If you have installed MailMarshal as an array with more than one email
processing node, you must make the same virus scanners available on
all nodes.
•
You can make a scanner available by installing the software on the
node server, or in some cases by installing the virus scanner software
remotely and configuring MailMarshal to access it.
•
If you install command line virus software on more than one node
server, you must install it in the same location (same drive letter and
folder) on each server.
User Guide
Preventing Relaying
Relaying email means sending a message to an email server for delivery to
another email server. An open relay is an email server that accepts messages
from any server for delivery to any other server. Spam senders often exploit
open relays. It is best practice for an email server to refuse relaying requests,
unless the source is known and trusted.
By default MailMarshal only allows relaying requests from the email servers that
it delivers local email to. For instance, if MailMarshal delivers all incoming email
to an Exchange server, MailMarshal will also relay outgoing email from the
Exchange server.
You may need to allow relaying from other locations. You can allow relaying in
two ways:
• By specific account authentication. See “Authentication by Account” on
page 80.
• By IP address range.
To permit relaying by IP address range:
1. In the Configurator, select Server and Array Properties from the Tools
menu.
2. Click the Anti-Relaying tab.
3. To permit relaying from selected computers, edit the list of IP addresses on
this tab.
4. To add a range of addresses, click New.
5. In the New Local Network window, enter an IP address and a network
mask. For instance, to allow relaying from all computers in the 10.0.0.0
subnet, enter the IP address 10.0.0.0 and the network mask 8 bits.
Chapter 5 • Implementing Your Email Content Security Policy
75
6. To exclude a subset of an allowed range from relaying, enter the subset and
select Exclude from the local network. For instance, to exclude the
10.2.0.0 subnet from relaying, enter the IP address 10.2.0.0 and the mask 16
bits, and select Exclude from the local network.
Note
You only need to exclude a range if it is a subset of an included range. Any
range that is not explicitly included will be excluded.
7. To permit relaying from all computers, clear the check box Prohibit
Relaying.
Warning
NetIQ strongly recommends you do not permit relaying from all computers
if the MailMarshal server is open to the Internet. Your server would be an
open relay and would be subject to abusive relaying and possibly to
blacklisting by anti-Spam organizations.
8. To control how MailMarshal responds to specific formats of email addresses
that can be used to relay email, such as "[email protected]"@domain, select or
clear Block suspicious local-part relay attempt. In general you should
only clear this box if other servers in your environment respond properly to
these addresses.
Controlling Who Can Send Email Through Your
Server
MailMarshal includes a number of features that allow you to control acceptance
of email messages. These include DNS Blacklist checking, PTR lookups, a list of
blocked hosts, and authentication by account (user name and password).
76
User Guide
DNS Blacklists
MailMarshal can retrieve information from DNS based blacklists such as
SpamCop and the MAPS Realtime Blackhole List. A DNS blacklist is a service
that provides an automated response through the DNS protocol. These services
typically attempt to list email servers that are associated with Spamming, open
relays, or other unacceptable behavior. Each list has its own policies, and you
should carefully evaluate the lists you choose to use.
Configuring a DNS Blacklist for use in MailMarshal is a two step process. You
configure details of the list in Server and Array Properties, then you configure
one or more receiver rules to filter email based on the list information.
Notes
•
To minimize performance issues, use only one or two reliable DNS
blacklists.
•
You can view the result returned by a Receiver rule DNS blacklist in the
MailMarshal Receiver text log.
•
You can also use DNS blacklists in standard rules through the MailMarshal
Category (Spam Censor) facility. This is a more flexible method because it
allows for weighted combinations of conditions. For more information
about this facility, see the white paper “MailMarshal SMTP for Anti-Spam,”
available from the NetIQ Web site. You can view the result returned by a
Category DNS blacklist in the message log (if the message is quarantined) or
the MailMarshal Engine text log.
Configuring Access to a DNS Blacklist
MailMarshal maintains a list of available DNS blacklists it can use in Receiver
rules.
To configure access to a DNS blacklist:
1. In the Configurator, select Server and Array Properties from the Tools
menu.
2. Click the Host Validation tab.
Chapter 5 • Implementing Your Email Content Security Policy
77
3. The DNS Blacklist section of this tab shows a list of blacklists. You can edit
a blacklist entry or add a new entry. See Help for details of the required
information.
4. If you want to use a listed blacklist in a receiver rule, ensure that it is
enabled.
Enabling a DNS Blacklist Rule
The default email policy provided with MailMarshal includes a rule in the AntiSpam policy group that uses the SpamCop blacklist.
To use the default DNS blacklist rule:
1. In the DNS Blacklist section of the Host Validation tab, enable the blacklist
SpamCop.
2. To close the Server and Array Properties window, click OK.
3. In the left pane, expand the item Email Policy and select the policy group
Anti-Spam.
4. In the right pane, right-click the rule Deny SpamCop Blacklisted Senders
at Receiver. Choose Enable from the context menu.
5. To implement use of this rule, commit the configuration changes.
PTR Lookups
MailMarshal can mark or refuse email from external servers that do not have
correctly published Reverse DNS (PTR record) information. You can use this
method to help guarantee the genuineness of a remote site, and as a layer of
anti-spoofing protection.
Note
Use PTR lookups with caution. Not all sites publish correct PTR information.
Valid email traffic can be blocked by DNS checking if the sending site does not
have PTR records or they are faulty.
78
User Guide
To edit the PTR lookup policy:
1. In the Configurator, select Server and Array Properties from the Tools
menu.
2. Click the Host Validation tab.
3. To validate hosts sending incoming email using DNS information, select the
check box Validate connecting hosts in the DNS. MailMarshal will
perform a reverse DNS lookup on each IP address from which email is
being sent.
4. Select an option using the radio buttons.
•Choose Accept unknown hosts to accept email from hosts without
appropriate DNS information, but log this fact to the Windows event
log. This option annotates the message header as “not validated”. It is
usually used for testing or debugging purposes.
•Choose Host must have a PTR record to block messages from any
host that does not have a valid DNS PTR record.
•Choose PTR Record must match the HELO connection string to
block messages from hosts whose PTR domain does not match the
HELO identification sent by the server. This is the most restrictive
option.
5. To implement the blocking, click OK on the Server and Array Properties
window, then commit configuration changes.
Blocked Hosts
You can maintain a list of servers that are never allowed to send any email
through MailMarshal. MailMarshal will reject SMTP connections from these
servers. Entries on this list will generally be servers outside your local LAN.
Chapter 5 • Implementing Your Email Content Security Policy
79
To edit the list of Blocked Hosts:
1. In the Configurator, select Server and Array Properties from the Tools
menu.
2. Click the Blocked Hosts tab.
3. Add server names, IP addresses, or IP address ranges to the list. For
information about the format of entries, see the Help.
4. To implement the blocking, click OK on the Server and Array Properties
window, then commit configuration changes.
Authentication by Account
MailMarshal can require each computer connecting to it to provide a user name
and password.
To use authentication by account:
1. Create and maintain a list of accounts using the policy element Accounts.
For more information see “Setting Up Accounts” on page 201.
2. Configure MailMarshal to advertise ESMTP authentication. For more
information see “Server Properties - Advanced” on page 212.
3. Create a receiver rule using the condition “Where sender has authenticated”.
For information about creating rules see “Understanding Rules” on page 85.
For information about this rule condition see “Where sender has
authenticated” on page 105.
Filtering Messages and Attachments
MailMarshal provides a framework that allows you to create an email policy in
support of your Acceptable Use Policy.
A MailMarshal email policy is divided into policy groups. Each policy group
consists of one or more rules.
80
User Guide
For detailed information about the many options available when creating policy
groups and rules, see Chapter 6, “Understanding Email Policy, Policy Groups,
and Rules.”
The default email policy provided with MailMarshal contains several policy
groups containing example and best practice rules. The policy groups are:
Anti-Virus (Inbound)
Contains rules that implement a recommended best practice for virus
scanning of email messages sent in to your environment from the
Internet.
Anti-Virus (Outbound)
Contains rules that implement a recommended best practice for virus
scanning of email messages sent from your environment out to the
Internet.
Anti-Spam
Contains rules that implement a recommended best practice for
detection and blocking of Spam sent to your environment from the
Internet.
Content Security (Inbound)
Contains rules that implement a recommended best practice for filtering
email messages sent in to your environment from the Internet.
Content Security (Outbound)
Contains rules that implement a recommended best practice for filtering
email messages sent from your environment.
Monitoring Only:
Contains rules that allow you to monitor selected content entering and
leaving your environment. Some of these rules duplicate rules in the
other policy groups. If you enable a monitoring rule, to avoid confusion
you should disable any other rule that checks for the same conditions.
Example Rules
Contains rules designed to accomplish some specific tasks that
MailMarshal administrators have found useful.
Chapter 5 • Implementing Your Email Content Security Policy
81
82
User Guide
Chapter 6
Understanding Email Policy, Policy
Groups, and Rules
The MailMarshal Email Policy defines how MailMarshal treats each email
message that it processes.
The Email Policy consists of one or more policy groups. Each policy group
contains one or more rules. Each rule has three parts: User Matching,
Conditions, and Actions.
When MailMarshal evaluates a message, it first checks the User Matching criteria
for each policy group. If a message meets the User Matching criteria for a
group, MailMarshal evaluates the message according to the User Matching and
Conditions sections of each rule in the group. When a message meets the
criteria of a rule, MailMarshal applies the specified actions to the message.
Understanding Policy Groups
A policy group is a group of rules that share base User Matching conditions
and a schedule of times when they apply. When MailMarshal is processing
email, the conditions defined for a policy group must be met before any rule in
that policy group is evaluated.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
83
You can choose to use just a few policy groups, or many. For example, you
could use one policy group to contain rules that apply to all messages
outbound from the organization, and another policy group to contain rules that
apply to all inbound messages. If your organization is divided into departments,
you can also use policy groups to group rules governing email to and from
each department.
Some default policy groups and rules are provided with MailMarshal. You
should make changes and additions to meet your needs. NetIQ recommends a
minimum of two policy groups: one for incoming email and one for outgoing
email.
If you have more than one policy group, you can choose the order in which
MailMarshal will process the groups.
You can set a schedule for a policy group. Any rules in the policy group will
only be enabled at the scheduled times. You can choose to apply one or more
of three different scheduling options:
• A repeating weekly schedule
• An absolute starting date and time
• An absolute ending date and time
To create a policy group:
1. In the left pane of the Configurator, select Email Policy.
2. Choose New policy group from the Action menu.
3. In the top pane on the Filtering Conditions window, select the User
Matching conditions for this policy group.
4. The bottom pane of the Filtering Conditions window displays the conditions
you have selected. If MailMarshal needs more information to define a
condition, the description of the condition includes a hyperlink. Click the
hyperlink to open a rule condition window that allows you to enter the
required information.
5. On the Group Completion window, enter a name and optional schedule
information for this policy group.
84
User Guide
Understanding Rules
MailMarshal rules are divided into two types, receiver rules and standard rules.
A policy group can contain rules of both types. Within a policy group, receiver
rules will always be listed first, because they are always evaluated first for each
message.
Receiver Rules
MailMarshal applies receiver rules while the MailMarshal Receiver is receiving a
message from a remote email server. A receiver rule can cause MailMarshal to
refuse to accept a message based on the size or origin of the message. Because
receiver rules are based on the limited information available while the message
is being received, only a few conditions are available in these rules.
Standard Rules
MailMarshal applies standard rules after a message has been fully received.
They are processed by the MailMarshal Engine. Standard rules can evaluate a
large number of conditions, because the complete email message is available
for evaluation. Standard rules can also take a large number of quarantine and
logging actions.
Creating Rules
You can create as many rules as you need to implement your content security
policy.
To create a rule:
1. In the left pane of the Configurator, select a policy group.
2. Choose New Rule from the action menu.
3. On the first window of the rule wizard, choose to create a receiver rule or a
standard rule.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
85
4. In the top pane on the User Matching window, shown below, select the
User Matching conditions for this rule.
5. The bottom pane on the window displays the conditions you have selected.
If MailMarshal needs more information to define a condition, the description
of the condition includes a hyperlink. Click the hyperlink to open a rule
condition window that allows you to enter the required information.
6. To continue to the Rule Conditions window, click Next.
7. In the top pane on the Rule Conditions window, select the conditions for
this rule.
8. In the bottom pane on the window, review the conditions you have
selected and specify any additional information required as for Step 5.
9. To continue to the Rule actions window, click Next.
86
User Guide
10. In the top pane on the Rule Actions window, select the actions for this rule.
11. In the bottom pane on the window, review the actions you have selected
and specify any additional information required as for Step 5.
12. On the Rule Completion window, shown below, enter a name and optional
description for this policy rule. To create the rule and complete the wizard,
click Finish.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
87
Understanding User Matching
MailMarshal performs User Matching using the SMTP email addresses associated
with a message. When you create policy groups and rules, you can include a
number of User Matching conditions. User Matching conditions can refer to
individual SMTP addresses, wildcard patterns of addresses, and user groups.
All the User Matching conditions in a policy group or rule must match (evaluate
true) in order for MailMarshal to evaluate any other rule conditions.
The available User Matching conditions include the following:
Where message is incoming
Matches if the message is addressed to a domain that is included in the
MailMarshal Local Domains list.
Where message is outgoing
Matches if the message is addressed to a domain that is not included in
the MailMarshal Local Domains list.
Where addressed to people
Matches if a recipient of the message is found in the list of people
specified.
Note
Whenever a condition requires a list of “people”, the list can contain
individual email addresses, wildcard patterns to match sets of addresses
such as domains, and MailMarshal user groups. For more information
about wildcard characters, see Appendix A, “Wildcards and Regular
Expressions.”
Where addressed from people
Matches if the sender of the message is found in the list of people
specified.
Where addressed either to or from people
Matches if a recipient or sender of the message is found in the list of
people specified.
88
User Guide
Where addressed both to and from people
Requires two lists of people. Matches if the sender of the message is
found in the first list of people specified, and the recipient of the
message is found in the second list of people specified.
Except where addressed to people
Matches if no recipient of the message is found in the list of people
specified.
Except where addressed from people
Matches if the sender of the message is not found in the list of people
specified.
Except where addressed either to or from people
Matches if no recipient or sender of the message is found in the list of
people specified.
Except where addressed both to and from people
Requires two lists of people. Matches if the sender of the message is not
found in the first list of people specified, and no recipient of the
message is found in the second list specified.
Tip
“Except” matching criteria are the key to creating exception based
policies. Rules that apply to all recipients with the exception of small
specific groups help to ensure that security policies are uniformly
applied. For instance, a rule might apply Where the message is
incoming except where addressed to Managers
Understanding Rule Conditions
MailMarshal evaluates rule conditions within standard and receiver rules.
MailMarshal checks rule conditions after any User Matching conditions. In
general MailMarshal will only apply the rule actions to a message if all rule
conditions evaluate true.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
89
You can choose one or more rule conditions when you create or edit a rule in
the Configurator. If the condition includes options, arguments, or variables, you
can click a hyperlink in the rule wizard to open a rule condition window and
specify values.
Rule Conditions for Standard Rules
The following conditions are available for use in standard rules. They are
further explained in the sections following:
• Where message attachment is of type
• Where attachment fingerprint is/is not known
• Where message size is
• Where the estimated bandwidth required to deliver this message is
• Where message contains attachment(s) named (file names)
• Where message triggers text censor script(s)
• Where the result of a virus scan is
• Where the external command is triggered
• Where attachment parent is of type
• Where message attachment size is
• Where number of recipients is count
• Where message contains one or more headers (header match)
• Where number of attachments is count
• Where message is categorized as category
• Where message spoofing analysis is based on criteria
90
User Guide
• Where the sender is/is not in the recipient’s safe senders list
• Where the sender is/is not in the recipient’s blocked senders list
Note
If a single rule includes many conditions, they must all evaluate true for the
rule action to be taken. To match any of several conditions, place each one
in its own rule. It pays to keep rules simple and ensure they are logical.
Where message attachment is of type
MailMarshal checks the structure of all attached files to determine their type.
MailMarshal can recognize over 175 types as of this writing.
The rule condition window provides a listing of file types organized by
category. To select an entire category, select the check box associated with the
category. To select individual types within a category, expand the category and
select the check boxes associated with each type.
Note
You can enter additional custom types by entering signature information in a
configuration file. For information about the required procedures and structure
of the file, see NetIQ Knowledge Base article NetIQKB29638.
Where attachment fingerprint is/is not known
The “fingerprint” identifies a specific file (such as a particular image). The rule
condition window allows you to choose to base the condition on fingerprints
which are known or unknown.
To add a file to the list of “known” files, use the “add to valid fingerprints” rule
action, or select Add Fingerprints while processing messages in the Console.
For more information about adding fingerprints, see “Working With Email
Messages” on page 177.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
91
To delete a file from the list of “known” files, locate the file. It will be present
on one or more of the MailMarshal email processing servers in the
ValidFingerprints subfolder of the MailMarshal install folder. Delete the file from
this location on all servers then commit the MailMarshal configuration.
Tip
The attachment fingerprint condition can be useful to exclude certain images,
such as corporate logos or signatures, from triggering quarantine rules. For
example to take action only on images that are not in the list of known images,
use the following conditions:
When a message arrives
Where message attachment is of type IMAGE
And where attachment fingerprint is not known
Files can also be “made known” by placing them in the ValidFingerprints subfolder of the Quarantine folder on any email processing server. MailMarshal
loads these fingerprints every 5 minutes, and when configuration is committed.
For further information about this process, see NetIQ Knowledge Base article
NetIQKB29017.
Where message size is
MailMarshal uses the size of the entire message, before unpacking, in this
condition. The rule condition window allows you to choose a size and
matching method (greater than a given size, less than a given size, between two
sizes, or not between two sizes). If you choose to match between two sizes the
matching is inclusive.
Note
MailMarshal checks the size of the received message in its encoded format. This
is typically 33% larger than the size reported by an email client.
92
User Guide
Where the estimated bandwidth required to deliver this message is
MailMarshal calculates the bandwidth required to deliver a message by
multiplying the message size by the number of unique domains to which it is
addressed. The rule condition window allows you to choose a total bandwidth
and matching method (greater than a given size, less than a given size, between
two sizes, or not between two sizes). If you choose to match “between” two
sizes the matching is inclusive.
One use of this criterion is to move high-bandwidth messages to a “parking”
folder for delivery outside peak hours. Another use is to reject high-bandwidth
messages.
Where message contains attachments named
Use this condition to block files by extension, by specific file name, or by a
wildcard pattern of the file name.
You can enter a list of file names in the rule condition window. When you enter
information, you can use the wildcard characters * and ? For example, the
following are valid entries: *.SHS;*.VBS;*.DO?
You can use this condition to quickly block dangerous file types such as VBS,
or known virus attachments such as “creative.exe”. However, the condition
checks only the file name and not the contents of the file. Use the condition
“Where message attachment is of type” to check files by structure.
Where message triggers text censor script(s)
This condition checks textual content in some or all parts of the message and its
attachments, depending on the settings defined in the specific script.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
93
In the rule condition window, you can select a TextCensor script to be used in
evaluating the message. You can add a script or edit an existing script. For
detailed information about Scripts, see “Identifying Email Text Content Using
TextCensor Scripts” on page 123.
Note
You can include more than one TextCensor script in this condition by selecting
multiple boxes in the rule condition window. If you include more than one
script, all included scripts must trigger for the rule to be triggered.
Where the result of a virus scan is
This condition allows you to select from the virus scanning and cleaning
features available in MailMarshal. Use the rule condition window, shown
below, to choose the desired virus scanning action and the results to be
checked for.
94
User Guide
The following conditions are available:
Note
With the exception of Contains Virus and Unexpected scanner error, the
virus scanning features listed on the rule condition window can only be used
with DLL based scanners. If you attempt to select options that are not supported
by the scanners you have selected, MailMarshal will not allow you to save your
selections.
Scan message with:
This option allows you to choose the virus scanners MailMarshal will use when
processing this condition.
• All Scanners: MailMarshal will use all configured virus scanners to scan all
parts of the message and attachments. This option is the equivalent of virus
scanning rules in MailMarshal 5.0 and earlier versions.
• Specific scanners: To limit the virus scan to specific installed scanners,
choose this option then select the desired scanners from the list.
MailMarshal will use the scanners you select. This setting can be useful if
only some installed scanners support virus cleaning.
Where the result is:
This option allows you to choose the scanner results that will cause this
condition to trigger. To choose options, select the appropriate boxes on the
Select Virus Scanner Results window.
• Contains Virus: The condition will trigger if any part of the message
contains a virus. This is the basic condition.
• ...and is Cleaned: When you select this item, the condition will only trigger
if the code returned indicates that the virus was cleaned. This condition can
be used in a Clean Viruses rule. You cannot choose this option if any nonDLL scanners are selected.
For further information about setting up virus cleaning rules, see the next
section.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
95
• ...and Name Matches: When you select this item, the condition will only
trigger if the name of the virus as returned by the scanner matches the text
in the field. You can use this condition to modify MailMarshal's response
based on certain virus behaviors. For instance you can choose not to send
notifications to the sender address for viruses known to spoof the “from”
address. You can use wildcard characters when you enter virus names. For
details of the available wildcard characters see Appendix A, “Wildcards and
Regular Expressions.”
• Password Protected: When you select this item, the condition will trigger
if the scanner reports the file as password protected.
• File is corrupt: When you select this item, the condition will trigger if the
scanner reports the file as corrupt.
• Virus scanner signatures out of date: When you select this item, the
condition will trigger if the scanner reports its signature files are out of date.
• Could not fully unpack or analyze file: When you select this item, the
condition will trigger if the scanner reports that it could not unpack the file.
• Unexpected scanner error: When you select this item, the condition will
trigger if the scanner reports an unknown error or the code returned is
unknown.
Note
The detailed failure results depend on return codes provided by the
individual scanner vendors. Use the option “Unexpected scanner error” to
specify an action MailMarshal should take when the code returned by the
scanner is not known to MailMarshal. If this option is not selected in a rule
condition, an unexpected return code will result in the message being dead
lettered. For command line scanners, configure the list of return codes in
the virus scanner properties. For more information about virus scanner
properties, see “Configuring Virus Scanners” on page 149.
96
User Guide
To Set Up Virus Cleaning
If you want MailMarshal to attempt to “clean” viruses from email messages, you
must install at least one DLL based virus scanner and set up two rules. The
default configuration for new installations of MailMarshal includes appropriate
rules.
The first rule must have these options selected:
• Contains Virus
• ...and is Cleaned
The second rule must be a standard virus blocking rule, using the option
Contains Virus and invoking a move to a quarantine folder or other blocking
action.
If a virus cannot be cleaned, MailMarshal takes the following actions:
1. MailMarshal applies the rest of the email policy.
2. If no quarantine (move to folder) or other blocking rule has been triggered
after all rules have been applied, MailMarshal deadletters the affected
message.
3. The message log and MailMarshal Engine log will indicate that the message
still contains a virus.
4. If you choose to forward or process the affected message, MailMarshal will
raise a warning indicating that the message contains a virus.
Where the external command is triggered
This option allows you to select one or more external commands MailMarshal
will use to test the message. External commands can be executable programs or
batch files. In the rule condition window, specify the commands. If more than
one command is specified, all commands must be triggered for this condition to
be triggered. For more information about external commands see “Extending
Functionality Using External Commands” on page 166.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
97
Where attachment parent is of type
This condition is intended to be used with the condition “Where message
attachment is of type.” When this condition is selected, MailMarshal considers
the file type of the immediate parent container as well as that of the attachment.
For instance, you can check whether an image is contained in a MS Word
document.
The rule condition window provides a listing of available parent types
organized by category. To select an entire category, select the check box
associated with the category. To select individual types within a category,
expand the category and select the check boxes associated with each type. You
can also choose to apply the condition to types in or out of the selected list. For
instance, you can check that an image is not contained in a Word document.
Tip
You can check for well known attachments, such as signature images in
documents, using the condition “Where attachment fingerprint is/is not
known.”
