5
Security

This chapter discusses Oracle Email system security.

This chapter contains the following topics:

• Overview
• SSL
• Anti-Spam
• Anti-Virus
• Virus Scrubber
• Virus Scanning and Removal through PL/SQL Scripts

Overview

E-mail system security has many aspects and implications. Each component of the system has potential vulnerabilities in addition to possible breaches through user error or violation of documented security policies. Examples include careless password management or cooperation with deceptive phone calls purporting to be from IT workers.

Security issues include:

• Components of the e-mail system to identify the areas to consider when designing a secure architecture
• Elements of security to consider in the design, such as password policies.

Email System Component Security

Each core component of an email system has unique security issues and vulnerabilities that you must address in designing your system and security policies. Security decisions must often balance the goals of maximum protection and unlimited access. Most decisions that increase security inevitably reduce the level of access for ordinary users.

The core components are the message store, the middle tier, the identity management infrastructure, and the mail clients.

Message Store

Table 5-1 describes the elements providing security in the message store.

Table 5-1 Security Components of the Message Store  

Message Store Element	Security Effect
Oracle9i database	Traditional database security prevents unauthorized access.
Data access management	Normal database authentication mechanisms protect e-mail, too, and can be restricted to specific accounts or trusted users.
Signed e-mail and S/MIME support	Mail clients can provide e-mail security with digital signatures and S/MIME, part of an overall security strategy supported by Oracle preserving message integrity.

Middle Tier

In the middle tier, more vulnerabilities arise, because this is the access point for most users. Security concerns and ease of use for normal end-users must be balanced based to build a workable implementation.

Since protocol servers, such as IMAP, POP, or SMTP, are potential targets for attack by hackers looking for security weaknesses, you should enable only the protocols you require. Where appropriate, enforce authentication for all client connections, and consider using SSL for the underlying network connection. For SMTP, authentication can prevent inbound mail traffic. In this case, ensure that the anti-spam, anti-relay, and anti-virus controls are setup appropriately to minimize the risks posed by incoming mail traffic.

For HTTP servers, only minimum information should be available through any web servers giving access through web clients. Lock down access to any URL except for the thin client. To protect the security of e-mail date and password, enable SSL access only through the thin clients.

Providing adequate security of the middle tier, particularly the SMTP server, can be problematic because by design, SMTP accepts and routes inbound traffic to its destination. While this design makes mail exchange possible, it also provides possible avenues of attack. Restrictions in the openness of the SMTP server should be weighed against the loss of usability.

SMTP mail is inherently insecure because it enables users to negotiate directly with receiving and relaying SMTP servers. Sophisticated users can create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so the trickery cannot be detected by an expert is more difficult, but not so much as to deter a determined and knowledgeable hacker.

Consequently, as knowledge of Internet mail increases, so does the knowledge that, at the transport level, SMTP mail inherently cannot be authenticated, nor can integrity checks be provided. Real mail security lies only in end-to-end methods that secure message bodies by using digital signatures, such as PGP or S/MIME.

Identity Management Infrastructure

This infrastructure controls and manages all aspects of directory, authentication, and single sign-on (SSO) operations.

Database security rules protect the underlying Oracle9i instance. Middle tier and storage servers, as well as web clients, must access this information to operate. Access is required though LDAP and possibly HTTP/HTTPS, and access to these protocols should be limited to only those servers truly requiring such access.

If web clients are deployed on the public Internet, the SSO components should be implemented on servers separate from the rest of the infrastructure. This separation makes it possible to provide protection for these components behind firewalls.

Because end user passwords are managed by the infrastructure, password policies should be maintained, such as enforcing acceptable password sizes, randomness, and frequency of change.

Unused or inactive mailboxes should be routinely cleaned or locked to minimize the risk of unauthorized use.

Mail Clients

Most mail clients have configuration options enabling support for increased levels of security when connecting to the server. For example, support for connections over SSL and protocol authentication can require special configuration. Ensure that users are aware of risky behaviors, such as storing passwords in ordinary files on PCs, and the configuration options or changes required to minimize those risks.

Network Security

Security features of the product enable separate components to be configured securely. The more restrictive access to an organization's network is the messaging system's security. Ensuring that the rest of your intranet is secure reduces the chances of unauthorized attempts to access components of the messaging system.

Firewalls

Firewalls play a large role in protecting the security of your implementation. Firewalls must be configured appropriately, with more than firewall in place, and regularly monitored for intrusion. It is important not to assume that everything is safe because you have deployed a firewall.

You have to determine what protocols to enable at the various points in your network. This decision often requires evaluating the trade-off between providing wide access to legitimate users and yet still protecting vulnerabilities from unauthorized use.

At a minimum, sending and receiving e-mail messages from the Internet requires that you enable inbound and outbound connections through port 25, the default SMTP connection socket. For other protocols, such as IMAP and POP, determine whether enabling public Internet access is worth the risks and cost. The risks include unauthorized access, and the costs include extra configuration and administration to maintain this infrastructure. In a typical enterprise, such access is not required, and all protocol tiers can be well protected within an intranet environment. Access for non-office based workers can be managed through a separate VPN or remote access infrastructure.

If you enable access through any of these protocols from the Internet, then security can be improved by using authentication and SSL. Authentication provides some protection to the protocols, and SSL aids data encryption of network traffic.

