Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For details, see the inline help by typing the command: help ampconfig .

• Enabling File Reputation and File Analysis

• Selecting File Types for File Analysis

• Configure Email Security appliance to Use Public Cloud File Analysis Server

• (Public Cloud File Analysis Services Only) Configuring Appliance Groups

• Configure Email Security Appliance to Use an On-Premises File Analysis Server

• Configure Email Security Appliance to Use an On-Premises File Reputation Server

• Clearing Local File Reputation Cache

• Configuring Cache Expiry Period for File Reputation disposition values

• Suppressing File Retrospective Verdict Alerts

• Configuring Cisco AMP Threat Grid Clustering for File Analysis

mail.example.com> ampconfig

File Reputation: Disabled

Choose the operation you want to perform:

- SETUP - Configure Advanced-Malware protection service.

[]> setup

File Reputation: Disabled

Would you like to use File Reputation? [Y]>

Would you like to use File Analysis? [Y]> 

File types supported for File Analysis:

1. Microsoft Executables

Do you want to modify the file types selected for File Analysis? [N]>

Specify AMP processing timeout (in seconds)

[120]>

Advanced-Malware protection is now enabled on the system.

Please note: you must issue the 'policyconfig' command (CLI) or Mail

Policies (GUI) to configure advanced malware scanning behavior for

default and custom Incoming Mail Policies.

This is recommended for your DEFAULT policy.

File Reputation: Enabled

File Analysis: Enabled

File types selected for File Analysis:

1. Microsoft Executables

Choose the operation you want to perform:

- SETUP - Configure Advanced-Malware protection service.

- ADVANCED - Set values for AMP parameters (Advanced configuration).

- CLEARCACHE - Clears the local File Reputation cache.

[]>

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.sourcefire.com)
2. Private reputation cloud
[1]>
Enter cloud domain?
[cloud-domain.com]>
Do you want use the recommended analysis threshold from cloud service? [Y]>
Enter analysis threshold?
[50]>
Enter heartbeat interval?
[15]> 
Do you want to enable SSL communication (port 443) for file reputation? [N]> 
Do you want to suppress the verdict update alerts for all messages that are 
not delivered to the recipient? [N]>
Choose a file analysis server:
1. AMERICAS (https://americas-fa.com)
2. Private Cloud
[1]>
...

In order to allow all content security appliances in your organization to view file analysis result details in the cloud for files sent for analysis from any appliance in your organization, you need to join all appliances to the same appliance group.

For more information, see the “File Reputation Filtering and File Analysis” chapter in the user guide.

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> setgroup
Does your organization have multiple Cisco Email, Web, and/or Content Security Management appliances? [N]> Y
Do you want this appliance to display detailed analysis reports for files uploaded to the cloud from other appliances in your organization, 
and vice-versa? 
[Y]> Enter an Analysis Group name. This name is case-sensitive and must be configured identically on each appliance in the Analysis Group.
[]> FA_Reporting
Registration is successful with the group name. This does not require commit
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: FA_Reporting
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- VIEWGROUP - view the group members details.
- CLEARCACHE - Clears the local File Reputation cache.
[]>

Note	After you configure an appliance group, you cannot use the setgroup subcommand. If you want to need to modify the group for any reason, you must open a case with Cisco TAC.You can view the details of the appliance group using the viewgroup subcommand.

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]>
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.sourcefire.com)
2. Private reputation cloud
[1]> 
Enter cloud domain?
[a.immunet.com]>
Do you want use the recommended analysis threshold from cloud service? [Y]> 
Enter analysis threshold?
[50]>
Enter heartbeat interval?
[15]> 
Do you want to enable SSL communication (port 443) for file reputation? [N]> 
Do you want to suppress the verdict update alerts for all messages that are 
not delivered to the recipient? [N]>
Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. Private Cloud
[1]> 2
Enter file analysis server url?
[]> https://mycloud.example.com
Certificate Authority:
1. Use Cisco Trusted Root Certificate List
2. Paste certificate to CLI
[1]>
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]>

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced
Enter cloud query timeout?
[15]> 
Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.domain.com)
2. Private reputation cloud
[1]> 2
Enter AMP reputation server hostname or IP address?
[]> myamp.domain.com
Paste the public key followed by a . on a new line
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0
FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/
3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
-----END PUBLIC KEY-----
.
Enter cloud domain?
[immunet.com]> 
Do you want use the recommended analysis threshold from cloud service? [Y]> 
Enter heartbeat interval?
[15]> 
Do you want to enable SSL communication (port 443) for file reputation? [N]> 
Choose a file analysis server:
1. AMERICAS (https://threatgrid.com)
2. Private analysis cloud
[1]> 
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CLEARCACHE - Clears the local File Reputation cache.
[]> 

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> cachesettings
Choose the operation you want to perform:
- MODIFYTIMEOUT - Configure the cache expiry period based on File Reputation disposition.
- CLEARCACHE - Clears the local File Reputation cache.
[]>clearcache

In the following example, the modifytimeout sub command is used to configure the cache expiry period for malicious files.

Note	The cache expiry period must be a value from 15 minutes to 7 days.

mail.example.com> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
    Microsoft Windows / DOS Executable
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> cachesettings
Choose the operation you want to perfrom:
- MODIFYTIMEOUT - Configure the cache expiry period based on File Reputation disposition.
- CLEARCACHE - Clears the local File Reputation cache.
[]> modifytimeout
Choose the operation you want to perform:
- CLEAN - Configure the cache expiry period for clean files.
- MALICIOUS - Configure the cache expiry period for malicious files.
- UNKNOWN - Configure the cache expiry period for unknown files.
[]> malicious
Specify the cache expiry period for this file disposition (use 'd' for days, 'h' for hours, or 'm' for minutes). If you 
specify a value without a unit, it is always treated as days.
[1d]> 5d

mail.example.com> ampconfig

File Reputation: Enabled
File Analysis: Enabled
Appliance Group ID/Name: Not part of any group yet

Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- SETGROUP - Add this appliance to the group of appliances that can share File
Analysis reporting details.
- CACHESETTINGS - Configure the cache settings for AMP.
[]> advanced

Enter cloud query timeout?
[15]>

Choose a file reputation server:
1. AMERICAS (cloud-sa.amp.cisco.com)
2. AMERICAS(Legacy) (cloud-sa.amp.sourcefire.com)
3. Private reputation cloud
[1]>

Do you want use the recommended analysis threshold from cloud service? [Y]>

Enter heartbeat interval?
[15]>

Do you want to enable SSL communication (port 443) for file reputation? [N]>

Do you want to suppress the verdict update alerts for all messages that are not
delivered to the recipient? [N]>

Choose a file analysis server:
1. AMERICAS (https://panacea.threatgrid.com)
2. Private analysis cloud
[1]> 2

There are no private analysis servers configured.

Choose the operation you want to perform:
- NEW - Configure a new private analysis server.
[]> new

Enter the file analysis server hostname or IP or URL.
[]> 192.1.10.20

Serial Number      Private Analysis Server
-----------------------------------
1                   192.1.10.20

Choose the operation you want to perform:
- ADD - Add a new private analysis server to the cluster.
- EDIT - Edit a private analysis server in the cluster.
- DELETE - Delete a private analysis server from the cluster.
[]> add

Enter the new private analysis server hostname or IP address or URL to the
cluster.
[]> 192.1.10.30

Serial Number      Private Analysis Server
-----------------------------------
1                  192.1.10.20
2                  192.1.10.30

Choose the operation you want to perform:
- ADD - Add a new private analysis server to the cluster.
- EDIT - Edit a private analysis server in the cluster.
- DELETE - Delete a private analysis server from the cluster.
[]>

Display the version of various Advanced Malware Protection (file reputation and analysis) components.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> ampstatus
Component                           Version    Last Updated
AMP Client Settings                 1.0        Never updated
AMP Client Engine                   1.0        Never updated

Configure anti-spam policy.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

The following examples demonstrates the configuration for Anti-Spam functionality.

mail3.example.com> antispamconfig

IronPort Anti-Spam scanning: Disabled
Choose the operation you want to perform:
- SETUP - Edit IronPort Anti-Spam settings.
[]> setup
IronPort Anti-Spam scanning: Disabled
Would you like to use IronPort Anti-Spam scanning? [Y]> y
The IronPort Anti-Spam License Agreement is displayed (if you have not already accepted it).
Do you accept the above IronPort Anti-Spam license agreement? []> Y
Increasing the following size settings may result in decreased performance. Please consult documentation for size 
recommendations based on your environment.
Never scan message larger than: (Add a trailing K for kilobytes, M for megabytes, or no letters for bytes.)
[1M]>
Always scan message smaller than: (Add a trailing K for kilobytes, M for megabytes, or no letters for bytes.)
[512K]>
Please specify the IronPort Anti-Spam scanning timeout (in seconds)
[60]>
Choose Scanning Profile
1. Normal - Scanning profile used to block spam with small potential for false positives.
2. Aggressive - Scanning profile used to block spam that has more impact on spam detection than the Normal profile with a larger potential for false positives.
3. Regional (China) - Scanning profile similar to a Normal profile that provides benefit to detect spam in regional languages.
If you have changed the global scanning profile settings, you must review the Anti-Spam policy thresholds (Mail Policies > Incoming/Outgoing Mail Policies > Anti-Spam)
to produce satisfactory results.
If you have changed the scanning profile setting from Normal to Aggressive, you need to reset the mail policy threshold values to the default values to avoid 
undesirable false positives. 
For Aggressive scanning profile, it is recommended to tune the policy threshold values to smaller increments compared to the threshold values of the 
Normal scanning profile.
IronPort Anti-Spam scanning is now enabled on the system. 
Please note: You must issue the policyconfig command or Mail Policies (GUI) to configure Cisco IronPort scanning behavior for default and custom policies. 
This is recommended for your DEFAULT policy. 
IronPort Anti-Spam scanning: Enabled
Choose the operation you want to perform:
- SETUP - Edit IronPort Anti-Spam settings.
[]>

Display anti-spam status.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> antispamstatus
Choose the operation you want to perform:
- IRONPORT - Display IronPort Anti-Spam version and rule information.

- MULTISCAN - Display Intelligent Multi-Scan version and rule information.
[]> ironport
  Component              Last Update                  Version
 CASE Core Files        Never updated                3.4.0-013
 CASE Utilities         Never updated                3.4.0-013
 Structural Rules       Never updated 3.3.1-009-20141210_214201
 Web Reputation DB      Never updated                20141211_111021
 Web Reputation Rules   Never updated 20141211_111021-20141211_170330
 Content Rules          Never updated                unavailable
 Content Rules Update   Never updated                unavailable
Last download attempt made on: Never

Manually request an immediate update of Anti-Spam rules and related CASE components. This also includes the Anti-Spam rules and CASE components used by Intelligent Multi-Scan (IMS), but not for the third-party anti-spam engines used by IMS.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

mail3.example.com> antispamupdate
Choose the operation you want to perform:
- MULTISCAN - Request updates for Intelligent Multi-Scan
- IRONPORT - Request updates for IronPort Anti-Spam

[]> ironport
Requesting check for new CASE definitions

Configure the Cisco Intelligent Multi-Scan (IMS) and Graymail Detection and Safe Unsubscribe settings.

Note

To configure the threshold for message scanning by Cisco Intelligent Multi-Scan and Graymail Detection and Safe Unsubscribing, use the imsandgraymailconfig > globalconfig sub command. These global configuration settings are common for both Cisco Intelligent Multi-Scan and Graymail Detection and Safe Unsubscribing. To configure policy settings for graymail detection and safe unsubscribing, use the policyconfig command. For more information, see Create an Incoming Policy to Drop the Messages Identified as Bulk Email or Social Network Email.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format for graymail configuration. For more details, see the inline help by typing the command: help imsandgraymailconfig.

The following examples demonstrates the configurations for Graymail Detection and Safe Unsubscribing and Intelligent Multi-Scan.

mail3.example.com> imsandgraymailconfig

Choose the operation you want to perform:
- GRAYMAIL - Configure Graymail Detection and Safe Unsubscribe settings
- MULTISCAN - Configure IronPort Intelligent Multi-Scan.
- GLOBALCONFIG - Common Global Configuration settings
[]> graymail
Graymail Detection: Disabled

Choose the operation you want to perform:
- SETUP - Configure Graymail.
[]> setup
Would you like to use Graymail Detection? [Y]> y

Would you like to enable automatic updates for Graymail engine? [Y]> y

Graymail Safe Unsubscribe: Disabled
Would you like to use Graymail Safe Unsubscribe? [Y]> y

Graymail Detection and Safe Unsubscribe is now enabled. Please note: The global settings are recommended only for your DEFAULT mail policy. To configure policy settings, use the incoming 
or outgoing policy page on web interface or the 'policyconfig' command in CLI.

