MailMarshal SMTP 5.5 User Guide - Trustwave

User Guide MailMarshal SMTP 5.5 August 2006


THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Marshal, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Marshal may make improvements in or changes to the software described in this document at any time.

© 2006 Marshal Limited, all rights reserved.

U.S. Government Restricted Rights: The software and the documentation are commercial computer software and documentation developed at private expense. Use, duplication, or disclosure by the U.S. Government is subject to the terms of the Marshal standard commercial license for the software, and where applicable, the restrictions set forth in the Rights in Technical Data and Computer Software clauses and any successor rules or regulations.

Marshal, MailMarshal, the Marshal logo, WebMarshal, Security Reporting Center and Firewall Suite are trademarks or registered trademarks of Marshal Limited or its subsidiaries in the United Kingdom and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.


Contents

About This Book and the Library
Conventions
About Marshal

Chapter 1: Introducing MailMarshal
  What Does MailMarshal Do?
  Where is MailMarshal Installed?
  How Does MailMarshal Work?
  Virus Scanning
  Encrypted Email
  MailMarshal SMTP and MailMarshal Exchange
  What’s New?
    New Features in MailMarshal 5.5
  Online Help

Chapter 2: Pre-Installation
  Hardware Required for MailMarshal Server
  Software Required for MailMarshal Server
  Software Required for Other Components
  Email Routing
    How MailMarshal Routes Email
    Setting up Outbound Routing
    Setting up Inbound Routing
    When Installing MailMarshal on the Existing Email Server
  Gathering Information Before Installation


Chapter 3: Installation
  Procedures to Install MailMarshal Server
    Preliminary Steps:
    Configuration Wizard
    Configuring an Existing Email Server
    MailMarshal and Proxy Servers
  MailMarshal Console Installation
    Console Security Issues
  MailMarshal Configurator Remote Installation
  Uninstalling MailMarshal

Chapter 4: Monitoring and Control
  The Configurator
    Server Properties
    Configurator Root
    Services and Arrays
    Rulesets
    User Groups
    POP3 Accounts
    Virus Scanners
    External Commands
    Folders
    Email Templates
    TextCensor Scripts
    Logging Classifications
    Message Stamps
    LDAP Connections
    Secure Email
    News and Support
  Windows Event Log


  Windows Performance Counters

Chapter 5: Rulesets and Rules
  Best Practices
  Viewing and Printing Rulesets
  Creating a Ruleset
  Editing a Ruleset
    To Copy or Move Rules Between Rulesets
    To Enable or Disable a Ruleset
  Order of Evaluation
    Adjusting the Order of Evaluation of Rulesets
    Adjusting the Order of Evaluation of Rules
  Creating a New Rule
  Copying a Rule
  Editing a Rule
  User Matching Criteria


  Rule Conditions–Standard Rules
    Where message attachment is of type
    Where attachment fingerprint is/is not known
    Where message size is
    Where the estimated bandwidth required to deliver this message is
    Where message contains attachments named
    Where message triggers text censor script(s)
    Where the result of a virus scan is
    Where the external command is triggered
    Where attachment parent is of type
    Where message attachment size is
    Where number of recipients is count
    Where message contains one or more headers
    Where number of attachments is count
    Where message is categorized as Category
    Where message spoofing analysis is based on criteria
  Rule Actions–Standard Rules
    Copy the message
    BCC a copy of the message
    Run the external command
    Send a notification message
    Strip attachment
    Write log message(s) with classifications
    Stamp message with text
    Rewrite message headers
    Add attachments to valid fingerprints list
    Route the message to host
    Move the message
    Park the message
    Delete the message
    Pass the message to rule


  Rule Conditions–Receiver Rules
    Where message is of a particular size:
    Where sender’s IP address matches address:
    Where sender has authenticated
    Where sender’s IP address is listed in DNS Blacklist
  Rule Actions–Receiver Rules
    Accept message
    Refuse message and reply with message

Chapter 6: User Groups
  To Create a New Standard User Group
  To Add Members to a Standard User Group
  To Add an LDAP User Group
  To Move and Copy User Groups

Chapter 7: POP3 Accounts
  To Set Up POP3 Accounts
  POP3 Accounts for Relaying Authentication
  To Edit POP3 Accounts
  To Delete POP3 Accounts

Chapter 8: Virus Scanners
  Best Practices
  Configuring a New Virus Scanner
  Viewing Virus Scanner Properties
    Command Line Scanner Properties
    DLL Scanner Properties
  Using Other Virus Scanners
  Testing Virus Scanners


  MailMarshal Directories and Resident Scanning
    Details of Excluded Directories

Chapter 9: External Commands
  Uses of External Commands
    Message Release

Chapter 10: Folders
  Creating a New Folder
    Standard Folders
    Parking Folders
    The Mail Recycle Bin
  Editing an Existing Folder
  Changing the Default Folder Location
  Folder Security

Chapter 11: Email Templates
  Creating an Email Template
  Duplicating an Email Template
  Editing an Email Template
  Deleting an Email Template

Chapter 12: TextCensor Scripts
  TextCensor Syntax
  Weighting the Script
  Adding a TextCensor Script
  Editing a TextCensor Script


  Duplicating a TextCensor Script
  Importing a TextCensor Script
  Exporting a TextCensor Script
  Testing TextCensor Scripts
  Using TextCensor Effectively
    Constructing TextCensor Scripts
    Decreasing Unwanted Triggering

Chapter 13: Logging Classifications
  Creating a Logging Classification
  Editing a Logging Classification
  Duplicating a Logging Classification
  Deleting a Logging Classification
  Logging Classification Usage

Chapter 14: Message Stamps
  Creating a New Message Stamp
  Duplicating a Message Stamp
  Editing a Message Stamp
  Deleting a Message Stamp

Chapter 15: Header Matching and Rewriting
  Header Wizard
    Field Matching
    Matching/Substitution Options
    Naming and Testing
    Order of Evaluation


  Regular Expression Syntax
    Shortcuts
    Reserved Characters
    Examples
    Map Files

Chapter 16: LDAP Connections
  What is LDAP?
  Adding a New LDAP Server Connection
  Editing an LDAP Server Connection
  Deleting an LDAP Server Connection

Chapter 17: Server Properties
  General
    Export Configuration
    Import Configuration
  Local Domains
    To Create a New Local Domain
    To Edit a Local Domain
    Wildcards
  Logging
  Secure Email
  Internet Access
  Updates
  Delivery
  Batching & Dial-Up
  Blocked Hosts
  Host Validation
    DNS Blacklist
    DNS Validation


Header Rewrite ........................................................................................................................................186Anti-Relaying ............................................................................................................................................187

Block suspicious local-part relay attempt ..............................................................................189License Info ..............................................................................................................................................190Advanced ..................................................................................................................................................192

Change Folders .........................................................................................................................192Additional Options ...................................................................................................................193

Chapter 18 Reports
To Install MailMarshal Reports
Starting MailMarshal Reports
    Report Properties
    Generating Reports
    Report Parameters
Report Window
    Toolbar Options
    Drill-down
    Customizing Reports
Exporting Reports
    Export Options

Chapter 19 Arrays
What Information Is Replicated?
What Are the Limitations of Replication?
    Prerequisites
    Manual Settings
    Items Not Replicated
Configuring Arrays and Replication
    Array Wizard
    Replication Exclusions


Managing an Array
Making Changes to an Array
    Updating MailMarshal Arrays

Chapter 20 The Console
Connecting to the MailMarshal Server
    Console Security Issues
The Main Console Screen
The Services Screen
    Receiver State
    Domain Detail
    Message Folders
    Message Folder Actions
    Mail History
    History Search
Alert History
User Options
News and Support

Chapter 21 Troubleshooting
MailMarshal Console
Windows Event Viewer
MailMarshal Working Directories
MailMarshal Message Names
MailMarshal Log Files
Running MailMarshal in Debug Mode
Some Common Issues
    Error 2140
    Host Name or Unable to Determine the Domain
Moving MailMarshal to a New Server


DNS Blacklists
Reports Issues
    Unable to determine if [Name] is a valid MailMarshal database
    SQL script could not be loaded
    SQL scripts failed to load. View errors?
Further Help

Chapter 22 MailMarshal and the MMC
Configurator and Console in the Same MMC
Multiple Console Snap-ins in the Same MMC

Appendix A Other Email Servers
Configuring Microsoft Exchange 5.5
    Exchange 5.5 and MailMarshal on Separate Machines
    Exchange 5.5 and MailMarshal on the Same Machine
Configuring Lotus Notes 4
    Lotus Notes 4 and MailMarshal on Separate Machines
    Lotus Notes 4 and MailMarshal on the Same Machine
Configuring Lotus Domino R5
    Lotus Domino R5 and MailMarshal on Separate Machines
    Lotus Domino R5 and MailMarshal on the Same Machine

Index


About This Book and the Library

The User Guide provides conceptual information about MailMarshal SMTP. This book defines terminology and various related concepts.

Intended Audience

This book provides information for individuals responsible for understanding MailMarshal SMTP concepts and for individuals managing MailMarshal SMTP installations.

Other Information in the Library

The library provides the following information resources:

User Guide
Provides conceptual information and detailed planning and installation information about MailMarshal SMTP. This book also provides an overview of the MailMarshal SMTP user interfaces and the Help.

MailMarshal Secure User Guide
Provides detailed information about how to configure and use the S/MIME secure email functionality in MailMarshal SMTP.

Help
Provides context-sensitive information and step-by-step guidance for common tasks, as well as definitions for each field on each window.


Conventions

The library uses consistent conventions to help you identify items throughout the documentation. The following table summarizes these conventions.

Convention / Use

Bold
• Window and menu items
• Technical terms, when introduced

Italics
• Book and CD-ROM titles
• Variable names and values
• Emphasized words

Fixed Font
• File and folder names
• Commands and code examples
• Text you must type
• Text (output) displayed in the command-line interface

Brackets, such as [value]
• Optional parameters of a command

Braces, such as {value}
• Required parameters of a command

Logical OR, such as value1 | value2
• Exclusive parameters. Choose one parameter.


About Marshal

With new threats disrupting business and productivity and wrecking reputations every day, Marshal content security solutions take a proactive approach to identifying email and web vulnerabilities to protect over seven million international users in 17,000 companies from the risks of email and Internet-based threats.

Marshal Products

Marshal's Content Security solution, which includes MailMarshal SMTP, MailMarshal Exchange and WebMarshal, delivers a complete email and Web security solution to these risks by acting as a gateway between your organization and the Internet. The products sit behind your firewall but in front of your network systems to control outbound documents and their content. By providing anti-virus, anti-phishing and anti-spyware protection at the gateway, Marshal's Content Security solution offers you a strategic, flexible and scalable platform for policy-based filtering that protects your network, and as a result, your reputation.

Contacting Marshal

Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our website. If you cannot contact your partner, please contact our Technical Support team.

Telephone:
+44 (0) 1256 848 080 (EMEA)
+1 404 564-5800 (Americas)
+ 64 9 984 5700 (Asia-Pacific)

Sales Email: [email protected]

Support: www.marshal.com/support

Website: www.marshal.com


Chapter 1

Introducing MailMarshal

MailMarshal SMTP is a fast, easy-to-use email scanning solution that enforces your organization’s Acceptable Use Policy while protecting against viruses, Spam, and loss of confidential data.

An Acceptable Use Policy for email typically regulates what content can be sent in and out of the organization. A policy may also call for disclaimers or other official message stamps, archive copies of messages, and encryption of sensitive email, as well as controls on the size or volume of email allowed.

What Does MailMarshal Do?

MailMarshal scans the content of messages and attachments as they enter or leave the organization. It can scan lexical content (such as subject lines, message text and attached documents). It can also determine the structure and size of messages and attachments. MailMarshal’s proprietary SpamCensor applies a variety of techniques to determine whether messages are Spam. MailMarshal also allows scanning for and cleaning of viruses using third-party virus scanners.

Based on the result of these scans, many actions may be performed. These include blocking or quarantining of messages, making copies, stripping of attachments, sending notifications, adding disclaimers, and many others.


An optional module, MailMarshal Secure, allows signing, encryption and decryption of email messages using the S/MIME standard. Certificate import, renewal, and revocation are managed automatically.

Where is MailMarshal Installed?

MailMarshal SMTP is a server-based SMTP (Simple Mail Transfer Protocol) email content scanner that can be easily installed into a new or existing network with other gateway applications. It complements, and is compatible with, traditional Internet firewalls, SMTP mail servers, anti-virus and security applications. The only prerequisite is that MailMarshal must reside on Windows 2000 Server, Windows XP Professional, or Windows Server 2003.

MailMarshal consists of several pieces of software–the Server, Configurator, Console and Reporting Database.

The MailMarshal Server software is installed as the email gateway of an organization. All email entering or exiting the organization passes through it. MailMarshal can be installed as a standalone server or an array of servers. Depending on load, it can reside on the same physical machine as a corporate email server product (such as Microsoft Exchange). It can also be installed as a standalone POP3 email server for small organizations.

The Configurator is installed on the same machine as the MailMarshal Server software, and can also be run from a remote workstation. This module allows setup of the basic connections required to use MailMarshal. It also allows configuration of email processing rules and components, such as virus scanners and TextCensor scripts.

The flow of email through MailMarshal is monitored using the Console, which can be installed on the email administrator’s workstation. Through the Console MailMarshal’s logs can be reviewed and searched for specific messages, and blocked items can be released if necessary.

MailMarshal can log email activity to a SQL Server database, and use the information to produce detailed reports. The reporting suite, using a runtime version of Crystal Reports (included), can be installed on any workstation.


How Does MailMarshal Work?

MailMarshal is an SMTP gateway and is compatible with any SMTP email server on any platform, e.g. Microsoft Exchange, Sendmail, Novell Groupwise or Lotus Notes. Where the existing email server software is a Windows application, in most circumstances MailMarshal can reside on the same physical server. Full details of installation scenarios are given in Chapter 2, “Pre-Installation.”

The MailMarshal Server consists of four major system services: the Receiver, Engine, Sender, and Controller. All email entering or leaving an organization enters the MailMarshal Server software via the Receiver, and is processed in the Engine. The Engine unpacks each email message (unzipping archive or compressed files if necessary) and splits the message into its individual components. It then tests the whole message and each component against the Rules that have been set up in the Configurator.

Rules are composed of three parts: User Matching, Conditions, and Actions. Details of rule configuration are given in Chapter 5, “Rulesets and Rules.”

User Matching criteria allow filtering of messages by the sender and recipients. Other Conditions may match based on the header information, text content of the message and attachments, attached file types, message size, MailMarshal’s proprietary SpamCensor, virus check by a third-party virus scanner, and other criteria.

Based on the results of User Matching and Condition testing, the email message is accepted, modified or quarantined. Accepted email is passed to the MailMarshal Sender, which then forwards it to the appropriate recipients.

Messages may be stamped with a notice and/or stripped of objectionable attachments. Quarantined messages are placed into one of several folders defined for that purpose. They may be retrieved by the email administrator (using the Console) for examination or re-processing.

Messages which cannot be unpacked or delivered are directed to special DeadLetter folders.

Where MailMarshal takes action on a message, notifications or copies of the original message may be sent as required. These messages can be customized; see Chapter 11, “Email Templates.”


All MailMarshal server activities are logged in detail to a text file. The relevant log may be appended to a notification message.

Virus Scanning

MailMarshal invokes other vendors’ virus checking software to detect viruses. A number of commercially available scanners have been tested and shown to work with MailMarshal. For full virus protection, a licensed version of a virus scanner should be installed and its virus definition files kept up to date. MailMarshal can use multiple virus scanners to provide extra protection. Information on virus scanner configuration appears in Chapter 8, “Virus Scanners.” MailMarshal can also invoke selected virus scanning software to clean infected files.

Because many email viruses are associated with known message text or file types, MailMarshal can also block viruses using these criteria. Where best security practices are followed to block suspicious files, MailMarshal can often stop new viruses before scanner updates arrive.

Encrypted Email

MailMarshal Secure is an optional module of MailMarshal that provides for server-based handling of encrypted messages. MailMarshal Secure uses the S/MIME (Secure MIME) standard for Public Key Encryption. MailMarshal Secure can communicate securely with any other encryption product that uses the S/MIME standard; communication is not limited to MailMarshal sites.

Where MailMarshal Secure is not installed (or the appropriate encryption key is not available), MailMarshal will recognize the message as encrypted but will be unable to access the message contents. Such messages may be blocked or passed through according to local policy.

Detailed information on MailMarshal Secure may be found in the MailMarshal Secure Manual, which is freely available from the Marshal website.


MailMarshal SMTP and MailMarshal Exchange

MailMarshal SMTP shares many features with MailMarshal for Exchange, the Exchange Server based Email Content Security product from Marshal.

MailMarshal for Exchange provides the ability to scan internal email within the Exchange Server.

MailMarshal SMTP provides several components which are not available within MailMarshal for Exchange, including Receiver Rules and other Receiver based functions, and the MailMarshal Secure module for S/MIME email encryption. Where both sets of functions are required, they can be obtained by running both products in the same environment. MailMarshal for Exchange and MailMarshal SMTP can be run on the same computer (subject to adequate system resources).

Within this Manual, “MailMarshal” always refers to MailMarshal SMTP unless otherwise stated.

What’s New?

This section highlights the key new features documented in this manual. For a complete list of changes in a particular release, please refer to the Release Notes and Reports Release Notes included in the MailMarshal distribution package.

New Features in MailMarshal 5.5

• SpamCensor and Category Scripts: Introducing MailMarshal’s proprietary anti-Spam technology. Complex analysis of messages filters Spam efficiently. Scripts are updated automatically. Additional scripts and exceptions can be created locally.

• Virus Cleaning: DLL based virus scanners can now be used to clean infected attachments.

• Additional Virus Scanners: Symantec AntiVirus Scan Engine and Panda Antivirus join the list of high speed, cleaning-capable scanners.


• More Document Types Scanned: TextCensor now checks within Microsoft Excel, Microsoft PowerPoint, and Adobe PDF files. Embedded objects within Excel and PowerPoint files are extracted.

• Rule-Based DNS Blacklist support: Use DNS Blacklists (such as ORBS or MAPS) within Receiver Rules.

• New Reports: Now report easily on virus related activity and Rules triggered.

• Array Replication: An array of MailMarshal servers can be managed from a master Configurator. Configuration changes can be automatically replicated to other members of the array.

• Join Array on Install: Bypass the Configuration Wizard by choosing to import a complete configuration from an Array master.

• Mail Recycle Bin: Helps guard against accidental deletion of messages from the Console.

Online Help

MailMarshal provides online help for assistance during installation and use of the software. Help is accessed through the Help menu or by pressing the [F1] key.

Extended up-to-the-minute support is available on the Marshal website. The website at http://www.marshal.com features news, a support Knowledge Base, User Forum, and maintenance upgrades.


Chapter 2

Pre-Installation

MailMarshal consists of several components, which may be located on different machines within an organization’s network. The components are:

• MailMarshal Server

• MailMarshal Configurator

• MailMarshal Console

• MailMarshal Reports

All components can be installed under Windows 2000, Windows XP Professional, or Windows Server 2003.

Hardware Required for MailMarshal Server

MailMarshal will run on almost any Pentium-class machine. Hardware requirements naturally vary depending on the number of email users and the amount of email traffic. The following minimum specifications are suggested as a guideline:

• 1000 users: Pentium III 600, 5GB HD, 128MB RAM

• 10000 users: Dual Pentium III 1000, 20 GB HD, 512MB RAM


Sites with more than 10000 users may require enhanced hardware. MailMarshal supports multi-processor computers and arrays of servers for very high traffic sites. Please contact Marshal for a recommended configuration.

Software Required for MailMarshal Server

All prerequisite software (with the exception of the Windows operating system) is available on the installation CD-ROM, or by download from the Marshal web site. The prerequisites may be installed, if necessary, during the MailMarshal installation from CD-ROM. It is recommended that you install the prerequisites before installing MailMarshal so as to isolate any installation issues to the specific package. MailMarshal requires:

• Windows 2000, Windows XP Professional, or Windows Server 2003.

• Microsoft Data Access Components (MDAC) 2.7 or above.

• SQL Server 2000 or SQL Server 7.0 to log data for reporting–if not available, Microsoft Data Engine (MSDE) can be installed. MSDE is a free runtime version of SQL Server. The latest Service Pack is recommended for installation on either SQL Server or MSDE.

Note: MailMarshal will not accept new messages if there is less than 100MB of free disk space available in the disk partitions where its working directories reside.

Notes

• Due to Microsoft licensing restrictions, MailMarshal cannot be installed on Windows Server 2003, Web Edition.

• Installation of prerequisites may require system restart.

• MailMarshal must be installed on an NTFS partition. Due to the limitations on database size in MSDE, SQL Server is recommended for sites over 500 users in size.

• Some items previously listed as minimum prerequisites are included in the above operating systems. These include Microsoft Management Console (MMC) 1.2, and Microsoft Internet Explorer (IE) 5.01.


Software Required for Other Components

MailMarshal Configurator, Console, and Reports may be run under Windows 2000, Windows XP Professional, or Windows Server 2003.

Note: Windows 95, Windows 98, Windows ME, and Windows NT 4.0 are no longer supported.

For MailMarshal Secure, we recommend a 128 Bit Encryption version of the Windows operating system. (Some early international releases of Windows 2000 were only 40 bit.) To check the encryption level of a machine, within Internet Explorer click on Help > About. The ‘Cipher Strength’ value shows the encryption level installed on the machine. To upgrade to 128 Bit Encryption, install the High Encryption Pack, or Windows 2000 SP2 or above. SQL Server 2000, SQL Server 7.0, or MSDE is required for the MailMarshal Secure Certificate Database. It is strongly recommended that this be present on the local system.

Email Routing

Internet email travels from server to server using SMTP (Simple Mail Transfer Protocol). MailMarshal functions as an SMTP relay. Logically, MailMarshal is situated on the local network so that email entering or leaving the organization is routed through it. Physically, MailMarshal Server can be installed in several scenarios. It may share a computer with other software or be run on a dedicated computer. Before installing MailMarshal it is necessary to determine which functions MailMarshal will serve and how it will handle incoming and outgoing email.

In general, SMTP email servers may route email in four ways:

1. By delivering a message to a “local user” (another user on the same server).

2. By sending email for a specific domain (e.g. wellknown.com) to a fixed address entered by the administrator.

3. By sending all outbound email to a specific server (email relay).

4. By performing a Domain Name Service (DNS) lookup to determine the appropriate email server for a domain, and attempting to contact that host directly.

How MailMarshal Routes Email

MailMarshal can use any of the four methods described above.

• If MailMarshal has been configured as a POP3 server, the POP3 mailboxes are “local” to it.

• MailMarshal uses the term “Local Domains” to name the specific domains for which MailMarshal functions as the Internet email gateway. The local domains should include all of the domains hosted by other email servers within the organization (such as Exchange or Groupwise servers). Messages for these domains will be delivered to fixed addresses.

• Where the address does not match any local domain, MailMarshal can be configured to deliver it either using DNS or by relaying to a specific downstream host for delivery.

Setting up Outbound Routing

Take note of how the existing email server sends email to the Internet. In general MailMarshal should be configured to use the same process. For instance, email may be delivered to a firewall or ISP (email relay), or directly using DNS.

The existing email server must be reconfigured to forward all outbound Internet email to MailMarshal.

Setting up Inbound Routing

Determine how inbound email is currently delivered to your server. If the MailMarshal server retains the IP address and server name of the previous email server (e.g. if MailMarshal is installed on the same physical server as the other email server software), then no change to inbound settings will be required.


If the MailMarshal server will have a different IP address and server name, in most cases the route must be changed to ensure that inbound email messages are sent to the MailMarshal server.

Before sending email messages to your organization, an email server on the Internet performs a DNS lookup to see which server (IP address) accepts email for your domain. The address returned may be that of your email server, firewall, proxy server or a downstream email relay (e.g. an ISP).

If email messages were formerly sent directly to your organization’s email server (i.e. the DNS MX lookup returned the email server’s IP address), then the DNS MX record should be changed to the IP address of the new MailMarshal machine. Firewall permissions may also require modification to permit SMTP delivery to MailMarshal.

If the DNS lookup returns the address of the firewall, and the firewall employs address translation, the translated address for incoming email must be changed to the address of the MailMarshal machine. If the firewall acts as an email relay, then the address to which it forwards inbound email must be changed to that of the MailMarshal machine.

If the DNS lookup returns the address of an upstream email relay, then the forwarding address setting used by that email relay should be changed to that of the new MailMarshal machine.

When Installing MailMarshal on the Existing Email Server

When MailMarshal is installed on the same machine as the existing email server software, normally no changes to the inbound routing are required. However, as MailMarshal will take over the role of listening for SMTP traffic on port 25, the existing email server must be configured to listen for SMTP traffic on another port (port 97 is usually available, but any free TCP port will do).

MailMarshal should be configured, via its Local Domains information, to forward all inbound email messages to the local machine on the new port. It is recommended that you use the localhost IP address 127.0.0.1.

The existing email server should be configured to forward all outbound email messages to the local machine (127.0.0.1) on port 25.

Installation Scenarios

MailMarshal can be installed in a variety of scenarios. More detailed instructions and some examples are given in Chapter 3, “Installation.”

1. On its own physical server, as an email relay within an organization.

In this example, all email sent from within the organization should be delivered to the email server. The email server forwards all external messages to the MailMarshal server for processing and delivery.

The DNS MX record (or the firewall’s relay setting) is also set to deliver all inbound email to the MailMarshal server.

[Diagram: Internet, Firewall, MailMarshal Server, Email Server, Workstations and Email Admin; connections labeled SMTP Port 25.]

2. As a standalone POP3/SMTP server for a small organization.

In this example, all email sent from within the organization should be sent to the MailMarshal server on port 25 for processing. Email for internal addresses will be delivered to MailMarshal’s POP3 boxes for collection by email clients using port 110. Email to and from external addresses is delivered over a dial-up or other link to an ISP.

[Diagram: Internet, ISP, Internet connection, MailMarshal Server, Workstations and Email Admin; labels SMTP Port 25 and POP3 Port 110.]

3. On the same physical server as the organization’s email server software.

All email sent from outside the organization should be delivered to the email server computer on port 25. MailMarshal forwards processed inbound email to the other server software using the “localhost” IP address and port 97. The other server sends email for outside delivery to MailMarshal at “localhost” port 25.

[Diagram: Internet, Firewall, Email Server Computer, MailMarshal, Other Email Software, Workstations and Email Admin; labels MailMarshal Port 25, Localhost Port 25 and Localhost Port 97.]

4. On a separate computer in a DMZ.

The advantage of DMZ installation is that all messages must pass through the firewall twice–there is no direct access through the firewall.

This is a variation on scenario #1. If the administrator Console is required to communicate with the MailMarshal server from the internal network, TCP port 19001 must be opened in the firewall. Use of the logging/reporting function from the internal network will require TCP port 1433 to be opened.

Note: Direct Configurator access through a firewall is not recommended since this would require opening additional NetBIOS ports. If access through a firewall is required, use of a remote access tool such as Microsoft Terminal Services is recommended.

[Diagram: Internet, Firewall, MailMarshal Server, Email Server, Workstations and Email Admin; labels TCP Port 19001 and Port 25.]

Gathering Information Before Installation

Before beginning installation of MailMarshal, information about the environment should be gathered. A basic list of required information is given below.

• The organization’s Internet domain name (e.g. ourcompany.com).

• Names of any other local domains for which MailMarshal will process email (e.g. oursubsidiaries.com).

• The IP address of the existing local email server.

• The administrator’s email address.

• The virus scanning software (with an appropriate license) to be used with MailMarshal.

• The IP addresses of DNS servers.

• Who provides DNS? What is the lead time to alter settings, if necessary?

• Are all prerequisites present? (If not, system restart may be required to install them.)

• Is a Firewall in use? If so, who administers it and what is the lead time to change settings, if necessary?

• What is the outbound email delivery method now in use?

• What is the inbound email delivery method–will any changes be required?

Chapter 3

Installation

The MailMarshal Installation process consists of two parts: installation of the software and any prerequisites onto the server, and configuration of the software to send and receive email.

Installation optionally includes setting up the MailMarshal Reports database, which stores usage information.

After installation and configuration, Rules must be customized to implement the desired policies.

The MailMarshal Server, Configurator, Console, and Reports may be installed on different computers. The Configurator and Console will always be installed on the MailMarshal server computer, but may also be installed elsewhere. MailMarshal Reports installation is covered later in this Manual.

This chapter assumes that decisions have been made as to where in the network MailMarshal will be installed, and how email will be forwarded. Several typical installation scenarios are presented in Chapter 2, “Pre-Installation.”

Procedures to Install MailMarshal Server

Preliminary Steps:

1. Log on to the server as a user with administrative privilege. Insert the MailMarshal disk into the server CD-ROM drive and select Install MailMarshal 5.5. Or, run the downloaded MailMarshal Installer file.

2. Carefully read the information given on the License Agreement page. By selecting I accept the terms of the license agreement, you agree to the terms of the License.

3. On the Select Setup Type page, select the components to be installed.

4. On the Choose Destination Location page, the default installation location is shown. To change the location, click Change then browse to the desired location.

5. Click Next, then Install to start installation. The selected components (and any required prerequisites, if installing from CD-ROM) will be installed.

6. When the Setup Wizard Completed page appears, choose whether or not to launch the Configurator. You must run the Configurator to complete the installation.

Configuration Wizard

When the MailMarshal Configurator is first run, MailMarshal launches a wizard which requests the configuration information needed to complete installation. For more information on configuration options, please refer to Chapter 17, “Server Properties.” The Wizard process includes the following steps:

Note: MailMarshal must be installed on an NTFS partition. For MailMarshal Secure it is strongly recommended that SQL Server 7.0/2000 or MSDE be available on the local system.

1. Welcome

The first page of the Configuration Wizard gives basic welcome information. Click Next to continue.

2. Configuration Source

This page allows you to create a new MailMarshal configuration or use an existing one. To create a new configuration on this server, accept the default choice This is a new single computer installation (See below).

To import a configuration (to restore a backup or use a prepared custom configuration), select I have an existing MailMarshal Configuration to import.

Enter or browse to the location of the import file. When you click Next, the Wizard will attempt to import this file. If import is successful, the Wizard will report the key details imported and continue with step 9 (An Array of MailMarshal Servers).

To import a configuration from an existing array of MailMarshal servers, select I wish to join an existing MailMarshal array. Enter or browse to the name of a MailMarshal server in the array. When you click Next, the Wizard will attempt to export the array configuration and import it to your computer. A dialog shows the progress of this process. If import is successful, the Wizard will display the next page (License Key), skip any pages not required, and continue with step 9 (An Array of MailMarshal Servers).

For additional information on the MailMarshal Array facility, see Chapter 19, “Arrays.”

3. License Key

Enter your Company Name. Enter your License Key, provided by Marshal or your local Marshal reseller. If you do not have a License Key, contact Marshal to obtain one.

Click Next. An information box will report the validity details of the key you entered.

Note: By default, when a license key becomes invalid or expires MailMarshal continues to accept messages, subject to available disk space. The email will be held in the Incoming directory and will not be processed or delivered. To change this behavior see the License Info tab of Server Properties.

4. Local Domains

This page specifies the names of local domains for which MailMarshal will accept inbound email (See below). The list should include all (and only) the domains of email addresses your organization actually uses through this gateway. (The Local Domains list should exactly match the DNS MX records pointing at this server.)

Local domains may be of two types: Relay and POP3. Email for a relay domain is sent on to another email server. Email for a POP3 domain is delivered to a mailbox hosted by the MailMarshal server. Most often there will be a single entry in this section for the local email server. However, if the email server handles more than one domain, multiple entries may be needed. Note that all relay servers defined here will also be allowed to relay outbound email through MailMarshal.

Note: If POP3 service for a domain is already provided by other software (such as Microsoft Exchange), that domain should be configured as a Relay domain in MailMarshal.

Click New to start the New Local Domain Wizard (See below). Choose whether MailMarshal will host any POP3 mailboxes for the domain. On the final page, enter the domain name. Enter the IP address of the server to which email should be relayed. Optionally enter a second email server address (used only as a fail-over if the first server does not respond).

If this is a POP3 domain, choose the action to be taken for undeliverable messages.

Click Finish to return to the Local Domains page.

Multiple Relay local domains may be entered using wildcards (e.g. *.ourbusiness.com may be entered to direct email for all subdomains of ourbusiness.com to a single address). For a description of MailMarshal’s wildcard syntax, see “Wildcards” on page 170.

Note: MailMarshal’s permanent License Keys are bound to the list of local domains specified in this list. Each time the list of domain names changes, a new key is required. Changes in IP addresses or ports, or between relay and POP3 domains, do not require a new key. For information on requesting a new key, see “License Info” on page 190.

Repeat the New Local Domain Wizard for each local domain required. When all domains have been entered, adjust the order of matching by highlighting a domain from the list and using the up and down arrows.

Note: Ensure that local domains are matched in the correct order; otherwise email may be misdirected. E.g. use the following sequence to direct email to POP3 mailboxes within MailMarshal:

pop.example.com POP3 10.2.5.4:25

*.example.com Relay 10.1.2.1:25

If this sequence is reversed, POP3 mailboxes will be ignored and all email will be delivered to the relay address, i.e. 10.1.2.1 port 25, because *.example.com will match for messages addressed to pop.example.com.
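The matching-order rule in the note above can be checked mechanically. The following is an added example, not MailMarshal code: it resolves a recipient domain against an ordered Local Domains list by first match and reports entries that an earlier wildcard makes unreachable. It assumes that * matches any run of characters; the function names and the three-column text format it parses are illustrative.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class LocalDomain(NamedTuple):
    pattern: str  # domain name; may contain '*'
    kind: str     # "POP3" or "Relay"
    target: str   # host:port that receives the mail


def parse_table(text: str) -> List[LocalDomain]:
    """Parse '<pattern> <POP3|Relay> <host:port>' lines, top of the list first."""
    table = []
    for line in text.strip().splitlines():
        pattern, kind, target = line.split()
        table.append(LocalDomain(pattern.lower(), kind, target))
    return table


def pattern_regex(pattern: str):
    # ASSUMPTION: '*' stands for any run of characters and nothing else is
    # special. MailMarshal's full wildcard syntax is not reproduced here.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def resolve(domain: str, table: List[LocalDomain]) -> Optional[LocalDomain]:
    """Return the first entry, in list order, whose pattern matches the domain."""
    for entry in table:
        if pattern_regex(entry.pattern).fullmatch(domain.lower()):
            return entry
    return None


def shadowed(table: List[LocalDomain]) -> List[Tuple[str, str]]:
    """List (hidden, hiding) pattern pairs: entries that can never be reached.

    An earlier pattern hides a later one if it matches the later pattern's own
    text, with any '*' in the later pattern absorbed by a '*' in the earlier one.
    """
    pairs = []
    for index, later in enumerate(table):
        for earlier in table[:index]:
            if pattern_regex(earlier.pattern).fullmatch(later.pattern):
                pairs.append((later.pattern, earlier.pattern))
                break
    return pairs


# The sequence from the note above, and the same two entries reversed.
GUIDE_ORDER = parse_table("""
pop.example.com POP3 10.2.5.4:25
*.example.com Relay 10.1.2.1:25
""")
REVERSED_ORDER = list(reversed(GUIDE_ORDER))

if __name__ == "__main__":
    for name, table in (("guide order", GUIDE_ORDER), ("reversed", REVERSED_ORDER)):
        hit = resolve("pop.example.com", table)
        print(f"{name}: pop.example.com -> {hit.kind} {hit.target}; "
              f"shadowed: {shadowed(table)}")
```

Running shadowed() over a planned list before entering it in the Wizard shows which specific entries need to move above a wildcard.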

5. Administrative Notifications

Administrative notifications (such as DeadLetter reports) will be sent to the address specified in the Recipient Address field. This should be a valid and appropriate mailbox or group alias. Administrative and user notifications and other automated email from MailMarshal will be sent “from” the address entered in the From Address field (See below). This should also be a valid address to allow for replies to notifications.

6. DNS Servers

MailMarshal performs DNS lookups independently of the Windows DNS settings.

The primary DNS (Domain Name Server) address used by the organization must be entered, and a secondary address is recommended (See below). These servers should be located no further away than the ISP.

Note: If MailMarshal must perform DNS lookups through a firewall, the firewall must permit both TCP and UDP based lookups.

7. Delivery

Select how you want MailMarshal to deliver external messages. Two options are available (See below):

MailMarshal will deliver external email itself: This is the default option. MailMarshal will use DNS resolution to determine the appropriate destination for outbound email and attempt to deliver messages directly.

If this option is selected, you may optionally enter the name or IP address of a fallback host. The fallback host will be used as a forwarding host for messages which MailMarshal is unable to deliver immediately (for instance, if MailMarshal encounters a DNS or greeting failure while attempting to connect to the original destination server).

MailMarshal will forward email to another SMTP server: Select this option to immediately send all outbound email (not for local domains) to a firewall or a fixed relay server (such as an ISP). The other server will be responsible for final delivery.

Enter the host name or IP address of the relay or firewall in the Forwarding Host box.

Optionally enter an alternate host (used only if MailMarshal encounters a DNS or greeting failure while attempting to connect to the main forwarding host).

8. Logging

MailMarshal can log details of the processing and delivery status of messages to a database. When logging has been enabled, the Mail History can be viewed in the Console and a wide variety of reports run from MailMarshal Reports.

To enable logging, check the I want to log message details checkbox. Check the I want to report on email attachment details checkbox to enable reporting on attachments within email messages.

To continue processing email if the log records cannot be written to the database, check the box I want MailMarshal to continue if the database becomes unavailable. To stop processing email when the database is unavailable, clear this box. (This option should be chosen if logging of traffic is essential. Email will still be accepted and held in the Incoming directory.)

The MailMarshal Console can log operator actions to the MailMarshal logging database. Logged actions include deleting messages, moving messages into or out of the mail recycle bin, emptying the mail recycle bin, passing through messages, forwarding messages and moving messages from one folder to another.

Check the box I want to log file actions to the database to enable logging of these actions. Uncheck the box to disable logging of these actions.

It is also possible to log selected types of console actions by adjusting a registry value. See the Marshal Knowledge Base for details.

Select the period for log retention (the default is 100 days). Most installations will want to retain logs for several months to allow flexibility in reporting periods.

Note: Logging console actions can make a difference to perceived console speed, especially when large numbers of messages are affected by a single action.

Click Select Database to choose the location of the SQL database where the information will be stored.

In the Create/Select Database dialog, enter the name of the SQL Server (or MSDE) computer in the first box. You can browse the network if necessary. Enter the name of the database you wish to use, and the SQL user name and password. If you believe that a MailMarshal database has previously been installed in the given location and you wish to overwrite it, check the box to recreate the database.

If more than one MailMarshal server will be logging to the same database, check the box I have more than one MailMarshal server on my site.

Note: The database password may be changed using SQL administration tools or command-line SQL entry. However, this procedure must be used with caution if other applications may be using the database. For further information please see Marshal Knowledge Base article Q10251.

9. An Array of MailMarshal Servers

If you have joined an array, or the box I have more than one MailMarshal server on my site is checked on the Logging page, this page is displayed. Select a letter from the drop-down box to uniquely identify logging records from this MailMarshal Server. If you have joined an array, letters already in use will not be shown.

If a configuration has been imported, the box I have more than one MailMarshal server on my site appears on this page. If more than one MailMarshal server will be logging to the same database, check the box then select a letter.

10. Finished

Basic configuration of the MailMarshal Server is now complete. The MailMarshal Configurator starts automatically on completion of the Wizard.

Changes to the configuration may be made through the Tools > Server Properties menu in the Configurator. Several additional and advanced selections, including dial-up configuration, are also available in that menu. For complete information see Chapter 17, “Server Properties.”

To configure S/MIME (MailMarshal Secure) settings, check the box and the appropriate tab of Server Properties will be presented when the Wizard exits.

Before MailMarshal can be put into production, the following steps should be taken within the MailMarshal Configurator:

1. Configure virus scanners within MailMarshal, if desired. Most installations use a virus scanner. See Chapter 8, “Virus Scanners.”

2. Customize Rulesets and enable Rule processing. See Chapter 5, “Rulesets and Rules.”

3. Start MailMarshal Services.

The following additional steps may be required:

1. Configure an existing email server to pass email through MailMarshal.

2. Install and configure third party virus scanning software.

Configuring an Existing Email Server

Typically MailMarshal receives inbound email, processes it, then relays it to the organization’s internal email server as specified in the Local Domains list. Outbound email is passed from the internal email server to MailMarshal for processing and external delivery. For a variety of installation scenarios, see Chapter 2, “Pre-Installation.”

The internal email server software must be configured to send outgoing email to MailMarshal for processing and delivery.

Where MailMarshal is installed on the same computer as the existing email server software, the two applications must use different “ports” to receive email. In this case, the following steps are typically necessary:

• As the MailMarshal receiver is now accepting SMTP traffic on port 25, change the SMTP port that the other email server uses for SMTP (port 97 is usually available, although any free TCP port will do).

• Configure the other email server software to forward all Internet email to the local machine (use the “localhost” IP address 127.0.0.1, port 25).

• Check that MailMarshal is configured, via its Local Domains information, to forward all inbound email to the local machine on the alternative port (again, use the localhost IP address and port, e.g. 127.0.0.1:97).

Specific details for configuring Microsoft Exchange 5.5 and Lotus Notes 4 and 5 are given in Appendix A, “Other Email Servers.” For more detailed information, and to configure other email server software, please refer to the product documentation for the other software. The Marshal Knowledge Base also contains some additional setup information.

MailMarshal and Proxy Servers

MailMarshal can be installed in the same network as a proxy server, such as Microsoft ISA Server or Microsoft Proxy Server 2.0. There are two possible scenarios:

• MailMarshal can be installed on a machine “inside” the proxy server (on the trusted network) when the proxy server has two network cards. This scenario will require the proxy server to be configured to route incoming connection requests through to the MailMarshal receiver.

• MailMarshal can be installed as an email gateway separate to the proxy server. In this case, MailMarshal could be installed on the same machine as the proxy server and could replace an existing email relay. MailMarshal could also be installed on a separate machine with two network cards and be used to route email from the Internet to an internal email server.

Information on configuring MailMarshal with Microsoft Proxy 2.0 is available in Marshal Knowledge Base article Q10279. Information on configuring MailMarshal with Microsoft ISA Server is available in Marshal Knowledge Base article Q10380. To obtain information on configuring other proxy server software, contact the proxy software manufacturer.

Note: Microsoft Proxy can be configured to implement security at user level. Where this has been done, MailMarshal should initially be configured to run under the same user account as your existing email server, email relay or gateway.

MailMarshal Console Installation

The MailMarshal Console provides day-to-day administrative access to the MailMarshal server and email stream, including a real-time view of email processing and management of rejected and quarantined messages. The console is installed automatically on the MailMarshal Server when a server install is performed. If the MailMarshal Console software is to be used on any other machine it must also be installed on that machine. It may be installed directly from the MailMarshal CD-ROM or from an install folder copied from the CD-ROM. For a list of software prerequisites for the Console, see Chapter 2, “Pre-Installation.”

To install the MailMarshal Console:

1. Log in with sufficient access rights to install software onto the local machine and to access the install folder for MailMarshal.

2. Run the MailMarshal installation program or setup.exe to install the MailMarshal Console software.

3. Under Setup, select Custom Setup and choose only the MailMarshal Console component.

4. Run the newly installed software.

5. If the MailMarshal Server is not running on the same machine, a Change Server dialog will prompt for the IP Address or name of the MailMarshal Server machine. This dialog can be reached at any time by right-clicking on the MailMarshal Console folder in the Console menu tree.

Configuration information for MailMarshal Console is stored in the client machine registry.

Note: Whenever you update or upgrade the MailMarshal Server you must also upgrade the Console on remote machines.

Console Security Issues

MailMarshal Console uses the Windows secure RPC mechanism to communicate (via TCP port 19001) with the MailMarshal Server. A console user must have an account and password that can be validated by the MailMarshal Server. If the MailMarshal machine is in a different domain you can either set up a trust relationship or create local accounts on the MailMarshal Server computer. If the Console and the Server are separated by a firewall (e.g. if the Server is located in a DMZ), port 19001 must be opened in the firewall to allow remote Console access.

To view the messages in the quarantine folders the account in use must have read access to the folders. If you wish to make changes to items (e.g. forward email, kill messages) the account will also need write access. Access to the folders should be limited by using Windows security.

To implement access control for other features, edit the access permissions on the MailMarshal.key file (in the MailMarshal folder on the server). Read access to this file allows the user to view the service status, queued domains and mail history. Write access to this file gives the ability to kill messages, dial now, retry domains and reload services.

Note: To change the Console communication to another port, see the Advanced Properties dialog found on the Advanced tab of Server Properties.

MailMarshal Configurator Remote Installation

The MailMarshal Configurator software provides access to all setup functions for MailMarshal, including server configuration and setup of Rules and Rule elements. The Configurator is installed automatically on the MailMarshal Server when a server install is performed. If the MailMarshal Configurator software is to be used on any other machine it must also be installed on that machine. It may be installed directly from the MailMarshal CD-ROM or from an install folder copied from the CD-ROM. For a list of software prerequisites for the Configurator, see Chapter 2, “Pre-Installation.”

To install the MailMarshal Configurator:

• Log in with sufficient access rights to install software onto the local machine and to access the install folder for MailMarshal.

• Run the MailMarshal installation program to install the MailMarshal Configurator software.

• Under Custom Setup, select only the MailMarshal Configurator component.

• Run the newly installed software.

• If the MailMarshal Server is not running on the same machine, a Change Server dialog will prompt for the IP Address or name of the MailMarshal Server machine. This dialog can be reached at any time by right-clicking on the MailMarshal Configurator element in the left pane of the Configurator.

Note: It is not recommended to connect the Configurator to the MailMarshal Server through a firewall, as additional NetBIOS ports must be opened to make this possible. If access through a firewall is required, use of a remote access tool such as Microsoft Terminal Server is recommended.

Note: Whenever you update or upgrade the MailMarshal Server you must also upgrade the Configurator on remote machines.
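The firewall requirements stated for the DMZ scenario in Chapter 2, under Console Security Issues, and in the Configurator note above can be checked against a rule list. The following added example (not part of MailMarshal) audits a constructed set of permit rules, one weak and one corrected. The zone names, rule format and finding codes are assumptions, as is placing the logging database in the DMZ with the MailMarshal server.

```python
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    src: str    # zone: "internet", "dmz" or "internal" (assumed names)
    dst: str
    proto: str  # "tcp" or "udp"
    lo: int     # first permitted destination port
    hi: int     # last permitted destination port


# NetBIOS name (137/udp), datagram (138/udp) and session (139/tcp) services.
NETBIOS = (("udp", 137), ("udp", 138), ("tcp", 139))


def parse_rules(text: str) -> List[Rule]:
    """Parse permit rules written as '<src> <dst> <proto> <port|lo-hi|any>'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, ports = line.split()
        if ports == "any":
            lo, hi = 1, 65535
        else:
            first, _, last = ports.partition("-")
            lo, hi = int(first), int(last or first)
        rules.append(Rule(src, dst, proto, lo, hi))
    return rules


def allows(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    return any(r.src == src and r.dst == dst and r.proto == proto
               and r.lo <= port <= r.hi for r in rules)


def audit(rules: List[Rule], remote_console: bool,
          remote_reports: bool) -> List[Tuple[str, str]]:
    """Compare the rules with the guide's DMZ advice; return (code, detail) pairs."""
    findings = []
    # ASSUMPTION: Console and Reports run on the internal network and connect
    # to the MailMarshal server and its logging database in the DMZ.
    needed = [("tcp", 19001, "Console", remote_console),
              ("tcp", 1433, "logging/reporting", remote_reports)]
    for proto, port, use, wanted in needed:
        is_open = allows(rules, "internal", "dmz", proto, port)
        if wanted and not is_open:
            findings.append(("MISSING", f"internal->dmz {proto}/{port} ({use})"))
        elif is_open and not wanted:
            findings.append(("UNNEEDED", f"internal->dmz {proto}/{port} ({use})"))
    # Configurator access through the firewall would need NetBIOS ports.
    for proto, port in NETBIOS:
        for src, dst in (("internal", "dmz"), ("dmz", "internal")):
            if allows(rules, src, dst, proto, port):
                findings.append(("NETBIOS", f"{src}->{dst} {proto}/{port}"))
    # In the DMZ scenario nothing passes straight between Internet and LAN.
    for r in rules:
        if {r.src, r.dst} == {"internet", "internal"}:
            ports = str(r.lo) if r.lo == r.hi else f"{r.lo}-{r.hi}"
            findings.append(("BYPASS", f"{r.src}->{r.dst} {r.proto}/{ports}"))
    return findings


# Constructed sample rule sets (not taken from any real firewall).
WEAK_RULES = parse_rules("""
internet dmz      tcp 25
dmz      internet tcp 25
dmz      internal tcp 25
internal dmz      tcp 25
internet internal tcp 25       # direct path that skips the DMZ host
internal dmz      tcp 135-139  # opened so the Configurator can connect
internal dmz      udp 137-138
""")
CORRECTED_RULES = parse_rules("""
internet dmz      tcp 25
dmz      internet tcp 25
dmz      internal tcp 25
internal dmz      tcp 25
internal dmz      tcp 19001    # remote Console
internal dmz      tcp 1433     # logging/reporting
""")

if __name__ == "__main__":
    for code, detail in audit(WEAK_RULES, remote_console=True, remote_reports=False):
        print(code, detail)
```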

Uninstalling MailMarshal

Use the following steps to uninstall MailMarshal.

1. Before uninstalling, ensure that any settings changes made to the email system (e.g. the DNS MX records and email server settings) are revised to exclude MailMarshal from email processing.

2. If you are uninstalling one member of an array, use the MailMarshal Configurator to remove the server from the array. For more information, see Chapter 19, “Arrays.”

3. Uninstall MailMarshal using the Control Panel Add/Remove Programs applet. System restart may be suggested to remove some files.

4. Uninstall the MailMarshal Configurator, Console and Reports software on workstations.

5. If appropriate, drop the MailMarshal and MailMarshalCertStore databases using SQL administration tools.

Chapter 4

Monitoring and Control

Operation of MailMarshal is monitored and controlled through three applications: the Configurator, the Console and the Reports. Additional monitoring and control functions are available through the Windows Event Log, Windows Performance Counters, and the Message Release external command.

Detailed information on the Console, Reports, and External Commands (including Message Release) is provided in other chapters of this manual.

The Configurator

The MailMarshal Configurator is used to set up and modify the Rules and rule elements that control how email is processed by the MailMarshal Server. The Configurator also allows advanced setup and modification of the Server Properties, which determine how MailMarshal sends and receives email. The Configurator is always installed on the MailMarshal Server computer during initial setup. It may also be installed on any workstation.

The MailMarshal Configurator is implemented as a snap-in to the Microsoft Management Console (MMC). For general information and tips about the MMC, see Chapter 22, “MailMarshal and the MMC.” This manual assumes that the MMC is displaying both the left (menu tree) and right (details) panes.


Start the Configurator from the Start menu. Ensure that the MailMarshal Configurator folder is expanded. The left menu pane presents the top level functions of MailMarshal. Detailed information is presented in the right pane.

The following elements are available in the Configurator. Many of these elements are covered in more detail in following chapters of this manual.

Note: The Configurator should be closed when it is not actively in use. Automatic processes such as Category Script updates and array replication will be affected if unused Configurators are running. Only one instance of the MailMarshal Configurator can be active per MailMarshal Server. Attempting to start a second Configurator results in the notice “MailMarshal settings are locked.”


Server Properties

Click Tools > Server Properties in the menu to view the MailMarshal Server Properties dialog. The various tabs of this dialog allow setup of MailMarshal’s email delivery and receipt options, report logging database, and receiver Header Rewrite function, as well as several minor options. Backup and restore of the MailMarshal configuration is also available. Detailed information on this dialog is available in Chapter 17, “Server Properties.”

Configurator Root

When the Configurator is connected to a running MailMarshal Server, the server icon (captioned MailMarshal Configurator) shows a green arrow. If the Configurator is connected to another server (not the local computer), the name of the server is shown in the caption. When changes to the Rules or rule elements have been made in the Configurator but not yet reloaded on the Server, the caption will be followed by -*-. If the changes require the services to be restarted, the caption will be followed by -!-. To reload the Server or restart the services, click the Reload icon on the toolbar. Changes will take effect immediately. Restarting the services takes only a few seconds and does not seriously affect email flow.

Services and Arrays

When this item is selected in the left pane, the status of the MailMarshal services is shown in the right pane. These will include the Engine, Receiver, and Sender. They may also include the POP3 service if this option has been configured, and the Encrypt and Decrypt services if MailMarshal Secure is installed and enabled. If this MailMarshal server is a member of an array, summarized information about all members of the array is shown.

To start or restart the MailMarshal services, click the Restart icon in the toolbar. To stop the services, click the Stop icon in the toolbar. To reload the Server, click the Reload icon on the toolbar.

If this server is a member of an array, these actions can optionally be applied to the entire array or the local server.


An individual service may also be started or stopped by right-clicking it and then selecting the appropriate menu item. The start/stop status of these services persists through server restarts.

More information about arrays is available in Chapter 19, “Arrays.”

User Preferences

By default, MailMarshal prompts the user when the configuration must be reloaded or services restarted. These prompts may be disabled through a selection on the prompting message boxes. The prompts and default behavior may be set from the Tools > Preferences menu.

Rulesets

Select this item to view a list of MailMarshal’s Rulesets in the right pane. Rulesets contain the Rules which determine how email messages are processed. Rules may depend on recipient, message size, and other factors. Available actions include content scanning, third-party virus scanning, message stamping, and others. For detailed information on Rules and Rulesets, see Chapter 5, “Rulesets and Rules.”

Note: When this item is selected, click the Print icon in the toolbar to view and optionally print a list of all currently configured Rulesets and Rules.

User Groups

Select this item to view a list of MailMarshal’s User Groups. These Groups may be used to apply different Rules to various email users–for instance, to apply different message stamps to outbound email from various departments. User Groups may be created within MailMarshal or imported via LDAP from any available directory server. For detailed information see Chapter 6, “User Groups.”


POP3 Accounts

Select this item to view a list of POP3 accounts which have been set up on the MailMarshal server. MailMarshal is effective as a POP3 server for up to 300 users. POP3 accounts may also be used to provide relay access to MailMarshal’s rule processing and SMTP sending abilities for remote users, even if inbound email is not delivered to POP3 mailboxes. For detailed information please see Chapter 7, “POP3 Accounts.”

Virus Scanners

Select this item to view a list of third-party virus scanners which have been configured for use by MailMarshal. Scanners in the list may be used to check message content and attachments. For more information on configuring virus scanners, please see Chapter 8, “Virus Scanners.”

External Commands

Select this item to view a list of external commands which MailMarshal can invoke. Most command-line executable programs can be used in this way. DLLs can also be invoked. External commands can be used either to test the content of a message, or to perform an action as a result of a condition being triggered by a message. For more information, please see Chapter 9, “External Commands.”

Folders

Select this item to view a list of folders into which MailMarshal can place email items. Folders may be used to quarantine items based on content, to take copies of selected items, and to park messages for later delivery. Folder names, subfolders, and physical locations may be changed. For more information please see Chapter 10, “Folders.”

Email Templates

Select this item to view a list of templates which may be used when MailMarshal sends an automated message. Templates may contain variables and may have attachments. They can be created and modified to suit any need. For more information please see Chapter 11, “Email Templates.”


TextCensor Scripts

Select this item to view a list of MailMarshal’s TextCensor Scripts. These Scripts are used within Rules to review the content of email messages and attachments. A number of scripts are installed by default. They may be edited and new scripts added. For more information, please see Chapter 12, “TextCensor Scripts.”

Logging Classifications

Select this item to view a list of classifications available when message traffic is logged by MailMarshal. Classifications may be added and modified to suit local need. For more information, please see Chapter 13, “Logging Classifications.”

Message Stamps

Select this item to view a list of message stamps which may be appended by MailMarshal. Stamps may be used for disclaimers, or to notify a recipient of action taken by MailMarshal. Message stamps may be in HTML and plain text format, and may be inserted at the top or bottom of an email message. For more information please see Chapter 14, “Message Stamps.”

LDAP Connections

Select this item to view a list of LDAP (Lightweight Directory Access Protocol) server connections which have been configured in MailMarshal. LDAP allows MailMarshal to populate User Groups from remote directory servers. LDAP is also used by MailMarshal Secure to retrieve user Certificates from a remote store. For more information on configuring LDAP connections, please see Chapter 16, “LDAP Connections.” Information on LDAP User Groups may be found in Chapter 6, “User Groups”; information on using LDAP certificate stores is found in the chapter “Secure Email Rules” of the MailMarshal Secure User Guide.


Secure Email

Select this item to work with items related to email signing and encryption. These features are only available if MailMarshal Secure has been installed and enabled. For more information please see the MailMarshal Secure Manual.

News and Support

Select this item to view the Marshal website in the right pane. This site features the latest support information, including a Knowledge Base and a User Forum. To access the full range of resources, customers should log in to the site. Obtain login details, if necessary, by contacting Marshal.

Windows Event Log

MailMarshal logs a number of events and alerts to the Windows Event Log. Each event type is given a unique Event ID number. These events may be reviewed in the Event Viewer. They may also be used to trigger automatic actions (e.g. pages, service restarts, or popup notifications) via third-party products. The Event Log may be opened from the Configurator by selecting Tools > Open Event Viewer.

Windows Performance Counters

Each core service of MailMarshal (the Engine, Receiver, and Sender) makes several counters available to the Windows Performance Monitor. The Performance Monitor may be opened from the Configurator by selecting Tools > Open Performance Monitor.


Please see the Performance Monitor documentation for full information on its capabilities including remote monitoring.

Note: After installation of MailMarshal, system restart may be required before the MailMarshal Performance Counters are visible in the Performance Monitor.


Chapter 5

Rulesets and Rules

Rules define how MailMarshal treats email messages. For convenience, all Rules are defined within Rulesets (groups of Rules that share base User Matching conditions). Conditions defined for a Ruleset must be satisfied before any Rule in that Ruleset is evaluated.

An organization may have just a few Rulesets, or many. For example, one Ruleset might apply to all messages outbound from the organization, and another Ruleset apply to all inbound messages. Alternatively or in addition, an organization may be divided into departments, with Rules governing email to and from each department grouped into a separate Ruleset. While some default Rulesets and Rules are provided with MailMarshal, changes and additions should be made to meet local needs. A minimum of two Rulesets is recommended: one for incoming email and one for outgoing email.

Each Rule has three parts: User Matching, Conditions, and Actions. The User Matching and Conditions sections are used to evaluate each message. Messages which meet the specified criteria are subjected to the specified Actions.


Best Practices

A wide variety of Rules may be created within MailMarshal. Marshal recommends the following basic practices to ensure security and ease of administration:

• Keep rules simple. Simple rules are easier to debug and often faster to run.

• Archive messages. Archiving gives an extra layer of backup in case of email server or delivery problems, as well as being useful for rule testing.

• Block most attached files by default (both by file extension and by file type). MailMarshal is shipped with example Rules to accomplish this.

• Block password protected attachments.

• Block encrypted attachments (e.g. files of type ‘Encrypted Word Document’).

• Block encrypted messages which MailMarshal cannot decrypt (e.g. PGP messages, and S/MIME messages if MailMarshal Secure is not installed).

• Subscribe to email notification lists for virus outbreaks (such lists are offered by many anti-virus software companies). When an outbreak occurs, block the offending messages by subject line or other identifying features.


Viewing and Printing Rulesets

To view and optionally print a list of all currently configured Rulesets and Rules, first select Rulesets in the left pane of the Configurator. Click the Print icon in the toolbar to view the Ruleset and Rule definitions in a new window (see example below). To view an individual ruleset, select that ruleset in either pane and click the Print icon.


Creating a Ruleset

To create a Ruleset, in the MailMarshal Configurator, select Rulesets in the left pane. Then click the New Ruleset icon in the toolbar to start the New Ruleset Wizard.

Select the conditions under which the Ruleset should be used by checking boxes in the upper pane. Scroll down to see the full list of conditions. The conditions selected will be presented in the lower pane.

Where the matching condition requires specific information to be completed, the incomplete information appears in the rule description as a red hyperlink. Click on the hyperlink to bring up a dialog allowing this information to be entered. Where specific information has been entered the rule description displays the specifics as a blue hyperlink; click on this link to edit them.


Clicking on the hyperlink People opens the Enter Users dialog.

This dialog presents a list of MailMarshal User Groups. Expand any group in the right pane of this dialog to see its members. Double-click on any user group or individual address to add it to the list.

A new user may be added to the list by clicking New User. A new User Group may be created by clicking New User Group.

Once the ruleset has been created the group should be populated using the functions available in the User Groups item of the Configurator tree.

Delete a group or address from the list by clicking Delete. Close this dialog and return to the New Ruleset Wizard by clicking OK.


On the final page of the New Ruleset Wizard, give the Ruleset a name.

Choose whether to enable the Ruleset. Optionally choose a starting and/or ending date for the Ruleset to be enabled. Check the boxes for “from” and “to” then enter dates, or click the arrow to view a calendar.


Optionally choose a daily or weekly schedule for the Ruleset. Check the box then click Schedule to open the Ruleset Schedule dialog.

Alter the schedule block if desired:

• Drag using the left mouse button to add to the blue “enabled” area.

• Drag using the right mouse button to erase from the blue “enabled” area.

• To reset the schedule to the default time block, click on Set Default Schedule.

• Choose to “snap” the schedule times to the nearest full, half or quarter hour using the Snap to menu.

Click OK to save the schedule, or Cancel to lose any changes.

Finally, choose whether to launch the New Rule Wizard. A Ruleset must contain at least one Rule to have any effect.


Editing a Ruleset

To edit a Ruleset, in the MailMarshal Configurator, select Rulesets in the left pane. Right click the Ruleset to be edited in the right pane and select Properties from the context menu. The Ruleset is presented in a dialog with two tabs, “General” and “Filtering”, which allow all information in the Ruleset to be modified.

To Copy or Move Rules Between Rulesets

To move a Rule between Rulesets, select the Rule’s parent Ruleset in the left pane of the Configurator. Drag the desired rule from the list in the right pane to a different Ruleset in the left pane.

To copy a Rule, hold down the <CTRL> key while dragging the Rule.

To Enable or Disable a Ruleset

To enable or disable a Ruleset, edit it then check or uncheck the box Enable ruleset after next reload. Alternatively, right click the Ruleset in the right pane and select All Tasks > Enable or All Tasks > Disable from the popup menu.

Order of Evaluation

The order in which Rulesets and Rules are evaluated is significant. Certain Rule actions are terminal (they stop further Rule processing). This is indicated in the Rule description.

For instance, a virus scanning rule will normally be evaluated first, and if a virus is found the message will be quarantined immediately–no further rules will be evaluated.

Rulesets are evaluated in “top down” order as shown in the Configurator.


Adjusting the Order of Evaluation of Rulesets

To adjust the order of evaluation of Rulesets, select Rulesets in the menu pane. Select a Ruleset in the right pane, and move it up or down using the arrows in the toolbar. Click the Reload Server Rules icon to effect the change in order.

Adjusting the Order of Evaluation of Rules

To adjust the order of evaluation of Rules, expand a Ruleset. Select a Rule in the right pane, and move it up or down using the arrows in the toolbar. Click the Reload Server Rules icon to effect the change in order.

Note: A rule containing a “Goto” action (Pass the message to rule) cannot be moved below the rule it is set to go to. Attempting such a move raises a warning notice. See “Rule Conditions–Standard Rules” on page 61 for more information.

Creating a New Rule

To create a new Rule, in the left pane of the Configurator, expand the Ruleset that should contain the new Rule. Click the New Rule icon in the toolbar to start the Rule Wizard.

On the first page of the Rule Wizard, select the appropriate rule type.

Standard Rules
These rules are processed by the MailMarshal Engine and offer the full range of Conditions and Actions. Most rules will be of this type.

Receiver Rules
These rules are processed by the MailMarshal Receiver before the receipt of the message body. A limited number of conditions is available for Receiver Rules. The advantage of Receiver Rules is that they may reduce traffic volume by refusing delivery of messages before the body is received.


Secure Email Rules (available only when MailMarshal Secure is enabled)
These rules control the encryption, decryption and signing of S/MIME messages. For information on Secure Email Rules, please see the chapter “Secure Email Rules” in the MailMarshal Secure User Guide.

The next page of the Rule Wizard, User Matching, specifies to whom the rule will apply.

Check the appropriate boxes in the upper pane to add matching conditions to the rule description. Scroll down to see the full list of conditions.

Note: If no User Matching boxes are checked, the Rule will apply to all messages (subject to the limitations imposed by the parent Ruleset). Matching conditions determined by the parent Ruleset are displayed in grey text and cannot be edited here. If these conditions must be changed, edit the properties of the parent Ruleset.


Where the matching condition requires specific information to be completed, the incomplete information appears in the rule description as a red hyperlink. Click on the hyperlink to bring up a dialog allowing this information to be entered. Where specific information has been entered the rule description displays the specifics as a blue hyperlink; click on this link to edit them.

The third page of the Rule Wizard, Conditions, specifies other tests to be performed on the message and its attachments. Choices are made as on the previous page. Detailed lists of Conditions are presented later in this chapter.

The fourth page of the Rule Wizard, Actions, sets the actions to be taken if a message meets the specified conditions. Choices are made as on the previous pages. Detailed lists of Actions are presented later in this chapter.


The fifth and final page of the Rule Wizard, Finish, presents the complete Rule in the description pane where it may be edited. The rule must be named. By default the rule is “turned on” (used to process messages).

Note: New Rules and changes do not take effect until the Rules are reloaded (using either the Reload Server Rules icon in the toolbar or the menu item Tools > Reload Rules on Server).


Copying a Rule

To copy a Rule, right-click it in the Configurator. To make a copy in the current Ruleset, choose Duplicate from the context menu. To make a copy in another Ruleset, choose Copy from the context menu; then right-click the target Ruleset and choose Paste.

Editing a Rule

To edit a Rule, double click it in the right pane of the Configurator. The rule will be presented in the Finish page of the Rule Wizard. Hyperlinked details may be edited from this pane. If more basic changes to conditions or actions are required, use the Back button to view the User Matching, Conditions, and Actions pages.

User Matching Criteria

When creating Rulesets and Standard and Receiver Rules, the following User Matching criteria are available:

Where message is incoming
Action will be taken if the message is addressed to a domain within MailMarshal’s Local Domains list.

Where message is outgoing
Action will be taken if the message is addressed to a domain outside MailMarshal’s Local Domains list.


Where addressed to people
Action will be taken if a recipient of the message is found in the list of addresses specified. See “Creating a Ruleset” on page 50 for details on choosing which “people” are included in these conditions.

Where addressed from people
Action will be taken if the sender of the message is found in the list specified.

Where addressed either to or from people
Action will be taken if a recipient or sender of the message is found in the list specified.

Where addressed both to and from people
Action will be taken if the sender of the message is found in the first list specified, and the recipient of the message is found in the second list specified.

Except where addressed to people
Action will not be taken if a recipient of the message is found in the list specified.

Except where addressed from people
Action will not be taken if the sender of the message is found in the list specified.

Except where addressed either to or from people
Action will not be taken if a recipient or sender of the message is found in the list specified.

Except where addressed both to and from people
Action will not be taken if the sender of the message is found in the first list specified, and the recipient of the message is found in the second list specified.

Note: Whenever a list of “people” is required in a condition, the list may contain individual email addresses, domains, and MailMarshal user groups.

Note: “Except” matching criteria are the key to creating exception based policies. Rules which apply to all recipients with the exception of small specific groups help to ensure that security policies are uniformly applied. For instance, a rule may apply Where the message is incoming except where addressed to Managers.


Rule Conditions–Standard Rules

The following conditions are available for use in Standard Rules. They are further explained below:

• Where message attachment is of type

• Where attachment fingerprint is/is not known

• Where message size is

• Where the estimated bandwidth required to deliver this message is

• Where message contains attachment(s) named (file names)

• Where message triggers text censor script(s)

• Where the result of a virus scan is

• Where the external command is triggered

• Where attachment parent is of type

• Where message attachment size is

• Where number of recipients is count

• Where message contains one or more headers (header match)

• Where number of attachments is count

• Where message is categorized as category

• Where message spoofing analysis is based on criteria

Note: If many conditions are specified in a single rule they must all be satisfied for the Rule action to be taken. To match any of several single conditions, place each one in its own Rule. It pays to keep rules simple and ensure they are logical–it is possible to create nonsensical rules in MailMarshal!
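The evaluation semantics described in this chapter (Ruleset matching as a gate, top-down order, "Except" matching, all conditions in a Rule required, terminal actions ending processing) can be checked against a small model. This is an added example, not part of the guide and not MailMarshal code; the class names, the sample policy, the group membership and the addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Message:
    sender: str
    recipients: List[str]
    incoming: bool                      # True when addressed to a Local Domain
    size_bytes: int = 0
    attachment_names: List[str] = field(default_factory=list)
    virus_found: bool = False


def in_people(address: str, people: List[str], groups: Dict[str, Set[str]]) -> bool:
    """A "people" list may hold addresses, domains and user group names."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    for entry in people:
        for member in groups.get(entry, {entry}):
            if member.lower() in (address, domain):
                return True
    return False


@dataclass
class UserMatch:
    direction: Optional[str] = None          # "incoming", "outgoing", None = any
    to: Optional[List[str]] = None           # Where addressed to people
    except_to: Optional[List[str]] = None    # Except where addressed to people

    def matches(self, msg: Message, groups: Dict[str, Set[str]]) -> bool:
        if self.direction is not None and (self.direction == "incoming") != msg.incoming:
            return False
        hit = lambda people: any(in_people(r, people, groups) for r in msg.recipients)
        if self.to is not None and not hit(self.to):
            return False
        if self.except_to is not None and hit(self.except_to):
            return False
        return True


@dataclass
class Rule:
    name: str
    action: str
    terminal: bool = False                   # terminal actions stop rule processing
    users: UserMatch = field(default_factory=UserMatch)
    conditions: List[Callable[[Message], bool]] = field(default_factory=list)


@dataclass
class Ruleset:
    name: str
    users: UserMatch
    rules: List[Rule]


def evaluate(rulesets: List[Ruleset], msg: Message,
             groups: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (ruleset, rule, action) for every rule that fires, in order."""
    taken = []
    for rs in rulesets:                              # top-down, as listed
        if not rs.users.matches(msg, groups):
            continue                                 # Ruleset gate not satisfied
        for rule in rs.rules:
            if not rule.users.matches(msg, groups):
                continue
            if all(cond(msg) for cond in rule.conditions):   # every condition must hold
                taken.append((rs.name, rule.name, rule.action))
                if rule.terminal:
                    return taken
    return taken


# Constructed policy and group membership.
GROUPS = {"Managers": {"ceo@example.com", "cfo@example.com"}}
has_script = lambda m: any(n.lower().endswith(".vbs") for n in m.attachment_names)
POLICY = [
    Ruleset("Inbound", UserMatch(direction="incoming"), [
        Rule("Virus scan", "quarantine", terminal=True,
             conditions=[lambda m: m.virus_found]),
        Rule("Block scripts", "quarantine", terminal=True,
             users=UserMatch(except_to=["Managers"]), conditions=[has_script]),
        Rule("Copy large multi-recipient mail", "copy to folder",
             conditions=[lambda m: m.size_bytes > 1_000_000,
                         lambda m: len(m.recipients) >= 3]),
        Rule("Stamp", "stamp message"),
    ]),
    Ruleset("Outbound", UserMatch(direction="outgoing"), [
        Rule("Disclaimer", "stamp message"),
    ]),
]


def fired(msg: Message) -> List[str]:
    return [rule for _, rule, _ in evaluate(POLICY, msg, GROUPS)]
```

Moving "Stamp" above "Virus scan" in POLICY shows the effect of ordering: the stamp would then also be applied to messages that are subsequently quarantined.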


Where message attachment is of type

MailMarshal checks the structure of all attached files to determine their type. Over 175 types are recognized as of this writing. Selecting the hyperlink file types opens a selection dialog including several categories of files.

Select an entire category by checking the associated box. Expand any category to see the list of types included, and check the required boxes. When satisfied click OK to return to the Rule Wizard.

Note: Additional types can be added locally by entering the signature information in a file. Information on the required procedures and structure of the file can be found in Marshal Knowledge Base article Q10199.


Where attachment fingerprint is/is not known

The “fingerprint” identifies a specific file (such as a particular image). Click the hyperlink and choose to base the condition on fingerprints which are known or unknown. To add a file to the list of “known” files, use the “add to valid fingerprints” rule action, or select Add Fingerprints while processing messages in the Console (see Chapter 5, “Rulesets and Rules” for further information). To delete a file from the list of “known” files, delete the file from the ValidFingerprints subfolder of the MailMarshal install folder then reload the MailMarshal configuration.

Files may also be made known by placing them in the ValidFingerprints subfolder and restarting the Engine; however, this must be done with care. See Marshal Knowledge Base article Q10543 for further information.

Note: This condition may be useful to exclude certain images, such as corporate logos or signatures, from triggering quarantine rules. E.g. to take action only on unrecognized images, use the following conditions:
When a message arrives
Where message attachment is of type IMAGE
And where attachment fingerprint is not known

Where message size is

The size of the entire message, before unpacking, will be considered. Choose a size and matching method using the Message Size dialog.

Note: MailMarshal checks the size of the received message in its encoded format. This is typically 33% larger than the size reported by an email client.


Where the estimated bandwidth required to deliver this message is

The bandwidth required to deliver a message is calculated by multiplying the message size by the number of unique domains to which it is addressed. The intended use of this criterion is to move high-bandwidth messages to a “parking” folder for delivery outside peak hours. They could also be blocked entirely.
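To see how the encoded size and the bandwidth estimate relate to what a user sees in a mail client, the following added example (not from the guide and not MailMarshal code) builds a message with Python's standard email package, measures its size as transmitted, and applies the size-times-unique-domains formula above. The addresses, the attachment and the function names are constructed, and treating domains as case-insensitive when counting them is an assumption.

```python
import email.policy
from email.message import EmailMessage
from typing import Dict, List


def build_message(recipients: List[str], attachment: bytes) -> EmailMessage:
    """Constructed sample message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="figures.bin")
    return msg


def encoded_size(msg: EmailMessage) -> int:
    """Bytes on the wire: headers, base64 body and CRLF line endings."""
    return len(msg.as_bytes(policy=email.policy.SMTP))


def unique_domains(recipients: List[str]) -> int:
    """Number of distinct recipient domains (compared case-insensitively)."""
    return len({r.rsplit("@", 1)[-1].lower() for r in recipients})


def estimated_bandwidth(size_bytes: int, recipients: List[str]) -> int:
    """Message size multiplied by the number of unique recipient domains."""
    return size_bytes * unique_domains(recipients)


def client_visible_limit(rule_limit_bytes: int, overhead_ratio: float) -> int:
    """Approximate attachment size at which a rule set at rule_limit_bytes
    (encoded size) starts to trigger."""
    return int(rule_limit_bytes / overhead_ratio)


# Constructed sample data: four recipients in two domains, 51,200-byte file.
RECIPIENTS = ["ann@example.com", "bob@example.com",
              "carol@example.org", "dave@EXAMPLE.ORG"]
ATTACHMENT = bytes(range(256)) * 200


def demo() -> Dict[str, float]:
    msg = build_message(RECIPIENTS, ATTACHMENT)
    wire = encoded_size(msg)
    ratio = wire / len(ATTACHMENT)     # base64: 3 bytes -> 4 chars, plus line breaks
    return {
        "raw_bytes": len(ATTACHMENT),
        "wire_bytes": wire,
        "ratio": ratio,
        "domains": unique_domains(RECIPIENTS),
        "bandwidth": estimated_bandwidth(wire, RECIPIENTS),
        "trigger_point_for_10MB_rule": client_visible_limit(10_000_000, ratio),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```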

Where message contains attachments named

Enter a list of file names, separated by semi-colons. The * and ? wildcards are supported (e.g. *.SHS;*.VBS;*.DO?). This condition is particularly useful for quickly blocking dangerous file types such as VBS, or known virus attachments such as “creative.exe”. However, it checks only the file name and not the internal type; use “Where message attachment is of type” to check files by structure.
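The difference between a name list and a check by structure, as an added example (not MailMarshal's own code): file names are matched against a semicolon-separated list using only * and ?, then the leading bytes are inspected separately. Case-insensitive matching, the type labels and the sample attachments are assumptions constructed for illustration.

```python
import re


def wildcard_to_regex(pattern):
    """Translate a pattern that uses only * and ? into a regular expression.

    Every other character is literal, so '[' or '.' in a name list is never
    treated as a regex or glob metacharacter.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")          # any run of characters, including none
        elif ch == "?":
            out.append(".")           # exactly one character
        else:
            out.append(re.escape(ch))
    # Assumption: names compare case-insensitively.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def compile_name_list(spec):
    """Split a 'A;B;C' list into compiled patterns, ignoring empty items."""
    return [wildcard_to_regex(p.strip()) for p in spec.split(";") if p.strip()]


def name_is_listed(filename, patterns):
    """True when the whole file name matches any pattern in the list."""
    return any(p.fullmatch(filename) for p in patterns)


# Well-known leading byte signatures. The labels are hypothetical and are not
# MailMarshal's type names. Short signatures such as "MZ" can also hit plain
# text that happens to start with those bytes.
SIGNATURES = [
    (b"MZ", "EXECUTABLE"),
    (b"PK\x03\x04", "ZIP"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"),
    (b"GIF87a", "IMAGE"),
    (b"GIF89a", "IMAGE"),
    (b"\xff\xd8\xff", "IMAGE"),
    (b"\x89PNG\r\n\x1a\n", "IMAGE"),
]


def sniff_type(data):
    """Classify content by its first bytes, whatever the file is called."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "UNKNOWN"


def evaluate(filename, data, name_patterns, blocked_types):
    """Return which checks fire for one attachment: 'name', 'type', or both."""
    reasons = []
    if name_is_listed(filename, name_patterns):
        reasons.append("name")
    if sniff_type(data) in blocked_types:
        reasons.append("type")
    return reasons


# Constructed sample data: (file name, first bytes of the content).
NAME_LIST = compile_name_list("*.SHS;*.VBS;*.DO?")
BLOCKED_TYPES = {"EXECUTABLE"}
ATTACHMENTS = [
    ("update.VBS", b'MsgBox "constructed sample"'),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00" + b"\x00" * 16),   # name says image
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),
    ("logo.gif", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for name, data in ATTACHMENTS:
        hits = evaluate(name, data, NAME_LIST, BLOCKED_TYPES)
        print(f"{name:12} sniffed={sniff_type(data):10} triggered={hits}")
```

Only the structure check fires for the second sample, which is why a name list is best paired with a rule on attachment type.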

Where message triggers text censor script(s)

Choose a TextCensor script to be used in evaluating the message. Depending on the settings of the individual script, various parts of the message and its attachments may be scanned.


Within the Select TextCensor Script dialog, select a script and click Edit Script to view or change it; click New Script to create a new script which will be automatically selected when you return to the dialog. See Chapter 12, “TextCensor Scripts” for detailed information on creating Scripts.

Note: More than one TextCensor script may be included in a rule. However, for the rule to be triggered all included scripts must trigger.


Where the result of a virus scan is

Choose the desired virus scanning action and the results to be checked for, using the Select Virus Scanner Results dialog.

Scan message with: This option allows you to choose the virus scanners used by this condition.

• All Scanners: All configured virus scanners will be used to scan all parts of the message and attachments. This option is the equivalent of earlier MailMarshal virus scanning rules.

• Specific scanners: To limit the virus scan to specific installed scanners, choose this option then select the desired scanners from the list. This setting may be useful for instance if only some installed scanners support virus cleaning.

Note: With the exception of Contains Virus and Unexpected scanner error, these options can only be used with DLL based scanners. If you attempt to select the other options when no DLL based scanner is selected, a warning notice will be given.

Where the result is: This option allows you to choose the scanner results that will cause this condition to trigger. Check the appropriate boxes.

• Contains Virus: The condition will trigger if any part of the message contains a virus. This is the basic condition.

• ...and is Cleaned: When this box is checked, the condition will only trigger if the code returned indicates that the virus was cleaned. This condition can be used in a Clean Viruses rule. You cannot choose this option if any non-DLL scanners are selected. See below for further information on setting up virus cleaning rules.

• ...and Name Matches: When this box is checked, the condition will only trigger if the name of the virus as returned matches the text in the field. This condition can be used in a rule to modify MailMarshal's response based on certain virus behaviors (for instance to not send sender notifications for viruses known to spoof the “from” address).

• Password Protected: When this box is checked, the condition will trigger if the scanner reports the file as password protected.

• File is corrupt: When this box is checked, the condition will trigger if the scanner reports the file as corrupt.

• Virus scanner signatures out of date: When this box is checked, the condition will trigger if the scanner reports its signature files are out of date.


• Could not fully unpack or analyze file: When this box is checked, the condition will trigger if the scanner reports that it could not unpack the file.

• Unexpected scanner error: When this box is checked, the condition will trigger if the scanner reports an unknown error or the code returned is unknown.

Setting Up Virus Cleaning

To “clean” viruses from email messages, at least one DLL based virus scanner must be installed. Two rules are required (and provided in the default configuration for new installations of MailMarshal).

The first rule must have these options selected:

• Contains Virus

• and is Cleaned

The second rule must be a standard virus blocking rule (using the option Contains Virus and invoking a move to folder or other blocking action).

If a virus cannot be cleaned, all remaining rules will be applied. If no quarantine (move to folder) or other blocking rule is triggered after all rules have been applied, MailMarshal will deadletter the affected message. The message log and MailMarshal Engine log will indicate that the message still contains a virus.

In the MailMarshal Console view, a message that has not been cleaned will be shown with an exclamation mark icon. If you choose to forward or process the affected message, a popup warning will be raised indicating that the message contains a virus.

Note: These detailed failure results depend on the availability of return codes provided by the individual scanner vendors. The option “Unexpected scanner error” can be used to specify an action to take when the code returned by the scanner is not configured in MailMarshal. If this option is not selected in a rule condition, an unexpected return code will result in the message being deadlettered. For command line scanners, the list of return codes can be configured in the virus scanner properties.


Where the external command is triggered

Select one or more external commands to be used to test the message. If more than one command is specified, all commands must be triggered for this condition to be triggered. External commands can be executable programs or batch files. See Chapter 9, “External Commands” for more information.

Where attachment parent is of type

This condition is intended to be used with the condition Where message attachment is of type, and causes MailMarshal to consider the file type of the parent container as well as that of the attachment (for instance, Microsoft Word documents containing images). Clicking the hyperlink “parent types” opens a selection dialog offering all valid parent types. The dialog also allows the condition to be applied to types in or out of the selected list.

Note: This condition may be useful to exclude images and other inclusions within MS Word documents from quarantine rules. E.g.

When a message arrives
Where message attachment is of type IMAGE
And where attachment parent is not of type: DOC

See also the condition Where attachment fingerprint is/is not known.


Where message attachment size is

The size of each attachment is evaluated after all unpacking, unzipping, etc. is complete. An attachment size may be larger than the size of the original message, due to decompression of archive files.

Where number of recipients is count

This condition is typically used to block messages with large recipient lists as suspected Spam.

Where message contains one or more headers

This condition may be used to check for the presence, absence, or content of any message header, including custom headers. It would typically be used to check for blank or missing headers, or to reroute email.

Within the Header Match dialog (see below), click New to create a new header match using the Header Matching Wizard.

See Chapter 15, “Header Matching and Rewriting” for more information on this Wizard.

More than one header match may be used in a single condition; however all matches must be true for the condition to be true (logical ‘and’). To match any of several header conditions (logical ‘or’), include more than one Rule with one condition per Rule.


To edit any Header Match condition (or view its details), highlight it then click Edit to restart the Header Matching Wizard. To delete a Header Match condition, highlight it then click Delete.

Note: Header Match conditions are only available within the Rule where they are created. To use the same condition in more than one Rule, create it in each Rule.

Where number of attachments is count

This condition is typically used to block messages with large numbers of attachments. The number of attachments may be counted using top level attachments only, or top level attachments to email messages including any attached messages, or all attachments at all levels.

Note: “Top level attachments” are the files explicitly attached by name to an email message. Other files, such as the contents of a zip archive or images within a Microsoft Word document, may be contained within the top-level attachments.


Where message is categorized as Category

This Rule condition allows action to be taken on messages that trigger a category script. Select a category script file using the Select Category Script dialog.

Updates to the category scripts (currently including the Spam category script) can be downloaded automatically. Automatic download is enabled by default. To disable the automatic download or update immediately, see the Internet Access tab of Server Properties.

Note: The automatic category download depends on HTTPS connection to the Internet. Connection settings can be configured on the Internet access tab.

Category scripts can also be created and customized locally. See the example category scripts provided with MailMarshal, and the Marshal Knowledge Base, for syntax and suggested usage.

Where message spoofing analysis is based on criteria

This Rule condition allows action to be taken on messages that may be “spoofed” (they may not have originated within the domain of the claimed sender email address).

This condition will only be evaluated when the sender address (“From:” header or SMTP “Mail From:” address) of a message is within a Local Domain (as specified on the Local Domains tab of Server Properties).


In the Spoofing Criteria dialog, select any of the detailed criteria to determine how this condition is triggered.

The originating IP address: Select this condition to check for spoofing based on the IP address of the computer which originated the message. Choose one of the following options to determine how the IP address is checked:

• Is not considered local as defined by the anti-relaying settings: When this option is selected, email with a local sender address will be considered “spoofed” if it does not originate from a computer allowed to relay. The list of computers allowed to relay is determined by the IP address ranges entered on the Anti-Relaying tab of Server Properties. This option can be selected if multiple servers and workstations in the local network are allowed to route email directly through MailMarshal.

• Does not match the IP address for that specific local domain: When this option is selected, email with a local sender address will be considered “spoofed” if it is not delivered to MailMarshal from the correct Local Domain email server. The Local Domain server is the computer to which MailMarshal delivers messages for the specific SMTP domain of the “From:” address.

Note: This is the more restrictive option as it requires all email originating within the organization to have been routed to MailMarshal from a trusted internal email server. (Messages accepted by the internal email server will be accepted by MailMarshal.) This option can stop local users from “spoofing” addresses within the local domains.


The originating system did not use ESMTP authentication: Select this condition to check for spoofing based on the login given by the system routing the message to MailMarshal. Use this condition (and not an IP address based condition) if roving users are allowed to send email through MailMarshal using the POP3 Relaying Authentication feature.

Note: Before implementing the requirement for ESMTP authentication, check which servers are required to authenticate. See Server Properties > Advanced > Additional Options > Receiver. Be sure that all affected systems, possibly including internal email servers such as Microsoft Exchange, are configured to authenticate when connecting to MailMarshal.

Rule Actions–Standard Rules

The following actions are available for selection in Standard Rules. Details of each action are given below.

• Copy the message to folder

• BCC a copy of the message

• Run the external command

• Send a notification message

• Strip attachment

• Write log message(s) with classifications

• Stamp message with message stamp

• Rewrite message headers

• Add attachments to valid fingerprints list

• Route the message to host

• Move the message (terminal action)

• Park the message (terminal action)

• Delete the message (terminal action)

• Pass the message to rule

If a terminal action is performed, no further rules will be processed for the affected message.

By default the following options are checked: send notification message, write log message, move the message (to a folder).

Copy the message

Copy the email message file to the specified folder. To make the message processing log available in the same folder, check the box at the bottom of the dialog. The message log showing how the message was processed will then be available in the Console. If a new folder is required, click New Folder to start the New Folder Wizard (see Chapter 10, “Folders” for more information).

BCC a copy of the message

Send a blind copy of the message to one or more email addresses. These should be entered as complete SMTP addresses (e.g. [email protected]), separated by semi-colons. The original message will not be modified in any way by this action, so the original recipient would not know a copy had been taken.

Note: You can use this action in combination with Delete the message to effectively forward messages to a different recipient.

Run the external command

Choose one or more commands to be run from the list of pre-defined external commands. See Chapter 9, “External Commands” for information on defining external commands. To run the same application with different parameters under different conditions, use more than one external command definition.


Send a notification message

Send one or more email messages based on the templates checked in the selection dialog. To view or edit the details of a particular template, select it then click Edit Template. To create a new template, click New Template; the new template will automatically be selected for use when you return to the template selection dialog. For further information on templates, see Chapter 11, “Email Templates.”

Strip attachment

Where the rule conditions are triggered by a specific attachment, remove this attachment from the message. This action would typically be used to remove attachments of specific file types or file names.

Note: When an attachment is stripped, normally the original message should be copied for later retrieval if necessary, and stamped to inform the recipient that an attachment has been stripped.

Write log message(s) with classifications

Select one or more logging classifications from the list. Check the box to write a logging classification for every component of the message (e.g. a separate record for each image file in a message). To view or edit the detailed information in the classification, click Edit in the selection dialog. To create a new classification, click New in the selection dialog. For details on classifications, see Chapter 13, “Logging Classifications.”

Stamp message with text

Choose one or more message stamps to be added to the message body. Stamps will be at the top or bottom of the message as selected when they were created. To view or edit the details of a particular message stamp, select it then click Edit Stamp. To create a new stamp, click New Stamp; the new message stamp will automatically be selected when you return to the stamp selection dialog. See Chapter 14, “Message Stamps” for details.


Rewrite message headers

This action may be used to modify, add, or delete any message header, including custom headers. It would typically be used to repair blank or missing headers, to insert a notification into the subject, or to reroute email.

Within the Header Rewrite dialog, click New to create a new header rewrite rule using the Header Rewrite Wizard. See Chapter 15, “Header Matching and Rewriting” for more information on this Wizard.

More than one Rewrite rule may be included in the same action. The order of application of the rules may be significant. Adjust the order by selecting a rule and using the up and down arrows in the Header Rewrite dialog.

Note: Header Rewrite rules are only available within the Rule where they are created. To perform the same action in more than one Rule (or within a Rule and the Header Rewrite function of the MailMarshal Receiver), create it in each place.

Add attachments to valid fingerprints list

Add the attachments to MailMarshal’s list of “valid fingerprints” (normally used for images or other files which require special treatment, such as company logos). Choose whether to add all attachments, or only images, to the list. See the rule condition Where attachment fingerprint is/is not known for more information.


Route the message to host

This action allows the message to be delivered to a selected server. This action might be used to implement dynamic routing based on the recipient or other message headers. Enter a host name or IP address to which the message should be delivered. This address will be used when delivery is attempted, even if the message is “parked” first. If several Rules invoke this action, the last selected address will be used.

Note: This action is not a terminal action. It sets the destination for the message, but it does not send the message immediately or stop rule evaluation. All remaining applicable rules will be evaluated. Do not use the action Delete the message with Route to Host: the message will be deleted and not delivered!

Move the message

Move the email message file to the specified folder. To make the message processing log available in the same folder, check the box at the bottom of the dialog. The message log explaining how the message was processed will then be available in the Console. If a new folder is required, click New Folder to start the New Folder Wizard (see Chapter 10, “Folders” for more information). This is a terminal action–no further rules will be processed for a message if this action is performed.

Park the message

Move the email message file to the specified parking folder for release according to the schedule associated with that Folder. If a new folder with a different schedule is required, click New Folder to bring up the New Folder Wizard (see Chapter 10, “Folders” for more information). This is a terminal action–no further rules will be processed for a message if this action is performed.

Delete the message

Delete the email message file. Do not send the message to its original destination. This is a terminal action–no further rules will be processed for a message if this action is performed.


Pass the message to rule

If no “terminal” rule action has been taken, this action allows a choice of which further rules to apply.

Several choices are available (see below), including:

• Skip the next rule (do not apply it).

• Skip to the next ruleset (do not apply further rules in this ruleset).

• Skip all further rules (pass the message through to the intended recipients).

• Skip to a particular ruleset or rule.

Note: It is only possible to skip to a rule which is evaluated after the current rule. (The order of evaluation may be changed; see “Order of Evaluation” on page 54.)

When skipping to a rule in a different ruleset, remember that the parent ruleset conditions may prevent its having any effect. For instance, skipping from MailMarshal’s default Inbound ruleset to the Outbound ruleset is allowed, but rules in the Outbound ruleset will have no effect on inbound messages.


Rule Conditions–Receiver Rules

The following conditions are available for use in Receiver Rules.

• Where message is of a particular size

• Where sender’s IP address matches address

• Where sender has authenticated

• Where sender’s IP address is listed in DNS Blacklist

Where message is of a particular size: This condition is normally used with a “refuse message” action to refuse large messages. Choose the size criteria in the Message Size dialog.

Note: Receiver processing of this condition depends on an ESMTP connection from the outside server. This condition should be repeated in a Standard Rule to include messages received from non-ESMTP sources.


Where sender’s IP address matches address: This condition can be used to permit relaying, or to refuse messages, from one or more ranges of IP addresses. The configured ranges are shown in the Sender IP Address dialog. To add a range to the list, click New to open the Enter Match IP Address dialog.

To modify an existing address, highlight it then click Edit. To delete an existing address from the list, highlight it then click Delete.

In the Match IP Address dialog, add or modify an address or range.


Select one of the three choices using the option buttons:

• An IP Address: Enter a single IP address in dotted quad format.

• A range of IP addresses: Enter the starting and ending IP addresses (two dotted quads).

• An entire network range: Enter an IP address and a netmask in dotted quad format. For instance, enter “10.2.0.4” and “255.255.255.0” to match the entire 10.2.0.0 subnet.

The checkbox at the bottom of the dialog controls whether this address or range will be included or excluded from the condition match.

• To include the address or range, check the box.

• To exclude the address or range, clear the box.

Where sender has authenticated

This condition will trigger if the remote system has authenticated using a POP3 account and password. See Chapter 7, “POP3 Accounts” for information on setting up accounts for authentication.

This condition is normally used with the Accept message action to allow relaying by specific users.

Note: A typical use of included and excluded ranges would be to match all IP addresses in a given range, with one or two exceptions. For instance, all computers in the 10.2.0.0 subnet might be excluded from relaying, except for a specific email server 10.2.0.55.
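An added sketch (not MailMarshal code) of the three Match IP Address entry kinds with the include/exclude checkbox, reused for the two originating-IP spoofing criteria described earlier in this chapter. The precedence of excluded over included entries, exact-match local domains, the handling of a domain with no known server, and all addresses and domains used are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPEntry:
    """One list row: an inclusive IPv4 span plus the include/exclude checkbox."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    include: bool = True

    def contains(self, ip):
        return self.first <= ipaddress.IPv4Address(ip) <= self.last


def single(addr, include=True):
    """'An IP Address': one dotted quad."""
    a = ipaddress.IPv4Address(addr)
    return IPEntry(a, a, include)


def ip_range(start, end, include=True):
    """'A range of IP addresses': starting and ending dotted quads."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    return IPEntry(lo, hi, include)


def network(addr, netmask, include=True):
    """'An entire network range': address plus dotted-quad netmask.

    strict=False discards host bits, so 10.2.0.4 with 255.255.255.0 covers
    10.2.0.0 through 10.2.0.255. A non-contiguous mask raises ValueError.
    """
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return IPEntry(net.network_address, net.broadcast_address, include)


def matches(ip, entries):
    """Assumed combination rule: hit if an included entry contains ip and
    no excluded entry does (the guide does not spell out the precedence)."""
    included = any(e.include and e.contains(ip) for e in entries)
    excluded = any(not e.include and e.contains(ip) for e in entries)
    return included and not excluded


def sender_domain(address):
    """Domain part of an SMTP address such as '<alice@example.com>'."""
    return address.strip().strip("<>").rsplit("@", 1)[-1].lower()


def is_spoofed(sender, origin_ip, local_domains, relay_entries,
               domain_servers=None):
    """Spoofing check on the originating IP address.

    With domain_servers=None the relaxed option applies: a local sender is
    spoofed when origin_ip is not allowed to relay. With a mapping of
    local domain -> mail server IP the stricter option applies: the message
    must arrive from that domain's own server.
    """
    domain = sender_domain(sender)
    if domain not in local_domains:
        return False  # the condition is only evaluated for local senders
    if domain_servers is None:
        return not matches(origin_ip, relay_entries)
    server = domain_servers.get(domain)
    if server is None:
        return True  # assumption: no known server for the domain, nothing to trust
    return ipaddress.IPv4Address(origin_ip) != ipaddress.IPv4Address(server)


# Constructed sample configuration (not taken from a real deployment).
LOCAL_DOMAINS = {"example.com"}
RELAY = [network("10.2.0.4", "255.255.255.0")]
DOMAIN_SERVERS = {"example.com": "10.2.0.55"}
# The note's scenario: match the whole subnet except one email server.
SUBNET_EXCEPT_SERVER = [network("10.2.0.4", "255.255.255.0"),
                        single("10.2.0.55", include=False)]

if __name__ == "__main__":
    for ip in ("10.2.0.17", "10.2.0.55", "10.3.0.1"):
        print(ip, "matches condition:", matches(ip, SUBNET_EXCEPT_SERVER))
    for sender, ip in (("alice@example.com", "10.2.0.17"),
                       ("alice@example.com", "203.0.113.9"),
                       ("bob@example.org", "203.0.113.9")):
        print(sender, ip,
              "relay-based:", is_spoofed(sender, ip, LOCAL_DOMAINS, RELAY),
              "server-based:", is_spoofed(sender, ip, LOCAL_DOMAINS, RELAY,
                                          DOMAIN_SERVERS))
```

A workstation inside the relay range passes the relay-based check but is flagged by the server-based one, which is the sense in which the second option is the more restrictive.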


Where sender’s IP address is listed in DNS Blacklist

This condition allows the DNS Blacklist (MAPS RBL and compatibles) tests to be applied selectively. Choose the Blacklists to be used from the list in the DNS Blacklists dialog.

Note: Before selecting this Condition, enable at least one blacklist using the Host Validation tab of Server Properties. Each DNS Blacklist you want to use in this Condition should have the “Enable this DNS Blacklist” checkbox checked.

The dialog shows a list of all enabled Blacklists. Check the box for each Blacklist you wish to use. Clear the box for any Blacklist you do not wish to use in this Condition.

For details of how MailMarshal reacts when a Blacklist cannot be reached, see Chapter 21, “Troubleshooting.”

Click OK to return to the Receiver Rule Wizard.

Rule Actions–Receiver Rules

The following actions are available for use in Receiver Rules.


Accept message

If selected, this condition permits receipt of the message by MailMarshal for delivery subject to Standard Rules. Furthermore the message may be relayed to an address outside MailMarshal’s local domains. This condition is intended to be used in conjunction with the condition Where sender has authenticated or an IP address match, to allow relaying by specific email users.

Refuse message and reply with message

MailMarshal will refuse the message. A SMTP response refusing delivery will be transmitted to the sending server. This action is intended to be used in conjunction with a size-limiting condition to conserve bandwidth, or to refuse messages sent from specific problem addresses as detected by User Match, IP Address, or DNS Blacklist Conditions.

Select the message to be returned using the Reply Message dialog.

In this dialog, enter the SMTP response code and message to be returned as the message refusal.

• Message Number: Enter a SMTP message number (between 400 and 599) to return. The default number 550 is a standard SMTP “message refused” response.

• Message Description: Enter a short message giving details of the reason for refusal. Within this message, the following variables are available:

{Recipient} will be replaced by the “To:” SMTP address of the original message.

{Sender} will be replaced by the SMTP address of the sender. Uses the address in the “From” field unless it is empty, in which case the “Reply to” address is used.

{SenderIP} will be replaced by the IP address of the sender.


Chapter 6

User Groups

MailMarshal User Groups are used within Rulesets and Rules to specify to whom the Rules apply. MailMarshal uses SMTP email addresses to perform user matching. User Groups may be created and populated within MailMarshal by entering email addresses manually (wildcards may be used). User Groups may also be imported from an LDAP server (such as Microsoft Exchange or Lotus Notes), in which case their membership is updated automatically on a defined schedule.

To create and maintain User Groups, in the Configurator, expand the element User Groups.

To Create a New Standard User Group

Click the New User Group icon in the toolbar to open the New User Group dialog. Enter a name for the User Group.

To Add Members to a Standard User Group

Select the appropriate User Group from the right pane of the Configurator. Click the New Member icon in the toolbar to open the Insert into User Group dialog.


In this dialog, enter an individual SMTP address, a wildcarded address, or a domain name in the field. (The available wildcards are the same as those used for local domain names–see “Wildcards” on page 170 for details.) Click Add (or use the <Enter> key) to add the value. The dialog remains open and additional values may be added. If an individual address was entered, the domain name portion of the address is retained and only the new user name need be entered.

To Add an LDAP User Group

LDAP user groups are used in the same way as standard MailMarshal user groups. However, MailMarshal populates an LDAP group by retrieving a list of members from an LDAP server, such as Lotus Notes. The membership of LDAP groups is automatically updated on the schedule specified in the LDAP connection dialog.

To work with LDAP User Groups, you must configure at least one LDAP User Group Connection (see Chapter 16, “LDAP Connections”).

Click on the Add LDAP User Group icon, or right-click on User Groups in the tree then click on New, then on LDAP user group... to open the New LDAP User Group dialog.

Select the LDAP connection to be worked with from the drop down menu and click OK. If no entries appear in the menu, no LDAP user group connections have been configured.


MailMarshal will then query the server for a list of available user groups, and display the results in a list. (If MailMarshal is unable to connect to the server no groups will be shown.)

Select an LDAP group from the list. This group will appear in the list of User Groups. The group name will consist of the LDAP Connection name and the group name as retrieved from the server. Repeat this action to add other user groups. When done, click OK.

Initially, an LDAP group will be empty of users; it will be populated at the next scheduled update. A group can also be populated by right clicking it in the list of groups, and selecting All Tasks > Reload from LDAP Server. An LDAP user group can immediately be specified in any MailMarshal rules; however, such rules should not be made effective (i.e. the server should not be reloaded) until the group has been populated.

Note: Although MailMarshal does not prohibit adding and deleting members from LDAP groups, such changes will not be sent to the LDAP server, and they will be lost during the next scheduled update from the LDAP server.

Any changes to membership of these groups must be made at the LDAP server.

To Move and Copy User Groups

To copy a User Group, right-click it in the Configurator and choose Duplicate from the context menu.

To move a User Group so that it is included within another User Group, drag it over the target Group.

To copy a User Group so that it is included within another User Group, hold down the <CTRL> key while dragging.

Chapter 7

POP3 Accounts

MailMarshal can function as a POP3 server for local domains (as specified during setup or in Server Properties). A POP3 login must be created for each mailbox that will be hosted by MailMarshal.

If MailMarshal receives an email message addressed to the POP3 domain but no matching account has been created, the message will be dealt with (forwarded or refused) according to the options set up for the domain. See “Local Domains” on page 167 for more information on POP3 domains.

If a POP3 domain exists, MailMarshal automatically starts an additional service to respond to POP3 requests. This POP3 service appears in the list of services in the Configurator and Console.

POP3 accounts also permit email relaying. Since the MailMarshal server functions as an email gateway, it is likely to be available from anywhere on the Internet. Traveling email users who wish to send email from their business address, using the scanning and stamping features of MailMarshal, can do so if they have MailMarshal POP3 accounts. See “POP3 Accounts for Relaying Authentication” on page 91.

Note: The relaying authentication feature may be used regardless of where MailMarshal delivers messages for an address, and without any POP3 local domains being configured. See “POP3 Accounts for Relaying Authentication” on page 91.

To Set Up POP3 Accounts

In the left pane of the Configurator, select POP3 Accounts. Click the New POP3 Account icon in the toolbar. Enter the details for the account holder and authentication information in the New POP3 Account dialog.

If the account will be used for email delivery (if MailMarshal is operating one or more POP3 local domains), MailMarshal will automatically enter an appropriate SMTP alias for email delivery to this account’s mailbox. Make any desired changes to this alias, and enter any additional SMTP addresses for which email should also be delivered to this account’s mailbox. (The domain name of each alias address must be one for which MailMarshal is functioning as a POP3 local domain server.)

If more than one POP3 account has the same SMTP alias, messages directed to that alias will be delivered to all of the mailboxes.

If the password fields are left blank, MailMarshal will use Windows NT authentication to determine access for this account. In this case, ensure that the account name matches the name of a valid Windows NT user account permitting access to files on the MailMarshal server computer.

Click Add to add the account. When all accounts have been added, click Close.

POP3 Accounts for Relaying Authentication

A “POP3 account” may be used for relaying authentication only, and not for message delivery. This feature may be useful, for instance, to traveling email users who wish to send email from their business address, using the scanning and stamping features of MailMarshal. In this case, enter an arbitrary value (such as “none”) in the SMTP Address field. Delete any valid SMTP addresses that MailMarshal may have inserted automatically.

Before you can enable relaying authentication, MailMarshal must be configured to request ESMTP authentication. See the Receiver tab of the Advanced Properties dialog (found on the Advanced tab of Server Properties). The users’ email client software must be configured to use authentication when sending outbound messages. Consult the client software documentation for further information on how to do this.

To enable authentication on the MailMarshal server, create a rule using the Condition “Where sender has authenticated” and the Action “Accept Message”.

To Edit POP3 Accounts

To edit an existing POP3 account, select POP3 Accounts in the left pane of the Configurator. Double-click the account to be edited. Change the password and aliases as required, then click OK.

To Delete POP3 Accounts

To delete a POP3 account, select POP3 Accounts in the left pane of the Configurator. Select the account to be deleted, then click the Delete icon in the toolbar.

Chapter 8

Virus Scanners

MailMarshal is not a traditional virus scanner; however MailMarshal does provide substantial proactive protection against viruses through file name and file type checking, as well as TextCensor scanning for virus-related text and harmful commands.

MailMarshal can also invoke third-party virus scanners to check email messages and attachments for viruses. Nearly all MailMarshal installations use third-party virus scanning.

MailMarshal allows one or more virus scanners to be used to check email for viruses. Because virus scanners have differing architecture, some organizations choose to use multiple scanners.

MailMarshal invokes the virus scanner after unpacking all elements of an email message. MailMarshal then passes the elements to the scanner software for analysis, and takes action based on the code returned from the scanner.

Selected virus scanners can be used to attempt to clean infected files.

Sample virus scanning and cleaning Rules are included in the MailMarshal default Rules. These Rules may be modified to suit local conditions. For details on configuring virus scanning Rules, see Chapter 5, “Rulesets and Rules.”

To work with MailMarshal, a virus scanner must have a command-line interface or a special MailMarshal DLL. The scanner must return a documented response indicating whether or not a virus is detected. Most commercially available virus scanners meet these specifications.

The virus scanners listed below have been tested and validated for use with MailMarshal as of this writing. Appropriate parameters for these scanners are pre-coded in the Configurator, ready for selection. (Please see Marshal Knowledge Base article Q10923 for the latest list.)

• Marshal Integrated McAfee Antivirus (DLL, Supports cleaning)

• Norman Virus Control (DLL, Supports cleaning)

• Panda Antivirus (DLL, Supports cleaning)

• Sophos Anti-Virus (DLL, Supports cleaning)

• Symantec AntiVirus Engine (DLL, Supports remote installation and cleaning)

• InoculateIT 6.x

• Network Associates Netshield and McAfee Command Line Scanner

• NOD

• Vet Anti-Virus for NT Server

• PestPatrol (Requires additional software, available in USA only)

Note: DLL based scanners are significantly faster than command line scanners, because the scanner is always memory resident. Marshal recommends the use of DLL scanners for sites with high message traffic.

Each virus scanner to be used should be installed on the MailMarshal Server computer (or remotely, if remote access is available) according to the manufacturer’s instructions.

Best Practices

Marshal recommends the following basic practices to ensure security with respect to viruses and virus scanning:

• Block messages and attachments which MailMarshal cannot scan, such as password protected attachments and encrypted attachments (e.g. files of type ‘Encrypted Word Document’).

• Block encrypted messages which MailMarshal cannot decrypt, such as PGP and S/MIME messages.

• Block executable and script files by type and name. This helps to ensure that unknown viruses will not be passed through.

• Subscribe to email notification lists for virus outbreaks (such lists are offered by many anti-virus software companies). When an outbreak occurs, block the offending messages by subject line or other identifying features.

Note: Marshal Integrated McAfee Antivirus requires installation of the Marshal Integrated McAfee Antivirus Console, available in a separate download from Marshal.

This interface is enabled through a special MailMarshal product key. MailMarshal trial keys have this feature enabled. Permanent keys for Marshal Integrated McAfee Antivirus are available from Marshal suppliers.

Note: If resident or “on access” virus scanning is enabled, MailMarshal’s working folders must be excluded from scanning. See “MailMarshal Directories and Resident Scanning” on page 101.

Configuring a New Virus Scanner

To configure a new virus scanner within MailMarshal, in the left pane of the Configurator select Virus Scanners. Click the New Virus Scanner icon in the toolbar to start the New Virus Scanner Wizard.

Select a pre-configured scanner from the list, or select “Custom Scanner” to enter full information about a scanner not on the list of supported scanners.

On the next wizard page, enter (or browse to) the location where the main executable scanner file is located (e.g. c:\McAfee\Scan.exe). DLL based scanners do not require this information to be entered. If this is a custom scanner, enter the other required information–see “Viewing Virus Scanner Properties” for information on the fields.

If this scanner is installed remotely, enter the server name or IP address and port where the scanner can be accessed.

On the final page, click Finish to add the virus scanner; it will appear in the right pane of the Configurator. When at least one scanner is configured, virus scanning rules may be enabled.

Note: If further information about a pre-configured scanner is required, click Vendors Web Site to open the manufacturer’s web site in a web browser window.

Viewing Virus Scanner Properties

Double click the name of any virus scanner in the right pane to review and change MailMarshal’s configuration information for that scanner.

The fields shown will vary depending on whether the scanner is a command line or DLL based scanner.

Command Line Scanner Properties

The Name is MailMarshal’s friendly name for this scanner. The Command Line refers to the location of the executable file. The Parameters field allows entry of any necessary additional command line parameters to ensure operation compatible with MailMarshal.

The Timeout values indicate how long MailMarshal will wait for the scanner to complete its task. The default values are generous. If review of the MailMarshal logs indicates that the virus scanner is timing out, these values may be adjusted; however repeated timeouts probably indicate a need for greater system resources.

The checkbox Single Thread indicates whether the scanner must operate on one message at a time, or may be invoked multiple times. Command line scanners will generally have this box checked.

The two remaining fields are used to enter trigger values which specify the meaning of the code returned from the virus scanner.

The field “Command is triggered if return code is” should include values used by the virus scanner to indicate the presence of a virus or errors encountered scanning the file. When one of these values is returned, the MailMarshal Rule condition “Where message contains a virus” is triggered.

The field “Command is not triggered if return code is” should include values used by the virus scanner to indicate the absence of a virus. When one of these values is returned, the MailMarshal Rule condition “Where message contains a virus” is not triggered.

If the code returned matches neither field, the associated email message is moved to the “Undetermined” deadletter folder and an email notification is sent to the MailMarshal administrator.

Entries in both fields may be exact numeric values, ranges of values (e.g. 2-4), greater than or less than values (e.g. <5, >10). More than one expression may be entered in each field, separated by commas (e.g. 1-6,8,>10). Consult the virus scanner documentation for details on return codes.

Note: Before entering new values for scanner parameters in MailMarshal, test the scanner from the command line using the new parameters. If MailMarshal invokes a scanner with invalid parameters, the result may cause all messages to be treated as infected.

DLL Scanner Properties

This dialog is used to view and modify the parameters for communication between MailMarshal and DLL based virus scanners. Most parameters cannot be changed.

The Name is MailMarshal’s friendly name for this scanner. The Manufacturer is the name of the scanner manufacturer.

Version indicates the engine version of the installed scanner. Virus Signatures lists the currently installed virus signature update.

Status indicates whether the scanner is installed and functioning correctly. If the scanner supports virus cleaning this will also be noted.

Click Visit Web Site to open a web browser window to the scanner manufacturer's web site.

Scanner Install Location: If the scanner can be installed remotely, this section of the dialog will be enabled. A choice of install location will have been made when the scanner was first configured in MailMarshal. If you make a change here, MailMarshal will verify the presence of the scanner in the location you specify before accepting the change.

• The scanner is installed on the local server: Select this option if the scanner is installed locally.

• The scanner is installed on a remote server: Select this option if the scanner is installed on a remote server. Enter the following information:

Server Name: The name or IP address of the server where the scanner is installed.

Server Port: The port on which scanning requests are accepted.

Using Other Virus Scanners

Most commercial virus scanners can be used as command line scanners with MailMarshal. Generally, the following considerations apply when using an alternative virus scanner.

Verify that a Windows 2000 (or XP) compatible version is available. The product must have a command line interface and must be capable of running silently in the background.

When entering the virus scanner information in the New Virus Scanner Wizard, choose Custom Scanner. Enter the path to the executable file and the parameters for silent operation. In the Parameters field, use the string “{CmdFileName}” (including the quotation marks) to indicate to the scanner software which folders it is to scan. Review the parameter syntax for a pre-configured scanner to understand the use of this entry.

Testing Virus Scanners

Virus scanner setup may be tested by clicking the Test Virus Scanners icon in the toolbar (visible when the Virus Scanners node is selected in the left pane of the Configurator). You will be prompted to choose a file. All configured scanners will be used to scan the selected file. The results will be displayed in a dialog.

If MailMarshal virus scanning rules are enabled, scanning can be checked by sending a test virus in an email message. To create a test virus, open a new text file and paste in the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TESTFILE!$H+H*

Save the file as “eicar.com”. (A copy of this file may be found in the MailMarshal install directory). Attach the file to an email message and send it through MailMarshal to an external test email account. If the virus scanner and scanning Rule are correctly configured to stop outbound viruses, your MailMarshal installation should take action on the message. Alternatively, send an email message to [email protected] to receive information on how to receive a message containing the file eicar.com (this is an automated service).

MailMarshal Directories and Resident Scanning

Network servers are usually protected by virus scanning packages to search disk directories for contaminated files, particularly newly-created or imported files.

However, you must ensure that certain directories, which are used by MailMarshal to process and quarantine infected email messages, are excluded from any existing resident or “on-access” anti-virus scanning. These include the Incoming, Explode (MMExp), and Rulesets directories.

By default new MailMarshal installations create all of these directories within the MailMarshal install directory. If the locations are changed then virus scanning exclusions must be changed to reflect the new locations. The locations of these directories may be verified from the Advanced tab of Server Properties.

MailMarshal checks for resident file scanning by attempting to write the standard test virus file eicar.com (not a real virus) in each of the directories which must be excluded from scanning. If any of these files are removed or cleaned by a resident scanner, or MailMarshal is denied access to the files, the MailMarshal engine may not start and the email administrator will be notified.

If the check succeeds, MailMarshal deletes the eicar.com files (except for one copy left in MMExp\avcheck.)

Please refer to the virus scanner manufacturer’s documentation for information on excluding directories from on-access scanning (e.g. in Network Associates NetShield, exclusions are set via the Exclusions tab in Scan Properties). If the virus scanner does not have the facility to exclude the appropriate directories, on-access scanning must be disabled completely.

Details of Excluded Directories

Incoming

MailMarshal places received email in this directory before processing it.

Explode (MMExp)

MailMarshal copies files to the Explode directory and invokes virus scanners explicitly to check for viruses. If a resident virus scanner found and cleaned a file here, MailMarshal's virus scanning might then determine the file to be clean. MailMarshal would then pass the original message through with the virus still present.

Note: Prior to version 5.0, MailMarshal placed the default Explode directory in the root of the system drive (e.g. C:\MMExp). This location will not be changed during product upgrade, but may be changed from the Advanced tab of Server Properties if desired.

Rulesets

Folders within the Rulesets directory are used to store messages, including those “quarantined” by virus scanning rule actions.

Chapter 9

External Commands

An external command is a custom executable or batch file that can be run by MailMarshal. The command can be used to check email messages for a condition, or to perform an action when a message meets some other condition. MailMarshal is provided with an external command for message release (see below), and some other suggested uses are given later in this chapter.

In order for an external command to be used to check for a condition, the command must return a standard return code.

External commands must be defined within MailMarshal before they can be used in Rules. To create a new external command, in the left pane of the Configurator select External Commands. Click the New External Command icon in the toolbar to see the New External Command dialog.

Enter a name for the external command. Type the path for the executable file (or browse to it using the button provided). In the Parameters field, enter any command line parameters necessary.

The Timeout and Timeout per MB values control how long MailMarshal will wait for a response before ignoring the external command. The default values are very generous.

The Single Thread setting indicates whether the scanner must operate on one message at a time, or may be invoked multiple times. In most cases this checkbox should be left checked. Certain executables and DLL applications may be run multi-threaded.

The Only execute once for each message setting determines whether an external rule condition command will be run for each component of a message, or only once. E.g. if an external command definition is being used for policy-based virus scanning, this box should be unchecked to ensure that each component of each message is scanned.

Where the external command will be used as a Rule condition, set the trigger return code information. This information should be specified in the documentation of the executable.

Two fields are used to enter trigger values which further specify the meaning of the code returned from the virus scanner.

• If the code returned matches any value entered in the field “Command is triggered if return code is”, MailMarshal will consider the condition to be satisfied.

• If the code returned matches any value entered in the field “Command is not triggered if return code is”, MailMarshal will consider the condition not to be satisfied.

• If the code returned matches neither field, the file is moved to the Undetermined deadletter folder and an email notification is sent to the MailMarshal administrator.

Entries in both fields may be exact numeric values, ranges of values (e.g. 2-4), greater than or less than values (e.g. <5, >10). More than one expression may be entered in each field, separated by commas (e.g. 1,4,5,>10).
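The trigger-field syntax described here, and under Command Line Scanner Properties in Chapter 8, can be checked offline before values are entered in the Configurator. The following Python sketch is an added example, not MailMarshal code: it parses both fields and classifies a return code as triggered, not triggered, or undetermined. It assumes non-negative integers in expressions and that the triggered field is checked first when both fields match (the guide does not state a precedence); the function names and sample codes are constructed.

```python
import re
from typing import List, Optional, Tuple

# Inclusive bounds; None means unbounded on that side.
Interval = Tuple[Optional[int], Optional[int]]

# One comma-separated term: "<N", ">N", "A-B" or "N".
# Assumption: only non-negative integers appear in expressions.
TERM = re.compile(
    r"^(?:<\s*(?P<lt>\d+)|>\s*(?P<gt>\d+)|(?P<lo>\d+)\s*-\s*(?P<hi>\d+)|(?P<n>\d+))$"
)


def parse_trigger_field(field: str) -> List[Interval]:
    """Turn a field such as '1-6,8,>10' into a list of inclusive intervals."""
    intervals: List[Interval] = []
    for raw in field.split(","):
        term = raw.strip()
        if not term:
            continue  # tolerate an empty field or a trailing comma
        m = TERM.match(term)
        if m is None:
            raise ValueError(f"unrecognised trigger expression: {term!r}")
        if m.group("lt") is not None:
            intervals.append((None, int(m.group("lt")) - 1))   # "<5" -> up to 4
        elif m.group("gt") is not None:
            intervals.append((int(m.group("gt")) + 1, None))   # ">10" -> from 11
        elif m.group("lo") is not None:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
            if lo > hi:
                raise ValueError(f"range is reversed: {term!r}")
            intervals.append((lo, hi))
        else:
            n = int(m.group("n"))
            intervals.append((n, n))
    return intervals


def matches(code: int, intervals: List[Interval]) -> bool:
    """True when the return code falls inside any interval."""
    return any(
        (lo is None or code >= lo) and (hi is None or code <= hi)
        for lo, hi in intervals
    )


def fields_overlap(triggered: str, not_triggered: str) -> bool:
    """True when some return code would match both fields (ambiguous setup)."""
    inf = float("inf")
    for a_lo, a_hi in parse_trigger_field(triggered):
        for b_lo, b_hi in parse_trigger_field(not_triggered):
            lo = max(-inf if a_lo is None else a_lo, -inf if b_lo is None else b_lo)
            hi = min(inf if a_hi is None else a_hi, inf if b_hi is None else b_hi)
            if lo <= hi:
                return True
    return False


def classify(code: int, triggered: str, not_triggered: str) -> str:
    """Map a return code to 'triggered', 'not_triggered' or 'undetermined'."""
    # Assumption: the triggered field wins if both match (fail closed).
    if matches(code, parse_trigger_field(triggered)):
        return "triggered"
    if matches(code, parse_trigger_field(not_triggered)):
        return "not_triggered"
    return "undetermined"  # message goes to the Undetermined deadletter folder


if __name__ == "__main__":
    TRIGGERED = "1-6,8,>10"   # expression quoted in Chapter 8
    NOT_TRIGGERED = "0"       # constructed value for this example
    if fields_overlap(TRIGGERED, NOT_TRIGGERED):
        print("warning: the two fields overlap")
    for code in (0, 3, 7, 8, 9, 10, 11, 255):  # constructed return codes
        print(code, classify(code, TRIGGERED, NOT_TRIGGERED))
```

With these sample fields the codes 7, 9 and 10 match neither list, so each would send a message to the Undetermined folder; listing every code the executable documents avoids that.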

Uses of External Commands

Custom executables or batch files may be used with the Rule condition “Where message triggers an external command”. For instance, fgrep.exe can be used for advanced expression matching.

Custom executables may also be used with the Rule action “Run the external command”. For instance, a particular email subject line might invoke a batch file to start or stop a system service, or to send a page or network notification to an administrator.

Message Release

MailMarshal is provided with a pre-configured external command, MMReleaseMessage.exe. This command allows email users to release selected messages from MailMarshal folders. (Messages can also be released using the MailMarshal Console.)

To Use Message Release

1. Create or modify a MailMarshal Rule which moves certain messages to a Folder.

2. In this Rule, include a Rule Action which sends a Notification message. The body of this message must contain the variable {ReleaseProcessRemaining} or {ReleasePassThrough}. These variables allow a choice of release actions; see “Processing a Message” on page 237 for details. MailMarshal includes a pre-configured template, Automatic Message Release Outbound, which includes the {ReleaseProcessRemaining} variable.

3. To process message release requests, create a MailMarshal Rule similar to the following:

When a message arrives
Where addressed to [email protected] the external command Message Release
And write log message(s) with Release Requests
And delete the message

(The logging classification “Release Requests” is pre-configured.)

Automatic Message Release should be used sparingly as it tends to defeat MailMarshal's purpose. The {ReleaseProcessRemaining} variable is preferred because it forces all messages to be evaluated against all Rules.

Note: The From address must be one which guarantees that replies will pass through MailMarshal. Do not use a local domain address to process requests from internal users. The address need not be valid but it must be well-formed. For instance, the template Automatic Message Release Outbound uses a From address of [email protected]

Advanced Usage of Message Release

• If MailMarshal is used in an array, more complex Rules are required to route the release requests to the correct MailMarshal server. Please contact Marshal support for more information.

• If you want to be notified of failed message release attempts, run the external command as a rule condition rather than an action. The Message Release executable returns 0 on success and 1 on failure.

• By default the Message Release executable deletes the message after releasing it.

To leave a copy of the message on the server after releasing it, edit the external command definition. In the properties, change the parameters field to read {MessageName} -l (the last character is a lower case letter L).

Note: This option can result in a message being sent more than once.

Chapter 10

Folders

MailMarshal uses folders for several purposes related to rule processing.

An email message which triggers a rule may be copied or moved to a folder. This action is commonly taken for messages which are suspected of containing viruses, but may also be used for archival or other purposes.

An outgoing email message may be “parked” to a folder for scheduled later delivery.

An email message which cannot be processed (due to addressing or structure problems) will be placed in a subfolder of the DeadLetter folder.

MailMarshal also maintains a “Mail Recycle Bin” folder. By default, messages deleted by user action within the Console are moved to this folder and retained for the period specified in the folder properties.

To work with folders, select Folders in the left pane of the Configurator.

Creating a New Folder

To create a new folder, click the New Folder icon in the toolbar to start the New Folder Wizard.

On the first page of the Wizard, choose whether the folder is to be a Standard or a Parking folder. On the next page of the Wizard, give the folder a name. Further options depend on whether the folder is a Standard or a Parking folder.

Standard Folders

A time limit may be set for message retention in the folder. This option is typically used for “quarantine” folders where the message may be released on request from the user to an administrator. Messages will be deleted automatically after the set time.

Subdirectories may be created periodically within the folder. This option is typically used where a substantial volume of email is expected, so that messages are easier to find.

Check the box Folder is used for message archiving to create an Archive folder (See below). Within the MailMarshal Console, messages in Archive folders are assumed to be “stored”: they may be viewed and forwarded but not deleted. Messages in other Standard folders are assumed to be “in process” and they may be reprocessed or deleted, among other actions. See Chapter 20, “The Console” for further information.

Click OK to create the folder, or Cancel to lose any changes.

Parking Folders

When a Rule moves a message to this type of folder, it will be “parked” if the time is within the blue schedule block and released (or sent immediately) when the time is outside the blue schedule block.

Use the checkbox “Continue processing rules on release” to determine what happens to parked messages when they are released from this Folder for delivery. If the box is checked, the message will be evaluated against all rules after the Rule which placed the message in this Folder.

Alter the schedule block if desired:

• Drag using the left mouse button to add to the blue “parking” area.

• Drag using the right mouse button to erase from the blue “parking” area.

• To reset the schedule to the default time block, click Set Default Schedule.

• Choose to “snap” the schedule times to the nearest full, half or quarter hour using the drop down box.

Click OK to create the folder, or Cancel to lose any changes.

The Mail Recycle Bin

This folder exists by default and cannot be deleted. A time limit may be set for message retention in the folder. Messages moved to the Recycle Bin (using the MailMarshal Console) will be permanently deleted after the set time. The default retention time is 7 days.

Editing an Existing Folder

To edit the properties of an existing Folder, double-click its name in the right hand pane of the configurator. Make any required changes, then click OK.

Changing the Default Folder Location

The default location for message folders is the Rulesets subfolder of the MailMarshal install directory. The base physical path for all folders can be changed to any location on a local drive. Please see “Advanced” on page 192 for details.

Note: If the folder physical path is changed, any messages in the old location must be moved manually to the new location.

Folder Security

Permission to use the MailMarshal Console (to view and take action on messages in folders) is controlled by setting user permissions on the MailMarshal.key file. See “Console Security Issues” on page 231.

In some cases it may be desirable to set different access permissions for different folders (for instance, if archived messages are to be available to the users who sent them). Such permissions may be set using standard Windows security procedures for the physical folder.

Chapter 11

Email Templates

Email Templates allow notification email messages to be sent based on the outcome of Rule processing. This facility is most often used to notify appropriate parties when a message is blocked.

Notifications are a very powerful tool to inform and modify user behavior. When well thought out and constructed, they can save the administrator a lot of time.

Notifications may also be used as a general autoresponder based on message headers or content. For instance, a message to [email protected] with the subject “Send Catalog” might trigger a rule returning the product catalog to the sender as an email attachment.

The same Rule outcome may send several notification messages. For instance, if a virus is detected the email administrator, external sender, and intended internal recipient of the message might each receive a different message.

A notification may include attachments. Attachments may include the original message, the MailMarshal processing log for the message, and any other file (such as a virus scanner log file).

To work with Templates, select Email Templates in the left pane of the Configurator.

MailMarshal is provided with numerous templates by default. These are a good source of ideas for the creation of new templates.

Creating an Email Template

Click the New Template icon in the toolbar to see the New Email Template dialog.

Note: In addition to Rule notification templates, MailMarshal uses a number of pre-configured templates for administrative notifications (such as delivery failure notifications). To modify these templates, see the Advanced tab of MailMarshal Server Properties.

Give the Template a name.

MailMarshal allows variable information to be inserted into the message headers and body from the original email (which triggered a Rule, invoking this Template). Variables are enclosed within braces { }. To see a list of variables available in any field, type { to bring up a context menu. Additional information on the variables is available in the online help for this dialog.

Enter appropriate information in the Header Details section. For instance, enter the email address to which replies should be sent in the Return Path field.

To attach the original message, the MailMarshal message processing log, or another file to the notification, check the appropriate box and enter the file name if necessary.

Enter an appropriate message in the Message Body field. Variables marked with braces { } may be used. Variables may be nested and Windows environment variables may be included using the variable {env=}

A file may be included in the body of a notification message using the variable {file=filepath}

Duplicating an Email Template

To copy a Template, right-click it in the Configurator. Choose Duplicate from the context menu. After duplicating the Template, make any required changes to the copy.

Editing an Email Template

To edit a Template, double-click on its name in the right hand pane of the Configurator. Make the required changes then click OK.

Note: When sending a notification to the original sender of an email message, use the {ReturnPath} variable in the To: field to reduce the chance of looped messages.

Deleting an Email Template

To delete a Template, select it in the right hand pane of the Configurator then click the Delete icon in the toolbar.

Chapter 12

TextCensor Scripts

TextCensor scripts are used to check for the presence of particular lexical content in an email message. The check may include all parts of the message, including the message headers, message body, and any attachments that can be lexically scanned. It may also be limited to one or more of these areas.

A script may include many conditions based on text combined with Boolean and proximity operators. Triggering of the script is based on the weighted result of all conditions.

TextCensor scripts are invoked by Standard Rules.

To work with TextCensor Scripts, select TextCensor Scripts in the left pane of the Configurator.

TextCensor Syntax

TextCensor scripts contain one or more lines, each consisting of a word or phrase.

• The wildcard character * may be used at the end of a word only (e.g. “be*” matches “being” and “behave”).

• Parentheses should be used to set the order of evaluation and for grouping.

• Each line may include Boolean and proximity operators. The operators must be entered in capital letters. The six supported operators are:

| Operator | Function | Example |
|---|---|---|
| AND | Matches when all terms are present | Dog AND cat |
| OR | Matches when any term is present | dog OR cat ; dog OR (cat AND rat) |
| NOT | Logical negation of terms; use after other operators; means “anything else but.” | Dog AND NOT cat ; Dog FOLLOWEDBY (NOT house) |
| NEAR | Matches when two terms are found within the specified number of words of each other. The default is 5. | Dog NEAR=2 bone |
| FOLLOWEDBY | Matches when one term follows another within the specified number of words. The default is 5. | Dog FOLLOWEDBY=2 house |
| INSTANCES | Matches when a term is found the specified number of times. You must specify a value. | Dog INSTANCES=3 |

When you use NEAR and FOLLOWEDBY, a “word” is defined as any group of one or more contiguous alphanumeric characters, bounded at each end by non-alphanumeric characters. If any non-alphanumeric characters have been included as “special characters”, each single special character is also counted as a “word”.

For instance, by default “S-P-A-M” counts as four words. If the “-” character is entered as a “special character,” then the same text counts as 7 words.
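The word-counting rule above decides what NEAR and FOLLOWEDBY can see, so enabling a special character can change whether an existing item matches. The following sketch is an added illustration, not MailMarshal code: the function names are hypothetical, the sample text is constructed, and it assumes that adjacent words are one word apart.

```python
import re


def tokenize(text, special_chars=""):
    """Split text into "words" as the guide defines them.

    A word is a run of alphanumeric characters. Each character listed in
    special_chars is a one-character word of its own. Any other character
    only separates words. Tokens are lowered (items are case insensitive).
    """
    specials = "".join(re.escape(c) for c in special_chars)
    pattern = r"[A-Za-z0-9]+" + (f"|[{specials}]" if specials else "")
    return [tok.lower() for tok in re.findall(pattern, text)]


def positions(tokens, term):
    """Indexes at which term occurs; a trailing * is an end-of-word wildcard."""
    term = term.lower()
    if term.endswith("*"):
        return [i for i, tok in enumerate(tokens) if tok.startswith(term[:-1])]
    return [i for i, tok in enumerate(tokens) if tok == term]


def near(tokens, a, b, n=5):
    """a NEAR=n b: both terms occur within n words of each other, either order."""
    return any(
        i != j and abs(i - j) <= n
        for i in positions(tokens, a)
        for j in positions(tokens, b)
    )


def followed_by(tokens, a, b, n=5):
    """a FOLLOWEDBY=n b: b occurs after a, at most n words later."""
    return any(
        0 < j - i <= n
        for i in positions(tokens, a)
        for j in positions(tokens, b)
    )


if __name__ == "__main__":
    # The guide's own case: four words by default, seven with "-" special.
    print(len(tokenize("S-P-A-M")), len(tokenize("S-P-A-M", "-")))

    # Constructed text: the same item stops matching once "-" counts as a word.
    text = "Dog -- good -- bone"
    print(near(tokenize(text), "dog", "bone", n=2))       # separators ignored
    print(near(tokenize(text, "-"), "dog", "bone", n=2))  # separators counted

    # "<script" can only be matched when "<" is entered as a special character.
    print(followed_by(tokenize("<script", "<"), "<", "script", n=1))
```

After adding a special character to a script, re-run the script's test text, because proximity limits that used to be satisfied may no longer be.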

Note: The INSTANCES operator is provided for compatibility with earlier TextCensor scripts, but its use is discouraged. The use of appropriate weighting (see below) will produce the same result with improved performance.

Weighting the Script

Each script is given a trigger level, expressed as a number. If the total score of the content being checked reaches or exceeds this level, the script is triggered. The total score is determined by summing the scores resulting from evaluation of the individual lines of the script.

Note: The script will be applied separately to each part of a message. E.g. if both Headers and Message Body are selected for evaluation, the script will be evaluated once for the headers, then again for the body. Script triggering is not cumulative over the parts.

Each line in a script must be given a positive or negative weighting level and a weighting type. The type determines how the weighting level of the line is figured into the total score of the script. There are four weighting types:

| Weighting Type | Description | Details |
|---|---|---|
| Standard | Each match of the words or phrases will add the weighting value to the total. | If the weighting level of this item is 5, every match will add 5 to the total. |
| Decreasing | Each match of the words or phrases will add a decreasing (logarithmic) weighting value to the total. Each additional match is less significant than the one before. | If the weighting level of this item is 5, the first five matches will add 5, 4, 4, 3, and 3 to the total. |
| Increasing | Each match of the words or phrases will add an increasing (exponential) weighting value to the total. Each additional match is more significant than the one before. | If the weighting level of this item is 5, the first five matches will add 5, 5, 6, 6, and 7 to the total. |
| Once Only | Only the first match of the words or phrases will add the weighting value to the total. | If the weighting level of this item is 5, this item will contribute at most 5 to the total, no matter how many times it matches. |

Negative weighting levels and trigger levels can be used to allow for the number of times a word may appear in an inoffensive message. For instance: if “breast” is given a positive weighting in an “offensive words” script, “cancer” could be assigned a negative weighting (since the presence of this word suggests the use of “breast” is medical/descriptive).

Note: Because script evaluation stops when the trigger level is reached, items with negative weighting should be evaluated first. Use the Sort List button to set the order of evaluation correctly.
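The two behaviours that most often surprise script authors are the early stop at the trigger level and the separate scoring of each message part. The sketch below is an added model, not MailMarshal's engine: the names are hypothetical, the sample messages are constructed, items are single words, it assumes the total is checked after each item, and it covers only the Standard and Once Only types because the guide gives sample values rather than formulas for the other two.

```python
import re

STANDARD, ONCE_ONLY = "standard", "once only"


def count_matches(term, text):
    """Case-insensitive whole-word count of a single-word item."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return words.count(term.lower())


def score_part(items, text, trigger):
    """Score one message part against a script.

    items is a list of (term, weighting_level, weighting_type) in evaluation
    order. Returns (total, triggered, items_evaluated); evaluation stops as
    soon as the running total reaches the trigger level.
    """
    total = 0
    for evaluated, (term, weight, wtype) in enumerate(items, start=1):
        hits = count_matches(term, text)
        if wtype == ONCE_ONLY:
            hits = min(hits, 1)
        total += weight * hits
        if total >= trigger:
            return total, True, evaluated
    return total, False, len(items)


def sort_list(items):
    """Model of Sort List: negative items first, entered order otherwise kept."""
    return sorted(items, key=lambda item: item[1] >= 0)


def script_triggers(items, parts, trigger):
    """parts maps a part name to its text; every part is scored on its own."""
    return {name: score_part(items, text, trigger)[1]
            for name, text in parts.items()}


if __name__ == "__main__":
    # Constructed script and message using the guide's breast/cancer example.
    entered = [("breast", 5, STANDARD), ("cancer", -10, ONCE_ONLY)]
    body = "Breast cancer awareness: early breast screening saves lives."

    # Entered order: two hits on "breast" reach 10 before "cancer" is seen.
    print(score_part(entered, body, trigger=10))
    # Sorted order: the negative item is applied first and the total ends at 0.
    print(score_part(sort_list(entered), body, trigger=10))

    # Parts are not cumulative: 5 in the headers plus 5 in the body never
    # adds up to a trigger level of 10.
    parts = {"headers": "Subject: NFL picks",
             "body": "Your NFL picks for this week"}
    print(script_triggers([("nfl", 5, STANDARD)], parts, trigger=10))
```

The last case also shows the other side of per-part scoring: a script tuned to need several matches will miss a message whose matches are split between the subject line and the body.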

Adding a TextCensor Script

Click the New TextCensor Script icon in the toolbar to see the New TextCensor Script dialog.

Give the script a name. Check the various boxes to select which portions of an email message will be scanned by this script.

Note: The script will be applied separately to each part. E.g. if both Headers and Message Body are selected, the script will be evaluated once for the headers, then again for the body. Script triggering is not cumulative over the parts.

By default only alphanumeric characters may be entered in TextCensor items. If any non-alphanumeric characters are required, click on the checkbox to enable matching for special characters and enter any special characters to be matched. For instance, to match the HTML tag fragment “<script” you must enter the < in this field. To match parentheses () you must enter them in this field.

Click on New to obtain the New TextCensor Item dialog.

Select a weighting level and type for this item (see “Weighting the Script” on page 123 for more information).

Enter the item, optionally using the operators described earlier in this section, e.g.

(Dog FOLLOWEDBY hous*) AND NOT cat

In this example the item weighting will be added to the script total if the scanned text contains the words “dog house” (or “dog houses”, etc.) in order, and does not contain the word “cat”.

Click Add (or press <Enter>) to add the item to this script. The dialog box remains open and additional items may be created. When all items have been entered, click Close to return to the New TextCensor Script dialog.

Note: TextCensor items are case insensitive by default. However, quoted content is case sensitive. For instance, “textcensor” would not trigger on the title of this chapter.

Select a Weighting Trigger Level. If the total score of the script reaches or exceeds this level, the script will be triggered. The total score is determined by evaluation of the individual lines of the script.

Click Sort List to set the order of evaluation. Items with negative weighting levels will be set to evaluate first.

Editing a TextCensor Script

Double-click the script to be edited in the right pane to bring up the Edit TextCensor Script dialog.

A line may be edited by double-clicking on it or deleted by selecting it then clicking Delete.

The script name, parts of the message tested, special characters, and weighting trigger level may be changed. Use the Sort List button if necessary to adjust the order of items.

Click OK to accept changes or Cancel to revert to the stored script.

Note: Because evaluation of a Script stops when the trigger level is first reached, setting evaluation order is important.

Duplicating a TextCensor Script

To copy a TextCensor Script, right-click it in the Configurator. Choose Duplicate from the context menu. After duplicating the Script, make any required changes to the copy.

Importing a TextCensor Script

TextCensor Scripts may be imported from XML or CSV (comma separated) files.

Click the New TextCensor Script icon in the toolbar. Click Import.

Choose the file to be imported, and click Open. In the Edit TextCensor Script dialog, click OK.

Exporting a TextCensor Script

TextCensor Scripts may be exported to XML or CSV (comma separated) files.

Double-click the script to be exported in the right pane to bring up the Edit TextCensor Script dialog.

Click Export. Enter the name of the file to which the script should be exported, and click Save.

In the Edit TextCensor Script dialog, click OK.

Note: TextCensor Scripts exported from MailMarshal 4.2.5 and earlier versions do not include the Weighting Trigger Level, Special Characters, and Apply to following parts settings. When importing such a script, this information must be added manually.

Testing TextCensor Scripts

A TextCensor script may be tested against a file or pasted text. In the New or Edit TextCensor Script dialog, click Test to use the Test TextCensor dialog.

• Select Test script against file. Enter the name of a file containing the test text (or browse using the button provided).

• Select Test script against text. Type or paste the text to be tested in the field.

Click Test. The result of the test (including details of the items which triggered and their weightings) will be shown in the Test Results pane.

Using TextCensor Effectively

The effective use of TextCensor scripts depends on understanding how the TextCensor facility works and what it does.

TextCensor rules are evaluated against text portions of messages (including headers, message bodies, and attachment content).

Constructing TextCensor Scripts

The key to creating good TextCensor scripts is to enter exact words and phrases that are not ambiguous. They must match the content to be blocked. Also, if certain words and phrases are considered to be more undesirable than others, those words and phrases should be given a higher weighting to reflect the level of undesirability.

In creating TextCensor scripts, a balance must be struck between over-generality and over-specificity. For instance, suppose a script is required to check for sports-related messages. To enter the words “score” and “college” alone would be ineffective in that those words could appear in many messages. Hence the script would trigger too often, potentially blocking general email content.

The same script (to find sports-related messages) would be better constructed using the phrases “extreme sports”, “college sports” and “sports scores” as these phrases are sport specific. However, using only a few very specific terms may mean that the script does not trigger often enough.

Again using the sports example used above, the initials NBA and NFL, which are very sports specific, should be given a suitably higher weighting (i.e. promoting earlier triggering) than, e.g. “college sports”.

Decreasing Unwanted Triggering

TextCensor scripts may trigger on message content which is not obviously related to the content types they are intended to match. The recommended procedure to troubleshoot this problem is:

1. Use the problem script in a Rule which copies messages and their processing logs to a folder (e.g. “suspected sports messages”).

2. After using this rule for some time, check on the messages that have triggered the script. Review the message logs to determine exactly which words caused the script to trigger (see “Interpreting Message Logs” on page 238).

3. Revise the script by changing the weighting, weighting type, or key words, so as to trigger only on the intended messages.

4. When satisfied, modify the Rule so as to block messages that trigger the script, and to notify the sender and/or the intended recipient.

Chapter 13

Logging Classifications

Log records are further categorized by Logging Classifications. Messages may be classified within Standard Rule Actions. Both MailMarshal Reports and the Console Message History/Search can show the classification of a message.

Each Rule should include a logging action. MailMarshal’s default Rules include such actions.

Logging Classifications may be added and customized. To work with Logging Classifications in the Configurator, select Logging Classifications from the left hand menu tree.

For general information on logging and reporting see Chapter 18, “Reports.”

Creating a Logging Classification

Click the New Logging Classification icon in the toolbar to see the New Logging Classifications dialog.

In the dialog, enter a meaningful name for the classification.

Enter a number as the classification code for this classification. Reports can be generated using these codes. By default the next available number in sequence is used for a new classification; however, any unused number may be entered.

Give a brief description of the classification and its purpose. This description will be used in the Console and Reports, and may contain {} variables as in the Email Templates.

Click OK to add the classification.

Editing a Logging Classification

To edit an existing logging classification, double-click it in the right pane of the configurator to view its properties. Make any required changes then click OK.

Duplicating a Logging Classification

To copy an existing logging classification, right-click it in the Configurator. Choose Duplicate from the context menu. After duplicating the classification, make any required changes to the copy.

Deleting a Logging Classification

To delete a logging classification, select it in the right pane of the configurator, then click the Delete icon in the toolbar.

Logging Classification Usage

Logging classifications are most commonly used to report on broad categories, such as viruses or executable files quarantined. However they may also be used to record very specific occurrences such as a specific file or size of file being sent. E.g. the question “How many PDF files over 500K in size were sent by Sales” could be answered by creating a Rule to log sending of such files.

Chapter 14

Message Stamps

Message stamps are short blocks of text which may be applied to the top or bottom of an email message body. MailMarshal message stamps may include a plain text and an HTML version. The appropriate stamp format will be applied to the body text of the same type in the message.

Message stamps are typically used for corporate disclaimers or advertising on outgoing email. Message stamps can also be used by MailMarshal to notify the recipient that a message has been processed (e.g. by having an offending attachment stripped).

To work with message stamps in the Configurator, select Message Stamps in the left pane. Message stamps may also be created and edited from the stamp selection dialog during Rule creation.

Creating a New Message Stamp

In the Configurator, click the New Message Stamp icon to bring up the New Message Stamp dialog.

Give the stamp a name and select whether it is to appear at the top or the bottom of messages.

Enter a plain text version of the message stamp in the Plain Text tab. Then enter an HTML version of the stamp, if desired, in the HTML tab. Various formatting, including hyperlinks, may be applied to the HTML text using the buttons provided.

To view the raw HTML, right-click in the HTML pane and select Edit Raw HTML. Edit the HTML, or paste HTML source from another editor, then click OK to return to the message stamp dialog.

Click OK to add the new stamp to the list of available message stamps.

Both plain text and HTML message stamps may include the same variables available within email notification templates. You will find more information on variables in the example stamps provided with MailMarshal, the online help for this dialog, and Chapter 11, “Email Templates.”

Duplicating a Message Stamp

To copy a Message Stamp, right-click it in the Configurator. Choose Duplicate from the context menu. After duplicating the Message Stamp, make any required changes to the copy. Remember to make changes to both the Plain Text stamp and the HTML stamp.

Editing a Message Stamp

To edit a Message Stamp, double-click on its name in the right hand pane of the Configurator. Make the required changes then click OK. Remember to make changes to both the Plain Text stamp and the HTML stamp.

Deleting a Message Stamp

To delete a Message Stamp, select it in the right hand pane of the Configurator then click the Delete icon in the toolbar.

Note: If RTF message stamping is enabled, the plain text message stamp will be used with RTF messages. To enable RTF stamping, see the Advanced tab of Server Properties.

Chapter 15

Header Matching and Rewriting

MailMarshal can apply Regular Expression matching to find and/or modify email header and envelope detail.

Header matching is available as a Standard Rule condition. Header rewriting can be performed as a global action by the MailMarshal Receiver during email message receipt, or by a Standard Rule action.

Regular expressions are extremely powerful but somewhat difficult to construct. Especially in the case of rewriting, great care should be taken to ensure that the rules perform as expected.

Basics of Regular Expression syntax are given later in this chapter.

Some examples of actions that can be performed are:

• Address modification - for example, changing [email protected] to [email protected].

• Field removal - for example, stripping out the received: lines from outbound messages.

• Alias substitution - for example, replacing addresses via a lookup table, as in [email protected] being replaced by [email protected].

• Domain masquerading - for example, replacing all addresses in thisdomain.com with identical addresses in thatdomain.com.

• Subject line modification - for example, notifying a user that attachments have been stripped from a message.

• Adding header lines - for example, to mark a message as having been processed.

Header Wizard

Header matching and rewriting rules are created using a wizard. To start the wizard, click New within the parent dialog (Rule condition, Rule action, or Header Rewrite tab). The pages in the wizard are as follows:

• An introduction page that gives warning information (for Rewriting only).

• A field matching page to select the header or envelope fields to be matched, and the portion of the field to be modified.

• A substitution options page where matching and substitution expressions are entered.

• A naming and test page for naming the rule and testing the matching and substitution.

In addition, the order of evaluation of header rewriting rules may be adjusted using the arrows at the bottom of the parent dialog. See “Order of Evaluation” on page 149.

Note: Test any rewriting rules thoroughly, as errors may cause all affected messages to be undeliverable.

Field Matching

On this page of the Wizard, select the fields to be matched or rewritten from the list.

If the field you want is not in the list, click Add custom field then enter the field name (e.g. x-Custom-Field).

Choose the appropriate parsing method using the drop-down list.

As an example of different parsing methods, consider the following To: header.

To: (A User) [email protected], “Another user at domain2.com” [email protected]

Note: If inserting a custom field, use the parsing method Entire Line.

The following table shows the field data that is passed to the substitution engine for the various parsing methods.

| Parsing method | Data passed to the substitution engine |
|---|---|
| Entire line | (A User) [email protected] , “Another user at domain2.com” [email protected] |
| Email address | [email protected] [email protected] |
| Domain | domain.com domain2.com |

When matching or modifying address fields in the email header you would usually select the field parsing method Email Address. Each email address in the field is then passed to the substitution engine, while no other characters will be changed.

If the box Match Case is checked, field matching will be case sensitive. If this box is cleared, matching will not be case sensitive.

Note: When matching email addresses be sure to clear this box. Email addresses are not case sensitive.

Matching/Substitution Options

On this page of the Wizard, set up the rules which match the selected fields.

Shortcuts to some common Regular Expression features are available from the arrow to the right of each field. See “Regular Expression Syntax” on page 149 for details of the available options.

Optional Exclusion Filter

This field allows you to ensure the Header Match or Rewrite does not occur, regardless of whether the Field Search Expression is matched. The exclusion filter is provided since it can be difficult to express exclusions in regular expressions.

To use the exclusion filter, check the box. In the field, enter a Regular Expression. If the selected header(s) match this expression, they will not be matched or rewritten by the rule.


Field Search Expression

In this field, enter a Regular Expression that is used to select the data for matching or rewriting. If the selected header(s) match this expression, they will be matched or rewritten by the Rule (subject to the exclusion filter, above).

Substitution Actions

When rewriting, three actions are available to be taken on the data matched.

Substitute into field using expression

This action allows the matched data to be replaced using a sed or Perl-like syntax. Sub-expressions which were generated from the field search can be used here as $1 through $9.

Map using file

This action provides for substitutions from a file, to allow a level of indirection in resolving what to substitute into the field. A map file must be plain text. Each line of the file must contain a key and value pair separated by a comma, for example:

[email protected], [email protected]
[email protected], [email protected]

The first entry in the line is a lookup key. The second value is the result to be substituted in place of the original field when the key is matched. If the key value is not found in the map file then it is returned unchanged as the result.

Note: When replacing the entire contents of a field, be sure to terminate the text with a CRLF (\r\n). This value is available for insertion through the arrow to the right of the field. If $0 (the tagged expression containing the entire input line) is entered at the end of the substitution expression, a CRLF will already be included.


Delete the field

When Entire line is selected in the parsing options, selecting Delete the field removes the entire header line from the email.

A possible use may be to remove Received: lines from outbound email to hide internal routing information from external recipients.

To achieve this effect, select the Received: field and a parsing method of Entire line, then provide a search expression that will match the hosts you wish to hide and select Delete field. For instance, your search expression might look like

from (secret.host | private.host).my.domain.com

Note: While such deletions give a higher level of security, they are not generally recommended as they make tracing any email problems difficult.

Insert if missing

If any selected header does not exist, the text of this field will be used to create it. E.g. if you have added the custom header x-My-new-field then you might enter the value Created by Header Rewrite.

Note: When you insert a new field, MailMarshal automatically appends a CRLF (\r\n) to the text.


Naming and Testing

On the final page of the Header Wizard, enter a name for the new Rule. Optionally enter a comment which should explain the purpose of the rule.

Rule Test

Enter an input string in the Source field and click Test. The result will appear in the Result field. For rewriting actions, the result will be the rewritten string. For matching, the result will be “matched” or “not matched”.

If this is a rewriting rule, it is possible to select whether the changes will be actually applied and/or logged. Check the box Enable field changes to apply this rule to messages. Check the box Log changes to write a log of changes to the MailMarshal logs for the message. If only Log changes is checked, the logs will show the changes that would have occurred but no changes will actually be made.


When satisfied with the new Rule, click Finish to return to the parent dialog (Rule condition, action, or Header Rewrite tab).

Order of Evaluation

If several header matching rules are used within a single Standard Rule condition, all must evaluate true for the condition to be true.

If several rewriting rules are in use for global Header Rewrite or used within a single Standard Rule action, the order of evaluation will be significant. Rewriting actions will be applied in top-down order as shown in the dialog. Adjust the order of evaluation using the arrows provided below the list of rewriting actions.

Regular Expression Syntax

MailMarshal implements a full-featured regular expression syntax. Full documentation of this syntax is beyond the scope of this manual. Additional documentation and links to further information may be found in Marshal Knowledge Base article Q10520.

A few basics are given below.

Shortcuts

The arrow to the right of each field on the matching/substitution page of the header rule wizard provides access to some commonly used Regular Expression features.

Selection                 Inserts       Usage
Any Character             .             Matches any single character.
Character in range        [ ]           Enter a range or set of characters to be matched within the brackets. For instance, to match lower case characters you could enter a-z between the brackets.
Character not in range    [^]           Enter a range or set of characters after the ^. Matches any character not in the set.
Beginning of line         ^             Text to the right of the ^ will only match if found at the beginning of the line.
End of line               $             Text to the left of the $ will only match if found at the end of the line.
Tagged expression         ( )           The content within the parentheses will be considered as a single expression for repeat purposes. This expression will be saved for use within the substitution field.
Or                        |             The field will be matched if it matches either the expression before the | or the expression after the |.
0 or more matches         *             The expression before the * will be matched if it is repeated any number of times, including zero.
1 or more matches         +             The expression before the + will be matched if it is repeated at least once.
Repeat                    { }           Enter a number or two numbers separated by a comma within the braces. The expression before the braces will be matched if it is repeated the number of times specified. See “Repeat Operators * + ? {}” on page 151.
Whitespace                [[:space:]]   Matches a single whitespace character (space, tab, and so on).
Alphanumeric character    [[:alnum:]]   Matches a single letter or number character.
Alphabetic character      [[:alpha:]]   Matches a single letter character.
Decimal digit             [[:digit:]]   Matches a single number character 0-9.

Reserved Characters

Some characters have special meanings within regular expressions.

Operators

The following characters are reserved as regular expression operators:

* . ? + ( ) { } [ ] $ \ | ^

To match any of these characters literally, precede it with \

For example, to match marshal.com enter marshal\.com

Wildcard Character .

The dot character (.) matches any single character.

Repeat Operators * + ? {}

A repeat is an expression that occurs an arbitrary number of times.

An expression followed by * can be present any number of times, including zero. An expression followed by + can be present any number of times, but must occur at least once. An expression followed by ? may occur zero times or once only. You can specify a precise range of repeated occurrences as a comma-separated pair of numbers within {}. For instance,

ba* will match b, ba, baaa, etc.

ba+ will match ba or baaaa for example but not b.

ba? will match b or ba.

ba{2,4} will match baa, baaa and baaaa.

Parentheses ( )

Parentheses serve two purposes:

• To group items together into a sub-expression. You can apply repeat operators to sub-expressions in order to search for repeated text.

• To mark a sub-expression that generated a match, so it can be used later for substitution.


For example, the expression (ab)* would match all of the string

ababab

The expression “ab” would be available in a variable (tagged expression) with a name in the range $1...$9 (see the matching and substitution examples in following sections).

Alternatives

Alternatives occur when the expression can match either one sub-expression or another. In this case, each alternative is separated by a |. Each alternative is the largest possible previous sub-expression (this is the opposite to repetition operator behavior).

a(b|c) could match ab or ac

abc|def could match abc or def

Examples

The following sections show examples of matching and substitution strings.

Matching

The expression

(.+)@(.+)\.ourcompany\.com$

will match a sequence of 1 or more characters followed by an @ followed by another sequence of 1 or more characters, followed by .ourcompany.com at the end of the field.

That is, it will match [email protected] and [email protected] but not [email protected]

Substitution

Using the example given in the preceding section, the substitution expression

$1@$2.co.uk.eu


would yield [email protected], [email protected] and [email protected] respectively. The last result may be somewhat surprising, but data that does not match part of the regular expression is simply copied across.

Map Files

MailMarshal SMTP allows substitution using regular expressions to search for an entry in a text file known as a map file. Each line in the map file contains two values separated by a comma. If the search expression matches the first value in a line, MailMarshal SMTP substitutes the second value. If the search expression does not match the first value in any line, MailMarshal SMTP substitutes the search expression.

A typical use of map files is to redirect incoming email to arbitrary addresses. The following simple example modifies email addresses using a map file.

Map [email protected], [email protected]@domain.co.uk, [email protected]

Search expression: (.+)@domain\.co\.uk$

Lookup [email protected]


Sample results

The following table shows the matching addresses when the sample mapping file above is used.

Input Email Address Result

[email protected] [email protected]

[email protected] [email protected]

[email protected] [email protected]
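The matching, substitution and map file behaviour described in this chapter can be modelled in a few lines. The following Python sketch is an added example, not MailMarshal code: Python's re module stands in for MailMarshal's regular expression engine, the addresses and map entries are constructed, and the lookup key expression $1@domain.co.uk and the simplified address finder are assumptions. It also shows why the parsing method matters: with Entire line, the greedy (.+) rewrites only the last address in the header.

```python
import re

TAG = re.compile(r"\$(\d)")                      # $0..$9 tagged expressions
ADDR = re.compile(r'[^\s<>(),"]+@[^\s<>(),"]+')  # simplified address finder (assumption)

# Expressions quoted from the page; addresses and map entries are constructed.
SEARCH = r"(.+)@(.+)\.ourcompany\.com$"
SUBST = "$1@$2.co.uk.eu"
HEADER = '(A User) alice@sales.ourcompany.com, "Bob at HQ" bob@hq.ourcompany.com'
MAP_SEARCH = r"(.+)@domain\.co\.uk$"
MAP_LOOKUP = "$1@domain.co.uk"                   # assumed lookup key expression
MAP_TEXT = """\
sales@domain.co.uk, alice@domain.co.uk
info@domain.co.uk, bob@domain.co.uk
"""


def expand(template, match):
    """Fill $0..$9 in a substitution expression from a regex match."""
    def fill(tag):
        n = int(tag.group(1))
        if n == 0:
            return match.string              # $0: the entire input line
        if n > match.re.groups:
            return ""                        # tag with no sub-expression behind it
        return match.group(n) or ""
    return TAG.sub(fill, template)


def load_map(text):
    """Parse map file text: one 'key, value' pair per line."""
    table = {}
    for line in text.splitlines():
        if "," in line:
            key, value = line.split(",", 1)
            table[key.strip()] = value.strip()
    return table


def rewrite(field, search, template, exclusion=None, match_case=False, table=None):
    """Apply one rewrite rule to the data handed over by the parsing method."""
    flags = 0 if match_case else re.IGNORECASE
    if exclusion and re.search(exclusion, field, flags):
        return field                         # exclusion filter overrides the search
    m = re.search(search, field, flags)
    if m is None:
        return field                         # no match: data is copied across
    result = expand(template, m)
    if table is not None:
        result = table.get(result, result)   # unknown key is returned unchanged
    return field[:m.start()] + result + field[m.end():]


def rewrite_addresses(header, *rule, **options):
    """'Email address' parsing: each address is passed to the rule on its own."""
    return ADDR.sub(lambda a: rewrite(a.group(0), *rule, **options), header)


if __name__ == "__main__":
    print("Entire line  :", rewrite(HEADER, SEARCH, SUBST))
    print("Email address:", rewrite_addresses(HEADER, SEARCH, SUBST))
    table = load_map(MAP_TEXT)
    for addr in ("sales@domain.co.uk", "carol@domain.co.uk"):
        print(addr, "->", rewrite(addr, MAP_SEARCH, MAP_LOOKUP, table=table))
```

Running a planned rule through a model like this before enabling it serves the same purpose as the Rule Test field and the Log changes option: the effect on real header shapes is seen before any message is modified.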


Chapter 16

LDAP Connections

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a system for retrieving directory information, such as lists of users, from a remote source. The source may be public (available for anonymous use) or private. Servers providing LDAP support include:

• Lotus Notes

• Microsoft Exchange

• Microsoft Active Directory

• Novell GroupWise

• Many Sendmail systems

Within MailMarshal, LDAP connections are used to import user and group information for User Groups. MailMarshal Secure can use LDAP to retrieve Security Certificates for use in S/MIME encryption. See Chapter 6, “User Groups” in this manual, and the MailMarshal Secure Manual, for further information.

Before LDAP can be used to retrieve information, a connection to the remote LDAP server must be established.


Adding a New LDAP Server Connection

Highlight LDAP Connections in the menu tree, then click the New LDAP Connection icon in the toolbar to start the New LDAP Connection wizard.

In the first page of the wizard, choose whether this connection will be used to retrieve User Groups or Certificates.

Note: To retrieve both User Groups and Certificates from the same server, create two connections.

On the LDAP Connection Wizard–Server page, enter the name of the server to be queried into the LDAP Server field. This may be a fully qualified Internet server name or simply the name of a server on the local LAN. Examples of LDAP server names are:

ldap.netscape.com
directory.baycorpid.co.nz
IBMMAIL01


If desired, use the browse button provided to select a server on the LAN.

The Port number field is used to enter the port on which the remote LDAP server accepts queries. The default value is port 389. However, this may be changed where more than one LDAP server is hosted at the same IP address. For example, when running Microsoft Exchange 5.5 on a Windows 2000 Active Directory server, both Exchange and Active Directory provide LDAP services. The network administrator will configure the servers to use different port numbers.

Enter the logon name and password, if required, in the appropriate fields. If using Windows integrated security, enter the logon domain as well.

Select an LDAP Search Root, if necessary, in the next page. The Search Root is used to limit the amount of information returned in LDAP queries, and specifies the root container of the LDAP server to be searched. This field is usually left blank; however, if the search does not work, ask the LDAP server administrator for an entry. Typically the entry would be the base LDAP Distinguished Name for the organization (e.g. dc=ourcompany.com or o=OurCompany Corporation).

Alternatively, check the box to populate the list of available search roots from the remote server (this may take some time). Then select a root from the list.

Note: Server name, port, and login information should be obtained from the LDAP server administrator.


In the final page of the Wizard, enter a name that will be used to identify the LDAP connection (within MailMarshal only).

If this is a User Groups connection, select an Update Interval. The default period between updates is 240 minutes (4 hours). All groups derived from this connection will be updated at the time specified. A shorter time may be desirable if, for example, this option is used to synchronize user information between MailMarshal and Microsoft Exchange Server, and many new users are being added. Conversely, if few users are ever added, setting a longer interval will reduce overhead.


The field Next Update shows the time when the next update is due.

A User Group may also be updated by right clicking it in the Configurator User Groups list and selecting All Tasks > Reload from LDAP Server.

If this is a Certificates connection, it may be used to renew Certificates automatically for any designated MailMarshal User Group. Click Add to select a User Group which will be added to the field Automatically renew certs... Highlight a group and click Remove to remove it from the list. To set the schedule for automatic renewal, see the Processing tab of the Security Policies dialog (reached from the Secure Email tab of Server Properties).

Check the box Test the connection on finish then click Finish to test that the server details are correct.

• If the connection type is User Groups, MailMarshal should state that the connection has been made and some groups and members found.

• If the type is Certificates, MailMarshal will request an email address for which to seek a certificate, and state whether one was found.

Note: If the Next Update time is reset, updates will occur at the time set and at each Update Interval thereafter. E.g. if the Next Update field is changed to 14:30 today and the Update Interval field shows 240 minutes, the updates will occur at 14:30, 18:30, and each 4 hours thereafter.

The Controller checks every 5 minutes to see if any LDAP user groups need updating. If the Next Update field is used to schedule an immediate update, this may not occur for up to 5 minutes.


When all details are correct, click Finish in the New LDAP Connection wizard. The LDAP connection is ready to be used. See Chapter 6, “User Groups,” and the MailMarshal Secure Manual, for further information about using the connection.

Editing an LDAP Server Connection

To edit an existing LDAP connection, double-click it in the right pane of the Configurator to restart the LDAP Connection Wizard.

Note: If you enter an email address for which the LDAP server holds no certificate, MailMarshal will report that no certificate was found. However, this result means that the server name, logon, password and port number are correct.

Other messages are less specific. The information given (e.g. “no groups found”) may not necessarily pinpoint the problem entry, so all information entered must be checked. If necessary contact the LDAP server administrator.

A local network or LDAP server may be configured to allow access only from certain machines or users. The Test button only tests the connection from the Configurator. Because the MailMarshal Controller service may have different security permissions, be sure to check that the Controller is updating LDAP groups correctly. The Controller log file may show messages from the LDAP action. The membership of the groups should change appropriately.


Deleting an LDAP Server Connection

To delete an existing LDAP connection, select it in the right pane of the Configurator then click the Delete icon in the toolbar.


Chapter 17

Server Properties

MailMarshal’s Server Properties include a variety of server setup information and advanced options. During installation a wizard gathers enough of this information to enable the product to function. To access the full range of Server Properties for maintenance and reconfiguration purposes, choose Tools > Server Properties from the Configurator menu to view the Server Properties dialog. This dialog includes the following tabs, which are covered in detail in the sections of this chapter:

General: Alter server email address information; import and export configurations.

Local Domains: Select how MailMarshal should deliver inbound email.

Logging: Choose whether, where, and how much information should be logged for reporting.

Secure Email: Enable and configure S/MIME features.

Internet Access: Configure proxy settings for Updates and S/MIME CRL retrieval.

Delivery: Select how MailMarshal should deliver outbound email.


Batching & Dial-Up: Configure settings for batched email sending and Dial-Up connectivity.

Blocked Hosts: Select which hosts may not send email to local domains.

Host Validation: Enable DNS record checking; configure DNS Blacklists.

Header Rewrite: Set up rules to modify message headers at the Receiver.

Anti-Relaying: Choose which hosts if any may relay email through MailMarshal.

Updates: Configure automatic Category Script updates.

License Info: Make a Permanent Key request; see details of the current license key; enter a new key.

Advanced: Control folder location and special settings including ports, timeouts, server threads and greeting strings.

(The tabs General, Delivery, Local Domains, and Logging are presented in the Installation Wizard when MailMarshal is installed.)


General

Administrative notifications (such as DeadLetter reports) will be sent to the address specified in the Recipient address field. This should be a valid and appropriate mailbox or group alias, which is regularly monitored by the email administrator. Administrative notifications and other automated email from MailMarshal will be sent “from” the address entered in the From address field. (Template generated messages may have a different “from” address). This address should also be a valid SMTP address to allow for replies to notifications.


Export Configuration

The MailMarshal configuration data, including server properties, Rulesets, and Rule elements, is stored in the Windows Registry (with the exception of user group information, which is found in the file UserGroups.txt in the MailMarshal install folder, and files with known fingerprints, which are stored in the subfolder ValidFingerprints of the MailMarshal install folder).

To export configuration data, click Export Configuration. Enter an appropriate file name and location. To save User Group information, copy UserGroups.txt. To save user-defined file type signatures, copy filetype.cfg. To save fingerprint information, copy the folder ValidFingerprints and its contents.

Import Configuration

MailMarshal Registry information can be imported, either to restore a previously created configuration or to merge a partial configuration (see below).

To import configuration data, click Import Configuration. Enter or browse to the appropriate file name. Choose to overwrite or merge configurations using the radio buttons. Click OK to perform the import. If User Group information is needed, copy UserGroups.txt to the MailMarshal install folder. If user-defined file type signatures are needed, copy filetype.cfg. If attachment fingerprint information is needed, copy the required files to the folder ValidFingerprints in the MailMarshal install folder.

Warning: Export configuration data safely before performing an import. The Merge function requires a specially created file, and should be used only on advice from Marshal Support.

Note: If MailMarshal is being moved to a new server, you must also copy the Sequence file. See “Moving MailMarshal to a New Server” on page 249.


Local Domains

This tab specifies the names of local domains for which MailMarshal will accept inbound email. The list should include all (and only) the domains of email addresses your organization actually uses through this gateway. Each entry in this list should be matched by DNS MX records (and firewall relay settings, if necessary) so that email for these domains is passed to MailMarshal for delivery.


Local domains may be of two types: Relay or POP3. Email for a relay domain is sent on to another email server. Email for a POP3 domain is typically delivered to a mailbox hosted by the MailMarshal server. Often there will be a single entry in this section for the local email server. However, if the email server handles more than one domain, multiple entries may be needed. Note that by default all relay servers defined here will also be allowed to relay outbound email through MailMarshal.

To Create a New Local Domain

Click New to start the New Local Domain Wizard. Choose the type of local domain (relay to another server, or POP3). On the final page, enter the domain name.

Enter the IP address of the server to which email should be relayed. Optionally enter a second email server address (used only if the first server is unavailable). Multiple Relay local domains may be entered using wildcards (e.g. *.ourbusiness.com may be entered to direct email for all subdomains of ourbusiness.com to a single address). See “Wildcards” on page 170 for a description of MailMarshal’s wildcard syntax.

If this is a POP3 domain, choose the action to be taken for messages addressed to non-existent mailboxes:

• Forward the message to the administrator account - The administrator email address is entered in the installation wizard and may be changed on the General tab of Server Properties.

• Reject the message - A non-delivery message will be returned to the sender with a “Mailbox/User is unknown” reason code.

• Forward the message to the following Mail Server IP Address/Port - this allows for messages not destined for POP3 accounts in MailMarshal to be passed on to another email server for final delivery.


Click Finish to return to the Local Domains tab.

Repeat the New Local Domain Wizard for each local domain required. When all domains have been entered, adjust the order of matching by highlighting a domain from the list and using the up and down arrows.

To Edit a Local Domain

Select the domain to be edited from the list and click Edit to start the Local Domain Wizard. Make any changes required, then click Finish.

Note: MailMarshal’s permanent License Keys are bound to the list of local domains specified here. Each time the list of domain names changes, a new key is required. Changes in IP addresses or ports, or between relay and POP3 domains, do not require a new key. See “License Info” on page 190 for information on requesting a new key.

When invalidated because of a domain change, the key reverts to a fully functional 14 day trial. This allows ample time to contact Marshal for a new permanent key. There is no charge for the new key.

Note: Ensure that local domains are matched in the correct order; otherwise email may be misdirected. E.g. to enable a POP3 subdomain use the following sequence:

pop.example.com    POP3     10.2.5.4:25
*.example.com      Relay    10.1.2.1:25

If the sequence is reversed, POP3 mailboxes will be ignored and all email will be delivered to the first address, i.e. 10.1.2.1 port 25, because all subdomains match *.example.com.

Note: To change a domain from POP3 to Relay or vice versa, the entry must be deleted and recreated.


Wildcards

Local domains may be entered using several wildcard characters. The same characters are used in User and Group matching for standard and receiver rules.

The following syntax is supported:

Character           Function
*                   Matches any number of characters
?                   Matches any single character
[abc]               Matches a single character from a b c
[!abc] or [^abc]    Matches a single character except a b or c
[a!b^c]             Matches a single character from a b c ! ^
[a-d]               Matches a single character in the range from a to d inclusive
[^a-z]              Matches a single character not in the range a to z inclusive

Note: The !, -, and ^ are special characters only if they are inside [ ] brackets. To be a negation operator, ! or ^ must be the first character within [ ].

Examples

*.ourcompany.com matches pop.ourcompany.com, hq.ourcompany.com, etc.

mail[0-9].ourcompany.com matches mail5.ourcompany.com but not maila.ourcompany.com

mail[!0-9].ourcompany.com matches mails.ourcompany.com but not mail3.ourcompany.com
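The wildcard syntax and the ordering note for local domains can be checked together. The following Python sketch is an added example, not MailMarshal code: the translation to Python regular expressions, the case-insensitive comparison and the shadowed() check are assumptions, and the entries are the pop.example.com sequence from the note on matching order.

```python
import re


def wildcard_to_regex(pattern):
    """Translate the wildcard syntax from the table above into a compiled regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        end = pattern.find("]", i + 1) if ch == "[" else -1
        if ch == "*":
            out.append(".*")                      # any number of characters
        elif ch == "?":
            out.append(".")                       # any single character
        elif end != -1:
            body = pattern[i + 1:end]
            negate = body[:1] in ("!", "^")       # negation only as first character
            if negate:
                body = body[1:]
            if body:
                # '-' keeps its range meaning; escape what a regex class treats specially
                body = re.sub(r"([\\\[^&|~])", r"\\\1", body)
                out.append("[" + ("^" if negate else "") + body + "]")
            else:
                out.append(re.escape(pattern[i:end + 1]))  # "[]" or "[!]": literal (assumption)
            i = end
        else:
            out.append(re.escape(ch))             # includes an unterminated '['
        i += 1
    return re.compile("".join(out), re.IGNORECASE)  # domain names are not case sensitive


def matches(pattern, name):
    """True if the whole name matches the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(name) is not None


def route(domain, local_domains):
    """Return (type, target) of the first matching entry, or None if not local."""
    for pattern, kind, target in local_domains:
        if matches(pattern, domain):
            return kind, target
    return None


def shadowed(local_domains):
    """Find literal entries that an earlier pattern already matches (never reached)."""
    found = []
    for j, (later, _, _) in enumerate(local_domains):
        if any(c in later for c in "*?["):
            continue                              # only literal names are checked
        for earlier, _, _ in local_domains[:j]:
            if matches(earlier, later):
                found.append((later, earlier))
                break
    return found


# Sequence from the ordering note, and the same entries reversed.
CORRECT = [("pop.example.com", "POP3", "10.2.5.4:25"),
           ("*.example.com", "Relay", "10.1.2.1:25")]
REVERSED = CORRECT[::-1]

if __name__ == "__main__":
    for name, table in (("correct", CORRECT), ("reversed", REVERSED)):
        print(name, route("pop.example.com", table), "shadowed:", shadowed(table))
```

With the reversed list, route() sends pop.example.com to the relay and shadowed() reports the POP3 entry as unreachable, which is the misdirection the note warns about.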


Logging

To enable logging of MailMarshal’s message processing, check the box Enable Logging. When logging has been enabled, the Mail History can be viewed in the Console and a wide variety of reports run from MailMarshal Reports.

Click Create/Select Database to choose the location of the SQL database where the information will be stored. In the Create/Select Database dialog, enter the name of the SQL Server (or MSDE) computer in the first box. Browse the network if necessary using the button provided. Enter the name of the database to use, and the SQL user name and password. The option Connect using TCP may be chosen where the database is behind a firewall. TCP port 1433 must be opened through the firewall in this case.


If you believe that a MailMarshal database has previously been installed in the given location and you do not wish to use it, check the box to recreate the database.

For maximum detail, check the Log Attachment Details checkbox. To continue processing email if the log records cannot be written to the database, check the box Continue Processing even if database becomes unavailable. To stop processing email when the database is unavailable, clear this box. (This option should be chosen if logging of traffic is essential. Email will still be accepted and held in the Incoming directory.)

The MailMarshal Console can log operator actions to the MailMarshal logging database. Logged actions include:

• deleting messages

• moving messages into or out of the mail recycle bin

• emptying the mail recycle bin

• passing through messages

• forwarding messages

• moving messages from one folder to another

To enable logging of these actions, check the box Enable console auditing. Uncheck this box to disable logging of these actions.

Note: The database password may be changed using SQL administration tools or command-line SQL entry. However, this procedure must be used with caution if other applications may be using the database. For further information please see Marshal Knowledge Base article Q10251.

Note: Logging console actions can make a difference to perceived console speed, especially when large numbers of messages are affected by a single action.

You can choose to log only certain types of actions, by setting a value in the Registry. See the Marshal Knowledge Base for details.


Choose the period for retention of data (the default is 100 days). If more than one MailMarshal server will log to this database, check the box MailMarshal is used in an Array and select a unique letter for each server.

Secure Email

This tab allows configuration of the S/MIME email features of MailMarshal Secure. See the MailMarshal Secure User Guide for further information.

Internet Access

This tab is used to configure the path for HTTP and FTP connection to the Internet. This connection is used by the MailMarshal Category Update. It is also used by the MailMarshal Secure (S/MIME) module to retrieve certificate revocation and renewal information.

Select the method by which MailMarshal’s Internet connection should be configured using the radio buttons:

• Preset Configuration: MailMarshal uses the Windows (Internet Explorer) configuration settings for the account under which the MailMarshal Controller service is running.

• Direct access: No special configuration is required; the Internet is available from this computer without a proxy.

• Proxy: MailMarshal connects to the Internet using the proxy server details provided.

Note: By default the Controller service runs under the Local System account. For this selection to be useful the Controller should be run using another account with administrator privilege.


Name may be a local computer name, fully qualified domain name, or IP address.

Port is the port number on which the proxy server accepts requests (typically port 80).

User name may include Windows domain information in “backslash” format (e.g. ourcompany\username).

Password is the associated password (entered twice for confirmation).

Updates

Check the box Automatically update to enable MailMarshal to check for updates to Category Scripts daily. The update will occur at a random time. Clear this box to turn off automatic updating.

Click Update Now to initiate an immediate check for Category Script updates.

Warning: If an update is downloaded, the configuration must be reloaded (or in some cases services must be restarted) before the change takes effect. If the MailMarshal Configurator is open on any workstation when an automatic update occurs, the reload cannot be completed. In this case a notification dialog will be raised. It is strongly recommended that the Configurator be closed when it is not in use.

Note: If an update is downloaded, the configuration must be reloaded (or in some cases services must be restarted) before the change takes effect. When you “Update Now” you will be asked to reload or restart as appropriate.


Delivery

The primary DNS (Domain Name Server) address used by the organization must be entered in the first field of this tab, and a secondary address is recommended. These servers should be in the local network if possible, but in any case no further away than the ISP. They must be able to resolve domain names outside your organization.

Note: If MailMarshal must perform DNS lookups through a firewall, the firewall must permit both TCP and UDP based lookups.


Two delivery options are available:

• MailMarshal will deliver external email itself: This is the default option. MailMarshal will use DNS resolution to determine the appropriate destination for outbound email and attempt to deliver messages directly.

If this option is selected, you may optionally enter the name or IP address of a fallback host. The fallback host will be used as a forwarding host for messages which MailMarshal is unable to deliver immediately (for instance, if MailMarshal encounters a DNS or greeting failure while attempting to connect to the original destination server).

• MailMarshal will forward email to another SMTP server: Select this option to immediately send all outbound email (not for local domains) to a firewall or a fixed relay server (such as an ISP). The other server will be responsible for final delivery.

Enter the host name or IP address of the relay or firewall in the Forwarding Host box.

Optionally enter an alternate host (used only if MailMarshal encounters a DNS or greeting failure while attempting to connect to the main forwarding host).


Batching & Dial-Up

MailMarshal supports batch receipt and sending of email messages where on-demand connection to the downstream email server is not desired. Normally this option will be used with a dial-up connection. It may also be used with ADSL connections where the MailMarshal server does not have a fixed IP address, or in situations where frequent connections incur high cost. Check the box Enable Mail Batching to enable the fields on this tab.

Note: Mail Batching must be enabled whenever Dial-Up Networking is used.


Click Configure Schedule to see the Delivery/Polling Schedule dialog.

Alter the schedule block if desired:

• Drag using the left mouse button to add to the blue “business hours” area.

• Drag using the right mouse button to erase from the blue “business hours” area.

• To reset the schedule to the default time block, click on Set Default Schedule.

• Choose to “snap” the schedule times to the nearest whole, half or quarter hour using the drop down box.


• Select the frequency of connection for inbound and outbound email for business and out-of-business hours.

• Click OK to return to the Batching & Dial-Up tab.

Next choose how email retrieval will be requested.

If the downstream server controls delivery select No Action.

To send an ETRN command to a server, select Via ETRN to domain and enter the host name or IP address of the downstream email server.

To collect email from a POP3 account, select Via POP3 account then click Modify... to use the POP3 Email Collection dialog.

Note: When MailMarshal delivers outgoing email it will always poll the server for inbound email unless the “Never” option is selected in the Check for incoming mail every drop-down list.

Note: The selected Mail Batching schedule can be overridden from the MailMarshal Console using the Send/Receive Now button at the bottom of the Console window.


Complete the fields in this dialog and click OK. (POP3 can be used for multiple addresses within a single account. The downstream server will have a POP3 account containing an email alias for each user.)

The list of POP3 recipient fields is used by MailMarshal to determine the recipients for messages addressed to multiple users. Additions and deletions should be made only if problems with delivery occur. Consult the ISP for information on custom address headers which may be added.

To collect email using a custom executable command, select Execute the following command, then enter (or browse to) the full path of the executable application. For instance, some ISPs use the finger command, e.g.

c:\winnt\system32\finger [email protected].

If a command is required, the ISP or downstream server operator will provide instructions.

If outbound email is to be delivered over a dial-up connection, check the box Use Dial-Up Networking and fill in the appropriate information. Select a RAS entry from the drop-down list, or click on New Phonebook Entry to add the appropriate information. Fill in other information as appropriate. The correct settings should be obtainable from existing email server settings or from the ISP.

Note: Test Dial-Up connections using the standard Windows Dial-Up Networking capabilities.


Blocked Hosts

This tab is used to enter the names or IP addresses of SMTP servers which are not allowed to deliver email to MailMarshal. MailMarshal will refuse SMTP connections from these servers.

To activate host blocking, click the checkbox then click New. Enter a host name or IP address in the field provided.

Host names must be entered in full. Wildcards are not supported for names.

You can also enter a single IP address, or a network block range.


For example, enter 10.2.0.1 to block connections from the single IP address. Enter 10.2.0.0/24 to block all connections from the 10.2.0.n subnet.

• To add an additional entry, click New again.

• To edit an entry in the list, double-click it to enable editing.

• To delete an entry, select it then click Delete.

Note: Because a variety of formats is possible, limited syntax checking is done on Blocked Host entries. Make entries carefully.


Host Validation

This tab is used to configure email blocking based on domain name information.

Messages may be blocked outright, or logged, if they come from a host listed in a DNS Blacklist (MAPS compatible) database. These databases list open email relays and other Spam related hosts.


Messages may also be blocked based on reverse DNS lookups to confirm the identity of the sending host.

DNS Blacklist

This section allows configuration of DNS Blacklist databases, used in the Receiver Rule condition Where sender's IP address is listed in DNS Blacklist.

To add a new DNS Blacklist database to the list, click New to use the New DNS Blacklist dialog.

The checkbox Enable this DNS Blacklist specifies whether the service will be available for selection in Receiver Rules. To enhance processing speed, only the DNS blacklists that are actually used in rules should be enabled here.

In the first text box, enter a name by which the service will be known within MailMarshal.

In the second text box, enter the domain name of the service (e.g. blackholes.mail-abuse.org).

Click OK to return to the Host Validation tab.

To edit a DNS Blacklist database listing, select it and click Edit.

Note: These features may intentionally refuse email messages from sites that fail the validation criteria. DNS Blacklist databases, in particular, are subject to change without warning. Enable and use these features only after careful consideration and monitor the results periodically.


To delete a listing entirely, select it and click Delete.

DNS Validation

To validate hosts sending incoming email against DNS information, click on the appropriate checkbox. MailMarshal will perform a reverse DNS lookup on the IP address from which email is being sent.

Select an option using the radio buttons.

• Choose to Accept unknown hosts if hosts without appropriate DNS information are to be allowed to send email, but logged to the Windows event log. This option annotates the message header as “not validated”. It is usually used for testing or debugging purposes.

• Choose Host must have a PTR record to block messages from any host that does not have a valid DNS PTR record.

• Choose PTR Record must match the HELO connection string to block messages from hosts whose PTR domain does not match the HELO identification sent by the server. This is the most restrictive option.

Note: If MailMarshal is attempting to query a blacklist server that is not responding, you may experience some delays in processing. (The same issue can arise with a subscription database if you are not a subscriber.) See “DNS Blacklists” on page 249 for more information.

Note: Valid email traffic may be blocked by DNS checking if the sending site does not have PTR records or they are faulty.
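The two Host Validation checks described above, worked through as an added example (not code from MailMarshal or this guide). The DNS data is constructed so the example runs offline, the mode names are hypothetical labels for the three radio buttons, and the case-insensitive exact comparison of PTR name and HELO string is an assumption about what "match" means.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) so the example runs offline.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.com.",
    "192.0.2.20": "host20.isp.example.net.",
}
# 192.0.2.30 is treated as listed in the zone the guide uses as its example.
DNSBL_RECORDS = {"30.2.0.192.blackholes.mail-abuse.org": "127.0.0.2"}


def lookup_ptr(ip):
    """Stand-in for a reverse DNS lookup; returns a host name or None."""
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    """Stand-in for an A-record lookup; returns an address or None."""
    return DNSBL_RECORDS.get(name)


def dnsbl_query_name(ip, zone):
    """Name queried in a DNS blacklist: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".").lower()


def is_blacklisted(ip, zone, resolver=lookup_a):
    """A host is listed when the constructed name resolves to any address."""
    return resolver(dnsbl_query_name(ip, zone)) is not None


def normalize(name):
    return name.strip().rstrip(".").lower()


# Hypothetical labels for the three DNS Validation radio buttons.
MODES = ("accept_unknown", "require_ptr", "ptr_matches_helo")


def validate_host(ip, helo, mode, resolver=lookup_ptr):
    """Return (decision, annotation) for a connecting host."""
    if mode not in MODES:
        raise ValueError("unknown mode: %r" % mode)
    ptr = resolver(ip)
    if mode == "accept_unknown":
        # Mail is accepted either way; only the header annotation differs.
        return ("accept", "validated" if ptr else "not validated")
    if ptr is None:
        return ("reject", "no PTR record")
    if mode == "require_ptr":
        return ("accept", "validated")
    # Assumption: "match" is an exact, case-insensitive name comparison.
    if normalize(ptr) == normalize(helo):
        return ("accept", "validated")
    return ("reject", "PTR does not match HELO")


if __name__ == "__main__":
    zone = "blackholes.mail-abuse.org"
    for ip in ("192.0.2.10", "192.0.2.30"):
        print(ip, dnsbl_query_name(ip, zone), is_blacklisted(ip, zone))
    # A host with a generic ISP PTR record passes "require_ptr" but fails the
    # strictest mode: the legitimate-mail loss the note above warns about.
    for mode in MODES:
        print(mode, validate_host("192.0.2.20", "mail.customer.example", mode))
```

Running the same sample connection through all three modes shows which legitimate senders each setting would start refusing before the option is enabled in production.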


Header Rewrite

MailMarshal can modify email header and envelope detail (e.g. to allow email aliasing). In addition to rewriting by Standard Rule actions, global modifications can be performed by the MailMarshal Receiver during email message receipt. Global rewriting is controlled through the Header Rewrite tab.

Note: This is an advanced option and most sites will not need to use this facility. Test any rules thoroughly, as errors may cause all affected messages to be undeliverable.


To create a new global Header Rewrite rule, click New. To edit an existing rule, highlight it and click Edit. To delete a rule, highlight it and click Delete.

Information on the syntax and options for Header Rewrite rules is found in Chapter 15, “Header Matching and Rewriting.”

The order of evaluation of header rewrite actions may be significant. To adjust the order, select a rule and use the arrows to move it up or down in the list.

Anti-Relaying

This tab is used to control SMTP Relaying through MailMarshal.


Relaying is the passing of messages to another server for delivery. If an email server allows open relaying, anyone (including bulk and spam senders) can use the name and resources of that server. Best practices require relaying to be tightly controlled (see below).

MailMarshal relaying control may be configured in three locations and by three different methods: POP3 accounts (see Chapter 7, “POP3 Accounts”), Receiver rules (see Chapter 5, “Rulesets and Rules”), and this Server Properties tab.

By default MailMarshal is configured to stop all external domains relaying email through it.

The list of “local network” addresses determines which additional computers are allowed to relay email through MailMarshal. For instance, if email clients such as Eudora send email directly to MailMarshal, their addresses (or the entire internal network) should be added.

To disable anti-relaying completely (not recommended), click to uncheck the checkbox Prohibit Relaying.

To add the addresses of local servers or networks to the list permitted to relay, click New to use the New Local Network dialog.

• Enter the IP address of a computer or network in the dotted box.

• Enter the network mask. A 32-bit mask defines a single address (255.255.255.255); a 24-bit mask includes a class C network (255.255.255.0).

Note: The local domain email servers, entered in the Installation Wizard or the Local Domains tab of Server Properties, are always allowed to relay through MailMarshal.


• Select the appropriate radio button to choose whether this range of addresses is to be included in the local network (permitted to relay) or excluded (forbidden to relay).

• Click OK to add the address range to the list.

To edit an existing range, select it then click Edit. To delete a range, select it then click Delete.

Block suspicious local-part relay attempt

A specially formatted Recipient field may be interpreted by some email systems as a relay instruction. This may appear as an embedded standard email address within quotes ("user@domain"@domain), or an embedded % or ! character in the “user name”. If this function is correctly handled by other servers in your environment, uncheck the box to allow these messages.

Note: Since addresses not specifically permitted to relay will be forbidden, exclusions here are only used for exceptions within a permitted group. For instance, a university using POP3 email clients might include its entire private net block as permitted to relay, but exclude the portion of the block assigned to public access computers.
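The relay decision described in this tab, modelled as an added example (not MailMarshal's own code): included and excluded address/mask ranges, plus the suspicious local-part test. The network ranges, the domain name and the function names are constructed; that an exclusion always overrides an inclusion, and that the local-part check is applied only to clients not permitted to relay, are assumptions.

```python
import ipaddress

# Constructed "local network" list in the dialog's terms: address, mask, and
# whether the range is included (may relay) or excluded (may not relay).
LOCAL_NETWORKS = [
    ("10.20.0.0", "255.255.0.0", True),    # whole private block
    ("10.20.5.0", "255.255.255.0", False), # public access computers
    ("10.30.1.25", "255.255.255.255", True),  # one mail client, 32-bit mask
]
LOCAL_DOMAINS = {"ourcompany.example"}  # constructed local domain


def in_range(ip, address, mask):
    """True if ip falls inside the address/mask range."""
    net = ipaddress.IPv4Network("%s/%s" % (address, mask), strict=False)
    return ipaddress.IPv4Address(ip) in net


def client_may_relay(ip, networks=LOCAL_NETWORKS):
    """Included and not excluded. Anything unlisted is forbidden by default."""
    included = any(in_range(ip, a, m) for a, m, inc in networks if inc)
    # Assumption: an exclusion overrides an inclusion regardless of list order.
    excluded = any(in_range(ip, a, m) for a, m, inc in networks if not inc)
    return included and not excluded


def suspicious_local_part(recipient):
    """Detect an embedded address, % or ! in the part before the final @."""
    addr = recipient.strip().strip("<>")
    local, sep, _domain = addr.rpartition("@")
    if not sep:
        local = addr
    return any(ch in local for ch in "@%!")


def relay_decision(client_ip, recipient, block_suspicious=True,
                   networks=LOCAL_NETWORKS, local_domains=LOCAL_DOMAINS):
    """Decide what to do with one RCPT address from one client."""
    if client_may_relay(client_ip, networks):
        return "accept"
    # Assumption: the local-part check applies to clients not allowed to relay.
    if block_suspicious and suspicious_local_part(recipient):
        return "reject: suspicious local-part"
    domain = recipient.strip().strip("<>").rpartition("@")[2].lower()
    if domain in local_domains:
        return "accept"  # delivery to a local domain is not relaying
    return "reject: relaying prohibited"


if __name__ == "__main__":
    samples = [  # constructed connections
        ("10.20.1.7", "someone@elsewhere.example"),
        ("10.20.5.9", "someone@elsewhere.example"),
        ("203.0.113.4", "user@ourcompany.example"),
        ("203.0.113.4", '"someone@elsewhere.example"@ourcompany.example'),
        ("203.0.113.4", "someone%elsewhere.example@ourcompany.example"),
    ]
    for ip, rcpt in samples:
        print(ip, rcpt, "->", relay_decision(ip, rcpt))
```

The last two samples show why the check matters: the final domain is local, so a test on the domain alone would accept an address whose local part names another destination.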


License Info

This tab displays the details of the current Product License Key.

A new key must be requested if the local domain names are changed. A key may also be requested to increase the licensed user count, or to purchase the product (if it is running as a free trial).


To request a new key click Request Key.

Enter the appropriate contact information in the form. MailMarshal automatically appends the current local domain list and key details. Enter any additional comments (such as the number of new user licenses desired) in the Additional Information field. Click Send Request to email the data to Marshal.

Note: Changing or adding a local domain name will invalidate the license key. When invalidated for this reason, the key reverts to a 14 day trial. This allows ample time to contact Marshal for a new permanent key. There is no charge for this service.


Use the check box to select how MailMarshal behaves if a license key becomes invalid or expires. In all cases, MailMarshal continues to accept messages, subject to available disk space.

• Select Pass through to allow email delivery to continue, but without any evaluation of content or virus scanning. Typically this option would be chosen for trial sites.

• Select Halt all processing to hold messages in the Incoming directory. Messages will be held until a valid key is entered or this choice is changed. This is the more secure option.

To enter a key click Enter Key, type or paste the key provided by Marshal, then click OK. An information box will report the validity details of the key you entered.

Advanced

This tab collects several rarely changed but useful features.

Change Folders

Locations of the folders used by MailMarshal may be altered. Stop all MailMarshal services using the Configurator before changing locations. The physical location of folders should be on the local computer.

Before changing folder locations here, the new locations should be planned. MailMarshal will create the folders, if necessary, during the change process. Any data (such as message files) must be manually moved to the new folders.

Warning: Changing the directory paths may damage the MailMarshal installation if performed incorrectly. Current settings and data should be backed up before performing this procedure.

Folder locations are discussed in Marshal Knowledge Base article Q10423.


Click Change Folders to see the MailMarshal Folders dialog. Enter or browse for the appropriate location for each folder.

When done, click OK to close the dialog and return to Server Properties, or Cancel to discard any folder location changes.

Additional Options

Clicking this button opens the Advanced Options dialog. The various tabs of this dialog give access to a variety of rarely changed settings. To restore the default settings (for any individual tab or all tabs within this dialog), click Default.

General

Engine:

• Enable RTF Stamping: Check this box to enable message stamping of messages generated in RTF format by Microsoft software.

• Maximum Attachment Unpacking Depth: The number of levels of archive recursion (e.g. zip file within a zip file) that MailMarshal will attempt to unpack before deadlettering the email as “suspicious.”

• Maximum MIME Nesting Depth: The number of levels of MIME (email encoding) recursion (e.g. message within a message) that MailMarshal will attempt to unpack before deadlettering the email as “suspicious.”

Sender:

• Send HELO instead of EHLO: Check to use the SMTP (rather than ESMTP) protocol when sending.

• Specify host name: MailMarshal requires a default domain name to be specified, so it can identify the domain of origin for email it sends.

The preferred method of entering a host name is to insert a domain suffix within Windows networking properties (see “Host Name or Unable to Determine the Domain” on page 248 for more information).


To override the value set in Windows, check the Specify Host Name box and enter a host name in the field (for example mailfilter.netgate.example.com).

Templates

This tab allows alternatives to the “built-in” administrative email messages used by MailMarshal. To alter any of these messages, first create a suitable email template. Then select your newly created template using the appropriate drop-down menu on this tab. Please see Chapter 11, “Email Templates” for more details. The following functions are covered by these templates:

• Dead Letter (Engine): Sent to the Administrator when the MailMarshal Engine places an email in the DeadLetter folder.

• Undetermined: Sent to the Administrator when the MailMarshal Engine places an email in the DeadLetter - Undetermined folder.

• Bad Domain: Sent to the “return path” address when MailMarshal is unable to deliver a message to a remote domain (because the domain could not be found in the DNS).

• Dead Letter (Sender): Sent to the Administrator when the MailMarshal Sender places an email in the DeadLetter - Routing folder.

• Expired: Sent to the “return path” address when MailMarshal cannot deliver a message to a remote domain within the specified retry time.

• Failure: Sent to the “return path” address when MailMarshal cannot deliver a message to a remote domain (for other reasons).

• Overdue: Sent to the “return path” address when MailMarshal encounters delay in delivering a message to a remote domain.

• Forward Unknown: Sent to the Administrator when MailMarshal is configured to deliver email for a domain to a local POP3 box, but no box has been configured for the specific recipient.

• Undeliverable: Sent to the Administrator when MailMarshal cannot deliver a message and cannot return it (usually because the failed message was auto-generated).


• Certificate Expired: Sent to the Administrator when a S/MIME security Certificate that is about to expire is used by the MailMarshal Secure module.

• CRL Update Failed: Sent to the Administrator when a configured automatic update of a Certificate Revocation List fails.

Ports

• Controller RPC Port: The port used by the MailMarshal Configurator and Console to communicate with the MailMarshal Server.

• Receiver SMTP Port: The port on which the MailMarshal Server accepts incoming email.

• Bind Receiver to: By default MailMarshal accepts email on every IP address available. To limit MailMarshal to accept email on a single IP address, select the appropriate radio button and enter the desired IP address.

• Sender SMTP Port: The port on which the MailMarshal Server sends outgoing email.

Receiver

• Maximum number of recipients: If a remote host attempts to deliver a message for more than this number of recipients, the Receiver will refuse delivery.

• ESMTP Authentication: MailMarshal can require authentication (using a Receiver Rule) before allowing an external system to send email. Authentication is by MailMarshal POP3 account and password. Choose the desired behavior using the drop-down box:

Disabled: Do not advertise ESMTP authentication. Authenticated connections from external systems will not be available.

Note: The MailMarshal Controller service must be restarted (from the Service Control Manager) in order for a change in this port assignment to take effect. Remember to restart all dependent services. The port setting must then be changed in the Configurator and Console.


Enabled: Advertise ESMTP authentication for all connections. The Receiver Rule condition Where sender has authenticated can be used to control connections.

External only: Advertise ESMTP authentication only for connections from clients outside the local “allowed to relay” network. The Receiver Rule condition Where sender has authenticated can be used to control external connections. This is the default value.

• Block bare line feeds: The LF (linefeed) character without a preceding CR character is not allowed in email messages according to Internet standards, but some legitimate email systems generate email with this character. Check this box to strictly enforce blocking of email with bare LF characters. Clear the box to allow such email (this is the default value).

• Greeting String: The text of the message sent to a remote system with the initial 220 “ready” response.

• Received Header: The text of the “received” header appended to each incoming message.

Server Threads

Settings for small and large sites are preconfigured. Click on a radio button to select the appropriate size site. The thread settings selected will be displayed, grayed out, in the spin boxes.

If a custom setup is required, click the Custom Thread Settings radio button to enable the spinner windows. The choices available for configuration are:

• Total Receiver Threads: the maximum number of simultaneous connections that will be accepted by the MailMarshal Receiver.

• Total Engine Threads: the maximum number of simultaneous threads which will be used by MailMarshal Engine to process messages.

• Total Sender Threads: the maximum number of simultaneous threads which will be used by MailMarshal Sender to deliver messages.


• Local Domain Threads: the maximum number of sender threads used to deliver messages to local domains.

• External Domain Threads: the maximum number of sender threads used to deliver messages to any one non-local domain.

Times

These settings control the time before timeout for various functions.

SMTP Transmission Timeouts:

• Initial Host Greeting: number of seconds MailMarshal will wait for a HELO response when connecting to a remote server.

• Protocol/Data Send: number of seconds MailMarshal will wait for a response after sending data (e.g. a RCPT or message body).

• Protocol/Data Receive: number of seconds MailMarshal will wait to receive data after connecting or acknowledging previous data.

Message Transmission:

• Retry Periods: comma separated list of periods (in minutes) between attempts to send messages to a remote domain. After each period has been used once, the final value in this list will be used until the “expiration” time is reached.

• Expiration: Number of minutes for which MailMarshal will attempt to send a message. The default is 4320 minutes (72 hours).

• Notification: Number of minutes before MailMarshal will send the first “delay” notification to the sender. Optionally a comma separated list of three values (used for high, normal, and low priority messages).

• Renotification: Number of minutes before MailMarshal will send an additional “delay” notification to the sender. Optionally a comma separated list of three values (used for high, normal, and low priority messages).
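How the four Message Transmission values interact, as an added example (not MailMarshal's code) that expands them into a timeline for one undeliverable message. The sample retry list and notification values are constructed; that an attempt or notice is only made strictly before the expiration time, and that Renotification counts from the previous notice, are assumptions.

```python
def parse_minutes(text):
    """Parse a comma separated list of positive minute values."""
    values = [int(part) for part in text.split(",") if part.strip()]
    if not values or any(v <= 0 for v in values):
        raise ValueError("expected positive minute values: %r" % text)
    return values


def retry_times(retry_periods, expiration):
    """Minutes after queuing at which each retry is attempted.

    Each listed period is used once; the final value then repeats
    until the expiration time is reached.
    """
    periods = parse_minutes(retry_periods)
    times, elapsed, index = [], 0, 0
    while True:
        elapsed += periods[min(index, len(periods) - 1)]
        # Assumption: no attempt is made at or after the expiration time.
        if elapsed >= expiration:
            return times
        times.append(elapsed)
        index += 1


PRIORITIES = ("high", "normal", "low")


def per_priority(text, priority):
    """One value applies to all priorities; three map to high, normal, low."""
    values = parse_minutes(text)
    if len(values) == 1:
        return values[0]
    if len(values) == 3:
        return values[PRIORITIES.index(priority)]
    raise ValueError("expected one value or three: %r" % text)


def notification_times(notification, renotification, priority, expiration):
    """Minutes after queuing at which "delay" notices go to the sender."""
    first = per_priority(notification, priority)
    # Assumption: each further notice follows the previous one by this interval.
    step = per_priority(renotification, priority)
    times, elapsed = [], first
    while elapsed < expiration:
        times.append(elapsed)
        elapsed += step
    return times


if __name__ == "__main__":
    # Constructed settings; 4320 minutes is the default expiration in the guide.
    retries = retry_times("10,10,30,60", 4320)
    print("retries:", len(retries), "first:", retries[:5], "last:", retries[-1])
    for priority in PRIORITIES:
        print(priority, notification_times("30,60,120", "240", priority, 720))
```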


Chapter 18

Reports

MailMarshal Reports allows generation of reports based on the information logged by the MailMarshal Server. A wide range of reports is available including overall summaries and per-user information.

In order for reports to be generated, logging must first be enabled, either in the MailMarshal installation wizard or from the Reports tab of Server Properties.


MailMarshal Reports may be installed on any Windows 2000, Windows XP, or Windows Server 2003 workstation which can connect to the logging database. MailMarshal Reports is implemented as a MMC snap-in using a licensed runtime version of Crystal Reports. For general information and tips on the MMC, please see Chapter 22, “MailMarshal and the MMC.” This manual assumes that the MMC is displaying the left (menu tree) pane as well as the right (details) pane.


To Install MailMarshal Reports

The Reports application is included on the MailMarshal distribution CD-ROM, or as a separate download from the Marshal website. Insert the MailMarshal CD-ROM and choose Install Reports from the autorun or Setup Wizard application. Alternatively, run the downloaded MailMarshal Reports installation file. Carefully read and accept the license information. Choose a destination location and program folder. The MailMarshal database from which to produce reports is selected when the Reports application is run (see below).

Note: If the MailMarshal Reports application will be run by users who do not have administrative rights (e.g. username “sa”), the administrator should run MailMarshal Reports immediately after setup, connect to the database and select Tools > Load SQL Scripts. The result should be “SQL scripts successfully loaded.” This need only be done once and should prevent subsequent access rights failures. For further information, see “Reports Issues” on page 250.


Starting MailMarshal Reports

Run the MailMarshal Reports application from the Start menu. Enter appropriate information in the Database tab of the Report Group dialog, if it appears.

• SQL Server Name: the name of the computer where the MailMarshal Reports database resides. Type in the name of the SQL Server (or MSDE) computer where the MailMarshal database resides, or browse the local network using the browse button provided.

• Windows NT or SQL Authentication: Choose whether to connect using the NT logon of the active user, or a SQL username and password.

• User Name: If using SQL authentication, enter the SQL user name associated with the MailMarshal database. By default the user name is “sa”.

• Password: If using SQL authentication, enter the SQL password for the database. By default the password for the “sa” account is blank.

• Database Name: Enter the name of the MailMarshal database. Choose a name from the drop-down list, or type in a new name.


• Always request database details: If this box is checked, this database connection dialog will appear each time MailMarshal Reports is started.

• Connect to database using TCP/IP: If this box is checked, the database connection will be attempted using TCP/IP. This setting may be useful where the database server and the Reports workstation are separated by a firewall or not within the same local network.

To view the list of available reports, expand the various branches of the left pane menu tree. Basic information about each folder and report is given in the Description column.

Report Properties

To view the full definition of a particular report, highlight it then click the Properties icon in the toolbar.

The Report Properties dialog has four tabs.

• General: the report name (as shown in the MMC) and a more complete description are shown.

• Parameters: the report title (as seen when the report is generated) is shown. Click Edit to view and change the parameters using the parameters detail dialog.

If the box Request parameters before running report is checked, the parameters detail will be presented (for confirmation or change) each time the report is generated. If this box is not checked, the parameters will not be requested when the report is generated.

• Report: Information on the report definition file and DLL is shown.

• Select: A new report definition file may be selected from the list. This should only be done when creating a new custom report.


Generating Reports

Begin generating a report by double-clicking on it in the right pane. Choose detailed parameters in the parameter detail dialog.

When all options are chosen, click OK to view the report in a new window.

The title of the dialog shows the title of the report as it will be generated. To change the title use the Parameters tab of the Report Properties dialog.

Note: Not all options are available for all reports.


Report Parameters

Reporting Period

The period may be selected in any of 5 ways, each represented by a tab. When entering a date, use the drop-down arrow at right of the date field to view a calendar.

• Common: Select a standard period from the list by clicking a radio button.

• Special: Select a reporting period by period type (e.g. month, day), number, and starting day.

• Period: Select a reporting period by period type (e.g. month, day), number, and starting date (dd/mm/yyyy).

• Date: Select a reporting period by starting and ending dates. If Inclusive is checked, the ending date will be included in the report.

• Time: Select a reporting period by starting and ending dates and times.

Sort By

Many sorting options are provided. Not all options are available for all report types.

Domain, User, Subject, Message Name, Classification, Description

Optionally enter text to search for in any or all of these fields. Wildcard syntax is available as supported in the Configurator for local domains. For a full description of the syntax, see “Wildcards” on page 170.

A menu of wildcards is available through the button at right of each field. The following functions are available:

• Any Character: Match any single character (inserts “?” into query).

• Any String: Match any number of characters (inserts “*” into query).

• Character in Range: Match any character in the given range (inserts [ ] into query; add a range of characters e.g. a-z).


• Character not in range: Match any character not in the given range (inserts [^] into query; add a range of characters e.g. a-z after the ^).

• All: show all items without limits.

• Starting With: show items starting with the characters entered.

• Ending With: show items ending with the characters entered.

• Containing: show items containing the characters entered.

For the Classification field, click the button to the right of the field and choose Select... to view a list of available items. To include one or more items in a report, check the appropriate boxes.

Size

Enter a minimum (and optionally a maximum) message size to search for. Select a size unit from K (Kilobytes) or M (Megabytes).

Sent Messages Counted

If present, this option provides a choice of the way in which sent messages are counted:

• Once (count of messages sent to MailMarshal by the sender.)

• Per Session (count of resulting messages sent outbound, normally one per recipient domain.)

• Per Recipient (count of all recipients for all messages.)

Note: Either the Select option or wildcards may be used.

Note: The “per session” method most closely reflects Internet bandwidth usage.


Local Domains Only

When this box is checked only information on Local Domains will be reported.

Include Internal Traffic

When this box is checked messages sent through MailMarshal between Local Domains will be included in the totals.

Costing

Enter values for the cost to send and to receive one megabyte of data. Do not include a currency symbol; it will be supplied from the system settings.

Message Only

When this box is checked, only a list of messages will be shown. When the box is not checked (default), actions taken on the messages will also be shown on the main page of the report.


Report Window

Within the Report window, several options may be available to customize the view and see additional details. The Help menu includes two choices: general help and help about the specific report.

Toolbar Options

• Close Current View: close the drill-down tab currently showing.

• Print: print a copy of the report, or selected pages. (Printer setup is available from the File menu.)

• Toggle group tree: show a list of available detail items in a separate pane. Double-click on any of these items to jump to it in the main report. If the item is a group, click the + icon to view the members of the group.


• Magnification: choose the magnification of the report on screen.

• Page selector: shows the number of pages in the report. Choose the page to view.

• Stop button (available while report is being generated): Stop generating the report. Optionally show the partial report.

• Find: search the report for text.

Drill-down

Some fields in a report are linked to detailed information or limited views. The mouse pointer shows a magnifying glass when moved over these fields. In addition, a tool tip will indicate that drill-down is possible. Double-click to see the drill-down report.

Drill-down items which have been viewed within the current report window are saved as tabs at the top of the window. Click any tab to view the associated report. Use the Close current view icon to delete a drill-down view and its tab.

Customizing Reports

Existing MailMarshal Reports can be customized with local parameters. These reports can then be run simply by double-clicking. Customized reports may be based on existing reports, or on the default report types.

Note: The scroll bar in the report window is limited to the current page. Use the page selector to move between pages.

Note: If the text in a field is truncated, hold the mouse over the field to see the complete information.

Note: It is not currently possible for users to create new report types.


Reports Based on Existing Reports

Choose an existing report type to use as a template. Make a copy of this report by dragging it to the desired location while holding down the <CTRL> key.

Edit the copy of the report by double-clicking it (or right-click and select Properties). Within the Report Properties dialog, make any desired customizations and changes.

To allow the report to be run without confirmation, uncheck the box Request parameters before running report.

When satisfied, click OK in the Report Properties dialog. The custom report is now available.

Reports Based on Default Types

Select the group (folder icon) where the custom report is to be placed. Choose New > Report... from the Action menu to use the New Report wizard.

Complete the pages of the wizard to place the newly customized report in the group. Details of the information required are given in “Report Properties” on page 203.

Exporting Reports

MailMarshal Reports can be exported (saved) in a variety of formats (as provided by the Crystal Reports engine). The presentation quality varies depending on the format selected. In general the best formats to use are: Crystal Report, DHTML, text, Excel, and RTF.

Note: If the <CTRL> key is not held down the existing report will be moved.


Export may be started by right-clicking on the report name and choosing Export, or by clicking the Export icon from the report window toolbar.

Export Options

The Export Options dialog is presented when Export is selected (from the report window or by right-clicking on a report name).

This dialog can also be accessed by right-clicking on a report name and choosing Export Options. The options selected are retained as the defaults for the report instance.

Note: Drill-down pages are only available in the Crystal Report 8.0 export format. All other export formats show only the main report view.


On the first page of the Export Options dialog, choose how to create the export.

• File: saves the export as a file. A name will be entered by default. To select a specific name, use the browse button or type a file name in the field.

• Application: opens the export directly in the required application (such as Internet Explorer or Lotus 123). Uncheck the box Use Temporary File to save the data in a permanent named file as well.

• Email: attaches the exported data to an email message using the default email application.

Depending on the type of export chosen, additional options may be available.

Email Options

The report will be attached to the email as a file of the type chosen in the export options page.

• Send to: Enter the email address to which the message should be sent.

• Copy to: Optionally enter an email address to which the message should be CC'd.

• Subject: Optionally enter a subject for the email message.

• Message: Optionally enter a message body describing the attachment.

HTML Options

• Generate navigation buttons: add links at the bottom of each page to jump to the first, next, previous, or last page of the report.

• Create all output on one page: Use one HTML document for all output. Page divisions will be indicated graphically.

Pagination Options

• Lines per page: set the number of output lines between page break characters, using the spin box. This option is used for export of a report to paginated text.


Separator Options

These options are used when creating a values text file (character separated values, comma separated values, data interchange format, and tab separated values).

• Format numbers as in report: Numbers are output with text formatting (such as comma separation of thousands). Unchecking this option causes numbers to be output in a basic format.

• Format dates as in report: Dates are output with text formatting. Unchecking this option causes numbers to be output in a basic format.

The following additional options are available for character separated values only:

• Field separator: the character (or characters) marking the boundary between two fields. In addition to printable characters, special separators include:

Field Entry    Separator used
\t             Tab character
\n             New Line character
\r             Carriage Return
\0             NUL character (Hexadecimal 00)
\\             \ (backslash)
\xHH           Any character (two hexadecimal digits)

• String delimiter: the character (or characters) marking the beginning and end of field text. The same choices are available as for field separators. This field may also be blank, in which case no delimiter is inserted.
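A decoder for the Field separator and String delimiter entries listed above, as an added example that is not part of the MailMarshal guide or the Crystal Reports engine. Rejecting unknown or incomplete escapes is an assumption (the guide does not say how they are handled), quoting of delimiters inside field text is not modelled, and the function names and sample field values are constructed.

```python
"""Added example: decoding Field separator / String delimiter entries."""

# The special entries from the guide's table, keyed by the character
# that follows the backslash.
SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "0": "\x00", "\\": "\\"}
HEX = set("0123456789abcdefABCDEF")


def decode_entry(entry):
    """Turn an entry such as '\\t' or '\\x1F' into the characters it names."""
    out, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch != "\\":
            out.append(ch)  # printable characters stand for themselves
            i += 1
            continue
        code = entry[i + 1:i + 2]  # empty when the backslash is last
        if code in SIMPLE:
            out.append(SIMPLE[code])
            i += 2
        elif code == "x":
            digits = entry[i + 2:i + 4]
            if len(digits) != 2 or not set(digits) <= HEX:
                raise ValueError(f"\\x needs two hex digits at position {i}")
            out.append(chr(int(digits, 16)))
            i += 4
        else:
            # Assumption: anything outside the table is treated as an error.
            raise ValueError(f"unsupported or incomplete escape at position {i}")
    return "".join(out)


def format_record(fields, separator_entry, delimiter_entry=""):
    """Join one row the way the two options describe (no inner quoting)."""
    sep = decode_entry(separator_entry)
    delim = decode_entry(delimiter_entry)  # blank entry: no delimiter inserted
    return sep.join(f"{delim}{field}{delim}" for field in fields)


def collisions(fields, separator_entry, delimiter_entry=""):
    """Fields whose text already contains the separator or the delimiter.

    Subject and address values in mail logs are sender-controlled text,
    so a separator that occurs in them shifts columns for whatever
    parses the export.
    """
    tokens = [t for t in (decode_entry(separator_entry),
                          decode_entry(delimiter_entry)) if t]
    return [f for f in fields if any(t in f for t in tokens)]


if __name__ == "__main__":
    row = ["Re: invoice, overdue", "user@example.com", "12"]  # constructed
    print(repr(format_record(row, r"\t", '"')))
    print(collisions(row, ","))       # the subject contains a comma
    print(collisions(row, r"\x1F"))   # unit separator: no collision
```
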


Chapter 19

Arrays

MailMarshal provides support for arrays of servers.

Configuration information can be replicated from a master server to other servers in the array.

Most often, all servers in the array will service a single gateway.

Multiple servers can log to the same SQL database. The log records show which server processed a specific message. Reports will cover activity on all servers.


Each server in the array could be running Microsoft Windows Network Load Balancing (NLB) Clustering to share an IP address. Email will flow through this array in the same way as through a single MailMarshal server.

It is also possible to configure arrays with separate servers for inbound and outbound traffic, or separate servers for different local domains.

Arrays can also be used to replicate content security rules between geographically separate gateways. In this case the logging databases and delivery information would typically be different for each gateway.

Note: Replication requires several RPC related NetBIOS ports to be open on all servers. The master server must have access to the Windows Registry on all other servers. For these reasons, replication across the public Internet is not recommended.

[Figure: array network diagram. Labels: Internet; Firewall; Microsoft NLB Cluster; MailMarshal Master Server; MailMarshal Slave Server; Replication; Email Server; Email Admin; Configurator: Master IP, Port 19001; SMTP Traffic: Cluster External IP, Port 25; SMTP Traffic: Cluster Internal IP, Port 25.]


What Information Is Replicated?

The following configuration elements are replicated by default. (You can also exclude certain items from replication; see “Replication Exclusions” on page 224 for more details.)

• Rulesets and Rules.

• Rule Elements, such as User Groups, Folder names and settings, TextCensor Scripts, and Schedules.

• Database configuration for logging and Certificate storage (MailMarshal Secure).

• LDAP import configuration (used for User Group synchronization with other email systems).

• Server Properties configuration.

• User account and connection details.

• POP3 Accounts (see “Replication Exclusions” on page 224 for cautions).

• Product License Keys.

• Custom filetype signatures.

What Are the Limitations of Replication?

Prerequisites

The following prerequisites must be loaded manually on each server before the associated rule changes are made:

• Virus scanning software used in Rules.

• External Command executables.

• Cryptographic Providers (used by MailMarshal Secure only). The defaults provided with the Windows operating system will be sufficient in most cases.


Manual Settings

The following configuration elements must be copied or added manually on each member of the array:

• Private Keys for S/MIME encryption and decryption (MailMarshal Secure).

• The Host Name entry (not required in most installations; see “Host Name or Unable to Determine the Domain” on page 248).

Items Not Replicated

The following configuration elements cannot be replicated:

• The ValidFingerprints directory. (The list of Valid Fingerprints will be maintained for each server.)

• Updated SpamCensor files. (Each server must retrieve the updates individually from the Internet.)

• The contents of the MailMarshal Folders.

When an array is configured, all configuration changes should be completed through the array master server. Changes made directly on other servers will be overwritten by the next replication.

When MailMarshal is updated to a new version, all servers in the array must be updated at the same time. After updating all servers, reload the array configuration.

Configuring Arrays and Replication

A new array can be created, or a MailMarshal server can be joined to an array, from the Services and Arrays node of the Configurator.

Note: Replicating the contents of these items using Microsoft replication tools may be possible; however this solution is not recommended or supported by Marshal.


When this node is selected in the left pane of the MMC, the status of the MailMarshal services and array members (if any) is shown in the right pane.

For each server configured in an array, the server name and array logging ID are shown. The status column indicates whether the server is running or some services are stopped, and any other problems. The master server in the array is indicated.

To create a new array using the current server as master, click the Create/Join Array icon in the toolbar to start the Array Wizard.

To add a server to an existing array, click the Add A New Member icon in the toolbar to start the Array Wizard.

It is also possible to join a server to an array during initial server configuration. For details of this process, see “Configuration Wizard” on page 18.

Array Wizard

This Wizard is used to create a new array of MailMarshal servers or add servers to an existing array.

The initial page of the wizard indicates whether you have chosen to create or join an existing array, or to add another server to an array. Click Next to continue.

Note: Before you add or delete servers from an array, make sure that the MailMarshal Configurator you are using is the only one running. If another Configurator is running, you will be notified. Close the other Configurator and try again.


Create or Join Array: If you have chosen to create or join an array, this page is shown. Choose whether to create a new array or join an existing array.

If you create a new array, the server you are connected to will be the master of the new array.

If you choose to join an existing array, enter the name of a server in the array. You can browse the network neighborhood by clicking Browse [...].

Click Next to continue to the Array Member Logging ID page.


Add Array Member: If this server is already part of an array and you have chosen to add a member, this page is shown. Enter the name of the new server to be added. You can browse the network neighborhood by clicking Browse [...]. Click Next to continue to the Array Member Logging ID page.


Array Member Logging ID: On this page of the wizard, select a letter which will uniquely identify the server you have just added. This letter will be used to identify the server in log records and message names. You can choose any letter that is not already in use in this array.

Click Next to continue.


Array Replication Values: If you are creating a new array, this page will be shown. This page also appears when you view the properties of an existing array.

Select the items to be replicated. The following choices are available:

• Tightly coupled array: Select this choice to replicate all settings that can be replicated, including the database location and connection information. (See earlier sections of this chapter for a discussion of the settings that can be replicated.) This selection is appropriate where an array of MailMarshal servers is used at the same gateway location.

• Geographically separated array: Select this choice to replicate content security settings only. The following items will not be replicated (see “Replication Exclusions” on page 224 for more information):

- Logging and S/MIME database location and connection accounts

- Internet connection details

- LDAP connection details


- DNS settings

- Forwarding host setting

• Custom: Select this choice to activate the list of individual items. Select items to be replicated by checking the boxes in the list. See “Replication Exclusions” on page 224 for more information on each item.

Click Next to continue to the final page of the Wizard. Information about the changes that will be made is shown.

Click Finish to commit the changes. If a new server has been added to an existing array, the configuration will be replicated to the new server. The Replicate Configuration dialog allows you to monitor the replication.

Replication Exclusions

When you are replicating configuration to an array, you may wish to exclude some configuration items. You can choose which items to exclude within the Array Wizard when you create an array. All servers within the array will have the same exclusions.

Typically all items will be replicated where the array services a single gateway. Some items may be excluded where replication is used to maintain common content security rules between multiple gateways, or in other special cases.

The following items can be excluded:

• License Key: Typically the MailMarshal license key will be identical for all servers within an organization. However, if different members of the array accept email for different local domains, they will have different license keys.

• Logging Database information: Having all members of an array log to the same database allows reporting to cover the entire array. If the array covers multiple geographically separated gateways, a separate logging database should be configured close to each MailMarshal server. The database name/location and login details (Logging tab of Server Properties) are affected by this setting.

Note: Before putting any additional servers into production, make sure that all elements not included in replication are installed on all servers.


• Internet Connection details: If the array covers multiple geographically separated gateways, Internet access from each may be through a different proxy server. The server name, port, and login details (Internet Access tab of Server Properties) are affected by this setting.

• Local Domains: The servers in an array can process messages for different local domains. This could be true either for a single gateway or separate gateways. The information on the Local Domains tab of Server Properties is affected by this setting.

• User Groups: If the array covers multiple geographically separated gateways, each will have a different internal email server and different users. User Group membership can be different.

• LDAP connection details: If LDAP is used to retrieve user group information from separate internal email servers at geographically distinct gateways, different LDAP connections may be required to populate the user groups. See the LDAP Connections node of the Configurator.

• POP3 Accounts: When ESMTP authentication by POP3 account is in use, account information should be replicated. See the POP3 Accounts node of the Configurator.

• DNS settings: MailMarshal servers in an array could require access to different DNS servers, particularly when they are geographically separate. See the Delivery tab of Server Properties.

Note: Remember that servers configured with different Local Domains require different license keys.

Note: Remember that all User Groups named in the rules must exist on all servers.

Note: POP3 accounts should generally not be used for email delivery on an array, since there would be no single location from which clients could collect email. POP3 accounts could be used for email delivery if each array member processes messages for different local domains.


• Forwarding host: If MailMarshal is configured to send all outgoing email to a specific host, geographically separate gateways will probably send through different hosts. See the Delivery tab of Server Properties.

• Certificate database location: When MailMarshal Secure is in use, the Certificate database is used to store information relative to S/MIME certificates. If the array covers multiple geographically separated gateways, a separate certificate database should be configured close to each MailMarshal server. Even where only one gateway is involved, for speed and availability a separate database could be configured using MSDE on each MailMarshal server. See the Secure Email tab of Server Properties.

Managing an Array

All changes to replicated information should be completed through the array master server. Changes made directly on other servers will be overwritten by the next replication (subject to the Replication Exclusion settings).

If you open the MailMarshal Configurator to a server which is not the master of the array it belongs to, you will be given the chance to connect to the array master instead.

To make configuration changes, use the MailMarshal Configurator as usual. Make sure that any external items, such as virus scanner software and external commands, are present on all members of the array.

Note: If more than one Certificate Database is used, you must have a system to guarantee that the information in the databases is replicated appropriately. Private keys associated with certificates cannot be replicated automatically and must be copied to each server.

If changes require rules to be reloaded or services to be restarted, you will be notified as usual. Click the Reload icon on the toolbar. A dialog allows you to apply your action to all servers in the array, or the local server only. The Reload progress dialog details the actions MailMarshal is performing to update the array.

Information on using the Console to manage email flowing through an array of servers is given in Chapter 20, “The Console” and Chapter 22, “MailMarshal and the MMC.”

Making Changes to an Array

To add servers to an array, see the discussion earlier in this chapter.

To promote a server to be the master server of an array, expand the Services and Arrays node, highlight the desired server, and click the Promote icon in the toolbar.

To delete a server from an array, select it in the right pane then click the Delete icon in the toolbar.

Note: If you have chosen to reload and/or restart automatically, this process will be applied to all servers.

When a server is deleted from an array, it will continue to process email using its current configuration settings. After deleting a server from an array, you can change its configuration by connecting to it directly with the Configurator. If this server is no longer part of the same gateway, you should change the logging database location so that Mail History and Reports can be viewed separately.

To adjust array replication properties and exclusions, select the Services and Arrays node then click the Properties icon in the toolbar. The Array Member Replication Exclusions page will be shown. For details of this page, please see the section on the Array Member Replication Exclusions page of the Array Wizard, earlier in this chapter. Any changes will affect all servers in the array and will take effect when you click OK or Apply.

Updating MailMarshal Arrays

When MailMarshal is updated to a new version, all servers in the array must be updated at the same time. Any remotely installed Configurator or Console must be updated before it can be used.

After updating the software on all servers, reload the array configuration.

Note: You cannot delete the master server from an array. If the current master server must be deleted, promote another server to master first.

Chapter 20

The Console

The MailMarshal Console is used for day-to-day administration of the MailMarshal Server. Actions available from the Console include:

• Viewing the status of the MailMarshal services.

• Viewing information on queued outbound email messages.

• Reviewing messages that MailMarshal has moved or copied to folders.

• Releasing or reprocessing messages from folders if appropriate.

• Viewing a list of messages processed and their disposition.

• Searching for messages by header information (address, subject, etc.).

• Viewing service alerts.

• Viewing the status of Mail Batching, if configured.

• Viewing news and support information from the Marshal web site.

The Console is installed on the MailMarshal Server computer and may also be installed on any Windows 2000, Windows XP, or Windows Server 2003 workstation in the local network. For prerequisites and detailed instructions, see Chapter 3, “Installation.”

The Console is implemented as a snap-in to the Microsoft Management Console (MMC). For general information and tips on the MMC, see Chapter 22, “MailMarshal and the MMC.” This manual assumes that the MMC is displaying the left (menu tree) pane as well as the right (details) pane.

Connecting to the MailMarshal Server

When the Console is first run, or if one console is used to connect to more than one Server, it is necessary to make a connection. Select Action > Connect to Server from the menu.

Choose the name of the server from the drop-down list, or browse the network using the button provided. If the Server expects connections on a port other than the default 19001, enter the correct value. (To change this value at the Server, in the Configurator see Server Properties > Advanced.)

To connect as a user other than the current Windows user, select the appropriate radio button then enter the user information.

Click OK to attempt to connect.

Note: To include connections to more than one Server in a single Console, see Chapter 22, “MailMarshal and the MMC.”

Console Security Issues

MailMarshal Console uses the Windows secure RPC mechanism to communicate with the MailMarshal Server. A console user must have an account and password that can be validated by the MailMarshal Server. If the MailMarshal machine is in a different domain you can either set up a trust relationship or create local accounts on the MailMarshal Server computer. If the Console and the Server are separated by a firewall (e.g. if the Server is located in a DMZ), port 19001 must be opened in the firewall to allow remote Console access.

To view the email in the quarantine folders the account in use must have read access to the folders. If you wish to make changes to items (e.g. forward email, kill messages) the account will also need write access. Access to the folders should be limited by using Windows security.

To implement access control for other features, edit the access permissions on the MailMarshal.key file (in the MailMarshal folder on the server). Read access to this file allows the user to view the service status, queued domains and mail history. Write access to this file gives the ability to kill messages, dial now, retry domains and reload services.

The Main Console Screen

In the left pane, expand the element MailMarshal Console to see the console menu tree. Select MailMarshal Console to view the main Console screen in the right pane. This screen provides summary information on MailMarshal operation.

The top section displays the status, version number, and number of messages processed for each MailMarshal Service. Click View Detailed Status to see details in the MailMarshal Services screen.

The middle section displays recent Service Alerts. Click View Alert History to see a complete list in the Alert History screen.

The bottom section displays information on Remote Access (dial-up connectivity) and Mail Batching, including the next scheduled send and polling times. Click Send/Receive Now to initiate an immediate check and dispatch of queued messages.

Note: Messages processed today for each service will not generally be equal. Not all messages received are delivered (e.g. due to quarantine Rules), and MailMarshal’s notification messages are delivered but not received.

The Services Screen

Select the item Services in the menu tree to view the Services screen in the right pane.

The upper pane of this screen gives information about the MailMarshal Receiver; the lower pane gives information about the MailMarshal Sender.

Receiver State

The following information about the Receiver is available:

Internal Msgs: the number of messages, addressed to recipients in MailMarshal’s local domains, which have been processed today.

External Msgs: the number of messages, addressed to recipients outside MailMarshal’s local domains, which have been processed today.

Message details: a pane shows details of each message being processed by the Receiver, and its status.

Active Threads: the number of messages currently being processed by the Receiver service.

Licensed Users: the number of users recorded in the MailMarshal License Key.

Current Users: the number of local email addresses from which email has been received in the last 28 days.

Sender State

The following information about the Sender is available:

Internal Msgs: the number of messages, addressed to recipients in MailMarshal’s local domains, which have been processed today.

External Msgs: the number of messages, addressed to recipients outside MailMarshal’s local domains, which have been processed today.

Message details: a pane shows details of each message being processed by the Sender, and its status.

Active Threads: the number of messages currently being processed by the Sender service.

Msgs Queued: the number of messages waiting to be sent.

Domains Queued: the number of unique Internet domains to which messages are waiting to be sent.

Note: The Current Users value will be displayed in red if the value exceeds the licensed number. Rule processing and sending will continue as normal. If this condition persists, please contact Marshal or your reseller to obtain additional licenses.

Sender Actions

A message visible in the detailed Sender list can be killed (deleted) by selecting it and clicking the Kill Message button.

A detailed list of information about domains for which email is queued (waiting to be sent) can be viewed by clicking the button View Domains (or the menu tree item Queued Domains). The listing also shows the number of messages queued, number of sender threads dedicated to this domain, number of times delivery has been attempted, and the next retry time.

To delete all messages queued for delivery to a domain, select the domain from the list and click the Delete icon in the toolbar.

Note: Be sure that you really want to delete all messages for this domain. This action may be useful to quickly stop spam or virus generated email.

Domain Detail

Double-click on a domain record in the Queued Domains screen to view details in the Domain dialog. The upper pane of this dialog shows a list of MX records found for the domain. The lower pane shows details of each message awaiting delivery to this domain.

Highlight one or more messages in the lower pane then click Kill Message to delete the messages. Click the Retry Domain Now icon in the toolbar to force an immediate attempt to deliver messages to this domain.

Note: These actions will be grayed out if the user does not have sufficient permissions.

Message Folders

To view a list of MailMarshal’s message folders, expand the menu item Mail Folders. These Folders include the Archive, Parking and regular folders into which messages are placed through Rule action, as well as the Dead Letter folders used for messages which cannot be processed, and the Mail Recycle Bin used to hold deleted items for a period.

To view the contents of a folder, select it in the left pane. The contents will be displayed in the right pane. Folders may have subfolders created periodically if this option has been set up in the Configurator. By default no more than 1000 items will be retrieved for each folder. This number may be adjusted by choosing Tools > Options from the menu.

Message Folder Actions

To search for a message by its MailMarshal message name, use the search icon in the toolbar. (If Mail History is enabled, a more powerful search is available; see “History Search” on page 240.)

Messages in folders may be forwarded, deleted, processed, and viewed.

Forwarding a Message

To forward a message, select it then click the Forward icon on the toolbar (or open it then click the Forward icon on the message window toolbar). To forward to multiple addresses, enter them separated by semi-colons (e.g. [email protected]; [email protected]).

Note: Within the folders, the icon denotes a message that contains a virus, which was not successfully cleaned. Forwarding or passing through such a message is not recommended.

Notes:

• Message folder actions can be logged to the MailMarshal logging database for auditing purposes. Logging may have an effect on the speed of response, particularly where a large number of items are affected. You can enable and disable logging of message folder actions from the Logging tab of Server Properties (in the MailMarshal Configurator).

• Users who have read-only access to a folder cannot delete messages.

• Messages in Archive folders cannot be deleted.

Deleting a Message

To delete one or more messages, select them then click the Delete icon. The message(s) will be sent to the Mail Recycle Bin folder. To delete the message(s) permanently, hold down <SHIFT> while clicking the Delete icon.

Messages will be purged from the Mail Recycle Bin on the schedule associated with that folder.

Restoring a Message

To restore one or more messages from the Mail Recycle Bin to their original location, select them then click the Restore icon.

Processing a Message

One or more messages may be selected for processing. Clicking the Process Message(s) icon raises the Process Message dialog. The following actions are available:

Continue processing the message: this option continues processing the message after the Rule which placed it in the current folder. This action may be used to release a message from quarantine while testing it for any further violations of policy.

Reprocess the message: this option resubmits the message for processing by the current set of MailMarshal Rules. This option may be useful when rules have been adjusted.

Pass the message through: this option allows the message to be queued for delivery with no further evaluation.

If the checkbox Only apply this action to the following users is checked, the selected option will be effective for one or more recipients of the message as selected using the detail checkboxes.

Note: The “Continue Processing” and “Pass Through” options can also be requested using a specially formatted email message. See “Message Release” on page 107.

The following additional options are available:

• Delete the message after processing (selected by default): Once the selected actions have been performed, the message is deleted from the folder.

• Add attachment fingerprints: Attachments (including images embedded in MS Word documents) will be saved in the folder ValidFingerprints (located in the MailMarshal install folder). The unique “fingerprint” of each attachment will be loaded by the MailMarshal Engine. These attachments can be the subject of a Rule condition if they are found in the future. See the Standard Rule condition “where attachment fingerprint is/is not known” for more details. All attachments, or only images, may be “fingerprinted.”

Note: A file can be removed from the list of recognized fingerprints by deleting it from the ValidFingerprints folder and reloading the configuration.

MailMarshal automatically deletes a fingerprint (and the associated file) if it does not trigger a condition for six months.

Viewing a Message and Message Log

To view a message and its associated processing log (which indicates the reason for its placement in the folder), double-click on it in a Message folder or History view.

The message headers may be examined by clicking the View Message Header icon in the message window toolbar.

Note: Processing logs are only available if copied by the Rule which placed the item in the folder. The message and log text may be truncated. See “User Options” on page 243 to adjust the amount shown.

Interpreting Message Logs

A message log includes information on the structure of the message, and records any Rules which it triggered and the reasons for triggering.

The below figure shows a message which MailMarshal has identified as BA0000000c.0000000c.mml. The message contains a message header (MHDR), two message bodies (Text and HTML) (MBODY), an attached ZIP archive (ZIP), and an executable file (EXE) included within the archive (inclusion is indicated by the indentation of the line in the log).

The message log also indicates which Rules were applied to the message, which if any were triggered, and what action was taken. The log line for a triggered Rule includes the notation “TRUE” and actions taken follow this line. In the example below, the executable triggered the rule “Block EXECUTABLE Files” in the ruleset “Inbound Messages”.

...
1452 15:44:57.576 1 user(s) match rule - Block EXECUTABLE Files
1452 15:44:57.576 Name=U1\B000000001.00000001.mml (MAIL,55320) False
1452 15:44:57.576 Name=U2\MsgHeader.txt (MHDR,602) False
1452 15:44:57.576 Name=U2\Plain (MBODY,14) False
1452 15:44:57.576 Name=U2\Fgrep.zip (ZIP,39657) False
1452 15:44:57.576 Name=U3\fgrep.exe (EXEW32,82944) TRUE Terminal
1452 15:44:57.576 Requesting Action <Inbound Messages:Block EXECUTABLE Files:MailTemplate> be run
1452 15:44:57.746 Requesting Action <Inbound Messages:Block EXECUTABLE Files:LogMessage> be run
1452 15:44:57.746 Requesting Action <Inbound Messages:Block EXECUTABLE Files:MoveMessage> be run
1452 15:44:57.746 Action LogMessage for Component U3\fgrep.exe
1452 15:44:57.756 Action MoveMessage for Component U3\fgrep.exe
...

If a TextCensor script is triggered, the details of the script evaluation are included in the log. In the following excerpt, two expressions in the Generic Chain Letters script were triggered:

...
1452 16:02:24.551 1 user(s) match rule - Block Chain Letters
1452 16:02:24.551 TextCensor triggered:
Script Generic Chain Letters Triggered
Expression: chain letter* Triggered 1 times weighting 5
Expression: send this FOLLOWEDBY=6 (many OR all OR friends OR anyone OR others OR people OR every*) Triggered 1 times weighting 5
1452 16:02:24.551 Name=U1\B000000002.00000001.mml (MAIL,2998) TRUE Terminal
...
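The two excerpts above can be read mechanically to answer "which rule fired, on which component, and what was done". The following Python example is added here and is not part of the guide or of MailMarshal; the entry layout (thread id, time, text) and every pattern are inferred from the excerpts above only, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The guide's two excerpts, one entry per line. Line breaks inside the
# TextCensor entry are an assumption; the parser does not depend on them.
SAMPLE_LOG = r"""
1452 15:44:57.576 1 user(s) match rule - Block EXECUTABLE Files
1452 15:44:57.576 Name=U1\B000000001.00000001.mml (MAIL,55320) False
1452 15:44:57.576 Name=U2\MsgHeader.txt (MHDR,602) False
1452 15:44:57.576 Name=U2\Plain (MBODY,14) False
1452 15:44:57.576 Name=U2\Fgrep.zip (ZIP,39657) False
1452 15:44:57.576 Name=U3\fgrep.exe (EXEW32,82944) TRUE Terminal
1452 15:44:57.576 Requesting Action <Inbound Messages:Block EXECUTABLE Files:MailTemplate> be run
1452 15:44:57.746 Requesting Action <Inbound Messages:Block EXECUTABLE Files:LogMessage> be run
1452 15:44:57.746 Requesting Action <Inbound Messages:Block EXECUTABLE Files:MoveMessage> be run
1452 15:44:57.746 Action LogMessage for Component U3\fgrep.exe
1452 15:44:57.756 Action MoveMessage for Component U3\fgrep.exe
1452 16:02:24.551 1 user(s) match rule - Block Chain Letters
1452 16:02:24.551 TextCensor triggered:
Script Generic Chain Letters Triggered
Expression: chain letter* Triggered 1 times weighting 5
Expression: send this FOLLOWEDBY=6 (many OR all OR friends OR anyone OR others OR people OR every*) Triggered 1 times weighting 5
1452 16:02:24.551 Name=U1\B000000002.00000001.mml (MAIL,2998) TRUE Terminal
"""

# Assumed entry layout, inferred from the excerpts: thread id, time, text.
ENTRY = re.compile(r"^\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
RULE = re.compile(r"^\d+ user\(s\) match rule - (.+)$")
COMPONENT = re.compile(r"^Name=(.+?) \((\w+),(\d+)\) (TRUE|False)( Terminal)?$")
REQUEST = re.compile(r"^Requesting Action <([^:>]+):([^:>]+):([^:>]+)> be run$")
APPLIED = re.compile(r"^Action (\w+) for Component (.+)$")
SCRIPT = re.compile(r"Script (.+?) Triggered")
EXPRESSION = re.compile(r"Expression: (.+?) Triggered (\d+) times weighting (\d+)")


@dataclass
class RuleEvaluation:
    rule: str
    ruleset: Optional[str] = None
    components: List[Tuple[str, str, int, bool]] = field(default_factory=list)
    requested_actions: List[str] = field(default_factory=list)
    applied_actions: List[Tuple[str, str]] = field(default_factory=list)
    textcensor_script: Optional[str] = None
    textcensor_hits: List[Tuple[str, int, int]] = field(default_factory=list)


def join_entries(text: str) -> List[str]:
    """Return entry texts; lines without thread id/time extend the entry above."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = ENTRY.match(line)
        if m:
            entries.append(m.group(1))
        elif entries:
            entries[-1] += " " + line
    return entries


def parse_message_log(text: str) -> List[RuleEvaluation]:
    """Group log entries under the 'match rule' line that precedes them."""
    evaluations: List[RuleEvaluation] = []
    current: Optional[RuleEvaluation] = None
    for entry in join_entries(text):
        m = RULE.match(entry)
        if m:
            current = RuleEvaluation(rule=m.group(1))
            evaluations.append(current)
            continue
        if current is None:
            continue  # nothing to attach to before the first rule line
        if entry.startswith("TextCensor triggered:"):
            s = SCRIPT.search(entry)
            current.textcensor_script = s.group(1) if s else None
            current.textcensor_hits = [(e, int(n), int(w)) for e, n, w in EXPRESSION.findall(entry)]
            continue
        m = COMPONENT.match(entry)
        if m:  # (name, type, size, triggered)
            current.components.append((m.group(1), m.group(2), int(m.group(3)), m.group(4) == "TRUE"))
            continue
        m = REQUEST.match(entry)
        if m and m.group(2) == current.rule:
            current.ruleset = m.group(1)
            current.requested_actions.append(m.group(3))
            continue
        m = APPLIED.match(entry)
        if m:
            current.applied_actions.append((m.group(1), m.group(2)))
    return evaluations


if __name__ == "__main__":
    for ev in parse_message_log(SAMPLE_LOG):
        hits = [c[0] for c in ev.components if c[3]]
        print(ev.ruleset, "/", ev.rule, "triggered by", hits, "actions", ev.requested_actions)
```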

Mail History

Mail History is a record of recent messages processed by MailMarshal. By default no more than 1000 items will be retrieved. This number may be adjusted by choosing Tools > Options from the menu.

This information is derived from the report logging database, so logging must be enabled to view the history.

To view the history, select Mail History in the console tree.

Messages which were successfully sent display a yellow envelope icon and Sent To: information in the Status column.

Messages which passed the Rule processing but could not be sent display an icon with a red “x” and the failure reason in the Status column.

If a message triggers a rule which generates a logging classification, the icon will be blue and the Status column will display the text associated with the classification. In addition, the Class Code column shows the numerical logging classification code.

Double-click any message to view it. Only messages held in the MailMarshal Folders may be viewed.

History Search

Messages in the MailMarshal Message History may be searched by size, header information, or delivery time.

To start a search, select Mail History or History Search Results, then choose Action > Search from the menu.

Note: If an array of MailMarshal servers is configured to log to the same database, the Mail History will include items processed by all servers. However, the Mail Folders include only a single server’s items. To include connections to more than one Server in a single Console, see Chapter 22, “MailMarshal and the MMC.”

The following search criteria may be used in the Search Details dialog. The results are available by double-clicking the History Search Results node in the menu tree. All fields are optional.

• Period: Enter “from” and “to” dates and times (or select them using the date controls and spin boxes). The button provides the pre-configured settings for “yesterday”, “today”, “last hour”, and “last 24 hours”, as well as “Now” which resets the “to” time to the current time.

• Size: Enter a minimum message size (and optionally a maximum size). Choose whether these sizes are expressed in Kilobytes or Megabytes. The default is to search for all messages regardless of size (minimum size of 0).

• Sender: Enter values for the user and domain. To search for all messages from a domain, leave the user field blank. To search for messages from or to an address, check the “or receiver” checkbox.

• Recipient: Enter values for the user and domain as for the sender.

• Subject: Enter a value.

• Delivery time: Enter a minimum value in seconds.

• Classification: Enter a numerical classification code (as defined in the Configurator under Logging Classifications). Enter zero to ignore classification codes.

Wildcard Functions

The Sender, Recipient and Subject fields may be searched using the same wildcard syntax supported in the Configurator for local domains. For a full description of the syntax, see “Wildcards” on page 170.

A menu of available wildcards is available through the button at right of each field. The following functions are available:

Any Character: Match any single character (inserts “?” into query).

Any String: Match any number of characters (inserts “*” into query).

Character in Range: Match any character in the given range (inserts [ ] into query; add a range of characters e.g. a-z).

Character not in range: Match any character not in the given range (inserts [^] into query; add a range of characters e.g. a-z after the ^).

All: show all items without limits.

Starting With: show items starting with the characters entered.

Ending With: show items ending with the characters entered.

Containing: show items containing the characters entered.

Note: It is always possible to search for messages by their MailMarshal Message Name, regardless of the Logging setting. See “Message Folder Actions” on page 236.

Alert History

To view a historical list of service alerts, select Alert History in the menu tree.

User Options

You can adjust several options for convenience in using the Console. To open the Console Options dialog, select Tools > Options from the menu.

The following options can be adjusted:

• Maximum history items to retrieve: This setting affects the number of items shown in the message history and history search screens.

• Maximum folder items to retrieve: This setting affects the number of items shown when viewing any folder.

• Maximum message and log text to retrieve: This setting affects the amount of message text and log text shown when viewing a message in the message window. The message text will be truncated after the number of bytes selected. The log text will be truncated in the middle so that the beginning and end of the log are always shown. The truncation of the log text is indicated by an ellipsis (...) in the text.

• Services screen refresh interval: This setting controls the frequency with which the Console polls the MailMarshal services to update the queued domains and messages sent/received information.

Note: For history and folder items, the number of items actually retrieved is shown in the Console window status bar. You may wish to increase the values if the maximum number of items is being retrieved. Increasing the values may slow the console performance.

News and Support

Select this item to view the Marshal website in the right pane. This site features the latest support information, including a Knowledge Base and a User Forum. To access the full range of resources, customers should log in to the site. Obtain login details, if necessary, by contacting Marshal.

Chapter 21

Troubleshooting

A number of problems may arise when using email systems that can interfere with MailMarshal operation. Therefore, if a problem occurs it may be that MailMarshal is reflecting an external or internal email or network problem.

When analyzing problems, the following resources may be useful.

MailMarshal Console

Check to see that the MailMarshal services are running. The Alert History shows stop and start information for each service. If necessary, restart the services using the Configurator.

Check the Console Services screen to see whether email is being processed. Check the Mail History screen to see whether email has been sent, and any errors that the Sender may have encountered. If there are many “Failed to connect” or “Unable to resolve domain” messages this usually indicates a downstream network, SMTP, or DNS problem.

Note: If the MailMarshal Controller service is stopped, the other services cannot continue and the Console and Configurator will indicate “Failed to Connect”. Restart the MailMarshal Controller using the Windows Control Panel Services applet.

Windows Event Viewer

If there are difficulties when starting any of the MailMarshal services, or there are any pop-up error messages, start the Windows Event Viewer and check the application log.

MailMarshal Working Directories

Check the MailMarshal sub-directories to see where email messages are trapped.

The normal flow of email is as follows: The MailMarshal Receiver accepts SMTP connections for all email (both inbound and outbound). Receiver Rules control the rejection of messages at this point. The Receiver places each accepted message in a file in the Incoming directory. The Engine then retrieves each message file from the Incoming directory, unpacks it and processes it according to the Standard Rules. A message which is not blocked or moved by a Rule is placed into the ProcessedOK directory. The Sender then takes the message file from that directory and places it in the Sending directory for delivery.

Email queued in the Incoming directory indicates a problem with the Engine service: either the Engine has stopped or the rules are incorrectly configured. Email queued in the Sending directory points to a problem with the Sender service.

Note: If MailMarshal Secure is installed and Secure Email Rules are in use, files from the Incoming folder are processed by the MMDecrypt service which places the files in the Decryption folder for the Engine. Messages to be sent are placed in the Encryption folder for processing by MMEncrypt.

MailMarshal Message Names

MailMarshal assigns a name to each message it processes or generates. These names are used as the file names for message files and the associated log files; they are also used to identify the messages in log files.

Message names beginning with “B” are SMTP messages which MailMarshal receives and processes. Notifications generated by the MailMarshal Sender have names beginning with “C”. Notifications generated by the MailMarshal Engine have names beginning with “D”. Notifications generated by the MailMarshal Controller have names beginning with “E”. When an array of MailMarshal servers is configured to log to the same database, the second letter of the message name is the array ID of the server that processed the message.

In addition to MailMarshal’s message names, the SMTP Message ID of each message is retained throughout processing and recorded in the processing logs.
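The conventions in “MailMarshal Working Directories” and “MailMarshal Message Names” can be combined into a quick backlog check that says which service to look at first. This Python example is added here and is not part of the guide or of MailMarshal; it assumes the working directories sit under one base directory supplied by the caller, that message files end in .mml as in the guide's log excerpt, that an alphabetic second character is the array ID, and a 300-second staleness threshold chosen for illustration.

```python
import os
import tempfile
import time
from collections import Counter

# First letter of a message name -> origin, as listed in the guide.
ORIGINS = {
    "B": "received SMTP message",
    "C": "Sender notification",
    "D": "Engine notification",
    "E": "Controller notification",
}


def queue_map(secure=False):
    """Working directory -> service expected to drain it, per the guide's mail flow."""
    if secure:  # MailMarshal Secure installed and Secure Email Rules in use
        return {"Incoming": "MMDecrypt", "Decryption": "Engine",
                "Encryption": "MMEncrypt", "Sending": "Sender"}
    # ProcessedOK -> Sender is inferred from "the Sender then takes the message
    # file from that directory"; the guide itself names only Incoming and Sending.
    return {"Incoming": "Engine", "ProcessedOK": "Sender", "Sending": "Sender"}


def decode_message_name(filename):
    """Return (origin, array_id) for a message file name, or None if it is not one."""
    if len(filename) < 2 or filename[0] not in ORIGINS:
        return None
    # Assumption: a letter in second position is the array ID; a digit means no array.
    array_id = filename[1] if filename[1].isalpha() else None
    return ORIGINS[filename[0]], array_id


def triage(base_dir, secure=False, stale_after=300, now=None):
    """Summarise each working directory and name the service to check if it is backing up."""
    now = time.time() if now is None else now
    report = {}
    for name, service in queue_map(secure).items():
        path = os.path.join(base_dir, name)
        if not os.path.isdir(path):
            report[name] = {"present": False}
            continue
        ages, origins = [], Counter()
        for entry in os.scandir(path):
            if not entry.is_file() or not entry.name.lower().endswith(".mml"):
                continue  # skip associated log files and anything else
            decoded = decode_message_name(entry.name)
            if decoded is None:
                continue
            ages.append(now - entry.stat().st_mtime)
            origins[decoded[0]] += 1
        oldest = max(ages, default=0.0)
        report[name] = {
            "present": True,
            "queued": len(ages),
            "oldest_age": oldest,
            "origins": dict(origins),
            # Files that sit longer than stale_after point at the draining service.
            "suspect_service": service if ages and oldest > stale_after else None,
        }
    return report


if __name__ == "__main__":
    # Constructed directory tree standing in for a MailMarshal install folder.
    base = tempfile.mkdtemp()
    for d in ("Incoming", "ProcessedOK", "Sending"):
        os.mkdir(os.path.join(base, d))
    stuck = os.path.join(base, "Incoming", "BA0000000c.0000000c.mml")
    open(stuck, "w").close()
    old = time.time() - 900
    os.utime(stuck, (old, old))
    for directory, info in triage(base).items():
        print(directory, info)
```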

MailMarshal Log Files

Each MailMarshal service creates its own daily log file. Routine processing and problems encountered are all recorded in these log files. The most recent information is at the end of the log file. The files are found in the MailMarshal Logging Directory. By default the last 5 days of log files are kept.

Running MailMarshal in Debug Mode

MailMarshal services can also be run in debug mode from a command prompt. Using this facility, the user can see the results of the system logging in real time, which is particularly useful for resolving problems, testing new rules, or determining why a service fails to start.

To use this facility, ensure that the service(s) to be debugged are stopped. Then go to the MailMarshal directory and enter one or more of the following:

mmengine -debug

mmreceiver -debug

mmsender -debug

For example, to test the passage of a particular email message, run the Receiver and Engine services in debug mode. Use an email client (such as Outlook Express) to send email and monitor its progress through the Receiver and Engine.

Some Common Issues

Error 2140

This message is a generic Windows error message meaning that one or more of the services were unable to start. The error may be related to invalid TextCensor scripts or other setting problems.

To determine the specific cause of the error, first check the Windows event viewer (application log), or the MailMarshal logs. If necessary start the MailMarshal services in debug mode.

Host Name or Unable to Determine the Domain

The following message may appear in the Event Log: “Unable to determine the domain this machine belongs to. Check the TCP/IP protocol properties for a valid domain name.” Alternatively, a Host Name page may appear in the Configuration Wizard requesting that a Host Name be set.

MailMarshal requires a domain to be specified. This information is used when sending and receiving SMTP email. The Primary DNS suffix of the computer should be set to the email domain name of the MailMarshal Server (e.g. ourcompany.com).

In Windows 2000, this information should be entered as a Primary DNS setting (in the Control Panel under System > Network Identification > Properties > More).

In Windows XP this information is entered in the Control Panel under System Properties > Computer Name > Change > More.

If the Host Name is entered in the Configuration Wizard, it can be edited from the General tab of the Advanced Properties dialog.

Moving MailMarshal to a New Server

When moving the MailMarshal Server to a new computer, the following steps are required:

1. Export the MailMarshal configuration from the old server (using the Advanced tab of Server Properties).

2. Import the configuration to the new server.

3. Copy the file UserGroups.txt, the file filetype.cfg (if present), and the contents of the subdirectory ValidFingerprints from the old MailMarshal install directory to the new one.

4. To continue logging to the existing MailMarshal database, copy the file SequenceFile from the old MailMarshal install directory to the new one. Failure to do this will corrupt the database.

5. Ensure that email routing is adjusted to use the new server (both inbound and outbound).

For additional information on MailMarshal Server and database migration please see Marshal Knowledge Base article Q10409.

DNS Blacklists

MailMarshal can use DNS blacklist based validation in Receiver rules and in Category Scripts (including the user defined portion of the SpamCensor facility).

If MailMarshal is attempting to query a blacklist server that is not responding, processing of the specific message will be delayed until the request times out repeatedly (about 75 seconds). MailMarshal will then place the affected server on a watch list. MailMarshal will not attempt to contact this server again for at least 60 seconds. MailMarshal will continue to process messages without checking against the specific blacklist.

DNS blacklist activity is recorded in two MailMarshal log files: the Receiver log (for Receiver rules) and the Engine log (for Category Scripts). Examples of messages you may see in these logs are:

• DNS Blacklist look up failed. blacklist.example.com could not be contacted

• DNS server is now reachable.

• 192.168.1.2 listed in <Example Blacklist>
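
Because mail continues to be processed without the blacklist check while a blacklist server is unreachable, it is worth knowing how long each gap lasted. The following Python example is added here and is not part of MailMarshal or of this guide: it scans Receiver or Engine log text for the three messages quoted above and reports blacklists that went unchecked. The leading HH:MM:SS timestamp, the sample lines, and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample. The message texts are the ones quoted in this guide;
# the leading HH:MM:SS timestamp is an assumed layout, not the real log format.
SAMPLE_LOG = """\
10:01:12 203.0.113.9 listed in <Example Blacklist>
10:02:40 DNS Blacklist look up failed. blacklist.example.com could not be contacted
10:04:05 DNS Blacklist look up failed. blacklist.example.com could not be contacted
10:09:30 DNS server is now reachable.
10:10:02 192.168.1.2 listed in <Example Blacklist>
16:45:00 DNS Blacklist look up failed. other.example.net could not be contacted
"""

TIME_RE = re.compile(r"\b(\d{2}):(\d{2}):(\d{2})\b")
FAILED_RE = re.compile(r"DNS Blacklist look up failed\.\s+(\S+) could not be contacted")
LISTED_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) listed in <([^>]+)>")
REACHABLE = "DNS server is now reachable"


def _seconds(line):
    """Seconds since midnight from the first HH:MM:SS on the line, or None."""
    m = TIME_RE.search(line)
    return None if m is None else int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])


def summarize_dnsbl(log_text):
    """Count lookup failures and listings, and pair failures with recoveries."""
    failures, listings = Counter(), Counter()
    open_since = {}  # blacklist host -> time of the first failure of this outage
    outages = []     # (host, start_seconds, end_seconds or None if still open)
    for line in log_text.splitlines():
        t = _seconds(line)
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            open_since.setdefault(m.group(1), t)
        elif REACHABLE in line:
            # The recovery message names no server, so it is assumed to end
            # every outage that is currently open.
            outages.extend((host, start, t) for host, start in open_since.items())
            open_since.clear()
        else:
            m = LISTED_RE.search(line)
            if m:
                listings[m.group(2)] += 1
    outages.extend((host, start, None) for host, start in open_since.items())
    return {"failures": dict(failures), "listings": dict(listings), "outages": outages}


def unchecked_alerts(summary, max_gap_seconds=300):
    """Describe outages that are still open or lasted longer than the threshold."""
    alerts = []
    for host, start, end in summary["outages"]:
        if end is None:
            alerts.append(f"{host}: lookups failing, no recovery logged")
        elif start is not None and end - start > max_gap_seconds:
            alerts.append(f"{host}: unchecked for {end - start} s")
    return alerts


if __name__ == "__main__":
    for alert in unchecked_alerts(summarize_dnsbl(SAMPLE_LOG)):
        print(alert)
```

Each MailMarshal service writes one log file per day, so the example treats timestamps as seconds since midnight and does not handle an outage that spans two files.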

Reports Issues

These errors are most likely to occur where the default “sa” SQL authentication is not being used.

Unable to determine if [Name] is a valid MailMarshal database

This error indicates that the “GetVersion” stored procedure could not be run or returned an unexpected result. Generally this means that the database is not a MailMarshal database.

This error may also occur if the user has no execution rights for GetVersion. To resolve this issue, connect to the database (from MailMarshal Reports) as a user with administrative rights. Once an administrator has used the reports database, all users are automatically granted the right to execute GetVersion.

Note: A remote DNS blacklist server may fail to respond due to transient network conditions, because it is out of service, or in some cases because you do not have a subscription.

SQL script could not be loaded

This error indicates that the user does not have sufficient rights to initialize the stored procedures in the database. If this occurs, connect to the database (from MailMarshal Reports) as a user with administrative rights. Select Tools > Load SQL Scripts. The result should be “SQL scripts successfully loaded.”

SQL scripts failed to load. View errors?

Click Yes to see the Load Errors dialog (also available by right-clicking on the MailMarshal Reports root in the left pane of the MMC). This dialog provides the detailed error message. Most errors will be related to database permissions.

Further Help

For any problems not listed here, please see the Knowledge Base and Forum on the Marshal website. If these resources do not resolve the issue, please contact your Marshal Distributor or Marshal’s support desk.

Web: http://www.marshal.com/support

Email: [email protected]

Chapter 22

MailMarshal and the MMC

The MailMarshal Configurator and Console are implemented as snap-ins to the Microsoft Management Console (MMC). Users of other MMC applications (such as WebMarshal Console and Microsoft SQL Server) will be familiar with this interface.

By default, the MMC features a tool bar, a menu, and two main panes. The left pane contains a menu tree, while detailed information appears in the right pane.

• To expand an element (branch) of the menu tree, click on the associated + symbol. This will show the elements contained within this branch.

• To select an item in either pane, click on it to highlight it.

• Selecting an item in the left pane will display the associated detail information in the right pane.

• To collapse an expanded menu element, click on the associated - symbol.

• If the left pane is not visible, click the Show/Hide Console Tree icon in the toolbar. It should appear “pushed in.”

Note: The tool bar and menu bar of MMC are context dependent. The available icons and choices depend on which item is selected in the main panes. If an icon referred to is not visible, ensure that the appropriate item is selected. For instance, the arrow icons, which allow rules to be moved up or down in order of evaluation, are only visible when a rule is selected in the right pane.

While this Guide usually refers to choices from the tool bar, in many cases the MMC also provides equivalent choices from pop-up context menus, which are made available by right-clicking on the selected item.

Configurator and Console in the Same MMC

Where more than one MMC snap-in (such as the MailMarshal Configurator, MailMarshal Console, and WebMarshal Console) is to be used from the same machine, a new MMC Console can be created which contains all the required snap-ins.

To create a custom MMC Console, run mmc.exe from a command prompt. Choose File > Add/Remove Snap-in from the main menu. In the Add/Remove Snap-in dialog, click Add to see a list of available snap-ins. Double-click each desired snap-in to add it to the list. When done, click Close, then OK.

To save the custom Console, choose File > Save from the main menu. Select a location for the .msc file.

Double-click this file to run the custom console.

Multiple Console Snap-ins in the Same MMC

If an array of MailMarshal servers is in use, it may be useful to include multiple Console snap-ins in the same MMC.

A new MMC Console can be created which contains more than one instance of the MailMarshal Console snap-in. This will allow access to the Mail Folders, queued domains, and service information for each server.

Note: Only one instance of the MailMarshal Configurator may be active per MailMarshal Server. Attempting to start a second Configurator results in the notice “MailMarshal settings are locked.”

Create a custom MMC Console as above. Add as many instances of the MailMarshal Console as there are MailMarshal servers.

For each MailMarshal Console, a Connect to Server dialog will be presented. Enter the appropriate details for the various servers.

Note: Enter the server names explicitly (rather than “localhost”) to make this custom file usable from any server which has the MailMarshal Console installed.

Appendix A

Other Email Servers

Typically MailMarshal receives inbound email, processes it, then relays it to the organization’s internal email server as specified in the Local Domains list. Outbound email is passed from the internal email server to MailMarshal for processing and external delivery. See Chapter 2, “Pre-Installation” and Chapter 3, “Installation.”

Once MailMarshal has been installed, the internal email server software must be configured to send outgoing email to MailMarshal for processing and delivery.

Where MailMarshal is installed on the same computer as the existing email server software, the two applications must use different “ports” to receive email. In this case, the following steps are typically necessary:

• As the MailMarshal receiver is now accepting SMTP traffic on port 25, change the SMTP port that the other email server uses for SMTP (port 97 is usually available, although any free TCP port will do).

• Configure the other email server software to forward all Internet email to the local machine (use the “localhost” IP address 127.0.0.1, port 25).

• Check that MailMarshal is configured, via its Local Domains information, to forward all inbound email to the local machine on the alternative port (again, use the localhost IP address and port, e.g. 127.0.0.1:97).

Specific details for configuring Microsoft Exchange 5.5, Lotus Notes 4, and Lotus Domino R5 are given below. For more detailed information, and to configure other email server software, please refer to the product documentation for the other software. The Marshal Knowledge Base also contains some additional setup information.

Configuring Microsoft Exchange 5.5

Exchange 5.5 and MailMarshal on Separate Machines

On the Microsoft Exchange Server, run Microsoft Exchange Administrator. Under the Configuration container, select Connections, then select Internet Mail Service.

Note: The following integration examples assume SMTP connectivity has been set up and is running properly. All that is required here is the introduction of MailMarshal to an already operating environment.

Under the Connections tab, change the Message Delivery option from DNS to Forward all messages to host, and enter the MailMarshal server IP address, e.g. “10.1.1.1”. This will ensure that outgoing messages are passed to the MailMarshal machine. Click OK.

Stop and start the Microsoft Exchange Internet Mail Service from the Services Control Panel applet.

Exchange 5.5 and MailMarshal on the Same Machine

On the Microsoft Exchange Server, run the Microsoft Exchange Administrator. Under Configuration, select Connections, then select Internet Mail Service.

Under the Connections tab, change the Message Delivery option from DNS to Forward all messages to host, and enter “127.0.0.1” to identify the local machine. This will ensure that outgoing messages are passed to MailMarshal on the same machine as Microsoft Exchange Server.

Because MailMarshal is installed on the same machine, Microsoft Exchange must be configured to listen for SMTP traffic on a different port to the SMTP default of 25.

Microsoft Exchange uses the Windows NT services file to determine which port to listen on for inbound SMTP messages. It is necessary to edit the services file to change the default SMTP port for Microsoft Exchange to a new value, for example 97.

The Windows NT services file is located in the folder

%systemroot%\system32\drivers\etc (where %systemroot% is usually C:\WINNT)

In this folder, edit the file named Services using Notepad. Add an explanation and the new port details.

Locate the text

smtp 25/tcp mail

Comment out the line by prefixing it with the “#” character, and add the new material:

# smtp 25/tcp mail
# Change default smtp port to 97 to allow both Microsoft
# Exchange and MailMarshal to exist on same machine
smtp 97/tcp mail

Save the Services file and close Notepad. Stop and start the Microsoft Exchange Internet Mail Service from the Services Control Panel applet.

Note: This example uses port 97, but any available port number may be chosen as long as it does not conflict with any other service on the same machine.
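
A way to check the edited file before restarting the Internet Mail Service, given as an added Python example that is not part of this guide or of MailMarshal: it parses services-file text, confirms the active smtp entry has moved off port 25 to the chosen port, and flags any other service name already assigned that port. The neighbouring entries, the legacy-app name, and the function names are constructed for illustration.

```python
import re

# Entry layout: <service name>  <port>/<protocol>  [aliases...]  [# comment]
ENTRY_RE = re.compile(r"^\s*([^\s#]+)\s+(\d+)/(\w+)([^#]*)")

# Constructed sample: the edit shown above, surrounded by made-up neighbours.
EDITED = """\
ftp        21/tcp
# smtp     25/tcp    mail
# Change default smtp port to 97 to allow both Microsoft
# Exchange and MailMarshal to exist on same machine
smtp       97/tcp    mail
pop3      110/tcp    postoffice
"""
UNEDITED = "ftp        21/tcp\nsmtp       25/tcp    mail\n"
# 'legacy-app' is a hypothetical service that already claims the new port.
CONFLICT = EDITED + "legacy-app 97/tcp   # constructed entry\n"


def parse_services(text):
    """Return the active (not commented out) entries of a services file."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # blank line, comment line, or not a service entry
        name, port, proto, aliases = m.groups()
        entries.append({"line": lineno, "name": name.lower(), "port": int(port),
                        "proto": proto.lower(), "aliases": aliases.lower().split()})
    return entries


def check_smtp_move(text, new_port, marshal_port=25):
    """List problems with moving the smtp entry to new_port; empty means OK."""
    findings = []
    tcp = [e for e in parse_services(text) if e["proto"] == "tcp"]
    smtp = [e for e in tcp if e["name"] == "smtp"]
    if not smtp:
        findings.append("no active smtp/tcp entry")
    if len(smtp) > 1:
        lines = ", ".join(str(e["line"]) for e in smtp)
        findings.append(f"more than one active smtp/tcp entry (lines {lines})")
    for e in smtp:
        if e["port"] == marshal_port:
            findings.append(f"line {e['line']}: smtp still on port {marshal_port}, "
                            "which the MailMarshal Receiver needs")
        elif e["port"] != new_port:
            findings.append(f"line {e['line']}: smtp is on port {e['port']}, "
                            f"expected {new_port}")
    for e in tcp:
        if e["name"] != "smtp" and e["port"] == new_port:
            findings.append(f"line {e['line']}: port {new_port}/tcp is also "
                            f"assigned to '{e['name']}'")
    return findings


if __name__ == "__main__":
    for label, text in (("edited", EDITED), ("unedited", UNEDITED), ("conflict", CONFLICT)):
        print(label, check_smtp_move(text, 97) or "OK")
```

The check reads only the file contents; it does not test which processes are actually listening on either port.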

Configuring Lotus Notes 4

Lotus Notes 4 and MailMarshal on Separate Machines

On the Lotus Notes Server, shut down SMTPMTA from the Notes console. Open the Public Address Book. Expand the Server section, and select the Connections view. Open the Internet Hosts Document.

Change the Relay host field to the IP address of the MailMarshal machine, e.g. “192.168.2.218”. This will ensure that outgoing messages are passed to the MailMarshal machine.

Restart the SMTPMTA.

Lotus Notes 4 and MailMarshal on the Same Machine

On the Lotus Notes Server, shut down SMTPMTA from the Notes console. Open the Public Address Book, expand the Server section, and select the Connections view. Open the Internet Hosts Document.

Change the Relay Host field to “127.0.0.1” to identify the local machine. This will ensure that outgoing messages are passed to MailMarshal on the same machine as Lotus Notes.

Because MailMarshal is installed on the same machine as Lotus Notes, the SMTP component must be configured to listen on a different port to the SMTP default of 25.

Lotus Notes uses the Notes.INI file to determine which port to listen to for inbound SMTP messages. The file must be edited to change the default SMTP port for Lotus Notes, e.g. “97”.

The Notes.INI file is located in the WINNT folder (e.g. C:\Winnt).

Using Notepad, edit the Notes.INI file and add the following item at the end of the file.

SMTPMTA_IPPORT=

Then specify the port number on which MailMarshal was configured and to which internal email is to be forwarded, e.g.

; Changed default smtp port to 97 to allow both
; Lotus Notes and MailMarshal to exist on same
; machine
SMTPMTA_IPPORT=97

Restart the SMTPMTA.

Configuring Lotus Domino R5

All changes must be made through Domino Server Administrator, and not by editing files or using the Notes Client.

Lotus Domino R5 and MailMarshal on Separate Machines

Configure Domino to forward outgoing SMTP traffic to MailMarshal

1. Select the Domino Server for which the mail relay setting must be changed.

2. Click on the Configuration Tab.

3. Select Messaging, Messaging Settings.

4. On the Basics Tab find the entry for Relay hosts leaving the local Internet Domain; enter the IP address of the MailMarshal server, e.g. 10.2.1.7.

From the server console or a remote session from the Domino Administrator, type the following:

>Tell SMTP quit

Once the message that the SMTP service has stopped has appeared on screen, type the following:

>load SMTP

The new settings should now be active. The SMTP listening ports can be checked by typing

>sh tasks

Lotus Domino R5 and MailMarshal on the Same Machine

Change the SMTP Inbound port from port 25 to port 97

As MailMarshal will take over the role of listening for SMTP traffic on port 25, the port that Domino listens on must be changed. You can use any unused port (Port 97 is usually free).

1. Select the Domino Server for which the SMTP listening port must be changed.

2. Click on the Configuration Tab.

3. Select Server, Current Server Document.

4. Click on the Ports Tab, then Internet Ports Tab, then Mail Tab.

5. Change the Mail SMTP Inbound setting from 25 to 97.

Configure Domino to forward outgoing SMTP traffic to MailMarshal

1. Select the Domino Server for which the mail relay setting must be changed.

2. Click on the Configuration Tab.

3. Select Messaging, Messaging Settings.

4. On the Basics Tab find the entry for Relay hosts leaving the local Internet Domain; enter 127.0.0.1.

From the server console or a remote session from the Domino Administrator, type the following:

>Tell SMTP quit

Once the message that the SMTP service has stopped has appeared on screen, type the following:

>load SMTP

The new settings should now be active. The SMTP listening ports can be checked by typing

>sh tasks