The storage component of Oracle Email should be located behind any firewall implementation, with minimal access through SQLnet from the middle tier processes in other parts of the DMZ.

You should close down all firewall access other than explicitly required port and host connections. Closely managing and minimizing potential security vulnerabilities is a key part of any secure configuration.

Never assume that implementing a secure configuration means no new vulnerabilities and risks can arise. Watch for security updates from Oracle and security updates affecting Internet protocols to ensure that you maintain a secure environment.

Non-Technical Considerations

Any security implementation is only as good as its users' awareness of security issues. Many security breaches are the result of simple human factors allowing intruders to gain access to user accounts through simple human deception. Administrators must keep the following factors in mind:

• Understand who has access to sensitive information.
• Understand that database administrators can generally access trusted level information.
• Implement password policies: minimum lengths, frequent changes.
• Remove unused accounts.
• Do not start unused services: run only what you need.

Establish security policies for each level of security that applies to different parts of your system, including who has access to them and how to respond to security breaches.

SSL

Secure Sockets Layer (SSL) is a protocol for transmitting private documents over the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. Many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs requiring an SSL connection start with https: instead of http:.

Obtaining a SSL Server Certificate

For servers to communicate securely with clients, customers installing Oracle Email must obtain an SSL Server Certificate for each machine and configure its network listener to use that certificate.

See Also:: Chapter 16 of the Oracle Advanced Security Administrator's Guide, for how to use the Wallet Manager to create a wallet and store SSL certificates

NOTE: You must have a separate certificate for each machine on which the protocol server processes run. A single certificate can support all protocol server processes on one machine.

In the Oracle environment, you can use the Oracle Wallet Manager for secure creation and storage of certificates and the corresponding private keys.

To obtain a certificate, use the Wallet Manager as described in the Oracle Advanced Security Administrator's Guide. The general steps are as follows:

1. Create a new wallet, if one does not already exist. The same wallet can be used by all servers running on that machine.
2. Generate a certificate request, entering the host name along with the domain name as the Common Name. Requesting a certificate request generates the corresponding private key and stores it in the wallet.
3. Send the certificate request to a Certificate Authority, such as VeriSign for signing.
4. Store the signed certificate in the wallet with the Auto Login option enabled on. You should see the certificate status set to Ready.
5. Remember to store the wallet with the Auto Login option enabled. The option is under the Wallet menu option in the Wallet Manager.

   This creates a cwallet.sso file in addition to the ewallet.p12, that is the actual wallet. The files can be found in the following location:

   /etc/ORACLE/WALLETS/userid.
   
   

Configuring the Network Listener for SSL

During installation, the listener.ora file is updated with the required SSL and non- SSL listening end points for both the IMAP4 and POP3 servers. Users only need to set the wallet location in the listener.ora and the sqlnet.ora files, along with any optional SSL parameters, for the listener to receive SSL connections. These settings can be done manually or by using the Oracle Network Manager.

Manually Setting Wallet Location and Client Authentication

Add the following WALLET_LOCATION and SSL_CLIENT_AUTHENTICATION entries in the beginning of the $TNS_ADMIN/listener.ora and $TNS_ADMIN/sqlnet.ora files:

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = <Directory path containing the cwallet.sso file>)
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

A typical directory parameter value looks like the following line:

/etc/ORACLE/WALLETS/<userid> 

If the SSL_CLIENT_AUTHENTICATION parameter is not set, the default setting is TRUE and clients are required to present a certificate during the SSL handshake. If the intent is only to secure the communication, not to authenticate the client using the certificate, then this parameter should be set to False.

See Also: Chapter 7 of the Oracle Advanced Security Administrator's Guide to set the wallet location using Oracle Network Manager

Configuring Protocol Servers for SSL

IMAP and POP protocol servers can be configured to use SSL for securely communicating with and authenticating clients. To use the SSL client connections, administrators can configure an existing server instance or create a new instance.

Two separate server instances are necessary to use both SSL and non-SSL connections. One server instance cannot manage both types of connections. By default, server instances are configured to manage Internet connections only. The default listening end points for both IMAP and POP protocol servers are created in the listener.ora file during installation.

To configure a SSL server instance, do the following steps:

1. Log in to Oracle Enterprise Manager.
2. Select the application server instance where Oracle Email is installed.
3. Click Oracle Email.
4. Click IMAP or POP.
5. Click the process instance.
6. Select IMAPSSL, POPSSL, or Custom from the drop-down list.

   If you select Custom:

   • Provide a specific presentation name in the corresponding field.
   • Change the SSL Enabled parameter to TRUE and verify that there is a description entry in the listener.ora file for the presentation name you specified. Verify that protocol is set to TCPS and that the PORT set to the default SSL port number of the protocol.

   The default SSL port number for IMAP is 993. The default SSL port number for POP is 995.

7. Reinitialize the server instance.

Configuring SSL from Protocol Servers and Oracle Internet Directory

All server process instances have a description parameter. The following parameter shows a sample set of configuration options:

-sslenable=yes -sslport=3061 -sslwalletloc=file:/directory_
name/oracle/work/genwallt/client 
-sslwalletpassword=welcome12 -sslmode=3 

Where:

• sslenable has two possible values: yes or no
• sslport is the port on which Oracle Internet Directory is listening. Oracle Internet Directory should be configured to listen on both SSL and non-SSL mode
• sslwalletloc is the location of the client wallet in the file system.
• sslwalletpassword is the password used to access the wallet.
• sslmode: valid values are
  • 1: SSL without authentication is performed (no PKI certificate exchanges), only channel encryption and data integrity
  • 2: One-way authentication is performed. For example: Oracle Internet Directory server authentication
  • 3: Both the client protocol servers and Oracle Internet Directory server authentication are performed

If any values are not stored correctly, a non!-ssl mode of auth occurs.

