Implementing MDaemon as an Email Security Gateway to ... · SecurityPlus is an integral tool in...

PHONE: (519) 633-9551 EMAIL: [email protected] WEB SITE: www.ccsoftware.ca

Implementing MDaemon as an Email Security Gateway to Exchange Server

Introduction MDaemon is widely deployed as a very effective antispam/antivirus gateway to Exchange. For optimum performance, we recommend that MDaemon be installed on a separate physical machine. This document details the steps required to install and configure MDaemon for use as an email security gateway. NOTE: These instructions assume that Exchange users are utilizing either Outlook Web Access (OWA) or an Exchange profile (not Internet Mail) in Outlook to connect to the Exchange server.

Technical Overview To implement MDaemon as an email security gateway, we need to force all inbound SMTP traffic through MDaemon so that messages can be scanned for viruses, filtered for spam, and subjected to content filter rules. To accomplish this, port 25 in the router/firewall needs to be reconfigured to pass inbound traffic to MDaemon instead of to Exchange. Inbound messages (from non-local to local domains) are received by MDaemon, scanned and filtered, then passed over to Exchange for processing. Internal messages (from local accounts to local accounts) are processed entirely by Exchange. Outbound messages (from local to non-local domains) are normally left to Exchange to deliver. However, there are scenarios where for archival, logging, or security considerations, administrators would like Exchange to route outbound email through MDaemon as well. If this is the case, after completing the steps in this setup document, also make the changes outlined in Appendix A – Configuration for Outbound Delivery Through MDaemon.

Licensing Considerations MDaemon is licensed according to the number of email accounts and/or gateways that you need to configure. When acting as a gateway, you need one user license for the gateway domain itself. As no actual user mailboxes need to be configured in MDaemon, the smallest MDaemon license size (6 User) is all that is required. The Standard version of MDaemon does not include the antispam component, therefore MDaemon Pro is required.


An integral component of the MDaemon email security solution is the SecurityPlus plugin. SecurityPlus provides the antivirus scanning engine, as well as an extra layer of “real-time” protection from new outbreaks of spam and viruses. The licensing for the SecurityPlus Plugin requires that a user license be purchased for each mail account that is being protected, meaning that you need a license size large enough to cover the number of Exchange mailboxes. For example, to license an MDaemon email security gateway to protect a 25 user Exchange server, you would require a 6 User MDaemon Pro and a 25 User SecurityPlus license. For pricing information, please visit our web site at www.ccsoftware.ca


MDaemon Installation The current version of MDaemon can always be downloaded from on our web site at www.ccsoftware.ca (follow the link to Products, then MDaemon | Download). When you launch the MDaemon installation, after accepting the License Agreement and selecting the installation folder, you are prompted for Registration Information. What you enter in the “License name” and “Company or Distributor” fields is entirely up to you. If you have already purchased MDaemon, enter your license key in the field provided. Leave this field blank if you have not yet purchased an MDaemon license, and the installer will automatically generate a trial license to allow you to fully evaluate MDaemon with no restrictions for 30 days. After the installer has copied the necessary files, you will be prompted to enter a domain name. It is very important that you enter anything EXCEPT the “real” email domain name for the messages that MDaemon will be processing. For example, if the Exchange server is hosting mail for mycompany.com, you would want to set MDaemon’s domain name to something different, such as mycompany.mail (this should not be a real domain). You will be prompted to set up a first account, go ahead and do so. This account will be the “postmaster” account, to which MDaemon will send certain notification and error messages. You are “making up” the information you enter here, it does not need to match an existing Exchange user account. We will configure this account to forward messages to an Exchange administrator later in the configuration process. Next you will be prompted to configure DNS. In most cases, the default “Use Windows DNS settings” is acceptable. You would only want to change this if you know that the DNS server(s) specified in Windows cannot resolve external domains. If that is the case, uncheck the “Use Windows DNS settings” and enter in your ISP’s primary and secondary DNS servers. You are then prompted for which “mode” to run MDaemon in. Select “Run MDaemon in Advanced mode”. The last step in the installation is to configure MDaemon to run as a service. When running as a service MDaemon will start automatically at system restart, this is normally recommended.


