TREND MICRO™ Interscan Messaging Security Virtual Appliance

AMEA Partner case submission handbook



Document Version 1.1
Prepared by: Anecito Camelon II
Edited by: Wilson Salvador

Copyright © 2020 by Trend Micro Inc. All Rights Reserved.


Table of contents

Introduction .............................................................................................................. 4
Common Issues/Concerns ........................................................................................... 4
Mail Flow Concerns ................................................................................................ 4
Troubleshooting Tips ......................................................................................... 4
Cannot Receive Incoming Email ....................................................................... 4
Cannot Send Outgoing Email ........................................................................... 9
Delayed Emails ............................................................................................ 13
Email Queue is Increasing ............................................................................. 15
Error Codes ..................................................................................................... 19
Logs to collect .................................................................................................. 21
Console Usage Issues ........................................................................................... 22
Troubleshooting Tips ........................................................................................ 22
Cannot access web console ............................................................................ 22
Forgot admin password ................................................................................ 24
Web console changes does not save ............................................................... 25
Missing Logs ................................................................................................ 26
Logs to Collect ................................................................................................. 27
Policy Configuration ............................................................................................. 28
Troubleshooting Tips ........................................................................................ 28
Office 365 mails getting quarantined by Anti Spoofing ..................................... 28
Remove specific headers in email ................................................................... 29
Enabling SPF ............................................................................................... 30
Enabling DKIM ............................................................................................. 35
Enabling DMARC .......................................................................................... 36
Logs to collect .................................................................................................. 37
Upgrading ........................................................................................................... 38
Troubleshooting Tips ........................................................................................ 38
Things to consider ........................................................................................ 38
Things to avoid ............................................................................................ 38
Logs to collect .................................................................................................. 38
Vulnerabilities Detected ......................................................................................... 40
Troubleshooting Tips ........................................................................................ 40
Sweet 32 ..................................................................................................... 40
Weak Algorithm ........................................................................................... 42
Weak MAC Algorithm ................................................................................... 42
Weak Ciphers ............................................................................................... 43
CBC Cipher Mode Enabled ............................................................................. 43
New Vulnerability Detected by Vulnerability Assessment Tool ............................ 44
Logs To Collect ................................................................................................ 45
Undetected Spam / Threat ..................................................................................... 45
Index ...................................................................................................................... 46
How to Read Email Headers & Check for Time Delays? ............................................. 46
Checking File Ownership ....................................................................................... 48
Checking Database Connection .............................................................................. 48
Checking Disk Space ............................................................................................. 49
Changing File Ownership and Permission ................................................................ 49
IMSVA Sizing Guide .............................................................................................. 50

2 / 55
Common Networking Troubleshooting guide ........................................................... 50
Using Top Command ............................................................................................ 51
Checking IMSVA Performance History ..................................................................... 52
Installing Patch or Hotfix ....................................................................................... 53
Updating/Rollback Pattern ..................................................................................... 54
Log Collection ...................................................................................................... 54
IMSVA Official Documents ..................................................................................... 55
Contact Us ........................................................................................................... 55
Feedback ................................................................................................................. 55

Introduction

This guide helps partners and customers recognize the common issues on IMSVA and troubleshoot them. It
contains step-by-step procedures, IMSVA commands and useful tools.

Common Issues/Concerns

1. Mail Flow Concerns

Summary:

This section discusses mail flow concerns when sending and receiving emails through IMSVA.

o Incoming Email
o Outgoing Email
o Error Codes

Troubleshooting Tips

User(s) cannot receive Incoming Emails

Things to do

1. Check if it was working before or if this is a new deployment.

2. Go to Administration > IMSVA Configuration > SMTP Routing > Message Rule tab.

Review the Incoming Message settings.

3. Go to Administration > IMSVA Configuration > SMTP Routing > Message Rule tab > Message
Delivery settings.

Verify that your domain has been added to the list.

4. Check whether Sender Filtering is enabled and may be blocking sender IPs.

5. Check that network routing is configured correctly; review the network architecture.

6. Check if the firewall has a rule for SMTP network traffic on port 25.
7. Check if the firewall is allowing SMTP traffic to go through.
8. Check IMSVA logs in the Web Console > Logs > Log Query > Message Tracking.

9. Go to Logs > Log Query and from the drop-down menu select MTA Events.

10. Go to Logs > Log Query and from the drop-down menu select Message Tracking.

§ Change the timestamps to 00:00 and 24:00 to see the whole day of logs and check if there
are entries.
§ Click Display Log.

§ Verify that there are logs present in IMSVA. Click Quarantined.

§ Check if emails were quarantined. Look for the policy that was triggered.

§ If emails are showing SMTP errors, list the error messages and see the error codes page.

Important: if emails were sent successfully, this means the emails were released from IMSVA.
Investigate the next email hop.

What to do when there are no logs displayed?

1. Go to System Status and under Managed Services check if the scanner service is running.

2. Send a test email from the internal network to an external recipient (e.g. a Gmail account).

§ Wait for 5 minutes and check the mail tracking logs. Go to Logs > Log Query and from the drop-
down menu select Message Tracking. The test email should be displayed under Message
Tracking.

§ If there were errors, refer to the error code list.

§ If the mail was quarantined, check in the mail logs which policy was triggered to quarantine the
email.

§ If the email was delivered, check your mailbox.

NOTE: if none of the steps above work, please collect the original mail sample using the steps in Log Collection and
the CDT logs.

User(s) cannot send Outgoing Emails

Things to do

1. Check if it was working before or if this is a new deployment.

2. Go to Administration > IMSVA Configuration > SMTP Routing.
§ Under the Message Rule tab, check the Permitted Senders of Relayed Mail.

§ Under the Message Delivery tab, verify that your domain has been configured.

3. Check whether Sender Filtering is enabled and may be blocking sender IPs.

4. Check that network routing is configured correctly; review the network architecture.

5. Check if IMSVA can look up other domains using the configured DNS servers.

6. Check if there is a firewall rule for outgoing SMTP network traffic on port 25.
7. Check if the firewall is allowing SMTP traffic to go through.
8. Check IMSVA logs in the Web Console > Logs > Log Query > Message Tracking.

o Change the timestamps to 00:00 and 24:00 to see the whole day of logs and check if there are
entries.

o Click Display Log.

o Verify that there are logs displayed.

§ Check if emails were quarantined; look for the policy that was triggered.

§ Click Quarantined to view details.

§ If emails are showing SMTP errors, list the error messages and see the error codes page.

Important: if emails were sent successfully, this means the emails were released from IMSVA. Investigate the
next email hop.

What to do when there are no logs displayed?

1. Go to System Status and under Managed Services check if the scanner service is running.

2. Send a test email from the internal network to an external recipient (e.g. a Gmail account).

§ Wait for 5 minutes and check the mail tracking logs. Go to Logs > Log Query and from the drop-
down menu select Message Tracking. The test email should be displayed under Message
Tracking.

§ If there were errors, refer to the error code list.

§ If the mail was quarantined, check in the mail logs which policy was triggered to quarantine the
email.

§ If the email was delivered, check your mailbox.

NOTE: if none of the steps above work, please collect the original mail sample using the steps in Log Collection and
the CDT logs.

How to troubleshoot delayed Emails?

Things to do:

1. Review the email header. Email headers can be used to identify at which MTA the delay occurs;
see "How to check email headers using Outlook?".

2. Using the IMSVA Web Console, on the left menu go to Sender Filtering > Blocked List and check whether it is enabled
and may be blocking sender IPs (e.g. the internal Exchange server or an external sender IP address).

3. Check that network routing is configured correctly; review the network architecture, especially if there are loops in
the design.
4. Check if you are using load balancers.
5. Check if you are using a hybrid service such as Office 365 with IMSVA.
6. Check if there are intermediary devices between the internet and the IMSVA.
7. Check in the IMSVA logs when it received the mail and when it was delivered by the IMSVA to the next hop.
8. Using the IMSVA Web Console, on the left menu go to Logs > Log Query.

9. Using the drop-down menu select Message Tracking.

10. Search for the email.

11. Check if the email triggered a policy, was quarantined and was later released.

12. Check for DNS-related errors.

13. Using the IMSVA Web Console, on the left menu go to Administration > IMSVA Configuration >
Connections.

14. Select the NTP Settings tab.

§ Check if the time settings across all servers are correct.

§ You may use an NTP server to automatically synchronize the time.

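To make step 1 concrete, here is an added example (not from the handbook) that parses the Received headers of a constructed message, oldest hop first, and reports how long each MTA held the message before the next one accepted it; a negative gap is flagged as probable clock skew, which the NTP check in step 14 addresses. Hostnames and timestamps in the sample are invented.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the handbook): three Received headers,
# newest on top, as an MTA chain writes them. Folded lines start with a tab.
SAMPLE_MESSAGE = (
    "Received: from imsva.example.internal (imsva.example.internal [10.10.203.5])\n"
    "\tby mail.example.internal with ESMTP; Mon, 2 Mar 2020 10:05:40 +0800\n"
    "Received: from mx.sender.example (mx.sender.example [192.0.2.10])\n"
    "\tby imsva.example.internal with ESMTP; Mon, 2 Mar 2020 10:05:35 +0800\n"
    "Received: from client.sender.example ([192.0.2.20])\n"
    "\tby mx.sender.example with ESMTPSA; Mon, 2 Mar 2020 09:50:35 +0800\n"
    "From: alice@sender.example\n"
    "To: bob@example.internal\n"
    "Subject: delay test\n"
    "\n"
    "body\n"
)

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Return (from_host, by_host, timestamp) for one Received header value.
    Hosts default to '?' when absent; timestamp is None if the trailing
    date (after the last ';') is missing or unparsable."""
    flat = " ".join(value.split())  # unfold the header
    from_m = FROM_RE.search(flat)
    by_m = BY_RE.search(flat)
    stamp = None
    if ";" in flat:
        try:
            stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None
    return (from_m.group(1) if from_m else "?",
            by_m.group(1) if by_m else "?",
            stamp)


def hop_delays(raw_message):
    """Walk the Received chain oldest-first and compute, per hop, the seconds
    between the previous MTA accepting the message and this one accepting it.
    That gap is time spent in, or waiting on, the 'from' host of the hop.
    Hops without a parsable date are skipped."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in reversed(hops) if h[2] is not None]  # oldest first
    result = []
    prev_time = None
    for from_host, by_host, stamp in hops:
        delay = 0 if prev_time is None else int((stamp - prev_time).total_seconds())
        result.append({
            "from": from_host,
            "by": by_host,
            "delay_s": delay,
            # A negative gap cannot be real transit time: it points at clock
            # skew between the two MTAs rather than at a slow hop.
            "clock_skew": delay < 0,
        })
        prev_time = stamp
    return result


def slowest_hop(raw_message):
    """Return the hop with the largest positive delay, or None."""
    hops = [h for h in hop_delays(raw_message) if h["delay_s"] > 0]
    return max(hops, key=lambda h: h["delay_s"]) if hops else None


if __name__ == "__main__":
    for hop in hop_delays(SAMPLE_MESSAGE):
        print(f"{hop['from']:28} -> {hop['by']:28} {hop['delay_s']:6d}s"
              + ("  (clock skew?)" if hop["clock_skew"] else ""))
```

In the sample the 900-second gap sits on the hop where imsva.example.internal received from mx.sender.example, so the sender's MTA, not IMSVA, held the message.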
How to troubleshoot IMSVA when the email queue is increasing?

Things to do:

1. Log in to the IMSVA console and go to Dashboard.

2. Under the System Overview tab, identify which queue is increasing in count.

3. Verify if services are running.

a) Log in as root in the IMSVA CLI console.

b) Type "imssctl.sh status" to check if imssd is running or stopped.

Note: proceed to step 4 if imssd is running.

c) Restart the IMSVA service with the command imssctl.sh restart.

d) Verify the expected results after running the command.

4. Check if there is still system disk space available, using the "df -h" command.

Note: usage percentage should not be near 90%, especially if the server is heavily used.
Sizing may vary depending on how the VM was configured during deployment.

5. Check IMSVA logs in the Web Console > Logs > Log Query > Message Tracking.

o Change the timestamps to 00:00 and 24:00 to see the whole day of logs.
o Click Display Log and check if there are entries.

o Check if there are deferred mails. Take note of the sender and recipient email addresses.

o Using the IMSVA Web Console, on the left menu go to Logs > Log Query.
o Using the drop-down menu select MTA Events. Use the sender/recipient details to search for
the email in the MTA Events.

If there were errors, refer to the error code list or search online for the meaning of the error.

6. Check the next email hop/MTA or intermediary device (if any). It is possible that the next hop to the recipient
is the culprit. You can refer to the error messages you see in the step above.

NOTE: if none of the steps above work, please collect the original mail sample using the steps in Log Collection and
the CDT logs, and contact Trend Micro Support.

SMTP response status codes

This is a list of Simple Mail Transfer Protocol (SMTP) response status codes. Status codes are issued by a
server in response to a client's request made to the server.

· 2xx - Good reply codes

· 3xx - Needs more input reply codes

As per the response, the server is expecting more data; the data phase is finished by sending Enter, "." and Enter. Once
data transmission has ended, a good response code is provided.

· 4xx - Temporary block reply codes

4xx error codes show up due to possible email throttling, lack of hardware space, or an email quota being reached.
Emails affected by these are usually retried, unless specified otherwise by the server that provided the response.
These are the usual culprits of email delays.

· 5xx - Permanent block reply codes

5xx error codes show up due to configuration blocking; the email will not be retried and is automatically blocked.

In this instance, the mail server is expecting an RCPT TO command.
The sender issued invalid input and got a "500 Error: Bad Syntax" result.

Usual error codes from public domains

1. Sample 4xx error messages from Yahoo. See the Yahoo article for more info.

421 SMTP error codes

o 421 4.7.0 [TS01] Messages from x.x.x.x temporarily deferred due to user complaints - 4.16.55.1
o 421 4.7.0 [TS02] Messages from x.x.x.x ... deferred due to excessive user complaints - 4.16.56.1
o 421 4.7.1 [TS03] All messages from x.x.x.x permanently deferred
o 421 Message temporarily deferred - [numeric code]
o 421 Resources temporarily unavailable. Please try again later

451 SMTP error codes

o 451 Resources temporarily not available - Please try again later [#4.16.5]
o 451 VS1-IP Excessive unknown recipients - (#4.1.8)
o 451 VS1-MF Excessive unknown recipients - possible Open Relay (#4.4.5)

2. Sample 5xx error messages from Yahoo. See the Yahoo article for more info.

553 SMTP error codes

o 553 5.7.1 [BLXX] Connections not accepted from IP addresses on Spamhaus [XXX]
o 553 VS99-IP1 deferred
o 553 Mail from x.x.x.x not allowed - [numeric code]

554 SMTP error codes

o 554 5.7.1 [MW01] Message content not accepted for policy reasons
o 554 5.7.5 (AU01) Message not accepted for policy reasons
o 554 5.7.9: Message not accepted for policy reasons
o 554 delivery error: dd This user doesn't have a yahoo.com account ({recipients'userid}@yahoo.com)
o 554 Message not allowed - [numeric code]

3. Gmail response code guidelines.

SMTP error reference

You may encounter the following error messages when using G Suite email services. These messages
are helpful tools for diagnosing and troubleshooting email problems.

Gmail appends one or both of the following identifiers to all error messages to show you the source of the
error:

· gsmtp (Google SMTP) is added to all errors.
· gcdp (G Suite Custom Domain Policies) is added to errors resulting from customized
rules created by the G Suite administrator.

For example, "550 5.7.1 This message violates example.com email policy. - gcdp <sessionid> - gsmtp"
indicates that the error is a result of a custom rule created by the G Suite administrator.

See the Gmail article for more info.
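As an added example (not part of the handbook), the classifier below applies the 2xx/3xx/4xx/5xx rules and the Gmail gsmtp/gcdp markers from this section to MTA event lines, and also pulls out the enhanced status code (the x.y.z value, whether it follows the code or is tucked into Yahoo's trailing brackets). The sample lines are constructed after the formats quoted above; SESSIONID is a placeholder.

```python
import re
from collections import Counter

# Constructed sample MTA responses. The Yahoo and Gmail lines follow the
# formats quoted in this section; SESSIONID stands in for a real session id.
SAMPLE_RESPONSES = [
    "250 2.0.0 Ok: queued as 4C1B2D3E4F",
    "354 End data with <CR><LF>.<CR><LF>",
    "421 4.7.0 [TS03] All messages from 192.0.2.10 permanently deferred",
    "451 VS1-MF Excessive unknown recipients - possible Open Relay (#4.4.5)",
    "553 5.7.1 [BLXX] Connections not accepted from IP addresses on Spamhaus [XXX]",
    "550 5.7.1 This message violates example.com email policy. - gcdp SESSIONID - gsmtp",
    "554 5.7.1 [MW01] Message content not accepted for policy reasons",
]

CLASSES = {"2": "success", "3": "more input", "4": "temporary failure",
           "5": "permanent failure"}

# Subject values of enhanced status codes (RFC 3463): the middle number of x.y.z.
SUBJECTS = {1: "addressing", 2: "mailbox", 3: "mail system",
            4: "network and routing", 5: "mail delivery protocol",
            6: "message content or media", 7: "security or policy"}

# "421 4.7.0 text" or "421-4.7.0 text" (multi-line form); the enhanced code is optional.
RESPONSE_RE = re.compile(
    r"^\s*(?P<code>[2-5]\d\d)(?:[ -](?P<esc>[2-5]\.\d{1,3}\.\d{1,3}))?\s*(?P<text>.*)$")
# Yahoo also places the enhanced code in brackets or parentheses at the end.
TRAILING_ESC_RE = re.compile(r"[#(\[]\s*#?([2-5]\.\d{1,3}\.\d{1,3})")


def classify(response):
    """Break one SMTP response line into code, enhanced status code, class and
    the Gmail markers this section describes. Raises ValueError on junk."""
    m = RESPONSE_RE.match(response)
    if not m:
        raise ValueError(f"not an SMTP response: {response!r}")
    code, text = m.group("code"), m.group("text")
    esc = m.group("esc")
    if esc is None:
        tail = TRAILING_ESC_RE.search(text)
        esc = tail.group(1) if tail else None
    markers = set(re.findall(r"\b(gsmtp|gcdp)\b", text))
    return {
        "code": int(code),
        "class": CLASSES[code[0]],
        "enhanced": esc,
        "subject": SUBJECTS.get(int(esc.split(".")[1])) if esc else None,
        # 4xx is retried by the sending MTA, 5xx is final; neither is delivered.
        "retry": code[0] == "4",
        "delivered": code[0] == "2",
        "gmail": "gsmtp" in markers,
        "gsuite_custom_policy": "gcdp" in markers,
        "text": text,
    }


def summarize(responses):
    """Count responses per class so a batch of MTA event lines can be triaged:
    many 'temporary failure' entries point at throttling or quota problems
    (delays), 'permanent failure' entries at policy or configuration blocks."""
    return Counter(classify(r)["class"] for r in responses)


if __name__ == "__main__":
    for line in SAMPLE_RESPONSES:
        info = classify(line)
        print(f"{info['code']} {info['class']:18} esc={info['enhanced']!s:8} "
              f"subject={info['subject']!s:24} retry={info['retry']}")
    print(dict(summarize(SAMPLE_RESPONSES)))
```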

Logs and information to collect

Important: Provide the results of the troubleshooting tips.

Provide the following information:

1. Is the server newly installed?

2. When did the issue occur? Was it working before?
3. Is there a particular incident that may have happened before the issue occurred?
4. Are you sending bulk emails? When was the last time you sent bulk mails?
5. What changes were made before the issue happened?
6. Provide the sender, recipient and timestamp of the affected mail.

Collect the mail sample and the Case Diagnostic Tool (CDT) logs.

2. Web UI related issues

Summary:

This section discusses common issues with the IMSVA Web UI.

· Cannot access Web/CLI console

· Forgot admin password
· Configuration changes do not save
· Missing logs in web console

Troubleshooting Tips

Admin console is not accessible

Things to do:

1. Check if the hardware has power and is turned on.

2. Check if the hardware has network connectivity.
3. Check the image status in VMware/Hyper-V.
4. Check if the image is running and at the login prompt.
5. Check that the IP address shown in Hyper-V is the same as the IP address accessed in the browser from the machine.
6. Check if you can communicate with the IMSVA server from the machine being used, using the checks
below.

§ Check if the IMSVA server responds to ping.

§ Check if the IMSVA server responds to telnet on ports 8445, 25 and 22.

Note: if the server does not respond, check for a possible network issue.

§ Verify if you can connect to IMSVA using SSH.

§ Log in as root using PuTTY through port 22/SSH.
§ Once logged in, check if the IMSVA Manager is running by typing the command below:
# imssctl.sh status

§ Look for imssmgr and verify that it is running.

If services are not running, restart the services using the command below:
# imssctl.sh restart

§ Check the expected result.

§ Run imssctl.sh status to verify that the service is running.

§ Verify if you can access the console.

7. Try power cycling the IMSVA through the VMware/Hyper-V Manager.

NOTE: if none of the steps above work, please collect the original mail sample using the steps in Log Collection and
the CDT logs, and contact Trend Micro Support.

How to reset a password?

Things to do:

Root Password:

1. Boot the system from the IMSVA installation CD (insert the image in the virtual machine CD drive).
2. Choose "2. RUN SYSTEM RECOVERY".
3. Use the "chroot /mnt/sysimage" command to change root to the mounted HDD root partition.
4. Use the passwd command to change the root password.

Admin Password:

To reset the web admin console password, see KB 1055325.

Enable Password:

To recover the enable account password:

1. Connect to the IMSVA and log in as "root".

2. Enter the CLI by typing the "clish" command.
3. Enter enable mode without a password by simply typing "enable".
4. Then use the CLI command "configure system password enable" to reset the enable account password.

Troubleshooting being unable to save configuration using the web UI

Things to do:

1. Check if other pages are affected.

2. List all pages that you notice are affected.
3. Restart the IMSVA services using the commands below.

a) Log in as root in the IMSVA CLI console.

b) Run imssctl.sh restart.

c) Check the expected result.

d) Run imssctl.sh status to confirm the service is running.

4. If the service failed to start, schedule a maintenance window and do a server reboot.

NOTE: if none of the steps above work, please collect the original mail sample using the steps in Log Collection and
the CDT logs, and contact Trend Micro Support.

Troubleshooting "no/missing logs" or only "deferred logs" showing under IMSVA
message tracking

1. Log in to the IMSVA Linux shell as root. Stop the Message Tracking process using the command below:

[root@imsva ~]# S99MSGTRACING stop

2. Back up and remove the broken bookmark file using the following command:

[root@imsva ~]# mv /opt/trend/imss/MsgTracing/ScanLogBookmark.txt /tmp/ScanLogBookmark.txt.old

3. Start the Message Tracking process using the following command:

[root@imsva ~]# S99MSGTRACING start

4. Wait more than 10 minutes and check again.

If the issue still exists, please collect the following from the IMSVA server:

§ /tmp/ScanLogBookmark.txt.old
§ /opt/trend/imss/MsgTracing/ScanLogBookmark.txt
§ CDT logs.

NOTE: if none of the steps above work, please collect the original mail sample using the steps in Collect IMSVA
Logs (see KB1113629) and the CDT logs, and contact Trend Micro Support.

Logs and information to collect

Troubleshooting being unable to save configuration using the web UI

Important: Provide the results of the troubleshooting tips.

Provide the following information:

1. Was the server a fresh install or was it working before?

2. What changes were made prior to the issue happening?

Debug the IMSVA admin UI

1. Log in to IMSVA as root.

2. Edit log4j.properties with the command below:

# vi /opt/trend/imss/UI/adminUI/ROOT/WEB-INF/classes/log4j.properties

3. Change debug=ERROR to debug=DEBUG.

4. Restart the admin UI: S99ADMINUI restart.
5. Replicate the issue.

Collect IMSVA logs; see KB1113629.

Troubleshooting "no/missing logs" or only "deferred logs" showing under IMSVA message tracking

Important: Provide the results of the troubleshooting tips.

Provide the following information:

1. Can you see any logs in the server? Please provide a screenshot of your mail tracking logs and
MTA events.
2. Were there any changes made to this server prior to you noticing the issue?

Collect the following files from the server:

o /tmp/ScanLogBookmark.txt.old
o /opt/trend/imss/MsgTracing/ScanLogBookmark.txt

Collect IMSVA logs; see KB1113629.

3. Policy Configuration

Summary:

This section discusses common issues related to policy configuration.

Troubleshooting Tips

Office 365 mails getting quarantined by Anti-Spoofing

Disclaimer: Office 365 / Microsoft Office 2016 Hybrid is not the best fit for IMSVA. You should consider switching to
a better suited product, which is Trend Micro Email Security (TM EMS) and Trend Micro Cloud App Security (TM
CAS).

Cannot receive emails from Office 365 internal accounts when the Anti-Spoofing feature is enabled

· Anti-Spoofing checks all the IP hops in the mail transaction, as an "internal mail" should have all IPs
registered in the trusted list. In this instance you cannot list all Office 365 IPs, thus triggering the said
rule for internal Office 365 mails coming from the internet. To fix this you can follow the KB article
below:
https://success.trendmicro.com/solution/1118975

How to remove specific headers in email?

Disclaimer: Doing the steps below can cause damage to mail integrity. It may also prevent
further troubleshooting from being done on the email samples that you provide. Please consider this
before applying the said steps.

To hide private IP addresses:

1. Go to /opt/trend/imss/postfix/etc/postfix.
2. Create a backup of the main.cf file by running the following command: cp main.cf main.cf.bak
3. Create a new header_check file.
o Run the following commands:
# touch header_check
# vi header_check
o Insert one of the following regular expressions:

To remove all "Received" headers:

# Header Checks File

/^Received:* / IGNORE

Note: Put a tab between "/" and "IGNORE".

To remove only the "Received" header that contains the IP address of the Exchange server,
include the IP address:

# Header Checks File

/^Received:.+10\.10\.203\.65* / IGNORE

where 10.10.203.65 is the IP address of the Exchange server.

4. Open the main.cf file and add the following line below header_check:
§ header_checks = regexp:/opt/trend/imss/postfix/etc/postfix/header_check

5. Save the changes and close the file.

6. Run the following commands to stop and start Postfix:

# postfix stop
# postfix start

How to enable SPF?

DISCLAIMER: Do not enable this feature without first understanding its purpose. You can
read more in the RFC article provided below. Enabling this feature without gathering and
understanding your mail traffic statistics could lead to missing mails, rejected mails and, worse,
no mail flow.

Please read and understand RFC7208 first before proceeding.

Introduction
SPF (Sender Policy Framework) is an open standard which provides solutions to resist sender address
forgery. Organizations who want to adopt SPF are required to publish DNS records for the hosts that are
used in "MAIL FROM" and "HELO" identities, so that recipients can identify whether a host is authorized to
send email messages for the domain by querying these records. The complete specifications of SPF are
documented in RFC 4408. For a simple introduction, visit http://www.openspf.org/Introduction.
This document guides you on how to integrate SPF checking for IMSVA 9.0. This solution makes use of
the Postfix SMTP access policy delegation mechanism. A script is used to do the SPF checking and
report specific actions to Postfix; Postfix then takes the appropriate action. For further details, visit
http://www.postfix.org/SMTPD_POLICY_README.html.

1. Enable/Disable

To Enable SPF

1. Modify your Postfix settings to inject SPF checking into the Postfix email message flow. Postfix has
two main configuration files: master.cf and main.cf. The master.cf configuration file defines how a
client program connects to a service, and what daemon program runs when a service is requested.
The Postfix main.cf configuration file specifies a subset of all the parameters that control the
operation of the Postfix mail system.

In /opt/trend/imss/postfix/etc/postfix/master.cf, remove the comments for the following so that the
SPF script will be launched by Postfix when needed.

In /opt/trend/imss/postfix/etc/postfix/main.cf, remove the comments for
"smtpd_sender_restrictions" to let Postfix perform an SPF check after receiving a "MAIL FROM"
command.

---------------------------------------------------------------
smtpd_sender_restrictions =
check_policy_service unix:private/SPFPolicyd
---------------------------------------------------------------

NOTE: IMSVA 9.0 already specifies one check_policy_service entry on smtpd_sender_restrictions by default,
so just add the SPF entry after it, as follows.

---------------------------------------------------------------
smtpd_sender_restrictions =
check_policy_service inet:127.0.0.1:999, check_policy_service unix:private/SPFPolicyd
---------------------------------------------------------------

By default, Postfix stops the SPF check process after 1000 seconds. This is too short for a policy
daemon that may need to run for as long as the SMTP server process that talks to it. To extend the
time for the SPF check process, remove the comments for the following in main.cf.

SPFPolicyd_time_limit = 3600

2. Restart the Postfix service to make all the modifications take effect, using the following command:

# postfix restart

The logs of the SPF check script are written to /var/log/maillog, with a leading "SPFPolicyd" in front
of each line in the log.

To verify that SPF checking works, send an email message that can pass an IMSVA scan. If the
message contains "Received-SPF" in the header, the SPF check script is working correctly.

To Disable SPF

To disable SPF checking, comment out the entries added in the previous section in master.cf
and main.cf. Then restart the Postfix service.

2. Configuration
The file config.ini, under the same folder as the script, is the main configuration file. The format for the file
is as follows:

2.2. Basic Configuration

The table below describes the detailed use of all keys in config.ini.

NOTE: Possible values are separated by pipes "|". Underlined values are default values. For parameters
that can have multiple values, use a comma or space to separate them. For example: example.com,
example2.com.

Section: globals

block_res
  Value: <text> | 550 Service unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.
  Description: The SMTP response code if email messages are blocked. Both the response code "550" and the message can be customized. The response code can be any valid 3 digits starting with 5. Do not forget the blank space between the response code and the message.

check_helo
  Value: yes | no
  Description: Specifies if the HELO/EHLO identity needs an SPF check. The HELO/EHLO identity will be checked if the MAIL FROM identity is empty or invalid.

enforce_domain
  Value: <comma or space separated list of domains>
  Description: Specifies an enforcement list of domains. Email messages from these domains will have the actions defined in the "enforce_actions" section applied to them. You can add domains that are frequently forged by spammers and apply stricter actions, to better protect your mail system.

enforce_ip
  Value: <comma or space separated list of IPs>
  Description: Specifies an enforcement list of IP addresses. The usage is similar to "enforce_domain". Currently only IPv4 is supported. You can use the specific format <x.x.x.x> to exactly match an IP address, or the subnet mask pattern <x.x.x.x>/<subnet mask length> to match a range of IP addresses.

log_level
  Value: 0 | 1 | 2 | 3 | 4
  Description: Defines the log level. There are 5 log levels.
    0: no log > no log will be generated.
    1: normal > provides basic information for administration and maintenance.
    2: detailed > detailed information, including original SPF check results.
    3: diagnostic > all information of level 1 and 2 logs, plus configurations in use.
    4: debug > most detailed, only recommended when troubleshooting.

pass, neutral, softfail, fail, none, temperror, permerror
  Value: bypass | tempblock | block (one parameter per SPF result)
  Description: SPF queries can return 7 kinds of results: pass, neutral, softfail, fail, none, temperror and permerror. The parameters with the same names define the corresponding actions. The available actions are bypass, tempblock and block.
    Bypass: means the SPF check is not performed.
    Tempblock: returns a 4XX SMTP response to temporarily block the mail.
    Block: returns a 5XX response to block the mail.
  Meaning of each result:
    Pass: the host is allowed to send messages for this domain.
    Neutral: the validity of this host is not specified.
    Softfail: the host is not allowed to send messages but is in transition.
    Fail: the host is not allowed to send messages.
    None: the domain does not have an SPF record or the SPF record does not have a result.
    Temperror: a temporary error has occurred, for example network connection lost.
    Permerror: a permanent error has occurred, for example SPF record in invalid format.

prepend_header
  Value: yes | no
  Description: Specifies whether to insert a "Received-SPF" header in your messages. Trend Micro recommends adding this header for further administration or analysis of messages.

tempblock_res
  Value: <text> | 451 Service temporarily unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.
  Description: The SMTP response code if temporarily blocking the messages. Both the response code "451" and the message can be customized. The response code can be any valid 3 digits starting with 4. Do not forget the blank space between the response code and the message.

white_domain
  Value: <comma or space separated list of domains>
  Description: Specifies an approved list of domains. Messages from these domains will bypass the SPF check. You can add trusted domains to this list.

white_ip
  Value: <comma or space separated list of IPs> | 127.0.0.1
  Description: Specifies an approved list of IP addresses. Messages from these addresses will bypass the SPF check. You can add trusted IP addresses to this list.

Section: enforce_actions

  Parameters under the "enforce_actions"
section define the actions for domains
bypass | tempblock |
pass and IP addresses in the enforcement list.
block
Follow s the same behavior as global
actions.
bypass | tempblock |
neutral Same as above.
block
bypass | tempblock |
softfail Same as above.
block
bypass | tempblock |
fail Same as above.
block
bypass | tempblock |
none Same as above.
block
bypass | tempblock |
temperror Same as above.
block
bypass | tempblock |
permerror Same as above.
block

2.2. Configure Domain-Specific Actions

Sometimes you may want to apply specific actions to some domains. For example, the domain
example.com has a published SPF record and never sends messages using hosts not in the SPF record.
So you want to block messages if they do not come from the hosts in the SPF record. You can add a
section in config.ini to block those messages.

[<domain>.com]
none=block
Now if the SPF query result is none, the message will be blocked. Actions for other query results are kept
the same as the global actions. You can also override actions for other query results if needed.

Wildcards are supported. For example, you can use “*.example.com” to define actions for example.com
and all its sub-domains. The SPF check automatically searches for the best matched domains. If the
sender is “[email protected]”, the SPF check will first look for “[example.com]”, if this section
does not exist, it will look for “[*.example.com]” next.

The priority of this section is lower than the approved list and the enforcement list.

Note: Ignore procedure 2.3 if you are not using Cloud Pre-Filter.

2.3. Using SPF with Cloud Pre-Filter

If you are using Cloud Pre-Filter, a little more configuration is needed. Cloud Pre-Filter actually works as a
proxy, so messages passed from Cloud Pre-Filter may not pass an SPF check. You have to add the IP
addresses of Cloud Pre-Filter to the approved list. If you enabled Cloud Pre-Filter, open the file
“/opt/trend/imss/postfix/etc/postfix/NRSAllowAccessList”, and add the IP addresses in this file to
“white_ip”, so messages from Cloud Pre-Filter will not be subjected to an SPF check. There may be many
IP addresses for Cloud Pre-Filter, so you can make use of the subnet format (<IP address>/<subnet mask
length>) to save time.
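The parameter table, the domain-specific sections of 2.2 and the approved list of 2.3 together describe how one SPF result is turned into an action. The following Python is an added example, not IMSVA's own code, that resolves that mapping over a constructed config.ini; it assumes the approved list is consulted before the enforcement list (the handbook only states that domain-specific sections rank below both), and every domain, IP and action value in it is constructed for illustration.

```python
import configparser
import ipaddress
import re

# Constructed config.ini in the shape of the parameter table above (values are illustrative, not IMSVA defaults).
SAMPLE_CONFIG = """
[globals]
block_res = 550 Service unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.
tempblock_res = 451 Service temporarily unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.
enforce_domain = oftenforged.example
enforce_ip = 203.0.113.0/24
white_domain = partner.example
white_ip = 127.0.0.1, 198.51.100.0/26
fail = tempblock
none = bypass

[enforce_actions]
fail = block
none = block

[example.com]
none = block

[*.example.com]
fail = block
"""

def load_config(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def split_list(value):
    # List parameters accept comma- or space-separated values.
    return value.replace(",", " ").split()

def ip_in_list(ip, entries):
    # Matches an exact x.x.x.x entry or an x.x.x.x/<length> subnet entry (IPv4 only, as the table states).
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in entries)

def domain_section(cp, domain):
    # Best match as described in 2.2: [domain] first, then [*.domain], then the wildcard of each parent domain.
    labels = domain.split(".")
    candidates = [domain] + ["*." + ".".join(labels[i:]) for i in range(len(labels) - 1)]
    return next((c for c in candidates if cp.has_section(c)), None)

def valid_response(text, first_digit):
    # block_res needs a 5xx code and tempblock_res a 4xx code, then one blank space, then the message text.
    return re.fullmatch(rf"{first_digit}\d\d .+", text) is not None

def decide(cp, sender_domain, client_ip, spf_result):
    # Returns (action, smtp_response); smtp_response is None when the message is not blocked.
    # Assumed precedence: approved list, then enforcement list, then domain-specific section, then [globals].
    g = cp["globals"]
    if sender_domain in split_list(g.get("white_domain", "")) or ip_in_list(client_ip, split_list(g.get("white_ip", ""))):
        return "bypass", None
    action = g.get(spf_result, "bypass")  # results not named in the config fall back to bypass (assumption)
    if sender_domain in split_list(g.get("enforce_domain", "")) or ip_in_list(client_ip, split_list(g.get("enforce_ip", ""))):
        action = cp["enforce_actions"].get(spf_result, action)
    else:
        section = domain_section(cp, sender_domain)
        if section is not None and cp.has_option(section, spf_result):
            action = cp.get(section, spf_result)
    if action == "block":
        return action, g["block_res"]
    if action == "tempblock":
        return action, g["tempblock_res"]
    return action, None

CONFIG = load_config(SAMPLE_CONFIG)
```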

How to publish SPF record to your DNS?

Note: The procedure for adding an SPF record to your public DNS differs depending on the ISP or provider that manages your public DNS records.

Sample format
v=spf1 ip4:IP_OF_YOUR_OUTGOING_MTA

Other references:
https://ph.godaddy.com/help/add-an-spf-record-19218
http://www.openspf.org/SPF_Record_Syntax

How to enable DKIM?

DISCLAIMER: Do not enable this feature without first understanding its purpose. You can read more in the RFC provided below. Enabling this feature without gathering and understanding your mail traffic statistics could lead to missing mails, rejected mails, or worse, no mail flow.

Please read and understand RFC6376 before proceeding with the steps below.

Adding a DKIM Signature Procedure

1. Go to Administration → IMSVA Configuration → DKIM Signature.

The DKIM Signature screen appears.

2. Click Enable DKIM signature and select one or multiple headers to sign.

Note
The From header is selected by default. To add more message headers for selection, click
Customize.
3. Click Add.

The Add DKIM Signature screen appears.

4. Specify the general settings.

o Domain: Specify the domain where email messages are sent, for example, example.com.

o SDID: Specify the signing domain identifier, for example, example.com.

o Selector: Specify the selector to subdivide key namespace or retain the default value.

o Private key: Upload a private key or request IMSVA to create a private key. If you want to
generate a private key, select the key length before generation.

5. (Optional) Specify the advanced settings.

o Header canonicalization: Select Simple or Relaxed.

o Body canonicalization: Select Simple or Relaxed.

Note
Two canonicalization algorithms are defined for each of the email header and the
email body: a "simple" algorithm that tolerates almost no modification and a
"relaxed" algorithm that tolerates common modifications such as whitespace
replacement and header field line rewrapping.
o Enable signature expiration: If you select this option, set the number of days that the signature
will be valid.

o Enable body length: If you select this option, set the number of bytes allowed for the email
body.

o AUID: Specify the Agent or User Identifier on behalf of which SDID is taking responsibility.

o Exempt domain: Specify one or multiple domains to be excluded from DKIM signing.

6. Click Save.

How to enable DMARC?

DISCLAIMER: Do not enable this feature without first understanding its purpose. You can read more in the RFC provided below. Enabling this feature without gathering and understanding your mail traffic statistics could lead to missing mails, rejected mails, or worse, no mail flow.

Please read and understand RFC7489 before proceeding with the steps below.

Specifying DMARC Settings


IMSVA authenticates email messages of the specified domain and allows administrators to take actions on
messages that fail to pass DMARC authentication. If DMARC authentication passes, the messages will be
delivered normally. If DMARC authentication fails, the messages will be quarantined, rejected or delivered
according to the DMARC settings.

Procedure

1. Go to Sender Filtering → DMARC.

The Domain-based Message Authentication, Reporting & Conformance (DMARC) screen appears.

2. Select Enable DMARC.

3. Optionally select Insert an X-Header into email messages.

X-Header is added to indicate whether DMARC authentication is successful or not.

4. Optionally select Deliver daily reports to senders for authentication failures.

If you select this option, aggregated reports will be generated daily for authentication failures and sent
back to email senders.

5. Type a domain name for the DMARC verification list and click Add.

You can import, export and delete DMARC verification list records. Make sure the import file is a text
file containing one record per line.

6. (Optional) Type an IP address for the DMARC exception list and click Add.

You can import, export and delete DMARC exception list records. Make sure the import file is a text
file containing one record per line.

7. Under Actions, specify actions to take on messages that fail DMARC authentication.

A DMARC tag instructs recipients how to handle email messages that fail DMARC authentication.
There are three values for the tag: "none", "quarantine", and "reject". IMSVA enables you to specify the
action to take in each scenario based on the instructions:

§ None: select the action to take when the DMARC tag value is "none".

§ Quarantine: select the action to take when the DMARC tag value is "quarantine".

§ Reject: select the action to take when the DMARC tag value is "reject".

§ No DMARC records: select the action to take when there are no DMARC records.

8. Click Save.

Logs and Information to collect?

Important: Provide the result of the troubleshooting tips.

Provide the following information:

1. What changes were made before the issue happened?
2. Was this feature recently enabled, or was it working before?
3. Take note of and provide the sender, recipient, and time stamp of the affected mail.
4. What is the status in the Mail Tracking logs? Is there an error message? Is the email quarantined or delivered?

Collect the Mail Sample and Case Diagnostic Logs

4. Upgrading IMSVA.

In this chapter we discuss what you can and cannot do during an upgrade.

o Things to Consider When Upgrading your IMSVA
o Things not to do during an upgrade

Troubleshooting Tips

Things to Consider When Upgrading your IMSVA:

- Downtime: upgrading your servers requires service restarts at minimum, so schedule downtime for this activity to avoid any production impact.

- How many servers to upgrade: to minimize impact, consider your available IMSVA servers during the planning phase of the upgrade. If you have multiple servers (2 or more), for example:

§ IMSVA 1
§ IMSVA 2
§ IMSVA 3
§ IMSVA 4

Since you have 4 servers, all in parent mode, and if you do not have a separate load balancer application, you can divert the traffic of servers 3 and 4 to servers 1 and 2 and upgrade servers 3 and 4 in the first phase. You can do it 2 at a time or 1 at a time for minimal impact. The goal here is to minimize downtime.

Upgrading servers in stages also lets you check whether you will encounter issues in this particular upgrade. In the instance given above, you can upgrade 1 server first, then observe its behavior for a week under normal mail load. If you encounter any issues, reach out to us so we can validate them and confirm whether a rollback is needed.

- Current environment setup: if you have multiple IMSVA servers, parent or child, you have to consider the upgrade sequence. By design, the child servers are always upgraded first and the parent last. Combining the information above with whether each server is a parent or child, you can plan your upgrade accordingly.

- Files to be used for the upgrade: if you have an upgrade project, make sure you have the files available and ready at your disposal. You can check the latest releases at https://downloadcenter.trendmicro.com

- Rollback: hotfixes and critical patches can be rolled back, but major upgrades such as service packs or version upgrades cannot be rolled back. Consider this when planning an upgrade. If you are running IMSVA in a virtual environment, you can take a snapshot of your VM before applying changes so you have a save point to revert to.

Things NOT to do during an upgrade:

1. Never interrupt or hard reboot the server mid-upgrade.
2. If it is not responding, wait, especially when upgrading from a very old version. If it lasts for more than 2 hours with no response, contact us through our hotline for urgent assistance:

Logs and Information to collect?

Provide the following information:

Important: Provide the result of the troubleshooting tips.

1. Can you still access the web console?

If not, see "Cannot access web console".

2. Provide a screenshot of your Updates > System Updates page.

3. Collect and submit Case Diagnostic Logs.

5. How to check and secure IMSVA when vulnerabilities are detected?

Here we provide the fixes for certain vulnerabilities that have been reported by various vulnerability assessment tests affecting IMSVA, and what to do when a reported vulnerability does not yet have a fix.

o Sweet32
o Weak Algorithm
o Weak MAC Algorithm
o Weak Ciphers
o CBC Cipher Mode Enabled

Troubleshooting Tips

How to resolve Sweet32 Vulnerabilities?

[Port 8445 - Web Console]

1. Go to /opt/trend/imss/UI/php/conf

#cd /opt/trend/imss/UI/php/conf

2. Backup the widget.conf file

#cp widget.conf widget.conf.bak

3. Open the widget.conf

a. To edit, run #vi widget.conf

o Look for "SSLCipherSuite" by typing "/SSLCipherSuite" after the vi command and pressing Enter.
o Add the following two lines if they do not exist:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!3DES

Note: If the two lines already exist, update SSLCipherSuite: add !3DES and change RC4+RSA to !RC4+RSA.

b. To save changes and exit file press Esc, and type :wq!

4. Run below command to restart the IMSVA admin UI.

#S99ADMINUI restart

[Port 25 - Postfix]

1. Go to /opt/trend/imss/postfix/etc/postfix

#cd /opt/trend/imss/postfix/etc/postfix

2. Backup the main.cf file

#cp main.cf main.cf.bak

3. Open the main.cf file.

a. To edit, run #vi main.cf
b. Look for the "smtp_tls_exclude_ciphers" entry. Type "/smtp_tls_exclude_ciphers" and press Enter.
c. Add the two lines below if they do not exist:
smtp_tls_exclude_ciphers = EXPORT, LOW, aNULL, RC4, 3DES
smtpd_tls_exclude_ciphers = EXPORT, LOW, aNULL, RC4, 3DES
Note: If the two lines already exist, just add "RC4" and "3DES".
d. To save changes and exit the file, press Esc and type :wq!

4. Restart postfix
#service postfix restart

How to disable weak algorithm?

1. Log in as root in the IMSVA CLI.
2. Open sshd_config in the /etc/ssh directory.
3. Add the following line at the end of the file:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

4. Save and quit.
5. Restart the sshd service using the command:
[root@imsva~#] service sshd restart

How to disable weak MAC algorithm?

1. Log in as root in the IMSVA CLI.
2. Open sshd_config in the /etc/ssh directory.
3. Add the following line at the end of the file:
MACs hmac-sha1,[email protected],hmac-ripemd160

4. Save and quit.
5. Restart the sshd service using the command:

[root@imsva~#] service sshd restart

How to disable weak ciphers?

How to disable the sslv2 protocol on port 8445?

Do the following:

1. Open the /opt/trend/imss/UI/php/conf/widget.conf file.


2. Edit the file by adding the following line under "SSLEngine On":

SSLProtocol all -SSLv2

3. Save the changes and close the file.
4. Restart the web console by running the command "S99ADMINUI restart".

To test SSL strength, use the OpenSSL command line and run the command "openssl s_client -connect <IP of IMSVA>:8445 -ssl2". A handshake failure means SSLv2 has been disabled. Note that OpenSSL builds from 1.1.0 onward no longer include SSLv2 support and do not accept the -ssl2 option, so on such a client this particular test cannot be run.

How to disable encryption below 128 bits?

Do the following:

1. Open the /opt/trend/imss/UI/php/conf/widget.conf file.


2. Edit the file by adding the following line under "SSLProtocol all -SSLv2":

SSLCipherSuite HIGH:MEDIUM

3. Save the changes and close the file.
4. Restart the web console by running the command "S99ADMINUI restart".

To verify if IMSVA already prohibits weak ciphers, run the command "openssl s_client -connect <IP of
IMSVA>:8445 -cipher LOW:EXP". A handshake failure means low cipher is no longer allowed.

How to disable CBC cipher mode?

1. Log in as root in the IMSVA CLI.

2. Open sshd_config in the /etc/ssh directory.

3. Delete the CBC ciphers aes256-cbc, aes192-cbc, aes128-cbc and 3des-cbc from the Ciphers line.

4. Expected result: only "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" is retained.

5. Save and quit.

6. Restart the sshd service using the command:

[root@imsva~#] service sshd restart
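To verify the end state of the Sweet32, weak algorithm and CBC procedures above without re-reading each file by hand, the following Python is an added example (not Trend Micro code) that audits constructed widget.conf, main.cf and sshd_config fragments for the settings those procedures require. It is a file check only, not a live TLS or SSH probe, and the "before" and "after" fragments are constructed for illustration.

```python
import re

# Constructed "before" fragments with the weak settings the procedures above replace (not files from an appliance).
WIDGET_CONF_BEFORE = """SSLEngine On
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
"""
MAIN_CF_BEFORE = """smtp_tls_exclude_ciphers = EXPORT, LOW, aNULL
smtpd_tls_exclude_ciphers = EXPORT, LOW, aNULL
"""
SSHD_CONFIG_BEFORE = "Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc\n"

# Constructed "after" fragments carrying the values the procedures tell you to set.
WIDGET_CONF_AFTER = """SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!3DES
"""
MAIN_CF_AFTER = """smtp_tls_exclude_ciphers = EXPORT, LOW, aNULL, RC4, 3DES
smtpd_tls_exclude_ciphers = EXPORT, LOW, aNULL, RC4, 3DES
"""
SSHD_CONFIG_AFTER = "Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n"


def directives(text, name, sep=r"\s+"):
    # All uncommented values of `name`, in file order.
    values = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            match = re.match(rf"{name}{sep}(.+)$", line, re.IGNORECASE)
            if match:
                values.append(match.group(1).strip())
    return values


def audit_widget_conf(text):
    # Web console (port 8445): SSLv2/SSLv3 off, 3DES excluded (Sweet32), RC4+RSA negated. Apache uses the last value.
    findings = []
    protos = directives(text, "SSLProtocol")
    suites = directives(text, "SSLCipherSuite")
    if not protos or not {"-sslv2", "-sslv3"} <= set(protos[-1].lower().split()):
        findings.append("SSLProtocol does not disable both SSLv2 and SSLv3")
    if not suites:
        findings.append("SSLCipherSuite is missing")
    else:
        parts = suites[-1].split(":")
        if "!3DES" not in parts:
            findings.append("SSLCipherSuite does not exclude 3DES (Sweet32)")
        if "RC4+RSA" in parts:
            findings.append("SSLCipherSuite still enables RC4+RSA")
    return findings


def audit_main_cf(text):
    # Postfix (port 25): both exclude lists must name RC4 and 3DES. Postfix uses the last value of a parameter.
    findings = []
    for key in ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers"):
        values = directives(text, key, sep=r"\s*=\s*")
        excluded = {item.strip().upper() for item in (values[-1] if values else "").split(",")}
        findings += [f"{key} does not exclude {c}" for c in ("RC4", "3DES") if c not in excluded]
    return findings


def audit_sshd_config(text):
    # sshd honours the FIRST occurrence of a keyword, so check that one; any *-cbc entry keeps CBC mode enabled.
    values = directives(text, "Ciphers")
    if not values:
        return ["Ciphers line missing: sshd default cipher list applies"]
    return [f"CBC cipher still enabled: {c}" for c in values[0].split(",") if c.strip().endswith("-cbc")]
```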

How to report new vulnerabilities detected?

If a new vulnerability is detected that is not included in this document, follow the procedure below.

Things to do

1. Get the CVE number.
2. Reach out to us through our Contact Us channels.
3. Provide details of the Vulnerability Assessment Report with the included CVE.

Logs and Information to collect?

1. CVE Number
2. Vulnerability Assessment Report
3. Case Diagnostic Logs

6. How to handle undetected spam/threat?

Note: Do not forward the email sample to the administrator; forwarding breaks the mail's integrity and no further checking can be done on it.

If you have a mail sample that passed through IMSVA and is an undetected spam message or threat, do the steps below.

1. Collect the sample from the recipient's mailbox. Download a copy from Outlook > File > Save As, as .eml or .msg.
2. Collect CDT logs together with the mail sample.
3. Contact us and provide details of the incident, stating whether it is undetected spam or an undetected threat.

Index

How to Read Email Headers & Check for Time Delays?

Email headers can be used to identify at which MTA the delay occurs.

TIME ZONES

When investigating whether an email has a particular delay, obtain the headers of the email and look through the time stamps. If you examine the time stamps carefully and convert everything to UTC (GMT), you should be able to conclude whether there is a delay in the email or simply a time zone difference.

1. What information to convert?

Take note of email header information with Received: from <email server>

ex:
Received: from mail.sender.com (unknown [192.168.20.208])
by mail.recipient.com (Postfix) with ESMTPS;
Wed, 13 May 2020 10:45:25 +0200 (CAT)

2. Take note of the time and convert to UTC.

3. Find the delay

ex:
* Delay = UTC 1 – UTC 2
* Delay = 25:11:50 - 22:46:40 = 2 hours 25 mins 19 secs

4. You may also use websites that analyze headers such as MXToolBox Header Analyzer for ease of use.

Related Topics:
See How to troubleshoot delayed emails?
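As an added example that is not part of the handbook, the following Python applies steps 1 to 3 above to a constructed message whose three Received headers carry different time zone offsets: it converts every timestamp to UTC and reports how long each MTA held the message, so the hop to investigate stands out even though the local times look unrelated. Host names, addresses and times are constructed.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: three Received headers, newest first as MTAs prepend them, each in a different time zone.
SAMPLE_MESSAGE = """Received: from imsva.example.net (unknown [192.0.2.25])
\tby mail.recipient.example (Postfix) with ESMTPS;
\tWed, 13 May 2020 11:15:35 +0200 (CAT)
Received: from mail.sender.example (unknown [192.168.20.208])
\tby imsva.example.net (Postfix) with ESMTPS;
\tWed, 13 May 2020 04:45:30 -0400 (EDT)
Received: from [10.1.2.3] by mail.sender.example with ESMTPA;
\tWed, 13 May 2020 16:45:25 +0800 (PHT)
From: user@mail.sender.example
To: user@mail.recipient.example
Subject: constructed sample

body
"""


def received_timestamps_utc(raw):
    # Returns [(receiving MTA, UTC datetime), ...] oldest hop first, i.e. the path the message took.
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        # The date-time is the part of a Received header after its last ';'.
        by = re.search(r"\bby\s+(\S+)", header)
        stamp = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())
        hops.append((by.group(1) if by else "?", stamp.astimezone(timezone.utc)))
    return list(reversed(hops))


def hop_delays(raw):
    # Seconds between consecutive UTC stamps, attributed to the MTA that held the message in between.
    hops = received_timestamps_utc(raw)
    return [(hops[i][0], int((hops[i + 1][1] - hops[i][1]).total_seconds())) for i in range(len(hops) - 1)]


def slowest_hop(raw):
    # The MTA to look at first when an email is reported as delayed.
    return max(hop_delays(raw), key=lambda hop: hop[1])


def hms(seconds):
    # Formats a delay the way the handbook writes it: "<n> hours <n> mins <n> secs".
    hours, rest = divmod(seconds, 3600)
    mins, secs = divmod(rest, 60)
    return f"{hours} hours {mins} mins {secs} secs"
```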

How to view email headers using Outlook?

1. Open the mail sample.

2. Go to File.

3. Go to Info > Properties.

4. Under Properties, review the Internet headers. This

How to check file ownership and permission?

1. Make sure that the IMSVA files are owned by IMSVA (screenshot below for reference).

[root@imsva ~]#ls -ll /opt/trend/imss/postfix/etc/postfix/

2. If any file ownership or permission is incorrect, make changes to correct it; see "How to change file ownership and permission (Linux)?".

How to check database connection?

1. Log in to the IMSVA shell as root.

2. Connect to the imss database with the psql client:

[root@imsva51 ~]# /opt/trend/imss/PostgreSQL/bin/psql imss sa

3. A successful connection shows the imss=# prompt. Type "\q" and press Enter to quit.

How to check disk space information?

1. Login to the IMSVA shell as root.


2. Type the command "df -h"

[root@imsva ~]# df -h

How to change file ownership and permission (Linux)?

Note: IMSVA files usually are owned by root:root

1. File ownership
[root@imsva ~]# chown root:root <file name>

2. File permission
[root@imsva ~]# chmod <permission> <file name>

chmod reference: https://www.linode.com/docs/tools-reference/tools/modify-file-permissions-with-chmod/

Note: If unsure with the changes, check with support.

Recommended Sizing for IMSVA

CPU
§ Recommended: Four Intel™ Xeon™ processors
§ Minimum: Two Intel™ Xeon™ processors

Memory
§ Recommended: 8 GB RAM
§ Minimum: 4 GB RAM

Disk Space
§ Recommended: 250 GB
§ Minimum: 120 GB

Common Network Troubleshooting Tips

1. Check if IMSVA can look up the MX records of the recipient domain.

[root@imsva ~]# nslookup -q=mx gmail.com

2. Check if IMSVA can communicate with the domain on port 25.

[root@imsva ~]# telnet gmail.com 25

3. Check if IMSVA can reach the domain (useful for isolating which hop is having an issue). Use "traceroute".

Note: The traceroute tool shows you each hop sequentially and the total hops required. For each hop, it displays the hop number, round-trip times, best time (ms), IP address, TTL, and country.

[root@imsva ~]# traceroute gmail.com

Note: If the route does not complete, check the last IP address where it stopped; that hop may be the cause of the issue.

How to use "top" command?

One of the most frequently used commands in our daily system administrative jobs is the "top" command.
top displays processor activity of your Linux box and also displays tasks managed by kernel in real-time.

See https://www.tecmint.com/12-top-command-examples-in-linux/

How to check IMSVA performance?

1. In the IMSVA console, go to Dashboard > System Overview tab. Check and review System Usage.

See CPU / Memory / Data Partition Information.

2. Go to Dashboard > Message Traffic tab.

Here you can see message handling performance information. You can change the range of how many logs are displayed.

How to install patch/Hotfix?

Note: For latest IMSVA Patch you can check with Trend Micro Download Center.

1. Create a backup file (best practice).

· Access the IMSVA web console.
· Select Administration > Import / Export > Import / Export Configuration files tab.
· Click Export.

2. Installing the patch

· Log on to the IMSVA admin console GUI.
· Go to the "Administration > Updates > System and Application" page.
· Click "Browse".
· Browse your local hard disk for the patch file and click "Open".
· Click "Upload". Your browser uploads the patch file to IMSVA and IMSVA validates whether the file is a legitimate patch.
· Select the target IMSVA server and click "Update".

How to update and rollback?

1. Go to System Status
2. Select target component and click Update or Rollback

How to collect logs?

If you are experiencing any issues not covered by the provided troubleshooting guide, see https://success.trendmicro.com/solution/1113629 for how to collect IMSVA logs.

Provide the following files when filing a support case.

o CDT from the KB article above
o Mail Sample
o Packet captures

IMSVA Official Documents

The following IMSVA documents and guides are uploaded to docs.trendmicro.com:

o Administration Guide
o Installation Guide
o Online Help
See: https://docs.trendmicro.com/en-us/enterprise/interscan-messaging-security-virtual-appliance.aspx

Trend Micro Contact Details

Please find your local channel in the article provided below.


Contact Us

Feedback

For comments and suggestions you can answer a quick survey below.

o Comments and Suggestions