See Also: Oracle Internet Directory Administrator's Guide for more information regarding Oracle Internet Directory SSL.

Configuring SSL for Oracle Webmail

Perform the following steps to configure SSL for Oracle Webmail:

1. In the toolkit.properties file, set the oracle.mail.ldap.connectssl=true/false property to true.
2. Place the oracle.mail.ldap.connectssl=true/false property in the $ORACLE_HOME/oes/admin/oesadmin.properties file

Anti-Spam

The NNTP and SMTP servers support a variety of anti-spam methods to prevent users and domains from misusing the e-mail system. Examples include flooding the e-mail system with undesired, unsolicited messages, and using the server as a spam relay for other domains.

Third Party Anti-Spam Filters

A third party anti-spam filter agent can be run in front of the SMTP server to check whether incoming messages are spam. After completing the spam check it passes the mail to the SMTP server. Anti-spam filters are configured to either reject spam mails or to change or add headers to indicate that the mail could be spam.

This release of Oracle Email does not process any specific spam headers. However, because the format and values of the new headers are known, a user can set up server-side or client-side rules to move spam mail out of the INBOX or delete them based on certain criteria.

Setting Up Third Party Anti-Spam Filters

If the third party spam filter and SMTP server are running on the same machine, the filter should listen to the default SMTP port 25. The SMTP server listens to a different port. When e-mails come into the system, the spam filter filters the mail and takes action on it. If the mail passes the spam check, it is sent to the SMTP server. The communication between the third party spam filter and SMTP server must be done over SMTP protocol.

Native Anti-Spam for SMTP

The SMTP server supports native anti-spam checks, which are more efficient than third party anti-spam filters because they eliminate the costs of external agent execution and passing mail. Checks are performed on each input from the sender to identify spam mails at an earlier stage. Native anti-spam checks do not analyze message contents, but all e-mails are checked for the following:

• Sender's address
• Sender's domain
• Recipient's address
• Recipient's domain
• IP address of the sending computer
• Domain of the sending computer

The server supports two types of settings: an acceptance list and a rejection list. The values in these lists are domains, IP addresses, and senders. The appropriate accept and reject list is checked against the SMTP command being processed.

Anti-spam checks are performed during the following operations:

• When the SMTP connection is opened
• When the client connects
• After each SMTP protocol command, in the following order:

  HELO/EHLO, MAIL FROM, RCPT TO
  
  

Typically, SMTP servers inside a firewall do not need to have anti-spam checking enabled. Outside the firewall, however, servers receiving inbound e-mail messages need anti-spam protection.

Oracle Email servers have a global native anti-spamming parameter that is checked by each instance. If this value is set to FALSE, anti-spam checking does not take place and all other parameters for anti-spam are disabled.

If native anti-spam is set to TRUE, the following steps occur:

1. The Internet Protocol (IP) address and domain name (based upon a DNS lookup of the IP address) of the requester are checked during the connection request to the server. The following parameters are checked:
   • Accept Connections from IP Addresses: If the IP address is trusted, then the process continues
   • Reject Connections from IP Addresses: If the IP address is here, the message is rejected and the connection is closed
   • Accept Connections from Host Domains: If the domain name of the computer is trusted, then the process continues. The domain name is obtained through a reverse DNS lookup of the IP address
   • Reject Connections from Host Domains: If the domain name is in this list, then reject the message and close the connection
   • Prevent Service Denial Attack: The number of messages plus the number of connection requests from this host within a time interval that is considered to be flooding
   • Spam Flood Interval: The time interval, in minutes, used in conjunction with Spam Flood Count parameter to determine whether a host spamming
2. The HELO or EHLO command is performed. This is the initial command performed before any work can begin on the SMTP server. When this command is entered, a domain name is passed as part of the command. The following parameters are set:
   • Accept Connections from IP Addresses: If the IP address is trusted, the process is continued
   • Accept Connections from Host Domains: If the domain name of the computer is obtained through reverse DNS lookup of the IP address are trusted, then the process continues
   • Enable HELO DNS Check: If this parameter is set then the domain name in the helo/ehlo command is checked for existence in the DNS server. If it does not exist, the connection is rejected
3. The information in the MAIL FROM command is verified. This command contains the e-mail address of the sender. This address can be checked for spam. The following parameters are set:
   • Accept Connections from IP Addresses: If the IP address is trusted, the process is continued
   • Accept Connections from Host Domains: If the domain name of the computer is obtained through reverse DNS lookup of the IP address are trusted, then the process continues
   • Reject Connections from Sender Domains: If the domain name part of the sender's e-mail address is in this list, the message is rejected and the connection is closed
   • Reject Connections from Sender: If the sender's e-mail address is in this list, the message is rejected and the connection is closed
   • Accept Connections from Sender Domains: If the domain part of the sender's e-mail address is in the list, the process is continued
   • Accept Connections from Sender: If the sender address is a trusted address, the process is continued
   • Enable Sender DNS Check: If this is enabled, then the domain in the sender's address is checked to determine if it exists in the DNS server
4. An additional check for flooding takes place. This is required because a single connection to a message transfer agent (MTA) can send multiple messages. A flood check is performed after each message is accepted.
   • Prevent Service Denial Attack: The number of messages plus the number of connection requests from this host within a time interval that is considered to be flooding.
   • Spam Flood Interval: The time interval, in minutes, used in conjunction with Spam Flood Count to determine whether a host is spamming.
5. The RCPT TO command is verified. This command contains the e-mail address(es) of the recipient(s). This check is dependent on several parameters and differs depending on the mail destination. Again if the sending computer is trusted then the mail continues. Then each recipient is either a local user or the mail message needs to be relayed to another SMTP server. If the mail is going to be delivered to a local user, then a check for rejected recipients is made. If the mail is to be relayed, then we check to make sure the server is allowed to relay, or allowed to relay conditional upon the domain the mail is going to as well as if the connection was initially authenticated.
   • Accept Connections from IP Addresses: If the IP address is trusted, the process is continued.
   • Accept Connections from Host Domains: If the domain name of the computer or the domain name sent as part of the connect request are trusted, the process is continued.
   • Accept Connections from Sender Domains: If the domain part of the sender's e-mail address is in the list, the process is continued.
   • Accept Connections from Sender: If the sender address is a trusted address, the process is continued.
   • Reject Recipient: This parameter list is only used for local delivery mail messages. If the recipient name is in this list, then message is rejected and the connection is closed. This is useful for temporarily suspended accounts or restricted distribution lists.
   • Relay Allowed: This parameter is only used for relay delivery of mail messages. The possible values are:
     • True: The recipient domain is checked to see if it is in the list of domains allowed to relay
     • False: Relay messages are not allowed
     • Auth: If the sender is authenticated when it first connected to the SMTP server, then the mail is allowed to continue
   • Relay Domains Allowed: This value only reads relay mail messages when the Allow Relay parameter is set to True. This parameter provides a list of domains that the SMTP server allows to be relayed. If relaying for all domains is allowed, the parameter must be set to an asterisk (*).

Native Anti-Spam for NNTP

The NNTP server supports native anti-spam checks, which are based on the following:

• Host domain
• Host IP
• Sender mail address

Wildcards

NNTP and SMTP wildcard support exists on prefixes for domains and suffixes for IP addresses, to allow sub-domains and sub networks with a single entry. Entries containing only an asterisk (*) on a line by itself means all domains or IP addresses.

For example:

Valid entries *.foo.com (all sub-domains of foo.com), *.*.foo.com, 99.99.99.* (any host with IP address having a prefix 99.99.99);

Invalid entries: *.foo.*.com (domain), 99.*.99.* (IP).

Native Anti-spam Parameters for NNTP and SMTP

Note: For SMTP, Reject parameters take precedence over Accept parameters. Exception for parameters such as Accept IPs apply only to subsequent spam checks. For example, if user99@foo.com is present in Accept senders, any checks on the rcpt to: command are ignored. However, if the IP address of host1.foo.com is present in Accept IPs and is not present in Reject IPs, all connections from host1.foo.com are accepted and all further spam checks on mails from host1.foo.com are ignored.

The following table describes the Oracle Email native anti-spam parameters for NNTP and SMTP:

Table 5-2 Anti-spam Parameters

Parameter	Description
Native Anti-spamming	Turns on anti-spamming checks. If this parameter is not set, all anti-spamming checks are turned off.
Relay Blocking	Enables domains determined by SMTP Relay Domains Allowed.
Prevent Denial of Service Attacks
Reject connections from sender(s)	List of senders to be rejected, but only if Native Anti Spamming is TRUE
Accept connections from sender(s)	List of sender addresses against which the sender address is checked, if Native Anti Spamming is TRUE
Reject connections from sender domain(s)	Specifies the list of domains and sub-domains to be rejected
Accept connections from sender domain(s)	List of domains against which the domain part of the sender's e-mail address is checked, if Native Anti Spamming is TRUE
Reject connections from Host domain(s)	List of domains and sub-domains to reject, and close connection, but only if Native Anti Spamming is TRUE
Accept connections from Host domain(s)	List of allowed domains or sub-domains from which mail is received, if Native Anti Spamming is TRUE, regardless of any further anti-spam checks
Reject connections from IP address(es)	List of IP addresses to reject, and close connection, but only if Native Anti Spamming is TRUE
Accept connections from IP address(es)	List of IP addresses from which connections are permitted, if Native Anti Spamming is TRUE, regardless of any further anti-spam checks
Reject recipient(s)	List of local recipients to reject, but only if Native Anti Spamming is TRUE
Allowed Relay Domain(s)	List of domains on which relay is allowed when the Relay Allowed parameter is enabled.
DNS check on helo/ehlo domains	Specifies if the domain in the helo command should be checked in the DNS server
DNS check on sender domains	Specifies if the domain in the mail from command should be checked in the DNS server

Adding Anti-spamming to Servers

1. Navigate to the Oracle Webmail client administration page.
2. Select Policy >Anti-Spam.
3. Select the server on which you want to add anti-spamming.
4. Select SMTP inbound or NNTP inbound from the drop down menu.
5. Enter information in the appropriate fields.
6. Click Apply to Servers.
7. Select the server from the list.
8. Click OK.
9. Restart the SMTP or NNTP server to make the changes take effect.

