CAMELOT Configuration Overview Step-by-Step

Transcription

1 General Mode of Operation Page: 1 CAMELOT Configuration Overview Step-by-Step 1. General Mode of Operation CAMELOT consists basically of three analytic processes running in a row before the reaches the actual SMTP server. CAMELOT behaves like as an SMTP gateway that is visible as a gate to the outside world. It receives like a regular SMTP service, however, there is no immediate delivery of into a user's account. The SMTP gateway first checks the parameters of the current connection during the transaction and prevents the delivery to the mail server from messages sent by unwanted or undesired servers or addresses. The incoming traffic is then transferred directly to the CAMELOT security processor. Messages and attachments are then analyzed based on the pre-set rules in CAMELOT. This contains extensive verifications to identify unwanted and dangerous elements in the message such as computer viruses, unwanted text contents, worms, etc. The delivery to the actual mail server takes place only after the messages have passed a successful examination or analysis. This is handled by the CAMELOT SMTP Forwarder on the basis of pre set CAMELOT profiles. With CAMELOT each domain has the ability to have its own individual configurations. It does not matter if the mail server is sitting on the same machine as CAMELOT or somewhere else on a different machine within the WAN/Internet. CAMELOT Anti-Spam Firewall System Internet SMTP Gateway an Port 25 Security Service Anlagen-Filter Text-Filter Text-Classifier Virus-Scanner HTML-Cleaner Backup Disclaimer SMTP-Forwarder an Port 2525 SMTP Server an Port 2525 Another major feature is the CAMELOT POP3-Collector. This feature can retrieve from external POP3 servers and introduce them into the regular verification process of CAMELOT. accounts that reside on external servers (e.g., with an Internet provider) are easily integrated with CAMELOT and the local mail server system.

2 Installation Page: 2 2. Installation The CAMELOT installation wizard will install the software automatically on your system. All the necessary settings are pre-set and set-up automatically. The installed version is designed to account for a traditional mail server environment within a local network segment. Once the automatic installation is complete, in most cases, very few changes are required in order for CAMELOT to function correctly. The following descriptions below will attempt to identify the various CAMELOT components in more detail.

3 The Forwarders Page: 3 3. Forwarders A forward profile is used to forward the received messages to the actual mail server. The picture above shows that this feature is located at the end of the process chain. To integrate CAMELOT into a existing environment, a view from the back is much more useful. To setup a forward profile, please select the Forward dialog in the CAMELOT Configuration Utility and click on Add. The settings on this page are not very complicated. The most important things are Hostname/IP address and Port. Enter here the hostname or IP address of your mail server. The port filed must contain the port number used by your mail server to accept messages. Note: Normally the standard SMTP port is set to 25. But if CAMELOT is installed on the same machine (IP address) as the mail server, the value for the SMTP port must be changed. This is required because it is not possible to run multiple services on the same IP address and same port. Since CAMELOT is receiving all incoming mail, the port number 25 is assigned to the CAMELOT SMTP gateway and cannot longer be used by the mail server. So, you need to change the inbound port of your SMTP server to another value than 25 (e.g. 2525). You can use any port of choice, but remember to make the changes in you CAMELOT profiles too. The remaining settings for the forward profile contain additional rules for delivery and undeliverable messages, as well as login information to access the destination system. These functions are described in detail in the on-line help CAMELOT.

4 The Forwarders Page: 4 Usually only one forward profile is needed. If you use multiple mail servers for different domains, you need to setup a separate forward profile for each domain. Please note that one of these profiles must be the default profile. This is used when no assignment to a special profile is possible.

5 The Policies Page: 5 4. Policies All security rules in CAMELOT are defined by Policy Profiles. A policy profile describes exactly what kind of transactions are forbidden or allowed. The definition of multiple policy profiles allows the usage of different rules for different network segments or domains. A policy profile consists on the one hand of basic options to check transaction parameters and address lists (e.g. black and white lists) with unwanted and wanted host and addresses. On the other hand, it is defined by a number of content processors for detailed examinations of the message contents. The first step to a secure system is a secure SMTP connection. Not only message contents are part of the security concept, but also the addresses of originator and the sending host. A long year experience has shown that in the most cases of spam also the originator address is bad. Also spam sending mail systems work with wrong names. The dialog tab Envelope contains several options, to check the parameters of a SMTP transaction. A very important thing here are the settings for host and originator address. These options define the most effective way against SPAM, because the transaction will be canceled immediately when a bad parameter is detected. In this case, no data transaction will be done. The CAMELOT Setup Wizard automatically creates a default environment with two policy profiles. One of them is optimized for the local network and the other one for the rest of the world. The settings of these profiles are very different regarding the envelope set-

