The Commands: Reference Examples

This chapter contains the following sections:

How to Read the Listing

For each command, there is a description and at least one example of the command being used. The Usage section specifies the following command attributes:

Procedure


Step 1

Does the command require a commit command to be implemented on the appliance?

Step 2

Is the command restricted to a particular mode (cluster, group, or machine).?

Step 3

Does the command permit a batch format?

For more information about Centralized Management, see User Guide for AsyncOS for Cisco Email Security Appliances .

For more information about batch formats, please see Command Line Interface: The Basics.


Advanced Malware Protection

ampconfig

Configure file reputation filtering and file analysis. Do not modify advanced options without guidance from Cisco TAC.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For details, see the inline help by typing the command: help ampconfig .

Examples

Enabling File Reputation and File Analysis


mail.example.com> ampconfig

File Reputation: Disabled

Choose the operation you want to perform:

- SETUP - Configure Advanced-Malware protection service.

[]> setup

File Reputation: Disabled

Would you like to use File Reputation? [Y]>

Would you like to use File Analysis? [Y]> 

File types supported for File Analysis:

1. Microsoft Executables

Do you want to modify the file types selected for File Analysis? [N]>

Specify AMP processing timeout (in seconds)

[120]>

Advanced-Malware protection is now enabled on the system.

Please note: you must issue the 'policyconfig' command (CLI) or Mail

Policies (GUI) to configure advanced malware scanning behavior for

default and custom Incoming Mail Policies.

This is recommended for your DEFAULT policy.

File Reputation: Enabled

File Analysis: Enabled

File types selected for File Analysis:

1. Microsoft Executables

Choose the operation you want to perform:

- SETUP - Configure Advanced-Malware protection service.

- ADVANCED - Set values for AMP parameters (Advanced configuration).

- CLEARCACHE - Clears the local File Reputation cache.

[]>

Selecting File Types for File Analysis

mail.example.com> ampconfig 
File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet

Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> setup

File Reputation: Enabled
Would you like to use File Reputation? [Y]> yes

Would you like to use File Analysis? [Y]> yes

Do you want to modify the file types selected for File Analysis? [N]> yes

Enter comma separated serial numbers from the list of groups to select file types associated with the group.

1. Archived and compressed
2. Configuration
3. Database
4. Document
5. Email
6. Encoded and Encrypted
7. Executables [partly selected]
8. Font & Graphics and Images
9. Microsoft Documents
10. Miscellaneous
11. Multimedia
[]> 9
File types belonging to the group "Microsoft Documents":
1. Access.Extension.14(mda)
2. Access.MDBFile(mdb)
3. Access.MDEFile.14(mde)
4. Access.Shortcut.DataAccessPage.1(maw)
5. Access.Shortcut.Form.1(maf)
6. …………
Choose the operation you want to perform:
- PRINT - Print the file types for File Analysis
- ADD - Add the file type(s) for File Analysis
[]> add
Choose the file type(s) to be added for File Analysis from the list
File types that are not selected for File Analysis from group "Microsoft Documents":
1. Access.Extension.14(mda)
2. Access.MDBFile(mdb)
3. Access.MDEFile.14(mde)
4. Access.Shortcut.DataAccessPage.1(maw)
5. Access.Shortcut.Form.1(maf)
6. …….. ….
[]> 1-3, 5
Choose the operation you want to perform:
- PRINT - Print the file types for File Analysis
- DELETE - Delete the file type(s) for File Analysis
- ADD - Add the file type(s) for File Analysis
[]> print
File types belonging to the group:
1. Access.Extension.14(mda) [selected]
2. Access.MDBFile(mdb) [selected]
3. Access.MDEFile.14(mde) [selected]
4. Access.Shortcut.DataAccessPage.1(maw)
5. Access.Shortcut.Form.1(maf) [selected]
6. …….. ….
Choose the operation you want to perform:
- PRINT - Print the file types for File Analysis
- DELETE - Delete the file type(s) for File Analysis
- ADD - Add the file type(s) for File Analysis
Specify AMP processing timeout (in seconds)
[120]>

Advanced-Malware protection is now enabled on the system.

Please note: you must issue the 'policyconfig' command (CLI) or Mail Policies (GUI) to configure advanced malware 
scanning behavior for default and custom Incoming Mail Policies.
This is recommended for your DEFAULT policy. File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]>

Configure Email Security appliance to Use Public Cloud File Analysis Server


mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.sourcefire.com)
2. Private reputation cloud
[1]>
Enter cloud domain?
[cloud-domain.com]>
Do you want use the recommended analysis threshold from cloud service? [Y]>
Enter analysis threshold?
[50]>
Enter heartbeat interval?
[15]> 
Do you want to enable SSL communication (port 443) for file reputation? [N]> 
Do you want to suppress the verdict update alerts for all messages that are 
not delivered to the recipient? [N]>
Choose a file analysis server:
1. AMERICAS (https://americas-fa.com)
2. Private Cloud
[1]>
...

(Public Cloud File Analysis Services Only) Configuring Appliance Groups

In order to allow all content security appliances in your organization to view file analysis result details in the cloud for files sent for analysis from any appliance in your organization, you need to join all appliances to the same appliance group.

For more information, see the “File Reputation Filtering and File Analysis” chapter in the user guide.


mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> setgroup
Does your organization have multiple Cisco Email, Web, and/or Content Security Management appliances? [N]> Y
Do you want this appliance to display detailed analysis reports for files uploaded to the cloud from other appliances in your organization, 
and vice-versa? 
[Y]> Enter an Analysis Group name. This name is case-sensitive and must be configured identically on each appliance in the Analysis Group.
[]> FA_Reporting
Registration is successful with the group name. This does not require commit
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: FA_Reporting
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- VIEWGROUP - view the group members details.
- CLEARCACHE - Clears the local File Reputation cache.
[]>

Note

After you configure an appliance group, you cannot use the setgroup subcommand. If you want to need to modify the group for any reason, you must open a case with Cisco TAC.You can view the details of the appliance group using the viewgroup subcommand.

Configure Email Security Appliance to Use an On-Premises File Analysis Server


mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.sourcefire.com)
2. Private reputation cloud
[1]> 
Enter cloud domain?
[a.immunet.com]>
Do you want use the recommended analysis threshold from cloud service? [Y]> 
Enter analysis threshold?
[50]>
Enter heartbeat interval?
[15]> 
Do you want to enable SSL communication (port 443) for file reputation? [N]> 
Do you want to suppress the verdict update alerts for all messages that are 
not delivered to the recipient? [N]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. Private Cloud
[1]> 2
Enter file analysis server url?
[]> https://mycloud.example.com
Certificate Authority:
1. Use Cisco Trusted Root Certificate List
2. Paste certificate to CLI
[1]>
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]>

Configure Email Security Appliance to Use an On-Premises File Reputation Server


mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]> 
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.domain.com)
2. Private reputation cloud
[1]> 2
Enter AMP reputation server hostname or IP address?
[]> myamp.domain.com
Paste the public key followed by a . on a new line
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0
FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/
3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
-----END PUBLIC KEY-----
.
Enter cloud domain?
[immunet.com]> 
Do you want use the recommended analysis threshold from cloud service? [Y]> 
Enter heartbeat interval?
[15]> 
Do you want to enable SSL communication (port 443) for file reputation? [N]> 
Choose a file analysis server:
1. AMERICAS (https://threatgrid.com)
2. Private analysis cloud
[1]> 
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> 

Clearing Local File Reputation Cache


mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> clearcache
Do you want to clear File Reputation Cache? [N]> y
Cache cleared successfully.
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]>

Configuring Cache Expiry Period for File Reputation disposition values

In the following example, the modifytimeout sub command is used to configure the cache expiry period for malicious files.


Note

The cache expiry period must be a value from 15 minutes to 7 days.

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> cachesettings
Choose the operation you want to perfrom:
- MODIFYTIMEOUT - Configure the cache expiry period based on File Reputation disposition.
- CLEARCACHE - Clears the local File Reputation cache.
[]> modifytimeout
Choose the operation you want to perform:
- CLEAN - Configure the cache expiry period for clean files.
- MALICIOUS - Configure the cache expiry period for malicious files.
- UNKNOWN - Configure the cache expiry period for unknown files.
[]> malicious
Specify the cache expiry period for this file disposition (use 'd' for days, 'h' for hours, or 'm' for minutes). If you 
specify a value without a unit, it is always treated as days.
[1d]> 5d

Suppressing File Retrospective Verdict Alerts

mail.example.com> ampconfig 

File Reputation: Enabled 
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet 

Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> advanced

Enter cloud query timeout? 
[15]>

Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.domain.com)
2. Private reputation cloud
[1]> 

Do you want use the recommended reputation threshold from cloud service? [Y]> 

Enter heartbeat interval?
[15]>

Do you want to enable SSL communication (port 443) for file reputation? [N]> 

Do you want to suppress the file retrospective verdict alerts for the messages that are not delivered to the recipient
[N]> yes

Configuring Cisco AMP Threat Grid Clustering for File Analysis


mail.example.com> ampconfig

File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet

Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> advanced

Enter cloud query timeout?
[15]>

Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.cisco.com)
2. AMERICAS(Legacy) (cloud-sa.amp.sourcefire.com)
3. Private reputation cloud
[1]>

Do you want use the recommended analysis threshold from cloud service? [Y]>

Enter heartbeat interval?
[15]>

Do you want to enable SSL communication (port 443) for file reputation? [N]>

Do you want to suppress the verdict update alerts for all messages that are not
delivered to the recipient? [N]>

Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. Private analysis cloud
[1]> 2

There are no private analysis servers configured.

Choose the operation you want to perform:
- NEW - Configure a new private analysis server.
[]> new

Enter the file analysis server hostname or IP or URL.
[]> 192.1.10.20

Serial Number      Private Analysis Server
-----------------------------------
1                   192.1.10.20

Choose the operation you want to perform:
- ADD - Add a new private analysis server to the cluster.
- EDIT - Edit a private analysis server in the cluster.
- DELETE - Delete a private analysis server from the cluster.
[]> add

Enter the new private analysis server hostname or IP address or URL to the
cluster.
[]> 192.1.10.30

Serial Number      Private Analysis Server
-----------------------------------
1                  192.1.10.20
2                  192.1.10.30

Choose the operation you want to perform:
- ADD - Add a new private analysis server to the cluster.
- EDIT - Edit a private analysis server in the cluster.
- DELETE - Delete a private analysis server from the cluster.
[]>

ampstatus

Description

Display the version of various Advanced Malware Protection (file reputation and analysis) components.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> ampstatus
Component                           Version    Last Updated
AMP Client Settings                 1.0        Never updated
AMP Client Engine                   1.0        Never updated

Spam and Graymail Management

This section contains the following commands:

antispamconfig

Description

Configure anti-spam policy.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example

The following examples demonstrates the configuration for Anti-Spam functionality.


mail3.example.com> antispamconfig

IronPort Anti-Spam scanning: Disabled
Choose the operation you want to perform:
- SETUP - Edit IronPort Anti-Spam settings.
[]> setup
IronPort Anti-Spam scanning: Disabled
Would you like to use IronPort Anti-Spam scanning? [Y]> y
The IronPort Anti-Spam License Agreement is displayed (if you have not already accepted it).
Do you accept the above IronPort Anti-Spam license agreement? []> Y
Increasing the following size settings may result in decreased performance. Please consult documentation for size 
recommendations based on your environment.
Never scan message larger than: (Add a trailing K for kilobytes, M for megabytes, or no letters for bytes.)
[1M]>
Always scan message smaller than: (Add a trailing K for kilobytes, M for megabytes, or no letters for bytes.)
[512K]>
Please specify the IronPort Anti-Spam scanning timeout (in seconds)
[60]>
Would you like to enable regional scanning? [N]>
IronPort Anti-Spam scanning is now enabled on the system. Please note: you must issue the 'policyconfig' command (CLI) 
or Mail Policies (GUI) to configure
Cisco IronPort scanning behavior for default and custom Incoming and Outgoing Mail Policies. This is recommended for your DEFAULT policy.
IronPort Anti-Spam scanning: Enabled
Choose the operation you want to perform:
- SETUP - Edit IronPort Anti-Spam settings.
[]>

antispamstatus

Description

Display anti-spam status.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> antispamstatus
Choose the operation you want to perform:
- IRONPORT - Display IronPort Anti-Spam version and rule information.

- MULTISCAN - Display Intelligent Multi-Scan version and rule information.
[]> ironport
  Component              Last Update                  Version
 CASE Core Files        Never updated                3.4.0-013
 CASE Utilities         Never updated                3.4.0-013
 Structural Rules       Never updated 3.3.1-009-20141210_214201
 Web Reputation DB      Never updated                20141211_111021
 Web Reputation Rules   Never updated 20141211_111021-20141211_170330
 Content Rules          Never updated                unavailable
 Content Rules Update   Never updated                unavailable
Last download attempt made on: Never

antispamupdate

Description

Manually request an immediate update of Anti-Spam rules and related CASE components. This also includes the Anti-Spam rules and CASE components used by Intelligent Multi-Scan (IMS), but not for the third-party anti-spam engines used by IMS.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> antispamupdate
Choose the operation you want to perform:
- MULTISCAN - Request updates for Intelligent Multi-Scan
- IRONPORT - Request updates for IronPort Anti-Spam

[]> ironport
Requesting check for new CASE definitions

imsandgraymailconfig

Description

Configure the Cisco Intelligent Multi-Scan (IMS) and Graymail Detection and Safe Unsubscribe settings.


Note

  • To configure the threshold for message scanning by Cisco Intelligent Multi-Scan and Graymail Detection and Safe Unsubscribing, use the imsandgraymailconfig > globalconfig sub command. These global configuration settings are common for both Cisco Intelligent Multi-Scan and Graymail Detection and Safe Unsubscribing.

  • To configure policy settings for graymail detection and safe unsubscribing, use the policyconfig command. For more information, see Create an Incoming Policy to Drop the Messages Identified as Bulk Email or Social Network Email.


Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format for graymail configuration. For more details, see the inline help by typing the command: help imsandgraymailconfig.

Example

The following examples demonstrates the configurations for Graymail Detection and Safe Unsubscribing and Intelligent Multi-Scan.

mail3.example.com> imsandgraymailconfig

Choose the operation you want to perform:
- GRAYMAIL - Configure Graymail Detection and Safe Unsubscribe settings
- MULTISCAN - Configure IronPort Intelligent Multi-Scan.
- GLOBALCONFIG - Common Global Configuration settings
[]> graymail
Graymail Detection: Disabled

Choose the operation you want to perform:
- SETUP - Configure Graymail.
[]> setup
Would you like to use Graymail Detection? [Y]> y

Would you like to enable automatic updates for Graymail engine? [Y]> y

Graymail Safe Unsubscribe: Disabled
Would you like to use Graymail Safe Unsubscribe? [Y]> y

Graymail Detection and Safe Unsubscribe is now enabled. Please note: The global settings are recommended only for your DEFAULT mail policy. To configure policy settings, use the incoming 
or outgoing policy page on web interface or the 'policyconfig' command in CLI.

[]> multiscan
IronPort Intelligent Multi-Scan: Disabled

Choose the operation you want to perform:
- SETUP - Edit Intelligent Multi-Scan settings.
[]> setup

IronPort Intelligent Multi-Scan scanning: Disabled
Would you like to use IronPort Intelligent Multi-Scan scanning? [Y]> y
Would you like to enable regional scanning? [N]> n

Intelligent Multi-Scan scanning is now enabled on the system. Please note: you must issue the 'policyconfig' command (CLI) or Mail Policies (GUI) to configure
Intelligent Multi-Scan scanning behavior for default and custom Incoming and Outgoing Mail Policies. This is recommended for your DEFAULT policy.

IronPort Intelligent Multi-Scan: Enabled

[]> globalconfig

Choose the operation you want to perform:
- SETUP - Configure Common Global settings
[]> setup

Increasing the following size settings may result in decreased performance. 
Please consult documentation for size recommendations based on your environment.

Never scan message larger than: (Add a trailing K for kilobytes, 
M for megabytes, or no letters for bytes.)
[1M]>

Always scan message smaller than: (Add a trailing K for kilobytes, 
M for megabytes, or no letters for bytes.)
[512K]>

Timeout for Scanning Single Message(in seconds):
[60]>
[]>

graymailstatus

Description

Display the details of the existing graymail rules.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example


mail.example.com> graymailstatus
Component            Version         Last Updated
Graymail Engine      01.378.53       Never Updated
Graymail Rules       01.378.53#15    Never updated
Graymail Tools       1.0.03          Never updated

graymailupdate

Description

Manually request update of the graymail rules.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example

mail.example.com> graymailupdate

Requesting check for new Graymail updates.

incomingrelayconfig

Description

Use the incomingrelayconfig command to enable and configure the Incoming Relays feature. In the following examples, the Incoming Relays feature is first enabled, and then two relays are added, one is modified, and one is deleted.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example: Enabling Incoming RelaysConfiguring an Incoming Relay


mail3.example.com> incomingrelayconfig
Incoming relays: Disabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- RELAYLIST - Configure incoming relays.
[]> setup
This command helps your Cisco IronPort appliance determine the sender's
originating IP address.
You should ONLY enable this command if your Cisco IronPort appliance is NOT
directly connected to the Internet as the "first hop" in your email
infrastructure.
You should configure this feature if other MTAs or servers are configured at
your network's perimeter to relay mail to your Cisco IronPort appliance.
Do you want to enable and define incoming relays? [N]> y
Incoming relays: Enabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- RELAYLIST - Configure incoming relays.
[]> relaylist
There are no relays defined.
Choose the operation you want to perform:
- NEW - Create a new entry
[]> new
Enter a name for this incoming relay (Ex: "first-hop")
[]> first-hop
Enter the IP address of the incoming relay.  IPv4 and IPv6 addresses are supported.
For IPv4, CIDR format subnets such as 10.1.1.0/24, IP address ranges such as 10.1.1.10-20, and subnets such as 10.2.3. are allowed.
For IPv6, CIDR format subnets such as 2001:db8::/32 and IP address ranges such as 2001:db8::1-2001:db8::11 are allowed.
Hostnames such as crm.example.com and partial hostnames such as .example.com are allowed.
[]> 192.168.1.1
Do you want to use the "Received:" header or a custom header to determine the originating IP address?
1. Use "Received:" header
2. Use a custom header
[1]> 1
Within the "Received:" header, enter the special character or string after which to begin parsing for the originating IP address:
[from]> [
Within the headers, enter the position of the "Received:" header that contains the originating IP address:
[1]> 1
There is 1 relay defined.
Choose the operation you want to perform:
- NEW - Create a new entry
- EDIT - Modify an entry
- DELETE - Remove an entry
- PRINT - Display the table
[]> print
Incoming                                      Header          Match
relay name:    IP address:                    to parse:       after:      Hops:
-----------    -----------                    ---------       ------      -----
first-hop      192.168.1.1                    Received        [           1
There is 1 relay defined.
Choose the operation you want to perform:
- NEW - Create a new entry
- EDIT - Modify an entry
- DELETE - Remove an entry
- PRINT - Display the table
[]> new
Enter a name for this incoming relay (Ex: "first-hop")
[]> second-hop
Enter the IP address of the incoming relay.  IPv4 and IPv6 addresses are supported.
For IPv4, CIDR format subnets such as 10.1.1.0/24, IP address ranges such as 10.1.1.10-20, and subnets such as 10.2.3. are allowed.
For IPv6, CIDR format subnets such as 2001:db8::/32 and IP address ranges such as 2001:db8::1-2001:db8::11 are allowed.
Hostnames such as crm.example.com and partial hostnames such as .example.com are allowed.
[]> 192.168.1.2
Do you want to use the "Received:" header or a custom header to determine the originating IP address?
1. Use "Received:" header
2. Use a custom header
[1]> 2
Enter the custom header name that contains the originating IP address:
[]> x-Connecting-IP
There are 2 relays defined.
Choose the operation you want to perform:
- NEW - Create a new entry
- EDIT - Modify an entry
- DELETE - Remove an entry
- PRINT - Display the table
[]> print
Incoming                                      Header          Match
relay name:    IP address:                    to parse:       after:      Hops:
-----------    -----------                    ---------       ------      -----
first-hop      192.168.1.1                    Received        [           1
second-hop     192.168.1.2                    x-Connecting-IP n/a         n/a
There are 2 relays defined.
Choose the operation you want to perform:
- NEW - Create a new entry
- EDIT - Modify an entry
- DELETE - Remove an entry
- PRINT - Display the table
[]> delete
1. first-hop:      192.168.1.1
2. second-hop:     192.168.1.2
Enter the number of the entry you wish to delete:
[1]> 1
Incoming relay "first-hop" deleted.
There is 1 relay defined.
Choose the operation you want to perform:
- NEW - Create a new entry
- EDIT - Modify an entry
- DELETE - Remove an entry
- PRINT - Display the table
[]>

slblconfig

Description

Configure End-User Safelist/Blocklist.


Note

Safelists/Blocklists must be enabled on the appliance via the GUI in order to run this command.

Usage

Commit: This command does not require a ‘commit’.

Batch Command: This command supports a batch format.

Batch Format - Import

Batch Format

Replaces all entries in the End-User Safelist/Blocklist with entries present in the specified file.


slblconfig import <filename> <ignore invalid entries>
  • filename - Name of the file that has to be imported. The file must be in the /configuration directory on the appliance.
  • ignore invalid entries - Whether to ignore invalid entries or not. Either 'Yes' or 'No.'

Batch Format - Export

Exports all entries in the End-User Safelist/Blocklist to a file the appliance.


slblconfig export

The appliance saves a .CSV file to the /configuration directory using the following naming convention:

slbl<timestamp><serial number>.csv.

Example - Importing Safelist/Blocklist Entries


mail.example.com> 
slblconfig
End-User Safelist/Blocklist: Enabled
Choose the operation you want to perform:
- IMPORT - Replace all entries in the End-User Safelist/Blocklist.
- EXPORT - Export all entries from the End-User Safelist/Blocklist.
[]> 
import
Currently available End-User Safelist/Blocklist files:
1. slbl.csv
Choose the file to import from.
[1]> 
1
Do you want to ignore invalid entries? [Y]> 
Y
End-User Safelist/Blocklist import has been initiated...
Please wait while this operation executes.
End-User Safelist/Blocklist successfully imported.
Choose the operation you want to perform:
- IMPORT - Replace all entries in the End-User Safelist/Blocklist.
- EXPORT - Export all entries from the End-User Safelist/Blocklist.
[]> 

Anti-Virus

This section contains the following CLI commands:

antivirusconfig

Description

Configure anti-virus policy.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example

In the following example, the antivirusconfig command is used to enable Sophos virus scanning on the system and set the time-out value to 60 seconds. To configure the update server, update interval, and optional proxy server, see updateconfig.