   Note: These parameters can also be modified through the Oracle Enterprise Manager administration pages.

Anti-Virus

The Oracle Email SMTP server and message store support plug-ins for third party anti-virus solutions to detect and cleanse, or delete potentially destructive messages. The message store has the capability to re-scan messages already in the store for potential virus. There are two ways to integrate with the virus scanner:

• External Filter Process: write a process that can be called from the server for virus scanning
• C Callouts: Implement the virus scanner as a C language procedure and link it with the server

External Filter Process

The SMTP server provides a way to integrate external processes to the server. The SMTP server for each mail calls this process for each mail process. Both the message body and envelope are passed through the process. The external process can then apply its own filtering mechanism and pass back a success or a failure message to the SMTP server. If a failure message is received from the external filter, the message is rejected. The external filter can also pass modified mail back to the server and that is delivered to the recipients. If the external process fails, the messages are queued and retried after the queue retry interval.

Configure the following parameters to set up external filter processing:

• External Filter: A Boolean that indicates if external filter processing is turned on.
• External Filter Process: This parameter must be in the following format:

  name:path_name when_to_call flags
  
  

where:

Table 5-3 External Filter Process Parameters

Parameter	Description
name	The name of the external filter.
path_name	The complete path of the process to be called.
when_to_call	The point at which the callout should be called. The possible values are: ENV - After receiving the message envelope DATA - After receiving the complete message and before local delivery NEVER - Disables the callout RELAY - Before relaying a message
Repair	Can be set to Yes or No. If set to Yes, then the callout can send the repaired message back to the server. If it set to No, the server does not read any repaired message back from the callout and rejects the mail if the scanner returns failure.

The call to the external process has the following syntax:

Filter_process host=host mailfrom=mailfrom rcptto=[#_of_recipients] 
msgsize=[msg_size]

where:

Table 5-4 External Filter Process Parameters

Parameter	Description
filter_process	The process set in the External Filter Process parameter
host	The name of host of the client connection
mailfrom	The address sent by the client during the SMTP protocol exchange
rcptto	The list of recipients from the SMTP protocol exchange. This is a list separated by a comma and is enclosed in brackets.
msg-size	The size of the message. It is optionally passed depending on when_to_call parameter. If the when_to_call parameter is set to ENV then this is not passed.

After the filter process has finished processing the mail, it should return the status and the changed message back to the server. This is done by writing the following information to its standard output (stdout)

status_code [version_definition]
repaired message

where:

Table 5-5 External Filter Process Parameters

Parameter	Description
status_code	The possible values are: 0 (success) The message is clean and is to be sent to the recipient 1 (failure) The message is not clean and is to be rejected 2 (repaired) The message was not clean but was changed is to be sent to the recipients
version_definition	Can be returned by the filter process and is stored with the message. An example would be to keep the virus definition database identifier in it. Because it stored with the message, it can be used later in the virus scrubber process to selectively re-scan messages.
repaired message	The modified message that should be sent to the recipients

Adding an External Filter Process

1. Navigate to the Oracle Webmail client administration page.
2. Select Policy > Anti-Virus.
3. Select the server on which you want to add anti-virus.
4. Select SMTP inbound, SMTP outbound, or list server from the drop down menu
5. Click Go.
6. Click Add.
7. Enter the filter name.
8. Select External Filter.
9. Enter information in the appropriate fields.
10. Click Submit to commit the changes or Cancel to return to the previous page.
11. Restart the SMTP server to make the changes take effect.

    Table 5-6 External Filter Process Parameters

    Parameter	Description
    Name	The name of the external filter.
    Location	The complete path of the process to be called.
    When to Call	The point at which the callout should be called. The possible values are: ENV - After receiving the message envelope DATA - After receiving the complete message and before local delivery NEVER - Disables the callout RELAY - Before relaying a message
    Repair	Can be set to Yes or No. If set to Yes, then the callout can send the repaired message back to the server. If it set to No, the server does not read any repaired message back from the callout and rejects the mail if the scanner returns failure.

External C Callouts

In addition to external process callouts, the SMTP server can call C language procedures. These procedures can be used as an inexpensive and efficient way of filtering mails. The C callouts that are implemented can obtain various message parts, such as envelope, size, and message text, through the API provided by the server. The procedure then filters and returns a reject or success with an optional modified message to the server.

Since these are linked with the server there is no overhead in the calls. But at the same time care must be taken while implementing these since they share the same process and memory space as the server. Any corruption affects the server. Each callout needs to implement a pre-defined set of functions. These functions are called by the server to initialize, send message and receive status and message back from the callout. The callouts can be specified by setting values in the Scanner Interface parameter. Multiple callouts can be specified and are called in sequence.