MDaemon Configuration

Create & Configure the Gateway Under the Gateways menu, select New Gateway Gateway Tab

• in the Domain Name Field, enter the Internet domain name for the Exchange users mail that will be passing through the server (ie. mycompany.com)

Forwarding Tab

• click the “Forward mail to this domain” box and enter the Exchange server’s internal LAN IP address

• check the box for “Don’t send forwarded mail to smart host on errors”. Options Tab

• verify that the “Enable Antivirus” and “Enable Antispam” boxes are checked The above settings are all that are required for a basic gateway configuration. MDaemon will accept all mail for the domain you specify, filter the messages for viruses and spam, then pass them over to the Exchange server for delivery to a local account. It is recommended that you go a step further than this by configuring MDaemon to verify that the recipient addresses on incoming messages are valid before accepting the message. This ensures that mail addressed to non-existent accounts is rejected, and therefore does not have to be processed by either MDaemon or Exchange. If you would like to set up Active Directory verification, please refer to the steps outlined in Appendix B – Verifying Addresses by Querying Active Directory.


Configure Anti-Spam While achieving the absolute optimum spam-filtering results may require some occasional tweaking by the administrator, the following instructions will provide you with a good starting point. You are encouraged to learn more about each spam component so that you can customize these generalized settings to your particular environment. Under the Security menu, select Spam Filter. Spam Filtering Tab

• On this tab you have three choices for how you want spam dealt with:

1. Just delete the message completely – with this option selected, any message that MDaemon determines to be spam will simply be deleted. No notification will be sent to either the sender or recipient.

2. Put the message in the spam trap public folder – with this option selected, all spam will be moved into MDaemon’s Spam Trap. This spam trap can be accessed using several methods, the most convenient being WebAdmin, the built-in web-based administration tool for MDaemon. For more information on managing the spam trap


through WebAdmin, please refer to Appendix C – Using WebAdmin to Manage the Spam Trap.

3. Flag the message but let it continue down the delivery path – with this option selected, MDaemon will “mark” spam by putting a note in the subject, then go ahead and deliver it to Exchange. It is possible to reroute all spam-marked messages to a single mailbox on the Exchange server, if you would like to do this please refer to Appendix D – Routing all Spam to a Single Exchange Mailbox.

• Increase the setting for “Don’t filter messages larger than” to 350 KB. What we are

setting here is the maximum size of a message that the spam filter will examine. We do not want to pass large messages with attachments through the filter as these are rarely spam and would be a waste of resources, but we need this setting to be large enough to include messages which may be spam.


Heuristics Tab • Ensure that the “Enable Heuristic message scoring system” box is checked. The default

score for spam is set to 5.0, we recommend lowering this slightly to 4.8. This will catch more spam without resulting in increased false positives. The second number on this screen, “SMTP rejects messages.....”, is a way to minimize the amount of obvious spam that is either being placed in the Spam Trap, or flagged and sent to Exchange. MDaemon’s spam filter performs two scans on each incoming message. The first “preliminary” scan is done during the SMTP session as a message is arriving. The second “full” scan is done after the message has been accepted. A setting of 12 here means that if a message receives more than 12 points during the preliminary, MDaemon will simply refuse to accept it. If the message receives less than 12 points, it will be accepted and processed as usual by the spam filter. At that point, if the message receives more points that your spam score (i.e. 4.8), then it will be dealt with according to your “how to deal with spam” setting.

• If you have elected to flag spam, you may want to modify the Subject tag field to something shorter that will make the original subject of the email message easier to read in the email client software (i.e. **SPAM**).


Step 3: Forward System Messages to Exchange Admin During the installation, you had created one MDaemon account. This account is aliased to “postmaster”, and this is where MDaemon will send system messages such as AV and Spam Filter update notifications, license renewal notices, etc. Because no one is normally monitoring this account, we want these system messages forwarded to an Exchange user account. To forward the Postmaster mail to an Exchange account, follow these steps:

• under the Accounts menu select Account Manager • double-click on the account you created to open the Account Editor screen • click on the Forwarding tab • check the box for “This account is currently forwarding mail” and enter a valid

Exchange email address • uncheck the box for “Retain a local copy of forwarded mail” • OK out to save your changes

Step 4: SecurityPlus Installation & Setup SecurityPlus is an integral tool in MDaemon’s antispam arsenal, and it is highly recommended that this component be implemented. The current version of SecurityPlus can always be downloaded from our web site at www.ccsoftware.ca. To install, simply launch the installation program and follow the prompts. The installer will shut down MDaemon and restart it once the installation is complete.


Step 5: Configure Updater and Delivery Schedules Under the Setup menu, select Event Scheduling. Send & Collect Mail Tab

• uncheck the box “Send mail at this interval”, and check the boxes for “Send mail immediately after getting queued” and “including mail stored for gateway domains”.

Antivirus Updates Tab

• in the Antivirus Updates section, configure this to “Wait 240 minutes after the last antivirus update before conducting another one.”