6 The Policies Page: 6 tings, because the parameters inside the local network are mostly correct. With additional features like authentication a kind of manipulation could be nearly ruled out. The setting at this point can be very different. Everyone needs to set the options regarding his own requirements. The options itself are described in detail in the CAMELOT Online Help. Note: The combination of these options can cause very different results. So, the settings are very different for each environment. All settings must be adjusted to your environment. Wrong settings can stop the whole traffic. Another solution to check server and originator addresses is the Address Lookup feature. With the help of black lists and white lists, special host names and addresses, as well as addresses can be denied or allowed explicitly. The management of these address lists is handled by data stores. The configuration of data stores is described in chapter 7. Data Stores. On the dialog tab Address Lookup, you can select a data store for each list category. The different areas differentiate between lists containing allowed and forbidden addresses. The data stores for host and addresses can be selected separately. Another difference is area of validity, global or user dependent. Global address lists are valid for the whole system. These list are usually managed by the administrator. User dependent lists are different for each user. These lists are managed by the user itself. This separation allows each user to set its own allowed or forbidden addresses.

7 The Policies Page: 7 The usage of lists with allowed addresses (while lists) can be very critical and must be handled with care. The addresses defined on white list have full access to the system. Messages received from such addresses will be handled with low security. If a address was found on a white list, no more examination will be processed. The usage of while lists is very reasonable to detect trusted mail systems and remove them from the default examination process. A inconsiderate usage of white list can cause a big hole in your security system. The dialog tab Content contains a list of defined processors for examination of message contents. You can select different components here to process after another in the process chain. The particular components work independent from each other. If one of the defined content processors detects a invalid message, it will automatically continue with its corresponding action. This allows you to define different action for different kinds of infections. A message containing a virus must handled in another way as a message with a unwanted word in the message text. The particular content processor features are described as follows:

8 Die Viren-Scanner Seite: Virus Scanner The Virus Scanner feature is a interface to a external Virus Scanner. The message will be separated into its parts and forwarded to the virus scanner application. Besides the simple command line scanners, it supports main stream third party products of well named vendors. If a virus infection is detected, the action defined on the dialog tab Action will be executed. Several kinds of further processing are available here. The message can be delivered on the regular way or deleted completely. Also the infected part can be remove and a hint for the recipient inserted in the message text. A detailed description about the other options can be found in the CAMELOT Online Help. The configuration for different actions is described in chapter 4.10 Actions as Result of Content Processing.

9 Der Anlagen-Filter Seite: Attachment Filter The most dangerous things in s are located mostly in attachments. Attachments contains often binary data like executable files or scripts. These files are not always detected by virus scanners, because many of them are no real viruses. Because of this reason, it is very important to remove dangerous attachments and store them on a safe place. This would also protect you against new or unknown viruses. The dialog tab Attachments contains a list with forbidden or allowed file masks. Also a maximum file size can be specified. This options allows to limit the filter processor to files with maximum size. All message bigger than the given value will be handled as invalid. The dialog tab Action contains the same options as virus scanner profile. Some actions here will also affect the whole message and some of them only the invalid parts. The definition of multiple attachments filters for different file types allows you to perform different actions for each file type. In this way, attachments with executable files can be stored in a different Quarantine Area as passive documents.

10 Der HTML-Cleaner Seite: HTML Cleaner The unwanted execution of dangerous program code on workstations is one of the biggest risks, caused by messages. Scripts in HTML messages or references to external internet pages are the most frequent reasons for that. The CAMELOT HTML Cleaner can detect such components in messages and remove them. The dialog tab HTML Settings offers a set of options to define how such messages should be handled. The corresponding action options for invalid messages are identical with the other filters from above and is described in detail in chapter 4.10 Actions as Result of Content Processing. Normally, it is not useful to delete the whole message in this case. Cleaning the found scripts or references is much more effective.