[]> multiscan
IronPort Intelligent Multi-Scan: Disabled

Choose the operation you want to perform:
- SETUP - Edit Intelligent Multi-Scan settings.
[]> setup

IronPort Intelligent Multi-Scan scanning: Disabled
Would you like to use IronPort Intelligent Multi-Scan scanning? [Y]> y
Would you like to enable regional scanning? [N]> n

Intelligent Multi-Scan scanning is now enabled on the system. Please note: you must issue the 'policyconfig' command (CLI) or Mail Policies (GUI) to configure
Intelligent Multi-Scan scanning behavior for default and custom Incoming and Outgoing Mail Policies. This is recommended for your DEFAULT policy.

IronPort Intelligent Multi-Scan: Enabled

[]> globalconfig

Choose the operation you want to perform:
- SETUP - Configure Common Global settings
[]> setup

Increasing the following size settings may result in decreased performance. 
Please consult documentation for size recommendations based on your environment.

Never scan message larger than: (Add a trailing K for kilobytes, 
M for megabytes, or no letters for bytes.)
[1M]>

Always scan message smaller than: (Add a trailing K for kilobytes, 
M for megabytes, or no letters for bytes.)
[512K]>

Timeout for Scanning Single Message(in seconds):
[60]>
[]>

Display the details of the existing graymail rules.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

mail.example.com> graymailstatus
Component            Version         Last Updated
Graymail Engine      01.378.53       Never Updated
Graymail Rules       01.378.53#15    Never updated
Graymail Tools       1.0.03          Never updated

Manually request update of the graymail rules.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

mail.example.com> graymailupdate

Requesting check for new Graymail updates.

Use the incomingrelayconfig command to enable and configure the Incoming Relays feature. In the following examples, the Incoming Relays feature is first enabled, and then two relays are added, one is modified, and one is deleted.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

Configure End-User Safelist/Blocklist.

Note	Safelists/Blocklists must be enabled on the appliance via the GUI in order to run this command.

Commit: This command does not require a ‘commit’.

Batch Command: This command supports a batch format.

Replaces all entries in the End-User Safelist/Blocklist with entries present in the specified file.

slblconfig import <filename> <ignore invalid entries>

• filename - Name of the file that has to be imported. The file must be in the /configuration directory on the appliance.
• ignore invalid entries - Whether to ignore invalid entries or not. Either 'Yes' or 'No.'

Exports all entries in the End-User Safelist/Blocklist to a file the appliance.

slblconfig export

The appliance saves a .CSV file to the /configuration directory using the following naming convention:

slbl<timestamp><serial number>.csv.

mail.example.com> 
slblconfig
End-User Safelist/Blocklist: Enabled
Choose the operation you want to perform:
- IMPORT - Replace all entries in the End-User Safelist/Blocklist.
- EXPORT - Export all entries from the End-User Safelist/Blocklist.
[]> 
import
Currently available End-User Safelist/Blocklist files:
1. slbl.csv
Choose the file to import from.
[1]> 
1
Do you want to ignore invalid entries? [Y]> 
Y
End-User Safelist/Blocklist import has been initiated...
Please wait while this operation executes.
End-User Safelist/Blocklist successfully imported.
Choose the operation you want to perform:
- IMPORT - Replace all entries in the End-User Safelist/Blocklist.
- EXPORT - Export all entries from the End-User Safelist/Blocklist.
[]> 

Configure anti-virus policy.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, the antivirusconfig command is used to enable Sophos virus scanning on the system and set the time-out value to 60 seconds. To configure the update server, update interval, and optional proxy server, see updateconfig.

Note	The first time you invoke the antivirusconfig command, you may be presented with a license agreement, if you did not accept the license during the systemsetup command. If you do not accept the license agreement, the Sophos virus scanning engine will not be enabled on the appliance.

mail3.example.com> antivirusconfig

Choose the operation you want to perform:
- SOPHOS - Configure Sophos Anti-Virus.
- MCAFEE - Configure McAfee Anti-Virus.
[]> sophos

Sophos Anti-Virus: Disabled

Choose the operation you want to perform:

- SETUP - Configure Sophos Anti-Virus.

[]> setup

Sophos Anti-Virus scanning: Disabled

Would you like to use Sophos Anti-Virus scanning? [Y]> y

(First time users see the license agreement displayed here.)

Please specify the Anti-Virus scanning timeout (in seconds)
[60]> 60

Would you like to enable automatic updates for Sophos engine? [Y] > Y

Sophos Anti-Virus scanning is now enabled on the system.

Please note: you must issue the 'policyconfig' command (CLI) or Mail
Policies (GUI) to configure Sophos Anti-Virus scanning behavior for default and custom Incoming and Outgoing Mail Policies.
This is recommended for your DEFAULT policy.

Sophos Anti-Virus: Enabled
Choose the operation you want to perform:

- SETUP - Configure Sophos Anti-Virus.
[]>

AsyncOS provides detailed status on the specific anti-virus signature files (IDE files) that have been downloaded by the appliance. You can access these details using the antivirusconfig -> detail subcommand. For example:

mail3.example.com> antivirusconfig
Choose the operation you want to perform:
- SOPHOS - Configure Sophos Anti-Virus.
- MCAFEE - Configure McAfee Anti-Virus.
[]> sophos
Sophos Anti-Virus: Enabled
Choose the operation you want to perform:
- SETUP - Configure Sophos Anti-Virus.
- STATUS - View Sophos Anti-Virus status.
- DETAIL - View Sophos Anti-Virus detail.
[]> detail
Sophos Anti-Virus:
Product - 3.87
Engine - 2.25.0
Product Date - 01 Nov 2004
Sophos IDEs currently on the system:
   'Mkar-E.Ide'           Virus Sig. - 23 Dec 2004 01:24:02
   'Rbot-Sd.Ide'          Virus Sig. - 22 Dec 2004 19:10:06
   'Santy-A.Ide'          Virus Sig. - 22 Dec 2004 06:16:32
   'Bacbanan.Ide'         Virus Sig. - 21 Dec 2004 18:33:58
   'Rbot-Sb.Ide'          Virus Sig. - 21 Dec 2004 14:50:46
   'Rbotry.Ide'           Virus Sig. - 21 Dec 2004 06:13:40
   'Sdbot-Si.Ide'         Virus Sig. - 20 Dec 2004 20:52:04
   'Oddbob-A.Ide'         Virus Sig. - 19 Dec 2004 23:34:06
   'Rbot-Rw.Ide'          Virus Sig. - 19 Dec 2004 00:50:34
   'Wortd.Ide'            Virus Sig. - 18 Dec 2004 07:02:44
   'Delf-Jb.Ide'          Virus Sig. - 17 Dec 2004 22:32:08
[...command continues...]

Display Anti-Virus status.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> antivirusstatus
Choose the operation you want to perform:
- MCAFEE - Display McAfee Anti-Virus version information
- SOPHOS - Display Sophos Anti-Virus version information
[]> sophos
    SAV Engine Version        3.85
    IDE Serial                2004101801
 Engine Update        Mon Sep 27 14:21:25 2004
    Last IDE Update           Mon Oct 18 02:56:48 2004
    Last Update Attempt       Mon Oct 18 11:11:44 2004
    Last Update Success       Mon Oct 18 02:56:47 2004

Manually update virus definitions.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

mail3.example.com> antivirusupdate
Choose the operation you want to perform:
- MCAFEE - Request updates for McAfee Anti-Virus
- SOPHOS - Request updates for Sophos Anti-Virus
[]> sophos
Requesting update of virus definitions
mail3.example.com>

Commit changes. Entering comments after the commit command is optional.

Commit: N/A

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> commit
Please enter some comments describing your changes:
[]> Changed "psinet" IP Interface to a different IP ad dress
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

Display detailed information about the last commit.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> commitdetail
Commit at Mon Apr 18 13:46:28 2005 PDT with comments: "Enabled loopback".
mail3.example.com>

The clear command clears any configuration changes made since the last commit or clear command was issued.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

mail3.example.com> clear
Are you sure you want to clear all changes since the last commit?  [Y]> y
Changes cleared: Mon Jan 01 12:00:01 2003
mail3.example.com>

The help command lists all available CLI commands and gives a brief description of each command. The help command can be invoked by typing either help or a single question mark ( ? ) at the command prompt.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

mail3.example.com> help
Displays the list of all available commands.

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> rollbackconfig
Previous Commits:
    Committed On                  User                Description
---------------------------------------------------------------------------------
1. Fri May 23 06:53:43 2014      admin               new user
2. Fri May 23 06:50:57 2014      admin               rollback
3. Fri May 23 05:47:26 2014      admin
4. Fri May 23 05:45:51 2014      admin               edit user
Enter the number of the config to revert to.
[]> 2
Are you sure you want to roll back the configuration? [N]> y
Reverted to Fri May 23 06:50:57 2014      admin               rollback
Do you want to commit this configuration now? [N]> y
Committed the changes successfully

The quit command logs you out of the CLI application. Configuration changes that have not been committed are cleared. The quit command has no effect on email operations. Logout is logged into the log files. (Typing exit is the same as typing quit.)

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

mail3.example.com> quit
Configuration changes entered but not committed.  Exiting will lose changes.
Type 'commit' at the command prompt to commit changes.
Are you sure you wish to exit?  [N]> Y

Load a configuration file.

Note	Loading configuration on clustered machines is supported only using GUI. For instructions, see User Guide for AsyncOS for Cisco Email Security Appliances .

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

In this example, a new configuration file is imported from a local location.

mail3.example.com> loadconfig
1. Paste via CLI
2. Load from file
[1]> 2
Enter the name of the file to import:
[]> changed.config.xml
Values have been loaded.
Be sure to run "commit" to make these settings active.
mail3.example.com> commit
Please enter some comments describing your changes:
[]> loaded new configuration file
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

In this example, a new configuration file is pasted directly at the command line. (Remember to type Control-D on a blank line to end the paste command.) Then, the system setup wizard is used to change the default hostname, IP address, and default gateway information. Finally, the changes are committed.

mail3.example.com> loadconfig
1. Paste via CLI
2. Load from file
[1]> 1
Paste the configuration file now.
Press CTRL-D on a blank line when done.
[The configuration file is pasted until the end tag 
</config>
. Control-D is entered on a separate line.] 
Values have been loaded.
Be sure to run "commit" to make these settings active.
mail3.example.com> systemsetup
[The system setup wizard is run.]
mail3.example.com> commit
Please enter some comments describing your changes:
[]> pasted new configuration file and changed default settings via 
systemsetup 
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

To test the configuration, you can use the mailconfig command immediately to send a test email containing the system configuration data you just created with the systemsetup command.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

mail.example.com> mailconfig
Please enter the email address to which you want to send the configuration file.
Separate multiple addresses with commas.
[]> user@example.com
Choose the passphrase option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using loadconfig command)
2. Encrypt passphrases
3. Plain passphrases
[1]> 2
The configuration file has been sent to user@example.com.

Send the configuration to a mailbox to which you have access to confirm that the system is able to send email on your network.

Note	For enhanced security, if encryption of sensitive data in the appliance is enabled in fipsconfig command, you cannot use Plain passwords option.

When physically transferring the appliance, you may want to start with factory defaults. The r esetconfig command resets all configuration values to factory defaults. This command is extremely destructive, and it should only be used when you are transferring the unit or as a last resort to solving configuration issues. It is recommended you run the systemsetup command after reconnecting to the CLI after you have run the resetconfig command.

Note

The resetconfig command only works when the appliance is in the offline state. When the resetconfig command completes, the appliance is automatically returned to the online state, even before you run the systemsetup command again. If mail delivery was suspended before you issued the resetconfig command, the mail will attempt to be delivered again when the resetconfig command completes.

DANGER

The resetconfig command will return all network settings to factory defaults, potentially disconnecting you from the CLI, disabling services that you used to connect to the appliance (FTP, Telnet, SSH, HTTP, HTTPS), and even removing additional user accounts you created with the userconfig command. Do not use this command if you are not able to reconnect to the CLI using the Serial interface or the default settings on the Management port through the default Admin user account.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto). This command requires access to the local file system.