Note

The first time you invoke the antivirusconfig command, you may be presented with a license agreement, if you did not accept the license during the systemsetup command. If you do not accept the license agreement, the Sophos virus scanning engine will not be enabled on the appliance.

mail3.example.com> antivirusconfig

Choose the operation you want to perform:
- SOPHOS - Configure Sophos Anti-Virus.
- MCAFEE - Configure McAfee Anti-Virus.
[]> sophos

Sophos Anti-Virus: Disabled

Choose the operation you want to perform:

- SETUP - Configure Sophos Anti-Virus.

[]> setup

Sophos Anti-Virus scanning: Disabled

Would you like to use Sophos Anti-Virus scanning? [Y]> y

(First time users see the license agreement displayed here.)

Please specify the Anti-Virus scanning timeout (in seconds)
[60]> 60

Would you like to enable automatic updates for Sophos engine? [Y] > Y

Sophos Anti-Virus scanning is now enabled on the system.

Please note: you must issue the 'policyconfig' command (CLI) or Mail
Policies (GUI) to configure Sophos Anti-Virus scanning behavior for default and custom Incoming and Outgoing Mail Policies.
This is recommended for your DEFAULT policy.

Sophos Anti-Virus: Enabled
Choose the operation you want to perform:

- SETUP - Configure Sophos Anti-Virus.
[]>

Viewing Anti-Virus IDE Details

AsyncOS provides detailed status on the specific anti-virus signature files (IDE files) that have been downloaded by the appliance. You can access these details using the antivirusconfig -> detail subcommand. For example:


mail3.example.com> antivirusconfig
Choose the operation you want to perform:
- SOPHOS - Configure Sophos Anti-Virus.
- MCAFEE - Configure McAfee Anti-Virus.
[]> sophos
Sophos Anti-Virus: Enabled
Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
- STATUS - View Sophos Anti-Virus status.
- DETAIL - View Sophos Anti-Virus detail.
[]> detail
Sophos Anti-Virus:
Product - 3.87
Engine - 2.25.0
Product Date - 01 Nov 2004
Sophos IDEs currently on the system:
   'Mkar-E.Ide'           Virus Sig. - 23 Dec 2004 01:24:02
   'Rbot-Sd.Ide'          Virus Sig. - 22 Dec 2004 19:10:06
   'Santy-A.Ide'          Virus Sig. - 22 Dec 2004 06:16:32
   'Bacbanan.Ide'         Virus Sig. - 21 Dec 2004 18:33:58
   'Rbot-Sb.Ide'          Virus Sig. - 21 Dec 2004 14:50:46
   'Rbotry.Ide'           Virus Sig. - 21 Dec 2004 06:13:40
   'Sdbot-Si.Ide'         Virus Sig. - 20 Dec 2004 20:52:04
   'Oddbob-A.Ide'         Virus Sig. - 19 Dec 2004 23:34:06
   'Rbot-Rw.Ide'          Virus Sig. - 19 Dec 2004 00:50:34
   'Wortd.Ide'            Virus Sig. - 18 Dec 2004 07:02:44
   'Delf-Jb.Ide'          Virus Sig. - 17 Dec 2004 22:32:08
[...command continues...]

antivirusstatus

Description

Display Anti-Virus status.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> antivirusstatus
Choose the operation you want to perform:
- MCAFEE - Display McAfee Anti-Virus version information
- SOPHOS - Display Sophos Anti-Virus version information
[]> sophos
    SAV Engine Version        3.85
    IDE Serial                2004101801
 Engine Update        Mon Sep 27 14:21:25 2004
    Last IDE Update           Mon Oct 18 02:56:48 2004
    Last Update Attempt       Mon Oct 18 11:11:44 2004
    Last Update Success       Mon Oct 18 02:56:47 2004

antivirusupdate

Description

Manually update virus definitions.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> antivirusupdate
Choose the operation you want to perform:
- MCAFEE - Request updates for McAfee Anti-Virus
- SOPHOS - Request updates for Sophos Anti-Virus
[]> sophos
Requesting update of virus definitions
mail3.example.com>

Command Line Management

This section contains the following CLI commands:

commit

Description

Commit changes. Entering comments after the commit command is optional.

Usage

Commit: N/A

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> commit
Please enter some comments describing your changes:
[]> Changed "psinet" IP Interface to a different IP ad dress
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

commitdetail

Description

Display detailed information about the last commit.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> commitdetail
Commit at Mon Apr 18 13:46:28 2005 PDT with comments: "Enabled loopback".
mail3.example.com>

clearchanges or clear

Description

The clear command clears any configuration changes made since the last commit or clear command was issued.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example


mail3.example.com> clear
Are you sure you want to clear all changes since the last commit?  [Y]> y
Changes cleared: Mon Jan 01 12:00:01 2003
mail3.example.com>

help or h or ?

Description

The help command lists all available CLI commands and gives a brief description of each command. The help command can be invoked by typing either help or a single question mark ( ? ) at the command prompt.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example


mail3.example.com> help
Displays the list of all available commands.

rollbackconfig

The rollbackconfig command allows you to rollback to one of the previously committed 10 configurations.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> rollbackconfig
Previous Commits:
    Committed On                  User                Description
---------------------------------------------------------------------------------
1. Fri May 23 06:53:43 2014      admin               new user
2. Fri May 23 06:50:57 2014      admin               rollback
3. Fri May 23 05:47:26 2014      admin
4. Fri May 23 05:45:51 2014      admin               edit user
Enter the number of the config to revert to.
[]> 2
Are you sure you want to roll back the configuration? [N]> y
Reverted to Fri May 23 06:50:57 2014      admin               rollback
Do you want to commit this configuration now? [N]> y
Committed the changes successfully

quit or q or exit

Description

The quit command logs you out of the CLI application. Configuration changes that have not been committed are cleared. The quit command has no effect on email operations. Logout is logged into the log files. (Typing exit is the same as typing quit.)

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example


mail3.example.com> quit
Configuration changes entered but not committed.  Exiting will lose changes.
Type 'commit' at the command prompt to commit changes.
Are you sure you wish to exit?  [N]> Y

Configuration File Management

This section contains the following CLI commands:

loadconfig

Description

Load a configuration file.


Note

Loading configuration on clustered machines is supported only using GUI. For instructions, see User Guide for AsyncOS for Cisco Email Security Appliances .

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example

In this example, a new configuration file is imported from a local location.


mail3.example.com> loadconfig
1. Paste via CLI
2. Load from file
[1]> 2
Enter the name of the file to import:
[]> changed.config.xml
Values have been loaded.
Be sure to run "commit" to make these settings active.
mail3.example.com> commit
Please enter some comments describing your changes:
[]> loaded new configuration file
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

In this example, a new configuration file is pasted directly at the command line. (Remember to type Control-D on a blank line to end the paste command.) Then, the system setup wizard is used to change the default hostname, IP address, and default gateway information. Finally, the changes are committed.


mail3.example.com> loadconfig
1. Paste via CLI
2. Load from file
[1]> 1
Paste the configuration file now.
Press CTRL-D on a blank line when done.
[The configuration file is pasted until the end tag 
</config>
. Control-D is entered on a separate line.] 
Values have been loaded.
Be sure to run "commit" to make these settings active.
mail3.example.com> systemsetup
[The system setup wizard is run.]
mail3.example.com> commit
Please enter some comments describing your changes:
[]> pasted new configuration file and changed default settings via 
systemsetup 
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

mailconfig

Description

To test the configuration, you can use the mailconfig command immediately to send a test email containing the system configuration data you just created with the systemsetup command.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example


mail.example.com> mailconfig
Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> user@example.com
Choose the passphrase option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using loadconfig command)
2. Encrypt passphrases
3. Plain passphrases
[1]> 2
The configuration file has been sent to user@example.com.

Send the configuration to a mailbox to which you have access to confirm that the system is able to send email on your network.


Note

For enhanced security, if encryption of sensitive data in the appliance is enabled in fipsconfig command, you cannot use Plain passwords option.

resetconfig

Description

When physically transferring the appliance, you may want to start with factory defaults. The r esetconfig command resets all configuration values to factory defaults. This command is extremely destructive, and it should only be used when you are transferring the unit or as a last resort to solving configuration issues. It is recommended you run the systemsetup command after reconnecting to the CLI after you have run the resetconfig command.


Note

The resetconfig command only works when the appliance is in the offline state. When the resetconfig command completes, the appliance is automatically returned to the online state, even before you run the systemsetup command again. If mail delivery was suspended before you issued the resetconfig command, the mail will attempt to be delivered again when the resetconfig command completes.

DANGER

The resetconfig command will return all network settings to factory defaults, potentially disconnecting you from the CLI, disabling services that you used to connect to the appliance (FTP, Telnet, SSH, HTTP, HTTPS), and even removing additional user accounts you created with the userconfig command. Do not use this command if you are not able to reconnect to the CLI using the Serial interface or the default settings on the Management port through the default Admin user account.


Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto). This command requires access to the local file system.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> suspend
Delay (seconds, minimum 30):
[30]> 45
Waiting for listeners to exit...
Receiving suspended.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
mail3.example.com> 
resetconfig
Are you sure you want to reset all configuration values? [N]> Y
All settings have been restored to the factory default.

saveconfig

Description

The saveconfig command saves the configuration file with a unique filename to the configuration directory.


Note

If you are on a clustered environment, this command saves the complete cluster configuration. To run this command on a clustered machine, change your configuration mode to cluster.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example

In the following example, the passphrases in the configuration file is encrypted and saved in the configuration directory.


mail.example.com> saveconfig
Choose the passphrase option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using loadconfig command)
2. Encrypt passphrases

[1]> 2
File written on machine "mail.example.com" to the location
"/configuration/C100V-4232116C4E14C70C4C7F-7898DA3BD955-20140319T050635.xml".
Configuration saved.

Note

For enhanced security, if encryption of sensitive data in the appliance is enabled in fipsconfig command, you cannot use Plain passwords option.

showconfig

Description

The showconfig command prints the current configuration to the screen.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example

In the following example, the configuration is displayed on CLI and the passphrases in the configuration are encrypted.


mail.example.com> showconfig
Choose the passphrase display option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using loadconfig command)
2. Encrypt passphrases
3. Plain passphrases
[1]> 2
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE config SYSTEM "config.dtd">
<!--
  Product: Cisco C100V Email Security Virtual Appliance
  Model Number: C100V
  Version: 9.0.0-038
  Serial Number: 4232116C4E14C70C4C7F-7898DA3BD955
  Number of CPUs: 2
  Memory (MB): 6144
  Current Time: Wed Mar 19 05:30:05 2014
-->
<config>
<!--
******************************************************************************
*                           Network Configuration                            *
******************************************************************************
-->[The remainder of the configuration file is printed to the screen.]

Note

For enhanced security, if encryption of sensitive data in the appliance is enabled in fipsconfig command, you cannot use Plain passwords option.

Configuring Cisco Email Security Gateway to Consume External Threat Feeds

threatfeedconfig

Description

The threatfeedconfig command is used to

  • Enable the ETF engine on your Cisco Email Security Gateway.

  • Configure an ETF source on your Cisco Email Security Gateway.

Usage

Commit: This command requires a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example - Enabling the External Threat Feeds Engine

In the following example, you can use the setup subcommand to enable the ETF engine on your Cisco Email Security Gateway.

mail.example.com> threatfeedconfig

Choose the operation you want to perform:
- SETUP - Configure External Threat Feeds.
- SOURCECONFIG - Configure an external threat feed source.

[]> setup
External Threat Feeds: Enabled
Would you like to use External Threat Feeds? [Y]> yes
Do you want to add a custom header to the message in the case of an External Threat Feeds Lookup Failure? [N]> yes
Enter the header name:
[X-IronPort-ETF-Lookup-Failure]>

Enter the header content:
[true]> 
Choose the operation you want to perform:
- SETUP - Configure External Threat Feeds.
- SOURCECONFIG - Configure an external threat feed source.

[]>

Example - Adding an External Threat Feed Source

In the following example, you can use the sourceconfig subcommand to add an ETF source on your Cisco Email Security Gateway.

mail.example.com > threatfeedconfig
Choose the operation you want to perform:
- SOURCECONFIG - Configure an external threat feed source.
[]> sourceconfig
Choose the operation you want to perform:
- ADD - Add a Source.
- LIST - List out all the sources.
- DETAIL - Get detailed information about a source.
- EDIT - Edit a source.
- SUSPEND - Suspend a source.
- RESUME - Resume a source.
- DELETE - Delete a source.
[]> add
Choose the operation you want to perform:
- POLL URL - Add an external threat feed source using the polling path and collection name.
[]> poll url
Enter a name for the external threat feed source:
[]> test_source
Enter a description for the external threat feed source (optional):
[]> test_source
Enter the host name for the external threat feed source:
[]> hailataxii.com
Enter the polling path for the external threat feed source:
[]> /taxii-data
Enter the collection name for the external threat feed source:
[]> guest.Abuse_ch
Enter the polling interval:
The polling interval can be an alphanumeric value that consists of a combination of
minutes, hours, or days followed by 'm','h' or 'd' suffixes. The numeric
values that are not entered with a suffix are considered as minutes by default. The
minimum value is 15 minutes.
[60m]> 30

Enter the age of the threat feed:
The value for the age must be between 1 and 365 days. Enter the age of the threat feed
that you want to fetch from the TAXII server. For example, if the age
is 30 days, the appliance fetches all threat feeds whose age is up to 30 days only.
[30]> 20

Enter the time span for each poll segment:
The age of threat feeds for a poll can be split into different poll segments based 
on the time span entered. 
The minimum time span for a poll segment is 1 day. The maximum time span for a 
poll segment is the value entered in the 'Age of Threat Feeds' field.
For example, if the age of the threat feeds is 30 days and the TAXII server has a fixed limit on 
the age of threat feeds (for example, '20 days'), enter the fixed limit, which must be less than 
the age of the threat feeds configured on your appliance.
[30]> 5

Do you want to use HTTPS? [Y]> yes
Enter the polling port:
[443]> 443
Do you want to use a proxy server for the threat feed source? [N]> no
Do you want to configure user credentials for the external threat feed source? [Y]> no
test_source successfully added.

threatfeedstatus

Description

The threatfeedstatus command is used to display the current version of the ETF engine.

Usage

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example - Viewing Current Version of External Threat Feeds Engine

In the following example, you can use the threatfeedstatus command to view the current version of the ETF engine.

mail.example.com> threatfeedstatus
Component                      Version            Last Updated
External ThreatFeeds           1.0.0-0000001      2 Jul 2018 04:22 (GMT +00:00)

threatfeedupdate

Description

The threatfeedupdate command is used to manually update the ETF engine.

Usage

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example - Manually Updating External Threat Feeds Engine

In the following example, you can use the threatfeedupdate command to manually update the ETF engine.

mail.example.com > threatfeedupdate

Requesting check for new External Threat Feeds updates.

Cluster Management

This section contains the following CLI commands:

clusterconfig

Description

The clusterconfig command is used to configure cluster-related settings. If this machine is not part of a cluster, running clusterconfig will give you the option of joining a cluster or creating a new cluster.

The clusterconfig command provides additional subcommands:

Non-Cluster Commands

The following commands are available when you are not in a cluster.

  • clusterconfig new <name> — This will create a new cluster with the given name. This machine will be a member of this cluster and a member of a default cluster group called "Main Group".

    <name> - The name of the new cluster.

  • clusterconfig join [--port=xx] <ip_of_remote_cluster> [<admin_password>]<groupname> — This will add this machine to a cluster.

    where:

    <ip_of_remote_cluster> - The IP address of another machine in the cluster.

    <admin_password > - The admin password of the cluster. This should not be

    specified if joining over CCS.

    <groupname> - The name of the group to join.

    <port> - The port of the remote machine to connect to (defaults to 22).

  • clusterconfig prepjoin print

    This will display the information needed to prepare the joining of this machine to a cluster over a CCS port.

Cluster Commands

The following commands are available when you are in a cluster.

  • clusterconfig addgroup <groupname> — Creates a new cluster group. The group starts off with no members.
  • clusterconfig renamegroup <old_groupname> <new_groupname> — Change the name of a cluster group.
  • clusterconfig deletegroup <groupname> [new_groupname] — Remove a cluster group.

    <groupname> - Name of the cluster group to remove.

    <new_groupname> - The cluster group to put machines of the old group into.

  • clusterconfig setgroup <machinename> <groupname> — Sets (or changes) which group a machine is a member of.

    <machinename > - The name of the machine to set.

    <groupname> - The group to set the machine to.

  • clusterconfig removemachine <machinename> — Remove a machine from the cluster.
  • clusterconfig setname <name> — Changes the name of the cluster to the given name.
  • clusterconfig list — Display all the machines currently in the cluster.
  • clusterconfig connstatus — Display all the machines currently in the cluster and add routing details for disconnected machines.
  • clusterconfig disconnect <machinename> — This will temporarily detach a machine from the cluster.

    <machinename> - The name of the machine to disconnect.

  • clusterconfig reconnect <machinename> - This will restore connections with machines that were detached with the “disconnect” command.
  • clusterconfig prepjoin new <serial_number> <hostname> <user_key> — This will add a new host that is to join the cluster over the CCSport.

    <serial_number> - The serial number of the machine being added.

    <hostname> - The host name of the machine being added.

    <user_key> - The SSH user key from the "prepjoin print" command from the joining machine.

  • clusterconfig prepjoin delete <serial_number|hostname> — This will remove a host that was previously indicated to be added from the "prepjoin new" command. This is only necessary to be used if you later decide not to add the host. When a host is successfully added to the cluster, its prepjoin information is automatically removed.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to cluster mode.

Batch Command: This command does not support a batch format.

Example

For an explanation of the clusterconfig command and its uses, see User Guide for AsyncOS for Cisco Email Security Appliances .

Data Loss Prevention

This section contains the following CLI commands:

dlpstatus

Request version information for DLP Engine.


Note

DLP must already be configured via the DLP Global Settings page in the GUI before you can use the dlpstatus command.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is can be used at cluster, group or machine mode.

Batch Command: This command does not support a batch format.

Example

mail.example.com> dlpstatus

Component 								     Version    Last Updated
DLP Engine            3.0.2.31   Never updated

dlpupdate

Description

Update DLP Engine.


Note

DLP must already be configured via the DLP Global Settings page in the GUI before you can use the dlpupdate command.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is can be used at cluster, group or machine mode.

Batch Command: This command supports a batch format.

Batch Format

The batch format of the dlpupdate command forces an update of the DLP engine even if no changes are detected.


dlpupdate [force]

Example


mail.example.com> dlpupdate

Checking for available updates. This may take a few seconds..

Could not check for available updates. Please check your Network and Service Updates settings and retry.

Choose the operation you want to perform:

- SETUP - Enable or disable automatic updates for DLP Engine.

[]> setup

Automatic updates for DLP are disabled

Do you wish to enable automatic updates for DLP Engine? [N]> y

Choose the operation you want to perform:

- SETUP - Enable or disable automatic updates for DLP Engine.

[]>

Domain Exception List

This section contains the following CLI command:

domainrepconfig

Description

The domainrepconfig command is used to create a Domain Exception List.

Usage

Commit: This command requires a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help domainrepconfig.

Example

In the following example, you can use the domainrepconfig command to create a Domain Exception List.

mail.example.com> domainrepconfig

Would you like to configure an exception list for Sender Domain Reputation and 
External Threat Feeds functionality? [N]> yes

Select the domain only address list to to be used for Sender Domain Reputation 
and External Threat Feeds functionality

1. addr_list

[1]> 1

S/MIME Security Services

smimeconfig

Description

Configure S/MIME settings such as sending profiles, managing public keys, and so on.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Examples

Creating a Sending Profile for Signing and Encryption

The following example shows how to create a sending profile for signing and encrypting messages using S/MIME.


mail.example.com> smimeconfig
Choose the operation you want to perform:
- GATEWAY - Manage S/MIME gateway configuration.
[]> gateway
Choose the operation you want to perform:
- VERIFICATION - Manage S/MIME Public Keys.
- SENDING - Manage S/MIME gateway sending profiles.
[]> sending
Choose the operation you want to perform:
- NEW - Create a new S/MIME sending profile.
- EDIT - Edit a S/MIME sending profile.
- RENAME - Rename a S/MIME sending profile.
- DELETE - Delete a S/MIME sending profile.
- IMPORT - Import a S/MIME sending profile from a file
- EXPORT - Export a S/MIME sending profile to a file
- PRINT - Display S/MIME sending profiles.
[]> new
Enter a name for this profile:
> hr_sign_and_encrypt
1. Encrypt
2. Sign
3. Sign/Encrypt
4. Triple
Enter S/MIME mode:
[2]> 3
1. smime_signing
Select S/MIME certificate to sign:
[1]>
1. Detached
2. Opaque
Enter S/MIME sign mode:
[1]>
1. Bounce
2. Drop
3. Split
Enter S/MIME action:
[1]> 3
Choose the operation you want to perform:
- NEW - Create a new S/MIME sending profile.
- EDIT - Edit a S/MIME sending profile.
- RENAME - Rename a S/MIME sending profile.
- DELETE - Delete a S/MIME sending profile.
- IMPORT - Import a S/MIME sending profile from a file
- EXPORT - Export a S/MIME sending profile to a file
- PRINT - Display S/MIME sending profiles.
[]> print
S/MIME Sending Profiles
Name       Certificate      S/MIME Mode   Sign Mode  Action
---------  ---------------  ------------  ---------  --------
hr_sign_a  smime_signing   Sign/Encrypt     Detached      Split
Choose the operation you want to perform:
- NEW - Create a new S/MIME sending profile.
- EDIT - Edit a S/MIME sending profile.
- RENAME - Rename a S/MIME sending profile.
- DELETE - Delete a S/MIME sending profile.
- IMPORT - Import a S/MIME sending profile from a file
- EXPORT - Export a S/MIME sending profile to a file
- PRINT - Display S/MIME sending profiles.
[]>
Adding a Public Key for Encryption

The following example shows how to add the public key of the recipient's S/MIME certificate to the appliance for encrypting messages.


mail.example.com> smimeconfig
Choose the operation you want to perform:
- GATEWAY - Manage S/MIME gateway configuration.
[]> gateway
Choose the operation you want to perform:
- VERIFICATION - Manage S/MIME Public Keys.
- SENDING - Manage S/MIME gateway sending profiles.
[]> verification
Choose the operation you want to perform:
- NEW - Create a new S/MIME Public Key.
- IMPORT - Import the list of S/MIME Public Keys from a file.
[]> new
Enter a name for this profile:
> hr_signing
1. Import
2. Paste
Choose one of the options for the certificate introducing:
[2]>
Paste public certificate in PEM format (end with '.'):
-----BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIBDTANBgkqhkiG9w0BAQUFADCBljELMAkGA1UEBhMCSU4x
CzAJBgNVBAg...
-----END CERTIFICATE-----
.
C=IN,ST=KA,L=BN,O=Cisco,OU=stg,CN=cert_for_enc,emailAddress=admin@example.com
Choose the operation you want to perform:
- NEW - Create a new S/MIME Public Key.
- EDIT - Edit a S/MIME Public Key.
- RENAME - Rename a S/MIME Public Key.
- DELETE - Delete a S/MIME Public Key.
- IMPORT - Import the list of S/MIME Public Keys from a file.
- EXPORT - Export the list of S/MIME Public Keys to a file.
- PRINT - Display S/MIME Public Keys.
[]> print
S/MIME Public Keys
Name       Emails                     Domains                    Remaining
---------  -------------------------  -------------------------  ---------
hr_signin  admin@vm30bsd0008.ibqa     dns.vm30bsd0008.ibqa       145 days

Domain Keys

This section contains the following CLI commands:

domainkeysconfig

Description

Configure DomainKeys/DKIM support.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.