11 Der Textmuster Analysator Seite: Text Pattern Analyzer The Text Pattern Analyzer searches the messages text for known words and phrases to identify unwanted contents. Even advertising can be detected very often by special words. In the dialog Edit Text Pattern Analyzer, you can select the data stores to use with that filter. The data stores for global and user dependent data handling can be selected separately. The data stores contain tables with known text pattern, used to analyze the message text. The table data inside that data stores can be edited with the Edit Data Store feature. More information about data stores is available in chapter 7. Data Stores. The value for the number of matching conditions defines when the message is declared as invalid. The message is invalid when the given number of forbidden words or pharses was found in the message text. In this case, the predefined action will be executed. The action settings are similar to other components described before. Detailed information about action are available in chapter 4.10 Actions as result of Content Processing.

12 Die Bayes sche Text Klassifikation Seite: Bayesian Text classification Bayesian text classification is another feature to examine textual contents. The message text will be classified using the Bayesian Theorem for Conditional Probability. This feature is also based on existing data. However, the big advantage is the ability to learn. If a messages is declared as SPAM using the training feature, all other messages containing the same or similar contents can be also detected. In the Bayesian text classification dialog, you can select the data store to use. The dialog contains also feature to train existing message as SPAM or NOT SPAM. The Bayesian Data Manager Utility offers additional features to control the class data stores. This utility is very useful to keep the data stores clean and expand them with usable message data. Another way to train the Bayesian system given by special addresses for training. These addresses are defined in the domain section and can be set for each domain separately. A detailed description about Bayesian classification is available in the CAMELOT Online Help. Please read also the Understanding Bayesian Class Data guide. Note: The results of a Bayesian classification are never 100% unique. It describes only the probability for a special case. The result of a text pattern filter is always 100%, but it works only with known text patterns. The Bayesian classification also returns usable results for unknown contents.

13 Die Bayes sche Text Klassifikation Seite: 13 You should always use a text pattern analyzer first. This returns a exact result for all known words and phrases. The power of Bayesian classification is rather the processing of unknown contents..

14 Der Disclaimer Seite: Disclaimer The Disclaimer component does not filter anything. With the help of the feature, you can expand the message text with commercial or legal hints (Disclaimer). This hint text can be defined in the dialog Edit Disclaimer. Normally, CAMELOT uses special templates to generate this text, but you can also use regular text files. The usage of a disclaimer not reasonable for incoming messages, but for outgoing mails. A disclaimer item in the policy profile outgoing messages is a guarantee that all outgoing messages contain the disclaimer text. This is required by law in some countries. Detailed information about templates and other disclaimer options are available in the CAMELOT Online Help.

15 Weitere Leistungsmerkmale zur Inhalts-Verarbeitung Seite: Pornographic Image Analyzer The pornographic Image Analyzer searches for pornographic contents in images, using the skin tone method. This method detects shapes with skin like colors and rates them. The recognition of naked skin work quite reliable, but close-ups of faces can also end in a hit. The dialog tab Image Filter contains a list of file masks to handle by the processor. The Validation section contains additional options to set die minimum picture size or the minimum deviation of the detected skin tones. A bigger value causes more hits, but works less exactly. The minimum allowed score defines when the file must be rated invalid. The options on the dialog tab Action are identical with the components above. Some of the actions affect the whole message and some of them only the infected part.

16 Weitere Leistungsmerkmale zur Inhalts-Verarbeitung Seite: RFC822 Header Field Filter The header information of a message consist of fields defined RFC822. The RFC822 Header Field Filter checks the contents of these fields and executes the defined action if the filter condition matches with the fields contents. This feature allows you to manipulate the message delivery, because of special header information. All available header information can be checked with this filter, also custom field names. The different filter condition can be combined by AND and OR operations and arranged in hierarchic levels. The options for the corresponding action are described in earlier chapters. A detailed description of the particular options are available in the CAMELOT Online Help.

17 Weitere Leistungsmerkmale zur Inhalts-Verarbeitung Seite: Other Content Processing Features The Executable feature allows you to integrate external command line application into the CAMELOT process chain. CAMELOT calls the given application at the right place and continues the message handling based on its return values. CAMELOT also contains features for automatic backup and auto responders for predefined message responses. These features are also described in the CAMELOT Online Help.