Where message attachment size is
This condition checks the size of each attachment separately after all unpacking
and decompression is complete. The size of an attachment can be greater than
the size of the original message, due to decompression of archive files. The rule
condition window allows you to choose a size and matching method (greater
than a given size, less than a given size, between two sizes, or not between two
sizes). If you choose to match “between” two sizes the matching is inclusive.
Where number of recipients is count
This condition checks the number of SMTP recipient addresses in a message. It
is typically used to block messages with large recipient lists as suspected Spam.
The rule condition window allows you to choose a number and matching
method (greater than a given number, less than a given number, between two
numbers, or not between two numbers). If you choose to match “between” two
numbers the matching is inclusive.
98
User Guide
Where message contains one or more headers
This condition can be used to check for the presence, absence, or content of
any message header, including custom headers. You can use this condition to
check for blank or missing headers, or to reroute email.
Within the rule condition window, shown below, click New to create a new
header match rule using the Header Matching Wizard. For more information
about this Wizard, see “Using Rules to Find Headers” on page 159.
You can check more than one header match in a single condition. If you check
more than one match, all matches must be true for the condition to be true
(logical “and”). To match any of several header conditions (logical “or”),
include more than one rule with one condition per rule.
To edit any Header Match condition (or view its details), highlight it then click
Edit to restart the Header Matching Wizard. To delete a Header Match
condition, highlight it then click Delete.
Note
You can only use Header Match conditions within the rule where you create
them. To use the same condition in more than one rule, create it in each rule.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
99
Where number of attachments is count
This condition is typically used to block messages with large numbers of
attachments. The number of attachments can be counted using top level
attachments only, or top level attachments to email messages including any
attached messages, or all attachments at all levels.
Note
“Top level attachments” are the files explicitly attached by name to an email
message. Other files, such as the contents of a zip archive or images within a
MS Word document, may be contained within the top-level attachments.
The rule condition window allows you to choose a number and matching
method (greater than a given number, less than a given number, between two
numbers, or not between two numbers). If you choose to match “between” two
numbers the matching is inclusive.
Where message is categorized as Category
This condition allows action to be taken on messages that trigger a category
script. Select one or more category script files using the rule condition window.
MailMarshal can download updates to category scripts automatically. Currently
the only script that is updated in this way is the Spam category script. For
information about this process see “Configuring SpamCensor Updates” on
page 69.
You can created and customize your own category scripts. Some example
category scripts are provided with MailMarshal. For more information, see the
white paper “MailMarshal SMTP for Anti-Spam,” available from the MailMarshal
support page on the NetIQ Web site.
Where message spoofing analysis is based on criteria
This condition allows you to define when MailMarshal should consider a
message to be spoofed. A spoofed message did not originate within the
domain of the claimed sender email address.
100
User Guide
MailMarshal will evaluate this condition when the sender address (“From:”
header or SMTP “Mail From:” address) of a message is within a Local Domain,
as specified on the Local Domains tab of Server Properties.
Note
This condition does not check messages with From addresses in other domains.
In the rule condition window, shown below, select any of the detailed criteria
for this condition.
• The originating IP address: Select this condition to check for spoofing
based on the IP address of the computer which originated the message.
Choose one of the following options to determine how MailMarshal checks
the IP address:
a. Is not considered local as defined by the anti-relaying settings:
When you select this option, MailMarshal will consider email with a
local sender address “spoofed” if it does not originate from a computer
allowed to relay. The list of computers allowed to relay is determined
by the IP address ranges entered on the Anti-Relaying tab of Server and
Array Properties.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
101
This option is useful if you allow multiple servers and workstations in
the local network to route email directly through MailMarshal.
b. Does not match the IP address for that specific local domain:
When you select this option, MailMarshal will consider email with a
local sender address “spoofed” if it is not delivered to MailMarshal from
the correct Local Domain email server. The Local Domain server is the
computer to which MailMarshal delivers messages for the specific SMTP
domain of the “From:” address.
Note
This is the more restrictive option. It requires all email originating within
the organization to have been routed to MailMarshal from a trusted
internal email server. Only messages accepted by the internal email
server will be accepted by MailMarshal. This option can stop local users
from “spoofing” addresses within the local domains.
• The originating system did not use ESMTP authentication: Select this
option to check for spoofing based on the login given by the system that
delivered the message to MailMarshal. Use this condition (and not an IP
address based condition) if you allow roving users to send email through
MailMarshal using the Authentication feature. For more information about
this feature see “Authentication by Account” on page 80.
Where message is/is not in the recipient’s safe senders list
This condition allows you to take action on a message based on the list of “safe
senders” maintained by a local message recipient through the Spam Quarantine
Management Web site. A typical use of this action is to create an exception to
anti-Spam rules, using the rule action “Pass the message to rule.” The default
rules provided with new installations of MailMarshal include a rule to perform
this function.
The user can enter an individual email address, or a wildcard pattern using the
* wildcard character.
In the rule condition window, choose whether to apply the condition if the
sender is, or is not, in the recipient’s safe senders list.
102
User Guide
Where message is/is not in the recipient’s blocked senders list
This condition allows you to take action on a message based on the list of
“blocked senders” maintained by a local message recipient through the Spam
Quarantine Management Web site. A typical use of this action is to create an
rule that quarantines all email from addresses in the user’s blocked list. The
default rules provided with new installations of MailMarshal include a rule to
perform this function.
The user can enter an individual email address, or a wildcard pattern using the
* wildcard character.
In the rule condition window, choose whether to apply the condition if the
sender is, or is not, in the recipient’s blocked senders list.
Rule Conditions for Receiver Rules
The following conditions are available for use in receiver rules.
• Where message is of a particular size
• Where sender's IP address matches address
• Where sender has authenticated
• Where sender's IP address is listed in DNS Blacklist
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
103
Where message is of a particular size
This condition is normally used with a “refuse message” action to refuse large
messages. The rule condition window allows you to choose a size and
matching method (greater than a given size, less than a given size, between two
sizes, or not between two sizes). If you choose to match “between” two sizes
the matching is inclusive.
Note
The MailMarshal Receiver can only process this condition if the outside server
has made an ESMTP connection and reported the message size. In order to
check the size of all messages, you should repeat this condition in a standard
rule to include messages received from sources that do not support ESMTP.
Where sender's IP address matches address
This condition can be used to permit relaying, or to refuse messages, from one
or more ranges of IP addresses. MailMarshal shows the configured ranges in the
rule condition window. To add a range to the list, click New to open the Match
IP Address window. To modify an existing address, highlight it then click Edit.
To delete an existing address from the list, highlight it then click Delete.
Add or modify an address or range using the rule condition window. Select one
of the three choices using the option buttons:
• An IP Address: Enter a single IP address in dotted quad format. For
instance, enter “10.2.0.4”
• A range of IP addresses: Enter the starting and ending IP addresses for an
inclusive range (two dotted quads). For instance, enter “10.2.1.4” and
“10.2.1.37”
• An entire network range: Enter an IP address and a netmask in dotted
quad format. For instance, enter “10.2.1.4” and “255.255.255.0” to match the
entire 10.2.1.0 subnet.
104
User Guide
The check box at the bottom of the window controls whether this address or
range will be included or excluded from the condition match.
• To include the address or range, select the check box.
• To exclude the address or range, clear the check box.
Where sender has authenticated
This condition is normally used with the “Accept message” action to allow
relaying by specific users. This condition will trigger if MailMarshal
authenticated the remote system using an account and password. For more
information about setting up accounts for authentication see “Setting Up
Accounts” on page 201.
Where sender's IP address is listed in DNS Blacklist
This condition allows DNS Blacklist tests to be applied. Choose the Blacklists to
be used from the list in the DNS Blacklists window.
The window shows a list of all enabled Blacklists. Select the check box for each
Blacklist you want to use. Clear the check box for any Blacklist you do not
want to use in this Condition. For information about enabling blacklists, see
“DNS Blacklists” on page 77.
Understanding Rule Actions
MailMarshal rule Actions are performed by standard and receiver rules.
MailMarshal will perform the actions if the User Matching criteria and the other
conditions of the rule evaluate true.
You can include more than one action in a MailMarshal rule. MailMarshal can
also apply more than one set of actions to a message if more than one rule
triggers. However, some actions are terminal actions. If a terminal action is
performed, MailMarshal will stop processing rules for the affected message.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
105
Rule Actions for Standard Rules
The following actions are available for selection in standard rules. Details of
each action are given in the test following.
• Copy the message to folder
• BCC a copy of the message
• Run the external command
• Send a notification message
• Strip attachment
• Write log message(s) with classifications
• Stamp message with message stamp
• Rewrite message headers
• Add attachments to valid fingerprints list
• Set message routing to host
• Add message users into group
• Move the message (terminal action)
• Park the message (terminal action)
• Delete the message (terminal action)
• Pass the message to rule
Copy the message
This action copies the email message file to the specified quarantine folder. You
can make the message processing log available in the same folder by selecting
the check box at the bottom of the window. The message log showing how the
message was processed will then be available in the Console.
When you select this action you can create a new folder. To create a folder,
click New Folder. For more information see “Using Email Folders and Message
Classifications” on page 152.
106
User Guide
BCC a copy of the message
This action sends a blind copy of the message to one or more email addresses.
Enter each address as a complete SMTP address (for example
[email protected]). Separated multiple entries using semi-colons. The
original message will not be modified in any way by this action, so the original
recipient would not know a copy had been taken.
Tip
You can use this action in combination with “delete the message” to effectively
redirect a message to a different recipient.
Run the external command
This action runs an external application. The application can be a Windows
executable or batch file. For instance, an external command to release a
message from quarantine is included with MailMarshal.
Choose one or more commands to be run from the list of pre-defined external
commands. For information about defining external commands, see “Extending
Functionality Using External Commands” on page 166. To run the same
application with different parameters under different conditions, use more than
one external command definition.
Send a notification message
This action sends one or more email messages based on the templates selected
in the rule action window. To view or edit the details of a particular template,
select it then click Edit Template. To create a new template, click New
Template. The new template will automatically be selected for use when you
return to the template selection window. For further information about
templates, see “Notifying Users with Message Templates and Message Stamps”
on page 133.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
107
Strip attachment
This action removes one or more specific attachments from a message. Only the
attachments that triggered the rule conditions for this rule will be stripped. This
action would typically be used to remove attachments of specific file types or
file names.
Notes
•
MailMarshal does not save stripped attachments. If you use this action,
normally you should copy the original message so that you can retrieve the
attachment if necessary. You should stamp the message to inform the
recipient that an attachment has been stripped.
•
You can use this action in combination with a virus detection condition to
strip infected attachments and allow the message to be delivered. To ensure
that the message no longer contains a virus, you must include another virus
scanning rule to run after the stripping action. Otherwise MailMarshal will
treat the message as possibly infected and will move it to the Dead
Letter\Unpacking folder.
Write log message(s) with classifications
This action writes a record classifying this message to the MailMarshal database.
Select one or more logging classifications from the list in the rule action
window. Select the check box to write a logging classification for every
component of the message (for example a separate record for each image file in
a message). To view or edit the detailed information in the classification, click
Edit in the selection window. To create a new classification, click New in the
selection window. For details on classifications, see “Using Email Folders and
Message Classifications” on page 152.
Tip
If a rule moves the message to a folder, MailMarshal automatically logs a
classification for the message. In this case, usually you do not need to include a
classification action as well.
108
User Guide
Stamp message with text
This action adds text to the top or bottom of the original message body.
In the rule action window, choose one or more message stamps to be used. A
stamp will add text at the top or bottom of the message as selected when it is
created. To view or edit the details of a particular message stamp, select it then
click Edit Stamp. To create a new stamp, click New Stamp; the new message
stamp will automatically be selected when you return to the stamp selection
window. For details on message stamps, see “Notifying Users with Message
Templates and Message Stamps” on page 133.
Rewrite message headers
Use this action to modify, add, or delete any message header, including custom
headers. You can repair blank or missing headers, insert a notification into the
subject, or reroute email.
Within the rule action window, shown below, click New to create a new
header rewrite rule using the Header Rewrite Wizard. For more information
about this Wizard see “Using Rules to Change Headers” on page 160.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
109
You can include more than one Rewrite rule in the same action. If you include
more than one Rewrite rule, the order of application of the rules can be
significant. The rules listed first in the Header Rewrite window will be evaluated
first. Adjust the order of evaluation by selecting a rule and using the up and
down arrows on the window.
Note
Header Rewrite rules are only available within the rule where they are created.
To perform the same action in more than one rule (or within a rule and the
Header Rewrite function of the MailMarshal Receiver), create a Header Rewrite
rule in each place.
Add attachments to valid fingerprints list
This action adds the attachments to MailMarshal's list of “valid fingerprints”
(normally used for images or other files which require special treatment, such
as company logos). In the rule action window, choose whether to add all
attachments, or only images, to the list. For more information, see the rule
condition “Where attachment fingerprint is/is not known.”
Set message routing to host
This action allows a message to be marked for sending to a selected email
server. You can use this action to implement dynamic routing based on the
recipient, the message headers, or the content of a message.
110
User Guide
In the rule action window, enter a host name or IP address to which
MailMarshal should send the message. MailMarshal will use this address when it
attempts delivery, even if the message is “parked” first. If several rules invoke
this action, MailMarshal will use the last address.
Notes
•
This action is not a terminal action. It sets the route for the message, but it
does not send the message immediately or stop rule evaluation. MailMarshal
will continue to evaluate remaining applicable rules. Generally you should
not use the actions Delete the message and Set message routing to host
for the same message. If you do, the message will be deleted and not
delivered.
•
If a message is addressed to a MailMarshal POP3 domain, the message
routing set by this action will not take effect.
Add message users into group
This action allows you to add members to a MailMarshal user group based on
any rule criteria, such as the sender or recipients of a message. You can use this
action to automate the generation of lists of safe senders or blocked senders,
based on other features of messages.
In the rule action window, select one or more groups MailMarshal should add
users to. Choose whether to add the sender or recipients.
You can create a new group by clicking New Group.
Move the message
This action moves the email message file to the specified quarantine folder. To
make the message processing log available in the same folder, select the check
box at the bottom of the rule action window. The message log explaining how
the message was processed will then be available in the Console. If a new
folder is required, click New Folder to bring up the New Folder Wizard.
This is a terminal action. MailMarshal will not process any further rules for a
message if this action is performed.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
111
Park the message
This action moves the email message file to the specified parking folder for
release according to the schedule associated with that folder. To create a new
folder with a different schedule, click New Folder to bring up the New Folder
Wizard.
This is a terminal action. If this action is performed, MailMarshal will not
process any further rules for a message until the message is released from the
parking folder.
Delete the message
This action deletes the email message file. The message will not be sent to its
original destination.
This is a terminal action. MailMarshal will not process any further rules for a
message if this action is performed.
Pass the message to rule
If no “terminal” rule action has been taken, this action allows a choice of which
further rules to apply. Several choices are available in the rule action window:
• Skip the next rule (do not apply it).
• Skip to the next policy group (do not apply further rules in this policy
group).
• Skip all further rules (pass the message through to the intended recipients).
• Skip to a particular policy group or rule.
Note
It is only possible to skip to a rule which is evaluated after the current rule.
The order of evaluation can be changed. See “Understanding Order of
Evaluation” on page 114.
112
User Guide
When skipping to a rule in a different policy group, remember that the parent
policy group conditions can prevent its having any effect. For instance,
skipping from MailMarshal's default Content Security (Inbound) policy group to
the Content Security (Outbound) policy group is allowed, but rules in the
Outbound policy group will have no effect on inbound messages.
Rule Actions for Receiver Rules
The following actions are available for use in receiver rules.
• Accept message
• Refuse message and reply with message
Note
These actions take effect immediately. If you use both types of actions in
receiver rules, check the order of evaluation carefully to ensure that
MailMarshal checks for any exceptions first.
Accept message
This action directs MailMarshal to accept the message for delivery subject to
standard rules. The message could be relayed to an address outside
MailMarshal's local domains. This condition can be used in conjunction with the
condition “Where sender has authenticated” or an IP address match, to allow
relaying by specific email users.
Refuse message and reply with message
This action directs MailMarshal to refuse the message. MailMarshal will send a
SMTP response refusing delivery to the sending server. This action can be used
in conjunction with a size-limiting condition to conserve bandwidth, or to
refuse messages sent from specific problem addresses as detected by User
Match, IP Address, or DNS Blacklist conditions.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
113
On the rule action window, enter the SMTP response code and message to be
returned as the message refusal.
• Message Number: Enter a SMTP message number (between 400 and 599)
to return. The default number 550 is a standard SMTP “message refused”
response.
Note
If you use a number in the 400 range the sending server will treat the
refusal as temporary and will retry the delivery later. If you use a number in
the 500 range the sending server will treat the refusal as permanent and will
mark the message as undeliverable.
• Message Description: Enter a short message giving details of the reason
for refusal. Within this message, the following variables are available:
Variable
Data inserted
{Recipient}
The “To:” SMTP address of the original message.
{Sender}
The SMTP address of the sender. This is the
address in the “From” field unless it is empty, in
which case the “Reply to” address is used.
{SenderIP}
The IP address of the sender.
Understanding Order of Evaluation
The order in which MailMarshal evaluates policy groups and rules can affect the
outcome of processing for a message. This is usually due to “terminal” actions
that stop MailMarshal processing further rules for a given message.
For instance, by default MailMarshal evaluates virus scanning rules first. If a
scanner reports a virus MailMarshal quarantines the message immediately. In
this case MailMarshal will not perform any additional processing on the
message.
114
User Guide
MailMarshal evaluates policy groups and rules in “top down” order as it displays
them in the Configurator.
Adjusting the Order of Evaluation of Policy Groups
You can change the order of evaluation by changing the order of the policy
group listing in the Configurator.
To adjust the order of evaluation of policy groups:
1. Select Policy Groups in the left pane.
2. Select a policy group in the right pane.
3. Move the group up or down using the arrows in the toolbar or taskpad
header.
4. Commit the MailMarshal configuration to effect the change in order.
Adjusting the Order of Evaluation of Rules
You can change the order of evaluation by changing the order of the rule listing
in the Configurator.
To adjust the order of evaluation of rules:
1. Expand a policy group.
2. Select a rule in the right pane.
Chapter 6 • Understanding Email Policy, Policy Groups, and Rules
115
3. Move the rule up or down using the arrows in the toolbar or taskpad
header.
4. Commit the MailMarshal configuration to effect the change in order.
Notes
•
Within a policy group, MailMarshal lists all receiver rules first.
MailMarshal processes receiver rules before it accepts the body of a
message, so it always applies receiver rules before standard rules.
•
You cannot move a rule containing a “Goto” action (Pass the message
to rule) below the rule it is set to go to, because this order could cause
a processing loop. If you attempt to move a rule in this way MailMarshal
raises a warning notice. For more information, see “Pass the message to
rule” on page 112.
Viewing Email Policy
You can list the entire email policy or a policy group in a format suitable for
printing or copying to a file. For each rule, the listing shows the rule name, a
verbose description, and a detailed listing of conditions and actions. The listing
also indicates whether the rule is disabled.
To print or copy a listing of the email policy or a policy group:
1. In the left pane of the Configurator, select Email Policy or a named policy
group.
2. On the Action menu, choose Print.
3. MailMarshal presents the selected items in a print preview window.
4. To print the window contents, click the Print icon on the print preview
window toolbar. You can also copy part or all of the window contents to
the Clipboard using standard Windows commands.
116
User Guide
Chapter 7
Understanding Email Policy
Elements
Email policy elements are building blocks you can use when you create
MailMarshal policy groups and rules. These elements help you to specify
complex rule conditions and rule actions.
Some examples of each type of element are provided by default when
MailMarshal is installed. These examples are used in the default email policy.
You can edit the existing elements or create new ones to support your policy
requirements.
The following types of elements are available:
Connectors
Allow you to import user and group information from Active Directory
or LDAP servers.
User Groups
Allow you to apply policy based on email addresses. MailMarshal can
retrieve groups from Active Directory or LDAP servers. You can also
create local groups and enter members using wildcard characters.
Chapter 7 • Understanding Email Policy Elements
117
TextCensor Scripts
Allow you to apply policy based on the textual content of email
messages and attachments. You can create complex conditions using
weighted combinations of boolean and proximity searches.
Message Templates and Message Stamps
Allow you to notify email users and administrators about MailMarshal
actions, and insert disclaimers and confidentiality statements. You can
include specific information about a message using variables.
Virus Scanners
Allow you to check email messages for virus content. If a virus is found
in a message you can attempt to clean it.
Email Folders and Message Classifications
Allow you to quarantine or copy messages, or simply to record the
results of MailMarshal evaluation. You can report on folder and
classification actions using MailMarshal Reports.
Email Header Matching and Rewriting
Allow you to search for the content of email header fields using Regular
Expressions. You can modify, add, or delete headers.
External Commands
Allow you to extend MailMarshal functionality with customized
conditions and actions.
You can create or edit many policy elements on the fly while you are working
with rules. See Chapter 6, “Understanding Email Policy, Policy Groups, and
Rules”. You can also create elements in advance.
To work with policy elements, open the MailMarshal Configurator from the
NetIQ MailMarshal program folder. In the left pane of the Configurator select
Policy Elements. To work with Connectors, in the left pane of the
Configurator select Connectors.
118
User Guide
Configuring Connectors
Connectors allow MailMarshal to import user and group information from
Active Directory and LDAP servers.
For information about creating connectors, see “Creating Directory Connectors”
on page 45.
To edit a connector:
1. Select a connector in the right pane of the Configurator.
2. Click Properties on the taskpad header (Taskpad view) or the tools menu
(Standard view).
3. On the General tab, you can edit the name and description of the
connector.
4. On the Reload Schedule tab you can edit the schedule on which
MailMarshal will check for updated information on the groups imported
through this connector. You can choose to import once a day at a specific
time, or more than once a day, or manually.
5. If this is an Active Directory connector, on the Active Directory Logon
tab you can choose to connect as anonymous, or as a specific account. If
you choose to connect using a specific account, enter the account details.
6. If this is a LDAP connector, edit the information provided.
a. On the LDAP Server tab you can edit the server name, port, and logon
information. You can choose to connect as anonymous, or as a specific
account. If you choose to connect using a specific account, enter the
account details. You can enter or browse for a search root for this
server. See the Help for full details of the fields on this tab. To change
the attributes MailMarshal uses to retrieve group and member
information from the LDAP server, click Advanced.
Chapter 7 • Understanding Email Policy Elements
119
b. On the Group Attributes tab of the Advanced LDAP Properties window,
edit the information MailMarshal will use to retrieve groups from the
LDAP server. See the Help for full details of the fields on this tab.
c. On the User Attributes tab of the Advanced LDAP Properties window,
edit the information MailMarshal will use to retrieve user email
addresses from the LDAP server. See the Help for full details of the
fields on this tab.
7. When you have completed all required changes to the connector, click OK.
Configuring User Groups
You can use MailMarshal user groups within policy groups and rules. User
groups allow you to apply policy to specific users. MailMarshal uses SMTP
email addresses to perform user matching. You can create and populate user
groups within MailMarshal by entering email addresses manually or copying
them from other Groups. You can use wildcard characters when you define
groups. You can also import user groups from an Active Directory environment
or a LDAP server through a MailMarshal connector. MailMarshal updates the
membership of imported groups automatically on a schedule you choose within
the connector.
Creating and Populating User Groups
Before you can import user groups, you must create MailMarshal connectors to
provide access to the directory servers. For more information about creating
connectors, see “Creating Directory Connectors” on page 45.
To create and maintain user groups, in the left pane of the Configurator,
expand User Groups.
To create a user group:
1. In the left pane of the Configurator, expand User Groups.
2. On the Action menu, choose New User Group.
120
User Guide
3. Choose to create a MailMarshal group, or import groups through an Active
Directory or LDAP connector.
4. If you are importing a group, select the Active Directory or LDAP
connector you want to use. For more information about connectors, see
“Configuring Connectors” on page 119. Click Next.
5. If you are creating a MailMarshal group, enter a name and description
for the group.