Antispam Updates Tab

• check the box to “Activate spam filter updates”


Step 6: Going Live Once you have everything configured, you can now make the router changes necessary to bring MDaemon on-line. Currently, port 25 on your router/firewall will be configured to pass inbound traffic to the Exchange server. You want to change this so that inbound SMTP traffic is passed to the MDaemon server’s internal IP address. The setup is now complete, congratulations! MDaemon will begin accepting inbound messages, processing them according to your spam filter and antivirus settings, then passing them over to Exchange for delivery to local mailboxes.


APPENDIX A – Configuration for Outbound Email Through MDaemon Exchange Configuration If you would like Exchange to send all outbound email through MDaemon, you must configure the Exchange SMTP Connector to use a Smart Host in place of DNS for external mail delivery. Exchange 2000/2003 If you have no SMTP connector, in the Exchange System Manager select "Servers" | [Your Server] | Protocols | SMTP. Select "Default SMTP Virtual Server" and choose Properties. In this dialog select the Delivery tab, then Advanced. Enter the MDaemon server’s internal IP address in the Smart host field. You must restart Exchange for this change to take effect. If you have an SMTP connector, in the Exchange System Manager select “Connectors” | [Your SMTP Connector] | Properties. On the General tab select “Forward all mail through this connector to the following smart hosts” and enter the MDaemon server’s internal IP address. You must restart Exchange for this change to take effect. Exchange 5.5 In the Exchange Administrator, select the IMS (Internet Mail Service) and click on the Connections tab. Enable “Forward all messages to host” and enter the MDaemon server’s internal IP address as the host address. You must restart the IMS for this change to take effect. MDaemon Configuration [1] Under the Setup menu select Primary Domain.

Domain Tab • ensure that the entry in the "FQDN for this server" is a valid domain that will

correctly resolve to the public IP of the mail server. Normally the FQDN matches the MX record (i.e. mail.mycompany.com).

• check the box for “Always use the above FQDN value in SMTP 220 greeting” Delivery Tab

• select the first option - "Always send all outbound email directly to the recipient's mail server"

DNS Tab

• in the "A and MX record processing" section you will see 5 checkboxes, check all of them except the last one


[2] Under the Gateways menu select Edit Gateway. Select your Gateway and click OK.

Options Tab • uncheck the box for "Authentication is required when sending mail as a user of

this gateway" [3] Under the Security menu, select IP Shielding/Auth/POP Before SMTP

IP Shield Tab • enter the Internet mail domain for the gateway in the Domain field (ie.

mycompany.com), enter the Exchange server’s internal IP in the IP Address field, then click Add (this is ensuring that MDaemon will only send mail out on behalf of gateway users if the message is coming from the Exchange server)

[4] Under the Security menu, select Relay/Trusts...

Relay Settings Tab • check the boxes in the top "Mail relaying" section for "unless sent from a trusted

host or IP" and "unless sent from a gateway user" Trusts Tab

• enter the Exchange server's IP as a new Trusted IP [5] Under the Security menu, select Spam Filter

Spam Filtering Tab • ensure that the 2 boxes in the middle are checked - "Don't filter messages sent

from local sources" and "Don't filter messages from trusted or authenticated sources"


APPENDIX B – Verifying Addresses by Querying Active Directory To ensure that only mail for valid Exchange users is accepted by MDaemon, it is possible to configure MDaemon to perform an LDAP query of the Active Directory to test the validity of recipient email addresses. If the LDAP query reports that the incoming email address is valid, then the message is processed by MDaemon and delivered to Exchange. If the LDAP query reports that the incoming email address does not exist in the Active Directory, MDaemon returns a “550 <e-mail address>, Recipient unknown” error and the SMTP session is ended. Legitimate senders will receive notification from their own mail servers that the message was not delivered. From the main MDaemon window, click on the Gateways menu and select Edit Gateway. Double-click on the Gateway that you want to set up address verification for, then click the LDAP Verify tab.