18 Aktionen aufgrund der Inhalts-Überprüfung Seite: Actions as Result of Content Processing The performed action for invalid messages can be set on the dialog tab Action of the corresponding content processor profile. This allows to define different actions depending on the results of different content processors. The action Continue with regular message delivery does not change anything on the message itself. The message will be delivered in the same ways as valid messages are delivered. This feature is usable e.g. for HTML cleaner profiles. These profile do clean the message from unwanted contents. So, it can be forwarded on the regular way. The additional option Add the following prefix to subject line tags the message with the given word. So, if the subject line starts e.g. with the word [Spam], you can see in your mail client that the message was detected as a invalid message. Many mail client support filters to detect this and forward the messages to special folders. This guarantees a additional availability on the recipient side. The option Forward message to quarantine area stops the message delivery process. The message will be stored in the selected quarantine area and is available on the server side for the time as defined in the quarantine profile. More information about quarantine management can be found in the CAMELOT Online Help. Select the Delete whole message option, if you want to delete the whole message. Message delivery will not continue in this case. The message will no longer available. The action Delete invalid message part deletes only the parts from the message where invalid contents were found. This is very useful with attachment filters. The forbidden attachments will be removed from the message, but the message text will saved. If the Insert Annotation option is set, the system will put a special hint for the recipient into the message text that the part was removed. The different actions are available for all content processors described above, but the signification is very different. Deleting message parts is very useful for attachment filter or virus scanner profiles. With text patterns analyzer or Bayesian class profiles, the usage quarantine areas would be more reasonable. After the execution of a HTML clean, the regular delivery should be possible solution. The dialog tab Action offers also additional notification options. If a invalid message was found, the originator as well as the administrator can be notified automatically. If a fake undeliverable report will be sent to the originator, the originator thinks that the recipient address does no exist. This feature is useful to prevent mass mailing. Many spam mailers recognize such undeliverable reports and don not send messages to this address again. All return message and hint texts are defined by special templates. The available options for templates are described in detail in the CAMELOT Online Help.

19 Die Domänen Seite: Network Profiles Network Profiles are used to defined the different network segments, where incoming connections can originate from. Usually, there are at least two different network segments, the local area network and the rest of the world. Since the security policies for these areas are very different, the address range if each areas must be defined in a network profile. To create a network profile, please open the Network dialog. The Add button will create a new profile. The first network profile must describe the address range of the local area network. Here you must enter the network address and subnet mask of the local network segment into the Address/Subnet field. The permission must be set to Access allowed. The Access denied option ins only useful, if a special network area needs to be blocked explicit. On the second dialog tab Security, you can select the security policy to use. This policy (e.g. Local) defines all rules to be used for that network area. The rest of the options are described in detail in the CAMELOT Online Help.

20 Die Domänen Seite: 20 If your local network consists of multiple network segments, you need to define one network profile for each network area. This is also necessary for other trusted networks outside our local network, if special security rules are needed for these areas. The last profile must be the profile for the Rest of the world. This profile defines all network addresses not defined in other profiles. In this case, the Address/Subnet field needs to be set to All IP Addresses and the permission also must be Access allowed. The Policy must be set to the policy profile to use with that network profile. This is usually the default profile. Note: The processing of network profiles takes place from top down. Please take care that the profile for the rest of the world is always the last in the list. Otherwise, the other profiles cannot be assigned correctly.

21 Die Domänen Seite: Domains The handling of local domains is very different from external domains. If the originator and recipient domain is external, we have a case of Relaying. This case is usually not wanted, because nobody is interested in to provide external user with services. Because the system needs to detect that difference, all local domains must be defined. Open the Domain dialog and click on Add to create a new domain. The most important item here is the domain name itself. This makes the responsibility for the domain clear. If you have defined more than one Forwarder profiles for different domains, you can select here which forwarder should be used to deliver messages for the domain. Usually the default forwarder options works fine here.