6. If you are importing a group, enter the group name or click Browse to
browse or search for available groups. You can select more than one group
to import.
Note
Best practice with imported user groups is to avoid using them directly in
MailMarshal rules and policy groups. Configure the rules and groups using
MailMarshal groups, and include the imported groups as members of the
MailMarshal groups.
7. When you have entered all the required information, click Next.
8. If you are creating a MailMarshal group, you can choose to edit the
group immediately after creating it. To edit the group, on the final window
of the New User Group wizard select Edit the user group.
9. To create or import the group, click Finish.
Populating an Active Directory or LDAP Group
Initially, an Active Directory or LDAP group will be empty of users. The group
will be populated at the next scheduled update. You can use an imported
group immediately in editing MailMarshal rules. However, you should not
enable any rules that use a group until the group has been populated.
To populate an Active Directory or LDAP Directory group:
1. Select the group in the left pane of the Configurator.
2. On the Action menu, select Reload Group.
Chapter 7 • Understanding Email Policy Elements
121
Adding Members to a MailMarshal Group
You can add addresses or wildcard patterns to a MailMarshal user group.
To add members to a MailMarshal user group:
1. Select the appropriate user group from the right pane of the Configurator.
2. On the Action menu, select Insert Users.
3. In the New User Group window, enter an individual SMTP address, a partial
address using wildcard characters, or a domain name.
Note
For more information about wildcard characters, see Appendix A,
“Wildcards and Regular Expressions.”
4. To add the value, click Add or use the Enter key.
5. The window remains open and you can enter additional values. If you
entered an individual address, MailMarshal retains the domain name portion
of the address in the field and you can simply enter another new user
name.
6. When you have completed entry of all addresses, click OK.
7. Repeat this action to add other user groups.
8. When you have added all desired groups, click OK.
Adding Groups to a MailMarshal Group
You can add Active Directory, LDAP, and MailMarshal groups to a MailMarshal
user group.
To add other groups to a MailMarshal user group:
1. Select a MailMarshal user group from the right pane of the Configurator.
2. On the Action menu, select Insert Groups.
122
User Guide
3. In the Insert Into User Group window, select a group from the list.
4. To add the value, click Add or use the Enter key.
5. The window remains open and you can select additional values.
6. When you have completed your selection of groups, click OK.
Moving and Copying Users and Groups
You can use drag-and-drop to move or copy a user name or an included user
group from one parent group to another
To copy a user group, right-click it in the right pane of the Configurator. To
make a copy, choose Duplicate from the context menu.
To copy a user group so that it is included within another user group, in the left
pane select it and drag it over the target group.
To move a user group so that it is included within another user group, hold
down the Shift key while dragging.
To copy or move users, select a user group in the left pane to view its members
in the right pane. To move group members, select one or more members in the
right pane and drag them over a group in the left pane. To copy group
members, hold down the Ctrl key while dragging.
Identifying Email Text Content Using TextCensor
Scripts
TextCensor scripts check for the presence of particular lexical (text) content
in an email message. MailMarshal can check one or more parts of a message,
including the message headers, message body, and any attachments that can be
lexically scanned.
Chapter 7 • Understanding Email Policy Elements
123
A script can include many conditions. Each condition is based on words or
phrases combined using Boolean and proximity operators. The script matches,
or triggers, if the weighted result of all conditions reaches the target value you
set.
Apply TextCensor scripts to email messages using standard rules.
Creating and Editing Scripts
To work with TextCensor Scripts, select TextCensor Scripts in the left pane of
the Configurator.
To add a TextCensor Script:
1. In the left pane of the Configurator, expand TextCensor Scripts.
2. On the Action menu, choose New TextCensor Script to open the
TextCensor Script window.
124
User Guide
3. Enter a name for the script.
4. Select which portions of an email message you want this script to scan by
selecting one or more of the check boxes Subject, Headers, Body, and
Attachments.
Note
The script will check each part separately.
For instance, if you select both Headers and Message Body, the script will
be evaluated once for the headers, then again for the body. Script scoring is
not cumulative over the parts.
5. By default you can only use alphanumeric characters A-Z and 0-9 in
TextCensor items. If you need to match any non-alphanumeric characters,
select the check box enable matching for special characters, then enter
any special characters to be matched in the field. For instance, to match the
HTML tag fragment <script you must enter the < in this field. To match
parentheses ( ) you must enter them in this field.
Note
The equal sign = is an exception. To match this character in a TextCensor
item, simply enclose it within double quotes: “=”.
6. Add one or more TextCensor items. To begin adding items, in the
TextCensor Script window click New to open the TextCensor Item window.
Chapter 7 • Understanding Email Policy Elements
125
7. Select a weighting level and type for the item. For more information, see
“Script and Item Weighting” on page 127.
8. Enter the item text, optionally using boolean and proximity operators. For
example you could enter
(Dog FOLLOWEDBY hous*) AND NOT cat
In this example the item weighting will be added to the script total if the
scanned text contains the words “dog house” (or “dog houses”, and so on)
in order, and does not contain the word “cat”.
Note
TextCensor items are case insensitive by default. However, quoted content
is case sensitive. For example “textcensor” would not trigger on the first
word in the body of this note.
9. To add the value to this script, click Add or use the Enter key. The New
TextCensor Item window will remain open and you can create additional
items.
10. When you have entered all items, click Close to return to the New
TextCensor Script window.
11. Select a Weighting Trigger Level. If the total score of the script reaches or
exceeds this level, the script will be triggered. The total score is determined
by evaluation of the individual lines of the script.
12. To set the order of evaluation, click Sort List. Sorting sets items with
negative weighting levels to evaluate first.
Note
Because evaluation of a script stops when the trigger level is first reached,
setting evaluation order is important.
126
User Guide
Editing TextCensor Scripts
You can change the content of an existing script, including the individual items
and overall properties.
To edit a TextCensor Script:
1. Double-click the script to be edited in the right pane.
2. Edit an item by double-clicking it.
3. Delete an item by selecting it then clicking Delete.
4. Change the contents of any fields such as the script name, parts of the
message tested, special characters, and weighting trigger level.
5. Use the Sort List button to adjust the order of items.
6. Click OK to accept changes or Cancel to revert to the stored script.
Duplicating TextCensor Scripts
Duplicate a script if you want to use it as the basis for an additional script.
To duplicate a TextCensor Script:
1. Right-click the script name in the Configurator.
2. Choose Duplicate from the context menu.
3. After duplicating the script, make changes to the copy.
Script and Item Weighting
Each script has a trigger level expressed as a number. If the total score of the
content being checked reaches or exceeds this level, the script is triggered. The
total score is determined by summing the scores resulting from evaluation of
the individual items in the script.
Chapter 7 • Understanding Email Policy Elements
127
Each line in a script has a positive or negative weighting level and a weighting
type. The type determines how the weighting level of the line is figured into the
total score of the script. There are four weighting types:
Weighting Type
Description
Details
Standard
Each match of the words or
phrases will add the weighting
value to the total.
If the weighting level of this
item is 5, every match will add
5 to the total.
Decreasing
Each match of the words or
phrases will add a decreasing
(logarithmic) weighting value to
the total. Each additional match
is less significant than the one
before.
If the weighting level of this
item is 5, the first five matches
will add 5, 4, 4, 3, and 3 to the
total.
Increasing
Each match of the words or
phrases will add an increasing
(exponential) weighting value to
the total. Each additional match
is more significant than the one
before.
If the weighting level of this
item is 5, the first five matches
will add 5, 5, 6, 6, and 7 to the
total.
Once Only
Only the first match of the words
or phrases will add the weighting
value to the total.
If the weighting level of this
item is 5, this item will
contribute at most 5 to the total,
no matter how many times it
matches.
You can use negative weighting levels and trigger levels to allow for the
number of times a word may appear in an inoffensive message. For instance, if
“breast” is given a positive weighting in an “offensive words” script, “cancer”
could be assigned a negative weighting (since the presence of this word
suggests the use of “breast” is medical/descriptive).
Note
Because MailMarshal stops evaluation of a script when it reaches the trigger
level, you should make sure that items with negative weighting are set to
evaluate first. Use the Sort List button to set the order of evaluation correctly.
128
User Guide
Item Syntax
A TextCensor script contains one or more items, each consisting of words or
phrases, boolean and proximity operators.
• You can use the wildcard character * at the end of a word only (for example
“be*” matches “being” and “behave”).
• You can use parentheses to set the order of evaluation and for grouping.
You can also use parentheses to help readability in complex lines.
• You can use Boolean and proximity operators. You must enter the
operators in capital letters. The six supported operators are:
Operator
Function
Example
AND
Matches when all terms are
present
Dog AND cat
OR
Matches when any term is
present
dog OR cat
Logical negation of terms;
use after other operators;
means “anything else but.”
Dog AND NOT cat
NEAR
Matches when two terms are
found within the specified
number of words of each
other. The default is 5.
Dog NEAR=2 bone
FOLLOWEDBY
Matches when one term
follows another within the
specified number of words.
The default is 5.
Dog FOLLOWEDBY=2 house
INSTANCES
Matches when a term is
found the specified number of
times. You must specify a
value.
Dog INSTANCES=3
NOT
dog OR (cat AND rat)
Dog FOLLOWEDBY (NOT
house)
Chapter 7 • Understanding Email Policy Elements
129
• When you use NEAR or FOLLOWEDBY, a word is defined as any group of
one or more contiguous alphanumeric characters, bounded at each end by
non-alphanumeric characters. If any non-alphanumeric characters have
been included as “special characters”, each single special character is also
counted as a word.
Tip
For instance, by default S-P-A-M counts as four words. If the “-” character is
entered as a “special character,” then the same text counts as 7 words.
MailMarshal allows the INSTANCES operator for compatibility with earlier
TextCensor scripts, but it is deprecated. You can use item weighting types to
produce the same result with improved performance.
Importing Scripts
You can import scripts in files. Use this function to copy a script from another
MailMarshal installation, or to restore a backup
To import a TextCensor Script from a CSV or XML file:
1. On the Action menu, choose New TextCensor Script to open the
TextCensor Script window.
2. Click Import.
3. Choose the file to import from, and click Open.
4. In the Edit TextCensor Script window, click OK.
Note
TextCensor Scripts exported from MailMarshal 4.2.5 and earlier versions do
not include the Weighting Trigger Level, Special Characters, and Apply to
following parts settings. If you are importing such a script, you must add
this information by editing the script after you import it.
130
User Guide
Exporting Scripts
You can save scripts in files. Use this function to move a script between
MailMarshal installations, or to edit a script in another application such as
Microsoft Excel.
To export a TextCensor Script to a CSV or XML file:
1. Double-click the name of the script to be exported in the right pane to
bring up the Edit TextCensor Script window.
2. Click Export.
3. Enter the name of the file to export to, and click Save.
4. In the Edit TextCensor Script window, click OK.
TextCensor Best Practices
To use TextCensor scripts effectively, you should understand how the Text
Censor facility works and what it does.
MailMarshal applies TextCensor scripts to text portions of messages. Depending
on the potions you select, a script can apply to headers, message bodies, and
attachment content. MailMarshal can generally apply TextCensor scripts to the
text of Microsoft Office documents and Adobe PDF files, as well as to attached
email messages and plain text files.
Constructing TextCensor Scripts
The key to creating good TextCensor scripts is to enter exact words and phrases
that are not ambiguous. They must match the content to be blocked. Also, if
certain words and phrases are more important, you should give those words
and phrases a higher weighting. For instance, if your organizational Acceptable
Use Policy lists specific terms that are unacceptable, you should give those
terms a higher weighting to reflect the policy.
Chapter 7 • Understanding Email Policy Elements
131
In creating TextCensor scripts, strike a balance between over-generality and
over-specificity. For instance, suppose you are writing a script to check for
sports-related messages. If you enter the words “score” and “college” alone
your script will be ineffective because those words could appear in many
messages. The script will probably trigger too often, potentially blocking
general email content.
You could write a better script using the phrases “extreme sports”, “college
sports” and “sports scores” as these phrases are sport specific. However, using
only a few very specific terms can result in a script that does not trigger often
enough.
You can strike a good balance using both very specific and more general terms.
Again using the example of sports related content, you could give a low
positive weighting to a phrase such as “college sports.” Within the same script
you could give a higher weighting to the initials NBA and NFL, which are very
sports specific.
Decreasing Unwanted Triggering
TextCensor scripts sometimes trigger on message content which is not
obviously related to the content types they are intended to match.
To troubleshoot unwanted triggering:
1. Use the problem script in a rule which copies messages and their
processing logs to a folder. You could call this folder “suspected sports
messages”.
2. After using this rule for some time, check on the messages that have
triggered the script. Review the message logs to determine exactly which
words caused the script to trigger. See “Viewing Messages” on page 179.
3. Revise the script by changing the weighting, weighting type, or key words,
so as to trigger only on the intended messages.
4. When you are satisfied, modify the rule so as to block messages that trigger
the script. You could also choose to notify the sender and/or the intended
recipient.
132
User Guide
Testing TextCensor Scripts
When you are working with a TextCensor script in the Configurator, you can
test it against a file or pasted text.
To test a TextCensor Script:
1. On the New or Edit TextCensor Script window, click Test.
2. To test using a file, select Test script against file. Enter the name of a file
containing the test text (or browse using the button provided).
3. To test using pasted text, select Test script against text. Type or paste
the text to be tested in the field.
4. Click Test. MailMarshal will show the result of the test, including details of
the items which triggered and their weightings, in the Test Results pane.
Notifying Users with Message Templates and
Message Stamps
MailMarshal provides two ways of sending notifications by email.
Message stamps are short blocks of text that can be added to an email
message. You can use a stamp to add a company disclaimer, or to warn the
recipient of a message that MailMarshal has modified it.
Message templates are complete email messages that can be sent to a user or
administrator. MailMarshal uses templates for system notifications such as nondelivery reports. You can also use them to provide auto-responders or other
custom notices. MailMarshal can use special digest templates to provide users
with summary information about quarantined email.
Chapter 7 • Understanding Email Policy Elements
133
MailMarshal applies message stamps to both HTML and plain text portions of an
email message. Message templates can also include plain text and HTML
bodies.
Variables can be used in both templates and stamps. Variables are specially
formatted strings you can insert in a stamp or template. When MailMarshal uses
the stamp or template, it replaces the variables with information about the
specific message. This facility allows you to provide detailed information about
the actions MailMarshal has taken on a specific message.
Message Templates
Message templates are used when MailMarshal sends a notification email
message based on the outcome of rule processing. The most common use of
notification messages is to notify appropriate parties when an email message is
blocked.
Notifications are a very powerful tool to inform and modify user behavior.
When well thought out and constructed, they can save the administrator a lot of
time.
You can also use a notification to set up a general auto responder based on
message headers or content. For instance, MailMarshal could respond to a
message to [email protected] with the subject “Send Catalog” by returning
the product catalog to the sender as an email attachment.
134
User Guide
The same rule can send several notification messages. For instance, if
MailMarshal detects a virus you could choose to send different messages to an
email administrator, the external sender, and the intended internal recipient of
the message.
You can attach files to a notification. Attachments can include the original
message, the MailMarshal processing log for the message, and any other file
(such as a virus scanner log file).
You can create a template as plain text, HTML, or both. If you choose to create
a template with both HTML and plain text bodies, you must edit the two bodies
separately. If you choose to create a template with HTML only, MailMarshal will
automatically generate a plain text equivalent of the template with similar
formatting.
You can include links to images in HTML templates. You cannot embed images.
Note
In addition to rule notification templates, MailMarshal uses a number of preconfigured templates for administrative notifications (such as delivery failure
notifications). For more information about modifying these templates, see
“Server Properties - Advanced” on page 212.
Chapter 7 • Understanding Email Policy Elements
135
Creating a Message Template
To work with templates, select Message Templates in the left pane of the
Configurator.
To create a message template:
1. In the left pane of the Configurator, select Message Templates.
2. On the Action menu, select New Message Template to open the Message
Template window.
136
User Guide
3. By default, MailMarshal creates a HTML message body. MailMarshal will
automatically generate a plain text equivalent of the message body when
using the template. To choose a plain text body or edit both types
separately, click Options.
4. To see additional address fields, click Options.
5. Enter a name for the template.
6. Enter appropriate information in the Header Details section. For instance,
enter the email address to which replies should be sent in the Return Path
field.
Tip
The MailMarshal default configuration includes numerous templates. These
are a good source of ideas for the creation of new templates.
7. Enter text in the body section. To view the raw HTML, right-click in the
HTML pane and select Edit Raw HTML. Edit the HTML, or paste HTML
source from another editor, then click OK to return to the message template
window.
8. You can attach files to the notification, including the original message, the
MailMarshal message processing log, and other files. To attach one or more
files, select the appropriate box(es) and enter the file names if necessary.
9. You can use variables marked with braces { }. To see a list of variables
available in any field, type { to bring up a context menu. You can also enter
variable names manually. You can use nested variables. For details of the
variables available in templates, see “Using Variables” on page 143.
Note
When sending a notification to the original sender of an email message, use
the {ReturnPath} variable in the To: field to reduce the chance of looped
messages.
Chapter 7 • Understanding Email Policy Elements
137
Digest Templates
The MailMarshal Array Manager uses digest templates to deliver periodic
message digests to users.
Digest templates are similar to message templates. The key differences are:
• You cannot attach files to digest templates.
• Digest templates support several variables specific to the digesting function
that are not available in message templates. These variables allow
MailMarshal to provide a list of information about several messages within
the same notification message. For details of the variables available in digest
templates, see “Using Variables” on page 143.
Note
To obtain the best results with digest templates, edit the plain text and
HTML versions of the template separately using the “Both” option.
138
User Guide
To create a digest template:
1. In the left pane of the Configurator, select Message Templates.
2. On the Action menu, select New Digest Template to open the Digest
Template window.
3. By default, MailMarshal populates the template with basic information.
MailMarshal creates separate HTML and plain text message bodies. To
choose to use only one of the two types, click Options.
4. To see additional address fields, click Options.
5. Enter a name for the template.
6. Enter appropriate information in the Header Details section. For instance,
enter the email address to which replies should be sent in the Return Path
field.
Chapter 7 • Understanding Email Policy Elements
139
7. Enter text in the body section. To view the raw HTML, right-click in the
HTML pane and select Edit Raw HTML. Edit the HTML, or paste HTML
source from another editor, then click OK to return to the message template
window.
8. You can use variables marked with braces { }. To see a list of variables
available in any field, type { to bring up a context menu. You can also enter
variable names manually. You can use nested variables. MailMarshal
provides pre-formatted tables of all digested messages in HTML and plain
test formats. For details of the variables available in templates, see “Using
Variables” on page 143.
9. Click OK.
Editing Templates
You can edit a template, including the address information and the message
bodies.
To edit a template:
1. Double-click a template name in the Configurator.
2. Make changes then click OK. If you have created both a plain text and a
HTML version of the template, remember to change both versions.
Duplicating Templates
You can make a copy of a template if you want to use it as the starting point for
another template.
To copy a template:
1. Right-click a template name in the Configurator.
2. Choose Duplicate from the context menu.
3. After duplicating the template, make changes to the copy.
140
User Guide
Deleting Templates
You can delete a template if it is not used in any rules.
To delete a template:
1. Select a template in the Configurator.
2. Click the Delete icon in the toolbar.
Message Stamps
Message stamps are short blocks of text that MailMarshal can apply to the top or
bottom of an email message body. MailMarshal message stamps can include a
plain text and an HTML version. MailMarshal will apply the appropriate stamp
format to the body text of the same type in the message.
Many companies use message stamps to apply disclaimers or advertising on
outgoing email. MailMarshal can also use a message stamp to notify the
recipient that a message has been processed (for example by having an
offending attachment stripped).
To work with message stamps in the Configurator, select Message Stamps in the
left pane.
To create a message stamp:
1. In the left pane of the Configurator, select Message Stamps.
2. On the Action menu, select New Message Stamp.
3. Enter a name for the stamp.
4. Select whether the stamp is to appear at the top or the bottom of messages.
5. Enter a plain text version of the message stamp in the Plain Text tab.
6. Enter an HTML version of the stamp in the HTML tab. You can apply
various formatting, including hyperlinks, to the HTML text using the buttons
provided.
Chapter 7 • Understanding Email Policy Elements
141
To view the raw HTML, right-click in the HTML pane and select Edit Raw
HTML. Edit the HTML, or paste HTML source from another editor, then
click OK to return to the message stamp window.
7. To add the new stamp to the list of available message stamps, click OK
Note
If message stamping is enabled for RTF (Microsoft TNEF) messages, the
plain text message stamp will be used for these messages. To enable RTF
stamping, see the Advanced tab of Server Properties.
Both plain text and HTML message stamps can include the same variables
available within email notification templates.
Duplicating Message Stamps
You can make a copy of a stamp if you want to use it as the starting point for
another stamp.
To duplicate a message stamp:
1. Right-click the stamp name in the Configurator.
2. Choose Duplicate from the context menu.
3. After duplicating the message stamp, make any required changes to the
copy. Remember to make changes to both the Plain Text stamp and the
HTML stamp.
Editing Message Stamps
You can make changes to a stamp. Remember to make changes to both the
Plain Text stamp and the HTML stamp.
142
User Guide
To edit a message stamp:
1. Double-click the stamp name in the right hand pane of the Configurator.
2. Make the required changes.
3. Click OK.
Deleting Message Stamps
You can delete a message stamp if it is not used in any rules.
To delete a message stamp:
1. Select the stamp in the right hand pane of the Configurator.
2. Click the Delete icon in the toolbar.
Using Variables
When you create a message template, digest template, message stamp, or
message classification description, you can use a number of variables.
MailMarshal substitutes the appropriate information when it uses the template
or stamp.
Variables are marked by curly braces { }. You can select from available variables
in any field where they are available in a template, stamp, or classification. To
see a list of available variables in a specific field, type { .
Not all variables are available in all contexts. MailMarshal may not have the
required information to substitute. If MailMarshal does not have any data, it will
leave the variable marker intact.
Chapter 7 • Understanding Email Policy Elements
143
The following table lists commonly used variables and their functions:
144
Variable
Data inserted
{$MessageDigestTableHTML}
The HTML version of a message digest
detail listing. See also
{MessageDigestTableText}.
{Administrator}
Email address of the administrator as set on
the General tab of Server Properties.
{ArrivalTime}
The time when MailMarshal received a
message.
{AttachmentName}
File name of the attached file that triggered a
rule condition.
{Date}
The current date. See also “Date Formatting”
on page 148.
{DateLastRun}
The date of the previous MailMarshal
message digest for a folder.
{Errorlevel}
The last error returned by a virus scanner or
an external command.
{ExternalCommand}
The name of the last External Command
used.
{Env=varname}
Inserts the value of a Windows environment
variable.
{ExternalSender}
Returns 'y' or 'n' depending on whether the
sender was outside or inside the “allowed to
relay” space.
{File=fullpath}
Inserts a text file within the body of a
message (for instance, can be used to insert
the MailMarshal log for a message in a
notification email body).
{Folder}
The name of the folder that is the subject of
a MailMarshal message digest email.
User Guide
Variable
Data inserted
{FolderRetention}
The retention period for a folder that is the
subject of a MailMarshal message digest
email.
{From}
Email address in the 'From' field of the
message.
{HasAttachments}
Returns '1' if the message has attachments.
{HelloName}
Name given by the remote email server
when MailMarshal received this message.
{If variable}...[{else}...]{endif}
Allows conditional substitution of text. The
condition is true if the variable is not empty.
For example: {If VirusName}This
message contained the virus
{VirusName}.{endif}
The Else clause is optional.
{InitialMessageBody}
The first 200 characters of the body of the
message.
{Install}
The install location of MailMarshal.
{LastTextCensorRuleTriggered}
The name of the TextCensor Script that was
run and the phrase that triggered.
{LocalRecipient}
The message recipient, if any, within the
local domains. Includes multiple recipients
and CC recipients.
{LogName}
The name of the Logging Classification
used.
{Message-ID}
Original SMTP Message ID of the message.
{MessageFullName}
Full path to the message file.