Batch Command: This command does not support a batch format.

mail3.example.com> suspend
Delay (seconds, minimum 30):
[30]> 45
Waiting for listeners to exit...
Receiving suspended.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
mail3.example.com> 
resetconfig
Are you sure you want to reset all configuration values? [N]> Y
All settings have been restored to the factory default.

The saveconfig command saves the configuration file with a unique filename to the configuration directory.

Note	If you are on a clustered environment, this command saves the complete cluster configuration. To run this command on a clustered machine, change your configuration mode to cluster.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

In the following example, the passphrases in the configuration file is encrypted and saved in the configuration directory.

mail.example.com> saveconfig
Choose the passphrase option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using loadconfig command)
2. Encrypt passphrases

[1]> 2
File written on machine "mail.example.com" to the location
"/configuration/C100V-4232116C4E14C70C4C7F-7898DA3BD955-20140319T050635.xml".
Configuration saved.

Note	For enhanced security, if encryption of sensitive data in the appliance is enabled in fipsconfig command, you cannot use Plain passwords option.

The showconfig command prints the current configuration to the screen.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

In the following example, the configuration is displayed on CLI and the passphrases in the configuration are encrypted.

mail.example.com> showconfig
Choose the passphrase display option:
1. Mask passphrases (Files with masked passphrases cannot be loaded using loadconfig command)
2. Encrypt passphrases
3. Plain passphrases
[1]> 2
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE config SYSTEM "config.dtd">
<!--
  Product: Cisco C100V Email Security Virtual Appliance
  Model Number: C100V
  Version: 9.0.0-038
  Serial Number: 4232116C4E14C70C4C7F-7898DA3BD955
  Number of CPUs: 2
  Memory (MB): 6144
  Current Time: Wed Mar 19 05:30:05 2014
-->
<config>
<!--
******************************************************************************
*                           Network Configuration                            *
******************************************************************************
-->[The remainder of the configuration file is printed to the screen.]

Note	For enhanced security, if encryption of sensitive data in the appliance is enabled in fipsconfig command, you cannot use Plain passwords option.

The threatfeedconfig command is used to

• Enable the ETF engine on your Cisco Email Security Gateway.

• Configure an ETF source on your Cisco Email Security Gateway.

Commit: This command requires a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, you can use the setup subcommand to enable the ETF engine on your Cisco Email Security Gateway.

mail.example.com> threatfeedconfig

Choose the operation you want to perform:
- SETUP - Configure External Threat Feeds.
- SOURCECONFIG - Configure an external threat feed source.

[]> setup
External Threat Feeds: Enabled
Would you like to use External Threat Feeds? [Y]> yes
Do you want to add a custom header to the message in the case of an External Threat Feeds Lookup Failure? [N]> yes
Enter the header name:
[X-IronPort-ETF-Lookup-Failure]>

Enter the header content:
[true]> 
Choose the operation you want to perform:
- SETUP - Configure External Threat Feeds.
- SOURCECONFIG - Configure an external threat feed source.

[]>

In the following example, you can use the sourceconfig subcommand to add an ETF source on your Cisco Email Security Gateway.

mail.example.com > threatfeedconfig
Choose the operation you want to perform:
- SOURCECONFIG - Configure an external threat feed source.
[]> sourceconfig
Choose the operation you want to perform:
- ADD - Add a Source.
- LIST - List out all the sources.
- DETAIL - Get detailed information about a source.
- EDIT - Edit a source.
- SUSPEND - Suspend a source.
- RESUME - Resume a source.
- DELETE - Delete a source.
[]> add
Choose the operation you want to perform:
- POLL URL - Add an external threat feed source using the polling path and collection name.
[]> poll url
Enter a name for the external threat feed source:
[]> test_source
Enter a description for the external threat feed source (optional):
[]> test_source
Enter the host name for the external threat feed source:
[]> hailataxii.com
Enter the polling path for the external threat feed source:
[]> /taxii-data
Enter the collection name for the external threat feed source:
[]> guest.Abuse_ch
Enter the polling interval:
The polling interval can be an alphanumeric value that consists of a combination of
minutes, hours, or days followed by 'm','h' or 'd' suffixes. The numeric
values that are not entered with a suffix are considered as minutes by default. The
minimum value is 15 minutes.
[60m]> 30

Enter the age of the threat feed:
The value for the age must be between 1 and 365 days. Enter the age of the threat feed
that you want to fetch from the TAXII server. For example, if the age
is 30 days, the appliance fetches all threat feeds whose age is up to 30 days only.
[30]> 20

Enter the time span for each poll segment:
The age of threat feeds for a poll can be split into different poll segments based 
on the time span entered. 
The minimum time span for a poll segment is 1 day. The maximum time span for a 
poll segment is the value entered in the 'Age of Threat Feeds' field.
For example, if the age of the threat feeds is 30 days and the TAXII server has a fixed limit on 
the age of threat feeds (for example, '20 days'), enter the fixed limit, which must be less than 
the age of the threat feeds configured on your appliance.
[30]> 5

Do you want to use HTTPS? [Y]> yes
Enter the polling port:
[443]> 443
Do you want to use a proxy server for the threat feed source? [N]> no
Do you want to configure user credentials for the external threat feed source? [Y]> no
test_source successfully added.

The threatfeedstatus command is used to display the current version of the ETF engine.

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, you can use the threatfeedstatus command to view the current version of the ETF engine.

mail.example.com> threatfeedstatus
Component                      Version            Last Updated
External ThreatFeeds           1.0.0-0000001      2 Jul 2018 04:22 (GMT +00:00)

The threatfeedupdate command is used to manually update the ETF engine.

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, you can use the threatfeedupdate command to manually update the ETF engine.

mail.example.com > threatfeedupdate

Requesting check for new External Threat Feeds updates.

The clusterconfig command is used to configure cluster-related settings. If this machine is not part of a cluster, running clusterconfig will give you the option of joining a cluster or creating a new cluster.

The clusterconfig command provides additional subcommands:

Non-Cluster Commands

The following commands are available when you are not in a cluster.

• clusterconfig new <name> — This will create a new cluster with the given name. This machine will be a member of this cluster and a member of a default cluster group called "Main Group".

  <name> - The name of the new cluster.

• clusterconfig join [--port=xx] <ip_of_remote_cluster> [<admin_password>]<groupname> — This will add this machine to a cluster.

  where:

  <ip_of_remote_cluster> - The IP address of another machine in the cluster.

  <admin_password > - The admin password of the cluster. This should not be

  specified if joining over CCS.

  <groupname> - The name of the group to join.

  <port> - The port of the remote machine to connect to (defaults to 22).

• clusterconfig prepjoin print

  This will display the information needed to prepare the joining of this machine to a cluster over a CCS port.

Cluster Commands

The following commands are available when you are in a cluster.

• clusterconfig addgroup <groupname> — Creates a new cluster group. The group starts off with no members.
• clusterconfig renamegroup <old_groupname> <new_groupname> — Change the name of a cluster group.

• clusterconfig deletegroup <groupname> [new_groupname] — Remove a cluster group.

  <groupname> - Name of the cluster group to remove.

  <new_groupname> - The cluster group to put machines of the old group into.

• clusterconfig setgroup <machinename> <groupname> — Sets (or changes) which group a machine is a member of.

  <machinename > - The name of the machine to set.

  <groupname> - The group to set the machine to.

• clusterconfig removemachine <machinename> — Remove a machine from the cluster.
• clusterconfig setname <name> — Changes the name of the cluster to the given name.
• clusterconfig list — Display all the machines currently in the cluster.
• clusterconfig connstatus — Display all the machines currently in the cluster and add routing details for disconnected machines.

• clusterconfig disconnect <machinename> — This will temporarily detach a machine from the cluster.

  <machinename> - The name of the machine to disconnect.

• clusterconfig reconnect <machinename> - This will restore connections with machines that were detached with the “disconnect” command.

• clusterconfig prepjoin new <serial_number> <hostname> <user_key> — This will add a new host that is to join the cluster over the CCSport.

  <serial_number> - The serial number of the machine being added.

  <hostname> - The host name of the machine being added.

  <user_key> - The SSH user key from the "prepjoin print" command from the joining machine.

• clusterconfig prepjoin delete <serial_number|hostname> — This will remove a host that was previously indicated to be added from the "prepjoin new" command. This is only necessary to be used if you later decide not to add the host. When a host is successfully added to the cluster, its prepjoin information is automatically removed.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to cluster mode.

Batch Command: This command does not support a batch format.

For an explanation of the clusterconfig command and its uses, see User Guide for AsyncOS for Cisco Email Security Appliances .

Commit: This command does not require a ‘commit’.

Cluster Management: This command is can be used at cluster, group or machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> dlpstatus

Component 								     Version    Last Updated
DLP Engine            3.0.2.31   Never updated

Update DLP Engine.

Note	DLP must already be configured via the DLP Global Settings page in the GUI before you can use the dlpupdate command.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is can be used at cluster, group or machine mode.

Batch Command: This command supports a batch format.

The batch format of the dlpupdate command forces an update of the DLP engine even if no changes are detected.

dlpupdate [force]

mail.example.com> dlpupdate

Checking for available updates. This may take a few seconds..

Could not check for available updates. Please check your Network and Service Updates settings and retry.

Choose the operation you want to perform:

- SETUP - Enable or disable automatic updates for DLP Engine.

[]> setup

Automatic updates for DLP are disabled

Do you wish to enable automatic updates for DLP Engine? [N]> y

Choose the operation you want to perform:

- SETUP - Enable or disable automatic updates for DLP Engine.

[]>

The domainrepconfig command is used to create a Domain Exception List.

Commit: This command requires a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help domainrepconfig.

In the following example, you can use the domainrepconfig command to create a Domain Exception List.

mail.example.com> domainrepconfig

Would you like to configure an exception list for Sender Domain Reputation and 
External Threat Feeds functionality? [N]> yes

Select the domain only address list to to be used for Sender Domain Reputation 
and External Threat Feeds functionality

1. addr_list

[1]> 1

Configure S/MIME settings such as sending profiles, managing public keys, and so on.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

• Creating a Sending Profile for Signing and Encryption
• Adding a Public Key for Encryption

Configure DomainKeys/DKIM support.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

Note	For enhanced security, if encryption of sensitive data in the appliance is enabled in FIPS mode, you will not be able view the private key. If you intend to edit the private key, you can enter an existing private key or generate a new private key.

The batch format of the domainkeysconfig command can be used to create, edit, or delete signing profiles

• Adding a DomainKeys/DKIM signing profile:

  domainkeysconfig profiles signing new <name> <type> <domain> <selector> <user-list> [options]

• Editing a signing profile:

  domainkeysconfig profiles signing edit <name> [signing-profile-options]

Signing profile options:

• rename <name>
• domain <domain>
• selector <selector>
• canonicalization <canon>
• canonicalization <header_canon> <body_canon>
• key <key_name>
• bodylength <body_length>
• headerselect <header_select>
• customheaders <custom_headers>
• itag <i_tag> [<agent_identity>]
• qtag <q_tag>
• ttag <t_tag>
• xtag <x_tag> [<expiration_time>]
• ztag <z_tag>
• new <user-list>
• delete <user-list>
• print
• clear

• Delete a signing profile:

  domainkeysconfig profiles signing delete <name>

• Show a list of signing profiles:

  domainkeysconfig profiles signing list

• Print the details of a signing profile:

  domainkeysconfig profiles signing print <name>

• Test a signing profile:

  domainkeysconfig profiles signing test <name>

• Import a local copy of your signing profiles:

  domainkeysconfig profiles signing import <filename>

• Export a copy of your signing profile from the appliance:

  domainkeysconfig profiles signing export <filename>

• Delete all the signing profiles from the appliance:

  domainkeysconfig profiles signing clear

• Create a new DKIM verification profile:

  domainkeysconfig profiles verification new <name> <verification-profile-options>

• Edit a verification profile:

  domainkeysconfig profiles verification edit <name> <verification-profile-options>

