GateWall Mail Security 2.x
Administrator Manual
www.gatewall.com
Content
Introduction
System Requirements
GateWall Mail Security Installation and Removal
GateWall Mail Security Registration
Licensing Policy
Email Accounts Licensing
Methods of Data Loss Protection
Spam Filtering Methods
GateWall Mail Security Quick Setup
GateWall Mail Security Server Structure
  Monitoring Agent (CSETray)
  Coordinator (CSERouter)
  SMTP Client (CSESmtp)
  Message Processing Coordinator (CSETosser)
  Message Processor (CSEProcessor)
  Message Delivery Manager (CSEDM)
  Statistics Module (CSEStat)
  IMAP Client (CSEImapC)
  POP3-client (CSEPop3C)
  Mail archiver (CSESync)
  Scheduler (CSECron)
  Web Server (CSEHTTP)
  Web Server API (CSESrvCtrl)
Message Processing
  Connection Filtering
  Sender Filtering
  Recipient Filtering
  Content Filtering
  Mail queue
GateWall Mail Security Administrator Console
  License
  Supported Addresses
  Key Settings
  Services
  Virtual SMTP Server
    Settings
    Routes
  Data Loss Protection
    Key Settings
    General Information on Rule Settings
    Regular Expressions
    Document Comparison
    Lemmatizer
    Message Queue
  Antispam
    Key Settings
    SPF Settings
    DNSBL Settings
    Greylisting
    SURBL Settings
    Cloud Antispam
    Black and White Lists
    Backscatter
    Bayesian Filter
  Antiviruses
  Message Processing Rules
  Message Backup
  Autoreply
  Mail Downloaders
  Monitoring
    Message Log
    Event Log
  IMAP Integration
    IMAP Synchronization in MS Exchange
    IMAP Synchronization in IBM Lotus Notes
Getting support
Introduction
GateWall Mail Security is a full-fledged mail gateway solution with integrated spam
filtering and antivirus tools. It also includes a data loss protection system that
prevents leaks of confidential information and penetration of unwanted external
information. Apart from filtering, GateWall Mail Security features message backup,
rules-based message processing and automatic reply.
The product has a modular structure, which makes the system more failsafe and
allows running the server on a distributed system. GateWall Mail Security supports
the leading spam filtering methods, including Cloud Antispam and a Bayesian
statistical spam filtering solution designed by Entensys.
System Requirements
It is recommended to install GateWall Mail Security on a server running MS Windows
XP/2003/Vista/7/2008 (32 or 64 bit) with an Internet connection. The minimum RAM
is 512 MB for Windows XP, and 1 Gb is recommended for operating systems beginning
from Windows Vista. The disk space requirements depend on the volume of e-mail
backup needed. The application will need some 90 MB of free disk space for
installation.
GateWall Mail Security Installation and Removal
Launch the setup file to install GateWall Mail Security and follow the instructions of
the installation wizard. The installation wizard will prompt you to specify the GateWall
Mail Security administrator’s log-in, password and Email address and select network
interfaces for SMTP, HTTP and HTTPS services. By default, GateWall Mail Security’s
network services monitor all network interfaces available to the server. GateWall Mail
Security will install all the components automatically and launch the services
immediately upon installation. The default installation folder is “%Program
files%\Entensys\CSE” (further referred to as %GWMS%).
Before you install the application, make sure the required server ports (TCP 25, TCP
80 and TCP 443) are not assigned to other applications or services and the
connection to the port is allowed by the firewall. GateWall Mail Security server is
administered from a web-based administrator console at http://localhost or
https://localhost. When installation is complete, a special CSETray module’s icon will
appear in the system tray. You may use the tray agent's contextual menu to launch
and stop GateWall Mail Security modules and monitor their status. The agent’s icon
will show an exclamation mark if any of the application’s modules is not running.
To remove GateWall Mail Security, use the “Add or Remove Programs” feature in the
Windows control panel.
GateWall Mail Security Registration
To register your GateWall Mail Security, open the administrator console in your web
browser application (http://localhost/), go to “GateWall Mail Security – Licenses” and
press “Register.” Select one of the two options in the registration window: ‘request
demo key’ or ‘enter pin code.’ If you enter the pin code, you will receive a valid
license key. Regardless of the option you select, you will need a live Internet
connection over HTTPS to register the product. If you are connected to the Internet
via an upstream proxy server, you can specify proxy server settings in the dialog box.
When you complete the registration process, you can view information on registered
GateWall Mail Security modules and the license expiry date in the administrator
console on the “Licenses” page. On the same page you may check for new versions
of GateWall Mail Security. The update request is submitted to the vendor’s website
(http://www.gatewall.com). If an update is available, your GateWall Mail Security will
not be reinstalled automatically. Only a system administrator can update the server
application.
Licensing Policy
GateWall Mail Security includes built-in antivirus modules from Kaspersky Lab and
Panda Software, as well as the “Cloud Antispam” module. These modules require
additional licenses to be acquired. To enable a module, register GateWall Mail
Security using a special pin code. GateWall Mail Security is licensed for the period of
one calendar year.
You can use a full-featured trial version of GateWall Mail Security for 30 days. The
built-in antivirus modules also have a 30-day trial period.
Email Accounts Licensing
The number of filtered Email accounts depends on the GateWall Mail Security
license. GateWall Mail Security server has no mail accounts of its own – it receives
mail from the Internet, filters messages and forwards them to the mail servers
specified in the server settings. The list of filtered email addresses will be generated
during the forwarding process. You can view the list on the “Processed Addresses”
page in “GateWall Mail Security” section. If you have a 10-user license, the product
will carry out filtering only for the first ten addresses on the list. E-mail to other
addresses is delivered directly to the specified mail server without any filtering
applied. You can only place valid email addresses on the Processed Addresses list.
Addresses that are not processed are highlighted in red on the list.
Methods of Data Loss Protection
Data Loss Protection or Data Leakage Prevention (DLP) is a system created to
prevent confidential information leakage or penetration of other unwanted information
from external sources.
If your organization has certain standards and rules for Email usage, this data loss
protection module can be used to check compliance, trace violations and prevent
data leakage, as well as to control outgoing messages not related to business.
During filtering and application of rules the sender receives no notification on
message sending failure or its delayed sending; therefore, users should be informed
of the existing mail rules.
The system uses three types of filtering: regular expressions, documents comparison
and a lemmatizer. Each of these uses a different search method to scan body,
message subjects, attachments and other parts of messages, but the common
feature is that these filters monitor Email messages for certain key words or phrases.
All the messages satisfying the created rules are displayed in a separate “Message
queue" tab, so you can check the correctness and validity of active filters, and
compile reports based on filtering results. You can view all details on message traffic
in the “Message Log”.
Spam Filtering Methods
GateWall Mail Security supports several spam-filtering methods, including DNS
filtering (DNSBL, RHSBL, Backscatter, MX, SPF, SURBL), online service filtering
(“Cloud Antispam”) and statistical filtering (Bayesian filtering method designed by
Entensys). In addition, GateWall Mail Security supports SMTP monitoring (ensuring
that commands comply with the RFC) and lets you set the maximum message size, the
maximum number of addressees, etc.
Spam filtering modules can be configured in a separate directory of the administrator
console. When installed, GateWall Mail Security already lists the most popular
servers to be scanned for spam (DNSBL, SURBL).
GateWall Mail Security Quick Setup
GateWall Mail Security modules will run automatically upon installation. To quickly
configure the server, complete the following minimum setup:

- Acquire a GateWall Mail Security registration key
- Create one or more routes for the mail domains to be processed
- Check DNS settings
- Check mail delivery to Internet recipients over the GateWall Mail Security mail
relay.
Note! The default assumption is that your corporate LAN already has a configured
mail server, and your DNS server has the corresponding MX record. The MX record
should be linked to the external IP address of the computer where your GateWall
Mail Security server is installed.
To enable the spam filtering modules to perform properly, the network settings of the
computer on which your GateWall Mail Security is installed must specify the address
of the DNS server configured for domain names resolution from the Internet. By
default, GateWall Mail Security will use the DNS server specified in the computer’s
network settings. However, you can list one or more additional DNS server
addresses on the “GateWall Mail Security – Key Settings” page of the administrator
console.
To create a route, open the “Virtual SMTP Server – Routes” page and add one or
more domains to be processed. Route parameters should specify the domain name
and IP address and port (e.g. 192.168.0.2:25) of the mail server that processes
messages from a domain.
GateWall Mail Security Server Structure
GateWall Mail Security server is a modular server. Each module is designed for a
specific task. The modules interface via a special coordination module (CSERouter)
over an RPC protocol. A web server module with XML-RPC support is used for
administrator interface. The modules and their functions are outlined below.
Monitoring Agent (CSETray)
Monitoring Agent allows you to manage (enable, disable and restart) all GateWall
Mail Security modules. You can use the relevant options of a contextual menu to
control the agent. GateWall Mail Security server can be controlled remotely. To
enable remote control, pass the IP address of the server where the CSERouter process
is running on the command line when launching CSETray. Because CSERouter is
the main module of GateWall Mail Security, you will not be able to control the process
from CSETray.
Coordinator (CSERouter)
Coordinator is the main module of your GateWall Mail Security server. CSEProcessor
enables and disables other server modules, registers the modules and coordinates
message exchange. Modules exchange messages over the RPC protocol.
SMTP Client (CSESmtp)
This module implements the SMTP protocol and is used to process incoming mail. SMTP
Client receives incoming messages, applies certain spam filtering methods (DNSBL,
RHSBL, SPF, RFC restrictions, Greylisting, Tarpitting, white/black lists) and backs up
the incoming messages as *.qeml files to the incoming queue folder
“%GWMS%\mail\queue\inc” for further processing. A temporary message copy is saved as
“%GWMS%\mail\archive\inc\*.qeml.tmp” during backup.
Message Processing Coordinator (CSETosser)
This module coordinates message processing. CSETosser scans the outgoing
message queue “%GWMS%\mail\queue\out” and generates tasks for CSEProcessor
module.
Message Processor (CSEProcessor)
Features of this module include spam filtering (SURBL, Cloud Antispam), virus
scanning (Cloud Antispam, Kaspersky, Panda) and message processing with rules
created by GateWall Mail Security administrator. When processed, a message
(*.xeml file) is placed into the outgoing queue “%GWMS%\mail\queue\out” or
quarantine folder “%GWMS%\mail\quarantine” depending on the processing result. A
file with delivery status information (*.dlvr) is additionally generated for messages
placed into the outgoing queue.
In addition, CSEProcessor generates statistics reports on spam messages for each
processed address. Information on spam messages (date, time, sender address and
subject) is recorded in statistics files “%GWMS%\mail\statistics\users\*.stat.”
Message Delivery Manager (CSEDM)
Delivery Manager module CSEDM monitors the outgoing queue
“%GWMS%\mail\queue\out” and delivers messages across the specified routes.
Besides, CSEDM monitors folder “%GWMS%\mail\queue\import” containing
messages incorrectly identified as spam.
Messages that cannot be immediately delivered to the addressee are placed in folder
“%GWMS%\mail\queue\out\try” for delivery retry. You can set the number of delivery
retries and intervals between such retries in “Delivery Settings” section of “Virtual
SMTP Server – Settings” page.
Statistics Module (CSEStat)
This module records mail processing statistics. Statistical information (date, time,
source and destination addresses, GateWall Mail Security server modules used for
processing and the processing result) is recorded in the built-in SQLite3 database.
Database file is located in %GWMS%\mail\statistics\stat.csdb folder.
IMAP Client (CSEImapC)
IMAP client manages IMAP folders located on a remote mail server. CSEImapC
supports MS Exchange 2003 and Lotus Domino R7 and is used to create a special
IMAP folder structure on a remote mail server and process messages in such folders.
POP3-client (CSEPop3C)
POP3 client downloads mail from remote POP3 accounts. All important information,
such as download date and time, unique mail identifiers and statuses, is located in
%CSE@\mail\pop3c.
Mail archiver (CSESync)
Mail archiver copies and restores mail to the folder, which is set as backup folder in
the settings.
Scheduler (CSECron)
The Scheduler module is used to update virus definitions of the antivirus modules
and distribute GateWall Mail Security server statistics.
Scheduler supports daily, weekly, monthly and custom schedules. A CRONTAB line is
used to create a custom schedule. The line includes six segments divided by spaces
(and/or tabs). Each segment sets time as follows:
(minute:0-59) (hour:0-23) (day:0-31) (month:0-12) (week day:0-6, 0-Sunday)
Each of the first five segments may have the following settings:
- Asterisk (*) sets the full range (from the first to the last element);
- Dash (-) sets a specific range; for example, “5-7” means 5, 6 and 7;
- Lists – numbers (or ranges of numbers) divided by commas; for example,
“1,5,10,11” or “1-11,19-23”;
- Incremented asterisk or range is used to set increments in a given range of
numbers. The increment is set with a slash. For example, “2-10/2” means
“2,4,6,8,10”, and “*/2” in the “hours” segment means “every two hours”.
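The segment syntax above can be checked before a custom schedule is saved. The following Python sketch is an added example, not CSECron code: it expands the first five segments with the ranges listed above. The function names are illustrative, and requiring all five segments to match at once is an assumption, since the manual does not say how the day and week-day segments combine.

```python
"""Expand the time segments of a CSECron-style CRONTAB line (added example)."""
from datetime import datetime

# Segment names and value ranges exactly as the manual lists them.
SEGMENTS = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day", 0, 31),
    ("month", 0, 12),
    ("weekday", 0, 6),  # 0 = Sunday
)


def _number(text):
    """Parse an unsigned decimal number; reject signs, blanks and letters."""
    if not text.isdigit():
        raise ValueError(f"not a number: {text!r}")
    return int(text)


def expand_segment(spec, low, high):
    """Return the sorted values selected by one segment.

    Supports the four forms from the manual: asterisk, range (a-b),
    comma-separated list, and an increment (/n) on an asterisk or range.
    """
    selected = set()
    for item in spec.split(","):
        base, slash, step_text = item.partition("/")
        step = _number(step_text) if slash else 1
        if step < 1:
            raise ValueError(f"increment must be at least 1: {item!r}")
        if base == "*":
            first, last = low, high
        elif "-" in base:
            left, right = base.split("-", 1)
            first, last = _number(left), _number(right)
        elif slash:
            raise ValueError(f"increment needs an asterisk or a range: {item!r}")
        else:
            first = last = _number(base)
        if not low <= first <= last <= high:
            raise ValueError(f"{item!r} is outside {low}-{high}")
        selected.update(range(first, last + 1, step))
    return sorted(selected)


def parse_crontab(line):
    """Expand the first five segments of a CRONTAB line into value lists."""
    parts = line.split()
    if len(parts) < len(SEGMENTS):
        raise ValueError("expected at least five time segments")
    return {name: expand_segment(spec, low, high)
            for (name, low, high), spec in zip(SEGMENTS, parts)}


def is_due(schedule, moment):
    """True when `moment` is on the schedule (assumption: all segments must match)."""
    weekday = (moment.weekday() + 1) % 7  # Python: Monday=0; manual: Sunday=0
    return (moment.minute in schedule["minute"]
            and moment.hour in schedule["hour"]
            and moment.day in schedule["day"]
            and moment.month in schedule["month"]
            and weekday in schedule["weekday"])


if __name__ == "__main__":
    # Constructed schedule: on the hour, every two hours, on Sundays.
    sunday_updates = parse_crontab("0 */2 * * 0")
    print(sunday_updates["hour"])
    print(is_due(sunday_updates, datetime(2024, 1, 7, 4, 0)))
```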
Web Server (CSEHTTP)
The web server is used to administer GateWall Mail Security.
Web Server API (CSESrvCtrl)
This module implements API for the XML-RPC interface of the web server
(CSEHTTP).
Message Processing
When processed by GateWall Mail Security, messages go through several filtering
stages, including connection filtering, sender filtering, recipient filtering and content
filtering. At the last stage, a message is filtered in accordance with the rules created by
the administrator.
Connection Filtering
Connection filtering flow chart is shown in Fig. 1. When an incoming connection is
registered on TCP port 25, GateWall Mail Security server scans through its global
white list of IP addresses. The white list is assigned on the “Antispam – Black and
White Lists” page. Each list item may be an IP address or a range of IP addresses, a
domain name (A-type record) or a name of domain mail exchanger (MX-type record).
GateWall Mail Security server resolves the listed names into corresponding IP
addresses and generates global lists of resolved and restricted IP addresses. If the
incoming connection originates from a white list IP address, GateWall Mail Security
will skip all subsequent checks up until the rules created by the administrator and
receive the message. GateWall Mail Security will block connection for IP addresses
listed on the black list.
At the next step GateWall Mail Security checks DNSBL. If the incoming connection
originates from an IP address that is on the spam list, GateWall Mail Security will
reject and close the connection and generate a corresponding error message. You
can set DNSBL parameters on the corresponding page of the administrator console.
DNSBL parameters include names of DNSBL servers used in the check process and the
exceptions list. In the exceptions list you may specify an IP address, domain name or
name of mail exchanger.
Sender Filtering
GateWall Mail Security starts sender filtering after the MAIL FROM command has
been received. If the address in the MAIL FROM command is a blank address (“<>”),
GateWall Mail Security will complete the BackScatter check. This check is used, for
example, to block “fake” information messages, such as delivery failure messages.
BackScatter settings (“Antispam – BackScatter” page) should specify the address of
the server used for the check and an exceptions list.
If the MAIL FROM command does not contain a blank address, GateWall Mail
Security server will scan the black and white lists for this address. If the address is
found on the black list, GateWall Mail Security will close the incoming connection and
produce a corresponding error message. If the address is on the white list, all
subsequent checks will be skipped.
The next step is to check if the domain whose address is listed in the MAIL FROM
command has an MX (Mail eXchanger) record and an SPF (Sender Policy
Framework) record. To enable the MX record check, go to the “Antispam – Key Settings”
page of the administrator console. SPF check parameters are set on the SPF page
of the Antispam section. You can set how GateWall Mail Security responds to the
results of MX and SPF checks in the server settings.
The last step is to complete RHSBL filtering by the domain name listed in the MAIL
FROM command. If the domain name is found on the spam list, GateWall Mail
Security will close the incoming connection and produce a corresponding error
message.
Recipient Filtering
GateWall Mail Security starts recipient filtering after the RCPT TO command has
been received. The received address is checked against the black and white lists. If
the destination address is found in the white list, all subsequent checks will be
skipped. If the address is found on the black list, GateWall Mail Security will close the
incoming connection and produce a corresponding error message.
Next, GateWall Mail Security checks the availability of the destination address in
accordance with the set routes (“Virtual SMTP Server – Routes” page). To complete
the check, GateWall Mail Security connects to the mail server specified in the route
and requests the availability of the recipient by sending the RCPT TO command. If
the mail server contains no such destination address, GateWall Mail Security will
produce a corresponding error message.
For each incoming connection, GateWall Mail Security creates a triplet (IP address
originating the connection, MAIL FROM address and RCPT TO address) and scans
the internal list of triplets for previous connections. If the received triplet is not found
in the internal triplet list (i.e. the connection with the given parameters is a new
connection), GateWall Mail Security will produce a temporary error message. This is
a Greylisting check procedure. You can set the Greylisting parameters on the
Greylisting page of the Antispam section.
GateWall Mail Security supports the Tarpitting feature to protect you from address
matching. The Tarpitting feature “delays” mail server response when a new
destination address is received in the RCPT TO command. By default, response
delay will be enabled if more than five destination addresses are received at once.
You can set the required Tarpitting parameters on the “Antispam – Key Settings”
page.
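The recipient-stage decisions described above, as an added Python example that is not part of the product. The class, the SMTP reply codes and texts, the tarpit delay and the minimum greylisting retry interval are assumptions, and the set of routed mailboxes stands in for the RCPT TO probe of the routed mail server.

```python
"""Recipient-stage checks in the order the manual describes (added example)."""
from dataclasses import dataclass, field

TARPIT_THRESHOLD = 5       # manual: delay once more than five recipients arrive
TARPIT_DELAY = 10          # seconds; assumed value, the manual gives none
GREYLIST_MIN_RETRY = 300   # seconds; assumed, the manual names no parameters


@dataclass
class Reply:
    code: int            # SMTP reply code (constructed choice of codes)
    text: str
    delay: int = 0       # seconds to wait before answering (tarpitting)
    close: bool = False  # True when the connection is dropped after the reply


@dataclass
class RecipientStage:
    whitelist: set = field(default_factory=set)   # lower-case addresses
    blacklist: set = field(default_factory=set)   # lower-case addresses
    # Stand-in for probing the routed mail server with RCPT TO.
    routed_mailboxes: set = field(default_factory=set)
    # (client IP, MAIL FROM, RCPT TO) -> time the triplet was first seen
    triplets: dict = field(default_factory=dict)

    def greylisted(self, ip, mail_from, rcpt, now):
        """Return True while the triplet must still get a temporary error."""
        key = (ip, mail_from.lower(), rcpt.lower())
        first_seen = self.triplets.setdefault(key, now)  # new triplet: remember it
        return now - first_seen < GREYLIST_MIN_RETRY

    def rcpt_to(self, ip, mail_from, rcpt, position, now):
        """Decide the reply to the `position`-th RCPT TO of one session."""
        address = rcpt.lower()
        if address in self.whitelist:
            return Reply(250, "OK, white list: remaining checks skipped")
        # Tarpitting slows every further answer once the threshold is passed.
        delay = TARPIT_DELAY if position > TARPIT_THRESHOLD else 0
        if address in self.blacklist:
            return Reply(554, "recipient is on the black list", delay, close=True)
        if address not in self.routed_mailboxes:
            return Reply(550, "no such recipient on the routed server", delay)
        if self.greylisted(ip, mail_from, rcpt, now):
            return Reply(451, "greylisted, try again later", delay)
        return Reply(250, "OK", delay)


if __name__ == "__main__":
    # Constructed session data (documentation addresses only).
    stage = RecipientStage(
        whitelist={"ceo@example.net"},
        blacklist={"trap@example.net"},
        routed_mailboxes={"alice@example.net", "ceo@example.net"},
    )
    client, sender = "203.0.113.7", "news@example.org"
    for when in (0, 60, 400):  # first attempt, early retry, late retry
        print(when, stage.rcpt_to(client, sender, "alice@example.net", 1, when))
    print(stage.rcpt_to(client, sender, "bob@example.net", 6, 400))
```

The early retry at 60 seconds is still deferred only because of the assumed minimum retry interval; with the manual's description alone, any repeat of a known triplet passes.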
Content Filtering
GateWall Mail Security will start content filtering after the message body has been
received. The first step is to check MIME headers. If the message delivery route
specified in the header is longer than the set limit (“Maximum Forwarding Distance”
parameter on “Virtual SMTP Server – Settings” page), GateWall Mail Security will
block the message. Besides, a reply message will be generated at the MIME check
step if the Autoreply function is enabled.
The next step is to check the entire message using an online service (the so-called
Cloud Antispam). The application sends a unique message hash to a remote server
using the HTTP POST method. Cloud Antispam requires HTTP to be enabled on the
computer where GateWall Mail Security is installed. Messages identified as spam or
infected messages (Cloud Antispam also scans messages for viruses) are placed
into the quarantine folder (%GWMS%\mail\quarantine). You can push messages in
the quarantine folder to their destination addresses. To do so, move the
corresponding *.xeml file of a message from “%GWMS%\mail\quarantine” folder to
“%GWMS%\mail\import” folder. To push-send a message, use the contextual menu
on the “Monitoring” page.
NOTE! The quarantine folder is cleaned periodically. You can configure quarantine
cleaning in the administrator console, in the “Antispam — Main settings” section.
Next, GateWall Mail Security completes SURBL filtering and statistical check
(Bayesian filtering). The Bayesian filtering algorithm designed by Entensys allows
automatic learning using the messages identified by Cloud Antispam as “clean
messages.” The last step includes virus check and message processing using the
rules.
Mail queue
You can check messages waiting for delivery in the mail queue on the «Monitoring - Mail
Activity» page using the filter dm:pending.
Delivered messages are stored for two weeks in the folder
“%CSE%\mail\sump_delivered”.
Messages which could not be delivered on the first try are placed in the folder
%CSE%\mail\sump. Further delivery attempts follow this schedule:
- 30 minutes after the previous attempt;
- 1 hour after the previous attempt;
- 2 hours after the previous attempt;
- 3 hours after the previous attempt;
- every 4 hours after the previous attempt during the maximum delivery time (default is 1
week).
GateWall Mail Security Administrator Console
License
The License page features all information on the GateWall Mail Security server
license and additional modules. The page also contains “Register” and “Check for
updates” buttons and links to the support site.
Supported Addresses
Supported Addresses is the main page listing all Email addresses to which incoming
mail has been forwarded. This list is automatically populated based on forwarded
emails. The list only includes existing addresses that belong to the domain/domains
specified in the GateWall Mail Security server routes. This list contains e-mail
addresses and their aliases. Email accounts which are not covered by the license
are marked by a red “x”. You cannot set more processed accounts than the license
allows.
The addresses page contains a spam statistics distribution scheduler. You may use it
to list accounts to which statistics will be distributed or deny such distribution for
specific accounts (see the column opposite the email accounts). A grey icon means
that spam statistics will not be sent to the user; a colored icon means that statistics
will be sent according to the schedule. The spam statistics report is sent as an email
with the list of all messages blocked as spam. It contains the time, the sender’s email
address and a link to release spam messages from quarantine and deliver them to the
recipient.
Key Settings
The page contains the following parameters:
- DNS configuration.
- Web interface configuration (administrator log-in and password).
- Time zone setting.
NOTE! You should set the correct time zone to show the correct time in the “Message
log”. Make sure that the computer system time and the time zone in the operating
system have valid values as well.
- Send bug report to vendor for analysis. A new feature that automatically sends
crash reports to the vendor. If enabled, a crash report will be
sent to “[email protected]” every time any UserGate module
crashes. Usually, the mail is about 100-200 Kb.
- Mailing address for important notifications. This address will be used for
notifications about important mail server events, such as low disk space.
You can also view the remaining disk space.
Services
On the Services page you can configure and manage GateWall Mail Security network
services. Here you may change the interface and port number, as well as start and
stop services.
Virtual SMTP Server
Settings
Virtual SMTP Server processes incoming and outgoing mail. SMTP server settings
include the following parameters:
- Server domain name (Server address). Usually it should be the MX record for
your domain.
- Delivery mode: MX delivery or delivery via a relay server (“SMTP Delivery
Settings”). Delivery with relay server authorization is also supported.
- Outbound relay settings. If an outbound relay must be used, specify the server
address, port, and login and password for relay server authorization.
- Incoming relay settings. The mail server may be used as a server forwarding mail
from third party domains. If it is to run as a relay server without
authorization (open relay), we recommend restricting the number of IP
addresses to which connection is permitted. Specify the applicable IP
addresses in the “SMTP – No authorization servers” section.
- TTL for delivered messages. Sets the time for which all delivered messages are
stored in the specific folder.
- Maximum recipients in batch – the maximum number of recipients which can be
set in the “To” field of an e-mail.
- Maximum redirect depth – sets the number of intermediate servers
delivering a message.
- Maximum message size. The maximum size of a message which can be sent over the
mail server.
- Delivery expiration time. The maximum time in minutes the server tries to deliver
a message. Default is 7 days.
- Send DSN (delivery status notification). Enables or disables sending DSN.
- “Server address and port for SPAM messages” is the address specified in the
spam distribution emails to remove messages from quarantine. Usually, this
parameter is equivalent to the local IP address (or domain name) of the
machine on which the mail server is installed. You can also set a port by
specifying it after a colon, for example «IP-address:8080».
Routes
You must create one or more routes to begin working with GateWall Mail Security.
When creating a route you should set:
- Domain name (for example, example.net)
- IP address and port of the mail server servicing this domain (for example,
192.168.0.2:25)
GateWall Mail Security does not limit the number of mail domains. Only the
number of email accounts is limited by the license.
Data Loss Protection
Key Settings
Key settings include the following general check parameters:
- Actions:
Approve — a message satisfying the rule will be sent to the recipient; the relevant
information will appear in the “Message queue” tab.
Hold — when this action is set as a parameter, the hold time will be shown in
minutes. When the hold time expires, the message will be sent to the recipient.
Reject — the message will not be sent.
After a rule has been applied to messages with “Hold” (within the hold time limit) and
“Reject” queue status, you can manually reset the action to apply one of the
remaining actions.
If two or more rules with different actions apply, the rule with the higher
priority will be implemented. Priority in descending order: reject, hold, and approve.
- Mail Notification
With GateWall Mail Security you may choose the settings for mail notification. By
specifying an e-mail address in the “General Settings”, you will receive a message
named “DLP notification” each time any particular rule is applied; the notification
will contain the information about the message (the sender, the recipient, and the
subject) and the rules applied (rule name, module, and action performed).
The parameters of actions and mail notification in the “General Settings” are set by
default for all rules, unless other parameters are selected during filter creation.
- Module Configuration
You can enable or disable modules (regular expressions, documents comparison
and a lemmatizer). When a filtering module is disabled, none of its rules are applied.
In the documents comparison module the “Operation threshold” will also be set in
percentage, the default value being 30%. (See more details in the Documents
Comparison section).
General Information on Rule Settings
On each module page you will see a list of created rules and the following editing
buttons: add (to create a new rule), edit, and delete.
After new changes have been introduced the “Save” and “Cancel” buttons will appear
at the top of the page. Do not forget to save changes after editing or creating rules.
The filter texts for all modules are converted to Unicode.
When creating any of the three types of filters, the following parameters are set:
- Header – the name of the applied rule, shown in the “Message queue”.
- Action (see Actions section for more details) – by default the value from the
general settings is used.
- Mail notification (the address from “Key Settings” is used). Enable this
parameter to receive notifications on the filters applied.
Regular Expressions
Regular expressions are a formal language used for text search. Basically, a regular
expression is a pattern string that sets a search rule.
The following parameters are used to create a filter:
Filter type – plain or custom. Depending on the selected type, the text of a filter will
differ.
Filter Text
- Plain
Type a phrase in the text of a filter. The rule will apply to a message containing a
fully identical line.
- Custom
You can use the regular expression language in the text of a filter.
If you are familiar with the regular expression language, you may create
custom filters with more complex search parameters.
The “plain” rule will apply only if a message contains the phrase “How does a plain
filter work?”, and will not apply in any other case. If at least one symbol is removed
or replaced, the message will not be identified.
The “custom” rule is the simplest example of a regular expression search; this rule
will apply to any message containing at least one figure.
Document Comparison When creating a rule in this module, the messages sent into queue will contain both
the full and partial text of a rule.
The Document Comparison module divides the pattern into separate words and
transforms them into their basic forms (infinitives of verbs; and nominative case,
singular of nouns), so that the word in a message with another conjugation or
declension is still considered a match. Punctuation marks and figures are not
identified. If the match percentage of a message is equals or exceeds the “Operation
threshold” parameter in the key settings, the message is sent into queue.
Note! Transformation of words into basic forms works only for the Russian, English,
and German languages.
You may create two types of rules in the “Document comparison” tab: add a filter by
specifying its content in the entry field (text), or upload a pattern file.
Note that the shorter the filter content, the higher the probability that
the rule will be applied.
For example, if the filter contains four words, and two of them are used in the
message, the match percentage will be 50%.
Add Filter
When a new filter is added, a dialog box will appear where you should input the
name of a filter, its text and the appropriate action. The filter text should contain at
least three words (made of characters; other elements, such as figures and symbols,
are not taken into account).
File Uploading
The comparison option is available for doc, xls, pdf, rtf, html, and txt files.
For a more accurate analysis document templates should be created.
Thus, if you want to hold the messages containing a certain type of documents (for
example, invoices), it is not the example of a file that should be uploaded, but an
empty template to ensure higher match percentage. Delete all the information that is
unlikely to be used repeatedly.
Lemmatizer
A lemmatizer is a module responsible for the analysis of words and phrases in a text.
Unlike the plain filter of the Regular Expressions module, a lemmatizer does not
search for absolute matches but returns the basic form of a word and uses it for
comparison (for example, the infinitive form for a verb, and the nominative
case singular for a noun). A lemmatizer also performs the reverse operations of
conjugation and declension. Thus, the filter will apply to any form of a word specified
in a rule.
Note! Transformation of words into basic forms works only for the Russian, English,
and German languages.
There are two tables in the “Lemmatizer” tab: categories and phrases. To add the key
phrases you should first create a category and set the “Operation threshold”. Each
phrase added to this category will have “Weight” as one of its parameters. During
message processing the total weight of words fitting this category is calculated, and if
it exceeds the operation threshold, an action from the category settings will apply.
If the weight of a word is equal to the operation threshold of its category, any
message containing the word is deemed to satisfy the filtering conditions and is
sent to the message queue.
Two categories have been created for this example (a table on the left). If the
message contains the words “how”, “does”, “it”, and “work”, the weight of each word
is 25 (a table on the left), and the total will be 100, which is a threshold level for the
cat_1 category. Such a message meets the filtering conditions.
If a message contains the word “another”, and the weight of this word meets the
threshold value of cat_2 (the category to which the word belongs), it will immediately
activate the filter.
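The match-percentage check from the Document Comparison section and the category-weight check from the Lemmatizer section, as an added Python sketch that is not GateWall Mail Security's own code. The small LEMMAS table stands in for the product's lemmatizer, all function names are assumptions, and the cat_2 numbers are constructed; the threshold is treated as reached on equality, as in the cat_1 example above.

```python
import re

# Stand-in for the product's lemmatizer (assumption): maps a few inflected
# English forms to their basic form. Constructed for this example.
LEMMAS = {"does": "do", "did": "do", "works": "work", "worked": "work",
          "invoices": "invoice", "payments": "payment", "amounts": "amount"}

def lemmas(text):
    """Split text into words, dropping punctuation and digits, and return
    each word's basic form (falling back to the word itself)."""
    return [LEMMAS.get(w, w) for w in re.findall(r"[^\W\d_]+", text.lower())]

def match_percentage(filter_text, message):
    """Document Comparison: percentage of the filter's words found in the message."""
    pattern = lemmas(filter_text)
    if len(pattern) < 3:
        raise ValueError("filter text must contain at least three words")
    unique = set(pattern)
    return 100.0 * len(unique & set(lemmas(message))) / len(unique)

def document_rule_applies(filter_text, message, operation_threshold):
    """The message is queued when the match equals or exceeds the threshold."""
    return match_percentage(filter_text, message) >= operation_threshold

# Lemmatizer categories: cat_1 follows the manual's example; the cat_2
# numbers are constructed, since the manual's table is not reproduced here.
CATEGORIES = {
    "cat_1": {"threshold": 100,
              "phrases": {"how": 25, "does": 25, "it": 25, "work": 25}},
    "cat_2": {"threshold": 50, "phrases": {"another": 50}},
}

def triggered_categories(message, categories=CATEGORIES):
    """Lemmatizer: sum the weights of the phrases present in the message and
    return every category whose total reaches its operation threshold."""
    present = set(lemmas(message))
    hits = {}
    for name, cat in categories.items():
        total = sum(weight for phrase, weight in cat["phrases"].items()
                    if set(lemmas(phrase)) <= present)
        if total >= cat["threshold"]:
            hits[name] = total
    return hits

if __name__ == "__main__":
    # Constructed sample messages.
    print(match_percentage("invoice total amount payment",
                           "Please see the invoices and payments for 2024."))
    print(triggered_categories("How did it work?"))
```

Because matching is done on basic forms, "did" in a message still counts toward the weight of the phrase "does".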
Message Queue
This tab contains full information about the messages meeting the requirements of at
least one rule.
The table on the right shows the following parameters:
Status – Approved, Held, Rejected
Direction – Incoming mail, Outgoing mail
Message Information – Recipient, sender, date of sending, subject
Modules applied – Regular Expressions, Document Comparison, Lemmatizer
Header – An element for which a match was found
Here you may also view the content of a message by double clicking on it or pressing
the “View message” button, having previously selected the relevant message.
Remember that for the “Hold” (within the hold time) and “Reject” statuses
you may reset the action and apply one of the remaining actions.
On the same page you may see the total summary of the number of messages
satisfying the rules of a module. For a faster search of particular messages on the
page you may create filters by time (today, yesterday, week, month or state a time
interval between two particular dates) or by other characteristics. To do this you need
to input special instructions in the search field. Using the following commands the
search can be performed by:
Status:
Approved – status:approve
Rejected – status:reject
Held – status:hold
Message direction:
Incoming mail – direction:in
Outgoing mail – direction:out
Message subject – subject:<specify subject>;
Sender mask – from:<specify sender>;
Recipient mask – to:<specify recipient>.
Antispam
Key Settings
Key settings include the following general check parameters:

MX record availability check. If enabled, GateWall Mail Security will check
for MX record availability on the domain specified in the MAIL FROM
command.

SMTP check (disconnection on the maximum bad command limit).
Connection with the client sending bad commands will be closed when the
number of bad commands exceeds the limit.

Server hello message delay.

Sender hash validation. The option is used to check the validity of
destination address when running GateWall Mail Security as a relay server.

Verification of host name received in HELO command (“Check host on
HELO”). Host name should be represented by a domain name.

Tarpitting mode (delay in server response when receiving a new destination
address in RCPT TO command). Tarpitting makes destination address
scanning a more time-consuming process.

Quarantine clearing schedule

IMAP integration mode
IMAP integration is used for receiving feedback from mail server users through
special IMAP folders for message processing. The integration settings are described
in the relevant section.
SPF Settings
SPF (Sender Policy Framework) is a method used to verify the sender’s domain that is
based on special DNS records (TXT type). These records indicate which hosts on the
Internet can send messages on behalf of the domain. To set GateWall Mail Security
to respond to SPF check results, use the reject parameter in the server settings file
(%GWMS%\settings.xml):
<spfcheck enabled="false" reject="Soft Fail;Hard Fail;Error"/>
DNSBL Settings
Use the DNSBL Settings page to create a list of servers to be used for DNSBL (DNS
Black Lists) and RHSBL (Right Hand Side Block Lists) checks. DNSBL check verifies
the IP address originating a connection, while RHSBL check verifies the domain
name specified in MAIL FROM command.
Greylisting
Greylisting is a spam filtering method that consists in blocking the initial attempt to
receive a new message. GateWall Mail Security generates a list of triplets including
the IP address originating a connection, the address received in MAIL FROM
command and the address specified in RCPT TO command. A message is qualified
as new mail if its triplet has never been received before. The message is blocked,
and a “temporary error” notice is sent. When a sender's server receives a “temporary
error” notice, it is supposed to retry sending the message later. Greylisting settings
specify triplet storage time and exceptions lists.
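The triplet logic described above, as an added Python sketch that is not GateWall Mail Security's own code. The class and function names, the 451 reply code used for the “temporary error”, and the assumption that an exception entry is a client IP or a sender address are all illustrative; the addresses are constructed.

```python
import time

class Greylist:
    """Greylisting by triplet (client IP, MAIL FROM address, RCPT TO address)."""

    def __init__(self, storage_time, exceptions=(), clock=time.time):
        self.storage_time = storage_time              # seconds a triplet is kept
        self.exceptions = {e.lower() for e in exceptions}
        self.clock = clock                            # injectable for testing
        self.seen = {}                                # triplet -> first-seen time

    def check(self, client_ip, mail_from, rcpt_to):
        """Return (code, text) to send in reply to RCPT TO."""
        now = self.clock()
        # Forget triplets older than the storage time.
        self.seen = {t: ts for t, ts in self.seen.items()
                     if now - ts <= self.storage_time}
        triplet = (client_ip.lower(), mail_from.lower(), rcpt_to.lower())
        # Assumption: an exception entry is a client IP or a sender address.
        if self.exceptions & set(triplet[:2]):
            return 250, "OK (exception list)"
        if triplet in self.seen:
            return 250, "OK"                          # the sender retried
        self.seen[triplet] = now                      # new mail: remember it
        return 451, "Temporary error, please try again later"

def replay(greylist, attempts):
    """Run (ip, mail_from, rcpt_to) delivery attempts and collect reply codes."""
    return [greylist.check(*a)[0] for a in attempts]

if __name__ == "__main__":
    # Constructed attempts: first try, retry, then the same sender from a new IP.
    attempt = ("198.51.100.7", "news@example.org", "user@example.com")
    gl = Greylist(storage_time=3600, exceptions={"192.0.2.10"})
    print(replay(gl, [attempt, attempt, ("198.51.100.8",) + attempt[1:]]))
```

A sender that never retries is never accepted, and a triplet whose storage time has run out is treated as new mail again.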
SURBL Settings
SURBL (Spam URI Block Lists) is a method of filtering spam by checking the
message body for spam links. SURBL settings include the list of servers and
exceptions lists. Messages that contain spam links will be blocked.
Cloud Antispam
Cloud Antispam is an antispam and antivirus module that employs the CommTouch
service. GateWall Mail Security interfaces with the online service via HTTP POST
requests. Each request to the online server contains a unique message hash
computed based on the full message body (including headers).
Black and White Lists
The page is used to create global lists of allowed and restricted addresses. These
lists allow blocking messages at the initial processing stage (black lists) or,
conversely, skipping all further checks (white lists). Settings include the following
parameters:

IP address (lines <ipwhite enabled="true"/> or <ipblack enabled="true"/> in
the server settings file, record type ip4);

Domain name (lines <ipwhite enabled="true"/> or <ipblack enabled="true"/>,
record type a);

Domain MX record (lines <ipwhite enabled="true"/> or <ipblack enabled="true"/>,
record type mx).
GateWall Mail Security will resolve any specified parameter to the given IP address.
You can specify allowed (<whitelist enabled="true"/>) or restricted (<blacklist
enabled="true"/>) email addresses on the Black and White Lists page.
Backscatter
The Backscatter filtering method is used to block service messages, e.g. delivery failure
messages. For instance, if a spamming system uses your mail domain name to
distribute spam messages, remote mail servers may generate a large number of
delivery failure messages.
Bayesian Filter
This module filters spam using statistical message processing. The filter
determines the probability of each message containing spam. If the estimated
probability exceeds the set limit, the filter blocks the message. The probability is
estimated based on the recorded statistics, i.e. statistics of clean and spam
messages. Entensys’ own design of the Bayesian algorithm allows the filtering
module to learn from the Cloud Antispam performance, the administrator’s actions
(marking a message as “not spam” on the Monitoring page) or users’ actions
provided IMAP integration is enabled.
Antiviruses
GateWall Mail Security features three integrated antivirus modules: cloud antivirus,
Kaspersky Lab and Panda Security. All of these modules are used to scan mail traffic
for viruses. You can configure the modules on the corresponding page of the
administrator console.
Prior to enabling an antivirus module, launch virus definition update and wait for the
update process to complete. The antivirus page indicates if your virus definitions are
up to date. You can also use this page to schedule virus definition updates.
Message Processing Rules
GateWall Mail Security features message processing rules. A rule generally contains
one or more conditions with the AND/OR logic and an action that will be applied to a
message if the conditions are met. Rules are processed top-down in the list.
GateWall Mail Security scans the entire list of rules for each message. It also
supports non-sequential processing through applying two actions: “Cancel
processing” and “Redirect action to rule.” The first action ignores all subsequent rules
and the second allows switching directly to a specified rule. Redirection is only
allowed to rules located below in the list.
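The top-down evaluation with “Cancel processing” and “Redirect action to rule” described above, as an added Python sketch that is not GateWall Mail Security's own code. The Rule structure, the action names other than the two flow-control actions, and the sample rules and domains are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Rule:
    name: str
    conditions: List[Callable[[dict], bool]]
    logic: str = "AND"             # how the conditions combine: "AND" or "OR"
    action: str = "tag"            # "cancel" and "redirect" change the flow
    target: Optional[str] = None   # rule to jump to when action == "redirect"

    def matches(self, msg):
        results = [cond(msg) for cond in self.conditions]
        return all(results) if self.logic == "AND" else any(results)

def process(rules, msg):
    """Walk the rule list top-down and return the (rule, action) pairs applied."""
    position = {r.name: i for i, r in enumerate(rules)}
    for i, r in enumerate(rules):
        # Redirection is only allowed to a rule located below in the list,
        # which also guarantees that processing always terminates.
        if r.action == "redirect" and position.get(r.target, -1) <= i:
            raise ValueError(f"rule {r.name!r} must redirect to a rule below it")
    applied, i = [], 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not rule.matches(msg):
            continue
        applied.append((rule.name, rule.action))
        if rule.action == "cancel":      # "Cancel processing": ignore the rest
            break
        if rule.action == "redirect":    # "Redirect action to rule": jump down
            i = position[rule.target]
    return applied

def sample_rules():
    """Constructed rule list; names, domains and actions are illustrative."""
    return [
        Rule("partner", [lambda m: m["from"].endswith("@partner.example")],
             action="redirect", target="size-limit"),
        Rule("invoice", [lambda m: "invoice" in m["subject"].lower(),
                         lambda m: m["attachments"] > 0], action="hold"),
        Rule("size-limit", [lambda m: m["size"] > 10_000_000], action="reject"),
        Rule("internal", [lambda m: m["from"].endswith("@corp.example"),
                          lambda m: m["to"].endswith("@corp.example")],
             logic="OR", action="cancel"),
        Rule("default", [lambda m: True], action="tag"),
    ]
```

With these rules a message from the partner domain skips the "invoice" rule entirely, which is the kind of side effect to check for when a redirect is placed above a content rule.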
Message Backup
GateWall Mail Security allows you to back up all incoming messages. The backup
is performed before spam and virus filtering. Backup copies are placed
in the “%GWMS%\mail\queue\archive*” folder. You can specify the direction of
messages to be backed up (incoming only, outgoing only or both) and list exception
addresses in the Backup settings.
Note! GateWall Mail Security Beta does not support message backup viewing.
Messages are placed in %GWMS%\mail\queue\archive-inbound\*.qeml.tmp files. To
resend the message backup archive, move the corresponding *.qeml.tmp file into the
%GWMS%\mail\queue\inc folder and remove the *.tmp extension.
Autoreply
When the Autoreply function is enabled, GateWall Mail Security will automatically
generate a reply to messages sent to the specified address. Specify the destination
address, subject and the message in the Autoreply settings (“Autoreply” page).
Autoreplies will be generated at the Content Filtering stage.
Mail Downloaders
GateWall Mail Security allows fetching mail from POP3 accounts and distributing the
received mail to the users’ accounts. Two mail fetching methods are supported:


Fetching mail from accounts with one user only;

Fetching mail from a mail account servicing several users, so-called
multiboxes.
The first option means that one user listed in the addresses serviced by GateWall
Mail Security corresponds to one POP3 account.
For the second option, compliance rules are set for a mail account receiving mail and
a user from the addresses serviced by GateWall Mail Security.
The mail fetcher supports secure connection. To check the settings press the
corresponding button. In case of a successful/failed connection and authorization at a
remote server, the administrator console will display a relevant message. You may
set the mail fetcher operation period in the “Schedule” tab. Apart from setting a
schedule, you may force mail fetching directly on the “Mail Fetcher” page. The page
will show the task status and the information on fetching (the number of messages,
date of fetching, and the status of the most recent attempt).
Monitoring
Message Log
The Message Log page contains information on all the messages processed by GateWall
Mail Security server, including message date, time, parameters (source address,
destination address and subject), processing status and the result of processing with
GateWall Mail Security modules.
GateWall Mail Security administrator can organize filtering by date, processing status
(delivered/blocked) or address. Right-click on the message information line to open a
contextual menu; you can use the contextual menu to place the message on the
black or white list, mark the message as spam or push-send the message. Double-click
the message status icon to organize messages by status.
The above listing of search filter parameters needs no explanation, with the
exception of the last item – “by message status.” Mail server supports search by
internal status of messages that can be easily filtered, for instance, to show only
messages qualified as spam or display a sequence of messages. To apply such filter,
you will need to enter a special variable parameter in the search box. For example, to
search for all quarantined messages, enter the following parameter in the filter box:
status:quarantine
To find all messages in the outgoing queue, enter:
dm:pending
Below is a full list of variable parameters:
all:clean — search messages for which all plugin statuses are clean
each:clean — = all:clean (all plugins report that the message is clean)
any:clean — search messages for which at least one plugin status is clean
plugin:clean — = all:clean
plugin:infected — = any:infected
plugin:suspicious — = any:suspicious
plugin:spam — = any:spam
cloudantispam:suspicious — search messages that CloudAntispam regards as
suspicious
cloudantispam:clean — search messages that passed through CloudAntispam
cloudantispam:infected — search messages marked by CloudAntispam as infected
cloudantispam:spam — search messages marked by CloudAntispam as spam
surbl:clean — search messages that passed SURBL check
surbl:spam — search messages blocked by SURBL
antivirus:infected — search messages in which at least one antivirus plugin found
viruses
antivirus:suspicious — search messages which at least one antivirus plugin found
suspicious
antivirus:clean — search messages in which neither antivirus plugin found viruses
kav:infected — search messages in which KAV found viruses
kav:suspicious — search messages which KAV found suspicious
kav:clean — search messages in which KAV found no viruses
panda:infected — search messages in which Panda found viruses
panda:clean — search messages in which Panda found no viruses
dm:pending — search messages that are pending delivery
dm:success — search successfully delivered messages
dm:expanded — search messages that were partially delivered (delivered to only
some of the listed recipients)
dm:failed — search messages whose delivery failed (not completed, completed with
5XX errors)
status:quarantine — search only quarantined messages
status:whitelisted — search whitelisted messages
status:failed — search messages blocked by filters
status:success — search messages that successfully passed all filters
status:received — search messages that were received via SMTP but have not been
processed yet
You may also apply filter by message status by double-clicking on the applicable icon
in the “message status” column.
Event Log
On the Event Log page, you can track the life cycle (receipt – processing – delivery)
of messages received by the mail server, as well as monitor performance of server
modules. You can filter messages by one or more of the following criteria:

Time;

Field: From, To, Subject, Status;

Service;

Type;

Random field;
To track route of a certain message:

Select corresponding time period.

Create filter by completing at least one of the fields: "From", "To", "Subject".

Apply the filter by pressing the "Apply" button at the bottom of the page.

Select one of the messages in the right window and press "Track message"
in the pop-up menu.
Message events are tracked by a unique MIME header (X-Message-Id) tagged to
each message received by mail server. You can also filter messages by random
message fields.
Note! You can enable logging for some or all server modules as necessary.
To enable logging for a certain module, complete the steps below:

Create an empty file named "log.module_name.enable" in the %CSE% folder.
For example, if you want to create a log for the SMTP client, create the file
"log.csesmtpc.enable" in the %CSE% folder. To enable logging for all server
modules, create the file "log.all.enable".

Restart the server by selecting "Restart all" in the agent's system tray menu.
IMAP Integration
GateWall Mail Security features integration with a remote IMAP server. The
integration is supported for MS Exchange 2003 and IBM Lotus Domino R7 mail
servers and allows using a public IMAP folder on a remote mail server for mail server
user feedback. You can enable this feature in the “GateWall Mail Security – Antispam
– Key Settings – IMAP Server Integration” section.
IMAP Synchronization in MS Exchange
Complete the following actions to configure IMAP integration for MS Exchange 2003:
1. Go to “GateWall Mail Security – Antispam – Key Settings – IMAP Server
Integration”. Specify the MS Exchange server’s IP address, Public Folders prefix
and the login and password of the user authorized to create and delete
folders in Exchange Public Folders. The user must be authorized to work over
the IMAP protocol.
2. Click the “Check settings” button. GateWall Mail Security will log in to the
MS Exchange server using the specified user account information and create
subfolders as shown in the picture below.
3. Enable the “Use integration with IMAP server” option and save changes.
When the option is enabled, GateWall Mail Security will connect to the MS Exchange
server every 2 seconds and scan folders “GWMS/Mark as Spam” and “GWMS/Mark
as not Spam” for messages. Messages identified as spam will be automatically
moved to “GWMS/Quarantine” folder.
A mail client synchronized with an IMAP server may subscribe to GateWall Mail
Security folders. Users may move messages to “Public Folders\GWMS\Mark as
Spam”, which will facilitate automatic learning of Cloud Antispam. There is a slight lag
in the learning process because Cloud Antispam is an online service. GateWall Mail
Security IMAP client places all the processed messages into the “Public
Folders\GWMS\Mark as Spam\Processed” folder.
Configuring IMAP folder access permissions
By default, all MS Exchange users authorized to work over IMAP can view messages
from other users in “Public Folders\GWMS” folders. You can configure folder access
permissions to hide messages posted by other users. Complete the following steps:
1. Open Exchange System Manager console.
2. Select “Properties” in “Public Folders\GWMS” contextual menu.
3. Open “Permissions” tab and press “Client permissions.”
4. Press “Add” and add one or more users who will not be authorized to view
messages from other users. Select “Contributor” as user role.
5. Close the properties window, select “Public Folders\GWMS” and click on
“All tasks - Propagate settings” in the shortcut menu.
Note! Users marked as Contributor will only be allowed to view their own messages
in “Public Folders\GWMS” folders.
IMAP Synchronization in IBM Lotus Notes
Complete the following actions to configure IMAP synchronization for IBM Lotus
Domino:
1. Use the mail template to create a new Lotus Domino database. The new
database will be used as a public IMAP folder. Go to File – Database –
New in the Lotus Administrator menu and specify parameters as shown in the
picture below.
2. Link the new database with a user and assign user rights as shown in the
picture below.
3. Assign corresponding rights to users authorized to work with the public
IMAP folder.
4. Prepare mail databases for IMAP integration. Open the “Server – Status”
tab in Lotus Administrator, select “Server Console” and execute the
following commands in the Live mode:
tell router quit
load convert -e mail\*.nsf
load router
5. Enable IMAP Public Folders. Open “Configuration - Messaging –
Configurations” in Lotus Administrator. Go to “IMAP - Public and Other
Users’ Folders” tab, check “Public Folders Prefix” parameter and insert link
to the new database from item (1) above to “Public folder database link.”
6. Restart the IMAP service. Execute the following commands in “Server
Console”:
tell imap quit
load imap
7. IMAP folder has the following full path in Lotus Domino:
Public_Folder_Prefix\Public_Folder_Database_name. Specify this path as
the “IMAP folder” parameter in GateWall Mail Security settings.
Note! Due to certain operating parameters, IMAP integration is not supported by later
MS Exchange and Lotus Domino versions.
Getting support
Additional information and support for Entensys software products are available at
http://www.entensys.com/support.