
Email Gateway

9 Posts authored by: Ryan Brady

When creating MQM accounts for administrators and users, certain symbols in the password are explicitly rejected, while others are accepted by the UI but the account or password is then silently not saved. Passwords built from the symbols below are accepted and saved.

The following symbols are acceptable:

< > ; " / ( ) { }

Any other symbol will cause issues with MQM. Use only the symbols in this list in passwords for MQM accounts.

In the MEG message search, you can see the disposition of a message and how it was delivered. In the Properties column, a few icons tell you whether the message was inbound or outbound, original or modified, and whether it was delivered securely.

The color of the lock icon tells you whether the message was delivered via opportunistic TLS or via a policy action. If the icon is black, TLS came from the settings under Email - Encryption - TLS: either a domain where TLS is forced or the * (any domain) option. If the icon is gold, encryption was triggered by a policy action and the message was delivered via the options under Email - Email Policies - Policy Options - Encryption Settings. Note that with the * option the hop is only encrypted when the receiving server offers STARTTLS, so if a recipient domain must always be protected, force TLS for that domain or use a policy encryption action.

Gold Lock = Policy based action

Black Lock = Domain based rule or opportunistic TLS

Taken from McAfee KnowledgeBase - How to enable new spam rules on Email Gateway for system defined header analysis

 

Environment

 

McAfee Email Gateway (MEG) 7.x

 

 

Summary

Several new spam rules have been added to MEG 7.x that look at defined header values to improve detections.

 

New Rules:

  • EDT_SDHA_SMP_HMS_FRM - Triggers when the SMTP envelope sender (MAIL FROM) is null.
  • EDT_SDHA_HMS_FRM - Triggers when the header From is missing or empty.
  • EDT_SDHA_FRM_INV (Header From Invalid) - Triggers when the RFC 822 header From is not a valid email address.
  • EDT_SDHA_ADR_FRG (Address Forged) - Triggers when either the local part or the domain part differs between the RFC 821 envelope sender and the RFC 822 header From address.
  • EDT_SDHA_DMN_FRG (Domain Forged) - Triggers when the domain part differs between the RFC 821 envelope sender and the RFC 822 header From address.

NOTE: EDT_SDHA_ADR_FRG (Address Forged) and EDT_SDHA_DMN_FRG (Domain Forged) replicate the Header Analysis feature from IronMail:
  • EDT_SDHA_ADR_FRG is functionally equivalent to the IronMail filter SDHA, 821-Address, Forged "From:" email address.
  • EDT_SDHA_DMN_FRG is functionally equivalent to the IronMail filter SDHA, 821-Address, Forged "From:" domain name.

 

Solution

Use the following procedure to enable the rules.
IMPORTANT:
  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.
  1. Open the MEG Management console and select Email, Email Policies, Policy Row, Spam.
  2. Select the Spam Rules tab.
  3. In the Filter text box, type EDT_ and click Apply.
  4. Disable all five rules displayed and click Apply.
  5. Select System, System Administration, Configuration Management.
  6. Select Backup Configuration and save the zip file to your local drive.
  7. Open the zip file, navigate to the \config directory, and open SharedSettings.xml in a text editor.
  8. Search for EDT_.
  9. For the five rules, change the enabled value from 0 to 1 and set the score to the required level.
    NOTE: The envelope sender and the header From legitimately differ for mailing lists, bulk senders and forwarded mail, so give EDT_SDHA_ADR_FRG and EDT_SDHA_DMN_FRG a conservative score first and review what they hit before raising it.
  10. Save the file and update the configuration zip file.
  11. Select System, System Administration, Configuration Management, Restore from File.
  12. Navigate to the modified zip file and load the modified config.
  13. Click OK and apply changes as required.

 

From https://kb.mcafee.com/agent/index?page=content&id=KB83165

 

Environment

 

McAfee Email Gateway (MEG) 7.x

 

 

Summary

By default, McAfee Email Gateway (MEG) allows negotiation of secure connections via SSLv3, which is subject to the POODLE padding-oracle downgrade attack (CVE-2014-3566). Perform the steps in this article to disable SSLv3 connections.

 

 

Solution

NOTE: This solution requires MEG 7.5.3 with HF971179 (3016.109) or later, or MEG 7.6.2 with H1008011 (3044.109) or later.

 

IMPORTANT:

  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.

 


To disable SSLv3 for MEG:
  1. Export the Appliance configuration file and extract machine.xml:
    1. Create a new folder and assign a descriptive name.
    2. Log on to the Appliance Management Console and select System, System Administration, Configuration Management.
    3. Click Backup Config, then click the link to save the configuration. Save the configuration to the new folder.

      NOTE: The numbers in the name of the configuration file change with new versions and updates.
    4. Save a copy of the configuration .zip file to a backup location.
    5. Right-click the configuration file and select Open with WinZip.
    6. Locate and extract machine.xml file to your new folder.
      NOTE:
      Ensure that you do not extract the full zip file, only the XML file to be edited. Extracting the full configuration can cause corruption in the MEG appliance configuration. 
  2. Edit the machine.xml configuration file:
    1. Right-click machine.xml and select Open with Wordpad.
    2. Search for ForbiddenProtocols. The entry will be in the following text section:

      <List name="ForbiddenProtocols" type="nstr">
      <Attr name="0" value="SSLv2"/>
      </List>
    3. Change the entry above to read as follows:

      <List name="ForbiddenProtocols" type="nstr">
      <Attr name="0" value="SSLv2"/>
      <Attr name="1" value="SSLv3"/>
      </List>
    4. Click Save.
    5. Update the MEG appliance configuration zip file with the edited machine.xml.
  3. Restore the Configuration File to the Appliance:
    1. Log on to the Appliance Management Console and select System, System Administration, Configuration Management, Backup and Restore Configuration.
    2. Click Restore from File, locate the updated configuration zip file and click OK.
    3. Select the Values to Restore and click OK.
    4. Click Close.
    5. Click Apply Changes.
    6. Type a comment and click OK.

From McAfee KnowledgeBase -

 

There are two methods of enabling debug logging in McAfee Quarantine Manager (MQM).

 

Method 1 - via the AdminUI

 

  1. Create a destination folder for the Debug logs:

    1. Open Windows Explorer.
    2. On a local drive, create a folder to store the Debug logs (for example: C:\MQMLogs).
    3. Close Windows Explorer.
  2. Enable Debug logging in the MQM AdminUI:

    1. Open the MQM AdminUI. 
    2. Click Settings and Diagnostics.
    3. Click Diagnostics, and then click the Debug Logging tab.
    4. Set Level to High.
    5. Optional: Select Limit size of Debug log files.

      IMPORTANT: McAfee recommends that you not set a size limit for the debug logs because important information will be overwritten when the log files are truncated. Instead, enable debug logging only for the time necessary to reproduce the issue, and then disable debug logging.
    6. Select Specify location for Debug files.
    7. In the Debug file location drop-down list, select (full path)
    8. In the Debug file location field, type the name of the folder created above (example: C:\MQMLogs)
    9. Click Apply.
  3. Run the Debug log for the specified time to capture the issue.

    With Debug logging enabled, replicate the issue. The length of time to have debug logging enabled will vary depending on the issue that you are investigating. When the issue has been replicated, proceed to the next step to disable debug logging.
  4. Disable Debug logging:
    1. Open the MQM AdminUI. 
    2. Click Settings and Diagnostics.
    3. Click Diagnostics, and then click the Debug logging tab.
    4. Set Level to None.
    5. Click Apply.

 

 

Method 2 - via the Registry

 

 

  1. Stop the McAfee Quarantine Manager service:

    1. Click Start, Run, type services.msc, and then click OK.
    2. Perform the following three steps only if the server is managed by ePolicy Orchestrator (ePO):
      1. Right-click McAfee Framework Service and select Properties.
      2. In the Startup type section, select Manual from the drop-down list and then click Apply. This stops ePO policies from restarting the service.
      3. Right-click McAfee Framework Service and select Stop.
    3. Right-click McAfee Quarantine Manager and select Stop.
    4. Minimize the Services window.
  2. Enable debug logging via the registry:

    1. Click Start, Run, type regedit, and then click OK.
    2. Navigate to the trace key (the first path on 32-bit Windows, the WOW6432Node path on 64-bit Windows):

      [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Quarantine Manager\trace]
      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Quarantine Manager\trace]

    3. Set the following values under the trace key:

      NOTE: If any of the listed values do not exist, click Edit, New and create a DWORD Value or String Value as shown in the Type column.

      Value name     Type     Base       Data
      Level          DWORD    Hex        3
      MaxFileSize    DWORD    Decimal    10240
      Path           STRING   -          C:\MQMLogs

      IMPORTANT: MaxFileSize is an optional value. This key is not required if you do not want to set a maximum file size. McAfee does not recommend that a size limit be set for the debug logs because important information will be overwritten when the log files are truncated. Instead, enable debug logging only for the time necessary to capture the error/issue, and then disable it.
    4. Close the Registry Editor.

       
  3. Start McAfee Quarantine Manager and launch the Product Console:
    1. Maximize the Services window.
    2. Right-click McAfee Quarantine Manager and select Start.
    3. Minimize the Services window.
    4. Open the McAfee Quarantine Manager Console and/or perform the steps and actions that you want to be captured in the debug logs.

  4. When enough debug information has been captured, remove the debug settings from the registry:

    1. Click Start, Run, type regedit and then click OK.
    2. Navigate to the trace key (the first path on 32-bit Windows, the WOW6432Node path on 64-bit Windows):

      [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Quarantine Manager\trace]
      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Quarantine Manager\trace]

    3. Right-click Level and change the value to 0.
    4. Close the registry editor.

       
  5. Restart the McAfee Quarantine Manager service:

    1. In the Services window, right-click McAfee Quarantine Manager and select Restart.
    2. Close the Services window.

       
  6. If you changed it in step 1, set McAfee Framework Service back to Automatic and start the service.
  7. Collect the required files, and contact McAfee technical support. 

From https://kc.mcafee.com/agent/index?page=content&id=KB79085

 

 

Problem

When configured for MQM quarantine digests, one or more domains are unable to send digests: domains configured for digests on the MQM do not receive them, and the digest task does not identify any new messages. You may also see the task start sending to a domain and then stall, sending only a small number of digests when many more should go out.

 

Cause

The DigestUserBatch and DigestUserBWThreshold values in the registry contain invalid values.

 

Solution

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.
 
  1. On your MQM server, click Start, Run, type regedit and click OK.
  2. Navigate to the MQM subtree:
    • On 32-bit Windows:
      HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Quarantine Manager
    • On 64-bit Windows:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Quarantine Manager
  3. Check the values of DigestUserBatch and DigestUserBWThreshold. When this issue occurs, these values have been increased to a seven- or eight-digit number; change both back to 1000.
  4. Close the Registry Editor.
  5. Restart the MQM services.

From http://kc.mcafee.com/agent/index?page=content&id=KB82605
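Method 2 of the debug-logging article and the DigestUserBatch fix above both edit the same MQM registry subtree by hand in regedit. As an added example (not from the KB articles or from McAfee), the Python below renders the same changes as Registry Editor 5.00 import files that you can review before importing, so the 32-bit versus WOW6432Node path, the DWORD hex encoding and the backslash escaping in the Path string are generated rather than typed. It carries the enable/disable pairing from the debug article and the 1000 reset from the digest article; the output file names, the `reg import` usage and the `digest_value_suspicious` threshold are my own choices, and the stop-service / start-service steps from the articles still apply around the import.

```python
from typing import Dict, Union

# The two MQM registry roots quoted in the articles: the product is 32-bit, so on
# 64-bit Windows its keys live under WOW6432Node.
MQM_ROOT_32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Quarantine Manager"
MQM_ROOT_64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\Quarantine Manager"


def mqm_root(windows_is_64bit: bool) -> str:
    return MQM_ROOT_64 if windows_is_64bit else MQM_ROOT_32


def reg_value(value: Union[int, str]) -> str:
    """Encode one value in .reg syntax: int -> REG_DWORD, str -> REG_SZ.

    A .reg file always writes a DWORD as eight hex digits, so the Hex/Decimal
    "Base" column in the KB table only describes regedit's display: 10240 decimal
    becomes dword:00002800. Backslashes and quotes inside strings must be escaped.
    """
    if isinstance(value, bool):
        raise TypeError("use 0/1 for flags, not bool")
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{value} does not fit a DWORD")
        return f"dword:{value:08x}"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_reg(key: str, values: Dict[str, Union[int, str]]) -> str:
    """Render a Registry Editor 5.00 import file that sets `values` under `key`."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [f'"{name}"={reg_value(v)}' for name, v in values.items()]
    return "\r\n".join(lines) + "\r\n"      # regedit expects CRLF line endings


def mqm_debug_on(windows_is_64bit: bool, log_dir: str = r"C:\MQMLogs",
                 max_file_size: Union[int, None] = None) -> str:
    """Method 2, step 2: Level=3 and Path, plus MaxFileSize only if a cap is wanted.

    The KB advises against a cap because truncated logs lose the interesting part,
    and it does not state the unit of MaxFileSize (its example value is 10240).
    """
    values: Dict[str, Union[int, str]] = {"Level": 0x3, "Path": log_dir}
    if max_file_size is not None:
        values["MaxFileSize"] = max_file_size
    return build_reg(mqm_root(windows_is_64bit) + r"\trace", values)


def mqm_debug_off(windows_is_64bit: bool) -> str:
    """Method 2, step 4: set Level back to 0 once the issue has been captured."""
    return build_reg(mqm_root(windows_is_64bit) + r"\trace", {"Level": 0})


def digest_value_suspicious(value: int) -> bool:
    """KB82605 symptom: DigestUserBatch/DigestUserBWThreshold grown to 7 or 8 digits."""
    return value >= 1_000_000


def mqm_digest_reset(windows_is_64bit: bool) -> str:
    """KB82605 fix: put DigestUserBatch and DigestUserBWThreshold back to 1000."""
    return build_reg(mqm_root(windows_is_64bit),
                     {"DigestUserBatch": 1000, "DigestUserBWThreshold": 1000})


if __name__ == "__main__":
    # To write a file: open("mqm-debug-on.reg", "w", encoding="utf-16", newline="")
    # (Version 5.00 files are UTF-16 with a BOM; newline="" keeps the CRLFs), review it,
    # then import it from an elevated prompt with: reg import mqm-debug-on.reg
    print(mqm_debug_on(windows_is_64bit=True, max_file_size=10240))
    print(mqm_digest_reset(windows_is_64bit=True))
```

Stop the McAfee Quarantine Manager service before importing, as the articles describe, and keep the generated "off" file next to the "on" file so the disable step is as easy as the enable step; a Level of 3 left behind is exactly the forgotten debug logging the KB warns about.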

 

Environment

 

McAfee Quarantine Manager (MQM) 7.x

 

Microsoft Outlook

 

Problem

When using the HTML attachment as the digest mail format, you cannot take actions on quarantined items if you view the attachment in the Outlook Preview Pane. You see one of the following issues:

 

  • When you click the button associated with the required action, nothing happens.
  • You see one of several possible errors, and the yellow warning triangle is displayed at the bottom of the browser.
If you double-click the attachment and open it in a browser, the actions all work as expected.

 

Solution

This is a limitation of the Preview Pane in Microsoft Outlook, which by default blocks scripts and forms from running as a security precaution.

 

Open the attachment in a browser for full functionality, or switch the digest to HTML Inline digests as follows:
  1. Select Administrator Management, Manage Domains.
  2. Select the domain to be configured, and click Modify Configuration.
  3. Select the Templates tab.
  4. Under Mail Format, select HTML inline.
  5. Click Apply.

 

From http://kc.mcafee.com/agent/index?page=content&id=KB78783

 

One of the things you can do to improve compliance and auditing is to have MEG create audit copies of email messages: an additional copy of each message is sent to a location of your choosing. While this is great for your next audit, it can also leave you with a lot of extra email for messages that were blocked by Antispam, Antivirus or other scanners. You can instead have MEG create an audit copy only of messages that were actually delivered, so blocked messages are not duplicated. On 7.0.4 and later (including 7.5.x, 7.6.0 and 7.6.1) you have to edit smtp-config.xml manually to do this.

 

To enable this functionality, edit the config file as follows:

  1. Open the Appliance management console.
  2. Click System, System Administration, Backup and Restore, and save a copy of the configuration file.
  3. Create a new directory on your client.
  4. Extract smtp-config.xml from the saved configuration file into the new directory and create a backup copy of this file.
    NOTE: Ensure that you do not extract the full zip file, only the XML to be edited. Extracting the full configuration can cause corruption in the configuration.
  5. Open the smtp-config.xml file with Notepad or another plain text editor.
  6. Change the CopyOnlyIfDelivered value from 0 to 1:
    1. Locate the following entry: CopyOnlyIfDelivered="0"
    2. Change "0" to "1".
      For example:
      CopyOnlyIfDelivered="1"
  7. Save smtp-config.xml. If prompted, select .txt and ignore any warnings about removing the formatting.
    IMPORTANT: If you save smtp-config.xml in a rich text format, the data will be corrupted.
  8. Update the configuration zip file with the modified smtp-config.xml. Use Winzip or an equivalent application that works with long filenames.
    NOTE: If you use Winzip, ensure that the full path info option is not enabled. 
  9. Restore the modified zip file to the Appliance via the Backup and Restore page.
  10. Click Apply Changes.

    NOTE: For full instructions on how to back up and edit an Appliance configuration file, see KB56323.
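The procedure above, the SSLv3 procedure (machine.xml, ForbiddenProtocols) and the spam-rule procedure (SharedSettings.xml) are all the same operation: take one XML member out of the backup zip, change it, and put it back without disturbing anything else. The Python below is an added example, not McAfee code or anything from the KB articles. It implements the two edits whose markup the articles quote (CopyOnlyIfDelivered in smtp-config.xml and the ForbiddenProtocols list in machine.xml); the same zip helper serves the SharedSettings.xml edit once you write a transform for your own file's rule markup, which the KB does not quote, so none is assumed here. The sample zip, its config/ path and the XML around the quoted fragments are constructed stand-ins.

```python
import io
import re
import zipfile
from typing import Callable, List

# The ForbiddenProtocols block as quoted in the SSLv3 article; re.S lets "." span
# the <Attr> lines. Adjust the pattern if your export orders the attributes differently.
FORBIDDEN_LIST = re.compile(
    r'(<List name="ForbiddenProtocols" type="nstr">)(.*?)(</List>)', re.S)
ATTR = re.compile(r'<Attr name="\d+" value="([^"]+)"/>')
COPY_ONLY = re.compile(r'CopyOnlyIfDelivered="[01]"')


def forbidden_protocols(machine_xml: str) -> List[str]:
    """Protocol names currently listed under ForbiddenProtocols."""
    m = FORBIDDEN_LIST.search(machine_xml)
    if m is None:
        raise ValueError("ForbiddenProtocols list not found in machine.xml")
    return ATTR.findall(m.group(2))


def forbid_protocol(machine_xml: str, protocol: str = "SSLv3") -> str:
    """Append <Attr name="N" value="..."/> to ForbiddenProtocols, N being the next index.

    Edits the raw text so every other byte of the file survives, and returns the
    input unchanged when the protocol is already listed, so re-running is harmless.
    """
    m = FORBIDDEN_LIST.search(machine_xml)
    if m is None:
        raise ValueError("ForbiddenProtocols list not found in machine.xml")
    body = m.group(2)
    values = ATTR.findall(body)
    if protocol in values:
        return machine_xml
    indent = re.search(r"\n([ \t]*)<Attr", body)
    pad = indent.group(1) if indent else ""
    core = body.rstrip()                    # the existing <Attr> lines
    trailing = body[len(core):]             # whitespace that precedes </List>
    new_attr = f'<Attr name="{len(values)}" value="{protocol}"/>'
    return (machine_xml[:m.start(2)] + core + "\n" + pad + new_attr + trailing
            + machine_xml[m.end(2):])


def copy_only_if_delivered(smtp_config_xml: str) -> str:
    """Set CopyOnlyIfDelivered="1" in smtp-config.xml (audit copies of delivered mail only)."""
    if COPY_ONLY.search(smtp_config_xml) is None:
        raise ValueError("CopyOnlyIfDelivered attribute not found in smtp-config.xml")
    return COPY_ONLY.sub('CopyOnlyIfDelivered="1"', smtp_config_xml)


def _locate(zin: zipfile.ZipFile, basename: str) -> str:
    """The one archive member named `basename`, whatever directory it sits in."""
    hits = [n for n in zin.namelist() if n.rsplit("/", 1)[-1] == basename]
    if len(hits) != 1:
        raise KeyError(f"expected exactly one {basename} in the archive, found {hits}")
    return hits[0]


def patch_config_zip(src: bytes, basename: str, transform: Callable[[str], str]) -> bytes:
    """Copy of the backup zip with one XML member rewritten by `transform`.

    Every other entry is copied as-is and the edited entry keeps its original archive
    path (config/...), which is what the KB warnings about not extracting the whole
    zip and not storing "full path info" are protecting.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        target = _locate(zin, basename)
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == target:
                data = transform(data.decode("utf-8")).encode("utf-8")
            zout.writestr(info, data)       # same name, same entry metadata
    return out.getvalue()


def read_member(zip_bytes: bytes, basename: str) -> str:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(_locate(z, basename)).decode("utf-8")


# Constructed stand-in for an exported configuration. Only the ForbiddenProtocols list
# and the CopyOnlyIfDelivered attribute come from the KB text; the rest is assumed.
SAMPLE_MACHINE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Machine>
  <List name="ForbiddenProtocols" type="nstr">
    <Attr name="0" value="SSLv2"/>
  </List>
</Machine>
"""
SAMPLE_SMTP_CONFIG_XML = '<?xml version="1.0" encoding="UTF-8"?>\n<SMTP CopyOnlyIfDelivered="0"/>\n'


def build_sample_config_zip() -> bytes:
    """Two-member backup zip; the config/ prefix is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("config/machine.xml", SAMPLE_MACHINE_XML)
        z.writestr("config/smtp-config.xml", SAMPLE_SMTP_CONFIG_XML)
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: src = open("backup.zip", "rb").read(), write the returned bytes to a
    # new file, and import that file with Restore from File, then Apply Changes.
    patched = patch_config_zip(build_sample_config_zip(), "machine.xml", forbid_protocol)
    patched = patch_config_zip(patched, "smtp-config.xml", copy_only_if_delivered)
    print(read_member(patched, "machine.xml"))
    print(read_member(patched, "smtp-config.xml"), end="")
```

Keep the untouched backup zip from step 2 so you can restore it if the import misbehaves. After the SSLv3 change has been applied, verify from outside rather than trusting the XML: `nmap --script ssl-enum-ciphers -p 25,443 <appliance>` should no longer list SSLv3 on whichever listeners the appliance exposes (the script negotiates STARTTLS on port 25).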

 

 

Starting in v. 7.6.2, a GUI option enables this functionality through the notification templates:

  1. Click Manage Templates; a dialog box listing the notification templates opens.
  2. Click Add to create a new notification template, for example "Deliver an audit copy to 'Auditing Email List'".
  3. Click Next through the wizard pages until you reach the page with the option "Only generate the notification when the email is delivered", and select it.
  4. Click Finish. You now have a new template (auditcopy_only_if_delivered in this example) that only generates audit copies for delivered messages.
  5. Click OK, then select the template you just created when configuring the audit-copy notification.

 

 

This should help reduce the amount of junk you have in your audit mailbox and make it easier to find what you are looking for!

From http://kc.mcafee.com/agent/index?page=content&id=KB81526

 

 

Problem

When the McAfee Email Gateway (MEG) Appliance quarantines mail to the default quarantine location because of URL Reputation, users cannot find the mail in their MQM quarantine digest.

 

 

Cause

Mail quarantined to the default queue for URL Reputation is placed in a queue called Other. This queue is not exposed to end users because of its content.

 

 

Solution

In MEG 7.5 or later, you can create custom queues:
  1. Create a new queue for URL reputation:

    1. Navigate to Email, Quarantine Configuration, Quarantine Queue Settings.
    2. Click Add at the bottom of the screen.
    3. Give the new queue a name, for example URL Reputation.
    4. Optionally type a description for the new quarantine queue.
    5. Click OK to add the new queue.
  2. Configure URL Reputation to quarantine to the new queue:

    1. Navigate to Email, Email Policies, Compliance, and click URL Reputation at the bottom of the column.
    2. For the desired URL reputation category, under And Also, check the box next to Quarantine, then click the triangle next to it to expand the options and reveal a pull-down box.
    3. In the pull-down box, select the URL Reputation queue created earlier.
    4. Click OK to save the changes.
  3. Click the green check in the upper right corner to save and apply the changes.
Messages quarantined due to URL Reputation will now be quarantined to the new queue on the MQM. When at least one message has been quarantined to this queue, the administrator can enable user visibility and release for this queue as described in the MQM Product Guide (PD23170).

 