{MessageCount}
The number of messages quarantined for a
user in a specific folder and listed in a
message digest email.
Chapter 7 • Understanding Email Policy Elements
145
146
Variable
Data inserted
{MessageDigestTableText}
The plain text version of a message digest
detail listing. See also
{$MessageDigestTableHTML}.
{MessageName}
Filename only of the message.
{MMSmtpMapsRBL}
A list of DNS blacklists that triggered on the
message within a Receiver rule. Does not
include information generated by the
Category Script (SpamCensor) process.
{PolicyGroupTitle}
The title of the policy group containing the
rule triggered by the message. Replaces
{RulesetTitle}.
{RawSubject}
Message subject with any encoding
included, as originally received. Use this
variable to include the subject in the Subject
field of notification templates. See also
{Subject}.
{Recipient}
Message recipient. Includes multiple
recipients and CC recipients.
{ReleasePassThrough}
Inserts a code recognized by the gateway to
release the message applying no further
rules. See “Using the Message Release
External Command” on page 243.
{ReleaseProcessRemaining}
Inserts a code recognized by the gateway to
release the message applying any additional
applicable rules. See “Using the Message
Release External Command” on page 243.
{ReplyTo}
Email address in the 'Reply to' field of the
message.
{ReturnPath}
SMTP “Mail From” email address.
{RuleTitle}
The title of the rule triggered by the
message.
User Guide
Variable
Data inserted
{Sender}
Email address of the sender. Uses the
address in the “From” field unless it is empty,
in which case the “Reply to” address is used.
{SenderIP}
IP address of the sender.
{ServerAddress}
Email address used as the 'From' address
for notifications as set on the General tab of
Server Properties.
{SpamCensorResult}
The result string as returned by the
SpamCensor facility.
{SsmUrl}
The URL of the MailMarshal Spam
Quarantine Management Web site.
{StrippedFiles}
The names of any attachment files stripped
from the message by rule action.
{Subject}
Message subject, decoded if applicable. Use
this variable in most cases. See also
{RawSubject}.
{ThreadWorking}
The MailMarshal working folder name.
{Time}
The current time. See also “Date Formatting”
on page 148.
{VirusName}
Name of the virus detected. This information
is only available if the virus scanner being
used is a DLL based scanner. If a command
line scanner reports a virus this variable is
set to “Unknown.”
{VirusScanner}
Name of the virus scanner used.
Chapter 7 • Understanding Email Policy Elements
147
Date Formatting
When you use dates in variables within message templates, message stamps,
and logging classifications, you can include formatted dates. This feature is
especially useful to avoid confusion about the order of day, month, and year in
dates.
To use date formatting, include the template variable {date=%%var} where var is
one of the sub-variables from the table below. You can include more than one
sub-variable within the same date variable. For instance {date=%%d %%b %%Y}
would return 07 Apr 2004.
Note
Each sub-variable must be preceded by %%. For example, to ensure that the
date is formatted according to the Windows locale, use {date=%%c}.
The following table lists the available date formatting sub-variables:
148
Variable
Value inserted
a
Abbreviated weekday name
A
Full weekday name
b
Abbreviated month name
B
Full month name
c
Date and time representation appropriate for locale
d
Day of month as decimal number (01–31)
H
Hour in 24-hour format (00–23)
I
Hour in 24-hour format (01–12)
j
Day of year as decimal number (001–366)
m
Month as decimal number (01–12)
M
Minute as decimal number (00–59)
User Guide
Variable
Value inserted
p
Current locale's A.M./P.M. indicator for 12-hour clock
S
Second as decimal number (00–59)
U
Week of year as decimal number, with Sunday as first day of week (00–53)
w
Weekday as decimal number (0–6; Sunday is 0)
W
Week of year as decimal number, with Monday as first day of week (00–53)
x
Date representation for current locale
X
Time representation for current locale
y
Year without century, as decimal number (00–99)
Y
Year with century, as decimal number
z
Time-zone name or abbreviation; no characters if time zone is unknown
Configuring Virus Scanners
MailMarshal is not a traditional virus scanner. MailMarshal can invoke thirdparty virus scanners to check email messages and attachments for viruses.
Nearly all MailMarshal installations use third-party virus scanning.
Tip
MailMarshal also provides substantial proactive protection against viruses
through file name and file type checking, as well as TextCensor scanning for
virus-related text and harmful commands.
MailMarshal can use one or more virus scanners. Because virus scanners have
differing architecture, some organizations choose to use multiple scanners.
MailMarshal invokes the virus scanner after unpacking all elements of an email
message. MailMarshal then passes the elements to the scanner software for
analysis, and takes action based on the result returned from the scanner.
Chapter 7 • Understanding Email Policy Elements
149
MailMarshal can invoke the “cleaning” feature of selected virus scanners to
attempt to clean infected files.
The MailMarshal default rules include sample virus scanning and cleaning rules.
You can modify these rules to suit local conditions.
To work with MailMarshal, a virus scanner must have a command-line interface
or a special MailMarshal DLL. The scanner must return a documented response
indicating whether or not a virus is detected. Most commercially available virus
scanners meet these specifications.
Note
Because DLL based scanners are always resident in memory, they are about 10
times faster than command line scanners. NetIQ recommends the use of DLL
scanners for sites with high message traffic.
The virus scanners listed below have been tested and validated for use with
MailMarshal as of the date of this Guide. Appropriate parameters for these
scanners are pre-coded in the Configurator, ready for selection. Please see
NetIQ Knowledge Base article NetIQKB29746 for the latest list.
• NetIQ Integrated McAfee Antivirus (DLL, Supports cleaning)
• Norman Virus Control (DLL, Supports cleaning)
• Panda Antivirus (DLL, Supports cleaning)
• Sophos Anti-Virus (DLL, Supports cleaning)
• Symantec AntiVirus Engine (DLL, Supports remote installation and cleaning)
• InoculateIT 6.x
• Network Associates Netshield and McAfee Command Line Scanner
• NOD 32
• Vet Anti-Virus for NT Server
150
User Guide
Install one or more chosen scanners on each MailMarshal email processing
server (or remotely, if the scanner supports remote access) following the
manufacturer's instructions. For more information about installing virus
scanners, see “Installing and Configuring Virus Scanners” on page 73.
Tip
NetIQ Integrated McAfee Antivirus requires installation of the NetIQ Integrated
McAfee Antivirus Console. This software is available on the MailMarshal CDROM, or in a separate download from www.netiq.com. This interface is enabled
through a special MailMarshal product key. MailMarshal trial keys have this
feature enabled. Permanent keys for NetIQ Integrated McAfee Antivirus are
available from NetIQ suppliers.
Best Practices
NetIQ recommends the following basic practices to ensure security with respect
to viruses and virus scanning:
• Block messages and attachments that MailMarshal cannot scan, such as
password protected attachments and encrypted attachments (for example
files of type ‘Encrypted Word Document’).
• Block encrypted messages that MailMarshal cannot decrypt, such as PGP
and S/MIME messages and encrypted ZIP files.
• Block executable and script files by type and name. This helps to ensure
that unknown viruses will not be passed through.
• Subscribe to email notification lists for virus outbreaks. Such lists are
available from many anti-virus software companies. When an outbreak
occurs, block the offending messages by subject line or other identifying
features
Note
If resident or “on access” virus scanning is enabled, MailMarshal's working
folders must be excluded from scanning. See “Excluding Working Folders
From Virus Scanning” on page 42.
Chapter 7 • Understanding Email Policy Elements
151
Configuring a Virus Scanner
Before MailMarshal can use a virus scanner in email processing, you must
configure it within MailMarshal.
For details about how to configure a virus scanner, see “Installing and
Configuring Virus Scanners” on page 73.
Viewing Virus Scanner Properties
Double click the name of any virus scanner in the right pane to review and
change MailMarshal's configuration information for that scanner. The fields
shown will vary depending on whether the scanner is a command line or DLL
based scanner. For details of the fields, see the Help for this window.
Using Email Folders and Message Classifications
MailMarshal uses a SQL database to log basic information about each message it
has processed. This information includes the sender, recipient, message size,
and actions taken.
If MailMarshal moves or copies a message to a folder, it logs this fact in the
database.
Message Classifications are another way of adding detail to the log records. You
can add Message Classifications by including an action within a MailMarshal
standard rule. MailMarshal Reports, the Console Message History, and the
Console search results can show the classification of a message.
152
User Guide
You should include at least one logging action (either a folder action or a
classification action) in each standard rule. MailMarshal's default rules include
such actions.
Notes
•
To avoid confusion in reporting, MailMarshal will not allow a folder and a
classification with the same name.
•
If a folder or classification is related to Spam or virus activity, you should
add it to the appropriate reporting group. For more information about
reporting groups, see “Reporting Groups” on page 224.
Message Classifications
Message classifications are useful for reporting on broad categories, such as
viruses or executable files quarantined. You can also use classifications to
record very specific occurrences such as a specific file or size of file being sent.
For example you could answer the question “How many PDF files over 500K in
size are sent by Sales each week?” by creating a rule to log sending of such
files. If several rules place messages in a single MailMarshal folder, you can use
classifications to give additional granularity for searching and reporting.
To work with Message Classifications in the Configurator, select Message
Classifications from the left pane menu tree.
To create a message classification:
1. On the Action menu, choose New Message Classification.
2. In the window, enter a meaningful name for the classification.
3. Give a brief description of the classification and its purpose. This
description will be used in the Console and Reports, and can contain { }
variables as in message stamps and templates.
4. To add the classification, click OK.
Chapter 7 • Understanding Email Policy Elements
153
Editing Message Classifications
You can edit the name and description of a classification.
To edit a message classification:
1. Double-click the classification name in the right pane of the Configurator to
view its properties.
2. Make any required changes.
3. Click OK.
Duplicating Message Classifications
You can make a copy of a classification if you want to use it as the starting
point for another classification.
To duplicate a message classification:
1. Right-click the classification name in the Configurator.
2. Choose Duplicate from the context menu.
3. After duplicating the classification, make any required changes to the copy.
Deleting Message Classifications
You can delete a classification if it is not used in any rules.
To delete a message classification:
1. Select the classification name in the right pane of the Configurator.
2. Click the Delete icon in the toolbar.
154
User Guide
Folders
Folders store messages that MailMarshal has quarantined, parked for later
delivery, or archived. For each folder you can choose how long MailMarshal
retains messages placed in that folder.
Folders also include the Dead Letter folders. A Dead Letter is a message
MailMarshal cannot process or cannot deliver. Dead Letters can result from bad
email addresses, from corrupted data, from differing interpretations of Internet
standards, or when a message is intentionally malformed in an attempt to
exploit a security vulnerability.
To work with folders in the Configurator, select Folders from the left pane
menu tree.
Creating Folders
You can create as many folders as your policy requires.
To create a folder:
1. On the Action menu, choose New Folder.
2. Choose how the folder will be used.
•If you select Standard Folder, messages MailMarshal places in the
folder can be managed by administrators or users.
•If you select Archive Folder, messages MailMarshal places in the folder
cannot be deleted manually.
•If you select Parking Folder, messages MailMarshal places in the folder
will be held until released by the schedule. When MailMarshal
releases messages from parking it continues evaluating rules starting
with the rule immediately following the rule that caused the message
to be “parked.”
Note
This version of MailMarshal no longer provides the option to skip
remaining rules on release from a parking folder.
Chapter 7 • Understanding Email Policy Elements
155
3. Click Next.
4. If this is a standard folder, specify a retention period for messages in the
folder. Choose whether to enable end-user management for the folder. Click
Next.
5. If you chose to enable end-user management, select the end-user
management options. Click Next.
6. If this is an archive folder, specify a retention period for messages in the
folder. You can choose to retain messages indefinitely. Click Next.
7. If this is a parking folder, specify a schedule of times when messages
will be “parked” for later delivery. Click Next.
8. Choose a name and an icon for the folder, and optionally enter a
description. Click Next.
9. The final window of the new folder wizard shows the options you have
selected. To add the folder, click Finish.
Editing Folders
You can change the name and most features of a folder. You cannot change the
type of an existing folder.
To edit the configuration of a folder:
1. Select the folder name in the Configurator.
2. Click the Properties icon on the taskpad header or the toolbar.
3. On the General tab, edit the name, description, and icon used to identify
the folder.
156
User Guide
4. If you want to set a custom location for this folder, under Folder Physical
Path select Use the following location and enter a path. The path can be
a full path relative to a drive letter, or a partial path relative to the
MailMarshal installation folder. If you have more than one email processing
server in your MailMarshal installation, the path must be valid on every
email processing server. MailMarshal will create the folder if it does not
exist. If you set a new location for a folder you must manually move any
subfolders to the new location.
Note
You can also change the base location for quarantine folders on each email
processing server. For more information, see “Folder Locations” on
page 216.
5. If this is a standard folder, on the Options tab edit the retention period
for messages in the folder. Choose whether to enable end-user management
for the folder. If you choose to enable end-user management, select the
end-user management options.
6. If this is an archive folder, on the Options tab specify a retention period
for messages in the folder. You can choose to retain messages indefinitely.
7. If this is a parking folder, on the Parking Schedule tab specify a
schedule of times when messages will be “parked” for later delivery.
8. On the Security tab, edit the user access permissions for the folder. For
more information, see “Setting Console Security” on page 185.
Deleting Folders
You can delete a folder if it is not used in any rules.
To delete a folder:
1. Select the folder name in the Configurator.
2. Click the Delete icon on the taskpad header or the toolbar.
Chapter 7 • Understanding Email Policy Elements
157
Deleting a folder in the Configurator does not delete the physical folder or any
email messages it contains. To delete email messages use the MailMarshal
Console. To delete the physical folder and its contents use Windows tools.
Header Matching and Rewriting
MailMarshal can perform searches and replace text in email headers using a
Regular Expression engine. You can apply rewriting globally when messages
are received. You can also perform header searches and header replacements
within standard rules.
Warning
Regular Expression matching and substitution provides very powerful
capabilities. However, regular expressions are complex and can be difficult to
construct. If headers are rewritten incorrectly, you may be unable to determine
the sender or intended recipient of affected messages. Use this facility with
care.
Changing and Adding Headers with the Receiver
MailMarshal provides global header rewriting to modify email header and
envelope detail. Global rewriting is typically used to allow email aliasing. This
action is performed by the MailMarshal Receiver during email message receipt.
Some examples of actions that can be performed are
• Address modification: for example, changing [email protected] to
[email protected]
• Field removal: for example, stripping out the received: lines from outbound
messages.
• Alias substitution: for example, replacing addresses via a lookup table, as in
[email protected] being replaced by [email protected]
• Domain masquerading: for example, replacing all addresses in
thisdomain.com with identical addresses in thatdomain.com.
158
User Guide
To work with global header rewriting:
1. On the Tools menu of the Configurator, select Server and Array
Properties.
2. On the Array Properties window, click the Header Rewrite tab.
From this tab you can add a new global header rewrite rule, edit an existing
rule, or delete an existing rule. You can also change the order of evaluation of
the rules.
For details of the rule editing processes, see “Using the Header Rewrite Wizard”
on page 160.
Using Rules to Find Headers
You can search email headers using regular expressions using the MailMarshal
standard rule condition “Where message contains one or more headers.” This
rule condition allows matching based on the presence of specific email message
headers, or specific content within any header.
To create a header match condition, within the rule condition window click
New.
To perform more than one header match within a single condition, complete
the match rule wizard for each match.
Note
If more than one header to match is entered within a single rule condition, all
expressions must match for the condition to be true (logical AND). To check
any of several headers (logical OR), use one rule per header.
For details of the rule editing processes, see “Using the Header Rewrite Wizard”
on page 160.
Chapter 7 • Understanding Email Policy Elements
159
Using Rules to Change Headers
You can alter email headers using regular expressions using the MailMarshal
standard rule action “Rewrite message headers using expressions.” This rule
action allows matching based on the presence of specific email message
headers, or specific content within any header.
To create a header rewrite action, within the rule action window click New.
To perform more than one header rewriting action within a single condition,
complete the rule wizard for each header rewriting action.
Note
If more than one header to rewrite is entered within a single rule, the order in
which rewriting is applied will be significant. Rewriting actions will apply in top
down order as they are listed in the rule action window. To change the order,
use the arrows in the window.
For details of the rule editing processes, see “Using the Header Rewrite Wizard.”
Using the Header Rewrite Wizard
This wizard allows you to create a header matching or header rewriting rule.
The wizard uses regular expression matching and substitution. For more
information about regular expressions, see “Regular Expressions” on page 249.
The windows of the wizard are as follows:
• An introduction page that gives warning information (shown for Rewriting
only).
• A field matching page to select the header or envelope fields to be matched,
and the portion of the field to be modified.
• A substitution options page where matching and substitution expressions
are entered.
• A naming and test page for naming the rule and testing the matching and
substitution.
160
User Guide
You can also change the order of evaluation of header rewriting rules using the
arrows at the bottom of the parent window.
To use the Header Wizard:
1. If MailMarshal displays the Welcome window, click Next to proceed to the
Field Matching window.
2. Select the fields that you want the rule to apply to from the list. You can add
or edit a custom header field name using the buttons provided.
Chapter 7 • Understanding Email Policy Elements
161
3. Choose a parsing method from the list. Depending on this selection,
MailMarshal will apply regular expression matching to parts or all of the
selected headers.
Note
To insert a custom header, use the parsing method “Entire Line.” To match
or modify all email addresses, use the method “Email Address”.
•If you select the method “Entire Line” MailMarshal will use the entire
text of the header as the input text for the substitution engine.
•If you select the method “Email Address” MailMarshal will use each
email address found in the line as the input text.
•If you select the method “Domain” MailMarshal will use the domain
part of each email address as the input text.
4. Select the check box Match Case to perform a case sensitive search. Clear
the check box to make the search case insensitive.
Note
To search for email addresses or domains, use a case insensitive search.
162
User Guide
5. Click Next to proceed to the Field Substitution window.
6. In the Optional Exclusion Filter field, you can enter a regular expression.
If this expression is found in the input text, the search will return “not
matched”.
7. In the Field Search Expression field, enter a regular expression that
MailMarshal should use to select the data for matching or rewriting. If the
input text matches this expression, the rule will match or rewrite it, subject
to exceptions based on the exclusion filter.
Chapter 7 • Understanding Email Policy Elements
163
8. If this is a rewriting rule, choose one of the rewriting methods:
•Substitute into field using expression replaces the matched data
using a sed or Perl-like syntax. You can use sub-expressions
generated from the field search here. Refer to the sub-expressions as
$1 through $9.
Note
If you replace the entire contents of a field, be sure to terminate the text
with a CRLF (\r\n). You can insert this value through the arrow to the
right of the field. If you enter $0 (the tagged expression containing the
entire input line) at the end of the substitution expression, a CRLF will
already be included.
•Map using file provides for substitutions from a file, to allow a level
of indirection in resolving what to substitute into the field. See
“Regular Expressions” on page 249.
•Delete the field removes the matching material from the header.
When Entire line is selected in the parsing options, selecting Delete
the field removes the entire header line from the message.
•Insert if missing permits you to add a new header if any of the
selected headers does not exist. MailMarshal will use the text of this
field as the value of the new header line. For instance if you have
added the custom header x-MyNewField then you might enter the
value Created by Header Rewrite.
164
User Guide
9. Click Next to proceed to the Rule Completion window.
10. Enter a name for the rule.
11. Optionally enter a comment to explain the purpose of the rule.
12. To test the rule, enter an input string in the Source field and click Test. The
result will appear in the Result field. For rewriting actions, the result will be
the rewritten string. For matching, the result will be “matched” or “not
matched”.
Chapter 7 • Understanding Email Policy Elements
165
13. If this is a rewriting rule, select whether the changes will be actually
applied and/or logged. Select the check box Enable field changes to
apply this rule to messages. Select the check box Log changes to write a
log of changes to the MailMarshal logs for the message. If only Log
changes is selected, the logs will show the changes that would have
occurred.
14. Adjust the order of evaluation using the arrows provided below the list of
rules.
Notes
•
If you use several header matching rules within a single standard rule
condition, all must evaluate true for the condition to be true.
•
If you create several rewriting rules for global Header Rewrite or within
a single standard rule action, the order of evaluation will be significant.
Rewriting actions will be applied in top-down order as shown on the
window.
Extending Functionality Using External
Commands
An external command is a custom executable, Windows command, or batch file
that can be run by MailMarshal. The command can be used to check email
messages for a condition, or to perform an action when a message meets some
other condition.
You can use custom executables or batch files with the standard rule condition
“Where the external command is triggered.” For instance, you can invoke
fgrep.exe for advanced expression matching.
If you want to use an external command to check for a condition, the command
must return a standard return code.
166
User Guide
You can also use custom executables with the standard rule action “Run the
external command.” For instance, a particular email subject line could trigger a
batch file to start or stop a system service, or to send a page or network
notification to an administrator.
MailMarshal is provided with an external command for message release. See
“Using the Message Release External Command” on page 243.
To use an external command in MailMarshal rules, you must first define it.
To create a new external command definition:
1. In the left pane of the Configurator select External Commands.
2. On the Action menu, click New External Command to open the External
Command window.
.
3. Enter a name for the external command.
Chapter 7 • Understanding Email Policy Elements
167
4. Type the path for the executable file. You can also browse for the file by
clicking Browse.
Note
To use a batch file, you must invoke the command interpreter explicitly as
follows:
%Systemroot%\system32\cmd.exe /C {batchfile.cmd} [variables...]
5. In the Parameters field, enter any command line parameters necessary for
the command. You can pass specific information about a message to the
command using MailMarshal variables.
6. The Timeout and Timeout per MB values control how long MailMarshal
will wait for a response before ignoring the external command. The default
values are very generous.
Note
If the external command executable uses 10% of the timeout time in actual
processing (CPU usage), MailMarshal will terminate the command, log the
event as a runaway process, and place the message in the Dead
Letter\Unpacking folder.
7. The Single Thread setting indicates whether the command must operate
on one message at a time, or can be invoked multiple times. In most cases
this box should be left selected. Certain executables can be run multithreaded.
8. The Only execute once for each message setting determines whether an
external rule condition command will be run for each component of a
message, or only once. For example if you are using fgrep to perform
Regular Expression searches of attached files, this box should be cleared to
ensure that MailMarshal passes each component of each message of
fgrep.exe.
9. If you plan to use the external command as a rule condition, you must set
the trigger return code information. You should find this information in the
documentation of the executable.
168
User Guide
Two fields allow you to enter trigger values which further specify the meaning
of the code returned from the virus scanner.
• If the code returned matches any value entered in the field Command is
triggered if return code is, MailMarshal will consider the condition to be
satisfied.
• If the code returned matches any value entered in the field Command is
not triggered if return code is, MailMarshal will consider the condition
not to be satisfied.
• If the code returned matches neither field, the file is moved to the
Undetermined dead letter folder and an email notification is sent to the
MailMarshal administrator.
• Entries in both return code fields can be exact numeric values, ranges of
values (for example 2-4), greater than or less than values (for example <5,
>10). More than one expression can be entered in each field, separated by
commas (for example 1,4,5,>10).
Chapter 7 • Understanding Email Policy Elements
169
170
User Guide
Chapter 8
Monitoring Email Flow
MailMarshal provides a number of tools to assist in daily administration of email
flow and server health. These include the Console and Web Console, the
Configurator, MailMarshal Reports, the Spam Quarantine Management Web site,
Windows event logs, the Windows performance monitor, and the text logs
generated by each MailMarshal service.
You can delegate access to a number of these tools, including the Console
functions, reports, and Spam management.
If you want to:
Use:
View a summary of email traffic and filtering
activity for the current day; view details of
configuration update status and running
MailMarshal services for each email
processing server.
The MailMarshal Today page in the Console.
See “Viewing Server Statistics” on page 174.
View totals of messages processed and
queued for each email processing server;
delete a message queued for sending.
The Servers item in the Console. See
“Deleting and Retrying Queued Messages”
on page 176.
View a history of service alerts (unusual
activity) for all MailMarshal servers.
The Alert History in the Console. See
“Viewing Alert History” on page 185.
Stop and start MailMarshal services.