• Delete a verification profile:

  domainkeysconfig profiles verification delete <name>

• Print details of an existing verification profile:

  domainkeysconfig profiles verification print <name>

• Display a list of existing verification profiles:

  domainkeysconfig profiles verification list

• Import a file of verification profiles from a local machine:

  domainkeysconfig profiles verification import <filename>

• Export the verification profiles from the appliance:

  domainkeysconfig profiles verification export <filename>

• Delete all existing verification profiles from the appliance:

  domainkeysconfig profiles verification clear

• Create a new signing key:

  domainkeysconfig keys new <key_name> <key-options>

• Edit a signing key:

  domainkeysconfig keys edit <key_name> key <key-options>

• Rename an existing signing key:

  domainkeysconfig keys edit <key_name> rename <key_name>

• To specify a public key:

  domainkeysconfig keys publickey <key_name>

• Delete a key:

  domainkeysconfig keys delete <key_name>

• Display a list of all signing keys:

  domainkeysconfig keys list

• Display all information about a specify signing key:

  domainkeysconfig keys print <key_name>

• Import signing keys from a local machine:

  domainkeysconfig keys import <filename>

• Export signing keys from the appliance:

  domainkeysconfig keys export <filename>

• Delete all signing keys on the appliance:

  domainkeysconfig keys clear

• Search for a profile signing key:

  domainkeysconfig search <search_text>

• Modify global settings for Domain Keys/DKIM on your appliance:

  domainkeysconfig setup <setup_options>

The option available is:

• --sign_generated_msgs - Specify whether to sign system-generated messages. Possible values are yes or no .

mail3.example.com> domainkeysconfig
Number of DK/DKIM Signing Profiles: 1
Number of Signing Keys: 1
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]> profiles
Choose the operation you want to perform:
- SIGNING - Manage signing profiles.
- VERIFICATION - Manage verification profiles.
[]> signing
There are currently 1 domain profiles defined.
Choose the operation you want to perform:
- NEW - Create a new domain profile.
- EDIT - Modify a domain profile.
- DELETE - Delete a domain profile.
- PRINT - Display domain profiles.
- LIST - List domain profiles.
- TEST - Test if a domain profile is ready to sign.
- DNSTXT - Generate a matching DNS TXT record.
- IMPORT - Import domain profiles from a file.
- EXPORT - Export domain profiles to a file.
- CLEAR - Clear all domain profiles.
[]> dnstxt
Enter the name or number of a domain profile.
1. Example
[1]>
The answers to the following questions will be used to construct DKIM text
record for DNS.  It can be used to publish information about this profile.
Do you wish to constrain the local part of the signing identities
("i=" tag of "DKIM-Signature" header field) associated with this
domain profile? [N]>
Do you wish to include notes that may be of interest to a human (no
interpretation is made by any program)? [N]>
The "testing mode" can be set to specify that this domain is testing DKIM and
that unverified email must not be treated differently from verified email.
Do you want to indicate the "testing mode"? [N]>
Do you wish to disable signing by subdomains of this domain? [N]>
The DKIM DNS TXT record is:
test._domainkey.example.com. IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDX5dOG9J8rXreA/uPtYr5lrCTCqR+qlS5Gm
1f0OplAzSuB2BvOnxZ5Nr+se0T+k7mYDP0FSUHyWaOvO+kCcum7fFRjS3EOF9gLpbIdH5vzOCKp/w7hdjPy3q6PSgJVtqvQ6v9E8k5Ui7C+DF6KvJUiMJSY5sbu2
zmm9rKAH5m7FwIDAQAB;"
There are currently 1 domain profiles defined.
Choose the operation you want to perform:
- NEW - Create a new domain profile.
- EDIT - Modify a domain profile.
- DELETE - Delete a domain profile.
- PRINT - Display domain profiles.
- LIST - List domain profiles.
- TEST - Test if a domain profile is ready to sign.
- DNSTXT - Generate a matching DNS TXT record.
- IMPORT - Import domain profiles from a file.
- EXPORT - Export domain profiles to a file.
- CLEAR - Clear all domain profiles.
[]>
Choose the operation you want to perform:
- SIGNING - Manage signing profiles.
- VERIFICATION - Manage verification profiles.
[]>
Number of DK/DKIM Signing Profiles: 1
Number of Signing Keys: 1
Number of DKIM Verification Profiles: 1
Sign System-Generated Messages: Yes
Choose the operation you want to perform:
- PROFILES - Manage domain profiles.
- KEYS - Manage signing keys.
- SETUP - Change global settings.
- SEARCH - Search for domain profile or key.
[]>

Configure DMARC settings.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

The batch format of the dmarcconfig can be used to create, edit, or delete verification profiles and modify global settings.

The following example shows how to setup a DMARC verification profile and edit the global settings of DMARC verification profiles.

mail.example.com> dmarcconfig
Number of DMARC Verification Profiles: 1
Daily report generation time is: 00:00
Error reports enabled: No
Reports sent on behalf of:
Contact details for reports:
Send a copy of aggregate reports to: None Specified
Bypass DMARC verification for senders from addresslist: None Specified
Bypass DMARC verification for messages with header fields: None Specified
Choose the operation you want to perform:
- PROFILES - Manage DMARC verification profiles.
- SETUP - Change global settings.
[]> profiles
There are currently 1 DMARC verification profiles defined.
Choose the operation you want to perform:
- NEW - Create a new DMARC verification profile.
- EDIT - Modify a DMARC verification profile.
- DELETE - Delete a DMARC verification profile.
- PRINT - Display DMARC verification profiles.
- IMPORT - Import DMARC verification profiles from a file.
- EXPORT - Export DMARC verification profiles to a file.
- CLEAR - Clear all DMARC verification profiles.
[]> new
Enter the name of the new DMARC verification profile:
[]> dmarc_ver_profile_1
Select the message action when the policy in DMARC record is reject:
1. No Action
2. Quarantine the message
3. Reject the message
[3]> 1
Select the message action when the policy in DMARC record is quarantine:
1. No Action
2. Quarantine the message
[2]> 2
Select the quarantine for messages that fail DMARC verification (when the DMARC policy is quarantine).
1. Policy
[1]> 1
What SMTP action should be taken in case of temporary failure?
1. Accept
2. Reject
[1]> 2
Enter the SMTP response code for rejected messages in case of temporary failure.
[451]>
Enter the SMTP response text for rejected messages in case of temporary failure. Type DEFAULT to use the default response text 
'#4.7.1 Unable to perform
DMARC verification.'
[#4.7.1 Unable to perform DMARC verification.]>
What SMTP action should be taken in case of permanent failure?
1. Accept
2. Reject
[1]> 2
Enter the SMTP response code for rejected messages in case of permanent failure.
[550]>
Enter the SMTP response text for rejected messages in case of permanent failure. Type DEFAULT to use the default response text 
'#4.7.1 Unable to perform
DMARC verification.'
[#5.7.1 DMARC verification failed.]>
There are currently 2 DMARC verification profiles defined.
Choose the operation you want to perform:
- NEW - Create a new DMARC verification profile.
- EDIT - Modify a DMARC verification profile.
- DELETE - Delete a DMARC verification profile.
- PRINT - Display DMARC verification profiles.
- IMPORT - Import DMARC verification profiles from a file.
- EXPORT - Export DMARC verification profiles to a file.
- CLEAR - Clear all DMARC verification profiles.
[]>
Number of DMARC Verification Profiles: 2
Daily report generation time is: 00:00
Error reports enabled: No
Reports sent on behalf of:
Contact details for reports:
Send a copy of aggregate reports to: None Specified
Bypass DMARC verification for senders from addresslist: None Specified
Bypass DMARC verification for messages with header fields: None Specified
Choose the operation you want to perform:
- PROFILES - Manage DMARC verification profiles.
- SETUP - Change global settings.
[]> setup
Would you like to modify DMARC report settings? (Yes/No) [N]> y
Enter the time of day to generate aggregate feedback reports. Use 24-hour format (HH:MM).
[00:00]>
Would you like to send DMARC error reports? (Yes/No) [N]> y
Enter the entity name responsible for report generation. This is added to the DMARC aggregate reports.
[]> example.com
Enter additional contact information to be added to DMARC aggregate reports. This could be an email address, 
URL of a website with additional help, a phone number etc.
[]> http://dmarc.example.com
Would you like to send a copy of all aggregate reports?  (Yes/No) [N]>
Would you like to bypass DMARC verification for an addresslist? (Yes/No) [N]>
Would you like to bypass DMARC verification for specific header fields? (Yes/No) [N]> y
Choose the operation you want to perform:
- ADD - Add a header field to the verification-bypass list.
[]> add
Enter the header field name
[]> List-Unsubscribe
DMARC verification is configured to bypass DMARC verification for messages containing the following header fields.
1. List-Unsubscribe
Choose the operation you want to perform:
- ADD - Add a header field to the verification-bypass list.
- REMOVE - Remove a header field from the list.
[]> add
Enter the header field name
[]> List-ID
DMARC verification is configured to bypass DMARC verification for messages containing the following header fields.
1. List-Unsubscribe
2. List-ID
Choose the operation you want to perform:
- ADD - Add a header field to the verification-bypass list.
- REMOVE - Remove a header field from the list.
[]>
Number of DMARC Verification Profiles: 2
Daily report generation time is: 00:00
Error reports enabled: Yes
Reports sent on behalf of: example.com
Contact details for reports: http://dmarc.example.com
Send a copy of aggregate reports to: None Specified
Bypass DMARC verification for senders from addresslist: None Specified
Bypass DMARC verification for messages with header fields: List-Unsubscribe, List-ID
Choose the operation you want to perform:
- PROFILES - Manage DMARC verification profiles.
- SETUP - Change global settings.
[]>

Look up a record on a DNS server

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

The batch format of the dig command can be used to perform all the functions of the traditional CLI command.

• Look up a record on a DNS server

  dig [options] [@<dns_ip>] [qtype] <hostname>

• Do a reverse lookup for given IP address on a DNS server

  dig -x <reverse_ip> [options] [@<dns_ip>]

These are the options available for the dig command’s batch format

    -s <source_ip>  Specify the source IP address.

    -t              Make query over TCP.

    -u              Make query over UDP (default).

    dns_ip - Query the DNS server at this IP address.

    qtype - Query type: A, PTR, CNAME, MX, SOA, NS, TXT.

    hostname - Record that user want to look up.

    reverse_ip - Reverse lookup IP address.

    dns_ip - Query the DNS server at this IP address.

The following example explicitly specifies a DNS server for the lookup.

mail.com> dig @111.111.111.111 example.com MX
; <<>> DiG 9.4.3-P2 <<>> @111.111.111.111 example.com MX
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18540
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; QUESTION SECTION:
;example.com.                       IN      MX
;; ANSWER SECTION:
mexample.com.                10800   IN      MX      10 mexample.com.
;; AUTHORITY SECTION:
example.com.                     10800   IN      NS      test.example.com.
;; ADDITIONAL SECTION:
example.com. 10800 IN      A       111.111.111.111
example.com. 10800 IN      AAAA    2620:101:2004:4201::bd
example.com.   300     IN      A       111.111.111.111
;; Query time: 6 msec
;; SERVER: 10.92.144.4#53(10.92.144.4)
;; WHEN: Fri Dec  9 23:37:42 2011
;; MSG SIZE  rcvd: 143

Note	The dig command filters out the information in the Authority and Additional sections if you do not explicitly specify the DNS server when using the command.

The following example explicitly verifies TLSA records.

mail.example.com> dig
 
Enter the host or IP address to look up.
[]> example.com
 
Choose the query type:
1. A       the host's IP address
2. AAAA    the host's IPv6 address
3. CNAME   the canonical name for an alias
4. MX      the mail exchanger
5. NS      the name server for the named zone
6. PTR     the hostname if the query is an Internet address,otherwise the pointer to other information
7. SOA     the domain's "start-of-authority" information
8. TLSA    TLSA Record
9. TXT     the text information
[1]> 8
 
Which interface do you want to query from?
1. Auto
2. Management
[1]> 2
 
Please enter the host or IP address of DNS server.
Leave the entry blank to use the default server. 
Important! To perform DNSSEC queries, enter the host or IP address of the DNS Server supporting DNSSEC.
[]> 8.8.8.8
 
Do you want to make query over TCP? [N]>
 
Do you want to make a query over DNSSEC? [N]> Y
 
Please enter DNS key file path.
Leave the entry blank to use the default root keys
[]>
 
;; RRset to chase:
dane-esa.com.           3562    IN      MX      10 mx1.dane-esa.com.
 