Note

For enhanced security, if encryption of sensitive data in the appliance is enabled in FIPS mode, you will not be able view the private key. If you intend to edit the private key, you can enter an existing private key or generate a new private key.

Batch Format - Signing Profiles

The batch format of the domainkeysconfig command can be used to create, edit, or delete signing profiles

  • Adding a DomainKeys/DKIM signing profile:

    
    domainkeysconfig profiles signing new <name> <type> <domain> <selector> <user-list> [options]
Table 1. domainkeysconfig New Signing Profile Arguments

Argument

Description

<name>

Name of domain profile.

<type>

Type of domain. Can be dk or dkim .

<domain>

Domain field of domain profile. This forms the d tag of the Domain-Keys signature.

<selector>

Selector field of domain profile. This forms the s tag of the Domain-Keys signature.

<user-list>

Comma separated list of domain profile users. Users are used to match against email addresses to determine if a specific domain profile should be used to sign an email. Use the special keyword all to match all domain users.

[options]

--key_name

The name of the private key that will be used for signing.

--canon

The canonicalization algorithm to use when signing by DK. Currently supported algorithms are simple and nofws . Default is nofws .

--body_canon

The body canonicalization algorithm of to use when signing by DKIM. Currently supported algorithms are simple and relaxed . Default is simple .

--header_canon

The headers canonicalization algorithm of to use when signing by DKIM. Currently supported algorithms are simple and relaxed . Default is simple .

--body_length

Number of bytes of canonicalized body that are used to calculate the signature. Is used only in DKIM profiles. If used this value becomes l tag of the signature. By default it is not used.

--headers_select

Detrmines how to select headers for signing. Is used only in DKIM profiles. Can be one of all , standard , standard_and_custom . all means to sign all non-repetitive headers. "standard" means to sign pedefined set of well known headers such as Subject, From, To, Sender, MIME heades etc. standard_and_custom means to sign well known headers and user-defined set of headers. Default is standard .

--custom_headers

User-defined set of headers to sign. Is used only in DKIM profiles if headers_select is standard_and_custom . Default is empty set.

--i_tag

Determines whether to include the i tag into the signature. Possible values are yes or no . Default is yes .

--agent_identity

The identity of the user or agent on behalf of which this message is signed. The syntax is a standard email address where the local-part may be omitted. Domain part of this address should be a sub-domain of or equal to the <domain> . This option is only applicable if --i_tag value is set to yes . Default is an empty local-part followed by an @ and by the <domain> .

--q_tag

Determines whether to include the q tag into the signature. Possible values are yes or no . Default is yes .

--t_tag

Determines whether to include the t tag into the signature. Possible values are yes or no . Default is yes .

--x_tag

Determines whether to include the x tag into the signature. Possible values are yes or no . Default is yes .

--expiration_time

Number of seconds before signature is expired. Is used only in DKIM profiles. This value becomes a difference of x and t tags of the signature. This option is only applicable if --x_tag value is set to yes . Default is 31536000 seconds (one year).

--z_tag

Determines whether to include the z tag into the signature. Possible values are yes or no . Default is no .

  • Editing a signing profile:

    
    domainkeysconfig profiles signing edit <name> [signing-profile-options]

Signing profile options:

  • rename <name>
  • domain <domain>
  • selector <selector>
  • canonicalization <canon>
  • canonicalization <header_canon> <body_canon>
  • key <key_name>
  • bodylength <body_length>
  • headerselect <header_select>
  • customheaders <custom_headers>
  • itag <i_tag> [<agent_identity>]
  • qtag <q_tag>
  • ttag <t_tag>
  • xtag <x_tag> [<expiration_time>]
  • ztag <z_tag>
  • new <user-list>
  • delete <user-list>
  • print
  • clear
  • Delete a signing profile:

    
    domainkeysconfig profiles signing delete <name>
  • Show a list of signing profiles:

    
    domainkeysconfig profiles signing list
  • Print the details of a signing profile:

    
    domainkeysconfig profiles signing print <name>
  • Test a signing profile:

    
    domainkeysconfig profiles signing test <name>
  • Import a local copy of your signing profiles:

    
    domainkeysconfig profiles signing import <filename>
  • Export a copy of your signing profile from the appliance:

    
    domainkeysconfig profiles signing export <filename>
  • Delete all the signing profiles from the appliance:

    
    domainkeysconfig profiles signing clear

Batch Format - Verification Profiles

  • Create a new DKIM verification profile:

    
    domainkeysconfig profiles verification new <name> <verification-profile-options>
Table 2. domainkeysconfig Verification Profile Options

Argument

Description

--name

The name of DKIM verification profile.

--min_key_size

The smallest key to be accepted. Possible key-length values (in bits) are 512, 768, 1024, 1536 and 2048 . Default is 512 .

--max_key_size

The largest key to be accepted. Possible key-length values (in bits) are 512, 768, 1024, 1536 and 2048 . Default is 2048 .

--max_signatures_num

A maximum number of signatures in the message to verify. Possible value is any positive number. Default is 5 .

--key_query_timeout

A number of seconds before the key query is timed out. Possible value is any positive number. Default is 10 .

--max_systemtime_divergence

A number of seconds to tolerate wall clock asynchronization between sender and verifier. Possible value is any positive number. Default is 60.

--use_body_length

Whether to use a body length parameter. Possible values are yes or no . Default is yes .

--tempfail_action

The SMTP action should be taken in case of temporary failure. Possible values are accept or reject . Default is accept .

--tempfail_response_code

The SMTP response code for rejected message in case of temporary failure. Possible value is number in 4XX format. Default is 451 .

--tempfail_response_text

The SMTP response text for rejected message in case of temporary failure. Default is #4.7.5 Unable to verify signature - key server unavailable .

--permfail_action

The SMTP action should be taken in case of permanent failure. Possible values are accept or reject . Default is accept .

--permfail_response_code

The SMTP response code for rejected message in case of permanent failure. Possible value is number in 5XX format. Default is 550 .

--permfail_response_text

The SMTP response text for rejected message in case of permanent failure. Default is #5.7.5 DKIM unauthenticated mail is prohibited.

  • Edit a verification profile:

    
    domainkeysconfig profiles verification edit <name> <verification-profile-options>
  • Delete a verification profile:

    
    domainkeysconfig profiles verification delete <name>
  • Print details of an existing verification profile:

    
    domainkeysconfig profiles verification print <name>
  • Display a list of existing verification profiles:

    
    domainkeysconfig profiles verification list
  • Import a file of verification profiles from a local machine:

    
    domainkeysconfig profiles verification import <filename>
  • Export the verification profiles from the appliance:

    
    domainkeysconfig profiles verification export <filename>
  • Delete all existing verification profiles from the appliance:

    
    domainkeysconfig profiles verification clear

Batch Format - Signing Keys

  • Create a new signing key:

    
    domainkeysconfig keys new <key_name> <key-options>
Table 3. domainkeysconfig Signing Keys Options

Argument

Description

--generate_key

Generate a private key. Possible key-length values (in bits) are 512 , 768 , 1024 , 1536 , and 2048 .

--use_key

Use supplied private key.

--public_key

Flag to derive and print to the screen a matching public key for the specified private key. If --generate_key is specified first, a new private key is generated first, followed by the display of a matching public key.

  • Edit a signing key:

    
    domainkeysconfig keys edit <key_name> key <key-options>
  • Rename an existing signing key:

    
    domainkeysconfig keys edit <key_name> rename <key_name>
  • To specify a public key:

    
    domainkeysconfig keys publickey <key_name>
  • Delete a key:

    
    domainkeysconfig keys delete <key_name>
  • Display a list of all signing keys:

    
    domainkeysconfig keys list
  • Display all information about a specify signing key:

    
    domainkeysconfig keys print <key_name>
  • Import signing keys from a local machine:

    
    domainkeysconfig keys import <filename>
  • Export signing keys from the appliance:

    
    domainkeysconfig keys export <filename>
  • Delete all signing keys on the appliance:

    
    domainkeysconfig keys clear

Batch Format - Search for a Key or Profile

  • Search for a profile signing key:

    
    domainkeysconfig search <search_text>

Batch Format - Global Settings

  • Modify global settings for Domain Keys/DKIM on your appliance:

    
    domainkeysconfig setup <setup_options>

The option available is:

  • --sign_generated_msgs - Specify whether to sign system-generated messages. Possible values are yes or no .

Example: Configuring Domain Keys via the CLI

Use the domainkeysconfig command in the CLI to configure Domain Keys on your appliance.

The domainkeysconfig command has all of the features of the Mail Policies -> Domain Keys page. It also provides the ability to generate a sample Domain Keys DNS TXT record. For more information about generating sample Domain Keys DNS TXT records, see Creating a Sample Domain Keys DNS TXT Record.

In this example, a key is generated, and a domain profile is created:


mail3.example.com> domainkeysconfig
Number of DK/DKIM Signing Profiles: 0
Number of Signing Keys: 0
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]> keys
No signing keys are defined.
Choose the operation you want to perform:
- NEW - Create a new signing key.
- IMPORT - Import signing keys from a file.
[]> new
Enter a name for this signing key:
[]> testkey
1. Generate a private key
2. Enter an existing key
[1]>
Enter the size (in bits) of this signing key:
1. 512
2. 768
3. 1024
4. 1536
5. 2048
[3]>
New key "testkey" created.
There are currently 1 signing keys defined.
Choose the operation you want to perform:
- NEW - Create a new signing key.
- EDIT - Modify a signing key.
- PUBLICKEY - Create a publickey from a signing key.
- DELETE - Delete a signing key.
- PRINT - Display signing keys.
- LIST - List signing keys.
- IMPORT - Import signing keys from a file.
- EXPORT - Export signing keys to a file.
- CLEAR - Clear all signing keys.
[]>
Number of DK/DKIM Signing Profiles: 0
Number of Signing Keys: 1
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]> profiles
Choose the operation you want to perform:
- SIGNING - Manage signing profiles.
- VERIFICATION - Manage verification profiles.
[]> signing
No domain profiles are defined.
Choose the operation you want to perform:
- NEW - Create a new domain profile.
- IMPORT - Import domain profiles from a file.
[]> new
Enter a name for this domain profile:
[]> Example
Enter type of domain profile:
1. dk
2. dkim
[2]>
The domain field forms the basis of the public-key query.  The value in
this field MUST match the domain of the sending email address or MUST
be one of the parent domains of the sending email address.  This value
becomes the "d" tag of the Domain-Keys signature.
Enter the domain name of the signing domain:
[]> example.com
Selectors are arbitrary names below the "_domainkey." namespace. A
selector value and length MUST be legal in the DNS namespace and in
email headers with the  additional provision that they cannot contain a
semicolon.  This value becomes the "s" tag of the DomainKeys
Signature.
Enter selector:
[]> test
The private key which is to be used to sign messages must be entered.
A corresponding public key must be published in the DNS following the
form described in the DomainKeys documentation.  If a key is not
immediately available, a key can be entered at a later time.
Select the key-association method:
1. Create new key
2. Paste in key
3. Enter key at later time
4. Select existing key
[1]> 4
Enter the name or number of a signing key.
1. testkey
[1]>
The canonicalization algorithm is the method by which the headers and
content are  prepared for presentation to the signing algorithm.
Possible choices are "simple" and "relaxed".
Select canonicalization algorithm for body:
1. simple
2. relaxed
[1]> 1
How would you like to sign headers:
1. Sign all existing, non-repeatable headers (except Return-Path header).
2. Sign "well-known" headers (Date, Subject, From, To, Cc, Reply-To, Message-ID, Sender, MIME headers).
3. Sign "well-known" headers plus a custom list of headers.
[2]>
Body length is a number of bytes of the message body to sign.
This value becomes the "l" tag of the signature.
Which body length option would you like to use?
1. Whole body implied. No further message modification is possible.
2. Whole body auto-determined. Appending content is possible.
3. Specify a body length.
[1]>
Would you like to fine-tune which tags should be used in the
DKIM Signature? (yes/no) [N]>
Finish by entering profile users.  The following types of entries are
allowed:
- Email address entries such as "joe@example.com".
- Domain entries such as "example.com".
- Partial domain entries such as ".example.com".  For example, a partial
  domain of ".example.com" will match "sales.example.com".   This
  sort of entry will not match the root domain ("example.com").
- Leave blank to match all domain users.
Enter user for this signing profile:
[]> sales.example.com
Do you want to add another user? [N]>
There are currently 1 domain profiles defined.
Choose the operation you want to perform:
- NEW - Create a new domain profile.
- EDIT - Modify a domain profile.
- DELETE - Delete a domain profile.
- PRINT - Display domain profiles.
- LIST - List domain profiles.
- TEST - Test if a domain profile is ready to sign.
- DNSTXT - Generate a matching DNS TXT record.
- IMPORT - Import domain profiles from a file.
- EXPORT - Export domain profiles to a file.
- CLEAR - Clear all domain profiles.
[]>
Choose the operation you want to perform:
- SIGNING - Manage signing profiles.
- VERIFICATION - Manage verification profiles.
[]>
Number of DK/DKIM Signing Profiles: 1
Number of Signing Keys: 1
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]>

Creating a Sample Domain Keys DNS TXT Record


mail3.example.com> domainkeysconfig
Number of DK/DKIM Signing Profiles: 1
Number of Signing Keys: 1
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]> profiles
Choose the operation you want to perform:
- SIGNING - Manage signing profiles.
- VERIFICATION - Manage verification profiles.
[]> signing
There are currently 1 domain profiles defined.
Choose the operation you want to perform:
- NEW - Create a new domain profile.
- EDIT - Modify a domain profile.
- DELETE - Delete a domain profile.
- PRINT - Display domain profiles.
- LIST - List domain profiles.
- TEST - Test if a domain profile is ready to sign.
- DNSTXT - Generate a matching DNS TXT record.
- IMPORT - Import domain profiles from a file.
- EXPORT - Export domain profiles to a file.
- CLEAR - Clear all domain profiles.
[]> dnstxt
Enter the name or number of a domain profile.
1. Example
[1]>
The answers to the following questions will be used to construct DKIM text
record for DNS.  It can be used to publish information about this profile.
Do you wish to constrain the local part of the signing identities
("i=" tag of "DKIM-Signature" header field) associated with this
domain profile? [N]>
Do you wish to include notes that may be of interest to a human (no
interpretation is made by any program)? [N]>
The "testing mode" can be set to specify that this domain is testing DKIM and
that unverified email must not be treated differently from verified email.
Do you want to indicate the "testing mode"? [N]>
Do you wish to disable signing by subdomains of this domain? [N]>
The DKIM DNS TXT record is:
test._domainkey.example.com. IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDX5dOG9J8rXreA/uPtYr5lrCTCqR+qlS5Gm
1f0OplAzSuB2BvOnxZ5Nr+se0T+k7mYDP0FSUHyWaOvO+kCcum7fFRjS3EOF9gLpbIdH5vzOCKp/w7hdjPy3q6PSgJVtqvQ6v9E8k5Ui7C+DF6KvJUiMJSY5sbu2
zmm9rKAH5m7FwIDAQAB;"
There are currently 1 domain profiles defined.
Choose the operation you want to perform:
- NEW - Create a new domain profile.
- EDIT - Modify a domain profile.
- DELETE - Delete a domain profile.
- PRINT - Display domain profiles.
- LIST - List domain profiles.
- TEST - Test if a domain profile is ready to sign.
- DNSTXT - Generate a matching DNS TXT record.
- IMPORT - Import domain profiles from a file.
- EXPORT - Export domain profiles to a file.
- CLEAR - Clear all domain profiles.
[]>
Choose the operation you want to perform:
- SIGNING - Manage signing profiles.
- VERIFICATION - Manage verification profiles.
[]>
Number of DK/DKIM Signing Profiles: 1
Number of Signing Keys: 1
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]>

DMARC Verification

This section contains the following CLI commands:

dmarcconfig

Description

Configure DMARC settings.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Batch Format - DMARC Verification Profiles

The batch format of the dmarcconfig can be used to create, edit, or delete verification profiles and modify global settings.

Add a DMARC Verification Profile

dmarcconfig profiles new <name> [options]

Argument

Description

<name>

Name of the DMARC profile.

[options]

--rejectpolicy_action

The message action that AsyncOS must take when the policy in DMARC record is reject. Possible values are “reject”, “quarantine”, or “none.”

--rejectpolicy_response_code

The SMTP response code for rejected messages. The default value is 550.

--rejectpolicy_response_text

The SMTP response text for rejected messages. The default value is “#5.7.1 DMARC unauthenticated mail is prohibited.”

--rejectpolicy_quarantine

The quarantine for messages that fail DMARC verification.

--quarantinepolicy_action

The message action that AsyncOS must take when the policy in DMARC record is quarantine. Possible values are “quarantine” or “none.”

--quarantinepolicy_quarantine

The quarantine for messages that fail DMARC verification.

--tempfail_action

The message action that AsyncOS must take on the messages that result in temporary failure during DMARC verification. Possible values are “accept” or “reject.”

--tempfail_response_code

The SMTP response code for rejected messages in case of temporary failure. The default value is 451.

--tempfail_response_text

The SMTP response text for rejected messages in case of temporary failure. The default value is “#4.7.1 Unable to perform DMARC verification.”

--permfail_action

The message action that AsyncOS must take on the messages that result in permanent failure during DMARC verification. Possible values are “accept” or “reject.”

--permfail_response_code

The SMTP response code for rejected messages in case of permanent failure. The default value is 550.

--permfail_response_text

The SMTP response text for rejected messages in case of permanent failure. The default value is “#5.7.1 DMARC verification failed.”

Edit a DMARC Verification Profile

dmarcconfig profiles edit <name> [options]

Delete a DMARC Verification Profile

dmarcconfig profiles delete <name>

Delete all the DMARC Verification Profiles

dmarcconfig profiles clear

View the Details of a DMARC Verification Profile

dmarcconfig profiles print <name>

Export DMARC Verification Profiles

dmarcconfig profiles export <filename>

Import DMARC Verification Profiles

dmarcconfig profiles import <filename>

Change Global Settings

dmarcconfig setup [options]

Options

Description

--report_schedule

The time when you want AsyncOS to generate DMARC aggregate reports.

--error_reports

Send delivery error reports to the domain owners if the DMARC aggregate report size exceeds 10 MB or the size specified in the RUA tag of DMARC record.

--org_name

The entity generating DMARC aggregate reports. This must be a domain name.

--contact_info

Additional contact information, for example, details of your organization's customer support, if the domain owners who receive DMARC aggregate reports want to contact the entity that generated the report.

--copy_reports

Send copy of all the DMARC aggregate reports to specific users, for example, internal users who perform analysis on the aggregate reports. Enter an email address or multiple addresses separated by commas.

--bypass_addresslist

Skip DMARC verification of messages from specific senders (address list).

Note 
You can choose only address lists created with full email addresses.

--bypass_headers

Skip DMARC verification of messages that contain specific header field names. For example, use this option to skip DMARC verification of messages from mailing lists and trusted forwarders. Enter a header or multiple headers separated by commas.

Example

The following example shows how to setup a DMARC verification profile and edit the global settings of DMARC verification profiles.


mail.example.com> dmarcconfig
Number of DMARC Verification Profiles: 1
Daily report generation time is: 00:00
Error reports enabled: No
Reports sent on behalf of:
Contact details for reports:
Send a copy of aggregate reports to: None Specified
Bypass DMARC verification for senders from addresslist: None Specified
Bypass DMARC verification for messages with header fields: None Specified
Choose the operation you want to perform:
- PROFILES - Manage DMARC verification profiles.
- SETUP - Change global settings.
[]> profiles
There are currently 1 DMARC verification profiles defined.
Choose the operation you want to perform:
- NEW - Create a new DMARC verification profile.
- EDIT - Modify a DMARC verification profile.
- DELETE - Delete a DMARC verification profile.
- PRINT - Display DMARC verification profiles.
- IMPORT - Import DMARC verification profiles from a file.
- EXPORT - Export DMARC verification profiles to a file.
- CLEAR - Clear all DMARC verification profiles.
[]> new
Enter the name of the new DMARC verification profile:
[]> dmarc_ver_profile_1
Select the message action when the policy in DMARC record is reject:
1. No Action
2. Quarantine the message
3. Reject the message
[3]> 1
Select the message action when the policy in DMARC record is quarantine:
1. No Action
2. Quarantine the message
[2]> 2
Select the quarantine for messages that fail DMARC verification (when the DMARC policy is quarantine).
1. Policy
[1]> 1
What SMTP action should be taken in case of temporary failure?
1. Accept
2. Reject
[1]> 2
Enter the SMTP response code for rejected messages in case of temporary failure.
[451]>
Enter the SMTP response text for rejected messages in case of temporary failure. Type DEFAULT to use the default response text 
'#4.7.1 Unable to perform
DMARC verification.'
[#4.7.1 Unable to perform DMARC verification.]>
What SMTP action should be taken in case of permanent failure?
1. Accept
2. Reject
[1]> 2
Enter the SMTP response code for rejected messages in case of permanent failure.
[550]>
Enter the SMTP response text for rejected messages in case of permanent failure. Type DEFAULT to use the default response text 
'#4.7.1 Unable to perform
DMARC verification.'
[#5.7.1 DMARC verification failed.]>
There are currently 2 DMARC verification profiles defined.
Choose the operation you want to perform:
- NEW - Create a new DMARC verification profile.
- EDIT - Modify a DMARC verification profile.
- DELETE - Delete a DMARC verification profile.
- PRINT - Display DMARC verification profiles.
- IMPORT - Import DMARC verification profiles from a file.
- EXPORT - Export DMARC verification profiles to a file.
- CLEAR - Clear all DMARC verification profiles.
[]>
Number of DMARC Verification Profiles: 2
Daily report generation time is: 00:00
Error reports enabled: No
Reports sent on behalf of:
Contact details for reports:
Send a copy of aggregate reports to: None Specified
Bypass DMARC verification for senders from addresslist: None Specified
Bypass DMARC verification for messages with header fields: None Specified
Choose the operation you want to perform:
- PROFILES - Manage DMARC verification profiles.
- SETUP - Change global settings.
[]> setup
Would you like to modify DMARC report settings? (Yes/No) [N]> y
Enter the time of day to generate aggregate feedback reports. Use 24-hour format (HH:MM).
[00:00]>
Would you like to send DMARC error reports? (Yes/No) [N]> y
Enter the entity name responsible for report generation. This is added to the DMARC aggregate reports.
[]> example.com
Enter additional contact information to be added to DMARC aggregate reports. This could be an email address, 
URL of a website with additional help, a phone number etc.
[]> http://dmarc.example.com
Would you like to send a copy of all aggregate reports?  (Yes/No) [N]>
Would you like to bypass DMARC verification for an addresslist? (Yes/No) [N]>
Would you like to bypass DMARC verification for specific header fields? (Yes/No) [N]> y
Choose the operation you want to perform:
- ADD - Add a header field to the verification-bypass list.
[]> add
Enter the header field name
[]> List-Unsubscribe
DMARC verification is configured to bypass DMARC verification for messages containing the following header fields.
1. List-Unsubscribe
Choose the operation you want to perform:
- ADD - Add a header field to the verification-bypass list.
- REMOVE - Remove a header field from the list.
[]> add
Enter the header field name
[]> List-ID
DMARC verification is configured to bypass DMARC verification for messages containing the following header fields.
1. List-Unsubscribe
2. List-ID
Choose the operation you want to perform:
- ADD - Add a header field to the verification-bypass list.
- REMOVE - Remove a header field from the list.
[]>
Number of DMARC Verification Profiles: 2
Daily report generation time is: 00:00
Error reports enabled: Yes
Reports sent on behalf of: example.com
Contact details for reports: http://dmarc.example.com
Send a copy of aggregate reports to: None Specified
Bypass DMARC verification for senders from addresslist: None Specified
Bypass DMARC verification for messages with header fields: List-Unsubscribe, List-ID
Choose the operation you want to perform:
- PROFILES - Manage DMARC verification profiles.
- SETUP - Change global settings.
[]>

DNS

This section contains the following CLI commands:

dig

Description

Look up a record on a DNS server

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Batch Format

The batch format of the dig command can be used to perform all the functions of the traditional CLI command.

