
MXtreme Frequently Asked Questions (FAQ)

Where can I get an evaluation unit of the BorderWare MXtreme or the new Security Platform Appliance?

All appliances can be requested for project evaluation. Depending on the size and location of the evaluation, we recommend also asking for on-site technical support from one of our BorderWare certified support engineers:

Cetus-IT Secure GmbH
Triesterstrasse 14 / Top 001
A-2351 Wiener Neudorf
www.cetus-it.com
www.borderware.at

Contact: Michael Kohl
Mobile: +43(0)699 18330160
Tel: +43(0)2236 860766 / Fax DW-35
miko@cetus-it.com

Why does the full report show one Webmail session as constantly active?

The console constantly logs in, and that is also counted as a session in reports.

login: login on ttyv1 as console

Why does the log search only show the last 24 hours?

By default the search will only apply to the last 24 hours of logs. Use the Advanced Search and modify the specific time period to search for old mail entries.

Why isn't TOC release behavior taking place correctly?

Check what kind of anti-virus scanning is in place.

TOC will only release a message after the hold period has expired and a successful Kaspersky pattern update has occurred.

**Currently there is only support for Kaspersky and not McAfee with TOC release actions.**

How can I send administrative notifications to multiple recipients?

To complete this you'll have to create an alias for admin.

1. Go to 'Mail Delivery > Mail Aliases'.
2. Click 'Add'.
3. Under the 'Alias Name', type 'admin' only. You cannot add the domain to the mail alias.
4. In the address section, add the desired email addresses to the alias list. To add more email addresses click the 'Add More Addresses' button.
5. Go to 'Basic Config > Admin Account'.
6. In the 'Forward email to:' field, type 'admin@domain.com'.

Can the BorderWare appliance support the use of a USB keyboard at boot time and on the console?

Yes, the BorderWare appliance supports the use of a USB keyboard. If you are having problems with support for your keyboard please see the steps below to ensure the correct settings are enabled on your appliance:

Please note that a USB-based keyboard will work for getting into the BIOS menu by hitting the "DEL" key even if the USB controller is turned off.

To ensure full USB keyboard support while booting the BorderWare software and in console mode:

Step 1. Hit the "DEL" key during the BIOS boot sequence to enter the BIOS configuration menu.

Step 2. Under the "Advanced" menu, select "Advanced Chipset Control" menu.

Step 3. Enable both the "USB Controller" option and the "USB Legacy Support" option.

Step 4. Hit "F10" and say "Y" to save the configuration and reboot.

A USB Keyboard will now be supported while using the BorderWare software console and during the appliance boot.

How much logging data is kept for online viewing?

BSP 7.1 will keep logs for a specific amount of time depending on the log:

Mail logs: 8 days
IM proxy logs: 8 days
HTTP proxy logs: 8 days
Kernel messages: 2 weeks
System messages: 2 weeks
Authentication logs: 2 weeks
Web server logs: 2 weeks

Verbose Logging for Policy exists in 6.x but where is that functionality in 7.x?

The functionality for Verbose Logging is still present in 7.x, but it has been renamed and moved to another location in the UI. You will find it under: Activity->Status and Utility->Policy Trace

When turned on, this option will show you enhanced Policy logging in the mail log needed to debug policy issues:

Aug 7 21:36:05 Mxblue postfix/cleanup[15975]: 20D7FBC11W: policy_recipient=, policy_user= (remote =F), domain_policy=<0:>, group_policy=<0:>, group_name=<>, user_policy=<4:anthonytest> default_policy=<1:Default>
Aug 7 21:36:08 Mxblue postfix/cleanup[15975]: 20D7FBC11W: PBMF rule=1, policy_id=4 triggered

How can I "reset" my Outlook Junk mail filtering preferences?

There is a wonderful article articulating how to manually reset Outlook 2003 Junk Mail Filtering Rules, including step-by-step screenshots:

http://www.exchangeinbox.com/articles/042/junkfix.htm

I have UBQ enabled, so the MXtreme can accept mail for user@fqdn - however, I don't want to accept any mail to the regular inbox for these users, how can I do that?

We need to create two PBMFs: one to reject any messages where the envelope-to is the FQDN of the MXtreme, and one with a higher priority to accept mail from 127.0.0.1. This is to allow for mail to be directed to the spam quarantine and also for notifications (i.e.: from quarantined messages). Here's an example:

1. All mail -- Client IP -- matches -- 127.0.0.1 -- High -- Accept
2. All mail -- Envelope-to -- contains -- mx1.mailhost.com -- Medium -- Reject

What are the different BSN Scores and their importance?

For example:

bsn ip=203.101.80.59, bsn=ipdns.borderware.com, reputation=89, certainty=2, spamminess=53, infected=0, harvester=0, dnsbl_count=2, dul=0, scam=0

Here are the different checks going on:

1. Reputation: proprietary BSN reputation, including reputation gained by DNS Block Lists used for connection rejects.
2. Dnsbls: indicates the number of BorderWare DNS Block Lists that this IP is also seen on.
3. Certainty/scam/infected/harvester: not relevant checks; functionality in future development.
4. spamminess=53: proprietary BSN reputation, not including reputation gained by DNS Block List used in Intercept.
5. BSN Web Site shows Spam: 76.22%: when you see Spam: 76% on bsn.borderware.com, you are looking at BSN website statistics that show what percentage of reports on this IP report it as having sent spam.
6. dul: indicates that the IP address analyzed is a dial-up IP address.
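
A small parser for the `bsn ip=...` entry shown above, as an added example (not BorderWare code). It keeps the fields the list describes as meaningful and names the ones it marks as not relevant. The second sample line is constructed, and reading `dul=1` as "dial-up" is an assumption.

```python
# Fields the FAQ entry above marks as not yet relevant.
NOT_RELEVANT = ("certainty", "scam", "infected", "harvester")

LOG_SAMPLE = [
    # Entry quoted on this page.
    "bsn ip=203.101.80.59, bsn=ipdns.borderware.com, reputation=89, certainty=2, "
    "spamminess=53, infected=0, harvester=0, dnsbl_count=2, dul=0, scam=0",
    # Constructed entry (documentation address) with the dial-up flag set.
    "bsn ip=192.0.2.77, bsn=ipdns.borderware.com, reputation=40, certainty=0, "
    "spamminess=12, infected=0, harvester=0, dnsbl_count=0, dul=1, scam=0",
    # Unrelated line quoted elsewhere on this page; must be skipped.
    "May 17 10:10:02 Mxblue dnsstatus: ubl server multi.surbl.org failed to respond.",
]


def parse_bsn(line):
    """Parse one 'bsn ip=...' entry into a dict; return None if the line has none."""
    start = line.find("bsn ip=")
    if start < 0:
        return None
    fields = {}
    for pair in line[start + len("bsn "):].split(","):
        key, sep, value = pair.strip().partition("=")
        if not sep or not key:
            continue  # tolerate a trailing comma or a truncated pair
        fields[key] = int(value) if value.isdigit() else value
    return fields


def summarise(fields):
    """Keep the meaningful fields and list the ones that were set aside."""
    return {
        "ip": fields.get("ip"),
        "reputation": fields.get("reputation"),
        "spamminess": fields.get("spamminess"),
        "dnsbl_count": fields.get("dnsbl_count"),
        # Assumption: dul=1 marks a dial-up address, dul=0 does not.
        "dial_up": fields.get("dul") == 1,
        "ignored": [k for k in NOT_RELEVANT if k in fields],
    }


def scan(lines):
    """Summarise every bsn entry found in an iterable of log lines."""
    parsed = (parse_bsn(line) for line in lines)
    return [summarise(f) for f in parsed if f is not None]


if __name__ == "__main__":
    for row in scan(LOG_SAMPLE):
        print(row)
```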

When restoring from 6.X to 7.X version of the BorderWare Security Platform why am I unable to restore my reporting data?

The reporting data format has been changed in the new release of the BorderWare Security Platform from the previous version of the MXtreme 6.X. Since the format of the reporting data has been changed you will be unable to restore this information to the Borderware Security Platform 7.X. We recommend that if you would like to keep the reports from the previous version then you should save a copy of the report to another local system.

What customized features will be overwritten when restoring from version 6.X to 7.X of the BorderWare Security Platform?

When restoring a backup from the 6.X version to the 7.X version of the BorderWare Security Platform, the Received header setting will be overwritten with "BorderWare Security Platform", replacing its previous value. This setting can be reconfigured by going to Mail > Mail Delivery > Advanced and changing the Received header setting (advanced).

SPAM is not being moved to the junk mail folder using Action code mapping.

If you are using the “SCL mapping rule” “Action Code”, check the mail headers of the email that wasn't sorted correctly and see whether it carries the proper headers:

• X-BTI-AntiSpamCode: certainly — The message has been classified as "Certainly Spam".
• X-BTI-AntiSpamCode: probably — The message has been classified as "Probably Spam".
• X-BTI-AntiSpamCode: maybe — The message has been classified as "Maybe Spam".
• X-BTI-AntiSpamCode: none — No spam classification has been determined for this message and it is considered legitimate mail.

When using the “Action Code” SCL mapping please make sure that under “Intercept Actions” “Add Anti-SPAM Headers” is enabled, every desired “Anti-SPAM Action” is set to “Add header” and “Action Data” is left blank. The MXtreme will automatically add the correct X-BTI-AntiSpamCode header.

If you are using MIPE with policy, make sure that “Action Data” remains empty and “Define” check-box is checked or manually add the correct X-BTI-AntiSPAMCode string.

DNSBL servers used as UBL servers generate dnsstatus alarms.

Update 3 for MX6.5 introduced dnsbl and ubl failover in the event that the dnsbl or ubl domain is unavailable. Some DNSBL type servers used as UBLs cannot be monitored in this release. These UBL servers are still functional but an alarm will be generated every 900 seconds.

May 17 10:10:02 Mxblue dnsstatus: ubl server dnsbl1.dnsbl.borderware.com failed to respond.

If the MXtreme is currently using one of these servers it is recommended to use the "ignore" option. "Alternate" mode cannot be used in this release.

The alarms can be suppressed by disabling "Serious" alarms from Basic Config -> Alarms.

Some SURBL servers generate dnsstatus alarms.

Update 3 for MX6.5 introduced dnsbl and ubl failover in the event that the dnsbl or ubl domain is unavailable. Some SURBL type UBL servers cannot be monitored in this release. These UBL servers are still functional but an alarm will be generated every 900 seconds.

May 17 10:10:02 Mxblue dnsstatus: ubl server multi.surbl.org failed to respond.

If the MXtreme is currently using one of these servers it is recommended to use the "ignore" option. "Alternate" mode cannot be used in this release.

The alarms can be suppressed by disabling "Serious" alarms from Basic Config -> Alarms.

How to add a private root CA certificate for TLS?

You must contact technical support with support access enabled. Support access is required to add the root CA certificate to the CA bundle for proper signing and verification of messages.

Why do my reports contain no data?

Verify that the Start and End time are not identical in the event that triggers the report.

Does a USB keyboard work on the MXtreme?

Yes. To get the USB keyboard to work at the initial boot up screen, you must go into the BIOS and enable USB legacy support. Also, ensure that the USB controller and USB 2.0 controller are also enabled.

How to identify if MXtreme was installed using the 6.5.2 image.

Version 6.5.2 is a release that contains MX6.5 with Update 1 and Update 2 pre-installed. To tell whether the MXtreme has the 6.5.2 image, go to Status/Reporting -> Status & Utility. The version number is at the bottom of the page.

Version string for the MX6.5.2 image
VERSION="6.5.2" EAL4_VERSION="BTI-MX652-090407" BW6_VERSION="8.00 Global"

Version string for MX6.5.
VERSION="6.5" EAL4_VERSION="BTI-MX65-011106" BW6_VERSION="8.00 Global"

What does untrusted=1 mean?
Apr 26 12:09:12 mail postfix/smtpd[xxxxx]: xxxxxxxxxx: client=unknown[xxx.xxx.xxx.xxx] untrusted=1

This means that the source was not Trusted. If the 1 was replaced with 0, then the source was Trusted.

What are the specific alarm states of the MXtreme and Infinity products?

MXtreme 5.x/6.x:

Serious - FTP Backup: FTP Backup Failed [error message]
Serious - Clustering: Cluster Error connecting to host [member address]
Serious - Clustering: Cluster Error writing to host [member address]
Serious - Clustering: Cluster Error closing socket for host [member address]
Serious - Clustering: Cluster Error Connection to database
Serious - Clustering: Cluster Error query failed: [query error message]
Serious - Clustering: Cluster replication Error opening configuration file [file error]
Serious - Clustering: Error loading cluster configuration file
Serious - Clustering: Cluster Error loading command at [location in configuration file]

Serious - LDAP Import: LDAP import, Import of groups failed
Serious - LDAP Import: LDAP import, Import of users failed
Serious - LDAP Import: LDAP failed to download users, groups
Critical - LDAP Lookup: LDAP lookup failed during delivery
Critical - LDAP Lookup: LDAP lookup: Unable to bind to server
Critical - LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server

Critical - Queue Replication: Cannot connect to mirror
Serious - dccstat: Excessive DCC failures

Infinity (7.x):

Serious - FTP Backup: FTP Backup Failed [error message]
Serious - SFTP Backup: SFTP Backup Failed [error message] (yet to be implemented?)
Serious - SCP Backup: SCP Backup Failed [error message]

Serious - LDAP Import: LDAP import, Import of groups failed
Serious - LDAP Import: LDAP import, Import of users failed
Serious - LDAP Import: LDAP failed to download users, groups

Critical - LDAP Lookup: LDAP lookup failed during delivery
Critical - LDAP Lookup: LDAP lookup: Unable to bind to server
Critical - LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server
Critical - Queue Replication: Cannot connect to mirror
Critical - kav_pattern_update: No available update servers

Serious - mxlogging: could not rollover/offload some files. Please see details in 'messages'
Serious - mxlogging: generic error message

Critical - incoming_queue_monitor: Incoming queue size exceeded the upper limit. SMTPDs reject new requests temporarily.

Serious - dccstat: Excessive DCC failures

If I want to upload "Trusted and Blocked List" under "Bulk Analysis" settings, what is the proper format?

You would need to create a text file using the following values and "tab" as the delimiter:
count values: ok, ok2 and many
type values: ip, env_to, from, sender, received, message-id and env_from

Example:
many      ip          xxx.xxx.xxx.xxx
ok2       env_to      env-to@ok2.com
ok        from        from@ok.com
many      sender      sender@sender.com
many      received    received@many.com
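
A pre-upload check for a file in the format described above, as an added example (not BorderWare code). The count and type values come from this FAQ entry; the sample data is constructed. Treating the values as case-sensitive, expecting a single address for `ip`, and flagging the same entry listed under two different counts are assumptions.

```python
import ipaddress

# Allowed values exactly as listed in the FAQ entry above.
COUNT_VALUES = {"ok", "ok2", "many"}
TYPE_VALUES = {"ip", "env_to", "from", "sender", "received", "message-id", "env_from"}

# Constructed sample: lines 1-2 are valid, lines 3-6 each show one mistake.
SAMPLE = (
    "many\tip\t192.0.2.25\n"
    "ok2\tenv_to\tenv-to@ok2.com\n"
    "ok      from          from@ok.com\n"      # spaces instead of tabs
    "bulk\tsender\tsender@sender.com\n"        # count value not in the list
    "many\tip\t999.1.1.1\n"                    # not an IP address
    "ok\tip\t192.0.2.25\n"                     # same entry as line 1, other count
)


def validate_list(text):
    """Validate a Trusted and Blocked list before upload.

    Returns (entries, errors): entries are (count, type, value) tuples that
    passed every check, errors are (line_number, message) tuples.
    """
    entries, errors, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # assumption: blank lines carry no entry
        fields = line.split("\t")
        if len(fields) != 3:
            hint = " (spaces are not a delimiter)" if "\t" not in line else ""
            errors.append(
                (lineno, f"expected 3 tab-separated fields, found {len(fields)}{hint}")
            )
            continue
        if any(not f or f != f.strip() for f in fields):
            errors.append((lineno, "empty field or stray whitespace around a field"))
            continue
        count, kind, value = fields
        if count not in COUNT_VALUES:
            errors.append((lineno, f"unknown count value {count!r}"))
            continue
        if kind not in TYPE_VALUES:
            errors.append((lineno, f"unknown type value {kind!r}"))
            continue
        if kind == "ip":
            # Assumption: the value is a single IPv4 or IPv6 address.
            try:
                ipaddress.ip_address(value)
            except ValueError:
                errors.append((lineno, f"{value!r} is not a valid IP address"))
                continue
        key = (kind, value.lower())
        if key in seen and seen[key][0] != count:
            first_count, first_line = seen[key]
            errors.append((lineno, f"conflicts with line {first_line} ({first_count})"))
            continue
        seen.setdefault(key, (count, lineno))
        entries.append((count, kind, value))
    return entries, errors


if __name__ == "__main__":
    good, bad = validate_list(SAMPLE)
    print(f"{len(good)} valid entries")
    for lineno, message in bad:
        print(f"line {lineno}: {message}")
```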

Hardware Specifications for MX 800 and MX 1000.

MXtreme MX-800 Hardware Specifications

Model Number
• SYS-G-BRD200-MX800

Processor (CPU)
• One Intel Xeon 3.2 GHz, 1 MB L2 cache, 800 MHz FSB

Random Access Memory (RAM)
• 2 GB RAM

Dimensions
• Form Factor: 2U rack mount
• Height: 3.5 in. (88 mm)
• Width: 16.7 in. (424 mm)
• Depth: 25.7 in. (652 mm)

Weight
• Net as configured: 62 lb. (28 kg)
• Packaged for shipment: 68 lb. (31 kg)

Storage (Hard Disk Drives)
• Four hot-swap 73 GB ULTRA-320 SCSI HDD
• RAID 10

LAN Controllers
• Four Gigabit Ethernet controllers

Front Panel
• One four button LCD
• One 3.5 in. 1.44 MB floppy disk drive
• One CD-ROM drive

Back Panel I/O Ports
• Stacked PS/2 keyboard and mouse ports, Two stacked USB 2.0 ports, One 9-pin serial port, One 15-pin VGA port with ATI Rage XL SVGA 8MB PCI video controller, One parallel 25 pin D-Sub (DB-25) port, Four RJ45 LAN ports

Motherboard & Chipset
• Supermicro
• Intel E7520 Chipset

Power Supply
• Two hot-swap 500 W, 100~240 VAC auto-switching
• Input Voltage: 100~240 VAC, 50~60 Hz, 10~5 A

BTU Rating
• Max Heat output 2731 BTU/hr

Operating Environment
• Operating Temperature Range: 0 to 35°C (32 to 95°F)
• Non-Operating Temperature Range: -40 to 70°C (-40 to 158°F)
• Humidity Range: 8 to 90% non-condensing
• Non-Operating Humidity Range: 5 to 95% non-condensing

Regulatory
• RoHS compliant
• USA – UL listed, FCC
• Canada – CUL listed
• Germany – TUV certified
• Europe – CE Mark
• EN 60950/IEC 60950-Compliant
• Australia, New Zealand – C-Tick

------------------------------------------------------

MXtreme MX-1000 Hardware Specifications

Model Number
• SYS-G-BRD400-MX1000

Processor (CPU)
• Two Intel Xeon 3.2 GHz, 1 MB L2 cache, 800 MHz FSB

Random Access Memory (RAM)
• 2 GB RAM

Dimensions
• Form Factor: 2U rack mount
• Height: 3.5 in. (88 mm)
• Width: 16.7 in. (424 mm)
• Depth: 25.7 in. (652 mm)

Weight
• Net as configured: 62 lb. (28 kg)
• Packaged for shipment: 68 lb. (31 kg)

Storage (Hard Disk Drives)
• Four hot-swap 73 GB ULTRA-320 SCSI HDD
• RAID 10

LAN Controllers
• Four Gigabit Ethernet controllers

Front Panel
• One four button LCD
• One 3.5 in. 1.44 MB floppy disk drive
• One CD-ROM drive

Back Panel I/O Ports
• Stacked PS/2 keyboard and mouse ports, Two stacked USB 2.0 ports, One 9-pin serial port, One 15-pin VGA port with ATI Rage XL SVGA 8MB PCI video controller, One parallel 25 pin D-Sub (DB-25) port, Four RJ45 LAN ports

Motherboard & Chipset
• Supermicro
• Intel E7520 Chipset

Power Supply
• Two hot-swap 500 W, 100~240 VAC auto-switching
• Input Voltage: 100~240 VAC, 50~60 Hz, 10~5 A

BTU Rating
• Max Heat output 2731 BTU/hr

Operating Environment
• Operating Temperature Range: 0 to 35°C (32 to 95°F)
• Non-Operating Temperature Range: -40 to 70°C (-40 to 158°F)
• Humidity Range: 8 to 90% non-condensing
• Non-Operating Humidity Range: 5 to 95% non-condensing

Regulatory
• RoHS compliant
• USA – UL listed, FCC
• Canada – CUL listed
• Germany – TUV certified
• Europe – CE Mark
• EN 60950/IEC 60950-Compliant
• Australia, New Zealand – C-Tick

Hardware Specifications for MX 400.

MXtreme MX-400 Hardware Specifications

Model Number
• SYS-G-BRD100-MX400

Processor (CPU)
• One Intel Xeon 2.4 GHz, 1 MB L2 cache, 533 MHz FSB

Random Access Memory (RAM)
• 1 GB RAM

Dimensions
• Form Factor: 1U rack mount
• Height: 1.7 in. (43 mm)
• Width: 16.7 in. (424 mm)
• Depth: 25.6 in. (650 mm)

Weight
• Net as configured: 37 lb. (17 kg)
• Packaged for shipment: 40 lb. (18 kg)

Storage (Hard Disk Drives)
• Two cold-swap 160 GB EIDE
• RAID 1

LAN Controllers
• Three Gigabit Ethernet controllers

Front Panel
• One four button LCD
• One 3.5 in. 1.44 MB floppy disk drive
• One CD-ROM drive

Back Panel I/O Ports
• PS/2 keyboard and mouse connectors, Two stacked USB 2.0 ports, One 9-pin serial port, Three RJ45 LAN ports, One 15-pin VGA port with ATI Rage XL SVGA 8MB PCI video controller

Motherboard & Chipset
• Supermicro
• Intel E7501 Chipset

Power Supply
• One fixed 420W, 100~240 VAC auto-switching
• Input Voltage: 100~240 VAC, 50~60 Hz, 7~4 A

BTU Rating
• Max Heat output 2295 BTU/hr

Operating Environment
• Operating Temperature Range: 10 to 35°C (50 to 95°F)
• Non-Operating Temperature Range: -40 to 70°C (-40 to 158°F)
• Humidity Range: 8 to 90% non-condensing
• Non-Operating Humidity Range: 5 to 95% non-condensing

Regulatory
• RoHS compliant
• USA – UL listed, FCC
• Canada – CUL listed
• Germany – TUV certified
• Europe – CE Mark
• EN 60950/IEC 60950-Compliant
• Australia, New Zealand – C-Tick

Hardware specifications for MX 200.

MXtreme MX-200G Hardware Specifications

Model Number
• BRDW_MX-200G
Processor (CPU)
• One Intel Celeron D 2.80 GHz, 256 K L2 cache, 533 MHz FSB
Random Access Memory (RAM)
• 512 MB RAM
Dimensions
• Form Factor: 1U rack mount
• Height: 1.7 in. (43 mm)
• Width: 16.8 in. (427 mm)
• Depth: 14 in. (356 mm)
Weight
• Net: 12.3 lbs. (6 kg)
• Packaged: 16.6 lbs. (7.5 kg)
Storage (Hard Disk Drives)
• One fixed 80 GB IDE
LAN Controllers
• Two Gigabit Ethernet ports
Front Panel
• LEDs (L~R): System Overheat, LAN, LAN, HDD, Power
• Buttons (L~R): Reset, Power On/Off
Back Panel I/O Ports
• Two USB 2.0 / 1.1 ports, Two Fast UART 16550 serial ports, One VGA Port with ATI RageXL 8MB PCI Graphic Controller, One ECP/EEP Parallel Port, Two RJ45 LAN Ports, One PS/2 keyboard port, One PS/2 mouse port
Motherboard & Chipset
• Supermicro
• Intel E7210 Chipset
Power Supply
• One fixed 260 W, 100~240 VAC auto-switching
• Input Voltage: 100~240V, 50~60Hz, 5 A
BTU Rating
• Max Heat Output 1370 BTU/hr
Operating Environment
• Operating Temperature Range: 10 to 35°C (50 to 95°F)
• Non-Operating Temperature Range: -40 to +70°C (-40 to 158°F)
• Humidity Range: 8 to 90% non-condensing
• Non-Operating Humidity Range: 5 to 95% non-condensing
Regulatory
• RoHS compliant
• USA – UL listed, FCC
• Canada – CUL listed
• Germany – TUV certified
• Europe – CE Mark
• EN 60950/IEC 60950-Compliant
• Australia, New Zealand – C-Tick

What is the maximum supported number of Local Account or User based Quarantine accounts for MX200, MX400, MX800 and MX1000?

All platforms support up to 32,000 accounts.

Why are .odt (Microsoft 2007 document format) attachments detected as .zip?

The .ODT attachment is formatted as XML in a ZIP wrapper, so attachment scanning detects it as a .zip.

Basically, it is an archived file type. Known MIME types for .ODT are:

application/vnd.oasis.opendocument.text
application/x-vnd.oasis.opendocument.text

A workaround for this is to uncheck scanning on .odt file attachments: Mail Delivery > Content Management > Attachment Control

Exporting multiple .csv reporting data to create long reports

In Excel it's pretty simple to import all the .csv reports into a single workbook.

To get the sum across multiple worksheets, use this formula:

=SUM(Sheet1:Sheet3!B3)

You only need to enter the formula once, then copy and paste it into the other cells in the summary worksheet.

Here is an article that provides a sample:

http://office.microsoft.com/en-us/help/HA010429191033.aspx

Sum the value of a cell across multiple worksheets
Another common Excel task is to sum the value of a cell in multiple worksheets and then display the result in another cell. For example, you may want to sum the number of a particular product that customers have ordered over a period of time, such as by quarterly periods. If worksheets are formatted in the same way for each period, the total sales for the product always appears in the same cell in each worksheet.

Finding the sum in this situation is simple. You can use a formula:

1. Start Excel. A new, blank workbook appears.
2. In cell B3 in Sheet1, type *20*.
3. In cell B3 in both Sheet2 and Sheet3, type *30*.
4. In cell A1 in Sheet1, type the following formula:
=SUM(Sheet1:Sheet3!B3)
5. Press ENTER. Notice that cell A1 displays *80*, which is the total sum of the cells in the three worksheets.

If I have McAfee and Kaspersky enabled on the MXtreme, which one scans first?

They actually scan the message at the same time. If either one detects a virus the message will be blocked.

Blackberry.net activation messages are being blocked by Threat Outbreak Control.

One of the characteristics that Threat Outbreak Control uses to determine whether a message indicates an early virus threat is that it is a Bulk email containing an executable file or common office document.

Blackberry.net activation messages are flagged as Bulk and contain an executable attachment (ETP.DAT), therefore the message will be blocked.

The best way to prevent TOC from triggering on these emails is to whitelist the blackberry.net mail servers in Bulk Analysis. Here are the current blackberry.net mail servers:

mx17.blackberry.net.
mx18.blackberry.net.
SMTPRelay11.na.blackberry.net.
SMTPRelay12.na.blackberry.net.
SMTPRelay13.na.blackberry.net.
SMTPRelay14.na.blackberry.net.
SMTPRelay01.na.blackberry.net.
SMTPRelay02.na.blackberry.net.
SMTPRelay03.na.blackberry.net.

To do so, go to Mail Delivery > Anti-Spam > Intercept > Bulk Analysis > Trusted and Blocked > Add.

I'm seeing
Apr 5 11:00:01 Mxblue newsyslog[56787]: logfile turned over due to size>1K

The MXtreme will roll over all logs every hour on the hour.

Need instructions on Rebuilding Array for MX 400.

The MX-400 and SG-400 (the 1U platform products) use the Promise TX2000 RAID card. The drives are cabled as follows:
- The left-hand drive bay is the slave drive on the primary bus.
- The middle drive bay is the master drive on the primary bus.
- The rightmost drive bay has no drive.

Important Note:
The silver top of the MX-400 must be removed to change hard drives. The IDE and power cables are not hard mounted inside the MX-400. If these cables are not manually removed and the HDD is pulled from the HDD carriage, the cables can be damaged.

How to identify which drive has failed.
1. During reboot press Ctrl + F at the prompt to enter the RAID BIOS.
2. Go to option 3, "Define Array".
3. Highlight Array 1 and hit Enter.
4. Under the drive assignments heading, you will see something like the following:

Channel:ID   Drive Model      Capacity (MB)
1:Mas        Maxtor 6E04L0    41110
?:?          Failed or disconnected

Note: In the above scenario the Slave drive has failed.

There are three scenarios that can occur when a RAID array degrades on an MX-400:

1. An HDD is not seen in the RAID BIOS
- Example: only 1 drive shows in the RAID BIOS under option 2, "View Drive Assignments".
2. An HDD fell out of the Array
- Example: in the RAID BIOS, option 2, "View Drive Assignments", will look like the following:

Channel:ID   Drive Model      Capacity (MB)   Assignment   Mode
1:Mas        Maxtor 6E04L0    41110           Array 1      U6
2:SLA        Maxtor 6E04L0    41110           Free         U6

3. An HDD fell out of Array 1 and created Array 2
- Example: in the RAID BIOS, option 2, "View Drive Assignments", will look like the following:

Channel:ID   Drive Model      Capacity (MB)   Assignment   Mode
1:Mas        Maxtor 6E04L0    41110           Array 1      U6
2:SLA        Maxtor 6E04L0    41110           Free         U6

Scenario 1. An HDD is not seen in the RAID BIOS
1. Take note of what HDD is in Array 1 from the RAID BIOS option 2, "View Drive Assignments". Do not delete Array 1 or remove the reserve bit from the drive in Array 1.
example below shows Mas Maxtor as the HDD in Array 1.
2. Proceed with RMA.
3. When the new drive is received, go to step 4, Rebuilding array.

Scenario 2. An HDD fell out of the Array
1. Take note of what HDD is in Array 1. Do not delete Array 1 or remove the reserve bit from the drive in Array 1.
2. Select the Free drive that is not in Array 1
3. Press Alt-F1 then Ctrl-Tab (This will allow you to erase the reserve bit on the hard drive)
4. Select "y" when prompted
5. Hit Esc to exit the menu (this will also reboot the MXtreme)
6. Hit Ctrl-F when prompted to enter the RAID BIOS
7. Select option 5 (Rebuild Array)
8. Select Array 1 and hit Enter
9. Select the available drive and hit enter
10. Drive will be imaged and added to the array

Scenario 3. An HDD fell out of Array 1 and created Array 2
1. Take note of what HDD is in Array 1. Do not delete Array 1 or remove the reserve bit from the drive in Array 1.
2. Select the drive that is not in Array 1
3. Press Alt-F1 then Ctrl-Tab (This will allow you to erase the reserve bit on the hard drive)
4. Select "y" when prompted
5. Hit Esc to exit the menu (this will also reboot the MXtreme)
6. Hit Ctrl-F when prompted to enter the RAID BIOS
7. Select option 5 (Rebuild Array)
8. Select Array 1 and hit Enter
9. Select the available drive and hit enter
10. Drive will be imaged and added to the array

I am using just STA/Token Analysis and getting lots of spam, but my STA is not training. Why?

Make sure to have at least one other STA-training Intercept feature enabled, such as URLBL, DCC/Bulk, BSN, etc. Otherwise, STA will not train.

When licensing the MXtreme or any add-on license, why am I getting an "Invalid license" error?

Sometimes when you are activating any type of license for the MXtreme you may get the error "Invalid serial number."

This most likely happens because you are copying and pasting the serial numbers from the certificate:

1) It can be caused by an extra space after the serial number.
2) In the certificate the hyphen is in Unicode format. You can't actually see a difference between ANSI and Unicode hyphens in the certificate, so the best way to avoid this error is to manually retype the hyphen or the entire serial number.
3) The HSN number must be uppercase and the PSN must be lowercase. In the case of manual activation the system ID is also lowercase.
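
The three causes above can be checked before pasting, as in this added example (not part of the product). It reports each Unicode dash look-alike and stray space it finds and applies the HSN/PSN case rule. The serial values used are constructed placeholders, not a real serial format, and removing whitespace anywhere in the string is an assumption.

```python
import unicodedata


def clean_serial(raw, kind):
    """Normalise a pasted serial number; kind is 'HSN' or 'PSN'.

    Returns (cleaned, notes), where notes lists every change that was made.
    """
    if kind not in ("HSN", "PSN"):
        raise ValueError("kind must be 'HSN' or 'PSN'")
    out, notes = [], []
    for pos, ch in enumerate(raw):
        category = unicodedata.category(ch)
        if ch != "-" and (category == "Pd" or ch == "\u2212"):
            # Dash look-alikes such as U+2010 HYPHEN, U+2011 NON-BREAKING
            # HYPHEN, U+2013 EN DASH and U+2212 MINUS SIGN.
            name = unicodedata.name(ch, "unnamed")
            notes.append(f"position {pos}: U+{ord(ch):04X} {name} replaced by '-'")
            out.append("-")
        elif ch.isspace() or category == "Cf":
            # Spaces, non-breaking spaces and invisible format characters.
            notes.append(f"position {pos}: removed U+{ord(ch):04X}")
        else:
            out.append(ch)
    cleaned = "".join(out)
    # Rule from the FAQ entry: HSN uppercase, PSN lowercase.
    cased = cleaned.upper() if kind == "HSN" else cleaned.lower()
    if cased != cleaned:
        wanted = "upper" if kind == "HSN" else "lower"
        notes.append(f"case changed to {wanted}case for {kind}")
    return cased, notes


if __name__ == "__main__":
    # Constructed placeholder as it might arrive from a copied certificate.
    pasted = "AB12\u2011cd34\u2013EF56 "
    serial, changes = clean_serial(pasted, "PSN")
    print(serial)
    for change in changes:
        print(" ", change)
```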

In v7.0, some things do not show on the activity page that did in v6.X - what shows there now?

1. BSN reject
- Counts to Rejects on Activity page: YES
- Shown on Activity page: NO
- Shown in Connection History: NO
- Shown in Mail History: NO

2. DNSBL reject
- Counts to Rejects on Activity page: NO
- Shown on Activity page: NO
- Shown in Connection History: YES
- Shown in Mail History: NO

3. SAP reject
- Counts to Rejects on Activity page: NO
- Shown on Activity page: NO
- Shown in Connection History: YES
- Shown in Mail History: NO

4. PBMF reject on envelope
- Counts to Rejects on Activity page: YES
- Shown on Activity page: NO
- Shown in Connection History: NO
- Shown in Mail History: YES

5. PBMF reject on header
- Counts to Rejects on Activity page: YES
- Shown on Activity page: YES
- Shown in Connection History: NO
- Shown in Mail History: YES

6. PBMF reject on body
- Counts to Rejects on Activity page: YES
- Shown on Activity page: YES
- Shown in Connection History: NO
- Shown in Mail History: YES

How big are the patches on MXtreme 6.0:

The following are the sizes of the current patches for MXtreme 6.0:
Update 6.0.3 - mx60_update_3.pf - 36.88 MB
Update 6.0.4 - mx60_update_4.pf - 10.74 MB
Update 6.5 - mx65.pf - 7.61 MB
Update 6.5.1 - mx65_update_1.pf - 10.92 MB

Messages are not moved to the Junk mail folder in Outlook non-cached mode.

When running in non-cached mode, Outlook 2003 can prevent server-side Junk mail filtering rules like MIPE from running. This behavior was introduced after installing Office 2003 SP1. Enabling cached mode fixes this.

http://support.microsoft.com/kb/842510

I'm using Active Directory 2003 and I've setup LDAP Relay according to the User guide but I get the following error: ALARM: LDAP lookup: : dict_ldap_real_lookup: Search error 1.

AD 2003 requires BIND.

How the search works:

1. MXtreme BINDS to the AD 2003 on port 389
2. The AD server acknowledges back
3. Sends the DN search
4. The AD server acknowledges back
5. User BIND (sAMAccountName)
6. The AD server acknowledges back
7. At this point you'll get the dict_ldap_real_lookup: Search error 1, because the BIND option is OFF.

Where to submit false positives/negatives missed by McAfee?

If you encounter an email that you think was wrongfully tagged by McAfee antivirus, please forward that email to virus_research@avertlabs.com.

Taken from FAQ http://www.mcafee.com/us/threat_center/outbreaks/faqs.html

If you think your computer, server, or network may be infected with a virus or Trojan or may have a new potentially unwanted program (PUP), you can submit a sample to us for analysis. If you would like to get information on a threat that is not listed in the Threat Information Library, you may send an e-mail inquiry to McAfee Avert Labs including a sample for analysis. If you think a harmless file has been detected as a virus, you can send a sample to our labs to determine whether it is a false positive or a virus. We will send you an automated reply stating that the sample is already detected; you will need to reply to this message to tell us that you believe it to be an incorrect identification.

Why isn't annotation applied to digitally signed emails?

This is expected since it would break the original digital signature. A digitally-signed email would have a header that looks like this:

Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
micalg=SHA1;

Common signing methods attach files like smime.p7s or smime.p7m.
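
A check for the markers described above, as an added example (not how the MXtreme implements it): it walks the MIME tree, so a signed message nested inside another message is also found. The sample messages are constructed. Treating `application/pkcs7-mime` parts and any `multipart/signed` protocol as reasons to leave the body alone goes beyond the single header shown here.

```python
from email import message_from_bytes, policy

PKCS7_TYPES = {
    "application/pkcs7-mime", "application/x-pkcs7-mime",
    "application/pkcs7-signature", "application/x-pkcs7-signature",
}
SMIME_FILENAMES = {"smime.p7s", "smime.p7m"}

# Constructed sample messages (placeholder addresses and signature bytes).
HEAD = (
    b"From: a@example.com\r\nTo: b@example.com\r\n"
    b"Subject: test\r\nMIME-Version: 1.0\r\n"
)
SIGNED_ENTITY = (
    b"Content-Type: multipart/signed;\r\n"
    b' protocol="application/x-pkcs7-signature";\r\n'
    b' micalg=SHA1; boundary="sig"\r\n'
    b"\r\n"
    b"--sig\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Quarterly figures attached.\r\n"
    b"--sig\r\n"
    b'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n'
    b'Content-Disposition: attachment; filename="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--sig--\r\n"
)
PLAIN = HEAD + b"Content-Type: text/plain\r\n\r\nhello\r\n"
SIGNED = HEAD + SIGNED_ENTITY
NESTED = (
    HEAD + b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
    b"--outer\r\nContent-Type: text/plain\r\n\r\nFYI\r\n"
    b"--outer\r\n" + SIGNED_ENTITY + b"--outer--\r\n"
)


def signature_indicators(raw):
    """List the reasons a message should not be modified; empty if none."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            found.append(f"multipart/signed protocol={part.get_param('protocol')}")
        elif ctype in PKCS7_TYPES:
            found.append(ctype)
        filename = part.get_filename()
        if filename and filename.lower() in SMIME_FILENAMES:
            found.append(f"attachment {filename}")
    return found


def may_annotate(raw):
    """True only when no signing or PKCS#7 marker is present anywhere."""
    return not signature_indicators(raw)


if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("signed", SIGNED), ("nested", NESTED)):
        print(label, may_annotate(raw), signature_indicators(raw))
```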

Why are Microsoft Office 2007 files being detected as ZIP files?

The files are being detected as ZIPs because Microsoft is using ZIP to compress the documents.

Here is a section about MS Office 2007 documents, taken from a Microsoft web site: http://msdn2.microsoft.com/en-us/library/aa338205.aspx

The Office XML Formats use ZIP and compression technologies to store documents. A significant benefit of the new formats is substantially smaller file sizes—up to 75 percent smaller than comparable binary documents. This is one of the advantages of using the combination of XML and the ZIP technologies for storing files. Because XML is a text–based format that compresses very well, and the ZIP container supports compressing the contents, users can obtain significant reductions in file size. This type of file compression offers potential cost savings because it reduces the disk space required to store files and decreases the bandwidth needed to transport files through e-mail, over networks, and across the Web.

To allow such documents through you would have to configure attachment control to allow ZIP files through MXtreme.
In version 6.5 the setting is located under: "Mail Delivery >Content Management>Attachment Control"
Note: if you are using policies, each policy should be modified as well.

You can also educate end users not to use the compress option in Office if they decide to send those documents out.
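
Why both .odt and Office 2007 attachments are reported as ZIP, and how the container can be told apart from an ordinary archive, shown as an added example (not the MXtreme's detection code). It relies on the `mimetype` member of OpenDocument packages and the `[Content_Types].xml` member of Office 2007 packages; the sample archives are built in memory and are constructed.

```python
import io
import zipfile

ODF_PREFIX = "application/vnd.oasis.opendocument."
OOXML_FOLDERS = {"word": "Word", "xl": "Excel", "ppt": "PowerPoint"}


def classify_attachment(data):
    """Return (kind, detail); kind is 'odf', 'ooxml', 'zip' or 'not-zip'."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ("not-zip", None)
    try:
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
            # OpenDocument: a small 'mimetype' member holds the media type.
            # The size cap avoids inflating an oversized member.
            if "mimetype" in names and zf.getinfo("mimetype").file_size <= 128:
                media_type = zf.read("mimetype").decode("ascii", "replace").strip()
                if media_type.startswith(ODF_PREFIX):
                    return ("odf", media_type)
            # Office 2007: '[Content_Types].xml' sits at the archive root.
            if "[Content_Types].xml" in names:
                for folder, app in OOXML_FOLDERS.items():
                    if any(name.startswith(folder + "/") for name in names):
                        return ("ooxml", app)
                return ("ooxml", None)
    except zipfile.BadZipFile:
        return ("not-zip", None)
    return ("zip", None)


def make_zip(members):
    """Build a small ZIP archive in memory for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: minimal stand-ins, not complete documents.
ODT = make_zip([
    ("mimetype", "application/vnd.oasis.opendocument.text"),
    ("content.xml", "<office:document-content/>"),
])
DOCX = make_zip([
    ("[Content_Types].xml", "<Types/>"),
    ("word/document.xml", "<w:document/>"),
])
PLAIN_ZIP = make_zip([("notes.txt", "hello")])

if __name__ == "__main__":
    for label, blob in (("odt", ODT), ("docx", DOCX), ("zip", PLAIN_ZIP)):
        print(label, blob[:2], classify_attachment(blob))
```

All three samples start with the same `PK` signature, which is why a scanner that looks only at the file signature reports each of them as a ZIP file.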

Why do my reports only show the top 25 senders when I have "All" selected in the report?

The number of entries that can be used in a report is restricted by the global 'Table length' setting.

If you need to see more entries in the top senders, or any report table, increase the global setting under Reports->Configure Reports to the desired maximum.

Where did the 'strict order' DNS option go in MX7.0?

In MX6.5, DNS servers could be used in order, or configured to use the fastest responding DNS server.

This has been replaced in MX7.0 with the option to disable DNS caching. When DNS caching is enabled, the fastest DNS server will be used. When DNS caching is disabled, the name servers will be queried in order just like the 'strict order' option in MX6.5

What information is updated through the security connection?

1. Updates from product management
2. STA database updates
3. Kaspersky Keys
4. Patches
5. License Expiry
6. Kaspersky update servers.

If BSN Domain Reputation is enabled, does it take longer to process a message?

No, it uses the same query when getting the sender's IP reputation.

How can I change some common LDAP settings in Notes?

Here is a good link to change things like anonymous bind, etc:

https://publib-b.boulder.ibm.com/help/help65_admin.nsf/f4b82fbb75e942a6852566ac0037f284/74c39d780aff98d785256dff004b1111?OpenDocument

Why are messages being rejected with 'loops back to myself' error?

This will occur if the hostname in the SMTP banner of the internal mail server matches the hostname of the MXtreme.

example:
- MXtreme hostname: mail.techsupport.com
- MTA/Mail Server Banner: mail.techsupport.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830

Do I have to mirror LDAP accounts as local users in order to utilize 'Reject on Unknown Recipient' smtp connection check?

No, mirroring is not required in order to utilize the 'Reject on Unknown Recipient' smtp connection check. Mirroring is only used for User Based Spam Quarantine.

How are dates obtained for User-Based Spam Quarantine expirations?

When a mail is quarantined a header is added that looks like:

X-Quarantine-Spam: 200702152038

corresponding to: Feb 15 2007 20:38

The date is compared to the current

What is PSN and HSN?

PSN: Product serial number. PSN refers to all license numbers that can be activated on the MXtreme: the MXtreme base license, Kaspersky antivirus, McAfee antivirus, Brightmail, HALO and Attachment Content Scanning.

HSN: Hardware serial number. This number can be found on a sticker at the back of your MXtreme; it will start with the letters S/N.