WorldSecure/Mail Getting Started Guide


WorldSecure/Mail Getting Started Guide Release 4.3 012-0068-43

The software described in this document is furnished under license and may be used or copied only according to the terms of such license. Worldtalk Corporation reserves the right to make improvements in the software described in this manual at any time and without notice. The information in this document is subject to change without notice and should not be construed as a commitment by Worldtalk Corporation. Worldtalk Corporation assumes no responsibility for any consequences resulting from errors that may appear in this document.

No part of this manual may be reproduced, photocopied, stored in a retrieval system, or transmitted by electronic, mechanical, or any other means for any purpose without the express written permission of Worldtalk Corporation.

Copyright 1999 by Worldtalk Corporation. All rights reserved. Printed in the United States of America.

Worldtalk, WorldSecure, and the Worldtalk logo are trademarks of Worldtalk Corporation and are registered with the U.S. Trademark Office. All other brand and product names are trademarks or registered trademarks of their respective holders.

Worldtalk Corporation
5155 Old Ironsides Drive
Santa Clara, CA 95054
Telephone: 408-567-1500
Fax: 408-567-1501
Sales: 800-454-4674

Technical and Customer Support
Telephone: (408) 567-1530
Fax: (408) 567-1526
E-mail: support@worldtalk.com
Web site: www.worldtalk.com

Contents

Chapter 1 Introduction .... 1

Chapter 2 Installing WorldSecure/Mail .... 3
  WorldSecure/Mail Installation Checklist .... 4
  Configuration Parameters .... 5
  Routing Mail Internally .... 6
  Installing WorldSecure/Mail on the Same Host .... 6
  Installing WorldSecure/Mail on Its Own Host .... 8
  Routing Mail to the Internet .... 11
  Obtaining an Activation Code .... 12
  Verifying Windows NT Privileges .... 13
  Administrative Privileges on the NT Domain .... 13
  Verifying Administrative Privileges .... 13
  Assigning Administrative Privileges .... 14
  Administrative Privileges on the Local Computer .... 15
  Establishing Trust Relationships .... 16
  Running the Setup Program .... 17
  Running the Configuration Wizard .... 18
  Full Installation .... 19
  Remote Administration Installation .... 20
  Assigning Administrative Privileges .... 22
  Testing the SMTP Relay Service .... 23

Chapter 3 WorldSecure Overview .... 25
  The WorldSecure Configuration Window .... 26
  The SMTP Relay Service .... 27
  Mail Domain Records .... 29
  Host Records .... 31
  The WorldSecure Directory .... 33
  Policy Managers and Wizards .... 34
  Types of Policy Managers .... 35
  Configuring Policy Managers .... 36
  Mail Queues .... 39
  Filtering Messages in Queues .... 40
  Managing Queues .... 41
  Event Log .... 42
  Filtering Events in the Event Log .... 42
  Managing the Event Log .... 43

Chapter 4 The WorldSecure Directory .... 45
  Directory Objects .... 46
  Folders .... 46
  Domain Records .... 47
  The Wildcard Domain Record .... 48
  User Records .... 49
  Creating Directory Objects .... 50
  Simple Directory Model .... 51
  Viewing Policies .... 52
  Creating Policies .... 53

Chapter 5 Security Manager .... 57
  Security Manager Overview .... 58
  Key Pairs and Certificates .... 59
  Configuring a Virtual Private Network .... 60
  VPN Policies .... 70
  Configuring Proxy Security .... 71
  Receiving Encrypted Mail by Proxy .... 71
  Sending Encrypted Mail by Proxy .... 72
  Configuring Proxy Security .... 72
  Security Manager Policies .... 84
  Plaintext Access .... 84
  Allow Security Stripping .... 86
  Unencrypted Message Filter .... 87
  Client Encryption and Signature .... 87

Chapter 6 Managing Your Policies .... 89
  Default Policies .... 89
  Testing Your Policies .... 92
  Monitoring Compliance .... 93
  The Quarantine Queue .... 93
  Remote Administration .... 93
  Shared Lists .... 94
  Notifications .... 94
  Archives .... 94
  WorldSecure Event Log .... 95
  Windows NT Event Log .... 95
  Resources .... 96
  Unsolicited Bulk E-Mail .... 96
  Virus Hoaxes .... 96

Chapter 7 Technical Support .... 97

Index .... 1


Chapter 1 Introduction

WorldSecure/Mail is an e-mail firewall that allows e-mail administrators to create, automate, and enforce corporate messaging policies. This guide describes how to install WorldSecure and summarizes its major components:

- Chapter 2, Installing WorldSecure/Mail, describes how to prepare for installation and install WorldSecure on your network.
- Chapter 3, WorldSecure Overview, describes the main WorldSecure components and how they relate to one another.
- Chapter 4, The WorldSecure Directory, describes the WorldSecure Directory objects (folders, domain records, and user records) and how they are used to organize policies.
- Chapter 5, Security Manager, describes how to set up secure links with remote users and WorldSecure servers, and describes the Security Manager policies.
- Chapter 6, Managing Your Policies, describes the preconfigured WorldSecure/Mail policies that you can install, and how to test your policies and manage compliance of your policies. It also lists some resources on the Web.
- Chapter 7, Technical Support, describes how to contact a Worldtalk technical support representative.

For more information about WorldSecure, see the WorldSecure Help and the Worldtalk Web site at www.worldtalk.com.


Chapter 2 Installing WorldSecure/Mail

This chapter describes how to install WorldSecure/Mail. It includes a checklist of information that you must gather and the steps that you must perform before you begin installation.

Note: After you install and configure WorldSecure/Mail, you can install a special remote management version of WorldSecure on any Windows NT workstation or server. For more information, see Remote Administration Installation on page 20.

Caution: Do not install WorldSecure/Mail on a computer that runs desktop antivirus software. WorldSecure/Mail writes temporary copies of e-mail messages to the disk. Once your desktop antivirus software disinfects these temporary copies, Virus Manager will not take the appropriate action to clean or block the original messages. End users should still run antivirus software on their computers to detect viruses introduced through other channels.

WorldSecure/Mail Installation Checklist

Use the following checklist as you install and configure WorldSecure/Mail. Each item is explained in the pages that follow. As you work through the checklist, record the appropriate values in Table 2-1 on page 5.

1. Decide how to route mail internally and select the WorldSecure/Mail host. The WorldSecure/Mail host is the Windows NT computer where you install and administer WorldSecure/Mail. You must decide whether to install WorldSecure/Mail on the host where your existing Simple Mail Transfer Protocol (SMTP) server is installed or on a separate host. It is very important that you plan ahead and perform the necessary configurations. See Routing Mail Internally on page 6.

2. Decide how to route mail to the Internet. WorldSecure/Mail can route mail to the Internet using DNS (Domain Name System) or a relay server. See Routing Mail to the Internet on page 11.

3. Obtain an activation code for the WorldSecure/Mail software. WorldSecure/Mail requires a license key and an activation code. See Obtaining an Activation Code on page 12.

4. Verify that you have the necessary Windows NT privileges. You must have administrative privileges on the domain and the computer where you install and administer WorldSecure/Mail. See Verifying Windows NT Privileges on page 13.

5. Run the WorldSecure setup program. The setup program installs the program files and prompts you for a license key and an activation code. See Running the Setup Program on page 17.

6. Run the WorldSecure configuration wizard. See Running the Configuration Wizard on page 18.

7. Test the SMTP Relay configuration. See Testing the SMTP Relay Service on page 23.

Configuration Parameters

The following table lists the parameters required in the WorldSecure setup program and configuration wizard. Record the values in this table as you work through the installation checklist on page 4.

Table 2-1 Parameters for WorldSecure Setup and Configuration Wizard

Configuration Parameter                                                        | Default Value                            | Value
User Name                                                                      |                                          |
Company Name                                                                   |                                          |
Path to Program Files                                                          | C:\Program Files\Worldtalk\WorldSecure   |
License Key                                                                    |                                          |
Activation Code                                                                |                                          |
Host Computer Name                                                             | (Read from Windows NT registry)          |
Primary E-Mail Domain Name                                                     | (Read from Windows NT registry)          |
External Routing Method                                                        | DNS                                      |
Relay Host Name or IP Address (if using a Relay server)                        |                                          |
Internal Routing Method                                                        | Same Machine                             |
Port number of WorldSecure (if installing on same computer)                    | 25                                       |
Port number of SMTP Server (if installing on same computer)                    | 26                                       |
Host Name or IP Address of SMTP Server (if installing on different computer)   |                                          |

Routing Mail Internally

Before you install WorldSecure/Mail, you must decide how you want to integrate it with your current SMTP messaging environment. You have three choices:

- Install WorldSecure/Mail on the host where your current SMTP server is installed. With this configuration, you do not need to purchase a new computer or change your DNS configuration. However, you must reassign your current SMTP server to a different port which, in some cases, is not possible to do.
- Install WorldSecure/Mail on a host other than the one where your current SMTP server is installed. Although this option requires you to modify the DNS configuration, the result is a clean, modular network design that efficiently distributes the throughput load on your system and results in better performance.
- Route mail using DNS. This option should be used only by administrators who manage sophisticated SMTP message systems with multiple DNS servers.

Installing WorldSecure/Mail on the Same Host

Before you attempt to install WorldSecure/Mail on the host where your current SMTP server is installed, make sure that:

- Your current SMTP server allows you to change the port on which it listens for mail. WorldSecure/Mail listens for mail on port 25. Because your current SMTP server most likely listens for mail on port 25, you must reassign it to a different port to avoid a conflict with WorldSecure/Mail.
- Your current SMTP server can route mail to port 25 on the same computer. When WorldSecure/Mail and the SMTP server are installed on the same host, the SMTP server must route mail to port 25 but listen for mail on a different port (for example, port 26). Some SMTP servers cannot be configured to do so.

If your current SMTP server meets these conditions, do the following:

1. Configure the SMTP server to listen on a free port. The port number that you select can be any number, as long as it is a free port. Worldtalk recommends port 26.

2. Configure the SMTP server to route mail to port 25. See your server documentation for more information.

3. Configure the SMTP server to route all mail to WorldSecure/Mail. Typically, this involves specifying the IP address of the WorldSecure/Mail host computer and making sure the port is set to 25 where WorldSecure/Mail is listening. For more information, refer to your server documentation.

4. Record the port numbers in Table 2-1 on page 5.

Before you install WorldSecure/Mail, your network looks something like Figure 2-1.

[Figure 2-1 Network Before Installing WorldSecure/Mail: diagram showing the Internet, the SMTP Server, and other e-mail systems or clients]

After you install WorldSecure/Mail on the same computer where your SMTP server is installed, your network will look something like Figure 2-2.

[Figure 2-2 Network After Installing WorldSecure/Mail on the Same Host: diagram showing the Internet, one host running the WorldSecure Server (port 25) and the SMTP Server (port 26), and other e-mail systems or clients]

Installing WorldSecure/Mail on Its Own Host

To install WorldSecure/Mail on its own host:

1. Modify your Mail Exchange (MX) record to route mail to the WorldSecure/Mail host instead of to the current SMTP server. Typically, mail is routed to your SMTP server using an MX record in your DNS configuration. In the following example, mail was routed to an SMTP server on a host computer named mail.deming.com before WorldSecure/Mail was installed. WorldSecure/Mail was added on a host computer named ws.deming.com. Changes are marked in bold.

Note: Access to and configuration of MX records vary widely. The format in your version of DNS might be different.

Before:

    ;Mail Servers
    deming.com.        IN MX 0 mail.deming.com.
    ;Specific Host Addresses
    mail.deming.com.   IN A 192.168.131.9

After:

    ;Mail Servers
    deming.com.        IN MX 0 ws.deming.com.
    ;Specific Host Addresses
    mail.deming.com.   IN A 192.168.131.9
    ws.deming.com.     IN A 192.168.131.13

2. Log on to the computer where your current SMTP server is installed.

3. Configure the SMTP server to route all mail to WorldSecure/Mail. Typically, this involves specifying the IP address of the WorldSecure/Mail host computer and making sure the port is set to 25 where WorldSecure/Mail is listening. For more information, refer to your server documentation.

4. Record the host name or IP address of your SMTP server in Table 2-1 on page 5.

Important: If WorldSecure/Mail will route mail for more than one SMTP server, you must add an e-mail domain record for each server in the Domains tab in the SMTP Relay Properties dialog box in WorldSecure/Mail. See Mail Domain Records on page 29.

Before you install WorldSecure/Mail, your network looks something like Figure 2-3.

[Figure 2-3 Network Before Installing WorldSecure/Mail: diagram showing the Internet, the SMTP Server, and other e-mail systems or clients]

After you install WorldSecure/Mail on a different computer from where your SMTP server is installed, your network looks something like Figure 2-4.

[Figure 2-4 Network After Installing WorldSecure/Mail on Its Own Host: diagram showing the Internet, the WorldSecure Server, the SMTP Server, and other e-mail systems or clients]
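The MX change in step 1 of Installing WorldSecure/Mail on Its Own Host can be checked before the zone is published. The following Python code is an added example, not part of the Worldtalk guide: it parses a zone fragment in the format shown above and reports every MX record that would deliver mail to a host other than the WorldSecure/Mail host. The function names and the third sample zone are constructed for illustration, and owner names are assumed to be fully qualified.

```python
import re

# owner [ttl] [IN] TYPE rdata -- only the MX and A records used in this guide.
RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>MX|A)\s+(?P<rdata>.+)$",
    re.IGNORECASE,
)

# "Before" and "After" fragments as printed in this guide.
ZONE_BEFORE = """\
;Mail Servers
deming.com.        IN MX 0 mail.deming.com.
;Specific Host Addresses
mail.deming.com.   IN A 192.168.131.9
"""
ZONE_AFTER = """\
;Mail Servers
deming.com.        IN MX 0 ws.deming.com.
;Specific Host Addresses
mail.deming.com.   IN A 192.168.131.9
ws.deming.com.     IN A 192.168.131.13
"""
# Constructed sample: the old MX was kept as a lower-priority fallback.
ZONE_LEFTOVER = ZONE_AFTER + "deming.com.        IN MX 10 mail.deming.com.\n"


def fqdn(name):
    """Normalise a host name to lower case with one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_zone(text):
    """Return (mx, a): mx maps owner -> [(preference, target)], a maps owner -> [ip]."""
    mx, a = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        match = RECORD.match(line)
        if not match:
            continue
        owner = fqdn(match["owner"])
        rdata = match["rdata"].split()
        if match["type"].upper() == "MX":
            if len(rdata) == 2 and rdata[0].isdigit():
                mx.setdefault(owner, []).append((int(rdata[0]), fqdn(rdata[1])))
        else:
            a.setdefault(owner, []).append(rdata[0])
    return mx, a


def check_mail_path(zone_text, domain, gateway):
    """List reasons why inbound mail for `domain` might not reach `gateway` first."""
    mx, a = parse_zone(zone_text)
    domain, gateway = fqdn(domain), fqdn(gateway)
    findings = []
    targets = sorted(mx.get(domain, []))
    if not targets:
        findings.append(f"no MX record for {domain}")
    for preference, target in targets:
        if target != gateway:
            # Senders may use any listed MX, so this path skips policy checks.
            findings.append(f"MX {preference} {target} bypasses {gateway}")
    if gateway not in a:
        findings.append(f"{gateway} has no A record")
    return findings


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER),
                        ("leftover", ZONE_LEFTOVER)):
        print(label, check_mail_path(zone, "deming.com", "ws.deming.com") or "OK")
```

An empty result means every MX for the domain points at the WorldSecure/Mail host and that host resolves; any remaining MX for the original SMTP server is reported because mail sent to it would not pass through the e-mail firewall.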

Routing Mail to the Internet

Before you install WorldSecure/Mail, you must decide how you want to route outbound mail from WorldSecure/Mail to the Internet. There are two choices:

- Route external mail using DNS.
- Route external mail to a single relay server. You must specify the host name or the IP address of the relay server in the WorldSecure configuration wizard.

After WorldSecure/Mail is installed, the default Internet mail routing is shown in the Routing tab in the SMTP Relay Properties dialog box.

Note: The default Internet mail routing is also used for mail to any domain that does not have its own routing specified in the Domains tab in the SMTP Relay Properties dialog box. See Mail Domain Records on page 29.

Obtaining an Activation Code

You must enter a license key and an activation code during WorldSecure/Mail installation. The Base license key is included in your WorldSecure package. Follow the instructions below to obtain an activation code for the Base license.

Note: If you do not have a license key, or if you do not have a Web browser, call 800-454-4674 or 408-567-5168. Tell the Worldtalk representative your license key number if you have one. The representative will ask for additional information and assign you an activation code.

To obtain an activation code:

1. Point your browser to www.worldtalk.com.
2. Click Download/Activate.
3. Select WorldSecure/Mail under Activate.
4. Follow the instructions for obtaining an activation code.

Verifying Windows NT Privileges

To install and administer WorldSecure/Mail:

- You must be logged on to Windows NT as a domain user with administrative privileges. See Administrative Privileges on the NT Domain next.
- The domain user must also have administrative privileges on the local computer. See Administrative Privileges on the Local Computer on page 15.

Administrative Privileges on the NT Domain

You must have administrative privileges on the Windows NT domain to run setup. The simplest way to obtain administrative privileges is to log on to the domain as Administrator. If that is not possible, you must ask the Windows NT network administrator to assign administrative privileges to the domain account that you will use to install WorldSecure.

Verifying Administrative Privileges

1. Log on to the domain where WorldSecure/Mail will be installed. Log on to Windows NT, specifying the domain where WorldSecure will be installed as the domain in the Logon Information dialog box.

2. Open the User Manager dialog box. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains from the taskbar.

3. Double-click your user account name to open the User Properties dialog box.

4. Click Groups to open the Group Memberships dialog box.

5. Verify that the Member of list contains the entry Administrators. If it does, close the dialog boxes and proceed with WorldSecure setup.

If it does not, see Assigning Administrative Privileges on page 14.

Assigning Administrative Privileges

If you do not have administrative privileges, ask your Windows NT network administrator to do the following:

1. Log on to the domain where WorldSecure/Mail will be installed as a user with administrative privileges. Log on to Windows NT, specifying the domain where WorldSecure will be installed as the domain in the Logon Information dialog box.

2. Open the User Manager dialog box. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains from the taskbar.

3. In the lower pane, double-click the Administrators group. The Local Group Properties dialog box appears.

4. Click Add to open the Add Users and Groups dialog box.

5. In the List Names From menu, select the domain of the user to whom you are assigning administrative privileges. If the domain does not appear in the list, it is not a trusted domain. See Establishing Trust Relationships on page 16.

6. Select the user in the Names list and click Add.

7. Click OK. The domain user name should appear in the form DOMAIN\user in the Members list in the Local Group Properties dialog box.

8. Click OK.

9. Close the User Manager dialog box and log off.

Administrative Privileges on the Local Computer

You must have administrative privileges on the local computer to run setup.

To assign administrative privileges on the local computer:

1. Verify administrative privileges on the Windows NT domain. If you have not already done so, follow the steps in Administrative Privileges on the NT Domain on page 13.

2. Log on as the local administrator to the computer where you will install WorldSecure/Mail. Log on to Windows NT as the administrator, specifying the computer name as the domain in the Logon Information dialog box.

3. Open the User Manager dialog box. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains from the taskbar.

4. In the lower pane, double-click the Administrators group. The Local Group Properties dialog box appears.

5. Click Add to open the Add Users and Groups dialog box.

6. Select the account that will be used to install WorldSecure/Mail and click Add.

7. Click OK. The domain user name should appear in the form DOMAIN\user in the Members list in the Local Group Properties dialog box.

8. Click OK.

9. Close the User Manager dialog box.

10. Before running the WorldSecure setup program, log off, and then log on again as the domain user.

Establishing Trust Relationships

Establishing a domain as trusted requires setting up at least a one-way trust relationship between the domains. This requires two steps:

- The local domain, on which WorldSecure resides, must add the remote domain to its Trusted Domains list.
- The remote domain must add the local domain to its Trusting Domains list.

Note: Only the administrator for a domain can establish trust relationships on that domain. The administrators for the local and remote domains may have to work together to complete these steps.

1. Define the local domain as the trusting domain. Perform the following steps on the server on the remote domain.

   1. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains from the taskbar.
   2. Choose Select Domain from the User menu.
   3. Select the remote domain and click OK.
   4. Select Trust Relationships from the Policies menu.
   5. Next to the Trusting Domains list, click Add.
   6. Type the local domain name and any required password information.
   7. Click OK and close the Trust Relationships dialog box.

2. Define the remote domain as the trusted domain. Perform the following steps on the server on the local domain.

   1. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains from the taskbar.
   2. Choose Select Domain from the User menu.
   3. Select the local domain and click OK.
   4. Select Trust Relationships from the Policies menu.
   5. Next to the Trusted Domains list, click Add.
   6. Type the remote domain name and any required password information.
   7. Click OK and close the Trust Relationships dialog box.

Running the Setup Program

Before running the setup program, check the WorldSecure/Mail Release Notes for Windows NT Service Pack requirements and other prerequisites.

Note: When installing WorldSecure/Mail from a remote drive, you must first map the shared CD-ROM to a network drive. You cannot run the WorldSecure setup program from an unmapped drive.

To run the setup program:

1. Log on to Windows NT as a user with administrative privileges for both the domain and the local computer. See Verifying Windows NT Privileges on page 13 for more information.

2. Open the Control Panel. Select Start > Settings > Control Panel from the taskbar.

3. Double-click Add/Remove Programs.

4. Click Install in the Install/Uninstall tab.

5. Follow the instructions in the wizard. Refer to Table 2-1 on page 5 for required information.

Running the Configuration Wizard

The WorldSecure configuration wizard appears either at the end of the setup program or the first time you start WorldSecure. Use the wizard to specify the following values as recorded in Table 2-1 on page 5. Click Help for more information.

Host Name: The name of the computer where WorldSecure/Mail is installed. The wizard reads this name from the Windows NT registry, but you should verify it.

Primary E-Mail Domain Name: The primary Internet e-mail domain that the WorldSecure/Mail e-mail firewall will protect. The wizard reads this name from the Windows NT registry, but you should verify it.

External Routing Method: The method that you will use for routing mail from WorldSecure/Mail to the Internet. If you will route mail to a relay server, specify the host name or IP address of the relay server. See Routing Mail to the Internet on page 11.

Internal Routing Method: The method that you will use for routing mail internally. If you will route mail to an SMTP server on the same computer, specify the ports. If you will route mail to an SMTP server on a different computer, specify the host name or IP address of that computer. See Routing Mail Internally on page 6.

Default Mail Policies: Select the preconfigured mail policies that you want WorldSecure/Mail to install. Worldtalk recommends installing all default mail policies. They can assist you in creating your own policies, and they can be disabled or deleted at any time. For descriptions of these policies, click Help or see Default Policies on page 89.

Full Installation

When you choose the Full Installation option during setup, the WorldSecure setup program does the following:

- Installs the WorldSecure SMTP Relay service as a Windows NT service. The service is set to Manual until you successfully complete the configuration wizard. It is then set to Automatic and started. The service restarts whenever the computer is started.
- Installs the WorldSecure program files in the specified folder. The default folder is C:\Program Files\Worldtalk\WorldSecure.
- Creates a MsgStore folder within the installation folder, which is used to store messages being processed or held.
- Creates a Database folder within the installation folder, which is used to store information about users and domains added to the WorldSecure Directory.
- Creates a Log folder within the installation folder, which is used to store log files.
- Installs Data Access Object (DAO) and Open Database Connectivity (ODBC) drivers in the System folder or the Shared Components folder.
- Adds two system Data Source Names (DSNs) to the ODBC setup: one for WorldSecure Logging, and one for WorldSecure Directory. To access the DSNs, double-click ODBC in the Control Panel.
- Creates several registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Worldtalk\WorldSecure that store configuration information about the WorldSecure Directory, policy managers, and SMTP Relay service, plus performance counters that are required to monitor WorldSecure in the Windows NT Performance Monitor.
- Creates a simple structure in the WorldSecure Directory that consists of three folders, two domain records, and the policies that you chose in the configuration wizard. The WorldSecure Directory can be modified at any time. For more information about the default directory structure, see The WorldSecure Directory on page 45.
- Configures WorldSecure to begin enforcing policies after you start the SMTP Relay service.

Remote Administration Installation

The WorldSecure setup program includes a Remote Administration option that allows you to install only those files necessary to remotely manage WorldSecure. Certain tasks in WorldSecure cannot be managed remotely, including:

- Configuring properties for the remote server object.
- Backing up and restoring the remote WorldSecure configuration.
- Viewing, adding, or removing license keys.
- Importing, generating, and associating S/MIME key pairs and certificates.
- Updating pattern files in Virus Manager.

The remote administration software can be installed on any Windows NT workstation or server, but the remote administrator must be in the Local Administrators Group on the local domain (the domain where the WorldSecure to be remotely administered is installed).

If the remote administrator is not in the Local Administrators Group, but is a user in the local domain, he or she can be added to the group when you enable remote administration as described below. If the remote administrator is not in the Local Administrators Group and is also not in the local domain (even if he or she is in a trusted domain), see Assigning Administrative Privileges on page 22.

To enable remote administration:

1. In the configuration window of the WorldSecure to be remotely administered, right-click the Local Server object and select Properties. The Local Server Properties dialog box appears and lists the users in the Local Administrators Group for the local domain.

2. Select Allow these users to remotely administer WorldSecure.

3. If the remote administrator is not in the list, click Add. The Add Remote Administrator dialog box appears, and lists all of the users and groups in the local domain. Select the remote administrator and click OK. If the remote administrator is not in the local domain, see Assigning Administrative Privileges on page 22.

Remote Administration Installation 4 Click OK in the Local Server Properties dialog box. 21

Assigning Administrative Privileges

A remote WorldSecure administrator must have administrative privileges on the domain where the WorldSecure to be remotely administered is installed.

To assign administrative privileges:

1. Log on as the administrator on the computer where the WorldSecure to be remotely administered is installed.
2. Open the User Manager dialog box. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains from the taskbar.
3. Choose Select Domain from the User menu.
4. Type the name of the local server in the form \\Servername and click OK.
5. In the lower pane of the User Manager dialog box, double-click the Administrators group. The Local Group Properties dialog box appears.
6. Click Add to open the Add Users and Groups dialog box.
7. In the List Names From menu, select the domain of the user to whom you are assigning administrative privileges. If the domain does not appear in the list, it is not a trusted domain. See "Establishing Trust Relationships" on page 16.
8. Select the user in the Names list and click Add.
9. Click OK. The domain user name should appear in the form DOMAIN\user in the Members list in the Local Group Properties dialog box.
10. Click OK.
11. Close the User Manager dialog box and log off.

Testing the SMTP Relay Service

If you route internal mail to an SMTP server, you must ensure that the WorldSecure SMTP Relay service, and not your SMTP server, is listening on port 25. In the following example, WorldSecure is installed on a host named ws.deming.com with an IP address of 192.168.131.13.

1. Open a DOS prompt, preferably on the WorldSecure host computer.
2. Type telnet 192.168.131.13 25. You should see something similar to the following:

       220 ws.deming.com WorldSecure SMTP Relay vx.x Service Ready

3. Type quit to close the connection.

If you installed WorldSecure on the same host where your SMTP server is installed, you had to reassign the SMTP server port. To make sure you properly reconfigured the port, repeat the previous test for your original SMTP server. For example, if the name of your original server is mail.deming.com, its IP address is 192.168.131.9, and you reassigned its port to 26, do the following:

1. Type telnet 192.168.131.9 26. You should see something similar to the example in the previous test.
2. Type quit to close the connection.
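The two telnet checks above can be scripted so that the port layout is verified after every configuration change. The following is an added example, not part of the original guide or of WorldSecure: it reads each greeting (including multi-line "220-" greetings), classifies it by the banner text shown above, and reports any endpoint that does not answer as intended. The function names, the classification labels, and the second sample greeting are constructed for illustration.

```python
import socket

# Banner text taken from the sample greeting shown in this guide.
WORLDSECURE_MARKER = "WorldSecure SMTP Relay"


def read_greeting(host, port, timeout=5.0):
    """Connect, collect the full (possibly multi-line) greeting, then send QUIT."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:
            raw = reader.readline(1024)
            if not raw:
                break
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            lines.append(line)
            # "220-text" is a continuation line; "220 text" ends the reply.
            if len(line) < 4 or line[3] != "-":
                break
        sock.sendall(b"QUIT\r\n")
    return lines


def classify_greeting(lines, marker=WORLDSECURE_MARKER):
    """Return 'worldsecure', 'other-smtp', 'not-ready', 'not-smtp' or 'no-greeting'."""
    if not lines:
        return "no-greeting"
    code = lines[-1][:3]
    if len(code) != 3 or not code.isdigit() or any(l[:3] != code for l in lines):
        return "not-smtp"
    if code != "220":
        return "not-ready"
    text = " ".join(l[4:] for l in lines)
    return "worldsecure" if marker in text else "other-smtp"


def audit(greetings, expected):
    """Compare observed greetings with the intended port layout.

    greetings: {(host, port): [greeting lines]}
    expected:  {(host, port): expected classification}
    Returns a sorted list of (host, port, expected, observed) mismatches.
    """
    problems = []
    for endpoint, want in expected.items():
        got = classify_greeting(greetings.get(endpoint, []))
        if got != want:
            problems.append((endpoint[0], endpoint[1], want, got))
    return sorted(problems)


# Intended layout from the guide's example: WorldSecure on port 25,
# the original SMTP server moved to port 26.
EXPECTED = {
    ("192.168.131.13", 25): "worldsecure",
    ("192.168.131.9", 26): "other-smtp",
}

# Offline sample data. The first greeting is the one shown in the guide;
# the second is constructed.
SAMPLE_GREETINGS = {
    ("192.168.131.13", 25): ["220 ws.deming.com WorldSecure SMTP Relay vx.x Service Ready"],
    ("192.168.131.9", 26): ["220-mail.deming.com ESMTP", "220 Service Ready"],
}

if __name__ == "__main__":
    live = {}
    for host, port in EXPECTED:
        try:
            live[(host, port)] = read_greeting(host, port)
        except OSError:
            live[(host, port)] = []  # refused or timed out: reported as no-greeting
    for host, port, want, got in audit(live, EXPECTED):
        print(f"{host}:{port} expected {want}, observed {got}")
```

A mismatch on port 25 means mail is reaching a listener other than the WorldSecure relay and is therefore bypassing policy enforcement.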


3 WorldSecure Overview

This chapter briefly describes the main components of WorldSecure and how those components interact.

The WorldSecure Configuration Window

The WorldSecure configuration window appears when you start WorldSecure.

[Figure: the WorldSecure configuration window, with the following callouts]

- Double-click here to configure the SMTP Relay service.
- Double-click these objects to configure the various policy managers.
- When you select an object in the left pane, its contents appear here.
- Create your policies in a directory of hierarchical folders.
- Access messages in the queues by clicking these objects.
- Administer remote WorldSecure installations.

Use the WorldSecure configuration window to configure and manage the Simple Mail Transfer Protocol (SMTP) relay service, the WorldSecure Directory, policy managers, policies, mail queues, and the event log. Many of these tasks can be performed both locally and remotely.

To add or remove remote administrators, right-click the Local Server object and select Properties. To administer a remote WorldSecure, right-click the WorldSecure object and select New Server.

The SMTP Relay Service

The WorldSecure SMTP Relay service runs as a native Windows NT service and performs the following functions:

Inbound Mail

- Listens for e-mail on port 25.
- Assembles the data packets that it receives into readable messages.
- Passes messages to the policy engine, where they are processed by the policy managers.

Outbound Mail

- Accepts messages from the policy engine.
- Disassembles the messages into data packets for delivery.
- Performs DNS lookup of message recipients and sends the data packets. If you do not use DNS, it sends the data packets to the relay server that you specify.

The following are some of the options that you can configure in the WorldSecure SMTP Relay Properties dialog box. To open the dialog box, double-click SMTP Relay in the WorldSecure configuration window.

- Start and stop the WorldSecure SMTP Relay service (General tab).
- Enable/disable the WorldSecure/Mail policy engine (General tab). During your transition to WorldSecure, it may be useful to turn on the WorldSecure SMTP Relay service, but delay the implementation of your mail policies until you are confident that your network is properly configured.
- Allow/disallow external-to-external mail routing (General tab). By disallowing external-to-external mail routing, you can prevent users outside your organization from using the SMTP Relay to send mail to other external users.
- Set message expiration and retry intervals (Routing tab).
- Configure WorldSecure to route mail to the Internet via DNS or a relay server (Routing tab).
- Designate e-mail domains and subdomains as internal to WorldSecure and specify their routing (Domains tab). See "Mail Domain Records" on page 29.
- Designate hosts as internal to WorldSecure (Hosts tab). See "Host Records" on page 31.
- Specify the hosts that can and cannot connect to WorldSecure (Inbound tab, Outbound tab). For example, use the Inbound tab to reject connections from servers that send out junk mail, or use the Outbound tab to disallow outbound connections to hosts outside your organization.
- Keep the SMTP Relay operating smoothly and keep WorldSecure from overtaxing your system (Limits tab).

For more information about mail routing and the WorldSecure SMTP Relay service, see the WorldSecure/Mail Help.

Mail Domain Records

Mail domain records serve two functions. They specify routing methods for e-mail domains, and they designate e-mail domains as internal to WorldSecure. If a mail domain does not have a routing method specified, the method used is the default Internet mail routing specified in the Routing tab in the SMTP Relay Properties dialog box.

Designating e-mail domains as internal is important when external-to-external mail routing is disallowed in the General tab in the SMTP Relay Properties dialog box. When external-to-external mail routing is disallowed, only internal domains are allowed to receive mail from external hosts. (External hosts are those not listed in the Hosts tab.)

Note: Mail domain records should not be confused with directory domain records, which are used to implement policies and define security properties. See "The WorldSecure Directory" on page 33.

To create an e-mail domain record:

1. Open the SMTP Relay Properties dialog box.
   1. Expand the tree under the WorldSecure object.
   2. Under Content Sources, double-click SMTP Relay.
2. Click the Domains tab. Your primary domain is already listed. If your internal domains are all subdomains of the primary domain, and the routing to each is the same, you are done. To create a mail domain record for a domain other than your primary domain, or for a subdomain with special routing, click Add.
3. Click Add to open the Domain Record dialog box. For each internal domain that does not resolve to the primary domain or requires a different routing configuration from that of the primary domain, complete the Domain Record dialog box. Press F1 for more information.
   1. Type the fully qualified name of the mail domain.
   2. Indicate that the domain is internal.
   3. Specify the method for routing mail to this domain. The typical configuration for internal domains is to override the default Internet mail routing and route to a relay server.
4. Click OK.

Host Records

Host records designate e-mail hosts within your organization as internal to WorldSecure. This is important whenever WorldSecure is configured to disallow communication with external hosts in one of the following ways:

- External-to-external mail routing is disallowed in the General tab. When this is the case, a user's mail host must have a host record before he or she can send mail to external recipients. An external recipient is one whose domain does not have a mail domain record.
- "Reject external connections, except as listed below" is selected in the Inbound tab. When this is the case, any host that does not have a host record is considered to be external.
- "Disallow external connections, except as listed below" is selected in the Outbound tab. When this is the case, any host that does not have a host record is considered to be external.

To create a host record:

1. Open the SMTP Relay Properties dialog box.
   1. Expand the tree under the WorldSecure object.
   2. Under Content Sources, double-click SMTP Relay.
2. Click the Hosts tab.
3. Click Add to open the Host Record dialog box.
4. Specify the IP address and subnet mask. If your internal hosts span a range of IP addresses, use a subnet mask to specify that range and create a single host record. For example, the host record shown on the previous page specifies all IP addresses that begin with 206.63.131 and end with any three digits.
5. Click OK.
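The way host records and mail domain records combine with the external-to-external switch can be modelled in a few lines. The following is an added example, not WorldSecure code: it classifies a connection by the sending host (Hosts tab) and the recipient domain (Domains tab) and rejects only the external-to-external case. The class and function names are hypothetical, the 255.255.255.0 mask is assumed from the 206.63.131 example above, and matching subdomains against a mail domain record is an assumption based on the note that subdomains of the primary domain need no record of their own.

```python
import ipaddress


class RelayConfig:
    """Model of the Hosts tab, the Domains tab and the external-to-external switch."""

    def __init__(self, host_records, mail_domains, allow_external_to_external=False):
        # Each host record is (IP address, subnet mask), as entered in the
        # Host Record dialog box. strict=False tolerates host bits in the address.
        self.networks = [
            ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in host_records
        ]
        self.mail_domains = {d.lower().rstrip(".") for d in mail_domains}
        self.allow_external_to_external = allow_external_to_external

    def host_is_internal(self, client_ip):
        """A host is internal only if some host record covers its address."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def recipient_is_internal(self, recipient):
        """A recipient is internal only if its domain has a mail domain record."""
        local, sep, domain = recipient.rpartition("@")
        if not sep or not local or not domain:
            return False
        domain = domain.lower().rstrip(".")
        # Match on a label boundary: "evildeming.com" must not match "deming.com".
        return any(domain == d or domain.endswith("." + d) for d in self.mail_domains)

    def decide(self, client_ip, recipient):
        """Return (accepted, route) for one connection and recipient."""
        src = "internal" if self.host_is_internal(client_ip) else "external"
        dst = "internal" if self.recipient_is_internal(recipient) else "external"
        route = f"{src}-to-{dst}"
        accepted = route != "external-to-external" or self.allow_external_to_external
        return accepted, route


def sample_config(allow_external_to_external=False):
    """Constructed sample: one host record for 206.63.131.x, one internal domain."""
    return RelayConfig(
        host_records=[("206.63.131.0", "255.255.255.0")],  # mask is an assumption
        mail_domains=["deming.com"],
        allow_external_to_external=allow_external_to_external,
    )


if __name__ == "__main__":
    cfg = sample_config()
    # Constructed probes: (connecting IP, recipient address)
    probes = [
        ("206.63.131.77", "bob@example.net"),
        ("198.51.100.7", "alice@deming.com"),
        ("198.51.100.7", "alice@sales.deming.com"),
        ("198.51.100.7", "bob@example.net"),
        ("198.51.100.7", "mallory@evildeming.com"),
    ]
    for ip, rcpt in probes:
        accepted, route = cfg.decide(ip, rcpt)
        print(f"{ip:15} -> {rcpt:28} {route:22} {'accept' if accepted else 'reject'}")
```

With the switch left at allow, the same external-to-external probes are accepted, which is the open-relay condition the General tab setting exists to prevent.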

The WorldSecure Directory

You create, store, and organize your policies in the WorldSecure Directory. The directory uses a system of hierarchical folders that determine how and when to apply policies. Each object in the directory binds a user or a group of users to a set of policies that you define. For example, to apply a policy to every message that flows through your organization, create the policy in the directory's root folder. All objects beneath the root folder inherit the policy.

Organize your policies using the objects in the directory:

- A folder can contain domain records, user records, and other folders. The policies that you create in a folder apply to the objects in that folder.
- A domain record represents a group of users with a common Internet e-mail domain. A domain record contains the policies created specifically for that domain and inherits the policies of the folder in which it is stored. To further customize the policies applied to a domain, inherited policies can be disabled.
- A user record represents an individual user who warrants a unique set of policies. A user record contains the policies created specifically for that user and inherits the policies of the folder in which it is stored. To further customize the policies applied to a user, inherited policies can be disabled.

Note: User records do not inherit policies from domain records.

For more information, see "The WorldSecure Directory" on page 45.

Policy Managers and Wizards

Each policy manager is a specialized Dynamic Link Library (DLL) that plugs into WorldSecure. Together, the policy managers build the WorldSecure e-mail firewall. Each policy manager automates and enforces a specific set of policies, and is a specialist in a particular task. When WorldSecure processes a message, each policy manager acts on the message, based upon the policies created.

Policies are created with policy wizards. Each wizard displays your policy in short English phrases as you work. To modify a phrase, click the underlined text and make your changes.

Depending on how a policy is written, its policy manager can:

- Add annotations to messages. You can create annotations for a specific policy manager or a specific policy.
- Send notifications (messages). You can create notifications for a specific policy manager or a specific policy.
- Add recipients to messages.
- Log an event in the WorldSecure Event Log.
- Archive messages.
- Drop messages so that they are never delivered.
- Return messages to the sender.
- Quarantine messages in the Quarantine queue.
- Defer delivery of messages to off-peak hours.

In addition, most policy wizards let you specify the following:

- Whether the policy can be overridden (disabled) in directory objects that inherit the policy.
- Whether the policy should apply to the sender of a message or to the recipients of a message.
- The conditions under which to apply the policy.
- The exceptions to the conditions under which to apply the policy.
- The actions to take when the policy is invoked.

See "Creating Policies" on page 53.

Types of Policy Managers

Access Manager
Access Manager scans message headers for the size, subject, sender, recipients, and other message header information specified in your policies. Its primary role is to eliminate spam and other junk mail.

Content Manager
Content Manager scans message headers, message text, and attached files for information that you specify in your policies. Its primary role is to act on messages that contain disallowed or sensitive information.

Format Manager
Format Manager has a dual role: to convert UUENCODED data to MIME format, and to remove or change message header fields that contain sensitive information.

Security Manager
Security Manager allows you to exchange secure mail using S/MIME, and enforces mail policies based on message content or state of security. The tasks of exchanging secure mail are performed at the server level so that individual users do not need S/MIME clients on their desktops. For more information, see "Security Manager" on page 57.

Virus Manager
Virus Manager examines messages for infected file attachments. It uses an extensive virus pattern file (updated on a regular basis) to detect known viruses and unknown mutations of known viruses.

Configuring Policy Managers

Policy managers are configured globally in the Countermeasures Properties dialog box, and individually in their own Properties dialog boxes. To open the Countermeasures Properties dialog box, right-click the Countermeasures object and select Properties.

Word lists, address lists, and attachment lists, which are common to all policy managers, are configured in their respective dialog boxes. To access these dialog boxes, click Common Lists under the Countermeasures object and double-click an object in the right pane.

This section describes the global configuration options in the Countermeasures Properties dialog box and the common list configuration options in the List dialog boxes.

Notifications
A notification is an e-mail message that WorldSecure generates and sends when called for in a policy. Use this tab to specify:

- An administrator address for notifications sent to the administrator.
- A WorldSecure return address for notifications.
- The text to display in the Subject field of notifications.

Annotations
An annotation is text that is added to a message, either inline or as an attachment, when called for in a policy. Use this tab to specify:

- A name for WorldSecure as it will appear in annotations.
- Where in the body text to paste inline annotations.
- Characters or text to include before or after inline annotation text. For example, you might want to include the time, date, and server name, and a border to separate the annotation from message body.

Archives
Policies can be designed to archive messages. Use this tab to specify a format for message archives.

Peak Time
Policies can be designed to defer message delivery to off-peak hours. Use this tab to specify when e-mail traffic peaks in your organization. The default is 8:00 A.M. to 5:00 P.M., Monday through Friday. WorldSecure stores deferred messages in the Defer queue.

FTP Proxy
Some policy managers can automatically retrieve updated files from servers on the Internet using File Transfer Protocol (FTP). For example, Virus Manager can automatically retrieve the latest pattern file from Worldtalk. Complete this tab if you have a proxy server between your internal network and the Internet.

Word Lists
Word lists are lists of words, phrases, expressions, or strings that you use in your policies. The lists that you create are available in all policy wizards that detect specific words. Use this dialog box to create, modify, or delete word lists. To create a list, click Add and specify:

- A name for the list. Use a name that will help you to easily identify the contents of the list from within a policy wizard.
- Whether to create a new list or reference an external source file. External files must be formatted as one entry per line. Select Automatically update to always use the latest version of the file.
- The words, phrases, expressions, or strings in the list.
- Whether to use keyword weighting and assign a numerical value, or weight, to each expression in the list. You can then use cumulative keyword weight to specify when policies should be invoked.

Address Lists
Address lists are lists of e-mail addresses or domains that you commonly use in your policies. The lists that you create are available in all policy wizards that detect specific addresses or domains in message headers. Use this dialog box to create, modify, or delete address lists. To create a list, click Add and specify:

- A name for the list. Use a name that will help you to easily identify the contents of the list from within a policy wizard.
- Whether to create a new list or reference an external source file. External files must be formatted as one entry per line. Select Automatically update to always use the latest version of the file.
- The e-mail addresses or domains in the list.

Attachment Lists
Attachment lists are lists of file names, file types, or MIME types that you commonly use in your policies. The lists that you create are available in all policy wizards that detect specific attachments. Use this dialog box to create, modify, or delete attachment lists. To create a list, click Add and specify:

- A name for the list. Use a name that will help you to easily identify the contents of the list from within a policy wizard.
- Whether to create a new list or reference an external source file. External files must be formatted as one entry per line. Select Automatically update to always use the latest version of the file.
- The file names, file types, or MIME types in the list.

Mail Queues

Four mail queues are represented in the WorldSecure configuration window. The default path to the mail queues is C:\Program Files\Worldtalk\WorldSecure\MsgStore. Some queues serve as temporary repositories for messages in transit through the WorldSecure SMTP Relay; others serve as storage bins for messages that must be processed manually.

Quarantine
This queue contains messages that the policy engine sets aside for further analysis by the administrator. For example, you might have a policy that quarantines infected messages.

Retry
This queue contains messages that the SMTP Relay could not deliver. Messages are stored in this queue while WorldSecure attempts to deliver them according to the retry interval. The retry interval and message expiration are specified in the Routing tab in the SMTP Relay Properties dialog box.

Dead Letter
This queue contains messages that WorldSecure cannot deliver to its intended recipient and cannot return to the sender. Examples include messages trapped in a mail loop and messages that the SMTP Relay receives that it has already attempted to return to the sender.

Defer
This queue contains messages that the policy engine temporarily sets aside until off-peak hours. For example, you might have a policy that defers delivery of large messages to off-peak hours.

Filtering Messages in Queues

You can filter queued messages in two ways:

- Create a filter that affects which messages are displayed in one of the mail queues.
- Create a filter that affects which messages are displayed in a special folder beneath one of the mail queues. For example, you might want to create a folder beneath the Quarantine queue that displays only those messages quarantined in August.

To filter messages in a queue:

1. Right-click the queue object and select Edit Filter.
2. In the Message Filter wizard, specify which messages to display in the queue.

To filter messages in a new folder in a queue:

1. Right-click the queue object and select New Filter.
2. Type a name for the filter and click OK. A new icon appears beneath the queue object.
3. Right-click the new icon and select Edit Filter.
4. In the Message Filter wizard, specify which messages to display in the folder.

Note: When you create a policy that quarantines messages, you can specify tags with which to mark them in the Quarantine queue. You can then filter messages in the Quarantine queue based on their tags.

Managing Queues

The following are actions that you can perform in each queue:

- Threshold actions. Right-click a mail queue object and select Properties to specify actions to take when the queue reaches a specific size.
- Preview messages. Click a message to view its contents in the lower right pane.
- Act on messages. Double-click a message to:
  - View the message, message header, or reason that the message was placed in the queue.
  - Send the message.
  - Return the message to the sender.
  - Delete the message.
  - Annotate the message.
  - Save the message to disk.
  - Add, modify, or drop recipients.
- Batch process messages. Right-click a mail queue object, choose Select All, and then right-click the selected messages to choose any of the following commands:
  - Send, to send all of the messages.
  - Return to Sender, to return all the messages to their respective senders.
  - Annotate, to append new text to all of the messages.
  - Delete, to delete all of the messages.
- Sort messages. Use the headings in the message viewer to sort messages by sender, subject, or date.

Event Log

WorldSecure maintains a log file that stores information about its actions. To view the log entries, click Event Log in the WorldSecure configuration window.

Filtering Events in the Event Log

You can filter log events in two ways:

- Create a filter that affects which events are displayed in the Event Log.
- Create a filter that affects which events are displayed in a special folder beneath the Event Log. For example, you might want to create a folder that displays only error events.

To filter events in the Event Log:

1. Right-click the Event Log object and select Edit Filter.
2. In the Log Event Filter dialog box, specify which events to display in the Event Log.

To filter events in a new folder in the Event Log:

1. Right-click the Event Log object and select New Filter.
2. Type a name for the filter and click OK. A new icon appears beneath the Event Log object.
3. Right-click the new icon and select Edit Filter.
4. In the Log Event Filter dialog box, specify which events to display in the folder.

Note: When you create a policy that logs an event, you can assign the event a numerical ID between 300 and 399. You can then filter events in the Event Log based on their event IDs.

Managing the Event Log

The following are actions that you can perform in the Event Log:

- Configure event logging. Double-click the Event Log object, select the appropriate tab, and specify the type of event logging to perform and the number of days to store log files.
- Clear the Event Log. Right-click the Event Log object, and select Clear All Events.
- Sort events. Use the headings in the log viewer to sort the entries by type, date, time, category, component, or event ID.


4 The WorldSecure Directory

The WorldSecure Directory is a tool for creating, organizing, and maintaining your policies. With the directory, you can apply policies across your organization, to a specific domain, or to a specific end user. This chapter describes the objects in the WorldSecure Directory, how they are related, and how they are used to organize your policies.

How you organize your WorldSecure Directory determines the complexity of your policies, which in turn determines the complexity of your maintenance tasks. Worldtalk recommends that you identify the needs of your organization and then implement the simplest directory structure that will accommodate those needs.

Directory Objects

The WorldSecure Directory contains three types of objects: folders, domain records, and user records. Each object in the directory binds a user or group of users to a set of policies that you define.

Folders

The WorldSecure Directory stores policies and the individuals and groups to whom they apply in a hierarchical system of folders. Folders can contain domain records, user records, and other folders. The policies that you create in a folder apply to the objects in that folder; the only exception is when a policy is disabled at a particular object.

The WorldSecure setup program creates a single top-level folder in your directory called All, and two folders beneath it called Internal and External. The Internal folder is for users and domains within your organization. The External folder is for users and domains outside your organization. You can use this directory structure or create your own.

Domain Records

A directory domain record represents a specific e-mail domain and its subdomains. Domain records have the following essential functions:

- To inherit the policies in the parent folder (unless you disable those policies in the domain record) and apply those policies to all users in that domain who do not have a user record in the WorldSecure Directory.
- To store additional policies that are specific to a particular domain and apply those policies to all users in that domain who do not have a user record in the WorldSecure Directory.
- To store and manage the information required to set up and maintain a Virtual Private Network (VPN) with a specific domain. See "Configuring a Virtual Private Network" on page 60 for more information.

Domain records make it easy to create a broad set of policies to be applied to everyone in a specific domain. You might find it useful to create a domain record for each of your internal domains, and for each domain outside your organization with which you exchange mail on a regular basis.

If you have a user in a specific domain who requires a set of policies distinct from those in the domain record, create a user record for that user. See "User Records" on page 49.

Note: User records do not inherit policies from domain records.

The WorldSecure setup program creates a domain record for your primary e-mail domain and places the domain record in the Internal folder. You can delete it or move it to another folder.

Note: Domain records in the WorldSecure Directory should not be confused with e-mail domain records, which are used to route mail. See "Mail Domain Records" on page 29.

The Wildcard Domain Record

The wildcard domain record represents all e-mail domains that do not have a domain record in your WorldSecure Directory. Typically, it represents all unknown e-mail domains outside your organization. For example, if you receive mail from ads.com and you do not have a domain record in place for ads.com, the policies in your wildcard domain record determine how WorldSecure processes that mail. If you do not have a wildcard domain record in place, mail from ads.com is not subjected to any mail policies.

The wildcard domain record has the following essential functions:

- To inherit the policies in the parent folder (unless you disable those policies in the wildcard domain record) and apply those policies to all users in unknown domains.
- To store additional policies that are specific to unknown domains and apply those policies to all users in those domains.

The WorldSecure setup program creates a wildcard domain record for you and places it in the External folder. You can delete it or move it to another folder.

User Records

A user record represents a specific individual in your organization who requires his or her own distinct set of policies. For example, a CEO might have unique security needs, and would therefore require a user record to specify the necessary Security Manager policies. User records have the following essential functions:

- To inherit the policies in the parent folder (unless you disable those policies in the user record) and apply those policies to the user whom the user record represents.
- To store additional policies that are specific to a particular user and apply those policies to mail to or from that user.
- To store and manage the information required to set up and maintain proxy security for a specific user. See "Configuring Proxy Security" on page 71 for more information.
- To store and manage user aliases.

Note: User records do not inherit policies from domain records.

User records are helpful for users whose needs are different from the norm. For example, if you have a group of users who share a common set of policies but do not share a common e-mail domain, you can create a folder for them, set policies in that folder, and then create a user record within the folder for each person in the group.

A user record is essential for a person who is not part of a VPN but to whom you plan to send signed or encrypted mail. You must associate the user's S/MIME certificate with his or her user record.

In most cases, user records should be used sparingly. Because a domain record represents all users in a domain, you can avoid unnecessary maintenance by structuring your directory and policies around specific domains rather than specific users.

Creating Directory Objects

To create a folder, domain record, or user record:

1. Right-click the directory object under which you want to create the new object, and select New. For example, to create an object in the All folder, right-click the All folder and select New. The Add Directory Entry wizard appears.
2. Select the type of directory object that you want to create and click Next.
3. Enter the requested information.
4. Click Finish.

Simple Directory Model

One efficient way to structure your directory is to create a set of global policies for all users, and then create a set of policies for users within your organization and another set of policies for users outside your organization. The WorldSecure setup program creates this directory structure by default. You can use this structure as follows:

1. The folder named All should contain the policies to apply to all mail flowing in or out of your organization.
2. The folder named External should contain the policies to apply to users in external organizations; a domain record for each external domain with which you regularly exchange mail; and the wildcard domain record, which represents all e-mail domains that are unknown to your organization.
3. The folder named Internal should contain the policies to apply to users within your organization, and a domain record for each of your internal domains.
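The inheritance rules in this chapter (folders pass policies down, user records skip domain records, the wildcard record catches unknown domains, and no record means no policy) are easy to misread, so the following added example resolves the effective policies for an address in the default All/Internal/External structure. It is an illustration, not WorldSecure code: the class names and most policy names are constructed, choosing the longest matching domain record is an assumption, and ignoring an attempt to disable a policy that is not marked as overridable is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Policy:
    name: str
    overridable: bool = True  # may objects that inherit this policy disable it?


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    policies: List[Policy] = field(default_factory=list)

    def inherited(self):
        """Policies of this folder and every folder above it, root first."""
        above = self.parent.inherited() if self.parent else []
        return above + self.policies


@dataclass
class Record:
    kind: str    # "user", "domain" or "wildcard"
    key: str     # e-mail address, domain name, or "*" for the wildcard
    folder: Folder
    policies: List[Policy] = field(default_factory=list)
    disabled: Set[str] = field(default_factory=set)

    def effective(self):
        """Folder-chain policies minus those disabled here, plus this record's own."""
        kept = [p for p in self.folder.inherited()
                if not (p.overridable and p.name in self.disabled)]
        return [p.name for p in kept + self.policies]


class Directory:
    def __init__(self, records):
        self.records = list(records)

    def find_record(self, address):
        """User record first, then domain record, then wildcard, else None."""
        address = address.lower()
        domain = address.rpartition("@")[2]
        users = [r for r in self.records
                 if r.kind == "user" and r.key.lower() == address]
        if users:
            return users[0]
        domains = [r for r in self.records if r.kind == "domain"
                   and (domain == r.key.lower() or domain.endswith("." + r.key.lower()))]
        if domains:
            return max(domains, key=lambda r: len(r.key))  # assumption: longest match
        wildcards = [r for r in self.records if r.kind == "wildcard"]
        return wildcards[0] if wildcards else None

    def effective_policies(self, address):
        record = self.find_record(address)
        # With no matching record and no wildcard, no policy applies at all.
        return record.effective() if record else []


def build_sample_directory(with_wildcard=True):
    """Default folder layout with constructed policies and records."""
    all_ = Folder("All", policies=[Policy("Junk mail filter")])
    internal = Folder("Internal", parent=all_, policies=[
        Policy("Infected Message", overridable=False),
        Policy("Defer large messages"),
    ])
    external = Folder("External", parent=all_,
                      policies=[Policy("Quarantine executables")])
    records = [
        Record("domain", "deming.com", internal,
               policies=[Policy("Sign outbound mail")]),
        Record("user", "ceo@deming.com", internal,
               policies=[Policy("Encrypt outbound mail")],
               disabled={"Defer large messages", "Infected Message"}),
    ]
    if with_wildcard:
        records.append(Record("wildcard", "*", external))
    return Directory(records)


if __name__ == "__main__":
    directory = build_sample_directory()
    for addr in ("alice@deming.com", "ceo@deming.com", "someone@ads.com"):
        print(addr, "->", directory.effective_policies(addr))
```

Running the same lookup against a directory built without the wildcard record returns an empty list for someone@ads.com, which is the unfiltered case the wildcard section describes.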

Viewing Policies

The policies in place for a particular directory object can be viewed in the Policies tab of that object's Properties dialog box. For example, to view the Infected Message policies that are created by default in the Internal folder (if selected in the WorldSecure configuration wizard):

1. Right-click the Internal folder and select Properties.
2. Click the Policies tab. There are two Infected Message policies: one for recipients and one for senders.
3. Select the sender policy in the list.
4. Read the policy in the lower pane. The policy instructs WorldSecure to scan all mail for viruses. If it detects a virus, it quarantines the message and sends notifications to the administrator and the sender.

Creating Policies Creating Policies Policies are created with policy wizards. They are created in the directory object to which you want the policy to apply. For example, to create a policy in the Internal folder: 1 Right-click the Internal folder and select Properties. 2 Click the Policies tab. 3 Click Add to open the Add Policy dialog box. 4 Specify the policy type. 1 Select a policy manager. 2 Select a policy. 3 Click OK. 53

5 Define the policy.
   1 Type a name for the policy.
   This option turns the policy off and on.
   This option specifies whether directory objects that inherit this policy can disable or enable the policy.
   2 Specify whether this policy applies to messages sent to or from these users.
   Read the policy in this pane.
   3 Click Next to continue.
6 Specify the conditions under which this policy will be invoked.
   1 Select the conditions.
   2 Click the red underlined text to set the criteria for each condition.
   3 Click Next to continue.

7 Specify the exceptions to the conditions under which this policy will be invoked.
   1 Select the exceptions to the conditions.
   2 Click the red underlined text to set the criteria for each exception.
   3 Click Next to continue.
8 Specify the actions that this policy will perform.
   1 Select all of the actions that this policy will perform.
   2 Click the red underlined text to specify the details of an action.
   3 Click Next to continue.

9 Review and implement the policy.
   1 Read the policy. Click the blue underlined text to change it.
   2 Click Back to modify the policy if necessary. Click Finish to implement the policy.

Note: Most policy wizards use the basic design shown in this example, but the screens and options available in each policy wizard can vary. For more information about a particular policy wizard, click Help in any of its screens.

Chapter 5 Security Manager

Security Manager encrypts, decrypts, digitally signs, and verifies the messages that your users send and receive over the Internet. Security Manager also enforces many policies. This chapter briefly describes Security Manager, the integration of security into your mail, and the policies that help you to automate and enforce that integration.

This chapter assumes a general familiarity with private keys, public key certificates, and digital signatures. If you are not familiar with those terms or want to read more about S/MIME, refer to the WorldSecure/Mail Help.

Security Manager Overview

Security Manager simplifies and centralizes mail security by allowing you to secure all mail that flows between your organization and designated users or domains. Security Manager uses the S/MIME Internet security standard and helps you to establish and maintain:

• Virtual Private Networks (VPNs), or site-to-site security between the local WorldSecure server and remote WorldSecure servers. In other words, all mail that flows between your WorldSecure server and another WorldSecure server on the Internet is automatically encrypted, decrypted, signed, and verified.
• Proxy security, or site-to-site security between the local WorldSecure and a remote recipient with an S/MIME client. In other words, all mail that flows between your WorldSecure server and a particular recipient is automatically encrypted, decrypted, signed, and verified.
• Policies to ensure that:
   • The administrator has access to the original text of an encrypted message (Plaintext Access policy).
   • Encrypted or signed messages cannot be modified by policy managers unless specified with an Allow Security Stripping policy.
   • Messages are secured based on their content and other properties (Unencrypted Message Filter policy and Client Encryption and Signature policy).

Security Manager helps you to create and maintain a secure pipeline across the Internet through which messages can flow between your organization and another, or between your organization and an individual. You control the contents of that pipeline with your policies.

Key Pairs and Certificates

Before you can encrypt and digitally sign messages to another person, or decrypt and verify messages from another person, you each need to generate a unique key pair. A key pair consists of a private key that you keep secret and use to decrypt inbound messages and sign outbound messages, and a public key that you publish to the world so that others can encrypt messages for you and verify your signature. You can generate key pairs (and corresponding certificates) with WorldSecure.

You must exchange public keys with your correspondents before you can exchange encrypted mail. In most cases, public keys are contained in certificates, digitally signed by a certificate authority. The certificate ensures that the public key is safe and belongs to the person to whom you think it does. A certificate is only as good as the criteria required by the certificate authority to issue it; it is up to you to validate a correspondent's certificate and determine whether or not you trust it.

For detailed information about encryption, key pairs, and certificates, see the WorldSecure/Mail Help.

Configuring a Virtual Private Network

A Virtual Private Network (VPN) is a secure server-to-server messaging link established with another Internet mail domain that uses WorldSecure. Figure 5-1 illustrates a VPN.

[Figure 5-1: A Virtual Private Network. Labels: Internet, WorldSecure Server, WorldSecure Server, E-Mail Client, E-Mail Client]

This section describes how to set up a VPN with a fictional remote domain called medio.com. Most of these steps must be completed at both your WorldSecure server and the remote WorldSecure server.

1 Open the Security Manager Properties dialog box.
   1 Expand the tree under the Local Server object.
   2 Under Countermeasures, right-click Security Manager and select Properties.

2 Generate a key pair and certificate for WorldSecure.
   1 Click Manage S/MIME Keys... to open the Security Settings dialog box.
   2 Click Generate and follow the directions in the Key Generation wizard.
   3 Click OK when the key pair is shown in the list.

3 Configure VPN link handling settings.
   1 Click Settings.
   2 Verify that the Autorespond... checkbox is selected.
   3 Customize the VPN link request response message text if desired. For example, add your
   4 Verify that the Forward... checkbox is
   5 Type the mail address to which notifications of VPN link requests and responses will be sent.
   6 Customize the outgoing VPN link request message if desired.
4 Request a VPN link with the remote WorldSecure server. Before you can exchange secure mail with medio.com, you must exchange certificates. A VPN link request helps you to automate this process.

   1 Click the VPN Links tab.
   2 Click Request VPN Link to open the Submit VPN Link Request dialog box.
   3 Type the fully qualified mail domain of the remote WorldSecure server.
   4 Click Submit. WorldSecure sends a digitally signed message that includes its certificate to the remote WorldSecure. The remote WorldSecure imports the certificate into its Certificate

5 Check for the VPN link response. If the remote WorldSecure server is configured to respond automatically to VPN link requests, you will soon receive a digitally signed VPN link response. The timing depends on your Internet mail connectivity and whether the remote server is active. Because you configured WorldSecure to forward a copy of VPN link requests and responses, you will also receive a mail message when the response is received by the local WorldSecure server.
   1 Click Refresh to update the Pending VPN Links list. The list is not updated automatically.
   2 Locate the request or response in the Pending VPN Links area.

Note: If the request or response does not appear in the Pending VPN Links area, close the Security Manager Properties dialog box and check again after you receive

6 Accept the VPN Link response.
   1 Click the VPN Links tab.
   2 Select the response to accept.
   3 Click Accept... to open the Pending Link dialog box.

7 Trust the remote server's certificate. After you click Accept in the Pending VPN Links list, the Pending Link dialog box appears. The Accept button in this dialog box is not available until you trust the certificate.
   1 Click Details... to open the Trust Information dialog
   2 Select explicitly trusted from the Trust Status menu.
   3 Click Update to apply the new trust status.

   4 Click Accept to accept the VPN response.

After you click Accept, WorldSecure displays a message indicating that the link is configured. WorldSecure automatically creates a domain record for the remote WorldSecure server in the External folder of the WorldSecure Directory. In addition, WorldSecure associates the remote server's certificate with the newly created domain record.

8 Set security for the domain.
   1 Expand the Directory under the Local Server object and click the External folder.
   2 Right-click the Domain Record icon and select Properties.
   3 Click the Domain Security tab.
   4 Select this to ensure that mail sent from this domain is signed and encrypted. Worldtalk recommends waiting 24 hours before selecting this, to allow for receipt of unencrypted messages sent before the VPN was established.
   5 Modify the encryption algorithm, if necessary. The domestic version of WorldSecure sets this to 112-bit Triple-DES by default. If your VPN partner is using the Worldwide version of WorldSecure, select 56-bit DES. If your VPN partner is using the Strong Worldwide version, select 128-bit RC2.

9 Disallow external-to-external mail routing. On the Internet, any user can access any SMTP mail server and use it to send mail. With a VPN, however, all mail from the local WorldSecure server to a remote WorldSecure server is automatically signed and encrypted. If you want to make sure that only trusted internal users send mail to the remote WorldSecure server, you must make sure that no one from an external source can use WorldSecure as a relay host.
   1 Under Content Sources, double-click SMTP Relay.
   2 In the General tab, deselect Allow external to external mail routing.
   3 Click the Domains tab.
   4 Configure the internal mail domains. When external-to-external mail routing is disallowed, you must specify your internal mail domains. Otherwise, WorldSecure will consider them to be external and reject mail addressed to them from external hosts. See Mail Domain Records on page 29.
   5 Click the Hosts tab.
   6 Configure the internal hosts. When external-to-external mail routing is disallowed, you must specify your internal hosts. Otherwise, WorldSecure will consider them to be external and block mail sent from them to external domains. See Host Records on page 31.
   7 Click the Routing tab.
   8 Click Advanced.
   9 Configure external-to-external mail
   10 Click OK.
   11 Make sure that no host in your organization is automatically forwarding external mail to WorldSecure.

VPN Policies

Security Manager has policies that specify what to do when WorldSecure encounters certain security problems in VPN correspondence. To view or modify these policies, click the VPN Policies tab in the Security Manager Properties dialog box.

Non-VPN Message Received from a VPN Domain (inbound)
This policy specifies what action to take if WorldSecure receives a nonsecure message from a domain with which you have established a VPN and selected Require VPN for messages sent from this domain in the Domain Security tab (see page 68). For example, suppose Jacob's business e-mail address originates from a VPN domain. Suppose he sends you a message from his home computer, but specifies his business address as the return address on the message. When the message arrives, it will appear to be a nonsecure message from a VPN domain.

Imperfect VPN Message Received (inbound)
This policy specifies what action to take if Security Manager cannot decrypt or verify a message from a domain with which you have established a VPN. For example, a message corrupted or compromised during transport is considered to be imperfect.

Unable to Encrypt and Sign Message to a VPN Domain (outbound)
This policy specifies what action to take if Security Manager cannot encrypt or sign an outbound message to a VPN domain. For example, you might have forgotten to associate a certificate with the VPN domain in the WorldSecure Directory.

Note: For information about other Security Manager policies, see Security Manager Policies on page 84.

Configuring Proxy Security

WorldSecure provides proxy security to users in your organization by encrypting, decrypting, signing, and verifying the mail that they exchange with S/MIME client users. Figure 5-2 illustrates proxy security.

[Figure 5-2: Proxy Security. Labels: Internet, WorldSecure Server, S/MIME E-Mail Client, E-Mail Client]

Receiving Encrypted Mail by Proxy

A user behind WorldSecure does not need to generate a key pair to receive encrypted messages. When a remote correspondent requests a WorldSecure user's certificate, WorldSecure responds to the request by sending a signed message to the correspondent that includes the WorldSecure certificate. The sender then associates the WorldSecure certificate with the local user and uses it to encrypt mail for the local user. When WorldSecure receives the encrypted message, it decrypts the message using its private key, passes the plaintext message to the various policy managers for processing, annotates the plaintext message to say it was encrypted, and sends the plaintext message to the recipient.

To be compatible with S/MIME clients that cannot associate a server certificate with a user, WorldSecure also creates proxy certificates. Proxy certificates are based on the WorldSecure certificate but include the user's mail address instead of the WorldSecure server mail address. Messages encrypted with a proxy certificate can still be decrypted by WorldSecure.

Sending Encrypted Mail by Proxy

A user behind WorldSecure does not need to manage correspondents' certificates in order to send encrypted messages. Instead, the certificates are stored in the WorldSecure Directory. When a local user sends an encrypted message to a recipient, WorldSecure checks the recipient's user record for a certificate. If the recipient's certificate is associated with his or her user record, WorldSecure encrypts the message for the recipient using that certificate. If WorldSecure does not find a certificate for the recipient, your policies dictate what action to take.

Configuring Proxy Security

This section describes one way to set up proxy security between a local user named John Snyder (jsnyder@platte.com) and a remote S/MIME client user named Susan Allen (susan.allen@demo.com). After these steps are complete and Susan adds John's certificate to her S/MIME database and associates his mail address with that certificate, Susan and John can exchange secure mail.

1 Open the Security Manager Properties dialog box.
   1 Expand the tree under the WorldSecure object.
   2 Under Countermeasures, double-click Security Manager.

2 Generate a key pair and certificate for WorldSecure.
   1 Click Manage S/MIME Keys... to open the Security Settings dialog box.
   2 Click Generate and follow the directions in the Key Generation wizard. When prompted in the wizard, select Export Root Key to save the WorldSecure certificate as a .crt file. The .crt file can be provided to remote users as a root key so that they can trust the WorldSecure
   3 Click OK when the key pair is shown in the list.

3 Configure WorldSecure to use the new certificate as the proxy signing certificate.
   1 Select Details to display the Secure Domain Details dialog box.
   2 Select the certificate you generated for WorldSecure.

4 Enable proxy certificate usage. Proxy certificates bind the public key of the WorldSecure server to the e-mail addresses of specific WorldSecure users. Because some S/MIME clients require that the mail address in a certificate exactly match the mail address with which the certificate is associated, Worldtalk recommends using proxy certificates to represent users.
   1 Click the Proxy Certificates tab.
   2 Select this option to enable WorldSecure to create proxy certificates as
5 Enable Certificate Responder. The WorldSecure Certificate Responder automatically locates and sends proxy certificates when requested. If a proxy certificate does not exist, WorldSecure creates one.
   1 Click the Certificate
   2 Select this option to enable WorldSecure to automatically respond to certificate requests. The response is a digitally signed

6 Create a Client Encryption and Signature policy that adds the administrator as a carbon-copy (cc:) recipient to all inbound messages that are digitally signed and addressed to cert-query@*. The cc'd message signals the administrator to:
   • Establish trust of the incoming certificate (imported from the digitally signed message).
   • Create a user record in the WorldSecure Directory to associate with the incoming certificate.

   For example, you might create a policy in the External folder that is worded like this:

   Policy example
      For all messages sent from this user
      that are signed
      and sent to cert-query@*
      process normally
      and add the recipient CC: admin@platte.com

   See Creating Policies on page 53 for more information.

7 Create a Proxy Decrypt and Verify policy in the Internal folder. This is required for WorldSecure to verify the signatures on certificate queries from external S/MIME clients. For example, you might create a policy in the Internal folder that is worded like this:

   Policy example
      For all messages sent to this user
      attempt to decrypt and verify the message
      If successful, annotate the message with its security properties
      if unsuccessful, quarantine the message with the tag: proxy decrypt
      and send the notification Proxy Decryption Failed to this recipient
      and send the notification Proxy Decryption Failed to the mail administrator

   See Creating Policies on page 53 for more information.

8 Make the WorldSecure root key available. To trust a proxy certificate, an S/MIME client must contain the root key that issued the proxy certificate. The WorldSecure certificate that issues a proxy certificate acts as its root key. To provide the WorldSecure certificate as a root key:

   1 Save the WorldSecure certificate as a .crt file. You should already have saved the .crt file in Key Generation wizard by selecting Export Root Key when prompted. If not, open the Certificate Manager (see step 10), select the WorldSecure certificate, and click Export.
   2 Publish the .crt file on your Web site.
   3 Create an Access Management/Mail policy that sends a notification to the sender of any inbound message addressed to cert-query@*. The notification should include the URL and instructions for obtaining the root key. For example, you might create a policy in the External folder that is worded like this:

   Policy example
      For all messages sent from this user
      sent to cert-query@*
      process normally
      and send the notification WorldSecure Root Key to the sender

   See Creating Policies on page 53 for more information.

9 Exchange certificates. WorldSecure is now ready to receive and respond to a certificate query from Susan. Susan must send WorldSecure a digitally signed message in the following format:

      From: susan.allen@demo.com
      To: CERT-QUERY@platte.com
      Subject: jsnyder@platte.com

   Note that the Subject field specifies John's fully qualified mail address. When WorldSecure receives the message, it automatically imports Susan's certificate from the digitally signed message and sends a digitally signed response to Susan that includes a proxy certificate for John Snyder. In addition, the message from Susan invokes the policy that you created in step 8, and WorldSecure sends her the notification about how to obtain the WorldSecure root key. After she imports the root key, her client will trust John's proxy certificate.

   If there is no Proxy Decrypt and Verify policy in place for the internal user, Susan will receive a message similar to the following instead of a digitally signed message:

      No user was found matching the address provided: jsnyder@platte.com

   To correct the problem, create a Proxy Decrypt and Verify policy in the Internal folder as described in step 7 on page 76 and ask Susan to send another certificate query.

10 Verify the authenticity of Susan's certificate. After you receive Susan's certificate, you must establish trust of that certificate. Contact Susan by phone or in person to verify the certificate fingerprint.
   1 Click the General
   2 Click Manage Certificates... to view the Certificate Manager.
   3 Select the certificate to be verified.
   4 Compare this fingerprint with the fingerprint that Susan reports. If the fingerprints do not match, remove this certificate and have Susan send it again.
   5 Click Close to exit the Certificate Manager, and then click OK to exit the Security Manager Properties dialog box.

11 Create a user record for Susan in your WorldSecure Directory.
   1 Right-click the External folder in your WorldSecure Directory and select New.
   2 In the Add Directory Entry Wizard, create a user record as follows:
      • Type Susan's name in the fields provided.
      • Type susan.allen@demo.com in the E-Mail Address field.
      • Type Susan Allen in the Display Name field.
12 Associate Susan's certificate with her user record.
   1 Double-click Susan's user record to open the User Properties dialog box.
   2 Click the User Security tab and do the following:
      • Click Attach New... to associate Susan's certificate with her user record.
      • Select an algorithm to use when encrypting mail to Susan. Use the strongest algorithm
      • Select the digital signature format that Susan's client supports. This format is used only for

13 Create a Proxy Encrypt and/or Sign policy in Susan's user record. This policy will automatically encrypt and sign all mail sent to Susan from your organization.
   1 In Susan's user record Properties dialog box, click the Policies tab.
   2 Click Add to open the Add Policy dialog box.
   3 Select Security Manager on the left, select Proxy Encrypt and/or Sign (Recipient) on the right, and click OK.
   4 Complete the policy wizard. For example, you might create a policy that is worded like this:

   Policy example
      For all messages sent to this user
      attempt to encrypt and/or sign the message
      if unsuccessful, quarantine the message with the tag: proxy encrypt
      and send the notification Proxy Encryption Failed to the sender
      and send the notification Proxy Encryption Failed to the mail administrator

   Click Help or see Creating Policies on page 53 for information.

14 Create a Proxy Decrypt and Verify policy in John's user record.
   1 Double-click John's user record and click the Policies tab.
   2 Click Add to open the Add Policy dialog box.
   3 Select Security Manager on the left, select Proxy Decrypt and Verify (Recipient) on the right, and click OK.
   4 Complete the policy wizard. For example, you might create a policy that is worded like this:

   Policy example
      For all messages sent to this user
      attempt to decrypt and verify the message
      if successful, annotate the message with its security properties
      if unsuccessful, quarantine the message with the tag: proxy decrypt
      and send the notification Proxy Decryption Failed to this recipient
      and send the notification Proxy Decryption Failed to the mail administrator

   Click Help or see Creating Policies on page 53 for information.

Note: If multiple users in your organization will receive secure mail, create a folder for their user records, add their records to the folder, and create the Proxy Decrypt and Verify policy in that folder. Remote correspondents must send a separate cert-query message for each user with whom they want to exchange secure mail.

15 Disallow external to external mail routing. On the Internet, any user can access any SMTP mail server and use it to send mail. Under ordinary circumstances, you may not care who uses your mail server to relay mail. In the case of proxy security, however, all mail from the local WorldSecure to a remote secure user is signed and encrypted. Thus, if you want to make sure that only trusted internal users send mail to the remote secure user, you must make sure that no one from an external source can use WorldSecure as a relay host.
   1 Under Content Sources, double-click SMTP Relay. The SMTP Relay Properties dialog box appears.
   2 In the General tab, deselect Allow external to external mail routing.
   3 Click the Domains tab and specify your internal e-mail domains. When external-to-external mail routing is disallowed, you must specify your internal mail domains. Otherwise, WorldSecure will consider them to be external and reject mail addressed to them from external hosts. See Mail Domain Records on page 29.
   4 Click the Hosts tab and specify your internal hosts. When external-to-external mail routing is disallowed, you must specify your internal hosts. Otherwise, WorldSecure will consider them to be external and block mail sent from them to external domains. See Host Records on page 31.
   5 Click the Routing tab and click Advanced to specify what to do with external-to-external mail.
   6 Click OK to save your changes and exit the SMTP Relay Properties dialog box.
   7 Make sure that no host in your organization is automatically forwarding external mail to WorldSecure.
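The relay decision configured in step 15 (and in step 9 of the VPN procedure), as an added Python sketch; it is not WorldSecure code. The class, its field names, the CIDR form of the host records and the sample addresses are assumptions made for illustration. It also reproduces the two misconfigurations the steps warn about: internal domains or internal hosts left unspecified.

```python
import ipaddress


class RelayConfig:
    """Model of the SMTP Relay settings named in the step (field names are hypothetical)."""

    def __init__(self, internal_domains, internal_hosts, allow_external_to_external):
        self.internal_domains = {d.lower() for d in internal_domains}
        self.internal_hosts = [ipaddress.ip_network(h) for h in internal_hosts]
        self.allow_external_to_external = allow_external_to_external

    def source(self, client_ip):
        # Classified by the connecting host, never by the sender address,
        # because any client can put any address in the envelope.
        ip = ipaddress.ip_address(client_ip)
        return "internal" if any(ip in net for net in self.internal_hosts) else "external"

    def destination(self, recipient):
        domain = recipient.rpartition("@")[2].lower()
        return "internal" if domain in self.internal_domains else "external"

    def decide(self, client_ip, recipient):
        src, dst = self.source(client_ip), self.destination(recipient)
        if src == dst == "external" and not self.allow_external_to_external:
            return (src, dst, "reject")
        return (src, dst, "accept")


# Constructed sample traffic: (connecting host, recipient).
INSIDE_HOST, OUTSIDE_HOST = "10.1.4.20", "203.0.113.25"
TRAFFIC = [
    (OUTSIDE_HOST, "susan.allen@demo.com"),  # outside host relaying to the remote secure user
    (INSIDE_HOST, "susan.allen@demo.com"),   # internal mail host sending out
    (OUTSIDE_HOST, "jsnyder@platte.com"),    # ordinary inbound mail
]

CONFIGS = {
    "relay open": RelayConfig(["platte.com"], ["10.1.0.0/16"], True),
    "relay closed": RelayConfig(["platte.com"], ["10.1.0.0/16"], False),
    "closed, no internal domains": RelayConfig([], ["10.1.0.0/16"], False),
    "closed, no internal hosts": RelayConfig(["platte.com"], [], False),
}


def verdicts(config):
    """Accept/reject outcome for each entry of TRAFFIC, in order."""
    return [config.decide(ip, rcpt)[2] for ip, rcpt in TRAFFIC]


if __name__ == "__main__":
    for name, config in CONFIGS.items():
        print(f"{name:28} {verdicts(config)}")
```

With the relay closed and both record sets filled in, only the outside-to-outside message is rejected; leaving either record set empty also rejects legitimate inbound or outbound mail.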
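Steps 9 and 10 of the procedure above as an added Python sketch (not WorldSecure code): triage of an inbound cert-query message, then comparison of a certificate fingerprint with the value the correspondent reports. The function names, outcome labels, the structural signature check and the SHA-256 digest are assumptions; compare using whichever digest both parties' software displays.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local settings (hypothetical, mirroring the page's example names).
LOCAL_DOMAINS = {"platte.com"}
USERS_WITH_VERIFY_POLICY = {"jsnyder@platte.com"}  # covered by the step 7 policy
ADDRESS_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9-]+\.)+[a-z]{2,}$")
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def looks_signed(msg):
    """Structural check only: the MIME type claims S/MIME signing. Nothing is verified."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type", "")).lower() == "signed-data"
    return False


def handle_cert_query(raw):
    """Step 9: classify one inbound message as (outcome, detail)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    local_part, _, domain = rcpt.rpartition("@")
    if local_part != "cert-query" or domain not in LOCAL_DOMAINS:
        return ("not-a-query", rcpt)
    if not looks_signed(msg):
        return ("unsigned-query", sender)
    requested = (msg.get("Subject") or "").strip().lower()
    if not ADDRESS_RE.match(requested):
        return ("bad-subject", requested)
    if requested not in USERS_WITH_VERIFY_POLICY:
        return ("no-user", "No user was found matching the address provided: " + requested)
    return ("send-proxy-certificate", requested)


def fingerprint(cert_bytes, algorithm="sha256"):
    """Hex digest of the certificate's DER encoding; PEM input is decoded first."""
    pem = PEM_RE.search(cert_bytes)
    der = base64.b64decode(b"".join(pem.group(1).split())) if pem else cert_bytes
    return hashlib.new(algorithm, der).hexdigest()


def fingerprints_match(cert_bytes, reported, algorithm="sha256"):
    """Step 10: compare against the value read out by phone or in person."""
    expected = fingerprint(cert_bytes, algorithm)
    got = re.sub(r"[\s:.-]", "", reported).lower()  # drop separators, ignore case
    if len(got) != len(expected):
        return False  # a truncated or padded value never counts as a match
    return expected == got


def sample_message(subject, to="CERT-QUERY@platte.com", signed=True):
    """Constructed test input; the signature part is a placeholder, not real PKCS #7."""
    head = f"From: susan.allen@demo.com\nTo: {to}\nSubject: {subject}\nMIME-Version: 1.0\n"
    if not signed:
        return head + "Content-Type: text/plain\n\nplease send the certificate\n"
    return head + (
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
        ' micalg=sha1; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\ncertificate request\n"
        "--b1\nContent-Type: application/pkcs7-signature\n\nAAAA\n--b1--\n"
    )


# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(handle_cert_query(sample_message("jsnyder@platte.com")))
    print(handle_cert_query(sample_message("jsnyder@platte.com", signed=False)))
    fp = fingerprint(SAMPLE_PEM)
    print(fingerprints_match(SAMPLE_DER, fp.upper()), fingerprints_match(SAMPLE_DER, fp[:16]))
```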

Security Manager Policies

This section describes additional policies in Security Manager.

Plaintext Access

An encrypted message is called ciphertext; the original message is called plaintext. Ciphertext produced using a particular public key can only be deciphered into plaintext using the corresponding private key. If WorldSecure receives an encrypted message that requires a private key that it cannot access (for example, an individual user's private key) then it cannot decrypt the message and none of the policy managers can apply the policies in the WorldSecure Directory.

The solution is for all encrypted messages to be encrypted for WorldSecure in addition to other message recipients. This is called providing plaintext access. When WorldSecure receives the message, it decrypts the message using its private key and passes a plaintext version of the message to the other policy managers. In the end, the intended recipient receives an encrypted message that he or she must decrypt using his or her private key. Figure 5-3 illustrates the disposition of a message when the sender provides plaintext access.

[Figure 5-3: Plaintext Access. Labels: Internet; WorldSecure Server (unlocked with WorldSecure Server's private key); S/MIME E-Mail Client (locked with public keys of recipient and WorldSecure Server); S/MIME E-Mail Client (unlocked with recipient's private key)]

One way to ensure that senders provide plaintext access is to create a Plaintext Access policy. This policy is invoked by messages that are encrypted, but not for WorldSecure. With this policy, you can send a digitally signed notification to the sender of the message, describing your policy and providing the WorldSecure certificate so that future messages can be encrypted for WorldSecure.

To configure the plaintext access notification:

1 Open the Security Manager Properties dialog box.
   1 Expand the tree under the WorldSecure object.
   2 Under Countermeasures, double-click Security Manager.
2 Complete the Plaintext Access tab.
   1 Click the Plaintext Access tab.
   2 Type the text of the notification that WorldSecure will send to senders that invoke your Plaintext Access policy.
   3 Type the address that you want senders to use when including WorldSecure as a recipient on encrypted messages. This address should have a false mailbox but a valid WorldSecure
   4 Click OK.

Note: Messages encrypted with the WorldSecure certificate or a proxy certificate automatically provide plaintext access.