  • Look up a record on a DNS server

    
    dig [options] [@<dns_ip>] [qtype] <hostname>
  • Do a reverse lookup for given IP address on a DNS server

    
    dig -x <reverse_ip> [options] [@<dns_ip>]

These are the options available for the dig command’s batch format


    -s <source_ip>  Specify the source IP address.

    -t              Make query over TCP.

    -u              Make query over UDP (default).


    dns_ip - Query the DNS server at this IP address.

    qtype - Query type: A, PTR, CNAME, MX, SOA, NS, TXT.

    hostname - Record that user want to look up.

    reverse_ip - Reverse lookup IP address.

    dns_ip - Query the DNS server at this IP address.

Example

The following example explicitly specifies a DNS server for the lookup.


mail.com> dig @111.111.111.111 example.com MX
; <<>> DiG 9.4.3-P2 <<>> @111.111.111.111 example.com MX
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18540
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; QUESTION SECTION:
;example.com.                       IN      MX
;; ANSWER SECTION:
mexample.com.                10800   IN      MX      10 mexample.com.
;; AUTHORITY SECTION:
example.com.                     10800   IN      NS      test.example.com.
;; ADDITIONAL SECTION:
example.com. 10800 IN      A       111.111.111.111
example.com. 10800 IN      AAAA    2620:101:2004:4201::bd
example.com.   300     IN      A       111.111.111.111
;; Query time: 6 msec
;; SERVER: 10.92.144.4#53(10.92.144.4)
;; WHEN: Fri Dec  9 23:37:42 2011
;; MSG SIZE  rcvd: 143

Note

The dig command filters out the information in the Authority and Additional sections if you do not explicitly specify the DNS server when using the command.

Example: Verifying TLSA Record of the DNS Server Supporting DNSSEC

The following example explicitly verifies TLSA records.

mail.example.com> dig
 
Enter the host or IP address to look up.
[]> example.com
 
Choose the query type:
1. A       the host's IP address
2. AAAA    the host's IPv6 address
3. CNAME   the canonical name for an alias
4. MX      the mail exchanger
5. NS      the name server for the named zone
6. PTR     the hostname if the query is an Internet address,otherwise the pointer to other information
7. SOA     the domain's "start-of-authority" information
8. TLSA    TLSA Record
9. TXT     the text information
[1]> 8
 
Which interface do you want to query from?
1. Auto
2. Management
[1]> 2
 
Please enter the host or IP address of DNS server.
Leave the entry blank to use the default server. 
Important! To perform DNSSEC queries, enter the host or IP address of the DNS Server supporting DNSSEC.
[]> 8.8.8.8
 
Do you want to make query over TCP? [N]>
 
Do you want to make a query over DNSSEC? [N]> Y
 
Please enter DNS key file path.
Leave the entry blank to use the default root keys
[]>
 
;; RRset to chase:
dane-esa.com.           3562    IN      MX      10 mx1.dane-esa.com.
 
 
;; RRSIG of the RRset to chase:
dane-esa.com.           3562    IN      RRSIG   MX 7 2 3600 20181028045140 20180928045140 43860 dane-esa.com. 
K+t0W9aOqDMvxytXfkrms+IEUbK1Ct9XB5mBCCb3bHryvHs0cU6XPxTJ XwQ5HUSWuQaC9MLyCA5Zn/AXlbzKA7tGtnab0q3CmVKhhRXnIJ+jJht6
nuksUrLKsM6uYmR73DDM/bCC8n08w6nGeGq476mmNgETXAPfqSvHNuPp DSquCG3nNfm8iE9XnG8jCKRPcKhWjROc/vmK6ZzuzFKCtT4QA/L5Ah0w 
zffZqxR9Qmj3w8WQdz9eFAw5e0LFa5oR57i983ityJrQL4pjFl7bwKNw
94xhqFlsWWKAC6wpoT64DOo00ou5TsKxHq5EwEat1OMIM0GHMniCuJcA K3seyQ==

dnsconfig

Description

Configure DNS setup

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Batch Format

The batch format of the dnsconfig command can be used to perform all the functions of the traditional CLI command.

  • Configuring DNS to use a local nameserver cache:

    
    dnsconfig parent new <ns_ip> <priority>

Command arguments:

  • <ns_ip> - The IP address of the nameserver. Separate multiple IP addresses with commas.
  • <priority> - The priority for this entry.
  • Deleting the local nameserver cache:

    
    dnsconfig parent delete <ns_ip>
  • Configuring alternate DNS caches to use for specific domains:

    
    dnsconfig alt new <domains> <ns_ip>

Note

Cannot be used when using Internet root nameservers.

Command arguments:

  • <ns_ip> - The IP address of the nameserver. Separate multiple IP addresses with commas.
  • <domains> - A comma separated list of domains.
  • Deleting the alternate DNS cache for a specific domain:

    
    dnsconfig alt delete <domain>
  • Configuring DNS to use the Internet root nameservers:

    
    dnsconfig roots new <ns_domain> <ns_name> <ns_ip>

Nameserver arguments:

  • <ns_domain> - The domain to override.
  • <ns_name> - The name of the nameserver.
  • <ns_ip> - The IP address of the nameserver.

Note

You can override certain domains by specifying an alternate name server for that domain.
  • Deleting nameservers:

    
    dnsconfig roots delete <ns_domain> [ns_name]

Note

When deleting, if you do not specify an ns_name , then all nameservers for that domain will be removed.
  • Clearing all DNS settings and automatically configuring the system to use the Internet root servers:

    
    dnsconfig roots

Displaying the current DNS settings.


dnsconfig print

Example

Each user-specified DNS server requires the following information:

  • Hostname
  • IP address
  • Domain authoritative for (alternate servers only)

Four subcommands are available within the dnsconfig command:

Table 4. Subcommands for dnsconfig Command

Syntax

Description


new

Add a new alternate DNS server to use for specific domains or local DNS server.


delete

Remove an alternate server or local DNS server.


edit

Modify an alternate server or local DNS server.


setup

Switch between Internet root DNS servers or local DNS servers.


mail3.example.com> dnsconfig
Currently using the Internet root DNS servers.
Alternate authoritative DNS servers:
1. com: dns.example.com (10.1.10.9)
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> setup
Do you want the Gateway to use the Internet's root DNS servers or would you like
it to use your own DNS servers?
1. Use Internet root DNS servers
2. Use own DNS cache servers
[1]> 1
Choose the IP interface for DNS traffic.
1. Auto
2. Management (10.92.149.70/24: mail3.example.com)
[1]> 
Enter the number of seconds to wait before timing out reverse DNS lookups.
[20]> 
Enter the minimum TTL in seconds for DNS cache.
[1800]> 
Currently using the Internet root DNS servers.
Alternate authoritative DNS servers:
1. com: dns.example.com (10.1.10.9)
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> 
Adding an Alternate DNS Server for Specific Domains

You can configure the appliance to use the Internet root servers for all DNS queries except specific local domains.


mail3.example.com> dnsconfig
Currently using the Internet root DNS servers.
No alternate authoritative servers configured.
Choose the operation you want to perform:
- NEW - Add a new server.
- SETUP - Configure general settings.
[]> new
Please enter the domain this server is authoritative for. (Ex: "com").
[]> example.com
Please enter the fully qualified hostname of the DNS server for the domain "example.com".
(Ex: "dns.example.com").
[]> dns.example.com
Please enter the IP address of dns.example.com.
[]> 10.1.10.9
Currently using the Internet root DNS servers.
Alternate authoritative DNS servers:
1. com: dns.example.com (10.1.10.9)
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> 
Using Your Own DNS Cache Servers

You can configure the appliance to use your own DNS cache server.


mail3.example.com> dnsconfig
Currently using the Internet root DNS servers.
Alternate authoritative DNS servers:
1. com: dns.example.com (10.1.10.9)
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> setup
Do you want the Gateway to use the Internet's root DNS servers or would you like
it to use your own DNS servers?
1. Use Internet root DNS servers
2. Use own DNS cache servers
[1]> 2
Please enter the IP address of your DNS server.
Separate multiple IPs with commas.
[]> 10.10.200.03
Please enter the priority for 10.10.200.3.
A value of 0 has the highest priority.
The IP will be chosen at random if they have the same priority.
[0]> 1
Choose the IP interface for DNS traffic.
1. Auto
2. Management (192.168.42.42/24)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail3.example.com)
[1]> 1
Enter the number of seconds to wait before timing out reverse DNS lookups.
[20]> 
Enter the minimum TTL in seconds for DNS cache.
[1800]> 
Currently using the local DNS cache servers:
1. Priority: 1  10.10.200.3
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> 

dnsflush

Description

Clear all entries from the DNS cache.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example


mail3.example.com> dnsflush
Are you sure you want to clear out the DNS cache? [N]> Y

dnshostprefs

Description

Configure IPv4/IPv6 DNS preferences

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example


mail3.example.com> dnshostprefs
Choose the operation you want to perform:
- NEW - Add new domain override.
- SETDEFAULT - Set the default behavior.
[]> new
Enter the domain you wish to configure.
[]> example.com
How should the appliance sort IP addresses for this domain?
1. Prefer IPv4
2. Prefer IPv6
3. Require IPv4
4. Require IPv6
[2]> 3
Choose the operation you want to perform:
- NEW - Add new domain override.
- SETDEFAULT - Set the default behavior.
[]> setdefault
How should the appliance sort IP addresses?
1. Prefer IPv4
2. Prefer IPv6
3. Require IPv4
4. Require IPv6
[2]> 1
Choose the operation you want to perform:
- NEW - Add new domain override.
- SETDEFAULT - Set the default behavior.
[]>

dnslistconfig

Description

Configure DNS List services support

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example


mail3.example.com> dnslistconfig
Current DNS List Settings:
Negative Response TTL:  1800 seconds
DNS List Query Timeout:  3 seconds
Choose the operation you want to perform:
- SETUP - Configure general settings.
[]> setup
Enter the cache TTL for negative responses in seconds:
[1800]> 1200
Enter the query timeout in seconds:
[3]>
Settings updated.
Current DNS List Settings:
Negative Response TTL:  1200 seconds
DNS List Query Timeout:  3 seconds
Choose the operation you want to perform:
- SETUP - Configure general settings.
[]>

dnslisttest

Description

Test a DNS lookup for a DNS-based list service.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example


mail3.example.com> dnslisttest
Enter the query server name:
[]> mail4.example.com
Enter the test IP address to query for:
[127.0.0.2]> 10.10.1.11
Querying:  10.10.1.11.mail4.example.com
Result:  MATCHED

dnsstatus

Description

Display DNS statistics.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> dnsstatus
Status as of: Mon Apr 18 10:58:07 2005 PDT
Counters:                    Reset          Uptime        Lifetime
  DNS Requests               1,115           1,115           1,115
  Network Requests             186             186             186
  Cache Hits                 1,300           1,300           1,300
  Cache Misses                   1               1               1
  Cache Exceptions               0               0               0
  Cache Expired                185             185             185

Enhanced User Experience using How-Tos Widget

This section contains the following CLI commands:

howtoupdate

Description

The howtoupdate command is used to manually update the How-Tos component.

Usage

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help howtoupdate.

Example

In the following example, you can use the howtoupdate command to manually update the How-Tos component.

mail.example.com > howtoupdate

Requesting update of How-Tos component

howtostatus

Description

The howtostatus command is used to display the current version of the How-Tos component.

Usage

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help howtostatus.

Example

In the following example, you can use the howtostatus command to view the current version of the How-Tos component.

mail.example.com > howtostatus

Component            Version Last Updated
How-Tos              1.0 4 Jul 2018 04:22 (GMT +00:00)

General Management/Administration/Troubleshooting

This section contains the following CLI commands:

See also Virtual Appliance Management.

addressconfig

Description

The addressconfig command is used to configure the From: Address header. You can specify the display, user, and domain names of the From: address. You can also choose to use the Virtual Gateway domain for the domain name. Use the addressconfig command for mail generated by AsyncOS for the following circumstances:

  • Anti-virus notifications
  • Bounces
  • DMARC feedback reports
  • Notifications ( notify() and notify-copy() filter actions)
  • Quarantine Messages (and “Send Copy” in quarantine management)
  • Reports
  • All other messages

In the following example, the From: Address for notifications is changed from: Mail Delivery System [MAILER-DAEMON@domain] (the default) to Notifications [Notification@example.com]

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> addressconfig
Current anti-virus from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current bounce from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current notify from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current quarantine from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current DMARC reports from: "DMARC Feedback" <MAILER-DAEMON@domain>
Current all other messages from: "Mail Delivery System" <MAILER-DAEMON@domain>
Choose the operation you want to perform:
- AVFROM - Edit the anti-virus from address.
- BOUNCEFROM - Edit the bounce from address.
- NOTIFYFROM - Edit the notify from address.
- QUARANTINEFROM - Edit the quarantine bcc from address.
- DMARCFROM - Edit the DMARC reports from address.
- OTHERFROM - Edit the all other messages from address.
[]> notifyfrom
Please enter the display name portion of the "notify from" address
["Mail Delivery System"]> Notifications
Please enter the user name portion of the "notify from" address
[MAILER-DAEMON]> Notification
Do you want the virtual gateway domain used for the domain? [Y]> n
Please enter the domain name portion of the "notify from" address
[]> example.com
Current anti-virus from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current bounce from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current notify from: Notifications <Notification@example.com>
Current quarantine from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current DMARC reports from: "DMARC Feedback" <MAILER-DAEMON@domain>
Current all other messages from: "Mail Delivery System" <MAILER-DAEMON@domain>
Choose the operation you want to perform:
- AVFROM - Edit the anti-virus from address.
- BOUNCEFROM - Edit the bounce from address.
- NOTIFYFROM - Edit the notify from address.
- QUARANTINEFROM - Edit the quarantine bcc from address.
- DMARCFROM - Edit the DMARC reports from address.
- OTHERFROM - Edit the all other messages from address.
[]>

adminaccessconfig

Description

Use the adminaccessconfig command to configure:

  • Login message (banner) for the administrator.
  • IP-based access for appliance administrative interface.
  • Web interface Cross-Site Request Forgeries protection.
  • Option to use host header in HTTP requests.
  • Web interface and CLI session inactivity timeout.
  • Maximum HTTP header size.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Batch Format

The batch format of the adminaccessconfig command can be used to perform all the functions of the traditional CLI command.

  • Select whether to allow access for all IP addresses or limit access to specific IP address/subnet/range

    
    adminaccessconfig ipaccess <all/restrict/proxyonly/proxy>
  • Adding a new IP address/subnet/range

    
    adminaccessconfig ipaccess new <address>
  • Editing an existing IP address/subnet/range

    
    adminaccessconfig ipaccess edit <oldaddress> <newaddress>
  • Deleting an existing IP address/subnet/range

    
    adminaccessconfig ipaccess delete <address>
  • Printing a list of the IP addresses/subnets/ranges

    
    adminaccessconfig ipaccess print
  • Deleting all existing IP addresses/subnets/ranges

    
    adminaccessconfig ipaccess clear
  • Printing the login banner

    
    adminaccessconfig banner print
  • Importing a login banner from a file on the appliance

    
    adminaccessconfig banner import <filename>
  • Deleting an existing login banner

    
    adminaccessconfig banner clear
  • Printing the welcome banner

    
    adminaccessconfig welcome print
  • Importing a welcome banner from a file on the appliance

    
    adminaccessconfig welcome import <filename>
  • Deleting an existing welcome banner

    
    adminaccessconfig welcome clear
  • Exporting a welcome banner

    
    adminaccessconfig welcome export <filename>
  • Add an allowed proxy IP address

    
    adminaccessconfig ipaccess proxylist new <address>
  • Edit an allowed proxy IP address

    
    adminaccessconfig ipaccess proxylist edit <oldaddress> <newaddress>
  • Delete an allowed proxy IP address

    
    adminaccessconfig ipaccess proxylist delete <address>
  • Delete all existing allowed proxy IP addresses

    
    adminaccessconfig ipaccess proxylist clear
  • Configure the header name that contains origin IP address

    
    adminaccessconfig ipaccess proxy-header <header name>
  • Enable or disable web interface Cross-Site Request Forgeries protection

    
    adminaccessconfig csrf <enable|disable>
  • Check whether web interface Cross-Site Request Forgeries protection is enabled

    
    adminaccessconfig csrf print
  • Configure web interface session timeout

    
    adminaccessconfig timeout gui <value>
  • Configure CLI session timeout

    
    adminaccessconfig timeout gui <value>

Example - Configuring Network Access List

You can control from which IP addresses users access the Email Security appliance. Users can access the appliance from any machine with an IP address from the access list you define. When creating the network access list, you can specify IP addresses, subnets, or CIDR addresses.

AsyncOS displays a warning if you do not include the IP address of your current machine in the network access list. If your current machine’s IP address is not in the list, it will not be able to access the appliance after you commit your changes.

In the following example, network access to the appliance is restricted to two sets of IP addresses:


mail.example.com> adminaccessconfig
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
- MAXHTTPHEADERFIELDSIZE - Configure maximum HTTP header field size.
[]> ipaccess
Current mode: Allow All.
Please select the mode:
- ALL - All IP addresses will be allowed to access the administrative interface.
- RESTRICT - Specify IP addresses/Subnets/Ranges to be allowed access.
- PROXYONLY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy.
- PROXY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy or directly.
[]> restrict
List of allowed IP addresses/Subnets/Ranges:
Choose the operation you want to perform:
- NEW - Add a new IP address/subnet/range.
[]> new
Please enter IP address, subnet or range.
[]> 192.168.1.2-100
List of allowed IP addresses/Subnets/Ranges:
1.  192.168.1.2-100
Choose the operation you want to perform:
- NEW - Add a new IP address/subnet/range.
- EDIT - Modify an existing entry.
- DELETE - Remove an existing entry.
- CLEAR - Remove all the entries.
[]> new
Please enter IP address, subnet or range.
[]> 192.168.255.12
List of allowed IP addresses/Subnets/Ranges:
1.  192.168.1.2-100
2.  192.168.255.12
Choose the operation you want to perform:
- NEW - Add a new IP address/subnet/range.
- EDIT - Modify an existing entry.
- DELETE - Remove an existing entry.
- CLEAR - Remove all the entries.
[]>
Warning: The host you are currently using [72.163.202.175] is not included in the User Access list.  Excluding it will prevent your
host from connecting to the administrative interface. Are you sure you want to continue? [N]> Y
Current mode: Restrict.
Please select the mode:
- ALL - All IP addresses will be allowed to access the administrative interface.
- RESTRICT - Specify IP addresses/Subnets/Ranges to be allowed access.
- PROXYONLY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy.
- PROXY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy or directly.
[]>

Example - Configuring Login Banner

You can configure the Email Security appliance to display a message called a “login banner” when a user attempts to log into the appliance through SSH, Telnet, FTP, or Web UI. The login banner is customizable text that appears above the login prompt in the CLI and to the right of the login prompt in the GUI. You can use the login banner to display internal security information or best practice instructions for the appliance. For example, you can create a simple note that saying that unauthorized use of the appliance is prohibited or a detailed warning concerning the organization’s right to review changes made by the user to the appliance.

The maximum length of the login banner is 2000 characters to fit 80x25 consoles. A login banner can be imported from a file in the /data/pub/configuration directory on the appliance. After creating the banner, commit your changes.

In the following example, the login banner “Use of this system in an unauthorized manner is prohibited” is added to the appliance:


mail.example.com> adminaccessconfig
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
- MAXHTTPHEADERFIELDSIZE - Configure maximum HTTP header field size.
[]> banner
A banner has not been defined.
Choose the operation you want to perform:
- NEW - Create a banner to display at login.
- IMPORT - Import banner text from a file.
[]> new
Enter or paste the banner text here. Enter CTRL-D on a blank line to end.
Use of this system in an unauthorized manner is prohibited.
^D
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
[]> banner
Banner: Use of this system in an unauthorized manner is prohibited.
Choose the operation you want to perform:
- NEW - Create a banner to display at login.
- IMPORT - Import banner text from a file.
- DELETE - Remove the banner.
[]>

Example - Configuring Web Interface and CLI Session Timeout

The following example sets the web interface and CLI session timeout to 32 minutes.


