
McAfee Email Security Appliance 5.0 Best Practices Guide

COPYRIGHT
Copyright 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.


Contents
Email Security Appliance Best Practices . . . . . 4
The order in which the appliance scans email . . . . . 4
Suggested optimum Email Security Appliance configuration . . . . . 5
Frequently asked questions about the Email Security Appliance . . . . . 6


Email Security Appliance Best Practices


This document advises you how to set up your Email Security Appliance to get the most from it and provides some responses to the most frequently asked questions about it.

NOTE: The information in this document also applies to the mail part of the McAfee Email and Web Security Appliance product and McAfee Content Security Blade Server.

Audience
This document is aimed at McAfee Sales Engineers and McAfee Technical Support representatives, and customers who need to optimize their configuration to get the best performance.

Contents
The order in which the appliance scans email
Suggested optimum Email Security Appliance configuration
Frequently asked questions about the Email Security Appliance

The order in which the appliance scans email


To get the most from your Email Security Appliance, it helps to understand the order in which scanning happens. Resource-intensive checks such as anti-virus scanning, content scanning and anti-spam scanning all occur at later stages in the scanning process. To get maximum performance from your appliance, it is important to block as many messages as possible before the scanning phase. There are a number of options that you can set to reduce the number of messages that are passed for scanning.

Phases and checks performed by the appliance before scanning takes place

* If behind an MTA # Needs the null sender check enabled


Using all these checks provides optimum protection and usage of the appliance's resources because most of the bad content and messages are dropped or blocked before the scanning phase.

Suggested optimum Email Security Appliance configuration


McAfee recommends the following configuration changes on your Email Security Appliance to ensure optimum performance:

Disable reverse lookup to prevent delays caused by lookups
If the list of permitted and blocked senders contains host names that do not have an A-record, or if Resolve permitted / blocked hostnames to IP addresses is disabled, or if the list contains domain names, those entries do not take effect when reverse lookups are disabled. To disable the lookup, go to Email | Email Configuration | Receiving Email | Permit and Deny Lists. Deselect Reverse lookup sender IP address.

Do not allow null senders, because valid senders usually have a genuine MAIL FROM address
NOTE: Be aware that bounced messages might get rejected because they potentially have a null sender address. To block messages with no sender information, go to Email | Email Configuration | Protocol Configuration | Protocol Settings. Deselect Allow null senders.

Enable RBL checks to stop scanning messages that come from blacklisted IP addresses
To enable RBL checks, go to Email | Email Policies | Scanning Policies. Select the policy and, from the Spam column, click Sender Authentication. Select Enable RBL lookup and ensure that at least one RBL server is configured. The default server is cidr.bl.mcafee.com.

Enable kernel mode blocking to avoid repeated checks for an IP address that has already been detected as blacklisted
NOTE: Once denied, the appliance does not accept any further connection request from a specific IP address for a default period of 10 minutes. To enable kernel mode blocking, follow the steps in the previous item to enable RBL lookups and set the If the sender fails the check option to Reject, close and deny. NOTE: When kernel mode blocking is enabled, use the Dashboard to check the number of blocked connections.

Enable the recipients check to reject messages sent to non-existent users
If the appliance does not check that a recipient exists at the point of entry, it receives the complete email, scans it and sends it on to the MTA, and the MTA then rejects messages that are addressed to invalid users.


To check for valid recipient addresses, go to Email | Email Configuration | Receiving Email | Recipient Authentication. In Recipient checks, select If the recipient is not in the following list and enter the email addresses to validate. You can also select Or if the recipient is not listed in LDAP. For either check, choose the Reject or the Accept and ignore the recipient action.
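The pre-scan sequence described above (kernel-mode deny, ordered RBL lookups, null sender check, recipient validation) as an added Python model, not code from the guide or the appliance: it assumes a constructed stub resolver in place of DNS, a constructed second RBL zone (rbl-two.example) and a constructed listed address (203.0.113.9), and it counts lookups so that the cost of extra RBL servers is visible.

```python
import ipaddress

# Constructed stand-in for DNS. An RBL is queried by resolving the connecting
# address with its octets reversed under the RBL zone (the DNSBL convention);
# any answer means "listed". 203.0.113.9 is the assumed listed host.
STUB_DNS = {"9.113.0.203.cidr.bl.mcafee.com": "127.0.0.2"}
RBL_ZONES = ["cidr.bl.mcafee.com", "rbl-two.example"]   # default zone, then one more
DENY_SECONDS = 600                                       # kernel-mode deny period (10 min)

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name for an IPv4 address in the given zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

class ConnectionGate:
    def __init__(self, valid_recipients, allow_null_sender=False, resolver=STUB_DNS):
        self.denied = {}                     # ip -> time the kernel-mode deny expires
        self.valid = {r.lower() for r in valid_recipients}
        self.allow_null = allow_null_sender
        self.resolver = resolver
        self.lookups = 0                     # number of DNS queries issued so far

    def rbl_listed(self, ip):
        # Zones are consulted in list order and the loop stops at the first hit,
        # so each extra zone costs one more lookup for every address that is clean.
        for zone in RBL_ZONES:
            self.lookups += 1
            if dnsbl_query_name(ip, zone) in self.resolver:
                return True
        return False

    def check_connection(self, ip, now):
        """Connection phase: kernel-mode deny list first, then the RBL lookup."""
        if self.denied.get(ip, 0) > now:
            return "denied-kernel"           # dropped without repeating the RBL check
        if self.rbl_listed(ip):
            self.denied[ip] = now + DENY_SECONDS
            return "reject-close-deny"
        return "accept"

    def check_envelope(self, mail_from, rcpt_to):
        """Envelope phase: null sender check, then recipient validation."""
        if mail_from == "" and not self.allow_null:
            return "reject-null-sender"
        if rcpt_to.lower() not in self.valid:
            return "reject-unknown-recipient"
        return "accept-for-scanning"
```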

Frequently asked questions about the Email Security Appliance


This information provides answers to some of the questions most frequently asked of the McAfee Technical Support team.

How do I create a policy group?
Go to System | Users, Groups and Services | Policy Groups and create your policy. For example, to create a network group of internal machines using IP addresses 10.1.1.0/24:
1 In the Edit Network Group dialog box, type the group name.
2 In Rule type, select IP address.
3 In Match, choose is in.
4 In Value, type the address range and click OK.

How do I create and use email policies?
Go to Email | Email Policies | Add Policy.

Do domain names in policies affect performance?
McAfee recommends that you avoid using domain names in policy settings because it might be necessary to perform DNS lookups to compare the domain of the incoming connection with the configured domains for policy application. DNS lookups can potentially cause a delay.
NOTE: If you notice a significant reduction in performance, McAfee recommends that you check:
- The health of the DNS server(s)
- The response time for DNS queries
- Whether policies that have domain names configured can have the domain names replaced with IP addresses

How does policy priority work?
Policies are always applied in the order that they appear in the list, that is, the topmost policy in the list takes precedence if a user or device is affected by two or more policies. When there is more than one user-defined policy, you can use the up and down arrows in the Move column to change the order of the policies (and therefore their precedence).

Why can Connections and Listeners not be configured in Email Security Appliance 5.0 SMTP settings?
Email Security Appliance 5.0 uses asynchronous processes to handle SMTP proxy settings, which results in better concurrent connection handling capabilities. The necessary parameters are already configured on the appliance to give optimum performance and do not need to be altered.
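The policy group and policy priority answers above as an added Python model, not code from the guide or the appliance: it assumes two constructed IP-address network groups that overlap (10.1.1.0/24 inside 10.1.0.0/16) so that list order decides which policy applies, and a constructed move_policy helper standing in for the Move column arrows.

```python
import ipaddress

# Constructed network groups: rule type "IP address", match "is in".
# The groups overlap on purpose so that policy order decides the outcome.
NETWORK_GROUPS = {
    "Internal machines": ["10.1.1.0/24"],
    "Whole campus": ["10.1.0.0/16"],
}

# Constructed policy list in the order it would appear on the Email Policies page;
# the topmost policy that applies wins. A policy with no group is the catch-all.
POLICIES = [
    {"name": "Internal relaxed", "group": "Internal machines"},
    {"name": "Campus strict", "group": "Whole campus"},
    {"name": "Default", "group": None},
]

def in_group(ip, group_name):
    """True when ip falls inside any network configured for the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in NETWORK_GROUPS[group_name])

def select_policy(ip, policies=POLICIES):
    """First-match evaluation: walk the list top to bottom, stop at the first hit."""
    for policy in policies:
        if policy["group"] is None or in_group(ip, policy["group"]):
            return policy["name"]
    return None

def move_policy(policies, name, direction):
    """Return a new list with the named policy moved one slot up (-1) or down (+1),
    mirroring the Move column arrows; at either end of the list nothing moves."""
    names = [p["name"] for p in policies]
    i = names.index(name)
    j = i + direction
    reordered = list(policies)
    if 0 <= j < len(policies):
        reordered[i], reordered[j] = reordered[j], reordered[i]
    return reordered
```

Because the groups overlap, 10.1.1.5 is governed by "Internal relaxed" in the original order and by "Campus strict" once that policy is moved up one slot.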


Can email delivery be prioritized?
You can prioritize email delivery by specifying per-domain settings such as the number of messages per connection and the retry interval. To configure per-domain settings, go to Email | Email Configuration | Sending Email | Queued Email Delivery | Per domain settings and add the required settings. The domains' priority is the order in which they appear in the Per-domain settings list.

How can I resolve my appliance having too many connections and a high CPU?
You may experience high CPU usage because too many messages, which require a large amount of processing, are arriving at the appliance at the same time. To resolve the issue, try the configuration changes listed in this FAQ section. If the high CPU usage continues after the configuration changes, contact your McAfee Technical Support representative.

Will having more than one RBL server configured impact appliance performance?
Multiple RBL servers impact performance because the appliance does RBL lookups until it has found that the connecting IP address is blacklisted or it has no more RBL servers to check.
NOTE: The default appliance RBL server is cidr.bl.mcafee.com.

Is it beneficial to have more than one DNS server configured?
It is not necessary to have more than one DNS server configured, as long as the configured server is available and responsive. If there are multiple DNS servers present, adding the addresses of those servers as part of the DNS configuration provides fault tolerance and is not detrimental.
NOTE: DNS servers are used in the order in which they appear in the list.

Can I reduce or avoid email queues building up on my MTA when I proxy through an Email Security Appliance?
Queues build up when:
- The MTA is not supplying enough messages to the appliance. To confirm whether this is happening, check the CPU and memory usage on the appliance. If they have low values, the appliance is not being fully utilized.
- The appliance is overly busy and either the connection to port 25 of the appliance times out or there are excessive delays. To confirm whether this is happening, either telnet to the appliance's IP address on port 25 and check the response time, or perform a packet capture on the MTA or the appliance and look for any delays between requests and responses.

There are several options to keep the queues at optimum levels:
- Concurrently supply as many messages as possible from the MTA by either increasing the number of connections established by the MTA with the appliance, or decreasing the number of messages sent over every connection established with the appliance. Using both these options together ensures that many messages are sent in parallel, which keeps the queues low.


- Change the SMTP retryer settings to handle a larger number of deferred messages at any given point in time. Contact your McAfee Technical Support representative for more information.
- Combine the first two solutions.

NOTE: McAfee recommends that you do not enable the store and forward feature on an appliance running in explicit proxy mode, because it only moves queues from the MTA to the appliance.
