Cisco Email Security: Deployment and Troubleshooting


Cisco Email Security

Deployment and Troubleshooting


Raymond Jett
Technical Marketing Engineer, Cisco Content Security
Cisco Secure 2014

C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Agenda
• Email Security Deployment
o Devices
o Deployment Methods
o Virtual Requirements
o Advanced Topics
• Troubleshooting
o Basics
o Virtual Machines
o Tailing Logs
o Message Flows
o Engines

Devices Covered

This presentation will cover currently sold and supported Email Security Appliances:
• Cx00 Virtual Appliances
• C/Mx80 Series Appliances
• C170 Appliance
• C/Mx70 Series (End of Sale)
• C/Mx60 Series (End of Sale)

Traffic Flow Considerations

Email is simple. We want to be the:
• First hop in
• Last hop out

There are many ways to install Email Security products, some better than others.

Traffic flow and installation connectivity will depend on your security policy needs.
• Turn SNMP Inspection OFF on your firewalls

Ports and Protocols
Typically Used Between the ESA and the Internet

Inbound from Internet:
• TCP 25: SMTP
Outbound to Internet:
• TCP 25: SMTP
• TCP 80: HTTP
• UDP 123: NTP
• TCP 443: TLS/HTTPS

The complete list can be found in the ESA Configuration Guide, Appendix C
Ports and Protocols
Typically Used Between the ESA and the Internal Network

Inbound from internal network:
• TCP 22: SSH
• TCP 25: SMTP
• UDP 161: SNMP
• TCP 443: HTTPS
Outbound to internal network:
• TCP 25: SMTP
• TCP 80: HTTP
• UDP 162: SNMP
• TCP 389: LDAP
• TCP/UDP 514: Syslog

The complete list can be found in the ESA Configuration Guide, Appendix C
Support Tunnels
Beware of Firewall Issues

Support Tunnels allow TAC to connect and remotely fix issues and can be used over:
• TCP 22: SSH
• TCP 25: SMTP
• TCP 53: DNS
• TCP 80: HTTP
• TCP 443: HTTPS
The firewall must have the desired port open AND allow for SSH to be tunneled over it. Deep inspection on non-SSH ports could block the tunnel.

The complete list can be found in the ESA Configuration Guide, Appendix C
ESA Installation Types

There are multiple ways to configure the ESA on a network. Each has its pros and cons.

ESA Installation
Parallel to the Firewall

• Easy to Configure
• Security Nightmare
• No protection for the inside network or outside interfaces
• The ESA is hardened, but this is a DO NOT DO scenario

ESA Installation
Protected Private Interface

• Easy to Configure
• Still a Security Nightmare
• No protection for the outside interface
• The ESA is hardened, but this is a DO NOT DO scenario

ESA Installation
Protected Public Interface

• Public interface protected by firewall
• Can filter inbound and outbound email related traffic
• No inside interface filtering
• Works well in smaller accounts
• Unprotected inside interface can cause heartburn with security teams

ESA Installation
Single Interface

• System protected by firewall
• Simplifies firewall configuration for passing email related traffic
• No specific routes required on the ESA. Minimizes network troubleshooting
• Single interface represents a possible single point of failure or bottleneck
• Preferred and THE most common method of installation by customers

ESA Installation
Dual DMZ Interfaces

• Inside and outside interfaces protected by firewall
• Can fully filter and control inbound and outbound email related traffic
• Offers protection of all resources
• Firewall represents a possible single point of failure or bottleneck
• Static routes required on the ESA

ESA Installation
Large DMZ with Dual Firewalls

• System is well protected
• Allows for maximum control and isolation of traffic flowing in the DMZ
• Static routes required on the ESA
• Configure redundant firewalls for maximum uptime and to reduce single points of failure

ESA Installation
Separate Management Network

• Meets the most stringent customer connectivity needs
• Requires a larger appliance with 3 interfaces
• Can be done in a multi-firewall DMZ or with a single interface installation
• Use the route command via CLI to configure traffic flows for the extra interfaces

ESA Installation
High Availability
• Use larger appliances with RAID arrays and redundant power supplies
• Configure NIC Teaming to help protect against network failures
• Cluster the Email Security Appliances
• Use multiple Email Security Appliances and MX records
• Devices can be load balanced with VIPs on a L4-7 switch

ESA Redundancy
MX Records

• The easiest and most common way to do redundancy
• Relies on the robust nature of communications on the internet
• If one server cannot be contacted, fail over to the next on the list

Diagram: Internet delivering to west.mail.company.com (West Coast Mail Server) and east.mail.company.com (East Coast Mail Server)

ESA Redundancy
Clustering Appliances

• The easiest and most common way to do redundancy
• Relies on the robust nature of communications on the internet
• If one server cannot be contacted, fail over to the next on the list
• Ensure the ESAs can communicate with each other and the SMA

Diagram: Internet delivering to clustered West Coast and East Coast Mail Servers

Virtual Architecture

• Currently supported on VMware ESX/ESXi only.
• KVM, Hyper-V, and Xen are being investigated for future support
• TAC Supported on Cisco UCS hardware
• TAC will support ESAV running on 3rd party hardware, but not provide support for the 3rd party hardware platform.

Virtual Architecture
Hardware Specifications

• Performance can vary greatly depending on system hardware
o CPU cores/speed, RAID configurations, memory bandwidth, IO bandwidth
o CPU and memory are not to be oversubscribed
• Performance testing was done on the following hardware
o UCS 5108 chassis with UCSB-B200-M3 blades
o Intel Xeon E5-2640: 6 cores, 2.5GHz clock, 15MB Cache, 1333MHz RAM speed
o Disks were configured at a RAID 5 level
• If you build your systems to meet or exceed this configuration you will have similar performance to our performance metrics
• Your Cisco or partner account teams can help you with sizing your solution

Virtual Architecture
Separate Management Network, Consolidated Data Center

• Less rack space needed
• Lower power requirements
• Lower cooling costs
• Networks are securely separated

Diagram: ESAv and Mail Server VMs on UCS, with Outside, Inside, and Virtual Management Network links behind the Internet-facing firewall

Virtual Architecture
Redundant Data Centers

• Migrate machines in event of a failure
• Easily add additional VMs for extra mail capacity handling

Diagram: ESAv and Mail Server VMs on UCS1 and UCS 2, joined by a Virtual Management Network

Advanced Topics
Outbreak Filters

Outbreak Filters is designed to catch zero-day viral attacks and blended targeted attack messages.
• Detects approx. 20 different categories of threats
• Holds messages then releases for rescanning by the IPAS engine
• Can mark up message subjects to draw attention to problems
• Rewrite URLs to redirect to a proxy back-ended by our CWS product
• Optionally prepend a warning message to the body of the email – a “Think before you click”

Outbreak Filters
Enabling Globally

Enable Outbreak Filters Globally. You may need to accept the EULA.
• Adaptive Rules are for the Viral component
• Be cautious when raising the Maximum Message Size to Scan. Increment the size slowly and monitor ESA performance

Outbreak Filters
Enabling Per Incoming Mail Policy

Enable Outbreak Filters for each Incoming Mail Policy.
• The viral component is easy, but the targeted threat component is not on by default
• The Quarantine Threat Level is for the viral component
• The Other Threats setting is the timer for the targeted threat component

Configuring Outbreak Filters

• Enable Message Modification and URL Rewriting MUST be set for the targeted threat components to be active
• Threat Level default is 3. Raising it to a 2 or 1 makes it more aggressive in identifying threats
• False positives are OK with this feature as messages not caught by IPAS rule updates after quarantine timer expiration are delivered to the end user with the appropriate mark ups and changes

Advanced Topics
URL Reputation and Filtering

Included in the Outbreak Filters policy and introduced in AsyncOS 8.5.x; Outbreak Filters and IPAS use web reputation components to target more spam
• Enable URL filtering globally to enable it in IPAS and Outbreak Filters automatically.
• A whitelist can be created to bypass scanning for specific domains at a global level

Configuring URL Category Filtering
URL Category Condition

Introduced in 8.5.x, this new Content Filter Condition lets you filter URLs by category
• Enforce Acceptable Use Policies for the web on incoming email
• Any action available in Content Filters can be taken on the messages: Drop, Quarantine, BCC, etc.
• A whitelist can be used to bypass specific URLs at this level

Configuring URL Category Action
Actions to Take on URLs

A new Content Filter Action lets you take specific actions on URLs by category:
• Defang, Redirect to the Cisco Security Proxy, or Replace the URL with a text message for users.
• These actions can be performed on all messages, or only on unsigned messages to keep from breaking message signatures
• A whitelist can be used to bypass specific URLs at this level

Filtering URLs by Reputation

Introduced in 8.5.x, this new Content Filter Condition lets you take specific actions on URLs by raw URL reputation scoring:
• If you wish to broaden the Malicious category using a Custom Range, do so slowly and deliver the messages to a quarantine until you are satisfied with the results.
• A whitelist can be used to bypass specific URLs at this level
• Any CF Action can be taken based on URL Reputation Conditions

Filtering URLs by Reputation
Actions to Take on Reputation

Introduced in 8.5.x, this new Content Filter Action lets you take specific actions on URLs by raw URL reputation scoring:
• Defang, Redirect, or Replace the URL with a text message
• Replicate any Custom Range from CF Conditions here
• A whitelist can be used to bypass specific URLs at this level

Advanced Topics
DKIM – DomainKeys Identified Mail

In a nutshell: senders sign outgoing messages which recipients can verify
• Helps avoid spoofing of messages
• Transparent: Does not affect receiving of messages if not used by recipients
• Public keys published by sender in DNS
• Keys checked upon receipt, configure in Mail Flow Policies
• Use Content Filters to control messages based on results

DKIM – DomainKeys Identified Mail

DKIM Verification includes:
• Pass: This message was signed by DKIM. These should be delivered
• Neutral: The message was not signed by DKIM. These should be delivered
• TempError: There was a temporary error during DNS lookups. These should be delivered
• PermError: An unrecoverable error occurred during verification. These should be delivered
• HardFail: The signature is not valid for this message. These should be quarantined or dropped
• None: Verification was not attempted as the MFP for the message has DKIM Verification disabled

Advanced Topics
SPF – Sender Policy Framework

Senders publish a list of systems used for sending email
• Helps avoid spoofing of messages
• Transparent: Does not affect receiving of messages if not used by recipients
• List is published by sender in DNS
• Ends with ?all, ~all, or -all
• IP/hostnames checked upon receipt of message. Configure in Mail Flow Policies
• Use Content Filters to control messages based on results

SPF – Sender Policy Framework

SPF Verification includes:
• None: The domain does not have an SPF record. These should be delivered
• Pass: The IP address of the sender is included in the SPF record. These should be delivered
• Neutral: The IP address of the sender matches a host mechanism with the ? prefix. These should be delivered
• SoftFail: The IP address of the sender is not listed in the SPF record. Because of the ~all at the end of the record, you shouldn’t drop these but you may want to quarantine or mark up before delivery.
• Fail: The IP address of the sender is not listed in the SPF record. These should be quarantined or dropped
• TempError: There was a temporary error during DNS lookups. These should be delivered
• PermError: An unrecoverable error occurred during verification. These should be delivered

Shortcomings
SPF and DKIM

There are shortcomings with DKIM and SPF that make them difficult to implement
• You must decide what to do with messages that fail checks
• Do you know all the systems you have that send email?
• What about third parties sending on your behalf?
• Targeted messages from cousin domains could be signed
• No feedback from recipients on message disposition

DMARC
Domain-Based Message Authentication, Reporting & Conformance

DMARC addresses many of the shortcomings with DKIM and SPF
• Senders publish DKIM records in DNS telling recipients how to process messages purported to come from them
• Recipients can automatically send reports to the senders
• By tying DKIM and SPF together, DMARC has gained rapid acceptance by financial, e-commerce, and other business segments plagued by spoofed emails
Only one test (DKIM or SPF) needs to pass for DMARC checks to pass

Configuring DMARC

• Enable DKIM and SPF Verification in each Mail Flow Policy – no need to create the
Content Filters
• Global settings such as bypassing verification for emails with specific headers must
be configured.
• Additional contact information mailbox should not be a real user. These are being
harvested by spammers.

DMARC
Domain-Based Message Authentication, Reporting & Conformance

Different DMARC Verification Profiles can be configured for each Mail Flow Policy
• Set the Message Action for Reject to reject the message and give a 550 message back to the sender
• Choose the quarantine to place quarantined messages in
• TempFail and PermFail messages should be accepted.
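The following Python script is an added example, not code from the presentation or from AsyncOS, showing how a DMARC verifier turns the SPF and DKIM results from the previous slides into a verdict and one of the Verification Profile actions above (accept, quarantine, or reject with a 550). It assumes a constructed in-memory table in place of the _dmarc TXT lookups, and approximates the organizational domain by the last two labels instead of the Public Suffix List.

```python
"""DMARC verdict from SPF and DKIM results, with identifier alignment.

Added example; not code from the presentation or from AsyncOS. The record
lookups are replaced by a constructed in-memory table, and organizational
domains are approximated by the last two labels (a real verifier uses the
Public Suffix List).
"""
from dataclasses import dataclass

# Constructed stand-in for the _dmarc.<domain> TXT records a verifier would fetch.
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "shop.example": "v=DMARC1; p=quarantine",
    "blog.example": "v=DMARC1; p=none",
}


@dataclass
class AuthResults:
    """What the Mail Flow Policy's SPF and DKIM verification produced."""
    from_domain: str   # domain of the RFC 5322 From: header
    spf_result: str    # pass / fail / softfail / neutral / none / temperror / permerror
    spf_domain: str    # domain SPF was checked for (MAIL FROM)
    dkim_result: str   # pass / hardfail / neutral / none / temperror / permerror
    dkim_domain: str   # d= tag of the verified signature, "" if no signature


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    """Approximation: keep the last two labels (no Public Suffix List here)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(r):
    """Return (dmarc_result, action) for one message.

    action mirrors the DMARC Verification Profile choices on the slide:
    'accept', 'quarantine' or 'reject' (a 550 back to the sender)."""
    record = DMARC_RECORDS.get(r.from_domain.lower())
    if record is None:
        return "none", "accept"            # sender publishes no policy
    tags = parse_dmarc(record)
    spf_ok = (r.spf_result == "pass"
              and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r")))
    dkim_ok = (r.dkim_result == "pass"
               and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:                   # only one aligned pass is needed
        return "pass", "accept"
    if r.spf_result == "temperror" and r.dkim_result == "temperror":
        return "temperror", "accept"        # TempFail: nothing definitive, accept
    policy = tags.get("p", "none")
    if policy == "reject":
        return "fail", "reject"
    if policy == "quarantine":
        return "fail", "quarantine"
    return "fail", "accept"                 # p=none: monitor only


if __name__ == "__main__":
    spoof = AuthResults("bank.example", "fail", "other.example", "none", "")
    print(evaluate_dmarc(spoof))   # ('fail', 'reject')
```

Note the strict-alignment case: a DKIM signature from mail.bank.example passes DKIM but does not satisfy adkim=s for a From: of bank.example, so the message still fails DMARC. That is the situation to check first when a legitimate subdomain sender starts being rejected.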

Sending Messages
Using DKIM, SPF, and DMARC

This is beyond the scope of this presentation, but it requires configuration both on and off the ESA:
• Creating DKIM, SPF, and DMARC records in DNS
• Creating DKIM signing keys and Domain Signing Profiles on the ESA
• Enable DKIM Signing on the RELAYED MFP

Use Caution
When Creating Your SPF Record

Do not use -all unless you know ALL of the email senders sending on your behalf.
• Amazon.com uses -all. When is the last time you saw spoofed email on that domain?
• Allow third parties to relay through a set of ESAs from specific IP addresses. Cisco IT does this.
You are limited to 10 recursions when doing SPF record queries
• Do not use hostnames. Use IP addresses and save FQDNs for includes
Keep your record <512 bytes in size
• You’re using DNS queries. When you pass 512 bytes it’s a TCP connection instead of UDP and many networks filter TCP 53
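The following Python script is an added example, not code from the presentation or from AsyncOS, that applies the limits on this slide and the qualifiers from the SPF Verification slide to a record offline: it counts the DNS-lookup terms against the limit of 10, checks the 512-byte size, flags a/mx/ptr hostname mechanisms, and evaluates a sending IP against the ip4/ip6 terms and the final all to return pass, fail, softfail, or neutral. The records are constructed; include, a, mx, ptr, exists, and redirect are counted but not resolved, so lookups inside an included record are not added.

```python
"""Offline sanity checks for an SPF record and an ip4/ip6-only evaluation.

Added example; not code from the presentation or from AsyncOS. Terms that
need DNS (include, a, mx, ptr, exists, redirect) are counted toward the
10-lookup limit but not resolved, so check_ip() only matches ip4/ip6 terms
and the final 'all'. The records below are constructed.
"""
import ipaddress

# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: a tight one, one that breaks the slide's rules, one with no 'all'.
GOOD = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 include:_spf.partner.example -all"
RISKY = ("v=spf1 a mx include:a.example include:b.example include:c.example "
         "include:d.example include:e.example include:f.example include:g.example "
         "include:h.example include:i.example ~all")
OPEN_ENDED = "v=spf1 ip4:198.51.100.0/24"


def parse_spf(record):
    """Return a list of (qualifier, name, value) for each term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                       # modifier such as redirect=, exp=
            name, value = term.split("=", 1)
            parsed.append(("+", name.lower(), value))
            continue
        qualifier = "+"                       # no prefix means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/", 1)[0]          # 'a/24' -> 'a' (CIDR on a/mx)
        parsed.append((qualifier, name.lower(), value))
    return parsed


def audit_spf(record):
    """Check the record against the limits on the slide."""
    parsed = parse_spf(record)
    size = len(record.encode("ascii"))
    lookups = sum(1 for _, name, _ in parsed if name in LOOKUP_TERMS)
    all_terms = [q + "all" for q, name, _ in parsed if name == "all"]
    return {
        "bytes": size,
        "size_ok": size < 512,
        "lookups": lookups,               # top level only; each include adds its own
        "lookups_ok": lookups <= 10,
        "all": all_terms[-1] if all_terms else None,
        "hostname_mechanisms": [name for _, name, _ in parsed if name in ("a", "mx", "ptr")],
    }


def check_ip(record, ip):
    """Evaluate a sending IP against the record's ip4/ip6 terms and 'all'."""
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        # DNS-based terms are skipped in this offline example
    return "neutral"                          # nothing matched and no 'all'


if __name__ == "__main__":
    for rec in (GOOD, RISKY, OPEN_ENDED):
        print(audit_spf(rec), check_ip(rec, "192.0.2.1"))
```

The RISKY record shows why the slide says to save FQDNs for includes: a and mx each cost a lookup on top of the nine includes, so the record is over the limit before any of the included records are even fetched.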

Additional Resources
For DKIM, SPF, and DMARC

Check an SPF record: https://dmarcian.com/spf-survey/
More information on DKIM: http://www.dkim.org/#introduction
Check a DMARC record: https://dmarcian.com/dmarc-inspector/

Troubleshooting

Virtual machine considerations:
• Licensing
• Cloning
• Mixed Clusters with HW Appliances
All Systems:
• Testing Communications
• Using mail_logs

Licensing

Virtual Machines are licensed differently than hardware devices
• Licensed by VLN ID
• Use the showlicense CLI command to get the VLN ID
• License is loaded via the CLI using the loadlicense command
o FTP the license to the appliance OR paste the file data into the terminal program

Licensing
“Malformed License” Error

The default program for opening XML on Windows is Internet Explorer. When copying the license from IE and pasting into the ESAV, you will receive an error:
• “Malformed License: Invalid XML, could not parse”

Don’t open the file with IE. Use a text editor such as Wordpad.

Figure: Example of opening a license file with IE

Cloning Virtual Machines

Cloning the ESAV should be done before you deploy it.
Cloning a configured system will forcefully expire any licenses on the new machine.
Additional steps are required if cloning a configured system:
• Licenses must be reinstalled
• Messages in queues must be delivered first or cleared before cloning
• Network settings must be changed
• Quarantines must be cleared
• Message Tracking and reporting data must be deleted

Mixed Clusters
Virtual and Hardware Appliances

Virtual ESA uses a different manifest server than the hardware appliances
• ESAV: update-manifests.sco.cisco.com:443
• ESA: update-manifests.ironport.com:443

If you are joining virtual appliances with physical appliances in the same cluster this setting will be overwritten on the virtual appliances.

If mixing clusters you can:
• Create a Group Level configuration for the virtual appliances update setting
• Use Machine Level update settings to have the correct Dynamic Host settings for the virtual appliances

Testing Communications
The Basics

From the CLI, use ping to test communications on, then off, the subnet. If you can ping the default gateway, try to ping a system on the internet or the internal network.

If pinging to these networks fails, check your firewall rules and route rules for traffic.

If pinging by hostname fails, check DNS.

Testing Communications
The Basics

From the CLI, use nslookup to test DNS. If you cannot connect on port 53 check your DNS and/or firewall rules.
Use a domain name and choose the type of query to do. For querying MX records for a domain, choose query type 4.

Testing Communications
The Basics

From the CLI, use telnet to test communications off the subnet to ensure port 80 is open. If you cannot connect on port 80 check your firewall rules.
If a proxy is required, set it on the ESA:
• UI under Security Services > Service Updates
• CLI using updateconfig

Testing Communications
The Basics

From the CLI, use telnet to test communications off the subnet to ensure port 25 is open to the internet and to your internal email server.
Use standard SMTP commands to manually send a message:
• helo
• mail from:
• rcpt to:
• data
End the message with a period on a blank line, then use the SMTP command quit to end the session.
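The following Python script is an added example, not code from the presentation or from AsyncOS, that plays out the manual session above with both sides shown: the client sends helo, mail from, rcpt to, data, the body ended by a lone period, and quit, and collects the reply code for each step. The server it talks to is a constructed stand-in that answers only those commands, so the exchange runs offline; pointing smtp_test_session() at a real host on port 25 reproduces what the telnet test does.

```python
"""Manual SMTP test session, both sides, against a local stand-in server.

Added example; not code from the presentation or from AsyncOS. The stand-in
server below is constructed so the exchange runs offline; point
smtp_test_session() at a real host and port 25 to reproduce the telnet test.
"""
import socket
import socketserver
import threading


class StandInSMTP(socketserver.StreamRequestHandler):
    """Answers just the commands the manual test uses (HELO, MAIL, RCPT, DATA, QUIT)."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 mail.example.test ESMTP ready")
        in_data = False
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if in_data:                       # message body until a lone '.'
                if line == ".":
                    in_data = False
                    self.reply("250 2.0.0 Ok: queued as TEST0001")
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.example.test")
            elif verb in ("MAIL", "RCPT"):
                self.reply("250 2.1.0 Ok")
            elif verb == "DATA":
                in_data = True
                self.reply("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def smtp_test_session(host, port, sender, recipient, helo_name="esa.example.test"):
    """Send one test message the way the slide does and return the reply codes.

    HELO is used rather than EHLO so every server reply is a single line."""
    codes = []
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")

        def expect():
            line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            codes.append(int(line[:3]))

        expect()                                             # 220 banner
        for cmd in (f"helo {helo_name}", f"mail from:<{sender}>",
                    f"rcpt to:<{recipient}>", "data"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            expect()                                         # 250, 250, 250, 354
        sock.sendall(b"Subject: ESA connectivity test\r\n\r\nTest message.\r\n.\r\n")
        expect()                                             # 250 queued
        sock.sendall(b"quit\r\n")
        expect()                                             # 221
    return codes


def run_local_demo():
    """Start the stand-in server on a free loopback port and run the session."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StandInSMTP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return smtp_test_session(host, port, "postmaster@example.test", "user@company.example")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_local_demo())   # [220, 250, 250, 250, 354, 250, 221]
```

A real server replies 5xx to mail from or rcpt to when the ESA is not allowed to relay, and the sequence stalls at the banner when a firewall passes the TCP handshake but inspects or strips the SMTP dialogue, which is the case the Support Tunnels slide warns about.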

Testing Communications
LDAP

From the CLI, use telnet to test communications off the subnet to ensure port 389 is open to your internal LDAP server.
If you are having problems with queries try the free Softerra LDAP Browser: http://www.ldapbrowser.com/download.htm?download=browser

Tailing Logs
Using mail_logs

From the CLI, use tail mail_logs to watch what is happening when you send test messages through the ESA.
This command will display the tail of any log you choose. Use the tail command by itself and the system will list the 27 logs available.

Searching Logs
Using findevent

From the CLI, use findevent to search logs for specific messages

Searching Logs
Using grep

From the CLI, use grep to search logs for specific messages
If you don’t know the log name, use grep without any parameters to use it
interactively

Troubleshooting Mail Delivery
RAT Entries and SMTP Routes

If your mail_logs show problems delivering mail to the correct location, ensure you
have an SMTP Route for each RAT entry.
The RAT entries signify “I accept incoming email for these domains” and the
SMTP Route tells the ESA where to deliver that mail.

Troubleshooting Message Flows
TLS Messages

Use the tlsverify CLI command to verify against a domain to ensure TLS is working
properly

Troubleshooting Message Flows
What’s in Queue?

Use the showrecipients CLI command to see what is currently in queue or the
Delivery Status report on the UI to see if messages are still in the queue

Troubleshooting Message Flows
Anti-Spam Scanning

Did a spam get through? How do you determine the cause?
Examine the headers in your email client and look for the IPAS header:
• X-IronPort-Anti-Spam-Filtered: true
The X-IronPort-Anti-Spam-Result header value is valuable to TAC for investigation

Troubleshooting Message Flows
Anti-Spam Scanning

Look in Message Tracking for:
• Sender Group
• Per-recipient policy
• CASE verdicts
• Outbreak Filters verdict
Are any of the items missing?

Troubleshooting Message Flows
Sender Groups

Sender Groups are important in tracking down sources of spam as they can be
set to bypass anti-spam scanning
An example of this is the TRUSTED Mail Flow Policy used by the WHITELIST
Sender Group
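The following Python script is an added example, not code from the presentation or from AsyncOS, that does for the output of tail mail_logs or grep what the Message Tracking slides describe by hand: it joins each MID to its connection (ICID), pulls out the Sender Group, per-recipient policy, CASE verdict, anti-virus verdict and Outbreak Filters verdict, and reports which checkpoints are missing. The sample lines are constructed to approximate the mail_logs format (the exact wording varies between AsyncOS versions, so adjust the patterns to your own logs); the second message was accepted by the WHITELIST Sender Group and therefore shows no CASE verdict, which is the bypass case described above.

```python
"""Reconstruct a message's path through the ESA from mail_logs lines.

Added example; not code from the presentation or from AsyncOS. The log
lines below are constructed to approximate the mail_logs format (wording
can differ between AsyncOS versions, so adjust PATTERNS to your own output
of 'tail mail_logs' or 'grep').
"""
import re

SAMPLE_MAIL_LOGS = """\
Mon Apr 14 10:22:15 2014 Info: New SMTP ICID 1001 interface Data1 (192.0.2.10) address 203.0.113.5 reverse dns host mx.partner.example verified yes
Mon Apr 14 10:22:15 2014 Info: ICID 1001 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.5
Mon Apr 14 10:22:16 2014 Info: Start MID 5001 ICID 1001
Mon Apr 14 10:22:16 2014 Info: MID 5001 ICID 1001 From: <alice@partner.example>
Mon Apr 14 10:22:16 2014 Info: MID 5001 ICID 1001 RID 0 To: <bob@company.example>
Mon Apr 14 10:22:16 2014 Info: MID 5001 matched all recipients for per-recipient policy DEFAULT in the inbound table
Mon Apr 14 10:22:17 2014 Info: MID 5001 using engine: CASE spam negative
Mon Apr 14 10:22:17 2014 Info: MID 5001 antivirus negative
Mon Apr 14 10:22:17 2014 Info: MID 5001 Outbreak Filters: verdict negative
Mon Apr 14 10:22:17 2014 Info: MID 5001 queued for delivery
Mon Apr 14 10:22:18 2014 Info: Message finished MID 5001 done
Mon Apr 14 10:30:01 2014 Info: New SMTP ICID 1002 interface Data1 (192.0.2.10) address 198.51.100.9 reverse dns host bulk.mailer.example verified no
Mon Apr 14 10:30:01 2014 Info: ICID 1002 ACCEPT SG WHITELIST match 198.51.100.0/24 SBRS None
Mon Apr 14 10:30:02 2014 Info: Start MID 5002 ICID 1002
Mon Apr 14 10:30:02 2014 Info: MID 5002 ICID 1002 From: <promo@mailer.example>
Mon Apr 14 10:30:02 2014 Info: MID 5002 ICID 1002 RID 0 To: <bob@company.example>
Mon Apr 14 10:30:02 2014 Info: MID 5002 matched all recipients for per-recipient policy DEFAULT in the inbound table
Mon Apr 14 10:30:02 2014 Info: MID 5002 antivirus negative
Mon Apr 14 10:30:02 2014 Info: MID 5002 Outbreak Filters: verdict negative
Mon Apr 14 10:30:02 2014 Info: MID 5002 queued for delivery
Mon Apr 14 10:30:03 2014 Info: Message finished MID 5002 done
"""

# One regex per event of interest; named groups become fields on the message.
PATTERNS = [
    ("icid_new", re.compile(r"New SMTP ICID (?P<icid>\d+) .* address (?P<address>\S+)")),
    ("icid_accept", re.compile(r"ICID (?P<icid>\d+) ACCEPT SG (?P<sender_group>\S+)")),
    ("start", re.compile(r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)")),
    ("from", re.compile(r"MID (?P<mid>\d+) ICID \d+ From: <(?P<sender>[^>]*)>")),
    ("policy", re.compile(r"MID (?P<mid>\d+) matched all recipients for per-recipient policy (?P<policy>\S+)")),
    ("case", re.compile(r"MID (?P<mid>\d+) using engine: CASE spam (?P<case_verdict>\S+)")),
    ("av", re.compile(r"MID (?P<mid>\d+) antivirus (?P<av_verdict>\S+)")),
    ("outbreak", re.compile(r"MID (?P<mid>\d+) Outbreak Filters: verdict (?P<outbreak_verdict>\S+)")),
    ("finished", re.compile(r"Message finished MID (?P<mid>\d+) (?P<final>\S+)")),
]

# The checkpoints the slide says to look for in Message Tracking.
CHECKPOINTS = ("sender_group", "policy", "case_verdict", "outbreak_verdict")


def parse_mail_logs(text):
    """Return {mid: fields}, joining each MID to its connection (ICID) data."""
    connections, messages = {}, {}
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            d = m.groupdict()
            if kind == "icid_new":
                connections[d["icid"]] = {"address": d["address"]}
            elif kind == "icid_accept":
                connections.setdefault(d["icid"], {})["sender_group"] = d["sender_group"]
            elif kind == "start":
                messages[d["mid"]] = {"icid": d["icid"], **connections.get(d["icid"], {})}
            else:
                msg = messages.setdefault(d["mid"], {})
                msg.update((k, v) for k, v in d.items() if k != "mid")
            break
    return messages


def diagnose(messages, mid):
    """List the checkpoints missing for a MID and why they might be absent."""
    msg = messages[mid]
    missing = [c for c in CHECKPOINTS if c not in msg]
    notes = []
    if "case_verdict" in missing and "sender_group" in msg:
        notes.append(f"no anti-spam verdict: sender group {msg['sender_group']} may use a "
                     "Mail Flow Policy that bypasses anti-spam scanning (e.g. WHITELIST/TRUSTED)")
    return missing, notes


if __name__ == "__main__":
    parsed = parse_mail_logs(SAMPLE_MAIL_LOGS)
    for mid in parsed:
        print(mid, parsed[mid], diagnose(parsed, mid))
```

Run it over a real capture by replacing SAMPLE_MAIL_LOGS with the output of grep for the MID in question; a message that reached the user with no case_verdict and a sender group other than the default lists is the first thing to check before blaming the engine.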

Marketing Message Detection
When Spam is Not Spam

A large number of end-user spam complaints come from aggressive email marketers who use Opt-Out messaging techniques. Their messages conform to CAN-SPAM and other legal requirements.
Marketing Message Detection is off by default. Turn it on to address these messages.
Options are Deliver, Drop, Spam Quarantine, or Bounce

Is IPAS Updating Properly?

The Anti-Spam engine in the ESA regularly communicates and checks for updates to the
engines, databases, and rules. This can be checked under Security Services > IronPort
Anti-Spam
Click Update Now, or use the CLI command antispamupdate ironport force
You can run the tail updater_logs CLI command to watch for errors in updating

Is Anti-Virus Updating Properly?

Similar to Anti-Spam, the Anti-Virus engine in the ESA regularly communicates and checks
for updates to the engines, databases, and rules. This can be checked under Security
Services > Sophos or Security Services > McAfee
Click Update Now, or use the CLI command antivirusupdate force
You can run the tail updater_logs CLI command to watch for errors in updating

One Last Item
Submitting Missed Spam

Missed spam must be submitted in the proper format for us to be able to process it.
Send as an RFC 822 compliant attachment:
Spam: spam@access.ironport.com
Phish: phish@access.ironport.com
Non-Spam: ham@access.ironport.com
Marketing: ads@access.ironport.com
Use our free Outlook or Lotus Notes plug-in to make reporting easier.
For Thunderbird use the 3rd party MailSentry IronPort Spam Reporter 1.4 or newer

Resources

White Papers:
Catch More Spam: Fine-Tune Your Email Security Appliance
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html

Higher Education: Combining Features for Email Defense
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/whitepaper_C11-720311.html

Outbreak Filters:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/white_paper_c11-684611.html

Software:
Email Security Plug-in for Outlook (7.3.x) and Lotus Notes (7.1.x)
http://software.cisco.com/download/release.html?mdfid=283137618&flowid=4948&softwareid=283090992

Email Security Products:
http://www.cisco.com/go/esa and http://www.cisco.com/go/cloudemail

Questions?