Note

The CLI session timeout applies only to the connections using Secure Shell (SSH), SCP, and direct serial connection. Any uncommitted configuration changes at the time of CLI session timeout will be lost. Make sure that you commit the configuration changes as soon as they are made.

mail.example.com> adminaccessconfig
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
- MAXHTTPHEADERFIELDSIZE - Configure maximum HTTP header field size.
[]> timeout
Enter WebUI inactivity timeout(in minutes):
[30]> 32
Enter CLI inactivity timeout(in minutes):
[30]> 32
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
[]>
mail.example.com> commit
Please enter some comments describing your changes:
[]> Changed WebUI and CLI session timeout values
Do you want to save the current configuration for rollback? [Y]>
Changes committed: Wed Mar 12 08:03:21 2014 GMT

Note

After committing the changes, the new CLI session timeout takes affect only during the subsequent login.

certconfig

Description

Configure security certificates and keys.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example - Pasting in a certificate

In the following example, a certificate is installed by pasting in the certificate and private key.


mail3.example.com> certconfig
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]> certificate
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- PRINT - View certificates assigned to services
[]> paste
Enter a name for this certificate profile:
> partner.com
Paste public certificate in PEM format (end with '.'):
-----BEGIN CERTIFICATE-----
MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD
VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv
bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy
dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X
DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw
EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l
dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT
EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw
L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN
BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX
9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=
-----END CERTIFICATE-----
.
C=PT,ST=Queensland,L=Lisboa,O=Neuronio,
Lda.,OU=Desenvolvimento,CN=brutus.partner.com,emailAddress=admin@example.com
Paste private key in PEM format (end with '.'):
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ
2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF
oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr
8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc
a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7
WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=
-----END RSA PRIVATE KEY-----
.
Do you want to add an intermediate certificate? [N]> n
List of Certificates
Name       Common Name           Issued By             Status         Remaining
--------  -------------------  --------------------  -------------  ---------
partner.c brutus.partner.com   brutus.partner       Active        30 days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]>
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Installed certificate and key for receiving, delivery, and https
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

Example - Creating a Self-signed Certificate

In the following example, a self-signed certificate is created.


mail3.example.com> certconfig
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]> certificate
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
partner.c  brutus.neuronio.pt    brutus.neuronio.pt    Expired        -4930
days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]> new
1. Create a self-signed certificate and CSR
2. Create a self-signed SMIME certificate and CSR
[1]> 1
Enter a name for this certificate profile:
> example.com
Enter Common Name:
> example.com
Enter Organization:
> Example
Enter Organizational Unit:
> Org
Enter Locality or City:
> San Francisoc
Enter State or Province:
> CA
Enter Country (2 letter code):
> US
Duration before expiration (in days):
[3650]>
1. 1024
2. 2048
Enter size of private key:
[2]>
Do you want to view the CSR? [Y]> y
-----BEGIN CERTIFICATE REQUEST-----
MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCVVMxFDASBgNVBAMTC2V4YW1wbGUuY29t
MRYwFAYDVQQHEw1TYW4gRnJhbmNpc29jMRAwDgYDVQQKEwdleGFtcGxlMQswCQYD
VQQIEwJDQTEMMAoGA1UECxMDb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA+NwamZyX7VgTZka/x1I5HHrN9V2MPKXoLq7FjzUtiIDwznElrKIuJovw
Svonle6GvFlUHfjv8B3WobOzk5Ny6btKjwPrBfaY+qr7rzM4lAQKHM+P6l+lZnPU
P05N9RCkLP4XsUuyY6Ca1WLTiPIgaq2fR8Y0JX/kesZcGOqlde66pN+xJIHHYadD
oopOgqi6SLNfAzJu/HEu/fnSujG4nhF0ZGlOpVUx4fg33NwZ4wVl0XBk3GrOjbbA
ih9ozAwfNzxb57amtxEJk+pW+co3uEHLJIOPdih9SHzn/UVU4hiu8rSQR19sDApp
kfdWcfaDLF9tnQJPWSYoCh0USgCc8QIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEB
AGiVhyMAZuHSv9yA08kJCmrgO89yRlnDUXDDo6IrODVKx4hHTiOanOPu1nsThSvH
7xV4xR35T/QV0U3yPrL6bJbbwMySOLIRTjsUcwZNjOE1xMM5EkBM2BOI5rs4l59g
FhHVejhG1LyyUDL0U82wsSLMqLFH1IT63tzwVmRiIXmAu/lHYci3+vctb+sopnN1
lY1OIuj+EgqWNrRBNnKXLTdXkzhELOd8vZEqSAfBWyjZ2mECzC7SG3evqkw/OGLk
AilNXHayiGjeY+UfWzF/HBSekSJtQu6hIv6JpBSY/MnYU4tllExqD+GX3lru4xc4
zDas2rS/Pbpn73Lf503nmsw=
-----END CERTIFICATE REQUEST-----
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  ------------------- --------------------  -------------  ---------
example.c  example.com           example.com           Valid          3649 days
partner.c  brutus.partner.com   brutus.partner.com  Valid         30 days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]>

Example - Create a Self-signed S/MIME Signing Certificate

The following example shows how to create a self-signed S/MIME certificate for signing messages.


vm10esa0031.qa> certconfig
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]> certificate
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3329 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- PRINT - View certificates assigned to services
[]> new
1. Create a self-signed certificate and CSR
2. Create a self-signed SMIME certificate and CSR
[1]> 2
Enter a name for this certificate profile:
> smime_signing
Enter Common Name:
> CN
Enter Organization:
> ORG
Enter Organizational Unit:
> OU
Enter Locality or City:
> BN
Enter State or Province:
> KA
Enter Country (2 letter code):
> IN
Duration before expiration (in days):
[3650]>
1. 1024
2. 2048
Enter size of private key:
[2]>
Enter email address for 'subjectAltName' extension:
[]> admin@example.com
Add another member? [Y]> n
Begin entering domain entries for 'subjectAltName'.
Enter the DNS you want to add.
[]> domain.com
Add another member? [Y]> n
Do you want to view the CSR? [Y]> n
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
smime_sig  CN                    CN                    Valid          3649 days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3329 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]>

date

Description

Displays the current date and time

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> date
Tue Mar 10 11:30:21 2015 GMT

daneverify

Description

Checks whether DANE is supported for a specified domain.

Usage

Commit: This command does not require a 'commit'.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help daneverify.

Example

In the following example, you can use the daneverify command to verify DANE support for a specified domain.

mail3.example.com> daneverify
Enter the DANE domain to verify against: []> example-dane.net
Trying DANE MANDATORY for example-dane.net
SECURE MX RECORD found for example-dane.net
SECURE A record (10.10.1.198) found for MX(mail.example.com.cs2.test-dane.net) in example-dane.net
SECURE TLSA Record found for MX(mail.example.com.cs2.test-dane.net) in example-dane.net TLS connection established: protocol TLSv1.2, cipher DHE-RSA-AES128-SHA256.
Certificate verification successful for TLSA 
record(030101329aad19cfb5a0bb8d3b99c67dd1282a4dcdf67bd9c4efc08578657065fe7504)
TLS connection succeeded example-dane.net.
DANE_SUCESS for example-dane.net
DANE verification completed.

diagnostic

Description

Use the diagnostic command to:

  • Troubleshoot hardware and network issues using various utilities
  • Check the RAID status
  • Display ARP cache
  • Clear LDAP, DNS, and ARP caches
  • Send SMTP test messages
  • Restart and viewing the status of Service Engines enabled on the appliance.

Using the diagnostic Command

The following commands are available within the diagnostic submenu:

Table 5. diagnostic Subcommands

Option

Sub Commands

Availability

RAID

1. Run disk verify

Available on C30 and C60 only.

2. Monitor tasks in progress

3. Display disk verify verdict

DISK_USAGE (deprecated)

No Sub Commands

This command has been deprecated. Instead, use the diskquotaconfig command.

NETWORK

FLUSH

C-, X-, and M-Series

ARPSHOW

SMTPPING

TCPDUMP

REPORTING

DELETEDB

C-, X-, and M-Series

DISABLE

TRACKING

DELETEDB

C-, X-, and M-Series

DEBUG

RELOAD

No Sub Commands

C-, X-, and M-Series

SERVICES

RESTART

STATUS

C-, X-, and M-Series

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto). This command requires access to the local file system.

Batch Command: This command supports a batch format.

Batch Format

The batch format of the diagnostic command can be used to check RAID status, clear caches and show the contents of the ARP cache. To invoke as a batch command, use the following formats:

Use the batch format to perform the following operations:

  • Check the RAID status

    
    diagnostic raid
    
  • Show the contents of the ARP cache

    
    diagnostic network arpshow
    
  • Show the contents of the NDP cache

    
    diagnostic network ndpshow
    
  • Clear the LDAP, DNS, ARP and NDP caches

    
    diagnostic network flush
    
  • Reset and delete the reporting database

    
    diagnostic reporting deletedb
    
  • Enable reporting daemons

    
    diagnostic reporting enable
  • Disable reporting daemons

    
    diagnostic reporting disable
  • Reset and delete the tracking database

    
    diagnostic tracking deletedb
    
  • Reset configuration to the initial manufacturer values

    
    diagnostic reload
    

Example: Displaying and Clearing Caches

The following example shows the diagnostic command used to display the contents of the ARP cache and to flush all network related caches.


mail.example.com> diagnostic
Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
[]> network
Choose the operation you want to perform:
- FLUSH - Flush all network related caches.
- ARPSHOW - Show system ARP cache.
- NDPSHOW - Show system NDP cache.
- SMTPPING - Test a remote SMTP server.
- TCPDUMP - Dump ethernet packets.
[]> arpshow
System ARP cache contents:
(10.76.69.3) at 00:1e:bd:28:97:00 on em0 expires in 1193 seconds [ethernet]
(10.76.69.2) at 00:1e:79:af:f4:00 on em0 expires in 1192 seconds [ethernet]
(10.76.69.1) at 00:00:0c:9f:f0:01 on em0 expires in 687 seconds [ethernet]
(10.76.69.149) at 00:50:56:b2:0e:2b on em0 permanent [ethernet]
Choose the operation you want to perform:
- FLUSH - Flush all network related caches.
- ARPSHOW - Show system ARP cache.
- NDPSHOW - Show system NDP cache.
- SMTPPING - Test a remote SMTP server.
- TCPDUMP - Dump ethernet packets.
[]> flush
Flushing LDAP cache.
Flushing DNS cache.
Flushing system ARP cache.
10.76.69.3 (10.76.69.3) deleted
10.76.69.2 (10.76.69.2) deleted
10.76.69.1 (10.76.69.1) deleted
10.76.69.149 (10.76.69.149) deleted
Flushing system NDP cache.
fe80::250:56ff:feb2:e2d%em2 (fe80::250:56ff:feb2:e2d%em2) deleted
fe80::250:56ff:feb2:e2c%em1 (fe80::250:56ff:feb2:e2c%em1) deleted
fe80::250:56ff:feb2:e2b%em0 (fe80::250:56ff:feb2:e2b%em0) deleted
Network reset complete.

Example: Verify Connectivity to Another Mail Server

The following example shows diagnostics used to check connectivity to another mail server. You can test the mail server by sending a message or pinging the server.


mail.example.com> diagnostic
Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
[]> network
Choose the operation you want to perform:
- FLUSH - Flush all network related caches.
- ARPSHOW - Show system ARP cache.
- NDPSHOW - Show system NDP cache.
- SMTPPING - Test a remote SMTP server.
- TCPDUMP - Dump ethernet packets.
[]> smtpping
Enter the hostname or IP address of the SMTP server:
[mail.example.com]> mail.com
The domain you entered has MX records.
Would you like to select an MX host to test instead? [Y]> y
Select an MX host to test.
1. mx00.gmx.com
2. mx01.gmx.com
[1]>
Select a network interface to use for the test.
1. Management
2. auto
[2]> 1
Do you want to type in a test message to send?  If not, the connection will be tested but no email will be sent. [N]>
Starting SMTP test of host mx00.gmx.com.
Resolved 'mx00.gmx.com' to 74.208.5.4.
Unable to connect to 74.208.5.4.

Example: Reset Appliance Configuration to the Initial Manufacturer Values

The following example shows how to reset your appliance configuration to the initial manufacturer values.


mail.example.com> diagnostic
Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
[]> reload
This command will remove all user settings and reset the entire device.
If this is a Virtual Appliance, all feature keys will be removed,
and the license must be reapplied.
Are you sure you want to continue? [N]> Y
Are you *really* sure you want to continue? [N]> Y
Do you want to wipe also? [N]> Y

Restarting and Viewing Status of Service Engines

You can use the diagnostic > servicessub command in the CLI to:

  • Restart the service engines enabled on your appliance without having to reboot your appliance.

  • View the status of service engines enabled on your appliance.

Example: Viewing Status of DLP Engine

In the following example, the services command is used to view the status of the DLP engine enabled on your appliance.

mail.example.com> diagnostic

Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> services

Choose one of the following services:
- ANTISPAM - Anti-Spam services
- ANTIVIRUS - Anti-Virus services
- DLP - Cisco Data Loss Prevention services
- ENCRYPTION - Encryption services
- GRAYMAIL - Graymail services
- REPORTING - Reporting associated services
- SBRS - Reputation Engine services
- TRACKING - Tracking associated services
- URLFILTERING - URL Filtering
- EUQWEB - End User Quarantine GUI
- WEBUI - Web GUI
[]> dlp

Choose the operation you want to perform:
- RESTART - Restart the service
- STATUS - View status of the service
[]> status

Cisco Data Loss Prevention has been up for 3s.

Example: Restarting the Graymail Engine

In the following example, the services command is used to restart the Graymail engine on your appliance.

mail.example.com> diagnostic

Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> services

Choose one of the following services:
- ANTISPAM - Anti-Spam services
- ANTIVIRUS - Anti-Virus services
- DLP - Cisco Data Loss Prevention services
- ENCRYPTION - Encryption services
- GRAYMAIL - Graymail services
- REPORTING - Reporting associated services
- SBRS - Reputation Engine services
- TRACKING - Tracking associated services
- URLFILTERING - URL Filtering
- EUQWEB - End User Quarantine GUI
- WEBUI - Web GUI
[]> graymail

Choose the operation you want to perform:
- RESTART - Restart the service
- STATUS - View status of the service
[]> restart

diskquotaconfig

View or configure disk space allocation for reporting and tracking, quarantines, log files, packet captures, and configuration files.

See User Guide for AsyncOS for Cisco Email Security Appliances for complete information about this feature.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format.

Batch Format

diskquotaconfig <feature> <quota> [<feature> <quota> [<feature> <quota>[<feature> <quota>]]]

Valid values for <feature> are euq , pvo , tracking , reporting

Valid values for <quota> are integers.

Example


mail.example.com> diskquotaconfig
     Service                                       Disk Usage(GB)     Quota(GB)
     ---------------------------------------------------------------------------
     Spam Quarantine (EUQ)                         1                  1
     Policy, Virus & Outbreak Quarantines          1                  3
     Reporting                                     5                  10
     Tracking                                      1                  10
     Miscellaneous Files                           5                  30
           System Files Usage : 5 GB
           User Files Usage : 0 GB
     Total                                         13                 54 of 143
Choose the operation you want to perform:
- EDIT - Edit disk quotas
[]> edit
Enter the number of the service for which you would like to edit disk quota:
1. Spam Quarantine (EUQ)
2. Policy, Virus & Outbreak Quarantines
3. Reporting
4. Tracking
5. Miscellaneous Files
[1]> 1
Enter the new disk quota -
[1]> 1
Disk quota for Spam Quarantine (EUQ) changed to 1
     Service                                       Disk Usage(GB)     Quota(GB)
     ---------------------------------------------------------------------------
     Spam Quarantine (EUQ)                         1                  1
     Policy, Virus & Outbreak Quarantines          1                  3
     Reporting                                     5                  10
     Tracking                                      1                  10
     Miscellaneous Files                           5                  30
           System Files Usage : 5 GB
           User Files Usage : 0 GB
     Total                                         13                 54 of 143
Choose the operation you want to perform:
- EDIT - Edit disk quotas
[]>

ecconfig

Set or clear the enrollment client that is used to obtain certificates for use with the URL Filtering feature.

Do not use this command without guidance from Cisco support.

Entries must be in the format <hostname:port> or <IPv4 address:port> . Port is optional.

To specify the default server, enter ecconfig server default .

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used at all levels in a cluster.

Batch Command: This command supports a batch format.

Batch Format

  • To specify a non-default enrollment client server:

> ecconfig server <server_name:port>

To use the default enrollment client server:


> ecconfig server default 

Example


mail.example.com> ecconfig
Enrollment Server: Not Configured (Use Default)
Choose the operation you want to perform:
- SETUP - Configure the Enrollment Server
[]> setup
Do you want to use non-default Enrollment server?
WARNING: Do not configure this option without the assistance of Cisco Support.
Incorrect configuration can impact the services using certificates from the Enrollment server. [N]> y
[]> 192.0.2.1
Choose the operation you want to perform:
- SETUP - Configure the Enrollment Server
[]>

ecstatus

Display the current version of the enrollment client that is used to automatically obtain certificates for use with the URL Filtering feature.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> ecstatus
Component                 Version    Last Updated
Enrollment Client         1.0.2-046  Never updated

ecupdate

Manually update the enrollment client that is used to automatically obtain certificates for use with the URL Filtering feature. Normally, these updates occur automatically. Do not use this command without guidance from Cisco support.

If you use the force parameter (ecupdate [force]) the client is updated even if no changes are detected.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format.

Batch Format


> ecupdate [force]

Example


mail.example.com> ecupdate
Requesting update of Enrollment Client. 

encryptionconfig

Configure email encryption.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example

The following example shows modifications to an encryption profile:


mail.example.com> encryptionconfig
IronPort Email Encryption: Enabled
Choose the operation you want to perform:
- SETUP - Enable/Disable IronPort Email Encryption
- PROFILES - Configure email encryption profiles
- PROVISION - Provision with the Cisco Registered Envelope Service
[]> setup
PXE Email Encryption: Enabled
Would you like to use PXE Email Encryption? [Y]>
WARNING: Increasing the default maximum message size(10MB) may result in
decreased performance. Please consult documentation for size recommendations
based on your environment.
Maximum message size for encryption: (Add a trailing K for kilobytes, M for
megabytes, or no letters for bytes.)
[10M]>
Enter the email address of the encryption account administrator
[administrator@example.com]>
IronPort Email Encryption: Enabled
Choose the operation you want to perform:
- SETUP - Enable/Disable IronPort Email Encryption
- PROFILES - Configure email encryption profiles
- PROVISION - Provision with the Cisco Registered Envelope Service
[]> profiles
Proxy: Not Configured
Profile Name         Key Service            Proxied     Provision Status
------------         -----------            -------     ----------------
HIPAA                Hosted Service         No          Not Provisioned
Choose the operation you want to perform:
- NEW - Create a new encryption profile
- EDIT - Edit an existing encryption profile
- DELETE - Delete an encryption profile
- PRINT - Print all configuration profiles
- CLEAR - Clear all configuration profiles
- PROXY - Configure a key server proxy
[]> edit
1. HIPAA
Select the profile you wish to edit:
[1]> 1
Profile name: HIPAA
External URL: https://res.cisco.com
Encryption algorithm: ARC4
Payload Transport URL: http://res.cisco.com
Envelope Security: High Security
Return receipts enabled: Yes
Secure Forward enabled: No
Secure Reply All enabled: No
Suppress Applet: No
URL associated with logo image: <undefined>
Encryption queue timeout: 14400
Failure notification subject: [ENCRYPTION FAILURE]
Failure notification template: System Generated
Filename for the envelope: securedoc_${date}T${time}.html
Use Localized Envelope: No
Text notification template: System Generated
HTML notification template: System Generated
Choose the operation you want to perform:
- NAME - Change profile name
- EXTERNAL - Change external URL
- ALGORITHM - Change encryption algorithm
- PAYLOAD - Change the payload transport URL
- SECURITY - Change envelope security
- RECEIPT - Change return receipt handling
- FORWARD - Change "Secure Forward" setting
- REPLYALL - Change "Secure Reply All" setting
- LOCALIZED_ENVELOPE - Enable or disable display of envelopes in languages
other than English
- APPLET - Change applet suppression setting
- URL - Change URL associated with logo image
- TIMEOUT - Change maximum time message waits in encryption queue
- BOUNCE_SUBJECT - Change failure notification subject
- FILENAME - Change the file name of the envelope attached to the encryption
notification.
[]> security
1. High Security (Recipient must enter a passphrase to open the encrypted
message, even if credentials are cached ("Remember Me" selected).)
2. Medium Security (No passphrase entry required if recipient credentials are
cached ("Remember Me" selected).)
3. No passphrase Required (The recipient does not need a passphrase to open the
encrypted message.)
Please enter the envelope security level:
[1]> 1
Profile name: HIPAA
External URL: https://res.cisco.com
Encryption algorithm: ARC4
Payload Transport URL: http://res.cisco.com
Envelope Security: High Security
Return receipts enabled: Yes
Secure Forward enabled: No
Secure Reply All enabled: No
Suppress Applet: No
URL associated with logo image: <undefined>
Encryption queue timeout: 14400
Failure notification subject: [ENCRYPTION FAILURE]
Failure notification template: System Generated
Filename for the envelope: securedoc_${date}T${time}.html
Use Localized Envelope: No
Text notification template: System Generated
HTML notification template: System Generated
Choose the operation you want to perform:
- NAME - Change profile name
- EXTERNAL - Change external URL
- ALGORITHM - Change encryption algorithm
- PAYLOAD - Change the payload transport URL
- SECURITY - Change envelope security
- RECEIPT - Change return receipt handling
- FORWARD - Change "Secure Forward" setting
- REPLYALL - Change "Secure Reply All" setting
- LOCALIZED_ENVELOPE - Enable or disable display of envelopes in languages
other than English
- APPLET - Change applet suppression setting
- URL - Change URL associated with logo image
- TIMEOUT - Change maximum time message waits in encryption queue
- BOUNCE_SUBJECT - Change failure notification subject
- FILENAME - Change the file name of the envelope attached to the encryption
notification.
[]> forward
Would you like to enable "Secure Forward"? [N]> y
Profile name: HIPAA
External URL: https://res.cisco.com
Encryption algorithm: ARC4
Payload Transport URL: http://res.cisco.com
Envelope Security: High Security
Return receipts enabled: Yes
Secure Forward enabled: Yes
Secure Reply All enabled: No
Suppress Applet: No
URL associated with logo image: <undefined>
Encryption queue timeout: 14400
Failure notification subject: [ENCRYPTION FAILURE]
Failure notification template: System Generated
Filename for the envelope: securedoc_${date}T${time}.html
Use Localized Envelope: No
Text notification template: System Generated
HTML notification template: System Generated
Choose the operation you want to perform:
- NAME - Change profile name
- EXTERNAL - Change external URL
- ALGORITHM - Change encryption algorithm
- PAYLOAD - Change the payload transport URL
- SECURITY - Change envelope security
- RECEIPT - Change return receipt handling
- FORWARD - Change "Secure Forward" setting
- REPLYALL - Change "Secure Reply All" setting
- LOCALIZED_ENVELOPE - Enable or disable display of envelopes in languages
other than English
- APPLET - Change applet suppression setting
- URL - Change URL associated with logo image
- TIMEOUT - Change maximum time message waits in encryption queue
- BOUNCE_SUBJECT - Change failure notification subject
- FILENAME - Change the file name of the envelope attached to the encryption
notification.
[]>
Proxy: Not Configured
Profile Name         Key Service            Proxied     Provision Status
------------         -----------            -------     ----------------
HIPAA                Hosted Service         No          Not Provisioned
Choose the operation you want to perform:
- NEW - Create a new encryption profile
- EDIT - Edit an existing encryption profile
- DELETE - Delete an encryption profile
- PRINT - Print all configuration profiles
- CLEAR - Clear all configuration profiles
- PROXY - Configure a key server proxy
[]>
IronPort Email Encryption: Enabled
Choose the operation you want to perform:
- SETUP - Enable/Disable IronPort Email Encryption
- PROFILES - Configure email encryption profiles
- PROVISION - Provision with the Cisco Registered Envelope Service
[]>

encryptionstatus

Description

The encryptionstatus command shows the version of the PXE Engine and Domain Mappings file on the Email Security appliance, as well as the date and time the components were last updated.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> encryptionstatus
Component                 Version    Last Updated
PXE Engine                6.7.1      17 Nov 2009 00:09 (GMT)
Domain Mappings File      1.0.0      Never updated

encryptionupdate

Description

The encryptionupdate command requests an update to the PXE Engine on the Email Security appliance.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> encryptionupdate
Requesting update of PXE Engine.

enginestatus

Description

The enginestatus command is used to display the status and CPU usage of various engines enabled on the appliance.

