Symantec Mail Security for SMTP Planning Guide

Upload: armando-leon

Post on 15-Jun-2015


Page 1: SMS SMTP Planning Guide

Symantec Mail Security for SMTP

Planning Guide

Symantec Mail Security for SMTP Planning Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

April 17, 2006

Copyright notice

Copyright © 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, Symantec TurnTide, and SESA are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for spam and virus definitions, and security signatures that ensure the highest level of protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at http://www.symantec.com/enterprise/

Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at https://www-secure.symantec.com/platinum/

When contacting the Technical Support group, please have the following:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description

■ Error messages/log files

■ Troubleshooting performed prior to contacting Symantec

■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to http://www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec's technical support options

■ Nontechnical presales questions

■ Missing or defective CD-ROMs or manuals

Contents

Chapter 1 Introducing Symantec Mail Security for SMTP
  Key features
  Functional overview
  Architecture
  New features for all users
  Changes for Symantec Mail Security for SMTP users
    New feature names
    Discontinued features
  Changes for Symantec Brightmail Antispam users
  Where to get more information

Chapter 2 Planning your deployment
  General deployment considerations
    MTA usage
    Configuring Scanners
    Positioning with other filtering products
    Filtering internal deliveries
    LDAP compatibility
    Load balancing
    Adjusting MX records
    Adjusting RAM and MySQL threads
  Deployment models
    Basic gateway deployment
    Multi-tier gateway deployment
    Post-gateway deployment

Chapter 3 Configuring message filtering
  Understanding email filtering
    Notes on filtering actions
  Deployment considerations

Chapter 4 Understanding system requirements
  Hardware and software requirements
    Minimum hardware requirements
    Minimum software requirements
    Reserved ports
  Factors that affect performance
    Hardware components that affect performance
    Environmental factors that affect performance
    Settings that affect performance

Index

Chapter 1 Introducing Symantec Mail Security for SMTP

This chapter includes the following topics:

■ Key features

■ Functional overview

■ Architecture

■ New features for all users

■ Changes for Symantec Mail Security for SMTP users

■ Changes for Symantec Brightmail Antispam users

■ Where to get more information

Key features

Symantec Mail Security for SMTP offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following:

■ Antispam technology – Symantec’s state-of-the-art spam filters assess and classify email as it enters your site.

■ Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.

■ Content Compliance – These features help administrators enforce corporate email policies, reduce legal liability, and ensure compliance with regulatory requirements.

■ Group policies and filter policies – An easy-to-use authoring tool lets administrators create powerful, flexible ad hoc filters for users and groups.

Functional overview

You can deploy Symantec Mail Security for SMTP in different configurations to best suit the size of your network and your email processing needs.

A Symantec Mail Security for SMTP host can be deployed in the following ways:

■ Scanner – Deployed as a Scanner, a Symantec Mail Security for SMTP host filters email. Your installation can have one or many Scanners. Symantec Mail Security for SMTP runs alongside your email or groupware server(s).

■ Control Center – Deployed as a Control Center, a Symantec Mail Security for SMTP host is a Web-based configuration and administration center. Use it to configure and manage email filtering, SMTP routing, system settings, and all other functions. Your enterprise-wide deployment of Symantec Mail Security for SMTP can have multiple Scanners but only one Control Center, from which you configure and monitor all the Scanner hosts.

The Control Center provides status for all Symantec Mail Security for SMTP hosts in your system, system logs, and extensive customizable reporting. Use it to configure both system-wide and host-specific details.

The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security for SMTP instances at your site, and also the Add Scanner Wizard, for adding new Scanners.

It also hosts the Spam and Suspect Virus Quarantines, for storage of spam and virus messages respectively. End users can access the Control Center to view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure the Spam Quarantine for administrator-only access.

■ Scanner and Control Center – A single Symantec Mail Security for SMTP host performs both functions.

Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not intended for use as the only MTA in your email infrastructure.

Note: Symantec Mail Security for SMTP does not filter messages that don’t flow through the SMTP gateway. For example, if two mailboxes reside on the same MS Exchange server, or on different Exchange servers in the same organization, messages will not pass through Symantec Mail Security for SMTP filters.

Architecture

Your Symantec Mail Security for SMTP installation processes an email message as follows. For the sake of discussion, our sample message passes through the Filtering Engine to the Transformation Engine without being rejected.

■ The incoming connection arrives at the inbound MTA via TCP/IP.

■ The inbound MTA accepts the connection and moves the message to its inbound queue.

■ The Filtering Hub accepts a copy of the message for filtering.

■ The Filtering Hub consults the LDAP SyncService directory to expand the message’s distribution list.

■ The Filtering Engine determines each recipient’s filtering policies.

■ The message is checked against Blocked/Allowed Senders Lists defined by administrators.

■ Virus and configurable heuristic filters determine whether the message is infected.

■ Content Compliance filters scan the message for restricted attachment types or keywords, as defined in configurable dictionaries.

■ Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.

■ The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.

New features for all users

Table 1-1 lists features that are new for both Symantec Mail Security for SMTP users and Symantec Brightmail Antispam users.

Table 1-1 New features for Symantec Mail Security for SMTP and Symantec Brightmail Antispam

| Category | Features | Description |
| --- | --- | --- |
| Threat protection features | Improved Email Firewall | Protects against directory harvest attacks, denial of service attacks, spam attacks, and virus attacks. |
| Threat protection features | Sender Authentication | Protects against phishing attacks, using the Sender Policy Framework (SPF), Sender ID, or both. |
| Threat protection features | Improved virus protection | Additional virus verdicts protect against suspected viruses, spyware and adware, and encrypted attachments. Email messages that may contain viruses can be delayed in the Suspect Virus Quarantine, then refiltered, with updated virus definitions, if available. This feature can be effective in defeating virus attacks before they are widely known. View a continuously updated list of available virus definitions. |
| Inbound and outbound content controls | True file type recognition for content compliance filtering | Automatically detects file types without relying on file name extensions or MIME types. |
| Inbound and outbound content controls | Keywords filtering within attachments, keyword frequency filtering | Scan within attachments to find keywords from dictionaries you create or edit. Specify a number of occurrences to look for. |
| Inbound and outbound content controls | Regular expression filtering | Use regular expressions to further customize filter conditions by searching within messages and attachments. |
| Inbound and outbound content controls | Support for third party archival tools | Specify conditions that result in email being sent to an archival email address or disk location. |
| Flexible mail management | LDAP integration and synchronization for policies | Dynamic group population via any of several supported LDAP servers |
| Flexible mail management | Expanded variety of actions and combinations | More than two dozen actions that can be taken on messages, with many combinations of multiple actions available. |
| Flexible mail management | Expanded mail controls | SMTP connection management, support for secure email (TLS encryption), user-based routing, address masquerading, invalid recipient handling, control over delivery queue processing, support for static routes |
| Flexible mail management | Aliasing | Distribution lists automatically expanded, mail filtered and delivered correctly for each user |
| Improved reporting and monitoring | Extensive set of pre-built reports, scheduled reporting, additional alert conditions, remote syslog support | More than 50 graphical reports that you can generate ad-hoc or on a scheduled basis. Reports can be exported for offline analysis and emailed. |
| Improved reporting and monitoring | Message tracking | View a trail of detailed information about a message, including the filtering processing applied to a message. |
| Expanded administration capabilities | IP-based access control | Control which hosts and networks can access your Control Center. |
| Expanded administration capabilities | Control over Quarantine size limits | Specify user-based and total limits, configure automatic message deletions. |

Changes for Symantec Mail Security for SMTP users

For users of Symantec Mail Security for SMTP 4.1, Version 5.0 provides a host of expanded and improved capabilities. In addition to the new features listed in Table 1-1, additional new features for Symantec Mail Security for SMTP users only are listed in Table 1-2.

Group Policies introduce expanded flexibility in mail filtering and message handling. Group Policies enable you to specify groups of users, based on email addresses, domains, or IP addresses, and customize mail filtering for each group. See the Symantec Mail Security for SMTP Administration Guide for more information.

In addition, if you were using Version 4.1 without Premium AntiSpam, Version 5.0, with or without Premium AntiSpam, provides much more extensive capabilities for customizing both message filtering and the actions taken on filtered messages.

Table 1-2 New features for Symantec Mail Security for SMTP users

| Category | Features | Description |
| --- | --- | --- |
| Flexible mail management | Centralized, Web-based administration | Use the Control Center to manage all aspects of email management and spam, virus, and content filtering across all servers with one interface. |
| Flexible mail management | Group Policies | Create separate inbound and outbound policies for an unlimited number of groups of users. You can specify groups of users based on email addresses, domains, LDAP groups, or IP addresses. For each category of email, you can specify custom message handling for each group. |
| Flexible mail management | Expanded notification capabilities | Automatically send emails notifying specific persons or groups when certain message conditions are encountered during message filtering. Create different notifications for different conditions or user groups. |
| Inbound and outbound content controls | Improved attachment blocking | Strip attachments within container files. Search within attachments using regular expressions. |
| Improved reporting and monitoring | Aggregated logging and reporting | Access logs for all messages from all servers via the Control Center. Manage reports for all servers via the Control Center. Note that many of the reporting features in SMS for SMTP 4.1 have been replaced in SMS for SMTP 5.0 by the message tracking feature. |
| Expanded administration capabilities | Delegated administration | Multiple administrator roles with view only or modify access to different portions of the management interface. |

New feature names

Most features in Version 5.0 have similar names to the corresponding Version 4.1 features. Table 1-3 provides a cross-reference between selected Symantec Mail Security for SMTP 4.1 features and Symantec Mail Security for SMTP 5.0 features that have different names.

Table 1-3 Version 4.1 to Version 5.0

| Symantec Mail Security for SMTP 4.1 Feature Name | Symantec Mail Security for SMTP 5.0 Feature Name |
| --- | --- |
| Accounts | Administration |
| Custom disclaimer | Annotation |
| Scan policy | Settings > Virus > Exclude Scanning tab |
| Routing | Settings > Hosts > Edit > SMTP tab |

Discontinued features

The following Symantec Mail Security for SMTP 4.1 features are not included in Symantec Mail Security for SMTP 5.0:

■ Auto-generated whitelist

■ Logging of SMTP conversations

■ Hold Queue, automatic reordering of the Slow Queue

■ Return code support for DNS Blacklists

■ Configurable administrator timeout for the management interface

Changes for Symantec Brightmail Antispam users

Although the product name has changed, if you were a Symantec Brightmail Antispam user you will find the user interface for Symantec Mail Security for SMTP 5.0 quite familiar. Most features are named similarly, and the organization of the user interface is quite similar. Most of the changes are new features.

For users of Symantec Brightmail Antispam, Symantec Mail Security for SMTP Version 5.0 provides significant new and expanded capabilities. In addition to the new features listed in Table 1-1, additional new features for Symantec Brightmail Antispam users only are listed in Table 1-4.

While the names of features are largely the same, you will find some changes to the organization of menus. Most importantly, you will now find a Policies menu at the top level, breaking out Group Policies (under the Settings menu in Symantec Brightmail Antispam 6.0.3), and including other items as well. See the Symantec Mail Security for SMTP Administration Guide for an updated explanation of how settings and policies interact.

Table 1-4 New features for Symantec Brightmail Antispam users

| Category | Features | Description |
| --- | --- | --- |
| Threat protection features | Improved virus processing | LiveUpdate support for virus definitions, list of file types to exclude from virus scanning, expanded container limit controls |
| Threat protection features | Outbound filtering | Provides spam, virus, and content compliance filtering on outbound email messages. Specify different outbound and inbound policies for each user group. |
| Flexible mail management | More flexible Group Policies | Use LDAP groups to populate groups for Group Policies. |
| Flexible mail management | Multiple actions | Specify more than one action to take on specific categories of messages to specific groups of recipients. |
| Inbound and outbound content controls | Expanded content compliance filtering capabilities | Expanded set of actions available on filtered messages, support for multiple actions on the same messages |
| Inbound and outbound content controls | Attachment blocking | Create lists of attachment types to remove. Strip attachments within container files. |
| Inbound and outbound content controls | Annotations | Automatically append or prepend text, such as legal disclaimers or marketing tag lines, to messages. |
| Inbound and outbound content controls | Notifications | Automatically send emails notifying specific persons or groups when certain message conditions are encountered during message filtering. Create different notifications for different conditions or user groups. |
| Improved reporting and monitoring | Expanded virus monitoring | Virus outbreak alerts, expanded logging of virus events |
| Improved reporting and monitoring | Expanded logging | Symantec Security Information Manager (SSIM) logging support |
| Expanded administration capabilities | Global reject or pause of message scanning | During a virus outbreak, you can temporarily pause scanning until new virus filters are in place. |

Where to get more information

In addition to this Planning Guide, your Symantec Mail Security for SMTP product comes with the following documentation:

■ Symantec Mail Security for SMTP Installation Guide

■ Symantec Mail Security for SMTP Administration Guide

■ Symantec Mail Security for SMTP Getting Started

Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.

You can visit the Symantec Web site for more information about your product. The following online resources are available:

■ www.symantec.com/techsupp/ent/enterprise.html – Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions

■ www.symantec.com/licensing/els/help/en/help.html – Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration

■ www.enterprisesecurity.symantec.com – Provides product news and updates

■ www.symantec.com/avcenter/global/index.html – Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

Chapter 2 Planning your deployment

This chapter includes the following topics:

■ General deployment considerations

■ Deployment models

General deployment considerations

This section provides information about integrating Symantec Mail Security for SMTP into your network.

MTA usage

Symantec Mail Security for SMTP contains a Message Transfer Agent (MTA), which processes and relays messages to support filtering activities.

Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not suitable for use as the only MTA in your email infrastructure.

Configuring Scanners

During installation, you can use a wizard to add a Scanner. Depending on your filtering requirements and messaging environment, you may want to deploy multiple Scanners and administer them via a single Control Center. In such cases, you can dedicate Scanners to specific functions. For example, you might want one Scanner to filter inbound mail and another to filter outbound mail.

Positioning with other filtering products

In order for Symantec Mail Security for SMTP’s spam and Content Compliance filters to function properly, you should avoid placing the product behind other filtering products (such as content filters) or MTAs that alter or remove pre-existing message headers or modify the message body.

Filtering internal deliveries

You can force internal mail through Symantec Mail Security for SMTP to avoid propagation of viruses and spam generated by email mass-mailing worms that may have been picked up by individuals via Web browsing or downloading.

LDAP compatibility

Symantec Mail Security for SMTP supports LDAP for Spam Quarantine authentication and synchronization.

The system’s LDAP SyncService feature synchronizes user, alias, and group data from your company’s LDAP accessible directories with its own database. SyncService lets Symantec Mail Security for SMTP re-normalize and index the data to fit the needs of Scanner, Control Center, and Spam Quarantine while minimizing impact on your directory infrastructure.

LDAP SyncService supports the following LDAP servers:

■ Windows 2000 Active Directory

■ Windows 2003 Active Directory

■ Sun Directory Server 5.2, Patch 4 (formerly known as the iPlanet Directory Server) on Solaris 8 and 9, and Red Hat Linux

■ SunOne LDAP Server 5.2, Patch 4

■ Lotus Domino LDAP Server 6.5

■ Exchange 5.5

■ other (used for authentication only)

Note: Only one LDAP source may be used for authentication. While the same source may also be used for synchronization purposes, no other LDAP directories may be used for authentication. This is especially important with regard to Spam Quarantine. If email is being sent to Spam Quarantine where end users will then process their quarantined messages, then all end users must exist in the LDAP source used for authentication.

For information on using LDAP SyncService, see the Symantec Mail Security for SMTP Administration Guide.

Load balancing

Symantec Mail Security for SMTP is not intended to be used for load balancing. Administrators can associate only one host name or IP address as the MTA to which email is relayed. You must implement multiple Scanners to perform load balancing.

Adjusting MX records

When you implement Symantec Mail Security for SMTP in front of a separate MTA that receives inbound messages, you must change the DNS mail exchange (MX) records. The records must point incoming messages to the system. Symantec Mail Security for SMTP should have a higher priority than the existing MTA.

However, if you simply list Symantec Mail Security for SMTP as a higher-weighted MX record in addition to the existing MX record, spammers can look up the previous MTA’s MX record. This allows them to send spam directly to the old server, bypassing your spam filtering. To prevent spammers from circumventing the new spam-filtering servers, you should do one of the following:

■ Remove the previous MTA’s MX record from DNS.

■ Block off the MTA from the Internet using a firewall.

■ Modify the firewall’s network address translation (NAT) tables to route external IP addresses to internal non-routable IP addresses. You can then map from the old server to Symantec Mail Security for SMTP.

■ When naming Symantec Mail Security for SMTP, ensure that the name you choose does not imply its function. For example, antispam.yourdomain.com, symantec.yourdomain.com, or antivirus.yourdomain.com are not good choices.
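
The MX guidance above can be checked mechanically. The following Python audit is an added example, not code from the Symantec guide or product: it flags any published MX record that points at a host other than a Scanner, flags Scanner names that advertise their role, and tests whether a legacy MTA still accepts TCP connections on port 25. The zone lines, hostnames, and function names are constructed for illustration; in DNS the lowest MX preference number is the one tried first.

```python
import re
import socket
from dataclasses import dataclass

# Leading hostname labels that advertise the host's role. The three names come
# from the naming advice above; matching them as prefixes is an assumption.
REVEALING = re.compile(r"^(anti-?spam|anti-?virus|symantec)", re.IGNORECASE)


@dataclass(frozen=True)
class MX:
    preference: int  # lower value is tried first
    host: str


def parse_mx(zone_text):
    """Extract MX records from zone-file style lines; ';' starts a comment."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        m = re.search(r"\bMX\s+(\d+)\s+(\S+)", line, re.IGNORECASE)
        if m:
            records.append(MX(int(m.group(1)), m.group(2).rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.preference, r.host))


def audit_mx(records, scanner_hosts):
    """Return (code, host, detail) findings for a domain's MX set.

    scanner_hosts: hostnames of the filtering gateways (the Scanners).
    """
    scanners = {h.rstrip(".").lower() for h in scanner_hosts}
    findings = []
    if not any(r.host in scanners for r in records):
        findings.append(("NO_SCANNER_MX", "", "no MX record points at a Scanner"))
    for r in records:
        if r.host not in scanners:
            # Preference does not help here: a sender may connect to any
            # published MX, so a lower-priority record is still a bypass.
            findings.append(("BYPASS", r.host,
                             f"MX {r.preference} delivers without filtering"))
        elif REVEALING.match(r.host):
            findings.append(("REVEALING_NAME", r.host,
                             "hostname advertises the filtering role"))
    return findings


def smtp_reachable(host, port=25, timeout=5.0, connect=socket.create_connection):
    """True if a TCP connection to host:port succeeds.

    Run from outside the perimeter against your own previous MTA once its MX
    record is removed: True means the firewall still exposes it directly.
    """
    try:
        conn = connect((host, port), timeout)
    except OSError:
        return False
    conn.close()
    return True


# Constructed sample zone data (example.com is a reserved documentation domain).
BEFORE = """
example.com.  3600 IN MX 10 antispam.example.com.   ; new Scanner
example.com.  3600 IN MX 20 mail.example.com.       ; previous MTA left in place
"""
AFTER = """
example.com.  3600 IN MX 10 mx1.example.com.
example.com.  3600 IN MX 10 mx2.example.com.
"""

if __name__ == "__main__":
    cases = (
        ("before", BEFORE, ["antispam.example.com"]),
        ("after", AFTER, ["mx1.example.com", "mx2.example.com"]),
    )
    for label, zone, scanners in cases:
        print(label)
        results = audit_mx(parse_mx(zone), scanners)
        for finding in results or [("OK", "", "all MX records point at Scanners")]:
            print("  ", *finding)
```
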

Adjusting RAM and MySQL threads

The Control Center is a combination of Tomcat and MySQL applications. Tomcat provides the Web-based interface, and MySQL is the database storage. Their default configuration performs well in installations with a single Scanner and low volume email traffic. In installations where multiple Scanners or large amounts of spam are processed, increasing the amount of RAM allocated to Tomcat and increasing the number of listener and consumer threads in MySQL improves performance.

Deployment models

You can deploy Symantec Mail Security for SMTP in the following ways:

■ Basic gateway deployment

■ Multi-tier gateway deployment

■ Post-gateway deployment

Basic gateway deployment

This is the simplest deployment model. Symantec Mail Security for SMTP resides at the outermost gateway layer, processing inbound and outbound mail, providing Secure Email Services, and relaying mail to other relay layers or to the user-facing mail server layer.

On all configured server computers, port 443 must be configured to permit outbound connections to Symantec to download content updates.

The following figure shows Symantec Mail Security for SMTP deployed at the gateway, behind a firewall.

Figure 2-1 Basic gateway deployment

Advantages■ Because spam emanates from the outside world, the gateway is the logical

and effective place to deploy Symantec Mail Security for SMTP.

■ When you deploy the system closer to the gateway, you can minimize mail processing and storage requirements as well as network bandwidth via Email Firewall filtering.

Considerations

■ Some organizations prefer to have secure gateways with no other services running. In these environments, all other services run behind the first gateway layer.

■ Some smaller organizations do not have dedicated gateway servers or a gateway layer. Instead, they deploy gateway servers and internal mail servers on the same computers.

■ Symantec Mail Security for SMTP cannot be installed on the server running Exchange.

Multi-tier gateway deployment

Note: This model may be implemented with one or more Scanner hosts.

The following figure shows Symantec Mail Security for SMTP in a multi-tier gateway deployment, with multiple Scanners in the DMZ and a Control Center behind a second firewall.

Figure 2-2 Multi-tier gateway deployment

Advantages

■ This configuration meets a common security audit requirement in that all data stores are in the second tier, including the Control Center and Spam Quarantine databases.

■ Inbound traffic may be load balanced across multiple scanners with this model.


■ Compared with basic gateway deployment, this configuration eliminates a single point of failure for message scanning.

■ This model allows administrators to take individual Scanners offline for maintenance without incurring downtime.

■ This scenario enables load balancing of filtered mail across multiple downstream MTAs.

Considerations

■ This approach requires more administrative overhead and complex networking than a basic gateway deployment.

■ With increased hardware and maintenance costs, this model could require a higher total cost of operation.


Post-gateway deployment

Note: This model may be implemented with one or more SMTP gateway MTAs and one or more Scanner hosts.

As shown below, MTAs at the gateway layer accept unfiltered mail from the Internet then relay it to Symantec Mail Security for SMTP. The system filters mail from the gateway layer and relays mail to other MTAs downstream.

Figure 2-3 Post-Gateway deployment

Advantages

■ If you have a customized MTA or specific business needs, then running this configuration may outweigh the extra overhead and loss of functionality.

Considerations

■ This configuration limits Scanner functionality as IP-based defenses are nullified.

■ Unless the SMTP Gateway is performing filtering, all email is processed by the gateway (read, stored, and forwarded) then sent to the system, which must then read, filter, and take some action based on the verdict. Such redundancy may add overhead, thereby decreasing throughput.

Chapter 3

Configuring message filtering

This chapter includes the following topics:

■ Understanding email filtering

■ Deployment considerations

Understanding email filtering

Symantec Mail Security for SMTP provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct users or groups.

You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict.

Each category of unwanted email includes one or more verdicts, conclusions reached on a message by the filtering process. Symantec Mail Security for SMTP performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member.

For detailed descriptions of email filtering verdicts, refer to the Symantec Mail Security for SMTP Administration Guide.

Notes on filtering actions

When configuring email filtering, consider the following limitations:

■ All Virus verdicts except suspicious attachments share the same available actions. Two additional actions, Delay message delivery and Strip and hold in Suspect Virus Quarantine, are available only for the suspicious attachment verdict.

■ All Spam verdicts share the same available actions.

■ All Content Compliance verdicts share the same available actions.

■ Messages from senders in the Allowed Senders Lists are always delivered directly to end-user mailboxes, bypassing spam filtering.

■ When using the Modify the subject action, you can specify the character set encoding to use. If the encoding you choose is different than the encoding used by the original message, either the message or the modified subject line will not be displayed correctly.

■ When using the Save to disk action on Solaris or Linux, you must specify a writeable directory.

■ By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See the Symantec Mail Security for SMTP Administration Guide for more information.

Deployment considerations

The following table lists deployment considerations for select actions.

Table 3-1 Deployment considerations

Action: Consideration

Clean the message: If many messages need to be cleaned, there may be high demand on the system.

Delete the message: This eliminates the need for spam storage, though users cannot check for misidentified messages. When you’re comfortable with your system’s low false positive rate, you may want to configure spam to be deleted.

Deliver message normally: This setting is useful for testing. Spam and suspected spam are still counted as such in message statistics for reports.

Deliver the message to recipient's Spam folder: Symantec Mail Security for SMTP supports the Symantec Spam Folder Agent for Exchange using X-header markup for Microsoft Exchange 5.5 and Exchange 2000 internal messaging systems. The Symantec Spam Folder Agent for Exchange may also be run on an Exchange 2003 host. Note that Exchange 2000 and Lotus Domino configurations require installation of lightweight agents to folder spam.

Modify the message: A modified message will be delivered to end-user mailboxes, unless it contains a virus or worm.

Chapter 4

Understanding system requirements

This chapter includes the following topics:

■ Hardware and software requirements

■ Factors that affect performance

Hardware and software requirements

This section gives detailed requirements for each supported platform.

Minimum hardware requirements

Hardware requirements vary depending on the number of email users and the amount of email traffic. The minimum specifications in “Minimum hardware requirements” on page 28 are suggested guidelines. These apply to computers with the following software installed:

■ Control Center

■ Scanner

■ Control Center and Scanner

Table 4-1 Minimum hardware requirements

Platform: Hardware required

Windows:

■ Intel Pentium 4 processor or compatible

■ 1 GB RAM minimum (2 GB or more recommended)

■ 512 MB disk space minimum (2 GB or more recommended)

Solaris:

■ UltraSPARC processor

■ 1 GB RAM minimum (2 GB or more recommended)

■ 512 MB disk space minimum (2 GB or more recommended)

Linux:

■ Intel Pentium IV processor or compatible

■ 1 GB RAM minimum (2 GB or more recommended)

■ 512 MB disk space minimum (2 GB or more recommended)

Note: The recommended disk space minimums include Spam Quarantine program files, but not quarantined messages.

Minimum software requirements

Following are the minimum software requirements for Symantec Mail Security for SMTP.

Note: Symantec Mail Security for SMTP does not support Scanners running on different platforms within the same email filtering environment; all Scanners must use the same operating system (for example, Linux or Windows).

Table 4-2 Requirements for Windows

Windows Platform: Requirements

Operating System:

■ Windows 2000 Server (SP4)

■ Windows Server 2003 (SP1)

■ Windows Server 2003, Japanese version (SP1)

Mail Server/MTA:

■ Microsoft Internet Information Services (IIS)

■ Windows SMTP service

The MTA included with Symantec Mail Security for SMTP relays mail to existing email servers. It does not provide final mail delivery functions nor client access to mail via POP.

Browser: A secure Web connection using one of the following browsers:

■ Microsoft Internet Explorer 6.0

■ Firefox 1.5

Foldering Support:

Spam Folder Agent: Exchange 5.5, Exchange 2000, or Exchange Server 2003

Symantec Spam Folder Agent for Domino: Lotus Domino 5, 6, or 6.5

Exchange foldering using Spam Confidence Level: Symantec Mail Security for SMTP must be installed on an Exchange Server 2003 server. Exchange Server 2003 must be installed on the back-end message store. Users must enable the Junk Mail Filter in Outlook 2003 or Outlook Web Access 2003.

Note: Foldering agents must reside on machines running their corresponding message server; they cannot run on machines which also run Symantec Mail Security for SMTP.

Privileges and permissions:

For installation: You must be an administrator of the local computer to install any Symantec Mail Security for SMTP component on that computer.

After installation: The subfolder where Symantec Mail Security for SMTP is installed and its subdirectories are created with the default permissions relative to their location. If security is a concern, and since the configuration file is accessible via the network, it is recommended that you verify that the permissions are acceptable after installation, and modify them if necessary. Ensure that at least local administrators retain full access to everything, so that the various system components can continue to function properly.

Service Permissions: Except for the Spam Folder Agent, Symantec Mail Security for SMTP Services run as the Local System Account, which gives them full access to system information and resources. Should you wish to change this, it is imperative that the services run with a user belonging to the local administrators group. You choose the account that the Spam Folder Agent runs as.

LDAP: Necessary if you want to have LDAP-based group policies or alias expansion.

Table 4-3 Requirements for Solaris/SPARC or Linux

Solaris/SPARC or Linux Platform: Requirements

Operating System:

■ Sun Solaris 9 or 10

■ Red Hat Enterprise Linux AS 3.0 (Update 5)

■ Red Hat Enterprise Linux ES 3.0 (Update 5)

Browser: A secure Web connection using one of the following browsers:

■ Microsoft Internet Explorer 6.0

■ Firefox 1.5

Access privileges: Root access using su or sudo

Accounts and directories: Symantec Mail Security for SMTP software runs as user mailwall in the bmi group. See the Symantec Mail Security for SMTP Installation Guide for more information.

Alias: Create a mail alias for the mailwall account so that all mail sent to mailwall is read by an administrator.

Domain name: A fully qualified domain name is required for each computer running the software.

tar program: Because the tar file names exceed the 40 character file name limit of native Solaris tar, GNU tar is required to install Symantec Mail Security for SMTP on Solaris. GNU tar for Solaris is available from http://www.sunfreeware.com and other Web sites.

LDAP: Necessary if you want to have LDAP-based group policies or alias expansion.

MTA: The MTA included with Symantec Mail Security for SMTP relays mail to existing email servers. It does not provide final mail delivery functions nor client access to mail via POP.

Reserved ports

The following tables list ports reserved for Symantec Mail Security for SMTP components and functions. Reserved ports are classified as either locally bound (Table 4-4) or external listening (Table 4-5).

Table 4-4 Reserved locally-bound ports

Port Component or function

22 Control Center to internal server connection

3306 MySQL database connection

11000 – 11004 LDAP sync

11011 – 11013 LDAP sync

41025 Spam Quarantine

41000 BMI client

Table 4-5 Reserved external listening ports

Port Component or function

21 Control Center to FTP server connection

25 Inbound mail SMTP connection

389 LDAP server TCP/IP connection

3268 LDAP Global Catalog connection

5001 Relay Hub

8086 SESA agent

41002 Agent

41080 Tomcat HTTP

41443 Tomcat HTTPS connection
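A pre-installation check built from Tables 4-4 and 4-5, added here as an example and not taken from the Symantec guide: it expands the reserved port rows, including the ranges, and lists every reserved port that already has a TCP listener so it can be reviewed before the software is installed. The netstat listing is constructed sample data in Linux netstat -ltn format, and all function names are hypothetical.

```python
import re

# Rows transcribed from Table 4-4 (locally bound) and Table 4-5 (external
# listening). Ranges use a hyphen here; the en dash printed in the guide is
# accepted by the parser as well.
LOCALLY_BOUND = """\
22 Control Center to internal server connection
3306 MySQL database connection
11000 - 11004 LDAP sync
11011 - 11013 LDAP sync
41025 Spam Quarantine
41000 BMI client
"""
EXTERNAL_LISTENING = """\
21 Control Center to FTP server connection
25 Inbound mail SMTP connection
389 LDAP server TCP/IP connection
3268 LDAP Global Catalog connection
5001 Relay Hub
8086 SESA agent
41002 Agent
41080 Tomcat HTTP
41443 Tomcat HTTPS connection
"""

# Constructed sample in Linux "netstat -ltn" format; not output from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::41080                :::*                    LISTEN
"""

ROW = re.compile(r"^(\d+)(?:\s*[-\u2013]\s*(\d+))?\s+(.+)$")


def parse_ports(table, kind):
    """Expand each row (single port or range) into {port: (kind, function)}."""
    ports = {}
    for line in table.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        first = int(match.group(1))
        last = int(match.group(2) or first)
        for port in range(first, last + 1):
            ports[port] = (kind, match.group(3))
    return ports


def reserved_ports():
    """All ports the guide lists as reserved, keyed by port number."""
    ports = parse_ports(LOCALLY_BOUND, "locally bound")
    ports.update(parse_ports(EXTERNAL_LISTENING, "external listening"))
    return ports


def parse_listeners(netstat_text):
    """Return (address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            address, _, port = fields[3].rpartition(":")
            listeners.append((address, int(port)))
    return listeners


def find_conflicts(reserved, listeners):
    """Reserved ports that already have a listener: (port, address, kind, function)."""
    return sorted((port, addr) + reserved[port] for addr, port in listeners if port in reserved)


if __name__ == "__main__":
    for port, addr, kind, function in find_conflicts(reserved_ports(), parse_listeners(SAMPLE_NETSTAT)):
        print(f"port {port} already listening on {addr}: reserved ({kind}) for {function}")
```

On a real host, replace SAMPLE_NETSTAT with the captured listener listing; on the constructed sample the existing MySQL, SMTP and Tomcat HTTP listeners are reported and port 8080 is ignored.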

Factors that affect performance

The performance of Symantec Mail Security for SMTP can be affected by many factors. This section provides guidelines regarding those factors, and suggestions that may improve performance.

Overall performance involves several factors, some depending on the configuration and deployment options you choose, and others depending on external factors, such as the percentage of your organization’s email that is spam.

Hardware components that affect performance

The components that make up the system affect its performance. You can increase performance by upgrading the system's hardware. If you run the Control Center and Scanner on different computers, consider the following recommendations:

■ Processing power – Scanners need less disk storage, but powerful CPUs and memory, especially if virus scanning is enabled.

■ Disk space – The Control Center likely needs much more disk space (depending on the volume of logging, reporting, and quarantined messages retained). It should also have a much higher sustained I/O throughput capacity than what is specified for Scanners.

Consider the following recommendations for computers running Symantec software:

■ Network – Consider using switched 100 Mb/s fast Ethernet or gigabit network connections between the Control Center and each Scanner.

■ CPU (speed and type) – Increase the number and speed of CPUs per server. We recommend dual Intel Xeon processors if your email traffic rate warrants it.

■ RAM (speed and type) – Track memory usage and increase RAM as necessary to minimize or avoid disk swapping. Tomcat can use as much as 600 MB of RAM when completing certain tasks. MySQL can also use a large amount of RAM.

■ Disk Type and I/O speeds – Improve MySQL database performance by using a fast RAID and/or attached disk array. MySQL is used by the Control Center.

Environmental factors that affect performance

Historical usage patterns of your particular deployment will affect system performance. Prior to installation, collect information about your environment to understand typical usage patterns:

■ Outgoing SMTP connections – This can cause additional overhead by swelling disk queues with email destined for remote email servers which may not be immediately accepting new email. Larger queues on disk result in reduced MTA performance. Ideally, inbound and outbound mail streams should be configured to work on separate machines.

■ Microsoft Indexing Service – If you are running Windows, stopping or disabling Microsoft Indexing Service can improve disk I/O time and boost performance. See your Microsoft Windows documentation for more information.

■ External MTA performance – If appropriate, determine the performance of the MTA sending incoming email to your MTA, and the performance of your gateway MTAs and message store.

The characteristics of messages sent and received can impact performance. Key parameters to identify are:

■ Median message size

■ Average number of messages per day

■ Number of messages with attachments

■ Average attachment size

■ Types of attachments

■ Percentage of virus-infected messages in the email traffic

■ Types of end-users (ISP or enterprise)

Settings that affect performance

The choices you make when configuring Symantec Mail Security for SMTP affect its performance.

Filtering performance considerations

Multiple group policies – If a message has more than one recipient, each with different group policies, then the Scanner may need to bifurcate the message (split it into one or more messages) for modification prior to delivery. Bifurcated messages resulting from many group policies may degrade performance. Use group policies as necessary but be aware that using a large number of policies may affect performance.

Unresolved messages – Deleting quarantined messages with unresolved recipients can improve performance significantly.

Note: This feature is only available if you are using LDAP for authentication. For information on configuring LDAP servers and Spam Quarantine, refer to the Symantec Mail Security for SMTP Administration Guide.

Data pruning – Following are recommendations for improving performance by minimizing data overhead. Note that these numbers are suggestions only. If you are legally bound to retain data longer, you should consider archiving it and storing it offline.

■ Set log levels to Warning and specify a 7-day retention limit.

■ Set report retention to 7 days and only store report data that you need.

■ Set Spam Quarantine message retention to 7 days.

Note: For information on these operations, refer to the Symantec Mail Security for SMTP Administration Guide.

Control Center performance considerations

The Control Center is used to start and stop servers; view logs and reports; set configuration options; back up, restore, and reset system software; and consolidate statistics, report data, and logs. Consider the following regarding its configuration:

■ Number of Scanners – The number of Scanners a Control Center collects logging and statistics from can impact the Control Center's performance. As you add Scanners to a Control Center, monitor the Control Center's performance to ensure that it does not degrade to unacceptable levels.

■ Log level – The higher the log levels, the more data the Control Center must consolidate over the network. Consider keeping log levels relatively low unless you are troubleshooting. You can also set logs to be expunged more frequently.

■ Message Tracking – Through message tracking, Symantec Mail Security for SMTP components create audit events based on the incremental steps an email message takes in its passage through the mail flow. By viewing the Message Tracking Log, administrators can determine easily the fate of a given message.


Warning: A typical entry in the Message Tracking Log occupies 800 bytes of storage space. While occasionally useful, message tracking can degrade system performance, especially when audit events must be logged and stored for high volume email traffic. You should use it judiciously.

■ Scheduled reports – Schedule reports for times when utilization is low. Also bear in mind that advanced reporting can impair performance.

■ Role of Control Center host – In cases where the Control Center host is also a busy Scanner host, the Scanner and Control Center must share the resources of a single machine, which may affect performance.

Spam Quarantine and LDAP performance considerations

Consider the following Spam Quarantine and LDAP performance implications.

■ Number of messages expected per day into Spam Quarantine – The more messages placed in the Spam Quarantine, the larger the database, and the more processing required. Reduce the maximum size of the Spam Quarantine database by deleting spam, or by reducing spam retention time.

■ Number of end users logging into the Spam Quarantine interface – More connections to end users result in more overhead for the system. Symantec recommends Spam Quarantine for user populations of 30,000 users or fewer.

■ LDAP server throughput – LDAP lookups for message recipients against a limited capacity LDAP server will severely impair Spam Quarantine and SyncService performance. Ensure that you have adequate capacity on your LDAP server, and/or consider creating an LDAP server replica.

■ Message queues – Because the Spam Quarantine database is stored on the Control Center, Spam Quarantine's SMTP server may slow down, causing the Scanner’s delivery MTA to back up when the destination MTA is accepting messages either slowly or not at all. If this occurs, some legitimate mail messages may be delayed.
