SonicWALL, Inc.
2001 Logic Drive
San Jose, CA 95124-3452
Phone: +1.408.745.9600
Fax: +1.408.745.9300
E-mail: info@sonicwall.com
Copyright Notice
© 2009 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the
manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to
any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of
the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating
into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
© 2009 SonicWALL, Inc. All rights reserved. SonicWALL is a registered trademark of SonicWALL, Inc. Other product names
mentioned herein may be trademarks and/or registered trademarks of their respective companies.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days
after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in
materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product.
SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a
replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or
like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of
SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or
misapplication, or has been modified without the written permission of SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A
COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY
APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION
TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN
IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL
RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and
exclusion shall apply even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN
THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF
INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL,
INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to
Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall
apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW
LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
NOTE: The SonicWALL Email Security software service is an annual subscription that is subject to the terms and conditions of SonicWALL,
Inc.’s applicable subscription agreement and includes:
Product updates, SonicWALL threat signature updates, and standard technical support for one (1) year from the date of purchase.
SonicWALL Email Security appliances are integrated hardware and software solutions, which include SonicWALL Email Security software.
SonicWALL Email Security appliances are subject to the terms and conditions of SonicWALL, Inc.’s applicable license agreement. Updates to
the SonicWALL Email Security software, SonicWALL Spam Signature Updates, and technical support may be purchased on an annual basis.
AntiVirus support is optionally available.
Table of Contents
Preface
About this Guide
Documentation Conventions
Documentation Overview
Finding Online Help
Index
Documentation Conventions
Font Meaning
Documentation Overview
SonicWALL Email Security provides the following documents to help in the installation,
administration, and use of its products to protect email users from phishing, spam, viruses, and to
manage the security policies you define for your organization.
Click the What is this? button for in-depth online help on a specific area of the
SonicWALL Email Security interface.
Click the Help button on any UI web page for information on how to use the UI features on that
page.
CHAPTER 1
Note
• For installation and setup instructions for your SonicWALL Email Security appliance, refer to
the SonicWALL Email Security Series Getting Started Guide document.
For example, if a message is both a virus and a spam, the message will be categorized as a virus
since virus is higher in precedence than spam.
If SonicWALL Email Security determines that the message is not any of the above threats, it is
deemed to be good email and is delivered to the destination server.
When you activate SonicWALL Email Security, the following modules are licensed:
• Email Security Base Key (Server Configuration, Policy & Compliance, User & Group
Management, Junk Box, and Reports & Monitoring)
• Email Protection Subscription and Dynamic Support (Anti-Spam Anti-Phishing)
In addition, you can optionally license one or more of the following modules for an additional cost:
• Compliance Subscription (compliance functionality under Policy and Compliance)
• SonicWALL Email Anti-Virus (McAfee and SonicWALL Time Zero) Subscription
• SonicWALL Email Anti-Virus (Kaspersky and SonicWALL Time Zero) Subscription
SonicWALL Email Security Administrator’s Guide|3
SonicWALL recommends that you deploy SonicWALL Email Security with one or both of the anti-
virus modules to provide the best protection and email management capabilities for your
organization’s inbound and outbound email traffic.
In an All in One configuration, you can also deploy multiple SonicWALL Email Security servers
in a cluster setup wherein all of the gateways share the same configuration and data files. To
set up such a cluster, begin by creating a shared directory, on either one of the
SonicWALL Email Security servers or on another dedicated server (preferred) running the
same operating system. This shared directory will be used to store data including user
settings, quarantine email, etc., from all the SonicWALL Email Security servers in the cluster.
• Split: In a Split network configuration, there are two kinds of servers: Control Centers and
Remote Analyzers. In this configuration there is typically one Control Center and multiple
Remote Analyzers, but the Control Center can be set up in a cluster as well. The Split
configuration is designed for organizations with remote physical data centers.
The Split configuration allows you to manage SonicWALL Email Security so that email
messages are filtered in multiple remote locations through multiple Remote Analyzers. The
entire setup is centrally managed from a single location through the Control Center.
Control Center clusters are not supported by the SonicWALL Email Security appliance.
• The Control Center, in addition to managing all data files, controls, monitors, and communicates
with all Remote Analyzers. The data files consist of statistical data such as how much email has
been received, network usage, remote hardware space used, and hourly spam statistics. The
Control Center stores or quarantines junk email it receives from the Remote Analyzers. It also
queries LDAP servers to ensure valid users are logging in to SonicWALL Email Security. End
users can log in to a Control Center to manage their junk mail.
• Remote Analyzers analyze incoming email to determine whether it is good or junk. They send junk
email to the Control Center, where it is quarantined, and route good mail to its destination server.
Only administrators can log in to a Remote Analyzer.
Note:
• The Replicator is the SonicWALL Email Security component that automatically sends data
updates from the Control Center to the Remote Analyzer, ensuring that these components are
always synchronized. Replicator logs are stored in the Control Center’s logs directory. You can
review replication activity from these logs for troubleshooting purposes.
For inbound email flow, DNS configuration and firewall rules need to be set to direct email traffic to
SonicWALL Email Security. For outbound email flow, the downstream email server must
be configured to send all email to Email Security (Smart Host configuration).
The SMTP proxy operates by connecting to a destination SMTP server before accepting messages
from a sending SMTP server. Note that SMTP proxies can only send email to one server. Some
benefits of the SMTP proxy are:
• All processing occurs in memory, significantly reducing latency and providing higher
throughput.
• There is no queue, and SonicWALL Email Security does not lose any email messages.
SonicWALL Email Security automatically respects your existing failover strategies if your mail
infrastructure experiences a failure.
The MTA service operates by writing messages to disk and allows for routing of a message. Some
benefits of the MTA are:
• Can route messages to different domains based on MX records or LDAP mapping.
• Can queue messages by temporarily storing messages on disk and retrying delivery later in
case the receiving server is not ready.
• Allows SonicWALL Email Security to be the last-touch mail gateway for outbound traffic.
SonicWALL strongly recommends that after you deploy the chosen architecture, you do not change
the setup from a Control Center to a Remote Analyzer or vice versa, as there are no obvious
advantages, and some data might be lost. Thus, it is important to make the deployment
architecture decision before installing SonicWALL Email Security.
In this configuration, SonicWALL Email Security can be configured on the inbound path to be either
an SMTP proxy or an MTA. On the outbound path, it must be configured to be an MTA. This setup
can also be extended to a cluster with multiple SonicWALL Email Security servers all using a shared drive
for data location. For more information on routing using Smart Host, refer to “Adding an Inbound
Mail Server for All in One Architecture” on page 8.
To configure SonicWALL Email Security in this configuration, you also need to:
1. Configure the SonicWALL Email Security server with a static IP address on your DMZ.
2. In your firewall, add an inbound NAT rule that maps the server's private IP address to an
Internet-addressable IP address for TCP port 25 (SMTP).
3. In the public DNS server on the Internet, create an A record, mapping a name such as
smtp.my_domain.com, to the Internet-addressable IP address you assigned in step 2.
4. Update your email domain’s MX record to point to the new A record. You need to deploy
SonicWALL Email Security for each MX record.
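One way to check the result of steps 3 and 4, as an added Python example that is not part of the guide: it reads a static copy of the zone records and reports any MX target that does not resolve to a gateway address, since mail delivered through such an MX is not filtered. The zone lines, IP addresses, and function names are constructed for illustration.

```python
# Added example: verify that every MX record for a domain resolves to a gateway address.
# ZONE is constructed sample data (RFC 5737 documentation addresses), not from the guide.
ZONE = """\
my_domain.com.         IN MX 10 smtp.my_domain.com.
my_domain.com.         IN MX 20 backup.my_domain.com.
smtp.my_domain.com.    IN A  203.0.113.10
backup.my_domain.com.  IN A  198.51.100.25   ; legacy host, not a gateway
"""


def parse_zone(text):
    """Return ({domain: [(preference, target)]}, {host: {ip, ...}}) from zone-style lines."""
    mx, a = {}, {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, split columns
        if len(fields) < 3:
            continue
        name, rest = fields[0].rstrip(".").lower(), fields[1:]
        # Skip the optional TTL and class columns that may precede the record type.
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest = rest[1:]
        if not rest:
            continue
        rtype = rest[0].upper()
        if rtype == "MX" and len(rest) >= 3:
            mx.setdefault(name, []).append((int(rest[1]), rest[2].rstrip(".").lower()))
        elif rtype == "A" and len(rest) >= 2:
            a.setdefault(name, set()).add(rest[1])
        # Any other record type is ignored.
    return mx, a


def unfiltered_mx(domain, gateway_ips, zone_text):
    """List (preference, mx_host, reason) for MX records that bypass the gateway."""
    gateway_ips = set(gateway_ips)
    mx, a = parse_zone(zone_text)
    findings = []
    for preference, target in sorted(mx.get(domain.rstrip(".").lower(), [])):
        ips = a.get(target, set())
        if not ips:
            findings.append((preference, target, "no A record"))
        elif not ips <= gateway_ips:
            stray = ", ".join(sorted(ips - gateway_ips))
            findings.append((preference, target, "resolves outside gateway set: " + stray))
    return findings


if __name__ == "__main__":
    # Only 203.0.113.10 is a gateway here, so the preference-20 MX is reported.
    for finding in unfiltered_mx("my_domain.com", {"203.0.113.10"}, ZONE):
        print(finding)
```

An empty result means every MX record for the domain lands on a gateway address.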
In this configuration SonicWALL Email Security can be configured to be either an MTA or a proxy.
CHAPTER 2
System
Introduction
In this chapter, you will learn how to configure the system more extensively and learn more about
additional system administration capabilities.
To configure SonicWALL Email Security as your desired network architecture, click System >
Network Architecture.
Click the Add Path button in the Inbound Email Flow section. The Add Inbound Path window
appears.
Warning: SonicWALL Email Security strongly recommends against an open relay. Open relays can
reduce the security of your email network and allow malicious users to spoof your email
domain.
Note:
• You can specify email addresses in addition to domains in this routing table. Also, hostnames
can be specified instead of IP addresses. For example, if you want to route customer service
emails to one downstream server and the rest of the traffic to a different downstream server,
you can specify something like:
service@mycompany.com 10.1.1.1
mycompany.com internal_mailserver.mycompany.com
4. Advanced Settings
5. Use this text instead of a host name in the SMTP banner - Use this text to customize the
HELO banner. By default, the fully qualified domain name will be used.
6. Set the action you want to take for messages for email recipients who are not listed in your
LDAP server. Typically, it is a good practice to set this path to adhere to corporate settings.
7. Enable StartTLS on this path - Check this check box if you want a secure internet
connection for email. If the check box is checked, SonicWALL Email Security uses Transport
Layer Security (TLS) to provide the secure internet connection. When StartTLS is enabled,
email can be sent and received over a secure socket. The source and destination email
addresses and the entire message contents are all encrypted during transfer.
8. Click Add to add an inbound path for this All in One server.
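The routing table from the note above (address entries alongside domain entries), as an added Python example that is not SonicWALL code. It assumes an address entry takes precedence over its domain entry, domains match exactly, and recipients with no matching entry are refused rather than relayed, in line with the open-relay recommendation; the recipient addresses are constructed.

```python
# Added example: recipient-based routing in the style of the inbound routing table.
# The two table lines are the sample from the note; everything else is constructed.
ROUTING_TABLE = """\
service@mycompany.com 10.1.1.1
mycompany.com internal_mailserver.mycompany.com
"""


def parse_routing_table(text):
    """Split '<address-or-domain> <host-or-ip>' lines into address and domain maps."""
    by_address, by_domain = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<address-or-domain> <host-or-ip>'")
        key, destination = parts[0].lower(), parts[1]
        table = by_address if "@" in key else by_domain
        if key in table:
            raise ValueError(f"line {lineno}: duplicate entry for {key}")
        table[key] = destination
    return by_address, by_domain


def route(recipient, tables):
    """Return the downstream server for a recipient, or None if it must be refused."""
    by_address, by_domain = tables
    rcpt = recipient.strip().lower()
    local, sep, domain = rcpt.rpartition("@")
    if not (local and sep and domain):
        return None                      # malformed address: never relayed
    # Assumption: the more specific address entry wins over the domain entry.
    return by_address.get(rcpt) or by_domain.get(domain)


def plan_delivery(recipients, tables):
    """Group one message's recipients by downstream server; collect refused ones."""
    deliveries, refused = {}, []
    for rcpt in recipients:
        destination = route(rcpt, tables)
        if destination is None:
            refused.append(rcpt)         # not a local domain: do not act as a relay
        else:
            deliveries.setdefault(destination, []).append(rcpt)
    return deliveries, refused


if __name__ == "__main__":
    tables = parse_routing_table(ROUTING_TABLE)
    envelope = ["Service@mycompany.com", "bob@mycompany.com", "eve@example.org"]
    print(plan_delivery(envelope, tables))
```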
Note:
• You need to use this setting if you configure your SonicWALL Email Security installation to listen
for both inbound and outbound email traffic on the same IP address on port 25.
3. Path Listens On. In this section, you can specify the IP addresses and port number on which
this path listens for connections.
○ Listen for all IP addresses on this port - This is the typical setting for most environments,
as the service listens on the specified port using the machine’s default IP address.
○ Listen only on this IP address and port - If you have multiple IP addresses configured
in this machine, you can specify which IP address and port number to listen to.
4. Destination of Path. In this section, you can specify the destination server for outgoing
email traffic in this path.
○ This is a Proxy. Pass all email to destination server - Use this setting if you want this
path to act as a proxy and relay messages to an upstream MTA. Enter the host name or IP
address of the upstream MTA and the port on which it should be contacted. If the
upstream MTA is unavailable, outgoing messages will not be accepted.
○ This is an MTA. Route email using SmartHost to - This setting is the same as the Proxy
option above except that outgoing messages will be accepted and queued if the upstream
MTA is unavailable.
○ This is an MTA. Route email using SmartHost with load balancing to the following
multiple destination servers - When a path is configured with this choice, outbound
messages will be routed to multiple upstream MTAs as follows.
○ If Round robin is specified, email will be load-balanced by sending a portion of the email
flow through each of the MTAs specified in the text box in round-robin order. All of the
MTAs will process email all the time.
○ If Fail over is specified, the first MTA listed will handle all email processing under normal
operation. If the first MTA cannot be reached, email will be routed through the second
MTA. If the second MTA cannot be reached, email will be routed through the third MTA,
and so on.
○ This is an MTA. Route email using MX record routing - Use this setting to configure
this path to route outbound email messages by standard MX (Mail Exchange) records.
○ This is an MTA. Route email using MX record routing with these exceptions - Use
this setting to configure this path to route outbound email messages by standard MX (Mail
Exchange) records except for the specified domains. For the specified domains, route
messages directly to the listed IP address.
5. Advanced Settings
○ Use this string instead of a host name in the SMTP banner - Use this string to
customize the HELO banner. By default, the fully qualified domain name will be used.
Note:
• If there is a high volume of network traffic, it might take some time before the new Remote
Analyzer is displayed in the System > Network Architecture window.
Any changes you make at the Control Center are propagated to the Remote Analyzers you just
added. You can monitor their status on the Reports page as well.
Note:
• If your Control Center is a cluster, add each individual hostname as a valid Control Center by
repeating steps 2-3.
All other configuration options for the Remote Analyzer are managed by the Control Center.
Before deleting a Remote Analyzer, ensure there are no messages in the queue for
quarantine:
1. Stop SMTP traffic to the Remote Analyzer by turning off the SonicWALL Email Security Service.
Click Control Panel > Administrative Tools > Services > MlfASG Software > Stop.
2. After a few minutes, view the last entry in the mfe log on the Remote Analyzer.
3. View the mfe log in the Control Center logs directory to ensure the last entry in the mfe log for
the Remote Analyzer is there; this can take a few moments.
Turn off the ability of the associated email server to send mail to this Remote Analyzer, and/or point
the associated email server to another installed and configured Remote Analyzer.
Note:
• It takes 15 seconds for SonicWALL Email Security to refresh its settings. If the first test fails,
try the test again.
Configure MTA
Click the Configure MTA button to specify several parameters for the MTA. You can limit the number
of inbound and outbound connections that SonicWALL Email Security will accept. You can also
restrict email messages based on message characteristics such as message size and number of
recipients.
You can also specify how the MTA will handle the case where it is unable to deliver a message right
away. It will retry delivery on the interval specified in the Retry interval drop-down menu, and it will
stop trying and bounce the message after the length of time specified in the Bounce after drop-
down menu.
LDAP Configuration
SonicWALL Email Security uses Lightweight Directory Access Protocol (LDAP) to integrate with your
organization’s email environment. LDAP is an Internet protocol that email programs use to look up
users’ contact information from a server. As users and email distribution lists are defined in your
mail server, this information is automatically reflected in SonicWALL Email Security in real time.
Many enterprise networks use directory servers like Active Directory or Lotus Domino to manage
user information. These directory servers support LDAP, and SonicWALL Email Security can
automatically get user information from these directories using LDAP. You can run
SonicWALL Email Security without access to an LDAP server as well. If your organization does not
use a directory server, users cannot access their Junk Boxes, and all inbound email is managed by
the message-management settings defined by the administrator.
SonicWALL Email Security uses the following data from your mail environment.
• Login Name and Password: When a user attempts to log into the SonicWALL Email Security
server, their login name and password are verified against the mail server using LDAP
authentication. Therefore, changes made to the user names and passwords are automatically
uploaded to SonicWALL Email Security in real time.
• If your organization allows users to have multiple email aliases, SonicWALL Email Security
ensures any individual settings defined for the user extend to all the user’s email aliases. This
means that junk sent to those aliases aggregates into the same folder.
• Email groups or distribution lists in your organization are imported into
SonicWALL Email Security. You can manage the settings for the distribution list in the same way
as a user’s settings.
LDAP groups allow you to assign roles to user groups and set spam-blocking options for user
groups.
Configuring LDAP
Use the LDAP Configuration screen to configure SonicWALL Email Security for username and
password authentication for all employees in the enterprise.
Note
• Complete the LDAP configuration screen to get the complete list of users who are allowed to
log in to their Junk Box. If a user does not appear in the User list in the User & Group screen,
their email will be filtered, but they cannot view their personal Junk Box or change default
message management settings.
Enter the server information and login information to test the connection to the LDAP server.
1. Check the Configure LDAP to enable per-user access and management check box
to enable users to log into their Junk Box and change various settings. These settings are
limited according to the preferences you set in the User Management pane. See the
SonicWALL Email Security Administration Guide “User View Setup” in Chapter 6 for details.
2. Enter the following information about your LDAP server:
○ Server Name: The IP address or DNS name of your LDAP server. (Configuration checklist
parameter M)
○ Port: The TCP port running the LDAP service. The default LDAP port is 389. (Configuration
checklist parameter N)
○ SSL Connection: Check this box if your server requires a secured connection.
○ Type of LDAP Server: Choose the appropriate type of LDAP server from the list.
○ Allow LDAP referrals: Leaving this option unchecked disables LDAP referrals and speeds
up logins. You may choose this option if your organization has multiple LDAP servers, in
which one LDAP server can delegate parts of a request for information to other LDAP servers
that might have more information.
○ LDAP page size: Set the maximum page size to be queried.
○ Usermap frequency: Set the number of minutes between refreshes of the list of users on
the system.
3. Determine the Login options for your LDAP server.
4. Anonymous Bind Login Name and Password: Enter a username and password for a
regular user on the network. This typically does not have to be a network administrator.
Note:
• Some LDAP servers allow anybody to get a list of valid email addresses out of them. This state
of allowing full access to anybody who asks is called Anonymous Bind. In contrast to Anonymous
Bind, most LDAP servers such as Microsoft's Active Directory require a valid
username/password in order to get the list of valid email addresses. (Configuration checklist
parameter O and P)
5. Click the Test LDAP query button.
A successful test indicates a simple connection was made to the LDAP server. If you are using
anonymous bind access, be aware that even if the connection is successful, anonymous bind
privileges might not be high enough to retrieve the data required by
SonicWALL Email Security.
6. (Optional) Click the Show LDAP Query Panel button to configure advanced LDAP settings.
See LDAP Query Panel below.
7. Click Apply Changes.
Note:
• SonicWALL Email Security does not require you to configure LDAP query information settings
for most installations.
○ Email alias attribute: The LDAP attribute that corresponds to email aliases.
2. Click the Test Group Query button to verify that the configuration is correct.
3. Click the Auto-fill User Fields button to have SonicWALL Email Security automatically
complete the remainder of this form.
Note:
• If you have a lot of user mailboxes, applying these changes could take several minutes.
This panel provides a way to add additional mappings from one domain to another. For example, a
mapping could be added that would ensure emails addressed to anybody@engr.corp.com are sent
to anybody@corp.com.
It also provides a way of substituting single characters in email addresses. For example, a
substitution could be created that would replace all the spaces to the left of the "@" sign in an email
address with a "-". In this example, email addressed to Leopold Stotch@corp.com would be sent to
Leopold-Stotch@corp.com.
Note:
• This feature does not make changes to your LDAP system or rewrite any email addresses; it
makes changes to the way SonicWALL Email Security interprets certain email addresses.
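The two mapping kinds described above, as an added Python example that is not SonicWALL code: a domain-to-domain mapping and a single-character substitution applied only to the left of the "@" sign, plus a helper that lists which incoming addresses end up interpreted as the same user. The function names and the domain case-folding are assumptions made for the illustration.

```python
# Added example: how domain mappings and character substitutions change the way an
# address is interpreted. The mappings mirror the two examples in the text above.
DOMAIN_MAP = {"engr.corp.com": "corp.com"}   # anybody@engr.corp.com -> anybody@corp.com
CHAR_SUBS = {" ": "-"}                       # spaces left of "@" become "-"


def interpret_address(address, domain_map, char_subs):
    """Return the address as it would be looked up; the message itself is not rewritten."""
    local, sep, domain = address.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {address!r}")
    # Substitutions apply only to the part left of the "@" sign.
    local = local.translate(str.maketrans(char_subs))
    # Assumption: domains are compared case-insensitively.
    domain = domain.lower()
    return f"{local}@{domain_map.get(domain, domain)}"


def merged_identities(addresses, domain_map, char_subs):
    """Map each interpreted address to the distinct incoming addresses that collapse into it."""
    groups = {}
    for address in addresses:
        key = interpret_address(address, domain_map, char_subs)
        groups.setdefault(key, set()).add(address)
    # Only report interpreted addresses that absorb more than one incoming form.
    return {key: sorted(forms) for key, forms in groups.items() if len(forms) > 1}


if __name__ == "__main__":
    # Constructed recipient list for illustration.
    seen = [
        "anybody@engr.corp.com",
        "anybody@corp.com",
        "Leopold Stotch@corp.com",
        "Leopold-Stotch@corp.com",
        "someone@corp.com",
    ]
    for key, forms in merged_identities(seen, DOMAIN_MAP, CHAR_SUBS).items():
        print(key, "<-", forms)
```

Reviewing the merged groups before applying a mapping shows which addresses will share one set of user settings and one Junk Box.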
To access the Advanced LDAP Settings, click the Advanced LDAP Settings button in the LDAP
Configuration window.
The following table describes the actions that can be taken on a group, domain, or global level.
Policy Y Y Y
Reporting Y - Y
Roles - Y Y
Settings Y* Y Y
Once a domain administrator is logged in, she can modify the Email Security settings for her
domain, including the anti-spam settings.
The Email Security administrator can see all the LDAP servers attached to SonicWALL Email
Security. The ES administrator logs in with no domain specified.
3. Click the server name link or the Edit (pencil) button associated with the friendly name of the
LDAP server you want to change.
4. Edit the details of the LDAP server using the information you have collected.
5. In the Global Configurations section, you can enter aliases for your pseudo-domains. In this
example, the administrator can configure aliases (on the right side) to correspond with the
pseudo-domain. Aliases must be unique and can consist of lowercase alpha-numeric
characters and underscores. Aliases are separated by commas. If you set an alias to the
domain name, users can log in using their email address.
6. In the Settings subsection, choose whether you want the domains to appear in the login
dropdown box. If this box is checked, all users will be able to see all domains. If it remains
unchecked, users must log in with their fully-qualified login, such as user@sonicwall.com. You
can also choose how often SonicWALL ES refreshes the LDAP usermap.
Note:
• Do not change the NetBIOS domain mappings. Doing so will break the links to the pseudo-
domain.
7. When you are done, click Apply Changes and use the test button to confirm that the LDAP
server is properly connected and configured.
The Default Message Settings window allows you to choose default settings for messages that
contain spam, phishing, virus, and policy management issues.
1. Choose the Number of Junk Box days from the drop-down list.
Set the enterprise-wide policy for the number of days email messages will remain in the Junk
Box before being automatically deleted. The maximum number of days is 180. This can be
adjusted for an individual user by an administrator or the user, if you allow it (See Configuring
the User View Setup on page 68.)
2. Choose the number of items to display in the Message Center from the drop-down list.
3. Review the four check box options that allow the user to define conditions for tagging
messages incoming to their inbox. Each of the tags below will be prefixed to the subject line of
the message.
○ To tag unjunked messages, check the Tag unjunked messages with this text added
to the subject line checkbox, and input word(s) to be used for tagging.
○ To tag messages which were considered as junk but will be delivered because the sender’s
domain is on the user’s Allow list, check the Tag messages considered junk, but
delivered because sender/domain/list is in Allowed list with the text added to
the subject line checkbox, and input word(s) to be used for tagging.
○ To tag messages which were considered as junk but will be delivered because of a Policy
action in effect, check the Tag messages considered junk, but delivered because of
a Policy action with the text added to the subject line checkbox, and input word(s)
to be used for tagging.
○ To tag all those messages that are processed by Email Security 6.0 Server for testing,
check Tag all messages processed by Email Security for initial deployment testing
with this text added to the subject line checkbox, and input word(s) to be used for
tagging.
4. Click the click here links to manage spam, virus, phishing, and policy.
5. Click the Apply Changes button.
Users can unjunk items listed in the Junk Box Summary email by clicking links in the email. When
unjunking there is an option not to add a sender to the Allowed list.
The message summary can come from the individual user or another email address which you
enter here. Be aware that if summaries are sent because the address doesn’t exist, the
message summary message will bounce as well.
8. Select the name to be displayed in end user’s email client for the summary emails.
○ Subject
Enter the subject line for the Junk Box Summary email.
○ URL for User View
This text box is filled in automatically based on your server configuration and is included in
the Junk Box Summary email. Clicking on the email link will allow users to unjunk
messages. Test the link if you make any changes to ensure connectivity. If you have
multiple SonicWALL Email Security deployments, enter the virtual hostname here.
○ Test this Link
Users unjunk items in the Junk Box summary email by clicking links in the email. To test
the URL, click Test this Link. If the test fails, check that the URL is correct. (Installation
checklist parameters B, C, D)
9. Click the Apply Changes button.
○ Check the Allow users to download SonicWALL Junk Button for Outlook check box
to allow users to download SonicWALL Email Security Junk Button for Outlook. Junk
Button is a lightweight plugin for Microsoft Outlook. It allows users to mark emails they
receive as junk, but does not filter email.
4. Determine the settings for quarantined junk mail:
○ Check the Users can preview their own quarantined junk mail checkbox to enable
users to view their individual mail that is junked.
○ Choose which other types of users can preview quarantined junk mail. These roles are
configured within SonicWALL Email Security.
5. Users are not usually shown reports which include information about users, such as email
addresses. Select the Reports view settings checkbox to give user access to those reports.
6. Enter an Optional login help URL.
An administrator can specify a URL for any customized help web page for users to view on the
Login screen. If no URL is entered, SonicWALL Email Security provides a default login help
screen. If a URL is entered, that page is launched when the user clicks the Login Help link.
7. Click Apply Changes.
Updates
SonicWALL Email Security uses collaborative techniques as one of many tools in blocking junk
messages. The collaborative database incorporates thumbprints of junked email from MailFrontier
Desktop and SonicWALL Email Security users. Your SonicWALL Email Security communicates with
a data center hosted by SonicWALL (using the HTTP protocol) to download data used to block spam,
phishing, virus and other evolving threats.
SonicWALL Email Security recommends that you check for spam, phishing, and virus blocking
updates at least every twenty minutes.
Check the Submit unjunk thumbprints check box to submit thumbprints to the
SonicWALL Email Security data center when users unjunk a message. Thumbprints sent from
SonicWALL Email Security contribute to the collaborative community by improving junk-blocking
accuracy. They contain absolutely no readable information.
Check the Submit generic spam blocking data check box to send generic spam-blocking data to
the SonicWALL Email Security data center to assist in customer support and to help improve spam
blocking. No emails, email content, header information or any other uniquely identifiable
information is ever sent.
If your organization routes HTTP traffic through a proxy which requires basic authentication, you
can enter the username and password to configure SonicWALL Email Security to authenticate with
the HTTP proxy server.
Monitoring
Use the Monitoring page to enter the email addresses of administrators who receive emergency
alerts and outbound quarantine notifications. If this field is left blank, notifications will not be sent.
The Monitoring page is also used to set up the postmaster for the MTA. If SonicWALL Email Security
has been configured to be an MTA, enter the email address to which postmaster notifications
generated by the MTA should be sent. Notifications are not sent more than once every ten minutes.
You can also enter the names or IP addresses of backup SMTP servers. If you are running
SonicWALL Email Security in split mode, and you route outbound email through
SonicWALL Email Security, you must enter the IP addresses or fully-qualified domain names of any
Remote Analyzers through which outbound email is routed in this text box on the Control Center.
Use the Monitoring page to configure the Syslog settings. Options include setting external servers
for logging and alerts.
To create a customized signature, enter text in the text box. This text appears at the bottom of all
email alerts.
About Alerts
Alerts in SonicWALL Email Security provide the following details:
• A summary of the alert
• Details that include the following:
  ◦ Host Name
  ◦ Two to three lines of description of an alert or trigger
  ◦ A trigger message if available
• A time stamp
  ◦ In local time
  ◦ In GMT
Using Syslog
The log files for SonicWALL Email Security are now configurable. Syslog supports ES alerts and a
subset of MFE lines. You can choose specific notifications and have them sent to external servers
automatically. You can also use the syslog to report email events directly to the Windows Event
Viewer.
3. Set your Log Level. Changing your log level will only affect the syslog.
4. If you are running SonicWALL Email Security as a software installation on a Windows system,
you can check Local to send the log information to the Windows Event Viewer. This option is
also available for Appliances. The log information will be sent to
/opt/emailsecurity/logs/essyslog.log.
5. If you want to send your log information to a remote logging server, check the Remote box. If
you choose this option, you must configure at least one remote server.
6. Click Send Message Details. This will enable or disable the subset of MFE lines on the syslog.
7. Enter the server and port which will receive logged events. The secondary server is not a
failover. If two servers are configured, both will receive event notifications.
8. Click Save. In the save process, your external logging server, if any, is validated, and you are
alerted if there is a problem.
3. Scroll down to Download System/Log Files. The contents of the Choose Specific Files field
change, depending on the type of file you have selected. For example, choosing the Data
Directory regenerates the page and offers you several choices, including SW-ES-MIB.txt, a file
that describes the MIB identifiers for Email Security-specific events.
4. Click Download or Email To to send the log file you have selected.
Connection Management
The Connection Management section uses technology to slow or drop unwanted email traffic. As
part of Connection Management, SonicWALL Email Security rejects messages with an invalid MAIL
FROM setting.
Intrusion Prevention
To access the Intrusion Prevention portion of the Connection Management module, go to System
> Connection Management.
Expose the users in your directory to spammers—The people at your organization need their privacy
in order to be effective. To expose them to malicious hackers puts them and the organization at
significant risk from a variety of sources.
Users whose email addresses have been harvested are at risk. Once a malicious hacker knows their
email, users are at risk for being spoofed: someone can try to impersonate their email identity. In
addition, exposed users can be vulnerable to spoofing by others. IT departments routinely receive
email from people pretending to be providing upstream services, such as DNS services.
Expose users to phishing—Exposed users can be targeted to receive fraudulent email. Some receive
legitimate-appearing email from banks or credit cards asking for personal or financial information.
Some exposed users have been blackmailed; Reuters reported cases where users were told if they
did not pay up, their computers would be infected with viruses or pornographic material.
Expose your organization to Denial of Service Attacks—A Directory Harvest Attack (DHA) can lead
to denial of service attacks because malicious hackers can send lots of information to valid email
addresses in an effort to overwhelm the capacity of your mail server.
Expose your organization to viruses—DHA provides a highly effective means of delivering
virus-infected email to users.
Expose users to fraudulent email masquerading as good email—Directory Harvest Attacks can
perpetuate fraudulent email messages by giving malicious hackers the ability to target your users
individually and by name.
SonicWALL Email Security Administrator’s Guide|25
The following table outlines the available options for messages that are sent to email addresses that
are not configured in your LDAP server.

| Options | Consequences |
| --- | --- |
| Directory Harvest Attack (DHA) protection off. Process all messages the same (whether or not email address is in LDAP). No action is taken on messages to invalid recipients. | No directory protection. |
| Permanently Delete. All email addressed to users not in the organization’s directory is permanently deleted. | The sender does not receive notification about the email they have sent. This option can lead to permanently deleting legitimate mail with a typographical error in the address. |
| Reject invalid email addresses (Tarpitting). SMTP clients that specify invalid recipients will be tarpitted. | Responses to those invalid recipient commands are delayed for some time period to slow down the rate that they can attack an organization’s mail system. Warning: Enabling tarpitting protection uses your system resources (CPU, memory) that may slow down your server. |
| Always store in Junk Box (regardless of spam rating). Email that is sent to an invalid address is stored in the Junk Box. SonicWALL Email Security does not process the email to determine if it is spam or another form of unwanted email. | SonicWALL Email Security recommends this option to protect the confidentiality of your directory population. |

| Options | Consequences |
| --- | --- |
| Apply to all recipient domains. | Applies DHA protection to all recipient domains. SonicWALL recommends that most organizations choose Apply to all recipient domains. |
| Apply only to the recipient domains listed below. | Applies DHA protection to the recipient domain(s) listed. |
| Apply to all recipient domains except those listed below. | Applies DHA protection to all recipient domains except for those listed. |

Denial of Service attacks can threaten your network in the following ways:
• Bandwidth consumption—The available bandwidth of a network is flooded with junk mail
addressed to invalid recipients.
• Resource starvation—The mail servers of an organization are overwhelmed trying to process the
increased volume of messages coming from infected computers, which causes the mail servers
to run out of resources (CPU, memory, storage space).
The Denial of Service Attack Protection adds an extra level of security to thwart an attack.
Quality of Service
To access the Quality of Service portion of the Connection Management module, go to System >
Connection Management and scroll down to the Quality of Service section.
The following sections describe how to configure the Quality of Service components:
• BATV
• Sender IP Reputation
• Throttling (Flow control)
• Connections
• Messages
BATV
BATV adds a stamp to the envelope of all outbound mail. If the mail is bounced and does not reach
a recipient, the stamp alerts the inbound mail processor that this email originated within your
organization. False bounce messages, which will not have the stamp, will not be passed through the
inbound mail processor.
To use BATV, SonicWALL Email Security must touch all outbound mail. For maximum efficiency of
processing inbound bounces, SonicWALL Email Security should be your first-touch inbound mail
processor. SonicWALL Email Security will read the bounce message envelope, determine whether
or not it is legitimate, and only download and pass through legitimate messages. The added BATV
tag is removed before the email is passed to the users.
BATV is not enabled by default. Although BATV is a powerful tool to eliminate false bounce
messages, some configurations on other mail servers may cause the BATV system to reject
legitimate bounce messages. The user who sent out the message would not know it did not reach
the intended recipient. Reasons for "false positives" might include:
• LDAP upstream of SonicWALL Email Security
• Null reverse paths instead of "From" fields
• Divergent SonicWALL Email Security configuration
• Incorrect or altered reverse mail paths
Users might also get "false negatives" where they get false bounce messages even though they did
not send the originals. False negatives might come from a spambot or zombie infection of the
organization. In that case, the spam would be properly stamped as it left the organization.
To enable BATV, you must turn it on for both your outbound and inbound SonicWALL Email Security
servers, if they are different. If you are running an all-in-one system, you only have to turn it on
once. BATV will work best if your SonicWALL portal is the last-touch for outbound mail and the first-
touch for inbound mail.
Note:
• For the first 4-5 days after you enable BATV, your users may not receive legitimate bounce
messages. This is because there are email messages which are still trying to reach an invalid
destination, and when they come back, they will not have the appropriate stamp.
To enable BATV:
1. Log into your Email Security as an administrator.
2. Choose System from the left navigation bar.
3. Choose Connection Management.
4. Scroll down to the Quality of Service section.
5. Click in the Bounced Address Tag Validation to enable BATV.
6. Click Apply Changes.
BATV is now enabled. If you have different servers for inbound and outbound mail, make sure that
it is enabled on both servers.
BATV is a solution to email backscatter caused by spoofed email addresses. Only messages sent
from within your organization will be returned as bounces. This drastically reduces the bounce
traffic. BATV must be enabled on both inbound and outbound servers to work.
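
The stamp-and-check cycle described in this section, shown with the prvs tag layout from the BATV Internet-Draft. This is an added example, not SonicWALL's code: the page does not give the product's tag format, so the prvs layout, the demo key, the seven-day tag lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import re

TAG_LIFETIME_DAYS = 7  # assumption: a stamp stays valid for one week
# prvs=KDDDSSSSSS=user@domain (K: key number, DDD: expiry day, SSSSSS: MAC)
_TAG = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def day_number(now: float) -> int:
    """Days since 1970-01-01 UTC, modulo 1000 (the DDD field)."""
    return int(now // 86400) % 1000


def _mac(key: bytes, key_id: int, expiry: int, mailbox: str) -> str:
    """First three bytes (six hex digits) of HMAC-SHA1 over K, DDD and mailbox."""
    msg = f"{key_id}{expiry:03d}{mailbox}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign(mailbox: str, key: bytes, now: float, key_id: int = 0) -> str:
    """Outbound side: stamp the envelope sender of a message leaving the site."""
    expiry = (day_number(now) + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={key_id}{expiry:03d}{_mac(key, key_id, expiry, mailbox)}={mailbox}"


def verify(recipient: str, keys: dict, now: float):
    """Inbound side: return (True, original_mailbox) or (False, reason)."""
    m = _TAG.match(recipient)
    if not m:
        return False, "untagged"
    key_id, expiry, mac, mailbox = int(m[1]), int(m[2]), m[3].lower(), m[4]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key"
    # Constant-time comparison so the check does not leak MAC prefixes.
    if not hmac.compare_digest(mac, _mac(key, key_id, expiry, mailbox)):
        return False, "bad signature"
    # Day numbers wrap at 1000, so compare modulo 1000.
    if (expiry - day_number(now)) % 1000 > TAG_LIFETIME_DAYS:
        return False, "expired"
    return True, mailbox


def handle_inbound(mail_from: str, rcpt_to: str, keys: dict, now: float):
    """Decide at RCPT TO, from the envelope alone, before any DATA is read.

    A bounce has a null reverse-path (empty mail_from) and is accepted only
    if its recipient carries a valid stamp. The stamp is stripped before
    delivery, so users never see the tagged address.
    """
    ok, detail = verify(rcpt_to, keys, now)
    if mail_from == "":
        return ("accept", detail) if ok else ("reject", detail)
    return ("accept", detail if ok else rcpt_to)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"      # constructed sample value
    t0 = 1_700_000_000                      # constructed timestamp
    stamped = sign("alice@example.com", demo_key, t0)
    print(stamped)
    print(handle_inbound("", stamped, {0: demo_key}, t0))
    print(handle_inbound("", "alice@example.com", {0: demo_key}, t0))
```

The expiry check also shows why legitimate bounces are lost right after BATV is switched on: bounces for mail sent before the stamp existed arrive untagged and are rejected.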
Sender IP Reputation
This section describes the SonicWALL GRID Connection Management with Sender IP Reputation
feature. GRID Network Sender IP Reputation is the reputation a particular IP address has with
members of the SonicWALL GRID Network. When this feature is enabled, email is not accepted from
IP addresses with a bad reputation. When SonicWALL Email Security will not accept a connection
from a known bad IP address, mail from that IP address never reaches the Email Security server.
This feature is useful only for Email Security servers that are running as the “first touch” server
(receiving email directly from the internet). SonicWALL recommends disabling GRID Connection
Management Network IP Reputation if Email Security is not first touch.
GRID Network Sender IP Reputation checks the IP address of incoming connection requests against
a series of lists and statistics to ensure that the connection has a probability of delivering valuable
email. The lists are compiled using the collaborative intelligence of the SonicWALL GRID Network.
Known spammers are prevented from connecting to the SonicWALL Email Security server, and their
junk email payloads never consume system resources on the targeted systems.
Benefits:
• Because as much as 80 percent of junk email is blocked before it ever reaches your servers,
you need fewer resources to maintain your level of spam protection.
• Your bandwidth is not wasted on receiving junk email on your servers, only to analyze and
delete it.
• A global network watches for spammers and helps legitimate users restore their IP reputations
if needed.

| Evaluation | Description |
| --- | --- |
| Reputation-list | If the IP address is not in the previous lists, the SonicWALL Email Security server checks with the GRID Network to see if this IP address has a bad reputation. |
| Defer-list | Connections from this IP address are deferred. A set interval must pass before the connection is allowed. |
| DoS | If the IP address is not on the previous lists, the SonicWALL Email Security server checks to see if the IP address has crossed the Denial of Service threshold. If it has, the server uses the existing DoS settings to take action. |
| Throttling | If the IP address has crossed the throttling threshold, the server uses the existing throttling settings to take action. |
| Not-grey-list* | This IP address has already been through (and passed) the grey-list filter. |
| Grey-list* | If this is the first time this IP address has attempted to connect with the server, add it to the grey list. |

Only if the IP address passes all of these tests does the SonicWALL Email Security server allow that
server to make a connection and transfer mail. If the IP address does not pass the tests, there is a
message from the SonicWALL server to the requesting server indicating that there is no SMTP
server. The connection request is not accepted.
You may also see changes in the reporting statistics. Blocked connections are added to the Junk
Email Breakdown report. Each connection might have delivered many junk messages, but we
cannot tell how many emails were blocked by rejecting a connection from an IP address. Instead,
we keep a tally of rejected IP connections and a log of why they were rejected.
All inbound connection requests will be evaluated for reputation. If the connection fails to meet the
standards set by SonicWALL Email Security, the connection request is dropped. The error message
sent back to the requesting server is “544 No SMTPd Here”.
Greylisting
In this section you can enable or disable Greylisting. Greylisting is disabled by default in SonicWALL
Email Security. The Greylisting feature in SonicWALL Email Security discourages spam without
permanently blocking a suspicious IP address. When Greylisting is enabled, Email Security assumes
that all new IP addresses that contact it are suspicious, and requires those addresses to retry before
it will accept the email. The assumption is that most spammers do not waste time retrying failed
connections. Therefore, forcing enterprise level Mail Transfer Agents (MTAs) to retry the connection
a second time should reduce the amount of spam received by your organization.
The Greylist is the list of IP addresses which have contacted SonicWALL Email Security once, and
have been sent a request to retry the connection. The Greylist is cleared and restarted every night.
Thus, if the connection is not retried before the Greylist is restarted, that server will be asked to
retry the connection again when it sends a retry of the initial connection request.
SonicWALL Email Security also keeps track of the MTAs that have successfully retried the connection
and are now deemed to be responsible MTAs. These IP addresses are added to a separate list.
Connections from MTAs on this “Responsible MTA List” are accepted without further retry requests,
but the data from the connection is subjected to the rigorous checking performed by SonicWALL
Email Security on all incoming email.
Notes:
• The Greylisting feature is useful only for Email Security servers that are running as the "first
touch" server (receiving email directly from the Internet). SonicWALL recommends disabling
Greylisting if Email Security is not first touch.
• Enabling Greylisting may cause good email to be delayed. The mail should be delivered within
15 minutes, depending on the configuration of the sending MTA.
Benefits of Greylisting
The benefits of enabling Greylisting are:
• Increased effectiveness – Less spam received into the gateway translates to less spam
delivered to the Inbox.
• Better performance – Greylisting can reduce the volume of traffic at the gateway, as well as
traffic to the downstream (e.g., the Exchange server). As a result of the reduced volume,
valuable system resources are freed up (e.g., sockets, memory, network utilization),
allowing SonicWALL Email Security to process more good mail in the same amount of time.
• Storage requirements – With the increasing focus on archiving, Greylisting will reduce the
amount of junk that gets stored in an archive, again saving valuable resources.
If Greylisting is enabled, the Source IP address will be cross-checked against the SonicWALL Email
Security Connection Management components, in the following order:
• Allow-list—If an IP address is on this list, it gets a free pass through Connection Management
(the message is still subject to plug-in chain processing)
• Block-list—This IP address is already blocked from connecting to SonicWALL Email Security
• Defer-list—Connections from this IP address are already configured to be deferred
• DoS—Check to see if the IP address has crossed the DoS threshold, and if so, take the
appropriate action
• Throttling—Check to see if the IP address has crossed the throttling threshold, and if so, take
the appropriate action
• Responsible MTA List—This IP address has already been through and passed the Greylisting
filter
• Greylist—If this is the first time this IP address has contacted us, add it to the Greylist
Note:
• When the Greylisting feature is first enabled, it automatically runs in evaluation mode for the
first 24 hours. During that time, IP addresses will be collected, but no connections will be
deferred. After 24 hours the Greylisting feature will operate fully.
Note:
• Some scenarios can be implemented with either Denial of Service Attack Protection or
Throttling settings. You can choose to throttle mail from clients above one threshold and
choose to block clients above a second threshold.
Connections
In this section you can impose a limit on the number of simultaneous inbound and outbound
connections that your SonicWALL Email Security server can accept.
On the inbound path, this value limits the number of simultaneous connections external hosts can
make to SonicWALL Email Security. On the outbound path, this value limits the number of
simultaneous connections internal hosts can make to SonicWALL Email Security to deliver
messages. When the connections limit is exceeded SonicWALL Email Security will send a transient
failure (421 error code).
Messages
In this section, you can limit messages based on message characteristics such as message size and
number of recipients.
SonicWALL Email Security will return a transient failure (4xx error code) if too many recipients are
specified in a message and a permanent failure (5xx error code) if the message size limit is
exceeded.
Note:
• For limiting message size, SonicWALL Email Security depends on the SMTP client to specify the
message size in the ESMTP transaction.
When an IP address is added to the Allowed list, Email Security will continue to check for spam and
phishing attacks in messages from that IP address. However, messages from IP addresses in the
Allowed list will not be blocked, deferred, or throttled even when the IP address is affected by
connection management rules that would do so. To stop checking for spam and phishing attacks in
messages from a certain IP address, you can configure a policy. See “Configuring a Policy Filter for
Inbound Email” on page 67.
When the SMTP server receives a connection from an IP address on a blocked list, it will respond
with a "554 No SMTP service here" error and reject the TCP/IP connection. For a connection from
a deferred IP address, the transient message is “421 4.4.5 Service not available,
connection deferred.” For a connection from a throttled IP address, it is “421 4.4.5 Service not
available, too many connections due to throttling.”
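
The evaluation order listed in the Greylisting section and the SMTP replies quoted above, combined into one added sketch (not SonicWALL's code). The ConnectionGate class, the per-IP counting window, treating a DoS hit as a block, the midnight-UTC greylist reset and the greylist reply text are assumptions; the page supplies only the order, the 24-hour evaluation mode and the three quoted replies.

```python
from collections import defaultdict, deque

# SMTP replies quoted on the page.
REPLY_BLOCKED = "554 No SMTP service here"
REPLY_DEFERRED = "421 4.4.5 Service not available, connection deferred."
REPLY_THROTTLED = ("421 4.4.5 Service not available, "
                   "too many connections due to throttling.")
# The page does not quote the greylist retry reply; this is a placeholder.
REPLY_GREYLISTED = "4xx <greylist retry reply, not given on the page>"

DAY = 86400


class ConnectionGate:
    """Per-connection decision in the documented order (hypothetical class)."""

    def __init__(self, enabled_at, allow=(), block=(), defer=(),
                 throttle_limit=20, dos_limit=100, window=60):
        self.enabled_at = enabled_at              # when Greylisting was enabled
        self.allow, self.block, self.defer = set(allow), set(block), set(defer)
        self.throttle_limit = throttle_limit      # assumption: connections per window
        self.dos_limit = dos_limit                # assumption: connections per window
        self.window = window                      # assumption: seconds
        self.recent = defaultdict(deque)          # ip -> recent connection times
        self.responsible = set()                  # "Responsible MTA List"
        self.greylist = set()
        self.greylist_day = int(enabled_at // DAY)

    def _rate(self, ip, now):
        q = self.recent[ip]
        q.append(now)
        while q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def evaluate(self, ip, now):
        """Return (action, smtp_reply) for one inbound connection."""
        # 1-3: static lists. An allowed IP skips everything below, but its
        # messages are still scanned later in the pipeline.
        if ip in self.allow:
            return "accept", None
        if ip in self.block:
            return "reject", REPLY_BLOCKED
        if ip in self.defer:
            return "defer", REPLY_DEFERRED
        # 4-5: DoS threshold first, then the lower throttling threshold.
        rate = self._rate(ip, now)
        if rate > self.dos_limit:
            return "reject", REPLY_BLOCKED
        if rate > self.throttle_limit:
            return "defer", REPLY_THROTTLED
        # The Greylist is cleared and restarted every night; the Responsible
        # MTA List is kept.
        if int(now // DAY) != self.greylist_day:
            self.greylist.clear()
            self.greylist_day = int(now // DAY)
        # 6: an MTA that already retried successfully.
        if ip in self.responsible:
            return "accept", None
        # 7: a retry from a greylisted IP promotes it; a first contact is
        # greylisted and asked to retry.
        if ip in self.greylist:
            self.greylist.discard(ip)
            self.responsible.add(ip)
            return "accept", None
        self.greylist.add(ip)
        if now - self.enabled_at < DAY:           # evaluation mode: collect only
            return "accept", None
        return "defer", REPLY_GREYLISTED


if __name__ == "__main__":
    gate = ConnectionGate(enabled_at=0, block={"203.0.113.9"})  # constructed IPs
    for t in (200000, 200300, 200600):
        print(t, gate.evaluate("192.0.2.10", t))
    print(gate.evaluate("203.0.113.9", 200700))
```

A sender whose retry arrives after the nightly reset is greylisted a second time, which is one source of the delivery delay the Greylisting notes mention.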
Backup/Restore Settings
On the System > Backup/Restore page, the administrator can decide what and how SonicWALL
Email Security will back up and restore collected data.
Note:
• It is not necessary to perform either of these functions. Executing these functions depends on
the needs of your organization.
Manage Backup
In the Manage Backups section, the administrator can select from the following backup
configurations:
• Settings -- Select this setting for backing up your user settings, such as user profiles.
SonicWALL recommends that at minimum, you back up your settings, since this data loss would
require a complete re-configuration of your settings.
• Junk Box -- Select this backup setting to enable a snapshot of your Junk Box for future
recovery. Enabling this backup setting requires sufficient disk space and requires 30 to 60
minutes to complete the backup snapshot.
• Archive -- Select this backup setting to enable backing up the archive. This setting backs up
all messages that have been archived on this server's file system. It does not back up messages
that have been archived to an external SMTP server.
• Reports Data -- Select this backup setting to enable a snapshot of your reports data. This
backup setting is the least critical of the three backup settings. Reports data does not include
critical information for system recovery.
Manage Restores
In the Manage Restore section, the administrator can restore data from a snapshot file, from the
following restore configurations:
• The administrator can select either to restore the data from a snapshot file from the SonicWALL
Email Security server or to upload a snapshot from the local hard drive.
A snapshot is saved on the computer work station and not on the SonicWALL Email Security
appliance.
• The administrator can select the snapshot files by checking the boxes of what is to be restored.
From the three selections of Settings, Junk box, and Reports data, the administrator has
the flexibility to choose options suitable for system recovery or system management.
Host Configuration
You can use this page to make changes to the server on which SonicWALL Email Security is
installed.
Note:
• The system will perform a reboot upon a host name change and clicking the Apply Change
button.
Changing the hostname will cause a number of changes to be made to SonicWALL Email Security
settings, configuration files, and will rename some of the directories in the
SonicWALL Email Security installation and data directories.
If you are running the SonicWALL Email Security appliance in split mode, you must also make
changes to the hostname on the other servers. If you rename a Remote Analyzer, you must log in
to the Control Center and click the System > Network Architecture page. Then remove the old
Remote Analyzer hostname from any of the Control Centers with which it is associated, and add the
new Remote Analyzer hostname. If you rename a Control Center, you must log in to the Remote
Analyzers and click the System > Network Architecture page. Then remove the old Control
Center hostname and add the new one.
Networking
To configure network settings, such as the IP address, use the Networking panel. If DHCP
(Dynamic Host Configuration Protocol) is chosen, all the necessary settings will be automatically
found from the network DHCP server. If static IP settings are chosen, additional information must
be entered in the remaining fields.
The More Settings panel allows you to change the date and time of the host machine, restart all
the SonicWALL Email Security services, or reboot the host machine.
! The Advanced page contains tested values that work well in most configurations. Changing
these values can adversely affect performance.
Note:
• Do not adjust the log level unless you are troubleshooting a specific problem.
• Customize the SMTP banner. Use this setting to customize the SMTP banner.
When remote SMTP servers contact SonicWALL Email Security to send email through it, they
see an SMTP header that identifies the server with whom they are communicating as a
SonicWALL Email Security server. Some companies might want to hide this information and
present their own custom SMTP banner header information. Be sure to use valid characters
and syntax for an SMTP header.
• Replace SonicWALL in “Received:” headers: Use this setting to replace the name in the
Received: header. If you do not want to have the SonicWALL Email Security name in the
“Received” headers when sending good email downstream to your servers, use this field to
specify another value.
• LDAP Page Size: Use this setting to change the LDAP page size.
Many LDAP servers, such as Active Directory, specify the maximum page size to query. If
SonicWALL Email Security exceeds this page size, it can cause performance problems both on
the LDAP server and on SonicWALL Email Security.
• Large Junk Box mode limit (in megabytes): When the size of all the messages in the Junk
Box exceeds this setting, SonicWALL Email Security automatically switches from the normal
Junk Box view to the Large Junk Box mode providing detailed search.
The Large Junk Box mode limit defines the number of megabytes of data to display in the
administrator's Junk Box. When the enterprise Junk Box contains a lot of data, SonicWALL
Email Security changes the display so that you can more easily manage and view large
volumes of information. When displaying a large amount of data, the Large Junk Box mode
provides a powerful search mechanism within an individual day of quarantined data. However,
with this display you cannot sort by column as you can in the small Junk Box view.
Depending on your preferences, you can configure this limit lower in order to have a higher
performance Junk Box. Alternatively, you can configure the limit higher to display the small
Junk Box view for larger amounts of data. The default value is 5MB.
The Large Junk Box mode limit does not affect the per-user Junk Box view.
• Click the Test Connectivity to reports database button to verify that you can access the
Reports database. See the Reports and Monitoring chapter in this guide for more information
on accessing and customizing reports.
• Usermap frequency (in minutes): Use this setting to change the usermap frequency.
A Usermap is a local cache of the LDAP server containing the list of email aliases per user.
Usermap frequency is the interval between refreshes of the list of users on
SonicWALL Email Security. This does not affect a user's ability to log on, because that is always
a real-time reflection of the LDAP directory. This setting applies to the list of aliases and lists of
members of groups. In most cases, this setting is only increased to lower the load on your
LDAP server. Depending on your other SonicWALL Email Security settings, accessing the user
list once every 24 hours is acceptable and results in less load on the LDAP server.
• DNS timeout for Sender ID: Enter the number of seconds to search for the DNS record of the
sender. If SonicWALL Email Security cannot find the DNS record in the number of seconds you
specify, it times out and does not return the DNS record of the sender. The default value is two
seconds. You can set this value from 1 to 30 seconds. For more information about SPF, see
“About Sender ID and SPF” on page 40.
• Permit users to add members of their own domain to their Allowed Lists: Use this check
box to enable users to add people within your domain to their Allowed List. For example, if you
work at example.com and check this check box, all users at example.com can be added to your
Allowed list. As a result, their email messages to internal users are not filtered by
SonicWALL Email Security. You can either add people manually or SonicWALL Email Security
automatically adds each person to whom users send email.
The default setting is On.
• Data in the reports database will be removed when older than: Enter the number of days
of data that you want to preserve for reporting information. Lowering this number means less
disk space will be used, but you will not have report data older than the number of days
specified. The default value is 366 days. If your organization's email volume is very high, you
may want to consider reducing this number.
• Save a copy of every email that enters your organization: When email archiving is
enabled, folders containing the entire contents of every email are created in the logs directory
of each SonicWALL Email Security server that analyzes email traffic.
• Save a copy of every email that leaves your organization: When email archiving is
enabled, folders containing the entire contents of every email are created in the logs directory
of each SonicWALL Email Security server that analyzes email traffic.
• Save will automatically be deleted when older than: Enter the number of days of data that
you want to preserve for archiving purposes. Lowering this number means less disk space will
be used, but email archives older than the number of days specified will not be available. The
default value is 10 days. If your organization's email volume is very high, you may want to
consider reducing this number.
Upload Patch
When a new SonicWALL Email Security software update becomes available, the SonicWALL Email
Security appliance automatically downloads the update and alerts the administrator via email that
it is available. Upon logging in to the SonicWALL Email Security administrative interface, a pop-up
screen displays, prompting the administrator to either click to update now or wait to update later.
In some instances an administrator may want or need to apply a patch manually. For example, if
an administrator has multiple servers running in split configuration mode (Remote Analyzer/Control
Center configuration), updates must be applied manually.
Note:
• Updating servers in split mode configuration requires that the Remote Analyzer be updated first
and the Control Center updated last.
You can define multiple methods of identifying spam for your organization; users can specify their
individual preferences to a lesser extent. In addition, SonicWALL Email Security provides updated
lists and collaborative thumbprints to aid in identifying spam and junk messages.
Spam Identification
SonicWALL Email Security uses a multi-prong approach to identifying spam and other unwanted
email. It is useful to understand the general operation so you can build your lists appropriately.
When an email comes in, the sender of the email is checked against the various allowed and blocked
lists first, starting with the corporate list, then the recipient’s list, and finally
the SonicWALL Email Security-provided lists. If a specific sender is on the corporate blocked list but
that same sender is on a user’s allowed list, the message is blocked, as the corporate settings are
a higher priority than a user’s.
More detailed lists take precedence over the more general lists. For example, if a message is
received from aname@domain.com and your organization’s Blocked list includes domain.com but a
user’s Allowed list contains the specific email address aname@domain.com, the message is not
blocked because the sender’s full address is in an Allowed list.
After all the lists are checked, if the message has not been identified as junk based on the Allowed
and Blocked lists, SonicWALL Email Security analyzes the message’s headers and contents, and uses
collaborative thumbprinting to block email that contains junk.
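The list precedence described above, modeled as an added example (not SonicWALL code). The ListSet class, the scope ranks and the sample addresses are assumptions made for illustration; the spf_failed flag reflects this guide's statement that Allowed list entries are ignored when the sender-ID check fails.

```python
from dataclasses import dataclass, field

# Corporate lists outrank the recipient's lists, which outrank the
# vendor-provided lists (the rank numbers are an assumption of this example).
SCOPE_RANK = {"corporate": 3, "user": 2, "vendor": 1}


@dataclass
class ListSet:
    """Allowed/Blocked entries for one scope (hypothetical data model)."""
    scope: str
    allowed: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def __post_init__(self):
        # Entries are case-insensitive and stored in lowercase.
        self.allowed = {e.lower() for e in self.allowed}
        self.blocked = {e.lower() for e in self.blocked}


def list_verdict(sender, list_sets, spf_failed=False):
    """Return 'allowed', 'blocked', or 'analyze' (fall through to content analysis)."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    candidates = []
    for ls in list_sets:
        # A full address (specificity 2) is more detailed than a domain (1).
        for entry, specificity in ((sender, 2), (domain, 1)):
            if entry in ls.blocked:
                candidates.append((specificity, SCOPE_RANK[ls.scope], "blocked"))
            # A failed sender-ID (SPF) check makes Allowed entries irrelevant.
            if entry in ls.allowed and not spf_failed:
                candidates.append((specificity, SCOPE_RANK[ls.scope], "allowed"))
    if not candidates:
        return "analyze"
    # The most detailed entry wins; scope priority decides between
    # entries of equal detail.
    return max(candidates, key=lambda c: c[:2])[2]


def demo_lists():
    """Constructed sample lists covering the two cases in the text."""
    corporate = ListSet("corporate", blocked={"domain.com", "Vendor@Bulk.example"})
    user = ListSet("user", allowed={"aname@domain.com", "vendor@bulk.example"})
    return [corporate, user]


if __name__ == "__main__":
    for sender in ("aname@domain.com", "vendor@bulk.example", "new@partner.example"):
        print(sender, "->", list_verdict(sender, demo_lists()))
```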
| Response | Effect |
|---|---|
| Store in Junk Box (default setting) | The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting. |
| Send to | Enter the email address of the person to receive this email. |
2. Check the Accept Automated Allowed List check box to accept automated lists that are
created by User Profilers. User Profilers analyze your outbound traffic and automatically
populate per-user white lists. This helps reduce false positives.
Note
• If this check box is unchecked in the Corporate, Group, or User windows, User Profilers have no
effect.
3. Check the Skip spam analysis for internal email to exclude internal emails from spam
analysis.
4. Check the Allow users to delete junk to allow users to control the delete button on
individual junk boxes.
Note:
• When you go on vacation, deselect this box so that your vacation-response reply does not
automatically place all recipients on your Allowed list.
5. Click Apply Changes.
If the sender-ID check fails, the Allowed list entry will be ignored.
This page displays the email addresses of senders on the organization’s Allowed or Blocked lists. The
source of the address is shown in the right-hand column.
If you attempt to add your own email address or your organization’s domain, SonicWALL Email
Security will display a warning. A user’s email address is not automatically added to the allowed list,
because spammers sometimes use a recipient’s own email address. Leaving the address off the
allowed list does not prevent users from emailing themselves, but their emails are evaluated to
determine if they are junk.
SonicWALL Email Security Administrator’s Guide|38
Note
• These settings apply to the entire organization. Individual users can add or block people for
their personal lists by clicking Anti-Spam Techniques > People in their
SonicWALL Email Security user accounts. To see an individual user’s lists, you must log in as
that user. For more information, see “Signing In as a User” on page 73.
To search for an address, enter all or part of the email address. For example, entering sale displays
sales@domain.com as well as forsale@domain.com.
Notes:
• You cannot put an address in both the Allowed and Blocked list simultaneously. If you add an
address in one list that already exists on the other, it is removed from the first one.
• SonicWALL Email Security will warn you if you attempt to add your own email address or your
own organization.
• Email addresses are case-insensitive; SonicWALL Email Security converts the address to
lowercase.
• SonicWALL Email Security will ignore any entries to the Allowed list if the sender-ID (SPF) check
fails. For more information on SPF, see “Effects of SPF on Email Security Behavior” on page 41.
Companies or Domains
You can allow and block email messages from entire domains. If you do business with certain
domains regularly, you can add the domain to the Allowed list; SonicWALL Email Security allows all
users from that domain to send email. Similarly, if you have a domain you want to block, enter it
here and all users from that domain are blocked.
Note:
• SonicWALL Email Security does not support adding top-level domain names such as .gov or
.abc to the Allowed and Blocked lists.
Notes:
• A domain cannot be on both the Allowed and Blocked list at the same time. If you add a domain
to one list and it already exists on the other, it is removed from the first list.
• Domain names are case-insensitive and are converted to lowercase.
Mailing Lists
SonicWALL Email Security enables you to add mailing lists, such as listserv lists, to your Allowed
list.
Mailing list email messages are handled differently than individuals and domains because
SonicWALL Email Security looks at the recipient’s address rather than the sender’s. Because many
mailing list messages appear spam-like, entering mailing list addresses prevents misclassified
messages.
Anti-Spam Aggressiveness
The Anti-Spam Aggressiveness window allows you to tailor SonicWALL Email Security to your
organization’s preferences. Configuring this window is optional. SonicWALL Email Security
recommends using the default setting of Medium (or 3) unless you require different settings for
specific types of spam blocking.
You can adjust SMART Network settings to customize the level of influence community input has on
spam blocking for your organization. Updates are provided to your gateway server at defined
intervals.
To adjust your settings, click one of the radio buttons from Mild (1) to Strong (5). A setting of 5
indicates that you are comfortable with the collective experience of the SonicWALL Email Security
user community, and do not want to see more email. A setting of 1 or 2 indicates that you want to judge
more email for yourself and rely less on the collective experience of SonicWALL Email Security's
user community.
Use these settings to specify how stringently SonicWALL Email Security evaluates messages.
• If you choose Mild (check box 1 or 2), you are likely to receive more questionable email in your
mailbox and receive less email in the Junk Box. This can cause you to spend more time weeding
unwanted email from your personal mailbox.
• If you choose Medium (check box 3), you accept SonicWALL Email Security’s spam-blocking
evaluation.
• If you choose Strong (check box 4 or 5), SonicWALL Email Security rules out greater amounts
of spam for you. This can create a slightly higher probability of good email messages in your
Junk Box.
For example, the administrator has determined that they want to receive no email with sexual
content by selecting Strong (5). They are less concerned about receiving advertisements, and
selected Mild (1). You can also choose whether to allow users to unjunk specific flavors of spam.
SonicWALL Email Security uses the following system to determine if the sender is authorized to
send email from the purported address:
1. Stores the IP address of the SMTP client that delivered the message, which is the Source IP
address.
2. Finds the sender of the message, and stores the domain that the message claims to be from.
3. Using the Domain Name System (DNS), queries the domain for its Sender ID record, if it is
published. Those records are published by many domain owners, and create a list of IP
addresses that are authorized to send mail for that domain.
4. Validates that the domain authorizes the Source IP address in its SPF record.
Note:
• SonicWALL Email Security performance might vary if you enable Sender ID because each email
is placed on hold while the DNS server is being queried.
In cases where a certain domain is on a user’s Allowed list, an SPF soft or hard failure will still
prevent spam based on spoofed use of the allowed domain. Once Email Security determines that a
domain has been spoofed in an incoming message, it disables checking of the Allowed list.
To see an example of an SPF record, you can use a tool such as nslookup from your favorite shell.
As an example, to query SPF records for AOL, type:
Languages
You can allow, block, or enter no opinion on email in various languages. If you enter No opinion,
SonicWALL Email Security judges the content of the email message based on the
SonicWALL Email Security modules that are installed.
Note:
• Some spam email messages are seen in English with a background encoded in different
character sets such as Cyrillic, Baltic, or Turkish. This is done by spammers to bypass the
anti-spam mechanism that only scans for words in English. In general, it is recommended to
exclude these character sets unless they are used. Common languages such as Spanish and
German are normally not blocked.
Note:
• SonicWALL Email Security performance may vary if you add Black List Services because each
email is placed on hold while the BLS service is queried.
Add
Click Add and enter the server name of the black list service, for example list.dsbl.org. Each
black list service is automatically enabled when you add it.
Note:
• The email addressed to not_spam@es.your_domain.com and
this_is_spam@es.your_domain.com must pass through SonicWALL Email Security so that it
can be operated on. The same domain as the domain that is used to forward emails to. Using
a domain that does not route, such as “fixit.please.com”, is recommended.
The email administrator can define two email addresses within the appropriate configuration page
in SonicWALL Email Security, such as this_is_spam@es.your_domain.com and
not_spam@es.your_domain.com. As SonicWALL Email Security receives email sent to these
addresses, it finds the original email, and appropriately updates the user’s personal Allowed and
Blocked list.
Note:
• Users must forward their miscategorized email directly to these addresses after you define them
so that SonicWALL Email Security can learn about miscategorized messages.
Note:
• Create an A and an MX record in your internal DNS that resolves es.your_domain.com to your
SonicWALL Email Security server's IP address.
2. Tell users to forward mail to this_is_spam@ES.your_domain.com or
not_spam@ES.your_domain.com.
The mail goes directly to the SonicWALL Email Security servers.
Probe Accounts
Probe accounts are accounts that are established on the Internet for the sole purpose of collecting
spam and tracking hackers. SonicWALL Email Security suggests that you use the name of a past
employee as the name in a probe account, for example, fredjones@example.com.
Configure the Probe Email Account fields to cause any email sent to your organization to create
fictitious email accounts from which mail is sent directly to SonicWALL, Inc. for analysis. Adding this
junk email to the set of junk email messages that SonicWALL Email Security blocks enhances spam
protection for your organization and other users. If you configure probe accounts, the contents of
the email will be sent to SonicWALL, Inc. for analysis.
! A probe account should NOT contain an email address that is used for any purpose other than
collecting junk email. If you enter an email address that is in use, the owner of that email
address will never receive another email - good or junk - again, because all email sent to that
address will be redirected to the SonicWALL corporation’s data center.
Anti-Phishing
SonicWALL Email Security’s Anti-Spam Anti-Phishing module protects organizations against email
containing fraudulent content. There are two audiences for fraud: the consumer and enterprise
users. SonicWALL Email Security focuses on preventing fraud that enters the enterprise via email.
Email is an entry point for malicious hackers.
Phishing aimed at the IT group in the organization can take the following forms:
• Email that appears to be from an enterprise service provider, such as a DNS server, can cause
your organization’s network to virtually disappear from the Web.
• Hacking into your web site can cause it to be shut down, altered, or defaced.
• Email might request passwords to highly sensitive databases, such as Human Resources or
strategic marketing information. The email might take the form of bogus preventive
maintenance.
• Other information inside the organization’s firewall, such as Directory Harvest Attacks (DHA) to
monitor your users.
Phishing can also take the form of malicious hackers spoofing your organization. Email that
appears to come from your organization can damage your community image and hurt your
customers in the following ways:
• Spoofed email can ask customers to confirm their personal information.
• Spoofed email can ask customers to download new software releases, which are bogus and
infected with viruses.
Preventing Phishing
Phishing harms organizations and consumers by raising the price of doing business, which raises
the cost of goods and services. SonicWALL Email Security prevents phishing through:
Anti-Virus Techniques
SonicWALL Email Security’s Anti-Virus modules protect your organization from inbound
email-borne viruses and prevent your employees from sending viruses with outbound email. Once
SonicWALL Email Security has identified the email message or attachment that contains a virus or
is likely to contain a virus, you choose how to manage the virus-infected email.
When any one of the virus-detection engines is activated, you also get the benefit of
SonicWALL Email Security’s Time Zero Virus Technology. This technology uses heuristic
statistical methodology and virus outbreak responsive techniques to determine the probability that
a message contains a virus. If the probability meets certain levels, the message is categorized as
Likely Virus. This technology complements virus-detection engines and enabling this technology
provides the greatest protection for time zero viruses, the first hours that a virus is released, when
major anti-virus companies have not yet modified their virus definitions to catch it.
If you have licensed more than one virus-detection engine, they will all work in tandem.
Licensed virus-detection engines can be used on both inbound and outbound paths.
To determine how frequently you want to check for virus definition updates:
1. Click System > Updates.
The Updates window appears.
2. Choose a time interval from the dropdown list adjacent to Check for Spam, Phishing, and
Virus Blocking Updates.
You can choose every 5 minutes to every 2 hours.
3. Click the Apply Changes button.
SonicWALL Email Security's Zombie and Spyware Protection technology brings the same high
standard of threat protection available on the inbound email path to email messages leaving your
organization through the outbound path.
To enable Zombie and Spyware Protection, navigate to the Anti-Virus Techniques page, click
on the Outbound tab and check the box Enable Zombie and Spyware Protection.
Table 0-1

Action: Action for messages identified as Definite Viruses leaving your organization:
Description: Select one of the following settings:
• Definite Virus filtering off (deliver message to users)—Virus filtering is disabled and
messages are delivered to users without stripping the viruses or likely viruses.
• Permanently delete—The email message is permanently deleted.
• Bounce back to sender—The email message is sent back to the sender with the virus removed.
• Store in Junk box (recommended for most configurations)—Identified email messages that
contain viruses are stripped of the virus attachment and stored in the Junk Box. If you click the
Allow Users to Unjunk button, users can receive the message with the virus or likely virus
removed.
• Send to—Enter a designated email address.

Action: Action for messages identified by SonicWALL’s Time Zero Virus Technology as Likely
Viruses leaving your organization:
Description: SonicWALL's Time Zero Virus Technology uses a combination of Predictive and
Responsive techniques to identify messages with a possible virus. This technology is most useful
when a virus first appears and before a virus signature is available to identify, stop and clean the
virus. Select one of the following settings:
• Likely Virus filtering off (deliver message to users)—Virus filtering is disabled and
messages are delivered to users without stripping the viruses or likely viruses.
• Permanently delete—The email message is permanently deleted.
• Bounce back to sender—The email message is sent back to the sender with the virus removed.
• Store in Junk box (recommended for most configurations)—Identified email messages that
contain viruses are stored in the Junk Box. If you click the Allow Users to Unjunk button, users
can receive the message with the virus or likely virus removed.
• Send to—Enter a designated email address.

Action: Enable Zombie and Spyware Protection to block spam, phishing attacks, and virus
zombies and to alert administrators immediately when a zombie has infected your organization:
Description: This feature is not enabled by default. Select this checkbox to enable Zombie and
Spyware Protection. Once the Zombie and Spyware Protection is selected, the fields in the three
sections below become active.

Action: Monitoring for Zombie and Spyware Activity:
Description: These settings do not take any action other than alerting the administrator of a
potential zombie infection.
Auditing
SonicWALL Email Security’s Auditing module enables the user to monitor all emails, both inbound
and outbound, that pass through SonicWALL Email Security. This allows the user to monitor where
emails have filtered into or locate the destination of a particular email.
Email Auditing
The Email Auditing window can track the path of any message that passes through SonicWALL Email
Security. The Email Auditing window contains a search display that the administrator uses to search
inbound or outbound emails. SonicWALL now uses a search engine to search on audit and junk
messages. Refer to “Supported Search in Audit and Junkbox” section on page 84 for more
information about the search types.
Outbound emails processed by SonicWALL Email Security are those that come from the recipients
of your organization. This includes both junk emails and good emails.
2. To search for specific email threat types, or in specific mail locations, select the desired
checkboxes.
3. Click Search.
Messages matching your search criteria are displayed. To move quickly through results pages, click
in the field that says “Page 1 of 14” and type the result page you want to view. You can also change
the number of messages displayed on each page. As an example, suppose you wanted to see only
messages that were Spam or Likely Spam. Clear all the checkboxes except the Show *Spam and
Show Likely Spam check boxes. Leave all the locations selected and click Search.
Configure Auditing
The Configure Auditing window allows you to tailor SonicWALL Email Security to your organization’s
preferences for auditing emails. Configuration in this window is optional. SonicWALL Email Security
sets the default in the on positions with a default of 30 days for keeping auditing files.
Message Audit
SonicWALL Email Security enables you to diagnose why an email failed through the Message Audit
window. To activate the window, click on the desired email address which is displayed in the inbound
or outbound tab. SonicWALL Email Security displays the message audit.
When the message audit window is open, data is displayed about the actions of the email, such as
the IP address of the computer that sent the email, and also the details about the email itself, such
as the subject heading and message size.
Table 1:

| Message Field | Description |
|---|---|
| Subject | Subject title of the email |
| From | Sender’s email address |
| To | Recipient’s email address |
| Date Received | Date and time, taken from the email header |
| Message Size | Message size |
| Threat | Identifies the threat status of the email |
| Category | Identifies the subtype of spam the email is categorized with |
| Attachment | Attachment |
Judgment Details
The SonicWALL Judgment Details feature allows administrators to view blocked email and
determine why it was blocked. This additional information allows them to tune their filters better
and reduce false positives.
Judgment Details are a description of why a particular email message was flagged as junk or
possible junk by SonicWALL Email Security. This might include keywords, suspicious headers, or
other data that indicates a message is not legitimate. This information is only available to
administrators.
SonicWALL Email Security has always collected data on why a particular email was rejected. A
simplified version of the judgment details appears to users in their junk boxes, explaining that their
messages were flagged as having attributes of a particular category of junk mail, including phishing
or gambling. Judgment Details for administrators is a much more fine-grained tool that identifies
exactly which words, phrases, headers, or contents caused SonicWALL Email Security to put the
message in the Junk Box.
Only emails that are sorted after the auditing for judgment details is turned on will have full details.
When judgment detail is being audited, an administrator can view a message. In addition to the
existing message details, there will be a list of judgment details.
Your judgment details appear as a part of this window. The specific fields recorded depend on
whether the message was inbound or outbound. Not all fields will appear all the time - fewer
judgment details are collected on outbound messages.
You manage policy by creating filters in which you specify the words to search for in content,
senders, or other parts of the email. After filtering for specified characteristics, you can choose from
a list of actions to apply to the message and its attachments.
All other punctuation is used as word separators to split words. Punctuation included in this category
includes the following characters:
~ ! # ^ * + = { } [ ] ; " < > , ? \ | `()"
For example, X~Y is treated as two words, X and Y.
Bzip .bz
Compress .Z
Disguised text identification is as simple and intuitive as traditional word matching; and is more
powerful than using regular expressions to find specific words or terms. In addition, it is far easier
to use and less potentially dangerous than regular expressions.
Note:
• Disguised text identification might result in false positives due to unexpected conditions, and
can be computationally intensive.
Disguised text identification is not meant to be a spam catcher. SonicWALL Email Security has
developed extensive heuristic statistical techniques for catching spam. Instead, this feature allows
you to detect terms that are important to your organization and build policies based on them. You
can use this feature to capture specific terms, for example, route incoming messages with your
product’s name with appropriate trademarks for your sales departments. It can also be used to filter
outgoing mail. As an example, if your organization prohibits sending source code outside of the
company, you could use various programming keywords as search terms and route messages with
those terms to the appropriate manager.
See the Managing Filters section on page 65 for examples of adding inbound and outbound
policies.
Filters
A Policy Filter is an action or actions you want SonicWALL Email Security to take on messages that
meet the conditions you define. SonicWALL's Policy Management module enables you to filter email
as it enters or exits your organization. Policy Management is a tool only for administrators: policies
cannot be managed individually and are not user-configurable.
Note:
• The fields in the window will change based on the action you choose.
4. The Enable this Filter checkbox is checked by default. Uncheck the checkbox to create rules
that do not go into effect immediately.
5. Choose whether the filter matches All of the conditions or Any of the conditions:
   ◦ All - Causes email to be filtered when all of the filter conditions apply (logical AND)
   ◦ Any - Causes email to be filtered when any of the conditions apply (logical OR)
6. Choose the part of the message to filter.
| Select | Definition |
|---|---|
| Judgement | The server’s assessment of a categorized message threat |
| Subject or Body | Filter based on information in the subject and body of the email |
| Subject, Body, or Attachments | Filter based on information in the subject, body, and attachments of the email |
| Message header | Filter by the RFC822 information in the message header fields, which includes information including the return path, date, message ID, received from, and other information |
7. Choose the matching operation. The choices for matching operation vary with the message
part being matched against. The following table describes the matching operations available.
With Specific Phrase: Equivalent to “Find complete phrase”.
• Search for the words “is Mail” from the subject line “This is Mail” will match.
• Search for the word “is Mail” from the subject line “This is MailFrontier” will not match.

Starts With: The message part being searched for should start with the search value.
Example: Search for “This” from the subject line “This is Mail” will match.

Ends With: The message part being searched for should end with the search value.
Example: Search for “is Mail” from the subject line “This is Mail” will match.

Is: Only the search criteria should exist (exact match).
• Search for the word “Mail” from the subject line “This is Mail” will not match.
• Search for “is Mail” from the subject line “is Mail” will match.

Is Not: Only the search criteria should not exist.
Example: Search for the phrase “is Mail” from the subject line “This is MailFrontier” will match.

Contains: Substring search.
Example: Search for “is Mail” from the subject line “This is Mail” will match.
8. Enter the words or phrase that you want to filter in the Search Value text box. Select the
appropriate check boxes.
   ◦ Match Case - Filters a word or words sensitive to upper and lower case.
   ◦ Intelligent Attachment Matching - Filters attachment names, such as .exe or .zip.
   ◦ Disguised Text Identification - Filters disguised words through the sequence of its letters,
   for example Vi@gr@.
Note:
• Disguised Text Identification cannot be used together with Match Case and can be selected only
for Body and Subject message parts.
If the Compliance Module is active, the administrator has additional filtering conditions that can be
set. The Use Dictionary option of using terms from a dictionary can be selected, as well as the
Use Record Match option which looks for numbers such as telephone numbers or social security
numbers.
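The matching operations, the Match Case option and the All/Any choice from the steps above, expressed as an added example (not the product's implementation). It takes "With Specific Phrase" as a whole-word match using the separator punctuation listed earlier in this chapter and the other operations as plain string comparisons; whitespace as a separator, the function names and the sample message are assumptions.

```python
import re

# Separator punctuation listed in this guide, plus whitespace (assumed).
SEPARATORS = '~!#^*+={}[];"<>,?\\|`()'
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + r"\s]+")


def words(text):
    """Split text into words on the separator characters, e.g. X~Y -> X, Y."""
    return [w for w in _SPLIT.split(text) if w]


def _has_phrase(part, value):
    """True when value's words occur in part as a consecutive run of whole words."""
    h, n = words(part), words(value)
    return bool(n) and any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


OPERATIONS = {
    "With Specific Phrase": _has_phrase,
    "Starts With": lambda part, value: part.startswith(value),
    "Ends With": lambda part, value: part.endswith(value),
    "Is": lambda part, value: part == value,
    "Is Not": lambda part, value: part != value,
    "Contains": lambda part, value: value in part,
}


def condition_matches(part, operation, value, match_case=False):
    """Evaluate one condition; comparison ignores case unless match_case is set."""
    if not match_case:
        part, value = part.casefold(), value.casefold()
    return OPERATIONS[operation](part, value)


def filter_matches(message, conditions, mode="All"):
    """conditions: (message_part, operation, value) tuples.

    mode 'All' requires every condition (logical AND); 'Any' requires one (OR).
    """
    results = (condition_matches(message.get(part, ""), op, value)
               for part, op, value in conditions)
    return all(results) if mode == "All" else any(results)


# Constructed sample message for the demonstration below.
SAMPLE_MESSAGE = {"subject": "Re: job application", "body": "Resume attached."}

if __name__ == "__main__":
    subject = "This is MailFrontier"
    # Substring search hits where whole-word phrase matching does not.
    print(condition_matches(subject, "Contains", "is Mail"))              # True
    print(condition_matches(subject, "With Specific Phrase", "is Mail"))  # False
```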
1. Click the plus sign (+) to add another layer of filtering. See “Junk Emails with Attachments
over 4MB” on page 60.
You can add up to 20 filters.
Filters are similar to rock sifters. Each additional filter adds further screens that test email for
additional conditions.
2. Choose the response action from the Action drop-down list.
| Action | Effect |
|---|---|
| Log as event | The email message is logged. No further processing in Policy management occurs (default). This option stores a log of all messages so that the administrator has a record and can analyze traffic patterns. The log is in the mfe log. NOTE: Policy management logs all messages as events regardless of the action specified. |
| Permanently delete | The email message is permanently deleted and no further processing occurs in any SonicWALL Email Security module. This option does not allow the user to review the email and can cause good email to be lost. |
| Store in Junk Box | The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. The user has the option of unjunking the email. |
| Store in Approval Box | The email message is stored in the Approval Box. It will not be delivered until an administrator approves it for delivery. |
| Bounce back to sender | The message is returned to sender with an optional message indicating that it was not deliverable. |
| Deliver and bounce | The message is delivered to the recipient and is bounced back to the sender with an optional message. |
| Deliver and skip Spam and Phishing Analysis | The message is delivered without spam or phishing analysis. |
| Route to | The message is routed to the specified email address. The message can be routed to only one email address. |
| Deliver and route to | Deliver to the recipients and also route to the specified email address. The message can be routed to only one email address. |
| Tag subject with | The subject of the email is tagged with the specified term. |
| Strip all attachments | Remove all the attachments from the email. |
| Append text to message | The specified text is appended to the message body. |
| Issue email notification | Sends an email notification to the recipients of the email that triggered the rule. |
| Route to IP | The message is routed to the specified IP address. The message can be routed to only one IP address. |
| Deliver and Route to IP | Deliver to the recipients and also route to the specified IP address. The message can be routed to only one IP address. |
| Encrypt | Message is sent to the encryption center for encryption. This action is used for outbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Encryption page. |
| Decrypt | Message is sent to the decryption center for decryption. This action is used for inbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Encryption page. |
When no additional filtering is required on a message, select the and stop processing policy
filters checkbox. This checkbox is automatically selected and grayed out when you have selected
a terminal action. If additional actions need to be performed on the same message, select the plus
sign (+) to the right. You cannot add the same action more than once to a specific filter rule. As a
result, once an action has been selected, it will not be available in the drop-down list for further
selection within the current filter rule.
3. Type a descriptive name in the Filter Name text box.
4. Select a policy group you want to apply this filter to. By default, All Groups will be selected
and this filter will apply to all email messages.
5. Click Save This Filter.
Language Support
Policy management supports filtering messages based on non-English terms in the Search Value.
For example, you can search for a Japanese word or phrase in the body of a message. However,
SonicWALL Email Security does not support adding text strings to email messages in languages
other than English and does not support foreign language filter names.
Note:
• To view messages in Asian languages, you might need to install East Asian Language Packs on
the server where you run SonicWALL Email Security (for Windows only). This applies to
deployments using the SonicWALL Email Security Software Edition.
Managing Filters
The main Policy Management page lists all the filters created in the system for the Inbound and
Outbound path. From this view, you can Add New Filter, Change the order of filters, Edit or
Delete filters. Filters that have been enabled are indicated with a green tick mark.
Editing a Filter
Deleting a Filter
To delete a filter, click the Delete button adjacent to the filter.
To change the order of the filters, use the up and down arrow icons to the left of the filters.
Advanced Filtering
then take the following actions: Append text to the end of the message,
This is my company disclaimer
If an email is
• Not judged as spam
• The subject or body of the email contains the words job application
Exclusive Actions
The action named Permanently delete is an exclusive action and is terminal in nature: no further
policy filtering is possible after this action has been performed. The Stop Processing Policy
Filters checkbox will be automatically enabled and grayed out if an exclusive action is selected.
Parameterized Notifications
SonicWALL Email Security supports parameterized notifications wherein you can use pre-defined
parameters in the text fields for the Issue Email Notification action. These parameters will get
substituted with corresponding values when the message is processed. You can use these
parameters in either the Subject or Message Text fields of the Issue Email Notification action. The
parameters can be used multiple times and are substituted each time they are used. Each
parameter entered should start and end with the % symbol.
Parameter             Value
%FILTER_NAME%         The name of the policy filter which took the action on the triggering email
%MATCHED_RECORDID%    The Record ID file name which has a matching pattern in the triggering email
Policy Groups
In some cases, it may be appropriate to associate a policy filter to a group of users rather than the
entire organization. For example, you may want a policy filter to be applied to all incoming email
messages sent to your sales team and no one else in your organization.
If you want policy filters you create to be applied to a particular group of users, you first have to
create policy groups from LDAP. Policy groups, once created, can be associated with either inbound
or outbound policies.
To manage policy groups, select the Policy Groups link under the Policy & Compliance module. From
this screen, you can manage all policy groups for your SonicWALL Email Security setup.
To add a new policy group, select the Add New Group button.
From the pull-down menu, select one of three methods to locate a desired group:
equal to (fast)           search using the actual name
starting with (medium)    search using the first few characters
containing (slow)         search using a substring of characters
Once the list of group names is displayed, select the checkbox of the group you wish to add. Click
on the Add Group button.
To remove a group, check the group(s) to be removed and select the Remove Group button. You
can view the members of a group by selecting that group and clicking on the List Group Members
button.
If a user is present in more than one group, that user is treated as a member of the group that
is listed highest in the list. To change the order in which groups are listed, use the up and down
arrow icons to the left of the groups.
For example, in the above illustration, if jdoe@company.com is listed under both SalesEngineering
and Sales, the policy filter that is associated with SalesEngineering will be applied to email
messages for jdoe@company.com.
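The precedence rule above can be checked offline before groups are reordered. The following Python is an added example, not SonicWALL code: it models "highest-listed group wins" and reports groups whose filters would never apply. The group memberships, the jsmith address, the function names and the case-insensitive address comparison are assumptions made for illustration.

```python
def resolve_policy_groups(ordered_groups):
    """Model of the 'highest-listed group wins' rule.

    ordered_groups: list of (group_name, member_addresses), in the order
    shown on the Policy Groups page, highest first.

    Returns (effective, shadowed):
      effective maps each user to the one group whose filters apply;
      shadowed maps each user to the lower-listed groups that are ignored.
    """
    effective, shadowed = {}, {}
    for group, members in ordered_groups:
        for address in members:
            # Assumption: addresses are compared case-insensitively.
            user = address.strip().lower()
            if user not in effective:
                effective[user] = group
            elif effective[user] != group:
                shadowed.setdefault(user, []).append(group)
    return effective, shadowed


def groups_never_applied(ordered_groups):
    """Groups in which every member is claimed by a higher-listed group.

    A policy filter associated with such a group matches no one.
    """
    effective, _ = resolve_policy_groups(ordered_groups)
    applied = set(effective.values())
    return [g for g, members in ordered_groups if members and g not in applied]


# Constructed memberships; only jdoe@company.com and the two group names
# come from the guide's example.
PAGE_ORDER = [
    ("SalesEngineering", ["jdoe@company.com"]),
    ("Sales", ["jdoe@company.com", "jsmith@company.com"]),
]
REVERSED_ORDER = [PAGE_ORDER[1], PAGE_ORDER[0]]

if __name__ == "__main__":
    for label, order in (("page order", PAGE_ORDER), ("reversed", REVERSED_ORDER)):
        effective, shadowed = resolve_policy_groups(order)
        print(label, effective, shadowed, groups_never_applied(order))
```

With the order reversed, every member of SalesEngineering is already claimed by Sales, so a filter scoped to SalesEngineering silently stops applying.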
Compliance Module
This module is accessible through the optional purchase of a Compliance Subscription License Key
and enables organizations to make efforts in ensuring that email complies with relevant regulations
and/or corporate policies.
Once the Compliance Module is activated, the network administrator has access to the new
Encryption and Archiving features in addition to features such as additional filtering tools that
enhance the Standard Module.
Note:
• When the Compliance Module license expires, filters that were created during the valid license
  period will continue to work, taking advantage of the advanced features. However, the
  administrator will not be able to add any new filters to use licensed features until a license to
  the module is obtained.
Dictionaries
A dictionary is a convenient collection of words or phrases that you can group together for
use in policy filters. A dictionary can be specified as a search value in a policy filter. Dictionaries can
be created or modified either manually or by importing from a file in the file system.
A predefined dictionary is a group of words or phrases all belonging to a specific theme such as
medical or financial terms, which can be used as a database of words that filters can look for. By
default, SonicWALL Email Security provides two pre-installed dictionaries:
• Financial Terms
• Medical Drug Names
Approval Boxes
An Approval Box is a list of stored email messages that are waiting for an administrator to take
action. They will not be delivered until an administrator approves them for delivery. The View
Approval Box for drop-down list allows you to have two different views of Approval Boxes: the
Manager view and the individual approval box view.
To see a list of the Approval Boxes that have been created, select Approval Box Manager from
the View Approval Box for pull-down menu. The Approval Box Manager view allows you to
edit or delete existing Approval Boxes, and to create new Approval Boxes.
To see the contents of a particular Approval Box, choose the desired Approval Box name from the
View Approval Box for drop-down list. This page allows you to search the messages stored in that
Approval Box and to take action on any of those messages.
Note:
• Only users who have administrative rights can see the contents of an approval box. See Chapter
  7, “User and Group Management” for managing user rights and privileges.
4. Enter a list of email recipients in the text box. Separate multiple email addresses with a
carriage return.
Note:
• Make sure that the email recipients you enter are users that have administrative rights to the
  SonicWALL Email Security appliance. If they do not have administrative access, they will not be
  able to view the approval boxes when they receive email notification.
5. Select a notification frequency for this approval box. Approval box notification emails for this
approval box will be sent according to the schedule you choose here.
6. Write the email subject line for this notification.
7. Click the Apply Changes button to save your changes to this approval box notification.
Encryption
This section is used to configure the servers used to encrypt and decrypt messages. Once
configured, you may create a policy filter for which the action is to encrypt or decrypt messages.
A policy action of encrypt can be used to direct confidential outbound messages to the encryption
server. A policy action of decrypt can be used to direct confidential inbound messages to the
decryption server.
Record ID Definitions
A Record ID Definition can be used to detect specific IDs described by a series of generic patterns.
This section allows the administrator to predefine a cluster or clusters of letters and numbers into
logical sets of groups such as social security numbers, patient medical record numbers, or credit
card numbers. When these patterns are discovered, compliance actions can be taken to ensure that
the organization's privacy and security regulations are met. The filter will stop processing a
message after it finds the first matching Record ID Definition.
By default, SonicWALL Email Security provides the following pre-installed Record ID Definitions:
• ABA Bank Routing Number
• Canadian Social Security Number
• Credit Card Number
• Date
• Phone Number
• Social Security Number
• Zip Code
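How a first-match Record ID scan and the %FILTER_NAME% / %MATCHED_RECORDID% parameters from Parameterized Notifications fit together, as an added Python example that is not SonicWALL code and does not use the appliance's pattern syntax. The regexes, the checksum validators, evaluating definitions in list order, leaving unknown parameters untouched, and all function names are assumptions made for illustration.

```python
import re


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits):
    """ABA routing number checksum: weights 3, 7, 1 repeated, sum mod 10 == 0."""
    weights = (3, 7, 1) * 3
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def ssn_ok(digits):
    """Reject number ranges that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


# Constructed stand-ins for Record ID Definitions: (name, pattern, validator).
# A validator after the pattern match cuts false positives such as order numbers.
RECORD_ID_DEFINITIONS = [
    ("Credit Card Number", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok),
    ("ABA Bank Routing Number", re.compile(r"\b\d{9}\b"), aba_ok),
    ("Social Security Number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
]


def first_matching_record_id(text):
    """Return the name of the first definition that matches, then stop.

    Assumption: definitions are tried in list order.
    """
    for name, pattern, valid in RECORD_ID_DEFINITIONS:
        for match in pattern.finditer(text):
            if valid(re.sub(r"\D", "", match.group())):
                return name
    return None


PARAMETER = re.compile(r"%([A-Z_]+)%")


def render(template, values):
    """Substitute every occurrence of each known %PARAMETER%.

    Assumption: unknown parameters are left as typed.
    """
    return PARAMETER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def build_notification(filter_name, body, subject_template, text_template):
    """Return (subject, text) for a triggering message, or None if nothing matched.

    Only the definition name is substituted, so the notification itself
    never carries the sensitive value that triggered it.
    """
    record_id = first_matching_record_id(body)
    if record_id is None:
        return None
    values = {"FILTER_NAME": filter_name, "MATCHED_RECORDID": record_id}
    return render(subject_template, values), render(text_template, values)


if __name__ == "__main__":
    # Constructed message body using well-known test numbers.
    body = "Please charge 4111 1111 1111 1111; my SSN is 078-05-1120."
    print(build_notification(
        "Outbound PCI check", body,
        "[%FILTER_NAME%] policy match",
        "Filter %FILTER_NAME% matched %MATCHED_RECORDID%. (%FILTER_NAME%)"))
```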
Archiving
This section is used to configure how messages are archived. Once configured, you may create a
policy filter for which the action is “Route copy to archive”. Messages can be archived either to a
remote archive server or to a file system.
To have messages archived to a remote server, click the External SMTP Server radio button, and
enter the IP address of the server to which email messages should be routed for archiving in the
Route to Archive Email Address field.
This chapter also describes how to assign a delegate to manage your Junk Box. For more
information, see “Assigning Delegates”.
Notes:
• To manage users and groups from within this module, you need to have configured your
  SonicWALL Email Security setup to synchronize with your organization’s LDAP server. You can
  configure LDAP settings and queries on the System > LDAP Configuration page.
• SonicWALL Email Security queries your corporate LDAP server every hour to update users and
  groups. Changes made to some settings in this section may not be reflected immediately on
  SonicWALL Email Security, but are updated within an hour.
From this screen, you can sign in as a user, set their message management settings to corporate
default and edit their privileges in the system.
Sort
Click User Name or Primary Email to sort the list of users by that column.
Signing In as a User
Administrators can sign in as any user, see their Junk Box, and change the settings for that user. In
addition, you can sign in as a particular user to manage their delegates for them.
Import
The administrator can add multiple non-LDAP users by importing a list of names. The list is made
up of the primary addresses followed by the corresponding aliases of the users. The imported file
can be appended to the existing names, or overwrite them. The format of the file is tab-delimited.
One may use an Excel spreadsheet to generate a user list and save it as a tab-delimited file. To
import the list, click the browse button to locate the file and click Import.
Export
The administrator can download a tab-delimited list by clicking this button. The file generated lists
multiple non-LDAP users and can later be imported using the Import feature.
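A pre-import check for the tab-delimited user list described under Import and Export, as an added Python example that is not SonicWALL code. The exact layout (one user per line, primary address first, aliases in the following tab-separated fields), the example.com addresses, the loose address check and the function names are assumptions made for illustration.

```python
import re

# Deliberately loose sanity check: one "@", no whitespace, a dot in the domain.
ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_import_file(text):
    """Validate a tab-delimited user list before importing it.

    Returns (users, problems):
      users maps each primary address to its list of aliases;
      problems is a list of (line_number, reason, address) for rejected lines.
    """
    users, owner, problems = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = [f.strip().lower() for f in line.split("\t") if f.strip()]
        if not fields:
            continue  # blank line
        # A field containing spaces usually means spaces were used instead of tabs.
        bad = [a for a in fields if not ADDRESS.match(a)]
        for a in bad:
            problems.append((lineno, "malformed address", a))
        if bad:
            continue
        primary = fields[0]
        # An address may belong to one user only, as primary or as alias.
        clash = [a for a in fields if a in owner and owner[a] != primary]
        for a in clash:
            problems.append((lineno, "already assigned to " + owner[a], a))
        if clash:
            continue
        for a in fields:
            owner[a] = primary
        aliases = users.setdefault(primary, [])
        for a in fields[1:]:
            if a != primary and a not in aliases:
                aliases.append(a)
    return users, problems


def to_import_text(users):
    """Write the users mapping back out in the same tab-delimited layout."""
    return "\n".join("\t".join([primary] + aliases) for primary, aliases in users.items())


# Constructed sample file.
SAMPLE = "\n".join([
    "jdoe@example.com\tjohn.doe@example.com\tjd@example.com",
    "asmith@example.com\tjd@example.com",   # alias already owned by jdoe
    "bob@example.com alias@example.com",    # space used instead of a tab
    "jdoe@example.com\tj.doe@example.com",  # second line for the same user
])

if __name__ == "__main__":
    users, problems = check_import_file(SAMPLE)
    print(users)
    for problem in problems:
        print("line %d: %s: %s" % problem)
```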
Add
The administrator can add individual non-LDAP users. Fill out the Primary Address and Alias fields
and click Add. If you add an existing user with an alias, that alias is added to the user.
This is not dependent on LDAP status.
Note:
• Users added in this way remain non-LDAP users. Their User Rights cannot be changed. Their
  source will be listed as Admin. Users can edit their Junk Box setting only if the administrator
  sets the Junk Box setting, Enable "Single Click" viewing of messages, to "Full Access" in the
  System > Junk Box Summary page.
Remove
The administrator can remove individual non-LDAP users. First select a non-LDAP user by using the
checkbox in front of the name, then click the Remove button to delete the name from the list.
Configure LDAP groups on your corporate LDAP server before configuring the rights of users and
groups on SonicWALL Email Security in the User and Group Management screen.
SonicWALL Email Security allows you to assign roles and set spam-blocking options for user groups.
Though a user can be a member of multiple groups, SonicWALL Email Security assigns each user
to the first group it finds when processing the groups. Each group can have unique settings for the
aggressiveness of the various kinds of spam prevention. You can configure each group to use the
default settings or specify settings on a per-group basis.
Updates to group settings in this section are not reflected immediately. The changes will be
reflected the next time SonicWALL Email Security synchronizes itself with your corporate LDAP
server. If you want to force an update, click on the Refresh From LDAP button.
To find a group
1. Search for the group you want by entering the name in the text box. Choose the search
mechanism and search speed: equals (fast), starts with (medium), or contains (slow). Click
Go to begin the search.
or
Scroll through the list of groups to locate the group you want to add.
2. Click the checkbox to include the group.
3. Click Add Group.
A message appears stating that the group was added successfully.
Removing a Group
1. Click the checkbox adjacent to the group(s) to remove.
2. Click the Remove Group button.
A success message appears.
Note:
• The Adhere to Corporate/Group Defaults box is checked by default. By opening this screen, you
  are now editing the spam blocking options for this one group. There is an Adhere to Corporate
  Defaults check box at the very top of each sub-page in this dialog. This check box applies only
  to the values on that one page and for the current group only. For example, you can adhere to the
  corporate defaults for the two pages User View Setup and Rules and Collaboration, then uncheck
  the box and set custom settings for this one group for Foreign Language, and uncheck the
  box and set custom settings for this group for Spam Management.
To enable the specified group to have special privileges, deselect the Adhere to
Corporate/Group Defaults box.
• For each category of spam, determine the level and whether members of the group are allowed to
  unjunk their Junk Boxes.
• Click Apply Changes.
Spam Management
You can manage how groups deal with spam through the Spam Management window.
Phishing Management
The phishing management window gives you the option of managing phishing and likely phishing
settings at a group level. Just like spam management options, it allows you to deal with phishing
differently for different groups. However, unlike spam management options, these settings cannot
be altered for individual users.
Virus Management
The virus management window gives you the option to manage virus and likely virus settings at a
group level. Just like spam management options, it allows you to deal with viruses and likely viruses
differently for different groups. However, unlike spam management options, these settings cannot
be altered for individual users.
Assigning Delegates
Delegates are people who have full access to your individual Junk Box. This includes the ability to
change your Junk Box settings and manage the messages in your Junk Box. The most common use
of delegates is for an administrative assistant to act as a delegate of the CEO of a company. The
assistant frequently has access to all of the CEO's email, so the assistant now would have access
to the CEO's Junk Box and Junk Box settings as well.
Users
When an administrator logs in and views the Users page, she sees all the email addresses that exist
on that instance of SonicWALL Email Security. The administrator can then narrow the view to only
the entries from that LDAP.
Note:
• The Using Source selection allows administrators to access users who were added directly to
  SonicWALL Email Security, and did not come in through an LDAP entry. These entries will not
  be deleted with an LDAP deletion.
You will see only the users associated with that LDAP source. The list of users can be sorted by user
name, primary email address, user rights, or source. If you have already filtered by source, sorting
by source will not retrieve anything outside the filter.
To sort a list of users, click on the column heading that describes the sort type. Click again to sort
in reverse order.
Each LDAP user record has a checkbox next to it. To edit a user or users, check the box. If you select
one user, you can log in as that user or edit that user’s rights, for example, to elevate them to group
admin or help desk-level rights. If you select more than one user, you can only change their
message management style to the default style.
Because there are usually many records in an LDAP source, SonicWALL Email Security has provided
several ways of looking for a specific user.
If you want to add a user who does not appear in the automatically-generated list from your LDAP,
you can choose to manually add an account. If an LDAP is not provided, the user will be added to
the default LDAP source. You cannot add users to your LDAP from the SonicWALL Email Security
interface.
To add a user
1. Log in as the Email Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Click Add.
5. Enter the user’s fully-qualified email address, choose a source (if any), and any aliases you
wish to associate with the user.
To delete a user
1. Log in as the Email Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Select the user you wish to delete. Deleting a user will not remove the user’s LDAP entry, only
the entry in the Email Security.
5. Click Add.
Groups
Administering groups
Use groups within SonicWALL Email Security to incorporate or extend existing LDAP groups. You
can also change a group’s security role in SonicWALL Email Security and view the membership of a
group.
4. From the Using Source drop-down menu, choose the LDAP source associated with the groups
you want to view. Click Go.
5. If you do not see the group you want, click the Add Group button. You can choose an existing
group from one of your sources. You cannot create a group that does not exist.
You can change each group’s role in SonicWALL Email Security. Email Security roles determine a
user’s permissions to change Email Security settings, including user settings.
You will see a pop-up window that lists the group’s membership by primary email address.
Junk Box
The Junk Box allows you to review and process email messages that have been flagged as spam,
virus-infected, organization policy violations, or phishing. You can unjunk or release a falsely
identified message. When you or the recipient unjunks an incoming message,
SonicWALL Email Security adds the sender of the message to the recipient’s Allowed list and
delivers the email to the recipient.
The size of the Junk Box can grow rapidly. By default, messages are stored in the Junk Box for 30
days and deleted after that. You may need to customize this setting depending on your
organization’s policies and the storage capacity of the shared data directory where messages are
stored. To change this setting, go to System > Default Message Management > Store in Junk Box
and delete after and choose a value between 1 and 180 days.
Messages in the Junk Box can be quickly sorted and viewed by threat type. Messages that contain
definite spam, phishing, and viruses have red asterisks (*) adjacent to them. Messages that contain
likely spam, phishing, and viruses do not have any marks.
2. To search for specific email threat types, clear the check boxes under the Search text box to
remove the information you want excluded.
3. Click Search.
Messages matching your search criteria are displayed. To move quickly through results pages, click
in the field that says “Page 1 of 14” and type the result page you want to view. You can also change
the number of messages displayed on each page. As an example, suppose you wanted to see only
messages that were Spam or Likely Spam. Clear all the checkboxes except the Show *Spam and
Show Likely Spam check boxes. Leave all the locations selected and click Search.
Unjunk
This button is available only on the inbound junk box. Select Unjunk to forward the selected
messages to the recipient and add the sender of each message to the recipient’s Allowed list.
Unjunking a message removes it from the Junk Box.
Send Copy To
Select Send Copy To to forward a copy of the messages (including attachments, if any) to the
specified email address. The message will still remain in the Junk Box. This button is
available only to members of the administrative group, and only if they are allowed to view the
messages in the Junk Box.
Release
This button is available only on the outbound junk box. Select Release to release the selected
messages from the queue and forward them to the recipients. The message will be removed from
the Junk Box.
Delete
Deletes the selected messages. Messages are automatically deleted after a set number of days, so
there is no need to do this on a regular basis. Set the number of days messages are kept in the
junk box through the System > Default Message Management > Number of days to store
messages in the Junk Box field.
Message Details
You can scroll through the messages and click the Subject field to view more information about the
message in plain text. Depending on your user access set up, you might see the content of the
messages. To control who is allowed to preview the content of messages, go to System > User
View Setup.
From the Junk Box Summary window, users can determine the language, frequency, content, and
format of Junk Box summaries.
Boolean Search
• OR Operator: This is the default search. Add OR in between search words. The results will
  contain any of these search words.
• AND Operator: Add ‘+’ before the search word, or AND in between search words. Each result
  must contain these words.
• NOT Operator: Add ‘-’ before the search words, or NOT in between search words. The results
  must not contain these search words.
Wildcard Search
• * operator: Add * to the middle or end of the word. This substitutes more than one character
  in the search word, and attempts to perform a search on all possible words.
• ? operator: Add ? to the middle or end of the word. This substitutes one character and will find
  the match for the word.
Note: Wildcard operators should be added to the middle or end of the text, rather than at the
beginning.
Phrase Search
A phrase is a group of words surrounded by “quotes.” The exact phrase will be searched.
Fuzzy Search
Add ‘~’ to the end of the word to search for the closest possible match. This search is useful when
search words have an error, or the exact spelling for the text is unknown.
Proximity Search
This searches for words closer to each other.
The syntax is “word1 word2”~distance
CHAPTER 9
Status Reports
For a description of the different monitoring methods available in SonicWALL Email Security, see the
following sections:
• “System Status”
• “MTA Status”
• “Real-Time System Monitor”
• “Performance Monitoring”
System Status
The System Status window shows the status of SonicWALL Email Security and the status of
connections with other systems that it needs to communicate with. A green check indicates the
system is functioning as expected and a red X indicates it is not.
The lower half of the System Status window in the Control Center Status section shows system
statistics, including the disk space used by the Junk Box, free disk space on the data drive, and free
disk space on the install drive.
MTA Status
The MTA status page gives details on the status of the mail transfer agent (MTA) if one or more
paths have been configured to act as MTAs.
If one or more paths are configured to act as MTAs, this section will provide additional information
about their host.
  ◦ Host - This column shows the name of the host(s).
  ◦ Number of messages delivered in last hour - This column shows the number of
    messages delivered by the MTA in the last hour.
  ◦ Number of message recipients in all queues combined - This column shows the sum
    of the messages in the queues of all the MTAs.
• MTA Status on Inbound/Outbound Paths
  If one or more paths are configured to act as MTAs, these two sections will provide additional
  information about the paths. The columns and the values they represent are:
  ◦ Host (src/listen/dest) - This column shows the various paths you configured in the
    Network Architecture section.
    src is the source IP contacting path: the IP address of a machine that is allowed to connect
    to and relay email through this path.
    listen is the IP address and port on which this path listens for connections.
    dest is the destination to which this path routes email.
  ◦ Path is configured to be an MTA - This column shows whether the listed path is
    configured to be a proxy or an MTA.
  ◦ Number of message recipients in queue - This column lists the number of messages in
    the queue if the path is an MTA. If it is a proxy, messages are not queued and this column
    will indicate N/A.
To see details about the messages in a queue, click the Show Details link for that queue. To see
details for messages on a particular server, you must log in to SonicWALL Gateway on that server.
The Message Throughput History graph shows the number of emails processed by this server per
second.
The Message Bandwidth History graph shows the total bandwidth used for email in bytes per
second. The bandwidth is the sum of the sizes of all the messages passing through this SonicWALL
Email Security server per second.
Performance Monitoring
This feature allows administrators to view and compare performance metrics with the Email
Security interface without downloading and formatting CSV files. The performance monitoring
section displays data that has always been collected by SonicWALL Email Security.
Performance monitoring allows administrators to monitor a single metric over a period of time, or
to compare two metrics. Once an administrator creates a graph, the graph can be saved or emailed
to share with others who do not have administrator privileges.
The "View Multiple metrics for a given date" option creates a graph which contains one or two
process metrics for a given date. If there are two metrics, a second y-axis scale will appear at the
right-hand side of the graph for the interpretation of the second metric.
The "Compare many data files for a single performance metric" option creates a graph for a single
process metric across multiple days. Each day's worth of data is a line of a different color. Up to six
data files can be displayed.
Graphs are shown for a 24-hour period starting and ending at midnight GMT+0. Once a graph is
specified, it will not display or redraw until the "Refresh Reports" button is clicked. To view the raw
data files used to build a particular graph, click either the "Email to…" or the "Download" buttons
and a ZIP file containing the data files and also the bitmap will be provided accordingly.
Monitored Metrics
The following processes are currently monitored and available as data files. These data files have
always existed, but the information is now more readily accessible.
• Monitoring Service
• Tomcat Service
• Replicator Service
• SMTP Server
• Thumb Updater Service
• Database Service
• Operating System
• MTA Service
• Message Statistics
Metrics List
These are the process metrics that are being tracked and stored in the data files. Most of these
metrics exist in each process. The most common metrics appear in the table below. Metrics not
shown in the list are usually System process monitoring.
%Disk Time                    The percentage of elapsed time that the selected disk drive was busy servicing read or write requests.
Fraud Msgs                    Number of messages identified as fraudulent and delivered to the junk box.
Good Msgs                     Number of messages which were delivered without any noted problems.
Likely Fraud                  Number of messages which are delivered but marked as probable fraud.
Likely Spam                   Number of messages which are delivered but marked as probable spam.
Likely Virus                  Number of messages which are delivered but marked as probably virus-infected.
%Processor Time               The percentage of elapsed time that all of process threads used to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code is executed to handle some hardware interrupts and trap conditions.
Avg. Disk Bytes/Transfer      The time, in seconds, of the average disk transfer.
Avg. Disk Queue Length        The average number of read and write requests queued for the selected disk during the sample interval.
Buffer Bytes                  Used in Linux systems. Buffer Bytes is the number of bytes consumed by the kernel.
Connections Established       The number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.
Connection Failures           The number of times TCP connections have made a direct transition to the CLOSED state from the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
Connections Reset             The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
Handle Count                  The total number of handles this process currently has open. This number is the sum of the handles currently open by each thread in this process.
Install Dir Free Space        For Windows, the number of bytes remaining free on the installation drive.
Private Bytes                 Private Bytes is the current size, in kilobytes, of memory that this process has allocated which cannot be shared with other processes.
Segments Retransmitted/sec    The rate at which segments are retransmitted, that is, segments transmitted containing one or more previously transmitted bytes.
Segments/sec                  The rate at which TCP segments are sent or received using the TCP protocol.
Swap Available Bytes          Used in Linux systems. Swap Available Bytes is "Swap space which is still free to use".
Thread Count                  The number of threads currently active in this process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Every running process has at least one thread.
Virtual Bytes                 The current size, in kilobytes, of the virtual address space the process is using. Use of virtual address space does not imply corresponding use of either disk or main memory pages. Virtual space is finite, and the process can limit its ability to load libraries.
Per-domain reports are available for custom and scheduled reports. See “Generating Per-Domain
Reports”.
SonicWALL Email Security also provides several reports for Managed Service Provider (MSP) related
data, including the following:
• Email breakdown (custom/scheduled report only)
• Bandwidth (custom/scheduled report only)
• Good v Junk per domain (custom/scheduled report only)
Note:
• SonicWALL Email Security uses the Firebird Database Engine to generate reports. Make sure
  that there is no other installation of the Firebird Database Engine on the same server as
  SonicWALL Email Security.
By default, SonicWALL Email Security retains 366 days of reporting information in the database.
You can change this setting in System > Advanced > Data in reports database will be
removed after field. Lowering this number means less disk space will be used, but you will not
have report data older than the number of days specified. If your organization's email volume is
very high, you may want to consider lowering this number.
For descriptions of the different report types, see the following sections:
• “Overview Reports”
• “Anti-Spam Reports”
• “This report displays the users in your organization who receive the most spam.”
• “Anti-Virus Reports”
• “Policy Management Reports”
• “Compliance Reports”
• “Directory Protection Reports”
• “Advanced”
Email Security provides a way for administrators to specify the domain for which data should be
displayed. Only administrators can configure the per-domain setting. It is disabled for managers or
other roles.
In per-domain reporting, sub-domains are not considered to be separate domains. For example,
email sent to matthew@sales.sonicwall.com, brian@engr.sonicwall.com, and sarah@sonicwall.com
will all be included in reports for sonicwall.com.
Overview Reports
The following report types are available in the Overview Reports section of the Email Security
management interface. See the following sections:
• “Reports Dashboard”
• “Return on Investment”
• “Bandwidth Savings”
• “Inbound Good vs Junk”
Reports Dashboard
SonicWALL Email Security displays the Dashboard window on administrator login. The
Dashboard provides a lot of information about SonicWALL Email Security at a glance. These charts
are updated hourly and display the statistics for the last 24 hours.
Spam Caught
Displays the number of email messages that are definitely spam and the number of messages that
are likely spam.
You can also find this information in “Junk Email Breakdown” on page 93.
Return on Investment
SonicWALL Email Security provides a tool to help determine the Return on Investment (ROI) for
your organization’s investment in SonicWALL Email Security. You can customize this tool to reflect
your organization’s costs of doing business.
You can determine your organization’s return on investment from using the SonicWALL Email Security
product on a daily, weekly, or monthly basis. ROI numbers are computed from a formula whose inputs
are the data accumulated by SonicWALL Email Security’s mlfUpdater and the usermap.xml file.
Bandwidth Savings
The Bandwidth Savings report displays the number of megabytes of bandwidth that
SonicWALL Email Security saves your organization. SonicWALL Email Security lowers your
organization's network costs through the following actions:
• Removing the high volume of junk messages that go through your network.
• Quarantining junk messages in the Junk Box.
• Deleting junk messages before they enter your network.
Anti-Spam Reports
SonicWALL Email Security provides the following anti-spam reports.
Spam vs Likely Spam: This report displays the total number and percentage breakdown of spam and
likely spam messages.
Top Spam Origination Domains: This report displays the alleged domains that sent your organization
the most spam emails during the time period you select.
Anti-Phishing Reports
SonicWALL Email Security provides the following Anti-Phishing report.
Anti-Virus Reports
If you have licensed the Anti-Virus module, you can view the number of viruses detected by
SonicWALL Email Security and the names of the most prevalent viruses detected.
Compliance Reports
The Compliance Reports are accessible once the Compliance Module is licensed.
Top Outbound Approval Boxes: The top outbound approval boxes by name. The report lists the approval
boxes with data on a daily, weekly, or monthly basis.
Top DHA Domains: The alleged domains from which the most frequent Directory Harvest Attacks (DHA)
originate. Most junk messages use spoofed addresses, therefore the domains listed in this report
may not be the actual originators of the message.
Advanced
Scheduled Reports
SonicWALL Email Security allows you to schedule email delivery of reports. You can choose the type
of report, a time span the data covers, the list of recipients, etc.
Data in scheduled reports is displayed in the time zone of the server on which
SonicWALL Email Security stores email data (either an All in One or a Control Center), just like the
reports in the Reports & Monitoring section of the UI. Scheduled report emails are sent according
to the time zone on that computer as well.
8. Specify the name of the sender of report emails. This is a human-readable name that will
appear in your mail client as the sender of the report email. This does not need to be a real
name.
Examples: Charles Nelson Really, My Daily Scheduled Report, SonicWALL Email Security
Administrator, Joe Bloggs
Please use only 7-bit ASCII text.
9. Specify the email address from which this report is sent.
10. Enter a list of email recipients in the text box. Separate multiple email addresses with a
comma.
11. Enter a name for this scheduled report. This name will appear in the page that shows the list
of scheduled reports. It will also be the subject line for the email message when the scheduled
report is sent.
Custom Reports
SonicWALL Email Security allows you to customize reports. You can choose the type of report, a
range of dates for the data, or a number of hours for the data. You can also email the reports to
another user.
To customize reports:
1. Select the type of report from the Report Name drop-down list.
2. Select the Start and End Dates from the Date Range.
3. Select Hourly, Daily, or Monthly from the Breakdown drop-down list.
You can select a period of up to 48 hours for hourly reports.
4. Select either the Display or the Email to radio button.
   - To run a report now, select Display and click the Generate This Report link.
   - To email a report, select Email to and enter the recipients’ email addresses in the text
     box. Separate each address with a comma. You can optionally enter a subject in the
     subject text box.
Note:
• The Custom Reports page displays the generated report in a new window. If you have
configured a popup blocker for your web browser, it may interfere with displaying the window
with the data. Configure your browser to allow popup windows from your organization's
SonicWALL Email Security site.
SNMP Monitoring
SNMP monitoring allows you to configure your own SNMP application to query statistics from your
SonicWALL Email Security system. In split-mode environments, the statistics are gathered on the
SonicWALL Email Security environment as a whole, not the individual remote analyzers. All
statistics are recorded from the time the system was upgraded or restarted.
For appliances, the SNMP agent runs on UDP port 161 and is accessed by an external NMS. The
SNMP module is a shared object named sonicwallEmailSec.so. SonicWALL supports the Net-SNMP
library. By default, SNMP is turned on in the command-line interface.
Before you can configure SNMP monitoring, you must have the Microsoft SNMP service configured
and running. You must also have the community string for your network management station (NMS)
configured to the correct string for SonicWALL Email Security.
For software-only installations, all requests for SonicWALL Email Security statistics are forwarded
to the Email Security SNMP agent by the Microsoft SNMP agent. The Email Security installer creates
the snmpagent.dll file in the installer directory.
The following table describes the monitorable application statistics and their addresses.
Statistic
OID Email Security Application Statistic
Name
Other statistics are stored in the log directory in the snmpstats.txt file.
APPENDIX A
Overview
This appendix provides managed service providers with a suite of tools that will allow them to
administer SonicWALL Email Security for multiple clients. The core administration of SonicWALL
Email Security remains the same, but adding support for multiple LDAP servers expands the ease-
of-use for providers. Providers can offer their clients customized reports that show only the
statistics for that client’s domain. Clients can configure DHA and other SonicWALL Email Security
features on a per-domain basis, instead of applying a one-size-fits-all solution.
This appendix is intended as a supplement to the information in the Administrator Guide, not as a
replacement.
The following table describes the actions that can be taken on a group, domain, or global level.
Policy Y Y Y
Reporting Y - Y
Roles - Y Y
Settings Y* Y Y
Feature Overview
The core administration of SonicWALL Email Security remains the same, but adding support for
multiple LDAP servers expands the services providers can offer. Providers can also offer their clients
customized reports that show only the statistics for that client's domain. Clients can configure DHA
and other SonicWALL Email Security features on a per-domain basis, instead of applying a one-size-
fits-all solution.
Once a domain administrator is logged in, she can modify the Email Security settings for her
domain, including the anti-spam settings.
The Email Security administrator can see all the LDAP servers attached to SonicWALL Email
Security. The ES administrator logs in with no domain specified.
4. Edit the details of the LDAP server using the information you have collected.
5. In the Global Server Mapping section, you can enter aliases for your pseudo-domains. In
this example, the administrator can configure aliases (on the right side) to correspond with the
pseudo-domain. Aliases must be unique and can consist of lowercase alpha-numeric
characters and underscores. Aliases are separated by commas.
Note:
• Do not change the NetBIOS domain mappings. Doing so will break the links to the pseudo-
domain.
• Choose whether to show drop-down aliases. If so, administrators must use username@alias to
log in.
6. When you are done, click Apply Changes and use the test button to confirm that the LDAP
server is properly connected and configured.
Users
When an administrator logs in and views the Users page, she sees all the email addresses that exist
on that instance of SonicWALL Email Security. The administrator can then narrow the view to only
the entries from that LDAP.
Note:
• The Using Source selection allows administrators to access users who were added directly to
SonicWALL Email Security, and did not come in through an LDAP entry. These entries will not
be deleted with an LDAP deletion.
You will see only the users associated with that LDAP source. The list of users can be sorted by user
name, primary email address, user rights, or source. If you have already filtered by source, sorting
by source will not retrieve anything outside the filter.
To sort a list of users, click on the column heading that describes the sort type. Click again to sort
in reverse order.
Each LDAP user record has a checkbox next to it. To edit a user or users, check the box. If you select
one user, you can log in as that user or edit that user’s rights, for example, to elevate them to group
admin or help desk-level rights. If you select more than one user, you can only change their
message management style to the default style.
Because there are usually many records in an LDAP source, SonicWALL Email Security has provided
several ways of looking for a specific user.
If you want to add a user who does not appear in the automatically-generated list from your LDAP,
you can choose to manually add an account. If an LDAP is not provided, the user will be added to
the default LDAP source. You cannot add users to your LDAP from the SonicWALL Email Security
interface.
To add a user:
1. Log in as the Email Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Click Add.
5. Enter the user’s fully-qualified email address, choose a source (if any), and any aliases you
wish to associate with the user.
To delete a user:
1. Log in as the Email Security administrator.
2. Click Users & Groups and then Users.
3. Scroll down to User View Setup.
4. Select the user you wish to delete. Deleting a user will not remove the user’s LDAP entry, only
the entry in Email Security.
5. Click Add.
Groups
Administering groups
Use groups within SonicWALL Email Security to incorporate or extend existing LDAP groups. You
can also change a group’s security role in SonicWALL Email Security and view the membership of a
group.
You can change each group’s role in SonicWALL Email Security. Email Security roles determine a
user’s permissions to change Email Security settings, including user settings.
You will see a pop-up window that lists the group’s membership by primary email address.
You can use the existing LDAP groups to configure the filtering sensitivity for different user groups.
For example, your sales group might need to receive email written in foreign languages.
Policy Groups
Email Security provides a way for administrators to specify the domain for which data should be
displayed.
The following procedure describes how to generate a single-domain report for the Inbound Good
versus Junk statistic. The steps for selecting a single domain are the same for each of the
reports.
4. Choose an option that determines how the domains you name will be handled.
5. Type the first domain. After each domain, press enter and type the next domain.
6. When you have added all the domains, click Apply Changes.
APPENDIX B
LDAP
This Appendix details specific LDAP configuration settings for popular mail server environments,
such as Microsoft Exchange and Lotus Domino.
LDAP Server
Server Name (configuration parameter M): In this field, enter the IP address or DNS name of one
of your Active Directory servers. Different Active Directory servers in the same domain tree
replicate their information amongst each other. Any AD server should have all the data required by
SonicWALL Email Security. If you have more than one tree then specify the Global Catalog.
Port (configuration parameter N): The default LDAP port is 389. Unless your Active Directory server
has been configured for another port (highly unlikely), use the default port number. If you are
specifying a Global Catalog, use port 3268.
Login Information
Anonymous Bind: Do not use this setting with Active Directory. Active Directory servers can be
configured to allow for anonymous access. However, by default, the Active Directory anonymous
access setting does not provide enough directory information for SonicWALL Email Security.
Login (configuration parameter O): Specify a user login that has access to browse the Active
Directory and has site-level permissions to add and delete people in the directory. By default, Active
Directory allows all users to browse the directory. However, if your Active Directory does not allow
this, use a login name with administrative privileges.
Note:
• This user must have site-level permissions; otherwise, mail will be halted.
NT-DOMAIN\USERNAME
For example, if your NT Domain is MYCORP, the syntax for the login name is:
MYCORP\Administrator. If you do not know your DOMAIN name, see “Windows Domains” on
page 108.
LDAP Query
Directory Node to Search (configuration parameter Q):
Specify your top level Active Directory domain using LDAP syntax. For example, if your top level
Active Directory domain name is mycorp.com, the LDAP syntax is:
dc=mycorp,dc=com.
Note:
• If you have more than one Directory Node that you intend to use, separate the nodes with an
ampersand (&). For example:
DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com
All your Active Directory domains are listed in this window. In the example, spamurus.com is the
Active Directory Domain name. The LDAP syntax is:
dc=spamurus,dc=mailfrontier,dc=com
Filter: The Active Directory default filter for getting the users is the following:
(&(|(objectClass=group)(objectClass=person))(mail=*)(sAMAccountName=*))
This filter provides SonicWALL Email Security with all the necessary information for users and
distribution lists. The default filter for getting groups is:
(objectClass=group)
User Login Name Attribute: The Active Directory default user login attribute is the following:
sAMAccountName
Email Alias Attribute: The Active Directory default email alias attributes are:
proxyAddresses, legacyExchangeDN
Group Name Attribute: The Active Directory default group name attribute is:
cn
Group Member Attribute: The Active Directory default attribute that contains the members of a
group is:
member
Attributes indicate groups that users belong to: The Active Directory default attribute that contains
the groups a user belongs to is:
memberOf
Windows Domains
User authentication requires the use of Windows NT/NetBIOS Domain Names. Just like the Windows
login screen, the SonicWALL Email Security login screen has three elements, the User name,
Password and Domain. Enter each of your Windows Domains into the Domain List. (configuration
parameter R)
To discover your Windows Domain Name, enter these commands from an Active Directory server:
1. Go to Start > Programs > Administrative Tools > Active Directory Domains and Trusts.
2. Select one of the Active Directory domains listed on the left side of the screen.
3. Click Action > Properties from the menu.
The value in the Domain name (pre-Windows 2000) is your Windows Domain Name.
LDAP Server
Server Name (configuration parameter M): In this field, enter the IP address or DNS name of one
of your Exchange 5.5 servers. Different Exchange servers replicate their information amongst each
other. Any Exchange server should have all the data required by SonicWALL Email Security,
provided they are all within the same Exchange Organization.
Port (configuration parameter N): The default LDAP port is 389. Unless your Exchange server has
been configured for another port (highly unlikely), use the default port number.
Note:
• By default, the LDAP service for Microsoft Exchange 5.5 is turned on. If your LDAP service is
not enabled, launch Exchange Administrator, go to Configuration > Protocols > LDAP, and click
the Enable check box.
Login Information
Anonymous Bind: Do not use this setting with Microsoft Exchange 5.5. Exchange 5.5 servers can
be configured to allow for anonymous access. However, by default, the anonymous access setting
does not provide enough directory information for SonicWALL Email Security.
Login (configuration parameter O): Specify a user login that has access to browse the Exchange
5.5 Directory. By default, Exchange 5.5 allows all users to browse the directory. However, if your
Exchange server does not allow this, use a login name with administrative privileges.
For example, if your Exchange 5.5 user name is bsmith, the exact syntax would be: cn=bsmith.
LDAP Query
Directory Node To Search (configuration parameter Q).
Specify your Exchange Organization name using LDAP syntax. For example, if your Exchange
Organization name is MyCorp the LDAP syntax is o=MyCorp.
Note:
• If you have more than one Directory Node that you intend to use, separate the nodes with an
ampersand (&). For example:
DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com
In the example, the Exchange Organization name is SonicWALL Email Security, Inc. The LDAP
syntax is:
o="MailFrontier, Inc."
Note:
• Quotation marks (" ") are required if your Exchange Organization name has spaces, like the
example shown.
This filter will provide SonicWALL Email Security with all the necessary information for users and
distribution lists. The default filter for getting groups is:
(objectClass=groupOfNames)
User Login Name Attribute: The Exchange 5.5 default user login attribute is the following:
uid
Email Alias Attributes: The Exchange 5.5 default email alias attributes are:
distinguishedName, otherMailbox, rfc822Mailbox
Group Name Attribute: The Exchange 5.5 default group name attribute is:
cn
Group Member Attribute: The Exchange 5.5 default attribute that contains the members of a
group is:
member
Attribute to indicate groups that users belong to: The Exchange 5.5 default attribute that
contains the groups a user belongs to is:
memberOf
SonicWALL Email Security queries your LDAP server for all the email addresses under the directory
node you specified. By default, your Lotus server is configured to return all the entries requested;
however, you may have changed the configuration to limit the number of entries returned per query.
If the LDAP Configuration page warns you that it is not able to get the complete list of users, or
if you notice users missing from the User Management page, change your Domino Server LDAP
Configuration to increase the maximum limit.
LDAP Server
Server Name (configuration parameter M): In this field, enter the IP address or DNS name of one
of your Lotus Domino servers. Different Domino servers replicate their information amongst each
other. Any Domino server should have all the data required by SonicWALL Email Security.
Port (configuration parameter N): The default LDAP port is 389. Unless your Domino server has
been configured for another port (highly unlikely), use the default port number.
Note:
• By default, the LDAP service for Lotus Domino R5 is turned off. If your LDAP service is not
enabled, run the LDAP Server task from the Domino Administrator->Server console. For more
information about the LDAP Server, please refer to the Lotus Domino R5 documentation.
Login Information
Anonymous Bind: Do not use this setting with Lotus Domino R5. Domino R5 servers can be
configured to allow for anonymous access. However, by default, the anonymous access setting does
not provide enough directory information for SonicWALL Email Security.
Login (configuration parameter O): Specify a user login that has access to browse the Domino
Directory. By default, Domino allows all users to browse the directory. However, if your Domino
server does not allow this, use a login name with administrative privileges.
shortname
For example, if your Domino short name is bsmith, the exact syntax would be bsmith.
Note:
• To successfully connect to the Domino Server, your Domino ID must have an Internet Password.
LDAP Query
Directory Node to Search (configuration parameter Q):
Specify your Lotus Domino Domain name using LDAP syntax. For example, if your Lotus Domino
Domain name is MyCorp, the LDAP syntax is
o=MyCorp.
Note:
• If you intend to use more than one Directory Node, separate the nodes with an ampersand (&),
for example:
DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com
Filter: The Lotus Domino R5 default filter can be configured in two ways, depending on whether
your users will want to connect via their short name (that is, bsmith) or common name (that is,
Bob Smith). If you would like to use the short name, use the following filter:
(&(objectClass=person)(mail=*)(shortname=*))
If you would like to use the common name, use this filter:
(&(objectClass=person)(mail=*)(cn=*))
Either of these filters will provide SonicWALL Email Security with all the necessary information for
users. The default filter for getting groups is:
(objectClass=dominoGroup)
User Login Name Attribute: If you would like the users to connect via their short name, use the
following:
shortname
If you would like the users to connect via their common name, use the following:
cn
Email Alias Attributes: The Lotus Domino default email alias attribute is:
shortname
Note:
• Lotus Domino R5 allows SMTP aliases to be defined in the short name or user name fields.
However, SonicWALL Email Security only supports SMTP aliases defined in the short name field.
The user name is not exposed via LDAP.
Group Name Attribute: The Lotus Domino default group name attribute is:
cn
Group Member Attribute: The Lotus Domino default attribute that contains the members of a
group is:
member
Attribute to indicate groups that users belong to: There is no Lotus Domino default for this
attribute.
Windows Domains (configuration parameter R): Windows Domains are not needed for Lotus
Domino R5.
Note:
• SonicWALL Email Security depends on a person document having an internet password defined.
If an Internet password is not defined, SonicWALL Email Security will not be able to
authenticate the password provided by the user.
LDAP Server
Server Name (configuration parameter M): In this field, enter the IP address or DNS name of your
SunOne/iPlanet Directory server.
Port (configuration parameter N): The default LDAP port is 389. Unless your Domino server has
been configured for another port (highly unlikely), use the default port number.
Login Information
Anonymous Bind: Do not use this setting with SunOne/iPlanet Directory Server. SunOne/iPlanet
Directory servers can be configured to allow for anonymous access. However, by default, the
anonymous access setting does not provide enough directory information for
SonicWALL Email Security.
Login (configuration parameter O): Specify a user login that has access to browse the
SunOne/iPlanet Directory. By default, SunOne/iPlanet allows all users to browse the directory.
However, if your SunOne/iPlanet server does not allow this, use a login name with administrative
privileges.
The easiest ID to use is the Directory Manager. If you choose to use Directory Manager, use the
following syntax:
cn=Directory Manager
Note:
• You can use a specific user for binding purposes. However, you must know the full distinguished
name for this user. For example:
uid=joe,ou=People,o=mycorp.com,o=internet
LDAP Query
Directory Node to Search (configuration parameter Q):
Specify your SunOne/iPlanet Messaging server User Directory Subtree using LDAP syntax. An
example of a root level node is:
“o=mycorp, o=internet”
Note:
• If you have more than one Directory Node that you intend to use, separate the nodes with an
ampersand (&); for example:
DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com
Note:
• This is sometimes called the Netscape Console.
Your User Directory Subtree is listed on the main properties screen of the Console.
This default filter will provide SonicWALL Email Security with all the necessary information for users
and distribution lists. The default filter for getting groups is:
(|(objectClass=inetMailGroup)(objectClass=groupOfUniqueNames))
User Login Name Attribute: The SunOne/iPlanet default user login attribute is the following:
cn
Email Alias Attributes: The SunOne/iPlanet default email alias attribute is:
mailalternateaddress
Group Name Attribute: The SunOne/iPlanet default group name attribute is:
cn
Group Member Attribute: The SunOne/iPlanet default attribute that contains the members of a
group is:
uniquemember
Attribute to indicate groups that users belong to: The SunOne/iPlanet default attribute that
contains the groups a user belongs to is:
memberOf
Note:
• For large organizations, the default LDAP query window might be too small to retrieve all the
users. If all the users in your organization do not appear in SonicWALL Email Security, you must
increase the limit.
1. Open the SunOne/iPlanet console.
2. Double-click the Directory Server icon and select Configuration->Database.
3. Under the Performance tab, increase the Look through limit to a large enough number.
For example, if you have 50,000 users and distribution lists in your organization, make this
number 50,000.
Windows Domains (configuration parameter R): Windows Domains are not needed for
SunOne/iPlanet Directory.
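The default filters listed in this appendix determine which directory entries are returned as users, distribution lists and groups. The following added example (not part of the original guide and not the product's code) is a small Python evaluator for the filter subset used here, run against constructed Active Directory entries to show which ones the default user filter keeps. The sample entries, the function names and the way the ampersand-separated node list is split are assumptions made for illustration.

```python
"""Evaluate the guide's default LDAP filters against constructed directory entries."""

# Filters copied from this appendix.
AD_USERS = "(&(|(objectClass=group)(objectClass=person))(mail=*)(sAMAccountName=*))"
AD_GROUPS = "(objectClass=group)"
DOMINO_SHORTNAME = "(&(objectClass=person)(mail=*)(shortname=*))"
SUNONE_GROUPS = "(|(objectClass=inetMailGroup)(objectClass=groupOfUniqueNames))"

# Constructed sample entries (not real directory data). Values are lists because
# LDAP attributes are multi-valued.
SAMPLE_AD = [
    {"dn": "CN=Bob Smith,OU=Staff,DC=mycorp,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "mail": ["bsmith@mycorp.com"], "sAMAccountName": ["bsmith"]},
    {"dn": "CN=Sales DL,OU=Lists,DC=mycorp,DC=com",       # mail-enabled group
     "objectClass": ["top", "group"],
     "mail": ["sales@mycorp.com"], "sAMAccountName": ["SalesDL"]},
    {"dn": "CN=Domain Admins,CN=Users,DC=mycorp,DC=com",  # group with no mail
     "objectClass": ["top", "group"], "sAMAccountName": ["Domain Admins"]},
    {"dn": "CN=Vendor,OU=Contacts,DC=mycorp,DC=com",      # contact: no login name
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "mail": ["vendor@example.net"]},
    {"dn": "CN=WS01,CN=Computers,DC=mycorp,DC=com",       # computer account, no mail
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["WS01$"]},
]


def parse_filter(text):
    """Parse the filter subset used in this guide: & | ! attr=value attr=*."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for %r" % op)
        node = (op, children)
    else:
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unbalanced parentheses")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr or not value or "(" in value:
            raise ValueError("expected attr=value at offset %d" % pos)
        if "*" in value and value != "*":
            raise ValueError("substring filters are outside this subset")
        node = ("=", attr.strip().lower(), value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def matches(node, attrs):
    """True if an entry (dict of lowercase attribute name -> list of values) matches."""
    if node[0] == "&":
        return all(matches(child, attrs) for child in node[1])
    if node[0] == "|":
        return any(matches(child, attrs) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, wanted = node
    values = attrs.get(attr, [])
    if wanted == "*":                       # presence test, e.g. (mail=*)
        return len(values) > 0
    return any(v.lower() == wanted.lower() for v in values)


def select(filter_text, entries):
    """Return the DNs of the entries the filter matches."""
    tree = parse_filter(filter_text)
    hits = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if matches(tree, attrs):
            hits.append(entry["dn"])
    return hits


def split_search_nodes(setting):
    """Split a Directory Node to Search value on '&' (assumed handling)."""
    nodes = [n.strip() for n in setting.split("&")]
    if any(not n for n in nodes):
        raise ValueError("empty directory node in %r" % setting)
    return nodes


if __name__ == "__main__":
    print("user filter keeps: ", select(AD_USERS, SAMPLE_AD))
    print("group filter keeps:", select(AD_GROUPS, SAMPLE_AD))
    print(split_search_nodes("DC=sales,DC=xyz,DC=com&DC=engr,DC=xyz,DC=com"))
```

With the constructed entries, the user filter keeps only the mailbox user and the mail-enabled group; the contact, the security group without a mail attribute and the computer account are skipped because each lacks one of the required attributes.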
The SonicWALL ES CLI can make it easier to set up new SonicWALL appliances and do repetitive
tasks. However, it requires a strong familiarity with using a command-line interface and
SonicWALL ES. We recommend caution when using this tool.
Notes:
• The CLI cannot replace the GUI in all its functionality. The CLI is meant for initial
configuration, automating repetitive tasks, and debugging purposes.
• The CLI is installed only on the Email Security appliances. The CLI cannot be used on the
software version of Email Security. Refer to the ES Administrator Guide to assign CLI permission
to users.
This chapter describes how to log into the command line interface (CLI) and how to execute
commands in a script format.
Note:
• SSH access is enabled by default on the Email Security appliance. If SSH is disabled, the CLI
will not be available except through the direct console.
1. Open an SSH client.
2. Input the IP address of your ES appliance.
3. At the first login: prompt, log in as snwlcli.
4. Use proper administrator credentials to log in. The credentials are the same as for the standard
GUI on the Email Security appliance.
5. Perform any of the commands described in “This section describes how to use the command
line interface. It describes each CLI command, detailing its syntax and arguments. The
commands are listed in alphabetic order.” on page 116.
6. To exit from the SonicWALL ES CLI, type:
SNWLCLI> quit
Scripting
To script the CLI APIs, for example the “tsr” API, you can write your own script in the following way:
Remember to substitute your own ID and password for admin and password, and your own host
address for 10.50.14.41.
There are two types of commands: executable and system variables. Calling a system variable by
itself will have the CLI return the current value of the variable. To update a variable, call it followed
with a proper value. Some executable commands take an argument, but most do not.
cleanupdcdatabase
SNWLCLI> cleanupdcdatabase
This command will restart the appliance and delete the following:
PluginDefault/collab/thumbprint.db (the Updater services will download the thumbprint data from
the datacenter and import it into the database.)
PluginDefault /collab/data/*.tld
PluginDefault/crbl/crbl.db
PluginDefault /crbl/data/*.crbl
Arguments: none
Defaults: none
Type: Executable
configurehttps
SNWLCLI> configurehttps <on port <generic | selfsign domain> | off>
This function configures the https protocol. Use this command to place the Web interface on a
different port.
Arguments:
<port>: Three digit port HTTPS will use.
<domain>: Domain name HTTPS will use instead of generic.
Defaults: none
Type: Executable
createreportdb
SNWLCLI> createreportdb
Run this command to create a new, empty database. The start and stop of the operation will be
logged to MlfMfelmportSetup.log, along with how long it took.
Arguments: none
Defaults: none
Type: Executable
date
SNWLCLI> date
This variable displays the date on an appliance.
Arguments: none
Defaults: none
deletebookmarks
SNWLCLI> deletebookmarks
Arguments: none
Defaults: none
Type: Executable
deletelastnotifiedfiles
SNWLCLI> deletelastnotifiedfiles
This command deletes the lastnotified.xml and lastnotified_race.xml files. Use this command to
solve issues related to junk mail notifications not being sent out. This command will not force all
notification emails to be resent.
Arguments: none
Defaults: none
Type: Executable
deletereportdb
SNWLCLI> deletereportdb
Arguments: none
Defaults: none
Type: Executable
dig
SNWLCLI> dig <@server> <name> <type>
This is the standard dig command from the bind-tools package. Use this command to troubleshoot
DNS related issues such as:
• Connectivity to DNS server
• Outbound emails being queued
Arguments
<-h>: brief summary of the dig command’s arguments and options.
Defaults: none
Type: Executable
dns
SNWLCLI> dns [--nameserver <ip>]... [--search <domain>]...
This variable controls the DNS configuration settings on an appliance. Called with no arguments it
will return the current configuration.
Arguments
<ip>: IP address to be assigned to the server
<domain>: Domain name to be searched for
Defaults
<ip>: current configuration
<domain>: current configuration
Type: System Variable
esdu
SNWLCLI> esdu <directory name>
Arguments
<directory name>: Applicable directories are: logs, reports, quarantine, peruser.
Defaults: none
Type: executable
eshostname
SNWLCLI> eshostname <newname>
This variable stores the appliance hostname. Calling it with no argument will return the current
name. Passing it a new name will overwrite the current one and update all related directories.
Arguments
<newname>: The new host name that will overwrite the current one.
Defaults
<newname>: current name
Type: System Variable
esps
SNWLCLI> esps
Arguments: none
Defaults: none
Type: Executable
exit
SNWLCLI> exit
Arguments: none
Defaults: none
Type: Executable
fdatadisk
SNWLCLI> fdatadisk
This function returns the amount of free hard disk space allocated for the data directory, in MB.
Arguments: none
Defaults: none
Type: Executable
fetchurl
SNWLCLI> fetchurl [-q]<URL>
Arguments
<URL>: The URL being requested.
-q: quiet
-S: dump header in addition to response body
Defaults: none
Type: Executable
get
SNWLCLI> get <arg> [arg]
Arguments:
[arg]: Valid arguments that can be retrieved: ntp, ntpservers, syslogservers, tz
Defaults: none
Type: Executable
gms
SNWLCLI> gms <interval>
This variable stores the interval time between GMS heartbeat messages. Heartbeat messages allow
GMS to monitor the Email Security Appliance.
Arguments:
<interval>: time in seconds between GMS heartbeat messages.
Defaults: none
help
SNWLCLI> help <command>
This function will print help messages describing available commands from the CLI. Calling it with
no arguments will print out a list of available commands. It can take a command name as an
argument and will print out a more detailed explanation of the given command.
Arguments:
<command>: name of a valid CLI command.
Defaults: none
Type: Executable
interface
SNWLCLI> interface <ifname <ip / bits | ip netmask>> <media <<10 | 100> / <FD | HD>> | auto>
This variable controls the configuration of interfaces. With no arguments, it will return the
configuration of all available interfaces. Passing it an interface name as the only argument will
return all data related to the given interface. Passing it an interface name and an IP address will
overwrite the current configuration. The media keyword covers both the speed and duplex and is
set to auto-detect by default.
Arguments:
<ifname>: name of interface to be configured
<ip>: new IP address to be assigned to interface
<bits>: bit rate to be assigned to interface
<netmask>: netmask to be assigned to interface
Defaults:
<ifname>: none
<ip>: current configuration of interface
<bits>: current configuration of interface
<netmask>: current configuration of interface
media: auto-detected
Type: System Variable
Example:
SNWLCLI> interface eth0 192.168.168.169 255.255.255.0
SNWLCLI> interface eth0 media 100/HD
iostat
SNWLCLI> iostat [options...] [<interval> [<count>]]
This is the standard iostat command. Refer to Linux documentation for more information.
Defaults: none
Type: Executable
mlfdnstest
SNWLCLI> mlfdnstest
This function is a diagnostic tool that tests the effectiveness of your DNS.
Arguments: none
Defaults: none
Type: Executable
mlfmta
SNWLCLI> mlfmta [status | version]
This system variable holds information about the version and status of the appliance MTA. This
variable cannot be manually edited, and must be passed an argument.
Arguments:
[status]: Displays status of appliance.
[version]: Displays version of appliance.
Defaults: none
ns
SNWLCLI> ns
This function is a built-in system command identical to netstat -a. It is used to determine the
number of active connections. ES will support a finite number of open connections.
Arguments: none
Defaults: none
Type: Executable
ntp
SNWLCLI> ntp <on|off> [<default servers | <server> [<server>]...>]
This variable controls the NTP (Network Time Protocol) on an appliance. With no arguments, it will
print out the current NTP configuration. To change the NTP configuration, pass “on” or “off” as
the first argument, followed by the list of NTP servers to use. Use this command to synchronize the
time with an NTP time server.
Arguments:
<on>: Enables NTP using currently configured NTP servers.
<off>: Turn off NTP.
<default servers>: Enables NTP and resets list of servers to the built-in defaults.
<server>: specifies a server to be set in NTP list
Defaults:
Current configuration
Type: System Variable
ping
SNWLCLI> ping [-c COUNT] [-s SIZE] [-q] host
This function is the standard ping function. Use this command to test connectivity. It also tests the
appliance’s DNS lookup values.
Arguments:
host: target of ping
<count>: number of packets being sent out
<size>: size of packets being sent out
Defaults: none
Type: Executable
quit
SNWLCLI> quit
Arguments: none
Defaults: none
Type: Executable
raidadd
SNWLCLI> raidadd
Arguments: none
Defaults: none
Type: Executable
raiddrives
SNWLCLI> raiddrives
This function prints out various information about the RAID devices in the box.
Arguments: none
Defaults: none
Type: Executable
raidinfo
SNWLCLI> raidinfo
This function prints out various information about the RAID devices in the box.
Arguments: none
Defaults: none
Type: Executable
raidports
SNWLCLI> raidports
This function prints out information about the RAID ports in the box.
Arguments: none
Defaults: none
Type: Executable
raidrebuild
SNWLCLI> raidrebuild [<--start <m:h:D|now> [--drive <drive>]|--remove <job>>]
This function sets up the rebuild of a drive within the RAID array. With no arguments, it will display
the rebuild status and scheduled jobs. Scheduling rebuilding operations is recommended as they
can take a lengthy amount of time. SonicWALL recommends setting aside a full night for it.
Arguments:
<m:h:D>: scheduled rebuild start time using an optional specified drive or the first available
spare. The start time is specified in the standard Linux crontab format.
<drive>: drive to be rebuilt
<job>: rebuild job to be removed.
Defaults: none
Type: Executable
raidremove
SNWLCLI> raidremove
This function removes a defective drive from the RAID array. It takes the name of the drive to be
removed as an argument.
Arguments: none
Defaults: none
Type: Executable
raidstatus
SNWLCLI> raidstatus
This function prints out information about the status of the RAID devices in the box.
Arguments: none
Defaults: none
Type: Executable
raidverify
SNWLCLI> raidverify [<--start <m:h:D|now>|--stop <m:h:D|now>|--remove <job>>]
This function will verify the RAID array. With no arguments, it will display the verification status and
scheduled jobs. Scheduling verifying operations is recommended as they can take a lengthy amount
of time. SonicWALL recommends setting aside a full night for it.
Arguments:
<m:h:D>: scheduled rebuild start or stop time using an optional specified drive or the first
available spare. The start time is specified in the standard Linux crontab format.
<job>: rebuild job to be removed.
Defaults: none
Type: Executable
reboot
SNWLCLI> reboot
Arguments: none
Defaults: none
Type: Executable
rebuildreplicatorindex
SNWLCLI> rebuildreplicatorindex
Run this command to rebuild the replicator gsn.idx file. The command will output the new content
of the gsn.idx file.
Arguments: none
Defaults: none
Type: Executable
rebuildsearchdb
SNWLCLI> rebuildsearchdb
Arguments: none
Defaults: none
Type: Executable
rebuildwebroot
SNWLCLI> rebuildwebroot
Run this command to rebuild the webapps ROOT and SearchEngineRmiService. This command will
delete the ROOT and SearchEngineRmiService directories, then restart Tomcat. Use this command if
the Web interface or SearchEngine becomes corrupted or unavailable.
Arguments: none
Defaults: none
Type: Executable
recreatereportdb
SNWLCLI> recreatereportdb
Run this command to make a new, empty report database and to reset the report bookmark files to
the oldest mfe logs on the system. The start and stop of the operation will be logged to
MlfMfelmportSetup.log, along with how long it took.
Arguments: none
Defaults: none
Type: Executable
redirecthttp
SNWLCLI> redirecthttp <on|off>
To have the appliance redirect HTTP calls to HTTPS, turn this variable on; otherwise turn it off.
Arguments: none
Defaults: on
Usage Example:
SNWLCLI> redirecthttp on
When you enter http://<ip_of_appliance> in a browser’s address bar, the user will be directed to https://<ip_of_appliance>:<https_port_number>
SNWLCLI> redirecthttp off
When you enter http://<ip_of_appliance> in a browser’s address bar, the user will not be directed to https://<ip_of_appliance>
reinitializetofactorysettings
SNWLCLI> reinitializetofactorysettings
Run this command to reset the appliance to its original settings. A warning message will be shown
before this command is executed.
Arguments: none
Defaults: none
Type: Executable
repairdb
SNWLCLI> repairdb <level number>
Run this command to repair the report database. The command takes the level number as an
argument. The level determines the time and effectiveness of the repair. Level 1 is quicker while
level 2 is more thorough. A message will be printed to stderr detailing how long the operation took.
The start and stop of the operation will be logged to MlfMfelmportSetup.log, along with how long it
took.
Arguments
<level number>: 1 or 2. Level 1 is quicker while level 2 is more thorough
Defaults: none
Type: Executable
reportdbalert
SNWLCLI> reportdbalert <on|off>
This system variable controls whether or not the Email Security appliance will generate reporting
alerts.
Arguments: none
Defaults: on
reportdbupdate
SNWLCLI> reportdbupdate <on|off>
This system variable enables the automatic report database updates. It can be turned on or off.
Arguments: none
Defaults: on
reportdbupdatetocurver
SNWLCLI> reportdbupdatetocurver
This function will have the Email Security appliance upgrade to the newest available firmware.
Arguments: none
Defaults: none
Type: Executable
restart
SNWLCLI> restart
This function manages running services. It takes a service name as an argument. The list of services
is application-specific, except for the special name “allservices” which will cause application startup
scripts to be used.
Arguments: none
Defaults: none
Type: Executable
route
SNWLCLI> route <--add <target> --destination <destination>|--remove <route>>
This function acts like a system variable. With no argument, it will display stored routes. It can add
routes if provided with an interface name or a gateway IP, or remove an existing route. Use this
command to troubleshoot routing problems.
Arguments:
<target>: an IP address, net as IP/CIDR, or ‘default’ to be added as a target to the new route
<destination>: an interface name or a gateway IP
<route>: path to be removed
Defaults: none
Type: Executable
sethostinheader
SNWLCLI> sethostinheader <on|off>
This system variable controls whether or not Email Security will mask the header of an email. This
variable can only be modified from the CLI.
Arguments: none
Defaults: off
setlog
SNWLCLI> setlog <size in MB> <count>
This system variable controls the size and number of MlfAsgSMTP log files while in debug mode.
Values are updated in the server.xml file.
Arguments:
<size in MB>: max size of each log. Ranges from 1 to 100 MB.
<count>: number of logs. Ranges from 1 to 20.
Defaults:
<size in MB>: 50
<count>: 6
Type: System Variable
Run this command to modify the searchengine configuration. Tomcat should be restarted after
executing this command. Set a configuration parameter to -1 to use its default value.
Arguments:
-memory 750: Sets a 750 MB heap size for the Java process. Modify this setting when there is an out-of-memory issue.
-sort false: Disables sorting on date and time. Modify this setting when there is an out-of-memory issue and there is not enough RAM to allocate to the Java process.
-stats 10: Posts the number of most indexed terms (10) to the datacenter. Setting this to -1 will not fetch this data from the database.
Type: Executable
snmp
SNWLCLI> snmp <on|off>
Arguments: none
Defaults: on
sshd
SNWLCLI> sshd <on|off>
This variable holds the sshd status. This controls whether or not the appliance accepts SSH
connections. It can be turned on or off.
Warning: This will terminate your CLI session, because access to the Email Security appliance is through SSH.
Although the CLI is not available over the network if SSH is disabled, it is still accessible via direct console.
Arguments: none
Defaults: on
start
SNWLCLI> start <service>
This function manages running services. It takes a service name as an argument. The list of services
is application-specific, except for the special name “allservices” which will cause application startup
scripts to be used.
Arguments:
<service>: service to start
Defaults: none
Type: Executable
stop
SNWLCLI> stop <service>
This function manages running services. It takes a service name as an argument. The list of services
is application-specific, except for the special name “allservices” which will cause application
shutdown scripts to be used.
Arguments:
<service>: service to stop
Defaults: none
Type: Executable
testdbspeed
SNWLCLI> testdbspeed <line number>
This function is a diagnostic tool. Its argument is a positive integer signifying the number of lines
it will write to test the speed of the report database.
Arguments:
<line number>: the number of lines to be written to test the speed of the database.
Defaults: none
Type: Executable
telnet
SNWLCLI> telnet <host> [<port>]
This functions just like the interactive network communication program with the same name. It
takes a host and a port as arguments. Use this tool to diagnose connectivity issues with an SMTP
server. It is also useful for checking whether outbound SMTP rules on a firewall are configured correctly.
Arguments:
<host>: hostname of telnet target
<port>: port number
Defaults: none
Type: Executable
time
SNWLCLI> time <YYYY/MM/DD hh:mm> <timezone>
This variable displays or sets the date, time, and the time zone.
Arguments:
<YYYY>: year
<MM>: month
<DD>: day
<hh>: hours
<mm>: minutes
<timezone>: timezone
Defaults: none
traceroute
SNWLCLI> traceroute <host>
This function operates like traceroute. It takes a host as an argument. Use this command to
troubleshoot routing problems.
Arguments:
<host>: hostname to be traced to.
Defaults: none
Type: Executable
tsr
SNWLCLI> tsr
This function outputs an internal system state report. It does not take any arguments.
Arguments: none
Defaults: none
Type: Executable
validatedb
SNWLCLI> validatedb
Run this command to validate the database. A message will be printed to stderr detailing the time
it took to perform the operation. The start and stop of the operation will be logged to
MlfMfelmportSetup.log, along with how long it took.
Arguments: none
Defaults: none
Type: Executable
APPENDIX D
Note:
• DMZ traffic is usually heavily filtered by multiple firewalls. Ensure that all the inbound and
outbound ports SonicWALL Email Security requires are open.
Ports and protocols used between components of SonicWALL Email Security and other parts of the
network:
Glossary
All-in-One Architecture: An architecture for SonicWALL Email Security where one server manages all email protection and receives all enterprise email. See also Split Architecture.
Allowed List (Whitelist): Lists of users, domains, and mailing lists that are allowed to send email to users in your organization.
Anti-Virus: Software that detects viruses in email message bodies and attachments.
Blocked List (also known as Black Lists): Lists of users, domains, or mailing lists from whom you or your users do not want to receive email.
Collaborative Settings: SonicWALL Email Security administers its own content-based email signature network with a collaborative community of users and junk mailboxes worldwide. You can select collaborative settings to customize the level of influence community input has on enterprise spam blocking.
Control Center: Manages all data files; it controls and communicates with one or more of the remote analyzers. It stores or quarantines mail it receives from the remote analyzer, and queries LDAP servers to ensure valid users can log in to SonicWALL Email Security.
Dashboard: A high-level overview of the system statistics.
Cluster: A group of SonicWALL Email Security servers that act like a single system and enable high availability and, in some cases, load balancing and parallel processing.
Directory Harvest Attack (DHA): Spammers stage Directory Harvest Attacks (DHA) to get lists of all users in an organization’s directory. DHA makes organizations vulnerable to increased attacks, spam, and fraudulent messages.
DMZ: The logical space between two firewalls where an email gateway typically resides. This term was derived from De-Militarized Zone, an area between two warring countries where tanks were not permitted.
Envelope: Information in RFC-821 format, which includes the address from which the mail came and the receipt-to address.
First-touch server: A configuration where emails arriving into your organization are delivered to the Email Security server first, as opposed to going through another MTA. The purpose of configuring Email Security as your “first-touch” server is to capture the sender’s IP address.
Internet Message Access Protocol (IMAP): A method of accessing electronic mail messages that are kept on a mail server. IMAP permits a client email program to access remote message stores as if they were local.
Keystore: The keystore file contains your public and private keys.
Junk Box: A Web page interface that displays all quarantined email.
Junk Box Summary: A daily email sent to users summarizing email messages that have been quarantined because they contained spam, viruses, or other undesired mail content.
Lightweight Directory Access Protocol (LDAP): An Internet protocol that email programs use to look up contact information from a server.
LDAP Groups: Allow you to assign roles to user groups and set spam-blocking options for user groups. This is an optional configuration that enables you to fine-tune user access by group.
LDAPS: LDAP run over SSL provides a secure LDAP connection.
Master Account: The initial account you log in to when configuring SonicWALL Email Security. This is also the master administrative account.
Mail Transfer Agent (MTA): Email software that runs on an outward-facing server that delivers mail to an organization.
Phishing: Sending email or creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data. In the enterprise, phishers seek enterprise passwords and sensitive information. Phishers might use enterprise email to send fraudulent information to customers and business partners.
Post Office Protocol Version 3 (POP3): A protocol used to retrieve email from a server.
Policy Management: A customizable module that enables the administrator to filter the content of email messages and attachments that enter SonicWALL Email Security.
Profiler: A software component that collects users’ outgoing email addresses, which can optionally be stored as known good addresses. The Profiler can be configured to work with each supported email client.
Probe Account: Similar to a Honeypot, an account that is established on the Internet for the sole purpose of collecting spam and tracking hackers.
Quarantine: A means of containing suspect email messages in a Junk Box.
Realtime Blackhole List (RBL): A list of Internet TCP/IP addresses known to send spam, or by hosts considered friendly to spam.
Remote Analyzer: An SMTP proxy placed in the email flow that performs a spam analysis to determine whether email is good or junk. It sends junk mail to the control center where it is quarantined, and routes good mail to its destination server.
Privilege Roles: Users can be assigned privileges so that they can administer all email, log in as another person or for a helpdesk role, view SonicWALL Email Security reports, or view their own Junk Box.
Sender ID: A mechanism that determines whether the alleged domain address of each email is authentic, which is one factor SonicWALL Email Security uses to determine whether the message is junk.
Simple Mail Transfer Protocol (SMTP): A protocol designed to transfer mail reliably and efficiently.
Secure Socket Layer (SSL): A protocol for transmitting private documents via the Internet. SSL uses a private key to encrypt data that is transferred over the SSL connection.
Spam: Any unsolicited commercial email that a user does not want. Spam frequently contains false advertising, get-rich-quick schemes, and other offensive material.