The Servers and Arrays item in the
Configurator. See “Managing Node
Services” on page 208.
Chapter 8 • Monitoring Email Flow
171
172
If you want to:
Use:
View details of each message processed.
The Email History and Folders in the
Console. See “Viewing Email History” on
page 183.
Search for details of a specific message.
The History Search in the Console. See
“Searching Folders and Email History” on
page 184.
View, release, redirect, or delete a message
in quarantine
The Email History, History Search, and
Folders in the Console.
View a graphical display of performance
information for the MailMarshal services.
The Windows Performance monitor. See
“Performance Monitor” on page 190.
View detailed debugging information for the
MailMarshal filtering and delivery services.
The Windows Application log and the
MailMarshal text service logs on each
server. See “Using MailMarshal Text Logs”
on page 190.
Generated detailed reports on email traffic
and filtering activity over time.
MailMarshal Reports. See Chapter 10,
“Reporting on MailMarshal Activity.”
Delegate administrative functions to help
desk personnel.
The Console Security tab on the Manager
Properties window and the folder security
options for each folder, all found in the
Configurator. See “Setting Console Security”
on page 185.
Delegate management of Spam and other
quarantined messages to email users.
The Spam Quarantine Management Web
site and the properties of folders. See
“Setting Up Spam Quarantine Management
Features” on page 239.
User Guide
Using the MailMarshal Console
The Console provides summary information on the current state of MailMarshal,
as well as administrative access to the quarantine folders and message sending
services. You can install the Console on any workstation that can connect to the
Mail Marshal Array Manager on port 19001 (or whatever port you have
configured at the Array Manager).
You can also access nearly all Console features using the MailMarshal Web
Console. The Web Console installs as a virtual directory under IIS and can be
accessed from any computer that can browse to the server where the Web
console is installed. All functions of the Console are also available in the Web
Console unless otherwise noted.
The procedures in this chapter refer to the MailMarshal Console MMC
application. The Web console provides the same left pane items, but the Web
interface uses different control buttons and menus. For details of how to
perform specific tasks using the Web Console, please see the Help for the Web
Console.
Note
You can limit access to the Console and to specific folders by granting
privileges to specific Windows accounts. For more information see “Setting
Console Security” on page 185.
Connecting to MailMarshal Using the Console
You can connect using the console from any computer that can connect to the
Array Manager computer.
To connect using the Console:
1. Start the MailMarshal Console from the NetIQ MailMarshal program group.
2. Choose the name of the Array Manager server from the list, or browse the
network for a server by clicking Browse.
Chapter 8 • Monitoring Email Flow
173
3. If the Array Manager server expects connections on a port other than the
default 19001, enter the correct value. (To change this value at the Array
Manager, use the MailMarshal Server Tool. See “Array Communications” on
page 214.)
4. To connect as a user other than the current Windows user, select the
appropriate radio button then enter the user information.
5. To attempt to connect, click OK.
Connecting to MailMarshal Using the Web Console
You can connect using the Web Console from any computer that can browse to
the Web Console server.
To connect using the Web Console:
1. Open Internet Explorer and browse to the Web Console Web site you have
configured.
2. Enter Windows credentials on the Windows authentication window, or the
login window of the Web console site.
Viewing Server Statistics
The MailMarshal Today page provides basic information about MailMarshal at a
glance. To view the MailMarshal Today page, select MailMarshal Console in the
left pane. You must be in Taskpad view. To switch to Taskpad View, from the
View menu choose Taskpad View.
Information available on this page includes:
Server Summary
Lists the MailMarshal email processing servers, and shows the software
version as well as the times of the last configuration commit and service
restart for each server.
174
User Guide
Email Statistics
Shows the number of messages and volume of traffic for the current
day, divided into inbound and outbound traffic. Inbound traffic is email
addressed to the local domains as configured in MailMarshal.
Inappropriate content
Shows the number of messages that MailMarshal has classified as spam
and virus infected. The data reported here can include one or more
folders or message classifications. For information about how to view or
edit the list of data included, see “Reporting Groups” on page 224.
Top Quarantine Folders
Shows the total number of messages currently in the MailMarshal
quarantine, and provides details of the top 5 folders by number of
messages.
Email Transport Policies
Shows the number of messages processed today that have triggered
MailMarshal transport policies. Transport policies cause a message to be
refused by MailMarshal. These messages are blocked before delivery, so
they are not quarantined.
The Servers item collects server and service status information for each
MailMarshal email processing server. To view this item click Servers in the left
pane. For each server the Console shows the server name, version of
MailMarshal installed, whether the configuration is up to date with the
configuration committed at the Array Manager, and whether the services are
running.
For each server you can also see details of the services and messages
processed. To see a summary of the receiver and sender activity for a specific
server, expand the Servers item then expand the item for the server name. To
see details of the individual items, select an item (Receiver, Sender, or
Domains).
Chapter 8 • Monitoring Email Flow
175
Deleting and Retrying Queued Messages
The Sender item for each server shows the messages MailMarshal is currently
sending. The Domains item for each server shows a list of email domains that
MailMarshal is attempting to send messages to, including domains that are
pending a retry.
To abandon sending and delete a message MailMarshal is currently sending, in
the Sender view highlight the message and click Kill Message.
To attempt to send all messages queued for a specific domain in the queue, in
the Domains view, highlight a domain and click Retry Domain Now.
Using Mail Batching
If mail batching is configured to send and receive email over an external
connection, you can initiate an immediate connection for a specific server by
selecting the server name in the right pane then selecting Send/Receive
Batched email from the action menu.
Viewing Folders and Folder Contents
To view a list of MailMarshal's message quarantine folders, expand the menu
item Folders. These folders include the archive, parking and standard folders
into which messages are placed through rule action, as well as the Dead Letter
folders used for messages that cannot be processed, and the Mail Recycle Bin
used to hold deleted items for a period.
176
User Guide
To view the contents of a folder, select it in the left pane. The contents will be
displayed in the right pane, divided into daily subfolders. Select a daily folder to
see its contents. By default no more than 200 items will be retrieved for each
subfolder per screen. You can view the next or previous screen using the Page
Up and Page Down keys. You can adjust the number of items per screen by
choosing Preferences from the Tools menu. You can sort the items on the
screen by clicking column headers.
Note
The column sorting function only sorts the items on the current screen. If the
folder contains more than one screen of items, sorting does not sort over
multiple screens. Use the user filter at the top of the listing, or the search
function, to retrieve a limited number of items.
You can also view items in the folders using the Email History view and the
Search window.
Working With Email Messages
You can perform the following actions on an email message located in a
MailMarshal quarantine folder:
View
Open a new window displaying the message headers, body,
attachments, and the MailMarshal email processing logs if they are
available for the message.
Forward
Send a copy of the message to a specified email address.
Delete
Move the message to the MailMarshal Mail Recycle Bin, or optionally
delete it permanently. You cannot perform this action for items in
Archive folders.
Process
Queue the message for action by other MailMarshal services. This action
is typically used to release a message from quarantine. You can choose
from several options.
Chapter 8 • Monitoring Email Flow
177
To work with a message, select it in the Email History, the Message Search
results, or the Folders view.
Forwarding Messages
Use forwarding to send a copy of the message to a specified email address.
To forward a message:
1. Select the message.
2. Click the Forward icon on the toolbar, or open the message then choose
Forward from the Message menu.
3. Enter one or more addresses. To forward to multiple addresses, enter them
separated by semi-colons (for instance [email protected];
[email protected]).
4. By default MailMarshal will delete the message as part of the forwarding
action. To adjust this behavior select or clear the check box. MailMarshal
will not delete messages from archive folders.
Deleting Messages
Deleting a message sends it to the Mail Recycle Bin, or optionally deletes it
permanently.
To delete one or more messages:
1. Select the messages. You can use shift and control click to multi-select.
2. Click the Delete icon in the taskpad header. The message(s) will be sent to
the Mail Recycle Bin folder.
3. If you want to delete the message(s) permanently, hold down the Shift
key while clicking the Delete icon.
178
User Guide
Restoring Messages
Restoring a message retrieves it from the Mail Recycle Bin. MailMarshal displays
it in the folder where it was originally quarantined.
To restore one or more messages from the Mail Recycle Bin to their
original location:
1. Select items in the Mail Recycle Bin.
2. Click the Restore icon.
Note
Once MailMarshal places a message in a quarantine folder, it retains that
message for the period configured in the properties of the folder, unless
you choose to delete the message permanently. The retention period
applies even if the message is moved to the Mail Recycle Bin or restored.
For instance, if the Spam folder has a retention period of one week, and
MailMarshal moves a message to the Spam folder, then you delete it to the
Mail Recycle Bin, it will be permanently deleted from the Mail Recycle Bin
one week after it was first received.
Viewing Messages
View a message to display the message headers, body, attachments, and the
MailMarshal email processing logs if they are available.
Chapter 8 • Monitoring Email Flow
179
To view a message and its associated processing log:
1. Double-click the message in a folder, History, or Search view. MailMarshal
opens the message in a new window.
2. The title of the window shows the message subject. The body of the
window shows basic information about the message and any attachments.
3. The lower portion of the message window includes three tabs: Message,
Log, and Details.
Note
On both the Message and Details tabs, MailMarshal restricts access to items
that could represent security threats.
Message
This tab shows the message body in the richest available format
(HTML, RTF, or plain text).
Details
This tab shows a tree view of the components of the message. You
can click on any item to view it in detail.
180
User Guide
Log
This tab shows the MailMarshal processing log for the message. The
processing log is only available if it was copied by the rule that
placed the item in the folder. It is good practice, especially for
debugging purposes, to copy the log for each message. If the rule
does not copy the log information, you may be able to retrieve it
from the main MailMarshal text logs. The text logs are created by
default in the Logging subfolder of the MailMarshal installation
folder. However by default these logs are only retained for five days.
Processing Messages
Processing a message queues it for action by other MailMarshal services.
To process a message:
You can select one or more messages for processing. When you have selected
messages, open the Process Message window by clicking the Process
Message(s) icon. Choose from the following actions:
Continue processing the message
This option continues processing the message after the rule which
placed it in the current folder. This action can be used to release a
message from quarantine while testing it for any further violations of
policy.
Reprocess the message
This option resubmits the message for processing by the current set of
MailMarshal rules. This option can be useful to resubmit a number of
messages after rules have been adjusted.
Pass the message through
This option queues the message for delivery with no further evaluation.
Chapter 8 • Monitoring Email Flow
181
If the check box Only apply this action to the following users is selected,
the selected option will be effective for one or more recipients of the message.
Select the users using the check boxes for each user in the list.
Note
You can also request the “Continue Processing” and “Pass Through” options
using a specially formatted email message. See “Using the Message Release
External Command” on page 243.
The following additional options are available:
• Delete the message after processing (selected by default): Once
MailMarshal has completed the selected actions, it deletes the message from
the folder. You cannot select this option for messages in archive folders.
Note
If the message has multiple recipients and you have chosen Only apply
this action to the following users, instead of deleting the message
MailMarshal removes the recipients that you applied the action to from the
list of recipients. You can view the message and apply actions for the
remaining recipients.
182
User Guide
• Add attachment fingerprints: MailMarshal saves attachments (including
images embedded in MS Word documents) in the folder ValidFingerprints
(located in the MailMarshal install folder on the email processing server
where the message is located.). The unique “fingerprint” of each attachment
will be loaded into the MailMarshal configuration and will be available on
all email processing servers in the array. The list of “valid fingerprints” can
be used in a rule condition. For more information, see the information
about the standard rule condition “Where attachment fingerprint is/is not
known” on page 91. You can choose to add the “fingerprints” of all
attachments to a message, or only the image attachments.
Note
MailMarshal automatically deletes a fingerprint (and the associated file) if it
does not trigger a condition for six months.
For information about how to delete a fingerprint manually see “Where
attachment fingerprint is/is not known” on page 91.
Viewing Email History
The Email History view shows each action taken on each message. Actions can
include message classifications, moving to folders, delivery, and delivery failure
among others. MailMarshal usually creates more than one history record for a
specific message. If a history record records a move or copy to a folder and the
message is present in the folder, you can use it to process the message exactly
as you could from the folders view
By default no more than 200 items will be retrieved per screen. You can view
the next or previous screen using the Page Up and Page Down keys. You can
adjust the number of items retrieved by choosing Preferences from the Tools
menu. You can sort the items on the screen by clicking column headers.
Note
The column sorting function only sorts the items that have been retrieved. If
there is more than one screen of history, sorting does not sort over multiple
screens. Use the user filter at the top of the listing, or the search function, to
retrieve a limited number of items.
Chapter 8 • Monitoring Email Flow
183
Searching Folders and Email History
You can limit the items displayed in the folders or email history using the User
Filter field at the top of the listing in Taskpad view. You can use wildcard
characters in this field. For a description of the syntax see Appendix A,
“Wildcards and Regular Expressions.”
Search the folders or email history by choosing Search from the Action menu.
You can choose from a large number of search criteria including dates, subject,
classification, and email addresses. If you want to see only items that can be
viewed and processed, you can choose to search only for items in folders.
You can search using any combination of the following options:
What is the Message Name
Allows you to enter a unique name MailMarshal has assigned to this
message. MailMarshal includes this information in the headers of each
message. You can enter the name alone (13 characters), or the name
and edition (13.12 characters) to identify a specific edition of the
message. You can add the server ID (13.12.4 characters). You cannot
combine this option with any other option.
Where can the message be found
Allows you to select a folder, or “all messages” to search all folders and
classifications.
When did the message arrive
Allows you to select the time and date when an action was logged. You
can also enter a range of dates. For instance, you can use this option to
search for messages that were sent on a specific day.
What is the email address
Allows you to enter the address the message was sent to, from, or both.
You can use wildcard characters. For a description of the syntax see
Appendix A, “Wildcards and Regular Expressions.”
What text does the subject contain
Allows you to find messages containing certain text in the subject line.
You can use wildcard characters. For a description of the syntax see
Appendix A, “Wildcards and Regular Expressions.”
184
User Guide
How was the message classified
Allows you to select a specific MailMarshal classification. Classifications
include both user classifications and system classifications such as
“Delivered successfully”.
What size is the message
Allows you to specific a size or range of sizes.
Search history items
Allows you to select whether the search will return message history
records including classifications, system actions, and messages that have
been quarantined within the database retention time, or only show
messages currently in folders.
Viewing Alert History
MailMarshal generates alerts for specific events of interest. Some of the events
included are services starting, stopping, or remaining idle for a longer than
expected time. To view a historical list of service alerts, select Alert History in
the left pane.
Setting Console Security
MailMarshal Console uses the Windows secure RPC mechanism to communicate
with the MailMarshal Array Manager server. A console user must have an
account and password that the Array Manager Server can validate. If the
console workstation is in a different domain to the Array Manager server, you
can either set up a trust relationship or create local accounts on the Array
Manager server. If the console and the server are separated by a firewall (for
instance if the server is located in a DMZ), port 19001 must be opened in the
firewall to allow remote console access.
You can permit or deny access to each feature of the console for each user or
group. You can also set access to view and act on the contents of each
quarantine folder.
Chapter 8 • Monitoring Email Flow
185
Configuring Console Access
Set Console access permissions to control which users can use various views
available in the MailMarshal Console.
To configure access to console features:
1. Open the MailMarshal Configurator.
2. On the Tools menu, select MailMarshal Properties.
3. Click the tab Console Security. This tab displays a list of users and groups
with permission over the console features. By default all members of the
Windows Administrators group on the MailMarshal server or Array Manager
are allowed full privilege over the Console.
186
User Guide
4. To add users or groups to the list, click Add then enter the names of users
or groups. You can select groups or users using the Browse Network Users
window. Each group or user you add is given full permissions by default.
5. To delete a user or group from the list, select it and click Remove.
6. To change permissions for a group or user, highlight the group or user
name in the top pane. The lower pane shows the current permissions for
this user. Set permissions for this user by selecting the appropriate boxes.
7. Repeat Step 6 for each group or user.
8. To save the changes, click Apply or OK at the bottom of the window.
9. To apply the changes, click the Commit button in the toolbar.
Configuring Default Folder Access
You can set the default folder permissions to control user ability to view and
manipulate items in most MailMarshal folders.
To configure default access permissions for MailMarshal folders:
1. Open the MailMarshal Configurator.
2. In the left pane, select Folders.
3. On the Action menu, click Properties.
4. This window displays a list of users and groups and shows the permissions
they have over the features of MailMarshal folders.
5. To add users or groups to the list, click Add then enter the names of users
or groups. You can select groups or users using the Browse Network Users
window. Each group or user you add is given full permissions by default.
6. To delete a user or group from the list, select it and click Remove.
7. To change permissions for a group or user, highlight the group or user
name in the top pane. The lower pane shows the current permissions for
this user. Set permissions for this user by selecting the appropriate boxes.
Chapter 8 • Monitoring Email Flow
187
8. Repeat Step 7 for each group or user.
9. To save the changes, click Apply or OK at the bottom of the window.
Configuring Access for a Specific Folder
Set the permissions on a particular folder to control user ability to view and
manipulate items in that folder. Permissions on a specific folder override the
default folder permissions.
To configure access permissions for a specific MailMarshal folder:
1. Open the MailMarshal Configurator.
2. In the left pane, expand Folders.
3. In the right pane, click a specific folder. Then click the Properties icon in
the toolbar or the taskpad header.
4. Select the Security tab of the folder properties. This tab displays a list of
users and groups with permission over the features of the folder.
5. To override the default security settings, select the check box Override
default folder security.
6. To add users or groups to the list, click Add then enter the names of users
or groups. You can select groups or users using the Browse Network Users
window. Each group or user you add is given full permissions by default.
7. To delete a user or group from the list, select it and click Remove.
8. To change permissions for a group or user, highlight the group or user
name in the top pane. The lower pane shows the current permissions for
this user. Set permissions for this user by selecting the appropriate boxes.
9. Repeat Step 8 for each group or user.
188
User Guide
10. To save the changes, click Apply or OK at the bottom of the window.
11. To apply the changes, click the Commit button in the toolbar.
Note
Setting access permissions for a folder in MailMarshal does not affect the
Windows file permissions for the folder or items in it. To limit access
through Windows, set the Windows access permissions for the MailMarshal
Quarantine folder and all items in that folder on each MailMarshal email
processing server.
To ensure that only the users with MailMarshal permissions can access these
items, give full control of the Quarantine folder to the LocalSystem account
or other account used by the MailMarshal services, and deny access to all
other accounts.
Using Windows Tools
MailMarshal provides information in a standard format through the Windows
event log and performance monitor.
Event Log
Each component of MailMarshal writes messages to the Windows application
log. Each event type is given a unique Event ID number. You can review these
events using the Event Viewer. You can also use these events to trigger
automatic actions such as pager notifications, service restarts, or popup
notifications via third-party products. To open the Event Log from the
MailMarshal Configurator select Open Event Viewer from the Tools menu.
Chapter 8 • Monitoring Email Flow
189
Performance Monitor
Each core service of MailMarshal (the Engine, Receiver, and Sender) makes
several counters available to the Windows Performance Monitor. To open the
Performance Monitor while using the MailMarshal Configurator, select Open
Performance Monitor from the Tools menu.
Please see the documentation for Performance Monitor to learn more about its
capabilities, which include remote monitoring
Using MailMarshal Text Logs
Each MailMarshal service creates its own daily log files. These files provide a
detailed record of routine processing and any problems encountered. The most
recent information is at the end of the log file. The files are located in the
Logging folder. By default, this folder is within the MailMarshal installation
folder. MailMarshal keeps 5 days of log files by default.
When a MailMarshal rule is set up to move or copy a message to a folder, it can
also copy the portion of the log file that relates to the message. You can see
these message logs when you view a message in the console. For more
information, see “Working With Email Messages” on page 177.
190
User Guide
Chapter 9
Managing MailMarshal
Configuration
This chapter discusses a number of configuration options and tasks that are not
directly related to the content security functions of MailMarshal.
Managing Your MailMarshal License
MailMarshal requires a valid license key in order to process email. When you
install MailMarshal, the installation process inserts a temporary license key valid
for 30 days from the time of installation. Contact a NetIQ Sales Representative to
purchase the product and receive a full license key, or to request an extended
trial. If you have received a valid permanent key, you can enter it at any time
using the procedure given in “Entering a License Key” on page 194.
Chapter 9 • Managing MailMarshal Configuration
191
Permanent MailMarshal license keys are keyed to the list of local domains you
enter. If you change the list of local domains the key will become invalid,
MailMarshal will notify you and generate a temporary key valid for 14 days. You
should immediately request a new key using the procedure given later in this
section.
Notes
•
When you upgrade MailMarshal to version 6.0, MailMarshal automatically
upgrades your license key. Retain a record of the new key for future
reference. No further action is necessary.
•
MailMarshal is licensed according to the number of email users in your
organization. If you exceed the licensed number MailMarshal will inform
you. This event will not have any effect on email processing.
•
If you change local domains frequently, NetIQ can provide a key based on
your computer or domain SID, or the network adapter MAC addresses of
the server. This key will not become invalid when you change local
domains.
Reviewing the Installed License
Use the Configurator to view the details of the installed license key including
the expiry date, number of users, and any optional features licensed.
192
User Guide
To view details of the currently installed license:
1. Select View License Details from the Tools menu. This action opens the
License tab of MailMarshal Properties.
2. You can select how MailMarshal will behave if the license expires or
becomes invalid.
•If you select Pass through all email, MailMarshal will function as an
email relay. MailMarshal will pass messages on to their destinations
without applying any engine based policy
•If you select Halt all processing and hold all email, MailMarshal
will continue to accept messages so long as there is available disk
space for the incoming queue. MailMarshal will not deliver any
messages until you enter a valid license or change this option to pass
through all email.
3. To apply the selection, click OK then commit the configuration.
Requesting a New License Key
To include all information required for NetIQ to generate an appropriate key,
request the key through the MailMarshal Configurator.
To request a new license key:
1. Select View License Details from the Tools menu.
2. Click Request Key.
3. Complete the required information on the Request License Key window.
MailMarshal will append the information required to generate a unique key.
4. To email the request to NetIQ, click Send Request. When you click Send
Request, MailMarshal also places the additional request information on the
Clipboard.
Chapter 9 • Managing MailMarshal Configuration
193
Entering a License Key
When you receive a key from NetIQ, use the Configurator to enter it and verify
its validity.
To enter a license key:
1. Select View License Details from the Tools menu.
2. Click Enter Key.
3. Enter the key, and select how MailMarshal will behave if the license expires
or becomes invalid.
4. Click OK. MailMarshal will report the validity of the key you entered.
5. If your key expired, MailMarshal may have stopped the Engine service. To
verify that the Engine is running on all email processing servers, see Server
and Array Properties in the configurator.
Backing Up and Restoring the Configuration
The MailMarshal Configuration Backup allows you to create an XML file that
includes most of the information you can set in the MailMarshal Configurator, as
well as the current SpamCensor DLL and configuration.
Notes
194
•
You can also back up and restore the configuration from a command line
prompt. For more information see “Configuration Export Tool” on page 221.
•
You can import MailMarshal user group information from a command line
prompt. For more information see “Group File Import Tool” on page 220.
User Guide
The backup does not store some important information. To fully restore
configuration on a new Array Manager server, you must take further steps to
back up and restore this information:
• The location of the MailMarshal database and the names of email processing
servers. Make a note of this information, and enter it manually to restore it.
• Users within LDAP and Active Directory user groups. To repopulate these
groups with the current members, in the left pane of the Configurator
highlight User Groups, then choose Reload User Groups from the Action
menu.
• The MailMarshal Spam Censor definition file (Spamfilter.xml). To retrieve
the latest version of this file, on the Spam Updates tab of the Server and
Array Properties window click Check for Updates Now.
• The email messages and logging information in MailMarshal quarantine
folders. For information about backing up the quarantine folders, see NetIQ
Knowledge Base article NetIQKB39546.
Backing Up the Configuration
You should back up the configuration before and after making substantial
changes, and before applying an upgrade.
