
IronPort C-Series

Channel Partner
Technical Training

V1.1 21-Jul-04

Course Objectives

Critical SE Skills

How do I install, configure and deliver basic support for the IronPort C-Series Messaging Gateway appliance?
What guidelines can I give customers for deploying the appliance in a typical enterprise email environment?
How do I manage and monitor the flow of email through the appliance?
How do I configure access control policies?
How do I create content filters?
How do I configure the appliance to detect and handle unwanted spam and viruses?

Copyright 2004 IronPort Systems, Inc. All rights reserved

Course Agenda

IronPort C-Series Overview
Installation and Setup
Access Control
Policy Enforcement, Anti-Spam, and Anti-Virus
Monitoring, Logging, and Troubleshooting
System Administration

Things You Should Already Know

SMTP
TCP/IP
DNS
MIME
CLI and GUI device interfaces

Preview

A Typical New Customer Installation*

Gather the customer's network information and custom requirements in advance: 30 min
Rack, install, and set up the appliance: 30 min
Make custom configuration changes: 15 min
Test and demo: 30 min
Put the appliance into production: 15 min

* Applicable to 90% of deals
1,000 seats

Let's Go!

IronPort C-Series
Channel Partner
Technical Training

IronPort C-Series Overview
Module 1

IronPort Products and Services

IronPort A-Series: The World's Leading Outbound Email Delivery Platform
Bonded Sender Program: Guaranteed Delivery of Legitimate Email
IronPort C-Series: Next Generation Enterprise Email Security
SenderBase: The World's Leading Email Reputation Service

IronPort C-Series is the Next Generation Email Security Appliance

Revolutionary MTA Platform for High Availability
Threat Prevention with IronPort Reputation Filters
Content Scanning for Policy Enforcement
Spam Detection with Brightmail Anti-Spam
Virus Detection with Sophos Anti-Virus

C-Series = Server Consolidation
[Figure: the mail gateway BEFORE IRONPORT and AFTER IRONPORT]

IronPort C-Series Channel Product Line

IronPort C60
2U, dual processor
4 drives; RAID 1+0
3 Ethernet interfaces
Up to 140 msgs/sec (500,000 msgs/hr)
Protects > 1,500 users

IronPort C30
2U, single processor
2 drives; RAID 1
3 Ethernet interfaces
Up to 40 msgs/sec (144,000 msgs/hr)
Protects 500-1,500 users

IronPort C10
1U, single processor
2 drives; RAID 1
2 Ethernet interfaces
Up to 15 msgs/sec (54,000 msgs/hr)
Protects up to 500 users

C-Series Packaging & Licensing

IronPort AsyncOS (MTA, Reputation Filtering, Content Scanning, etc.)
Evaluation: 30 day*
Purchase: Perpetual

Optional Components
Brightmail Anti-Spam
Evaluation: 30-day
Subscription: 1-3 years
Sophos Anti-Virus
Evaluation: 30-day
Subscription: 1-3 years

* Extensions in 30-day increments are available upon request

Revolutionary MTA Platform

The need for a high performance, highly available MTA has never been greater.

Email is fundamentally different from other enterprise applications:
High level of simultaneous inbound and outbound connections
High rate of connection establishment and teardown; short-lived connections
Massive file system use for small, short-lived files

Email requires a Robust & Purpose-Built Platform

Evolving threats such as MyDoom and Bagle cripple legacy MTAs.

AsyncOS: built for email Availability
Threading model, scheduler, and file system designed for the mail gateway
IronPort C60 is capable of 140 messages per second
10,000 simultaneous connections

Ensured email Deliverability
Slow or unavailable domains don't affect performance; each destination has a distinct queue and retry schedule
Virtual Gateway technology provides multiple IP addresses for email delivery

Place IronPort Wherever it Fits in the Network

[Figure: placement options, each showing IP interfaces (ip1, ip2) bound to physical interfaces (data1, data2)]

Common C60/C30 Configuration

One interface for incoming mail from the Internet (and for sending mail to the Internet).
One interface for delivering mail to your Message Store systems (and for receiving outgoing mail from those systems).
One interface for system management.

[Figure: Outside/DMZ side served by ip1 on data2, Inside side served by ip2 on data1, plus the mgmt interface]

Common C10 Configuration

One physical interface with one IP for both incoming and outgoing mail.

[Figure: Outside/DMZ and Inside both served by ip1 on data1]

You Already Understand Messaging

TCP Connection:
1.2.3.4,12345 (mail1.from.com) -> 4.5.6.7,25 (mx1.to.com)

SMTP Session (the Envelope):
EHLO from.com
MAIL FROM: joe@from.com          (Envelope-From)
RCPT TO: user1@eng.to.com        (Envelope-To)
RCPT TO: user2@to.com            (Envelope-To)

Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello
From: Bob <bob@from.com>          (Header-From: display name, then the mailbox as local-part@domain)
To: User One <user1@eng.to.com>   (Header-To)

Message Body:
Hello,

The body after the first blank line may contain many MIME parts. Second and following parts are often called attachments; the first is often called body or text. They are really all just parts.
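As an added example (not from the original deck): a small Python parser that splits a captured SMTP session into the envelope (MAIL FROM / RCPT TO) and the body headers, and shows why the two must be kept apart. The session transcript, addresses and hosts are constructed for the example.

```python
import email
from email import policy as email_policy
from email.utils import getaddresses, parseaddr

# Constructed sample session modeled on the slide: client lines are prefixed
# "C:", server replies "S:". Hosts and addresses are illustrative only.
SESSION = """\
S: 220 mx1.to.com ESMTP
C: EHLO from.com
S: 250 mx1.to.com
C: MAIL FROM:<joe@from.com>
S: 250 OK
C: RCPT TO:<user1@eng.to.com>
S: 250 OK
C: RCPT TO:<user2@to.com>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Received: from mail1.from.com (1.2.3.4) by mx1.to.com; Mon, 22 Mar 2004 16:19:49 -0800
C: Subject: Hello
C: From: Bob <bob@from.com>
C: To: User One <user1@eng.to.com>
C:
C: Hello,
C: ..leading dot was stuffed by the client
C: .
S: 250 OK queued
"""


def parse_session(transcript):
    """Split a captured session into the SMTP envelope and the message's own headers."""
    envelope_from = None
    envelope_to = []
    data_lines = []
    in_data = False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue  # server replies carry no envelope or header data
        line = raw[3:] if raw.startswith("C: ") else raw[2:]
        if in_data:
            if line == ".":
                in_data = False  # lone dot terminates DATA
            else:
                # Undo SMTP dot-stuffing (RFC 5321 section 4.5.2)
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            envelope_from = parseaddr(line[len("MAIL FROM:"):])[1]
        elif upper.startswith("RCPT TO:"):
            envelope_to.append(parseaddr(line[len("RCPT TO:"):])[1])
        elif upper == "DATA":
            in_data = True

    msg = email.message_from_string("\n".join(data_lines), policy=email_policy.default)
    return {
        "envelope_from": envelope_from,
        "envelope_to": envelope_to,
        "header_from": parseaddr(str(msg.get("From", ""))),  # (display name, mailbox)
        "header_to": getaddresses([str(msg.get("To", ""))]),
        "subject": str(msg.get("Subject", "")),
        "body": msg.get_payload() if not msg.is_multipart() else None,
        # Every leaf of the MIME tree is a part; the first is usually called the body
        "part_count": sum(1 for part in msg.walk() if not part.is_multipart()),
    }


def hidden_recipients(parsed):
    """Envelope recipients absent from the header To: (delivery follows the envelope, not the header)."""
    shown = {addr.lower() for _, addr in parsed["header_to"]}
    return {rcpt for rcpt in parsed["envelope_to"] if rcpt.lower() not in shown}


if __name__ == "__main__":
    result = parse_session(SESSION)
    print("Envelope-From:", result["envelope_from"], " Header-From:", result["header_from"])
    print("Envelope-To:  ", result["envelope_to"], " Header-To:", result["header_to"])
    print("Recipients not visible in headers:", hidden_recipients(result))
```

Note that Envelope-From (joe@from.com) and Header-From (Bob <bob@from.com>) differ, and user2@to.com receives the message although no header mentions it; only the envelope is authoritative for where mail goes.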

IronPort C-Series Overview Key Points

IronPort has the features and capabilities that enterprises need in a messaging gateway appliance:
Revolutionary MTA Platform for High Availability
Threat Prevention with IronPort Reputation Filters
Content Scanning for Policy Enforcement
Spam Detection with Brightmail Anti-Spam
Virus Detection with Sophos Anti-Virus

IronPort can integrate easily with the customer's existing messaging backbone.

References

IronPort AsyncOS 3.8 User Guide, Chapter 1: Introduction
IronPort C-Series Appliance Evaluation Guide: http://support.ironport.com/secure/index.html
Product brochures & data sheets: http://www.ironport.com/products/ironport_c_series.html
White papers (http://www.ironport.com/download/):
IronPort AsyncOS White Paper
Reputation Filters White Paper
SMTPi White Paper

IronPort C-Series
Channel Partner
Technical Training

Installation and Setup
Module 2

A Roadmap to Successful Deployment

1. Set the MX record priority appropriately.
Evaluation: Set the C-Series as the secondary MX, so the legacy MTA can continue to handle production mail while you test the C-Series.
Production: Set the C-Series MX as the primary (flip the switch).

2. Install IronPort on a live mail stream. You can't test the mail flow monitoring features if it's in a test lab.
Let the Internet talk to IronPort. If you don't get spam & viruses, you can't see how it works.
IronPort needs to talk to the Internet for SenderBase, Virus, and Spam updates.

3. Don't let the firewall (or old mail server) proxy. IronPort needs to see the actual sending IP address.

Your configuration determines which features you can fully test

Features: Mail Flow Monitor, Reputation Filtering, Content Scanning, Spam Detection, Virus Protection

Closed Lab Environment: not connected to the Internet; can't receive external email
Quietly Listening on the Internet: no MX record in DNS; unlikely to attract spam or viruses
Sitting Behind Another MTA: primary MTA transfers all email; sender IP addresses will be lost
Acting as the Backup MTA: MX record = low priority; unlikely to attract virus attacks
Acting as the Production MTA: MX record = equal or high priority; C-Series handles all email

Let's Agree on Terms

A listener is an SMTP server awaiting connections from SMTP clients, typically on TCP port 25.
SMTP clients connect to the listener to send mail.
A listener may be called an SMTP daemon.
A listener is also called an injector, because it injects email into the IronPort.

An IP interface is the binding of an IP address to a physical interface.

[Figure: Relationship Between Listeners, IP Interfaces, and Physical Ethernet Interfaces inside the IronPort Messaging Gateway: a Listener (port) sits on an IP Interface (IP address), which sits on a Physical Ethernet Interface]

IronPort can have multiple interfaces and multiple listeners.

Why More Than One Listener?

Security and IP profiles are different:
Incoming mail has many SMTP senders, few receivers.
Outgoing mail has few SMTP senders, many receivers.

IronPort provides control, management, and security points for SMTP.

[Figure: Data2 carrying IP Pub1 and IP Pub2, Data1 carrying IP Private, and the Management interface carrying IP Mgmt, each with its own SSH (22) and SMTP (25) listeners]

Choose Interfaces and Listeners to Match Your Network

Placing two IP interfaces:

                               Same Network   Different Network
Same Physical Interface        Allowed        Allowed
Different Physical Interface   Not Allowed    Allowed

The C10 has 2 interfaces. The C30 has 3 interfaces.

You Select SMTP and Other Services

[Figure: interfaces and listeners. Interfaces: Data2 (Ethernet 00:06:5b:3f:1b:94) carries IP Pub1 5.2.3.11 and IP Pub2 5.2.3.12; Data1 (Ethernet 00:06:5b:3f:1b:95) carries IP Private 10.0.1.22; Management (Ethernet 00:03:47:ad:6b:8a) carries IP Mgmt 192.168.1.123. TCP listeners on those IP interfaces: SSH 22, FTP 21, SMTP 25, HTTP 80, SMTP 8025]

Common Two-Interface Topology

The Outside or Public side:
Listener: InboundMail
IP Interface: PublicNet (e.g. 192.35.195.101)
Ethernet Interface: Data 2

The Inside or Private side:
Listener: OutboundMail
IP Interface: PrivateNet (e.g. 172.20.0.101)
Ethernet Interface: Data 1

Welcome to the Command Line Interface (CLI)

The CLI is hierarchical: a command such as interfaceconfig offers subcommands (NEW, EDIT, DELETE), and each subcommand prompts for its own fields (Name, Address, Interface, etc.).

You must commit for configuration changes to take effect.

smtp.scu.com> alertconfig
Please enter the email address(es) to send alerts.
Separate multiple addresses with commas.
Enter the word "DELETE" to clear the default and disable alerts.
[postmaster@scu.com]> helpdesk@scu.com
Debounce timeout (seconds):
[300]> <cr>
Would you like to enable AutoSupport, which sends system alerts and
weekly status reports to IronPort Customer Care? (Enabling AutoSupport is
recommended.) [N]> <cr>
smtp.scu.com> commit
Please enter some comments describing your changes:
[]> change alert address to helpdesk@scu.com
Changes committed: Mon Mar 22 16:19:49 2004

The CLI Has Line Editing You Need to Learn

Use tab for command or filename completion.
Selection lists are used frequently.
The subcommand prompt is [ ]>; defaults are given inside [ ].
Type ? or help to see commands.
Get command line history with up arrow, down arrow, ^p or ^n.
The hostname (smtp.scu.com) is the first part of the prompt string.
^C gets you out with no changes. Clear always clears all changes.

smtp.scu.com> inter<tab>faceconfig
Currently configured interfaces:
1. Management (192.168.42.42/24: ironport.example.com)
2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
3. PublicNet (192.35.195.42/24: smtp.scu.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit
Enter the number of the interface you wish to edit.
[]> 1
IP interface name (Ex: "InternalNet"):
[Management]> InternalNet
IP Address (Ex: 192.168.1.2):
[192.168.42.42]> <cr>
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[3]> ^C
smtp.scu.com> showchanges
No changes
{}
smtp.scu.com> clear

Getting Going Is Fast And Easy

Option 1: Manual Setup
Set up IP addresses on physical interfaces: interfaceconfig
Get your IP routing right: setgateway, routeconfig
Set up SMTP listeners on the interfaces: listenerconfig
Tidy up SMTP routing (if needed): smtproutes

Option 2: Quick Setup
The systemsetup wizard configures everything needed for a basic configuration.

ironport.example.com> systemsetup
WARNING: The system setup wizard will completely delete any existing
'listeners' and all associated settings including the 'Host Access Table' mail operations may be interrupted.
Are you sure you wish to continue?
[Y]>
Before you begin, please reset the administrator password to a new value.
Old password: ironport
New password: password
Retype new password: password
*****
You will now configure the network settings for the IronPort C60.
Please create a fully qualified hostname for the IronPort C60 appliance
(Ex: "ironport-C60.example.com"):
[]> smtp.scu.com
*****
You will now assign an IP address for the "Management Interface". This is
the default interface you will use for connecting to the system to configure
it.
Enter the IP address to use for the management interface. (Ex:
"192.168.1.1")
[]> 192.168.1.1
What is the netmask for this IP address? (Ex: "255.255.255.0" or
"0xffffff00"):
[255.255.255.0]> <cr>
What is the broadcast address for this IP address?
[192.168.1.255]> <cr>
You have successfully configured the Management interface.
*****
You will now assign an IP address for the "Data 1" interface.
Please create a nickname for the "Data 1" interface (Ex: "PrivateNet"):
[]> PrivateNet
Enter the static IP address to use for "PrivateNet" on the "Data 1"
interface: (Ex: "10.1.1.1"):
[]> 172.20.0.11

interfaceconfig Sets IP Addresses (Manual Setup)

This is an unconfigured box with only the default Management interface. Let's add an interface.

IronPort> interfaceconfig
Currently configured interfaces:
1. Management (192.168.42.42/24: IronPort)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> new
Please enter a name for this IP interface (Ex: "InternalNet"):
[]> PrivateNet
IP Address (Ex: 192.168.1.2):
[]> 172.20.0.42
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[1]> 1
Netmask (Ex: "255.255.255.0" or "0xffffff00"):
[255.255.255.0]> <cr>
Broadcast address:
[192.168.0.255]> <cr>
Hostname:
[]> smtp-priv.scu.com

The hostname on the private side is what will appear on the SMTP banner. Make this unique to help in debugging.

interfaceconfig Controls the Protocols Available

Control FTP, SSH, HTTP, and HTTPS access on this interface.

Do you want to enable FTP on this interface? [N]> y
Which port do you want to use for FTP? [21]> <cr>
Do you want to enable Telnet on this interface? [N]> <cr>
Do you want to enable SSH on this interface? [N]> y
Which port do you want to use for SSH? [22]> <cr>
Do you want to enable HTTP on this interface? [N]> <cr>
Do you want to enable HTTPS on this interface? [N]> y
Which port do you want to use for HTTPS? [443]> <cr>
You have not entered an HTTPS certificate. To assure privacy, run
'certconfig' first. You may use the demo certificate,
but this will not be secure.
Do you really wish to use a demo certificate? [Y]> <cr>
Currently configured interfaces:
1. Management (192.168.42.42/24: ironport.example.com)
2. PrivateNet (172.20.0.11/24: smtp-priv.scu.com)
[]> <cr>
IronPort> commit
Please enter some comments describing your changes:
[]> configure private interface 172.20.0.42
Changes committed: Tue Mar 23 11:28:37 2004

Enter <cr> at the subcommand prompt to go up one level.
Use etherconfig to set FDX/HDX/Auto ethernet properties.
Don't forget to commit changes!
Next: create the PublicNet interface.

Define Default and Static IP Routes (Manual Setup)

IronPort> setgateway
Warning: setting an incorrect default gateway may cause the
current connection to be interrupted when the changes are
committed.
Enter new default gateway:
[]> 192.35.195.1
IronPort> commit

Don't forget to commit changes!

You can add static routes if you need them:

IronPort> routeconfig
Currently configured routes:
1. R&D net Destination: 172.20.2.0/24 Gateway: 172.20.0.254
2. QA net Destination: 172.20.3.0/24 Gateway: 172.20.0.254
Choose the operation you want to perform:
- NEW - Create a new route.
- EDIT - Modify a route.
- DELETE - Remove a route.
- CLEAR - Clear all entries.
[]>

Use listenerconfig to Define a Public Listener (Manual Setup)

The listener type selects defaults appropriate for public or private listeners. Create a public listener on the public interface.

IronPort> listenerconfig
Currently configured listeners:
Choose the operation you want to perform:
- NEW - Create a new listener.
[]> new
Please select the type of listener you want to create.
1. Private
2. Public
3. Blackhole
[2]> 2
Please create a name for this listener (Ex: "InboundMail"):
[]> InboundMail
Please choose an IP interface for this Listener.
1. Management (192.168.42.42/24: IronPort)
2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
3. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 3

listenerconfig Public: Accept and Route Mail

Accept mail only for exchange.scu.com, and route all mail to the Exchange system. Say no to rate limiting; you can always add it later.

Enter the domains or specific addresses you want to accept mail for.
Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
Usernames such as "postmaster@" are allowed.
Full email addresses such as "joe@example.com" or "joe@[1.2.3.4]" are
allowed. Separate multiple addresses with commas.
[]> exchange.scu.com
Would you like to configure SMTP routes for
exchange.scu.com? [Y]> y
Enter the destination mail server where you want mail for
exchange.scu.com to be delivered. Separate multiple entries with
commas.
[]> 172.20.0.30
Do you want to enable rate limiting per host?
[Y]> n
Would you like to change the default host access
policy? [N]> n
Listener InboundMail created.
Defaults have been set for a Public listener.

You Also Set up a Private Listener

Notice the default is not what you want. Read the selection lists carefully! The Private Listener will do either SMTP or QMQP. The standard is SMTP, of course.

Currently configured listeners:
1. InboundMail (on PublicNet, 192.35.195.102) SMTP TCP Port 25 Public
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> new
Please select the type of listener you want to create.
1. Private
2. Public
3. Blackhole
[2]> 1
Please create a name for this listener (Ex: "OutboundMail"):
[]> OutboundMail
Please choose an IP interface for this Listener.
1. Management (192.168.42.42/24: IronPort)
2. PrivateNet (172.20.0.42/24: smtp-priv.scu.com)
3. PublicNet (192.35.195.102/24: smtp.scu.com)
[1]> 2
Choose a protocol.
1. SMTP
2. QMQP
[1]> 1
Please enter the TCP port for this listener.
[25]> <cr>

listenerconfig Private: Select Relays and Policy Defaults

You must specify what hosts in your network will be allowed to send mail out through the IronPort. Otherwise, no mail will be allowed through. The default limits are vast enough!

Please specify the systems allowed to relay email through the IronPort C60.
Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
IP addresses, IP address ranges, and partial IP addresses are allowed.
Separate multiple entries with commas.
[]> 172.20.0.0/24
Do you want to enable rate limiting for this
listener? Rate limiting defines the maximum
number of recipients per hour you are willing
to receive from a remote domain.) [N]> n
Default Policy Parameters
==========================
Maximum Message Size: 100M
Maximum Number Of Connections From A Single IP: 600
Maximum Number Of Messages Per Connection: 10,000
Maximum Number Of Recipients Per Message: 100,000
Maximum Number Of Recipients Per Hour: Disabled
Use SenderBase for Flow Control: No
Virus Detection Enabled: Yes
Allow TLS Connections: No
Would you like to change the default host access policy? [N]> <cr>
Listener OutboundMail created.
Defaults have been set for a Private listener.
Use the listenerconfig->EDIT command to customize the listener.

Use smtproutes to Override DNS

The MX records for scu.com and notes.scu.com both point to smtp.scu.com, so the IronPort receives mail for both domains. The smtproutes table then decides where each domain's mail is delivered next:

Domain          Route
scu.com         172.20.0.30
notes.scu.com   172.20.0.20

So bob@scu.com is delivered to 172.20.0.30 and carol@notes.scu.com to 172.20.0.20.

You could also use DNS names if you want to depend on DNS.

Use systemsetup to Quickly Configure (Quick Setup):

Interfaces
Listeners
HTTP and HTTPS access
Admin password
System alert email destination
Autosupport
Anti-Virus & -Spam
SMTP hostname
Default gateway
Smtproutes
NTP and timezone
DNS

IronPort> systemsetup
Before you begin, please reset your password to a new value.
Old password: ironport
New password: password
Retype new password: password

ironport is the default password of an unconfigured box. Please use password in all lab exercises!

You will now configure the network settings for the IronPort C60.
Please create a fully qualified hostname for the IronPort C60 appliance
(Ex: "ironport-C60.example.com"):
[]> smtp.scu.com

This is the name used in the SMTP banner.

C30 System Setup Worksheet (* indicates required information)

Choose a New Password for the admin account: *
Fully Qualified Hostname of IronPort C-Series appliance: *
Data 1
  Choose an Interface Name (e.g. PrivateNet): *
  IP Address: *
  Netmask: *
  Broadcast Address: *
Data 2
  Choose an Interface Name (e.g. PublicNet):
  IP Address:
  Netmask:
  Broadcast Address:
Default Router (gateway) IP Address: *
Enable web interface? (If yes: HTTP or HTTPS)
DNS
  Primary DNS Server IP Address:
  Secondary DNS Server IP Address:
Public listener
  Choose a Listener Name (e.g. InboundMail):
  IP Interface for this listener (from above):
  Local domains or specific addresses to accept email for: [Initial RAT entry]
  SMTP routes for domains or specific addresses:
  Enable rate limiting?
Private listener
  Choose a Listener Name (e.g. OutboundMail): *
  IP Interface for this listener (from above):
  Systems allowed to relay email through this listener:
  Enable rate limiting?
Alert email address (i.e., where to send email system alerts)
Enable AutoSupport?
System Time
  NTP Server (IP address or hostname):

C10 System Setup Worksheet (* indicates required information)

Choose a New Password for the admin account: *
Fully Qualified Hostname of IronPort C-Series appliance: *
Data 1
  Choose an Interface Name (e.g. MailNet): *
  IP Address: *
  Netmask: *
  Broadcast Address: *
Default Router (gateway) IP Address: *
Enable web interface? (If yes: HTTP or HTTPS)
DNS
  Primary DNS Server IP Address:
  Secondary DNS Server IP Address:
Listener for accepting and relaying email
  Choose a Listener Name (e.g. MailDaemon):
  IP Interface for this listener (from above):
  Local domains or specific addresses to accept email for: [Initial RAT entry]
  SMTP routes for domains or specific addresses:
  Enable rate limiting?
  Systems allowed to relay email through this listener:
Alert email address (i.e., where to send email system alerts)
Enable AutoSupport?
System Time
  NTP Server (IP address or hostname):

You Often Will Add to systemsetup

Use interfaceconfig to enable FTP and SSH access on the private interface. Other things you might want to do or change: dnsconfig, ntpconfig or settime, setgateway, routeconfig. Don't forget to commit changes!

smtp.scu.com> interfaceconfig
Currently configured interfaces:
1. Management (192.168.42.42/24: IronPort)
2. PrivateNet (172.20.0.42/24: smtp.scu.com)
3. PublicNet (192.35.195.42/24: smtp.scu.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit
Enter the number of the interface you wish to edit.
[]> 2
Do you want to enable FTP on this interface? [N]> y
Which port do you want to use for FTP? [21]> <cr>
Do you want to enable Telnet on this interface? [N]> <cr>
Do you want to enable SSH on this interface? [N]> y
Which port do you want to use for SSH? [22]> <cr>

Firewall Port Configuration

Port     | Protocol | In/Out    | Description
20/21    | TCP      | In or Out | FTP for aggregation of log files.
22       | TCP      | In        | SSH access to the CLI, aggregation of log files.
22       | TCP      | Out       | SSH upgrades, aggregation of log files.
23       | Telnet   | In        | Telnet access to the CLI, aggregation of log files.
23       | Telnet   | Out       | Telnet upgrades, aggregation of log files.
25       | TCP      | Out       | SMTP to send email.
25       | TCP      | In        | SMTP to receive bounced email or if injecting email from outside firewall.
80       | TCP      | In        | HTTP access to the GUI for system monitoring. Sophos virus scanning engine updates are retrieved via HTTP from port 80.
53       | UDP      | In & Out  | DNS if configured to use Internet root servers or other DNS servers outside the firewall.
123      | UDP      | In & Out  | NTP if time servers are outside firewall.
389/3268 | LDAP     | In & Out  | LDAP if LDAP directory servers are outside firewall.
443      | TCP      | In        | Secure HTTP (https) access to the GUI for system monitoring. Brightmail Rules are downloaded directly over HTTPS, by default, unless a proxy server is configured.
628      | TCP      | In        | QMQP if injecting email from outside firewall.

Verify Your Installation With Troubleshooting Tools

DNS layer: nslookup
Use for A and MX record lookup for any names anywhere in your configuration.

IP layer: ping, traceroute
Use from outside to verify you can ping your IronPort.
Use from the IronPort to verify that you go the right direction for any packets.

Mail layer: telnet to port 25
Use to verify that the listeners are responding everywhere you think they should be and are coming up with a reasonable banner.

[Figure: DNS, plus IP Public on Data2 and IP Private on Data1, each with SMTP (25) and SSH (22) listeners]

Installation & Setup Key Points

Interfaces, IP addresses, and services (such as SMTP) are all distinct and controllable entities. You have the flexibility to do whatever you want.
You're going to use the CLI whether you like it or not, but you get a lot of help along the way.
You can quickly set up the system using systemsetup, or you can do it manually with interfaceconfig, setgateway, routeconfig, listenerconfig, and smtproutes.
The CLI offers traditional IP debugging tools such as ping, traceroute, and nslookup. Use them.
Make sure you open all of the firewall ports for the services you configure.

References
IronPort AsyncOS 3.8 User Guide
Chapter 2: CLI Overview
Chapter 3: Setup and Installation

IronPort C-Series
Channel Partner
Technical Training

Access Control
Module 3

HATs and RATs Give Control When the Message is Being Received

InboundMail listener (TCP Connection -> SMTP Session -> Body Headers -> Message Body):
Host Access Table: controls access to the TCP port based on the sender's IP identity.
Recipient Access Table: controls which mail is accepted based on the envelope recipient.

OutboundMail listener (TCP Connection -> SMTP Session -> Body Headers -> Message Body):
Host Access Table: controls access to the TCP port based on the sender's IP identity.
Recipient Access Table: no RAT for outbound mail - who needs one?

The Host Access Table Gives You Control Based on IP Addresses

Identify senders (Who?) by their IP addresses:
Complete address
Partial address
CIDR block
Range of addresses
SenderBase score for an address
Domain name (DNS PTR record)
Partial domain name (DNS PTR record)
DNS List lookup

Who?                What?
192.35.195.42       ACCEPT
216.255.128.0/19    REJECT
.aol.com            THROTTLE

[Figure: the HAT acts on the TCP connection (1.2.3.4,12345 mail1.from.com -> 4.5.6.7,25 mx1.to.com); the SMTP session (EHLO, MAIL FROM, RCPT TO), body headers (Received, Subject, From, To) and message body follow]

The Left Hand Side of a HAT is a List of Sender Groups (WHO?)

A Sender Group is a collection of senders (the Who?).
HATs use Sender Groups to apply a Policy (Right Hand Side, the What?) to the whole group at once.
Built-in Sender Groups include WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST, and RELAYLIST.
Example: SUSPECTLIST is a built-in Sender Group whose connections will be throttled if they send too much mail. It might contain entries such as these.

Sender            | Comment
209.237.250.106   | They sent us spam once
216.255.128.0/19  | DIGEX is frequently a source of spam
.mx.AOL.COM       | AOL is just too big to not throttle
209.237.224-255.  | Someone on United Layer was bugging us

Sender Groups Can Have Many Different Types of Members

Sender Group Syntax (WHO?)  | Meaning
192.35.195.42               | Full IP address
216.255.128.                | Partial IP address - matches any IP address beginning with this string
216.255.128-159.            | Range of IP addresses
216.255.128.0/19            | CIDR address block
mailin-01.mx.AOL.COM        | A fully-qualified domain name
.mx.AOL.COM                 | Everything within the partial host domain
SBRS[-10.0:-7.0]            | SenderBase Reputation Score range*
SBO:177                     | SenderBase Network Owner ID number
dnslist[domain]             | DNS List query against domain DNS server*
ALL                         | Special keyword that matches ALL addresses

* Square brackets not needed in GUI

The Right Hand Side of the HAT is the Mail Flow Policy (WHAT?)

HAT for a Public Listener (C30)
This Sender Group:   Uses this Mail Flow Policy:
WHITELIST            $TRUSTED
BLACKLIST            $BLOCKED
SUSPECTLIST          $THROTTLED
UNKNOWNLIST          $ACCEPTED
ALL                  $ACCEPTED    (default entry which cannot be removed)

HAT for a Private Listener (C30)
This Sender Group:   Uses this Mail Flow Policy:
RELAYLIST            $RELAYED
ALL                  $BLOCKED     (default entry which cannot be removed)

The Right Hand Side of the HAT is the Mail Flow Policy (WHAT?)

HAT for an Inbound / Outbound Listener (C10)
This Sender Group:   Uses this Mail Flow Policy:
RELAYLIST            $RELAYED
WHITELIST            $TRUSTED
BLACKLIST            $BLOCKED
SUSPECTLIST          $THROTTLED
UNKNOWNLIST          $ACCEPTED
ALL                  $ACCEPTED    (default entry which cannot be removed)

Mail Flow Policies Define a Set of Actions and Limitations

Default Mail Flow Policies
Policy Name | Action | Throttling | Anti-spam | Anti-virus
$RELAYED    | RELAY  | NO         | NO        | YES
$TRUSTED    | ACCEPT | NO         | NO        | YES
$BLOCKED    | REJECT | N/A        | N/A       | N/A
$THROTTLED  | ACCEPT | YES        | YES       | YES
$ACCEPTED   | ACCEPT | NO         | YES       | YES

Mail Flow Policies Control and Throttle Mail (WHAT?)

Access Control:
Accept connection
Reject SMTP connection
Refuse TCP connection
Relay mail

Processing Control:
Require or bypass Anti-Spam
Require or bypass Anti-Virus

Throttle across TCP connections:
Max recipients per hour
Max recipients per hour error code
Max recipients per hour text

Throttle within a TCP connection:
Max messages per connection
Max recipients per message
Max message size
Max concurrent connections

Example SMTP session (1.2.3.4,12345 mail1.from.com -> 4.5.6.7,25 mx1.to.com) hitting the recipient limits:
RCPT TO: user1@eng.to.com
250 OK
RCPT TO: user2@to.com
452 Too many recipients
RCPT TO: user3@to.com
452 Too many recipients this hour

IronPort Provides Default Entries for all HATs

This Sender Group:   Uses this Mail Flow Policy:
WHITELIST            $TRUSTED
BLACKLIST            $BLOCKED
SUSPECTLIST          $THROTTLED
UNKNOWNLIST          $ACCEPTED
ALL                  $ACCEPTED

These groups start out empty; you add to them as you develop your policy.

Order matters: HAT entries are consulted in order, and the first match wins.

The initial policy is that all hosts are accepted.

56


Private Listener HATs Allow Inside to Send Out (Relay!)

This Sender Group:   Uses this Mail Flow Policy:
RELAYLIST            $RELAYED
ALL                  $BLOCKED

The RELAYLIST Sender Group is initially empty, and no mail will pass through this listener.

The default HAT entry ALL - $BLOCKED prevents an open relay.

systemsetup or listenerconfig for a private (or C10) listener asks:
Please specify the systems allowed to relay email through the IronPort C60

It adds these hosts to the RELAYLIST Sender Group.
57

Default HATs Satisfy Most Customers' Needs

Public Listener (C30)

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
WHITELIST      $TRUSTED      ACCEPT   NO                   NO          YES
BLACKLIST      $BLOCKED      REJECT   N/A                  N/A         N/A
SUSPECTLIST    $THROTTLED    ACCEPT   YES                  YES         YES
UNKNOWNLIST    $ACCEPTED     ACCEPT   Moderate             YES         YES
ALL            $ACCEPTED     ACCEPT   Moderate             YES         YES

Private Listener (C30)

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
RELAYLIST      $RELAYED      RELAY    NO                   NO          YES
ALL            $BLOCKED      REJECT   N/A                  N/A         N/A
58


Default HATs Satisfy Most Customers' Needs

Inbound / Outbound Listener (C10)

Sender Group   Policy Name   Action   Inbound Throttling   Anti-spam   Anti-virus
WHITELIST      $TRUSTED      ACCEPT   NO                   NO          YES
BLACKLIST      $BLOCKED      REJECT   N/A                  N/A         N/A
SUSPECTLIST    $THROTTLED    ACCEPT   YES                  YES         YES
UNKNOWNLIST    $ACCEPTED     ACCEPT   Moderate             YES         YES
RELAYLIST      $RELAYED      RELAY    NO                   NO          YES
ALL            $ACCEPTED     ACCEPT   Moderate             YES         YES

59

Use the GUI to Modify Your Configuration

The GUI is organized with these five tabs (each tab has subtabs):
Incoming Mail
Scanning
Outgoing Mail
Reporting
System

60


Use the Incoming Mail Configuration Tab to Edit Your HAT

Choose the listener.

CLI: listenerconfig - edit - hostaccess

Example: Add a trusted sender to the WHITELIST Sender Group of the InboundMail listener
61

Use the GUI to Add a Trusted Sender to the Whitelist

Identify the sender by IP or domain name (IP, IP Range, Domain Name), or by using a SenderBase Reputation Score (SBRS), or with a DNS List lookup.

Be careful to include .mypartner.com, which will match any subdomains they use.

Changes in the GUI are automatically committed when you save.
62


Mail Flow Monitor Makes Controlling Problem Domains Easy

Click on any problem domain and add it to one of the Sender Groups.

63

Add the Selected Domain to a Sender Group to Apply Associated Policy

Q: What policy is associated with this Sender Group?

A: See next slide


64


View Entries in Your Sender Groups With the GUI

65

How To Use Sender Groups and Mail Flow Policies in Your HAT

Most common things you want to do in the HAT:
Add senders to WHITELIST, BLACKLIST or SUSPECTLIST

Less common things you might want to do in the HAT:
Make new Sender Groups to distinguish classes of senders beyond WHITE/BLACK/SUSPECT
Add SenderBase score ranges to Sender Groups

Very uncommon:
Perform a DNS List lookup during SMTP connection for either whitelist or blacklist purposes

66


Say Who You Accept Mail For In The RAT

Recipient Syntax       Meaning
Division.example.com   Fully-qualified domain name
.example.com           Everything within the .example.com domain

Less common usages:
User@domain            Complete email address
User@                  Anything with the given username
User@[1.2.3.4]         Username at a domain literal address (square brackets required)

Q: When do you add to the RAT?

A: When you acquire a new domain.

67

The Recipient Access Table Is Checked For Each SMTP Recipient

Identify recipients by domain or local-part:
Complete domain
Partial domain
Local-part (username)
Local-part@domain

RAT Table
to.com        ACCEPT
eng.to.com    ACCEPT
oldname.com   REJECT (with custom SMTP message)

(Diagram: TCP Connection: 1.2.3.4,12345 (mail1.from.com) -> 4.5.6.7,25 (mx1.to.com))
SMTP Session:
EHLO from.com
MAIL FROM: joe@from.com
RCPT TO: user1@eng.to.com
RCPT TO: user2@to.com
Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello
From: Joe joe@from.com
To: User One user1@eng.to.com
Message Body:
Hello,

MAIL FROM: is not checked in the RAT; only recipients are.
68


The RAT Lets You Accept or Reject Each Recipient

RAT Control Mechanisms:
Accept recipient
Reject recipient
Accept recipient and bypass throttling

(Diagram: TCP Connection: 1.2.3.4,12345 (mail1.from.com) -> 4.5.6.7,25 (mx1.to.com))
SMTP Session:
RCPT TO: user1@eng.to.com
250 OK
RCPT TO: user2@to.com
550 No such user
Body Headers:
Received: from mail1.from.com (1.2...
Subject: Hello
From: Joe joe@from.com
To: User One user1@eng.to.com
Message Body:
Hello,

69

Use listenerconfig to View and Edit RAT Settings

(SERVICE) smtp.scu.com> listenerconfig

Currently configured listeners:
1. InboundMail (on PublicNet, 192.35.195.42) SMTP TCP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.0.42) SMTP TCP Port 25 Private
Enter "NEW" to create a new listener, "EDIT" to modify, "DELETE" to remove, or
"SETUP" to change global settings.
[]> edit

Enter the name or number of the listener you wish to edit.
[]> 1
Name: InboundMail
Type: Public
Interface: PublicNet (192.35.195.42/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: No
Antispam: Deliver, Prepend "[SPAM] " to Subject
Suspectedspam: inactive
Bounce Profile: Default
Use SenderBase For IP Profiling: Yes
LDAP: off
AntiVirus: Scan and Clean

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]> rcptaccess

Recipient Access Table

There are currently 2 recipients.

Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]> print

scu.com ACCEPT
ALL REJECT

Recipient Access Table

There are currently 2 recipients.

Default Access: REJECT

Command path: listenerconfig > edit > 1 (InboundMail) > rcptaccess.
You must edit the RAT to see what's in it; type print to see the whole RAT.
70


You Must Use the CLI to Edit the RAT

smtp.scu.com> listenerconfig
[]> edit
[]> 1
Name: InboundMail
Type: Public
Interface: PublicNet (192.35.195.42/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: No
Antispam: Deliver, Prepend "[SPAM] " to Subject
Suspectedspam: inactive
Bounce Profile: Default
Use SenderBase For IP Profiling: Yes
LDAP: off
AntiVirus: Scan and Clean

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]> rcptaccess

Recipient Access Table

There are currently 2 recipients.

Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]> new

Enter the recipient address for this entry.
Hostnames such as "example.com" and "[1.2.3.4]" are allowed.
Partial hostnames such as ".example.com" are allowed.
Usernames such as "postmaster@" are allowed.
Full email addresses such as "joe@example.com" or "joe@[1.2.3.4]" are allowed.
Separate multiple addresses with commas.
[]> scu.net

Select the action to apply to this address:
1. Accept
2. Reject
[1]> 1

Would you like to specify a custom SMTP response?
[N]>

Would you like to bypass receiving control for this entry?
[N]>

Recipient Access Table

There are currently 3 recipients.

Default Access: REJECT

Enter "NEW" to create a new entry, "EDIT" to modify, "DELETE" to remove,
"PRINT" to display the list, "IMPORT" to import a list,
"EXPORT" to save the list, or "CLEAR" to clear the list.
[]>

Enter one of the following commands to change this listener's settings:
NAME, INTERFACE, LIMITS, HOSTACCESS, SETUP, RCPTACCESS, BOUNCECONFIG,
DOMAINMAP, ANTISPAM, ANTIVIRUS
[]>

Add an entry in the RAT to accept mail for another domain name. You can see the entry count go up.

Don't forget to commit!
71

How to Avoid an Open Relay With the RAT

RAT for a Public Listener

This Recipient:   Has This Action Applied:
mycompany.com     ACCEPT
ALL               REJECT

Order does NOT matter in the RAT - the most specific entry matches.

systemsetup or listenerconfig for a public listener asks:
Enter the domains or specific addresses you want to accept mail for.
It adds these hosts as ACCEPT entries in the RAT.

The default RAT entry ALL - REJECT prevents an open relay.

Note that an overly broad recipient rule like user@ could be exploited by spammers.
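The most-specific-match rule of the RAT, applied to the recipient syntaxes of slide 67 and to the open-relay check above, as an added Python model; this is not IronPort code, and the specificity ranking, the sample table, the constructed custom reject text and the "550 No such user" default (taken from slide 69) are assumptions.

```python
import re
from typing import List, Optional, Tuple

# One RAT entry: recipient pattern, ACCEPT or REJECT, optional custom SMTP response.
RatEntry = Tuple[str, str, Optional[str]]

_ADDR = re.compile(r"^([^@]*)@(.*)$")


def _specificity(pattern: str, local: str, domain: str) -> int:
    """Rank how specifically a RAT pattern matches a recipient (higher wins),
    or -1 if it does not match.  Assumed ranking, modelled on the slides:
    user@domain > user@ > exact domain or [literal] > .partial domain > ALL."""
    if pattern == "ALL":
        return 0
    m = _ADDR.match(pattern)
    if m:                                         # user@domain, user@[1.2.3.4], user@
        p_local, p_domain = m.group(1).lower(), m.group(2).lower()
        if p_local != local:
            return -1
        if p_domain == "":                        # bare user@: any domain at all
            return 3
        return 4 if p_domain == domain else -1
    pattern = pattern.lower()
    if pattern.startswith("."):                   # .example.com: everything within it
        return 1 if domain.endswith(pattern) else -1
    return 2 if pattern == domain else -1         # example.com or [1.2.3.4]


def rat_lookup(rat: List[RatEntry], recipient: str) -> Tuple[str, str, str]:
    """Return (matched pattern, action, SMTP reply) for one RCPT TO address.
    Order of the table is irrelevant: the most specific matching entry wins."""
    local, domain = recipient.lower().split("@", 1)
    best = None
    for pattern, action, custom in rat:
        rank = _specificity(pattern, local, domain)
        if rank >= 0 and (best is None or rank > best[0]):
            best = (rank, pattern, action, custom)
    if best is None:
        raise ValueError("RAT is missing the default ALL entry")
    _, pattern, action, custom = best
    if action == "ACCEPT":
        return pattern, action, "250 OK"
    return pattern, action, custom or "550 No such user"


def overly_broad_entries(rat: List[RatEntry]) -> List[str]:
    """ACCEPT entries that take mail for domains you do not own: ALL - ACCEPT is
    an open relay, and a bare user@ accepts that local-part at every domain."""
    return [p for p, action, _ in rat
            if action == "ACCEPT" and (p == "ALL" or p.endswith("@"))]


# Constructed sample RAT in the style of slides 68 and 72 (not a real configuration).
SAMPLE_RAT: List[RatEntry] = [
    ("mycompany.com", "ACCEPT", None),
    (".mycompany.com", "ACCEPT", None),
    ("oldname.com", "REJECT", "550 Domain no longer accepts mail"),   # constructed text
    ("postmaster@", "ACCEPT", None),
    ("ALL", "REJECT", None),                      # default entry: prevents an open relay
]

if __name__ == "__main__":
    for rcpt in ("jane@mycompany.com", "jane@eng.mycompany.com",
                 "jane@oldname.com", "postmaster@oldname.com", "bob@example.net"):
        print(rcpt, "->", rat_lookup(SAMPLE_RAT, rcpt))
    print("overly broad:", overly_broad_entries(SAMPLE_RAT))
```

The postmaster@ case shows the caveat from this slide: the bare username entry outranks the oldname.com reject, so mail to postmaster at any domain is accepted.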
72


Best Practice for Validating Inbound Recipients

1. Use the RAT to validate the domain
2. Use a centralized LDAP server or groupware server (e.g. Exchange, Notes) to validate the local-part (username)

Prevent directory harvest attacks!
Use the ldapconfig command

(Diagram: local-part@domain.com - the local-part is validated by LDAP, the domain by the RAT)
73

There are several ways to re-write envelope addresses

Inbound: Envelope-to
Alias table   (aliasconfig)
Domain map    (domainmap)
LDAP          (ldapconfig)
Example: Jane_Doe@mycompany.com -> jdoe@exchange.mycompany.com

Outbound: Envelope-from
Masquerading  (listenerconfig - OutBoundMail - EDIT - MASQUERADE)
Example: jdoe@exchange.mycompany.com -> Jane_Doe@mycompany.com

74


Access Control Key Points

The HAT is consulted at TCP connect time; the RAT at SMTP dialog time for each recipient.

Sender Groups are the Left Hand Side of the HAT; Mail Flow Policies are the Right Hand Side of the HAT.

Incoming (public listener) HATs are different from Outgoing (private listener) HATs.

There are many parameters that give you fine-grained control over the behavior of the Mail Flow Policies, although the defaults may be fine (depending on your customer).

The RAT defines who (as in which domain names) you are willing to receive mail for.

Various mechanisms are available (e.g. LDAP) to validate and re-write recipient addresses.

75

References
IronPort AsyncOS 3.8 User Guide
Chapter 4: Configuring the Gateway to Receive Email
Chapter 5: Configuring Email Routing and Delivery

76


IronPort C-Series
Channel Partner
Technical Training

Policy Enforcement,
Anti-Spam, and Anti-Virus
Module 4

Content Scanning Overview

Content Scanning with Message Filters

Ensure intellectual property does not leave the network
Scan for company confidential or words specific to your business
Protect intellectual property and track offenders

Eliminate illicit content at the gateway
Prevent inappropriate files, movies, etc. from entering your network

Minimize legal liability
Ensure compliance with industry laws and standards

Swiss Army Knife
Unlimited ways to filter and act upon specific types of mail
78


(Diagram: the parts of a message that filters can examine - TCP Connection: 1.2.3.4,12345 (mail1.from.com) -> 4.5.6.7,25 (mx1.to.com); SMTP Session: EHLO from.com, MAIL FROM: joe@from.com, RCPT TO: user1@to.com; Body Headers: Received: from mail1.from.com, From:, To: user1@to.com; Message Body: Hello,)

Message Filters Redirect and Modify Messages As You Require

Message filters are a flexible way to customize the behavior of the system.

Message filters are a script-like logical syntax that is applied to every message passed through the system.

79

Filters Can Look For Things and Take Actions

Things You Can Look for:
Destination host
Encryption
Sender
Recipient
Subject
Text in the message or attachment
Attachment type
SBRS score
Message size

Actions You Can Take:
Drop messages
Bounce messages
Insert/Delete headers
Drop attachments
Redirect message
Route to mail host
BCC, copy or archive
Notify someone
Skip spamcheck
Skip viruscheck
Change bounce profile
Stamp footer

80


Anatomy of a Filter

drop_all:
if (true) {
insert-header('X-SBRS', '$Reputation');
}

Label (drop_all:)
Labels must be unique among all filters on the system.
Labels are case sensitive.
Labels must start with an underscore (_) or a letter (A-z). After the first character, labels may also include hyphens (-) or numbers (0-9).

Rule (true)
A filter's rules appear after the if and before the opening curly brace {.
Expressions are of the form <rule> <operator> <value>, where <value> may be a regular expression.
A filter may have any number of expressions, associated by the Boolean operators AND, OR, and NOT.

Action (insert-header(...))
Final Actions: Drop, Bounce, and Deliver
drop()
Aborts the incoming message. The message will not be delivered.

Action Variable ($Reputation)
Action variables contain information the system knows about this message that can be used in rules or actions.
81

After a final action, filter processing stops immediately. The rest of the filter is not checked, and no other filters are checked.

bounce()
Bounces the incoming message. The original message will not be delivered to anyone.

deliver()
Short-circuits the filtering system. The message will go on to Anti-Spam/Anti-Virus processing, if configured; otherwise it will be enqueued for delivery immediately.

82


Examples

Bounce Messages > 6 MB

BounceOver6MB:
if (body-size > 6M) {
bounce();
}

NotifyAndDropOver6MB:
if (body-size > 6M) {
notify('$EnvelopeFrom');
drop();
}
It would be smarter to not send the entire huge message back.

Looking for text in the body of a message

ConfidentialFilter:
if (body-contains('(?i)Company Confidential')) {
notify ('postmaster@scu.com');
}
You can also check against a content dictionary instead of a static string.
83

More Examples

Drop attachments

drop_all_dangerous:
if (true) {
drop-attachments-by-filename('(?i)\\.pif$');
drop-attachments-by-filename('(?i)\\.bat$');
drop-attachments-by-filename('(?i)\\.scr$');
drop-attachments-by-filename('(?i)\\.com$');
drop-attachments-by-filetype('Executable');
}

Stamp message footer

stamp_forward_looking:
if (recv-listener == 'Outbound') {
add-footer ('Forward_Looking_Disclaimer');
}
This is a text object you define with textconfig.
84


Create Filters with the CLI or Using Import / Export

smtp.scu.com> filters
Available filter commands: NEW, DELETE, IMPORT, EXPORT, MOVE, SET, LIST,
DETAIL, LOGCONFIG, ROLLOVERNOW.
[]> list
Num Active Valid Name
1   Y      Y     flowdet-skip-spamcheck
2   Y      Y     dropbadmail
3   Y      Y     BounceOver6MB
Available filter commands: NEW, DELETE, IMPORT, EXPORT, MOVE, SET, LIST,
DETAIL, LOGCONFIG, ROLLOVERNOW.
[]> delete 3
1 filters deleted.
[]> new

Enter filter script. Enter '.' on its own line to end.

NotifyAndDropOver6MB:
if (body-size > 6M) {
notify('$EnvelopeFrom');
drop();
}
.
1 filters added.

You can also import / export your entire list of filters.

Q: What happens when you re-import a filter of the same name?
A: It will replace an existing filter with the same case-sensitive name.
85

Anti-Spam Overview

Reputation Filters block spam before messages are even accepted:
Uses SenderBase scoring, similar to a credit rating service for sender IP addresses
Typically blocks up to 50% of all spam
Yields higher performance since blocked messages don't have to be queued and processed

Spam Detection scans messages for spam:
Scans for known spammers and spammy message content
Configurable system-wide spam thresholds
Decide whether to drop, forward, tag, archive or quarantine
Handle spam and suspected spam differently

86


IronPort SenderBase Reputation Service

Rolls data up into a reputation score between -10 and +10:
-10 is very bad
0 is not enough traffic to be positive and no bad reports
+10 is very good

Tracks objective network data about senders:
Global volume
Complaints
Blacklists and whitelists
Geographic information
Security threats

www.senderbase.org
87

Drill Down on a Sender's IP or Domain

GUI: Incoming - IP address search

88


What do those SBRS numbers mean, anyway?

(The scale runs from -10 to +10; the descriptions below are ordered from worst to best.)

-10: An IP address controlled by a spam house or a known open proxy generating massive volume of complaints and hitting many spamtraps. Almost guaranteed to be spam.

Spam houses generating complaints and hitting spam traps. IP listed on one or more open proxy lists. Almost always spam.

-5: An IP on one or more reliable blacklists or belonging to a suspicious new sender with some complaints and spamtrap hits.

May be a dynamic IP (e.g., dialup) sending direct to Internet or an email marketer with poor practices, or a legitimate enterprise with an open server.

Some sending history, low or moderate complaints.

+5: Long sending history, few complaints.

+10: A known enterprise, or sender who has undergone third-party certification, with no complaints and a long sending history.
89

Configure Reputation Filters in the HAT

(Diagram: a sending host 64.12.2.8 opens a TCP/IP Connect to the appliance)
3. The appliance queries the SenderBase Affiliate Network for 64.12.2.8
4. SBRS = x.x is returned
5. Apply the appropriate Mail Flow Policy: 250 - Recipient Accepted, or 452 - Too many recipients this hour, or 554 - Access Denied

SBRS Scoring Engine: rule hits for 64.12.2.8 are computed from the SBRS Database - global complaint data, global volume data, blacklists, open proxy lists, and additional SenderBase Data Services.
90


How to Create a Reputation Filter

1. Define an SBRS range in a sender group
2. Bind an appropriate mail flow policy (for example, $THROTTLED) to the sender group

91

IronPort Suggests A Two-Phased Approach to Reputation Filters

SenderBase Reputation Score (SBRS)   Phase 1                       Phase 2
-10, -9, -8, -7                      $THROTTLED [ -10.0 : -7.0 ]   $BLOCKED [ -10.0 : -7.0 ]
-6, -5, -4, -3, -2                   $ACCEPTED* [ -7.0 : -2.0 ]    $THROTTLED [ -7.0 : -2.0 ]
-1, 0, 1, 2, 3, 4, 5                 $ACCEPTED* [ -2.0 : 6.0 ]
6, 7, 8, 9, 10                       $TRUSTED [ 6.0 : 10.0 ]

* This is the default mail flow policy


92


Use Brightmail for Content-based Spam Detection

(Diagram: the Brightmail Logistics and Operations Center feeds a Probe Network across the Internet; the appliance fetches Brightmail Rules over HTTPS; mail flows over SMTP from the Internet through the appliance to the Mailbox server; quarantined messages go to the optional Brightmail Quarantine on port 41025)

Users can also send suspected messages from their message store to the Brightmail Quarantine.

End users and administrators view the quarantine via HTTP.
93

Brightmail Configuration Means Making Many Decisions

(Flowchart: TCP Conn -> SMTP -> Body Hdrs -> Body -> Brightmail verdict)

Spam - Pick One:
Stop / Drop
Deliver (Redirect? Modify Subject? Add header? Archive?)
Bounce -> Bounce Processing
Quarantine -> To Quarantine Host

Suspected Spam - Pick One:
Stop / Drop
Deliver (Redirect? Modify Subject? Add header? Archive?)
Bounce -> Bounce Processing
Quarantine -> To Quarantine Host

Not Spam or Reinserted from Quarantine: Deliver
94


Configure Brightmail Through the GUI

Enable Brightmail.

Set the Brightmail score which will be considered suspected spam.

95

Accept the Brightmail License Agreement to get to The Question

Accept the Brightmail License Agreement and answer The Question.

Hint: Choose Yes, because you can't change your mind.

96


Choose How to Deal With Spam

Deliver / Bounce / Drop / Quarantine (Enabled)

You have the same choices for Spam and Suspected Spam.

Modify the message if you want to deliver suspected spam and mark it somehow.

Redirect, quarantine, or archive the message if you want to avoid normal delivery.

97

Anti-Virus Overview

Content Scanning can identify virus or worm-generated email:
Match messages with your own criteria
Decide whether to drop, forward, tag, archive or deliver identified messages
Handle encrypted messages differently

Virus Protection under your control:
Decide whether to drop, forward, tag, archive or deliver attachments containing viruses
Handle cleanable and uncleanable messages differently

Up to 55 msgs/second at this point in the funnel

98


IronPort uses Sophos for Anti-Virus Protection

(Diagram: Sophos Updates reach the IronPort Support Center over HTTP; Anti-Virus Updates then flow over HTTP from the IronPort Support Center, across the Internet, into the appliance's Anti-Virus Definitions; mail flows over SMTP from the Internet through the appliance to the Mailbox Server)
99

Sophos Configuration Means Making Many Decisions

(Flowchart: the Message - TCP Conn, SMTP, Body Hdrs, Body - passes through the scanner)

No Virus Found -> Deliver

Virus Found -> Is Repair enabled?
Yes -> Attempt to Clean -> Success: Deliver; Failure: Pick One (below)
No -> Is Drop infected attachments enabled? Yes: Drop Attachment; No: Pick One (below)

Unscannable (possible virus), or Encryption detected (unscannable portions) -> Pick One (below)

Pick One:
Drop (Archive original? Notify anyone?)
Deliver (Modify Subject? Add header? Archive original? Notify anyone?)
Deliver as Attachment (Modify Subject? Add header? Redirect? Route to alternate host? Archive original? Notify anyone?)
100


Configure Sophos with the GUI

Enable Sophos and set the update interval.
Note that all updates come from IronPort.

Edit settings on a listener.

101

Choose Your Actions When a Virus Is Found

GUI: Scanning - Sophos - edit InboundMail

Enable on this listener.

Choose scan behavior when a virus is found:
Scan and Repair viruses
Scan for Viruses only

102


Choose Your Actions When a Virus Is Successfully Repaired

GUI: Scanning - Sophos - edit InboundMail

Alert the recipient.

You can provide custom headers for mail agents to sort on.

103

Choose Your Actions When a Virus Cannot be Repaired

Drop
Deliver as Attachment to New Message
Deliver As Is

You get separate configurations for each case:
Encrypted message
Message unscannable
Virus-infected message

104


Policy Enforcement Key Points

Filters can be used to look within a message, including the message body, attachments, and headers
Filters allow you to drop, bounce, deliver, redirect and modify messages
Filters should be used with care but can be a powerful tool
Reputation filters can be used to drop, throttle, or tag mail based on the SenderBase Reputation Score (SBRS)
Brightmail Anti-spam allows you to control what happens to spam and suspected spam
Sophos Anti-virus allows you to control what happens to viruses

105

References
IronPort AsyncOS 3.8 User Guide
Chapter 6: Anti-Spam
Chapter 7: Anti-Virus
Chapter 8: Policy Enforcement

IronPort Reputation Filters White Paper
http://www.ironport.com/download/

106


IronPort C-Series
Channel Partner
Technical Training

Monitoring,
Logging, and Troubleshooting
Module 5

Regular Monitoring Makes for Happy Mail Systems

Periodic:
Daily checks - Report status - Is my system healthy?
Monthly checks - Report details - What happened last month?

Reactive:
Troubleshooting - Configuration changes - I need to make this change: Will it work? Does it do what I expect?
Troubleshooting - Problem / query - What happened to a particular message? Is this change I am making correct?
108


The IronPort GUI Gives You Five Views Into Your System

109

Incoming Mail Overview Shows How Effective Your Policy Is

Your time range setting is saved in a browser cookie.

Get an instant view of your recipient load and which Mail Flow Policies are being exercised.
110


Incoming Reports Show How Your Policies Perform - Use Standard Reports

Top IPs by recipients blocked (past day)
Top domains by recipients blocked (past day)
Top domains by unclassified recipients (past day)
Top network owners by unclassified recipients (past day)

111

Incoming Reports Show How Your Policies Perform - Create Custom Reports

Report by: IP, Domains, Network Owner
Metrics: Recipients Received, % Change Recipients, Rcpts. Blocked by Rate Limit, % Brightmail Positive, % Brightmail Suspect, Virus Positive, Connections Rejected, SBRS
Time range: Past Hour, Past Day, Past Week, Past Month
Number of rows: 20, 50, 100

112


Verify You Got Your Anti-Virus and Anti-Spam Updates

The Sophos Overview also shows the latest anti-virus update time.

113

Outgoing Overview Shows Any Delivery Problems

CLI: tophosts

Check the Status of Outbound Mail:
Active Recipients are messages in the IronPort work queue
Concurrent connections
Totals since last counter reset

You can sort by any of these columns.

Click on a recipient host to see status information.

114


System Overview Shows Queue Size and Connection Rates

Learn what queue size is normal for your system.
Set each graph to the subject and interval you want for your system.

Do the math: Of 2,375 recipients received, about 1,100 are out of the system. That means 1275 are in the work queue.
115

Generate Periodic Reports Automatically

Report Configuration     Available Selections
Report Type              Incoming Volume, System Summary
Frequency                Daily, Weekly, Monthly
Send Result To           Email (multiple), CLI / text, GUI / HTML
Result Formats           Text, HTML, CSV, XML
Save Previous Reports    Specify a number
Components to Include    Report specific

You can configure what periodic reports you want, what to include in the report, what format you want them in, and where to send them.

Report Type       Available Components
Incoming Volume   Virus Senders, Spam Senders, Unclassified Recipients, Rejected Connections, Recipients Received, Received Bytes, Accepted TLS Connections, Rejected TLS Connections
System Summary    System Statistics, Spam Statistics, Virus Statistics, Message Flow Histogram
116

Choose the Periodic Reports You Want

117

Set Up Periodic Reports the Way You Want Them

Configure the report deliveries you want.
Specify what data you want.
118


See the HTML Reports From the GUI

119

Overview of Troubleshooting Tasks

Periodic:
Daily checks - Report status - Is my system healthy?
Monthly checks - Report details - What happened last month?

Reactive:
Troubleshooting - Configuration changes - I need to make this change: Will it work? Does it do what I expect?
Troubleshooting - Problem / query - What happened to a particular message? Is this change I am making correct?
120


Use Debugging Tools After Changing the System Configuration

The trace utility (GUI or CLI) simulates how policy acts on a message.
Various logs record the passage of a message through the system and its final disposition (CLI):
mail_logs records a summary trail of connection to a listener, acceptance of the message, processing, and delivery.

Use tail to look at logs from the console, or ftp logs to your workstation to use tail and grep (CLI).

121

mail_logs Records Every Step In Processing A Message

Contains details of message receiving, delivery, and bounces
Status information is also logged every minute
Does not include delivery codes

Use cases:
Track the receipt, processing, and delivery of specific messages
Track Anti-Spam and Anti-Virus checking results
Analyze system performance

How event records are identified:
ICID    Incoming Connection ID
MID     Message ID
RID     Recipient ID
DCID    Delivery Connection ID
New     New connection initiated; ICID created
Start   New message started; MID created

122


Track One Message from Beginning to End in the mail_logs

Mon Apr 7 19:56:22 2003 Info: New SMTP ICID 5 interface Management address 10.1.1.209
Mon Apr 7 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 7 19:57:20 2003 Info: MID 6 ICID 5 From:<sender@remotehost.com>
Mon Apr 7 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To:<mary@yourdomain.com>
Mon Apr 7 19:59:52 2003 Info: MID 6 ready 100 bytes from <sender@remote-host.com>
Mon Apr 7 19:59:59 2003 Info: ICID 5 close
Mon Apr 7 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Apr 7 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to [0]
Mon Apr 7 20:10:58 2003 Info: Message done DCID 8 MID 6 to [0]
Mon Apr 7 20:11:03 2003 Info: DCID 8 close

New connection initiated; ICID created (Incoming Connection ID).
New message started; MID created (Message ID).
RID: Recipient ID.
DCID: Delivery Connection ID.
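Stitching the ICID, MID, RID and DCID records of a mail_logs file back into one per-message trail, as an added Python example that is not IronPort code; the log lines are constructed to follow the layout on this slide, and the field order the regular expressions assume comes only from those lines.

```python
import re
from typing import Dict, List

# Constructed sample in the mail_logs layout shown on this slide (not a real capture).
# MID 6 arrives on ICID 5 and is delivered on DCID 8; MID 7 arrives on ICID 9 and
# has not been delivered yet.
SAMPLE_MAIL_LOG = """\
Mon Apr 7 19:56:22 2003 Info: New SMTP ICID 5 interface Management address 10.1.1.209
Mon Apr 7 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 7 19:57:20 2003 Info: MID 6 ICID 5 From:<sender@remotehost.com>
Mon Apr 7 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To:<mary@yourdomain.com>
Mon Apr 7 19:59:52 2003 Info: MID 6 ready 100 bytes from <sender@remotehost.com>
Mon Apr 7 19:59:59 2003 Info: ICID 5 close
Mon Apr 7 20:03:10 2003 Info: New SMTP ICID 9 interface PublicNet address 198.51.100.7
Mon Apr 7 20:03:11 2003 Info: Start MID 7 ICID 9
Mon Apr 7 20:03:11 2003 Info: MID 7 ICID 9 From:<news@example.net>
Mon Apr 7 20:03:12 2003 Info: MID 7 ICID 9 RID 0 To:<alice@yourdomain.com>
Mon Apr 7 20:03:15 2003 Info: MID 7 ready 2048 bytes from <news@example.net>
Mon Apr 7 20:03:16 2003 Info: ICID 9 close
Mon Apr 7 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Apr 7 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to [0]
Mon Apr 7 20:10:58 2003 Info: Message done DCID 8 MID 6 to [0]
Mon Apr 7 20:11:03 2003 Info: DCID 8 close
"""

_TS = r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} Info: "
# One regex per record type; the field order is taken from the slide's log lines.
_RECORDS = {
    "icid_new": re.compile(_TS + r"New SMTP ICID (?P<icid>\d+) interface \S+ address (?P<ip>\S+)"),
    "start":    re.compile(_TS + r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)"),
    "from":     re.compile(_TS + r"MID (?P<mid>\d+) ICID \d+ From:<(?P<addr>[^>]*)>"),
    "rcpt":     re.compile(_TS + r"MID (?P<mid>\d+) ICID \d+ RID (?P<rid>\d+) To:<(?P<addr>[^>]*)>"),
    "ready":    re.compile(_TS + r"MID (?P<mid>\d+) ready (?P<size>\d+) bytes"),
    "dcid_new": re.compile(_TS + r"New SMTP DCID (?P<dcid>\d+) interface \S+ address (?P<ip>\S+)"),
    "done":     re.compile(_TS + r"Message done DCID (?P<dcid>\d+) MID (?P<mid>\d+) to \[(?P<rids>[^\]]*)\]"),
}


def track_messages(log_text: str) -> Dict[int, dict]:
    """Build one trail per MID: the ICID and remote address it arrived on, the
    envelope sender, the recipients keyed by RID, the size, and for each RID the
    DCID and delivery host that reported 'Message done'."""
    icid_addr: Dict[int, str] = {}
    dcid_addr: Dict[int, str] = {}
    msgs: Dict[int, dict] = {}
    for line in log_text.splitlines():
        for kind, rx in _RECORDS.items():
            m = rx.match(line)
            if m is None:
                continue
            f = m.groupdict()
            if kind == "icid_new":
                icid_addr[int(f["icid"])] = f["ip"]
            elif kind == "start":
                icid = int(f["icid"])
                msgs[int(f["mid"])] = {"icid": icid, "remote_ip": icid_addr.get(icid),
                                       "from": None, "rcpts": {}, "bytes": None,
                                       "delivered": {}}
            elif kind == "from":
                msgs[int(f["mid"])]["from"] = f["addr"]
            elif kind == "rcpt":
                msgs[int(f["mid"])]["rcpts"][int(f["rid"])] = f["addr"]
            elif kind == "ready":
                msgs[int(f["mid"])]["bytes"] = int(f["size"])
            elif kind == "dcid_new":
                dcid_addr[int(f["dcid"])] = f["ip"]
            elif kind == "done":
                dcid = int(f["dcid"])
                for rid in f["rids"].split(","):
                    if rid.strip():
                        msgs[int(f["mid"])]["delivered"][int(rid)] = (dcid, dcid_addr.get(dcid))
            break                      # each line is exactly one record type
    return msgs


def undelivered(msgs: Dict[int, dict]) -> Dict[int, List[str]]:
    """Recipients that were accepted (they have a RID) but have no 'Message done'
    record yet: still in the work queue, or a delivery that was never logged."""
    pending: Dict[int, List[str]] = {}
    for mid, msg in msgs.items():
        left = [addr for rid, addr in msg["rcpts"].items() if rid not in msg["delivered"]]
        if left:
            pending[mid] = left
    return pending


if __name__ == "__main__":
    trails = track_messages(SAMPLE_MAIL_LOG)
    for mid, trail in trails.items():
        print(mid, trail)
    print("pending:", undelivered(trails))
```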

123

To Retrieve the Whole Log File, Use Log Subscriptions

smtp.scu.com> logconfig

Currently configured logs:
1. "antivirus" Type: "AntiVirus Logs" Retrieval: FTP Poll
<etc>
Enter "NEW" to create a new log or "EDIT" to modify or "DELETE" to remove or
"SETUP" for general settings or "LOGHEADERS" to set up headers to log.
[]> edit
Enter the number of the log you wish to edit. []> 9

Log level:
1. Error
2. Warning
3. Information
4. Debug
5. Trace
[3]> <cr>

Please enter the name for the log: [mail_logs]> <cr>

Choose the method to retrieve the logs.
1. FTP Poll
2. FTP Push
3. SCP Push
[1]> 1

Please enter the filename for the log: [mail]> <cr>

Log level should be Information unless you are troubleshooting something really hard.
The log name is the directory name; the filename is the first part of the file name.
Choose FTP Poll for now.
Log file names: mail.current and mail.@20040324T160804.c (open for writing); mail.text.@20040317T173729.s (saved, complete).
124


Retrieve Logs With FTP

jlt:~ jlt$ ftp smtp.scu.com
Connected to smtp.scu.com.
220 smtp.scu.com IronPort FTP server (V1.37.10.1) ready.
Name (smtp.scu.com:jlt): admin
331 Password required.
Password: password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
150 Opening ASCII mode data connection for file list
drwxrwx--  2 root  log      512 May 19 06:21 brightmail_logs
drwxrwx--  2 root  config   512 May 22 04:50 configuration
drwxrwx--  2 root  log     1024 May 19 06:21 domain_logs
drwxrwx--  2 root  log     1024 May 22 04:50 system_logs
drwxrwx--  2 root  log      512 May 22 04:50 cli_logs
drwxrwx--  2 root  log      512 May 19 06:21 bounce_logs
drwxrwx--  2 root  log      512 May 22 04:51 rptd_logs
drwxrwx--  2 root  log     1024 May 22 04:51 sntpd_logs
drwxrwx--  2 root  log      512 May 22 04:51 antivirus
drwxrwx--  2 root  log     1024 May 22 04:51 mail_logs
drwxrwx--  2 root  log      512 May 22 04:51 brightmail
drwxrwx--  2 root  log      512 May 22 04:51 status
drwxrwx--  2 root  log      512 May 22 04:51 bounces
drwxrwx--  2 root  log     1024 May 22 04:51 error_logs
drwxrwx--  2 root  log      512 May 22 04:51 ftpd_logs
drwxrwx--  2 root  log     1024 May 22 04:51 avarchive

These are all directories with log files below.


CLI tail Shows You Logs in Real Time

smtp.scu.com> tail
Currently configured logs:
1. "antivirus" Module: thirdparty Format: AntiVirus
2. "avarchive" Module: mail Format: AntiVirus Archive
3. "bounces" Module: bounces Format: Bounces
4. "brightmail" Module: thirdparty Format: Brightmail
5. "cli_logs" Module: system Format: CLI Audit Logs
6. "error_logs" Module: mail Format: IronPort Text
7. "ftpd_logs" Module: ftpd Format: IronPort Text
8. "gui_logs" Module: gui Format: IronPort Text
9. "mail_logs" Module: mail Format: IronPort Text
10. "rptd_logs" Module: rptd Format: IronPort Text
11. "sntpd_logs" Module: sntpd Format: IronPort Text
12. "status" Module: mail Format: Status Logs
13. "system_logs" Module: system Format: IronPort Text
Enter the number of the log you wish to tail.
[]> 9
Press Ctrl-C to stop.
Fri Mar 26 09:53:11 2004 Info: MID 659 ICID 561 RID 1 To: <anestra@scu.com>
Fri Mar 26 09:53:11 2004 Info: MID 659 ICID 561 RID 2 To: <tbu@scu.com>
Fri Mar 26 09:53:14 2004 Info: MID 659 ready 872 bytes from <ekwtrw@yahoo.com>
Fri Mar 26 09:53:19 2004 Info: New SMTP ICID 562 interface PublicNet address 211.133.243.25
Fri Mar 26 09:53:19 2004 Info: Start MID 660 ICID 562
^C

Tail runs continuously until ^C, so start it before you send a test message.


Verify Connectivity With CLI Tools

smtp.scu.com> ping 192.245.12.8
Press Ctrl-C to stop.
PING 192.245.12.8 (192.245.12.8): 56 data bytes
64 bytes from 192.245.12.8: icmp_seq=0 ttl=253 time=2.174 ms
64 bytes from 192.245.12.8: icmp_seq=1 ttl=253 time=1.187 ms
64 bytes from 192.245.12.8: icmp_seq=2 ttl=253 time=1.295 ms
64 bytes from 192.245.12.8: icmp_seq=3 ttl=253 time=1.260 ms
^C
--- 192.245.12.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.187/1.479/2.174/0.403 ms

smtp.scu.com> ping
Which interface do you want to send the pings from?
1. Auto
2. Management (192.168.42.42/24: IronPort)
3. PrivateNet (192.168.0.42/24: inside.scu.com)
4. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 4
Please enter the host you wish to ping.
[]> 192.245.12.8
Press Ctrl-C to stop.
PING 192.245.12.8 (192.245.12.8) from 192.35.195.42: 56 data bytes
64 bytes from 192.245.12.8: icmp_seq=0 ttl=253 time=1.864 ms
64 bytes from 192.245.12.8: icmp_seq=1 ttl=253 time=1.226 ms
^C
--- 192.245.12.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.226/1.545/1.864/0.319 ms

ping and traceroute can take a command line argument, or will let you select the source interface.

Learn to Talk To Your SMTP Receivers

smtp.scu.com> telnet
Please select which interface you want to telnet from.
1. Auto
2. Management (192.168.42.42/24: IronPort)
3. PrivateNet (192.168.0.42/24: inside.scu.com)
4. PublicNet (192.35.195.42/24: smtp.scu.com)
[1]> 4
Enter the remote hostname or IP.
[]> 192.245.12.8
Enter the remote port.
[25]> <cr>
Trying 192.245.12.8...
Connected to viola.opus1.com.
Escape character is '^]'.
220 Viola.Opus1.COM -- Server ESMTP (PMDF V6.2-X17#9830)
quit
221 2.3.0 Bye received. Goodbye.
Connection closed by foreign host.

Use telnet to test connectivity to port 25. Don't forget to test from the other side coming in!

smtp.scu.com> mailconfig
Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> trumbo@opus1.com
The configuration file has been sent to trumbo@opus1.com.

mailconfig is a quick way to test that the IronPort can send mail.

Debugging DNS Problems

dnsflush will flush the DNS cache on the IronPort
dnsstatus gives statistics on requests and cache usage
Check DNS entries with nslookup on the IronPort
Use nslookup or dig on other systems to see other points of view
Send email to dnscheck@ironport.com for a report on your IronPort's DNS presence on the net

smtp.scu.com> nslookup
Please enter the host or IP to resolve.
[]> torba.com
Choose the query type:
1. A
2. CNAME
3. MX
4. NS
5. PTR
6. SOA
7. TXT
[1]> 3
MX=torba.com PREF=10 TTL=36m33s

Unlike other nslookups, the IronPort nslookup will recurse until it gets a final answer.

Greetings from IronPort customer care. You've emailed
dnscheck@ironport.com to perform basic DNS checks on your
system. Here are your results:
FAILED - DNS PTR record (the IP resolves to hostname)
FAILED - DNS A record (PTR hostname resolves to the IP)
FAILED - HELO match (PTR hostname matches HELO)
PASSED - mail server exists to accept delayed bounce messages
The need for these configurations and details of your results are included below.
Regards,
IronPort Customer Care
customercare@ironport.com
Detailed test results:
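
The three DNS checks in the dnscheck report above (PTR, forward A, HELO match) can be reproduced locally before a gateway goes live. This is an added example, not IronPort's dnscheck service: the lookups are injected so it runs offline against a constructed zone (192.35.195.42 / smtp.scu.com come from the slides; 192.35.195.43, mail.example.org and 10.0.0.1 are made up to show a PTR that does not forward-confirm), and live_ptr / live_a can be passed in for a real check of your own listener.

```python
"""The three dnscheck tests from the slide (PTR, forward A, HELO match).

Added example, not IronPort's dnscheck service. Lookups are injected so the
checks run offline against a constructed zone; pass live_ptr and live_a as
the lookup arguments to test a real gateway through the system resolver.
"""
import socket

# Constructed zone for offline use: the .42 host forward-confirms, the .43
# host has a PTR whose A record points elsewhere (made-up values).
FAKE_PTR = {"192.35.195.42": "smtp.scu.com", "192.35.195.43": "mail.example.org"}
FAKE_A = {"smtp.scu.com": ["192.35.195.42"], "mail.example.org": ["10.0.0.1"]}

LABELS = {
    "PTR": "DNS PTR record (the IP resolves to hostname)",
    "A": "DNS A record (PTR hostname resolves to the IP)",
    "HELO": "HELO match (PTR hostname matches HELO)",
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_a(name):
    return FAKE_A.get(name, [])


def live_ptr(ip):
    """Reverse lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name):
    """All IPv4 addresses a name resolves to; empty list on NXDOMAIN."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dns_check(ip, helo, ptr_lookup=fake_ptr, a_lookup=fake_a):
    """Return {test: (passed, detail)} in the order the dnscheck report lists them."""
    ptr = ptr_lookup(ip)
    forward = a_lookup(ptr) if ptr else []  # forward-confirm the PTR name
    return {
        "PTR": (ptr is not None, f"{ip} -> {ptr}"),
        "A": (ip in forward, f"{ptr} -> {forward}"),
        "HELO": (ptr is not None and helo.lower() == ptr.lower(),
                 f"HELO {helo} vs PTR {ptr}"),
    }


def report(results):
    """Render PASSED/FAILED lines in the style of the dnscheck email."""
    return [f"{'PASSED' if ok else 'FAILED'} - {LABELS[test]}"
            for test, (ok, _) in results.items()]
```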

Troubleshooting Clip-n-Save

tail
logconfig
ping
traceroute
telnet
nslookup
mailconfig
rate
topin
hostrate
deleterecipients
bouncerecipients
delivernow

suspendlistener
resumelistener
suspenddel
resumedel
suspend
resume
workqueue
showchanges
clear
Places to Start in the GUI
Outgoing Mail - Overview
System - Overview


Monitoring, Logging, and Troubleshooting Key Points

The GUI offers many different views of system performance and status, plus a variety of tools for email monitoring
Use the GUI Reporting feature to automatically generate and deliver periodic reports on system operation
Use logconfig, tail, and FTP to configure and view log files
Use tools like ping, traceroute, nslookup, and telnet to troubleshoot the network, transport, and presentation layers
IronPort's dnscheck service can give you an outside view
Use the trace tool to test how the IronPort will process a test message, especially after you change the system configuration


References
IronPort AsyncOS 3.8 User Guide
Chapter 9: Managing and Monitoring via the CLI
Chapter 11: Using the GUI
Chapter 12: Logging
Chapter 13: Reporting
Chapter 14: Testing and Troubleshooting


IronPort C-Series
Channel Partner
Technical Training

System Administration
Module 6

System Administration Means

Starting and stopping
Managing the presence on your network
Controlling access
Software version control and licenses
Alerting
Configuration management
Disaster recovery and backup


Starting and Stopping the IronPort

When is a mail appliance not a mail appliance? When it's a UNIX system. Avoid power cycles. If the box loses power, call support for a health check.
Use suspend to quiesce the system gracefully
Use shutdown or reboot to take your IronPort down
Use resume following reboot if you did a suspend, to resume normal operations

suspend
Stops accepting all inbound connections on all listeners
Stops delivering all outbound messages
Waits for any current connections to complete
Stays suspended across reboots

resume
Resumes all normal operations

(Diagram labels: InboundMail listener, TCP Connection, SMTP Session, Headers, Message Body, OutboundMail listener)

IronPort Network Configuration Command Summary

sethostname
Sets the SMTP hostname. This should match the forward and reverse DNS entries for the public listener.

dnsconfig
Act as a caching nameserver with direct access to the Internet root nameservers, or configure it to forward to your local nameservers.

routeconfig
Adds static routes.

setgateway
Sets the default route.

etherconfig
Sets full/half duplex and 10/100 Mb speed on interfaces.

interfaceconfig
Sets basic IP address configuration on an interface.

resetconfig
Erases all configuration and resets to factory default.

Add Users With Different Privileges

User Group: Administrators
Accounts in this group have full access to all configuration settings of the system. However, only the admin user can issue the upgradecheck and upgradeinstall commands.

User Group: Operators
User accounts in this group are restricted from:
- Creating or editing user accounts
- Issuing any of these commands: resetconfig, upgradecheck, upgradeinstall
Otherwise, they have the same privileges as Administrators.

User Group: Guests
User accounts in this group may only view status information.

Permissions apply to both the GUI and the CLI.
Add users with the userconfig command.
The password command changes the password of the logged-in user.

License New Features or Check License Expiration Dates

smtp.scu.com> featurekey
Module       Quantity   Time Remaining
Sophos       1          24 weeks 3 days 35 mins 55 secs
Brightmail   1          24 weeks 3 days 35 mins 18 secs
Receiving    1          23 weeks 2 days 1 hours 24 mins 26 secs
Enter feature key, or press Enter to go to the main prompt.
[]> <cr>

smtp.scu.com> version
Current Version
===============
Model C60
Version: 3.7.2-026
Build Date: 2004-04-02
Serial #: 000D5670320E-89NMS31

Features that require licenses:
IronPort AsyncOS: Evaluation: 30-day*; Purchase: Perpetual
Brightmail Anti-Spam: Evaluation: 30-day; Purchase: 1-3 years
Sophos Anti-Virus: Evaluation: 30-day; Purchase: 1-3 years
* Extensions available upon request



Performing Upgrades

smtp.scu.com> upgradecheck
All interaction with the upgrade server is done using ssh. By default this
protocol is run over TCP on port 22. If you are behind a firewall you may
want to run this protocol over a non-standard port.
Please choose a port to use:
1. port 22, default SSH
2. port 25, normally SMTP
3. port 53, normally DNS
4. port 80, normally HTTP
5. port 443, normally HTTPS
6. port 4766, IronPort reserved
[1]> <cr>
Checking for upgrades that are available.
Upgrades available:
1. AsyncOS 3.8b1 upgrade, 2004-04-16 Build 061 (36,809,399 bytes)
[1]> <cr>
Downloading AsyncOS 3.8b1 upgrade, 2004-04-16 Build 061
The upgrade has been downloaded. This upgrade will require a reboot of the
system after it finishes. Do you wish to install it now? [Y]> n

You probably want to say No here, and do a suspend first, then resume later.
A large upgrade can take over 10 minutes. Your mileage will vary.

smtp.scu.com> upgradeinstall
Decompressing the upgrade.
Installing the upgrade.
IronPort Messaging Gateway Appliance(tm) Upgrade
The upgrade will start in 10 seconds.
This upgrade will require a reboot of the system after it finishes.
You may log in again after this is done.


Alerts Show Up To Tell You About Issues and Potential Problems

Message: DNS cache
An application fault occurred: (('dns_cache', 'send_request', '183'),
'exceptions.OSError', "[Errno 49] Can't assign requested address",
'[smtp_client|run|576] [smtp_client|_run|616] [smtp_client|_connect|659]
[omh|get_prioritized_ip_list|258] [omh|get_prioritized_ip_list|265]
[PrioritizedIP|fetch_mx_array|117] [PrioritizedIP|_fetch_mx_data|147]
[dns_cache|query|486] [dns_cache|best_nameserver|446]
[dns_cache|bootstrap_cache|290] [dns_cache|_bootstrap_cache|306]
[dns_cache|query_by_ip|687] [dns_cache|do_query|255]
[dns_cache|send_request|183]')

Meaning
The DNS cache initializes at boot time. This failure is not fatal, since the cache initializes again at a defined interval. If you see this error message only once or twice, the DNS cache must have initialized successfully at one of the subsequent intervals. If the cache consistently failed to initialize, the appliance would be unable to resolve hostnames and IP addresses for all messages.

Configure Where System Alerts Go

smtp.scu.com> alertconfig
Please enter the email address(es) to send alerts.
(Ex: "administrator@example.com")
Separate multiple addresses with commas.
Enter the word "DELETE" to clear the default and disable alerts.
[postmaster@scu.com]> <cr>
Debounce timeout (seconds):
[300]> <cr>
Would you like to enable IronPort AutoSupport, which automatically emails
system alerts and weekly status reports directly to IronPort Customer Care?
(Enabling AutoSupport is recommended.) [N]> y
Would you like to receive a copy of the weekly AutoSupport reports?
[Y]> y

The debounce timeout is the period to wait before sending an identical alert.
AutoSupport is a Good Thing and is highly recommended!
Get the Alert Messages Definitions document from the Support site for a detailed explanation of alerts.

Why Call IronPort? They Can Call You!

Your IronPort Can Notify Support:

smtp.scu.com> alertconfig
Would you like to enable IronPort AutoSupport, which automatically
emails system alerts and weekly status reports directly to
IronPort Customer Care?
(Enabling AutoSupport is recommended.) [N]> y

You Can Generate a Request Yourself:

smtp.scu.com> supportrequest
Do you want to send the configuration information via email to
customercare@ironport.com? [Y]> <cr>
Do you want to send the configuration information via email to additional
recipient(s)? [N]> y
Please enter the email address(es) to which you want to send the
configuration information. Include anyone in your organization that
should be included on future correspondence for this issue.
Separate multiple addresses with commas.
[]> trumbo@opus1.com
Please enter some comments describing your issue, providing as much detail
as possible to aid in diagnosing any issues:
[]> I am having difficulty getting ftp push to work to my Mac OSX machine

The IronPort Configuration is in One Big File

(Diagram) CLI updates and GUI updates both feed the XML config data; FTP gives access to the XML config data and to the XML DTD data.
Document Type Definitions are essential to interpreting XML data.

XML config + AsyncOS version + model no. = complete system description


The Configuration File is in XML Format

<config>
  <!-- **************************************************
       * Network Configuration
       ************************************************** -->
  <hostname>smtp.scu.com</hostname>
  <interfaces>
    <interface>
      <interface_name>PublicAlpha</interface_name>
      <ip>192.35.195.101</ip>
    </interface>
  </interfaces>
  <dns>
    <local_dns>
      <ip>192.245.12.50</ip>
    </local_dns>
    <rbl_dns>
      <rbl_negative_ttl>1800</rbl_negative_ttl>
      <rbl_timeout>3</rbl_timeout>
    </rbl_dns>
  </dns>

Some parts of the configuration are specific to one IronPort gateway. Other parts of the configuration might apply to all IronPorts in your network.
You can manage your configuration by importing XML sections. You could manage the common configurations with one common file.

Tools To Manage Your Configuration File

showconfig - see the XML file
saveconfig - save the XML file to a file in the ftp directory
mailconfig - mail the XML file
loadconfig - import XML into the configuration

You must also copy the config.dtd with FTP: /configuration/config.dtd
Document Type Definitions are essential to interpreting XML data.

(Diagram) CLI or GUI updates feed the XML config data; FTP gives access to the XML config data and to the XML DTD data.

You Can Review Commit Comments in the System Log

/system_logs/system.@20040410T160102.s
Sat Apr 10 16:01:01 2004 Info: Begin Logfile
Sat Apr 10 16:01:01 2004 Info: System is coming up
Sat Apr 10 16:30:38 2004 Info: PID 233: User system commit changes: Automated Alert MX Cache Update
Sat Apr 10 17:14:25 2004 Info: PID 390: User admin commit changes: Create nomercy bounce profile and apply it to InboundMail listener
Sat Apr 10 17:31:54 2004 Info: PID 390: User admin commit changes: rename bounceconfig nomercy to NoMercy
Sat Apr 10 17:40:11 2004 Info: PID 390: User admin commit changes: add exhange into setgoodtable
Sun Apr 11 10:29:40 2004 Info: PID 623: User admin commit changes: add dropbadmail filter
Sun Apr 11 12:07:43 2004 Info: PID 623: User admin commit changes: add bodysize filter to bounce over 20 MB files
Sun Apr 11 12:13:35 2004 Info: PID 623: User admin commit changes: enable delivery log
Sun Apr 11 12:28:39 2004 Info: PID 623: User admin commit changes: add filter DropOver6MB
Sun Apr 11 12:56:35 2004 Info: PID 623: User admin commit changes: replace BounceOver6MB filter with NotifyAndDropOver6MB
Sun Apr 11 13:11:44 2004 Info: PID 623: User admin commit changes: tune dropbadmail filter

High Availability Configuration

Pseudo load balancing: DNS round robin using equal-priority MX records


Disaster Recovery

Buy two IronPorts
Call support if one dies
Save the configuration on a regular basis
Write an off-box script (cron job) to log in (SSH) and do a showconfig, saveconfig, or mailconfig

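An added example of the off-box cron job described above (not IronPort code): it pulls showconfig over SSH, assuming key-based login as admin and that showconfig writes the XML to stdout non-interactively on this AsyncOS version, and keeps a dated copy only when the configuration's digest changes, so the same job doubles as a drift alarm for unexpected edits. run_demo() exercises the backup logic on two constructed configs (the smtp2.scu.com hostname is made up) without touching the network.

```python
"""Off-box configuration backup with change detection.

Added example for the disaster-recovery slide; not IronPort code. Assumes
key-based SSH login as admin and that `showconfig` prints the XML to stdout
without prompting. A copy is written only when the digest changes, so a
cron job running this also flags configuration drift.
"""
import datetime
import hashlib
import pathlib
import subprocess
import tempfile


def fetch_showconfig(host, user="admin"):
    """Pull the XML configuration over SSH (network call; not used by run_demo)."""
    proc = subprocess.run(["ssh", f"{user}@{host}", "showconfig"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def backup_config(xml, backup_dir, now=None):
    """Write config.<UTC timestamp>.xml if the digest differs from the last copy.

    Returns (changed, path). Files are created mode 0600 because the
    configuration may contain credentials.
    """
    backup_dir = pathlib.Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(xml.encode()).hexdigest()
    marker = backup_dir / "LATEST.sha256"   # digest of the newest saved copy
    if marker.exists() and marker.read_text().strip() == digest:
        return False, None
    now = now or datetime.datetime.now(datetime.timezone.utc)
    path = backup_dir / f"config.{now:%Y%m%dT%H%M%S}.xml"
    path.write_text(xml)
    path.chmod(0o600)
    marker.write_text(digest + "\n")
    return True, path


def run_demo():
    """Run backup_config three times on constructed configs in a temp directory.

    Returns ([changed flags], number of .xml copies kept): an unchanged config
    is skipped, a changed one produces a new dated copy.
    """
    cfg_v1 = "<config><hostname>smtp.scu.com</hostname></config>\n"   # constructed
    cfg_v2 = "<config><hostname>smtp2.scu.com</hostname></config>\n"  # constructed
    base = datetime.datetime(2004, 4, 10, 16, 1, 1, tzinfo=datetime.timezone.utc)
    flags = []
    with tempfile.TemporaryDirectory() as d:
        for i, cfg in enumerate([cfg_v1, cfg_v1, cfg_v2]):
            changed, _ = backup_config(cfg, d, now=base + datetime.timedelta(hours=i))
            flags.append(changed)
        kept = len(list(pathlib.Path(d).glob("config.*.xml")))
    return flags, kept
```

Run it from cron with the fetched XML in place of the constructed strings, e.g. backup_config(fetch_showconfig("smtp.scu.com"), "/var/backups/ironport").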

System Administration Key Points

Upgrades are easy with upgradecheck and upgradeinstall. You can control upgrade timing and behavior.
Alerting on exceptional events via email is a preferred technique of the IronPort (and you can control how this behaves).
Configuration management using showconfig / mailconfig / loadconfig / saveconfig should be part of your disaster recovery plan.


References
IronPort AsyncOS 3.8 User Guide
Chapter 10: System Administration


IronPort C-Series
Channel Partner
Technical Training

Course Wrap-Up

Review
Course Objectives

Critical SE Skills

How do I install, configure and deliver basic support for the IronPort C-Series Messaging Gateway appliance?
What guidelines can I give customers for deploying the appliance in a typical enterprise email environment?
How do I manage and monitor the flow of email through the appliance?
How do I configure access control policies?
How do I create content filters?
How do I configure the appliance to detect and handle unwanted spam and viruses?


Review
A Typical New Customer Installation

Gather customers' network information and custom requirements in advance: 30 min
Rack, install, and set up the appliance: 30 min
Make custom configuration changes: 15 min
Test and demo: 30 min
Put the appliance into production: 15 min


Questions & Answers

IronPort C-Series Overview
Installation and Setup
Access Control
Policy Enforcement, Anti-Spam, and Anti-Virus
Monitoring, Logging, and Troubleshooting
System Administration


Where do I go next?

IronPort Sales Resources
IronPort C-Series Appliance Evaluation Guide
IronPort Technical Resources
IronPort Customer Care


IronPort Sales Resources

C-Series product brochures and data sheets
http://www.ironport.com/products/ironport_c_series.html

IronPort company profile
http://www.ironport.com/about/index.html

IronPort product overview presentation slides
Contact your IronPort Channel Partner Rep. for the latest version


IronPort C-Series Appliance Evaluation Guide

Designed to help system administrators evaluate the IronPort C-Series appliance
Make sure all prospective customers read this guide!
Provides an overview of the key product features, along with guidelines for setting up and testing those features
Available on the IronPort Support Web site
http://support.ironport.com/secure/index.html


IronPort Technical Resources

Product documentation
IronPort QuickStart Guide
IronPort AsyncOS User Guide
IronPort AsyncOS Release Notes
http://support.ironport.com/secure/index.html

White papers
IronPort AsyncOS White Paper
Reputation Filters White Paper
SMTPi White Paper
http://www.ironport.com/download/


Closing Comments
