SMTP agent

Deployment and Installation Center | Data Security Solutions | Version 7.7.x

Applies to:

In this topic:

Data Security, v7.7.x

Operating system support

Required ports

Preparing a machine for the SMTP agent

Installing the SMTP agent

Testing the SMTP agent

The Websense Data Security SMTP agent is installed on a Data Security server or on another Windows server equipped with Microsoft Internet Information Services (IIS) v6.

It receives all outbound email from the mail server and forwards it to a Websense Data Security Policy Engine. The SMTP agent then receives the analyzed email back from the policy engine. Depending on the analysis, SMTP agent blocks the email or forwards it to the mail gateway. When installed on the Data Security Management server or supplemental Data Security server, the SMTP agent uses the local policy engine of those servers to analyze email, unless load balancing has been configured, in which case it uses the specified policy engine. The SMTP agent supports permit, block, and encrypt actions.

Websense recommends you use the SMTP agent whenever you want the ability to block SMTP traffic in a production environment. (If you need only monitor SMTP traffic, the protector may be a better choice for you.)

To use the SMTP agent, you need to configure your corporate email server to route email to it. (The agent becomes a MTA, accepting responsibility for delivery of mail.)

When the agent is installed on a Data Security server, the SMTP traffic is analyzed by the local policy engine. When it is installed as a stand-alone agent, email messages that are sent to the agent are sent to a Data Security server for analysis (whichever server the SMTP agent is registered with). You can configure Websense Data Security to block or quarantine flagged messages.

If an SMTP email transaction was blocked or quarantined, the administrator responsible for handling this incident can release this incident to those recipients originally blocked from receiving the content.

The SMTP agent is usually not the final server in the chain of custody before the email leaves the enterprise. Email is more frequently passed along to another MTA that provides additional processing (anti-virus scanning, for example).

If you have multiple mail servers, you can deploy multiple SMTP agents or you can have one SMTP agent and configure load balancing between the SMTP agent and the outgoing mail server. If this is not built into your SMTP server, you can use an external load balancer to achieve this.

Operating system support

The server must be running on the following operating system environments:

Windows Server 2003 (32-bit)

Standard or Enterprise R2

Standard or Enterprise R2 SP2

Windows Server 2003 (64-bit)

Standard or Enterprise R2

Required ports

The following ports must be kept open for the SMTP agent:


Outbound
To	Port	Purpose
Data Security Management Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Data Security Server	17500-17515*	Consecutive ports that allow communication with Websense agents and machines.
Next hop MTA	25**	SMTP for inbound/outbound traffic
* This range is necessary for load balancing. ** This is default. Other port can be configured.
Inbound
From	Port	Purpose
Previous MTA	25*	SMTP for inbound/outbound traffic
* This is default. Other port can be configured.

Preparing a machine for the SMTP agent

The following procedure describes how to prepare a Windows 2003 Server for the Data Security SMTP agent.

Install Microsoft IIS with SMTP.

In Windows control panel, select Add/Remove programs > Windows Components.

Select Application Server, and then click Details.

Select Internet Information Services (IIS), and then click Details.

Select SMTP Service, and then click Details.

Click OK 3 times to close the windows.

Click Next to configure and install the components.

Configure the SMTP Service.

In IIS Manager, right-click the Default SMTP Virtual Server and rename it to "Inbound".

Right-click the Inbound server and select Properties.

Select the Messages tab, and then deselect all message "Limits". (These should be enforced by the mail server.)

Select the Delivery tab, and then click Outbound Connections.

Set the TCP port to 10025 and click OK.

Click Advanced and set the Smart host to [127.0.0.1].

Add a new SMTP Virtual Server in IIS Manager.

Right-click the server name, select New > SMTP Virtual Server.

Using the resulting wizard, configure the following settings:

Name: Outbound
IP: 127.0.0.1
Port: 10025
Home Directory: C:\inetpub\outbound

Optional: If your next-hop MTA requires Transport Layer Security (TLS), you can enable and configure the options under Delivery > Outbound Security.

Installing the SMTP agent

If your IIS machine has a 32-bit operating system, download the Websense installer (WebsenseTRITON77Setup.exe) from mywebsense.com.

On 64-bit machines, download WebsenseDataSecurityAgents770-x64.msi instead.

Launch the installer.

Accept the license agreement.

Select Custom.

Click the Install link for Data Security.

On the Welcome screen, click Next to begin the installation.

In the Destination Folder screen, specify the folder into which to install the agent.

The default destination is C:\Program Files or Program Files (x86)\Websense\Data Security. If you have a larger drive, it is used instead. Large removable drives may be detected by the system as a local drive and used as the default. Do not install on removable media.


	Important The full installation path must use only ASCII characters. Do not use extended ASCII or double-byte characters.