To back up the configuration:
1. Select MailMarshal Properties from the Tools menu.
2. On the General tab, click Backup.
3. Enter or browse to the name of the file you want to contain the backup.
4. Click OK.
5. To back up “valid fingerprint” definitions, back up the contents of the
ValidFingerPrints folder in the MailMarshal Quarantine folder on every email
processing server.
6. To back up custom file type definitions, back up the file filetype.cfg in the
MailMarshal installation folder on the Array Manager.
Chapter 9 • Managing MailMarshal Configuration
195
Restoring the Configuration
You can restore the configuration if you must create a new Array Manager
server, or if you want to return to a previous version of your email policy.
To restore configuration from a backup:
1. Select MailMarshal Properties from the Tools menu.
2. On the General tab, click Restore.
3. Enter or browse to the name of the file containing the backup you want to
restore.
4. Click OK.
5. To restore “valid fingerprint” definitions, restore the backed up contents of
ValidFingerPrints folders to the MailMarshal Quarantine folder on any email
processing server. It is not necessary to restore these files to their original
servers.
6. To restore custom file type definitions, restore the backed up file filetype.cfg
to the MailMarshal installation folder on the Array Manager.
7. To activate the restored configuration, commit the MailMarshal
configuration.
Note
By default you will be prompted to commit the configuration when the
configuration file has been restored. You can commit by clicking Yes on the
prompt window. If you have chosen to deactivate the prompt or you have
additional changes to make before committing, you can commit using the
Commit configuration icon in the toolbar.
196
User Guide
8. If you have restored the configuration to a newly installed server
and you want to use an existing MailMarshal database, connect to
the database using the MailMarshal Server Tool. See “Array
Communications” on page 214.
9. If you have connected to a different database, you must use the Server
Tool to rejoin email processing servers to the installation. You must use this
tool even if you have installed MailMarshal as a standalone server. See
“Joining A Node To An Array” on page 210.
Configuring Local Domains
You configure a list of local email domains when you install MailMarshal. You
may need to update this configuration if you change internal email servers, or if
you add more Internet domains.
Note
The list of local domains configured in MailMarshal should always match the
DNS MX records that direct email from the Internet to MailMarshal.
A local domain can be either of two types: relay domain or POP3 domain.
When an email message is addressed to a relay domain, MailMarshal sends it to
another email server for final delivery. When an email message is addressed to
a POP3 domain, it is typically delivered to a mailbox hosted by the MailMarshal
server.
If you are using an array of MailMarshal email processing servers, you can
choose to set a different delivery server for a specific local domain on each
MailMarshal email processing server.
Changing Local Domains Information
You can change the list of domains MailMarshal recognizes as local, and the
default delivery location for each domain.
Chapter 9 • Managing MailMarshal Configuration
197
To change the list of local domains:
1. Select Server and Array Properties from the Tools menu.
2. On the Server and Array Properties window, click the Local Domains tab.
3. Select the action you want to perform:
•To create a new local domain listing, click New.
•To edit an existing local domain listing, click Edit.
•To delete an existing local domain listing, highlight it then click
Delete.
4. If you are creating a new local domain listing, choose to create a relay
or POP3 local domain. Click Next.
198
User Guide
5. Enter the email domain name, such as example.com. If this is a Relay
domain listing, you can use wildcard patterns to match multiple
subdomains. For details of the wildcard characters you can use, see
Appendix A, “Wildcards and Regular Expressions.”
6. If you are working with a Relay domain, enter the IP address of the
server MailMarshal should use to deliver messages for this domain.
Optionally enter the IP address of a backup server. The second server will
only be used if the first server is not available.
7. If you are creating or editing a POP3 domain, choose how you want
MailMarshal to deal with messages addresses to non-existent mailboxes.
8. Click Finish.
9. Repeat Steps 3 through 8 for each domain listing you need to add or
modify.
10. If you want to change a local domain from Relay to POP3 or POP3 to
Relay, delete the listing and create a new listing.
11. If you have more than one domain, adjust the order of matching of
domain listings by selecting a domain from the list and clicking the up and
down arrows. For each message, MailMarshal will use the list in top-down
order and deliver a message to the first matching location.
Note
Ensure that local domains are listed in the correct order. If you do not,
email may be misdirected. For example you could use the following
sequence to direct email to POP3 mailboxes within MailMarshal:
pop.example.com
POP3
10.2.5.4:25
*.example.com
Relay
10.1.2.1:25
If you were to reverse this sequence, the “pop” subdomain would be
ignored and all email would be delivered to the relay address (that is,
10.1.2.1 port 25), because *.example.com will match for messages addressed
to pop.example.com.
Chapter 9 • Managing MailMarshal Configuration
199
If you change the list of local domains, your MailMarshal license key will
become invalid. MailMarshal will notify you and generate a temporary key valid
for 14 days. You should immediately request a new key. See “Managing Your
MailMarshal License” on page 191.
Changing Local Domains on a Specific Server
If your MailMarshal installation has more than one email processing server, you
can set delivery information for each domain on each server. This ability is most
likely to be required where some servers are at different geographical locations,
such as different company gateways to the Internet.
To set local domain options for a specific server:
1. Click Server and Array Configuration in the left pane.
2. Click a server name in the right pane, then click the Properties icon in the
toolbar.
3. On the Server Properties window, click the Local Domains tab.
4. Select the check box Customize the Local Domain Settings.
5. Change relay local domain entries as desired. For details of the settings, see
“Completing the Configuration Wizard” on page 38. You cannot change
POP3 local domain settings for a specific server.
200
User Guide
Setting Up Accounts
MailMarshal accounts consist of a user name and password. You can use
accounts for two purposes:
• To authenticate user connections using a receiver rule. For more
information, see “Where sender has authenticated” on page 105.
Note
If you use this feature to allow one or more accounts to relay email,
consider the following best practices:
•
Ensure that these accounts have strong passwords. If an account
password is guessed by a malicious person, MailMarshal could become
an open relay. Change the passwords periodically.
•
Use accounts that are only used for this purpose, and not Windows
accounts with other permissions. Password transmission during
authentication is not strongly secured.
• To specify users for the MailMarshal POP3 server. If you will be using
accounts for POP3 delivery, set up all POP3 domains before creating
accounts. For more information about POP3 domains, see “Completing the
Configuration Wizard” on page 38.
Note
The MailMarshal POP3 server is not designed to be used in an installation
with more than one email processing server.
Creating Accounts
Create accounts using the MailMarshal Configurator.
To create accounts:
1. In the left pane of the Configurator, select Accounts.
2. On the Action menu, choose New Account.
Chapter 9 • Managing MailMarshal Configuration
201
3. Enter the details for the user name and authentication information in the
New Account window.
4. MailMarshal will automatically enter an appropriate SMTP alias for email
delivery to this account's mailbox. If more than one POP3 domain is
configured, MailMarshal will enter an alias for each domain. Make any
desired changes to the list of SMTP aliases.
5. If you want to use the account only for authentication, enter a single
invalid alias such as “none.”
6. If you want email for other SMTP addresses to be delivered to this
account's mailbox, enter the complete addresses manually. Enter one
address per line. Use the Enter key to move between lines. Only use
domain names for which MailMarshal is functioning as a POP3 local domain
server.
Note
If you enter the same SMTP alias in more than one POP3 account, messages
directed to that alias will be delivered to all of the mailboxes
7. If the password fields are left blank, MailMarshal will use Windows NT
authentication to determine access for this account. In this case, ensure that
the account name matches the name of a valid Windows NT user account
permitting access to files on the MailMarshal server computer.
8. To add the account, click Add.
9. When you have added all accounts, click Close.
Editing Existing Accounts
Edit an account to change the password or email addresses associated with the
account.
To edit an existing account:
1. Select Accounts in the left pane of the Configurator.
2. Double-click the account you want to edit.
202
User Guide
3. Change the password and aliases as required.
4. Click OK.
Deleting Accounts
Delete accounts that are no longer required. If you delete an account used for
email delivery, you should also delete the delivery folder from the MailMarshal
sending queue directory.
To delete an account:
1. Select Accounts in the left pane of the Configurator.
2. Select the account you want to delete.
3. Click the Delete icon in the toolbar.
Configuring Delivery Options
MailMarshal distinguishes between “inbound” and “outbound” email.
Inbound email is email delivered to your organization. MailMarshal determines
how to deliver this email based on your local domains. For more information
about local domains see “Configuring Local Domains” on page 197.
Outbound email is email delivered to locations outside your local domains.
MailMarshal can deliver this email directly using DNS lookups, or by forwarding
all email to a relay host.
You configure delivery options using the Configuration Wizard when you install
MailMarshal. You can make changes later if required.
Configuring Default Delivery Options
You can make changes to delivery options for the entire installation using
Server and Array Properties.
Chapter 9 • Managing MailMarshal Configuration
203
To configure delivery options:
1. Select Server and Array Properties from the Tools menu.
2. On the Server and Array Properties window, click the Delivery tab.
3. Enter a primary DNS (Domain Name Server) address used by your
organization. Optionally enter a secondary DNS address. These servers
should be in the local network if possible, but in any case no further away
than your ISP. They must be able to resolve domain names outside your
organization.
Notes
204
•
MailMarshal does not use the DNS servers configured in Windows
networking.
•
If MailMarshal must perform DNS lookups through a firewall, the
firewall must permit both TCP and UDP based lookups.
User Guide
4. Choose one of the two available delivery options:
a. MailMarshal will deliver external email itself: This is the default
option. MailMarshal will use DNS resolution to determine the
appropriate destination for outbound email and attempt to deliver
messages directly.
If you select this option, you can optionally enter the name or IP
address of a fallback host. The fallback host will be used as a
forwarding host for messages that MailMarshal is unable to deliver
immediately. For instance, if MailMarshal encounters a DNS or greeting
failure while attempting to connect to the original destination server it
will immediately send the message to the fallback host.
b. MailMarshal will forward email to another SMTP server: Select this
option to immediately send all outbound email to a firewall or a fixed
relay server. This could be a server at your ISP. This relay server will be
responsible for final delivery.
Enter the host name or IP address of the relay or firewall in the
Forwarding Host box.
Optionally enter an alternate host. This alternate will only be used if
MailMarshal encounters a DNS or greeting failure while attempting to
connect to the main forwarding host.
5. To complete the changes, click OK on the Server and Array Properties
window and commit the configuration.
Configuring Delivery Options For A Specific Server
If you are using an array of MailMarshal servers, you can choose to set delivery
options for each server.
To set delivery options for a specific server:
1. Click Server and Array Configuration in the left pane.
2. Click a server name in the right pane, then click the Properties icon in the
toolbar.
Chapter 9 • Managing MailMarshal Configuration
205
3. On the Server Properties window, click the Delivery tab.
4. Select the check box Customize the Delivery Settings.
5. Change the entries as desired. For details of the settings, see earlier in this
section.
Configuring Email Batching and Dial-Up
MailMarshal supports batch receipt and sending of email messages where you
do not want to have an on-demand connection to the downstream email server.
Normally you would use this option if you connect to the Internet through a
dial-up connection. You can also use this option with an ADSL connection
where the MailMarshal server does not have a fixed IP address, or if frequent
connections incur high cost.
Notes
•
The MailMarshal Dial-Up Networking function is not designed to be used in
an installation with more than one email processing server.
•
Mail Batching must be enabled whenever Dial-Up Networking is used.
To configure email batching and dial-up options:
1. Select Server and Array Properties from the Tools menu.
2. On the Server and Array Properties window, click the Batching & Dial-Up
tab.
3. Select the check box Enable Mail Batching to enable the Mail Batching
related fields.
4. Select the check box Use Dial-Up Networking to enable the Dial-Up
related fields.
206
User Guide
5. Make entries appropriate to your environment. See the Help for detailed
descriptions of the fields on this tab and the Delivery/Polling Schedule
window.
6. Click OK or Apply.
Configuring Manager Security
You can control access to the MailMarshal Array Manager. To perform some
tasks a user must have an account that the Manager can validate. As of this
writing the only permission you can control is permission to join an email
processing server to an array.
To configure access to Array Manager features:
1. Open the MailMarshal Configurator.
2. On the Tools menu, select MailMarshal Properties.
3. Click the tab Manager Security. This tab displays a list of users and groups
with permission over the manager features. By default all members of the
Windows Administrators group on the MailMarshal server or Array Manager
are allowed full permissions over all items that are secured through this tab.
4. To add users or groups to the list, click Add then select groups or users
using the Browse Network Users window. Each group or user you add is
given full permissions by default.
5. To delete a user or group from the list, select it and click Remove.
6. To change permissions for a group or user, highlight the group or user
name in the top pane. The lower pane shows the current permissions for
this user. Set permissions for this user by selecting the appropriate boxes.
7. Repeat Step 6 for each group or user.
8. To save the changes, click Apply or OK at the bottom of the window.
9. To apply the changes, commit the configuration.
Chapter 9 • Managing MailMarshal Configuration
207
Managing Array Nodes
A MailMarshal installation consists of an Array Manager and one or more email
processing servers, also known as array nodes.
Managing Node Services
You can view the status of the MailMarshal services on each email processing
node, and stop or restart the services, from the MailMarshal Configurator.
To see an overview of the status of services on each node, in the left pane of
the Configurator click Server and Array Properties.
To see details of the status of services on a particular node, and to stop
or restart the services:
1. In the left pane of the Configurator click Server and Array Properties.
2. In the right pane, select a node.
3. Click the Properties icon in the toolbar or the Server Properties icon in
the taskpad header.
4. On the general tab, the Services listing shows the status of each service
installed on the node.
5. To stop one or more services, select them in the list then click Stop.
6. To start one or more services, select them in the list then click Start.
7. To restart all services, click Restart all.
Note
If you stop services from this window, they will remain stopped until you
start them. Committing the configuration will not start the services.
208
User Guide
Adding and Deleting Nodes
You can add email processing servers (nodes) to a running MailMarshal
installation to add capacity or redundancy. You can also delete existing nodes
from an installation.
Adding a Node
You can add a node at any time without affecting other nodes. After adding the
node, adjust email routing so that the new node shares in email processing.
To add a node to a MailMarshal installation:
1. Log on to the new server using an account that you have granted the
permission Join Array.
2. Install MailMarshal.
3. During installation, select the option “I want to join an existing array” and
enter the name of the existing Array Manager.
For more information, see “Installing MailMarshal on an Array of Servers” on
page 33.
Deleting a Node
You should delete a node to cleanly remove it from the MailMarshal array.
Before deleting a node, adjust email routing so that the node to be deleted does
not process any email.
To delete a node from a MailMarshal installation:
1. Stop MailMarshal services on the node using the MailMarshal Configurator.
2. If you want to preserve messages from quarantine folders stored on the
node, back up the Quarantine folder in the MailMarshal installation folder
on the node.
3. Uninstall MailMarshal on the node server using the Add/Remove Programs
application in Control Panel.
Chapter 9 • Managing MailMarshal Configuration
209
4. During the un-installation process, MailMarshal will attempt to remove the
node records from the array installation. If the logged in user does not have
the “can join servers to array” permission, MailMarshal will ask for an
alternate credential. If you do not remember the credential, you can still
perform the un-install. In this case, remove the node records later using the
Configurator.
5. In the Configurator, an un-installed node will show a status of “not active.”
You can highlight the node and click the delete icon in the toolbar.
Joining A Node To An Array
You can join an email processing server (node) to a MailMarshal array. After
joining the array, the node will retrieve policy configuration from the Array
Manager.
To join an existing node to a MailMarshal installation:
1. Log on to the node server.
2. Run the MailMarshal Server Tool from the NetIQ MailMarshal program
group.
3. On the Array/Node communication tab, click Change.
4. Enter the port and server name for the Array Manager, then click Join
Array. Enter the credentials of an account that you have granted the
permission Join Array. Click OK.
210
User Guide
Customizing Settings for Nodes
Since the purpose of a MailMarshal array is to replicate configuration over a
number of processing servers, most settings will be the same for all nodes. You
can configure the following settings for each node:
Server name information
For each email processing server, you can view and change the server
name and the description and location notes.
Note
Only change the server name here if you have changed the computer
name of the email processing server.
Local Domain delivery information
For each relay local domain, MailMarshal delivers email to a specific IP
address and port. You can override the common settings for each email
processing server. One use of this override would be to allow
geographically separated MailMarshal servers to deliver inbound email
to different internal email servers.
Outbound delivery information
For each email server in an array, you can specify DNS servers, whether
email is delivered directly or through a relay host, and whether a
fallback delivery method is required.
Advanced server information
For each server in an array, you can choose an IP address and port for
the MailMarshal receiver to bind to. You can specify a host name, which
may be required if this information is not entered in the Windows
networking properties. You can also select whether the email
processing server should be preferred by the Array Manager as a host to
be used in sending notifications.
Note
By default, the Receiver binds to port 25 on all configured IP addresses.
This allows MailMarshal to receive all email sent to each email
processing server at the default SMTP location.
Chapter 9 • Managing MailMarshal Configuration
211
To customize settings for a particular node:
1. In the left pane of the Configurator click Server and Array Properties.
2. In the right pane, select a node.
3. Click the Properties icon in the toolbar or the Server Properties icon in
the taskpad header.
4. On the Local Domains tab, set Local Domain delivery information for the
node.
5. On the Delivery tab, set outbound delivery information for the node.
6. On the Advanced tab, set the Receiver binding, host name, and notification
delivery preference information.
Setting Advanced Options
MailMarshal allows you to configure a number of advanced settings. These
settings default to values that are reasonable in the majority of cases. In specific
cases you may need to change them.
Server Properties - Advanced
These options affect delivery and processing of email. If more than one
MailMarshal server is included in an array, these options affect all servers.
General options
Allows you to set options for RTF stamping, unpacking depth,
advertising of ESMTP, and notifications of delivery failures.
Templates
Allows you to override the administrative notification messages built in
to MailMarshal.
Receiver
Allows you to set behaviors of the MailMarshal Receiver.
212
User Guide
Server Threads
Allows you to configure threading for optimal performance.
Times
Allows you to set retry and expiration timeouts for the Receiver and
Sender services.
To configure advanced server options:
1. Select Server and Array Properties from the Tools menu.
2. On the Server and Array Properties window, click the Advanced tab.
3. Click the Additional Options button.
For full information about the available options, see the Help for this window.
Node Properties - Advanced
These options affect delivery and processing of email. If more than one
MailMarshal server is included in an array, these options can be set for each
server.
Receiver Binding
Controls the IP address and port that the MailMarshal server uses to
listen for incoming email.
Server Host Name
If the server does not have a Primary DNS domain setting in Windows
networking, a fully qualified host name can be entered here.
Notification Delivery
Determines which servers are preferred for delivery of messages
generated by the MailMarshal Array Manager.
Chapter 9 • Managing MailMarshal Configuration
213
To configure advanced options for each processing node:
1. Click Server and Array Configuration in the left pane
2. Click a server name in the right pane, then click the Properties icon in the
toolbar.
3. On the Server Properties window, click the Advanced tab.
For full information about the available options, see the Help for this tab.
Array Communications
When MailMarshal is configured as an array of servers with an Array Manager
and one or more other servers as email processing servers, the MailMarshal
servers communicate over TCP/IP. By default MailMarshal uses port 19001. If
the Array Manager and email processing services are installed on the same
server, by default the email processing services use port 19002.
You can configure these settings using the MailMarshal Server Tool, which is
installed on each server. You must configure the settings on each server
individually.
Note
Close the MailMarshal Configurator and Console applications while using the
Server tool.
Changing Array Port Settings
You can change the TCP ports used by the MailMarshal services. For instance,
you may want to alter the default port numbers to enhance security.
To change the port settings:
1. Log on to the server.
2. Run the MailMarshal Server Tool from the MailMarshal Tools group in the
NetIQ MailMarshal program group.
214
User Guide
3. On the Array/Node Communication tab, review the current port settings.
Click Change.
4. If the server is an email processing server (not an Array Manager or
standalone server), you can change the port used by the services to listen
for communications from the Array Manager. When you apply this change
and restart the services, MailMarshal will report the change to the Array
Manager. You can also change the port the services use to attempt to
connect to the Array Manager.
5. If the server is an Array Manager, you can change the port used by the
Array Manager to accept connections from email processing servers, the
Console, the Configurator, and the Web components.
Note
If you change this value, to restore full functionality you must also change
the corresponding value in several other places. These include each email
processing server and the Web components if installed. The Configurator
and Console installations will prompt for a new port when they are next
opened.
Changing the Database Location
You can change the location of the MailMarshal database using the Server Tool
on the Array Manager server. Because most configuration information is stored
in the database, in general you should only use this option if you must change
the SQL server on which the database is hosted.
When you create a new database, MailMarshal does not retain Spam Quarantine
Management logins and related data.
To change the database location:
1. Back up the MailMarshal configuration. See “Backing Up and Restoring the
Configuration” on page 194.
2. Log on to the Array Manager server.
3. Run the MailMarshal Server Tool from the MailMarshal Tools group in the
NetIQ MailMarshal program group.
Chapter 9 • Managing MailMarshal Configuration
215
4. If you want to move the existing database:
a. Stop all MailMarshal services.
b. Move the database to the new location using SQL tools.
5. On the Database tab, review the current database settings. Click Change.
6. Enter the information about the new database server and database. Click
OK. If necessary, MailMarshal will ask whether you want to create a new
database, use or overwrite an existing database. If you have moved a
database and selected it, choose Use.
7. Click OK to close the Server Tool. MailMarshal will ask to restart services.
8. Restore the MailMarshal configuration.
9. Use the Server Tool on each email processing server to rejoin the servers to
the array. You must use this tool even if you have installed MailMarshal as a
standalone server. See “Joining A Node To An Array” on page 210.
Folder Locations
You can change the default location for MailMarshal logging, quarantine,
message unpacking, and message queues on each email processing server
using the MailMarshal Server Tool. For more information about the how these
folders are used, see “Locating MailMarshal Folders” on page 24.
To change the locations of folders:
1. Using the MailMarshal Configurator, stop the MailMarshal services on the
email processing server where you want to move folders.
2. Log on to the email processing server.
3. Run the MailMarshal Server Tool from the MailMarshal Tools group in the
NetIQ MailMarshal program group.
4. On the Folders tab, change the locations. You can enter a full path relative
to a local drive letter, or a partial path relative to the MailMarshal installation
folder.
216
User Guide
5. Click OK. The Server Tool will offer to copy files from the old locations.
The Server tool will also offer to restart the MailMarshal services.
6. The Server Tool will not delete files from the old locations. You can safely
do so using normal Windows procedures.
Note
You can change the location of an individual folder. For more information,
see “Folders” on page 155.
Quarantine Synchronization Tool
The MailMarshal Quarantine Synchronization Tool is designed to ensure that
every email message in the MailMarshal Quarantine folders has a corresponding
record in the MailMarshal database. Each message must have a record in the
database so that the MailMarshal Console can retrieve and process all messages.
The Quarantine Synchronization Tool does not delete any records from the
database.
Use this tool to repair or recreate the database in case of database corruption.
To run the Quarantine Synchronization Tool:
1. Log on to a MailMarshal email processing server or standalone server.
2. Run the Quarantine Synchronization Tool from the MailMarshal Tools group
in the NetIQ MailMarshal program group.
3. Click Start.
4. The tool displays a progress bar and detailed progress information. The
“time remaining” displayed is an estimate based on material already
processed.
5. To stop the tool, click Stop. You can stop the tool at any time and start it
again later.
Chapter 9 • Managing MailMarshal Configuration
217
6. If the tool encounters a message it cannot synchronize, you can choose to
abort, retry, ignore the message, or ignore all problem messages. By
choosing to ignore all messages you can allow the tool to run unattended.
The tool logs its activity to a file in the MailMarshal logging folder. Use this
file to review any messages that cannot be synchronized.
7. If you have installed a MailMarshal array with more than one email
processing server, complete Steps 1 to 6 on each email processing server.
Quarantine Upgrade Tool
When you upgrade MailMarshal to version 6.0, the installation process creates a
new database and a new set of quarantine folders.
The MailMarshal Quarantine Upgrade Tool allows you to import database
records and email messages from an earlier MailMarshal installation into a
MailMarshal 6.0 installation.
