GFI MailSecurity 2011 for Exchange/SMTP Getting Started Guide
http://www.gfi.com
info@gfi.com
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI Software Ltd.
GFI MailSecurity is copyright of GFI SOFTWARE Ltd. 1999-2010 GFI Software Ltd. All rights reserved.
Document Version: MSEC-GSG-EN-1.
1 Introduction
1.1 Introduction to GFI MailSecurity
Email is frequently used as a means for distributing harmful content (for example, through email attachments). GFI MailSecurity acts as an email firewall to protect an email system against malicious email attacks. The software uses various methods to block malicious emails, such as multiple virus scanning engines and link scanning technology.
Chapter 5 - Pre-install actions: Describes the actions that need to be taken before installing GFI MailSecurity in various environments.
Chapter 6 - New installations: Provides information on how to install GFI MailSecurity.
Chapter 7 - Upgrade from earlier versions: Describes how to upgrade older versions of GFI MailSecurity to the latest version.
Chapter 8 - Post-install actions: Defines the actions that need to be taken after installing GFI MailSecurity.
2 About GFI MailSecurity
2.1 GFI MailSecurity components
GFI MailSecurity scan engine
The GFI MailSecurity scan engine analyzes the content of all inbound and outbound email. If you install GFI MailSecurity on the Microsoft Exchange server, it will also scan the Microsoft Exchange information store. If you install GFI MailSecurity on a Microsoft Exchange Server 2007/2010 machine with Hub Transport and Mailbox Server Roles, it will also analyze internal email.
2.2 How GFI MailSecurity works
This section provides a high-level overview of how GFI MailSecurity works.
2.2.1 Incoming email
Screenshot 1 - Incoming email
Incoming email is relayed to the GFI MailSecurity machine.
Email is scanned by GFI MailSecurity using the email scanning engines and filters configured to scan inbound emails.
EMAIL SCANNING ENGINE | DESCRIPTION
Virus Scanning Engines | Scan emails for viruses and malicious code.
2.2.2 Outgoing email
Screenshot 2 - Outgoing email
Outgoing email is relayed to the GFI MailSecurity machine.
Email is scanned by GFI MailSecurity using the email scanning engines and filters configured to scan outbound emails.
EMAIL SCANNING ENGINE | DESCRIPTION
Virus Scanning Engines | Scan emails for viruses and malicious code. Some engines also include other features, such as macro checking, link scanning and Sandbox technology.
Information Store Protection | Scans the Microsoft Exchange information store using the Virus Scanning Engines.
Directory Harvesting | Deletes emails addressed to nonexistent users from the Quarantine Store.
Quarantine Store | A central repository within GFI MailSecurity where all blocked emails are retained until review.
2.3 Licensing
For information on licensing, refer to: http://www.gfi.com/products/gfi-mailsecurity/pricing/licensing.
3 Typical deployment scenarios
This chapter explains the different scenarios in which GFI MailSecurity can be installed and configured. You can install GFI MailSecurity:
- directly on your mail server, or
- on a separate machine configured as a mail relay/gateway server.
3.1.1 Installing GFI MailSecurity on your mail server
Figure 1 - Installing GFI MailSecurity on your mail server
You can install GFI MailSecurity directly on your mail server, without any additional configuration.
3.1.3 Installing GFI MailSecurity in front of your firewall
Figure 3 - Installing GFI MailSecurity on a separate machine on a DMZ
Recommendation: If utilizing a firewall, a good way to deploy GFI MailSecurity is to install it on a separate machine in front of your firewall or on the firewall itself. This allows you to keep your corporate mail server behind the firewall.
3.2 Which installation mode should I use?
A core requirement of GFI MailSecurity is a list of the local mailboxes to protect. GFI MailSecurity can access the list of email users using two modes chosen during the installation:
- Active Directory mode
- SMTP mode
NOTE: Both modes have the same scanning features and performance.
4 System requirements
4.1 Hardware requirements
The minimum hardware requirements for GFI MailSecurity are:
- 2GHz processor
- 512MB RAM
- 1.5GB of physical disk space (installation only)
4.2 Software requirements
4.2.1 Supported Operating Systems
- Windows Server 2008 Standard or Enterprise (x86 or x64) (including R2 edition)
- Windows Server 2003 Standard or Enterprise (x86 or x64)
- Windows XP Professional
- Windows Small Business Server 2003 / 2008
4.2.
When installing on Windows Server 2008, the following server roles and services must be enabled:
- Web Server (IIS) role
- ASP.NET
- Windows Authentication Services
- Microsoft SMTP Services
For more information, refer to: http://kbase.gfi.com/showarticle.asp?id=KBID001596
Windows Small Business Server 2003
When using Small Business Server, ensure you have installed Service Pack 1 for Exchange Server 2003.
5 Pre-install actions
5.1 Installing on your mail server
No additional configuration is required if you are installing GFI MailSecurity directly on your mail server. For information on how to install GFI MailSecurity, refer to the New installations chapter.
5.2 Installing on an IIS mail relay server
In order to install GFI MailSecurity on a mail relay/gateway machine, it must be running the IIS SMTP service and World Wide Web service.
Screenshot 3 - Assign an IP address to the mail relay server
3. Key in the IP address of the SMTP relay server in the IP address list and click OK.
5.2.3 Step 3: Configure the SMTP service to relay mail to your mail server
Now you must configure the SMTP service to relay inbound messages to your mail server. Start by creating a local domain in IIS to route mail:
1. From Control Panel open Administrative Tools and launch Internet Information Services.
2.
Screenshot 4 - SMTP Domain Wizard - Selecting domain type
b) Select Remote and then click Next.
c) Type the domain name in the Name box and then click Finish.
NOTE: Upon installation, GFI MailSecurity will import Local Domains from the IIS SMTP service. If you add additional Local Domains in the IIS SMTP service, you must also add these domains to GFI MailSecurity, because GFI MailSecurity does not detect newly added Local Domains automatically. You can add more Local Domains using the GFI MailSecurity configuration.
5.2.5 Step 5: Secure your mail relay server
In this step, you will set up your SMTP virtual server's mail Relay Restrictions. This means that you must specify which machines may relay email through this virtual server (effectively limiting the servers that can send email via this server).
1. Right-click the Default SMTP Virtual Server node and then click Properties.
2. In the properties dialog box, click the Access tab and then click Relay to open the Relay Restrictions dialog box.
Screenshot 7 - Specify machines which may relay email via virtual server
4. In the Computer dialog box, specify the IP of the mail server that will be forwarding the email to this virtual server. You can specify the IP of a single computer, group of computers or a domain:
- Single computer: Select this option to specify one particular host that will relay email via this server. If you want to look up the IP address of a specific host, click DNS Lookup.
Screenshot 8 - The Microsoft Internet mail connector
2. Click the Connections tab and in the Message Delivery area click Forward all messages to host. Type the computer name or IP of the machine running GFI MailSecurity.
3. Click OK and restart the Microsoft Exchange Server from the services applet.
Microsoft Exchange Server 2000/2003
You will need to set up an SMTP connection that forwards all email to GFI MailSecurity:
1. Start the Exchange System Manager.
2.
3. Click Domains and then click Add Domains.
4. In the Basics section, click Foreign SMTP Domain from the Domain Type field and in the Messages Addressed to area, type “*” in the Internet Domain box.
5. Under the Should be routed to area, specify the IP of the machine running GFI MailSecurity in the Internet Host box.
6. Save the settings and restart the Lotus Notes server.
SMTP/POP3 mail server
1. Start the configuration program of your mail server.
2.
1. Test the IIS SMTP inbound connection of your mail relay server by sending an email from an external account to an internal user. Verify that the email client receives the email.
2. Test the IIS SMTP outbound connection of your mail relay server by sending an email to an external account from an internal email client. Verify that the external user receives the email.
NOTE: Instead of using an email client, you can send email manually through Telnet. This will give you more troubleshooting information.
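The manual SMTP test mentioned in the note above, scripted instead of typed into Telnet. This is an added example, not part of the GFI guide; the function names, host names and addresses are hypothetical, and the sample replies are constructed. It records the server's reply to every step, so a rejection such as a relay refusal at RCPT TO (the effect of the Relay Restrictions configured in Step 5) shows up with its reply code.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply: 'NNN-text' lines continue, 'NNN text' ends it."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def dialogue(rfile, wfile, sender, recipient, helo="client.example.test"):
    """Send what one would type in Telnet; return [(step, code, text_lines)]."""
    code, text = read_reply(rfile)                 # server greeting, normally 220
    transcript = [("<connect>", code, text)]
    if code != 220:
        return transcript
    message = (f"From: <{sender}>\r\nTo: <{recipient}>\r\n"
               "Subject: mail relay test\r\n\r\nTest message.\r\n.")
    commands = [f"HELO {helo}", f"MAIL FROM:<{sender}>",
                f"RCPT TO:<{recipient}>", "DATA"]
    steps = [(c, c) for c in commands] + [("<message>", message)]
    for step, payload in steps:
        wfile.write(payload.encode("ascii") + b"\r\n")
        wfile.flush()
        code, text = read_reply(rfile)
        transcript.append((step, code, text))
        if code >= 400:                            # 4xx temporary, 5xx permanent
            break
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    return transcript

def first_failure(transcript):
    """Return (step, code, text) of the first rejected step, or None."""
    for step, code, text in transcript:
        if code >= 400:
            return step, code, " ".join(text)
    return None

def run(host, sender, recipient, port=25, timeout=15):
    """Live test against a mail relay server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return dialogue(rfile, wfile, sender, recipient)

# Constructed replies (not captured from a real server): the relay refuses
# a recipient outside its local domains at the RCPT TO step.
SAMPLE = (b"220 relay.example.test ESMTP ready\r\n"
          b"250 relay.example.test Hello\r\n"
          b"250 2.1.0 Sender OK\r\n"
          b"550 5.7.1 Unable to relay for user@external.example.test\r\n")

if __name__ == "__main__":
    log = dialogue(io.BytesIO(SAMPLE), io.BytesIO(),
                   "tester@internal.example.test", "user@external.example.test")
    for step, code, text in log:
        print(f"{step} -> {code} {' | '.join(text)}")
    print("first failure:", first_failure(log))
```

For a live check, call run() with the relay server's name or IP and one internal and one external address, once for each direction described in the two test steps.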
6 New installations
Before you install GFI MailSecurity, check the points below:
1. Make sure that you are logged on using an account with administrative privileges.
2. Save any pending work and close all open applications on the machine.
3. Check that the machine you are installing GFI MailSecurity on meets the software and hardware requirements specified earlier in this chapter.
To install GFI MailSecurity follow these steps:
1.
Screenshot 10 - Define if the server has access to all email users in the Active Directory
7. Select the mode that GFI MailSecurity will use to retrieve the list of your email users. You must select one of the following options:
Yes, all email users are available on Active Directory | Active Directory mode
No, I do not have Active Directory or my network does not have access to Active Directory (DMZ) | SMTP mode
GFI MailSecurity will retrieve the list of users from Active Directory.
Screenshot 11 - Define your SMTP server and GFI MailSecurity virtual folder details.
8. In the IIS Setup dialog, configure the following options:
- The website to create the GFI MailSecurity virtual directory: Select the website where you want to host the GFI MailSecurity virtual directories.
- The GFI MailSecurity Configuration virtual directory: Specify a name for the GFI MailSecurity virtual directory.
NOTE: When installing on a Microsoft Exchange 2007/2010 machine, this screen is not displayed. Local domains are configured in the Post-Installation Wizard.
10. Setup will now ask you to select the folder in which to install GFI MailSecurity. Click Change… to specify a new installation path or click Next to install in the default location and proceed with the installation.
11. Click Install to start the installation process.
Screenshot 12 - Local domains list
2. The wizard displays the accepted domain list collected from Microsoft Exchange Server 2007/2010. Only emails sent to or received from these domains will be scanned by GFI MailSecurity. If there are any other local domains, type each domain in the Local domains box and click Add. If you want to remove a domain from this page, select it from the list and click Remove.
NOTE: The local domains you add from this page affect the GFI MailSecurity installation only.
Screenshot 13 - Server roles detected and list of components to install.
3. A list of the Microsoft Exchange Server 2007/2010 server roles detected on the machine and a list of the GFI MailSecurity components that need to be registered are displayed. Click Next to install the required GFI MailSecurity components.
5. Click Finish to close the wizard.
7 Upgrade from earlier versions
7.1 Upgrading from GFI MailSecurity 8 or earlier
Due to fundamental architectural changes between GFI MailSecurity 8 (and previous versions) and newer versions, it is not possible to install GFI MailSecurity on top of an existing installation of GFI MailSecurity 8. This section shows you how to:
- Replace your current GFI MailSecurity 8 installation with a newer version.
- Convert and import the GFI MailSecurity 8 configuration settings to the new configuration format.
Screenshot 14 - GFI MailSecurity 8 configuration settings migration tool
6. In the migration dialog, click Browse and select the avapicfg.rdb file from the Data sub-folder under the GFI MailSecurity 8 root folder.
7. Click Migrate.
8. When the migration process completes, click OK to close the information dialog box and click the close button to close the migration tool.
9. You now need to start all the services stopped in step 4 above.
10.
7.3 Upgrading the Quarantine
Starting from GFI MailSecurity 10 SR8, Quarantine information is stored in a Firebird database format. When upgrading from versions 9 or 10, GFI MailSecurity includes a Quarantine Upgrade Tool to automate migration from the old database to the new database format. The old quarantine data will not be available until imported.
7.3.1 Using the Quarantine upgrade tool
Screenshot 15 - Quarantine upgrade tool
1.
8 Post-install actions
8.1 Add GFI MailSecurity to the Windows DEP Exception List
Data Execution Prevention (DEP) is a set of hardware and software technologies that perform memory checks to help prevent malicious code from running on a system.
1. Navigate to Start ► Control Panel ► Internet Options.
2. From the Internet Properties dialog select the Security tab and click the Trusted sites icon from the Web content zone list.
Screenshot 16 - Internet properties dialog
3. Click Sites.
4. From the Trusted sites dialog specify http://127.0.0.1 in the Add this Web site to the zone text box.
5. Click Add.
6. Click Close and OK to apply settings.
8.2.
Screenshot 17 - GFI MailSecurity SwitchBoard
Configure the Active Directory accounts or groups to allow access to the Configuration and Quarantine Store.
1. From the GFI MailSecurity Switchboard, click Security….
Screenshot 18 - Configuration / Quarantine store Access Control Lists
2. In the IIS mode access control list dialog, configure the users to allow access to the GFI MailSecurity configuration and the quarantine store in separate access control lists.
3. To allow access to a particular user or group, select the Allow checkbox. To deny access, select the check box under the Deny column.
4. If users or groups that should be allowed access are not listed, click Add to specify them and add them to the list.
8.3 Securing access to the GFI MailSecurity Quarantine RSS feeds
You can configure GFI MailSecurity to create quarantine RSS feeds on specific quarantine folders. To configure who can subscribe to the quarantine RSS feeds:
1. Navigate to Start ► Programs ► GFI MailSecurity ► GFI MailSecurity SwitchBoard.
Screenshot 19 - GFI MailSecurity SwitchBoard
2. Click RSS Security….
Screenshot 20 - Quarantine RSS feeds Access Control Lists
3. In the IIS mode access control list dialog box, configure which users/groups can subscribe to the quarantine RSS feeds. Click the Add or Remove buttons to add or remove users or groups from the list. For each entry, select the Allow or Deny checkboxes to allow or deny access.
4. Click OK to finalize access permissions.
5. Click OK and wait while applying the new settings.
6. On completion, click OK.
8.
9 Accessing the GFI MailSecurity Configuration and Quarantine Store
This section provides information on how to access the GFI MailSecurity Configuration and Quarantine Store from the local or a remote machine. The GFI MailSecurity Configuration loads depending on the access mode configured in the GFI MailSecurity SwitchBoard application.
- IIS mode (default): GFI MailSecurity loads in your default web browser using the IIS setup settings configured during installation.
9.1 Accessing the configuration from the GFI MailSecurity machine
Navigate to Start ► Programs ► GFI MailSecurity and click GFI MailSecurity. The GFI MailSecurity Configuration loads depending on how it is configured in the GFI MailSecurity SwitchBoard application.
9.2 Accessing the configuration from a remote machine
To access the GFI MailSecurity configuration or quarantine store from a remote machine, ensure that GFI MailSecurity is set to IIS mode (default setting) in the GFI MailSecurity Switchboard.
9.2.1 Accessing the configuration
1. Start Microsoft Internet Explorer.
2.
Screenshot 22 - Accessing the quarantine
10 Testing your GFI MailSecurity system
10.1 Introduction
GFI MailSecurity is now ready to start protecting your mail system from threats. This section shows you how to create a custom content filtering rule and test the operation of GFI MailSecurity by breaching this rule.
10.2 Step 1: Create a Content Filtering rule
1. Launch the GFI MailSecurity console.
2. Navigate to GFI MailSecurity ► Scanning & Filtering ► Content Filtering node.
3. Click Add Rule….
4. In Rule name key in 'Test Rule'.
5.
Screenshot 23 - Ensuring that test emails are blocked and quarantined
11 Uninstalling GFI MailSecurity
11.1 Introduction
This chapter describes how to uninstall GFI MailSecurity for all supported operating systems.
NOTE 1: If you are planning to uninstall and reinstall GFI MailSecurity to fix problems encountered during installation, it is recommended to first read the Troubleshooting chapter in this manual.
NOTE 2: Third-party components which are required by GFI MailSecurity, such as Microsoft .NET Framework or Microsoft Messaging Queuing Service, will not be uninstalled.
12 Troubleshooting
12.1 Introduction
The troubleshooting chapter explains how you should go about resolving any issues that you might encounter. The main sources of information available to users are:
- The manual - most issues can be solved by reading this manual.
- GFI Knowledge Base articles
- Web forum
- Contacting GFI Technical Support
12.2 Knowledge Base
GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, consult the Knowledge Base first.
Solution
If any legitimate emails are moved to the failedmails folder, these can be manually re-processed for delivery. For more information on how to do this in various environments refer to: http://kbase.gfi.com/showarticle.asp?id=KBID003263
GFI MailSecurity returns the following error: “The file was blocked by the attachment filtering module at file type checking stage. The attachment claimed to be a which is identified as being an attachment in category .
13 Appendix - Installing on a Microsoft Exchange 2003 cluster
A Microsoft Exchange cluster can be set up in one of 2 modes: active/active or active/passive. This appendix describes how to install GFI MailSecurity on a Microsoft Exchange 2003 Active/Passive cluster.
NOTE: Installing GFI MailSecurity on a Microsoft Exchange 2003 Active/Active cluster is currently not supported.
NOTE: Installing GFI MailSecurity on a Microsoft Exchange Server 2007 cluster environment is currently not supported.
NOTE: To access product configuration from a remote machine you must configure the GFI MailSecurity SwitchBoard application, making sure that the MAILCLUSTER name/IP is specified for IIS Mode. For more information, refer to Securing access to the GFI MailSecurity configuration/quarantine section in this chapter.
14 Glossary
Active Directory: A technology that provides a variety of network services, including LDAP directory services.
AD: See Active Directory.
Anti-virus software: Software that detects malware such as Trojan horses in emails, files and applications.
Botnet: A network of infected computers that run autonomously and are controlled by a hacker/cracker.
Decompression engine: A scanning module that decompresses and analyzes archives attached to an email.
Malware: All malicious types of software that are designed to compromise computer security and which usually spread through malicious methods.
Microsoft Message Queuing Services: A message queue implementation for Windows Server operating systems.