Usage

Commit: This command does not requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help enginestatus.

Example

The following example shows how to view the status and CPU usage of all engines enabled on the appliance:


vm30esa0086.ibqa> enginestatus
Choose the operation you want to perform:
- GRAYMAIL - View Graymail engine status
- SOPHOS - View Sophos engine status
- CASE - View CASE engine status
- AMP - View AMP engine status
- MCAFEE - View McAfee engine status
- ALL - View status of All engines
[]> ALL
CASE Status: UP CPU: 0.0%
Component                      Version                             Last Updated
CASE Core Files                3.5.0-008                           Never updated
CASE Utilities                 3.5.0-008                           Never updated
Structural Rules               3.3.1-009-20141210_214201           Never updated
Web Reputation DB              20141211_111021                     Never updated
Web Reputation Rules           20141211_111021-20141211_170330     Never updated
Content Rules                  unavailable                         Never updated
Content Rules Update           unavailable                         Never updated
SOPHOS Status: UP CPU: 0.0%
Component                      Version                             Last Updated
Sophos Anti-Virus Engine       3.2.07.365.2_5.30                   Never updated
Sophos IDE Rules               0                                   Never updated
GRAYMAIL Status: UP CPU: 0.0%
Component                      Version                             Last Updated
Graymail Engine                01-392.68                           N10 Nov 2016 07:08 (GMT +00:00) updated
Graymail Rules                 01-392.68#121                       Never updated
Graymail Tools                 1.0.03                              Never updated
MCAFEE Status: UP CPU: 0.0%
Component                      Version                             Last Updated
McAfee Engine                  5700                                Never updated
McAfee DATs                    7437                                Never updated
AMP Status: UP CPU: 0.0%
Component                      Version                             Last Updated
AMP Client Settings            1.0                                 Never updated
AMP Client Engine              1.0                                 Never updated

featurekey

Description

The featurekey command lists all functionality enabled by keys on the system and information related to the keys. It also allows you to activate features using a key or check for new feature keys.

For virtual appliances, see also loadlicense and showlicense.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example

In this example, the featurekey command is used to check for new feature keys.


mail3.example.com> featurekey
Module                              Quantity   Status     Remaining   Expiration Date
Outbreak Filters                    1          Active     28 days     Tue Feb 25 06:40:53 2014
IronPort Anti-Spam                  1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Sophos Anti-Virus                   1          Active     26 days     Sun Feb 23 02:27:48 2014
Bounce Verification                 1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Incoming Mail Handling              1          Active     20 days     Sun Feb 16 08:55:58 2014
IronPort Email Encryption           1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Data Loss Prevention      	         1          Active     25 days     Fri Feb 21 10:07:10 2014
McAfee                              1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Choose the operation you want to perform:
- ACTIVATE - Activate a (pending) key.
- CHECKNOW - Check now for new feature keys.
[]> checknow
No new feature keys are available.

featurekeyconfig

Description

The featurekeyconfig command allows you to configure the machine to automatically download available keys and update the keys on the machine.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine.

Batch Command: This command does not support a batch format.

Example

In this example, the featurekeyconfig command is used to enable the autoactivate and autocheck features.


mail3.example.com> featurekeyconfig
Automatic activation of downloaded keys: Disabled
Automatic periodic checking for new feature keys: Disabled
Choose the operation you want to perform:
- SETUP - Edit feature key configuration.
[]> setup
Automatic activation of downloaded keys: Disabled
Automatic periodic checking for new feature keys: Disabled
Choose the operation you want to perform:
- AUTOACTIVATE - Toggle automatic activation of downloaded keys.
- AUTOCHECK - Toggle automatic checking for new feature keys.
[]> autoactivate
Do you want to automatically apply downloaded feature keys? [N]> y
Automatic activation of downloaded keys: Enabled
Automatic periodic checking for new feature keys: Disabled
Choose the operation you want to perform:
- AUTOACTIVATE - Toggle automatic activation of downloaded keys.
- AUTOCHECK - Toggle automatic checking for new feature keys.
[]> autocheck
Do you want to periodically query for new feature keys? [N]> y
Automatic activation of downloaded keys: Enabled
Automatic periodic checking for new feature keys: Enabled

generalconfig

Description

The generalconfig command allows you to configure browser settings.

Usage

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For details, see the inline help by typing the command: help generalconfig .

Example - Configure Internet Explorer Compatibility Mode Override

The following example shows how to override IE Compatibility Mode.


mail.example.com> generalconfig
Choose the operation you want to perform:
- IEOVERRIDE - Configure Internet Explorer Compatibility Mode Override
[]> ieoverride
    For better web interface rendering, we recommend that you enable Internet
    Explorer Compatibility Mode Override. However, if enabling this feature
    is against your organizational policy, you may disable this feature.
    Internet Explorer Compatibility Mode Override is currently disabled.
Would you like to enable Internet Explorer Compatibility Mode Override? [N]y
Choose the operation you want to perform:
- IEOVERRIDE - Configure Internet Explorer Compatibility Mode Override
[]>

healthcheck

Description

Checks the health of your Email Security appliance. Health check analyzes historical data (up to three months) in the current Status Logs to determine the health of the appliance.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> healthcheck
Analyzing the system to determine current health of the system.
The analysis may take a while, depending on the size of the historical data.
System analysis is complete.
The analysis indicates that the system has experienced the following issue(s)recently:
Entered Resource conservation mode
Delay in mail processing
High CPU usage
High memory usage
Based on this analysis,
we recommend you to contact Cisco Customer Support before upgrading.

healthconfig

Description

Configure the threshold of various health parameters of your appliance such as CPU usage, maximum messages in work queue and so on

Usage

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> healthconfig
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]> workqueue
Number of messages in the workqueue : 0
Current threshold on the workqueue size : 500
Alert when exceeds threshold : Disabled
Do you want to edit the settings? [N]> y
Please enter the threshold value for number of messages in work queue.
[500]> 550
Do you want to receive alerts if the number of messages in work queue exceeds
threshold value? [N]> n
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]> cpu
Overall CPU usage : 0 %
Current threshold on the overall CPU usage: 85 %
Alert when exceeds threshold : Disabled
Do you want to edit the settings? [N]> y
Please enter the threshold value for overall CPU usage (in percent)
[85]> 90
Do you want to receive alerts if the overall CPU usage exceeds threshold value?[N]> n
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]> swap
Number of pages swapped from memory in a minute : 0
Current threshold on the number of pages swapped from memory per minute : 5000
Alert when exceeds threshold : Disabled
Do you want to edit the settings? [N]> y
Please enter the threshold value for number of pages swapped from memory in a
minute.
[5000]> 5500
Do you want to receive alerts if number of pages swapped from memory in a
minute exceeds the threshold? [N]> n
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]>

ntpconfig

Description

The ntpconfig command configures AsyncOS to use Network Time Protocol (NTP) to synchronize the system clock with other computers. NTP can be turned off using the settime command.

Usage

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> 
ntpconfig
Currently configured NTP servers:
1. time.ironport.com
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should originate.
- AUTH - Configure NTP authentication.
[]> new
Please enter the fully qualified hostname or IP address of your NTP server.
[]> ntp.example.com
Currently configured NTP servers:
1. time.ironport.com
2. bitsy.mit.edi
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should
originate.
- AUTH - Configure NTP authentication.
[]> sourceint
 
When initiating a connection to an NTP server, the outbound IP address 
used is chosen automatically.
If you want to choose a specific outbound IP address,please select 
its interface name now.
1. Auto
2. Management (172.19.0.11/24: elroy.run)
3. PrivateNet (172.19.1.11/24: elroy.run)
4. PublicNet (172.19.2.11/24: elroy.run)
[1]> 1
Currently configured NTP servers:
1. time.ironport.com
2. bitsy.mit.edi
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should originate.
- AUTH - Configure NTP authentication.
[]> auth

Would you like to enable NTP authentication? [N]>yes
Currently configured NTP servers:
1. time.ironport.com
2. bitsy.mit.edi
Authentication is on
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should
originate.
- AUTH - Configure NTP authentication.

mail3.example.com> commit
Please enter some comments describing your changes:
[]> Added new NTP server
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

portalregistrationconfig

Cisco Spam Submission Tracking Portal is a web-based tool that allows email administrators to track the spam submissions from their organization and to report new misclassified messages to Cisco. This portal requires all your appliances to have a common registration ID.

Use the portalregistrationconfig command in CLI to set the registration ID. If your appliances are not part of a cluster, you must set a common registration ID on all your appliances.

For more information about the portal, see Anti-Spam chapter in user guide or online help.

Usage

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example

 
		mail3.example.com> portalregistrationconfig
	  
 Choose the operation you want to perform:
	 
 - REGISTRATION_ID - Set up the Registration ID.
	  []> registration_id 
	  Enter the new value of the Registration ID.
	  []> registrationidexample1234
	 

reboot

Description

Restart the appliance.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> reboot
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Waiting for listeners to exit...
Receiving suspended.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.

repengstatus

Description

Request version information of Reputation Engine.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> repengstatus
  Component                   Last Update                     Version
  Reputation Engine           28 Jan 2014 23:47 (GMT +00:00)  1
  Reputation Engine Tools     28 Jan 2014 23:47 (GMT +00:00)  1

resume

Description

Resume receiving and deliveries

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> resume
Receiving resumed for Listener 1.
Mail delivery resumed.
Mail delivery for individually suspended domains must be resumed individually.

resumedel

Description

Resume deliveries.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> resumedel
Currently suspended domains:
1. domain1.com
2. domain2.com
3. domain3.com
Enter one or more domains [comma-separated] to which you want to resume delivery.
[ALL]> domain1.com, domain2.com
Mail delivery resumed.

resumelistener

Description

Resume receiving on a listener.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> resumelistener
Choose the listener(s) you wish to resume.
Separate multiple entries with commas.
1. All
2. InboundMail
3. OutboundMail
[1]> 1
Receiving resumed.
mail3.example.com>

revert

Description

Revert to a previous release.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> revert
This command will revert the appliance to a previous version of AsyncOS.
WARNING: Reverting the appliance is extremely destructive.
The following data will be destroyed in the process:
- all configuration settings (including listeners)
- all log files
- all databases (including messages in Virus Outbreak and Policy quarantines)
- all reporting data (including saved scheduled reports)
- all message tracking data
- all IronPort Spam Quarantine message and end-user safelist/blocklist data
Only the network settings will be preserved.
Before running this command, be sure you have:
- saved the configuration file of this appliance (with passphrases unmasked)
- exported the IronPort Spam Quarantine safelist/blocklist database
  to another machine (if applicable)
- waited for the mail queue to empty
Reverting the device causes an immediate reboot to take place.
After rebooting, the appliance reinitializes itself and reboots
again to the desired version.
    Available versions
    =================
 1. 9.1.0-019
Please select an AsyncOS version [1]:
Do you want to continue? [N]> 

settime

Description

The settime command allows you to manually set the time if you are not using an NTP server. The command asks you if you want to stop NTP and manually set the system clock. Enter the time is using this format: MM/DD/YYYY HH:MM:SS.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> settime
WARNING: Changes to system time will take place immediately
and do not require the user to run the commit command.
Current time 09/23/2001 21:03:53.
This machine is currently running NTP.
In order to manually set the time, NTP must be disabled.
Do you want to stop NTP and manually set the time? [N]> Y
Please enter the time in MM/DD/YYYY HH:MM:SS format.
[]> 09/23/2001 21:03:53
Time set to 09/23/2001 21:03:53.

settz

Description

Set the local time zone.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail3.example.com> settz
Current time zone: Etc/GMT
Current time zone version: 2010.02.0
Choose the operation you want to perform:
- SETUP - Set the local time zone.
[]> setup
Please choose your continent:
1. Africa
2. America
[ ... ]
11. GMT Offset
[2]> 2
Please choose your country:
1. Anguilla
[ ... ]
45. United States
46. Uruguay
47. Venezuela
48. Virgin Islands (British)
49. Virgin Islands (U.S.)
[45]> 45
Please choose your timezone:
1. Alaska Time (Anchorage)
2. Alaska Time - Alaska panhandle (Juneau)
[ ... ]
21. Pacific Time (Los_Angeles)
[21]> 21
Current time zone: America/Los_Angeles
Choose the operation you want to perform:
- SETUP - Set the local time zone.
[]>

shutdown

Description

Shut down the system to power off

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> shutdown
Enter the number of seconds to wait before forcibly closing connections.
[30]> 
System shutting down.  Please wait while the queue is being closed...
Closing CLI connection.
The system will power off automatically.
Connection to mail.example.com closed.

smaconfig

Description

The smaconfig command is used to add, delete, or view the SMA connection parameters and keys.

Usage

Commit: This command requires a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Example

In the following example, you can use the smaconfig command to add Email Security appliances to the Content Security Management Appliance (SMA) using pre-shared keys, and view the SMA connection details (host name and user keys).

mail.example.com> smaconfig
Choose the operation you want to perform:
- ADD - Add a new SMA Connection Parameter and Key.
[]> add

Enter the hostname of the system that you want to add.
[]> m380q03.ibqa

Enter the user key of the host m380q03.ibqa.
Press enter on a blank line to finish.

SSH2:dsa
10.76.71.107 ssh-dss AAAAB3NzaC1kc3MAAACBAJCRYaVJgwSMTmLbt2xG5LVNKjFXpzW/vMRDQN3xclvJVpgYnQ1GfjL/zAbZC5pYz/jac405R9h+J2jTzAjzZRgaBIalVvi1Li0JkQQNhcRWEDjOhHwMTOkHh1+SVuqoR5xM0Y47jE/9SmEM6OXFSkAeTVXQq65c99FDGnNpvBWFAAAAFQD0dhuWPCD+++xjLZr4yxlWFJ5AdQAAAIBilaS+VDYY38IosX/9czWGIcBl7cqDZUXWkwoKF41OUfnoa42Q0VDBaoPiJ7gBhWVDHTo8rgz9PQRcl020Ok2ud7WASf/rLKbP9i26PWRK1yAAr7FvDol/l//5GtXbMtqWyVeo3oGqGS7dZc7MI/pMC5jGxDmTSM2SlyOEsS1xmQAAAIAY1ZiXC2ZeMhVWKgj8A8JHEPcgT4hu7Mo3Yq+YkGsemK4L+YF4k3t5DbGwirYvfXZCJSPD+E9mcnltIaOMFuB1W8Kiq+Cz/Ikzm9U4MdIz48HOKS2Sl7YVG3xhYJjyyRpLHGDYRagANtjvOLRPF57xUvkdz5DCcJiXbWEhaZBHkg==

SMA host key was added successfully.


Choose the operation you want to perform:
- ADD - Add a new SMA Connection Parameter and Key.
- DELETE - Remove an existing SMA Connection Parameter and Key.
- PRINT - Display all SMA Parameters and Keys.

[]> print
1. Hostname: m380q03.ibqa  Keys: SSH2:dsa10.76.71.107 ssh-dss
AAAAB3NzaC1kc3MAAACBAJCRYaVJgwSMTmLbt2xG5LVNKjFXpzW/vMRDQN3xclvJVpgYnQ1GfjL/zAbZC5pYz/jac405R9h+J2jTzAjzZRgaBIalVvi1Li0JkQQNhcRWEDjOhHwMTOkHh1+SVuqoR5xM0Y47jE/9SmEM6OXFSkAeTVXQq65c99FDGnNpvBWFAAAAFQD0dhuWPCD+++x
jLZr4yxlWFJ5AdQAAAIBilaS+VDYY38IosX/9czWGIcBl7cqDZUXWkwoKF41OUfnoa42Q0VDBaoPiJ7gBhWVDHTo8rgz9PQRcl020Ok2ud7WASf/rLKbP9i26PWRK1yAAr7FvDol/l//5GtXbMtqWyVeo3oGqGS7dZc7MI/pMC5jGxDmTSM2SlyOEsS1xmQAAAIAY1ZiXC2ZeMhVWKg
j8A8JHEPcgT4hu7Mo3Yq+YkGsemK4L+YF4k3t5DbGwirYvfXZCJSPD+E9mcnltIaOMFuB1W8Kiq+Cz/Ikzm9U4MdIz48HOKS2Sl7YVG3xhYJjyyRpLHGDYRagANtjvOLRPF57xUvkdz5DCcJiXbWEhaZBHkg==
Choose the operation you want to perform:
- ADD - Add a new SMA Connection Parameter and Key.
- DELETE - Remove an existing SMA Connection Parameter and Key.
- PRINT - Display all SMA Parameters and Keys.
[]> 

sshconfig

Description

Configure SSH server and user key settings.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to cluster mode.

Batch Command: This command does not support a batch format.

Examples

Example: Editing SSH Server Configuration

The following example shows how to edit the SSH server configuration:


mail.example.com> sshconfig
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]> sshd
ssh server config settings:
Public Key Authentication Algorithms:
        rsa1
        ssh-dss
        ssh-rsa
Cipher Algorithms:
        aes128-ctr
        aes192-ctr
        aes256-ctr
        arcfour256
        arcfour128
        aes128-cbc
        3des-cbc
        blowfish-cbc
        cast128-cbc
        aes192-cbc
        aes256-cbc
        arcfour
        rijndael-cbc@lysator.liu.se
MAC Methods:
        hmac-md5
        hmac-sha1
        umac-64@openssh.com
        hmac-ripemd160
        hmac-ripemd160@openssh.com
        hmac-sha1-96
        hmac-md5-96
Minimum Server Key Size:
        1024
KEX Algorithms:
        diffie-hellman-group-exchange-sha256
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group14-sha1
        diffie-hellman-group1-sha1
Choose the operation you want to perform:
- SETUP - Setup SSH server configuration settings
[]> setup
Enter the Public Key Authentication Algorithms do you want to use
[rsa1,ssh-dss,ssh-rsa]>
Enter the Cipher Algorithms do you want to use
[aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc@lysator.liu.se]>
Enter the MAC Methods do you want to use
[hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96]>
Enter the Minimum Server Key Size do you want to use
[1024]>
Enter the KEX Algorithms do you want to use
[diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]>
ssh server config settings:
Public Key Authentication Algorithms:
        rsa1
        ssh-dss
        ssh-rsa
Cipher Algorithms:
        aes128-ctr
        aes192-ctr
        aes256-ctr
        arcfour256
        arcfour128
        aes128-cbc
        3des-cbc
        blowfish-cbc
        cast128-cbc
        aes192-cbc
        aes256-cbc
        arcfour
        rijndael-cbc@lysator.liu.se
MAC Methods:
        hmac-md5
        hmac-sha1
        umac-64@openssh.com
        hmac-ripemd160
        hmac-ripemd160@openssh.com
        hmac-sha1-96
        hmac-md5-96
Minimum Server Key Size:
        1024
KEX Algorithms:
        diffie-hellman-group-exchange-sha256
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group14-sha1
        diffie-hellman-group1-sha1
Choose the operation you want to perform:
- SETUP - Setup SSH server configuration settings
[]>
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]>
Example: Installing a New Public Key for the Administrator Account

In the following example, a new public key is installed for the administrator account:


mail.example.com> sshconfig
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]> userkey
Currently installed keys for admin:
Choose the operation you want to perform:
- NEW - Add a new key.
- USER - Switch to a different user to edit.
[]> new
Please enter the public SSH key for authorization.
Press enter on a blank line to finish.
[-paste public key for user authentication here-]
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]> 
Example: Categorizing an IP Address as Persistent Blacklist or Whitelist

If the appliance or the ipblockd service is restarted, the IP address that you categorize as a persistent blacklist or whitelist is retained.


Note

You can categorize IP addresses as persistent blacklists or whitelists only on AsyncOS 11.0.2 and above.


The following example shows how to categorize IP addresses as persistent whitelist:

mail.example.com> sshconfig
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
- ACCESS CONTROL - Edit SSH whitelist/blacklist
[]> access control

Choose the operation you want to perform:
- WHITELIST - Manage the persistent whitelist
- BLACKLIST - Manage the persistent blacklist
[]> whitelist

Choose the operation you want to perform:
- ADD - Add address(es)
- REMOVE - Remove address(es)
- PRINT - Print addresses
[]> add

Enter an IP address or a comma-separated list of addresses.
Addresses already in the Whitelist will be ignored.
[]> 10.8.85.77

The addresses were successfully added to the Whitelist

The following example shows how to categorize IP addresses as persistent blacklist:

mail.example.com> sshconfig
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
- ACCESS CONTROL - Edit SSH whitelist/blacklist
[]> access control

Choose the operation you want to perform:
- WHITELIST - Manage the persistent whitelist
- BLACKLIST - Manage the persistent blacklist
[]> blacklist

Choose the operation you want to perform:
- ADD - Add address(es)
- REMOVE - Remove address(es)
- PRINT - Print addresses
[]> add

Enter an IP address or a comma-separated list of addresses.
Addresses already in the Whitelist will be ignored.
[]> 10.8.85.77

The addresses were successfully added to the blacklist

status

Description

Show system status.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> status

Status as of:               Thu Oct 21 14:33:27 2004 PDT
Up since:                   Wed Oct 20 15:47:58 2004 PDT (22h 45m 29s)
Last counter reset:         Never
System status:              Online
Oldest Message:             4 weeks 46 mins 53 secs
Feature - McAfee:              161 days
[....]
Feature - Outbreak Filters:    161 days
Counters:                               Reset          Uptime        Lifetime
  Receiving
    Messages Received              62,049,822         290,920      62,049,822
    Recipients Received            62,049,823         290,920      62,049,823
  Rejection
    Rejected Recipients             3,949,663          11,921       3,949,663
    Dropped Messages               11,606,037             219      11,606,037
  Queue
    Soft Bounced Events             2,334,552          13,598       2,334,552
  Completion
    Completed Recipients           50,441,741         332,625      50,441,741
  Current IDs
    Message ID (MID)                                                 99524480
    Injection Conn. ID (ICID)                                        51180368
    Delivery Conn. ID (DCID)                                         17550674
Gauges:                               Current
  Connections
    Current Inbound Conn.                   0
    Current Outbound Conn.                 14
Queue
    Active Recipients                              1
    Messages In Work Queue                         0
    Kilobytes Used                                92
    Kilobytes Free                         8,388,516
  Quarantine
    Messages In Quarantine
      Policy, Virus and Outbreak                   0
    Kilobytes In Quarantine
      Policy, Virus and Outbreak                   0

supportrequest

Description

Send a message to Cisco customer support. This command requires that the appliance is able to send mail to the Internet. A trouble ticket is automatically created, or you can associate the support request with an existing trouble ticket.