Each callout is specified as:

name:shared_library_path, when_to_call, [internal | host:port], (init, register_
callback, scan_msg, send_msg, receive_msg, close),scanner_flag,system_flags

where:

Table 5-7 External C Callout Parameters

Parameter	Description
name	The name of the external filter.
shared_library_path	The full path of the C shared library. This is loaded by the server at startup.
when_to_call	The point at which the callout should be called. The possible values are: ENV - After receiving the message envelope DATA - After receiving the complete message and before local delivery RELAY - Just before relaying a message NEVER - Essentially disables the callout
internal or host:port	If a host and port are needed by the scanner, enter the host name and port number of the scanner. These are passed to the scanner initialization function. If the scanner does not need a host and port, select internal.
Repair	Can be set to Yes or No. If set to Yes, then the callout can send the repaired message back to the server. If it set to No, the server does not read any repaired message back from the callout and rejects the mail if the scanner returns failure.
Additional Flags	The number 1

Adding an External C Callout Procedure

1. Navigate to the Oracle Webmail administration page.
2. Select Policy > Anti-Virus.
3. Select the server on which you want to add anti-virus.
4. Select SMTP inbound, SMTP outbound, or list server from the drop down menu.
5. Click Go.
6. Click Add.
7. Enter the filter name.
8. Select Callout.
9. Enter information in the appropriate fields.
10. Click Submit to commit the changes or Cancel to return to the previous page.
11. Restart the SMTP server to make the changes take effect.

    Table 5-8 External C Callout Process Parameters

    Parameter	Description
    Name	The name of the external filter.
    Location	If a host and port are needed by the scanner, enter the host name and port number of the scanner. These are passed to the scanner initialization function. If the scanner does not need a host and port, select internal.
    Library Path	The path of the C Callout library.
    When to Call	The point at which the callout should be called. The possible values are: ENV - After receiving the message envelope DATA - After receiving the complete message and before local delivery NEVER - Disables the callout RELAY - Before relaying a message
    Initial Function	The initialization of the scanner.
    Register Callback Function	The callback registration function.
    Scan Function	The function to scan the message.
    Send Function	The function used to get the message body
    Receive Function	The function used to send the repaired message.
    Close Function	The scanner exit function.
    Repair	Can be set to Yes or No. If set to Yes, then the callout can send the repaired message back to the server. If it set to No, the server does not read any repaired message back from the callout and rejects the mail if the scanner returns failure.
    Additional Flags	The number 1

Applying an Existing Anti-virus Policy to a Service Process

1. Navigate to the Oracle Webmail client administration page.
2. Select Policy > Anti-Virus.
3. Select the server on which you want to add anti-virus.
4. Select SMTP inbound, SMTP outbound, or list server from the drop down menu
5. Click Go.
6. Select the service name from the drop down list.
7. Click Apply to Servers.
8. Select the Server name(s) on which the service is running.
9. In the Override Default Process settings? field, select Yes, if you want to override the process instance values set in Oracle Enterprise Manager. Otherwise, select No.
10. Click OK to commit the changes or Cancel to return to the previous page.

    Note: Applying an existing anti-virus policy to a service, overwrites the policy currently applied to that service.

Anti-Virus with Symantec

The Oracle Email SMTP server and mail store can integrate with the Symantec Anti Virus Scan Engine (SAVSE). This enables Oracle Email to use Symantec's virus knowledge base to detect and cleanse infected messages at the SMTP level and the mail store.

Configuring Oracle Email MTA with Symantec Anti-Virus

1. Navigate to the Oracle Webmail client administration page.
2. Select Policy > Anti-Virus.
3. Select the server on which you want to add anti-virus.
4. Select Inbound Mail or Outbound Mail from the drop down menu.
5. Click Add.
6. Enter a filter name. This should be descriptive name.
7. Select Callout from the Type drop down menu.
8. See Table 5-9 for the appropriate values to enter into the remaining fields.
9. Click Submit.
10. Using Oracle Enterprise Manager, navigate to the SMTP process for which you added the Symantec callout.
11. Select True from the External Filter drop down menu.
12. Click Apply.
13. Stop and Start the SMTP server to make the changes take effect.

    Table 5-9 Symantec C Callout Values

    Parameter	Value
    Name	The descriptive name of the external filter. Oracle Corporation recommends using a descriptive name.
    Location	The IP address of the host and port number where the SAVSE is running
    Library Path	$ORACLE_HOME/oes/lib/libessymantec.so
    When to Call	Message reception for the SMTP inbound server, and relay for the SMTP outbound server.
    Initial Function	essmasymantec_init
    Callback Function	essmasymantec_register_cb
    Scan Function	essmasymantec_scanmsg
    Send Function	essmasymantec_send
    Receive Function	essmasymantec_recv
    Close Function	essmasymantec_close
    Repair	Can be set to Yes or No. If set to Yes, then the callout can send the repaired message back to the server. If it set to No, the server does not read any repaired message back from the callout and rejects the mail if the scanner returns failure.
    Additional Flags	The number 1

Virus Scrubber

The Oracle Email virus scrubber is a server process that scans for and cleans up virus-infected e-mail messages already in the message store. When rapid measures are required to immediately cleanse a system of virus-infected messages, the virus scrubber pre-scans a message store to isolate suspect messages already there based on headers such as subjects or attachment names. Pre-scanning isolates suspect messages so that users are not able to access them and possibly cause damage. Pre-scanning never deletes a message. After pre-scanning, the virus scrubber uses the external scanner to individually scan the isolated messages. A message that is deemed clean or repaired by the virus detection software is restored to its original folder.

Note: Although pre-scanning is a faster way to isolate suspect messages in a message store than scanning all individual messages, it can quarantine clean messages.

