5.8 Policy Management

Policies define the entry point for messages to be filtered within your organization. To scan messages, at least one policy must be defined.

Policies can be created either automatically with Add with wizard or manually with Add new.

After policies have been created, configuration of scanning functionality is accessed from the 'Policy scan configuration' folder in the navigation panel.

Multiple policies may be created to direct messages into different scan configurations. Multiple policies are used to separate classes of email, based on the attributes of each message and its metadata. This separation is performed by policy qualifications, which check a set of message attributes to determine whether the message should be scanned by the policy. For example, to create separate policies for inbound and outbound mail, two policies would be created, each having the 'Scan by message direction' qualification and the appropriate direction enabled. As messages pass through the system, the policy manager will determine the correct policy to use.

5.8.1 Set the Policy Priority

On the right side of the policy title bars are sorting arrows.

The policy used to scan a message is selected by comparing the qualifications of each of the policies in the list, in the order displayed, from top to bottom. Qualifications are conditions of the policy such as message direction, type of interface, etc., as shown below in the Manual Policy Creation section. The selected policy, and only that policy, is then used to perform the message scan. This trickle-down selection is typically used to separate completely different rule sets for different classes of email. For example, inbound and outbound mail will generally have very different filtering requirements. Creating a policy for each direction, and defining the policy qualification based on message direction, allows for independent configurations for each direction of mail flow. You might also, for example, want messages from a specific IP address to completely bypass all of the rules. This would be possible by creating a policy at the top of the stack, qualified by IP address.

For the purpose of understanding, it is helpful to consider each policy as a single, complete and standalone message filter. This means that messages are not, and cannot be, scanned by multiple policies. The logic for testing a message with multiple filters, deciding what to do with the outcome of filtering and applying exceptions is all encapsulated within the individual policy. Any and all logic for scanning a class of message, i.e. inbound or outbound, must exist within the policy itself. An easy way to understand why multiple policies are not applied is to consider what happens if the results of two policies conflict. If policy A would block a message but policy B would allow a message, the outcome is undecided. If policy A would block an IP address and policy B would have an exception for the same IP address, the outcome is undecided. If policy A would send a message to quarantine and policy B would block a message from being quarantined, the outcome is undecided. All of these logic decisions are accommodated within each individual policy, so that is where these types of configurations are intended to be managed.
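The top-to-bottom, first-match selection described above can be modelled in a few lines to check a planned policy order before building it in the interface. This is an added example, not code from the product: the `Policy` class, its field names, the AND combination of qualifications and the sample messages are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    enabled: bool = True
    bypass_scanning: bool = False
    directions: frozenset = frozenset()   # empty: direction qualification off
    sender_networks: tuple = ()           # empty: sender IP qualification off
    invert_sender: bool = False           # models "Invert address list"

    def qualifies(self, msg):
        # Assumption: every enabled qualification must match (logical AND).
        if not self.enabled:
            return False
        if self.directions and msg["direction"] not in self.directions:
            return False
        if self.sender_networks:
            ip = ip_address(msg["sender_ip"])
            listed = any(ip in ip_network(n) for n in self.sender_networks)
            if listed == self.invert_sender:
                return False
        return True

def select_policy(policies, msg):
    """First policy, top to bottom, whose qualifications match; None if none do."""
    return next((p for p in policies if p.qualifies(msg)), None)

def shadowed(policies, samples):
    """Enabled policies that none of the sample messages ever reach."""
    reached = {p.name for p in (select_policy(policies, m) for m in samples) if p}
    return [p.name for p in policies if p.enabled and p.name not in reached]

# Constructed policies and messages (documentation-range addresses).
BYPASS = Policy("relay-bypass", bypass_scanning=True, sender_networks=("192.0.2.10/32",))
INBOUND = Policy("inbound", directions=frozenset({"inbound"}))
OUTBOUND = Policy("outbound", directions=frozenset({"outbound"}))
SAMPLES = [
    {"direction": "inbound", "sender_ip": "192.0.2.10"},
    {"direction": "inbound", "sender_ip": "198.51.100.7"},
    {"direction": "outbound", "sender_ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for label, stack in (("bypass on top", [BYPASS, INBOUND, OUTBOUND]),
                         ("bypass below inbound", [INBOUND, BYPASS, OUTBOUND])):
        picks = [select_policy(stack, m).name for m in SAMPLES]
        print(label, picks, "never reached:", shadowed(stack, SAMPLES))
```

With the bypass policy below the inbound policy, the relay's mail is claimed by the inbound policy first and the bypass is never reached, which is the ordering mistake the priority arrows exist to correct.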

You can organize policies by direction. An inbound message will only trigger on an inbound policy.

NOTE: It is recommended that there is at least one policy per interface.

After policies are created here they can be configured by choosing the policy to be configured under Policy Scan Configuration.

5.8.2 Manual Policy Creation

Policies can be created manually. Selecting items reveals more options.

  • Enabled: Default, checked

  • Bypass Scanning: If enabled, a message that enters this policy will not be scanned by it and will not be passed on to the next policy. Default, disabled.

  • Scan by message direction

    • Handle inbound mail

    • Handle outbound mail

    • Handle internal mail

  • Limit by source address

    • Invert address list: Reverses the effect of the listed items.

    • Match address list

  • Limit by recipient address

    • Invert address list: Reverses the effect of the listed items.

    • Match address list

  • Limit by sender IP address

    • Invert address list: Reverses the effect of the listed items.

    • Match address list

  • Limit by message size

    • Minimum message size in bytes

    • Maximum message size in bytes

  • Limit by interface type

    • Invert interface type list: Reverses the effect of the listed items.

    • Matched interface types: Click on [type list] to get a list of supported interfaces.

  • Limit interface

    • Invert interface list: Reverses the effect of the listed items.

    • A list of available interfaces will be available here.

  • Limit by processing server

    • Invert server list: Reverses the effect of the listed items.

    • A list of processing server names will be available here.

  • Scan archives by default: Default, enabled. This will decompress and scan compressed attachments including ZIP, GZ, and TAR.

  • Maximum archive scan depth: Default, 6.

  • Maximum archive files: Default, 1000.

  • Notes: Store notes about the policy.

5.8.3 SMTP Policy Creation With the Wizard

Create a new policy with the wizard. Click on Add with wizard.

  1. Under Policy Management, when creating a new policy you will have to choose if the policy is SMTP or IMAP.

  2. Select the Message Flow Direction. You can choose Inbound and/or Outbound.

  3. Select the features to be configured. Anti-Virus and/or Anti-Spam.

  4. Select Anti-Virus filters, Detect viruses by signature (recommended) and/or Block common attachment types that contain viruses

  5. Select if you want messages quarantined.

  6. Select if you want messages tracked in the system.

  7. A summary of what the wizard will do will appear.

  8. In a moment, it will be done.

  9. The new policy will appear. Clicking on the title allows for changing the name.

  10. Open the Policy scan configuration folder, or refresh to see the new policy, and click on the policy to see the workbench.

  11. Set the Policy Priority

5.8.4 IMAP Policy Creation With the Wizard

Create a new policy with the wizard. Click on Add with wizard.

  1. Under Policy Management, when creating a new policy you will have to choose if the policy is SMTP or IMAP.

  2. There will be another dialog box that provides an overview.

  3. IMAP Scanning Overview

    The IMAP scanner service provides inspection and/or removal of messages stored on an IMAP server. To use this service you must have access to the interface management pages of this system. Once the policy is created, it can be selected as the provider of scan services for any IMAP interfaces.

  4. Select Access Method

  5. Select Access Method

    Choose the type of scan to perform with this IMAP policy.

    If this is your first time using the IMAP scanner, it is recommended that inspection mode is initially used. As inspection mode is non-destructive it will only report on items discovered in the IMAP server, leaving all data intact.

    1. Inspection Mode

      This operation mode will inspect the IMAP server for content based on defined filters, recording findings into the Message Tracker system and/or the administration quarantine. It is useful for discovering data or threats in an IMAP server without removing any items.

    2. Cleanup Mode

      This operation mode will inspect the IMAP server for defined threats and remove items that match. Be careful to be sure that the filters used in this mode are intended to remove data, as misconfiguration can result in a loss of data.

  6. Inspection Mode

    Install Summary

    A sample configuration will be generated that includes anti-virus and text filters. The policy that will be created will be configured to work in the requested manner, with additional options for both inspection and scan mode made available but disabled to allow easy adjustment at a later time.

    Use the items generated in the configured policy as a guide to create your own filtering and scanning options as necessary.

    If you are happy with the list below, press continue to proceed with the setup procedure.

    • Policy will provide virus, text, attachment type and fingerprint filters.

    • Text filter will be empty, ready for population as required.

    • Attachment and fingerprinting filters will be populated with common threat types.

    • Virus, attachment and fingerprint filters will be configured to report to Message Tracker.

    • Text filter will be configured to report to Message Tracker and place a copy in the admin quarantine.

  7. Then you will get a message that the policy creation is complete.

  8. Setup Complete

    Your policy has been configured and is now active. To access and edit the policy, open the 'Policy Scan Configuration' folder in the navigation panel and select the policy from the list.

    To activate this policy, an IMAP interface must be created in the system. From the IMAP interface, select the policy to be used for the scan from the 'Scan policy' option on that page.

IMAP Inspection Policy Reference

  • Enabled: If disabled the policy will be skipped. Default, enabled (checked).

  • Bypass scanning: If this option is enabled, message scan requests will still be processed but the message will not be scanned. Should a scan request find a match to the policy then the message will NOT be passed to the next policy. Default, disabled (unchecked).

  • Scan by message direction: If enabled, allows you to choose between:

    • Handle inbound mail

    • Handle outbound mail

    • Handle internal mail

    • Handle collected mail (only for IMAP interface)

  • Limit by source address: Allows you to limit what addresses to include or exclude. Invert address list and Match address list options are revealed when enabled. Default, disabled (unchecked).

  • Limit by recipient address: Allows you to limit what addresses to include or exclude. Invert address list and Match address list options are revealed when enabled. Default, disabled (unchecked).

  • Limit by sender IP address: Allows you to limit what addresses to include or exclude. Invert address list and Match address list options are revealed when enabled. Default, disabled (unchecked).

  • Limit by message size: Allows you to set minimum and maximum message sizes for inspection. Default, disabled (unchecked). Minimum message size: Default, 1000 bytes. Maximum message size: Default, 20000000 bytes.

  • Limit by interface type: Select which interface types to be used. Default, disabled (unchecked). Invert interface type list and Matched interface types [type list]: Default, IMAP.

  • Limit interface: Select which interface to use. Default, disabled (unchecked).

  • Limit by processing server: Limit which processing servers the policy can use. Default, disabled (unchecked).

  • Scan archives by default: Default, enabled (checked).

  • Maximum archive scan depth: Depth of archive to scan. Default, 6.

  • Maximum archive files: Maximum number of archive files to scan. Default, 1000.

  • Notes: Reminders to your future self about why this was set up the way it was.

Cleanup Mode

Cleanup mode is identical to inspection mode, except that it will remove messages that meet the parameters.

IMAP Policy Workbench

The IMAP policy wizard will create an Inspection policy with Anti-Virus, Zero Hour Virus, Fingerprint Executable Files, Named Executable Filers, and Text filters. This will track the messages, with an Admin Quarantine for the Text Filter.

The IMAP policy wizard will create an Inspection policy with Anti-Virus, Zero Hour Virus, Fingerprint Executable Files, Named Executable Filers, and Text filters. This will track the messages, and block qualifying messages.