	Note Regardless of what drive you specify, you must have a minimum of 0.5 GB of free disk space on the C: drive. This is because Data Security installs components into the Windows "inetpub" folder on C:.

On the Select Components screen, select SMTP agent and then Entire feature will be installed on local hard drive. If this is a stand-alone server, deselect all other options, including Data Security Server.

The Virtual SMTP Server screen appears.

In the Select Virtual Server list, select the IIS virtual SMTP server that should be bound to the SMTP agent. The SMTP agent will monitor traffic that goes through this virtual server. If there multiple SMTP servers listed, the SMTP agent should typically be bound to Inbound.

(See Preparing a machine for the SMTP agent for instructions on installing Microsoft IIS from Control Panel and configuring inbound and outbound SMTP Virtual Servers.)

10.

In the Server Access screen, select the IP address to identify this machine to other Websense components.

11.

In the Register with the Data Security Server screen specify the path and log on credentials for the Data Security server to which this agent will connect. This could be the TRITON management server or a secondary Data Security server.

FQDN is the fully-qualified domain name of a machine.

12.

In the Installation Confirmation screen, if all the information entered is correct, click the Install button to begin installation.

Installation may seem to take a long time. Unless a specific error or failure message appears, allow the installer to proceed.

If the following message appears, click Yes to continue the installation:

Data Security needs port 80 free.
In order to proceed with this installation, DSS will free up this port.
Click Yes to proceed OR click No to preserve your settings.

Clicking No cancels the installation.

A similar message for port 443 may appear. Click Yes to continue or No to cancel the installation.

13.

Once installation is complete, the Installation Complete screen appears to inform you that your installation is complete. Click Finish.

14.

Once installation is complete, the Installation Successful screen appears to inform you that your installation is complete.

Before cutting over the live mail flow, be sure to test relaying through all mail servers as described in Testing the SMTP agent. The easiest way to test your installation is using Outlook Express installed on the same machine as the SMTP agent.

For information on configuring the SMTP agent for your existing email infrastructure, see Using the SMTP agent.

Testing the SMTP agent

Test relay access from the mail server to the Data Security MTA:

Send a test message from the central mail server to the SMTP agent MTA through telnet:

From the mail server, open a command line and execute the following commands:

telnet [DSS MTA ip/hostname] 25
HELO me
MAIL FROM:[email_address@local.domain]
RCPT TO:[your_address@websense.com]
DATA
Subject: testing DSS MTA
.
quit

Once you type the period and press enter you should get a 250 Ok: message from the Data Security MTA. If you get any message other than 250 OK do a Google search for that SMTP message.

If you get a 250 OK, but do not receive your message in your corp address, continue to step 2.

Test relay access from Data Security MTA Inbound to Outbound:

Send a test message from the SMTP agent server to its own Inbound SMTP Virtual Server through telnet:

From the SMTP agent server, open a command line and execute the following commands:

telnet localhost 25
HELO me
MAIL FROM:[email_address@local.domain]
RCPT TO:[your_address@websense.com]
DATA
Subject: testing DSS MTA
.
quit

Once you type the period and press enter you should get a 250 Ok: message from the SMTP Virtual Server. If you get any message other than 250 OK do a Google search for that SMTP message. If you get a 250 OK, but do not receive your message in your corp address, check the Badmail/Queue directories for the inbound SMTP Virtual Server (C:\Inetpub\mailroot by default). If the folders are empty, continue to step 3.

Test relay access from Data Security MTA to its own Outbound server:

Send a test message from the SMTP Agent server to its own Outbound SMTP Virtual Server through telnet:

From the SMTP agent server, open a command line and execute the following commands:

telnet localhost 10025
HELO me
MAIL FROM:[email_address@local.domain]
RCPT TO:[your_address@websense.com]
DATA
Subject: testing DSS MTA
.
quit

Once you type the period and press enter you should get a 250 Ok: message from the SMTP Virtual Server. If you get any message other than 250 OK do a Google search for that SMTP message. If you get a 250 OK, but do not receive your message in your corp address, check the Badmail/Queue directories for the Outbound SMTP Virtual Server (C:\Inetpub\outbound by default). If the folders are empty, continue to step four.

Test relay access from Data Security MTA to the next hop MTA:

Send a test message from the SMTP Agent server to the next hop MTA through telnet:

From the SMTP agent server, open a command line and execute the following commands:

telnet [next hop MTA/smarthost IP/hostname] 25
HELO me
MAIL FROM:[email_address@local.domain]
RCPT TO:[your_address@websense.com]
DATA
Subject: testing DSS MTA
.
quit

Once you type the period and press enter you should get a 250 Ok: message from the next hop MTA. If you get any message other than 250 OK do a Google search for that SMTP message. If you get a 250 OK, but do not receive your message in your corp address, then there is some issue beyond the DSS MTA mail flow (i.e. delivery from next hop MTA to destination domain mail servers).