If a message is identified as infected and not repairable, the administrator can either delete the message immediately or quarantine it to a special folder for later processing. For example, an infected message can be quarantined to wait for a future release of virus definitions that may be able to repair the message. Oracle Email can be configured to send a message to either the mail recipient or sender notifying them that it was identified as infected. Such notifications are useful to explain to users why their messages disappeared.

The virus scrubber is different from the SMTP based virus scanner that filters out virus-infected messages before they enter the system. The Oracle Email virus scrubber is a necessary complement to the SMTP virus scanner because new types of viruses continue to pop up before virus detection software can be updated to detect and repair them. There's always a possibility that by the time virus software is updated, some infected messages have already entered the system. The virus scanner can be used to retroactively rid the system of such viruses. This message store-based scanner can also be used to scan viruses coming in through a non-SMTP route such as IMAP append.

The Oracle Email virus scrubber and SMTP-based virus scanner rely on external virus detection and cleanup software such as the Symantec AntiVirus Scan Engine. Oracle Collaboration Suite provides interface libraries for third party virus tools to integrate with Oracle Email. The third party virus software must be installed properly for the virus scrubber server to be fully functional.

The virus scrubber can be run as either a daemon process that runs forever or a standalone process that runs once and exit. A typical process configuration may contain one process configured as a daemon that wakes up and scan the message store monthly and another instance configured as a standalone server that can be run on demand.

The virus scrubber log files are located in the following directories:

On UNIX:

$ORACLE_HOME/oes/log/install_name/vs/pid/pid.log

On Windows:

%ORACLE_HOME\oes\log\install_name\vs\pid\pid.log

Configuring the Virus Scrubber Through Oracle Webmail

1. Navigate to the Oracle Webmail client administration page.
2. Select Policy > AntiVirus > Mail Store
3. Select the host name from the drop-down list.
4. Click Go.
5. Select Add.
6. Enter information in the appropriate fields. See table Table 5-9 for field descriptions.
7. Click Apply to Servers.
8. Select the server(s) for which you want to apply virus scanning.
9. Click OK to commit the changes or Cancel to return to the previous page.

   Note: Selecting more than one server to apply the policy to overwrites the old configuration and sets the common configuration for all.

10. Install and configure Oracle Collaboration Suite, Release 2 (9.0.4).
11. Install the Symantec Anti Virus Scan Engine (SAVSE) according to the product installation instructions.
12. Using Oracle Enterprise Manager, navigate to the virus scrubber page.
13. Set the following parameters to the appropriate values:

    Table 5-10 Virus Scrubber Parameters

    Parameter Name	Valid Values	Default Value	Remarks
    Execution Mode	Run Once and Daemon	Daemon	Determines whether the server should run once and exit or stay active in the background forever (also known as the daemon mode). If a process is set to run as a daemon, it sleeps after one round of execution before starting the next round. In Run Once mode, it simply exits after the current task is finished.
    Concurrency Level	A positive number		Specifies the number of messages that should be scanned concurrently. This parameter greatly depends on the third party virus scanner software setup. It is recommended that this parameter be set within the level of concurrency supported by the third party software. For example, if the Oracle Email system is configured to use a Symantec SAVSE server that can handle 1000 concurrent virus scanning requests, the entire Oracle Email system, including the SMTP-based virus scanner, should be configured to submit roughly the same or lower number of concurrent requests to SAVSE, such as 500.
    Pre-Scan	Enabled or Disabled	Enabled	Turns pre-scanning on and off. Turn on Pre-Scan to quickly isolate potential virus messages by header searches. At least one instance of virus scrubber should have pre-scan enabled since message-based scanning does not occur unless messages are first isolated by a pre-scan operation.
    Pre-Scan filter	String		String containing the search criteria to be used to pre-scan messages. Search filters are specified using the IMAP search command syntax. Refer to RFC 2060 for details of valid search clauses. For example, a search on all messages from acme.com with a subject "Snow White" uses the filter string 'SUBJECT "Snow White" FROM acme.com'.
    Repair Mode	Direct or Quarantine	Direct	Specifies how to deal with messages identified by the scanner as infected or not repairable. Direct causes the server to remove the message directly. Quarantine causes the server to move the message to a special folder defined by the Quarantine Folder parameter and owned by Quarantine User. If repair mode is not specified, the default is direct. If Quarantine User or Quarantine Folder is not specified, but Repair Mode is set to "quarantine," then it is an error. The server stops processing messages until the error is corrected.
    Quarantine User	String	None	Identifies the owner of the Quarantine Folder into which quarantined messages should be moved. Typically this is a user account belonging to an administrator or a dedicated e-mail account for holding infected messages. If Quarantine User or Quarantine Folder is not specified, but Repair Mode is set to "quarantine," then it is an error. The server stops processing messages until the error is corrected.
    Quarantine Folder	String	None	Specifies the folder into which quarantined messages should be moved. This folder must already exist under the Quarantine User account. If Quarantine User or Quarantine Folder is not specified, but Repair Mode is set to "quarantine," then it is an error. The server stops processing messages until the error is corrected.
    Sender Notification	Text String	None	Contains the notification message body that the server should send to the sender of any virus-infected message. If this parameter is not set, no notification message is sent.
    Recipient Notification	Text String	None	Contains the notification message body that the server should send to the recipients of any virus-infected message. If this parameter is not set, no notification message is sent.
    Process Sleep Duration	Positive Number	None	The amount of time, in minutes, the virus scrubber should run before sleeping. The virus scrubber always completes scrubbing the mail store before sleeping.