 
;; RRSIG of the RRset to chase:
dane-esa.com.           3562    IN      RRSIG   MX 7 2 3600 20181028045140 20180928045140 43860 dane-esa.com. 
K+t0W9aOqDMvxytXfkrms+IEUbK1Ct9XB5mBCCb3bHryvHs0cU6XPxTJ XwQ5HUSWuQaC9MLyCA5Zn/AXlbzKA7tGtnab0q3CmVKhhRXnIJ+jJht6
nuksUrLKsM6uYmR73DDM/bCC8n08w6nGeGq476mmNgETXAPfqSvHNuPp DSquCG3nNfm8iE9XnG8jCKRPcKhWjROc/vmK6ZzuzFKCtT4QA/L5Ah0w 
zffZqxR9Qmj3w8WQdz9eFAw5e0LFa5oR57i983ityJrQL4pjFl7bwKNw
94xhqFlsWWKAC6wpoT64DOo00ou5TsKxHq5EwEat1OMIM0GHMniCuJcA K3seyQ==

Configure DNS setup

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

The batch format of the dnsconfig command can be used to perform all the functions of the traditional CLI command.

• Configuring DNS to use a local nameserver cache:

  dnsconfig parent new <ns_ip> <priority>

Command arguments:

• <ns_ip> - The IP address of the nameserver. Separate multiple IP addresses with commas.
• <priority> - The priority for this entry.

• Deleting the local nameserver cache:

  dnsconfig parent delete <ns_ip>

• Configuring alternate DNS caches to use for specific domains:

  dnsconfig alt new <domains> <ns_ip>

Note	Cannot be used when using Internet root nameservers.

Command arguments:

• <ns_ip> - The IP address of the nameserver. Separate multiple IP addresses with commas.
• <domains> - A comma separated list of domains.

• Deleting the alternate DNS cache for a specific domain:

  dnsconfig alt delete <domain>

• Configuring DNS to use the Internet root nameservers:

  dnsconfig roots new <ns_domain> <ns_name> <ns_ip>

Nameserver arguments:

• <ns_domain> - The domain to override.
• <ns_name> - The name of the nameserver.
• <ns_ip> - The IP address of the nameserver.

Note	You can override certain domains by specifying an alternate name server for that domain.

• Deleting nameservers:

  dnsconfig roots delete <ns_domain> [ns_name]

Note	When deleting, if you do not specify an ns_name , then all nameservers for that domain will be removed.

• Clearing all DNS settings and automatically configuring the system to use the Internet root servers:

  dnsconfig roots

Displaying the current DNS settings.

dnsconfig print

Each user-specified DNS server requires the following information:

• Hostname
• IP address
• Domain authoritative for (alternate servers only)

Four subcommands are available within the dnsconfig command:

new

delete

edit

setup

mail3.example.com> dnsconfig
Currently using the Internet root DNS servers.
Alternate authoritative DNS servers:
1. com: dns.example.com (10.1.10.9)
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> setup
Do you want the Gateway to use the Internet's root DNS servers or would you like
it to use your own DNS servers?
1. Use Internet root DNS servers
2. Use own DNS cache servers
[1]> 1
Choose the IP interface for DNS traffic.
1. Auto
2. Management (10.92.149.70/24: mail3.example.com)
[1]> 
Enter the number of seconds to wait before timing out reverse DNS lookups.
[20]> 
Enter the minimum TTL in seconds for DNS cache.
[1800]> 
Currently using the Internet root DNS servers.
Alternate authoritative DNS servers:
1. com: dns.example.com (10.1.10.9)
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.
[]> 

Clear all entries from the DNS cache.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

mail3.example.com> dnsflush
Are you sure you want to clear out the DNS cache? [N]> Y

Configure IPv4/IPv6 DNS preferences

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

mail3.example.com> dnshostprefs
Choose the operation you want to perform:
- NEW - Add new domain override.
- SETDEFAULT - Set the default behavior.
[]> new
Enter the domain you wish to configure.
[]> example.com
How should the appliance sort IP addresses for this domain?
1. Prefer IPv4
2. Prefer IPv6
3. Require IPv4
4. Require IPv6
[2]> 3
Choose the operation you want to perform:
- NEW - Add new domain override.
- SETDEFAULT - Set the default behavior.
[]> setdefault
How should the appliance sort IP addresses?
1. Prefer IPv4
2. Prefer IPv6
3. Require IPv4
4. Require IPv6
[2]> 1
Choose the operation you want to perform:
- NEW - Add new domain override.
- SETDEFAULT - Set the default behavior.
[]>

Configure DNS List services support

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

mail3.example.com> dnslistconfig
Current DNS List Settings:
Negative Response TTL:  1800 seconds
DNS List Query Timeout:  3 seconds
Choose the operation you want to perform:
- SETUP - Configure general settings.
[]> setup
Enter the cache TTL for negative responses in seconds:
[1800]> 1200
Enter the query timeout in seconds:
[3]>
Settings updated.
Current DNS List Settings:
Negative Response TTL:  1200 seconds
DNS List Query Timeout:  3 seconds
Choose the operation you want to perform:
- SETUP - Configure general settings.
[]>

Test a DNS lookup for a DNS-based list service.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

mail3.example.com> dnslisttest
Enter the query server name:
[]> mail4.example.com
Enter the test IP address to query for:
[127.0.0.2]> 10.10.1.11
Querying:  10.10.1.11.mail4.example.com
Result:  MATCHED

Display DNS statistics.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> dnsstatus
Status as of: Mon Apr 18 10:58:07 2005 PDT
Counters:                    Reset          Uptime        Lifetime
  DNS Requests               1,115           1,115           1,115
  Network Requests             186             186             186
  Cache Hits                 1,300           1,300           1,300
  Cache Misses                   1               1               1
  Cache Exceptions               0               0               0
  Cache Expired                185             185             185

The howtoupdate command is used to manually update the How-Tos component.

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help howtoupdate.

In the following example, you can use the howtoupdate command to manually update the How-Tos component.

mail.example.com > howtoupdate

Requesting update of How-Tos component

The howtostatus command is used to display the current version of the How-Tos component.

Commit: This command does not require a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help howtostatus.

In the following example, you can use the howtostatus command to view the current version of the How-Tos component.

mail.example.com > howtostatus

Component            Version Last Updated
How-Tos              1.0 4 Jul 2018 04:22 (GMT +00:00)

The addressconfig command is used to configure the From: Address header. You can specify the display, user, and domain names of the From: address. You can also choose to use the Virtual Gateway domain for the domain name. Use the addressconfig command for mail generated by AsyncOS for the following circumstances:

• Anti-virus notifications
• Bounces
• DMARC feedback reports
• Notifications ( notify() and notify-copy() filter actions)
• Quarantine Messages (and “Send Copy” in quarantine management)
• Reports
• All other messages

In the following example, the From: Address for notifications is changed from: Mail Delivery System [MAILER-DAEMON@domain] (the default) to Notifications [Notification@example.com]

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> addressconfig
Current anti-virus from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current bounce from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current notify from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current quarantine from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current DMARC reports from: "DMARC Feedback" <MAILER-DAEMON@domain>
Current all other messages from: "Mail Delivery System" <MAILER-DAEMON@domain>
Choose the operation you want to perform:
- AVFROM - Edit the anti-virus from address.
- BOUNCEFROM - Edit the bounce from address.
- NOTIFYFROM - Edit the notify from address.
- QUARANTINEFROM - Edit the quarantine bcc from address.
- DMARCFROM - Edit the DMARC reports from address.
- OTHERFROM - Edit the all other messages from address.
[]> notifyfrom
Please enter the display name portion of the "notify from" address
["Mail Delivery System"]> Notifications
Please enter the user name portion of the "notify from" address
[MAILER-DAEMON]> Notification
Do you want the virtual gateway domain used for the domain? [Y]> n
Please enter the domain name portion of the "notify from" address
[]> example.com
Current anti-virus from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current bounce from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current notify from: Notifications <Notification@example.com>
Current quarantine from: "Mail Delivery System" <MAILER-DAEMON@domain>
Current DMARC reports from: "DMARC Feedback" <MAILER-DAEMON@domain>
Current all other messages from: "Mail Delivery System" <MAILER-DAEMON@domain>
Choose the operation you want to perform:
- AVFROM - Edit the anti-virus from address.
- BOUNCEFROM - Edit the bounce from address.
- NOTIFYFROM - Edit the notify from address.
- QUARANTINEFROM - Edit the quarantine bcc from address.
- DMARCFROM - Edit the DMARC reports from address.
- OTHERFROM - Edit the all other messages from address.
[]>

Use the adminaccessconfig command to configure:

• Login message (banner) for the administrator.
• IP-based access for appliance administrative interface.
• Web interface Cross-Site Request Forgeries protection.
• Option to use host header in HTTP requests.
• Web interface and CLI session inactivity timeout.
• Maximum HTTP header size.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

The batch format of the adminaccessconfig command can be used to perform all the functions of the traditional CLI command.

• Select whether to allow access for all IP addresses or limit access to specific IP address/subnet/range

  adminaccessconfig ipaccess <all/restrict/proxyonly/proxy>

• Adding a new IP address/subnet/range

  adminaccessconfig ipaccess new <address>

• Editing an existing IP address/subnet/range

  adminaccessconfig ipaccess edit <oldaddress> <newaddress>

• Deleting an existing IP address/subnet/range

  adminaccessconfig ipaccess delete <address>

• Printing a list of the IP addresses/subnets/ranges

  adminaccessconfig ipaccess print

• Deleting all existing IP addresses/subnets/ranges

  adminaccessconfig ipaccess clear

• Printing the login banner

  adminaccessconfig banner print

• Importing a login banner from a file on the appliance

  adminaccessconfig banner import <filename>

• Deleting an existing login banner

  adminaccessconfig banner clear

• Printing the welcome banner

  adminaccessconfig welcome print

• Importing a welcome banner from a file on the appliance

  adminaccessconfig welcome import <filename>

• Deleting an existing welcome banner

  adminaccessconfig welcome clear

• Exporting a welcome banner

  adminaccessconfig welcome export <filename>

• Add an allowed proxy IP address

  adminaccessconfig ipaccess proxylist new <address>

• Edit an allowed proxy IP address

  adminaccessconfig ipaccess proxylist edit <oldaddress> <newaddress>

• Delete an allowed proxy IP address

  adminaccessconfig ipaccess proxylist delete <address>

• Delete all existing allowed proxy IP addresses

  adminaccessconfig ipaccess proxylist clear

• Configure the header name that contains origin IP address

  adminaccessconfig ipaccess proxy-header <header name>

• Enable or disable web interface Cross-Site Request Forgeries protection

  adminaccessconfig csrf <enable|disable>

• Check whether web interface Cross-Site Request Forgeries protection is enabled

  adminaccessconfig csrf print

• Configure web interface session timeout

  adminaccessconfig timeout gui <value>

• Configure CLI session timeout

  adminaccessconfig timeout gui <value>

You can control from which IP addresses users access the Email Security appliance. Users can access the appliance from any machine with an IP address from the access list you define. When creating the network access list, you can specify IP addresses, subnets, or CIDR addresses.

AsyncOS displays a warning if you do not include the IP address of your current machine in the network access list. If your current machine’s IP address is not in the list, it will not be able to access the appliance after you commit your changes.

In the following example, network access to the appliance is restricted to two sets of IP addresses:

mail.example.com> adminaccessconfig
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- XSS - Configure Cross-Site Scripting Attack protection.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
- MAXHTTPHEADERFIELDSIZE - Configure maximum HTTP header field size.
- HOW-TOS - Configure How-Tos feature.
[]> ipaccess
Current mode: Allow All.
Please select the mode:
- ALL - All IP addresses will be allowed to access the administrative interface.
- RESTRICT - Specify IP addresses/Subnets/Ranges to be allowed access.
- PROXYONLY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy.
- PROXY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy or directly.
[]> restrict
List of allowed IP addresses/Subnets/Ranges:
Choose the operation you want to perform:
- NEW - Add a new IP address/subnet/range.
[]> new
Please enter IP address, subnet or range.
[]> 192.168.1.2-100
List of allowed IP addresses/Subnets/Ranges:
1.  192.168.1.2-100
Choose the operation you want to perform:
- NEW - Add a new IP address/subnet/range.
- EDIT - Modify an existing entry.
- DELETE - Remove an existing entry.
- CLEAR - Remove all the entries.
[]> new
Please enter IP address, subnet or range.
[]> 192.168.255.12
List of allowed IP addresses/Subnets/Ranges:
1.  192.168.1.2-100
2.  192.168.255.12
Choose the operation you want to perform:
- NEW - Add a new IP address/subnet/range.
- EDIT - Modify an existing entry.
- DELETE - Remove an existing entry.
- CLEAR - Remove all the entries.
[]>
Warning: The host you are currently using [72.163.202.175] is not included in the User Access list.  Excluding it will prevent your
host from connecting to the administrative interface. Are you sure you want to continue? [N]> Y
Current mode: Restrict.
Please select the mode:
- ALL - All IP addresses will be allowed to access the administrative interface.
- RESTRICT - Specify IP addresses/Subnets/Ranges to be allowed access.
- PROXYONLY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy.
- PROXY - Specify IP addresses/Subnets/Ranges to be allowed access through proxy or directly.
[]>

You can configure the Email Security appliance to display a message called a “login banner” when a user attempts to log into the appliance through SSH, Telnet, FTP, or Web UI. The login banner is customizable text that appears above the login prompt in the CLI and to the right of the login prompt in the GUI. You can use the login banner to display internal security information or best practice instructions for the appliance. For example, you can create a simple note that saying that unauthorized use of the appliance is prohibited or a detailed warning concerning the organization’s right to review changes made by the user to the appliance.