Note
Because the database structure and reporting queries have been changed in
MailMarshal 6.0, when you generate reports using the upgraded database the
results can differ from those generated using the same parameters by earlier
versions of MailMarshal Reports.
This tool can take many hours or even days to run fully. You can stop and
restart the tool. It does not affect processing of new email by the MailMarshal
installation
218
User Guide
If you are upgrading a MailMarshal 5.5 array installation, please refer to NetIQ
Knowledge Base article NetIQKB39044 before using this tool..
Warning
•
Before using this tool, ensure that you have backed up the quarantine
folders on the server. The tool changes the files contained in these folders.
After the upgrade, you will not be able to use earlier MailMarshal
applications to view them.
•
To ensure that upgraded messages are logged with the correct timestamp,
ensure that the SQL server hosting the new MailMarshal database and the
server hosting the old quarantine folders are in the same time zone. The
upgrade tool converts the internal representation of times from local time to
UTC.
To run the Quarantine Upgrade Tool:
1. Log on to a MailMarshal email processing server or standalone server.
2. Run the Quarantine Upgrade Tool from the MailMarshal Tools group in the
NetIQ MailMarshal program group
3. Click Start.
4. The tool displays a progress bar and detailed progress information. The
“time remaining” displayed is an estimate based on material already
processed.
5. To stop the tool, click Stop. You can stop the tool at any time and start it
again later.
6. If the tool encounters a message it cannot convert, you can choose to abort,
retry, ignore the message, or ignore all problem messages. By choosing to
ignore all messages you can allow the tool to run unattended. The tool logs
its activity to a file in the MailMarshal logging folder. Use this file to review
any messages that cannot be converted.
Chapter 9 • Managing MailMarshal Configuration
219
Group File Import Tool
The MailMarshal Group File Import Tool is a command line tool that allows you
to import information into MailMarshal user groups from a file in the format of
the MailMarshal 5.x UserGroups.txt file. You can use this tool to import
information that has been exported from an email server that does not support
LDAP.
The input to this tool is a plain text file. Each line in the file can be a group
name in square brackets, an email address, or a wildcard pattern of an email
address. For instance, the following is valid input:
[New Group]
[email protected]
[email protected]
q*@example.com
The application is found in the MailMarshal installation folder and is named
GroupFileImport.exe. To use the tool you must use a Windows account with
the permission to modify the Windows Registry on the server where the Array
Manager is located (for instance a member of the Windows administrator group
on the system).
The syntax and options of the tool are as follows:
GroupFileImport.exe [options] {-f inputfilename}
Available options are:
220
Option
Use
-h {computer name or identifier}
Array Manager name or IP address. Defaults
to localhost.
-p {IP Port}
Array Manager port. Defaults to 19001.
-n {text}
Text string prefixed to all group names at
import, such as File Group:
User Guide
Option
Use
-m
Merge imported data. If a group in the import
file has the same name as an existing group,
existing items in the MailMarshal group will
not be deleted. New items in the import file
group will be added. The default is to delete
all members from a group before import.
-v
Verbose mode. Generates warnings about
individual group members.
-u {user name}
User name used to connect to the Array
Manager server. Defaults to the logged on
user.
-d {domain}
Domain in which the user name is found.
-k {password}
Password associated with the user name.
-?
Prints the usage help text.
Configuration Export Tool
The MailMarshal Configuration Export Tool is a command line tool that allows
you to export and import MailMarshal configuration from a command line
interface or batch file.
The input or output of this tool is an XML file in MailMarshal configuration
export format.
To use the tool you must use a Windows account with the permission to modify
the Windows Registry on the server where the Array Manager is located (for
instance a member of the Windows administrator group on the system).
The syntax and options of the tool are as follows:
MMExportCfg.exe [options] {filename}
Chapter 9 • Managing MailMarshal Configuration
221
Available options are:
222
Option
Use
-i
Imports the configuration from the specified
file. The default is to export the configuration
to the file.
-f
On export, filters out server settings such as
delivery options, and exports only content
security settings. One use of this setting is to
copy email policy from one MailMarshal
installation to another.
-m
Merge the imported policy. If a setting is not
present in the import file, the existing setting
remains in place. The default is to clear all
settings that are not in the import file.
-c
Commit configuration after import.
-s:{computer name or identifier}
Array Manager name or IP address. Defaults
to localhost
-p:{IP Port}
Array Manager port. Defaults to 19001.
User Guide
Chapter 10
Reporting on MailMarshal Activity
The MailMarshal Reports application allows you to generate reports based on
the information MailMarshal logs as it processes email messages. You can
choose from a wide range of reports covering email throughput, specific
content, and threat information. You can produce both overall summaries and
per-user information.
Note
The structure of the MailMarshal database, and the reporting queries, have
changed significantly in MailMarshal 6.0. If you have imported data from an
earlier version MailMarshal database, reports may show different results to the
equivalent reports in the earlier version.
Data Retention and Grouping
The data available for reports and grouping of certain data is configured
through the MailMarshal Configurator.
To configure reporting options:
1. Open the MailMarshal Configurator.
2. On the Tools menu, click MailMarshal Manager Properties.
Chapter 10 • Reporting on MailMarshal Activity
223
3. Click the Reporting tab.
4. When you have completed changes on the Reporting tab as described in
the next sections of this chapter, click OK then commit the MailMarshal
configuration to effect the changes.
Data Retention
You can adjust the length of time for which MailMarshal will retain logging
records.
1. The General Options section of the Reporting tab shows the length of time
for which MailMarshal will retain logging data.
2. To change the retention time, enter a number of days.
Notes
•
Best practice is to retain enough data to allow reporting on several
months of email traffic.
•
You can reduce the size of your MailMarshal database by reducing the
retention time.
•
If you archive messages for longer than the logging retention time,
MailMarshal will retain basic database records about each archived
message for as long as the archives are retained. This information is
necessary to allow viewing of the messages in the Console. For more
information about backing up and restoring messages in quarantine
folders, see NetIQ Knowledge Base article NetIQKB39546.
Reporting Groups
Spam information and virus information are likely to be logged in varying
classifications and folders. To allow unified reporting on these two categories,
MailMarshal allows you to specify the folders and classifications you are using
for each of these types of content. These groups affect the display on the
MailMarshal Today page of the console, the Spam Overview report, the Virus
Overview report, and the two virus detail reports.
224
User Guide
To configure the reporting groups:
1. The Reporting Group section of the Reporting tab shows the folders and
classifications that are included in each reporting group.
2. To change the items included in a group, click Modify to open the Edit
Reporting Group window, shown below.
3. Select the items you want to include, then click OK to return to the
Reporting tab.
Note
Ensure that the folders and classifications you select are relevant to the
purpose of the group. Otherwise, results based on the group will be
meaningless.
Connecting to the Database
MailMarshal Reports uses a direct connection to the MailMarshal Database,
which is hosted on a Microsoft SQL 2000 Server or MSDE 2000 server. To
generate reports, you must be able to connect to the database. If the database is
separated from the client workstation by a firewall, connect using TCP and
open the SQL port through the firewall. By default this is port 1433.
Chapter 10 • Reporting on MailMarshal Activity
225
To connect to the database:
1. Run the MailMarshal Reports application in the NetIQ MailMarshal program
group.
2. If this is the first time MailMarshal Reports has been run on this
workstation, or the database connection information has not been
saved, MailMarshal Reports displays a window requesting connection
information. Enter the appropriate information to connect to the database.
In the SQL Server Name field you can use the syntax
servername[\instance][,port].
Note
If you use SQL Server named instances, use the instance parameter rather
than the port parameter.
3. If you want to connect to a different database, in the left pane of
MailMarshal Reports select the item MailMarshal Reporting. From the
Action menu, select Database. Enter the appropriate information to connect
to any database.
Generating Reports
Within MailMarshal Reports, reports are organized in folders. The default folders
group reports according to functions, such as classification reports, bandwidth
reports, and virus related reports.
Available Reports
To view the list of available reports, expand the items in the left pane. The
Description column of the right pane gives basic information about each
folder and report.
To view the full definition of a particular report, select it then choose
Properties from the Action menu.
226
User Guide
The properties are shown in a Report Properties window with four tabs.
• General: gives the report name, as shown in the MMC, and a more
complete description.
• Parameters: gives the report title, as it will be seen when the report is
generated, and shows the default parameters that will be used.
If the check box Request parameters before running report is selected,
the parameters detail will be presented to the user each time the report is
generated. If this box is not selected, MailMarshal will not request
parameters when the report is generated.
To view and change the parameters using the parameters detail window,
click Edit.
Tip
You can save a specific instance of a report, such as “all traffic last month
from example.com”, by editing the parameters and clearing the Request
Parameters box. You can run this report quickly by double-clicking on the
report name in the main Reports window.
• Report: Shows information about the report definition file and the DLL it is
stored in.
• Select: You can select a new report definition file from the list. Choosing a
new file will effectively reset all features and is generally not recommended.
Chapter 10 • Reporting on MailMarshal Activity
227
Entering Parameters
To begin generating a report, select it then click Open on the Action menu. By
default MailMarshal displays a parameter detail window similar to the following:
Choose detailed parameters using the fields on this window.
Note
If MailMarshal Reports does not display the parameter detail window the report
is configured to run without requesting parameters. You can change this
behavior by selecting the report then clicking Requests Parameters on the
Action menu.
The title of the parameter detail window shows the title of the report as it will
be generated. To change the title use the Parameters tab of the Report
Properties window.
For more information about the available parameters, see “Available
Parameters.”
When you have chosen all options, click OK to view the report in a new
window.
228
User Guide
Available Parameters
Each MailMarshal report has a different set of parameters. For more information
about the parameters of a specific report, see the Help for the specific
parameter window.
Reporting Period
Every report allows the same choices of reporting period. The period can be
selected in any of five ways, each represented by a tab. When entering a date,
you can use the arrow at the right of the date field to select the date using a
calendar, or type the date in a format defined by the regionalization settings for
the computer. If in doubt about the order of day and month, click the arrow to
see the date displayed on the calendar.
• Common: On this tab, select a standard period from the available choices
such as “Last Month”.
• Special: On this tab, select the total period to include in the report by
selecting a period type from the list, the number of periods, and the starting
day. For instance, you might choose “Last 2 Months starting on the 15th of
the month.”
• Period: Select a reporting period by selecting a period type from the list,
the number of periods, and the starting date.
• Date: Select a reporting period by choosing starting and ending dates. If
you select the check box Inclusive, the ending date will be included in the
report.
• Time: Select a reporting period by choosing starting and ending dates and
times.
Sort
You can choose the sorting order for the data in a report. Most reports provide
several sorting options.
Chapter 10 • Reporting on MailMarshal Activity
229
Domain, User, Subject, Message Name, Classification, Folder,
Description
You can enter text to search for in any of these fields. If you leave the field
blank, the report shows all items in that field.
You can use wildcard characters. For a full description of the available syntax,
see Appendix A, “Wildcards and Regular Expressions.”
You can access a menu of some commonly used wildcard characters through
the button at right of each field. The functions shown on this menu include:
Any Character
Match any single character (inserts “?” into the query).
Any String
Match any number of characters (inserts “*” into the query).
Character in Range
Match any character in the given range (inserts [ ] into the query; add a
range of characters for example a-z).
Character not in range
Match any character not in the given range (inserts [^] into the query;
add a range of characters for example a-z after the ^).
All
Show all items without limits.
Starting With
Show items starting with the characters entered.
Ending With
Show items ending with the characters entered.
Containing
Show items containing the characters entered.
230
User Guide
For the Classification or Folder field, click the button to the right of the field and
choose Select to view a list of available items. To include one or more items in
a report, select the appropriate boxes.
Note
Either the Select option or wildcard characters (but not both) can be used.
Size
Enter a minimum (and optionally a maximum) message size to search for.
Select a size unit from K (Kilobytes) or M (Megabytes).
Sent Messages Counted
If it is present, this option allows you to choose the way in which sent messages
are counted:
• Once (count of messages sent to MailMarshal by the sender.)
• Per Session (count of resulting messages sent outbound, normally one per
recipient domain.)
• Per Recipient (count of all recipients for all messages.)
Note
The “per session” method most closely reflects Internet bandwidth usage.
Local Domains Only
When you select this box, only information about Local Domains is included in
the report.
Include Internal Traffic
When you select this box, messages sent through MailMarshal between Local
Domains will be included in the totals.
Chapter 10 • Reporting on MailMarshal Activity
231
Costing
Enter values for the cost to send and to receive one megabyte of data. Do not
include a currency symbol. The currency symbol will be supplied from the
system settings.
Message Only
When you select this box, the report shows only a list of messages. If you do
not select this box, actions taken on the messages will also be shown on the
main view of the report. the check box is not selected by default.
Navigating the Report Window
A typical MailMarshal report window is shown below:
232
User Guide
The report window provides several options to customize the view and see
additional details. The Help menu for the report window includes two choices:
general help and help about the specific report.
Toolbar Options
• Close Current View: close the drill-down tab currently showing.
• Print: print a copy of the report, or selected pages. (Printer setup is
available from the File menu)
• Toggle group tree: show a list of available detail items in a separate pane.
Double-click any of these items to jump to it in the main report. If the item
is a group, click the + icon to view the members of the group.
• Magnification: choose the magnification of the report on screen.
• Page selector: shows the number of pages in the report. Choose the page
to view.
Note
The scroll bar in the report window is limited to the current page. Use the
page selector to move between pages.
• Stop button (available while report is being generated): Stop generating
the report. Optionally show the partial report.
Exporting Reports
MailMarshal Reports can be exported (saved) in a variety of formats provided
by the Crystal Reports engine. The presentation quality varies depending on the
format you select. In general the best formats to use are: Crystal Report,
DHTML, text, Excel, and RTF.
Chapter 10 • Reporting on MailMarshal Activity
233
Begin exporting a report by right-clicking on the report name and choosing
Export, or by clicking the Export icon from the report window toolbar.
Note
Drill-down pages are only available in the Crystal Report 8.0 export format. All
other export formats show only the main report view.
Export Options
Selecting Export, either from the report window or by right-clicking on a
report name, opens the export options window. You can also open this
window by selecting a report name and choosing Export Options from the
Action menu. The options you select become the defaults for the report
instance.
On the first page of the Export Options window, choose how to create the
export:
• File saves the export as a file. The reports engine enters a name by default.
To select a specific name, use the browse button or type a file name in the
field.
• Application opens the export directly in the required application (such as
Internet Explorer or Lotus 123). Clear the check box Use Temporary File
to save the data in a permanent named file as well.
• Email attaches the exported data to an email message using the default
email application.
Depending on the type of export chosen, you may have additional options to
choose from.
234
User Guide
Email Options
The report will be attached to the email as a file of the type you choose on the
export options window.
• Send to: Enter the email address to which the message should be sent.
• Copy to: Optionally enter an email address to which the message should be
CC'd.
• Subject: Optionally enter a subject for the email message.
• Message: Optionally enter a message body describing the attachment.
HTML Options
Use these options when exporting a report in HTML format.
• Generate navigation buttons: The engine will add links at the bottom of
each page to jump to the first, next, previous, or last page of the report.
• Create all output on one page: The engine will create a single HTML
document for all output. Page divisions will show as lines.
Pagination Options
Use this option when exporting a report to paginated text.
• Lines per page: Set the number of output lines between page break
characters.
Chapter 10 • Reporting on MailMarshal Activity
235
Separator Options
Use these options are when creating a values text file (character separated
values, comma separated values, data interchange format, and tab separated
values).
• Format numbers as in report: The engine will output numbers with text
formatting (such as comma separation of thousands). Clearing this box
causes numbers to be output in a basic format.
• Format dates as in report: The engine will output dates with text
formatting. Clearing this box causes dates to be output in a basic format.
You can select from the following additional options for character separated
values only:
• Field separator: Determines the character (or characters) marking the
boundary between two fields. A commonly used value is the comma. In
addition to printable characters, special separators you can choose include:
Field Entry
Separator used
\t
Tab character
\n
New Line character
\r
Carriage Return
\0
NUL character (Hexadecimal 00)
\\
\ (backslash)
\xHH
Any character (two hexadecimal digits)
• String delimiter: Determines the character (or characters) marking the
beginning and end of field text. You can use the same values as for field
separators. A commonly used value is the quote character. This field can
also be blank, in which case the engine will not add a field delimiter.
236
User Guide
Chapter 11
Delegating Spam and Quarantine
Management
In some cases when MailMarshal quarantines an email message as suspicious,
the recipient or sender wants the message to be released to its destination. If an
organization generates a large number of these cases, the email administrator
may not have the time required to review them. This situation is likely to arise
with messages that MailMarshal has classified as Spam.
MailMarshal provides several options that allow the administrator to delegate
the responsibility for reviewing these messages and taking action:
• Departmental administrators or help desk personnel can have permission to
process the messages in selected quarantine folders, using the MailMarshal
Console or Web Console.
• Each email user can receive a daily summary of their incoming messages
that have been quarantined, through MailMarshal digest emails.
Chapter 11 • Delegating Spam and Quarantine Management
237
• Each email user can have permission to review and release messages
quarantined in one or more folders, through the MailMarshal Spam
Quarantine Management Web site. This facility is specifically designed to
allow users to review messages that have been classified as Spam, but it can
be used for other classifications. It also allows each user to refine the Spam
classification by maintaining personal lists of safe and blocked senders.
• Where a policy requires a small number of messages to be held for review,
users can receive notice of each message and release it by email using the
MailMarshal Message Release facility.
Setting Up Console Access
MailMarshal controls access to the features of the Console through Access
Control Lists (ACLs) that contain Windows user information.
For general information about setting Console security and access, see “Setting
Console Security” on page 185.
To allow a user to use the MailMarshal Console to release messages from
quarantine:
1. Grant the user the Console permission Console and Folder Connect.
2. For each quarantine folder the user is allowed to manage, grant the
appropriate permissions. For instance, you could grant a help desk user
group the permissions Read and Release. These permissions do not allow
the user to see the content of messages.
238
User Guide
Setting Up Spam Quarantine Management
Features
The MailMarshal Spam Quarantine Management system includes a Web site that
allows users to review and release email quarantined in one or more folders
that you specify. The Web site also allows each user to maintain lists of allowed
senders and blocked senders. You can use these lists in MailMarshal rules to
help determine whether email sent to that user is Spam.
For information about setting up the Spam Quarantine Management Web site,
see “Installing MailMarshal Web Components” on page 47.
Spam Quarantine Management Windows
The Spam Quarantine Management Web site includes the following windows:
Log In
Allows a user to enter an email address and password to log in to the
Spam Quarantine Management Web site. Also allows a user to request a
login and to request a new password. MailMarshal only uses this
window if you configure the site to use authentication by email address
and password.
Home
Allows a user to view a menu of available options with brief
explanations.
Review blocked email
Allows a user to review a list of email quarantined in a folder. The user
can view, release or delete each message. If more than one folder is
available through this site, the window shows a list of folders the user
can review.
View message details
Allows a user to view the body and additional details of a message from
the list of blocked email. The user can release the message or delete the
message.
Chapter 11 • Delegating Spam and Quarantine Management
239
Edit list of safe senders
Allows a user to add, edit, or delete entries in a list of safe email
addresses. MailMarshal uses this list in the rule condition “Where sender
is/is not in recipient’s safe senders list.”
Edit list of blocked senders
Allows a user to add, edit, or delete entries in a list of blocked email
addresses. MailMarshal uses this list in the rule condition “Where sender
is/is not in recipient’s blocked senders list.”
Add alternate email addresses
Allows a user to add or delete entries in a list of email addresses that
they can manage using this login. Before adding a requested address to
the list, MailMarshal requests confirmation by sending a message to the
email address. The user must click a link in the message and confirm
the request.
Let another user review my blocked email
Allows a user to delegate the power to review their blocked email to
one or more other users. The delegates will also be able to edit the
user’s blocked and safe senders lists. The delegates can choose which
user’s email to review using a list at the top of the window. Depending
on the site authentication setting, delegation is by email addresses or
Windows user names.
Change password
Allows a user to change the password associated with their login (email
address) for this site. MailMarshal only uses this window if you
configure the site to use authentication by email address and password.
Help
Each window includes a link to a Help window that provides additional
information about fields and functions.
240
User Guide
Setting Up Folders and Templates
The primary use of the Spam Quarantine Management Web site is to allow users
to review messages that MailMarshal has quarantined as Spam. You can
configure the site to manage one or more folders used for this purpose. You
can also configure the site to manage folders that are used for other purposes.
Each folder managed by the Spam Quarantine Management Web site can
contain either messages sent to local users or messages sent by local users, but
not both.
To set up folders to manage Spam with the Spam Quarantine
Management Web site:
1. Create or edit a MailMarshal folder. See “Using Email Folders and Message
Classifications” on page 152. The default configuration provided with
MailMarshal 6.0 uses the folder “Spam - Suspect” to quarantine messages
that are likely candidates for user review.
2. On the Options tab of the folder properties, choose the setting Enable Enduser Management for this folder.
3. Choose the setting Folder is used to manage inbound messages.
4. If you want each user to receive a digested notification of messages
addressed to them that have been quarantined in this folder, select the
check box Send a digest notification, and select the schedule and
template to be used for the notification.
5. Repeat Steps 1 to 4 for each folder you want to set up for Spam Quarantine
Management.
Chapter 11 • Delegating Spam and Quarantine Management
241
Setting Up Rules
MailMarshal places email in quarantine folders through rule action.
To set up Spam Quarantine rules:
1. Create MailMarshal rules to move Spam messages into each folder you have
created. If you are using the default configuration provided with
MailMarshal 6.0, rules are included in the Anti-Spam policy group to move
Spam messages into several folders.
2. Within the rule or rules, use the condition “Where the sender is in the
recipient’s allow list.” Configure the rule so that messages that meet this
condition are not quarantined as Spam.
3. Within the rule or rules, use the condition “Where the sender is in the
recipient’s block list.” Configure the rule so that messages that meet this
condition are quarantined as Spam.
Note
If you are using the default configuration provided with MailMarshal 6.0, the
rules included in the Anti-Spam policy group use these conditions.
4. When a user releases a message, MailMarshal continues processing the
message. In this case MailMarshal begins processing using the rule
immediately after the rule that quarantined the message.
Setting Up Spam Quarantine Management for Other Folders
You can configure any MailMarshal folder to be managed through the Spam
Quarantine Management Web site.
Note
Each folder can be used for inbound or outbound messages, but not both.
242
User Guide
To set up folders to manage other messages with the Spam Quarantine
Management Web site:
1. Create or edit a MailMarshal folder. See“Using Email Folders and Message
Classifications” on page 152.
2. Choose the setting Enable End-user Management for this folder.
3. Choose the setting Folder is used to manage inbound messages or
Folder is used to manage outbound messages as appropriate.
4. If the folder is used to manage inbound messages and you want
each user to receive a digested notification of messages addressed to
them that have been quarantined in this folder, select the check box Send a
digest notification, and select the schedule and template to be used for
the notification.
5. Repeat Steps 1 to 4 for each folder you want to set up for Spam Quarantine
Management.
Using the Message Release External Command
Some MailMarshal administrators set up rules that quarantine small volumes of
email for specific reasons. For instance, an Acceptable Use Policy could require
that the sender or an administrator must “click to confirm” before sending or
receiving some types of content.
MailMarshal provides a message releasing function for these situations. Message
Releasing allows MailMarshal to send an email notification when it quarantines
a message. Simply by replying to the notification, a user can release the original
message from quarantine.
Chapter 11 • Delegating Spam and Quarantine Management
243
To use automatic message release:
1. Create or modify a Mail Marshal rule which moves certain messages to a
folder.
2. In this rule, include a rule action which sends a notification message. The
body of this message must contain the variable {ReleaseProcessRemaining}
or {ReleasePassThrough}. See the pre-configured template Automatic
Message Release Outbound for an example.
Notes
•
The message template must include a plain text message body. It may
include a HTML body as well.
•
The From address must be one which guarantees that replies will pass
through MailMarshal. The address need not be valid but it must be wellformed.