14. Click Apply.
15. Restart the virus scrubber.

Command-line

To run the virus scrubber, use oesctl startup with a service type of vs.

oesctl startup target | instance

For the virus scrubber, the syntax for target is

hostname:um_system:service_type

where hostname is the name of the server on which the process should run service_type vs

The syntax of instance is target:instance_ID

where instance_id is a number assigned to an instance when it is created. These numbers are selected automatically at instance creation time. Instance numbers cannot be configured by administrators.

Example 1

To start the virus scrubber for all registered processes for the server named Acme, enter the following command:

oesctl startup acme:um_system:vs

Example 2

To start the virus scrubber for the process with ID 104750025197124824 on the server named Acme, enter the following command:

oesctrl startup acme:um_system:vs:104750025197124824

See Also: Chapter 8, "Command Line Interface" for more information on oesctl

Virus Scanning and Removal through PL/SQL Scripts

E-mail viruses typically have the form of an executable program, such as an e-mail attachment. The program is executed on the client machine when the attachment is opened by an unsuspecting user, causing various forms of damage to the computer or the network. Oracle Email provides several different tools of virus protection, each of them suited for a different type of administration requirement.

The Oracle Email server SMTP inbound process provides integration with third party virus scanning software to scan each message that passes through the SMTP server. The server rejects the message upon arrival, preventing the virus e-mail from entering the email system.

If third party virus scanning software is not available, Oracle Email server can still reject virus messages using server side rules. Server side rules reject incoming messages based on suspicious subject lines, attachment names or sender information.

See Also: Chapter 8, "Command Line Interface" for more information on how to create system wide rules using OESRL

If there is a virus outbreak before the SMTP server has a chance to upgrade itself to use the latest third party software, then some virus e-mail messages are already present in user's mailbox. The Oracle Email virus scrubber process can be used to scan the entire message store, repair or remove virus e-mail messages once the third party software is upgraded to date.

Oracle Email has a simple PL/SQL utility package MAIL_AV that scans the message store based on simple message attributes such as subject line and attachment names. To use this package, one simply writes a SQLPLUS script that uses this package or execute procedures in this package directly from SQLPLUS.

See Also: Chapter 8, "Command Line Interface" for more information on how to create system wide rules using OESCTL

Usage Examples

The following are summaries and usage examples for the procedures in the MAIL_AV package:

Quarantine

The quarantine procedure has the following syntax:

PROCEDURE quarantine (p_endday IN DATE,
                      p_dayrange IN NUMBER,
                      p_attribute IN NUMBER,
                      p_pattern IN VARCHAR2,
                      p_folder IN VARCHAR2);

The quarantine procedure identifies virus messages using a given pattern and moves them to a designated folder. The caller of the procedure must have write authorization to the folder. Authentication is done by using MAIL_SESSION package.

See Also: Oracle Email Application Developer's Guide for more information

The p_endday and p_dayrange parameters can be used to narrow down the virus search to within certain time frame. The p_attribute parameters takes one of the following three values:

MAIL_AV.ATTR_SUBJECT 
MAIL_AV.ATTR_ATTACHMENT 
MAIL_AV.ATTR_SENDER

The p_pattern parameter is the identifying string for the virus. The p_folder parameter is the designated folder name to which virus-infected messages are moved.

The following example logs in as user SYSADMIN, and scans the whole mail server for messages with an attachment name containing.exe within the last seven days, and moves them to the /infected folder.

declare
  sessionid number;
begin
  mail_session.login('sysadmin', <password>, <ldaphost>, sessionid);
    mail_av.quarantine(sysdate, 7, mail_av.attr_attachment, '.exe', 
'/sysadmin/infected');
end;
/

Quarantine II

The Quarantine procedure can take on the following format enabling IMAP style search criteria:

 
PROCEDURE quarantine (p_criteria IN VARCHAR2,
                       p_folder IN VARCHAR2);

This quarantine procedure form identifies virus messages using an IMAP style search criteria for enhanced searching. All IMAP search commands are supported. The advantage of using this procedure not only includes the expanded list of search item, but also the ability to combine search criteria using logical operations such as "and" or "or."

See Also: Internet RFC 2060: Internet Message Access Protocol, version 4, rev 1, for more information on IMAP search commands

Use the new form of quarantine procedure, the following script identifies and moves messages with subject "snow white" and from acme.com, that's also sent since January 2002:

declare
    sessionid number;
begin
    mail_session.login('sysadmin', <password>, <ldaphost>, sessionid);
    mail_av.quarantine('SINCE 01-Jan-2002 SUBJECT "snow white" SENDER 
"aol.com"', '/sysadmin/infected');
end;
/

Restore

There are two procedures to restore quarantined messages back to their original folders:

PROCEDURE restore (p_messageid IN NUMBER);
PROCEDURE restoreall;

The restore procedure takes a given message ID and restore it back to its original folder. If the message ID does not exist, the procedure does nothing. The restoreall procedure restores all messages quarantined regardless which designated folders are used to store the messages. These procedures are useful when a message is wrongly identified as a virus message and must be restored back to its recipients.