Email Security 8.0 Administrator’s Guide

Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your system.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are
not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2015 Dell, Inc.
Trademarks: Dell™, the DELL logo, SonicWALL™, MySonicWALL™, Reassembly-Free Deep Packet
Inspection™, Dynamic Security for the Global Network™, SonicWALL Global Response Intelligent Defense
(GRID) Network™, and all other SonicWALL product and service names and slogans are trademarks of Dell,
Inc.
Microsoft Windows, Internet Explorer, and Active Directory are trademarks or registered trademarks of
Microsoft Corporation.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of
their respective companies and are the sole property of their respective manufacturers.
2015 – 01
P/N 232-002500-00
2 | Dell SonicWALL Email Security Administrator Guide
Rev. B
Chapter 1. Planning Email Security Deployment
Dell SonicWALL Email Security and Mail Threats
Defining Email Security Deployment Architecture
Inbound and Outbound Email Flow
Proxy versus MTA
Should You Choose an All in One or a Split Architecture?
Typical Dell SonicWALL Email Security Deployments
Email Security as the First-Touch / Last-Touch Server
Email Security Not as a First-Touch / Last Touch Server
Chapter 2. System
Introduction
License Management
Available Services
License Table
Administration
Email Security Master Account
Password Policy
Invalid Login Policy
Login Custom Text
Quick Configuration
Setting Your Network Architecture
Adding an Inbound Mail Server for All in One Architecture
Adding an Outbound Mail Server for All in One Architecture
Adding a Server for Split Architecture
Adding a Remote Analyzer
Adding a Control Center
Configuring Inbound Email Flow for a Remote Analyzer
Configuring Outbound Email Flow for a Remote Analyzer
Configuring Remote Analyzers to Communicate with Control Centers
Deleting a Remote Analyzer from a Split Configuration
Testing the Mail Servers
Changing from an All in One Configuration to a Split Configuration
Configuring MTA
Mail Transfer Agent Settings
Non-Delivery Reports (NDR)
Email Address Rewriting
Trusted Networks
LDAP Configuration
Configuring LDAP
LDAP Query Panel
Add LDAP Mappings
Multiple LDAP Server Support
Configuring Email Security for Multiple LDAP Servers
User View Setup
Updates
General Settings
Web Proxy Configuration
Monitoring
Configure System Monitoring
Viewing Alerts
Alert Suppression Schedule
System Logging Facility
Connection Management
Intrusion Prevention
Quality of Service
Manually Edit IP Address Lists
Backup/Restore Settings
Manage Backups
Schedule Backup
Managing Restores
Host Configuration
General Settings
HTTPS Settings
Date & Time Settings
Network Settings
CIFS Mount Settings
Advanced
General Settings
Miscellaneous Settings
Reset Settings
Branding
Quick Settings
Packages
Certificates
Settings
Generate CSR
Configure
Audit Trail
Diagnostics
Chapter 3. Anti-Spoofing
How Anti-Spoofing Works
Enabling Inbound SPF Validation
SPF Hard Fail
SPF Soft Fail
Configuring Inbound DKIM Settings
Configuring Inbound DMARC Settings
DMARC Incoming Reports
Configuring Outbound DKIM Settings
Generating DNS Record
Using Outbound DKIM Settings
Chapter 4. Anti-Spam
Managing Spam
Spam Identification
Default Spam Management
Address Books
Using the Search Field
Adding People, Companies, or Lists
Deleting People, Companies, or Lists
Import Address Book
Anti-Spam Aggressiveness
Configuring GRID Network Aggressiveness
Configuring Adversarial Bayesian Aggressiveness Settings
Unjunking Spam
Determining Amounts and Types of Spam
Languages
Black List Services (BLS)
Adding to the Black List
Email that Arrives from Sources on the Black Lists Services
Spam Submissions
Managing Spam Submissions
Probe Accounts
Managing Miscategorized Messages
Forwarding Miscategorized Email to Email Security
Configuring Submit-Junk and Submit-Good Email Accounts
Problem with Forwarding Miscategorized Email
Anti-Phishing
What is Enterprise Phishing?
Preventing Phishing
Configuring Phishing Protection
Using Email Security’s Community to Alert Others
Report Phishing and Other Enterprise Fraud
Domain Keys Identified Mail (DKIM)
Chapter 5. Anti-Phishing
What is Enterprise Phishing?
Preventing Phishing
Configuring Phishing Protection
Chapter 6. Anti-Virus
How Virus Checking Works
Configuring Anti-Virus Protection
Checking for Updates
Configuring Zombie and Spyware Protection
Configuring Flood Protection
Chapter 7. Auditing
Searching Inbound and Outbound Emails
Audit Simple Search
Audit Advanced View
Configuring Auditing
Using Message Audit
Judgment Details
Chapter 8. Policy & Compliance
Email Security and Mail Threats
Standard Module vs. Compliance Module
Basic Concepts for Policy Management
Defining Word Usage
Defining Email Address Matching
Defining Intelligent Email Attachment Matching
Defining Disguised Text Identification
Inbound vs. Outbound Policy Filters
Preconfigured Inbound Filters
Preconfigured Outbound Filters
Adding Filters
Language Support
Managing Filters
Editing a Filter
Deleting a Filter
Changing Filter Order
Advanced Filtering
Policy Groups
Compliance Module
Dictionaries
Approval Boxes
Encryption
Record ID Definitions
Archiving
Chapter 9. Encryption Service
How Encryption Service Works
Outbound Messages
Enabling the Secure Mail Policy
Licensing Email Encryption Service
Configuring Encryption Service
Whitelisting IP Addresses
Users in Encryption Service
Adding a New User
Updating an Existing User
Adding an Existing User
Importing Users
Exporting Users
Cobrand and Reporting
Sending Secure Mail Messages
Chapter 10. Users, Groups & Organizations
Working with Users
Finding All Users
Sort
Signing In as a User
Edit User Rights
Resetting User Message Management Setting to Default
Add
Remove
Import
Export
Working with Groups
About LDAP Groups
Add a New Group
Finding a Group
Removing a Group
Listing Group Members
Setting an LDAP Group Role
User View Setup
Anti-Spam Aggressiveness
Languages
Junk Box Summary
Spam Management
Phishing Management
Virus Management
Forcing All Members to Group Settings
Assigning Delegates
Working with Organizations
Signing In as an OU Admin
Configuring OU Settings
Removing an Organization
Email Security User Roles
Users and Groups in Multiple LDAP
Users
Groups
Chapter 11. Junk Box Management
Junk Box—Simple View
Junk Box—Advanced View
Outbound Messages Stored in Junk Box
Supported Search in Audit and Junkbox
Boolean Search
Wildcard Search
Phrase Search
Fuzzy Search
Junk Box Settings
Junk Box Summary
Frequency Settings
Message Settings
Miscellaneous Settings
Other Settings
Chapter 12. Reports and Monitoring
Monitoring Methods
System Status
MTA Status
Real-Time System Monitor
Performance Monitoring
Reporting in Email Security
Generating Per-Domain Reports
Overview Reports
Dashboard
Return on Investment
Bandwidth Savings
Inbound Good vs Junk
Outbound Good vs Junk
Inbound vs Outbound Email
Top Outbound Email Senders
Junk Email Breakdown Report
Anti-Spam Reports
Spam Caught
Top Spam Domains
Top Spam Recipients
Anti-Phishing Reports
Phishing Messages
Anti-Virus Reports
Inbound Viruses Caught
Top Inbound Viruses
Outbound Viruses Caught
Top Outbound Viruses
Policy Management Reports
Inbound Policies Filtered
Top Inbound Policies
Outbound Policies Filtered
Top Outbound Policies
Compliance Reports
Inbound Messages Decrypted
Inbound Messages Archived
Top Inbound Approval Boxes
Outbound Messages Encrypted
Outbound Messages Archived
Top Outbound Approval Boxes
Directory Protection
Number of Directory Harvest Attacks (DHA)
Top DHA Domains
Connection Management Reports
Allowed vs Blocked Connections
Blocked Connection Breakdown
Greylisted Connections
DMARC Reporting
DMARC Reports
Configure Known Networks
Scheduled Reports
Customize a Report
Add Scheduled Report
Download Report
Chapter 13. Downloads
Anti-Spam Desktop for Outlook
Junk Button for Outlook
“Send Secure” for Outlook
Chapter 1
Planning Email Security Deployment
Determine the appropriate architecture for Email Security before you deploy it in your network.
This section discusses the different modules available in Dell SonicWALL Email Security and
network topology planning.
Note: For installation and setup instructions for your Dell SonicWALL Email Security solution,
refer to the Email Security Series Getting Started Guide document.
Dell SonicWALL Email Security and Mail Threats
Email Security determines that an email fits only one of the following threats: Spam, Likely
Spam, Phishing, Likely Phishing, Virus, Likely Virus, Policy Violation, or Directory Harvest
Attack (DHA). It uses the following precedence order when evaluating threats in email
messages:
• Virus
• Likely Virus
• Policy Filters
• Phishing
• Likely Phishing
• Spam
• Likely Spam
For example, if a message is both a Virus and a Spam, the message is categorized as a Virus
since Virus is higher in precedence than Spam.
If Dell SonicWALL Email Security determines that the message is not any of the above threats,
it is delivered to the destination server.
Defining Email Security Deployment Architecture
SonicWALL Email Security can be configured in two ways:
• All in One—In this configuration, all machines running Dell SonicWALL Email Security
analyze email, quarantine junk mail, and allow for management of administrator and user
settings.
In an All in One configuration, you can also deploy multiple Email Security servers in a
cluster setup wherein all of the gateways share the same configuration and data files. To
set up such a cluster, begin by creating a shared directory, on either one of the
Dell SonicWALL Email Security servers or on another dedicated server (preferred) running
the same operating system. This shared directory will be used to store data including user
settings, quarantine email, etc., from all the Dell SonicWALL Email Security servers in the
cluster.
• Split—In a Split network configuration, there are two kinds of servers: Control Centers and
Remote Analyzers. In this configuration there is typically one Control Center and multiple
Remote Analyzers, but the Control Center can be set up in a cluster as well. The Split
configuration is designed for organizations with remote physical data centers.
The Split configuration allows you to manage Dell SonicWALL Email Security so that email
messages are filtered in multiple remote locations through multiple Remote Analyzers. The
entire setup is centrally managed from a single location through the Control Center.
Control Center clusters are not supported by the Dell SonicWALL Email Security appliance.
• The Control Center, in addition to managing all data files, controls, monitors and
communicates with all Remote Analyzers. The data files consist of statistical data such as
how much email has been received, network usage, remote hardware space used, and
hourly spam statistics. The Control Center stores or quarantines junk email it receives from
the Remote Analyzers. It also queries LDAP servers to ensure valid users are logging in to
Dell SonicWALL Email Security. End users can log in to a Control Center to manage their
junk mail.
• Remote Analyzers analyze incoming email to determine whether it is good or junk. They send
junk email to the Control Center, where it is quarantined, and route good mail to its destination
server. Only administrators can log in to a Remote Analyzer.
Note: The Replicator is the Dell SonicWALL Email Security component that automatically sends
data updates from the Control Center to the Remote Analyzer, ensuring that these
components are always synchronized. Replicator logs are stored in the Control Center’s
logs directory. You can review replication activity from these logs for troubleshooting
purposes.
Inbound and Outbound Email Flow
Dell SonicWALL Email Security can process both inbound and outbound email on the same
machine. In an All in One configuration, each Email Security instance can support both
inbound and outbound email. In a Split configuration, each Remote Analyzer can support both
inbound and outbound email.
For inbound email flow, DNS configuration and firewall rules must be set to direct email traffic
to Dell SonicWALL Email Security. For outbound email flow, the downstream email
server must be configured to send all email to Dell SonicWALL Email Security (Smart Host
configuration).
Proxy versus MTA
Dell SonicWALL Email Security can run either as an SMTP proxy or an MTA (Mail Transfer
Agent).
The SMTP proxy operates by connecting to a destination SMTP server before accepting
messages from a sending SMTP server. Note that SMTP proxies can only send email to one
server. Some benefits of the SMTP proxy are:
• All processing occurs in memory, significantly reducing the latency and providing higher
throughput.
• There is no queue and Dell SonicWALL Email Security does not lose any email messages.
Dell SonicWALL Email Security automatically respects your existing failover strategies if
your mail infrastructure experiences a failure.
The MTA service operates by writing messages to disk and allows for routing of a message.
Some benefits of the MTA are:
• Able to route messages to different domains based on MX records or LDAP mapping.
• Able to queue messages by temporarily storing messages on disk and retrying delivery
later in case the receiving server is not ready.
• Allows Dell SonicWALL Email Security to be the last touch mail gateway for outbound
traffic.
Should You Choose an All in One or a Split Architecture?
Dell SonicWALL recommends the All in One configuration whenever possible because of its
simplicity. Choose a Split configuration if you need to support multiple physical data centers and
want to centrally manage the deployment from a single location.
Dell SonicWALL strongly recommends that after you deploy the chosen architecture, you do
not change the setup from a Control Center to a Remote Analyzer or vice versa, as there are
no obvious advantages, and some data might be lost. Thus, it is important to make the
deployment architecture decision before installing Email Security.
Typical Dell SonicWALL Email Security Deployments
Email Security as the First-Touch / Last-Touch Server
In a deployment with first-touch and last-touch in the DMZ, change your MX records to point to
the Dell SonicWALL Email Security setup. Also, all the inbound and outbound connections
(typically port 25) for Dell SonicWALL Email Security must be properly configured in your
firewalls.
In this configuration, Dell SonicWALL Email Security can be configured on the inbound path to
be either an SMTP proxy or an MTA. On the outbound path, it must be configured to be an MTA.
This setup can also be extended to a cluster with multiple SonicWALL Email Security servers
all using a shared drive for data location. For more information on routing using Smart Host,
refer to Adding an Inbound Mail Server for All in One Architecture on page 21.
To configure Email Security in this configuration, you also need to:
1. Configure the Email Security server with a static IP address on your DMZ.
2. In your firewall, add an inbound NAT rule that maps the server’s private IP address to an
Internet addressable IP address for TCP port 25 (SMTP).
3. In the public DNS server on the Internet, create an A record, mapping a name such as
smtp.my_domain.com, to the Internet addressable IP address you assigned in step 2.
4. Update your email domain’s MX record to point to the new A record. You need to deploy
Dell SonicWALL Email Security for each MX record.
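A check for step 4, added here as an example (it is not part of the product or of the original guide): given a domain's MX records and the A records behind them, it lists every MX host that does not resolve to an Email Security gateway address, because mail delivered to such a host is never filtered. The record data and the 203.0.113.x addresses are constructed; `smtp.my_domain.com` is the name used in step 3, and `legacy.my_domain.com` is a made-up second MX.

```python
import ipaddress


def uncovered_mx(mx_records, a_records, gateway_ips):
    """Return MX hosts that do not resolve exclusively to gateway addresses.

    mx_records:  list of (preference, hostname) for the mail domain
    a_records:   dict of lower-case hostname (no trailing dot) -> list of IPs
    gateway_ips: public addresses NATed to Email Security (step 2)
    """
    gateways = {ipaddress.ip_address(ip) for ip in gateway_ips}
    findings = []
    for preference, host in sorted(mx_records):
        key = host.rstrip(".").lower()
        addresses = [ipaddress.ip_address(a) for a in a_records.get(key, [])]
        if not addresses:
            findings.append((preference, host, "no A record"))
            continue
        stray = [str(a) for a in addresses if a not in gateways]
        if stray:
            findings.append(
                (preference, host, "bypasses gateway via " + ", ".join(stray))
            )
    return findings


# Constructed sample data: the primary MX points at the gateway, while a
# forgotten secondary MX still points straight at an old mail server.
SAMPLE_MX = [(10, "smtp.my_domain.com."), (20, "legacy.my_domain.com.")]
SAMPLE_A = {
    "smtp.my_domain.com": ["203.0.113.10"],
    "legacy.my_domain.com": ["203.0.113.25"],
}
SAMPLE_GATEWAYS = ["203.0.113.10"]

if __name__ == "__main__":
    for preference, host, problem in uncovered_mx(SAMPLE_MX, SAMPLE_A, SAMPLE_GATEWAYS):
        print(f"MX {preference} {host}: {problem}")
```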
Email Security Not as a First-Touch / Last Touch Server
A network topology where Dell SonicWALL Email Security is not the first-touch and last-touch
SMTP server is not recommended because security mechanisms such as SPF and Connection
Management cannot be used.
In this configuration Dell SonicWALL Email Security can be configured to be either an MTA or
a proxy.
Chapter 2
System
Introduction
In this chapter, you will learn how to configure the system more extensively and learn more
about additional system administration capabilities.
This chapter contains the following sections:
• License Management on page 16
• Administration on page 18
• Setting Your Network Architecture on page 21
• Configuring MTA on page 31
• Email Address Rewriting on page 34
• Trusted Networks on page 35
• User View Setup on page 42
• Updates on page 44
• Monitoring on page 46
• Connection Management on page 51
• Backup/Restore Settings on page 61
• Host Configuration on page 63
• Advanced on page 67
• Branding on page 70
• Certificates on page 73
• Audit Trail on page 76
License Management
The License Management page allows you to view current Security and Support Services for
your Dell SonicWALL Email Security solution.
Serial Number—The serial number of your Dell SonicWALL Email Security
appliance/software.
Authentication Code—The code you entered upon purchasing the
Dell SonicWALL Email Security appliance/software.
Model Number—The model number of the Dell SonicWALL Email Security appliance. If you
are using the Dell SonicWALL Email Security software, the model number is listed as Software.
Manage Licenses—Clicking this button allows you to log in to your mySonicWALL.com
account to register appliances and manage all security services, upgrades, and changes.
Refresh Licenses—Click this button to manually synchronize the state of licenses on this
server with the mysonicwall.com website. Upon successfully synchronizing, the licenses on
your appliance or software are automatically updated to those on your online account. Note that
once your appliance or software is successfully registered, the Email Security server contacts
the online license manager once every hour and updates to the most recent information.
Upload Licenses—Click this button to manually update your licenses. This feature is useful in
the event that you are unable to use the dynamic licensing feature for any reason. Before
clicking this button, download a license file from the mysonicwall.com website. Then, click the
Choose File button, select the license file you downloaded, and click the Upload button. Your
product’s licenses will update based on the license file.
Note that the hourly license update will synchronize with the online license manager, and
overwrite licenses applied by the offline method.
Available Services
Dell SonicWALL Email Security comes with several services that must be licensed separately.
For maximum effectiveness, all services are recommended. The following services are available:
• Email Security—The standard license that comes with the software and enables basic
components. This license allows the use of basic policy filters.
• Email Protection Subscription (Anti-Spam and Anti-Phishing)—This license protects
against email spam and phishing attacks.
• Email Anti-Virus (Kaspersky and SonicWALL Time Zero)—Provides updates for
Kaspersky anti-virus definitions and SonicWALL Time Zero technology for immediate
protection from new virus outbreaks.
• Email Anti-Virus (SonicWALL Grid A/V and SonicWALL Time Zero)—Provides updates
for SonicWALL Grid anti-virus definitions and SonicWALL Time Zero technology for
immediate protection from new virus outbreaks.
License Table
The following table provides details about the different types of licenses:
Security Service—Name of the Dell SonicWALL Email Security service.
Status—The status may be one of the following:
• Licensed—Service has a regular valid license.
• Free Trial—Service has been using the 14-day free trial license.
• Not Licensed—Service has not been licensed, neither through
a regular license nor through a free trial license.
• Perpetual—The Base Key license comes with the purchase of
the product and is perpetual. Note that the Base Key is the only
perpetual license.
Free Trial—Dell SonicWALL offers the opportunity to try out various services for
a trial period of 14 days.
• Try—This link leads to information about the service, and allows
you to sign up for a free trial license. If a free trial is accepted,
the “Try” option is removed from this column, and the Status
column is updated to “Free Trial”.
Count—Number of users to which the license applies.
Expiration—Expiration date of the service.
• Never—Indicates the license never expires.
• Date—A specific date on which the given service expires.
Administration
The Administration page allows you to change the master account Username and Password.
SonicWALL strongly recommends that you change the master account password from the
default password.
Email Security Master Account
To update your administrator settings, follow the steps listed below:
1. Change your Username by entering the new name in the text box. The Username you
originally registered with appears as the default Username (admin@domain.com).
2. Type the Old Password in the text box.
3. Type a new password in the Password text box.
4. Type the same password in the Confirm Password text box.
5. Click Apply Changes.
Password Policy
This section allows you to configure settings for passwords.
• Require A-Z—Select this option to require that passwords have at least one capital letter.
• Require a-z—Select this option to require that passwords have at least one lowercase
letter.
• Require 0-9—Select this option to require that passwords have at least one digit.
• Require Special—Select this option to require that passwords have at least one special
character.
• Allow OU Admins to change password policy—Select this option to allow Organizational
Unit (OU) administrators to change the password policy.
• Password length—Specify the number of characters required for passwords.
• Change password link expiry—Specify the amount of time users are able to use
passwords for before requiring a change of password.
Invalid Login Policy
The System > Administration > Invalid Login Policy feature allows administrators to
configure a User Lockout feature, which locks out a user account once the configured number
of unsuccessful login attempts is reached. Note that Invalid Login Policy is only available if the
Global Administrator configures this feature for all users.
You can configure the following settings:
• Number of unsuccessful attempts before lockout—Specify the number of invalid
attempts allowed before the user account is locked. The default value is 5, and the value can
range from 0 to 9. If the value is set to 0, the feature is disabled.
• Lockout Interval—This is the amount of time the user account is locked. The user must
wait for this time interval to lapse before being able to log in again; during the interval, no
attempts, correct or incorrect, are allowed. The default value is 15 minutes. The hours value
can range from 0-72 hours, and the minutes value can range from 1-59 minutes.
• Alert administrator when account is locked—Select this checkbox to alert the administrator
with an emergency message about the user account lockout.
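The lockout rules above as a small state machine, added here as an illustration (it is not the product's code). It assumes the account locks on the failure that reaches the configured count and that a successful login clears the counter; the guide states neither, and the event data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5   # guide: default 5, range 0-9, 0 disables the feature
    hours: int = 0          # guide: 0-72
    minutes: int = 15       # guide: 1-59; the default interval is 15 minutes

    def __post_init__(self):
        if not 0 <= self.max_attempts <= 9:
            raise ValueError("attempts must be 0-9")
        if not 0 <= self.hours <= 72:
            raise ValueError("hours must be 0-72")
        if not 1 <= self.minutes <= 59:
            raise ValueError("minutes must be 1-59")

    @property
    def interval_seconds(self):
        return (self.hours * 60 + self.minutes) * 60


class LoginGuard:
    """Counts failed logins per account and enforces the lockout interval."""

    def __init__(self, policy, alert=None):
        self.policy = policy
        self.alert = alert            # optional callable(user, locked_until)
        self._failures = {}
        self._locked_until = {}

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"       # correct or incorrect, nothing is accepted
            del self._locked_until[user]
            self._failures[user] = 0
        if password_ok:
            self._failures[user] = 0  # assumption: success clears the counter
            return "ok"
        if self.policy.max_attempts == 0:
            return "denied"           # feature disabled: failures never lock
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.policy.max_attempts:
            until = now + self.policy.interval_seconds
            self._locked_until[user] = until
            if self.alert:
                self.alert(user, until)
            return "locked"
        return "denied"


def replay(events, policy):
    """Run (time, user, password_ok) events through a guard; return results and alerts."""
    alerts = []
    guard = LoginGuard(policy, alert=lambda user, until: alerts.append((user, until)))
    results = [guard.attempt(user, ok, t) for t, user, ok in events]
    return results, alerts


# Constructed events: five bad passwords, a correct one during the lockout,
# and a correct one at the moment the 15-minute interval has elapsed.
USER = "alice@example.com"
SAMPLE_EVENTS = [(0, USER, False), (10, USER, False), (20, USER, False),
                 (30, USER, False), (40, USER, False),
                 (100, USER, True), (940, USER, True)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, LockoutPolicy()))
```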
Login Custom Text
Enter custom text in the space provided for users to see upon logging in to
Dell SonicWALL Email Security.
Quick Configuration
Most organizations that are using Dell SonicWALL Email Security can configure their system
by using the Quick Configuration window. Note that you must configure the same choices for
message handling for each Dell SonicWALL appliance to use Quick Configuration. For more
complex installations and advanced options, use the appropriate options in the left-hand side
links of the Server Configuration page.
Setting Your Network Architecture
There are different ways to configure and deploy Dell SonicWALL Email Security, and the first
decision to make is the choice of network architecture. See Planning Email Security
Deployment on page 9 for more information on which network architecture is appropriate for
your needs. You must decide whether you are setting up a Split or All in One architecture, as
that choice impacts other configuration options. You can change the architecture later, but if
you do so, you will need to add your mail servers and reset configuration options again.
To configure Dell SonicWALL Email Security as your desired network architecture, navigate to
the System > Network Architecture > Server Configuration page.
Adding an Inbound Mail Server for All in One Architecture
From System > Network Architecture > Server Configuration page, set the server to All in
One configuration by choosing the radio button next to All in One. Then, click Apply.
In the Inbound Email Flow section, click the Add Path button.
Source IP Contacting Path
This section allows you to specify the IP addresses of other systems that are allowed to connect
to and relay through this path. Select from the following:
• Any source IP address is allowed to connect to this path—Use this setting if you want
any sending email server to be able to connect to this path and relay messages. Using this
option could make your server an open relay (see Caution note below).
• Any source IP address is allowed to connect to this path but relaying is allowed only
for specified domains—Use this setting if you want any sending email servers to connect
to this path, but you want to relay messages only to the domains specified. Simply enter
the domains in the space provided, adding one domain per line.
• Only these IP addresses can connect and relay—Use this setting if you know the
sending email server IP addresses and you do not want any other servers to connect.
Separate multiple IP addresses with a comma.
Caution: Dell SonicWALL Email Security strongly recommends against an open relay. Open relays
can reduce the security of your email network and allow malicious users to spoof your email
domain.
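The three Source IP Contacting Path options as a decision model, added as an illustration and not taken from the product: `decide` returns what a path does with a connection under each option, and `audit` flags paths that would relay mail from an arbitrary host to an arbitrary domain. The mode constants, path names, probe address and the `.example` domains are constructed for the example.

```python
import ipaddress

ANY = "any"                  # Any source IP address is allowed to connect to this path
ANY_LIMITED = "any_limited"  # ... but relaying is allowed only for specified domains
ONLY_IPS = "only_ips"        # Only these IP addresses can connect and relay


def parse_ip_list(text):
    """Parse the comma-separated IP field; raises ValueError on a non-address."""
    return {ipaddress.ip_address(p.strip()) for p in text.split(",") if p.strip()}


def parse_domain_list(text):
    """Parse the relay-domain field, one domain per line."""
    return {line.strip().lower().rstrip(".") for line in text.splitlines() if line.strip()}


def decide(mode, source_ip, recipient, domains=frozenset(), ips=frozenset()):
    """Return 'relay', 'reject recipient' or 'refuse connection'."""
    domain = recipient.rpartition("@")[2].lower().rstrip(".")
    if mode == ANY:
        return "relay"
    if mode == ANY_LIMITED:
        return "relay" if domain in domains else "reject recipient"
    if mode == ONLY_IPS:
        return "relay" if ipaddress.ip_address(source_ip) in ips else "refuse connection"
    raise ValueError(f"unknown mode: {mode!r}")


def audit(paths, own_domains, probe_ip="198.51.100.7",
          probe_rcpt="user@elsewhere.example"):
    """Flag paths that relay for an unknown host, or for domains you do not own."""
    own = {d.lower() for d in own_domains}
    findings = []
    for name, cfg in paths.items():
        domains = parse_domain_list(cfg.get("domains", ""))
        ips = parse_ip_list(cfg.get("ips", ""))
        if decide(cfg["mode"], probe_ip, probe_rcpt, domains, ips) == "relay":
            findings.append((name, "relays for any sender to any domain"))
        elif domains - own:
            extra = ", ".join(sorted(domains - own))
            findings.append((name, "review relay domains not in own list: " + extra))
    return findings


# Constructed configuration: one path per option described above.
SAMPLE_PATHS = {
    "inbound-a": {"mode": ANY},
    "inbound-b": {"mode": ANY_LIMITED, "domains": "mycompany.com\npartner.example\n"},
    "inbound-c": {"mode": ONLY_IPS, "ips": "10.1.1.1, 10.1.1.2"},
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_PATHS, ["mycompany.com"]):
        print(f"{name}: {finding}")
```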
Path Listens On
This section allows you to specify the IP addresses and port number on which the path listens
for connections.
• Listen for all IP address on this port—This is the typical setting for most environments,
as the service listens on the specified port using the machine’s default IP address. The
usual port number for incoming email traffic is 25.
• Listen only on this IP address and port—If you have multiple IP addresses configured
on this machine, you can specify which IP address and port number to listen on.
Destination of Path
Destination of path allows you to specify the destination server for all incoming email traffic in
this path:
• This is a Proxy. Pass all email to destination server—This setting configures the path to
act as a proxy and relay messages to a downstream email server. If the downstream server
is unavailable, incoming messages will not be accepted. Enter the host name or IP address
and the port number of the downstream email server.
• This is a Proxy. Route email in Round-Robin or Failover mode to the following
multiple destination servers—This setting configures the path to act as a proxy and relay
messages to a downstream email server. If Round-Robin is selected, email is load-balanced
by sending a portion of the email flow through each server listed in the text box.
If Failover is selected, email is sent to the servers listed in the text box only if the
downstream server is unavailable. Email is queued if all of the servers listed are
unavailable.
• This is an MTA. Route email using SmartHost to destination server—This setting is
similar to the “This is a Proxy. Pass all email to destination” option, except that incoming
messages are accepted and queued if the downstream server is unavailable. In this
instance, this path acts as a SMTP smarthost. With this setting selected, you can also
include Exceptions, specifying which domains should use MX record routing and which
should use the associated IP address or hostname.
• This is an MTA. Route email using SmartHost in Round-Robin or Failover mode to the
following multiple destination servers—This setting is similar to the previous MTA
option, however incoming messages can be routed to multiple servers. If Round-Robin is
selected, email is load-balanced by sending a portion of the email flow through each server
listed in the text box. If Failover is selected, email is sent to the servers listed in the text
box only if the downstream server is unavailable. Email is queued if all of the servers listed
are unavailable.
• This is an MTA. Route email using MX record routing. Queue email if necessary—This
setting routes any mail by standard MX (Mail Exchange) records. Messages can be queued
on disk and will retry transmissions later if the destination SMTP server is not immediately
available.
• This is an MTA. Route email using MX record routing with these exceptions—This
setting routes any mail by standard MX (Mail Exchange) records. However, email
messages sent to the email addresses or domains in the table to the right are routed directly
to the associated IP address or hostname. Messages can be queued on disk and will retry
transmissions later if the destination SMTP server is not immediately available.
Note: You can specify email addresses in addition to domains in this routing table. Also,
hostnames can be specified instead of IP addresses. For example, if you want to route
customer service emails to one downstream server and the rest of the traffic to a different
downstream server, you can specify something like:
service@mycompany.com 10.1.1.1
mycompany.com internal_mailserver.mycompany.com
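How a table like the one above resolves to a next hop, as an added example rather than the product's implementation. It assumes an address entry takes precedence over a domain entry, which is what the customer-service example implies, and it reads MX data from a dictionary of constructed records instead of querying DNS.

```python
def parse_exceptions(table_text):
    """Parse '<address-or-domain> <ip-or-hostname>' lines into a lookup dict."""
    routes = {}
    for lineno, raw in enumerate(table_text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue                      # skip blank lines
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected two fields, got {len(fields)}")
        key, destination = fields[0].lower(), fields[1]
        if key in routes:
            raise ValueError(f"line {lineno}: duplicate entry for {key}")
        routes[key] = destination
    return routes


def next_hop(recipient, routes, mx_records):
    """Return (rule, [hosts]) for one recipient.

    routes:     output of parse_exceptions()
    mx_records: dict of domain -> list of (preference, host); stands in for DNS
    """
    local, at, domain = recipient.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an email address: {recipient!r}")
    address, domain = recipient.lower(), domain.lower()
    if address in routes:                 # assumption: most specific entry wins
        return ("address exception", [routes[address]])
    if domain in routes:
        return ("domain exception", [routes[domain]])
    hosts = [host for _pref, host in sorted(mx_records.get(domain, []))]
    return ("mx", hosts) if hosts else ("no route", [])


# The two table lines are the guide's own example; the MX data is constructed.
SAMPLE_TABLE = """\
service@mycompany.com 10.1.1.1
mycompany.com internal_mailserver.mycompany.com
"""
SAMPLE_MX = {"example.org": [(20, "mx2.example.org"), (10, "mx1.example.org")]}

if __name__ == "__main__":
    table = parse_exceptions(SAMPLE_TABLE)
    for rcpt in ("service@mycompany.com", "bob@mycompany.com", "carol@example.org"):
        print(rcpt, "->", next_hop(rcpt, table, SAMPLE_MX))
```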
Advanced Settings
The following settings are optional.
• Use this text instead of a host name in the SMTP banner—This setting allows you to
customize the host name of the server that appears in the heading of the email messages
relayed through this path. By default, the host name is used.
• Action for messages sent to email addresses that not in your LDAP server—This
setting allows you to designate a port for messages from email recipients who are not listed
in your LDAP server.
• Reserve the following port—This setting is for any miscellaneous internal “localhost to
localhost” communication between Email Security components.
• Enable StartTLS on this path—Select this check box if you want a secure internet
connection for email. Dell SonicWALL Email Security uses Transport Layer Security (TLS)
to provide the secure internet connection. When StartTLS is enabled, email can be sent
and received over a secure socket. The source and destination email addresses and the
entire message contents are all encrypted during transfer.
When finished configuring settings, click Apply to add an inbound path for this All in One
server. The newly configured path will display in the Inbound Email Flow section.
Test Mail Servers
To test the inbound mail servers, click the Test Mail Servers button. A pop-up window will
display with the test result status of the inbound mail servers.
Adding an Outbound Mail Server for All in One Architecture
From System > Network Architecture > Server Configuration page, set the server to All in
One configuration by choosing the radio button next to All in One.
Then, click the Add Path button in the Outbound Email Flow section.
Source IP Contacting Path
This section allows you to specify the IP addresses of other systems that are allowed to connect
to and relay outgoing mail. Select from the following:
• Any source IP address is allowed to connect to this path—Use this setting if you want
any sending email server to be able to connect to this path and relay messages. Using this
option could make your server an open relay.
Caution: You need to use this setting if you configure your Dell SonicWALL Email Security
installation to listen for both inbound and outbound email traffic on the same IP address on
port 25.
• Only these IP addresses can connect and relay through this path—Use this setting if
you know the sending email server IP addresses and you do not want any other servers to
connect. Separate multiple IP addresses with a comma.
Note: If your configuration is running in Split mode, and this path is on a remote analyzer, the
control center must be able to connect and relay through this path.
Path Listens On
This section allows you to specify the IP addresses and port number on which this path listens
for connections.
• Listen for all IP address on this port—This is the typical setting for most environments, as
the service listens on the specified port using the machine’s default IP address. The default
port is 25.
• Listen only on this IP address and port—If you have multiple IP addresses configured on
this machine, you can specify which IP address and port number to listen on.
Destination of Path
Destination of path allows you to choose whether to make a path through the
Dell SonicWALL Email Security, or through one of the following:
• If Round robin is specified, email will be load-balanced by sending a portion of the email
flow through each of the servers specified in the text box in round-robin order. All of the
servers will process email all the time.
• If Fail over is specified, the first server listed will handle all email processing under normal
operation. If the first server cannot be reached, email will be routed through the second
server. If the second server cannot be reached, email will be routed through the third server,
and so on.
• MTA with MX record routing - This setting configures this path to route messages by
standard MX (Mail Exchange) records. To use this option, your DNS server must be
configured to specify the MX records of your internal mail servers that need to receive the
email.
• MTA with MX record routing (with exceptions) - This setting configures this path to route
messages by standard MX (Mail Exchange) records, except for the specified domains. For
the specified domains, route messages directly to the listed IP address.
This section allows you to specify the destination server for incoming email traffic in this path.
• This is a Proxy. Pass all email to destination server—This setting configures the path to
act as a proxy and relay messages to an upstream MTA. If the upstream server is
unavailable, outgoing messages will not be accepted or queued.
• This is an MTA. Route email using SmartHost to destination server—This setting is
similar to the “This is a Proxy. Pass all email to destination” option, except that outgoing
messages are accepted and queued if the upstream MTA is unavailable.
• This is an MTA. Route email using SmartHost in Round-Robin or Failover mode to the
following multiple destination servers—This setting is similar to the previous MTA
option, however outgoing messages can be routed to multiple upstream MTAs. If
Round-Robin is selected, email is load-balanced by sending a portion of the email flow through
each MTA listed in the text box. If Failover is selected, email is sent to the MTAs listed in
the text box only if the upstream MTA is unavailable. Email is queued if all of the MTAs
listed are unavailable.
• This is an MTA. Route email using MX record routing. Queue email if necessary—This
setting routes any outbound email messages by standard MX (Mail Exchange) records.
• This is an MTA. Route email using MX record routing with these exceptions—This
setting routes any outbound email messages by standard MX (Mail Exchange) records.
However, email messages sent to the email addresses or domains in the table to the right
are routed directly to the associated IP address or hostname. Messages are queued if
necessary.
Advanced Settings
The following settings are optional.
• Use this text instead of a host name in the SMTP banner—This setting allows you to
customize the host name of the server that appears in the heading of the email messages
relayed through this path. By default, the host name is used.
• Reserve the following port—This setting allows you to designate a port for miscellaneous
“localhost to localhost” communication between components.
• Enable StartTLS on this path—Select this check box if you want a secure internet
connection for email. Dell SonicWALL Email Security uses Transport Layer Security (TLS)
to provide the secure internet connection. Click the Configure StartTLS button to configure
encrypted email communications.
When finished configuring settings, click Apply to add an outbound path for this All in One
server.
Test Mail Servers
To test the inbound mail servers, click the Test Mail Servers button. A pop-up window will
display with the test result status of the inbound mail servers.
Adding a Server for Split Architecture
Navigate to the System > Network Architecture > Server Configuration page. Then,
complete the following to add a server for Split Architecture.
1. Set the server to Split configuration by choosing the radio button next to Split.
2. Next, select whether the server is the Remote Analyzer or Control Center.
If you selected Control Center, select all that apply to the machine (Main Control Center,
Search Engine Server, or Reporting Server).
3. Click Apply.
Adding a Remote Analyzer
Remember that you must add one or more Remote Analyzers to a Split Configuration. Remote
Analyzers can process inbound messages, outbound messages, or both.
1. Click the Add Path button in the Server Configuration - Remote Analyzer section.
2. Enter the Remote Analyzer’s hostname or IP address.
3. Enter the Remote Analyzer Server Address Port number.
4. If your network requires SSL, check the Requires SSL checkbox.
5. Click the Add button.
Note: If there is a high volume of network traffic, it might take some time before the new Remote
Analyzer is displayed in the System > Network Architecture > Server Configuration
window.
Any changes you make at the Control Center are propagated to the Remote Analyzers you just
added. You can monitor their status on the Reports page as well.
Adding a Control Center
1. Click Add Path in the Control Center section of the Server Configuration window.
2. Enter the Control Center Hostname.
3. If feasible, use the default port number. If not, enter a new Control Center Server Address
Port Number.
4. Click Add.
Configuring Inbound Email Flow for a Remote Analyzer
While logged into the Control Center, click the Add Path button next to the Inbound Remote
Analyzer. An Add Inbound Path window appears. Follow the instructions in Adding an Inbound
Mail Server for All in One Architecture on page 21.
Configuring Outbound Email Flow for a Remote Analyzer
While logged into the Control Center, click the Add Path button next to the Outbound Remote
Analyzer. An Add Outbound Path window appears. Follow the instructions in Adding an
Outbound Mail Server for All in One Architecture on page 25. Make sure that the Control Center
can connect and relay email messages through this path (step 1 in the Add Outbound Path
dialog).
Configuring Remote Analyzers to Communicate with Control Centers
After you have set up the Control Center, configure each Remote Analyzer so that it can
communicate with its Control Center.
1. Log in to each server set up as a Remote Analyzer.
2. From the Server Configuration > Control Center section, click the Add Path button to
identify from which Control Center this Remote Analyzer will accept instructions.
3. Enter the hostname of your Control Center. If your Control Center is a cluster, you must
add each individual hostname as a valid Control Center.
Note: If your Control Center is a cluster, add each individual hostname as a valid Control Center
by repeating steps 2-3.
Deleting a Remote Analyzer from a Split Configuration
Before deleting a Remote Analyzer, ensure there are no messages in the queue for quarantine:
1. Stop SMTP traffic to the Remote Analyzer by turning off the Email Security Service. Click
Control Panel > Administrative Tools > Services > MlfASG Software > Stop.
2. After a few minutes, view the last entry in the mfe log on the Remote Analyzer log.
3. View the mfe log in the Control Center logs directory to ensure the last entry in the mfe log
for the Remote Analyzer is there.
Turn off the ability of the associated email server to send mail to this Remote Analyzer, and/or
point the associated email server to another installed and configured Remote Analyzer.
Testing the Mail Servers
Click the Test Mail Servers button. Email Security displays a window that indicates either a
successful test or an unsuccessful test.
Note It takes 15 seconds for the Dell SonicWALL Email Security to refresh its settings. If the first
test fails, try the test again.
Changing from an All in One Configuration to a Split Configuration
There are only two situations that warrant changing your configuration:
• You are a current Dell SonicWALL Email Security customer running All in One architecture
and want to upgrade to a Split Network configuration.
• You are a new customer and have incorrectly configured for All in One architecture and you
want to configure for Split Network.
Configuring MTA
Navigate to the System > Network Architecture > MTA Configuration screen to configure
the Mail Transfer Agent (MTA) settings. You can specify how the MTA will handle a case in
which Email Security is unable to deliver a message right away. Note that most installations will
not require any change to the MTA settings.
Mail Transfer Agent Settings
This section allows you to configure the Retry and Bounce intervals for the Mail Transfer Agent.
Delivery
Messages are bounced if the recipient domain returns a permanent failure (5xx error code).
In the case of transient failures (4xx error codes, indicating a delay), the MTA will retry delivery
of the message periodically based on the schedule specified in the Retry interval field.
Delayed messages that cannot be delivered within the time period specified in the Bounce
after field will be bounced; no further attempts will be made to deliver them. Choose to Ignore
8-bit Mime encoded content by selecting the Off or On radio button. Click Save when finished
configuring the Mail Transfer Agent Settings.
Non-Delivery Reports (NDR)
When an email cannot be sent due to either a transient delay or a permanent failure, the sender
may receive a notification email, or a Non-Delivery Report (NDR), describing the failure.
Administrators can use this pane to customize the schedule and contents of those notification
emails.
Transient Failure Settings
To enable Transient NDR, select the Send NDR for transient failures check box. Specify the
interval (days, hours, minutes) at which notifications are sent, the email address and sender
name (for example, “ericsmith@example.com” and “Eric Smith”), a customized subject line for
the NDR (for example, “Delay in sending your email”), and a customized body for the NDR.
Permanent Failure Settings
Enter an email address and a name from which NDRs will be sent (for example,
“ericsmith@example.com” and “Eric Smith”), a customized subject line for the NDR (for
example, “Your email could not be sent”), and a customized body for the NDR. Note that
Permanent Failure Settings cannot be disabled.
General Settings
All NDRs include a diagnostic report about the problem that prevented delivery, including the
headers of the original message. Permanent NDRs may optionally have the contents of the
original message attached. To enable the option to Attach original message to the NDR,
select the check box.
When finished configuring this section, click Save.
Customized Fields
Certain fields in the subject line, body, and sender of the DSN can be specified by the
administrator:
• $subject—the subject of the original email
• $hostname—the hostname from which the NDR is sent
• $originator—the sender of the original email
• $recipient—the intended recipient of the original email
• $timeQueued—the time at which the original email was queued
• $date—the current date
• $retryAfter—the interval at which delivery of delayed emails is retried
• $bounceAfter—the time after which delivery attempts will cease for delayed emails
Example Sender—postmaster@$hostname
Example Subject—Delivery Status Notification (re: $subject)
Example Body—Your email from $originator regarding $subject has bounced. It was sent on
$timeQueued to $recipient. No further attempts at delivery will be made. Have a nice day!
Note Some mail servers, such as Microsoft Exchange, may send their own NDRs or rewrite the
contents of NDRs sent from other products. Please see the Administrator's Guide for
information on integrating this product's NDR functionality with Microsoft Exchange.
Email Address Rewriting
Use this dialog to rewrite email addresses for inbound or outbound emails. These operations
affect only the email envelope (the RFC 2821 fields); the email headers are not affected in any
way. For inbound email, the “To” field (the RCPT TO field) is rewritten. For outbound email, the
“From” field (the MAIL FROM field) is rewritten. Select the Inbound or Outbound tab, then click
the Add New Rewrite Operation button.
• Enable this Rewrite Operation—Select this check box to enable the new rewrite
operation.
• Type of Operation—Enter the text that triggers the rewrite operation in the Original RCPT
TO envelope address text field. For example, if you want to rewrite a domain from
corp.example.net, enter corp.example.com in this section.
The following operations are possible:
– If Exact Match is selected, the operation is triggered by the exact email address
(including the domain). The full email address is rewritten. For example, an email sent
to billy@corp.example.com could be rewritten so that the address is
mandy@example.net.
– If Starts With is selected, the operation is triggered when the starting characters of the
full email address (including the domain) match the characters specified. The entire
email address including the domain is replaced. For example, if the operation is
intended to be triggered by email addresses that start with billy@corp, an email sent to
billy@corp.example.net could be rewritten so that the address was
mandy@sales.example.com.
– If Ends With is selected, the operation is triggered when the ending characters of the
full email address (including the domain) match the characters specified. The entire
email address including the domain is replaced. For example, if the operation is
intended to be triggered by email addresses that end with .com, an email sent to
billy@example.com could be rewritten so that the address was
mandy@corp.example.net.
– If Domain is selected, the operation is triggered by a particular email domain. The
operation rewrites only the domain portion of the email address. For example, an email
sent to joe@corp.example.com could be rewritten so that the address is
joe@example.net. If an asterisk, *, is entered, all domains are matched, and the rewrite
operation will be triggered by any domain.
– If LDAP Rewrite to Primary is selected, the operation is applied to every inbound
email. The operation rewrites the entire email address to be the primary mail attribute
in LDAP. For example, an email sent to joe@corp.example.com could be rewritten so
that the address is joe@example.com.
– If LDAP Email List Expansion is selected, the operation is triggered by the email list
you select. Click the Select Email List button to choose an email list to expand. This
operation replaces the email list in the envelope with a RCPT TO header for each
member of the list. For example, an email sent to sysadmins@corp.example.com could
be rewritten so that the addresses in the envelope are joe@example.com,
sue@example.com, and malcom@example.com.
• Perform the following actions—Enter the text that triggers the rewrite operation in the
Rewrite entire RCPT TO envelope address to be text field. For example, if you want to
rewrite a domain from example.com to be example.net, enter example.net here.
• Name of Rewrite Operation—Enter a descriptive name for the operation you are creating
here.
When finished configuring the Email Address Rewrite Option, click the Save This Rewrite
Operation button. The new operation appears on the respective Inbound or Outbound tab.
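The match types above can be previewed against sample envelope addresses before a rule is saved. The following Python model is an added example, not Dell SonicWALL code: it covers Exact Match, Starts With, Ends With and Domain as this section describes them, and the rule field names, case-insensitive matching and first-match-wins ordering are assumptions. The LDAP operations are left out because they depend on directory contents.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RewriteRule:
    """Hypothetical representation of one rewrite operation."""
    name: str
    kind: str          # "exact", "starts_with", "ends_with" or "domain"
    trigger: str       # text that triggers the operation
    replacement: str   # full address, or a domain when kind == "domain"
    enabled: bool = True


def apply_rule(rule, address):
    """Return the rewritten envelope address, or None if the rule does not fire."""
    if not rule.enabled:
        return None
    addr = address.lower()      # assumption: matching ignores case
    trig = rule.trigger.lower()
    if rule.kind == "exact":
        return rule.replacement if addr == trig else None
    if rule.kind == "starts_with":
        return rule.replacement if addr.startswith(trig) else None
    if rule.kind == "ends_with":
        return rule.replacement if addr.endswith(trig) else None
    if rule.kind == "domain":
        local, sep, domain = address.rpartition("@")
        if not sep:
            return None
        # "*" matches every domain; only the domain part is rewritten.
        if trig == "*" or domain.lower() == trig:
            return f"{local}@{rule.replacement}"
        return None
    raise ValueError(f"unknown rule kind: {rule.kind}")


def rewrite(rules, address):
    """Apply the first enabled rule that fires (assumed ordering)."""
    for rule in rules:
        result = apply_rule(rule, address)
        if result is not None:
            return result, rule.name
    return address, None


def audit(rules, sample_recipients):
    """Report rules that send more than one sample recipient to the same address."""
    grouped = {}
    for rcpt in sample_recipients:
        final, rule_name = rewrite(rules, rcpt)
        if rule_name is not None:
            grouped.setdefault((rule_name, final), []).append(rcpt)
    return {key: rcpts for key, rcpts in grouped.items() if len(rcpts) > 1}


# Rules built from the examples in this section (rule names are constructed).
RULES = [
    RewriteRule("exact-billy", "exact", "billy@corp.example.com", "mandy@example.net"),
    RewriteRule("starts-billy-corp", "starts_with", "billy@corp", "mandy@sales.example.com"),
    RewriteRule("domain-corp", "domain", "corp.example.com", "example.net"),
    RewriteRule("ends-with-com", "ends_with", ".com", "mandy@corp.example.net"),
]

# Constructed sample recipients.
SAMPLE_RECIPIENTS = [
    "billy@corp.example.com", "billy@corp.example.net", "joe@corp.example.com",
    "sue@example.com", "ann@partner.com", "bob@example.org",
]

if __name__ == "__main__":
    for rcpt in SAMPLE_RECIPIENTS:
        print(rcpt, "->", rewrite(RULES, rcpt))
    print("collapsing rules:", audit(RULES, SAMPLE_RECIPIENTS))
```

Running `audit` on a list of real recipient addresses shows when a broad Starts With or Ends With trigger would redirect unrelated mailboxes to one address.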
Trusted Networks
When the Email Security receives email messages from an upstream server that uses a
non-reserved or public IP address, the GRID Network effectiveness may degrade. To avoid this
degradation on the GRID Network, users can put public IP addresses on a “privatized” list.
To add IP addresses to a Trusted Network, click the Add Server button. In the box that
displays, type in the IP addresses you want to add, then click Save. The IP addresses appear
on the Server List.
LDAP Configuration
Dell SonicWALL Email Security uses Lightweight Directory Access Protocol (LDAP) to
integrate with your organization’s email environment. LDAP is an Internet protocol that email
programs use to look up users’ contact information from a server. As users and email
distribution lists are defined in your mail server, this information is automatically reflected in
Email Security in real time.
Many enterprise networks use directory servers like Active Directory or Lotus Domino to
manage user information. These directory servers support LDAP, and Email Security can
automatically get user information from these directories using LDAP. You can run
Dell SonicWALL Email Security without access to an LDAP server as well. If your organization
does not use a directory server, users cannot access their Junk Boxes, and all inbound email
is managed by the message-management settings defined by the administrator.
Dell SonicWALL Email Security uses the following data from your mail environment:
• Login Name and Password
When a user attempts to log into the Email Security server, their login name and password
are verified against the mail server using LDAP authentication. Therefore, changes made
to the usernames and passwords are automatically uploaded to
Dell SonicWALL Email Security in real time.
• Multiple Email Aliases
If your organization allows users to have multiple email aliases, Email Security ensures any
individual settings defined for the user extend to all the user’s email aliases. This means
that junk sent to those aliases aggregates into the same folder.
• Email Groups or Distribution Lists
Email groups or distribution lists in your organization are imported into
Dell SonicWALL Email Security. You can manage the settings for the distribution list in the
same way as a user’s settings.
LDAP groups allow you to assign roles to user groups and set spam-blocking options for user
groups.
Configuring LDAP
Navigate to the System > LDAP Configuration screen to configure your Email Security
solution for username and password authentication for all employees in the enterprise.
Dell SonicWALL recommends completing the LDAP configuration to get the complete list of
users who are allowed to log in to their Junk Box. If a user does not appear in the User list in
the User & Group screen, their email will be filtered, but they cannot view their personal Junk
Box or change default message management settings.
Enter the server information and login information to test the connection to the LDAP server.
1. Click the Add Server button to add a new LDAP Server. Configuring the LDAP server is
essential to enabling per-user access and management. These settings are limited
according to the preferences set in the User Management pane. See the User View Setup
on page 42 for details.
2. The following checkboxes appear under the Settings section:
– Show Enhanced LDAP Mappings fields—Select this option for Enhanced LDAP, or
LDAP Redundancy. You will have to specify the Secondary Server IP address and Port
number.
– Auto-fill LDAP Query fields when saving configurations—Select this option to
automatically fill the LDAP Query fields upon saving.
3. Enter the following information under the LDAP Server Configuration section:
– Friendly Name—The friendly name for your LDAP server.
– Primary Server Name or IP address—The DNS name or IP address of your LDAP
server. (Configuration checklist parameter M)
– Port number—The TCP port running the LDAP service. The default LDAP port is 389.
(Configuration checklist parameter N)
– LDAP server type—Choose the appropriate type of LDAP server from the dropdown
list.
– LDAP page size—Specify the maximum page size to be queried. The default size is
100.
– Requires SSL—Select this check box if your server requires a secured connection.
– Allow LDAP referrals—Leaving this option unchecked will disable LDAP referrals and
speed up logins. You may select this option if your organization has multiple LDAP
servers in which the LDAP server can delegate parts of a request for information to
other LDAP servers that may have more information.
4. In the Authentication Method section, specify if the LDAP login method for your server is
by Anonymous Bind or Login. Specify the Login name and Password. This may be a
regular user on the network, and typically does not have to be a network administrator.
Note Some LDAP servers allow any user to acquire a list of valid email addresses. This state of
allowing full access to anybody who asks is called Anonymous Bind. In contrast to
Anonymous Bind, most LDAP servers, such as Microsoft's Active Directory, require a valid
username/password in order to get the list of valid email addresses. (Configuration checklist
parameter O and P)
5. Click the Test LDAP Login button.
A successful test indicates a simple connection was made to the LDAP server. If you are
using anonymous bind access, be aware that even if the connection is successful,
anonymous bind privileges might not be high enough to retrieve the data required by
Dell SonicWALL Email Security.
6. Click Save Changes.
LDAP Query Panel
To access the LDAP Query Panel settings window, click the Friendly Name link or the Edit
button of the server you wish to configure. If the “Auto-fill LDAP Query Fields” checkbox is
selected in the Settings section, the following fields will be automatically filled in with default
values after the basic configuration steps are completed.
Configuring Query Information for LDAP Users
1. Enter values for the following fields:
– Directory node to begin search—The node of the LDAP directory to start a search for
users. (Configuration checklist parameter Q).
– Filter—The LDAP filter used to retrieve users from the directory.
– User login name attribute—The LDAP attribute that corresponds to the user ID.
– Email alias attribute—The LDAP attribute that corresponds to email aliases.
– Use SMTP addresses only—Select the checkbox to enable the use of SMTP
addresses.
2. Click the Test User Query button to verify that the configuration is correct.
3. Click Save Changes to save and apply all changes made.
Note Click the Auto-fill User Fields button to have Dell SonicWALL Email Security automatically
complete the remainder of this section.
Configuring LDAP Settings for Groups
1. Enter values for the following fields:
– Directory node to begin search—The node of the LDAP directory to start a search for
users. (Configuration checklist parameter Q).
– Filter—The LDAP filter used to retrieve groups from the directory.
– Group name attribute—The LDAP attribute that corresponds to group names.
– Group members attribute—The LDAP attribute that corresponds to group members.
– User member attribute—The LDAP attribute inside each user's entry in LDAP that lists
the groups or mailing lists that this user is a member of.
2. Click the Test User Query button to verify that the configuration is correct.
3. Click Save Changes to save and apply all changes made.
Note Click the Auto-fill Group Fields button to have Dell SonicWALL Email Security
automatically complete the remainder of this section.
If you have a large number of user mailboxes, applying these changes could take several
minutes.
Add LDAP Mappings
On some LDAP servers, such as Lotus Domino, some valid addresses do not appear in LDAP.
Use this section with LDAP servers that only store the “local” or “user” portion of the email
addresses. Click the View Rules button. The LDAP Mappings screen displays:
Domain Mappings
• Domain—Choose this option from the first dropdown menu to add additional mappings
from one domain to another.
• Replace with—If this option is chosen from the second dropdown menu, then the domain
is replaced. For example, if the Domain is “engr.corp.com” then Replaced with “corp.com”,
then mail addressed to “anybody@engr.corp.com” is instead sent to “anybody@corp.com”.
• Also add—If this option is chosen from the second dropdown menu, then when the first
domain is found, the second domain is added to the list of valid domains. For example, if
“engr.corp.com” is the first domain and “sales.corps.com” is the second, then when the
domain “engr.corp.com” is found in the list of valid LDAP domains, then “sales.corps.com”
is also added to that list.
Character Substitutions
• Left hand side character is—Choose this option from the first dropdown menu to add
character substitution mappings.
• Replace with—If this option is chosen from the second dropdown menu, then the character
is replaced in all characters to the left of the “@” sign in the email address. For example, if
the space character, “ ”, is the first character, and the “-” is the second character, then an
email addressed to “Colin Brown@corp.com” would be sent to “Colin-Brown@corp.com”.
• Also add—If this option is chosen from the second dropdown menu, then a second email
address is added to the list of valid email addresses. For example, if “-” is the first character,
and “.” is the second character, then if “Obi-W-Kenobi@corp.com” is a valid email address,
the address “Obi.W.Kenobi@corp.com” would also be considered a valid email address.
Note This screen does not make changes to your LDAP system or rewrite any email addresses;
it only makes changes to the way Dell SonicWALL Email Security interprets certain email
addresses.
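Because “Also add” mappings widen the set of addresses treated as valid, it helps to list what a mapping adds before saving it. The following Python sketch is an added example, not product code: it models the four mapping types as this section describes them, and the function names, the dict-based mapping format and case-insensitive comparison are assumptions.

```python
def _split(address):
    """Split an address into lower-cased local part and domain."""
    local, _, domain = address.strip().rpartition("@")
    return local.lower(), domain.lower()


def interpret(address, domain_replace=None, char_replace=None):
    """Apply the 'Replace with' mappings to an incoming address before lookup."""
    local, domain = _split(address)
    for old, new in (char_replace or {}).items():
        local = local.replace(old, new)      # left of the "@" only
    domain = (domain_replace or {}).get(domain, domain).lower()
    return f"{local}@{domain}"


def expand_valid(ldap_addresses, domain_also_add=None, char_also_add=None):
    """Apply the 'Also add' mappings to the address list read from LDAP."""
    domain_also_add = domain_also_add or {}
    char_also_add = char_also_add or {}
    valid = set()
    for address in ldap_addresses:
        local, domain = _split(address)
        locals_ = {local}
        for old, new in char_also_add.items():
            locals_ |= {name.replace(old, new) for name in locals_}
        domains = {domain}
        if domain in domain_also_add:
            domains.add(domain_also_add[domain].lower())
        valid |= {f"{name}@{dom}" for name in locals_ for dom in domains}
    return valid


def is_valid_recipient(address, ldap_addresses, *, domain_replace=None,
                       domain_also_add=None, char_replace=None, char_also_add=None):
    """True if the interpreted address is in the (expanded) valid set."""
    valid = expand_valid(ldap_addresses, domain_also_add, char_also_add)
    return interpret(address, domain_replace, char_replace) in valid


def added_by_mappings(ldap_addresses, domain_also_add=None, char_also_add=None):
    """Addresses that are valid only because of 'Also add' mappings."""
    original = {"@".join(_split(a)) for a in ldap_addresses}
    return sorted(expand_valid(ldap_addresses, domain_also_add, char_also_add) - original)


# Constructed directory contents, using the addresses from the examples above.
LDAP_ADDRESSES = [
    "Colin-Brown@corp.com", "Obi-W-Kenobi@corp.com",
    "anybody@corp.com", "lee@engr.corp.com",
]

if __name__ == "__main__":
    print(added_by_mappings(LDAP_ADDRESSES,
                            domain_also_add={"engr.corp.com": "sales.corps.com"},
                            char_also_add={"-": "."}))
```

Note that a character “Also add” mapping applies to every address containing that character, so the example adds a dotted form of Colin-Brown as well as of Obi-W-Kenobi.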
Multiple LDAP Server Support
Dell SonicWALL Email Security allows administrators to set different filters and rules for each
LDAP server. In very large organizations, multiple LDAP servers can feed one Email Security
instance.
The following table describes the actions that can be taken on a group, domain, or global level.

Function                              Domain/OU   LDAP Group   Global
Directory Harvest Attack prevention   Y           -            Y
Policy                                Y           Y            Y
Reporting                             Y           -            Y
Roles                                 -           Y            Y
Settings                              Y*          Y            Y
Configuring Email Security for Multiple LDAP Servers
The LDAP configuration page allows administrators to configure more than one LDAP server.
All LDAP servers are listed. For each LDAP server, you can edit or delete it without affecting
the connection of other LDAP servers. To add an LDAP server:
1. Log in as the Email Security administrator.
2. Click System and then LDAP Configuration.
3. Click the Add Server button.
4. Fill in the connection information for the LDAP server you wish to add. Be sure to give it a
unique friendly name so that you can easily identify it in the list of servers.
5. When you are finished, click Save Changes. Use the test button to confirm that the LDAP
server is properly connected and configured.
Administering Multi-LDAP Environments
Administrators must log into a specific domain unless they are the
Dell SonicWALL Email Security administrator. Once a domain administrator is logged in, he or
she can modify the Email Security settings for the domain, including the anti-spam settings. The
Email Security administrator can see all the LDAP servers attached to
Dell SonicWALL Email Security. This administrator logs in with no domain specified.
Editing LDAP Connection Information
The Email Security administrator configures multiple domains. To edit the settings of an
existing LDAP server:
1. Log in as the Email Security administrator.
2. Navigate to the System > LDAP Configuration page.
3. Click the server name link or the Edit (pencil) button associated with the friendly name of
the LDAP server you want to change.
4. Edit the details of the LDAP server using the information you have collected.
5. In the Global Configurations section, you can enter aliases for your pseudo-domains. In
this example, the administrator can configure aliases (on the right side) to correspond with
the pseudo-domain. Aliases must be unique and can consist of lowercase alpha-numeric
characters and underscores. Aliases are separated by commas. If you set an alias to the
domain name, users can log in using their email address.
6. In the Settings subsection, choose whether you want the domains to appear in the login
dropdown box. If this box is checked, all users will be able to see all domains. If it remains
unchecked, users must log in with their fully-qualified login, such as user@sonicwall.com.
You can also choose how often SonicWALL ES refreshes the LDAP usermap.
7. When you are done, click Apply Changes and use the test button to confirm that the LDAP
server is properly connected and configured.
User View Setup
Configure how the end users of the Email Security solution access the system and what
capabilities of the solution are exposed to the end users on the System > User View Setup
page.
To set up System > User View Setup, follow the procedures below:
1. Select which items appear in the User Navigation Toolbar:
– Select the Login enabled checkbox to allow users to log into Email Security and have
access to their per-user Junk Box. If you disable this, mail will still be analyzed and
quarantined, but users will not have access to their Junk Box.
– Select the Anti-Spam Techniques checkbox to include the user-configurable options
available for blocking spam emails. Users can customize the categories People,
Companies, and Lists into their personal Allowed and Blocked lists. You can choose to
grant users full control over these settings by selecting the Full user control over
anti-spam aggressiveness settings checkbox, or force them to accept the corporate
aggressiveness defaults by leaving the checkbox empty.
– Select the Reports checkbox to provide junk email blocking information about your
organization. Even if this option is checked, users may view only a small subset of the
reports available to administrators.
– Select the Settings checkbox to provide options for management of the user's Junk
Box, including individual Spam Management.
2. Determine the User Download Settings:
– With the Allow users to download SonicWALL Junk Button for Outlook checkbox
selected, users will be able to download the Email Security Junk Button for Outlook.
The Junk Button is a lightweight plugin for Microsoft Outlook. It allows users to mark
emails they receive as junk, but does not filter email.
– With the Allow users to download SonicWALL Anti-Spam Desktop for Outlook and
Outlook Express checkbox selected, users will be able to download the Anti-Spam
Desktop. Anti-Spam Desktop is a plugin for Microsoft Outlook and Outlook Express that
filters spam and allows users to mark emails they receive as junk or good email.
3. Determine the settings for Quarantined Junk Mail Preview Settings:
– Select the Users can preview their own quarantined junk mail checkbox to enable
users to view their individual mail that is junked.
– Choose which other types of users can preview quarantined junk mail. These roles are
configured within Dell SonicWALL Email Security.
4. Users are not usually shown reports which include information about users, such as email
addresses. Select the Reports view settings checkbox to give users access to those
reports.
5. Determine the Miscellaneous Settings:
– Enter an Optional login help URL. An administrator can specify a URL for any
customized help web page for users to view on the Login screen. If no URL is entered,
Email Security provides a default login help screen. If a URL is entered, that page is
launched when the user clicks the Login Help link.
– Select the Show Forgot Your Password Link checkbox to enable this feature for
users.
6. Click Apply Changes.
Updates
Dell SonicWALL Email Security uses collaborative techniques as one of many tools to block
junk messages. The collaborative database incorporates thumbprints of junked email from
Dell SonicWALL Anti-Spam Desktop and users. Your server uses the HTTP protocol to
communicate with a data center hosted by us to download data used to block spam, phishing,
viruses, and other evolving threats.
Navigate to the System > Updates page to configure settings for updates to the Email Security
service.
General Settings
Check for Spam, Phishing, and Virus Blocking Updates
Select how often your Dell SonicWALL Email Security appliance contacts the data center to
check for updates. The recommended frequency is 20 minutes. Setting this value too low
generates unnecessary HTTP traffic, may adversely affect the performance of your
Email Security appliance or software, and will not improve junk blocking effectiveness. Setting
this value too high may result in less frequent updates, also causing junk blocking to be
less effective.
Submit Unjunk Thumbprints
This is an optional checkbox that submits thumbprints to the data center when a user unjunks
a message. Thumbprints sent from the Dell SonicWALL Email Security appliance or software
contribute to the collaborative community by improving junk-blocking accuracy. Note that
these thumbprints contain no readable information.
Submit Generic Spam Blocking Data
This is an optional checkbox that sends generic spam-blocking data to the data center to assist
in customer support and to help improve spam blocking. No emails, email content, header
information, or any other uniquely identifiable information is ever sent.
Web Proxy Configuration
When your server contacts the data center to download data, it uses the HTTP protocol. If your
organization routes HTTP traffic through a proxy, you can specify the proxy server in this
section.
If your organization routes HTTP traffic through a proxy which requires basic authentication,
enter the Username and Password to configure the Email Security solution to authenticate
with the HTTP proxy server automatically.
When finished configuring the Updates settings, click the Apply Changes button.
Test Connectivity
Click the Test Connectivity button to verify if you are successfully connected to the Data
Center.
Monitoring
The System > Monitoring screen allows you to configure system monitoring settings and
alerts. Note that some of these fields may be pre-defined based on the information provided
upon initial setup of the Dell SonicWALL Email Security.
The Monitoring page is also used to set up the postmaster for the MTA. If Email Security has
been configured to be an MTA, enter the email address to which postmaster notifications
generated by the MTA should be sent. Notifications are not sent more than once every ten
minutes.
If you are running Dell SonicWALL Email Security in split mode, and you route outbound email
through the Email Security, you must enter the IP addresses or fully-qualified domain names of
any Remote Analyzers through which outbound email is routed in this text box on the Control
Center.
Configure System Monitoring
The following settings are available for configuration:
• Email address of the administrator who receives emergency alerts—The email
address of the mail server administrator. Enter the complete email address. For example,
user@example.com.
• Email address of administrator who receives outbound quarantine notifications—The email
address of the administrator who receives notifications when an outbound message has
been quarantined. Notifications are not sent more than once every ten minutes. If this field
is left blank, notifications are not sent.
• Postmaster for the MTA—The email address that receives notifications generated by the
MTA.
• Name or IP address of backup SMTP servers—Enter the name or IP address of one or
more SMTP servers that can be used as fallback servers to send alerts to if the configured
downstream email server(s) cannot be contacted. For example, mail2.example.com or
10.100.0.1.
• Customized Signature—Enter a signature to append at the end of your email messages.
• View Alerts—Click this button to view all configured alerts. See Viewing Alerts on page 47
for more information.
• Test Fallbacks—Click this button to test the name or IP address(es) listed as backup
SMTP servers.
Viewing Alerts
Under the Configuring System Monitoring section of the System > Monitoring page, you can
also click the View Alerts button to see the Alert history for a specific Host.
Alerts in Email Security provide the following details:
• A time stamp
– In local time
– In GMT
• The severity of the alert, which is one of the following:
– Info
– Warning
– Critical
• The domain to which the alert applies
• A summary of the alert
• Details that include the following:
– Host Name
– Two to three lines of description of an alert or trigger
– A trigger message if available
If available, the alert will also include the following:
• Recommended action with possible suggestions on a next step
• An alerts configuration page
• General alert settings
You may apply a severity filter to better assist you in viewing the alerts. Select the checkbox(es)
for the alerts you want to view, then click Apply Filter.
Alert Suppression Schedule
To turn off alerts during a product maintenance window, suppress alerts for a short period of
time by clicking the Schedule Alert Suppression button.
1. Select from the dropdown list which host you want to Suppress Alert for.
2. Select severity of alerts to suppress from the dropdown list. The following options are
available: Info Alerts, Info + Warning Alerts, and Info + Warning + Critical Alerts.
3. Set the Start time and End time.
4. Enter Your name.
5. Enter the Reason for suppressing alerts.
6. Click Submit to finish setting an alert suppression schedule.
System Logging Facility
This section allows you to configure system logging (syslog).
Setting the Severity Level
Choosing a severity means that messages of that severity and higher are sent to the syslog.
For example, choosing the default level of SYSLOG_ALERT means that only messages of
SYSLOG_ALERT and SYSLOG_EMERGENCY are sent to the syslog.
Note The severity level chosen for the syslog is not related to the log level chosen for
Email Security logging on the System > Advanced page.
Choose one of the syslog levels listed below (shown in order of decreasing severity). Note that
logging lower severity messages means more data is logged.
• SYSLOG_EMERGENCY—The system is unusable. Because this is the highest on the
severity scale, this level minimizes the amount of logging.
• SYSLOG_ALERT—Action must be taken immediately. This is the default severity level for
the syslog.
• SYSLOG_CRITICAL—Critical conditions.
• SYSLOG_ERROR—Error conditions.
• SYSLOG_WARNING—Warning conditions.
• SYSLOG_NOTICE—Normal, but significant conditions.
• SYSLOG_INFORMATIONAL—Informational messages.
• SYSLOG_DEBUG—Debug-level messages. Because this is the lowest on the severity
scale, this level maximizes the amount of logging.
Local and Remote Storage
Local—Select the Local checkbox to write syslogs to the Dell SonicWALL Email Security
server. For Windows software installations of Email Security, syslogs are written to the
Windows Event Viewer. For Email Security appliances, syslogs are written to files on the
Dell SonicWALL Email Security server. For appliances, syslog files may be downloaded from
the System > Advanced page.
Remote—Select the Remote checkbox to send syslogs to remote servers. Specify the IP
addresses and ports of one or two servers to receive syslog messages. Port 514 is the
recommended port for syslog. Note that the second server is not a fallback server.
If both checkboxes are selected, syslogs are written locally and sent to both remote servers. If
neither checkbox is selected, syslogs are not written anywhere.
Send Message Details—Select this checkbox to send information about every email that
passes through your Dell SonicWALL Email Security servers to the syslog. This option is only
available if the syslog severity chosen is one of the lowest two levels, SYSLOG_INFO or
SYSLOG_DEBUG.
Caution: If you receive a lot of email, this can result in a very large amount of data being sent to the
syslog.
Connection Management
Dell SonicWALL Email Security uses collaborative techniques as one of many tools to block
junk messages. The collaborative database incorporates thumbprints of junked email from
Dell SonicWALL Anti-Spam Desktop and users. Your server uses the HTTP protocol to
communicate with a data center hosted by us to download data used to block spam, phishing,
viruses, and other evolving threats.
The System > Connection Management screen includes the following subsections:
• Intrusion Prevention—Protection against Denial of Service (DoS) attacks, Directory
Harvest Attacks (DHA), and invalid email addresses.
• Quality of Service—Enables a greater control over the server connection from suspicious
clients.
Intrusion Prevention
From the System > Connection Management screen, navigate to the Intrusion Prevention
section. Note that your LDAP must be configured before Directory Protection can be
configured. The following sections describe how to configure the Intrusion Prevention
components:
• Directory Harvest Attack (DHA) Protection
• Denial of Service (DoS) Attack Protection
Directory Harvest Attack (DHA) Protection
Spammers not only threaten your network with junk mail, they also stage Directory Harvest
Attacks (DHA) to get a list of all users in an organization’s directory. DHA makes unprotected
organizations vulnerable to increased attacks on their email and other data systems.
DHA can threaten your network in the following ways:
• Expose the users in your directory to spammers—The people at your organization need
their privacy in order to be effective. To expose them to malicious hackers puts them and
the organization at significant risk from a variety of sources.
Users whose email addresses have been harvested are at risk. Once a malicious hacker
knows their email, users are at risk for being spoofed: someone can try to impersonate their
email identity. In addition, exposed users can be vulnerable to spoofing by others. IT
departments routinely receive email from people pretending to be providing upstream
services, such as DNS services.
• Expose users to phishing—Exposed users can be targeted to receive fraudulent email.
Some receive legitimate-appearing email from banks or credit cards asking for personal or
financial information.
Some exposed users have been blackmailed; Reuters reported cases where users were
told if they did not pay up, their computers would be infected with viruses or pornographic
material.
• Expose your organization to Denial of Service Attacks—DHA can lead to denial of service
attacks because malicious hackers can send lots of information to valid email addresses in
an effort to overwhelm the capacity of your mail server.
• Expose your organization to viruses—DHA provides a highly effective means of delivering
virus-infected email to users.
• Exposes users to fraudulent email masquerading as good email—Directory Harvest
Attacks can perpetuate fraudulent email messages by giving malicious hackers the ability
to target your users individually and by name.
The following table lists and describes the available actions for messages sent to email
addresses that are not in your LDAP server:

| Setting | Result |
| --- | --- |
| Directory Harvest Attack (DHA) Protection Off | Processes all messages the same (whether or not email address is in LDAP). No action is taken on messages. No directory protection. |
| Permanently Delete | All email messages addressed to users not in the organization’s directory are permanently deleted. The sender does not receive notification about the email they have sent. This option can lead to permanently deleting legitimate mail with a typographical error in the address. |
| Reject Invalid Email Addresses (Tarpitting) | SMTP clients that specify invalid recipients are tarpitted. Responses to invalid recipient commands are delayed for some time period to slow down the rate that they can attack an organization’s mail system. Warning: Enabling tarpitting protection uses your system resources (CPU, memory) that may slow down your server. |
| Always Store in Junk Box (regardless of spam rating) | Email that is sent to an invalid address is stored in the Junk Box. Email Security does not process the email to determine if it is spam or another form of unwanted email. Email Security recommends this option to protect the confidentiality of your directory population. |

The following table lists and describes the available actions for DHA protection to recipient
domains:

| Options | Results |
| --- | --- |
| Apply to all recipient domains | SonicWALL recommends that most organizations choose Apply to all recipient domains. Applies DHA protection to all recipient domains. |
| Apply only to the recipient domains listed below | Applies DHA protection to the recipient domain(s) listed. |
| Apply to all recipient domains except those listed below | Applies DHA protection to all recipient domains except for those listed. |

Denial of Service (DoS) Attack Protection
A Denial of Service (DoS) attack aims at preventing authorized access to a system resource or
the delaying of system operations and functions for legitimate users. The Denial of Service
Attack Protection adds an extra level of security to thwart an attack.
DoS attacks can threaten your network in the following ways:
• Bandwidth consumption—The available bandwidth of a network is flooded with junk mail
addressed to invalid recipients.
• Resource starvation—The mail servers of an organization are overwhelmed trying to
process the increased volume of messages coming from infected computers, which causes
the mail servers to run out of resources (CPU, memory, storage space).
To configure Denial of Service (DoS) attack protection, follow the procedures listed below:
1. Navigate to the System > Connection Management screen.
2. Select the Enable DoS protection checkbox. Read and acknowledge the warning.
To use the DoS Attack Protection feature, your Dell SonicWALL Email Security appliance
must be the first destination for incoming messages. If you are routing mail to your Email
Security appliance from an internal mail server or using an MTA, do not use DoS Attack
Protection.
3. Specify trigger by selecting the number of connections to allow from a given IP address.
4. Specify action to take by selecting either of the following:
– Deferral for a set period of time
– Completely block all further connections
5. Click the Apply Changes button.
Quality of Service
From the System > Connection Management screen, navigate to the Quality of Service
section. The following sections describe how to configure the Quality of Service components:
• Throttling
• Connections
• Messages
• Miscellaneous
Throttling
This section allows you to set specific thresholds to limit the sending ability of suspicious clients
by limiting offensive IP addresses. Some examples of thresholds include:
• one connection per hour
• one message per minute for the next 24 hours
• ten recipients per message
To configure the Throttling feature from the System > Connection Management screen, follow
the procedures below:
1. Select the Enable Throttling checkbox.
2. Specify the Trigger:
– Specify the number of connections, messages, or the number of recipients from a given
IP address
– Specify the percentage of invalid emails to recipients. This setting only applies to
recipient commands
3. Specify an action to take:
– Deferral for a set period of time
– Completely block all further connections
– Limit a number of connections, messages, or recipients, for a number of minutes over a
range of time
4. Click the Apply Changes button.
Note: Some scenarios can be implemented with either Denial of Service Attack Protection or
Throttling settings. You can choose to throttle mail from clients above one threshold and
choose to block clients above a second threshold.
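Before choosing trigger values, it helps to replay recent traffic against candidate thresholds. The following Python sketch is an added example, not code from the product: the event format, the sample lines and every threshold are constructed assumptions. It counts connections and the percentage of invalid recipients per client IP inside a time window, then applies the two-threshold idea from the note above (throttle above one threshold, block above a second).

```python
from collections import defaultdict

# Assumed thresholds for illustration; derive real values from your own traffic.
WINDOW_SECONDS = 3600
BLOCK_CONNECTIONS = 5        # second, higher threshold: block
THROTTLE_INVALID_PCT = 50.0  # first threshold: throttle
MIN_RECIPIENTS = 5           # ignore percentages computed from tiny samples

# Constructed events: "<epoch seconds> <client IP> <CONNECT|RCPT> [valid|invalid]".
# This is not the product's log format.
SAMPLE_LOG = """\
100 203.0.113.5 CONNECT
1000 192.0.2.10 CONNECT
1001 192.0.2.10 RCPT valid
1002 192.0.2.10 RCPT valid
1003 192.0.2.10 RCPT invalid
2000 198.51.100.7 CONNECT
2001 198.51.100.7 RCPT invalid
2002 198.51.100.7 RCPT invalid
2003 198.51.100.7 RCPT invalid
2004 198.51.100.7 RCPT valid
2005 198.51.100.7 RCPT invalid
2006 198.51.100.7 RCPT invalid
3000 203.0.113.5 CONNECT
3001 203.0.113.5 CONNECT
3002 203.0.113.5 CONNECT
3003 203.0.113.5 CONNECT
3004 203.0.113.5 CONNECT
"""


def parse(log_text):
    """Yield (timestamp, ip, event, detail) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        detail = parts[3] if len(parts) > 3 else ""
        yield int(parts[0]), parts[1], parts[2], detail


def evaluate(log_text, now, window=WINDOW_SECONDS):
    """Return {ip: {"action", "connections", "invalid_pct"}} for the window."""
    stats = defaultdict(lambda: {"connections": 0, "recipients": 0, "invalid": 0})
    for ts, ip, event, detail in parse(log_text):
        if not (now - window < ts <= now):
            continue  # event is outside the evaluation window
        if event == "CONNECT":
            stats[ip]["connections"] += 1
        elif event == "RCPT":
            stats[ip]["recipients"] += 1
            if detail == "invalid":
                stats[ip]["invalid"] += 1

    decisions = {}
    for ip, s in stats.items():
        pct = 100.0 * s["invalid"] / s["recipients"] if s["recipients"] else 0.0
        if s["connections"] >= BLOCK_CONNECTIONS:
            action = "block"
        elif s["recipients"] >= MIN_RECIPIENTS and pct >= THROTTLE_INVALID_PCT:
            action = "throttle"
        else:
            action = "allow"
        decisions[ip] = {"action": action,
                         "connections": s["connections"],
                         "invalid_pct": round(pct, 1)}
    return decisions


if __name__ == "__main__":
    for ip, decision in sorted(evaluate(SAMPLE_LOG, now=4000).items()):
        print(ip, decision)
```

The client with a single mistyped recipient stays below the minimum sample size and is left alone, which is the false-positive case to watch when setting the invalid-recipient percentage.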
Connections
The Connections section allows you to impose a limit on the number of simultaneous inbound
and outbound connections that your Email Security server can accept.
On the inbound path, this value limits the number of simultaneous connections external hosts
can make to the Email Security appliance or software. On the outbound path, this value limits
the number of simultaneous connections internal hosts can make to the Email Security to
deliver messages. When the connections limit is exceeded, the Email Security sends a
transient failure message (421 error code).
Specify the Limit number of inbound / outbound connections in the fields provided.
Messages
The Messages section allows you to limit messages based on message characteristics, such
as message size and number of recipients.
If too many recipients are specified in a message, the Email Security sends a transient failure
message (4xx error code). If the message size limit is exceeded, the Email Security sends a
permanent failure message (5xx error code).
Specify the Limit number of recipients and Limit message size (in bytes) in the fields
provided. These values apply to both inbound and outbound paths.
Miscellaneous
The miscellaneous section allows you to enable certain connection management settings, such
as Bounce Address Tag Validation, Greylisting, and GRID Network IP reputation.
Bounce Address Tag Validation (BATV)
Bounce Address Tag Validation (BATV) reduces the number of unauthorized Non-Delivery
Reports (NDR) delivered to your organization. BATV protects your organization by adding a
signature to all outbound mail. When an NDR arrives, BATV checks for a valid signature. If the
signature does not exist or does not pass the security check, then Email Security rejects the
NDR. If the signature is authentic and the NDR is valid, Email Security continues analyzing the
NDR.
BATV is not enabled by default. Although BATV is a powerful tool to eliminate invalid messages,
some configurations on other mail servers may cause the BATV system to reject legitimate
messages. The user who sent out the message is not notified that the message did not reach
the intended recipient. Some reasons for “false positives” may include:
• LDAP upstream of Dell SonicWALL Email Security
• Null reverse paths instead of “From” fields
• Divergent Dell SonicWALL Email Security configuration
• Incorrect or altered reverse mail paths
To enable BATV, follow the procedures below:
1. Log into your Dell SonicWALL Email Security as an administrator.
2. Navigate to the System > Connection Management page.
3. Scroll down to the Quality of Service > Miscellaneous section.
4. Select the Bounced Address Tag Validation (BATV) checkbox to enable the feature.
5. Click the Apply Changes button.
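To make the signature check described above concrete, here is an added Python sketch of BATV-style tagging and validation. It is not Dell SonicWALL's implementation, and the guide does not state the tag format the product uses; the sketch follows the layout of the prvs scheme in the BATV Internet-Draft (key digit, three-digit expiry day, six hex digits of an HMAC-SHA1). The key, lifetime and addresses are constructed assumptions.

```python
import hashlib
import hmac
import re
import time

KEYS = {0: b"constructed-demo-key"}  # constructed; real keys are secret and rotated
LIFETIME_DAYS = 7                    # assumed validity window for a tag
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _mac(key_id, day, address):
    """First six hex digits of HMAC-SHA1 over key digit + expiry day + address."""
    msg = f"{key_id}{day:03d}{address}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha1).hexdigest()[:6]


def sign_sender(address, today, key_id=0):
    """Tag an outbound envelope sender. `today` is days since the Unix epoch."""
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={key_id}{expiry:03d}{_mac(key_id, expiry, address)}={address}"


def check_bounce(mail_from, rcpt_to, today):
    """Return (verdict, original_address) for an inbound message.

    Only messages with a null reverse path (NDRs) are subject to the check.
    """
    if mail_from not in ("", "<>"):
        return ("not-a-bounce", rcpt_to)
    match = TAG_RE.match(rcpt_to)
    if not match:
        return ("reject-unsigned", None)
    key_id, day = int(match[1]), int(match[2])
    signature, original = match[3].lower(), match[4]
    if key_id not in KEYS:
        return ("reject-bad-signature", None)
    if not hmac.compare_digest(signature, _mac(key_id, day, original)):
        return ("reject-bad-signature", None)
    # Day numbers wrap at 1000, so compare modulo 1000.
    if (day - today) % 1000 > LIFETIME_DAYS:
        return ("reject-expired", None)
    return ("accept", original)


if __name__ == "__main__":
    today = int(time.time() // 86400)
    tagged = sign_sender("alice@example.com", today)
    print(tagged)
    print(check_bounce("<>", tagged, today))                # valid NDR
    print(check_bounce("<>", "alice@example.com", today))   # forged NDR, no tag
    # A relay that rewrote the address breaks the signature (a false-positive cause).
    print(check_bounce("<>", tagged.replace("alice", "Alice"), today))
```

The last call shows why altered reverse mail paths appear in the list of false-positive causes: any rewrite of the tagged address between sending and bouncing invalidates the signature, and the legitimate NDR is rejected.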
Greylisting
The Greylisting feature discourages spam without permanently blocking a suspicious IP
address. When Greylisting is enabled, Email Security assumes that all new IP addresses that
contact it are suspicious, and requires those addresses to retry before it will accept the email.
The Greylist is the list of IP addresses that have contacted the Email Security once, and have
been sent a request to retry the connection. The Greylist is cleared and restarted every night.
Thus, if the connection is not retried before the Greylist is restarted, that server will be asked
to retry the connection again when it sends a retry of the initial connection request.
Dell SonicWALL Email Security also keeps track of the MTAs that have successfully retried the
connection and are now deemed to be responsible MTAs. These IP addresses are added to a
separate list. Connections from MTAs on this list are accepted without further retry requests,
but the data from the connection is subjected to the rigorous checking performed by Email
Security on all incoming mail.
Greylisting is useful only for Email Security servers running as the “first touch” server, which
means receiving email directly from the Internet. Dell SonicWALL recommends disabling
Greylisting if Email Security is not first touch.
The benefits of enabling the Greylisting feature include:
• Increased effectiveness—Less spam received into the gateway translates to less spam
delivered to the Inbox.
• Better performance—Greylisting reduces the volume of traffic at the gateway, as well as
traffic to the downstream (for example, the Exchange server). As a result of the reduced
volume, valuable system resources are freed up (such as sockets, memory, network
utilization, etc.) allowing Dell SonicWALL Email Security to process more good mail in the
same amount of time.
• Storage requirements—With the increasing focus on archiving, Greylisting reduces the
amount of junk that gets stored in an archive, again saving valuable resources.
Greylisting and Connection Management Precedence Order
If Greylisting is enabled, the Source IP Address is cross-checked against the
Dell SonicWALL Email Security Connection Management components, in the following order:
• Allow-list—If an IP address is on this list, it gets a free pass through Connection
Management. Note the message is still subject to plug-in chain processing.
• Block-list—This IP address is already blocked from connecting to Email Security.
• Defer-list—Connections from this IP address are already configured to be deferred.
• DoS—Checks to see if the IP address has crossed the DoS threshold, and if so, takes the
appropriate action.
• Throttling—Checks to see if the IP address has crossed the throttling threshold, and if so,
takes the appropriate action.
• Responsible MTA List—This IP address has already been through and passed the
Greylisting filter.
• Greylist—The IP address is added to the Greylist if this is the first time the IP address has
contacted the Email Security.
To enable the Greylisting feature, follow the procedures below:
1. Navigate to the System > Connection Management page.
2. Scroll down to the Quality of Service > Miscellaneous section.
3. Select the Greylisting checkbox to enable the feature.
4. Click the Apply Changes button.
Disable Strict MAIL FROM Checking
By default, this feature enforces the SMTP specification with regard to the Reverse Path, which
is the MAIL FROM field or Envelope From field. This feature reduces the load on the
downstream server (for example, Microsoft Exchange), as well as reduces the amount of junk
email allowed into the system.
To enable this feature, follow the procedures below:
1. Navigate to the System > Connection Management page.
2. Scroll down to the Quality of Service > Miscellaneous section.
3. Select the Disable strict MAIL FROM checking checkbox.
4. Click the Apply Changes button.
GRID Network IP Reputation
The GRID Connection Management with Sender IP Reputation feature uses the reputation a
particular IP address has with members of the Dell SonicWALL GRID Network. When a
connection is received from a known bad IP address, a “554 No SMTPd here” error response
is given, and the SMTP session is rejected.
This feature is useful only for Dell SonicWALL Email Security servers running as “first touch”
servers. Dell SonicWALL recommends disabling the GRID Network IP Reputation feature if
Email Security is not first touch.
GRID Network IP Reputation and Connection Management Precedence Order
If IP Reputation is enabled, the source IP address is checked in the following order:
• Allow-list—If an IP address is on this list, it gets a free pass through Connection
Management. Note the message is still subject to analysis by the Email Security server as
usual.
• Block-list—This IP address is already blocked from connecting to Email Security server.
• Reputation-list—If the IP address is not in the previous lists, the Email Security server
checks with the GRID Network to see if this IP address has a bad reputation.
• Defer-list—Connections from this IP address are deferred. A set interval must pass before
the connection is allowed.
• DoS—If the IP address is not on the previous lists, the Email Security server checks to see
if the IP address has crossed the DoS threshold. If it has, the server uses the existing
DoS settings to take action.
• Throttling—Checks to see if the IP address has crossed the throttling threshold, and if so,
takes the appropriate action.
• Not-grey-list—This IP address has already been through and passed the grey-list filter.
Note that this feature applies to the GRID Network IP Reputation only if it is enabled.
• Greylist—The IP address is added to the Greylist if this is the first time the IP address has
contacted the Email Security. Note that this feature applies to the GRID Network IP
Reputation only if it is enabled.
To enable the GRID Network IP Reputation feature, follow the procedures below:
1. Navigate to the System > Connection Management page.
2. Scroll down to the Quality of Service > Miscellaneous section.
3. Select the GRID Network IP Reputation checkbox to enable the feature.
– Click the Disable checks for IP addresses of unauthenticated mail sender
checkbox to disable this feature.
4. Click the Apply Changes button.
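The two precedence orders described above (for Greylisting and for GRID Network IP Reputation) can be modeled as a single decision function, which is useful for predicting what happens to an address that sits on more than one list. This Python sketch is an added example, not the product's code: the class, thresholds, chosen DoS and throttling actions, and the local set standing in for the GRID lookup are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectionManager:
    """Toy model of the per-connection checks, in the order the guide lists them."""
    allow_list: set = field(default_factory=set)
    block_list: set = field(default_factory=set)
    defer_list: set = field(default_factory=set)
    # Stand-in for the GRID Network lookup (assumption: a local set of bad IPs).
    bad_reputation: set = field(default_factory=set)
    ip_reputation_enabled: bool = False
    greylisting_enabled: bool = True
    dos_threshold: int = 50        # assumed connections-per-IP trigger
    throttle_threshold: int = 10   # assumed connections-per-IP trigger
    connections: dict = field(default_factory=dict)
    responsible_mtas: set = field(default_factory=set)
    greylist: set = field(default_factory=set)

    def nightly_reset(self):
        """The guide states the Greylist is cleared and restarted every night."""
        self.greylist.clear()

    def check(self, ip):
        """Return (action, stage) for one inbound connection from ip."""
        count = self.connections.get(ip, 0) + 1
        self.connections[ip] = count
        if ip in self.allow_list:
            return ("accept", "allow-list")   # message content is still scanned
        if ip in self.block_list:
            return ("reject", "block-list")
        if self.ip_reputation_enabled and ip in self.bad_reputation:
            return ("reject", "reputation-list")
        if ip in self.defer_list:
            return ("defer", "defer-list")
        if count > self.dos_threshold:
            return ("reject", "dos")          # assumed configured action: block
        if count > self.throttle_threshold:
            return ("defer", "throttling")    # assumed configured action: deferral
        if self.greylisting_enabled:
            if ip in self.responsible_mtas:
                return ("accept", "responsible-mta")
            if ip in self.greylist:
                # The sender retried before the nightly reset: promote it.
                self.greylist.discard(ip)
                self.responsible_mtas.add(ip)
                return ("accept", "greylist-retry")
            self.greylist.add(ip)
            return ("retry", "greylist")
        return ("accept", "no-match")


def demo():
    """Replay constructed connections (documentation-range IPs) and collect verdicts."""
    cm = ConnectionManager(
        allow_list={"192.0.2.1"},
        block_list={"192.0.2.1", "192.0.2.2"},
        defer_list={"192.0.2.3"},
        bad_reputation={"192.0.2.3"},
    )
    results = []
    results.append(cm.check("192.0.2.1"))     # on both lists: allow-list is checked first
    results.append(cm.check("192.0.2.2"))
    results.append(cm.check("192.0.2.3"))     # reputation off: falls through to defer-list
    cm.ip_reputation_enabled = True
    results.append(cm.check("192.0.2.3"))     # reputation on: rejected before defer-list
    results.append(cm.check("198.51.100.9"))  # first contact: asked to retry
    cm.nightly_reset()
    results.append(cm.check("198.51.100.9"))  # retry came after the reset: asked again
    results.append(cm.check("198.51.100.9"))  # timely retry: accepted
    results.append(cm.check("198.51.100.9"))  # now on the responsible MTA list
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first verdict is the one to audit for: an address on both the Allowed and Blocked lists is accepted, because the allow-list is consulted first.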
Manually Edit IP Address Lists
This section allows you to manage the list of IP addresses to allow, defer, block, or throttle.
Navigate to the System > Connection Management screen, then scroll down to the Manually
Edit IP Address Lists section. This section includes the following subsections:
• Allowed List
• Deferred List
• Blocked List
• Throttled List
Allowed List
When an IP address is added to the Allowed list, Email Security continues to check for spam
and phishing attacks in messages from that IP address.
To add an IP address to the list or edit the existing list, click the Edit Allowed List button. Enter
the IP address, then click the Add New IP Address button when finished. To delete an IP
address from the list, select the checkbox of the IP address you wish to delete, then click the
Delete Checked IP Addresses button.
Deferred List
In the case of a connection from a deferred IP address, the transient message is “421 4.4.5
Service not available, connection deferred.”
To add an IP address to the list or edit the existing list, click the Edit Deferred List button. Enter
the IP address, then click the Add New IP Address button when finished. To delete an IP
address from the list, select the checkbox of the IP address you wish to delete, then click the
Delete Checked IP Addresses button.
Blocked List
When the server receives a connection from an IP address on a blocked list, the Email Security
responds with a “554 No SMTP service here” error message, and rejects the TCP/IP
connection.
To add an IP address to the list or edit the existing list, click the Edit Blocked List button. Enter
the IP address, then click the Add New IP Address button when finished. To delete an IP
address from the list, select the checkbox of the IP address you wish to delete, then click the
Delete Checked IP Addresses button.
Throttled List
When the SMTP server receives a connection from an IP address on this list, the Email Security
responds with a “421 4.4.5 Service not available, too many connections due to throttling” error
message and drops the TCP/IP connection.
To add an IP address to the list or edit the existing list, click the Edit Throttled List button.
Enter the IP address and the number of hours to throttle for, then click the Add New IP Address
button when finished. To delete an IP address from the list, select the checkbox of the IP
address you wish to delete, then click the Delete Checked IP Addresses button.
Backup/Restore Settings
The System > Backup/Restore page allows the administrator to configure the backup and
restore settings for the server.
Note: It is not necessary to perform either of these functions. Executing the backup and restore
functions depends on the needs of your organization.
Manage Backups
On the Backup tab, the administrator can select from the following categories of data that can
be backed up:
• Settings—Select this category to back up ALL user settings, including network
architecture, LDAP, per-user settings, and policies. Dell SonicWALL recommends that you
back up your settings regularly, since losing this data would require a complete reconfiguration of your settings.
• Per User Settings—Select this category to enable a snapshot of the Per User Settings.
This setting backs up all the settings configured for users in your user list.
• Junk Box—Select this category to enable a snapshot of your Junk Box for future recovery.
Enabling this category requires sufficient disk space and requires 30 to 60 minutes to
complete the backup snapshot.
• Archive—Select this category to enable back up of the archive. This setting backs up all
messages that have been archived on this server’s file system. Note that this setting does
not back up messages that have been archived to an external SMTP server.
• Reports Data—Select this category to enable a snapshot of your reports data. This backup
setting is the least critical of the three backup settings. Reports data does not include
critical information for system recovery.
Click the Take Snapshot Now button to combine the files selected for backup into a single zip
file called the “Snapshot,” which is saved onto the physical system running. There is only one
snapshot file on a system at any time. When a new snapshot is taken, the existing snapshot file
is overwritten.
Click the Download Snapshot button to download the latest snapshot from the system. This
file can then be saved onto a separate system if needed.
Note that the size of the snapshot file that can be uploaded is size-limited. A warning dialog
appears if you attempt to download a snapshot file that is too large to be uploaded again. The
following are ways you can reduce the size of the snapshot file:
• Download the four categories of data in four separate snapshot files, instead of combining
all the data into one big file.
• Reduce the amount of data in the reports database by removing older data more
aggressively. The System > Advanced page allows you to set the length of time after which
reporting data is removed.
• Reduce the amount of data in the quarantine database by removing older data more
aggressively. The System > Junk Box Settings page allows you to set the length of time
after which quarantined data is removed.
• Reduce the amount of data in the archive by removing older data more aggressively. The
Policy & Compliance > Archiving page allows you to set the length of time after which
archived messages are removed.
Schedule Backup
Scheduled Backups allow administrators to schedule daily, weekly, or monthly backups. First,
you must select the Enable scheduled backup checkbox to use this feature.
Backup Frequency
Specify the Backup Frequency, including the Hour of Day, Day of Week, and Day of Month.
Create Snapshot
Select the categories to be included in the Scheduled Backup. The categories include: Settings,
Junk Box, Archive, and Reports Data. See Manage Backups on page 61 for more details about
these categories.
FTP Server Authentication
If you have a configured remote FTP server, click the FTP Server Authentication checkbox.
Specify the FTP Server information, including the Port, Username, Password, and
Destination Path.
Click the Apply button when finished.
Managing Restores
Administrators can restore data from a snapshot file on the System > Backup/Restore >
Restore tab.
Restore From a Snapshot File
Select one of the following methods to restore data from a snapshot file:
• Restore data from a snapshot file on the Email Security server—This option takes the
last snapshot file saved onto the Email Security server and restores data.
• Upload a snapshot file from your local hard drive and use it to restore data—This
option allows you to upload a snapshot file from your local hard drive. Click the Choose
File button and select the file from your local hard drive.
Restore the Following Data
Select the checkboxes of the categories you want restored from the snapshot you are restoring.
Categories include: Settings, Junk Box, Archive, and Reports Data. See Manage Backups on
page 61 for more details about these categories.
Click the Start Restoring Data button to begin the Restore process.
Host Configuration
The System > Host Configuration page allows you to make changes to the server on which
the Dell SonicWALL Email Security product is installed. After applying these settings, you can
then use the Restart Services or Reboot this Server buttons at the top of the Host
Configuration page. This section includes the following subsections:
• General Settings
• HTTPS Settings
• Date & Time Settings
• Network Settings
• CIFS Mount Settings
General Settings
The general settings of the Host Configuration allow you to configure the Hostname settings
and Access PIN settings for Dell SonicWALL Email Security appliances.
Hostname
Changing the hostname causes a number of changes to be made to the Email Security settings,
configuration files, and may rename some of the directories in the installation and data
directories.
To change the hostname of this server, enter the new fully-qualified hostname in the Hostname
field, and then click the Apply Changes button. The hostname cannot be changed to an IP
address.
Note that the system performs a reboot upon a host name change and clicking the Apply
Changes button.
You may also click one of the buttons at the top of the page to Restart Services, Reboot this
Server, or Shut Down Server.
HTTPS Settings
The HTTPS Settings section allows you to enable HTTP and HTTPS access on specific ports.
The following are HTTPS settings you can configure:
• Enable HTTP access on port—Select the checkbox to enable this setting. Enter the port
number in the field provided. The default port for HTTP is Port 80.
• Enable HTTPS (SSL) access on port—Select the checkbox to enable this setting. Enter
the port number in the field provided. The default port for HTTPS is Port 443.
• Redirect access from HTTP to HTTPS—Select the checkbox to enable this setting.
Click the Apply Changes button.
Date & Time Settings
The Date & Time Settings section allows you to set the current date, time, and time zone for
this host. You can also set the Network Time Protocol (NTP) settings from this section.
For the Date & Time Settings, select from the Available time zones dropdown list the time
zone you want set for this host. Specify the System date and time.
Click the Enable Network Time Protocol checkbox to enable the NTP feature. Selecting this
checkbox will synchronize the server time using UDP on port 123. You can then list up to 8 NTP
servers in the NTP Server List.
Click the Apply Changes button to save and apply settings in this section.
Network Settings
This section allows you to configure the host system settings for Email Security.
The Use the static settings below option is selected so that you can configure the following:
• Primary DNS Server IP address
• Fallback DNS server IP address
• Default gateway IPv4 address
• Default gateway IPv6 address (optional)
Ethernet0 Port
By default, the Enable use of Ethernet0 port checkbox is selected. With this checkbox
selected, you can change the IP address and Subnet mask.
Click Add Alias to add any additional IP addresses (IPv4 or IPv6) and Subnet Masks. Click
Save to complete adding an alias to this Ethernet port.
Click the Apply Changes button.
Ethernet1 Port
Click the Enable use of Ethernet1 port checkbox if your Email Security appliance supports
dual NIC cards. You will then have to configure the IP address and Subnet mask.
Click Add Alias to add any additional IP addresses (IPv4 or IPv6) and Subnet Masks. Click
Save to complete adding an alias to this Ethernet port.
Click the Apply Changes button.
CIFS Mount Settings
CIFS Mounting allows the mounting of an external drive to store the appliance’s data. The
available data on the current drive is migrated to the external storage drive, increasing the
storage limit for the appliance. For dual control centers, the same external drive can be
mounted on both control centers to share the data. The two control centers can be configured
to either share the load or as a failover.
Provide the Hostname (FQDN), Shared Drive Name, Remote Login UserID, and Remote
Login Password in the spaces provided. Then, click on one of the following:
• Mount—Click this button to mount the external drive. If the external drive is empty, a
warning message displays. Click Continue to migrate the local data to the external drive.
If the external drive already contains Email Security-related data, the external drive will be
directly mounted.
• Migrate—Click this button to migrate the local data to the external drive.
• Unmount—Click this button to unmount the external drive and revert back to the local
drive. Note that data stored in the external drive will not be migrated back to the local drive.
• Test Mount—Click this button to test whether or not the external drive has successfully
mounted.
Advanced
The System > Advanced page allows you to configure a variety of settings. You can customize
the SMTP banner, configure logging levels, specify log levels, reinitialize to factory settings,
download system/log files, and use other advanced features.
Note: The Advanced page contains tested values that work well in most configurations. Changing
these values can adversely affect performance.
General Settings
The General Settings section of the System > Advanced page includes Message Management
settings, Other Settings, and SNMP Settings.
Message Management
• Customize SMTP banner—Use this setting to specify the SMTP banner. Be sure to use
valid characters and syntax for an SMTP header.
When remote SMTP servers contact the Email Security to send email through it, an SMTP
header displays that identifies the server as a Dell SonicWALL Email Security server.
Some companies may want to hide this information and present their own custom SMTP
banner header information.
• Replace SonicWALL in “Received:” headers—Use this setting to replace the name in
the “Received:” header. If you do not want to have the Dell SonicWALL Email Security
name in the Received headers when sending good email downstream to your servers, use
this field to specify another name.
• DNS Timeout for SPF—Enter a value between 1 and 30 seconds. Use this setting to
configure the number of seconds Dell SonicWALL Email Security searches for the SPF
record of the sender. If the Email Security cannot find the SPF record in the number of
seconds specified, it times out and does not return the SPF record of the sender. The
default value is 2 seconds.
• Saved emails will automatically be deleted when older than—Enter the number of days
of data that you want to preserve in the email archives. Lowering this number means less
disk space is used, but note that you will not have report data older than the number of days
specified.
• Permit users to add members of their own domain to their Allowed Lists—Selecting
the On button allows users to add people within their domain to their personal Allowed
Lists. For example, if you work at example.com and enable this feature, all users at
example.com can be added to your Allowed List. As a result, email messages between
internal users are not filtered by the Email Security product. You can either add people
manually or configure to automatically add each person to whom users send email.
• Save a copy of every email that enters your organization—When the On button is
selected, folders with the entire contents of every email are created in the logs directory of
each server that analyzes email traffic (All-In-One Servers and Remote Analyzers). The
emails are saved before being analyzed for threats by the Email Security product. Because
saving inbound emails can be handled independently, there are separate folders for saved
inbound email.
Email entering your organization is located in: <Install Directory>\logs\fullhistory_in\
• Save a copy of every email that leaves your organization—When the On button is
selected, folders with the entire contents of every email are created in the logs directory of
each server that analyzes email traffic (All-In-One Servers and Remote Analyzers). The
emails are saved before being analyzed for threats by the Email Security product. Because
saving outbound emails can be handled independently, there are separate folders for saved
outbound email.
Email leaving your organization is located in: <Install Directory>\logs\fullhistory_out\
Other Settings
• Log level—Use this setting to change the log level for the Email Security product. Change
the log level to increase or decrease the amount of information stored in your logs. Log level
1 provides the maximum quantity of logging information; level 6 results in the least. The
default level is 3.
• Reports data will be deleted when older than—Enter the number of days of data you
want to preserve for reporting information. Reducing this number means less disk space is
used, but note that report data older than the number of days specified will not be available.
The default value is 366 days.
• Test Connectivity to reports database—Click the Test Connectivity button to verify that
you can access the Reports database. If this test fails, custom reports will not work and the
database is not updated. If this test fails during normal operation, contact a system
administrator immediately. See the Reports & Monitoring Chapter for more information on
accessing and customizing reports.
SNMP Settings
• SNMP—Click the On radio button to enable the Simple Network Management Protocol
(SNMP) feature. SNMP works to monitor network availability, performance, and error rates.
• SNMP Community String—Specify the community string for SNMP in the field provided.
Miscellaneous Settings
Upload Patch
Use this setting to manually upload and install a new Email Security update. Usually when a
new Email Security update is available, the Email Security product automatically downloads the
update and alerts the administrator by email that it is available.
In some instances, an administrator may want or need to apply a patch manually. For example,
if an administrator has multiple servers running in split configuration mode (Remote Analyzer /
Control Center configuration), updates must be applied manually.
To upload a patch file manually, navigate to the System > Advanced page. Scroll down to the
Miscellaneous Settings > Upload Patch section. Click the Choose File button, and select a
file from your local hard drive to upload. Then, click the Apply Patch button.
Download System/Log Files
The Download System/Log Files feature allows you to download or email log files and system
configuration files from your server.
To download system/log files, select the Type of File from the dropdown list. You can use the
Choose specific files list to select one or more files to download. Then, click the Download
button.
To email the system/log files, select the Type of File from the dropdown list. You can use the
Choose specific files list to select one or more files to email. Click the Email To... button.
Enter the Recipient email address in the dialog box that appears, and then click Send. Note
that emailing very large files and directories can be problematic depending on the limitations of
your email system.
Reset Settings
Cleanup Per User
The Per User Cleanup tool deletes address books and settings filters of non-existent users in
your Email Security user list. You can click the Use last generated report to clean up
checkbox to reference the latest generated report for Per User Cleanup. The report is
generated as a .txt file.
Click Generate Report to generate an updated list of users.
Click Cleanup Peruser to use the Per User Cleanup tool to delete files of non-existent users.
Delete All Users’ Allowed and Blocked Lists
All users’ allowed and blocked lists on this server can be permanently deleted. If you wish to retain
any of this data, you will need to back it up from the System > Backup/Restore page and
download it to your local hard drive before deleting. Click the Delete All button to perform this
action.
Reinitialize Appliance to Factory Settings
Reinitialize the settings for this Email Security product to the factory default values. All log,
settings, data, license keys, etc. on this server are permanently deleted. If you wish to retain
any of this data, you will need to back it up from the System > Backup/Restore page and
download it to your local hard drive before deleting. Click the Reinitialize Appliance button to
perform this action.
Reset Licenses
Reset all license key information associated with this Dell SonicWALL Email Security product.
Click the Reset Licenses button to perform this action. License keys can be restored by visiting
http://mysonicwall.com.
Note After clicking the Reset Licenses button, you will no longer have access to a majority of the
user interface features. Many left-hand navigation links will direct you to the License
Management page.
Branding
Branding provides the ability to customize aspects of the user interface. Administrators can
upload replacement assets for the key branding elements, including company name, logo, and
other branding assets. Navigate to the System > Branding page to configure Branding feature
settings.
Quick Settings
Use the Quick Settings tab on the System > Branding page to specify global settings for
particular GUI elements. Any settings specified in this section take precedence over those
specified by deployed packages.
Text Preferences
The Contact Us URL is the email address or URL that appears as the “Contact Us” link at the
footer of each page. This field supports “http://”, “https://”, and “mailto:”. To change the Contact
Us URL, type the email address or URL in the field provided.
Click the Test Connectivity button to verify the email address or URL you specified is valid.
Image Preferences
The image preference files can all be modified by clicking the Choose File button or clicking
the Download icon. The Choose File option allows you to select a file from your local system.
The Download icon downloads the default Dell SonicWALL image file. Note that an error
message displays if you have uploaded an incorrect file type.
The following Image Preferences can be modified:
• Web Icon file—This field replaces the 4-bit Dell SonicWALL logo that appears in the
address bar of every Webpage across all browser platforms.
• Logon logotype file—This field replaces the logon, logout, and mini-logon generic bitmap
that displays the Dell SonicWALL challenge screen layout and design.
• Logon backdrop art file—This field replaces the logotype bitmap that appears upon every
challenge screen.
• Page logotype file—This field replaces the short version of the Dell SonicWALL logotype
that appears at the top of each webpage’s banner art.
• Page header art file—This field replaces the Dell SonicWALL banner art bitmap at the top
of each Webpage.
• Pop-up logotype file—This field replaces the smaller version of the Dell SonicWALL
logotype that appears at the top of each pop-up dialog’s page banner art.
• Pop-up header art file—This field replaces the smaller version of the Dell SonicWALL
banner art that appears at the top of each pop-up dialog page.
Junk Summary Preferences
The Junk Summary Preferences can all be modified by clicking the Choose File button or
clicking the Download icon. The Choose File option allows you to select a file from your local
system. The Download icon downloads the default Dell SonicWALL image file. Note that an
error message displays if you have uploaded an incorrect file type.
The following Junk Summary Preferences can be modified:
• Junk Summary logotype file—This field replaces the black-on-white logotype that always
appears at the top of each Junk Summary email.
• Junk Summary header art file—This field replaces the Junk Summary banner art bitmap
at the top of each page.
Click the Save button when you have finished modifying settings on the Quick Settings tab.
Packages
The Packages tab allows administrators to manage, upload, and apply branding packages to
their GUI. The Manage Packages table displays the available packages the administrator can
apply to the GUI, including the Dell SonicWALL brand package. Note that while this package
can never be deleted, administrators can edit or delete all other brand packages that have been
uploaded.
To upload a new package from the System > Branding page, navigate to the Packages tab
and click the Upload button under the Manage Packages section.
Certificates
The System > Certificates page allows administrators to configure settings specific to
certificates, including trusted certificate authentication and enabling secured access.
Settings
Choose between self-signing and using a trusted certificate authority and enter the
appropriate settings—Enter the Certificate Name (required) and a Passphrase for Private
Key (optional) in the available fields. Then, select one of the following:
• Enable secured access through a generic self-signed SSL certificate
• Enable secured access through a self-signed SSL certificate. You are then prompted
to enter the hostname to be used when generating this certificate.
• Use an existing certificate issued by a trusted authority such as Verisign or Thawte.
Upload the SSL Certificate and Key from your local drive by clicking the Choose File
button. Enter the Password in the field provided.
Click Apply when finished.
Generate CSR
If you do not have an existing certificate, navigate to the System > Certificates > Generate
CSR page. Fill out the form and click the Generate CSR button to submit a Certificate Signing
Request (CSR) for a trusted certificate to a trusted authority, such as Verisign or Thawte.
Configure
This screen allows you to view the Certificate Name, Type, and if it is SMTP or HTTPS. You
can click the View icon of a specific certificate to see the certificate details. Click the Download
icon to download the certificate to your local hard drive. Click the Delete icon to delete the
certificate from the Email Security system. Click the Apply button when you’re finished
configuring the settings on this page.
Note Certificates can be added to this page from the Certificates > Settings page.
Audit Trail
The Audit Trail feature, or Audit Log, on Email Security is a set of destination and source
records that tracks the actions performed on every email message that passes through
Email Security. This feature logs all the activity performed by users; the Global
Administrator can view and search these activities.
The Audit Trail feature includes information on any fields that may have been added, edited, or
deleted; search queries in the Junkbox and Auditing pages; and all View, Unjunk, Delete, Sent
Copy to, Download actions performed on messages in the Junkbox and Auditing pages.
To use Audit Trail, follow the procedures listed:
1. Navigate to the System > Audit Trail page.
2. Click the Settings button.
3. On the popup window that displays, click the On or Off button to Enable Audit Trail. This
enables auditing for both inbound and outbound email messages.
4. Specify how long to Keep auditing files for with the dropdown list. You can select between
1 day and 7 years.
5. Click the Apply button when finished.
Click the Export to CSV button to export a list of Messages Found. The list is downloaded to
your local system.
Diagnostics
The System > Diagnostics page allows the Administrator to run different diagnostic tests on
a specific SMTP Host or DNS Server.
The following Diagnostics Categories are available:
• Run SMTP Test for given Host or IP—Run an SMTP test for the SMTP Hostname/IP
specified in the respective field. Optionally, you may specify the Alternate DNS Server IP.
• Query DNS for given Host’s A record—Specify the Hostname/IP/Domain Name and
select this option to query the DNS server for the A record. Optionally, you may specify the
Alternate DNS Server IP.
• Query DNS for MX Record of the given Host—Specify the Hostname/IP/Domain Name
and select this option to query the DNS server for the MX record. Optionally, you may
specify the Alternate DNS Server IP.
• Query DNS for SPF Policy of the given Host—Specify the Hostname/IP/Domain Name
and select this option to query the DNS server for the SPF Policy. Optionally, you may
specify the Alternate DNS Server IP.
• Query DNS for DMARC Policy of the given Host—Specify the Hostname/IP/Domain
Name and select this option to query the DNS server for the DMARC Policy. Optionally, you
may specify the Alternate DNS Server IP.
• Query DNS for DKIM Policy of given Host—Specify the Hostname/IP/Domain Name
and select this option to query the DNS server for the DKIM Policy. Optionally, you may
specify the Alternate DNS Server IP.
• Ping the mentioned Host or IP—Ping the Host or IP specified in the
Hostname/IP/Domain Name field. Optionally, you may specify the Alternate DNS Server
IP.
• Telnet on a mentioned Host:Port—Specify the Hostname/IP:Port and select this option
to Telnet into the server.
Chapter 3
Anti-Spoofing
This chapter contains the following sections:
• Enabling Inbound SPF Validation
– SPF Hard Fail
– SPF Soft Fail
• Configuring Inbound DKIM Settings
• Configuring Inbound DMARC Settings
– DMARC Incoming Reports
• Configuring Outbound DKIM Settings
How Anti-Spoofing Works
The Anti-Spoofing page on your Dell SonicWALL Email Security solution allows you to enable
and configure settings to prevent illegitimate messages from entering your organization.
Spoofing consists of an attacker forging the source IP address of a message, making it seem
like the message came from a trusted host. By configuring SPF, DKIM, and DMARC settings,
your Email Security solution will run the proper validation and enforcement methods on all
incoming messages to your organization.
The Anti-Spoofing page works in an order of precedence, where rules set at the top of the page
are of a lower priority than rules set towards the bottom of the page. In general, a message will
be subjected to SPF, DKIM, and DMARC if all are enabled. The results from DKIM validation
will take precedence over the results from SPF validation, and DMARC validation results will
take precedence over DKIM validation results.
Enabling Inbound SPF Validation
The Anti-Spoofing > Inbound tab features SPF validation for inbound email messages.
Sender Policy Framework (SPF) is an email validation system designed to prevent email spam
by detecting email spoofing through verification of sender IP addresses. SPF records, which are
published in the DNS records, contain descriptions of the attributes of valid IP addresses. SPF
is then able to validate against these records whether a mail message was sent from an authorized
source. If a message does not originate from an authorized source, the message ‘fails.’ You
can configure the actions against messages that ‘fail.’
There are two types of SPF fails:
• SPF HardFail—The SPF has designated the host as NOT being allowed to send messages
and does not allow messages through to the recipient.
• SPF SoftFail—The SPF record has designated the host as NOT being allowed through to
the recipient.
To enable SPF, click the Enable SPF validation for incoming messages checkbox.
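The following Python sketch is an added example, not code from the Email Security product. It evaluates a sender IP against a published SPF record to show where the two fail types come from: under RFC 7208 a record ending in -all yields a hard fail and one ending in ~all yields a soft fail. The sample records and addresses are constructed, and only the ip4, ip6, and all mechanisms are evaluated so that the check runs without DNS.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208). "-" produces the hard fail and
# "~" the soft fail that the settings on this page act on.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records using documentation address ranges.
HARD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip against one SPF TXT record.

    Terms are evaluated left to right and the first match decides.
    Mechanisms that need DNS (a, mx, include, exists, ptr) and the
    redirect modifier return "unsupported" rather than being skipped,
    because skipping them could turn a pass into a fail.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        if term.lower().startswith("exp="):
            continue                       # explanation text, no effect on result
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            # An IPv4 network never matches an IPv6 sender, and vice versa.
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"

    return "neutral"                       # no mechanism matched, no "all"


if __name__ == "__main__":
    for record, ip in [(HARD_RECORD, "192.0.2.25"),
                       (HARD_RECORD, "198.51.100.7"),
                       (SOFT_RECORD, "198.51.100.7")]:
        print(ip, "->", evaluate_spf(record, ip))
```
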
SPF Hard Fail
With SPF Validation enabled for incoming messages, you can configure the following SPF Hard
Fail settings:
• Ignore allow lists—When a SPF hard fail occurs, mail messages from senders in the Allow
list are not sent through to the recipient. This feature is enabled by default.
• Action for messages marked as SPF Hard Fail—Select one of the following actions for
messages marked as SPF Hard Fail:
– No Action—No action is taken against messages marked as SPF hard fail.
– Permanently delete—Messages marked as SPF hard fail are permanently deleted.
– Reject with SMTP error code 550—Messages marked as SPF hard fail are rejected
with an SMTP error code 550.
– Store in Junk Box—Messages marked as SPF hard fail are stored in the Junk Box.
This is the recommended setting for most configurations.
– Send to [field]—Messages marked as SPF hard fail are sent to the user specified in
the available field. For example, you can send to [postmaster].
– Tag with [field] added to the subject—Messages marked as SPF hard fail are tagged
with a term in the subject line. For example, you may tag the messages [SPF Hard
Failed].
– Add X-Header: X-[field]:[field]—Messages marked as SPF hard failed add an
X-Header to the email with the key and value specified to the email message. The first
text field defines the X-Header. The second text field is the value of the X-Header. For
example, a header of type “X-EMSJudgedThisEmail” with value “spfhard” results in the
email header as: “X-EMSJudgedThisEmail:spfhard”.
• Add Domain—Click this button to add a domain and configure SPF hard fail-specific
settings for that domain.
SPF Soft Fail
With SPF Validation enabled for incoming messages, you can configure the following SPF Soft
Fail setting:
• Ignore allow lists—When a SPF soft fail occurs, mail messages from senders in the Allow
list are not sent through to the recipient. This feature is enabled by default.
Configuring Inbound DKIM Settings
DomainKeys Identified Mail (DKIM) uses a secure digital signature to verify that the sender of
a message is who it claims to be and that the contents of the message have not been altered
in transit. A valid DKIM signature is a strong indicator of a message’s authenticity, while an
invalid DKIM signature is a strong indicator that the sender is attempting to fake his identity. For
some commonly phished domains, the absence of a DKIM signature can also be a strong
indicator that the message is fraudulent. Users benefit from DKIM because it verifies legitimate
messages and protects against phishing. Remember that DKIM does not prevent spam; proper
measures should still be taken against fraudulent content.
To configure DKIM signature settings, navigate to the Anti-Spoofing > Inbound page and click
the Enable DKIM validation for incoming messages checkbox.
With DKIM validation enabled for incoming messages, you can configure the following settings:
• Ignore allow lists—When a DKIM Failure occurs, mail messages from senders in the Allow
list are not sent through to the recipient. This feature is enabled by default.
• Action for messages marked as DKIM signature failed—Select one of the following
actions for messages marked as DKIM signature failed:
– No Action—No action is taken against messages marked as DKIM signature failed.
– Permanently delete—Messages marked as DKIM signature failed are permanently
deleted.
– Reject with SMTP error code 550—Messages marked as DKIM signature failed are
rejected with an SMTP error code 550.
– Store in Junk Box—Messages marked as DKIM signature failed are stored in the Junk
Box. This is the recommended setting for most configurations.
– Send to [field]—Messages marked as DKIM signature failed are sent to the user
specified in the available field. For example, you can send to [postmaster].
– Tag with [field] added to the subject—Messages marked as DKIM signature failed
are tagged with a term in the subject line. For example, you may tag the messages
[DKIM Failed].
– Add X-Header: X-[field]:[field]—Messages marked as DKIM signature failed add an
X-Header to the email with the key and value specified to the email message. The first
text field defines the X-Header. The second text field is the value of the X-Header. For
example, a header of type “X-EMSJudgedThisEmail” with value “dkim” results in the
email header as: “X-EMSJudgedThisEmail:dkim”.
• Add Domain—Click to add a domain and configure DKIM fail-specific settings for that
domain. The following settings are configurable:
– Domains—List the domains to add, separating multiple domains with a comma.
– Ignore allow lists—When a SPF hard fail occurs, mail messages from senders in the
Allow list are not sent through to the recipient. This feature is enabled by default.
– Action for messages marked as DKIM signature failed—Select one of the following
actions for messages marked as DKIM signature failed:
    • No Action—No action is taken against messages marked as DKIM fail.
    • Permanently delete—Messages marked as DKIM fail are permanently deleted.
    • Reject with SMTP error code 550—Messages marked as DKIM fail are rejected
    with an SMTP error code 550.
    • Store in Junk Box—Messages marked as DKIM fail are stored in the Junk Box.
    This is the recommended setting for most configurations.
    • Send to [field]—Messages marked as DKIM fail are sent to the user specified in
    the available field. For example, you can send to [postmaster].
    • Tag with [field] added to the subject—Messages marked as DKIM fail are tagged
    with a term in the subject line. For example, you may tag the messages
    [DKIMFailed].
    • Add X-Header: X-[field]:[field]—Messages marked as DKIM failed add an
    X-Header to the email with the key and value specified to the email message. The first
    text field defines the X-Header. The second text field is the value of the X-Header.
    For example, a header of type “X-EMSJudgedThisEmail” with value “dkim” results
    in the email header as: “X-EMSJudgedThisEmail:dkim”.
– Domain required to have DKIM signature—By default, this feature is enabled, which
requires a DKIM signature for messages sent to the domain being added.
Configuring Inbound DMARC Settings
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a policy that
works in tandem with SPF and DKIM to fully authenticate incoming and outgoing email
messages. A DMARC policy allows a sender to indicate that his emails are protected by SPF
and/or DKIM, and also tells a receiver what to do if neither of those authentication methods
passes, such as junking or rejecting the message.
To configure DMARC settings, navigate to the Anti-Spoofing > Inbound page, and click the
Enable DMARC Policy Enforcement for incoming messages checkbox.
Note To use DMARC, you must also have DKIM and SPF enabled.
Configure the following settings for DMARC:
• Exclude these sender domains—Enter any sender domains (for example, sonicwall.com
or gmail.com) you want excluded from DMARC policy enforcement in the space provided.
Multiple domains can be entered, separated by a comma.
• Enable DMARC Outgoing Reports—By default, this feature is enabled when the “Enable
DMARC” checkbox is also enabled. Select the checkbox to disable the sending of DMARC
reports to outside domains.
Once DMARC is enabled, outgoing reports are automatically sent. The following settings can
be configured if you are attempting to override reporting attributes for a specific domain:
• Domain—Enter the domain name to send DMARC reports to. You have the option of using
‘*’ as a value for the domain field. A few considerations:
– A configuration created with the domain name * will be considered the default domain.
– If the domain is not provided, DMARC will use configuration settings from the * domain.
– If no * domain is added, then a hard-coded default value, such as postmaster@domain,
will be used as the Sender ID.
• Override DNS RUA Email Address—Click the checkbox to override reports being sent to
the RUA email address specified in the DNS record. An example from the DNS record is
‘rua=mailto:aggrep@yourcompany.com’.
• RUA Email Address—If you selected the Override DNS RUA Email Address, specify the
RUA Email Address you would like the reports sent to.
Note The RUA is the aggregated report for domains with published domain records. Reports are
sent daily.
DMARC Incoming Reports
You can configure DMARC Incoming Report settings by clicking the Add Domain button in the
DMARC Incoming Reports Settings section. DMARC Incoming Reports will be collected and
processed only for the domains added.
In the Add Domain window that displays, enter the following information:
• Domain—Enter the domain name to add for DMARC incoming reports.
• Override DNS RUA Email Address—Click the checkbox to override reports being sent to
the RUA email address specified in the DNS record. An example from the DNS record is
‘rua=mailto:aggrep@yourcompany.com’.
• RUA Email Address—If you selected the Override DNS RUA Email Address, specify the
RUA Email Address to which the reports are being sent.
Note The RUA is the aggregated report for domains with published domain records. Reports are
sent daily.
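The Python sketch below is an added example, not part of the Email Security product. It summarizes one incoming aggregate (RUA) report to show which sending sources failed DMARC for a monitored domain. It assumes the RFC 7489 aggregate report XML layout without an XML namespace; the sample report, addresses, and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (documentation IP ranges, no real data).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>yourcompany.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text, monitored_domains):
    """Summarize one aggregate report, or return None for other domains.

    Reports arrive from outside parties, so documents that declare a DTD
    or entities are refused before parsing.
    """
    lowered = xml_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)

    domain = (root.findtext("policy_published/domain") or "").strip().lower()
    if domain not in {d.lower() for d in monitored_domains}:
        return None                     # only process domains that were added

    total = 0
    failing = []
    for record in root.findall("record"):
        row = record.find("row")
        if row is None:
            continue
        count = int(row.findtext("count") or 0)
        dkim = (row.findtext("policy_evaluated/dkim") or "").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "").strip().lower()
        total += count
        # DMARC fails only when neither DKIM nor SPF produced an aligned pass.
        if dkim != "pass" and spf != "pass":
            failing.append((
                (row.findtext("source_ip") or "").strip(),
                count,
                (row.findtext("policy_evaluated/disposition") or "").strip(),
            ))
    failing.sort(key=lambda item: item[1], reverse=True)
    return {
        "domain": domain,
        "published_policy": (root.findtext("policy_published/p") or "").strip(),
        "messages": total,
        "failing_sources": failing,     # (source_ip, count, disposition)
    }


if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT, ["yourcompany.com"]))
```
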
Configuring Outbound DKIM Settings
Navigate to the Anti-Spoofing > Outbound tab to configure outbound DKIM settings.
To configure DKIM signature settings, click the Add Configuration button. The DKIM
Outbound Configuration page displays:
Configure the following settings:
• Domain—Enter the domain name.
• Identity of Signer—Enter an identity of the signer. Click the Same as domain checkbox
to use the specified Domain name as the Identity of Signer.
• Selector—Enter a value for the selector. The selector is used to differentiate between
multiple DKIM DNS records within the same organization (for example,
‘feb2014.domainkey.yourorganization.com’).
• List of Header fields for Signing—Click the Sign all standard headers button to include
all headers, or specify the headers in the designated field. Separate multiple headers with
a colon (for example, “from:to:subject”).
• Generate Key Pair—Specify the Key Size from the values in the drop down list, then click
the Generate Key Pair button. Copy and paste the Public Key into your DNS record. The
Private Key is simply for your own reference and should be stored on your local machine.
Click the Save button to finish. The signature will be added to the DKIM Signature
Configurations list.
Generating DNS Record
Once a domain has been successfully added to the Outbound DKIM Settings tab, you can
generate a DNS Record. Under the DNS Record column for the domain you want to generate
a record for, click the Generate button.
The Generate DNS Record page displays with the following settings:
• Domain—This field auto-populates with the Domain you entered when adding a new
configuration. This field cannot be edited.
• Selector—This field auto-populates with the Selector you entered when adding a new
configuration. This field cannot be edited.
• Public Key—This field populates with the Public Key for your DNS record. You can copy
and paste from this field.
• Domain is testing DKIM—Select the checkbox to enable testing DKIM for this domain.
• Subdomains required to have their own DKIM keys—Select the checkbox to enable the
requirement for all subdomains to have their own DKIM keys.
Click the Generate DNS Record button to save the settings and generate your DNS record.
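The Python sketch below is an added example, not the product's own record generator. It builds and reviews a DKIM key record as defined in RFC 6376, which places the record at <selector>._domainkey.<domain>. It assumes an RSA key and assumes that the two checkboxes above correspond to the RFC 6376 flags t=y (testing) and t=s (no subdomain use of the key); the key value is a constructed stand-in and all function names are hypothetical.

```python
import base64
import binascii

# Constructed stand-in for a public key: 294 arbitrary bytes, base64-encoded
# to 392 characters. It is NOT a usable key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(i % 251 for i in range(294))).decode()


def dkim_record_name(selector, domain):
    """DNS owner name of the key record: <selector>._domainkey.<domain>."""
    return f"{selector.strip('.')}._domainkey.{domain.strip('.')}".lower()


def build_dkim_txt(public_key_b64, testing=False, strict_subdomains=False):
    """Build the TXT value. Assumes an RSA key (k=rsa)."""
    key = "".join(public_key_b64.split())      # drop pasted line breaks
    try:
        base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("public key is not valid base64") from exc
    tags = ["v=DKIM1", "k=rsa"]
    flags = [f for f, on in (("y", testing), ("s", strict_subdomains)) if on]
    if flags:
        tags.append("t=" + ":".join(flags))
    tags.append("p=" + key)
    return "; ".join(tags)


def txt_chunks(value, size=255):
    """Split a TXT value into DNS character-strings of at most 255 bytes.

    A 2048-bit key does not fit in one string, so pasting it as a single
    quoted string is rejected or truncated by many DNS tools.
    """
    return [value[i:i + size] for i in range(0, len(value), size)]


def zone_file_line(selector, domain, value):
    quoted = " ".join('"%s"' % chunk for chunk in txt_chunks(value))
    return "%s. IN TXT ( %s )" % (dkim_record_name(selector, domain), quoted)


def review_dkim_txt(value):
    """Return findings for a published record (an empty list means none)."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        if not sep:
            return ["malformed-tag"]
        tags[name.strip()] = "".join(val.split())
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("wrong-version")
    if "p" not in tags:
        findings.append("missing-key")
    elif tags["p"] == "":
        findings.append("key-revoked")         # empty p= revokes the key
    if "y" in tags.get("t", "").split(":"):
        # Verifiers treat mail from a testing domain like unsigned mail.
        findings.append("testing-mode")
    return findings


if __name__ == "__main__":
    txt = build_dkim_txt(SAMPLE_KEY_B64, testing=True)
    print(zone_file_line("feb2014", "yourorganization.com", txt))
    print(review_dkim_txt(txt))
```

A record left in testing mode after rollout is worth flagging, because receivers then do not act on failed signatures for that domain.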
Using Outbound DKIM Settings
The Settings column of each domain listed in the Outbound DKIM Signature Configurations list
has the following icons:
• Edit—Click this icon to edit the DKIM Signature settings. Note that not all fields are
editable.
• Delete—Click this icon to delete the DKIM Signature.
• Download—Click this icon to download the Public Key for this DKIM Signature.
• Status—The status icon notifies you if the DKIM Signature is enabled (green icon) or
disabled (gray icon).
Chapter 4
Anti-Spam
This chapter contains the following sections:
• Managing Spam
• Default Spam Management
• Address Books
• Anti-Spam Aggressiveness
• Languages
• Black List Services (BLS)
• Spam Submissions
• Anti-Phishing
Managing Spam
Email Security uses multiple methods of detecting spam and other unwanted email. These
include using specific Allowed and Blocked lists of people, domains, and mailing lists, patterns
created by studying what other users mark as junk mail, and the ability to enable third-party
blocked lists.
Administrators can define multiple methods of identifying spam for your organization; users can
specify their individual preferences to a lesser extent. In addition, Email Security provides
updated lists and collaborative thumbprints to aid in identifying spam and junk messages.
Spam Identification
Email Security uses a multi-prong approach to identifying spam and other unwanted email. It is
useful to understand the general operation so you can build your lists appropriately.
When an email comes in, the sender of the email is checked against the various allowed and
blocked lists first, starting with the corporate list, then the recipient’s list, and finally the
Email Security-provided lists. If a specific sender is on the corporate blocked list but that same
sender is on a user’s allowed list, the message is blocked, as the corporate settings are a
higher priority than a user’s.
More detailed lists take precedence over the more general lists. For example, if a message is
received from aname@domain.com and your organization’s Blocked list includes domain.com
but a user’s Allowed list contains the specific email address aname@domain.com, the
message is not blocked because the sender’s full address is in an Allowed list.
After all the lists are checked, if the message has not been identified as junk based on the
Allowed and Blocked lists, Email Security analyzes messages’ headers and contents, and use
collaborative thumbprinting to block email that contains junk.
Default Spam Management
Use the Anti-Spam > Default Spam Management window to select options for dealing with
definite spam and likely spam. The default setting for definite spam and likely spam will
quarantine the message in the user’s junk box.
To manage messages marked as definite spam or likely spam, follow the procedures listed:
1. Choose one of the following responses for messages marked as Definite Spam and Likely
Spam:
Response: Effect
• No Action: No action is taken for messages.
• Permanently Delete: The email message is permanently deleted.
CAUTION: If you select this option, your organization risks losing
wanted email. Deleted email cannot be retrieved.
• Reject with SMTP error code 550: The message is rejected with a 550 error code, which
indicates the user’s mailbox was unavailable (for example, not found
or rejected for policy reasons).
• Store in Junk Box (default setting): The email message is stored in the Junk Box. It can be
unjunked by users and administrators with appropriate permissions.
This option is the recommended setting.
• Send to: Forward the email message for review to the specified email address.
For example, you could “Send To [postmaster]”.
• Tag With: The email is tagged with a term in the subject line, for example,
[SPAM]. Selecting this option leaves the user in control of the
email; the user can junk it if it is unwanted.
• Add X-Header: This option adds an X-Header with the specified key and value
to the email message. The first text field defines the X-Header. The second text field is the
value of the X-Header. For example, a header of type “X-EMSJudgedThisEmail” with value
“DefiniteSpam” results in the email header “X-EMSJudgedThisEmail:DefiniteSpam”.
2. Select the Accept Automated Allowed List checkbox to allow automated lists that are
created by User Profiles to prevent spam. With this feature enabled, User Profiles analyze
the recipients of emails from members of your organization and automatically add them
to Allowed Lists. This helps reduce false positives, which are good email messages
judged as junk. This feature can be configured globally, for particular groups, or for specific
users. Dell SonicWALL recommends enabling this feature.
Note: If this checkbox is unchecked in the Corporate, Group, or User windows, User
Profiles have no effect.
3. Select the Skip spam analysis for internal email checkbox to exclude internal emails
from spam analysis, which reduces the number of false positives. If you are routing
internal mail through the Email Security product, Dell SonicWALL recommends that you
enable this feature.
4. Select the Allow users to delete junk email checkbox to allow users to control the delete
button on individual junk boxes.
Note: Leave this checkbox unselected if you have an extended away / out of the office
message turned on so that your auto-reply does not automatically place all
recipients on your Allowed list.
5. Click Apply Changes to save.
Address Books
The Anti-Spam > Address Books page enables you to allow or block people, companies, or
mailing lists from sending you email. The page shows a compilation of allowed and blocked
senders from your organization’s lists and lists provided by default.
If you attempt to add your own email address or your organization’s domain, Email Security will
display a warning. A user’s email address is not automatically added to the allowed list because
spammers sometimes use a recipient’s own email address. Leaving the address off the allowed
list does not prevent users from emailing themselves, but their emails are evaluated to
determine if they are junk.
Using the Search Field
To search for an address, enter all or part of the email address in the Search field. For example,
entering sale displays sales@domain.com as well as forsale@domain.com. Narrow your
search by selecting the People, Companies, or Lists checkbox(es) below the Search field.
Click Go to perform the search.
Adding People, Companies, or Lists
To add People, Companies, or Lists to the Allowed or Blocked lists, follow the procedures listed
below:
1. From the Anti-Spam > Address Books page, click the Allowed or Blocked tab.
2. Click the Add button.
3. Select the list type (People, Companies, Lists) from the dropdown menu. Enter one or
more email addresses, separated by carriage returns, to add to the chosen list. Then, click
Add to complete.
When adding addresses, consider the following:
• You cannot put an address in both the Allowed and Blocked list simultaneously. If you add
an address in one list that already exists on the other, it is removed from the first one.
• Email Security will warn you if you attempt to add your own email address or your own
organization.
• Email addresses are not case-sensitive; Email Security converts the address to lowercase.
• You can allow and block email messages from entire domains. If you do business with
certain domains regularly, you can add the domain to the Allowed list; Email Security allows
all users from that domain to send email. Similarly, if you have a domain you want to block,
enter it here and all users from that domain are blocked.
• Email Security does not support adding top-level domain names such as .gov or .abc to
the Allowed and Blocked lists.
• Mailing list email messages are handled differently than individuals and domains because
Email Security looks at the recipient’s address rather than the sender’s. Because many
mailing list messages appear spam-like, entering mailing list addresses prevents
misclassified messages.
Deleting People, Companies, or Lists
To delete people, companies, or lists from your Address Books, complete the following:
1. From the Anti-Spam > Address Books page, click the Allowed or Blocked tab.
2. Select the checkbox next to the address(es) you want to delete.
3. Click the Delete button.
Import Address Book
You can also import an address book of multiple addresses. Note that users and secondary
domains should be added prior to importing their respective address books.
The Address Book file for import must follow specific formatting to ensure successful importing:
<TAB> delimiter between data
<CR> to separate entries
Each address book entry must include each of the following:
• Identifier—Specified as <email address / primary domain>
• Domain / List / Email—Specified as D / L / E
• Allowed / Blocked—Specified as A / B
• Address List—Specified as abc@domain.com, example.com
See the following examples:
EmailID<TAB>E<TAB>A<TAB>email1@company.com,email2@company.com<CR>
Domain<TAB>L<TAB>B<TAB>list1@company.com,list2@company.com<CR>
To import Address Books, follow the procedures listed:
1. From the Anti-Spam > Address Books page, click the Import button on either the Allowed
or Blocked tabs.
2. Click the Choose File button. Select the correct file from your system.
3. Click the Import button.
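A pre-import check for an address book file can catch format mistakes before the file is uploaded. The Python sketch below is an added example, not a Dell SonicWALL tool: it parses the TAB-delimited format described above, lowercases addresses, rejects bare top-level domains, and warns about own-domain entries and addresses listed as both allowed and blocked. The function names, the sample file, and the strict treatment of the D / L / E and A / B codes as uppercase are assumptions.

```python
import re
from typing import NamedTuple

KINDS = {"D": "domain", "L": "list", "E": "email"}
TARGETS = {"A": "allowed", "B": "blocked"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Two or more labels are required, so a bare top-level name such as ".gov" fails.
DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
LOCAL_RE = re.compile(r"[a-z0-9.!#$%&'*+/=?^_`{|}~-]+")


class Entry(NamedTuple):
    line: int
    identifier: str
    kind: str
    target: str
    addresses: tuple


def is_domain(value):
    return DOMAIN_RE.fullmatch(value) is not None


def is_email(value):
    local, at, domain = value.rpartition("@")
    return bool(at) and LOCAL_RE.fullmatch(local) is not None and is_domain(domain)


def parse_address_book(text, own_domains=()):
    """Return (entries, problems); each problem is (line, severity, message)."""
    own = {d.lower() for d in own_domains}
    entries, problems, seen = [], [], {}
    # splitlines() accepts <CR>, <LF> and <CR><LF> as entry separators.
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("\t")]
        if len(fields) != 4:
            problems.append((lineno, "error",
                             f"expected 4 TAB-separated fields, found {len(fields)}"))
            continue
        identifier, kind, target, addr_list = fields
        identifier = identifier.lower()
        before = len(problems)
        if not (is_email(identifier) or is_domain(identifier)):
            problems.append((lineno, "error", f"bad identifier {identifier!r}"))
        if kind not in KINDS:
            problems.append((lineno, "error", f"type {kind!r} is not D, L or E"))
        if target not in TARGETS:
            problems.append((lineno, "error", f"list {target!r} is not A or B"))
        addresses = tuple(a.strip().lower() for a in addr_list.split(",") if a.strip())
        if not addresses:
            problems.append((lineno, "error", "address list is empty"))
        for addr in addresses:
            valid = is_domain(addr) if kind == "D" else is_email(addr)
            if kind in KINDS and not valid:
                problems.append((lineno, "error",
                                 f"{addr!r} is not a valid {KINDS[kind]} entry"))
        if len(problems) > before:
            continue  # skip entries that have at least one error
        for addr in addresses:
            if addr.rpartition("@")[2] in own:
                problems.append((lineno, "warning",
                                 f"{addr!r} belongs to your own organization"))
            previous = seen.get((identifier, addr))
            if previous and previous[0] != target:
                problems.append((lineno, "warning",
                                 f"{addr!r} is also {TARGETS[previous[0]]} on line {previous[1]}"))
            seen[(identifier, addr)] = (target, lineno)
        entries.append(Entry(lineno, identifier, KINDS[kind], TARGETS[target], addresses))
    return entries, problems


# Constructed sample file: <TAB> between fields, <CR> between entries.
SAMPLE = (
    "alice@example.com\tE\tA\tPartner@Vendor.example,alice@example.com\r"
    "example.com\tD\tB\tbadsender.example,.gov\r"
    "example.com\tL\tA\tnews@lists.vendor.example\r"
    "alice@example.com\tE\tB\tpartner@vendor.example\r"
    "example.com\tE\tX\tcarol@example.com\r"
    "broken line without tabs\r"
)

if __name__ == "__main__":
    parsed, issues = parse_address_book(SAMPLE, own_domains=["example.com"])
    for issue in issues:
        print("line %d %s: %s" % issue)
    print(len(parsed), "entries ready to import")
```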
Anti-Spam Aggressiveness
The Anti-Spam > Anti-Spam Aggressiveness page allows you to tailor the Email Security
product to your organization’s preferences. Configuring this window is optional.
Email Security recommends using the default setting of Medium unless you require different
settings for specific types of spam blocking. This section includes the following subsections:
• Configuring GRID Network Aggressiveness on page 95
• Configuring Adversarial Bayesian Aggressiveness Settings on page 95
• Unjunking Spam on page 96
• Determining Amounts and Types of Spam on page 96
• Languages on page 96
Configuring GRID Network Aggressiveness
The GRID Network Aggressiveness technique determines the degree to which you want to use
the collaborative database. Email Security maintains a database of junk mail identified by the
entire user community. You can customize the level of community input on your corporate spam
blocking. Selecting a stronger setting makes Email Security more responsive to
other users who mark a message as spam.
Use the following settings to specify how stringently Email Security evaluates messages:
• If you choose Mildest, you will receive a large amount of questionable email in your
mailbox. This is the lightest level of Anti-Spam Aggressiveness.
• If you choose Mild, you are likely to receive more questionable email in your mailbox and
receive less email in the Junk Box. This can cause you to spend more time weeding through
unwanted email from your personal mailbox.
• If you choose Medium, you accept Email Security’s spam-blocking evaluation.
• If you choose Strong, Email Security rules out greater amounts of spam for you. This can
create a slightly higher probability of good email messages in your Junk Box.
• If you choose Strongest, Email Security heavily filters out spam. This creates an even
higher probability of good email messages in your Junk Box.
Configuring Adversarial Bayesian Aggressiveness Settings
The Adversarial Bayesian technique refers to Email Security’s statistical engine that analyzes
messages for many of the spam characteristics. This is the high-level setting for the Rules
portion of spam blocking and lets you choose where you want to be in the continuum of choice
and volume of email. This setting determines the threshold for how likely an email message is
to be identified as junk email.
Use the following settings to specify how stringently Email Security evaluates messages:
• If you choose Mildest, you will receive a large amount of questionable email in your
mailbox. This is the lightest level of Anti-Spam Aggressiveness.
• If you choose Mild, you are likely to receive more questionable email in your mailbox and
receive less email in the Junk Box. This can cause you to spend more time weeding through
unwanted email from your personal mailbox.
• If you choose Medium, you accept Email Security’s spam-blocking evaluation.
• If you choose Strong, Email Security rules out greater amounts of spam for you. This can
create a slightly higher probability of good email messages in your Junk Box.
• If you choose Strongest, Email Security heavily filters out spam. This creates an even
higher probability of good email messages in your Junk Box.
Unjunking Spam
Select the Allow users to unjunk spam checkbox if you want to enable users to unjunk spam
messages. If unchecked, users cannot unjunk any spam messages.
Determining Amounts and Types of Spam
You can determine how aggressively to block particular types of spam, including sexual
content, offensive language, get rich quick, gambling, advertisements, and images.
For each of the aforementioned types of spam:
• Choose Mildest to be able to view most of the emails that contain terms that relate to these
topics.
• Choose Mild to be able to view email that contains terms that relate to these topics.
• Choose Medium to cause Email Security to tag this email as likely junk.
• Choose Strong to make it more likely that email with this content is junked.
• Choose Strongest to make it certain that email with this content is junked.
For example, the administrator has determined that they want to receive no email with sexual
content by selecting Strong. They are less concerned about receiving advertisements, and
selected Mild. You can also select the Allow Unjunk checkbox to allow users to unjunk specific
flavors of spam.
Languages
From the Anti-Spam > Languages page, you can allow, block, or enter no opinion on email
messages in various languages. If you select No opinion, Email Security judges the content of
the email message based on the modules that are installed. After configuring Language
settings, click the Apply Changes button.
Note: Some spam email messages are seen in English with a background encoded in different
character sets such as Cyrillic, Baltic, or Turkish. This is done by spammers to bypass the
anti-spam mechanism that only scans for words in English. In general, unless used, it is
recommended to exclude these character sets. Common languages such as Spanish and
German are normally not blocked.
Black List Services (BLS)
Public and subscription-based black list services, such as the Mail Abuse Prevention System
(MAPS), Real-time Blackhole List (RBL), Relay Spam Stopper (RSS), Open Relay
Behavior-modification Systems (ORBS) and others, are regularly updated with domain names and IP
addresses of known spammers. Email Security can be configured from the Anti-Spam > Black
List Services page to query these lists and identify spam originating from any of their known
spam addresses.
Note: Email Security performance may vary if you add Black List Services because each email is
placed on hold while the BLS service is queried.
Adding to the Black List
Click Add and enter the server name of the black list service, for example list.dsbl.org.
Each black list service is automatically enabled when added.
Email that Arrives from Sources on the Black Lists Services
Select the Treat all email that arrives from sources on Black List Services as Likely Spam
checkbox to prevent users from receiving messages from known spammers. If you select this
checkbox, you will be warned that enabling this feature increases the risk of false positives, and
you may not receive some legitimate email.
Spam Submissions
The Anti-Spam > Spam Submissions page allows you to manage email that is miscategorized
and to create probe accounts to collect spam and catch malicious hackers. Managing
miscategorized email and creating probe accounts increases the efficiency of Email Security’s
spam management. This page enables administrators and users to forward the following
miscategorized email messages to their IT groups, create probe accounts, and accept
automated allowed lists to prevent spam.
Managing Spam Submissions
To manage spam submissions, navigate to the Anti-Spam > Spam Submissions page. Then,
follow the procedures listed:
1. Enter an Email address for Submitting Missed Spam in the text field. For example, you
might address all missed spam email to
mailto:submitmissedspam@your_domain.com.
2. Enter an email address in Submitting Junked Good Mail in the text field. For example,
you might address all misplaced good email to
mailto:submitgood@your_domain.com.
3. Establish one or more Probe Email Accounts.
Enter the email address of an account you want to use to collect junk email. The email
address does not have to be in LDAP, but it does have to be an email address that is routed
to your organization and passes through Email Security. For example, you might create a
probe email account with the address
mailto:probeaccount1@your_domain.com.
Warning: A probe account should NOT contain an email address that is used for any purpose other
than collecting junk email. If you enter an email address that is in use, the owner of that
email address will never receive another email - good or junk - again, because all email sent
to that address will be redirected to the Dell SonicWALL corporation’s data center.
4. Click the Apply Changes button.
Probe Accounts
Probe accounts are accounts that are established on the Internet for the sole purpose of
collecting spam and tracking hackers. Email Security suggests that you use the name of a past
employee as the name in a probe account, for example, fredjones@example.com.
Configure the Probe Email Account fields to allow any email sent to your organization to
create fictitious email accounts from which mail is sent directly to SonicWALL, Inc. for analysis.
Adding this junk email to the set of junk email messages that the Email Security blocks
enhances spam protection for your organization and other users. If you configure probe
accounts, the contents of the email will be sent to Dell SonicWALL for analysis.
Managing Miscategorized Messages
The following happens when an email message is miscategorized:
• For false negatives, Email Security adds the sender address of the junked email to the
user’s Blocked List so that future email messages from this sender are blocked. (The
original sender is blacklisted for the original recipient.)
• For false positives, Email Security adds the addresses of good email senders that were
unjunked to the user’s Allowed List. (The original sender is whitelisted for the original
recipient.) If the sender email is the user’s own email address, the address is not added to
the allowed list, because spammers send email pretending to be from the user. Email sent
to and from the same address will always be evaluated to determine if it is junk.
• These messages are sent to the global collaborative database. Good mail that was
unjunked is analyzed to determine why it was categorized as junk.
Forwarding Miscategorized Email to Email Security
You must set up your email system so that email messages sent to
this_is_spam@es.your_domain.com and not_spam@es.your_domain.com pass
through Email Security.
Note: The email addressed to not_spam@es.your_domain.com and
this_is_spam@es.your_domain.com must pass through the Email Security system so
that it can be analyzed. The same domain as the domain that is used to forward emails to.
Using a domain that does not route, such as “fixit.please.com”, is recommended.
Configuring Submit-Junk and Submit-Good Email Accounts
Mail is considered miscategorized if Email Security puts wanted (good) email in the Junk Box
or if Email Security delivers unwanted email in the user’s inbox. If a user receives a
miscategorized email, they can update their personal Allowed list and Blocked list to customize
their email filtering effectiveness. This system is similar to the benefits of running MailFrontier
Desktop in conjunction with Email Security, and clicking Junk or Unjunk messages, but does
not require Email Security Desktop to be installed.
The email administrator can define two email addresses within the appropriate configuration
page in Email Security, such as this_is_spam@es.your_domain.com and
not_spam@es.your_domain.com. As Email Security receives email sent to these
addresses, it finds the original email, and appropriately updates the user’s personal Allowed
and Blocked list.
Note: Users must forward their miscategorized email directly to these addresses after you define
them so that the Email Security system can learn about miscategorized messages.
Problem with Forwarding Miscategorized Email
A problem can arise if the user sends an email to this_is_spam@es.your_domain.com,
and the local mail server (Exchange, Notes, or other mail server) is authoritative for this email
domain, and does not forward it to the Email Security system. There are a few ways around this
problem; the most common solution is included below as an example.
To forward the missed email to Email Security for analysis, follow the procedures listed:
1. Add the this_is_spam and not_spam email addresses as
this_is_spam@es.your_domain.com and not_spam@es.your_domain.com into
the Email Security Junk Submission text field.
Note: Create an A and an MX record in your internal DNS that resolves es.your_domain.com
to your Email Security server's IP address.
2. Tell users to forward mail to this_is_spam@ES.your_domain.com or
not_spam@ES.your_domain.com. The mail goes directly to the Email Security servers.
Anti-Phishing
Email Security’s Anti-Spam, Anti-Phishing > Anti-Phishing feature allows you to protect your
organization against email containing fraudulent content. There are two audiences for fraud:
the consumer and enterprise users. Email Security focuses on preventing fraud that enters the
enterprise via email. Email is an entry point for malicious hackers.
What is Enterprise Phishing?
There are numerous types of enterprise phishing:
• Consumer phishers try to con users into revealing personal information such as social
security numbers, bank account information, credit card numbers, and driver’s license
identification. This is known as identity theft. Recouping from having a phisher steal your
identity can take many hours and can cost consumers many dollars. Being phished can
bring your life to a virtual standstill as you contact credit card companies, banks, state
agencies, and others to regain your identity.
• Enterprise phishers attempt to trick users into revealing the organization’s confidential
information. This can cost thousands of executive and legal team hours and dollars. An
organization’s electronic-information life can stop abruptly if hackers deny services, disrupt
email, or infiltrate sensitive databases.
Phishing aimed at the IT group in the organization can take the following forms:
• Email that appears to be from an enterprise service provider, such as a DNS server, can
cause your organization’s network to virtually disappear from the Web.
• Hacking into your web site can cause it to be shut down, altered, or defaced.
• Email might request passwords to highly sensitive databases, such as Human Resources
or strategic marketing information. The email might take the form of bogus preventive
maintenance.
• Other information inside the organization’s firewall, such as Directory Harvest Attacks
(DHA) to monitor your users.
Phishing can also take the form of malicious hackers spoofing your organization. Email
that appears to come from your organization can damage your community image and hurt your
customers in the following ways:
• Spoofed email can ask customers to confirm their personal information.
• Spoofed email can ask customers to download new software releases, which are bogus
and infected with viruses.
Preventing Phishing
As with spam, Dell SonicWALL Email Security uses multiple methods of detecting phishing:
• Divergence Detection ensures that all contact points are consistent and legitimate. Contact
points include email addresses, URLs, phone numbers, and physical addresses.
• Sender ID tests if the source of an email has permission to send email for that domain.
Many Internet domains publish the list of IP addresses that are authorized to send email on
their behalf. If the source IP address of an email is not on the domain’s list of authorized
addresses, Sender ID suggests that the message may be a forgery. Email Security factors
Sender ID pass or fail into its junk algorithm, which can be enabled on the Anti-Spam,
Anti-Phishing > Anti-Phishing page.
• Domain Keys Identified Mail (DKIM) uses a secure digital signature to verify that the sender of
a message is who it claims to be and that the contents of the message have not been
altered in transit. A valid DKIM signature is a strong indicator of a message’s authenticity,
while an invalid DKIM signature is a strong indicator that the sender is attempting to fake
his identity. For some commonly phished domains, the absence of a DKIM signature can
also be a strong indicator that the message is fraudulent.
Configuring Phishing Protection
To configure your Email Security system to screen for phishing, navigate to the Anti-Spam,
Anti-Phishing > Anti-Phishing page, then follow the procedures listed:
1. Click the radio button to choose which action to take for messages identified as Definite
Phishing.
2. Click the radio button to choose which action to take for messages that contain Likely
Phishing.
3. Select the Allow users to unjunk phishing messages checkbox if you want to allow users
to unjunk fraudulent messages.
4. To send copies of fraudulent email messages to a person or people designated to deal with
them, enter the recipients’ email addresses in the Send copies of emails containing
phishing attacks to the following email addresses text box.
5. Click Apply Changes.
Using Email Security’s Community to Alert Others
Phishing is continuously evolving and adapting to weaknesses in the organization’s network.
Malicious hackers use any known weakness to infiltrate the corporate firewall. Email Security
has tuned and enhanced their spam-management techniques to prevent phishing.
Email Security also collects incidences of phishing and summarizes the email addresses, text,
phone numbers, and domains of phishing perpetrators in a database, which stores the
thumbprints of the phishing message.
Report Phishing and Other Enterprise Fraud
Email Security alerts organizations to phishing attacks and asks you to report fraudulent
email messages to mailto:fraud@sonicwall.com. Reporting phishing enables Email Security to
alert other users to the phishing attacks you experienced.
Domain Keys Identified Mail (DKIM)
Dell SonicWALL Email Security supports Domain Keys Identified Mail (DKIM) verification of
inbound email messages. With the DKIM verification feature, the recipient is able to identify the
domain name associated with the sender by validating the DKIM signature in the message. Mail
messages are filtered based on three parameters: if the message is DKIM signed, if DKIM
verification is successful, and if DKIM is strictly enforced for the domain. After Email Security
completes the verification of a message, the results are written into the Junk Summary, as well
as in the SMTP X header of the mail message.
Users benefit from DKIM because it verifies legitimate messages and protects against
phishing. Remember that DKIM does not prevent spam—proper measures should still be taken
against fraudulent content. Dell SonicWALL recommends that DKIM typically not be configured
with overly aggressive settings. However, with some domains, such as paypal.com, aggressive
DKIM settings may be useful to stop phishing. The recommended setting is to store email
messages with invalid DKIM signatures in the Junk Box. See the table below for descriptions
of each setting.
To configure settings for the DKIM feature, navigate to the Anti-Spam, Anti-Phishing >
Anti-Phishing page. Then, scroll to the DKIM Settings and select the action for an invalid DKIM
signature:
Action: Effect
• DKIM blocking off (deliver messages to recipients): This is the default setting. All messages
are delivered to the recipients.
• Permanently Delete: The email message is permanently deleted.
CAUTION: If you select this option, your organization risks losing
wanted email.
• Bounce Back to Sender: The message is returned to sender with a message indicating that
it was not deliverable.
• Store in Junk Box (recommended for most configurations): The email message is stored in
the Junk Box. It can be unjunked by users and administrators with appropriate permissions.
This option is the recommended setting.
• Send To: Enter the email address of the person to receive this email.
• Tag With: This email is tagged with a term in the subject line, for example,
[DKIM Failed]. Selecting this option leaves the user in control
of the email; the user can junk it if it is unwanted.
• Add X-Header: This option adds an X-Header with the specified key and value
to the email message. The first text field defines the X-Header. The second text field is the
value of the X-Header. For example, a header of type “X-EMSJudgedThisEmail” with value
“fraud” results in the email header “X-EMSJudgedThisEmail:fraud”.
You can also add domains to the list of Enforced DKIM domains, which are domains required
to have a DKIM signature. In the DKIM Settings section, click the Add Domain button. In the
dialog box that appears, enter the Domains to enforce the DKIM feature and specify the Action
for invalid DKIM Signature. Click Save when finished.
Chapter 5
Anti-Phishing
Email Security’s Anti-Phishing page allows you to protect your organization against email
containing fraudulent content. There are two audiences for fraud: the consumer and enterprise
users. Email Security focuses on preventing fraud that enters the enterprise via email. Email is
an entry point for malicious hackers.
This chapter contains the following sections:
• What is Enterprise Phishing? on page 105
• Preventing Phishing on page 106
• Configuring Phishing Protection on page 106
What is Enterprise Phishing?
There are numerous types of enterprise phishing:
• Consumer phishers try to con users into revealing personal information such as social
security numbers, bank account information, credit card numbers, and driver’s license
identification. This is known as identity theft. Recouping from having a phisher steal your
identity can take many hours and can cost consumers many dollars. Being phished can
bring your life to a virtual standstill as you contact credit card companies, banks, state
agencies, and others to regain your identity.
• Enterprise phishers attempt to trick users into revealing the organization’s confidential
information. This can cost thousands of executive and legal team hours and dollars. An
organization’s electronic-information life can stop abruptly if hackers deny services, disrupt
email, or infiltrate sensitive databases.
Phishing aimed at the IT group in the organization can take the following forms:
• Email that appears to be from an enterprise service provider, such as a DNS server, can
cause your organization’s network to virtually disappear from the Web.
• Hacking into your web site can cause it to be shut down, altered, or defaced.
• Email might request passwords to highly sensitive databases, such as Human Resources
or strategic marketing information. The email might take the form of bogus preventive
maintenance.
• Other information inside the organization’s firewall, such as Directory Harvest Attacks
(DHA) to monitor your users.
Phishing can also take the form of malicious hackers spoofing your organization. Email
that appears to come from your organization can damage your community image and hurt your
customers in the following ways:
• Spoofed email can ask customers to confirm their personal information.
• Spoofed email can ask customers to download new software releases, which are bogus
and infected with viruses.
Preventing Phishing
As with spam, Dell SonicWALL Email Security uses multiple methods of detecting phishing:
• Divergence Detection ensures that all contact points are consistent and legitimate. Contact
points include email addresses, URLs, phone numbers, and physical addresses.
• Sender ID tests if the source of an email has permission to send email for that domain.
Many Internet domains publish the list of IP addresses that are authorized to send email on
their behalf. If the source IP address of an email is not on the domain’s list of authorized
addresses, Sender ID suggests that the message may be a forgery. Email Security factors
Sender ID pass or fail into its junk algorithm, which can be enabled on the Anti-Phishing
page.
• Domain Keys Identified Mail (DKIM) uses a secure digital signature to verify that the sender of
a message is who it claims to be and that the contents of the message have not been
altered in transit. A valid DKIM signature is a strong indicator of a message’s authenticity,
while an invalid DKIM signature is a strong indicator that the sender is attempting to fake
his identity. For some commonly phished domains, the absence of a DKIM signature can
also be a strong indicator that the message is fraudulent.
Phishing is continuously evolving and adapting to weaknesses in the organization’s network.
Malicious hackers use any known weakness to infiltrate the corporate firewall. Email Security
has tuned and enhanced their spam-management techniques to prevent phishing.
Email Security also collects incidences of phishing and summarizes the email addresses, text,
phone numbers, and domains of phishing perpetrators in a database, which stores the
thumbprints of the phishing message.
Email Security alerts organizations to phishing attacks and asks you to report fraudulent
email messages to mailto:fraud@sonicwall.com. Reporting phishing enables Email Security to
alert other users to the phishing attacks you experienced.
Configuring Phishing Protection
To configure your Email Security system to screen for phishing, navigate to the Anti-Phishing
page, then follow the procedures listed:
1. Under the Action Settings section, click the radio button to choose which action to take for
messages identified as Definite Phishing and messages identified as Likely Phishing:

| Response | Effect |
|---|---|
| No Action | No action is taken for messages. |
| Permanently Delete | The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved. |
| Reject with SMTP error code 550 | The message is rejected with a 550 error code, which indicates the user’s mailbox was unavailable (for example, not found or rejected for policy reasons). |
| Store in Junk Box (default setting) | The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting. |
| Send to | Forward the email message for review to the specified email address. For example, you could “Send To [postmaster]”. |
| Tag With | The email is tagged with a term in the subject line, for example, [PHISHING] or [LIKELY PHISHING]. Selecting this option leaves the user in control of the email; the user can junk it if it is unwanted. |
| Add X-Header | This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type “X-EMSJudgedThisEmail” with value “Fraud” results in the email header “X-EMSJudgedThisEmail:Fraud”. This option does not take protective action against the email. |
2. Under the Miscellaneous section, select the Allow users to unjunk phishing messages
checkbox if you want to allow users to unjunk fraudulent messages.
3. To send copies of fraudulent email messages to a person or people designated to deal with
them, enter the recipients’ email addresses in the Send copies of emails containing
phishing attacks to the following email addresses text box.
4. Click Apply Changes.
Chapter 6
Anti-Virus
Dell SonicWALL Email Security’s Anti-Virus techniques protect your organization from inbound
email-borne viruses and prevent your employees from sending viruses with outbound email.
Once Dell SonicWALL Email Security has identified the email message or attachment that
contains a virus or is likely to contain a virus, you choose how to manage the virus-infected
email. Optional virus-protection modules for the entire organization are available.
This chapter includes the following sections:
• How Virus Checking Works
• Configuring Anti-Virus Protection
• Configuring Flood Protection
How Virus Checking Works
The Anti-Virus modules use virus-detection engines to scan email messages and attachments
for viruses, Trojan horses, worms, and other types of malicious content. The virus-detection
engines receive periodic updates to keep them current with the latest definitions of viruses.
Dell SonicWALL Email Security supports McAfee® and Kaspersky virus-detection engines.
You can choose to buy and deploy one or both virus-detection engines supported by
Email Security. Messages determined to be dangerous by the McAfee or Kaspersky engine are
categorized as Viruses. Dell SonicWALL Email Security also supports the Dell SonicWALL
GRID antivirus automatically. GRID virus-detection works with the McAfee and Kaspersky
virus-detection engines to improve your protection from virus payloads.
When any one of the virus-detection engines is activated, you also get the benefit of
Dell SonicWALL Email Security’s Time Zero Virus Technology. This technology uses heuristic
statistical methodology and virus outbreak responsive techniques to determine the probability
that a message contains a virus. If the probability meets certain levels, the message is
categorized as Likely Virus. This technology complements the virus-detection engines, and
enabling it provides the greatest protection against time zero viruses, that is, during the first
hours after a virus is released, when major anti-virus companies have not yet modified their
virus definitions to catch it.
Configuring Anti-Virus Protection
To configure Anti-Virus protection, follow the procedures listed:
1. Navigate to the Anti-Virus page of your Email Security solution.
If you have licensed more than one virus-detection engine, they will all work in tandem.
Licensed virus-detection engines can be used on both inbound and outbound paths. Be
sure to select the Inbound or Outbound tab to configure settings for the correct path.
2. Determine how to treat email messages that contain Definite Viruses or Likely Viruses
and select the action to take. The following table describes the available actions:

| Response | Effect |
|---|---|
| No Action | No action is taken for messages. |
| Permanently Delete | The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved. |
| Reject with SMTP error code 550 | The message is rejected with a 550 error code, which indicates the user’s mailbox was unavailable (for example, not found or rejected for policy reasons). |
| Store in Junk Box (default setting) | The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting. |
| Send to | Forward the email message for review to the specified email address. For example, you could “Send To [postmaster]”. |
| Tag With | The email is tagged with a term in the subject line, for example, [VIRUS]. Selecting this option leaves the user in control of the email; the user can junk it if it is unwanted. |
| Add X-Header | This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type “X-EMSJudgedThisEmail” with value “Virus” results in the email header “X-EMSJudgedThisEmail:Virus”. This option does not take protective action against the email. |

3. In the Miscellaneous section, select the Allow Users to Unjunk Viruses checkbox to allow
users to view messages with viruses from Junk Box. The virus is removed before the user
accesses the message. This setting allows both Viruses and Likely Viruses to be unjunked.
4. Click Apply Changes.
Checking for Updates
To determine how frequently you want to check for virus definition updates, follow the
procedures listed:
1. Click System > Updates. The Updates window appears.
2. Choose a time interval from the dropdown list adjacent to Check for Spam, Phishing, and
Virus Blocking Updates. You can select every 5 minutes to every 2 hours.
3. Click the Apply Changes button.
Configuring Zombie and Spyware Protection
Unauthorized software may be running on a computer within your organization and sending out
junk email messages such as spam, phishing, viruses, or other unauthorized content. This
scenario could happen if your organization was subjected to a Trojan attack, or if a
user downloaded something from the web and unauthorized software was installed without
the user’s knowledge. These unauthorized software programs that send out malicious content are
called Zombies or Spyware.
Dell SonicWALL Email Security's Zombie and Spyware Protection technology brings the
same high standard of threat protection available on the inbound email path to email messages
leaving your organization through the outbound path.
To enable Zombie and Spyware Protection:
1. Navigate to the Anti-Virus page, and click on the Outbound tab.
2. Select the box Enable Zombie and Spyware Protection.
3. Use the Monitoring for Zombie and Spyware Activity section to configure several alerts
to notify the administrator. The following alerts can be sent:
– Email is sent from an address not in LDAP
– More than (specify number) messages are identified as possible threats (within the
last hour)
– More than (specify number) messages are sent by one user within the last hour
The following table describes the available Action and Miscellaneous Settings for the Zombie
Protection feature:

| Action | Description |
|---|---|
| Action for messages leaving your organization that are identified as spam, phishing attacks, or other threats | Select one of the following settings: Allow Delivery—Allows the delivery of the message without interference. Permanently Delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved. Store in Junk Box—Stores messages with potential threats in the outbound Junk Box. |
| Action for messages leaving your organization in which the “From” address is not in LDAP | Select one of the following settings: Allow any “From” address—Allows messages from all email addresses. Note that this is the only option you are able to use if you have not configured LDAP. Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved. Store in Junk Box—Stores messages from unknown senders in the Junk Box. |
| Activate/Deactivate Outbound Safe Mode preventing any dangerous attachments from leaving your organization | Outbound Safe Mode blocks all emails with potentially dangerous attachments from leaving your organization. When there is a new virus outbreak and one or more of your organization’s computers is affected, the virus can often propagate itself using your outbound email traffic. Outbound Safe Mode also minimizes the possibility of new virus outbreaks spreading through your outbound email traffic. Select the Safe Mode is on checkbox to enable the Outbound Safe Mode feature. |
| When Outbound Safe Mode is on, take this action for any message with dangerous attachments | If you have enabled Outbound Safe Mode, select one of the following actions when a message with dangerous attachments is received: Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved. Store in Junk Box—Stores messages from unknown senders in the Junk Box. |
| Automatically turn Outbound Safe Mode on and alert administrators every 60 minutes that Safe Mode is on if | These settings do not take any action other than alerting the administrator of a potential zombie infection. Select any of the check boxes to send an alert to the administrator if: Email is sent from an address not in the LDAP (within the last hour). More than (specify number) messages are identified as possible threats within the last hour. More than (specify number) messages are sent by one user within an hour. |
| Specify senders that will not trigger alerts or actions: | Enter email addresses in this box that you want exempt from Zombie Protection. (This list might include any email addresses that are not in LDAP and email addresses that are expected to send a lot of messages.) |

Configuring Flood Protection
The Flood Protection feature supports Zombie Protection by automatically blocking specified
users from sending outbound mail when it exceeds the specified Message Threshold.
To enable Flood Protection:
1. Navigate to the Anti-Virus page, and click the Outbound tab.
2. Scroll down to the Flood Protection section. Then, click the Enable Flood Protection
checkbox.
3. Configure the following settings:
– Message Threshold—Specify the number of outbound messages (between 1 and 10,000)
that are sent by a sender. Then, specify the interval (in hours) by selecting a value from
the dropdown list. The Flood Protection service activates when a sender has exceeded
the number of messages sent within the specified interval of hours.
– Alert sender when threshold is crossed—Enable this option to alert the sender that
he/she has exceeded the organizational threshold. Note that as a result, outbound
emails are now affected.
– Action on outbound message from Flood Senders—Select one of the following
options to determine what action is taken on outbound messages from flood sender(s):
• Permanently delete—The message is permanently deleted. Use this option with
caution since deleted email cannot be retrieved.
• Store in Junk Box—The message moves to the Junk Box and is flagged as ‘likely
virus’ with the category name ‘flood_protection.’ The administrator is able to unjunk
the message, which is then delivered from the outbound path.
• None—No action is taken; messages go through as usual.
– Flood Protection Senders Exception List—Found under the Flood Protection >
Miscellaneous section, specify the list of outbound senders that are exempt from the
Flood Protection rule.
– Flood Senders List—Users that exceeded the specified Message Threshold values
are added to this table by Email Address and the time at which the Flood Sender was
found exceeding the threshold. To remove a user from the Flood Senders List, select
the checkbox next to the email address(es) you wish to remove, then click the Delete
button.
When finished configuring the Flood Protection settings, click the Apply Changes button.
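The per-sender threshold logic described for Zombie monitoring and Flood Protection can be reproduced over an outbound mail log to see which senders a given Message Threshold and interval would catch before enabling an action. This is an added example, not the product's implementation; the log records, addresses, the `DIRECTORY` set standing in for LDAP, and the function name `monitor_outbound` are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2015, 1, 12, 9, 0)

# Constructed outbound log: (time accepted, envelope sender). Not real data.
SAMPLE_EVENTS = (
    [(BASE + timedelta(minutes=5 * i), "bob@corp.example") for i in range(6)]
    + [(BASE + timedelta(minutes=m), "alice@corp.example") for m in (10, 70, 130)]
    + [(BASE + timedelta(minutes=i), "news@corp.example") for i in range(10)]
    + [(BASE + timedelta(minutes=15), "scanner@corp.example")]
)
# Stand-in for the LDAP directory lookup (assumption for this example).
DIRECTORY = {"alice@corp.example", "bob@corp.example", "news@corp.example"}
# Senders expected to send a lot of mail; they trigger no alerts or actions.
EXEMPT = {"news@corp.example"}


def monitor_outbound(events, directory, threshold, interval_hours, exempt=()):
    """Return flood senders (with the time the threshold was crossed) and
    senders whose address is not in the directory.

    A sender is a flood sender once it has more than `threshold` messages
    inside a sliding window of `interval_hours`.
    """
    window = timedelta(hours=interval_hours)
    known = {address.lower() for address in directory}
    skip = {address.lower() for address in exempt}
    recent = defaultdict(deque)      # sender -> timestamps still inside the window
    flood_senders = {}               # sender -> time the threshold was exceeded
    unknown_senders = set()

    for when, sender in sorted(events):
        sender = sender.lower()
        if sender in skip:
            continue
        if sender not in known:
            unknown_senders.add(sender)
        if sender in flood_senders:  # already listed; keep the first crossing time
            continue
        sent = recent[sender]
        sent.append(when)
        while sent and when - sent[0] >= window:
            sent.popleft()           # drop messages older than the interval
        if len(sent) > threshold:
            flood_senders[sender] = when

    return {"flood_senders": flood_senders,
            "unknown_senders": sorted(unknown_senders)}


if __name__ == "__main__":
    report = monitor_outbound(SAMPLE_EVENTS, DIRECTORY, threshold=5,
                              interval_hours=1, exempt=EXEMPT)
    for sender, when in report["flood_senders"].items():
        print("flood sender:", sender, "at", when.isoformat())
    print("not in directory:", report["unknown_senders"])
```

Running it with and without the exception list shows why a bulk sender such as a newsletter address belongs on that list before a delete or junk action is selected.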
Chapter 7
Auditing
Dell SonicWALL Email Security’s Auditing module enables the user to monitor all emails, both
inbound and outbound, that pass through Email Security. This allows the user to see
where emails have been filtered to or to locate the destination of a particular email.
The Auditing chapter contains the following sections:
• Searching Inbound and Outbound Emails
• Configuring Auditing
• Using Message Audit
Searching Inbound and Outbound Emails
Inbound emails processed by Email Security are those that originate from outside of your
organization including the total number of junk messages and good messages. Below the
search section a list of emails is displayed with the following information:
• the recipient of the email
• where the email is located
• the type of threat the email is identified as
• notes about the email
• attachments from the email
• the subject heading of the email
• the sender of the email
• the timestamp of the email
Outbound emails processed by Email Security are those that come from the recipients of your
organization. This includes both junk emails and good emails.
Audit Simple Search
To use the Audit Simple Search Mode, navigate to the Auditing page of your Email Security
system, and follow the procedures listed:
1. Search for messages by selecting specific strings from the dropdown list in the following
fields: Subject, From, To, or Unique Message ID. Ensure sentence fragments are
surrounded by quotation marks.
2. Select the specific date or Show all to search from the dropdown list.
3. Click Search.
Audit Advanced View
This view supports searching on multiple fields to get more granular results. To
use Advanced Search, follow the procedures listed:
1. On the Auditing page, click the Advanced View button.
2. To search for specific email threat types or in specific mail locations, select the desired
checkboxes.
3. Click Search.
Messages matching your search criteria are displayed. To move quickly through results pages,
click in the field that says “Page 1 of 5086744” and type the result page you want to view. You
can also change the number of messages displayed on each page.
As an example, suppose you wanted to see only messages that were Spam or Likely Spam.
Clear all the checkboxes except the Spam and Likely Spam checkboxes. Leave all the
locations selected and click Search.
You can also Send Copy To, Download, or Export to csv specific messages.
• Send Copy To—To send a copy of specific email messages, select the checkbox next to
the message, then click the Send Copy To button. Enter the email address, then click
Send.
• Download—To download specific messages, select the checkbox next to the message,
then click the Download button. The message will download to your local drive.
• Export to csv—To export specific messages, select the checkbox next to the message,
then click the Export to csv button. The messages are exported as a csv file on your local
drive.
Configuring Auditing
The Configure Auditing window on the Auditing page allows you to tailor the Email Security
system to your organization’s preferences for auditing emails. Configuration in this window is
optional. By default, Email Security sets the auditing options to the On position and keeps
auditing files for 30 days.
To configure auditing, follow the procedures listed:
1. From the Auditing page, click the Settings button.
2. Select the radio button(s) in the On position for the following:
– Auditing for inbound email
– Auditing for outbound email
– Enable Judgment Details logging
3. Select the length of time from the drop-down list to audit messages. Time ranges from one
day to seven years. Click the Apply button.
Using Message Audit
Email Security enables you to diagnose why an email failed through the Message Audit
window. To activate the window, click on the desired email address which is displayed in the
inbound or outbound tab. Email Security displays the message audit.
When the message audit window is open, data is displayed about the actions of the email, such
as the IP address of the computer that sent the email, and also the details about the email itself,
such as the subject heading and message size.
The following tables describe message actions and message details with their descriptions:

| Message Action | Description |
|---|---|
| Arrived into gateway from | Shows the IP address from the computer that sent the email. The date and time are taken from the email header. |
| Direction | The email is either inbound or outbound. |
| Arrival notes | Additional information about the arrival of the email, e.g. if the email arrived encrypted. |
| Audit trails | Provides information on what happens to the email on a per recipient basis |

| Message Field | Description |
|---|---|
| Subject | Subject title of the email |
| From | Sender’s email address |
| To | Recipient’s email address |
| Date Received | Date and time, taken from the email header |
| Message Size | Message size |
| Threat | Identifies the threat status of the email |
| Category | Identifies the subtype of spam the email is categorized with |
| Attachment | Attachments with the email |

Judgment Details
The Dell SonicWALL Judgment Details feature allows administrators to view blocked email and
determine why it was blocked. This additional information allows them to tune their filters better
and reduce false positives.
Judgment Details are a description of why a particular email message was flagged as junk or
possible junk by Email Security. This might include keywords, suspicious headers, or other
data that indicates a message is not legitimate. This information is only available to
administrators.
Email Security has always collected data on why a particular email was rejected. A simplified
version of the judgment details appears to users in their junk boxes, explaining that their
messages were flagged as having attributes of a particular category of junk mail, including
phishing or gambling. Judgment Details for administrators is a much more fine-grained tool that
identifies exactly which words, phrases, headers, or contents caused Email Security to put the
message in the Junk Box.
Using Judgment Details
Full judgment details are only available if judgment detail auditing has been configured on the
auditing page. Auditing must also be turned on, or judgment detail auditing information is not
stored. Only administrators can view judgment details.
When judgment detail is being audited, an administrator can view a message. In addition to the
existing message details, there will be a list of judgment details.
To view judgment details, follow the procedures listed:
1. Click the Auditing page from the left-hand navigation bar.
2. Configure the search to find the message(s) you are interested in viewing and click Search.
3. Click on the link in the Subject column for the message you want details on.
4. The Message Audit window displays.
Your judgment details appear as a part of this window. The specific fields recorded depend on
whether the message was inbound or outbound. Not all fields will appear all the time - fewer
judgment details are collected on outbound messages.

| Effectiveness Field | Description |
|---|---|
| Anti-Virus | The virus scanner that was first to find a virus in the message. |
| Policy | The name of the policy that blocked emails with this characteristic. |
| People, Companies, Lists | If this message was blocked because of a list you configured, the list item that occurred in the message. |
| Anti-Spam Aggressiveness | Depending on the aggressiveness settings you have configured, where the message falls on the sensitivity ratings. |
| Significant Keywords and Phrases Found | The words in the email that increased the email’s score. |
| Spammer’s Tricks | The known spammer tricks that have been coded against. Only the first-found spammer trick is reported in this window. |
| Language Detected | The language the email is in. Some organizations block languages they do not expect. |
| GRID Network | Reports from other users about this email. |
| Reputation | The sender ID. |
| Misc | The reason a message was allowed through without checking. This is usually because the message is from a sender in the same domain as the recipient. |

Chapter 8
Policy & Compliance
Dell SonicWALL Email Security’s Policy Management feature enables you to write policies to
filter messages and their contents as they enter or exit your organization. Policies can be
defined only by an administrator. Typical uses of policies include capturing messages that
contain certain business terms, such as trademarked product names, company intellectual
property, and dangerous file attachments.
Email Security and Mail Threats
Dell SonicWALL Email Security determines that an email fits only one of the following threats:
Spam, Likely Spam, Phishing, Likely Phishing, Virus, Likely Virus, Policy Violation, or Directory
Harvest Attack (DHA). It uses the following precedence order when evaluating threats in email
messages:
• Virus
• Likely Virus
• Policy Filters
• Phishing
• Likely Phishing
• Spam
• Likely Spam
For example, if a message is both a virus and spam, the message will be categorized as a
virus since virus is higher in precedence than spam.
If Dell SonicWALL Email Security determines that the message is not any of the above threats,
it is delivered to the destination server.
Standard Module vs. Compliance Module
The Email Security Policy & Compliance Module is divided into two subsections:
• Standard Module—This module comes activated through the Email Security Base License
Key that deploys with Email Security and includes access to the following features in the
left-hand navigation menu:
– Managing Filters
– Policy Groups
• Compliance Module—This module is accessible through the optional purchase of a
Compliance Subscription License Key. The module contains the following features in the
left-hand navigation menu:
– Dictionaries
– Approval Boxes
– Encryption
– Record ID Definitions
– Archiving
Basic Concepts for Policy Management
Policy Management enables you to filter email based on message contents and attachments.
You can filter for specific terms that you want, such as terms in your product or terms you do
not want in your organization’s email.
You manage policy by creating filters in which you specify the words to search for in content,
senders, or other parts of the email. After filtering for specified characteristics, you can choose
from a list of actions to apply to the message and its attachments.
Note that any policy configured in the Policy section takes precedence over any
configuration made in the Allowed List entries.
Defining Word Usage
In the context of Policy Management, a word is a series of alphabetic characters and numbers
with no spaces.

| Punctuation | Character | Example |
|---|---|---|
| Slash | / | http://example.com |

| Punctuation allowed as first or last character but not in the middle | Character value | Example |
|---|---|---|
| Dollar sign | $ | $100 |
| Percent sign | % | 100% |

| Punctuation allowed in the middle but not as first or last character | Character value | Example |
|---|---|---|
| Period | . | http://example.com is allowed. .mail or mail. are not allowed. |

| Punctuation | Character | Example |
|---|---|---|
| “at” sign | @ | ktran@sonicwall.com |
| Ampersand | & | AT&T |
| Colon | : | http://example.com |
| Hyphen | - | xxx-yyy |

All other punctuation is used as word separators to split words. Punctuation included in this
category includes the following characters:
~ ! # ^ * + = { } [ ] ; " < > , ? \ | `()"
For example, X~Y is treated as two words, X and Y.
Defining Email Address Matching
Policy Management can do intelligent matching for email addresses in the From and
To/CC/BCC fields.

| Address field | Matching string: jdoe | Matching string: company.com | Matching string: jdoe@company.com |
|---|---|---|---|
| jdoe@company.com | Match | Match | Match |
| asmith@company.com | No Match | Match | No Match |
| jdoe@yahoo.com | Match | No Match | No Match |

Defining Intelligent Email Attachment Matching
When you create a policy to detect attachments based on file extension, by default,
Email Security will do simple matching based on the specified file extension. If the attachment
has been renamed to have a different file extension, this simple matching will not detect that.
To accurately detect attachments without relying on the file extension, select the Intelligent
Attachment Matching checkbox. For example, an executable attachment renamed with a .txt
extension can be matched as an executable. Email Security supports Intelligent Attachment
Matching for the following file extensions:

| File Format | Extension |
|---|---|
| Bitmap format | .bmp |
| FITS format | .fits |
| GIF format | .gif |
| Graphics Kernel System | .gks |
| IRIS rgb format | .rgb |
| ITC (CMU WM) format | .itc |
| JPEG File Interchange Format | .jpg |
| NIFF (Navy TIFF) | .nif |
| PM format | .pm |
| PNG format | .png |
| Postscript format | .[e]ps |
| Sun Rasterfile | .ras |
| Targa format | .tga |
| TIFF format (Motorola - big endian) | .tif |
| TIFF format (Intel - little endian) | .tif |
| X11 Bitmap format | .xbm |
| XCF Gimp file structure | .xcf |
| Xfig format | .fig |
| XPM format | .xpm |
| Bzip | .bz |
| Compress | .Z |
| gzip format | .gz |
| pkzip format | .zip |
| TAR (pre-POSIX) | .tar |
| TAR (POSIX) | .tar |
| MS-DOS, OS/2 or MS Windows | .exe |
| Unix elf | |
| pgp public ring | |
| pgp security ring | |
| pgp security ring | |
| pgp encrypted data | |

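The difference between simple extension matching and content-based matching can be seen by comparing the two on the same message. This is an added example, not the product's detection code; the signature list covers only some of the formats in the table, and the message, file names, and function names (`sniff`, `match_attachments`, `build_sample_message`) are constructed for illustration.

```python
import os
from email.message import EmailMessage

# (offset, magic bytes, type label) for some formats from the table above.
# Longer signatures come first; the two-byte ones (MZ, BM) can collide with
# ordinary text, which is one source of false positives.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (257, b"ustar", "tar"),            # POSIX tar header field
    (0, b"PK\x03\x04", "zip"),
    (0, b"\x7fELF", "elf"),
    (0, b"MM\x00\x2a", "tif"),         # TIFF, big endian
    (0, b"II\x2a\x00", "tif"),         # TIFF, little endian
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"\x1f\x8b", "gz"),
    (0, b"\x1f\x9d", "z"),             # compress
    (0, b"MZ", "exe"),                 # MS-DOS, OS/2 or MS Windows executable
    (0, b"BM", "bmp"),
]
ALIASES = {"jpeg": "jpg", "tiff": "tif"}


def sniff(data):
    """Return the type label whose signature matches the content, or None."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def match_attachments(message, blocked_types, intelligent=True):
    """Return attachment file names whose type is in blocked_types.

    With intelligent=False only the file extension is consulted; with
    intelligent=True the content signature is checked as well.
    """
    hits = []
    for part in message.iter_attachments():
        name = part.get_filename() or ""
        extension = os.path.splitext(name)[1].lstrip(".").lower()
        extension = ALIASES.get(extension, extension)
        detected = None
        if intelligent:
            detected = sniff(part.get_payload(decode=True) or b"")
        if extension in blocked_types or detected in blocked_types:
            hits.append(name)
    return hits


def build_sample_message():
    """Constructed message: an MZ executable header renamed to .txt, plus a PNG."""
    message = EmailMessage()
    message["From"] = "sender@example.org"
    message["To"] = "user@corp.example"
    message["Subject"] = "Quarterly notes"
    message.set_content("See attached.")
    message.add_attachment(b"MZ\x90\x00" + bytes(60), maintype="application",
                           subtype="octet-stream", filename="notes.txt")
    message.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image",
                           subtype="png", filename="logo.png")
    return message


if __name__ == "__main__":
    sample = build_sample_message()
    print("extension only:", match_attachments(sample, {"exe", "elf"}, intelligent=False))
    print("content based: ", match_attachments(sample, {"exe", "elf"}, intelligent=True))
```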
Defining Disguised Text Identification
Dell SonicWALL Email Security provides disguised text identification to prevent users in your
organization from sending or receiving messages with unwanted words with substituted,
inserted, constructed, or deleted characters. Using traditional word matching or spell checking
finds exact matches or known frequent misspellings, such as hte for the.
Disguised text identification is as simple and intuitive as traditional word matching; and is more
powerful than using regular expressions to find specific words or terms. In addition, it is far
easier to use and less potentially dangerous than regular expressions.
Disguised text identification provides the following types of matches:

| Variations | Resulting Words or Phrases |
|---|---|
| Constructed characters | \/ for V, or \/\/ for W, for example, \/\/ork at home |
| Inserted characters | - or _, for example, c-o-m-m-e-n-t or f_e_e_s |
| Substituted characters | @ for a or 1 for i, for example, p@ntyhose or Sat1sfact10n |
| Deleted characters | wnderful opprtunty |
| Imaginative spelling | Purrfection or garunteeed suxess |

NOTE: Disguised text identification might result in false positives due to unexpected conditions, and
can be computationally intensive.
Disguised text identification is not meant to be a spam catcher. Email Security has developed
extensive heuristic statistical techniques for catching spam. Instead, this feature allows you to
detect terms that are important to your organization and build policies based on them. You can
use this feature to capture specific terms, for example, to route incoming messages that contain
your product’s name with appropriate trademarks to your sales departments. It can also be used to
filter outgoing mail. As an example, if your organization prohibits sending source code outside
of the company, you could use various programming keywords as search terms and route
messages with those terms to the appropriate manager.
Inbound vs. Outbound Policy Filters
Organizations can create policies to deal with both inbound and outbound messages. To create
inbound policies, select the Inbound tab and click on Add New Filters. Policies created on the
inbound path cannot be shared with the outbound path and vice versa. To create outbound
policies, select the Outbound tab and click on Add New Filter.
See Managing Filters for examples of adding inbound and outbound policies.
Preconfigured Inbound Filters
New installations of Dell SonicWALL Email Security ship with preconfigured filters. These
preconfigured filters are not enabled by default.
Junk Emails with Attachments over 4MB
This filter, Junk Emails with Attachments Over 4MB, stores all incoming email messages over
4MB in size in the Junk Box.
Strip Potentially Dangerous File Attachments
This filter, Strip Potentially Dangerous File Attachments, strips all attachments from the
incoming email messages that triggered the filter conditions. Enable and edit this rule if you
want to allow some of these attachments and not others.
PGP: Decrypt
This filter, PGP: Decrypt, sends encrypted inbound messages to the PGP Universal Server for
decryption. PGP is often used for signing, encrypting, and decrypting texts, emails, files, and
directories.
Strip Picture and Movie Attachments
This filter, Strip Picture and Movie Attachments, strips all attachments from the incoming email
messages that triggered the filter conditions. Enable and edit this rule if you want to allow some
of these attachments and not others.
Detect Personal Health Information (PHI) Records in Inbound Mails
This filter, Detect Personal Health Information (PHI) Records in Inbound Mails, detects personal
health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying
tool.
Detect Corporate Financial Information in Inbound Mails
This filter, Detect Corporate Financial Information in Inbound Mails, detects corporate financial
information in the subject line or body of an email by utilizing the Financial Terms predefined
dictionary as an identifying tool.
Detect Personal Financial Information (PFI) Records in Inbound Mails
This filter, Detect Personal Financial Information (PFI) Records in Inbound Mails, detects
personal financial information by using the Record ID definitions feature as an identifying tool
looking for mails that match Social Security Number and Credit Card Number formats.
PGP: Decrypted by PGP
This filter, PGP: Decrypted by PGP, delivers messages decrypted by the PGP server to the
internal mail server.
Preconfigured Outbound Filters
New installations of Dell SonicWALL Email Security ship with preconfigured filters. These
preconfigured filters are not enabled by default.
Detect Personal Financial Information (PFI) Records in Outbound Mails
This filter, Detect Personal Financial Information (PFI) Records in Outbound Mails, detects
personal financial information by using the Record ID definitions feature as an identifying tool
looking for mails that match Social Security Number and Credit Card Number formats.
Detect Personal Health Information (PHI) Records in Outbound Mails
This filter, Detect Personal Health Information (PHI) Records in Outbound Mails, detects
personal health information by utilizing the Medical Drug Names pre-defined dictionary as an
identifying tool.
PGP: Deliver Encrypted Msg
This filter, PGP: Deliver Encrypted Msg, delivers the encrypted message to the external
recipient.
PGP: Encrypt
This filter, PGP: Encrypt, sends outbound messages to the PGP Universal Server for
encryption. PGP is often used for signing, encrypting, and decrypting texts, emails, files, and
directories.
Send Secure Mail: Deliver Message via SecureMail Server
This filter, Send Secure Mail: Deliver Message via SecureMail Server, delivers messages using
the SecureMail Server.
Detect Corporate Financial Information in Outbound Mails
This filter, Detect Corporate Financial Information in Outbound Mails, detects corporate financial
information in the subject line or body of an email by utilizing the Financial Terms predefined
dictionary as an identifying tool.
Send Secure Mail: Deliver Message via Encryption Service
This filter, Send Secure Mail: Deliver Message via Encryption Service, delivers messages using
the Encryption Service.
Adding Filters
A Policy Filter is an action or actions you want Email Security to take on messages that meet
the conditions you define. Dell SonicWALL’s Policy Management module enables you to filter
email as it enters or exits your organization. Note that Policy Management is a tool only for
administrators; policies cannot be managed individually and are not user-configurable.
To create and manage policy filters, follow the procedures listed.
1. Navigate to the Policy & Compliance > Filters page.
2. Select the Inbound or Outbound tab to create filters for inbound or outbound email
messages, respectively.
3. Click the Add New Filter button. The Add Filter window displays.
Note The fields in the window change based on the action you choose.
4. The Enable this Filter checkbox is checked by default. Uncheck the checkbox to create
rules that do not go into effect immediately.
5. Choose whether the filter matches All of the conditions or Any of the conditions.
– All—Causes email to be filtered when all of the filter conditions apply (logical AND)
– Any—Causes email to be filtered when any of the conditions apply (logical OR)
6. Choose the parts of the message to filter.
Select | Definition
Judgement | The server’s assessment of a categorized message threat
From | Filter by the sender’s name
To/Cc/Bcc | Filter by the names in the To: cc: or bcc: fields
Subject | Filter by words in the subject
Body | Filter based on information in the body of the email
Subject or Body | Filter based on information in the subject and body of the email
Subject, Body, or Attachments | Filter based on information in the subject, body, and attachments of the email
Message header | Filter by the RFC822 information in the message header fields, which includes information including the return path, date, message ID, received from, and other information
Attachment name | Filter attachments by name
Attachment contents | Filter based on information in the email attachments
Size of message | Filter messages based on the size of the message
Number of recipients | Filter messages based on the number of recipients
RFC 822 Byte Scan | Scan the entire email message
7. Choose the matching operation. The choices for matching operation vary with the message
part being matched against. The following table describes the matching operations
available.
Type | Explanation | Example
With Specific Word | Equivalent to “Find the whole word only” | Search for the word “Mail” from the subject line “This is Mail” will match. Search for the word “Mail” from the subject line “This is MailFrontier” will not match.
Without Specific Word | Not equivalent to “Find the whole word only” |
With Specific Phrase | Equivalent to “Find complete phrase” | Search for the words “is Mail” from the subject line “This is Mail” will match. Search for the word “is Mail” from the subject line “This is MailFrontier” will not match.
Without Specific Phrase | Not equivalent to “Find complete phrase” |
Starts With | The message part being searched for should start with the search value | Search for “This” from the subject line “This is Mail” will match.
Ends With | The message part being searched for should end with the search value | Search for “is Mail” from the subject line “This is Mail” will match.
Is | Only the search criteria should exist (exact match). | Search for the word “Mail” from the subject line “This is Mail” will not match. Search for “is Mail” from the subject line “is Mail” will match.
Is Not | Only the search criteria should not exist | Search for the phrase “is Mail” from the subject line “This is MailFrontier”, will match.
Contains | Substring search | Search for “is Mail” from the subject line “This is Mail” will match.
Does not Contain | Substring search does not match |
8. Enter the words or phrase that you want to filter in the Search Value text box. Select the
appropriate check boxes.
– Match Case—Filters a word or words sensitive to upper and lower case.
– Intelligent Attachment Matching—Filters attachment names, such as .exe or .zip.
– Disguised Text Identification—Filters disguised words through the sequence of its
letters, for example Vi@gr@.
Note Disguised Text Identification cannot be used together with Match Case and can be selected
only for Body and Subject message parts.
If the Compliance Module is active, the administrator has additional filtering conditions that can
be set. The Use Dictionary option of using terms from a dictionary can be selected, as well as
the Use Record Match option which looks for numbers such as telephone numbers or social
security numbers.
1. Click the plus sign (+) to add another layer of filtering. See “Junk Emails with Attachments
over 4MB” on page 128.
You can add up to 20 filters.
Filters are similar to rock sifters: Each additional filter adds further screens that test email
for additional conditions.
2. Choose the response action from the Action drop-down list.
Action | Effect
Log as event | The email message is logged. No further processing in Policy management occurs (default). This option stores a log of all messages so that the administrator has a record and can analyze traffic patterns. The log is in the mfe log. NOTE: Policy management logs all messages as events regardless of the action specified.
Permanently delete | The email message is permanently deleted and no further processing occurs in any Dell SonicWALL Email Security module. This option does not allow the user to review the email and can cause good email to be lost.
Store in Junk Box | The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. The user has the option of unjunking the email.
Store in Approval Box | The email message is stored in the Approval Box. It will not be delivered until an administrator approves it for delivery.
Bounce back to sender | The message is returned to sender with an optional message indicating that it was not deliverable.
Deliver and bounce | The message is delivered to the recipient and is bounced back to the sender with an optional message.
Deliver and skip Spam and Phishing Analysis | The message is delivered without spam or phishing analysis.
Route to | The message is routed to the specified email address. The message can be routed to only one email address.
Deliver and route to | Deliver to the recipients and also route to the specified email address. The message can be routed to only one email address.
Tag subject with | The subject of the email is tagged with the specified term.
Strip all attachments | Remove all the attachments from the email.
Append text to message | The specified text is appended to the message body.
Issue email notification | Sends an email notification to the recipients of the email that triggered the rule.
Add X-header to message | Adds an X-header to the email.
Remove X-header from message | Removes an X-header from an email.
Route to IP | The message is routed to the specified IP address. The message can be routed to only one IP address.
Deliver and Route to IP | Deliver to the recipients and also route to the specified IP address. The message can be routed to only one IP address.
Route Copy to Archive | A copy of the message is routed to the archive.
Encrypt | Message is sent to the encryption center for encryption. This action is used for outbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Compliance Module > Encryption page.
Decrypt | Message is sent to the decryption center for decryption. This action is used for inbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Compliance Module > Encryption page.
When no additional filtering is required on a message, select the Stop processing policy
filters checkbox. This checkbox is automatically selected and grayed out when you have
selected a terminal action. If additional actions need to be performed on the same message,
select the plus sign (+) to the right. You cannot add the same action more than once to a
specific filter rule. As a result, once an action has been selected, it will not be available in the
drop-down list for further selection within the current filter rule.
3. Type a descriptive name in the Filter Name text box.
4. Select a policy group you want to apply this filter to. By default, All Groups will be selected
and this filter will apply to all email messages.
5. Click the Save This Filter button.
Language Support
Policy management supports filtering messages based on non-English terms in the Search
Value. For example, you can search for a Japanese word or phrase in the body of a message.
However, Dell SonicWALL Email Security does not support adding text strings to email
messages in languages other than English and does not support foreign language filter names.
Note To view messages in Asian languages, you might need to install East Asian Language
Packs on the server where you run Email Security (for Windows only). This applies to
deployments using the Dell SonicWALL Email Security Software Edition.
Managing Filters
The main Policy Management page lists all the filters created in the system for the Inbound
and Outbound path. From this view, you can Add New Filter, Change the order of filters, Edit
or Delete filters. Filters that have been enabled are indicated with a green tick mark.
Editing a Filter
To change a filter that has been saved, follow the procedures below:
1. Click the Edit button adjacent to the filter to be changed.
2. Change any of the filter conditions.
3. Click Save This Filter.
Deleting a Filter
To delete a filter, click the Delete button adjacent to the filter.
Changing Filter Order
Filters are processed in the order they appear.
To change the order of the filters, use the up and down arrow icons to the left of the filters.
Advanced Filtering
Creating a Multi-Layered Filter
You can create filters with multiple conditions chained together and multiple actions to be
performed on the message, if the specified conditions are met.
For example, if the email message is
• sent from NASA and
• the body contains the word Mars
then take the following actions:
• Tag the subject with the term [Mars Update from NASA] and
• Route the message to engineering.
To create a multi-layered filter, follow the procedures below:
1. Click the Add New Filter button from the Policy & Compliance > Filters > Inbound
module.
2. Select All conditions to be met.
3. With Specific Words operation, search for nasa.org in the message part From.
4. Select the + button to the right to add another condition.
5. With Specific Words operation, search for Mars in the message part Body. Enable Match
Case to get an exact case match.
6. Select the action Tag Subject With. Set the Tag field to [Mars Update from NASA].
Make sure the “and stop processing policy filters” checkbox is not enabled.
7. Select the + button to the right to add another action.
8. Select the action Route To and set the To field to engineering@company.com. Select
the “and Stop Processing Policy Filters” checkbox to stop further policy filtering on this
message.
9. Select the Save This Filter button.
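The matching operations and the multi-layered filter above can be checked offline with a small model before a rule is put into production. The following is an added example, not Dell SonicWALL code: the class and function names, the word-boundary reading of "whole word", the case-insensitive default, prefixing the tag to the subject, and treating stop-processing as one flag per filter are all assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

def _whole(value, text):
    # Assumed reading of "find the whole word only" / "find complete phrase":
    # the value must not be glued to a word character on either side.
    return re.search(r"(?<!\w)" + re.escape(value) + r"(?!\w)", text) is not None

# Matching operations from the table, as (search value, message part) predicates.
OPERATIONS = {
    "With Specific Word": _whole,
    "Without Specific Word": lambda v, t: not _whole(v, t),
    "With Specific Phrase": _whole,
    "Without Specific Phrase": lambda v, t: not _whole(v, t),
    "Starts With": lambda v, t: t.startswith(v),
    "Ends With": lambda v, t: t.endswith(v),
    "Is": lambda v, t: t == v,
    "Is Not": lambda v, t: t != v,
    "Contains": lambda v, t: v in t,
    "Does not Contain": lambda v, t: v not in t,
}

@dataclass
class Condition:
    part: str                 # message part: "From", "Subject", "Body"
    operation: str            # key of OPERATIONS
    value: str                # the Search Value
    match_case: bool = False  # the Match Case checkbox

    def matches(self, message):
        text, value = message.get(self.part, ""), self.value
        if not self.match_case:  # assumption: case is ignored unless Match Case is set
            text, value = text.lower(), value.lower()
        return OPERATIONS[self.operation](value, text)

@dataclass
class PolicyFilter:
    name: str
    conditions: list
    actions: list                  # (action, argument) pairs, applied in order
    match_all: bool = True         # True = All (logical AND), False = Any (logical OR)
    stop_processing: bool = False  # simplification: one stop flag per filter
    enabled: bool = True

    def matches(self, message):
        hits = [c.matches(message) for c in self.conditions]
        return all(hits) if self.match_all else any(hits)

def apply_filters(filters, message):
    """Run enabled filters in list order; return (changed copy of message, action log)."""
    msg, log = dict(message), []
    for f in filters:
        if not (f.enabled and f.matches(msg)):
            continue
        for action, arg in f.actions:
            if action == "Tag subject with":
                msg["Subject"] = f"{arg} {msg['Subject']}"  # assumption: tag is prefixed
            elif action == "Route to":
                msg["Route"] = arg
            log.append((f.name, action, arg))
        if f.stop_processing:
            break
    return msg, log

# The multi-layered filter from the procedure, followed by a constructed later filter
# that must never see a message the first filter has already claimed.
FILTERS = [
    PolicyFilter(
        name="NASA Mars",
        conditions=[Condition("From", "With Specific Word", "nasa.org"),
                    Condition("Body", "With Specific Word", "Mars", match_case=True)],
        actions=[("Tag subject with", "[Mars Update from NASA]"),
                 ("Route to", "engineering@company.com")],
        stop_processing=True,
    ),
    PolicyFilter(
        name="Any space mail",
        conditions=[Condition("Subject", "Contains", "rover"),
                    Condition("Body", "Contains", "mars")],
        actions=[("Tag subject with", "[Space]")],
        match_all=False,
    ),
]

# Constructed sample messages.
HIT = {"From": "jane@nasa.org", "Subject": "Rover telemetry", "Body": "Mars orbit data attached."}
MISS = {"From": "jane@nasa.org", "Subject": "Lunch", "Body": "mars bars in the kitchen"}

if __name__ == "__main__":
    for sample in (HIT, MISS):
        print(apply_filters(FILTERS, sample))
```

The second message shows two things worth testing for any real rule: Match Case keeps the first filter from firing on "mars", while the looser Contains condition in the later filter over-matches on unrelated text.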
Configuring a Policy Filter for Outbound Email to Include a Company Disclaimer Message
To add a company disclaimer to the end of each outgoing message from your organization, you
would set the policy filter in this way.
If an email is sent from anyone at sonicwall.com, then take the following actions: Append text
to the end of the message,
This is my company disclaimer
To create the outbound policy filter, perform the following steps:
1. In the Email Security management interface, browse to the Policy & Compliance > Filters
screen, and click the Outbound tab.
2. Click the Add New Filter button.
3. Select All conditions to be met.
4. Select From in the Select drop-down list, and select Contains in the Matching drop-down
list.
5. In the Search Value field, type ‘sonicwall.com’.
6. To protect against internal spammers or zombies, click the plus sign icon to add another
condition.
7. Select Judgement in the Select drop-down list, and select is good in the Matching drop-down list.
8. Select the action Append text to message.
9. In the Message text write: This is my company disclaimer.
10. Name the filter Outbound Disclaimer.
11. Select Apply to Everyone from the dropdown menu in the Apply this filter to: section.
12. Click the Save This Filter button.
Configuring a Policy Filter for Inbound Email
To filter email messages sent to your organization that are not judged as spam but contain the
words “job application” in the subject or body of the email message you would set the policy
filter this way:
If an email is
• Not judged as spam
• The subject or body of the email contains the words job application
then take the following actions:
• route the email to hr@sonicwall.com
To create the inbound policy filter, follow the procedures listed:
1. Select Add New Inbound Filter button.
2. Select All conditions to be met.
3. Judgement operation, matching is not spam.
4. Select the + button to the right to add another condition.
5. With specific phrase operation, search for job application in the message part
Subject or Body.
6. Select the action Route to and enter the email address hr@sonicwall.com in the To:
field.
7. Name the filter Resume Routing.
8. Select Apply to Everyone from the dropdown menu in the Apply this filter to: section.
9. Select the Save This Filter button.
Exclusive Actions
The action named Permanently delete is an exclusive action. It is terminal in nature: no
further policy filtering is possible after this action has been performed. The Stop
Processing Policy Filters checkbox is automatically enabled and grayed out if an
exclusive action is selected.
Parameterized Notifications
Dell SonicWALL Email Security supports parameterized notifications, in which you can use
predefined parameters in the text fields for the Issue Email Notification action. These parameters
are substituted with the corresponding values when the message is processed. You can use
these parameters in either the Subject or Message Text fields of the Issue Email Notification
action. The parameters can be used multiple times and are substituted each time they are used.
Each parameter entered should start and end with the % symbol.
Parameter | Value
%SUBJECT% | the Subject: content from the triggering email
%FROM% | the From: content from the triggering email
%ATTACHMENT_NAMES% | a comma-separated list of attachment names from the triggering email
%FILTER_NAME% | the name of the policy filter which took the action on the triggering email
%MATCHED_RECORDID% | the Record ID file name which has a matching pattern in the triggering email
%MATCHED_TERM% | the Dictionary term which matched in the triggering email
Policy Groups
In some cases, it may be appropriate to associate a policy filter to a group of users rather than
the entire organization. For example, you may want a policy filter to be applied to all incoming
email messages sent to your sales team and no one else in your organization.
If you want policy filters you create to be applied to a particular group of users, you first have to
create policy groups from LDAP. Policy groups, once created, can be associated with either
inbound or outbound policies.
To manage policy groups, select the Policy Groups link under the Policy & Compliance module.
From this screen, you can manage all policy groups for your Dell SonicWALL Email Security
setup.
To add a new policy group, select the Add New Group button.
From the pull down menu, select one of three methods to locate a desired group:
equal to (fast) | search using the actual name
starting with (medium) | search using the first few characters
containing (slow) | search using a substring of characters
Once the list of group names is displayed, select the checkbox of the group you wish to add.
Click on the Add Group button.
To remove a group, check the group(s) to be removed and select the Remove Group button.
You can view the members of a group by selecting that group and clicking on the List Group
Members button.
If a user is present in more than one group, that user is treated as a member of the group
that is listed highest in the list. You can change group ordering by clicking on the arrows to the
left of the listed groups. To change the order in which groups are listed, use the up and down arrow
icons to the left of the groups.
For example in the above illustration, if jdoe@company.com is listed under both
SalesEngineering and Sales, the policy filter that is associated with SalesEngineering will be
applied to email messages for jdoe@company.com.
Multiple LDAP Groups
To manage policy groups from multiple LDAP servers, follow the procedures listed:
1. Navigate to the Policy & Compliance > Policy Groups page.
2. Select the LDAP source and click the Go button. You are connected to that LDAP server.
3. Click the Add Group button. The groups on that LDAP server are retrieved and presented.
4. Choose the groups you want to add policies to.
5. When you have selected the groups, click the Add Group button. Your groups are added.
6. You can now apply policies to these groups. If a user is a member of more than one group,
actions will only be taken on the first group the system reads.
Email Address Rewriting
In a multiple LDAP server environment, administrators can map incoming or outbound email
addresses to new apparent domains. This feature also allows you to expand an email list into
its constituent members. To configure Email Address Rewriting on a per-LDAP basis, perform
the following procedures:
1. Log in as the Email Security administrator.
2. Navigate to the System > Network Architecture page.
3. Click the Add New Rewrite Operation button.
4. In Type of Operation, choose LDAP Rewrite to Primary. If you are on the Inbound tab,
you could also choose LDAP Email List Expansion.
5. Enter the information for the operation you have chosen.
6. Enter a name for the rewrite operation.
7. Click Save This Rewrite Operation.
Compliance Module
This module is accessible through the optional purchase of a Compliance Subscription License
Key and enables organizations to make efforts in ensuring that email complies with relevant
regulations and/or corporate policies.
Once the Compliance Module is activated, the network administrator has access to the new
Encryption and Archiving features in addition to features such as additional filtering tools that
enhance the Standard Module.
Note When the Compliance Module license expires, filters that were created during the valid
license period will continue to work, taking advantage of the advanced features. However,
the administrator will not be able to add any new filters to use licensed features until a
license to the module is obtained.
Dictionaries
A dictionary is a convenient collection of words or phrases that you can group together
for use in policy filters. A dictionary can be specified as a search value in a policy filter.
Dictionaries can be created or modified either manually or by importing from a file in the file
system.
A predefined dictionary is a group of words or phrases all belonging to a specific theme such
as medical or financial terms, which can be used as a database of words that filters can look
for. By default, Email Security provides two pre-installed dictionaries:
• Medical Drug Names
• PGP_AnyPartMsg_SpecificPhrase
• PGP_EmailHeader_SpecificWord
• Financial Terms
• PGP_AnyPartMsg_SpecificWords
These dictionaries may be modified by clicking the edit button.
Add New Dictionary
To manually add a dictionary, follow the procedures listed below:
1. Click on the Add New Dictionary button.
2. Enter a word or phrase under Dictionary Terms and click Add Term. Repeat for all the
terms you want to add to the dictionary.
3. Give your dictionary a name.
4. Click Save Dictionary. You will automatically be returned to the Policy & Compliance >
Compliance > Dictionaries module.
Import Dictionary
To import a dictionary from a file on the file system, follow the procedures listed:
1. Click on the Import Dictionary button.
2. Choose to name a new dictionary or to replace an existing dictionary by selecting the
appropriate radio button next to your selection.
3. Find the import file by browsing to the correct location.
The imported file should contain one word or phrase per line and each line should be
separated by <CR>.
4. Click the Import button.
Approval Boxes
An Approval Box is a list of stored email messages that are waiting for an administrator to take
action. They will not be delivered until an administrator approves them for delivery. The View
Approval Box drop-down list allows you to have two different views of Approval Boxes: The
Manager view and the individual approval box view.
To see a list of the Approval Boxes that have been created, select Approval Box Manager from
the pull-down menu in the View box from this list. The Approval Box Manager view allows you
to edit or delete existing Approval Boxes, and to create new Approval Boxes.
To see the contents of a particular Approval Box, choose the desired Approval Box name from
the View Approval Box for drop-down list. This page allows you to search the messages
stored in that Approval Box and to take action on any of those messages.
Note Only users who have administrative rights can see the contents of an approval box. See
Users, Groups & Organizations on page 159 for managing user rights and privileges.
To store messages in an Approval Box, follow the procedures listed:
1. Create the Approval Box by clicking the Add New Approval Box button in the Policy &
Compliance > Compliance Module > Approval Boxes page.
2. Enter a name for this Approval Box. This name appears in the page that shows the list of
approval boxes and in the drop-down list that allows you to select the detailed view of
individual approval boxes.
3. From the Default action pull-down menu, select an action to be taken. This action will
automatically be taken on the message waiting for approval if the administrator does not
respond to the notification within the period of time specified.
None | No action is taken. The email remains in the Approval Box.
Approve & Deliver | The email is passed to the recipient.
Delete | The email is deleted.
Bounce Back to Sender | The email is automatically bounced back to the sender and removed from the Approval Box after the specified length of time elapses.
4. Enter a list of Notification recipients in the text box. Separate multiple email addresses
with a carriage return.
Note Make sure that the email recipients you enter are users that have administrative rights to the
Email Security appliance. If they do not have administrative access, they will not be able to
view the approval boxes when they receive email notification.
5. Select a Frequency of notifications value from the dropdown list for this approval box.
Approval box notification emails for this approval box will be sent according to the schedule
you choose here.
6. Write the Email subject line for this notification.
7. Click the Apply Changes button to save your changes to this approval box notification.
8. Go to the Policy & Compliance > Filters page and create a policy filter that has the Action
as Store in Approval Box. Then, choose the desired Approval Box for email messages
caught by that filter.
Encryption
The Policy & Compliance > Compliance Module > Encryption section is used to configure
the servers used to encrypt and decrypt messages. Once configured, you may create a policy
filter for which the action is to encrypt or decrypt messages.
A policy action of encrypt can be used to direct confidential outbound messages to the
encryption server. A policy action of decrypt can be used to direct confidential inbound
messages to the decryption server.
Record ID Definitions
A Record ID Definition can be used to detect specific IDs described by a series of generic
patterns. The Policy & Compliance > Compliance Module > Record ID Definitions section
allows the administrator to predefine a cluster or clusters of letters and numbers into logical
sets of groups such as social security numbers, patient medical record numbers, or credit card
numbers. When these patterns are discovered, compliance actions can be taken to ensure that
the organization's privacy and security regulations are met. The filter will stop processing a
message after it finds the first matching Record ID Definition.
By default, Dell SonicWALL Email Security provides the following Record ID Definitions pre-installed:
• ABA Bank Routing Number
• Canadian Social Security Number
• Credit Card Number
• Date
• Phone Number
• Social Security Number
• Zip Code
Adding a New Record ID Definition
1. Click the Add New Record ID Definition button. The following window displays:
2. Enter a name in the Record Definition Name field.
3. Enter a ‘term’ including correct spacing, dashes or other symbols. Use the key to set values
to the sets of characters.
4. Click Add Pattern to add the term to the Record ID. Repeat this step for each Record ID
as necessary.
5. Click Save Definition when finished. The new Record ID Definition displays on the Policy
& Compliance > Compliance Module > Record ID Definitions screen.
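Record ID matching and the parameterized notifications described earlier can be rehearsed together on constructed test mail before the outbound PFI filter is enabled. This is an added example, not the product's code: the regular expressions stand in for the product's pattern key (which this page does not reproduce), the function names are hypothetical, and reporting only the first matching definition in %MATCHED_RECORDID% is an assumption drawn from the first-match rule above.

```python
import re

# Ordered Record ID definitions. The regexes are stand-ins written for this example;
# the product's own pattern key is not reproduced on the page.
RECORD_ID_DEFINITIONS = [
    ("Social Security Number", [r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"]),
    ("Credit Card Number", [r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)"]),
]

def first_matching_record_id(text, definitions=RECORD_ID_DEFINITIONS):
    """Return the name of the first definition, in list order, with a matching pattern."""
    for name, patterns in definitions:
        if any(re.search(p, text) for p in patterns):
            return name  # processing stops at the first matching definition
    return None

_PARAM = re.compile(r"%([A-Z_]+)%")

def render(template, values):
    """Replace each %PARAMETER% in one pass. Unknown names are left as typed, and text
    substituted from the message is not scanned again for parameters."""
    return _PARAM.sub(lambda m: values.get(m.group(1), m.group(0)), template)

def build_notification(message, filter_name, subject_tpl, body_tpl):
    """Return (subject, body) of the notification, or None when no Record ID matches."""
    matched = first_matching_record_id(message["Body"])
    if matched is None:
        return None
    values = {
        "SUBJECT": message["Subject"],
        "FROM": message["From"],
        "ATTACHMENT_NAMES": ", ".join(message.get("Attachments", [])),
        "FILTER_NAME": filter_name,
        "MATCHED_RECORDID": matched,
    }
    return render(subject_tpl, values), render(body_tpl, values)

# Constructed test data: placeholder numbers, not real identifiers.
LEAK = {
    "From": "jdoe@company.com",
    "Subject": "Payroll correction %FILTER_NAME%",
    "Body": "Card 4111 1111 1111 1111 replaces the old one. SSN on file: 123-45-6789.",
    "Attachments": ["payroll.xlsx"],
}
CLEAN = {"From": "jdoe@company.com", "Subject": "Lunch", "Body": "Call 555-0100 at 12:30."}

SUBJECT_TPL = "[%FILTER_NAME%] %MATCHED_RECORDID% found in mail from %FROM%"
BODY_TPL = "Subject: %SUBJECT%\nAttachments: %ATTACHMENT_NAMES%\nFilter: %FILTER_NAME%"
FILTER_NAME = "Detect Personal Financial Information (PFI) Records in Outbound Mails"

if __name__ == "__main__":
    for sample in (LEAK, CLEAN):
        print(build_notification(sample, FILTER_NAME, SUBJECT_TPL, BODY_TPL))
```

The leaking message carries both a card number and an SSN, yet only the definition listed first is reported, so a notification naming one record type does not mean the message holds nothing else.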
Archiving
The Policy & Compliance > Compliance > Archiving section is used to configure how
messages are archived. Once configured, you may create a policy filter for which the action is
“Route copy to archive.” Messages can be archived either to a remote archive server or to a file
system.
Archiving to a Remote Server
To have messages archived to a remote server, click the External SMTP Server radio button.
Then, enter the IP address of the server to which email messages should be routed for
archiving in the IP address of archive server field.
Archiving to a File System
To have messages archived to a file system, click the File system radio button.
1. Select the archive settings for both inbound and outbound emails. The following options are
available:
– Do not archive emails—Email messages are not archived.
– Archive emails that are delivered to users in your organization—Email messages
that are delivered are archived. Quarantined email messages are not archived.
– Archive all inbound emails—All emails are archived, including those that are
quarantined in the Junk Box.
2. Select a length of time for emails to be archived.
3. Click the Apply Changes button.
Chapter 9
Encryption Service
The Encryption Service feature works in tandem with Dell SonicWALL Email Security as a
Software-as-a-Service (SaaS), which provides secure mail delivery solutions. The mail
messages that have [SECURE] as part of the Subject will be encrypted and securely delivered
to the recipient via the Encryption SaaS.
Important notes:
• It is the customer's responsibility to protect user passwords and use care in spelling email
addresses when sending emails, especially emails containing sensitive information.
• Encrypted emails automatically expire after 30 days and are not recoverable.
• The subject lines of email messages are not encrypted and should not include electronic
protected health information (ePHI) or confidential information.
This chapter contains the following sections:
• How Encryption Service Works
• Enabling the Secure Mail Policy
• Licensing Email Encryption Service
• Configuring Encryption Service
• Whitelisting IP Addresses
• Users in Encryption Service
• Sending Secure Mail Messages
How Encryption Service Works
The Encryption Service works with both outbound and inbound email messages. The
Encryption Service must first be licensed through the System > License Management page.
The administrator will then enable the default policy filter that enables sending secure email via
the Encryption Service. After adding the necessary sender domains and public IP addresses,
the administrator can then add users that are licensed to use Encryption Service.
Outbound Messages
Outbound messages flow in the following order:
1. A user in an organization sends a secure email message. It is sent through the exchange
email server of the organization.
2. The message is then processed by the Dell SonicWALL Email Security appliance. The
Email Security appliance will be able to recognize the message as Secure Mail based on
the auto sender domains or any other policy set to ‘Route to Encryption Service.’
3. The message is sent from the Dell SonicWALL Email Security appliance via TLS to the
Dell SonicWALL Email Encryption Cloud. The Email Encryption Cloud will be able to
determine this is a secure message based on the auto sender domains or any other policy
set to ‘Route to Encryption Service.’
4. The Email Encryption Cloud then sends a notification email to the recipient. This email
includes a URL to the secure message.
5. The Secure Mail recipient clicks the URL and is required to log into the Email Encryption
Cloud to retrieve the message. Once the recipient views the message, the sender gets a
notification mail from Email Encryption Cloud indicating that the secure message has been
viewed.
Enabling the Secure Mail Policy
In order to begin using the Secure Mail Service, you must first enable the default outbound
policy to Send Secure Mail. Follow the procedures listed below to successfully enable the
Secure Mail policy.
To enable Outbound Secure Mail:
1. Navigate to the Policy & Compliance > Filters page of your Email Security appliance.
2. Click the Outbound tab.
3. Locate the Send Secure Mail: Deliver Message via Encryption Service filter, and click
the Edit button. The Edit Filter screen displays.
4. Click the Enable this filter checkbox. You can either keep the default settings or edit the
settings for this filter. When finished, click Save This Filter.
Note The Policy & Compliance > Filters page allows you to drag-and-drop filters, changing the
precedence order of policies, which may be useful for your specific corporate needs.
Licensing Email Encryption Service
Because Encryption Service is a subscription service, you must purchase a license by logging
in to your MySonicWALL account or by contacting your Dell SonicWALL reseller.
Note: The Encryption Service subscription license must match the Email Protection Subscription
(Anti-Spam and Anti-Phishing) user count. If not, you will receive an error message.
To license the Secure Email Encryption Service, follow the procedures listed:
1. Navigate to the System > License Management page of your Email Security appliance,
   and click the Activate link for Secure Email Encryption Service.
2. Enter the information required on the Email Encryption Service Subscription page:
   – Email Encryption Service Activation Keys—Enter the Encryption Service Activation
     Key(s) provided upon purchase on MySonicWALL or by your Dell SonicWALL reseller.
     For multiple activation keys, separate each key by using a comma.
   – Data Center nearest to you—Select your respective Data Center from the drop down
     list. The Data Center is the location of the Encryption Service servers.
   – Company Name—Enter the company name associated with the Encryption Service.
   – Admin Email Address—Enter the email address of the designated Secure Mail
     administrator. This administrator is responsible for adding, editing, or deleting Secure
     Mail users. Note that you will be able to add/designate multiple administrators in
     another screen.
   – Auto Sender Domains—Enter the list of domains that Secure Mail users will be
     sending email messages from, for example dell.com. Messages from the listed
     domains are auto-provisioned as Secure Mail senders. For multiple domains, separate
     each domain by using a comma.
3. Click Submit.
Configuring Encryption Service
Once you have successfully enabled the Secure Mail outbound policy and licensed the Email
Encryption Service through the License Management screen, you can begin configuring
settings for the service.
1. Navigate to the Encryption Service page on your Dell SonicWALL Email Security
   appliance.
2. The Company Name field auto-populates with the name specified in Licensing Email
   Encryption Service on page 149. Edit the Company Name, if needed.
3. Enter the Auto Sender Domains in the space provided, if needed. The Auto Sender
   Domains field auto-populates with the domains specified in Licensing Email Encryption
   Service on page 149.
4. Enter the list of public IP addresses to be whitelisted from the Email Encryption Service
   in the field provided. Once added to the whitelisted IP address list, Email Encryption
   Service will accept mail from your organization, originating from these IP addresses.
5. Select the checkbox to enable the use of TLS for secure mail sent from the Encryption
   Service to your organization. If you decide to enable this feature, verify that all your inbound
   paths have TLS enabled, located in the Network Architecture > Server Configuration
   page.
6. Click Apply Changes when finished.
Whitelisting IP Addresses
The Encryption Service also supports whitelisting IP addresses. You can enter a list of public
IP addresses that are responsible for delivering outgoing mail recognized as Secure. Then, you
can enter the IP address and any associated domain that is responsible for receiving incoming
mail messages from the Encryption Service. If no inbound addresses are specified, the MX
Records are used instead to deliver mail messages to your organization.
Users in Encryption Service
Dell SonicWALL recommends that the administrator should add users to the Encryption
Service. If any mail messages are sent to the Email Encryption Cloud from a sender account
not already created, the Email Encryption Cloud will automatically create a Secure Mail sender
account, as long as the domain in the email address is one of the Auto Sender domains.
Adding a New User
To add a new user to the Secure Mail Encryption Service, follow the directions listed below:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security
   appliance.
2. Scroll down to the User View Setup section, and click the Add button.
3. Enter the following fields:
   – Email Address—Enter the email address for the user.
   – First Name—Enter the first name of the user.
   – Last Name—Enter the last name of the user.
   – Role—Select the role of the user from the drop down list. The available options are
     User or Admin.
4. Click Add to finish. The new user displays in the User View Setup list.
Note: You may need to click the Refresh button to synchronize user accounts and settings from
the Secure Email Encryption server if it does not automatically display.
Updating an Existing User
To update the information of an existing user, follow the directions below:
1. Select the checkbox corresponding to the user you want to update.
2. Click the Update button. The Update User account screen displays.
3. Edit the First Name, Last Name, or Role. Note that you cannot update the User Email
   Address.
4. Click Update to save changes made and update the user information.
Adding an Existing User
If you have LDAP configured, you can add existing users to the Secure Email Encryption
Service. To add existing users, follow the directions below:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security
   appliance.
2. Click the Add Existing Users button.
3. A list of users displays based on what you have configured for your LDAP directory. You
   can search for an existing user by email address in the search field.
4. Select the user you wish to add, then click the Add button. The new user displays in the
   User View Setup list.
Importing Users
If there are multiple users you would like to add, you can import a .txt list of users to be added
to the Secure Email Encryption Service.
The .txt file must use a <TAB> delimiter between the primary email address, first name, last
name, and role of each user. You must use <CR> to separate entries. See the following
example:
primary_email@company.com<TAB>firstname<TAB>lastname<TAB>admin<CR>
primary_email@company.com<TAB>firstname<TAB>lastname<TAB>user<CR>
Note that the Primary email address is mandatory, while the other fields are optional.
To import users, follow the directions below:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security
   appliance.
2. Click the Import Users button.
3. Click the Choose File button to select the file containing the list of users.
4. Click Import.
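A pre-import check for the user list format described above, as an added example that is not part of the original guide or the product: it rejects malformed entries and lists every address that would receive the admin role, so role grants can be reviewed before the file is uploaded. The address pattern, the optional `allowed_domains` policy, the acceptance of CR, LF or CRLF as the entry separator, and all names and sample data are assumptions.

```python
import re

FIELDS = ("email", "first_name", "last_name", "role")
ALLOWED_ROLES = {"user", "admin"}  # the two roles the guide lists
# Deliberately loose address check; an assumption, the guide defines none.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_import_file(text, allowed_domains=None):
    """Return (rows, problems) for the text of a user import file.

    rows            -- dicts for the entries that passed every check
    problems        -- (line_number, message) for the entries that did not
    allowed_domains -- optional set of lowercase domains (assumed local
                       policy); addresses outside it are reported
    """
    rows, problems, seen = [], [], set()
    # splitlines() accepts CR, LF and CRLF as the entry separator.
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines
        parts = [part.strip() for part in line.split("\t")]
        if len(parts) > len(FIELDS):
            problems.append((number, "more than four tab-separated fields"))
            continue
        parts += [""] * (len(FIELDS) - len(parts))  # optional fields may be absent
        row = dict(zip(FIELDS, parts))
        row["email"] = row["email"].lower()
        row["role"] = row["role"].lower()
        error = _first_error(row, seen, allowed_domains)
        if error:
            problems.append((number, error))
            continue
        seen.add(row["email"])
        rows.append(row)
    return rows, problems


def _first_error(row, seen, allowed_domains):
    email, role = row["email"], row["role"]
    if not email:
        return "primary email address is missing"
    if not EMAIL_RE.match(email):
        return "primary email address is malformed (spaces instead of tabs?)"
    if email in seen:
        return "duplicate primary email address"
    if allowed_domains is not None and email.rsplit("@", 1)[1] not in allowed_domains:
        return "address is outside the expected domains"
    if role and role not in ALLOWED_ROLES:
        return "role must be 'user' or 'admin'"
    return None


def admin_addresses(rows):
    """Addresses that would be imported with the admin role."""
    return sorted(row["email"] for row in rows if row["role"] == "admin")


# Constructed sample data: CR-separated entries, several of them defective.
SAMPLE_IMPORT = (
    "alice@example.com\tAlice\tAdams\tadmin\r"
    "bob@example.com\tBob\tBrown\tuser\r"
    "carol@example.com\r"                      # optional fields omitted
    "\tDan\tDoe\tuser\r"                       # mandatory address missing
    "erin@example.com\tErin\tEvans\towner\r"   # role not offered by the service
    "frank@example.com Frank Ford user\r"      # spaces used instead of tabs
    "bob@example.com\tRobert\tBrown\tadmin\r"  # duplicate that raises the role
    "mallory@example.net\tMal\tLory\tadmin\r"  # admin outside the own domain
)

if __name__ == "__main__":
    rows, problems = check_import_file(SAMPLE_IMPORT, {"example.com"})
    for number, message in problems:
        print(f"line {number}: {message}")
    print("admin role requested for:", ", ".join(admin_addresses(rows)))
```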
Exporting Users
You can export the list of Secure Email Encryption Service users by performing the following
steps:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security
   appliance.
2. Click the Export Users button. The list is exported as a .txt file and saved to your local system.
Cobrand and Reporting
The Secure Email Encryption Service allows you the option to customize features on the
management console. You can also customize reports from the Secure Email Encryption
Service.
The following are Cobrand and Reporting settings you can configure through the Secure Email
Encryption server portal:
• Company and User Type Properties
• Cobrand Management Console
• Message Tracking Report
• User Logon Report
• User Reports by Message Size, Volume, Date, and Summary
• Total View Report
Company and User Type Properties
The Company Configuration > Company Information page allows you to edit your
organization’s information. The following fields are editable:
• Company Name—This is the Company Name specified in the
  Dell SonicWALL Email Security System > License Management page upon licensing the
  Encryption Service.
• Email Address—This is the Admin Email Address specified in the
  Dell SonicWALL Email Security System > License Management page upon licensing the
  Encryption Service.
The Company Configuration > Company Properties page allows you to edit the
Automatically Create Sender Accounts setting. Select one of the following options: Off, On,
or Off Send Plain Text.
Cobrand Management Console
The Cobrand Management Console page allows you to edit your organization’s existing
cobrand settings or create a new cobrand. Perform the following steps:
1. Under the Cobrand Information section, select (Create a New Cobrand) from the drop
   down list to create a new cobrand. To edit an existing cobrand, select it from the drop down
   list.
2. Specify the following cobrand settings:
   – Company Name—A descriptive name that is associated with the cobrand and will be
     displayed in the drop down list for editing.
   – Default URL—The URL where users are directed when they click the cobrand image.
     Note that you must include the protocol/scheme (“http://”) in the URL.
   – Cobrand Color—The web color used for the login panel, top and bottom ribbon bars
     (menu and status bars) for Webpages on the server portal. The web color is identified
     with a 6-character hexadecimal number, commonly used with HTML, CSS, and other
     applications. You can also identify the cobrand color using the Color Selector box that
     displays upon editing the hexadecimal number.
   – Top HTML (Optional)—Allows you to specify a block of HTML coding to be used in
     place of the cobrand image in the page header. The HTML can contain text, links,
     graphics, and columns, or follow an HTML style sheet.
     Note that if the Top HTML field contains boilerplate code, do not delete it unless you
     intend to replace it with customized HTML.
   – Loaded Image (Optional)—Displays the database server path and internal filename
     for the uploaded cobrand image. Click the Clear Image button to immediately remove
     the image from the cobrand.
   – Allow users to stay signed in—Select the checkbox to enable, and then specify the
     amount of time for users to stay signed in.
3. Filter Messages—Allows you to limit the messages that users see in their mailbox to
   messages related to the cobranded company. If enabled, the Secure Mail recipient’s
   mailbox only displays messages from or to the cobranded company, as long as the recipient
   accesses the server using the notification email link.
4. Select Image—Select a cobrand image, such as an organization or company logo, that
   displays at the top of all the server portal pages. This is an efficient and easy way to create
   professional branding without requiring the use of HTML. Click the Choose File button to
   select the image you want assigned to the cobrand.
5. Click the Save button to save your changes and apply the cobrand to your organization.
Message Tracking Report
The Message Tracking Report enables you to search through email addresses and subject
lines of Secure Mail messages (message bodies are not included in the search). To generate
a Message Tracking Report:
1. Click the Message Tracking Report link from the Secure Mail Encryption Service portal.
2. Enter the search parameters into the Email Address or Pattern, Start Date, and End Date
   fields. The To/From drop down list specifies whether to search for the parameters in the To
   or From field of email messages.
3. Click the Generate Report link. The report displays all messages matching the specified
   criteria.
User Logon Report
The User Logon Report generates reports about user log on activity. You can search activity
based on specific users, defined timeframes, and also how the user logged into the service. To
generate a User Logon Report:
1. Click the User Logon Report link from the Secure Mail Encryption Service portal.
2. Enter the search parameters into the Email Address or Pattern, Start Date, and End Date
   fields. The Logon Source drop down list specifies which service the user accessed. The
   default is All, which includes every service the user may have used.
3. Click the Generate Report link. The report generates all log on events for the user, based
   on the specified criteria.
User Reports by Message Size, Volume, Date, and Summary
There are several types of user reports, each of which can be filtered for sent or received
messages (or both) for each user. These reports are summaries of user statistics, differing from
the more detailed reports such as the Message Tracking Report.
The following types of reports can be generated:
Report Type                 Description
Message Size Statistics     Shows the size of messages sent and received by each user
Message Date Statistics     Shows when messages have been sent by the users (first and last messages for each user)
Message Volume Statistics   Shows the number of messages sent/received by the user
Message Summary Data        Shows the fields of the other statistics reports on one screen.
To access any User Report:
1. Click the User Reports by Message Size, Volume, Date, and Summary link from the
   Secure Mail Encryption Service portal.
2. Click on the Report to view the information.
Total View Report
The Total View Report provides complete tracking of all messages sent through the Secure Mail
system. The report contains a record of every message sent along with the tracking data for
the message (and attachments) in a single report. This report is provided as a CSV file.
The Total View Report includes the following fields:
• Message ID
• Date
• From Email
• To Email
• Subject
• Notification Timestamp
• Message Status (Opened / Not Opened)
• Message Open Time
• Attachment Name
• Attachment (Accessed / Not Accessed)
• Attachment Open Time
Note: Each message and every attachment within a message is reported separately. For example,
a message to two recipients with two attachments will generate four rows of data: Two for
each recipient, with one attachment listed on each line per recipient.
To generate a Total View Report:
1. Click the Total View Report link from the Secure Mail Encryption Service portal.
2. Specify the Date range for the report. For more efficiency, you can click one of the quick
   links: Last day, 30 days, or 60 days. This will automatically select the specified time period.
3. Click the Generate Report link.
4. Click the Download Report link to save the CSV file to your local system. Click Select
   Different Dates to return to the previous screen and conduct a new search with different
   dates.
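Because the Total View Report repeats a message once per recipient and attachment, counting rows overstates the number of messages. The following added example (not part of the original guide or the product) folds a downloaded report back into one record per message and recipient, then lists deliveries that were never opened and attachments that were never accessed. The exact CSV header text, the empty attachment cells for a message without attachments, and the sample data are assumptions.

```python
import csv
import io

# Column names follow the field list in the guide; the exact header text of
# a real export is an assumption, so adjust these constants to match it.
COL_ID, COL_FROM, COL_TO, COL_SUBJECT = "Message ID", "From Email", "To Email", "Subject"
COL_STATUS, COL_ATT_NAME, COL_ATT_STATE = "Message Status", "Attachment Name", "Attachment"
REQUIRED = (COL_ID, COL_FROM, COL_TO, COL_SUBJECT, COL_STATUS, COL_ATT_NAME, COL_ATT_STATE)


def _cell(row, column):
    """Cell value as stripped text; short rows yield an empty string."""
    return (row.get(column) or "").strip()


def fold_total_view(csv_text):
    """Fold report rows into one record per (message ID, recipient)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("report is missing columns: " + ", ".join(missing))
    deliveries = {}
    for row in reader:
        key = (_cell(row, COL_ID), _cell(row, COL_TO).lower())
        entry = deliveries.setdefault(key, {
            "from": _cell(row, COL_FROM).lower(),
            "subject": _cell(row, COL_SUBJECT),
            "opened": False,
            "attachments": {},  # attachment name -> accessed?
        })
        # "Not Opened" does not equal "opened", so only opened rows set the flag.
        if _cell(row, COL_STATUS).lower() == "opened":
            entry["opened"] = True
        name = _cell(row, COL_ATT_NAME)
        if name:
            accessed = _cell(row, COL_ATT_STATE).lower() == "accessed"
            entry["attachments"][name] = entry["attachments"].get(name, False) or accessed
    return deliveries


def unopened(deliveries):
    """(message ID, recipient) pairs whose secure message was never opened."""
    return sorted(key for key, entry in deliveries.items() if not entry["opened"])


def unread_attachments(deliveries):
    """(message ID, recipient, attachment) opened but attachment not accessed."""
    return sorted(
        (key[0], key[1], name)
        for key, entry in deliveries.items() if entry["opened"]
        for name, accessed in entry["attachments"].items() if not accessed
    )


# Constructed sample: one message to two recipients with two attachments
# (four rows, as the guide's note describes) and one without attachments.
SAMPLE_REPORT = (
    "Message ID,Date,From Email,To Email,Subject,Notification Timestamp,"
    "Message Status,Message Open Time,Attachment Name,Attachment,Attachment Open Time\n"
    "M-1001,2015-01-12,alice@example.com,bob@example.org,Q4 figures,2015-01-12 09:00,"
    "Opened,2015-01-12 09:30,q4.xlsx,Accessed,2015-01-12 09:31\n"
    "M-1001,2015-01-12,alice@example.com,bob@example.org,Q4 figures,2015-01-12 09:00,"
    "Opened,2015-01-12 09:30,notes.pdf,Not Accessed,\n"
    "M-1001,2015-01-12,alice@example.com,carol@example.org,Q4 figures,2015-01-12 09:00,"
    "Not Opened,,q4.xlsx,Not Accessed,\n"
    "M-1001,2015-01-12,alice@example.com,carol@example.org,Q4 figures,2015-01-12 09:00,"
    "Not Opened,,notes.pdf,Not Accessed,\n"
    "M-1002,2015-01-13,alice@example.com,dave@example.org,Contract,2015-01-13 10:00,"
    "Opened,2015-01-13 11:00,,,\n"
)

if __name__ == "__main__":
    folded = fold_total_view(SAMPLE_REPORT)
    print(len(folded), "deliveries in", len({k[0] for k in folded}), "messages")
    print("never opened:", unopened(folded))
    print("attachments not accessed:", unread_attachments(folded))
```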
Sending Secure Mail Messages
To send a Secure Mail message from your organization’s exchange email server, you must first
download the plug-in for the Secure Mail button.
Note: The Secure Mail button plug-in is currently available for Microsoft Outlook (32 and 64-bit).
To download the plug-in, follow the instructions listed:
1. Navigate to the Downloads page of the Email Security interface.
2. Click the link for Secure Mail Outlook plugin that applies to your version of Outlook
   (32-bit or 64-bit). This will begin a download to your local system.
3. Run the installer to complete installation.
4. Once the plug-in is successfully installed, launch Outlook and click New E-mail to compose
   a new message. The Secure Mail button now appears in place of the Send button.
Chapter 10
Users, Groups & Organizations
The Users, Groups, and Organizations management function allows you to:
• Manage the list of users who can log in to the Email Security product
• Assign roles to individual users or groups of users
• Set spam blocking options for groups of users
This chapter also describes how to assign a delegate to manage your Junk Box. For more
information, see Junk Box Settings on page 183.
Note: To manage users and groups from within this module, you need to have configured your
Email Security setup to synchronize with your organization’s LDAP server. You can
configure LDAP settings and queries on the System > LDAP Configuration page.
This chapter contains the following sections:
• Working with Users
• Working with Groups
• Working with Organizations
• Email Security User Roles
• Users and Groups in Multiple LDAP
Working with Users
To manage users in Email Security, navigate to the Users, Groups & Organizations > Users
page. From this screen, you can sign in as any user, set their message management settings
to corporate default, and edit their privileges in the system. Select the Source to use from the
dropdown list, then click Go.
Finding All Users
If there are too many users to display in a window, you can conduct a search using the “Find
all users in column” section.
1. Select from the dropdown list to do a search by User Name or Primary Email.
2. Next, select from the next dropdown list if the search parameter is equal to, starts with,
   or contains. Note that each of these fields determines the speed of the search, where
   equal to is the fastest type of search and contains is the slowest.
3. Select if you want the search to Show LDAP entries or Show non-LDAP entries by
   selecting the checkboxes next to either option.
4. Enter the search parameter in the blank field, and click Go.
Sort
To sort the list of users by a column, click the User Name or Primary Email column heading.
Signing In as a User
Administrators can sign in as any user, see their Junk Box, and change the settings for that
user. In addition, you can sign in as a particular user to manage their delegates for them. Click
the checkbox next to the User Name, then click the Sign In as User button.
Edit User Rights
Administrators can assign different privileges to different users in the system by assigning them
pre-defined roles. To assign a role to a user, select the user and click the Edit User Rights
button. Select which role to assign to the user, then click Apply Changes.
For information regarding User Roles, see Email Security User Roles on page 174.
Resetting User Message Management Setting to Default
Select one or more users and click Set Message Management to Default to restore all settings
to the defaults. Be aware that this overrides all individual user preferences the user might have
set.
Add
The administrator can add individual non-LDAP users. Fill out the Primary Address and Alias
fields, then click Add. Add an existing user with an alias and the user will have that alias added
to them. This is not dependent on LDAP status.
Note: Users added in this way remain non-LDAP users. Their User Rights cannot be changed.
Their source will be listed as Admin. Users can edit their Junk Box setting only if the
administrator sets the Junk Box setting: Enable “Single Click” viewing of messages to
“Full Access” in the System > Junk Box Summary page.
Remove
The administrator can remove individual non-LDAP users. First select a non-LDAP user by
using the checkbox in front of the name, then click the Remove button to delete the name from
the list.
Import
The administrator can add multiple non-LDAP users by importing a list of names. The list is
made up of the primary addresses followed by the corresponding aliases of the users. The
imported file can be appended to the existing names, or overwrite them. The format of the file
is tab-delimited. One may use an Excel spreadsheet to generate a user list and save it as a
tab-delimited file. To import the list, click the browse button to locate the file and click Import.
Export
The administrator can download a tab-delimited list by clicking this button. The file generated
lists multiple non-LDAP users and can later be imported using the Import feature.
Working with Groups
Navigate to the Users, Groups & Organizations > Groups page to manage Group settings.
Note that the settings on this page are optional.
About LDAP Groups
This section describes how Email Security lets you query and configure groups of users
managed by an LDAP server. Most organizations create LDAP groups on their Exchange server
according to the group functions. For example, a group configured on their Exchange server
called support represents the technical support groups in Exchange.
Configure LDAP groups on your corporate LDAP server before configuring the rights of users
and groups on Email Security in the LDAP Configuration screen.
Dell SonicWALL Email Security allows you to assign roles and set spam-blocking options for
user groups. Though a user can be a member of multiple groups, Email Security assigns each
user to the first group it finds when processing the groups. Each group can have unique
aggressiveness settings for the various spam prevention techniques. You can configure each
group to use the default settings or specify settings on a per-group basis.
Updates to group settings in this section are not reflected immediately. The changes will be
reflected the next time Email Security synchronizes itself with your corporate LDAP server. If
you want to force an update, click the Refresh Users & Groups button.
Add a New Group
To add a new group, click the Add New Group button. The Add Group window appears with a
list of all the groups to which you can assign roles. You can also add new groups in this window.
Finding a Group
1. From the Add Group screen, search for the group you want by entering the name in the text
   box. Choose the search mechanism and search speed: equal to (fast), starts with
   (medium), or contains (slow). Click Go to begin the search.
   OR
   Scroll through the list of groups to locate the group you want to add.
2. Click the checkbox to include the group.
3. Click Add Group.
   A message appears stating that the group was added successfully.
Removing a Group
1. Click the checkbox adjacent to the group(s) to remove.
2. Click the Remove Group button. A success message appears.
Listing Group Members
1. Click the checkbox adjacent to the group to list.
2. Click the List Group Members button.
Users belonging to that group will be listed in a pop-up window.
Setting an LDAP Group Role
All members of a group are also given the role assigned to the group. To set the role of a group,
follow the procedures listed:
1. Click the checkbox adjacent to the group to edit.
2. Click Edit Role. A window appears with the group’s name and current role.
3. Click the radio button for the appropriate role that you want to assign to the group.
4. Click Apply Changes.
   A message appears stating that the group was changed successfully.
Note: Email Security queries your corporate LDAP server every hour to update users and groups.
Changes made to some settings in this section may not be reflected immediately on
Email Security, but are updated within an hour.
User View Setup
This section controls which options are available to the users in this group when they log in to
the server using their user name and password. You can change the settings on the following items:
• Login Enabled—Enables users in this group to log into their Junk Box.
• Anti-Spam Techniques—Allows or blocks specified people, companies, lists,
  aggressiveness, foreign languages.
  – Full user control over anti-spam aggressiveness settings—Allows users full
    access to configuring Anti-Spam aggressiveness settings.
• Reports—Allow users in this group to look at their Spam reports.
• Settings—Enables users in this group to view their settings.
  – Junk mail management—Allows users access to junk mail management settings.
• Quarantined Junk Mail Preview Settings—Click the Users in this group are allowed to
  preview quarantined junk mail checkbox to enable this setting for users.
• Click Apply Changes.
Anti-Spam Aggressiveness
You can configure Anti-Spam Aggressiveness settings for this group.
1. Choose the appropriate Grid Network Aggressiveness level for this group.
   Note that selecting a stronger setting will make Email Security more responsive to other
   users who mark a message as spam.
2. Choose the appropriate Adversarial Bayesian Aggressiveness level for this group.
   Note that selecting a stronger setting will make Email Security more likely to mark a
   message as spam.
3. Select the checkbox to Allow users to unjunk spam. If the checkbox is unchecked, users
   are not able to unjunk spam messages.
4. For each category of spam, determine level and whether members of the group are allowed
   to unjunk their Junk Boxes.
5. Click Apply Changes.
Languages
You can determine the foreign language emails that groups can receive.
• Select Allow All to allow all users in a group to receive email in the specified language.
• Select Block All to block all users in a group from receiving email in the specified language.
• Click No opinion to permit email to be subject to the spam and content filtering of
  Dell SonicWALL Email Security.
• Click Apply Changes.
Junk Box Summary
You can manage the way in which you receive the Junk Box summary of emails. To configure
settings for the Junk Box for groups:
1. Select the Frequency of Summaries sent to users.
2. Select the Time of Day users receive junk summary emails.
3. Select the Day of the Week users receive junk summary emails.
4. Select if the Summaries include All Junk Messages or Only Likely Junk.
5. Select from the dropdown list the Language of Summary Email.
6. Choose to send Plain Summary or Graphic Rich Summary.
7. Select the checkbox to Send Junk Box Summary to Delegates. Note that when this
   checkbox is selected, the summary email is sent to the delegate, not to the original
   recipient.
8. Click Apply Changes.
Spam Management
You can manage how groups deal with spam through the Spam Management window. To
manage messages marked as Definite Spam or Likely Spam for this group:
Choose what you want done with messages:
• Spam Filtering Off—Passes all messages to users without filtering.
• Permanently Delete—If determined Definite or Likely Spam, messages are permanently
  deleted.
• Bounce back to sender—Messages are sent back to the sender.
  Caution: In cases of self-replicating viruses that engage the sender’s address book, this
  can inadvertently cause a denial-of-service to a non-malicious user.
• Send to—Specify an email address for the recipient.
• Tag with—Label the email to warn the user. The default is [SPAM] or [LIKELY_SPAM].
• Select the checkbox This Group accepts automated Allowed Lists if you want
  automated Allowed Lists to apply to this group.
• Click Apply Changes.
Phishing Management
The phishing management window gives you the option of managing phishing and likely
phishing settings at a group level. Just like Spam Management options, it allows you to deal
with phishing differently for different groups. However, unlike Spam Management options, these
settings cannot be altered for individual users.
Virus Management
The virus management window gives you the option to manage Definite Virus and Likely Virus
settings at a group level. Just like Spam Management options, it allows you to deal with viruses
and likely viruses differently for different groups. However, unlike Spam Management options,
these settings cannot be altered for individual users.
Forcing All Members to Group Settings
Select the checkbox next to the Group(s) you want to adhere to Group Settings. Then, click the
Force All Members to Group Settings button. All individual settings are overwritten by the
Group Settings.
Assigning Delegates
Delegates are people who have full access to your individual Junk Box. This includes the ability
to change your Junk Box settings and manage the messages in your Junk Box. The most
common use of delegates is for an administrative assistant to act as a delegate of the CEO of
a company. The assistant frequently has access to all of the CEO's email, so the assistant now
would have access to the CEO's Junk Box and Junk Box settings as well.
To assign a delegate to manage your Junk Box, follow the procedures listed:
1. Sign in to your individual user account; click the Sign in as any user link at the bottom of
   most Email Security windows and sign in with your username and password.
2. Go to Settings > Delegate.
3. To add a delegate, click the Add button. The Add New Delegate screen appears.
4. Enter the email address of the delegate in the text box.
5. Click Go. A group of people who match the email address appears.
6. Click the checkbox adjacent to the preferred delegate.
7. Click Add Delegate.
To remove a delegate, click the Remove button on the Delegate window.
Working with Organizations
The Users, Groups & Organizations > Organizations page lists the available Organizational
Units paired with the Email Security solution.
Organizations are a smaller group of domains set by the Global Administrator as an efficient
way of managing an entire enterprise-sized Email Security system setup. These subset groups,
also known as an Organizational Unit (OU), are managed by a sub-Administrator, called the OU
Administrator. The OU Administrator role has full administrative rights to the OU he has been
assigned to by the Global Administrator.
The OU Admin can log in as any other user within the assigned group of domains to edit a
user’s individual settings, edit group settings for groups within their OU, manage Junk
Boxes, and view Reports. The OU Admin is not able to add or remove domains from an
Organization, regardless of whether he is the OU Admin of that Organization; only the Global
Administrator has the ability to perform these tasks.
To add an organization, follow the procedures listed:
1. From the Users, Groups & Organizations > Organizations page, click the Add
   Organization button.
2. Enter the Primary Domain. Acceptable domains follow the form of domain.com or
   sub.domain.com. The Organization Admin Login ID is automatically populated based on
   what is entered as the Primary Domain.
3. Enter the Organization Admin Password.
4. Type the Domain(s) in the provided space, separating multiple domains with a comma.
5. Then, click the Add button. A notification appears, stating that old data will now be migrated
   to the organization level. Acknowledge the notification by clicking OK.
Note the following when creating a new organization:
• User settings are migrated to the newly created organization.
• LDAP configured at the Global Administrator level is not automatically migrated when
  creating a new organization. The OU Admin needs to reconfigure the LDAP for his
  organization. Neglecting to configure the LDAP can potentially break user authentication
  for domains of that organization.
• Group Settings configured at the Global Administrator level are not automatically migrated
  when creating a new organization. The OU Admin needs to reconfigure the Group Settings
  for his organization.
• User Rights configured at the Global Administrator level are not automatically migrated when
  creating a new organization. The OU Admin needs to reconfigure the User Rights for the
  users in his organization.
• Group Roles configured at the Global Administrator level are not automatically migrated
  when creating a new organization. The OU Admin needs to reconfigure the Group role for
  the groups in his organization.
Note: Any domains added in the Create Organization screen that are not already listed in the
Network Architecture > Server Configuration page are not automatically added to the
server. The Global Administrator needs to add these domains to the Network Architecture
path separately.
Signing In as an OU Admin
As a Global Administrator, you can sign in to any Organization as an OU Admin. Click the Sign
in as OU Admin icon. You are automatically directed as the OU Admin to the respective OU in
a new window. Click the Log Out icon to log out as the OU Admin.
Configuring OU Settings
As a Global Administrator, you can also elect to subscribe to alerts for a specific Organization
so that you are notified about updates and changes made to this Organization. Click the
Settings icon of the Organization you want alerts for. Then, click the Subscribe to alerts
checkbox, and click Save.
Removing an Organization
To delete an Organization, click the Remove button of the Organization you wish to delete.
Email Security User Roles
Roles are a set of privileges that you can grant any individual user or group of users in the
Email Security system. The possible roles that can be assigned to any user or groups are:
• OU Administrator—The Organizational Unit (OU) Administrator role has full administrative rights to a specific list of domains the Global Administrator specifies. Typically, the Global Administrator of an enterprise-sized organization may wish to delegate the management of a smaller group of domains, or Organizational Units, between several users requiring administrative rights for successful management of these OUs. The OU Admin can log in as any other user within the group of domains assigned to change a user’s individual settings, view and manage Junk Boxes, and configure other areas of the Email Security system.
For more information regarding OU Administrators and Organizational Units, refer to the Working with Organizations on page 172.
• Help Desk—A user assigned as Help Desk has access to the corporate Junk Box and can unjunk items. This role also allows the user to log in as any user to change that user’s individual settings and view Junk Boxes. The Help Desk role does not allow the user to change global settings or other server configurations.
• Group Admin—A group administrator role is similar to the Help Desk role except that this role’s privileges are limited to users for the group that they are specified to administer. The Group Admin role is always associated with one or more groups added to the Spam Blocking Options for Groups section.
• Manager—A user assigned as Manager has access to corporate Reports and Monitoring screens. The user cannot change any configuration settings, nor are they able to sign in as any other user.
• User—A user role is only allowed to log in to the Email Security system, has access to his own individual user settings, and can only customize his own settings.
• Adhere to Group rights—If the user is part of a group, selecting this option forces the user to inherit the rights assigned to the members of that group.
Users and Groups in Multiple LDAP
The administrators of each organization can create a master LDAP group that encompasses all
their users and groups. That master group can then be used to administer Email Security
settings across the organization, even if there are multiple domains. With a group that contains
all the members of the LDAP, the administrator effectively administers the LDAP.
Users
When an administrator logs in and views the Users, Groups & Organizations > Users page,
she sees all the email addresses that exist on that instance of Email Security. The administrator
can then narrow the view to only the entries from that LDAP.
Note: The Using Source selection allows administrators to access users who were added directly
to Email Security, and did not come in through an LDAP entry. These entries will not be
deleted with an LDAP deletion.
This section contains the following subsections:
• Filtering through User View Setup on page 175
• Finding a Specific User on page 176
• Adding a New User on page 176
• Deleting a User on page 176
Filtering through User View Setup
To filter the user view setup by source, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Users.
3. Scroll down to User View Setup.
4. From the Using Source drop-down menu, choose the LDAP source associated with the users you want to view. Click Go.
You will see only the users associated with that LDAP source. The list of users can be sorted
by user name, primary email address, user rights, or source. If you have already filtered by
source, sorting by source will not retrieve anything outside the filter.
To sort a list of users, click on the column heading that describes the sort type. Click again to
sort in reverse order.
Each LDAP user record has a checkbox next to it. To edit a user or users, select the box. If you
select one user, you can log in as that user or edit that user’s rights, for example, to elevate
them to group admin or help desk-level rights. If you select more than one user, you can only
change their message management style to the default style.
Finding a Specific User
Because there are usually many records in an LDAP source, Email Security has provided
several ways of looking for a specific user. To find a specific user, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then click Users.
3. Scroll down to User View Setup.
4. From the Find all users in column drop-down menu, choose either the username or the primary email address to search on.
5. Choose which type of search you want. Exact matches are the fastest, but matches that contain your search term may help you more if you cannot remember the exact username or address you are looking for.
6. Enter your search term.
7. Click Go. You will see the users who match your search criteria.
Adding a New User
If you want to add a user who does not appear in the automatically-generated list from your
LDAP, you can choose to manually add an account. If an LDAP is not provided, the user will be
added to the default LDAP source. You cannot add users to your LDAP from the
Dell SonicWALL Email Security interface.
To add a user, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then click Users.
3. Scroll down to User View Setup.
4. Click Add.
5. Enter the user’s fully-qualified email address, choose a source (if any), and any aliases you wish to associate with the user.
Deleting a User
To delete a user, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Users.
3. Scroll down to User View Setup.
4. Select the user you wish to delete. Deleting a user will not remove the user’s LDAP entry, only the entry in the Email Security system.
5. Click Add.
Groups
Use the Users, Groups & Organizations > Groups page to incorporate or extend existing
LDAP groups. You can also change a group’s security role in the Email Security system and
view the membership of a group.
This section contains the following subsections:
• Filtering through the Group View on page 177
• Changing a Group’s Role on page 177
• Viewing Members of a Group on page 178
• Setting Junk Blocking by Group on page 178
Filtering through the Group View
To filter the group view by source, follow the procedures:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. From the Using Source drop-down menu, choose the LDAP source associated with the groups you want to view. Click Go.
5. If you do not see the group you want, click the Add Group button. You can choose an existing group from one of your sources. You cannot create a group that does not exist.
Changing a Group’s Role
You can change each group’s role in Email Security. Email Security roles determine a user’s
permissions to change Email Security settings, including user settings. To change a group’s
role, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to change.
5. Click Edit Role.
6. In the pop-up window, choose the role you want that group to have. You can choose only one role per group. If a user is in multiple groups, permissions are granted in the order in which the groups are listed in the user’s profile.
7. Click Apply Changes. You will see a status update at the top of the page.
Viewing Members of a Group
You can view the members of a group in Email Security. To view the members of a particular
group, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to see the membership of.
5. Click List Members.
A pop-up window lists the group’s membership by primary email address.
Setting Junk Blocking by Group
You can use the existing LDAP groups to configure the filtering sensitivity for different user
groups. For example, your sales group might need to receive email written in foreign
languages. To set junk blocking by group, follow the procedures below:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Set Junk Blocking Options for Groups Found in LDAP.
4. Under Using LDAP, select your LDAP.
5. Select a group to edit.
6. Click Edit Junk Blocking Options. The Group Junk Blocking Options window displays. Follow the recommendations described in Chapter 4, “Anti-Spam”.
Chapter 11
Junk Box Management
The Junk Box chapter contains the following sections:
• Junk Box—Simple View on page 180
• Junk Box—Advanced View on page 180
• Supported Search in Audit and Junkbox on page 182
• Junk Box Settings on page 183
• Junk Box Summary on page 184
The Junk Box allows you to review and process email messages that have been flagged as
spam, virus-infected, organization policy violations, or phishing. You can unjunk or release a
falsely identified message. When you or the recipient unjunks an incoming message,
Email Security adds the sender of the message to the recipient’s Allowed list and delivers the
email to the recipient.
The size of the junk box can grow rapidly. By default, the messages are stored in the junk box
for 30 days and deleted after that. You may need to customize this setting depending on your
organization’s policies and the storage capacity of the shared data directory where messages are
stored. To change this setting, go to Junk Box Management > Junk Box Settings > Number
of days to store in Junk Box before deleting, and choose a value between 1 and 180 days.
Messages in junk box can be quickly sorted and viewed by threat types. Messages that contain
definite spam, phishing, and viruses have red asterisks (*) adjacent to them. Messages that
contain likely spam, phishing, and viruses do not have any marks.
Type of Message | Display
Spam (definite) | *Spam
Likely Spam | Spam
Phishing (definite) | *Phishing
Likely Phishing | Phishing
Virus (definite) | *Virus
Likely Virus | Virus
Junk Box—Simple View
The Junk Box Management > Junk Box window displays all the messages that have been
categorized as the selected threats. You can also:
• Search for messages containing specific strings in the following fields: Subject, From, To, or Unique Message ID. Search is not case sensitive.
• Select a specific date to search on any particular date.
Junk Box—Advanced View
Additional search capabilities give administrators the ability to support users more effectively,
audit more selectively, and dispose of unwanted messages with more granularity. To use
Advanced Search, follow the procedures below:
1. On the Junkbox Management > Junk Box page, click the Advanced View button.
2. To search for specific email threat types, select the checkboxes in the Threats section.
3. Click Search.
Messages matching your search criteria are displayed. To move quickly through results pages,
click in the field that says “Page 1 of 4814641” and type the result page you want to view. You
can also change the number of messages displayed on each page. As an example, suppose
you wanted to see only messages that were Spam or Likely Spam. Clear all the checkboxes
except the Show Spam and Show Likely Spam checkboxes. Leave all the locations selected
and click Search.
Outbound Messages Stored in Junk Box
To display the outbound messages in junk box, navigate to the Junk Box Management > Junk
Box page and click on the Outbound tab. Outbound message management detects messages
sent by users in your organization that contain viruses, likely viruses, and messages that trigger
policy alerts. Outbound message management also quarantines outbound spam, phishing, and
UAS.
Note: Messages stored in the Outbound Junk Box cannot be reviewed by the senders. The
senders will not see their messages in their Junk Box Summary notifications. Only
administrators can review and process messages quarantined in the Outbound Junk Box.
Messages in the Junk Box are deleted after the number of days shown at the top of the Junk
Box page. This setting can be changed in the Junk Box Management > Junk Box Settings
page.
Supported Search in Audit and Junkbox
The following types of search can be performed in the To, From, or Subject field:
Boolean Search
• OR Operator—This is the default search. Add OR in between search words. The results will contain any of these search words.
• AND Operator—Add ‘+’ before the search word, or add AND in between search words. Each result must contain these words.
• NOT Operator—Add ‘-’ before the search words, or add NOT in between search words. The results must not contain these search words.
Wildcard Search
• * operator—Add * to the middle or end of the word. This substitutes more than one character to the search word, and attempts to perform a search on all possible words.
• ? operator—Add ? to the middle or end of the word. This substitutes one character and will find the match for the word.
Note: Wildcard operators should be added to the middle or end of the text, rather than at the
beginning.
Phrase Search
A phrase is a group of words surrounded by “quotes”. The exact phrase will be searched.
Fuzzy Search
Add ‘~’ to the end of the word to search for the closest possible match. This search is useful
when search words have an error, or the exact spelling for the text is unknown.
Proximity Search
This searches for words that are close to each other. The syntax is “word1 word2”~distance.
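The operators above can be tried out against sample data with the following Python example, which is added here for illustration and is not SonicWALL code or part of the original guide. It evaluates the Boolean, wildcard, phrase and proximity forms over constructed subject lines, and assumes upper-case operator keywords, straight double quotes, * matching zero or more characters, and distance counted as the difference in word positions; fuzzy (~) search is left out because the guide gives no matching threshold, and the product's own matching may differ.

```python
import re
from itertools import product

# Constructed sample subject lines (not from a real Junk Box).
SUBJECTS = [
    "Invoice 4471 payment overdue",
    "Your payment receipt",
    "Weekly newsletter: payment tips",
    "Urgent wire transfer request",
    "Password reset for your account",
]

# Optional +/- prefix, then a quoted phrase with optional ~distance, or a bare word.
TOKEN = re.compile(r'([+-]?)(?:"([^"]+)"(?:~(\d+))?|(\S+))')
WORD = re.compile(r"[a-z0-9]+")


def wildcard_to_regex(term):
    """Translate * and ? into a regex (assumed: * is zero or more characters)."""
    return re.compile(re.escape(term).replace(r"\*", ".*").replace(r"\?", "."))


def parse(query):
    """Return a list of [kind, clause]; kind is 'opt', 'req' or 'not'."""
    clauses, pending = [], None
    for prefix, phrase, dist, word in TOKEN.findall(query):
        if not prefix and word in ("AND", "OR", "NOT"):
            if word == "AND":
                if clauses and clauses[-1][0] == "opt":
                    clauses[-1][0] = "req"  # "a AND b" requires both sides
                pending = "req"
            else:
                pending = "not" if word == "NOT" else None
            continue
        kind = {"+": "req", "-": "not"}.get(prefix, pending or "opt")
        pending = None
        if phrase:
            slop = int(dist) if dist else None
            clause = ("phrase", WORD.findall(phrase.lower()), slop)
        else:
            clause = ("term", wildcard_to_regex(word.lower()))
        clauses.append([kind, clause])
    return clauses


def clause_matches(clause, tokens):
    """Test one clause against the lower-cased words of a subject line."""
    if clause[0] == "term":
        return any(clause[1].fullmatch(t) for t in tokens)
    _, words, dist = clause
    if not words:
        return False
    if dist is None:  # exact phrase: the words adjacent and in order
        n = len(words)
        return any(tokens[i:i + n] == words for i in range(len(tokens) - n + 1))
    # Proximity (assumed semantics): all words present within `dist` positions.
    positions = [[i for i, t in enumerate(tokens) if t == w] for w in words]
    return any(max(c) - min(c) <= dist for c in product(*positions))


def search(query, subjects=SUBJECTS):
    """Return the subjects that satisfy the query, in their original order."""
    clauses = parse(query)
    hits = []
    for subject in subjects:
        tokens = WORD.findall(subject.lower())  # matching is not case sensitive
        result = {k: [clause_matches(c, tokens) for kind, c in clauses if kind == k]
                  for k in ("req", "not", "opt")}
        if any(result["not"]) or not all(result["req"]):
            continue
        # Without required clauses, at least one optional clause must match
        # (assumption: a query made only of NOT clauses filters the whole list).
        if result["req"] or any(result["opt"]) or not result["opt"]:
            hits.append(subject)
    return hits


if __name__ == "__main__":
    for q in ("payment receipt", "+payment -newsletter", "pay* NOT invoice",
              '"wire transfer"', '"wire request"~2'):
        print(f"{q!r:26} -> {search(q)}")
```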
Junk Box Settings
The Junk Box Management > Junk Box Settings screen contains the General, Action,
Miscellaneous Message Settings sections, which enable the administrator to set default
settings for users’ messages.
General Settings
The General Message Settings window allows you to choose default settings for messages that
contain spam, phishing, virus, and policy management issues.
• Choose the Number of Junk Box days from the drop-down list. Set the enterprise-wide policy for the number of days email messages will remain in the Junk Box before being automatically deleted. The maximum number of days is 180. This can be adjusted for an individual user by an administrator or the user, if you allow it (See Configuring the User View Setup on page 165.)
• Choose the Number of items to display in the Message Center from the drop-down list.
• Select one of the following for When a user unjunks a message:
– Automatically add the sender to the recipient’s Allowed List
– Ask the user before adding the sender to the recipient’s Allowed List
– Do not add the sender to the recipient’s Allowed List
Action Settings
The Action Message Settings define conditions for tagging messages delivered to users’
inboxes.
• Review the four check box options that allow the user to define conditions for tagging
messages incoming to their inbox. Each of the tags below will be prefixed to the subject line
of the message.
– To tag unjunked messages, check the Tag unjunked messages with this text added
to the subject line checkbox, and input word(s) to be used for tagging.
– To tag messages which were considered as junk but will be delivered because the
sender’s domain is on the user’s Allow list, check the Tag messages considered junk,
but delivered because sender/domain/list is in Allowed list with the text added to
the subject line checkbox, and input word(s) to be used for tagging.
– To tag messages which were considered as junk but will be delivered because of a
Policy action in effect, check the Tag messages considered junk, but delivered
because of a Policy action with the text added to the subject line checkbox, and
input word(s) to be used for tagging.
– To tag all those messages that are processed by Email Security Server for testing,
check Tag all messages processed by Email Security for initial deployment
testing with this text added to the subject line checkbox, and input word(s) to be
used for tagging.
Miscellaneous
The Miscellaneous Message Settings provide links that direct you to configure message
management for the Anti-Spam, Anti-Virus, Anti-Phishing, and Policies modules. By clicking
the Click here links, you are directed away from the Junk Box Management > Junk Box
Settings screen.
• Click the Apply Changes button.
Junk Box Summary
Both administrators and users receive Junk Box summaries listing the incoming email that
Email Security has classified as junk. From these email messages, users can choose to view
or unjunk an email if the administrator has configured these permissions.
From the Junk Box Management > Junk Box Summary window, users can determine the
language, frequency, content, and format of Junk Box summaries. Configure the following for
Junk Box Summaries:
Frequency Settings
• Select the Frequency of summaries from the dropdown list.
• Select the Time of day to send summary. You can select Any time of day or specify an hour to send.
• Select the Day of week to send summary. You can select Any day of the week or specify a day.
• Specify the Time Zone for the Email Security system.
Message Settings
• Select to include All Junk Messages or Only likely junk (hide definite junk) in Junk Box Summaries. Note that if All Junk Messages is selected, both definite and likely junk messages are included. If Only likely junk is selected, only likely junk messages are included in the summary.
• Select the Language of summary email from the dropdown list.
• Send plain summary—Select this checkbox to send junk box summaries without graphics.
The following image shows a Plain Summary:
The following image shows a Graphic Summary:
• Select the Display junk statistics in summary email checkbox if you prefer to have junk statistics included in the Junk Box Summary.
Miscellaneous Settings
• Select the Send Junk Box Summary to delegates checkbox to have summary emails sent directly to a user’s delegates. With this option enabled, users with delegates no longer receive summary emails.
• Select the radio button next to the Enable “single click” viewing of messages setting. You can select from the following:
– Off—The “single click” viewing of messages setting is not enabled.
– View messages only—Users are able to preview messages without having to type their name or password.
– Full Access—Users can click any link in a Junk Box Summary and are granted full access to the particular user’s settings.
• Select the Enable Authentication to Unjunk checkbox to require authentication for unjunking messages in the Junk Box Summary.
• Select the Only send Junk Box Summary emails to users in LDAP checkbox to only include LDAP users as recipients of the Junk Box Summary emails. With this setting selected, users not associated with the LDAP do not receive Junk Box Summary emails.
• To enable authentication for non-LDAP users, click the link. You are automatically directed to the Users, Groups & Organizations > Users screen. For more information regarding LDAP and non-LDAP users, refer to the Working with Users on page 159.
Other Settings
• Specify the Email address from which summary is sent. Select from the following:
– Send summary from recipient’s own email address
– Send summary from this email address. Specify the email address in the space provided.
• Specify the Name from which summary is sent in the space provided.
• Specify the Email Subject in the space provided.
• Specify the URL for User View in the space provided. The Junk Box Summary includes this URL for User View to allow users to easily view quarantined emails, unjunk quarantined emails, and to log in to the Email Security system.
• Click the Test Connectivity button to verify the URL specified in the URL for User View field properly connects.
Chapter 12
Reports and Monitoring
Dell SonicWALL Email Security allows you to view system status and data through the Reports
& Monitoring screen. You can view statistics for different time periods on the local system or
the mail transfer agent (MTA). Monitor the flow of email traffic passing through the
Email Security system in real time. The Reports & Monitoring screen also allows you to use
SNMP to send information to a monitoring agent.
This chapter contains the following sections:
• Monitoring Methods on page 189
• Reporting in Email Security on page 194
• Overview Reports on page 195
• Anti-Spam Reports on page 199
• Anti-Phishing Reports on page 199
• Anti-Virus Reports on page 200
• Policy Management Reports on page 200
• Compliance Reports on page 201
• Directory Protection on page 203
• Connection Management Reports on page 203
• Scheduled Reports on page 206
Monitoring Methods
For a description of the different monitoring methods available in Email Security, see the
following sections:
• System Status on page 189
• MTA Status on page 190
• Real-Time System Monitor on page 191
• Performance Monitoring on page 191
System Status
The Monitoring > System Status window shows the status of the Email Security system and
the status of connections with other systems that Email Security needs to communicate with. A
green check icon indicates the system is functioning as expected, while a red X icon indicates
the system is not.
The lower half of the System Status window in the Control Center Status section shows system
statistics, including the disk space used by the Junk Box, free disk space on the data drive, and
free disk space on the install drive.
MTA Status
The Monitoring > MTA Status page gives details on the status of the mail transfer agent (MTA)
if one or more paths have been configured to act as MTAs.
MTA Status
• One or more paths are configured to be MTAs—This option is set to Yes if one or more paths have been configured to act as MTAs; if not, this option is set to No.
• MlfMTA service is running—If the MTA is running as expected, this field will show a green circle with a check mark icon. If the MTA is not running as expected, the field will show a red circle with an X icon.
MTA Totals by Host
If one or more paths are configured to act as MTAs, this section provides additional information
about their host.
• Host—This column shows the name of the host(s).
• Number of messages delivered in last hour—This column shows the number of messages delivered by the MTA in the last hour.
• Number of messages in all queues combined—This column shows the sum of messages in the queues of all the MTAs.
• Number of message recipients in all queues combined—This column shows the sum of the messages in the queues of all the MTAs.
MTA Status on Inbound/Outbound Paths
If one or more paths are configured to act as MTAs, these two sections will provide additional
information about the paths. The columns and the values they represent are:
• Host (src/listen/dest)—This column shows the various paths you configured in the Network Architecture section.
– src is the source IP contacting path; the IP address of a machine that is allowed to connect to and relay email through this path.
– listen is the IP address and port on which this path listens for connections.
– dest is the destination to which this path routes email.
• Path is configured to be an MTA—This column shows whether the listed path is configured to be a proxy or an MTA.
• Number of message recipients in queue—This column lists the number of messages in the queue if the path is an MTA. If it is a proxy, messages are not queued and this column will indicate N/A.
To see details about the messages in a queue, click the Show Details link for that queue. To
see details for messages on a particular server, you must log in to the Dell SonicWALL
appliance on that server.
Real-Time System Monitor
The Monitoring > Real-Time System Monitor page provides real-time information on the flow
of email passing through the Dell SonicWALL Email Security system.
The Message Throughput History graph shows the number of emails processed by this
server per second.
The Message Bandwidth History graph shows the total bandwidth used for email in bytes per
second. The bandwidth is the sum of the sizes of all the messages passing through this
Dell SonicWALL Email Security server per second.
Performance Monitoring
The Monitoring > Performance Monitoring page allows administrators to view and compare
performance metrics with the Email Security interface without downloading and formatting CSV
files. The performance monitoring section displays data that has always been collected by
Dell SonicWALL Email Security.
Performance monitoring allows administrators to monitor a single metric over a period of time,
or to compare two metrics. Once an administrator creates a graph, the graph can be saved or
emailed to share with others who do not have administrator privileges.
Reading Performance Monitoring
There are two ways of viewing the data: By viewing multiple metrics for a given date, or by
comparing data of the same process metric across several days.
The Performance Graph for Multiple Metrics option creates a graph which contains one or
two process metrics for a given date. If there are two metrics, a second y-axis scale will appear
at the right-hand side of the graph for the interpretation of the second metric.
The Performance Graph for Multiple Days option creates a graph for a single process metric
across multiple days. Each day's worth of data is a line of a different color. Up to six data files
can be displayed.
Graphs are shown for a 24-hour period starting and ending at midnight GMT+0. Once a graph
is specified, it will not display or redraw until the Refresh button is clicked. To view the raw data
files used to build a particular graph, click either the Download or the Email To... buttons and
a ZIP file containing the data files and the bitmap will be provided accordingly.
Creating a Performance Monitoring Graph
To create a performance monitoring graph, complete the following procedures:
1. Log into your Email Security system as an administrator.
2. Navigate to the Reports & Monitoring > Monitoring > Performance Monitoring page.
3. Choose the type of performance graph you want.
4. For the multiple metrics graph:
– Select the date you want information on from the select data file dropdown box.
– Click in the first select process box and choose a process.
– Click in the first select metric box and choose a metric of the selected process.
– If you want to compare a second metric, repeat the process with the second set of dropdown boxes.
• Click the Refresh button. You will see the performance graph for those metrics on that day.
5. For the multiple days graph:
– Select the process and metric you want information on.
– Select your dates from the data file dropdown boxes.
• Click the Refresh button. You will see the performance graph for that metric on those days.
Monitored Metrics
The following processes are currently monitored and available as data files. These data files
have always existed, but the information is now more readily accessible.
• Monitoring Service
• Tomcat Service
• Replicator Service
• SMTP Server
• Thumb Updater Service
• Database Service
• Operating System
• MTA Service
• Message Statistics
Metrics List
These are the process metrics that are being tracked and stored in the data files. Most of these
metrics exist in each process. The most common metrics appear in the table below. Metrics not
shown in the list are usually System process monitoring.
Process Metric | Description
DHA Msgs | Number of messages classified as directory harvest attacks. DHA messages are addressed to invalid users at your domain.
%Disk Time | The percentage of elapsed time that the selected disk drive was busy servicing read or write requests.
Fraud Msgs | Number of messages identified as fraudulent and delivered to the junk box.
Good Msgs | Number of messages which were delivered without any noted problems.
Likely Fraud | Number of messages which are delivered but marked as probable fraud.
Likely Spam | Number of messages which are delivered but marked as probable spam.
Likely Virus | Number of messages which are delivered but marked as probably virus-infected.
Policy Msgs | Number of messages which triggered a policy action.
Spam Msgs | Number of messages sent to the junk box as spam.
Total Msgs | Total number of messages processed by Dell SonicWALL Email Security.
Virus Msgs | Number of messages with a virus attached.
%Processor Time | The percentage of elapsed time that all of process threads used to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code is executed to handle some hardware interrupts and trap conditions.
Available Bytes | The amount of physical memory, in bytes, available to processes running on the computer. This is calculated by adding the amount of space on the Zeroed, Free, and Standby memory lists. Free memory is ready for use; zeroed memory consists of pages of memory filled with zeros to prevent subsequent processes from seeing data used by a previous process; standby memory is memory that has been removed from a process' working set, but is still available to be recalled. This counter displays the last observed value only; it is not an average.
Avg. Disk Bytes/Transfer | The time, in seconds, of the average disk transfer.
Avg. Disk Queue Length | The average number of read and write requests queued for the selected disk during the sample interval.
Buffer Bytes | Used in Linux systems. Buffer Bytes is the number of bytes consumed by the kernel.
Cache Bytes | The sum of the Memory\\System Cache Resident Bytes, Memory\\System Driver Resident Bytes, Memory\\System Code Resident Bytes, and Memory\\Pool Paged Resident Bytes counters. This counter displays the last observed value only; it is not an average.
Committed Bytes
The amount of committed virtual memory, in bytes. Committed memory
is the physical memory which has space reserved on the disk paging
file(s). There can be one or more paging files on each physical drive.
This counter displays the last observed value only; it is not an average.
Connections Established
The number of TCP connections for which the current state is either
ESTABLISHED or CLOSE-WAIT.
Connection Failures
The number of times TCP connections have made a direct transition to
the CLOSED state from the SYN-SENT state or the SYN-RCVD state,
plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
Connections Reset
The number of times TCP connections have made a direct transition to
the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
Handle Count
The total number of handles this process currently has open. This number is the sum of the handles currently open by each thread in this process.
Install Dir Free Space
For Windows, the number of bytes remaining free on the installation
drive.
Private Bytes
Private Bytes is the current size, in kilobytes, of memory that this process has allocated which cannot be shared with other processes.
Segments Retransmitted/sec
The rate at which segments are retransmitted, that is, segments transmitted containing one or more previously transmitted bytes.
Segments/sec
The rate at which TCP segments are sent or received using the TCP
protocol.
Swap Available Bytes
Used in Linux systems. Swap Available Bytes is "Swap space which is
still free to use".
Thread Count
The number of threads currently active in this process. An instruction is
the basic unit of execution in a processor, and a thread is the object
that executes instructions. Every running process has at least one
thread.
Virtual Bytes
The current size, in kilobytes, of the virtual address space the process
is using. Use of virtual address space does not imply corresponding
use of either disk or main memory pages. Virtual space is finite, and the
process can limit its ability to load libraries.
Reporting in Email Security
Dell SonicWALL Email Security provides many types of reports. All reports allow you to
optionally download the data in CSV or HTML format. You can also create custom reports by
specifying a time period for the data, and download the report for analysis or email the report.
Per-domain reports are available for custom and scheduled reports.
Dell SonicWALL Email Security also provides several reports for Managed Service Provider
(MSP) related data, including the following:
• Email breakdown (custom/scheduled report only)
• Bandwidth (custom/scheduled report only)
• Good v Junk per domain (custom/scheduled report only)
NOTE: Dell SonicWALL Email Security uses the Firebird Database Engine to generate reports.
Make sure that there is no other installation of the Firebird Database Engine on the same
server as Email Security.
By default, Dell SonicWALL Email Security retains 366 days of reporting information in the
database. You can change this setting in the Reports data will be deleted when older than
field on the System > Advanced page. Lowering this number means less disk space will be used,
but you will not have report data older than the number of days specified. If your
organization's email volume is very high, you may want to consider lowering this number.
For descriptions of the different report types, see the following sections:
• Anti-Spam Reports on page 199
• Anti-Phishing Reports on page 199
• Anti-Virus Reports on page 200
• Directory Protection on page 203
• Scheduled Reports on page 206
Generating Per-Domain Reports
When Email Security is being used as an email server for several different organizations, you
can generate reports that are specific to each domain. This is especially useful in a Managed
Service Provider (MSP) environment. For example, you could generate reports that show data
only for sonicwall.com or only for mailfrontier.net.
Email Security provides a way for administrators to specify the domain for which data should
be displayed. Only administrators can configure the per-domain setting. It is disabled for
managers or other roles.
Per-domain reporting is supported for the following seven report types:
• Inbound Good versus Junk
• Junk Email Breakdown
• Spam Caught
• Messages Identified as Phishing
• Inbound Viruses Caught
• Inbound Policy Messages Filtered
• Number of Attacks
Per-domain reporting is not available for dashboard reports or static reports.
In per-domain reporting, sub-domains are not considered to be separate domains. For
example, email sent to matthew@sales.sonicwall.com, brian@engr.sonicwall.com, and
casey@sonicwall.com will all be included in reports for sonicwall.com.
Overview Reports
The following report types are available in the Overview Reports section of the Email Security
management interface. See the following sections:
• Dashboard on page 196
• Inbound Good vs Junk on page 198
• Outbound Good vs Junk on page 198
• Spam Caught on page 199
• Top Spam Domains on page 199
Dashboard
The Overview Reports > Dashboard provides a lot of information about
Dell SonicWALL Email Security at a glance. These charts are updated hourly and display the
statistics for the last 24 hours. Click the Refresh Reports button to update the data in the
reports with the most current data.
Good Email vs Junk Email
Displays the number of Good Email messages in comparison to the Junk messages received.
The Junk Email messages include spam, likely spam, phishing, likely phishing, viruses, likely
viruses, Directory Harvest Attacks (DHA), and messages that trigger policy events. The
information in this chart can also be found in the Reports & Monitoring > Overview Reports
> Inbound Good vs. Junk report.
Spam Caught
Displays the number of email messages that are Definite Spam compared to the number of
messages that are Likely Spam. The information on this chart can also be found in the
Anti-Spam Reports > Spam Caught report.
Junk Email Breakdown
Displays the number of Junk messages, classified into the following categories:
• Spam (Definite Spam and Likely Spam)
• Phishing (Definite Phishing and Likely Phishing)
• Virus (Definite Virus and Likely Virus)
• Policy
• Directory Harvest Attack (DHA)
• Connection Management (CM)
You can also find this information in the Reports & Monitoring > Overview Reports > Junk
Email Breakdown report page.
Inbound vs. Outbound Email
Displays the number of inbound emails compared to the number of outbound email messages.
You can also find this information in the Reports & Monitoring > Overview Reports >
Inbound vs Outbound Email report.
System Load Average (15 min)
Displays the system load as sampled every fifteen minutes. This chart is incremented in
thousands of messages. Use this chart to judge your peak system load, and your loads through
the day. If you are viewing a Remote Analyzer, this is one of the available charts.
System % Processor Time (15 min)
Displays what percentage of the processor is used, as sampled every fifteen minutes. This
chart is incremented in processor percentage. Use this chart to judge whether you have
sufficient processor power for your needs. If you are viewing a Remote Analyzer, this is one of
the available charts.
Top Spam Recipients
Displays the volume of spam received by the Top 12 Recipients in your organization within the
last 24 hours. This information is also available in the Reports & Monitoring > Overview
Reports > Top Spam Recipients report.
Top Outbound Email Senders
Displays the number of outbound email messages sent by the top 12 senders in your
organization in the last 24 hours. This information is also available in the Reports &
Monitoring > Overview Reports > Top Outbound Email Senders report.
Return on Investment
Dell SonicWALL Email Security provides a tool to help determine the Return on Investment
(ROI) for your organization’s investment in Email Security. You can customize this tool to
reflect your organization’s costs of doing business.
Use the Dell SonicWALL Email Security product to determine your organization’s return on
investment on a daily, weekly, or monthly basis. ROI numbers are computed from a formula;
the inputs to the formula are the data accumulated by Email Security’s mlfUpdater and the
usermap.xml file.
Determining the ROI for Your Organization
To determine the savings from preventing unwanted email, click Change Assumptions to
enter figures that reflect your organization. An input window appears with default values.
To change the values so that they match your organization’s experience:
1. Enter the appropriate values for your organization for salary, number of users, and other
   factors that contribute to the cost of dealing with unwanted email.
2. Click the Recalculate Report button after you enter your values; a revised ROI report
   appears.
Bandwidth Savings
The Bandwidth Savings report displays the number of megabytes of bandwidth that
Email Security saves your organization. Dell SonicWALL Email Security lowers your
organization's network costs through the following actions:
• Removing the high volume of junk messages that go through your network.
• Quarantining junk messages in the Junk Box.
• Deleting junk messages before they enter your network.
Inbound Good vs Junk
This page displays the total number of inbound messages processed by
Dell SonicWALL Email Security along with the total number of junk messages versus good
messages.
You can view the Inbound Good messages versus Junk messages by specific time periods.
Click the Hourly, Daily, or Monthly tabs to view data for each period. By default, the Daily tab
displays.
Outbound Good vs Junk
This report displays the total number of outbound messages processed by Email Security along
with the total number of junk messages and good messages.
You can view the Outbound Good versus Junk by specific time periods. Click the Hourly, Daily,
or Monthly tabs to view data for each period. By default, the Daily tab displays.
Inbound vs Outbound Email
The number of inbound and outbound messages processed by Email Security. Note that this
report is available only if the outbound email module is licensed.
You can view the Inbound versus Outbound Email by specific time periods. Click the Hourly,
Daily, or Monthly tabs to view data for each period. By default, the Daily tab displays.
Top Outbound Email Senders
The number of outbound email messages sent by the top 12 senders in your organization. This
report is available only if the outbound module is licensed.
You can view the Top Outbound Email Senders by specific time periods. Click the Today, This
Month, or This Year tabs to view data for each period. By default, the This Month tab displays.
Junk Email Breakdown Report
This report gives a percentage and numeric breakdown of the various categories of junk
received, including Spam, Likely Spam, Viruses, Likely Viruses, Phishing, Likely Phishing,
Policy Events, Directory Harvest Attacks (DHA), and Connection Management (CM).
You can view the Junk Email Breakdown by specific time periods. Click the Hourly, Daily, or
Monthly tabs to view data for each period. By default, the Daily tab displays.
Anti-Spam Reports
Dell SonicWALL Email Security provides the following reports specific to the category of
Anti-Spam: Spam Caught, Top Spam Domains, and Top Spam Recipients.
Spam Caught
The Spam Caught report displays the number of messages filtered by
Dell SonicWALL Email Security that are definitely Spam compared to the amount that are
Likely Spam. This report also gives a percentage breakdown.
You can view the Spam Caught report by specific time periods. Click the Hourly, Daily, or
Monthly tabs to view data for each period. By default, the Daily tab displays.
Top Spam Domains
The Top Spam Domains report presents the domains or IP addresses that send the most spam
to your organization.
Note that this report only contains useful information if your Email Security server is running as
“first touch.” If your server is not first touch, the IP addresses displayed are those of the server
that routes mail to the Email Security server.
You can view the Top Spam Domains by specific time periods. Click the Today, This Month,
or This Year tabs to view data for each period. By default, the This Month tab displays.
Top Spam Recipients
The Top Spam Recipients report lists the email addresses in your organization that receive the
most spam.
You can view the Top Spam Recipients report by specific time periods. Click the Today, This
Month, or This Year tabs to view data for each period. By default, the This Month tab displays.
Anti-Phishing Reports
Phishing Messages are an especially pernicious form of fraud that use email with fraudulent
content to steal consumers’ personal identity data and financial account credentials.
Phishing Messages
This report displays the number of messages that were identified as Phishing Attacks and
Likely Phishing Attacks.
You can view the Phishing Messages by specific time periods. Click the Daily, Weekly, and
Monthly tabs to view the data for each period. By default, the Weekly tab displays.
Anti-Virus Reports
The Anti-Virus Reports allow you to view the number of viruses detected by
Dell SonicWALL Email Security.
Inbound Viruses Caught
The Inbound Viruses Caught report displays the number of viruses caught in inbound email
traffic.
You can view the Inbound Viruses Caught by specific time periods. Click the Hourly, Daily, or
Monthly tabs to view the data for each period. By default, the Daily tab displays.
Top Inbound Viruses
The Top Inbound Viruses report lists the names of the viruses that have been detected most
often in inbound email traffic sent through Email Security and the amount of times each virus
has been detected.
You can view the Top Inbound Viruses by specific time periods. Click the Today, This Month,
or This Year tabs to view the data for each period. By default, the This Month tab displays.
Outbound Viruses Caught
The Outbound Viruses Caught report displays the number of viruses caught in outbound email
traffic.
You can view the Outbound Viruses Caught by specific time periods. Click the Hourly, Daily,
or Monthly tabs to view the data for each period. By default, the Daily tab displays.
Top Outbound Viruses
The Top Outbound Viruses report lists the names of the viruses that have been detected most
often in outbound email traffic sent through Email Security and the amount of times each virus
has been detected.
You can view the Top Outbound Viruses by specific time periods. Click the Today, This Month,
or This Year tabs to view the data for each period. By default, the This Month tab displays.
Policy Management Reports
If you have created policy filters in Email Security to manage email traffic, the following policy
reports provide statistics on messages that trigger the policy filters.
Inbound Policies Filtered
The Inbound Policies Filtered report displays the total number of inbound email messages that
Email Security has filtered based on policies that you have configured.
You can view the Inbound Policies Filtered by specific time periods. Click the Hourly, Daily, or
Monthly tabs to view the data for each period. By default, the Daily tab displays.
Top Inbound Policies
The Top Inbound Policies report displays the policy filter names that are triggered most often
in inbound email traffic sent through Email Security and the amount of times each policy has
been triggered. Policies are triggered when the contents or attachments of a message contain
information that you have configured as a policy filter to detect.
You can view the Top Inbound Policies report by specific time periods. Click the Today, This
Month, or This Year tabs to view the data for each period. By default, the This Month tab
displays.
Outbound Policies Filtered
The Outbound Policies Filtered report displays the total number of outbound email messages
that Email Security has filtered based on policies that you have configured.
You can view the Outbound Policies Filtered by specific time periods. Click the Hourly, Daily,
or Monthly tabs to view the data for each period. By default, the Daily tab displays.
Top Outbound Policies
The Top Outbound Policies report displays the policy filter names that are triggered most often
in outbound email traffic sent through Email Security and the amount of times each policy has
been triggered.
You can view the Top Outbound Policies report by specific time periods. Click the Today, This
Month, or This Year tabs to view the data for each period. By default, the This Month tab
displays.
Compliance Reports
The Compliance Reports are accessible once the Compliance Module is licensed.
Inbound Messages Decrypted
The Inbound Messages Decrypted report lists the number of inbound messages decrypted.
You can view the Inbound Messages Decrypted report by specific time periods. Click the
Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab
displays.
Inbound Messages Archived
The Inbound Messages Archived report lists the total number of inbound messages that were
archived. These messages triggered a policy filter that, as a result, routed them for archiving.
You can view the Inbound Messages Archived report by specific time periods. Click the Hourly,
Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.
Top Inbound Approval Boxes
The Top Inbound Approval Boxes report lists the Approval Boxes in which inbound email
messages sent through Email Security are stored most often, and the amount of messages that
have been stored in each one. Note that the messages may have been released from the
Approval Boxes since they were first stored there. These messages triggered a policy filter that,
as a result, stored them in an Approval Box.
You can view the Top Inbound Approval Boxes report by specific time periods. Click the Today,
This Month, or This Year tabs to view the data for each period. By default, the This Month tab
displays.
Outbound Messages Encrypted
The Outbound Messages Encrypted report lists the number of outbound messages encrypted.
You can view the Outbound Messages Encrypted report by specific time periods. Click the
Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab
displays.
Outbound Messages Archived
The Outbound Messages Archived report lists the total number of inbound messages that were
archived. These messages triggered a policy filter that, as a result, routed them for archiving.
You can view the Outbound Messages Archived report by specific time periods. Click the
Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab
displays.
Top Outbound Approval Boxes
The Top Outbound Approval Boxes report lists the Approval Boxes in which outbound email
messages sent through Email Security are stored most often, and the amount of messages that
have been stored in each one. Note that the messages may have been released from the
Approval Boxes since they were first stored there. These messages triggered a policy filter that,
as a result, stored them in an Approval Box.
You can view the Top Outbound Approval Boxes report by specific time periods. Click the
Today, This Month, or This Year tabs to view the data for each period. By default, the This
Month tab displays.
Directory Protection
Dell SonicWALL Email Security provides protection against directory attacks. The following
directory protection reports are available to give more information on the directory attacks
targeted at your organization.
Number of Directory Harvest Attacks (DHA)
This report displays the number of messages with invalid email addresses that were sent to
your organization. If this number is large, your organization may be experiencing one or more
Directory Harvest Attacks (DHA), in which spammers try to harvest a list of all your email
addresses.
You can view the Number of DHA Attacks by specific time periods. Click the Hourly, Daily, or
Monthly tabs to view the data for each period. By default, the Daily tab displays.
Top DHA Domains
Use the Top DHA Domains page to view the IP addresses from which the most frequent
Directory Harvest Attacks (DHA) originate, and the number of invalid recipient addresses in
those attacks.
You can view the Top DHA Domains report by specific time periods. Click the Today, This
Month, or This Year tabs to view the data for each period. By default, the This Month tab
displays.
Connection Management Reports
Dell SonicWALL Email Security provides connection management to reduce the traffic your
system must analyze and to automatically reject connections from bad IP addresses. You can
configure which IP addresses to ignore and also use the GRID network to add bad IP addresses
to the Blocked Connection list.
Allowed vs Blocked Connections
The Allowed versus Blocked Connections report displays the number of SMTP connections that
were allowed versus those that were blocked, deferred, or throttled as a result of the
Connection Management settings.
You can view the Allowed vs Blocked Connections report by specific time periods. Click the
Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab
displays.
Blocked Connection Breakdown
The Blocked Connection Breakdown report displays the SMTP connections that have been
blocked, deferred, or throttled as a result of the Connection Management settings. The
blocked connections are broken down into the following categories:
• Grid Network IP Reputation (REPTN)
• Blocked
• Deferred
• Greylisted
• Throttled based on connections (TCNXN)
• Throttled based on messages (TMSGS)
• Throttled based on recipient commands (TRCPT)
You can view the Allowed vs Blocked Connections report by specific time periods. Click the
Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab
displays.
Greylisted Connections
The Greylisted Connections report displays the number of SMTP connections that were
blocked due to the Greylisting component of your Connection Management settings versus the
number of connections that were later retried and allowed.
You can view the Greylisted Connections report by specific time periods. Click the Hourly,
Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.
DMARC Reporting
The following report types are available in the DMARC Reports section of the Email Security
management interface: DMARC Reports and Configure Known Networks.
DMARC Reports
When the Email Security Mail Server acts as both email sender and RUA receiver, it
extracts and aggregates daily RUA files from the email receiver and from RUA providers, such
as Google, Yahoo, etc. The DMARC Reporting Scheduler then imports the RUA files hourly into
its database.
Based on the date range and data filter, you can obtain five different types of reports. One
report is a graphic chart; the other four are tabulated reports.
The reports include:
• DMARC Statistic Report (Graphic Chart)
• DMARC Master Detail Report
• Source IP Aggregation Report
• Provider Aggregation Report
• Source IP and Provider Aggregation Report
All five reports can be rendered in HTML format and downloaded as a PDF file. (HTML
reports allow you to mouse over the 'Alignment' value to see a description of the alignment reason.)
Dell SonicWALL recommends that the administrator enter the IP addresses of 'my server' on
the 'Configure Known Networks' page before users (admin or manager role) view DMARC
Reports, because by default the reports retrieve the data associated with those IP addresses.
Select Date Range
• Last x days—Click the radio button for Last and select from the drop-down list of values.
  Last x days means the number of day(s) before the latest date of imported data.
• Start Date and End Date—Click the radio button to specify the dates. If no RUA data is in
  the database, the pop-up calendar displays the current date. If RUA data exists in the
  database, the calendar dates before the minimum date and after the maximum date display.
  Only data available on those available dates can be selected.
Set Filter
• Filter—Click this button to create a new filter. If a filter already exists, clicking this button
  allows you to edit the filter. See the Set Filter page for more information.
• Save—After creating a new filter, click this button to save the newly configured settings.
• Clear—Clears all settings of the current filter.
• Apply Filter—Select from a drop-down list of the available filters. When selected, its
  bulleted settings display in the Filter section.
• Delete—To delete a filter, select it from the Apply Filter drop-down list and click this button.
• Bullet icons—Each bullet icon represents a filter condition. Click the condition to open the
  Set Filter dialog box, or click the small 'x' symbol on the bullet to delete the condition from
  the filter.
• Select Report list—Select a type of report from the drop-down list. The available reports
  include: DMARC Statistic Report, DMARC Master Detail Report, Source IP Aggregation
  Report, Provider Aggregation Report, Source IP and Provider Aggregation Report.
• Generate—After selecting a report from the drop-down list, click this button to generate a
  report. Note: Some reports may take a few minutes to generate.
Reports are shown in a window below the 'Set Filters' section.
The statistic report displays either horizontally or vertically, depending on the date
range. If the selected date range is less than 15 days, three (3) bar charts display
horizontally. If the date range is greater than 15 days, the bar charts display
vertically. For tabulated reports, moving the mouse over the 'Alignment' value displays the
Alignment Reason. For example, if the 'Alignment' is 'No', moving the mouse over this 'No'
makes the Title Box show: "No DKIM and SPF is passed, On SPF Relaxed, SPF Organization
Domain(sina.com) Not Matched From Header Domain(sonicwall.com)"
This message is useful for DMARC troubleshooting.
Download PDF Report—Click this button to download a PDF report once the HTML report is
generated. The PDF report name includes the Report Name and a time stamp.
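How an 'Alignment' value and its reason can be derived from an RUA aggregate file, and rolled up per source IP, is sketched below as an added example; it is not Dell SonicWALL's code. The XML is a constructed sample in the RFC 7489 aggregate schema, and `org_domain` relies on a small hard-coded suffix set instead of the full Public Suffix List (an assumption).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed RUA sample in the RFC 7489 aggregate schema; every value is made up.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>sonicwall.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count></row>
    <identifiers><header_from>sonicwall.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.sonicwall.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.sonicwall.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count></row>
    <identifiers><header_from>sonicwall.com</header_from></identifiers>
    <auth_results>
      <spf><domain>sina.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

# Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.cn"}


def org_domain(domain):
    """Return the organizational (registrable) domain of a host name."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(xml_text):
    """Return one dict per <record>: source IP, count, alignment and reason."""
    # RUA files come from outside parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted in RUA input")
    root = ET.fromstring(xml_text)
    modes = {
        "dkim": (root.findtext("policy_published/adkim") or "r").strip(),
        "spf": (root.findtext("policy_published/aspf") or "r").strip(),
    }
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from", "").strip()
        ok, reasons = False, []
        for mech, mode in modes.items():
            results = rec.findall(f"auth_results/{mech}")
            if not results:
                reasons.append(f"no {mech.upper()} result")
            for res in results:
                dom = res.findtext("domain", "").strip()
                if res.findtext("result", "").strip() != "pass":
                    reasons.append(f"{mech.upper()} did not pass for {dom}")
                elif aligned(dom, header_from, mode):
                    ok = True  # one passing, aligned mechanism is sufficient
                    reasons.append(f"{mech.upper()} passed and {dom} aligns")
                else:
                    reasons.append(
                        f"{mech.upper()} passed but {dom} is not aligned with "
                        f"From header domain {header_from} (mode {mode})")
        rows.append({
            "source_ip": rec.findtext("row/source_ip", "").strip(),
            "count": int(rec.findtext("row/count", "0")),
            "aligned": ok,
            "reason": "; ".join(reasons),
        })
    return rows


def by_source_ip(rows):
    """Aggregate message counts per source IP, split by alignment outcome."""
    totals = defaultdict(lambda: {"aligned": 0, "unaligned": 0})
    for row in rows:
        key = "aligned" if row["aligned"] else "unaligned"
        totals[row["source_ip"]][key] += row["count"]
    return dict(totals)


if __name__ == "__main__":
    for row in evaluate(SAMPLE_RUA):
        print(row["source_ip"], row["count"],
              "Yes" if row["aligned"] else "No", row["reason"])
    print(by_source_ip(evaluate(SAMPLE_RUA)))
```

The second record reproduces the situation in the tooltip quoted above: SPF passes for sina.com, but that domain does not match the From header domain sonicwall.com, so the record is unaligned.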
Configure Known Networks
There are two types of Known Networks you can configure: My Servers and External Trusted
Servers.
My Servers
This is usually the list of company-owned IP addresses, labeled in the server group as 'my
servers.'
When setting the filter to generate a DMARC report, you have the option to select My Servers
from the Known Network group. By default, all the IP addresses in the My Servers group are
Included for the filter. Select Exclude to exclude the IP addresses in the My Servers group.
If you choose not to use My Servers, you can set the filter to Source IP, and will have to
manually enter the Source IP addresses to include in the report.
External trusted servers
This is the list of IP addresses of company-trusted external servers and customers, labeled as
'external trusted servers.'
Note that this is not a default condition. When setting the filter to generate a DMARC report,
you can select External trusted servers from the Known Network group. Using include or
exclude, you can select which IP addresses to view for the filter.
• Add—Add a new server group and its respective IP addresses. You can add either 'My
  servers' or 'External trusted servers.'
• Edit—Edit the Server Group label and its respective IP addresses.
• Delete—Delete the Server Group label and its respective IP addresses.
Scheduled Reports
Dell SonicWALL Email Security allows you to schedule email delivery of reports. You can
choose the type of report, a time span the data covers, the list of recipients, etc.
Data in scheduled reports is displayed in the time zone of the server on which Email Security
stores email data (either an All in One or a Control Center), just like the reports in the Reports
& Monitoring section. Scheduled report emails are sent according to the time zone on that
computer as well.
Customize a Report
Clicking the Customize button on any Report screen brings up the Custom Reports dialog box.
You can generate a report based on the following settings:
• Which Report—Select from the dropdown list the report you want to generate.
• Date Range—Specify the period of dates you want the report to include.
• List Results By—Select for the results to be listed by Hour, Day, Week, or Month.
• Delivery—Select if you want the report to Display (in a separate window) or if you want the
  report Emailed To the specified email address.
• Name from which report is sent—The sender of the report. This field defaults to ‘admin.’
• Email address from which report is sent—The email address of the sender. This field
  defaults to ‘postmaster.’
• Subject—Add a subject name for the report.
Enter all the specifications for a report, then click the Generate This Report button.
NOTE: The Custom Reports page displays the generated report in a new window. If you have
configured a popup blocker for your web browser, it may interfere with displaying the window
with the data. Configure your browser to allow popup windows from your organization's
Dell SonicWALL Email Security site.
Add Scheduled Report
You can add a Scheduled Report by clicking the Add New Scheduled Report button. A dialog
window displays where you can specify the following settings:
• Which Report—Select from the dropdown list of reports.
• Frequency of Report Email—Select from the dropdown list how frequently the chosen
  report is sent.
• Time of Day to Send Report—Select either to send the report at Any time of day or
  Within an hour of the time you specify.
• Day of Week to Send Report—Select either to send the report Any day of the week or
  Send report on the day you specify.
• Language of Report Email—Select the language for the report.
• Report has Data for the Last—Select the period of how many days to include in the report.
• Report Lists Results By—Select for the results to be listed by Day, Week, or Month.
• Name From Which Report is Sent—Type in the name from which the report is sent (for
  example, Admin).
• Email Address From Which Report is Sent—Type in the email address from which the
  report is sent (for example, admin@easypaymail.com).
• Recipients of Report Email—Type in the email address(es) of those who receive the report
  email.
• Report Name—Specify the name of the report.
Click Save Scheduled Report when finished.
Download Report
You can instantly download all reports from the Reports & Monitoring page to your local
system. Click the Download Report button, then click Open or Save to view the report.
Chapter 13
Downloads
This chapter provides information about the tools available for you to download to enhance your
spam-blocking experience. Select one of the following to download and install to your local
component.
Anti-Spam Desktop for Outlook
The Anti-Spam Desktop for Outlook and Outlook Express link is a trial version of the
Dell SonicWALL Anti-Spam Desktop feature. This download provides “Junk” and “Unjunk”
buttons for you to help customize your own Email Security solution.
Junk Button for Outlook
The Junk Button for Outlook link provides a “Junk” button for you to install on your own
Microsoft Outlook program, which helps to customize your own Email Security solution.
“Send Secure” for Outlook
The “Send Secure” button for Outlook link provides a button for you to install on your own
Microsoft Outlook program. This button allows you to send Secure messages using the
Encryption Service. For more information regarding Encryption Service, see Encryption Service
on page 147.