To process message release requests, create a MailMarshal rule similar to the
following:
Where addressed to [email protected]
Run the external command Message Release
And write log message(s) with Release Requests
And delete the message
(The logging classification “Release Requests” is pre-configured.)
Automatic Message Release should be used sparingly as it tends to defeat
MailMarshal's purpose. The {ReleaseProcessRemaining} variable is preferred
because it forces all messages to be evaluated against all rules.
244
User Guide
If MailMarshal is used in an array, the following additional considerations apply:
• The MailMarshal Engine service on email processing servers must run using
a Windows credential that the Array Manager can validate. If the email
processing servers are not in the same domain as the Array Manager you
can create accounts with matching user names and passwords in each
domain.
Note
Windows Server 2003 does not accept accounts with matching user names
from other domains.
• If the array includes more than one email processing server, you must use
more complex rules to route the release requests to the correct MailMarshal
server. For more information see the white paper “MailMarshal SMTP with
Automatic Message Releasing,” available from the MailMarshal support page
at netiq.com.
If you want to be notified of failed message release attempts, you can run the
external command as a rule condition rather than an action. The Message
Release executable returns 0 on success and 1 on failure.
By default the Message Release executable releases the message to all recipients
and deletes the message after releasing it. You can use two parameters to
modify this behavior:
• To leave a copy of the message on the server after releasing it, edit the
external command definition. In the properties, change the parameters field
to read
-l {MessageName}
(the parameter is a lower case letter L).
Chapter 11 • Delegating Spam and Quarantine Management
245
• You can also configure the message release facility to release the message
only to the user requesting it. Typically you would use this option in the
case of incoming messages addressed to more than one user. Edit the
external command definition. In the properties, change the parameters field
to read
-r {From} {MessageName}
The message will be released only to the email address from which the
request was sent. This need not be one of the original recipients. The
message will be left on the server and can be released again.
Note
These options can result in a message being sent to a user more than once.
246
User Guide
Appendix A
Wildcards and Regular Expressions
MailMarshal supports a simple wildcard syntax when you enter several types of
information including local domains, user groups, and report parameters.
MailMarshal also uses a full Regular Expression syntax for matching and
substitution in Header Rewrite rules.
Wildcard Characters
MailMarshal allows wildcard entries in the following contexts:
• Local domains. See “Completing the Configuration Wizard” on page 38.
• User and Group matching for policy groups and rules. See “Understanding
User Matching” on page 88.
• The Console search and filtering options. See “Using the MailMarshal
Console” on page 173.
• Report parameters. See “Entering Parameters” on page 228.
Appendix A • Wildcards and Regular Expressions
247
In each of these types of entry, MailMarshal supports this syntax:
Character
Function
*
Matches any number of characters
?
Matches any single character
[abc]
Matches a single character from a b c
[!abc] or [^abc]
Matches a single character except a b or c
[a!b^c]
Matches a single character from a b c ! ^
[a-d]
Matches a single character in the range from a to d inclusive
[^a-z]
Matches a single character not in the range a to z inclusive
The table below gives some examples of results of the wildcard syntax.
Pattern
matches
*.ourcompany.com
pop.ourcompany.com
hq.ourcompany.com
etc.
*.mail[0-9].ourcompany.com
mail5.ourcompany.com
but not
maila.ourcompany.com
mail[!0-9].ourcompany.com
mails.ourcompany.com
but not
mail3.ourcompany.com
Note
The !, -, and ^ are special characters only if they are inside [ ] brackets.To be a
negation operator, ! or ^ must be the first character within [ ].
248
User Guide
Regular Expressions
MailMarshal uses regular expressions in header matching and rewriting rules.
For more information about these rules, see “Standard Rules” on page 85.
MailMarshal also uses regular expressions in category scripts. For more
information about category scripts, see the white paper MailMarshal for AntiSpam, available from the MailMarshal support page at netiq.com.
MailMarshal implements a full-featured regular expression syntax. Full
documentation of this syntax is beyond the scope of this manual. For additional
documentation and links to further information, see NetIQ Knowledge Base
article NetIQKB29755.
This appendix provides limited information about some commonly used
features and some extensions specific to MailMarshal.
Shortcuts
The arrow to the right of each field on the matching/substitution page of the
header rule wizard provides access to some commonly used Regular Expression
features.
Selection
Inserts
Usage
Any Character
.
Matches any single character.
Character in range
[]
Enter a range or set of characters to be
matched within the brackets. For instance, to
match lower case characters you could enter
a-z between the brackets.
Character not in range
[^]
Enter a range or set of characters after the ^.
Matches any character not in the set.
Beginning of line
^
Text to the right of the ^ will only match if
found at the beginning of the line.
End of line
$
Text to the left of the $ will only match if
found at the end of the line.
Appendix A • Wildcards and Regular Expressions
249
Selection
Inserts
Usage
Tagged expression
()
The content within the parentheses will be
considered as a single expression for repeat
purposes. This expression will be saved for
use within the substitution field.
Or
|
The field will be matched if it matches either
the expression before the | or the expression
after the |.
0 or more matches
*
The expression before the * will be matched
if it is repeated any number of times,
including zero.
1 or more matches
+
The expression before the + will be matched
if it is repeated at least once.
Repeat
{}
Enter a number or two numbers separated
by a comma within the braces. The
expression before the braces will be
matched if it is repeated the number of times
specified. See “Repeat Operators * + ? {}” on
page 251.
Whitespace
[[:space:]]
Matches a single whitespace character
(space, tab, and so on.).
Alphanumeric character
[[:alnum:]]
Matches a single letter or number character.
Alphabetic character
[[:alpha:]]
Matches a single letter character.
Decimal digit
[[:digit:]]
Matches a single number character 0-9.
Reserved Characters
Some characters have special meanings within regular expressions.
Operators
The following characters are reserved as regular expression operators:
250
User Guide
* . ? + ( ) { } [ ] $ \ | ^
To match any of these characters literally, precede it with \
For example, to match netiq.com enter netiq\.com
Wildcard Character .
The dot character . matches any single character.
Repeat Operators * + ? {}
A repeat is an expression that occurs an arbitrary number of times.
An expression followed by * can be present any number of times, including
zero. An expression followed by + can be present any number of times, but
must occur at least once. An expression followed by ? may occur zero times or
once only. You can specify a precise range of repeated occurrences as a
comma-separated pair of numbers within {}. For instance,
ba* will match b, ba, baaa, etc.
ba+ will match ba or baaaa for example but not b.
ba? will match b or ba.
ba{2,4} will match baa, baaa and baaaa.
Parentheses ( )
Parentheses serve two purposes:
• To group items together into a sub-expression. You can apply repeat
operators to sub-expressions in order to search for repeated text.
• To mark a sub-expression that generated a match, so it can be used later for
substitution.
For example, the expression (ab)* would match all of the string
ababab
Appendix A • Wildcards and Regular Expressions
251
The expression “ab” would be available in a variable (tagged expression) with a
name in the range $1...$9 (see the matching and substitution examples in
following sections).
Alternatives
Alternatives occur when the expression can match either one sub-expression or
another. In this case, each alternative is separated by a |. Each alternative is the
largest possible previous sub-expression (this is the opposite to repetition
operator behavior).
a(b|c) could match ab or ac
abc|def could match abc or def
Examples
Matching
The expression
(.+)@(.+)\.ourcompany\.com$
will match a sequence of 1 or more characters followed by an @ followed by
another sequence of 1 or more characters, followed by .ourcompany.com at the
end of the field.
That is, it will match [email protected] and
[email protected] but not
[email protected]
Substitution
Using the example given in the preceding section, the substitution expression
[email protected]$2.co.uk.eu
252
User Guide
would yield [email protected], [email protected] and
[email protected] respectively. The last result may be somewhat
surprising, but data that does not match part of the regular expression is simply
copied across.
Map Files
MailMarshal allows substitution using regular expressions to search for an entry
in text file known as a map file. Each line in the map file contains two values
separated by a comma. If the search expression matches the first value in a line,
MailMarshal substitutes the second value. If the search expression does not
match the first value in any line, MailMarshal substitutes the search expression.
A typical use of map files is to redirect incoming email to arbitrary addresses.
The following simple example modifies email addresses using a map file.
Map file
[email protected], [email protected]
[email protected], [email protected]
Search expression
(.+)@domain\.co\.uk$
Lookup key
[email protected]
Appendix A • Wildcards and Regular Expressions
253
Sample results
254
Input Email Address
Result
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
User Guide
Glossary
access control list (ACL). A table that
tells a computer operating system which
access rights each user has to a particular
system object, such as a file directory or
individual file.
array manager. A MailMarshal service
that controls configuration for all email
processing servers and connects to the
MailMarshal database. Also, the server
running the array manager service.
Acceptable Use Policy (AUP). Rules
and regulations governing the use of
organizational email and Internet
browsing.
attribute. Computer characteristic,
typically defined by a registry key or
value.
Active Directory. The directory service
implemented in the Windows 2000 or
later environment to store often accessed
information. It contains information about
users, groups, computers, organizational
units, and domains.
alert. An indication of a significant event.
Alerts are generated by MailMarshal
services.
array. A group of MailMarshal email
processing servers that use the same
policy.
component. Individual part of a
MailMarshal implementation that
performs a specific function. For
example, an email processing server,
Array Manager, or database is a
MailMarshal component.
computer name. A name that uniquely
identifies a computer on a network. The
computer name cannot be the same as
any other computer or domain name on
the network. The network uses the
computer name to identify the computer
and to allow other users to access the
shared resources on that computer.
Glossary
255
Configurator. Interface that allows you
to edit email policy and configure email
delivery and server settings.
Console. Interface that allows you to
monitor email traffic and manage
quarantined email. Intended to be used
by email administrators, managers, and
help desk personnel.
distinguished name. An address format
used to locate and access objects in an
X.500 directory using the LDAP protocol.
This format specifies the complete path to
the object through the hierarchy of
containers in a domain. Each
distinguished name is unique. For
example, in Windows 2000 or later a user
object with the common name J. Doe in
the organizational unit container called
Users on the domain NetIQ.com might be
represented as follows:
DMZ. A part of a local network that has
controlled access both to the Internet and
to the internal network of the
organization. Servers that provide
gateway services for an organization are
typically located in a DMZ.
DNS blacklist. A service that provides an
automated response through the DNS
protocol. DNS blacklists typically attempt
to list email servers that are associated
with Spamming, open relays, or other
unacceptable behavior.
Domain Name Service (DNS). The
Internet service that translates domain
names into IP addresses.
email processing server. A MailMarshal
server that accepts SMTP email messages
and takes action as defined in the
organizational email policy.
CN=JDoe,OU=Users,DC=NetIQ,DC=com
DNS. See Domain Name Service (DNS).
DLL. A library of executable functions or
data that can be used by a Windows
application. Typically, a DLL provides
one or more particular functions and a
program accesses these functions.
Extended Simple Mail Transfer
Protocol (ESMTP). A standard that
defines optional additions to the SMTP
email protocol.
event. Any significant occurrence in the
system or application that requires user
notification or an entry to be added to an
event log.
event log. A record of any event that
happens on a server. In Windows, events
are stored in the System, Security, or
Application log.
256
User Guide
Extensible Markup Language (XML). A
data tagging language that permits the
storage and interchange of structured
data.
firewall. A security system that is placed
between the Internet and the private
network of an organization, or within a
network, and only passes authorized
network traffic.
local area network (LAN). A group of
computers in the same place that are
connected and typically have the same
network operating system installed. Users
on a LAN can share storage devices,
printers, applications, data, and other
resources.
mailbox. A disk storage space assigned
to a user account to receive incoming
email messages.
fault tolerance. The ability of a product
to respond to a catastrophic event (fault)
that ensures no data is lost and that any
work in progress is not corrupted.
MDAC. See Microsoft Data Access
Components (MDAC).
hyperlink. An emphasized portion of
text on a window that, when clicked,
opens another document or window.
Microsoft Data Access Components
(MDAC). A set of network libraries and
programming interfaces designed to
allow client applications to connect to
data providers such as SQL databases.
Lightweight Directory Access
Protocol (LDAP). A network protocol
designed to work on TCP/IP stacks to
extract information from a hierarchical
directory such as X.500. It is useful for
searching through data to find a
particular piece of information. An
example of an LDAP directory is the
Active Directory in Windows 2000 or
later. Objects in an LDAP directory are
identified by their distinguished names.
Microsoft Management Console
(MMC). A common interface designed to
host administrative tools for networks,
computers, services, and other system
components.
Multi-Purpose Internet Email
Extensions (MIME). A standard that
permits transmission of content other
than text through SMTP email.
Microsoft SQL Server Desktop Engine
(MSDE). A freely distributable limited
version of SQL Server.
Glossary
257
open relay. An email server that accepts
messages from any server for delivery to
any other server. Open relays are often
exploited by Spam senders.
remote procedure call (RPC). A
standard protocol for client server
communication that allows a distributed
application to call services available on
various computers in a network.
permissions. Authorization for a user to
perform an action, such as sending email
messages for another user or posting
items in a public folder.
scalability. Ability to distribute loads
across multiple servers, allowing for
greater accessibility and balanced traffic.
Post Office Protocol 3 (POP3). The
standard protocol used by email client
software to retrieve email messages from
a mailbox.
security identifier (SID). A unique
value in Windows NT and Windows 2000
or later that identifies a user account,
group, or computer account in a domain.
queue. A storage structure in which a set
of items are held until they can be
processed. For example, when
MailMarshal receives email messages, the
messages are stored in a queue until the
MailMarshal Engine can process them.
service account. In Windows NT and
Windows 2000, a user account that a
service uses to log on to Windows NT or
Windows 2000. The account must have
the specific rights and permissions
required by that service.
registry. A database repository for
information about the computer
configuration. The database is organized
in a hierarchical structure of sub trees and
their keys, hives, and value entries.
Simple Mail Transfer Protocol
(SMTP). A member of the TCP/IP suite of
protocols. The standard governing email
delivery over the Internet.
regular expressions. Search criteria for
text pattern matching that provide more
flexibility than simple wildcard
characters.
relaying. Sending an email message to
an email server for delivery to another
server. See open relay.
258
User Guide
SMTP. See Simple Mail Transfer Protocol
(SMTP).
Spam. Unsolicited email messages,
usually of a commercial nature.
SpamCensor. The proprietary Spam
detection technology incorporated in
MailMarshal. SpamCensor includes a
multi-faceted message analysis tool and
regular definition updates.
Spam Quarantine Management Web
site. Interface that allows a user to review
and release their email messages that
MailMarshal has quarantined.
spoofing. Disguising the sender address
of an email message to make it appear as
though it is from another person, usually
for malicious reasons.
SQL Server. The Microsoft enterprise
database server software.
Structured Query Language (SQL). A
programming language used to retrieve
information from a database.
TextCensor. The lexical analysis engine
included in MailMarshal. TextCensor
allows you to scan email messages and
attachments for complex text content,
using Boolean and proximity operators
and numerical weighting.
Web Console. Interface that allows you
to perform Console functions from any
computer that can run Microsoft Internet
Explorer. See Console.
wildcard character. A character in a
search pattern that represents a number
of arbitrary characters within the text
being searched.
X.500. A global, hierarchical directory
service. For example, a domain controller
hosting Active Directory on a network
running Windows 2000 or later provides
an X.500 directory service.
XML. See Extensible Markup Language
(XML).
Glossary
259
260
User Guide
Index
A
Accept message 113
Acceptable Use Policy 67, 131
Accounts 80, 102, 105, 201
Actions. See Rule Actions
Active Directory 45, 119, 121
Add message users 111
Administrative notifications 40, 71, 135
Administrator email addresses 40
Advanced options 212
Alert History 185
Aliases, email 202
Alternate host, email delivery 42
Anti-relaying 67, 75, 101
Anti-Spam 69, 100
Anti-Virus 72
Archiving 155, 176, 224
Array Manager 16, 33, 215
Array of servers 16, 33, 208
Array options
Delivery 205
Local domain 200
Managing nodes 208
ASP.NET 31
Attachment fingerprints 91, 183
Attachment parent 98
Attachment size 98
Attachments
Checking name 93
Checking parent type 98
Checking size 98
Checking text 125
Checking type 91
Counting 100
Scanning for viruses 95
Stripping 108
Unpacking depth 212
Valid fingerprints 91, 110
Authentication method, Spam Quarantine
Management 49
B
Back up
Configuration 194
Folders 224
Messages 224
TextCensor scripts 131
Bandwidth required 93
BCC 107
Best practices 89, 131, 151, 201
Block receipt 113
Blocked Hosts 80
Index
261
C
Category scripts 100
Classifications 108, 152, 153
Commit configuration 61, 174, 175, 196,
208
Conditions. See Rule Conditions
Configuration
Back up and restore 194
Importing and exporting 221
MailMarshal properties 60
Configuration Wizard 38
Configurator, MailMarshal 58
Connectors 119
Console, MailMarshal
Security 185
Understanding 61
Web Console 62
Controller, MailMarshal 8
Copy the message 106
Crystal Reports 233
D
Daily administration 171
Data retention 223, 224
Database
Changing location 215
Connecting to 225
Size 223
Date formatting 148
Dead Letters
Causes 96, 97, 108, 168, 169
Defined 155
Delegating
Console Access 238
Quarantine management 239
262
User Guide
Spam management 239
Delete message 112
Delivery, email 21, 23, 203, 205
Deployment scenarios 12
Dial-Up 206
Digest templates 138
Directory 220
Directory connectors 45, 119
Disclaimers. See Message stamps
Distributed enterprise 17
DMZ 16, 185
DNS 22, 23, 26, 27, 41, 44, 55, 204, 205
DNS blacklists 76, 105
Domains 22, 26
See also Local Domains
Drill-down 233
E
eicar.com 43
Email batching 206
Email content policies 67, 68
Email headers
Matching 99
Rewriting 109
Email history 183
Email messages
Forwarding 178
Processing logs 180
Processing manually 181
Retention 179
Viewing 177
Email policy
Default 81
Understanding 83
Viewing and printing 116
Email policy elements 117
Email processing server
Adding or deleting 209
Changing array port settings 215
Installing 33
Email transport policies 68
Engine, MailMarshal 8
Enterprise installation 17
ESMTP
Authentication 80, 102
Connection 104
Spoofing criterion 102
Event Log 189
Exporting
Configuration 194
Reports 233
TextCensor scripts 130
External commands
Configuring 166
Message release 243
Rule action 107
Rule condition 97
F
Fallback host, email delivery 205
False positives
Spam 237
TextCensor scripts 132
File extension 93
File name 93
File type signatures, custom 91
File types 91
Filtering email 67
Firewall 22, 41, 44, 204, 205
Folders
and virus scanning 42
Archive 156, 176, 177
Compression of 25
Dead Letter 169, 176
Default permissions 187
Default security 187
Locations 24, 216
Logging 25
Parking 156
Permissions 188
Physical path 157
Quarantine 26, 155
Queues 25
Searching 184
Security 157, 185, 188
Setting up Spam Quarantine
Management 241
Standard 156
Unpacking 25
Using 152
Viewing contents 176
Forwarding host, email delivery 41
G
Goto action 112
H
Hardware requirements 17
Header Matching
Map Files 253
Header matching 99
Header rewriting
Map files 253
Order of evaluation 166
Rule action 109
Index
263
Headers, email
Altering 160
Deleting 164
Inserting 164
Matching 159
Rewriting 160
History. See Alert History, Email History
HTTPS 69
I
Importing
Configuration 194
TextCensor scripts 130
User Groups 220
Users 45
Installation
Array 33
Standalone server 31
Installation options 12
ISP 22, 41, 204, 205
K
Keys, MailMarshal license
Entering 194
Invalid 193
Requesting 193
Required 191
Trial 38
L
M
Mail batching 176, 206
Mail Recycle Bin 176, 178, 179
MailMarshal Today 174
Manager security 207
Message parking 112, 176
Message release 243
Message size 92, 104
Message stamps 109, 141
Message templates 134
Microsoft Internet Information
Services 31
Microsoft SQL Server 18
Move the message 111
MX record 13, 23, 44, 55, 197
N
LDAP
Configuring connectors 119
Creating connectors 45
Customizing connectors 120
User groups 121
264
License key. See Keys
Licensing 191
Local domains
and license keys 192
Configuring 38, 197
Defined 22
Delivery 211
Spoofing 101, 102
User matching 88
Localhost 15, 24
Local-part relay attempt 76
Logging
Classifications 108
Daily log files 190
User Guide
Named Instances, SQL 31
NetIQ Integrated McAfee Antivirus 72
Node. See Email processing server
Notification message 107
Notifications 96, 107, 134, 167
Number of attachments 100
Number of recipients 98
O
Open relay. See Anti-relaying
Order of evaluation 110, 126, 128, 129
P
Parameters, report 228
Pass message to rule 112
Performance Monitor 190
Policy groups
Creating 84
Order of evaluation 114
POP3 22, 197, 201
See also Accounts
Ports. See TCP ports
Postmaster. See Administrative
notifications
Prerequisites 17, 19, 31
Properties configuration 60
Properties, MailMarshal Manager 60
Properties, Node 60
Properties, Server and Array 60
Proxy settings 71
PTR lookups 78
Q
Quarantine 155, 181
Quarantine Management 237
Quarantine Synchronization 217
Quarantine Upgrade 218
Queued domains 176
Queued messages 176
R
Receiver, MailMarshal 8
Refuse message 113
Regular expressions 158, 249
Relay domain 197
Relay server 41, 44, 205
Relaying
See also Anti-Relaying
Allowing 75, 104, 105, 113
Allowing outbound 39
Blocking 67
Defined 75
Release Message 181
Report window 232
Reporting groups 224
Reports
Classifications 108
Console 63
Exporting 233
Installing 47
Prerequisites 19
Using 223
Restore
Configuration 194
Routing, email 21, 22
Rule based 110
RTF message stamping 142
Rule actions
Receiver 113
Standard 106
Rule conditions
Receiver 103
Standard 90
Rule user matching 86, 88, 89
Rules
Creating 85
Global header rewriting 158
Order of evaluation 114
Index
265
Receiver 85
Spam Quarantine 242
Standard 85
Rulesets. See Policy groups
T
S
Schedules
Folder 112
Policy groups 84
User group reload 46
Searching
Email history 184
Folders 184
Security
Console 185
Folders 157
Manager 207
Sender, MailMarshal 8
Sender’s IP address 104
Server health 171
Server name 211
Server Properties. See Properties, Server
and Array
Server statistics 174
Server threads 213
Server, Email processing 208
Set message routing 110
Signatures. See Message stamps
SMTP 21, 24
Software requirements 17, 18, 19
Spam 67, 68, 98, 100, 224, 237, 242
Spam Quarantine Management 47, 64,
239
SpamCensor 69
Spoofing 100, 101, 102
Stamp message 109
Standalone server 13, 14, 15, 31
266
Storage requirements 224
Subject line 109, 125, 151
System requirements 26
User Guide
TCP ports
25 14, 15, 16, 20
53 20
80 20
97 15
110 14, 21
443 20
1433 21, 47, 31
19001 16, 20, 174
Templates
Administrative 135
Digest 138, 241
Notification 107, 136
Terminal actions 105, 111, 112
TextCensor scripts
Editing 127
Operators 126
Rule condition 93
Special characters 125
Syntax 129
Testing 133
Understanding 123
Weighting 127
Timeouts, email delivery 213
Tools, MailMarshal 65
U
UDP 41, 204
Understanding 57, 83, 117
Uninstalling MailMarshal 55
Upgrade 218
Upgrading MailMarshal 52, 192
User groups 120–123
Reloading 121
User Matching. See Rule User Matching
Users 123
Users, importing 45
V
Valid fingerprints 91, 110, 183
Variables 114, 137, 140, 142, 143, 148,
153
Virus cleaning 94, 97
Virus scanners
Configuring 149
Installing and configuring 73
Results 94
Rule condition 94
Virus scanning 67
Viruses 72
W
Web Console 47, 62
Wildcards 129, 247
Index
267
268
User Guide

Similar documents