To access Cisco technical support directly from the appliance, your Cisco.com user ID must be associated with your service agreement contract for this appliance. To view a list of service contracts that are currently associated with your Cisco.com profile, visit the Cisco.com Profile Manager at https://sso.cisco.com/autho/forms/CDClogin.html . If you do not have a Cisco.com user ID, register to get one. See information about registering for an account in the online help or user guide for your release.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto). This command requires access to the local file system.

Batch Command: This command does not support a batch format.

Example

The following example shows a support request that is not related to an existing support ticket.


mail.example.com> supportrequest
Please Note:
If you have an urgent issue, please call one of our worldwide Support Centers
(www.cisco.com/support). Use this command to open a technical support request
for issues that are not urgent, such as:
- Request for information.
- Problem for which you have a work-around, but would like an alternative
solution.
Do you want to send the support request to supportrequest@mail.qa? 
[Y]>
Do you want to send the support request to additional recipient(s)? 
[N]>
Is this support request associated with an existing support ticket? 
[N]>
Please select a technology related to this support request:
1. Security - Email and Web
2. Security - Management
[1]> 1
Please select a subtechnology related to this support request:
1. Cisco Email Security Appliance (C1x0,C3x0, C6x0, X10x0) - Misclassified
Messages
2. Cisco Email Security Appliance (C1x0,C3x0, C6x0, X10x0) - SBRS
3. Cisco Email Security Appliance (C1x0,C3x0, C6x0, X10x0) - Other
4. Email Security Appliance - Virtual
[1]> 3
Please select the problem category:
1. Upgrade
2. Operate
3. Configure
4. Install
[1]> 3
Please select a problem sub-category:
1. Error Messages, Logs, Debugs
2. Software Failure
3. Interoperability
4. Configuration Assistance
5. Install, Uninstall or Upgrade
6. Hardware Failure
7. Licensing
8. Data Corruption
9. Software Selection/Download Assistance
10. Passphrase Recovery
[1]> 5
Please enter a subject line for this support request:
[]> <Subject line for support request>
Please enter a description of your issue, providing as much detail as possible
to aid in diagnosis:
[]> <Description of issue>
It is important to associate all your service contracts with your Cisco.com profile (CCO ID) in order for you to receive complete 
access to support and services from Cisco. Please follow the URLs below to associate your contract coverage on your Cisco.com profile. 
If you do not have a CCO ID, please follow
the URL below to create a CCO ID.
How to create a CCO ID:
https://tools.cisco.com/RPF/register/register.do
How to associate your CCO ID with contract:
https://tools.cisco.com/RPFA/profile/profile_management.do
Frequently Asked Question:
http://www.cisco.com/web/ordering/cs_info/faqs/index.html
Select the CCOID
1. New CCOID
[1]>
Please enter the CCOID of the contact person :
[]> your name
The CCO ID may contain alphabets, numbers and '@', '.', '-' and '_' symbols.
Please enter the CCOID of the contact person :
[]> me@example.com
Please enter the name of the contact person :
[]> yourname
Please enter your email address:
[]> me@example.com
Please enter the contract ID:
[]> 1234
Please enter any additional contact information (e.g. phone number):
[]>
Please wait while configuration information is generated...
Do you want to print the support request to the screen? 
[N]>

supportrequeststatus

Description

Display Support Request Keywords version information for requesting support from Cisco TAC.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> supportrequeststatus
Component                 Version    Last Updated
Support Request           1.0        Never updated

supportrequestupdate

Description

Request manual update of Support Request Keywords for requesting support from Cisco TAC.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> supportrequestupdate
Requesting update of Support Request Keywords.

suspend

Description

Suspend receiving and deliveries

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> suspend
Enter the number of seconds to wait before abruptly closing connections.
[30]> 45
Waiting for listeners to exit...
Receiving suspended for Listener 1.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
mail3.example.com>

suspenddel

Description

Suspend deliveries

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> suspenddel
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Enter one or more domains [comma-separated] to which you want to suspend delivery.
[ALL]> domain1.com, domain2.com, domain3.com
Waiting for outgoing deliveries to finish...
Mail delivery suspended.

suspendlistener

Description

Suspend receiving.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> suspendlistener
Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. InboundMail
3. OutboundMail
[1]> 1
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Waiting for listeners to exit...
Receiving suspended.
mail3.example.com> 

tcpservices

Description

Display information about files opened by processes.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.cisco.com> tcpservices
System Processes (Note: All processes may not always be present)
  ftpd.main    - The FTP daemon
  ginetd       - The INET daemon
  interface    - The interface controller for inter-process communication
  ipfw         - The IP firewall
  slapd        - The Standalone LDAP daemon
  sntpd        - The SNTP daemon
  sshd         - The SSH daemon
  syslogd      - The system logging daemon
  winbindd     - The Samba Name Service Switch daemon
Feature Processes
  euq_webui    - GUI for ISQ
  gui          - GUI process
  hermes       - MGA mail server
  postgres     - Process for storing and querying quarantine data
  splunkd      - Processes for storing and querying Email Tracking data
COMMAND      USER         TYPE NODE   NAME
interface    root         IPv4 TCP    127.0.0.1:53
postgres     pgsql        IPv4 TCP    127.0.0.1:5432
qabackdoo    root         IPv4 TCP    *:8123
ftpd.main    root         IPv4 TCP    10.1.1.0:21
euq_webui    root         IPv4 TCP    10.1.1.0:83
euq_webui    root         IPv6 TCP    [2001:db8::]:83
gui          root         IPv4 TCP    172.29.181.70:80
gui          root         IPv4 TCP    10.1.1.0:80
gui          root         IPv6 TCP    [2001:db8::]:80
gui          root         IPv4 TCP    172.29.181.70:443
gui          root         IPv4 TCP    10.1.1.0:443
gui          root         IPv6 TCP    [2001:db8::]:443
ginetd       root         IPv4 TCP    172.29.181.70:22
ginetd       root         IPv4 TCP    10.1.1.0:22
ginetd       root         IPv6 TCP    [2001:db8::]:22
ginetd       root         IPv4 TCP    10.1.1.0:2222
ginetd       root         IPv6 TCP    [2001:db8::]:2222
hermes       root         IPv4 TCP    172.29.181.70:25
splunkd      root         IPv4 TCP    127.0.0.1:8089
splunkd      root         IPv4 TCP    127.0.0.1:9997
api_serve    root         IPv4 TCP    10.1.1.0:6080
api_serve    root         IPv6 TCP    [2001:db8::]:6080
api_serve    root         IPv4 TCP    10.1.1.0:6443
api_serve    root         IPv6 TCP    [2001:db8::]:6443
java         root         IPv6 TCP    [::127.0.0.1]:9999

techsupport

Description

Allow Cisco TAC to access your system.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> techsupport
Service Access currently disabled.
Serial Number: XXXXXXXXXXXX-XXXXXXX
Choose the operation you want to perform:
- SSHACCESS - Allow a Cisco IronPort Customer Support representative to remotely access your system, without establishing a tunnel.
- TUNNEL - Allow a Cisco IronPort Customer Support representative to remotely access your system, and establish a secure tunnel 
           for communication.
- STATUS - Display the current techsupport status.
[]> sshaccess
A random seed string is required for this operation
1. Generate a random string to initialize secure communication (recommended)
2. Enter a random string
[1]> 1
Are you sure you want to enable service access? [N]> y
Service access has been ENABLED.  Please provide the string:
QT22-JQZF-YAQL-TL8L-8@2L-95
to your Cisco IronPort Customer Support representative.
Service Access currently ENABLED (0 current service logins).
Tunnel option is not active.
Serial Number: XXXXXXXXXXXX-XXXXXXX
Choose the operation you want to perform:
- DISABLE - Prevent customer service representatives from remotely accessing your system.
- STATUS - Display the current techsupport status.
[]>

tlsverify

Description

Establish an outbound TLS connection on demand and debug any TLS connection issues concerning a destination domain. To create the connection, specify the domain to verify against and the destination host. AsyncOS checks the TLS connection based on the Required (Verify) TLS setting

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format.

Batch Format

The batch format of the tlsverify command can be used to perform all the fuctions of the traditional CLI command to check the TLS connection to the given hostname.


tlsverify <domain> <hostname>[:<port>]

Example


mail3.example.com> tlsverify
Enter the TLS domain to verify against:
[]> example.com
Enter the destination host to connect to.  Append the port (example.com:26) if you are not connecting on port 25:
[example.com]> mxe.example.com:25
Connecting to 1.1.1.1 on port 25.
Connected to 1.1.1.1 from interface 10.10.10.10.
Checking TLS connection.
TLS connection established: protocol TLSv1, cipher RC4-SHA.
Verifying peer certificate.
Verifying certificate common name mxe.example.com.
TLS certificate match mxe.example.com
TLS certificate verified.
TLS connection to 1.1.1.1 succeeded.
TLS successfully connected to mxe.example.com.
TLS verification completed.

trace

Description

Trace the flow of a message through the system

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> trace
Enter the source IP
[]> 192.168.1.1
Enter the fully qualified domain name of the source IP
[]> example.com
Select the listener to trace behavior on:
1. InboundMail
2. OutboundMail
[1]> 1
Fetching default SenderBase values...
Enter the SenderBase Org ID of the source IP.  The actual ID is N/A.
[N/A]>
Enter the SenderBase Reputation Score of the source IP.  The actual score is N/A.
[N/A]>
Enter the Envelope Sender address:
[]> pretend.sender@example.net
Enter the Envelope Recipient addresses.  Separate multiple addresses by commas.
[]> admin@example.com
Load message from disk?  [Y]> n
Enter or paste the message body here.  Enter '.' on a blank line to end.
Subject: Hello
This is a test message.
.
HAT matched on unnamed sender group, host ALL
 - Applying $ACCEPTED policy (ACCEPT behavior).
 - Maximum Message Size:  100M (Default)
 - Maximum Number Of Connections From A Single IP:  1000 (Default)
 - Maximum Number Of Messages Per Connection:  1,000 (Default)
 - Maximum Number Of Recipients Per Message:  1,000 (Default)
 - Maximum Recipients Per Hour:  100 (Default)
 - Use SenderBase For Flow Control:  Yes (Default)
 - Spam Detection Enabled:  Yes (Default)
 - Virus Detection Enabled:  Yes (Default)
 - Allow TLS Connections:  No (Default)
Processing MAIL FROM:
 - Default Domain Processing:  No Change
Processing Recipient List:
Processing admin@ironport.com
 - Default Domain Processing:  No Change
 - Domain Map:  No Change
 - RAT matched on admin@ironport.com, behavior = ACCEPT
 - Alias expansion:  No Change
Message Processing:
 - No Virtual Gateway(tm) Assigned
 - No Bounce Profile Assigned
Domain Masquerading/LDAP Processing:
 - No Changes.
Processing filter 'always_deliver':
Evaluating Rule:   rcpt-to == "@mail.qa"
    Result = False
Evaluating Rule:   rcpt-to == "ironport.com"
    Result = True
Evaluating Rule:   OR
    Result = True
Executing Action:  deliver()
Footer Stamping:
 - Not Performed
Inbound Recipient Policy Processing: (matched on Management Upgrade policy)
Message going to:  admin@ironport.com
AntiSpam Evaluation:
 - Not Spam
AntiVirus Evaluation:
 - Message Clean.
 - Elapsed Time = '0.000 sec'
Outbreak Filter Evaluation:
 - No threat detected
Message Enqueued for Delivery
Would you like to see the resulting message? [Y]> y
Final text for messages matched on policy Management Upgrade
Final Envelope Sender:  pretend.sender@example.doma
Final Recipients:
 - admin@ironport.com
Final Message Content:
Received: from remotehost.example.com (HELO TEST) (1.2.3.4)
  by stacy.qa with TEST; 19 Oct 2004 00:54:48 -0700
Message-Id: <3i93q9$@Management>
X-IronPort-AV: i="3.86,81,1096873200";
   d="scan'208"; a="0:sNHT0"
Subject: hello
This is a test message.
Run through another debug session? [N]>

Note

When using trace , you must include both the header and the body of the message pasted into the CLI.

trackingconfig

Description

Configure the tracking system.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example


mail.example.com> trackingconfig
Message Tracking service status: Message Tracking is enabled.
Choose the operation you want to perform:
- SETUP - Enable Message Tracking for this appliance.
[]> setup
Would you like to use the Message Tracking Service? [Y]>
Do you want to use Centralized Message Tracking for this appliance? [N]>
Would you like to track rejected connections? [N]>
Message Tracking service status: Local Message Tracking is enabled.
Rejected connections are currently not being tracked.
Choose the operation you want to perform:
- SETUP - Enable Message Tracking for this appliance.
[]>

tzupdate

Description

Update timezone rules

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command supports a batch format.

Batch Format

The batch format of the tzupdate command forces an update off all time zone rules even if no changes are detected.


tzupdate [force]

Example


mail.example.com> tzupdate
Requesting update of Timezone Rules

updateconfig

Description

Configure system update parameters.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Examples

Configure the Appliance to Download Updates from Updater Servers

In the following example, the updateconfig command is used to configure the appliance to download update images from Cisco servers and download the list of available AsyncOS upgrades from a local server.


mail.example.com> updateconfig
Service (images):                                    Update URL:
------------------------------------------------------------------------------------------
Feature Key updates                                  http://downloads.ironport.com/asyncos
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Update interval: 5m
Alert Interval for Disabled Automatic Engine Updates: 30d
Proxy server: not enabled
HTTPS Proxy server: not enabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> setup
For the following services, please select where the system will download updates from:
Service (images):                                     Update URL:
------------------------------------------------------------------------------------------
Feature Key updates                                   http://downloads.ironport.com/asyncos
1. Use Cisco IronPort update servers (http://downloads.ironport.com)
2. Use own server
[1]>
For the following services, please select where the system will download updates from (images):
Service (images):                                    Update URL:
------------------------------------------------------------------------------------------
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
1. Use Cisco IronPort update servers
2. Use own server
[1]>
For the following services, please select where the system will download updates from (images):
Service (images):                                    Update URL:
------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
1. Use Cisco IronPort update servers
2. Use own server
[1]>
For the following services, please select where the system will download the list of available
updates from:
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
1. Use Cisco IronPort update servers
2. Use own update list
[1]>
For the following services, please select where the system will download the list of available
updates from:
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
1. Use Cisco IronPort update servers
2. Use own update list
[1]>
Enter the time interval between checks for new:
    - Timezone rules
    - Enrollment Client Updates (used to fetch certificates for URL Filtering)
    - Support Request updates
Use a trailing 's' for seconds, 'm' for minutes or 'h' for hours. The minimum
valid update time is 30s or enter '0' to disable automatic updates (manual
updates will still be available for individual services).
[5m]>
When initiating a connection to the update server the originating IP interface
is chosen automatically. If you want to choose a specific interface, please
specify it now.
1. Auto
2. Management (10.76.69.149/24: vm30esa0086.ibqa)
[1]>
Do you want to set up a proxy server for HTTP updates for ALL of the following
services:
    - Feature Key updates
    - Timezone rules
    - Enrollment Client Updates (used to fetch certificates for URL Filtering)
    - Support Request updates
    - Cisco IronPort AsyncOS upgrades
[N]>
Do you want to set up an HTTPS proxy server for HTTPS updates for ALL of the following
services:
    - Feature Key updates
    - Timezone rules
    - Enrollment Client Updates (used to fetch certificates for URL Filtering)
    - Support Request updates
    - Cisco IronPort AsyncOS upgrades
    - SenderBase Network Participation sharing
[N]>
Service (images):                                    Update URL:
------------------------------------------------------------------------------------------
Feature Key updates                                  http://downloads.ironport.com/asyncos
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates 							 Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Update interval: 5m
Proxy server: not enabled
HTTPS Proxy server: not enabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]>
Configure the Appliance to Verify the Validity of Updater Server Certificate

If you configure this option, every time the appliance communicates the Cisco updater server, the validity of the updater server certificate is verified. If the verification fails, updates are not downloaded and the details are logged in Updater Logs. The following example shows how to configure this option:


mail.example.com> updateconfig
Service (images):                                    Update URL:
------------------------------------------------------------------------------------------
Feature Key updates                                  http://downloads.ironport.com/asyncos
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Update interval: 5m
Alert Interval for Disabled Automatic Engine Updates: 30d
Proxy server: not enabled
HTTPS Proxy server: not enabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> validate_certificates
Should server certificates from Cisco update servers be validated?
[Yes]>
Service (images):                                    Update URL:
------------------------------------------------------------------------------------------
Feature Key updates                                  http://downloads.ironport.com/asyncos
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates						     Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Timezone rules                                       Cisco IronPort Servers
Enrollment Client Updates                            Cisco IronPort Servers
Support Request updates                              Cisco IronPort Servers
Service (list):                                      Update URL:
------------------------------------------------------------------------------------------
Cisco IronPort AsyncOS upgrades                      Cisco IronPort Servers
Update interval: 5m
Proxy server: not enabled
HTTPS Proxy server: not enabled
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]>
Configure the Appliance to Trust Proxy Server Communication

If you are using a non-transparent proxy server, you can add the CA certificate used to sign the proxy certificate to the appliance. By doing so, the appliance trusts the proxy server communication. The following example shows how to configure this option:


...
Choose the operation you want to perform:
- SETUP - Edit update configuration.
- VALIDATE_CERTIFICATES - Validate update server certificates
- TRUSTED_CERTIFICATES - Manage trusted certificates for updates
[]> trusted_certificates
Choose the operation you want to perform:
- ADD - Upload a new trusted certificate for updates.
[]> add
Paste certificates to be trusted for secure updater connections, blank to quit
Trusted Certificate for Updater:
Paste cert in PEM format (end with '.'):
-----BEGIN CERTIFICATE-----
MMIICiDCCAfGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCSU4x
DDAKBgNVBAgTA0tBUjENM............................................
-----END CERTIFICATE-----
.
Choose the operation you want to perform:
- ADD - Upload a new trusted certificate for updates.
- LIST - List trusted certificates for updates.
- DELETE - Delete a trusted certificate for updates.
[]>

updatenow

Description

Requests an update to all system service components.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does support a batch format.

Batch Format

The batch format of the updatenow command can be used to update all components on the appliance even if no changes are detected.


updatenow [force]

Example


mail3.example.com> updatenow
Success - All component updates requested

version

Description

View system version information

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> version
Current Version
===============
Product: Cisco C100V Email Security Virtual Appliance
Model: C100V
Version: 9.1.0-019
Build Date: 2015-02-17
Install Date: 2015-02-19 05:17:56
Serial #: 421C73B18CFB05784A83-B03A99E71ED8
BIOS: 6.00
CPUs: 2 expected, 2 allocated
Memory: 6144 MB expected, 6144 MB allocated
RAID: NA
RAID Status: Unknown
RAID Type: NA
BMC: NA

wipedata

Description

Use the wipedata command to wipe the core files on the disk and check the status of the last coredump operation.


Note

Depending on the size of the data, wipe action may take a while and can affect the system performance until the action is complete.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> wipedata
Wiping data may take a while and can affect system performance till it completes.
Choose the operation you want to perform:
- STATUS - Display status of last command run
- COREDUMP - Wipe core files on disk
[]> coredump
wipedata: In progress
mail.example.com> wipedata
Wiping data may take a while and can affect system performance till it completes.
Choose the operation you want to perform:
- STATUS - Display status of last command run
- COREDUMP - Wipe core files on disk
[]> status
Last wipedata status: Successful

upgrade

Description

The upgrade CLI command displays a list of available upgrades and upgrades the AsyncOS system to the version specified by the user.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail3.example.com> upgrade
Upgrades available:
1. AsyncOS (***DON'T TOUCH!***) 4.0.8 upgrade, 2005-05-09 Build 900
2. AsyncOS 4.0.8 upgrade, 2005-08-12 Build 030
.......
45. SenderBase Network Participation Patch
[45]>
Performing an upgrade will require a reboot of the system after the upgrade is applied.
 Do you wish to proceed with the upgrade? [Y]> Y

Content Scanning

contentscannerstatus

Display the content scanning engine version information.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

Example


mail.example.com> contentscannerstatus
Component              Version                Last Updated
Content Scanner Tools  11.2.1884.970097       Never updated

contentscannerudpate

Request manual update of the content scanning engine. If ‘force’ parameter is used, update is performed even if no changes are detected.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

Example


mail.example.com> contentscannerupdate force
Requesting forced update for Content Scanner.

LDAP

This section contains the following CLI commands:

ldapconfig

Description

Configure LDAP servers

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example - Creating a New LDAP Server Profile

In the following example, the ldapconfig command is used to define an LDAP server for the appliance to bind to, and queries for recipient acceptance ( ldapaccept subcommand), routing ( ldaprouting subcommand), masquerading ( masquerade subcommand), end-user authentication for the Spam Quarantine ( isqauth subcommand), and alias consolidation for spam notifications ( isqalias subcommand) are configured.