On this tab, we are configuring the location of the LDAP server to query (in this case, the Active Directory), supplying credentials and parameters specifying where in the AD to search (Base and Bind DN’s), and what to search for (Search filter). NOTE: The following settings work for the vast majority of configurations. If you have multiple Active Directory domains, or a configuration that these settings don’t seem to address, please email us at [email protected], we’ll be happy to help. Click the Verify accounts using an LDAP server checkbox, then complete the fields on this tab as follows:

Host name or IP: enter the IP address of the server that holds the Active Directory (in most instances, this will be the Exchange server) Port: enter 389 (unless the Active Directory Service is running on a different port) Base entry DN: This entry is constructed using domain information displayed in the Active Directory Users and Computers window. If your AD domain is “mycompany.local”, then the Base entry DN would be: DC=mycompany, dc=local If your AD domain is “mycompany.com”, then the Base entry DN would be: DC=mycompany, dc=com If your domain does not have an extension (i.e. It is only “mycompany”), then your Base entry DN would be: DC=mycompany Bind DN: Here we supply the account name portion of the credentials that we will pass to the AD when we request the search, a context for the search, and the domain information. For example, if you are using the Windows Administrator account to authenticate, and your Base entry DN is :”DC=mycompany, dc=local”, then your Bind DN would be: cn=Administrator, cn=users, DC=mycompany, dc=local The “cn=users” portion always remains the same, so the syntax is: cn=account_for_verification, cn=users, <the base DN> Bind Password: for the LDAP query to be successful, you need to supply the credentials of an account that has Administrator level access to the Active Directory. Enter here the password for the admin-level account that you specified in the Bind DN. Search Filter: In most cases, the following search filter works perfectly. It will pick up email addresses, aliases and mail-enabled public folders: (&(objectclass=Top)(|(mail=$EMAIL$)(mail=SMTP:$EMAIL$)(ProxyAddresses=SMTP:$EMAIL$)))


Test the LDAP Connection Once you have completed the required fields on the LDAP Verification tab, you can test the connection by clicking the Test button. If the information has been entered correctly, a window similar to the following will be displayed:

Don’t concern yourself with the “* is not a valid account”, the important thing to look for is the “Looks like it’s working”. If you are not able to get a “looks like it’s working” successful test, review your settings. If your settings appear to match the examples above but the lookup continues to fail, it could be that your Active Directory setup is more complex than normal and different Base and Bind DN’s need to be configured. If that is the case, contact our support team at [email protected] and we’ll be glad to help. Watching the Verification in Action As mail arrives for the Gateway, you will be able to see the results of the LDAP lookup in the inbound SMTP session as in the following example: Thu 2007-01-18 13:36:07: ---------- Thu 2007-01-18 13:36:41: Session 15; child 1; thread 932 Thu 2007-01-18 13:36:38: Accepting SMTP connection from [205.145.8.25 : 3880] Thu 2007-01-18 13:36:38: --> 220 mail.mycompany.com ESMTP MDaemon 9.5.4; Thu, 18 Jan 2007 13:36:38 -0500 Thu 2007-01-18 13:36:38: <-- EHLO mdbathlon Thu 2007-01-18 13:36:38: --> 250-mail.mycompany.com Hello mdbathlon, pleased to meet you Thu 2007-01-18 13:36:38: --> 250-ETRN Thu 2007-01-18 13:36:38: --> 250-AUTH=LOGIN Thu 2007-01-18 13:36:38: --> 250-AUTH LOGIN CRAM-MD5 Thu 2007-01-18 13:36:38: --> 250-8BITMIME Thu 2007-01-18 13:36:38: --> 250 SIZE 0 Thu 2007-01-18 13:36:38: <-- MAIL FROM: <[email protected]> Thu 2007-01-18 13:36:38: --> 250 <[email protected]>, Sender ok Thu 2007-01-18 13:36:38: <-- RCPT TO: <[email protected]> Thu 2007-01-18 13:36:38: LDAP lookup - 192.168.1.10:389 - mail, proxyAddresses:[email protected] Thu 2007-01-18 13:36:38: LDAP server says [email protected] is not a valid account Thu 2007-01-18 13:36:38: --> 550 <[email protected]>, Recipient unknown Thu 2007-01-18 13:36:41: <-- QUIT