The maximum length of the login banner is 2000 characters to fit 80x25 consoles. A login banner can be imported from a file in the /data/pub/configuration directory on the appliance. After creating the banner, commit your changes.

In the following example, the login banner “Use of this system in an unauthorized manner is prohibited” is added to the appliance:

mail.example.com> adminaccessconfig
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- XSS - Configure Cross-Site Scripting Attack protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
- MAXHTTPHEADERFIELDSIZE - Configure maximum HTTP header field size.
- HOW-TOS - Configure How-Tos feature.
[]> banner
A banner has not been defined.
Choose the operation you want to perform:
- NEW - Create a banner to display at login.
- IMPORT - Import banner text from a file.
[]> new
Enter or paste the banner text here. Enter CTRL-D on a blank line to end.
Use of this system in an unauthorized manner is prohibited.
^D
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
[]> banner
Banner: Use of this system in an unauthorized manner is prohibited.
Choose the operation you want to perform:
- NEW - Create a banner to display at login.
- IMPORT - Import banner text from a file.
- DELETE - Remove the banner.
[]>

The following example sets the web interface and CLI session timeout to 32 minutes.

Note	The CLI session timeout applies only to the connections using Secure Shell (SSH), SCP, and direct serial connection. Any uncommitted configuration changes at the time of CLI session timeout will be lost. Make sure that you commit the configuration changes as soon as they are made.

mail.example.com> adminaccessconfig
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- XSS - Configure Cross-Site Scripting Attack protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
- MAXHTTPHEADERFIELDSIZE - Configure maximum HTTP header field size.
- HOW-TOS - Configure How-Tos feature.

[]> timeout
Enter WebUI inactivity timeout(in minutes):
[30]> 32
Enter CLI inactivity timeout(in minutes):
[30]> 32
Choose the operation you want to perform:
- BANNER - Configure login message (banner) for appliance administrator login.
- WELCOME - Configure welcome message (post login message) for appliance administrator login.
- IPACCESS - Configure IP-based access for appliance administrative interface.
- CSRF - Configure web UI Cross-Site Request Forgeries protection.
- HOSTHEADER - Configure option to use host header in HTTP requests.
- TIMEOUT - Configure GUI and CLI session inactivity timeout.
[]>
mail.example.com> commit
Please enter some comments describing your changes:
[]> Changed WebUI and CLI session timeout values
Do you want to save the current configuration for rollback? [Y]>
Changes committed: Wed Mar 12 08:03:21 2014 GMT

Note	After committing the changes, the new CLI session timeout takes affect only during the subsequent login.

Configure security certificates and keys.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, a certificate is installed by pasting in the certificate and private key.

mail3.example.com> certconfig
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]> certificate
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- PRINT - View certificates assigned to services
[]> paste
Enter a name for this certificate profile:
> partner.com
Paste public certificate in PEM format (end with '.'):
-----BEGIN CERTIFICATE-----
MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD
VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv
bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy
dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X
DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw
EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l
dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT
EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw
L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN
BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX
9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=
-----END CERTIFICATE-----
.
C=PT,ST=Queensland,L=Lisboa,O=Neuronio,
Lda.,OU=Desenvolvimento,CN=brutus.partner.com,emailAddress=admin@example.com
Paste private key in PEM format (end with '.'):
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ
2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF
oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr
8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc
a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7
WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=
-----END RSA PRIVATE KEY-----
.
Do you want to add an intermediate certificate? [N]> n
List of Certificates
Name       Common Name           Issued By             Status         Remaining
--------  -------------------  --------------------  -------------  ---------
partner.c brutus.partner.com   brutus.partner       Active        30 days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]>
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Installed certificate and key for receiving, delivery, and https
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

In the following example, a self-signed certificate is created.

mail3.example.com> certconfig
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]> certificate
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
partner.c  brutus.neuronio.pt    brutus.neuronio.pt    Expired        -4930
days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]> new
1. Create a self-signed certificate and CSR
2. Create a self-signed SMIME certificate and CSR
[1]> 1
Enter a name for this certificate profile:
> example.com
Enter Common Name:
> example.com
Enter Organization:
> Example
Enter Organizational Unit:
> Org
Enter Locality or City:
> San Francisoc
Enter State or Province:
> CA
Enter Country (2 letter code):
> US
Duration before expiration (in days):
[3650]>
1. 1024
2. 2048
Enter size of private key:
[2]>
Do you want to view the CSR? [Y]> y
-----BEGIN CERTIFICATE REQUEST-----
MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCVVMxFDASBgNVBAMTC2V4YW1wbGUuY29t
MRYwFAYDVQQHEw1TYW4gRnJhbmNpc29jMRAwDgYDVQQKEwdleGFtcGxlMQswCQYD
VQQIEwJDQTEMMAoGA1UECxMDb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA+NwamZyX7VgTZka/x1I5HHrN9V2MPKXoLq7FjzUtiIDwznElrKIuJovw
Svonle6GvFlUHfjv8B3WobOzk5Ny6btKjwPrBfaY+qr7rzM4lAQKHM+P6l+lZnPU
P05N9RCkLP4XsUuyY6Ca1WLTiPIgaq2fR8Y0JX/kesZcGOqlde66pN+xJIHHYadD
oopOgqi6SLNfAzJu/HEu/fnSujG4nhF0ZGlOpVUx4fg33NwZ4wVl0XBk3GrOjbbA
ih9ozAwfNzxb57amtxEJk+pW+co3uEHLJIOPdih9SHzn/UVU4hiu8rSQR19sDApp
kfdWcfaDLF9tnQJPWSYoCh0USgCc8QIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEB
AGiVhyMAZuHSv9yA08kJCmrgO89yRlnDUXDDo6IrODVKx4hHTiOanOPu1nsThSvH
7xV4xR35T/QV0U3yPrL6bJbbwMySOLIRTjsUcwZNjOE1xMM5EkBM2BOI5rs4l59g
FhHVejhG1LyyUDL0U82wsSLMqLFH1IT63tzwVmRiIXmAu/lHYci3+vctb+sopnN1
lY1OIuj+EgqWNrRBNnKXLTdXkzhELOd8vZEqSAfBWyjZ2mECzC7SG3evqkw/OGLk
AilNXHayiGjeY+UfWzF/HBSekSJtQu6hIv6JpBSY/MnYU4tllExqD+GX3lru4xc4
zDas2rS/Pbpn73Lf503nmsw=
-----END CERTIFICATE REQUEST-----
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  ------------------- --------------------  -------------  ---------
example.c  example.com           example.com           Valid          3649 days
partner.c  brutus.partner.com   brutus.partner.com  Valid         30 days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3467 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]>

The following example shows how to create a self-signed S/MIME certificate for signing messages.

vm10esa0031.qa> certconfig
Choose the operation you want to perform:
- CERTIFICATE - Import, Create a request, Edit or Remove Certificate Profiles
- CERTAUTHORITY - Manage System and Customized Authorities
- CRL - Manage Certificate Revocation Lists
[]> certificate
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3329 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- PRINT - View certificates assigned to services
[]> new
1. Create a self-signed certificate and CSR
2. Create a self-signed SMIME certificate and CSR
[1]> 2
Enter a name for this certificate profile:
> smime_signing
Enter Common Name:
> CN
Enter Organization:
> ORG
Enter Organizational Unit:
> OU
Enter Locality or City:
> BN
Enter State or Province:
> KA
Enter Country (2 letter code):
> IN
Duration before expiration (in days):
[3650]>
1. 1024
2. 2048
Enter size of private key:
[2]>
Enter email address for 'subjectAltName' extension:
[]> admin@example.com
Add another member? [Y]> n
Begin entering domain entries for 'subjectAltName'.
Enter the DNS you want to add.
[]> domain.com
Add another member? [Y]> n
Do you want to view the CSR? [Y]> n
List of Certificates
Name       Common Name           Issued By             Status         Remaining
---------  --------------------  --------------------  -------------  ---------
smime_sig  CN                    CN                    Valid          3649 days
Demo       Cisco Appliance Demo  Cisco Appliance Demo  Active         3329 days
Choose the operation you want to perform:
- IMPORT - Import a certificate from a local PKCS#12 file
- PASTE - Paste a certificate into the CLI
- NEW - Create a self-signed certificate and CSR
- EDIT - Update certificate or view the signing request
- EXPORT - Export a certificate
- DELETE - Remove a certificate
- PRINT - View certificates assigned to services
[]>

Displays the current date and time

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> date
Tue Mar 10 11:30:21 2015 GMT

Checks whether DANE is supported for a specified domain.

Commit: This command does not require a 'commit'.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help daneverify.

In the following example, you can use the daneverify command to verify DANE support for a specified domain.

mail3.example.com> daneverify
Enter the DANE domain to verify against: []> example-dane.net
Trying DANE MANDATORY for example-dane.net
SECURE MX RECORD found for example-dane.net
SECURE A record (10.10.1.198) found for MX(mail.example.com.cs2.test-dane.net) in example-dane.net
SECURE TLSA Record found for MX(mail.example.com.cs2.test-dane.net) in example-dane.net TLS connection established: protocol TLSv1.2, cipher DHE-RSA-AES128-SHA256.
Certificate verification successful for TLSA 
record(030101329aad19cfb5a0bb8d3b99c67dd1282a4dcdf67bd9c4efc08578657065fe7504)
TLS connection succeeded example-dane.net.
DANE_SUCESS for example-dane.net
DANE verification completed.

Use the diagnostic command to:

• Troubleshoot hardware and network issues using various utilities
• Check the RAID status
• Display ARP cache
• Clear LDAP, DNS, and ARP caches
• Send SMTP test messages

• Restart and viewing the status of Service Engines enabled on the appliance.

The following commands are available within the diagnostic submenu:

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto). This command requires access to the local file system.

Batch Command: This command supports a batch format.

The batch format of the diagnostic command can be used to check RAID status, clear caches and show the contents of the ARP cache. To invoke as a batch command, use the following formats:

Use the batch format to perform the following operations:

• Check the RAID status

  diagnostic raid

• Show the contents of the ARP cache

  diagnostic network arpshow

• Show the contents of the NDP cache

  diagnostic network ndpshow

• Clear the LDAP, DNS, ARP and NDP caches

  diagnostic network flush

• Reset and delete the reporting database

  diagnostic reporting deletedb

• Enable reporting daemons

  diagnostic reporting enable

• Disable reporting daemons

  diagnostic reporting disable

• Reset and delete the tracking database

  diagnostic tracking deletedb

• Reset configuration to the initial manufacturer values

  diagnostic reload

You can use the diagnostic > servicessub command in the CLI to:

• Restart the service engines enabled on your appliance without having to reboot your appliance.

• View the status of service engines enabled on your appliance.

Example: Viewing Status of DLP Engine

mail.example.com> diagnostic

Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> services

Choose one of the following services:
- ANTISPAM - Anti-Spam services
- ANTIVIRUS - Anti-Virus services
- DLP - Cisco Data Loss Prevention services
- ENCRYPTION - Encryption services
- GRAYMAIL - Graymail services
- REPORTING - Reporting associated services
- SBRS - Reputation Engine services
- TRACKING - Tracking associated services
- URLFILTERING - URL Filtering
- EUQWEB - End User Quarantine GUI
- WEBUI - Web GUI
[]> dlp

Choose the operation you want to perform:
- RESTART - Restart the service
- STATUS - View status of the service
[]> status

Cisco Data Loss Prevention has been up for 3s.