First, the nickname of “PublicLDAP” is given for the mldapserver.example.com LDAP server. Queries are directed to port 3268 (the default). The search base of example.com is defined ( dc=example,dc=com ), and queries for recipient acceptance, mail re-routing, and masquerading are defined. The queries in this example are similar to an OpenLDAP directory configuration which uses the inetLocalMailRecipient auxiliary object class defined in the expired Internet Draft draft-lachman-laser-ldap-mail-routing-xx.txt , also sometimes known as “the Laser spec.” (A version of this draft is included with the OpenLDAP source distribution.) Note that in this example, the alternate mailhost to use for queried recipients in the mail re-routing query is mailForwardingAddress . Remember that query names are case-sensitive and must match exactly in order to return the proper results.


mail3.example.com> ldapconfig
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
[]> new
Please create a name for this server configuration (Ex: "PublicLDAP"):
[]> PublicLDAP
Please enter the hostname:
[]> myldapserver.example.com
Use SSL to connect to the LDAP server? [N]> n
Select the authentication method to use for this server configuration:
1. Anonymous
2. Passphrase based
[1]> 2
Please enter the bind username:
[cn=Anonymous]>
Please enter the bind passphrase:
[]>
Connect to LDAP server to validate setting? [Y]
Connecting to the LDAP server, please wait...
Select the server type to use for this server configuration:
1. Active Directory
2. OpenLDAP
3. Unknown or Other
[3]> 1

Please enter the port number:
[3268]> 3268
Please enter the base:
[dc=example,dc=com]> dc=example,dc=com
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- TEST - Test the server configuration.
- LDAPACCEPT - Configure whether a recipient address should be accepted or
bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- CERTAUTH - Configure certificate authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> ldapaccept
Please create a name for this query:
[PublicLDAP.ldapaccept]> PublicLDAP.ldapaccept
Enter the LDAP query string:
[(proxyAddresses=smtp:{a})]> (proxyAddresses=smtp:{a})
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> ldaprouting
Please create a name for this query:
[PublicLDAP.routing]> PublicLDAP.routing
Enter the LDAP query string:
[(mailLocalAddress={a})]> (mailLocalAddress={a})
The query requires one of the attributes below.  Please make a selection.
  [1] Configure MAILROUTINGADDRESS only - Rewrite the Envelope Recipient (and
leave MAILHOST unconfigured)?
  [2] Configure MAILHOST only - Send the messages to an alternate mail host
(and leave MAILROUTINGADDRESS unconfigured)?
  [3] Configure both attributes
[]> 1
Enter the attribute which contains the full rfc822 email address for the
recipients.
[mailRoutingAddress]> mailRoutingAddress
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
LDAPROUTING: PublicLDAP.routing
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> masquerade
Please create a name for this query:
[PublicLDAP.masquerade]> PublicLDAP.masquerade
Enter the LDAP query string:
[(mailRoutingAddress={a})]> (mailRoutingAddress={a})
Enter the attribute which contains the externally visible full rfc822 email address.
[]> mailLocalAddress
Do you want the results of the returned attribute to replace the entire friendly portion of the original recipient? [N]> n
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
LDAPROUTING: PublicLDAP.routing
MASQUERADE: PublicLDAP.masquerade
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> isqauth
Please create a name for this query:
[PublicLDAP.isqauth]> PublicLDAP.isqauth
Enter the LDAP query string:
[(sAMAccountName={u})]> (sAMAccountName={u})
Enter the list of email attributes.
[]> mail,proxyAddresses
Do you want to activate this query? [Y]> y
Do you want to test this query? [Y]> y
User identity to use in query:
[]> admin@example.com
Passphrase to use in query:
[]> passphrase
LDAP query test results:
LDAP Server: myldapserver.example.com
Query: PublicLDAP.isqauth
User: admin@example.com
Action: match positive
LDAP query test finished.
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
LDAPROUTING: PublicLDAP.routing
MASQUERADE: PublicLDAP.masquerade
ISQAUTH: PublicLDAP.isqauth [active]
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]>
Current LDAP server configurations:
1. PublicLDAP: (myldapserver.example.com:3268)
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
- EDIT - Modify a server configuration.
- DELETE - Remove a server configuration.
[]>

Example - Configuring Global Settings

In the following example, the LDAP global settings are configured, including the certificate for TLS connections.


mail3.example.com> ldapconfig
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
[]> setup
Choose the IP interface for LDAP traffic.
1. Auto
2. Management (10.92.145.175/24: esx16-esa01.qa)
[1]> 1
LDAP will determine the interface automatically.
Should group queries that fail to complete be silently treated as having
negative results? [Y]>
Validate LDAP server certificate? [Y]>
The "Demo" certificate is currently configured. You may use "Demo", but this will not be secure.
1. partner.com
2. Demo
Please choose the certificate to apply:
[1]> 1
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
[]>

ldapflush

Description

Flush any cached LDAP results.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example


mail3.example.com> ldapflush
Are you sure you want to flush any cached LDAP results? [N]> y
Flushing cache
mail3.example.com>

ldaptest

Description

Perform a single LDAP query test

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example

In this example, the ldaptest command is used to test the only recipient acceptance query for the configured LDAP server configuration. The recipient address “admin@example.com” passes the test, while the recipient address “bogus@example.com” fails.


mail3.example.com> ldaptest
Select which LDAP query to test:
1. PublicLDAP.ldapaccep
[1]> 1
Address to use in query:
[]> admin@example.com
LDAP query test results:
                Query: PublicLDAP.ldapaccept
             Argument: admin@example.com
               Action: pass
LDAP query test finished.
mail3.example.com> ldaptest
Select which LDAP query to test:
1. PublicLDAP.ldapaccep
[1]> 1
Address to use in query:
[]> bogus@example.com
LDAP query test results:
 Query: PublicLDAP.ldapaccept
 Argument: bogus@example.com
 Action: drop or bounce (depending on listener settings)
 Reason: no matching LDAP record was found
LDAP query test finished.
mail3.example.com>

sievechar

Description

Sets or disables the character used for Sieve Email Filtering, as described in RFC 3598. Note that the Sieve Character is ONLY recognized in LDAP Accept and LDAP Reroute queries. Other parts of the system will operate on the complete email address.

Allowable characters are: -_=+/^#

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

Example

In this example, the sievechar command is used to define + as the sieve character recognized in Accept and LDAP Reroute queries.


mail3.example.com> sievechar
Sieve Email Filtering is currently disabled.
Choose the operation you want to perform:
- SETUP - Set the separator character.
[]> setup
Enter the Sieve Filter Character, or a space to disable Sieve Filtering.
[]> +
Sieve Email Filter is enabled, using the '+' character as separator.
This applies only to LDAP Accept and LDAP Reroute Queries.
Choose the operation you want to perform:
- SETUP - Set the separator character.
[]> 

Mail Delivery Configuration/Monitoring

This section contains the following CLI commands:

addresslistconfig

Description

Configure address lists.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Batch Format

The batch format for the addresslistconfig command can be used to create a new address list, edit an existing address list, print a list of address lists, delete an address list, or find conflicting addresses within an address list.

  • Adding a new address list:

    
    addresslistconfig new <name> --descr=<description> --addresses=<address1,address2,...>
  • Editing an existing address list:

    
    addresslistconfig edit <name> --name=<new-name> --descr=<description> --addresses=<address1,address2,...>
  • Deleting an address list:

    
    addresslistconfig delete <name>
  • Printing a list of address lists:

    
    addresslistconfig print <name>
  • Finding conflicting addresses within an address list:

    
    addresslistconfig conflicts <name>

Example

mail1.example.com> addresslistconfig

No address lists configured.

Choose the operation you want to perform:
- NEW - Create a new address list.
[]> new

Enter a name for the address list:
> add-list1

Enter a description for the address list:
> This is a sample address list

Enter the type of list:
1. Full Email Addresses only
2. Domains only
3. IP Addresses only
4. All of the above
Enter the type of the address list:
[4]> 1

Enter a comma separated list of addresses:
(e.g.: user@example.com)
> user1@example.com, user2@example.com

Address list "add-list1" added.

Choose the operation you want to perform:
- NEW - Create a new address list.
- EDIT - Modify an address list.
- DELETE - Remove an address list.
- PRINT - Display the contents of an address list.
- CONFLICTS - Find conflicting entries within an address list.
[]>

aliasconfig

Description

Configure email aliases.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Batch Format

The batch format of the aliasconfig command can be used to add a new alias table, edit an existing table, print a list of email aliases, and import/export alias table. To invoke as a batch command, use the following format of the aliasconfig command with the variables listed below:

  • Adding a new email alias:

    
    aliasconfig new <domain> <alias> [email_address1] [email_address2] ...
    

Note

Using the ‘ aliasconfig new ’ command with a non-existant domain causes the domain to be created.
  • Editing an existing email alias

    
    aliasconfig edit <domain> <alias> <email_address1] [email_address2] ...
    
  • Displaying an email alias:

    
    aliasconfig print
    
  • Importing a local alias listing:

    
    aliasconfig import <filename>
    
  • Exporting an alias listing on the appliance:

    
    aliasconfig export <filename>
    

Example


mail3.example.com> aliasconfig
Enter address(es) for "customercare".
Separate multiple addresses with commas.
[]> bob@example.com, frank@example.com, sally@example.com
Adding alias customercare: bob@example.com,frank@example.com,sally@example.com
Do you want to add another alias?  [N]> n
There are currently 1 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]> new
How do you want your aliases to apply?
1. Globally
2. Add a new domain context
3. example.com
[1]> 1
Enter the alias(es) to match on.
Separate multiple aliases with commas.
Allowed aliases:
    - "user@domain" - This email address.
    - "user" - This user for any domain
    - "@domain" - All users in this domain.
    - "@.partialdomain" - All users in this domain, or any of its sub domains.
[]> admin
Enter address(es) for "admin".
Separate multiple addresses with commas.
[]> administrator@example.com
Adding alias admin: administrator@example.com
Do you want to add another alias?  [N]> n
There are currently 2 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]> print
admin: administrator@example.com
[ example.com ]
customercare: bob@example.com, frank@example.com, sally@example.com
There are currently 2 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]>
Table 6. Arguments for Configuring Aliases

Argument

Description

<domain>

The domain context in which an alias is applied. ‘Global’ specifies the Global Domain Context.

<alias>

The name of the alias to configure

Aliases permitted at the Global Comain Context:

‘ user@domain’ — This email address.

‘ user’— This user for any domain.

‘@domain— All users in this domain.

‘@.partialdomain’— All users in this domain or any of its sub-domains.

Aliases permitted for specific domain contexts:

‘user’— This user in this domain context

‘user@domain’— This email address

<email_address>

The email address that an alias mapps to. A single alias can map to multiple email addresses.

<filename>

The filename to use with importing/exporting the alias table.

archivemessage

Description

Archive older messages in your queue.

Usage

Commit: This command does not require a commit.

Cluster Management: This command is restricted to machine mode..

Batch Command: This command does not support a batch format.

Example

In the following example, an older message is archived:


mail3.example.com> 
archivemessage
Enter the MID to archive.
[0]> 47

MID 47 has been saved in file oldmessage_47.mbox in the configuration

altsrchost

Description

Configure Virtual Gateway(tm) mappings.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example

In the following example, the altsrchost table is printed to show that there are no existing mappings. Two entries are then created:

  • Mail from the groupware server host named @exchange.example.com is mapped to the PublicNet interface.
  • Mail from the sender IP address of 192.168.35.35 is mapped to the AnotherPublicNet interface.

Finally, the altsrchost mappings are printed to confirm and the changes are committed.


mail3.example.com> altsrchost
There are currently no mappings configured.
Choose the operation you want to perform:
- NEW - Create a new mapping.
- IMPORT - Load new mappings from a file.
[]> new
Enter the Envelope From address or client IP address for which you want to set up a Virtual Gateway mapping.  
Partial addresses such as "@example.com" or "user@" are allowed.
[]> @exchange.example.com
Which interface do you want to send messages for @exchange.example.com from?
1. AnotherPublicNet (192.168.2.2/24: mail4.example.com)
2. Management (192.168.42.42/24: mail3.example.com)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail4.example.com)
[1]> 4
Mapping for @exchange.example.com on interface PublicNet created.
Choose the operation you want to perform:
- NEW - Create a new mapping.
- EDIT - Modify a mapping.
- DELETE - Remove a mapping.
- IMPORT - Load new mappings from a file.
- EXPORT - Export all mappings to a file.
- PRINT - Display all mappings.
- CLEAR - Remove all mappings.
[]> new
Enter the Envelope From address or client IP address for which you want to set up a Virtual Gateway mapping.  
Partial addresses such as "@example.com" or "user@" are allowed.
[]> 192.168.35.35
Which interface do you want to send messages for 192.168.35.35 from?
1. AnotherPublicNet (192.168.2.2/24: mail4.example.com)
2. Management (192.168.42.42/24: mail3.example.com)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail4.example.com)
[1]> 1
Mapping for 192.168.35.35 on interface AnotherPublicNet created.
Choose the operation you want to perform:
- NEW - Create a new mapping.
- EDIT - Modify a mapping.
- DELETE - Remove a mapping.
- IMPORT - Load new mappings from a file.
- EXPORT - Export all mappings to a file.
- PRINT - Display all mappings.
- CLEAR - Remove all mappings.
[]> print
1. 192.168.35.35 -> AnotherPublicNet
2. @exchange.example.com -> PublicNet
Choose the operation you want to perform:
- NEW - Create a new mapping.
- EDIT - Modify a mapping.
- DELETE - Remove a mapping.
- IMPORT - Load new mappings from a file.
- EXPORT - Export all mappings to a file.
- PRINT - Display all mappings.
- CLEAR - Remove all mappings.
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Added 2 altsrchost mappings 
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

bounceconfig

Description

Configure the behavior of bounces.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. See the inline CLI help for more details. Use the help command to access the inline help for this command.

Example

In the following example, a bounce profile named bounceprofile is created using the bounceconfig command. In this profile, all hard bounced messages are sent to the alternate address bounce-mailbox@example.com . Delay warnings messages are enabled. One warning message will be sent per recipient, and the default value of 4 hours (14400 seconds) between warning messages is accepted


mail3.example.com> bounceconfig
Current bounce profiles:
1. Default
Choose the operation you want to perform:
- NEW - Create a new profile.
- EDIT - Modify a profile.
[]> new
Please create a name for the profile:
[]> bounceprofile
Please enter the maximum number of retries.
[100]> 100
Please enter the maximum number of seconds a message may stay in the queue before being hard bounced.
[259200]> 259200
Please enter the initial number of seconds to wait before retrying a message.
[60]> 60
Please enter the maximum number of seconds to wait before retrying a message.
[3600]> 3600
Do you want a message sent for each hard bounce? (Yes/No/Default) [Y]> y
Do you want bounce messages to use the DSN message format? (Yes/No/Default) [Y]> y
Enter the subject to use:
[Delivery Status Notification (Failure)]> 
Select default notification template:
1. System Generated
2. bounce_english
3. bounce_russian
[1]> 
Do you want to configure language specific templates? [N]> 
Do you want to parse the DSN "Status" field received from bounce
responses to include in the DSN generated by the appliance?
(Yes/No/Default) [N]> 
If a message is undeliverable after some interval, do you want to send a delay warning message? (Yes/No/Default) [N]> y
Enter the subject to use:
[Delivery Status Notification (Delay)]> 
Select default notification template:
1. System Generated
2. bounce_english
3. bounce_russian
[1]> 1
Do you want to configure language specific templates? [N]> 
Please enter the minimum interval in seconds between delay warning messages.
[14400]> 14400
Please enter the maximum number of delay warning messages to send per
recipient.
[1]> 1
Do you want hard bounce and delay warning messages sent to an alternate address, instead of the sender? [N]> y
Please enter the email address to send hard bounce and delay warning.
[]> bounce-mailbox@example.com
Do you want bounce messages to be signed (Yes/No/Default)?  [N]> 
Current bounce profiles:
1. Default
2. bounceprofile
Choose the operation you want to perform:
- NEW - Create a new profile.
- EDIT - Modify a profile.
- DELETE - Remove a profile.
[]>
mail3.example.com>

Applying a Bounce Profile to a Listener

After a bounce profile has been configured, you can apply the profile for each listener using the listenerconfig -> bounceconfig command and then committing the changes.


Note

Bounce profiles can be applied based upon the listener that a message was received on. However, this listener has nothing to do with how the message is ultimately delivered.

In this example, the OutboundMail private listener is edited and the bounce profile named bouncepr1 is applied to it.


mail3.example.com> listenerconfig
Currently configured listeners:
1. InboundMail (on PublicNet, 192.168.2.1) SMTP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.1.1) SMTP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> edit
Enter the name or number of the listener you wish to edit.
[]> 2
Name: OutboundMail
Type: Private
Interface: PrivateNet (192.168.1.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 600 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Disabled
Bounce Profile: Default
Footer: None
LDAP: Off
Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
[]> bounceconfig
Please choose a bounce profile to apply:
1. Default
2. bouncepr1
3. New Profile
[1]> 2
Name: OutboundMail
Type: Private
Interface: PrivateNet (192.168.1.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 600 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Disabled
Bounce Profile: bouncepr1
Footer: None
LDAP: Off
Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
[]>
Currently configured listeners:
1. InboundMail (on PublicNet, 192.168.2.1) SMTP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.1.1) SMTP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Enabled the bouncepr1 profile to the Outbound mail listener
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

bouncerecipients

Description

Bounce messages from the queue.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example

Recipients to be bounced are identified by either the destination recipient host or the message sender identified by the specific address given in the Envelope From line of the message envelope. Alternately, all messages in the delivery queue can be bounced at once.

Bounce by Recipient Host

mail3.example.com> bouncerecipients
Please select how you would like to bounce messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 1
Please enter the hostname for the messages you wish to bounce.
[]> example.com
Are you sure you want to bounce all messages being delivered to "example.com"? [N]> Y
Bouncing messages, please wait.
100 messages bounced.
Bounce by Envelope From Address

mail3.example.com> bouncerecipients
Please select how you would like to bounce messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 2
Please enter the Envelope From address for the messages you wish to bounce.
[]> mailadmin@example.com
Are you sure you want to bounce all messages with the Envelope From address of "mailadmin@example.com"? [N]> Y
Bouncing messages, please wait.
100 messages bounced.
Bounce All

mail3.example.com> bouncerecipients
Please select how you would like to bounce messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 
Are you sure you want to bounce all messages in the queue? [N]> Y
Bouncing messages, please wait.
1000 messages bounced.

bvconfig

Description

Configure settings for Bounce Verification. Use this command to configure keys and invalid bounced emails.

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example

The following exampe shows key configuration and settings configured for invalid bounced emails.


mail3.example.com> bvconfig
Behavior on invalid bounces: reject
Key for tagging outgoing mail: key
Previously-used keys for verifying incoming mail:
        1. key (current outgoing key)
        2. goodneighbor (last in use Wed May 31 23:21:01 2006 GMT)
Choose the operation you want to perform:
- KEY - Assign a new key for tagging outgoing mail.
- PURGE - Purge keys no longer needed for verifying incoming mail.
- CLEAR - Clear all keys including current key.
- SETUP - Set how invalid bounces will be handled.
[]> key
Enter the key to tag outgoing mail with (when tagging is enabled in the Good
Neighbor Table)
[]> basic_key
Behavior on invalid bounces: reject
Key for tagging outgoing mail: basic_key
Previously-used keys for verifying incoming mail:
        1. basic_key (current outgoing key)
        2. key (last in use Wed May 31 23:22:49 2006 GMT)
        3. goodneighbor (last in use Wed May 31 23:21:01 2006 GMT)
Choose the operation you want to perform:
- KEY - Assign a new key for tagging outgoing mail.
- PURGE - Purge keys no longer needed for verifying incoming mail.
- CLEAR - Clear all keys including current key.
- SETUP - Set how invalid bounces will be handled.
[]> setup
How do you want bounce messages which are not addressed to a valid tagged
recipient to be handled?
1. Reject.
2. Add a custom header and deliver.
[1]> 1
Behavior on invalid bounces: reject
Key for tagging outgoing mail: basic_key
Previously-used keys for verifying incoming mail:
        1. basic_key (current outgoing key)
        2. key (last in use Wed May 31 23:22:49 2006 GMT)
        3. goodneighbor (last in use Wed May 31 23:21:01 2006 GMT)
Choose the operation you want to perform:
- KEY - Assign a new key for tagging outgoing mail.
- PURGE - Purge keys no longer needed for verifying incoming mail.
- CLEAR - Clear all keys including current key.
- SETUP - Set how invalid bounces will be handled.
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Configuring a new key and setting reject for invalid email bounces
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

deleterecipients

Description

Delete messages from the queue

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example

The appliance gives you various options to delete recipients depending upon the need. The following example show deleting recipients by recipient host, deleting by Envelope From Address, and deleting all recipients in the queue.

Delete by Recipient Domain

mail3.example.com> deleterecipients
Please select how you would like to delete messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 1
Please enter the hostname for the messages you wish to delete.
[]> example.com
Are you sure you want to delete all messages being delivered to "example.com"? [N]> Y
Deleting messages, please wait.
100 messages deleted.
Delete by Envelope From Address

mail3.example.com> deleterecipients
Please select how you would like to delete messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 2
Please enter the Envelope From address for the messages you wish to delete.
[]> mailadmin@example.com
Are you sure you want to delete all messages with the Envelope From address of "mailadmin@example.com"? [N]> Y
Deleting messages, please wait.
100 messages deleted.

Delete All


mail3.example.com> deleterecipients
Please select how you would like to delete messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 1
Are you sure you want to delete all messages in the queue? [N]> Y
Deleting messages, please wait.
1000 messages deleted.

deliveryconfig

Description

Configure mail delivery

Usage

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Example

In the following example, the deliveryconfig command is used to set the default interface to “Auto” with “Possible Delivery” enabled. The system-wide maximum outbound message delivery is set to 9000 connections.


mail3.example.com> deliveryconfig
Choose the operation you want to perform:
- SETUP - Configure mail delivery.
[]> setup
Choose the default interface to deliver mail.
1. Auto
2. AnotherPublicNet (192.168.3.1/24: mail4.example.com)
3. Management (192.168.42.42/24: mail3.example.com)
4. PrivateNet (192.168.1.1/24: mail3.example.com)
5. PublicNet (192.168.2.1/24: mail3.example.com)
[1]> 1
Enable "Possible Delivery" (recommended)?  [Y]> y
Please enter the default system wide maximum outbound message delivery
concurrency
[10000]> 9000
mail3.example.com>

delivernow

Description

Reschedule messages for immediate delivery. Users have the option of selecting a single recipient host, or all messages currently scheduled for delivery.

Usage

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Example


mail3.example.com> delivernow
Please choose an option for scheduling immediate delivery.
1. By recipient domain
2. All messages
[1]> 1
Please enter the recipient domain to schedule for delivery.
[]>foo.com
Scheduling all messages to foo.com for delivery.

destconfig

Formerly the setgoodtable command. The table is now called the Destination Control Table. Use this table to configure delivery limits for a specified domain.

Using the destconfig Command

The following commands are available within the destconfig submenu:

Table 7. destconfig Subcommands

Syntax

Description

SETUP

Change global settings.

NEW

Add new limits for a domain.

EDIT

Modify the limits for a domain.

DELETE

Remove the limits for a domain.

DEFAULT

Change the default limits for non-specified domains.

LIST

Display the list of domains and their limits.

DETAIL

Display the details for one destination or all entries.

CLEAR

Remove all entries from the table.

IMPORT

Imports a table of destination control entries from a .INI configuration file.

EXPORT

Exports a table of destination control entries to a .INI configuration file.

The destconfig command requires the following information for each row in the Destination Controls table.

  • Domain (recipient host)
  • Maximum simultaneous connections to the domain
  • Messages-per-connection limit
  • Recipient limit
  • System-wide or Virtual Gateway switch
  • Enforce limits per domain
  • Time period for recipient limit (in minutes)
  • Bounce Verification
  • Bounce profile to use for the domain

Sample Destination Control Table

The following table shows entries in a destination control table.

Table 8. Example Destination Control Table Entries

Domain

Conn. Limit

Rcpt. Limit

Min. Prd.

Enforce MX/DOM

(default)

500

None

1

Domain

Unlisted domains get their own set of 500 connections with unlimited rcpts/hr

(default)

500

None

1

MXIP

Mail gateways at unlisted domains get up to 500 connections, with unlimited rcpts/hr

partner.com

10

500

60

Domain

All gateways at partner.com will share 10 connections, with 500 rcpts/minute maximum

101.202.101.2