
Email Gateway

14 Posts authored by: jfults

How to configure McAfee Email Gateway 7.x with Content Security Reporter 2.x

 

From https://kb.mcafee.com/agent/index?page=content&id=KB83242

 

 

 

Environment

McAfee Email Gateway 7.x

McAfee Content Security Reporter 2.x

ePolicy Orchestrator 5.x

 

Summary

This article explains how to configure McAfee Email Gateway to send events to Content Security Reporter.

 

Open ePolicy Orchestrator

Click Menu, Configuration, Report Server settings

Select Log Sources

Click the Actions menu at the bottom left of the right-hand pane

Select New

Configure a Name under Log Type

For example we used: MEG5000

For Mode Select Syslog

For Log Format Select McAfee Email Gateway

Enter the Client Address(es) for Accept Log Files from the Network Device

Select TCP for the Protocol

Note! Server port will change from 514 to 610 after selecting TCP

Click OK

 

Open the McAfee Email Gateway Console

Browse to System, Logging, Alerting, and SNMP, System Log Settings

Tick the check box for Enable System Log Events

For Logging Format choose Content Security Reporter

Select the events to be sent to CSR

Expand Off-box system log

Tick the check box for Enable off-box system log

Click Add Server

Enter the IP address of the CSR Server

Change the port from 514 to 610

Note! Port 610 is what CSR uses for TCP syslog connections. MEG only uses TCP when communicating with CSR.

Apply the Changes

 

Once everything is configured the CSR Reports in ePO will allow for easy reporting on various detections.

Open the ePolicy Orchestrator Console

Browse to Dashboards

Click the drop-down and select CSR Email Activity

Click the pie chart to drill in and see the events.

 


Hello,

 

Earlier this quarter we provided a blog post on how to bypass files for Advanced Threat Detection. With the impending release of McAfee Email Gateway 7.6.3, a new feature allows files destined for Advanced Threat Detection to be bypassed from the Appliance Management Console.

 

To configure this new feature:

Open the Appliance Management Console

Browse to System, ATD Servers

Scan these file types

Select the desired file types to be scanned by ATD. The defaults are those recommended by McAfee.

Apply the changes.

Hello,

 

With the release of MEG 7.6.3, a new feature has been added which allows administrators to land on a tab other than the Dashboard after login.

 

To configure this new option:

Open the Appliance Management Console

Log in using the account for which the other tabs will be used.

Click Preferences at the upper left corner


Click the Drop Down for After login open

Select from:

Dashboard

Reports

Email

System

Troubleshoot

Last visited page

As an example, select Last visited page

Click Apply

Select the Troubleshoot Tab

Click Log Off from the Upper Right corner

Log in to the Appliance Management Console

See that the Troubleshoot Tab comes up after login instead of Dashboard

How to bypass files from being sent to MATD from MEG

 

Problem

When certain files are sent to MATD, a queue builds on the MEG Appliance because IMG files are being scanned by MATD. MEG 7.6.3 will add a UI option for creating exclusions. On MEG 7.6.2, as described in KB82451, exclusions can be configured manually so that certain file types, such as IMG files, are not passed to MATD for inspection.

 

Solution

To stop IMG files being passed from MEG to MATD, do the following:

 

NOTE: For steps on backing up and restoring configuration files, see KB56323.

 

Open the Appliance management console.

Save the Appliance configuration and place a copy in a safe location.

Open the configuration file and extract the Native\matd.xml file.

NOTE: Do not extract the entire config.zip file.

Open matd.xml in a text editor of your choice.

Locate the following section:

 

 

<Settings name="acceptable-files" type="Product" version="3.1">
  <List name="GAM" type="nstr">
    <Attr name="0" value="FF/OTR/6001"/>
    <Attr name="1" value="FF/IMG/5032"/>
    <Attr name="2" value="FF/IMG/5063"/>
    <Attr name="3" value="ARCHIVE/"/>
    <Attr name="4" value="FF/DOC/1001"/>
    <Attr name="5" value="FF/SS/3004"/>
    <Attr name="6" value="FF/IMG/5021"/>
    <Attr name="7" value="FF/OTR/6008"/>
    <Attr name="8" value="FF/IMG/5073"/>
    <Attr name="9" value="FF/IMG/5080"/>
    <Attr name="10" value="FF/IMG/5004"/>
    <Attr name="11" value="FF/IMG/5045"/>
    <Attr name="12" value="FF/IMG/5002"/>
  </List>
  <List name="Sandbox" type="nstr">
    <Attr name="0" value="FF/OTR/6001"/>
    <Attr name="1" value="FF/IMG/5032"/>
    <Attr name="2" value="FF/IMG/5063"/>
    <Attr name="3" value="ARCHIVE/"/>
    <Attr name="4" value="FF/DOC/1001"/>
    <Attr name="5" value="FF/SS/3004"/>
    <Attr name="6" value="FF/IMG/5021"/>
  </List>

Remove the following lines while making sure the other entries follow in sequence.

 

 

<Attr name="8" value="FF/IMG/5073"/>
<Attr name="9" value="FF/IMG/5080"/>

 

 

After editing, the GAM section of matd.xml should read:

 

 

<List name="GAM" type="nstr">
  <Attr name="0" value="FF/OTR/6001"/>
  <Attr name="1" value="FF/IMG/5032"/>
  <Attr name="2" value="FF/IMG/5063"/>
  <Attr name="3" value="ARCHIVE/"/>
  <Attr name="4" value="FF/DOC/1001"/>
  <Attr name="5" value="FF/SS/3004"/>
  <Attr name="6" value="FF/IMG/5021"/>
  <Attr name="7" value="FF/OTR/6008"/>
  <Attr name="8" value="FF/IMG/5004"/>
  <Attr name="9" value="FF/IMG/5045"/>
  <Attr name="10" value="FF/IMG/5002"/>
</List>

Save your changes to matd.xml.

Add the updated file into the \Native\ directory in the Config.zip file, overwriting the existing version.

Restore the config.zip to the appliance and Apply the changes.

https://kc.mcafee.com/corporate/index?page=content&id=KB77361
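The removal and renumbering step above is easy to get wrong by hand. The following Python is an added example, not part of the KB article or of the appliance software: it drops the given file-type values from one of the acceptable-files lists in the extracted matd.xml and renumbers the surviving entries so they stay in sequence. The sample document is constructed from the excerpt shown above.

```python
import xml.etree.ElementTree as ET

# Constructed from the matd.xml excerpt in the article above; the real file
# contains more settings, but only the "acceptable-files" lists are edited here.
SAMPLE_MATD_XML = """<Settings name="acceptable-files" type="Product" version="3.1">
  <List name="GAM" type="nstr">
    <Attr name="0" value="FF/OTR/6001"/>
    <Attr name="1" value="FF/IMG/5032"/>
    <Attr name="2" value="FF/IMG/5063"/>
    <Attr name="3" value="ARCHIVE/"/>
    <Attr name="4" value="FF/DOC/1001"/>
    <Attr name="5" value="FF/SS/3004"/>
    <Attr name="6" value="FF/IMG/5021"/>
    <Attr name="7" value="FF/OTR/6008"/>
    <Attr name="8" value="FF/IMG/5073"/>
    <Attr name="9" value="FF/IMG/5080"/>
    <Attr name="10" value="FF/IMG/5004"/>
    <Attr name="11" value="FF/IMG/5045"/>
    <Attr name="12" value="FF/IMG/5002"/>
  </List>
  <List name="Sandbox" type="nstr">
    <Attr name="0" value="FF/OTR/6001"/>
    <Attr name="1" value="FF/IMG/5032"/>
    <Attr name="2" value="FF/IMG/5063"/>
    <Attr name="3" value="ARCHIVE/"/>
    <Attr name="4" value="FF/DOC/1001"/>
    <Attr name="5" value="FF/SS/3004"/>
    <Attr name="6" value="FF/IMG/5021"/>
  </List>
</Settings>
"""


def _find_list(root, list_name):
    for lst in root.iter("List"):
        if lst.get("name") == list_name:
            return lst
    raise ValueError(f'no <List name="{list_name}"> in document')


def list_entries(xml_text, list_name):
    """Return the (name, value) pairs of the named <List>, in document order."""
    lst = _find_list(ET.fromstring(xml_text), list_name)
    return [(a.get("name"), a.get("value")) for a in lst.findall("Attr")]


def remove_file_types(xml_text, list_name, values_to_remove):
    """Drop every <Attr> whose value is in values_to_remove from the named list
    and renumber the survivors 0..n-1, as the manual procedure requires.
    Returns (new_xml_text, list_of_removed_values)."""
    root = ET.fromstring(xml_text)
    lst = _find_list(root, list_name)
    removed = []
    for attr in list(lst.findall("Attr")):
        if attr.get("value") in values_to_remove:
            removed.append(attr.get("value"))
            lst.remove(attr)
    for index, attr in enumerate(lst.findall("Attr")):
        attr.set("name", str(index))  # keep the name sequence gap-free
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # The same edit as the article: stop FF/IMG/5073 and FF/IMG/5080 going to GAM.
    new_xml, gone = remove_file_types(SAMPLE_MATD_XML, "GAM", {"FF/IMG/5073", "FF/IMG/5080"})
    print("removed:", gone)
    print(new_xml)
```

Run it against the file extracted from Native\matd.xml, then put the written-back text into the zip as the procedure describes.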

 

How to enable MEG 7.x RapidRetry

 

Problem

When sending mass emails through the McAfee Email Gateway to various external domains, such as domains hosted by Gmail, MX Logic, or other providers such as Yahoo/Sbcglobal, the emails are queued with the following reasons:

 

452 too many recipients.

 

451-4.3.0 Multiple destination domains per transaction is unsupported

 

Cause

New functionality was added in MEG 7.0 Patch 3 (and included in all subsequent releases) to enable RapidRetry.

 

MEG delivers emails based on the IP address(es) resolved for the destination domains (using MX lookup, domain relay configuration, and so on).

If an email has recipients in multiple domains and the MX records (for example) of two or more of those domains point to the same destination server, MEG delivers the matching recipients over the same transaction, as per section 4.5.4.1, Sending Strategy, of RFC 5321.

 

4.5.4.1. Sending Strategy

   When a mail message is to be delivered to multiple recipients, and
   the SMTP server to which a copy of the message is to be sent is the
   same for multiple recipients, then only one copy of the message
   SHOULD be transmitted.  That is, the SMTP client SHOULD use the
   command sequence: MAIL, RCPT, RCPT, ..., RCPT, DATA instead of the
   sequence: MAIL, RCPT, DATA, ..., MAIL, RCPT, DATA.  However, if there
   are very many addresses, a limit on the number of RCPT commands per
   MAIL command MAY be imposed.  This efficiency feature SHOULD be
   implemented.

 

RapidRetry was designed to address such issues.

 

Solution 1

This issue is resolved in Email Gateway 7.0.3 or higher, which is available by logging in to the ServicePortal at: https://support.mcafee.com/downloads.

 

Patches are cumulative; therefore, McAfee recommends that you install the latest one. 

 

To review the Release Notes for this patch, see PD24438.

To review Known Issues, see KB76745.

 

To enable this functionality, install patch 3 or later and then edit the config file as follows:

 

Open the Appliance management console.

Click System, System Administration, Backup and Restore.

Save a copy of the configuration file. 

 

NOTE: For full instructions on how to back up and edit an Appliance configuration file, see KB56323.

 

Create a new directory on your client.

Extract smtp-retryer-config.xml from the saved configuration file into the new directory and create a backup copy of this file.

 

 

NOTE: Ensure that you do not extract the full zip file, only the XML to be edited. Extracting the full configuration can cause corruption in the configuration.

 

Open the smtp-retryer-config.xml file with Notepad or another plain text editor.

Enable and configure RapidEnabled:

 

Locate the following entry: RapidEnabled="0"

Change 0 to 1.

 

For example:

RapidEnabled="1"

 

Add the SMTP error codes to be RapidRetried.

 

For example:

 

<RapidErrorCodes>
  <Attr name="0" value="450"/>
  <Attr name="1" value="451"/>
  <Attr name="2" value="452"/>
</RapidErrorCodes>

Save smtp-retryer-config.xml. If prompted, select .txt and ignore any warnings about removing the formatting.

 

IMPORTANT: If you save smtp-config.xml in a rich text format, the data will be corrupted.

 

Update the configuration zip file with the modified smtp-retryer-config.xml. Use Winzip or an equivalent application that works with long filenames.

 

NOTE: If you use Winzip, ensure that the full path info option is not enabled. 

 

Restore the modified zip file to the Appliance via the Backup and Restore page.

Click Apply Changes.
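As an added example, not part of the KB article, the following Python applies the RapidRetry edits to the extracted XML and first checks that the file is still plain-text XML rather than the rich-text output the IMPORTANT note warns about. The article shows only the RapidEnabled attribute and the RapidErrorCodes list, so the enclosing SmtpRetryer element in the constructed sample is an assumption, not the appliance's real schema.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for smtp-retryer-config.xml. Only the RapidEnabled
# attribute and the <RapidErrorCodes> list come from the article; the
# <SmtpRetryer> wrapper element is an assumption.
SAMPLE_RETRYER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<SmtpRetryer RapidEnabled="0">
  <RapidErrorCodes>
  </RapidErrorCodes>
</SmtpRetryer>
"""


def plain_xml_problem(data):
    """Return a description of why data is not plain-text XML, or None if it is.
    Catches the corruption the IMPORTANT note warns about: a file saved as rich
    text (RTF) or as a binary Word/Office document instead of plain text."""
    head = data.lstrip()[:8]
    if head.startswith(b"{\\rtf"):
        return "file is RTF, not plain XML: re-save as plain text (.txt)"
    if head.startswith(b"\xd0\xcf\x11\xe0") or head.startswith(b"PK\x03\x04"):
        return "file is a binary document, not plain XML"
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        return f"file is not well-formed XML: {exc}"
    return None


def enable_rapid_retry(data, error_codes=("450", "451", "452")):
    """Set RapidEnabled="1" and replace <RapidErrorCodes> with the given codes,
    numbered 0..n-1 in sequence. Returns the edited file as bytes."""
    problem = plain_xml_problem(data)
    if problem:
        raise ValueError(problem)
    root = ET.fromstring(data)
    holders = [el for el in root.iter() if "RapidEnabled" in el.attrib]
    if len(holders) != 1:
        raise ValueError(f"expected one RapidEnabled attribute, found {len(holders)}")
    holders[0].set("RapidEnabled", "1")
    codes = root.find(".//RapidErrorCodes")
    if codes is None:
        codes = ET.SubElement(holders[0], "RapidErrorCodes")
    for old in list(codes):          # start from an empty list so reruns do not duplicate
        codes.remove(old)
    for index, code in enumerate(error_codes):
        ET.SubElement(codes, "Attr", {"name": str(index), "value": str(code)})
    if hasattr(ET, "indent"):        # Python 3.9+: pretty-print like the original file
        ET.indent(root)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def rapid_retry_settings(data):
    """Return (RapidEnabled value, [(name, value), ...] under RapidErrorCodes)."""
    root = ET.fromstring(data)
    holder = next(el for el in root.iter() if "RapidEnabled" in el.attrib)
    codes = root.find(".//RapidErrorCodes")
    entries = [] if codes is None else [(a.get("name"), a.get("value")) for a in codes.findall("Attr")]
    return holder.get("RapidEnabled"), entries


if __name__ == "__main__":
    edited = enable_rapid_retry(SAMPLE_RETRYER_XML)
    print(edited.decode("utf-8"))
    print(rapid_retry_settings(edited))
```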

MEG 7.6.2 supports Advanced Threat Defense

 

KB81769

 

Environment

McAfee Email Gateway (MEG) 7.6.2 and later

 

Summary

New functionality has been added to integrate McAfee Advanced Threat Defense with the MEG appliance.

 

Solution

To enable Advanced Threat Defense support:

 

    Open the Appliance Management Console.

    Browse to System, ATD Servers.

    Click Add Server.

        Enter the IP for the ATD Appliance.

        Enter the User configured on ATD Appliance.

        Enter the Password configured on the ATD Appliance. Click Next.

        Enter Proxy Server if required. Click Next.

        Click Test Connection. Verify in the status window that MEG can successfully establish a connection to ATD.

        Click Finish.

 

    Click Apply Changes as required.

 

To enable Scanning using ATD:

 

    Open the Appliance Management Console.

    Browse to Email, Email Policies, Anti-Virus, Viruses.

    Select the Advanced Threat Defense tab.

    Select Enable Advanced Threat Defense.

        Click the drop down to configure which virtual machine profile to use to scan emails.

        Configure the Action to take. Click OK.

    Click Apply Changes.

How to configure TLS in the MEG 7.x Appliance

 

Environment

McAfee Email Gateway 7.x

 

Summary

McAfee Email Gateway (MEG) 7 encryption options include TLS, S/MIME, PGP, and Secure Mail Delivery. The Appliance can be set up to detect when sensitive data is present in a message and then require encrypted delivery of that information, if it should be allowed to leave the organization.

 

TLS (Transport Layer Security) is a standard form of encryption also commonly known as SSL (Secure Sockets Layer) 3.0. This is the protocol used to encrypt HTTPS sessions. This protocol is a transport layer encryption method, meaning that the message itself is not encrypted, only the data packets in flight between the sender and the recipient are encrypted.

 

Solution 1

Configuring TLS on the MEG 7.x Appliance via the Appliance Dashboard:

 

    Load encryption keys into the Appliance (see Related Information for instructions). 

    Configure the Appliance to perform TLS.

 

In MEG 7.x, it is possible to configure the Appliance to perform TLS encryption either as a result of the source or destination server, or as a result of policy. By default, the Appliance will offer the STARTTLS verb to any connecting host that says EHLO, and will use the STARTTLS verb whenever available when connecting to a remote host.

 

To set up TLS Encryption based on source or destination:

 

For a Source address (inbound mail):

 

    Open the Appliance Dashboard.

    Select Email, Encryption, TLS.

    Under When receiving email (gateway is acting as a server), click Add Domain.

    Enter the hostname (for example host.domain.com) or network address (for example 172.27.1.1/32) of any server to which you want to offer or disallow TLS.

 

    NOTE: In MEG 7, it is necessary to identify the hostname or IP address of the connecting server. Entering a Hostname is useful only if Email, Email Configuration, Lookup Reverse DNS is selected.

    If a domain name is to be used, it should be entered as a wildcard host entry (*.domain.com) because any other result will not function. If the reverse DNS entry for the connecting IP does not return the domain in question, it will not take effect.

    For example, when configuring to require TLS for gmail.com, either identify the source IP address for the sending server in question or identify *.1e100.net as the sending server, not *.gmail.com.

 

    Under Use TLS, select the appropriate option:

        Never - The Appliance will never offer the STARTTLS verb to the connecting server.

        When Available - The Appliance will offer the STARTTLS verb, and will accept it if the connecting server sends it.

        Always - The Appliance will offer the STARTTLS verb, and will not communicate with the sending server unless a TLS session is established.

        NOTE: Advanced TLS settings are listed in the Related Information section. However, McAfee recommends that you do not change or modify these settings.

 

    Select whether to authenticate the client. Select this option to require the sending server to also provide a certificate to prove its identity.

    Select the certificate to use for the domain in question.

    Move the entry up or down in the list, as necessary.

    NOTE: The default entry for the wildcard (*) domain to use TLS when available must be the final entry in the list. If it is not, this rule will match any domain and will make all rules below it irrelevant.

    Click OK and Apply changes as required.

 

 

For a Destination Address (outbound mail):

 

    Open the Appliance Dashboard.

    Select Email, Encryption, TLS.

    Under When sending email (gateway is acting as a client), click Add Domain.

    Enter the hostname (for example host.domain.com) or network address (for example 172.27.1.1/32) of any server for which you want to request TLS when connecting.

    NOTE: The same requirements are present for sending mail as are explained under Source Address (step 4) above.

 

    Under Use TLS, select the appropriate option:

        Never - The Appliance will never offer the STARTTLS verb to the connecting server.

        When Available - The Appliance will offer the STARTTLS verb, and will accept it if the connecting server sends it.

        Always - The Appliance will offer the STARTTLS verb, and will not communicate with the sending server unless a TLS session is established.

        NOTE: Advanced TLS settings are listed in the Related information section. However, McAfee recommends that you do not change or modify these settings.

 

    Select whether the Appliance should authenticate itself if requested.

    If When requested was selected, select the certificate the Appliance should use to authenticate itself under Client Certificate.

    Select whether the sending server's certificate must match the hostname to which the Appliance is connected:

        Never - The Appliance accepts the connection even if the certificate does not match the hostname.

        Always - The Appliance will drop the connection if the certificate does not match.

    Move the entry up or down in the list, as necessary.

    NOTE: The wildcard (*) entry must be the final entry in the list.

 

    Click OK and Apply changes as required.
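The ordering note is the one that bites in practice: the list is evaluated top down and a bare * entry matches every peer. The following Python is an added illustration, not the appliance's own code, of first-match evaluation over a constructed rule table: hostname entries are matched against the peer's reverse-DNS name, network entries as CIDR ranges, and a check reports entries shadowed by a misplaced *.

```python
import fnmatch
import ipaddress

# Constructed rule tables in the shape of the TLS domain list: (entry, Use TLS).
# Entries are either a network (172.27.1.1/32) or a hostname pattern that is
# compared against the peer's reverse-DNS name, as the NOTE above explains.
RULES_OK = [
    ("*.1e100.net", "Always"),        # Google's sending hosts, matched via reverse DNS
    ("172.27.1.1/32", "Never"),       # an internal relay that cannot do TLS
    ("*", "When Available"),          # default entry, last as required
]
RULES_SHADOWED = [
    ("*", "When Available"),          # wildcard first: every peer matches here
    ("*.1e100.net", "Always"),        # never reached
]


def _as_network(entry):
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None   # not an address or CIDR, so treat it as a hostname pattern


def entry_matches(entry, peer_ip, peer_rdns):
    """Does one TLS list entry match a connection from peer_ip whose reverse-DNS
    name is peer_rdns (None when the IP has no PTR record)?"""
    if entry == "*":
        return True
    net = _as_network(entry)
    if net is not None:
        return ipaddress.ip_address(peer_ip) in net
    if peer_rdns is None:
        return False   # hostname entries rely on reverse DNS: no PTR, no match
    return fnmatch.fnmatchcase(peer_rdns.lower(), entry.lower())


def select_tls_option(rules, peer_ip, peer_rdns):
    """First-match evaluation down the list; returns (entry, Use TLS) or None."""
    for entry, option in rules:
        if entry_matches(entry, peer_ip, peer_rdns):
            return entry, option
    return None


def shadowed_entries(rules):
    """Entries that can never match because a bare '*' sits above them."""
    for index, (entry, _) in enumerate(rules):
        if entry == "*":
            return [e for e, _ in rules[index + 1:]]
    return []


def connection_outcome(option, peer_offers_starttls):
    """Result of a Use TLS option once the peer has (or has not) offered STARTTLS."""
    if option == "Never":
        return "plaintext"
    if option == "When Available":
        return "tls" if peer_offers_starttls else "plaintext"
    if option == "Always":
        return "tls" if peer_offers_starttls else "refused"
    raise ValueError(f"unknown Use TLS option: {option}")


if __name__ == "__main__":
    print(select_tls_option(RULES_OK, "203.0.113.5", "mail-ab1.1e100.net"))
    print("shadowed:", shadowed_entries(RULES_SHADOWED))
```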

 

Solution 2

Configuring TLS on the MEG 7.x Appliance via an ePO server:

 

NOTE:

 

    Perform these steps before setting the Appliance to accept configuration from the ePO server.

    The following instructions are specific to ePO 4.5, but are similar for all versions of ePO:

 

    Load the encryption keys into each ePO managed Appliance: 

        Open the Appliance Dashboard.

        Select System, Appliance Management, Email Gateway Certificate and populate the fields with the appropriate data. 

        Click Apply changes.

        Once the changes have been applied, click the link displayed to Generate Certificate Signing Request.

        Provide the CSR to your CA of choice.

        Once the CA provides the signed certificate, select System, Appliance Management, Email Gateway Certificate and click Import.

        Click Browse and select the certificate file.

        Enter the passphrase if required.

        NOTE: This is usually not required unless the CSR was generated outside the Appliance.

 

        Click OK.

 

        Once the Appliance Dashboard is displayed:

            Log in to the Dashboard.

            Select Email, Certificate Management, Certificates, TLS Certificates and Keys.

            Verify that the cert data on the Default Email Gateway Certificate matches that loaded into the Dashboard and that the icon next to the certificate is green with no yellow triangle present.

            If the triangle is present, load the appropriate CA certificates under the CA Certificates link on this page.

            Click OK and Apply changes as required.

 

    Configure the Appliance to perform TLS (perform these steps in ePO).

        Open the ePO manager.

        Select Menu, Policy, Policy Catalog.

        For Product, select McAfee Email Gateway 7.0.

        Under Category, select 07 - Encryption.

        On your policy for the Appliance, click Edit Settings. This displays the MEG 7 Dashboard.

        Click the TLS tab.

        For each specific domain, set the appropriate settings and select the Default Email Gateway certificate to be used.

        Appropriate settings vary from domain to domain; however, it is usually appropriate to have:

            One entry where the domain is "*"

            Use TLS set to When Available.

            Authenticate Client (for receiving) is set to No

            or

            Authenticate self (for sending) is set to When Requested .

 

        Click Save.

 

    On each managed Appliance:

        Select System, Component Management, ePO.

        Select Allow configuration to be applied from ePO.

        Click OK and Apply Changes as required.

 

Your Appliance will now be managed by the ePO server for the purpose of applying policy, but the TLS certificate for each Appliance will be individual and CA-signed.

Related Information

Advanced TLS Settings - Cipher Strength:

 

    Allow only strong ciphers (128-bit or greater)

    This option allows only ciphers with a key length of at least 128 bits to be used for encryption

    Allow all cipher strengths

    This option allows ciphers of any strength to be accepted.

    Allow no encryption (not recommended)

    This option is available only if Allow All Cipher Strengths is selected.

    NOTE: McAfee recommends not selecting this option because it will allow ciphers that do not encrypt the traffic, thus defeating the purpose of TLS.

    Allow anonymous key exchange

    This option allows the use of ciphers that do not provide authentication features.

    NOTE: McAfee recommends not selecting this option because it does not allow verification of the identity of the remote server.

 

Creation of Encryption Keys:

Unlike earlier versions of the EWS software, MEG 7.x includes a self-signed certificate. This self-signed certificate can be used to initially perform TLS with remote hosts. However, many remote hosts will not accept the built-in, self-signed certificate because the certificate is not signed by a publicly known Certificate Authority. Therefore, McAfee recommends that, when configuring the Appliance to use TLS for email security, administrators obtain a CA-signed certificate at least for the receiving side.

 

It is possible to generate a CSR; however, that CSR will have a key length of 2048 bits. It is not possible to specify any other key length in the MEG 7 software. If a different key length is necessary, the key must be manually generated. Also, it is not possible to load the resulting certificate into the SMTP TLS certificates listing in the UI. In order to use it, first load the certificate back into the location of the UI where the CSR was generated, then re-export the certificate and private key. These steps are necessary because the UI does not provide the private key when generating a CSR, and the private key is required to load a certificate into the SMTP TLS Certificates portion of the UI.

 

For more information see:

 

    KB60557 - How to generate a certificate signing request (CSR) for third-party certificate authorities to be used with the EWS or MEG Appliance

    KB74880 - How to import a TLS certificate into an EWS or MEG 7 Appliance

 

NOTE:

 

    When using TLS as a receiver, ensure your certificate matches the hostname on your MX record. This can be done by creating a certificate for each appliance, or can be done through the creation of a wildcard certificate. Wildcard certificates are certificates with a hostname of "*.domain.com", and can be applied to any device within domain.com.

 

    Configuring encryption based upon policy is common to all encryption types, and is covered in KB76398.

Emails sent via TLS are rejected with 554 Certificate Rejected over TLS (wrong cipher returned).

 

KB78818 covers how to disable TLS 1.2 for 7.5.x & 7.6.x

 

Environment

McAfee Email Gateway (MEG) 7.5, 7.5.1, 7.6.1

 

Problem

If you send email to external domains using TLS, MEG 7.5 aborts the TLS session. If this happens, administrators and/or users see the following message (via the Dashboard and DSN):

 

554 Certificate Rejected over TLS (wrong cipher returned).

 

Cause

This issue occurs when the remote side of the conversation indicates that they want to use TLS 1.0, but then indicates that they want to use a cipher suite defined in the TLS 1.2 specification.

 

Solution

The preferred solution for this issue is for the remote server administrators to fix their mail servers to use TLS 1.2, if available.

 

NOTE: McAfee Support has found this issue to be both pervasive and problematic. For MEG 7.5.2, TLS v1.2 will be disabled by default with a user-controlled option to re-enable it.

Workaround

Disable all TLS 1.2 ciphers.

 

To fix this issue, you need to edit the Appliance configuration files. For full steps on backing up and editing the Appliance configuration files, see KB56323.

 

IMPORTANT: McAfee recommends that you save the configuration file from the McAfee Appliance and store a backup copy in a separate location. Edit the copy of the configuration file, and keep a current version in a safe place at all times.

 

    Export and extract the Appliance configuration file:

 

        On the Appliance, select System, System Administration, Configuration Management, Backup Configuration.

        Click Backup Configuration, then click the link to save the configuration.

        Save this configuration to a new folder.

 

        NOTE: The numbers in the name of the configuration file change with new versions and updates.

 

        Right-click the configuration file and select Open with WinZip.

 

    Edit the Appliance configuration file:

 

        Navigate to config\Native\smtp-config.xml.

        Right-click smtp-config.xml and select Open with WordPad.

 

        NOTE: Ensure that you do not extract the full .zip file, only the XML to be edited. Extracting the full configuration can cause corruption in the configuration.

 

        Locate the ForbiddenCiphers section and change it to read as follows (copy and paste the following):

 

        <ForbiddenCiphers>
          <Attr value="aNULL" name="0"/>
          <Attr value="TLSv1.2" name="1"/>
        </ForbiddenCiphers>

 

        Save the file.

        Update the Appliance config file with the edited smtp-config.xml.

 

    Restore the Configuration File to the Appliance:

 

        Log on to the Appliance manager console.

        Select System, System Administration, Configuration Management, Restore Configuration.

        Click Restore From File.

        Locate the .zip file you just created and click OK.

        Select the Values to Restore and click OK.

        Click Close.

        Click Apply Configuration Changes.

        Type a comment and click OK.

 

Note! With the upcoming release of MEG 7.6.2, a UI option will be available to disable TLS 1.2.

 

To do this, open the Appliance Management Console

Browse to Email, Encryption, TLS

Expand TLS Options (Advanced)

Uncheck Enable TLS v1.2 cipher suites

Apply the Changes.

 

Support often receives questions on how to disable SSLv2 in MEG 7.x to meet compliance checks. The steps to disable it follow.

 

How to disable SSLv2 for Email Gateway

Technical Articles ID:  KB76671

 

Environment

McAfee Email Gateway 7.x

 

Summary

To pass compliance scans, you must disable SSLv2 for Email Gateway.

 

To determine if SSLv2 is enabled:

 

    Open an SSH session to the Appliance. For more information, see KB60469.

    Type the following command:

 

    openssl s_client -connect <Appliance_IP>:25 -starttls smtp -ssl2

 

    where <Appliance_IP> is the IP address of the Appliance you are testing.

 

    Verify that the handshake completes. 

 

 

To disable SSLv2 for SMTP TLS:

 

    Export and extract the Appliance configuration file:

        Create a new folder and assign a descriptive name. For example, Appliance_config_backup.

        Log on to the Appliance Management Console and select System, System Administration, Cluster Management, Backup and Restore Configuration.

        Click Backup Config, then click the link to save the configuration.

        Save this configuration to the new folder.

 

        NOTE: The numbers in the name of the configuration file change with new versions and updates.

 

        Right-click the configuration file and select Open with WinZip.

        At the top of the dialog box, click the Extract icon, navigate to the new folder, and click Extract.

        Save a copy of the configuration .zip file to a backup location.

 

        NOTE: Ensure that you do not delete or move the folders extracted from the .zip file.

 

     Edit the Appliance configuration file:

        Navigate to the folders you extracted and locate the smtp-config.xml file.

        Right-click smtp-config.xml and select Open with Wordpad.

        Search for ForbiddenCiphers. The entry will be in the following text section:

 

        <encryption>
          <ForbiddenCiphers>
            <Attr value="aNULL" name="0"/>
          </ForbiddenCiphers>
          <PermissibleCiphers>
            <Attr value="ALL" name="0"/>
          </PermissibleCiphers>
        </encryption>

 

        Change the entry above to read as follows.

 

        <encryption>
          <ForbiddenCiphers>
            <Attr value="aNULL" name="0"/>
            <Attr value="SSLv2" name="1"/>
          </ForbiddenCiphers>
          <PermissibleCiphers>
            <Attr value="ALL" name="0"/>
          </PermissibleCiphers>
        </encryption>

 

        Click Save.

        In the folder you created earlier, select all three extracted sub-folders, right-click, select WinZip, and click Add to Zip file.

        Click New.

        Click the Up One Level icon.

        In the File Name field, type edited_config.zip, then click OK.

        Click Add.

 

    Restore the Configuration File to the Appliance:

        Log on to the Appliance Management Console and select System, System Administration, Cluster Management, Backup and Restore Configuration.

        Click Restore from File, locate the .zip file you created, and click OK.

        Select the Values to Restore and click OK.

        Click Close.

        Click Apply Changes.

        Type a comment and click OK.

 

    Confirm that SSLv2 is disabled:

        Open an SSH session to the Appliance. For more information, see KB60469.

        Type the following command:

 

        openssl s_client -connect <Appliance_IP>:25 -starttls smtp -ssl2

        You will see an error similar to the following:

 

        error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

 

SSLv2 is now disabled for SMTP TLS transactions on the Appliance.
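The following Python, an added example that is not from either KB article, audits the encryption section of an extracted smtp-config.xml for the required ForbiddenCiphers entries and adds any that are missing (SSLv2 here, TLSv1.2 for the 554 workaround above) without duplicating existing ones, renumbering the Attr names so they stay in sequence. The sample section is taken from the SSLv2 article above.

```python
import xml.etree.ElementTree as ET

# The <encryption> section exactly as the SSLv2 article shows it before editing.
SAMPLE_ENCRYPTION_XML = """<encryption>
  <ForbiddenCiphers>
    <Attr value="aNULL" name="0"/>
  </ForbiddenCiphers>
  <PermissibleCiphers>
    <Attr value="ALL" name="0"/>
  </PermissibleCiphers>
</encryption>
"""


def _forbidden_list(root):
    node = root if root.tag == "ForbiddenCiphers" else root.find(".//ForbiddenCiphers")
    if node is None:
        raise ValueError("no <ForbiddenCiphers> section found")
    return node


def forbidden_entries(xml_text):
    """(name, value) pairs under <ForbiddenCiphers>, in document order."""
    node = _forbidden_list(ET.fromstring(xml_text))
    return [(a.get("name"), a.get("value")) for a in node.findall("Attr")]


def audit_forbidden(xml_text, required):
    """Findings a compliance reviewer would raise: required entries that are
    missing, plus a broken name sequence (the procedures above keep names in order)."""
    entries = forbidden_entries(xml_text)
    present = {value for _, value in entries}
    findings = [f"{value} is not in ForbiddenCiphers" for value in required if value not in present]
    if [name for name, _ in entries] != [str(i) for i in range(len(entries))]:
        findings.append("Attr names are not a contiguous 0..n-1 sequence")
    return findings


def ensure_forbidden(xml_text, values):
    """Add each value to <ForbiddenCiphers> if it is absent (idempotent) and
    renumber the entries 0..n-1. Returns the edited XML text."""
    root = ET.fromstring(xml_text)
    node = _forbidden_list(root)
    present = {a.get("value") for a in node.findall("Attr")}
    for value in values:
        if value not in present:
            ET.SubElement(node, "Attr", {"value": value, "name": "?"})  # numbered below
            present.add(value)
    for index, attr in enumerate(node.findall("Attr")):
        attr.set("name", str(index))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_forbidden(SAMPLE_ENCRYPTION_XML, ["aNULL", "SSLv2"]))
    fixed = ensure_forbidden(SAMPLE_ENCRYPTION_XML, ["SSLv2"])
    print("after:", audit_forbidden(fixed, ["aNULL", "SSLv2"]))
    print(fixed)
```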

With the end of support for MEG 7.0 quickly approaching, in 8 months in February 2015, we often get questions about how to migrate appliances from 5.6 or 7.0 to MEG 7.5 or 7.6. This blog post shares steps that can make migrating versions easier.

 

https://kc.mcafee.com/corporate/index?page=content&id=KB81845

 

How to migrate Email Gateway using the rescue image on the Appliance hard disk

Technical Articles ID:  KB81845

 

Environment

McAfee Email Gateway 7.x

McAfee Email and Web Security 5.6

 

Summary

Installing from the rescue image on the Appliance hard disk can make migration easier, while keeping the Configuration and Emails on the disk. This is useful when the Appliance is not local and needs to be migrated to the latest software version.

 

Solution

IMPORTANT: McAfee strongly recommends that you perform the following actions before you perform the migration:

 

    Patch the current installed version to the latest patch before performing the migration.

    Ensure that you have saved a backup of the latest configuration prior to migrating.

 

To perform the migration:

 

    Download the required ISO rescue image from the McAfee website.

 

    Export and extract the Appliance configuration file:

        Create a new folder and provide a descriptive name. For example, Appliance_config_backup.

        On the Appliance, select System, Cluster Management, Backup and Restore Configuration.

        Click Backup Config, and then click the link to save the configuration.

        Save this configuration to the new folder.

 

    Import the latest ISO:

        Open the Appliance Management Console.

        Click System, System Administration, Rescue Image.

        Click Import Image.

        Browse to the ISO that the Appliance is going to be migrated to and click OK.

 

    Perform the migration to the latest version:

        Click System, System Administration, Rescue Image.

        Click Force Boot from Rescue Image.

        Select Install software preserving configuration and email messages.

        Enter the Appliance password.

        Click OK.

 

        The Appliance reboots and uses the rescue image to reimage itself with the installation options selected.

 

        Once the migration is complete, the Appliance will boot under the upgraded version.

Subject: McAfee SNS Notice: Vulnerability Hotfixes for MEG 7.5 and MEG 7.6 Now Available

 

Vulnerability remediation hotfixes for McAfee Email Gateway (MEG) 7.5 and 7.6 are now available. These hotfixes provide remediation for CVE-2014-0160 (Heartbleed):

 

• MEG 7.5: 7.5h960401 (Requires Patch 2)

• MEG 7.6: 7.6h960405

NOTE: The appliance will reboot and an LDAP sync may be initiated after you install the hotfix.

 

For more information on CVE-2014-0160 see SB10071, https://kc.mcafee.com/corporate/index?page=content&id=SB10071

 

To download the hotfix, go to the McAfee downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.  

 

For a full list of changes, see the appropriate Release Notes document:

•    MEG 7.5 - PD25157:

https://kc.mcafee.com/corporate/index?page=content&id=PD25157

•    MEG 7.6 - PD25158:

https://kc.mcafee.com/corporate/index?page=content&id=PD25158

 

 


Some clients may use Splunk to monitor MEG appliances in the environment.  It has been asked how to configure MEG 7.x to work with Splunk like EWS 5.6 was able to.

 

The Splunk app has not yet been updated for MEG 7.x, but it still provides basic logging functionality, as described in the KB article below.  This is especially helpful when managing multiple MEG Appliances.

 

Please See:

https://kc.mcafee.com/corporate/index?page=content&id=KB71152

 

To configure Splunk with MEG 7.x:

 

Open the Appliance Management Console

Browse to System, Logging, Alerting and SNMP, System Log Settings

Click to Enable System Log Events

Select Splunk from the Logging Format

Enable the Event Types to be sent to Splunk

Expand off-box system log

Enter the IP of the Splunk Server.

For redundancy, multiple Splunk IPs can also be configured.

Note! TCP 514 is automatically used

 

Example Below:

Capture.JPG

 

In this example, if 172.16.0.220 happens to be off-line, 172.16.0.222 receives the traffic until 172.16.0.220 comes back on-line, at which point both Splunk servers receive traffic.

 

MEG normally caches up to 100 MB of events while the remote syslog server is off-line.

 

Download the McAfeeEWSReporter.ZIP from KB71152 as above.

 

Extract McAfeeEWSReporter.ZIP to a temp directory so McAfeeEWSReporter.tar.gz is extracted.

 

Install the App in Splunk by clicking Manage Apps after logging in.

 

Untitled.jpg

 

Click Install app from the menu

 

Capture2.JPG

 

Click Choose file to browse to the McAfeeEWSReporter.tar.gz extracted to the temp directory.

 

Capture3.JPG

Click Upload, ensuring that Upgrade app is ticked. Checking this will overwrite the app if it already exists.

 

Once the appliance has sent enough traffic to Splunk we should now be able to filter on the Dashboards.

 

From the Home Page for Splunk Click Dashboard for McAfee Email and Web Security then select EWS Main Dashboard.

 

Capture4.JPG

 

We can now see items in the Dashboard from MEG 7.6.

 

Capture5.JPG

 

Each bar chart can be clicked on in Splunk to reveal more information.  In our example we clicked on a few for Compliancy, which shows graymail tests that were blocked.  Note! Some newer features added in MEG 7.x are not known to the EWS App for Splunk and will show up as NULL.

 

Graymail:

Capture6.JPG

 

 

 

File Format Blocking:

 

Capture7.JPG

 

Eicar.com Test Virus:

 

Capture8.JPG

 

To verify traffic is being sent to Splunk:

 

Syslog traffic sent from MEG to Splunk can be verified with a network capture taken on the MEG under Troubleshoot, Reports, Capture Network Traffic.

 

Ensure everything is selected.

 

Let the capture run for 3 minutes, then save it from the appliance.

 

Open the downloaded file (in our case traffic_17-03-2014_165910.tar.gz) using your favorite compression utility.

 

Open the eth0-000.cap file using Wireshark.

 

Filter for tcp.port == 514 to verify packets are being sent.

 

Capture9.JPG

 

Thanks,

 

John

Environment: McAfee Email Gateway 7.x

 

Solution:

Open the Appliance Management Console

Browse to Email, Group Management, Directory Services

Click Add Server

Configure the Base Settings for:

 

Service Name

Secure Communication

Server Address of the LDAP Server to be queried

Server Port (Default is port 389) 

Server Type

Base DN

User Name

Password

McAfee recommends disabling Referrals if they are not being used.

Untitled.jpg

Click Next

Note that there are various options, such as Cache Result, which keeps the results of LDAP queries local on the appliance.

 

To test the query and verify that LDAP is working, select List of Groups.

Click Test Query

Capture.JPG

Click Perform LDAP Query

Capture2.JPG

Click Next

Click Finish

Apply the Changes

Unscannable Content Feature:

 

https://kc.mcafee.com/corporate/index?page=content&id=KB79035

 

With the release of MEG 7.6, the appliance is now able to detect emails that would cause a scan to crash or otherwise fail without returning an error. Scanning such an email usually results in the connection being dropped; if the remote sender retries, a loop develops in which the scan crashes on every delivery attempt. The appliance now detects this after several attempts and takes a pre-configured action.

 

Detection of unscannable content is available on all SMTP and Webmail policies (enabled by default).

 

A detection of unscannable content indicates a scan crash or timeout, which is often caused by a software defect. To fix such a defect, McAfee needs to obtain and analyze the content that triggers it. The unscannable content detection feature helps collect sample email messages that cause a scan crash or timeout.

 

How it works
When this feature is enabled, a unique signature is calculated for each email message sent through the appliance. A tracking file (size=0) containing the unique signature in the file name is created under the /scandir partition before a scan is attempted.

 

NOTE: The impact to disk space is minor and the file will be deleted upon completion of the scan. If the scan crashes or times out, the file will be left in place and will be detected by a process that checks the tracker directory for old files once per minute.

 

If a failed scan is detected, the appliance takes the unique signature and increments a counter for it in the backend database. Before each scan, the appliance looks up the counter for the message's unique signature in that database to check how many times the scan of a message with a matching signature has already failed. If the count is less than the configurable threshold, the scan is performed. If the count has reached the configured threshold, the appliance does not attempt to scan the message, but performs the configured unscannable content action(s).

 

NOTE: Seemingly identical messages composed with the same email client might still differ (for example, in their MIME encapsulation boundaries) and may therefore be treated as two separate, unique messages.
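The tracker-file and failure-counter logic described above, as an added example (not MEG's own code): a signature is computed over the raw message bytes, a size-0 tracker file is created before the scan, a crashed scan leaves it behind, a periodic check counts stale trackers as failures, and once the threshold is reached the scan is skipped in favour of the unscannable content action. The directory, threshold, stale age and the crashing scanner are constructed for the demonstration; the real signature algorithm and database are not described on the page.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict

class UnscannableTracker:
    def __init__(self, tracker_dir, max_failures=3, stale_after=60.0):
        self.dir = tracker_dir              # stands in for the /scandir tracker directory
        self.max_failures = max_failures    # "Maximum number of failed scan attempts" (assumed value)
        self.stale_after = stale_after      # age at which a leftover tracker counts as a failed scan
        self.failures = defaultdict(int)    # stands in for the backend database counter

    @staticmethod
    def signature(raw_message):
        # Digest of the raw bytes: a different MIME boundary gives a different signature
        return hashlib.sha256(raw_message).hexdigest()

    def scan(self, raw_message, scanner):
        sig = self.signature(raw_message)
        if self.failures[sig] >= self.max_failures:
            return "unscannable-action"     # threshold reached: skip the scan, apply the action
        tracker = os.path.join(self.dir, sig)
        open(tracker, "wb").close()         # size=0 tracker file created before the scan
        result = scanner(raw_message)       # a crashing scanner raises, leaving the tracker behind
        os.remove(tracker)                  # scan finished normally: tracker removed
        return result

    def reap(self, now=None):
        # Once-a-minute check of the tracker directory for old (stale) files
        now = time.time() if now is None else now
        for name in os.listdir(self.dir):
            path = os.path.join(self.dir, name)
            if now - os.path.getmtime(path) >= self.stale_after:
                self.failures[name] += 1    # one more failed scan for this signature
                os.remove(path)

def run_demo(max_failures=2):
    # Constructed scenario: the same message crashes the scanner until the threshold is hit
    tracker = UnscannableTracker(tempfile.mkdtemp(), max_failures=max_failures)
    message = b"From: sender@example.test\r\nSubject: constructed sample\r\n\r\nbody\r\n"
    def crashing_scanner(_raw):
        raise RuntimeError("simulated scan crash")
    outcomes = []
    for _ in range(max_failures + 1):
        try:
            outcomes.append(tracker.scan(message, crashing_scanner))
        except RuntimeError:
            outcomes.append("crashed")
            tracker.reap(now=time.time() + 120)   # pretend the minute check has run later
    return outcomes
```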

 

How to configure the unscannable content detection feature

  1. Open the appliance management console by selecting Email, Email Configuration, Protocol Configuration, Connection Settings (SMTP), Unscannable content options.
  2. Select Enable detection of unscannable content.
  3. Configure the values for Maximum number of failed scan attempts and Period before content previously detected as unscannable can be rescanned.
        NOTE: McAfee recommends using the default values.
  4. Select Email, Email Policies.
  5. Select the policy on which you want to configure unscannable content detection.
  6. For the policy, select Content handling, Corrupt or Unreadable Content, Unscannable Content.
  7. Configure the action(s) for unscannable content.
        NOTE: If the quarantining option is enabled, you can capture unscannable content in your quarantine area, and later provide it to McAfee Support for analysis.
  8. Click OK.
  9. Click Apply Changes.

How to search for detection of unscannable content
Message Search in the dashboard is now capable of searching for unscannable content.

  1. Select Reports, Message Search.
  2. Click Message status.
  3. Select one of the listed statuses.
  4. Click Category.
  5. Select Unscannable Content.
  6. Click Search/Refresh.

NOTE: The conversation log will now list the unscannable content message; its SCAN section will notify you that Mail could not be scanned after several attempts.