Example: Restarting the Graymail Engine

mail.example.com> diagnostic

Choose the operation you want to perform:
- RAID - Disk Verify Utility.
- DISK_USAGE - Check Disk Usage.
- NETWORK - Network Utilities.
- REPORTING - Reporting Utilities.
- TRACKING - Tracking Utilities.
- RELOAD - Reset configuration to the initial manufacturer values.
- SERVICES - Service Utilities.
[]> services

Choose one of the following services:
- ANTISPAM - Anti-Spam services
- ANTIVIRUS - Anti-Virus services
- DLP - Cisco Data Loss Prevention services
- ENCRYPTION - Encryption services
- GRAYMAIL - Graymail services
- REPORTING - Reporting associated services
- SBRS - Reputation Engine services
- TRACKING - Tracking associated services
- URLFILTERING - URL Filtering
- EUQWEB - End User Quarantine GUI
- WEBUI - Web GUI
[]> graymail

Choose the operation you want to perform:
- RESTART - Restart the service
- STATUS - View status of the service
[]> restart

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format.

diskquotaconfig <feature> <quota> [<feature> <quota> [<feature> <quota>[<feature> <quota>]]]

Valid values for <feature> are euq , pvo , tracking , reporting

Valid values for <quota> are integers.

mail.example.com> diskquotaconfig
     Service                                       Disk Usage(GB)     Quota(GB)
     ---------------------------------------------------------------------------
     Spam Quarantine (EUQ)                         1                  1
     Policy, Virus & Outbreak Quarantines          1                  3
     Reporting                                     5                  10
     Tracking                                      1                  10
     Miscellaneous Files                           5                  30
           System Files Usage : 5 GB
           User Files Usage : 0 GB
     Total                                         13                 54 of 143
Choose the operation you want to perform:
- EDIT - Edit disk quotas
[]> edit
Enter the number of the service for which you would like to edit disk quota:
1. Spam Quarantine (EUQ)
2. Policy, Virus & Outbreak Quarantines
3. Reporting
4. Tracking
5. Miscellaneous Files
[1]> 1
Enter the new disk quota -
[1]> 1
Disk quota for Spam Quarantine (EUQ) changed to 1
     Service                                       Disk Usage(GB)     Quota(GB)
     ---------------------------------------------------------------------------
     Spam Quarantine (EUQ)                         1                  1
     Policy, Virus & Outbreak Quarantines          1                  3
     Reporting                                     5                  10
     Tracking                                      1                  10
     Miscellaneous Files                           5                  30
           System Files Usage : 5 GB
           User Files Usage : 0 GB
     Total                                         13                 54 of 143
Choose the operation you want to perform:
- EDIT - Edit disk quotas
[]>

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used at all levels in a cluster.

Batch Command: This command supports a batch format.

• To specify a non-default enrollment client server:

> ecconfig server <server_name:port>

To use the default enrollment client server:

> ecconfig server default 

mail.example.com> ecconfig
Enrollment Server: Not Configured (Use Default)
Choose the operation you want to perform:
- SETUP - Configure the Enrollment Server
[]> setup
Do you want to use non-default Enrollment server?
WARNING: Do not configure this option without the assistance of Cisco Support.
Incorrect configuration can impact the services using certificates from the Enrollment server. [N]> y
[]> 192.0.2.1
Choose the operation you want to perform:
- SETUP - Configure the Enrollment Server
[]>

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> ecstatus
Component                 Version    Last Updated
Enrollment Client         1.0.2-046  Never updated

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format.

> ecupdate [force]

mail.example.com> ecupdate
Requesting update of Enrollment Client. 

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

The following example shows modifications to an encryption profile:

mail.example.com> encryptionconfig
IronPort Email Encryption: Enabled
Choose the operation you want to perform:
- SETUP - Enable/Disable IronPort Email Encryption
- PROFILES - Configure email encryption profiles
- PROVISION - Provision with the Cisco Registered Envelope Service
[]> setup
PXE Email Encryption: Enabled
Would you like to use PXE Email Encryption? [Y]>
WARNING: Increasing the default maximum message size(10MB) may result in
decreased performance. Please consult documentation for size recommendations
based on your environment.
Maximum message size for encryption: (Add a trailing K for kilobytes, M for
megabytes, or no letters for bytes.)
[10M]>
Enter the email address of the encryption account administrator
[administrator@example.com]>
IronPort Email Encryption: Enabled
Choose the operation you want to perform:
- SETUP - Enable/Disable IronPort Email Encryption
- PROFILES - Configure email encryption profiles
- PROVISION - Provision with the Cisco Registered Envelope Service
[]> profiles
Proxy: Not Configured
Profile Name         Key Service            Proxied     Provision Status
------------         -----------            -------     ----------------
HIPAA                Hosted Service         No          Not Provisioned
Choose the operation you want to perform:
- NEW - Create a new encryption profile
- EDIT - Edit an existing encryption profile
- DELETE - Delete an encryption profile
- PRINT - Print all configuration profiles
- CLEAR - Clear all configuration profiles
- PROXY - Configure a key server proxy
[]> edit
1. HIPAA
Select the profile you wish to edit:
[1]> 1
Profile name: HIPAA
External URL: https://res.cisco.com
Encryption algorithm: ARC4
Payload Transport URL: http://res.cisco.com
Envelope Security: High Security
Return receipts enabled: Yes
Secure Forward enabled: No
Secure Reply All enabled: No
Suppress Applet: No
URL associated with logo image: <undefined>
Encryption queue timeout: 14400
Failure notification subject: [ENCRYPTION FAILURE]
Failure notification template: System Generated
Filename for the envelope: securedoc_${date}T${time}.html
Use Localized Envelope: No
Text notification template: System Generated
HTML notification template: System Generated
Choose the operation you want to perform:
- NAME - Change profile name
- EXTERNAL - Change external URL
- ALGORITHM - Change encryption algorithm
- PAYLOAD - Change the payload transport URL
- SECURITY - Change envelope security
- RECEIPT - Change return receipt handling
- FORWARD - Change "Secure Forward" setting
- REPLYALL - Change "Secure Reply All" setting
- LOCALIZED_ENVELOPE - Enable or disable display of envelopes in languages
other than English
- APPLET - Change applet suppression setting
- URL - Change URL associated with logo image
- TIMEOUT - Change maximum time message waits in encryption queue
- BOUNCE_SUBJECT - Change failure notification subject
- FILENAME - Change the file name of the envelope attached to the encryption
notification.
[]> security
1. High Security (Recipient must enter a passphrase to open the encrypted
message, even if credentials are cached ("Remember Me" selected).)
2. Medium Security (No passphrase entry required if recipient credentials are
cached ("Remember Me" selected).)
3. No passphrase Required (The recipient does not need a passphrase to open the
encrypted message.)
Please enter the envelope security level:
[1]> 1
Profile name: HIPAA
External URL: https://res.cisco.com
Encryption algorithm: ARC4
Payload Transport URL: http://res.cisco.com
Envelope Security: High Security
Return receipts enabled: Yes
Secure Forward enabled: No
Secure Reply All enabled: No
Suppress Applet: No
URL associated with logo image: <undefined>
Encryption queue timeout: 14400
Failure notification subject: [ENCRYPTION FAILURE]
Failure notification template: System Generated
Filename for the envelope: securedoc_${date}T${time}.html
Use Localized Envelope: No
Text notification template: System Generated
HTML notification template: System Generated
Choose the operation you want to perform:
- NAME - Change profile name
- EXTERNAL - Change external URL
- ALGORITHM - Change encryption algorithm
- PAYLOAD - Change the payload transport URL
- SECURITY - Change envelope security
- RECEIPT - Change return receipt handling
- FORWARD - Change "Secure Forward" setting
- REPLYALL - Change "Secure Reply All" setting
- LOCALIZED_ENVELOPE - Enable or disable display of envelopes in languages
other than English
- APPLET - Change applet suppression setting
- URL - Change URL associated with logo image
- TIMEOUT - Change maximum time message waits in encryption queue
- BOUNCE_SUBJECT - Change failure notification subject
- FILENAME - Change the file name of the envelope attached to the encryption
notification.
[]> forward
Would you like to enable "Secure Forward"? [N]> y
Profile name: HIPAA
External URL: https://res.cisco.com
Encryption algorithm: ARC4
Payload Transport URL: http://res.cisco.com
Envelope Security: High Security
Return receipts enabled: Yes
Secure Forward enabled: Yes
Secure Reply All enabled: No
Suppress Applet: No
URL associated with logo image: <undefined>
Encryption queue timeout: 14400
Failure notification subject: [ENCRYPTION FAILURE]
Failure notification template: System Generated
Filename for the envelope: securedoc_${date}T${time}.html
Use Localized Envelope: No
Text notification template: System Generated
HTML notification template: System Generated
Choose the operation you want to perform:
- NAME - Change profile name
- EXTERNAL - Change external URL
- ALGORITHM - Change encryption algorithm
- PAYLOAD - Change the payload transport URL
- SECURITY - Change envelope security
- RECEIPT - Change return receipt handling
- FORWARD - Change "Secure Forward" setting
- REPLYALL - Change "Secure Reply All" setting
- LOCALIZED_ENVELOPE - Enable or disable display of envelopes in languages
other than English
- APPLET - Change applet suppression setting
- URL - Change URL associated with logo image
- TIMEOUT - Change maximum time message waits in encryption queue
- BOUNCE_SUBJECT - Change failure notification subject
- FILENAME - Change the file name of the envelope attached to the encryption
notification.
[]>
Proxy: Not Configured
Profile Name         Key Service            Proxied     Provision Status
------------         -----------            -------     ----------------
HIPAA                Hosted Service         No          Not Provisioned
Choose the operation you want to perform:
- NEW - Create a new encryption profile
- EDIT - Edit an existing encryption profile
- DELETE - Delete an encryption profile
- PRINT - Print all configuration profiles
- CLEAR - Clear all configuration profiles
- PROXY - Configure a key server proxy
[]>
IronPort Email Encryption: Enabled
Choose the operation you want to perform:
- SETUP - Enable/Disable IronPort Email Encryption
- PROFILES - Configure email encryption profiles
- PROVISION - Provision with the Cisco Registered Envelope Service
[]>

The encryptionstatus command shows the version of the PXE Engine and Domain Mappings file on the Email Security appliance, as well as the date and time the components were last updated.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> encryptionstatus
Component                 Version    Last Updated
PXE Engine                6.7.1      17 Nov 2009 00:09 (GMT)
Domain Mappings File      1.0.0      Never updated

The encryptionupdate command requests an update to the PXE Engine on the Email Security appliance.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

mail3.example.com> encryptionupdate
Requesting update of PXE Engine.

The enginestatus command is used to display the status and CPU usage of various engines enabled on the appliance.

Commit: This command does not requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For more details, see the inline help by typing the command: help enginestatus.

The following example shows how to view the status and CPU usage of all engines enabled on the appliance:

vm30esa0086.ibqa> enginestatus
Choose the operation you want to perform:
- GRAYMAIL - View Graymail engine status
- SOPHOS - View Sophos engine status
- CASE - View CASE engine status
- AMP - View AMP engine status
- MCAFEE - View McAfee engine status
- ALL - View status of All engines
[]> ALL
CASE Status: UP CPU: 0.0%
Component                      Version                             Last Updated
CASE Core Files                3.5.0-008                           Never updated
CASE Utilities                 3.5.0-008                           Never updated
Structural Rules               3.3.1-009-20141210_214201           Never updated
Web Reputation DB              20141211_111021                     Never updated
Web Reputation Rules           20141211_111021-20141211_170330     Never updated
Content Rules                  unavailable                         Never updated
Content Rules Update           unavailable                         Never updated
SOPHOS Status: UP CPU: 0.0%
Component                      Version                             Last Updated
Sophos Anti-Virus Engine       3.2.07.365.2_5.30                   Never updated
Sophos IDE Rules               0                                   Never updated
GRAYMAIL Status: UP CPU: 0.0%
Component                      Version                             Last Updated
Graymail Engine                01-392.68                           N10 Nov 2016 07:08 (GMT +00:00) updated
Graymail Rules                 01-392.68#121                       Never updated
Graymail Tools                 1.0.03                              Never updated
MCAFEE Status: UP CPU: 0.0%
Component                      Version                             Last Updated
McAfee Engine                  5700                                Never updated
McAfee DATs                    7437                                Never updated
AMP Status: UP CPU: 0.0%
Component                      Version                             Last Updated
AMP Client Settings            1.0                                 Never updated
AMP Client Engine              1.0                                 Never updated

The featurekey command lists all functionality enabled by keys on the system and information related to the keys. It also allows you to activate features using a key or check for new feature keys.