Thu 2007-01-18 13:36:41: --> 221 See ya in cyberspace Thu 2007-01-18 13:36:41: SMTP session successful (Bytes in/out: 91/351) Thu 2007-01-18 13:36:41: ---------- The bolded sections above show the LDAP lookup taking place. In this case, the Active Directory responds that the recipient address is invalid. MDaemon then returns a 550 error and the session is ended. Following is another example showing a message arriving that is addressed to a valid recipient: Thu 2007-01-18 13:36:41: ---------- Thu 2007-01-18 13:38:25: Session 16; child 1; thread 960 Thu 2007-01-18 13:38:19: Accepting SMTP connection from [205.145.8.25 : 3904] Thu 2007-01-18 13:38:19: --> 220 mail.mycompany.com ESMTP MDaemon 9.5.4; Thu, 18 Jan 2007 13:38:19 -0500 Thu 2007-01-18 13:38:19: <-- EHLO mdbathlon Thu 2007-01-18 13:38:19: --> 250-mail.mycompany.com Hello mdbathlon, pleased to meet you Thu 2007-01-18 13:38:19: --> 250-ETRN Thu 2007-01-18 13:38:19: --> 250-AUTH=LOGIN Thu 2007-01-18 13:38:19: --> 250-AUTH LOGIN CRAM-MD5 Thu 2007-01-18 13:38:19: --> 250-8BITMIME Thu 2007-01-18 13:38:19: --> 250 SIZE 0 Thu 2007-01-18 13:38:19: <-- MAIL FROM: <[email protected]> Thu 2007-01-18 13:38:19: --> 250 <[email protected]>, Sender ok Thu 2007-01-18 13:38:19: <-- RCPT TO: <[email protected]> Thu 2007-01-18 13:38:19: LDAP lookup - 192.168.1.1:389 - mail, proxyAddresses:[email protected] Thu 2007-01-18 13:38:19: LDAP server says [email protected] is a valid account Thu 2007-01-18 13:38:19: --> 250 <[email protected]>, Recipient ok Thu 2007-01-18 13:38:22: <-- DATA Thu 2007-01-18 13:38:22: Creating temp file (SMTP): c:\mdaemon\temp\md50000000003.tmp Thu 2007-01-18 13:38:22: --> 354 Enter mail, end with <CRLF>.<CRLF> Thu 2007-01-18 13:38:22: Message creation successful: c:\mdaemon\inbound\md50000000004.msg Thu 2007-01-18 13:38:22: --> 250 Ok, message saved <Message-ID: > Thu 2007-01-18 13:38:25: <-- QUIT Thu 2007-01-18 13:38:25: --> 221 See ya in cyberspace Thu 2007-01-18 13:38:25: SMTP session successful (Bytes in/out: 4296/430) Thu 2007-01-18 13:38:25: ---------- TIP: One thing to keep in mind during testing is that MDaemon keeps a cache of LDAP lookup results. This cache is held in the \mdaemon\app\ldapcache.dat file. If you test and find that your search filter is not working, after making changes to your settings you will need to delete the ldapcache.dat file and restart MDaemon before retesting. If you do not, then MDaemon will simply look in the cache, see that it had already rejected that address, and will not attempt to perform another lookup.


APPENDIX C – Using WebAdmin to Manage the Spam Trap If you have configured MDaemon’s spam filter to place messages marked as spam into the public Spam Trap folder, you need some method to manage the contents of this folder. There are a number of ways that the administrator can access and manage spam that has been filtered into MDaemon’s Spam Trap folder. These include using an IMAP client (i.e. Outlook or Outlook Express), from the MDaemon interface itself, or using a browser and accessing WebAdmin (our recommended method). WebAdmin is a built-in browser-based administration tool for MDaemon. In addition to allowing you to access most of MDaemon’s settings remotely, WebAdmin is an excellent tool for managing MDaemon’s Spam Trap. WebAdmin is accessed using a web browser by entering http://your_server_ip:1000. For example, if the IP address of your MDaemon machine is 192.168.0.1, you would access WebAdmin from the internal network using this URL: http://192.168.0.1:1000 Log into WebAdmin using the credentials for the ‘postmaster’ user that you had created during the MDaemon install. Once logged in, the Spam Trap management page can be accessed by selecting Security - Spam Trap Folder as shown here:

This screen will show you all of the messages that MDaemon has determined to be spam and placed into the Spam Trap. If you see any legitimate messages that should not be marked as spam, simply highlight the message and click the ‘Release + Copy to non spam folder’ button as shown here:


This will remove the “SPAM” tag from the subject and forward the message to the intended recipient. It will also cause a copy of the message to be examined by the Spam Filter’s Bayesian learning engine to reduce the possibility of a similar message being incorrectly tagged as spam in the future. Once you have released any messages that were incorrectly classified as spam, you can simply highlight and Delete those that remain.


APPENDIX D – Routing Spam to a Single Exchange Mailbox If you would like all messages tagged as spam to be forwarded to a single mailbox on the Exchange server, you can easily accomplish this with the use of a Content Filter rule as follows: Under the Security menu, select Content Filter Create a new rule that watches the REMOTE queue for messages that contain your spam flag in the Subject Header (i.e. **SPAM**), copies the message to the appropriate Exchange account, then deletes the (original) message.

Implementing MDaemon as an Email Security Gateway to ... · SecurityPlus is an integral tool in...

Documents

Transcript of Implementing MDaemon as an Email Security Gateway to ... · SecurityPlus is an integral tool in...