22 Die Domänen Seite: 22 Furthermore, you can define here what policy profile should be used for that domain. By default, the policy does not change during the whole operation. So, the system will keep the same policy profile as already selected by the network profile. But, if this domain should be handled by special rules, you can select here the policy you want to use for this domain. The second dialog tab Network shows the available network profiles. Select here the network areas where the domain is allowed to sent messages from. If a domain sends messages from one of these network areas, no authentication is needed. If the domain send a message from any other area, the system will no accept it without successful authentication. The list of allowed aliases on the dialog tab Aliases contains all accepted aliases for this domain. This alias list is a extended security feature. All message addressed to aliases not on the list will be denied. This prevents unnecessary data transfer. Is the list id empty, all aliases will be accepted.

23 Die Domänen Seite: 23 A additional list with trusted aliases is located on the Exceptions tab. Incoming messages addressed to aliases on that list will not be processed by the security system. These messages will be forwarded immediately to the destination mail system. Since this feature can cause increased security risk, you should use it only in exceptional cases. The rest of the options are described in detail in the CAMELOT Online Help.

24 Die Datenpools Seite: Data Stores CAMELOT uses special profiles to access data lists (e.g. back host lists). These profiles define exactly where database is located and what type and origin the data has. Such a profile is named as Data Store. The usage of data stores allows you to integrate existing data sources into the CAMELOT security system. Since the system does not interact with the data source itself, you can edit the data store settings without to change any of the corresponding profiles (e.g. Policies). The data store profile differentiates basically between four data types, Hsot names and addresses, addresses, text patterns and Bayesian class data. All of these types can be global or user depended. Global data stores contain system wide data, handled independent from any user addresses. Also the type of data source is defined here and where the physical data source is located. This can be a simple file or a SQL database. The CAMELOT Setup Wizard creates all needed Profiles automatically. If you want to integrate existing data in CAMELOT,you need adapt the profiles to your personal needs. The usage of data stores is described in detail in the CAMELOT Online Help. Further information about the used database can be found in the documentation of the database system.

25 Die POP3-Profile Seite: POP3 Collectors The category POP3 Collectors is used to manage external POP3 accounts. These accounts are located on remote POP servers and can be queried automatically by the CAMELOT POP3 Collector. Messages received on this way will be forwarded to the regular message queue examination and will be forwarded by SMTP to the destination mail system after successful examination. With the help of a POP3 collector profile, messages can be collected from personal user accounts and forwarded to the corresponding user account on the local system. The actual advantage of the feature is the handling of shared POP2 accounts (Catch-All- Accounts). These accounts contain normally messages addresses to different recipients. The POP3 collector is forwarding these messages automatically to the respective recipient on the local system based on information of the message header. Click on the Add button on the Collectors dialog to create a new POP3 collector profile. The dialog tab Settings contains all the important information about the POP3 server. The hostname/ip address field, as well as the login name and password fields, define exactly where the messages should be collected from and how to authenticate at the remote system.

26 Die POP3-Profile Seite: 26 On the dialog tab Rules, you can set when the profile should be executed. A recurring interval is very useful here, but it should not be too short to prevent unnecessary traffic. The Policy option defines the security rules to use with messages collected by this POP3 profile. The Delivery option on the Options tab is used to set the kind of delivery inside the local system. If the collector profile works for a personal user account, you can specify here the destination address where all messages should be delivered too. If a shared POP3 account is used, you select here what header fields are used to determine the destination address automatically.

27 Die POP3-Profile Seite: 27 Note: Please note that the header fields To: and Cc. do not always contain usable information. These fields are not used for the delivery itself, but rather as information for the recipient. Even in redirected messages is this information not usable. Many mail system save the original envelope information in special header fields like X- Envelope-To. Please ask your administrator or ISP for the right fields to use. Wrong settings at this place can cause lost messages or multiple delivery.

28 Allgemeine Einstellungen Seite: Common Settings The Settings page in the CAMELOT Configuration Utility contains all basic application parameters. Some of the CAMELOT security features are based on DNS requests. This purpose requires a valid DNS server. Please enter this value into the Nameserver field on the SMTP Settings tab. In this area, you need also to specify the hostname of the local system. Please enter here the official name of the host, as defined in the DNS (e.g. mail.atrium-software.com). This name is used by the CAMELOT SMTP gateway to introduce itself against other mail systems. Since the CAMELOT SMTP Gateway acts as the official mail server, the name must be the same as the name of your actual mail server. On other settings pages, you can setup quarantine areas, templates, etc. A detailed description can be found in the CAMELOT Online Help.