For virtual appliances, see also loadlicense and showlicense.

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

In this example, the featurekey command is used to check for new feature keys.

mail3.example.com> featurekey
Module                              Quantity   Status     Remaining   Expiration Date
Outbreak Filters                    1          Active     28 days     Tue Feb 25 06:40:53 2014
IronPort Anti-Spam                  1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Sophos Anti-Virus                   1          Active     26 days     Sun Feb 23 02:27:48 2014
Bounce Verification                 1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Incoming Mail Handling              1          Active     20 days     Sun Feb 16 08:55:58 2014
IronPort Email Encryption           1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Data Loss Prevention      	         1          Active     25 days     Fri Feb 21 10:07:10 2014
McAfee                              1          Dormant    30 days     Wed Feb 26 07:56:57 2014
Choose the operation you want to perform:
- ACTIVATE - Activate a (pending) key.
- CHECKNOW - Check now for new feature keys.
[]> checknow
No new feature keys are available.

The featurekeyconfig command allows you to configure the machine to automatically download available keys and update the keys on the machine.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine.

Batch Command: This command does not support a batch format.

In this example, the featurekeyconfig command is used to enable the autoactivate and autocheck features.

mail3.example.com> featurekeyconfig
Automatic activation of downloaded keys: Disabled
Automatic periodic checking for new feature keys: Disabled
Choose the operation you want to perform:
- SETUP - Edit feature key configuration.
[]> setup
Automatic activation of downloaded keys: Disabled
Automatic periodic checking for new feature keys: Disabled
Choose the operation you want to perform:
- AUTOACTIVATE - Toggle automatic activation of downloaded keys.
- AUTOCHECK - Toggle automatic checking for new feature keys.
[]> autoactivate
Do you want to automatically apply downloaded feature keys? [N]> y
Automatic activation of downloaded keys: Enabled
Automatic periodic checking for new feature keys: Disabled
Choose the operation you want to perform:
- AUTOACTIVATE - Toggle automatic activation of downloaded keys.
- AUTOCHECK - Toggle automatic checking for new feature keys.
[]> autocheck
Do you want to periodically query for new feature keys? [N]> y
Automatic activation of downloaded keys: Enabled
Automatic periodic checking for new feature keys: Enabled

The generalconfig command allows you to configure browser settings.

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. For details, see the inline help by typing the command: help generalconfig .

The following example shows how to override IE Compatibility Mode.

mail.example.com> generalconfig
Choose the operation you want to perform:
- IEOVERRIDE - Configure Internet Explorer Compatibility Mode Override
[]> ieoverride
    For better web interface rendering, we recommend that you enable Internet
    Explorer Compatibility Mode Override. However, if enabling this feature
    is against your organizational policy, you may disable this feature.
    Internet Explorer Compatibility Mode Override is currently disabled.
Would you like to enable Internet Explorer Compatibility Mode Override? [N]y
Choose the operation you want to perform:
- IEOVERRIDE - Configure Internet Explorer Compatibility Mode Override
[]>

Checks the health of your Email Security appliance. Health check analyzes historical data (up to three months) in the current Status Logs to determine the health of the appliance.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> healthcheck
Analyzing the system to determine current health of the system.
The analysis may take a while, depending on the size of the historical data.
System analysis is complete.
The analysis indicates that the system has experienced the following issue(s)recently:
Entered Resource conservation mode
Delay in mail processing
High CPU usage
High memory usage
Based on this analysis,
we recommend you to contact Cisco Customer Support before upgrading.

Configure the threshold of various health parameters of your appliance such as CPU usage, maximum messages in work queue and so on

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> healthconfig
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]> workqueue
Number of messages in the workqueue : 0
Current threshold on the workqueue size : 500
Alert when exceeds threshold : Disabled
Do you want to edit the settings? [N]> y
Please enter the threshold value for number of messages in work queue.
[500]> 550
Do you want to receive alerts if the number of messages in work queue exceeds
threshold value? [N]> n
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]> cpu
Overall CPU usage : 0 %
Current threshold on the overall CPU usage: 85 %
Alert when exceeds threshold : Disabled
Do you want to edit the settings? [N]> y
Please enter the threshold value for overall CPU usage (in percent)
[85]> 90
Do you want to receive alerts if the overall CPU usage exceeds threshold value?[N]> n
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]> swap
Number of pages swapped from memory in a minute : 0
Current threshold on the number of pages swapped from memory per minute : 5000
Alert when exceeds threshold : Disabled
Do you want to edit the settings? [N]> y
Please enter the threshold value for number of pages swapped from memory in a
minute.
[5000]> 5500
Do you want to receive alerts if number of pages swapped from memory in a
minute exceeds the threshold? [N]> n
Choose the operation you want to perform:
- WORKQUEUE - View and edit workqueue-health configuration.
- CPU - View and edit CPU-health configuration.
- SWAP - View and edit swap-health configuration.
[]>

The ntpconfig command configures AsyncOS to use Network Time Protocol (NTP) to synchronize the system clock with other computers. NTP can be turned off using the settime command.

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> 
ntpconfig
Currently configured NTP servers:
1. time.ironport.com
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should originate.
- AUTH - Configure NTP authentication.
[]> new
Please enter the fully qualified hostname or IP address of your NTP server.
[]> ntp.example.com
Currently configured NTP servers:
1. time.ironport.com
2. bitsy.mit.edi
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should
originate.
- AUTH - Configure NTP authentication.
[]> sourceint
 
When initiating a connection to an NTP server, the outbound IP address 
used is chosen automatically.
If you want to choose a specific outbound IP address,please select 
its interface name now.
1. Auto
2. Management (172.19.0.11/24: elroy.run)
3. PrivateNet (172.19.1.11/24: elroy.run)
4. PublicNet (172.19.2.11/24: elroy.run)
[1]> 1
Currently configured NTP servers:
1. time.ironport.com
2. bitsy.mit.edi
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should originate.
- AUTH - Configure NTP authentication.
[]> auth

Would you like to enable NTP authentication? [N]>yes
Currently configured NTP servers:
1. time.ironport.com
2. bitsy.mit.edi
Authentication is on
Choose the operation you want to perform:
- NEW - Add a server.
- DELETE - Remove a server.
- SOURCEINT - Set the interface from whose IP address NTP queries should
originate.
- AUTH - Configure NTP authentication.

mail3.example.com> commit
Please enter some comments describing your changes:
[]> Added new NTP server
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

Commit: This command requires ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

 
		mail3.example.com> portalregistrationconfig
	  
 Choose the operation you want to perform:
	 
 - REGISTRATION_ID - Set up the Registration ID.
	  []> registration_id 
	  Enter the new value of the Registration ID.
	  []> registrationidexample1234
	 

Restart the appliance.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> reboot
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Waiting for listeners to exit...
Receiving suspended.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.

Request version information of Reputation Engine.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> repengstatus
  Component                   Last Update                     Version
  Reputation Engine           28 Jan 2014 23:47 (GMT +00:00)  1
  Reputation Engine Tools     28 Jan 2014 23:47 (GMT +00:00)  1

Resume receiving and deliveries

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> resume
Receiving resumed for Listener 1.
Mail delivery resumed.
Mail delivery for individually suspended domains must be resumed individually.

Resume deliveries.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> resumedel
Currently suspended domains:
1. domain1.com
2. domain2.com
3. domain3.com
Enter one or more domains [comma-separated] to which you want to resume delivery.
[ALL]> domain1.com, domain2.com
Mail delivery resumed.

Resume receiving on a listener.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> resumelistener
Choose the listener(s) you wish to resume.
Separate multiple entries with commas.
1. All
2. InboundMail
3. OutboundMail
[1]> 1
Receiving resumed.
mail3.example.com>

Revert to a previous release.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> revert
This command will revert the appliance to a previous version of AsyncOS.
WARNING: Reverting the appliance is extremely destructive.
The following data will be destroyed in the process:
- all configuration settings (including listeners)
- all log files
- all databases (including messages in Virus Outbreak and Policy quarantines)
- all reporting data (including saved scheduled reports)
- all message tracking data
- all IronPort Spam Quarantine message and end-user safelist/blocklist data
Only the network settings will be preserved.
Before running this command, be sure you have:
- saved the configuration file of this appliance (with passphrases unmasked)
- exported the IronPort Spam Quarantine safelist/blocklist database
  to another machine (if applicable)
- waited for the mail queue to empty
Reverting the device causes an immediate reboot to take place.
After rebooting, the appliance reinitializes itself and reboots
again to the desired version.
    Available versions
    =================
 1. 9.1.0-019
Please select an AsyncOS version [1]:
Do you want to continue? [N]> 

Configure SAML profile with Service Provider and Identity Provider Settings.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, and machine).

Batch Command: This command does not support a batch format.

In the following example, the samlconfig command is used to create a new SAML Profile with service provider and identity provider settings. You must enter a valid certificate and the private key for the service provider. You can either configure the identity provider configuration manually or import an existing identity provider metadata.

mail.example.com > samlconfig
Choose the operation you want to perform:
- UILOGIN - Create a new SAML Profile for UI Login.
[]> uilogin
No SAML profiles are configured on the system.
Choose the operation you want to perform:
- NEW - Create a new SAML profile.
[]> new
Please enter the Service Provider Settings:
Enter the SP profile Name:
[]> SP1
Enter the SP Entity Id:
[]> ENTSP
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Assertion Consumer URL: http://mail.example.com
Please paste the SP Certificate
.
Paste the content now.
Press CTRL-D on a blank line when done.
-----BEGIN CERTIFICATE-----
MIIDMTCCAhmgAwIBAgIJAPSTH66oUo0kMA0GCSqGSIb3DQEBBQUAMC8xLTArBNV 
BAMMJHZtMjFlc2EwMTMzLmNzMjEuZGV2aXQuY2lzY29sYWJzLmNvbTAeFw0xOTA1 
MDkxMzA3NDRaFw0yOTA1MDYxMzA3NDRaMC8xLTArBgNVBAMMJHZtMjFlc2EwMTMz 
LmNzMjEuZGV2aXQuY2lzY29sYWJzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP 
ADCCAQoCggEBAM1/iDEkYMKOXXU+XWQr+KrDxdNxq3tCkqLmZwFH4TjzxYLIwKsX 
BZt8mlGiilEn/8ilBHlNDtju399qi7ZdSV2OIozrIqm9tPsgGCfoi90F3AM0WYTP 
BWXi6MaJMJPlIkA0lZvVLVqXjUcSM2esAsLNY1qmz/MDqK/x11FWK5qCh/2J9n9n 
4NuRpXsZDqCq4ERKhHOizrO1esoqKEF3Cn9yDDkFQb4NgRC9CDNWCIF7jbdIcD5T 
H4nIus2k5dyo57NIZtdLhLFidUFJ0MycGXZfO7+AHuST0ofnTxgz1o3ZpcxwZl4m 
40UNOQhK7DrBDfSAAjITpyAZ1CuXIKnLkEsCAwEAAaNQME4wHQYDVR0OBBYEFKWK 
siiXt1Qfe/EXFhEnTuZoJzoCMB8GA1UdIwQYMBaAFKWKsiiXt1Qfe/EXFhEnTuZo 
JzoCMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADuzDA0iqITrrZC/ 
jEdwlbz5rbJCMu96mDlH2zzjvQj5K8WNbkTa/UDcj42+2fP+w+DfIjeKcZwUTHGp 
TMmVsLAtuL8oF2uKuNhGUD8tVvqbRFAgb7OefOfYWXKjDyhfNsWxohNemDne+RZc 
DZ7bS/NG2Wkj0wiZBUCj42+0emtDDa0k2Imi/LquZnQomNfsid2OZiAh89gfEgRU 
zogadeWGTGtOB2bDlU4pwaLx+4gKI25ZjpFtk6ak4p8NDZGNDZE3r4IvsP9mlSSe 
0IA+RwGBbgQxnFuuh9s8NuxlDzNj38Pb6qedjujwIHh3TTYETJ3rS5jBWnlJdsmt
2po7pB8=
-----END CERTIFICATE-----
Please paste the SP Certificate Key
.
Paste the content now.
Press CTRL-D on a blank line when done.
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzX+IMSRgwo5ddT5dZCv4qsPF03Gre0KSouZnAUfhOPPFgjA 
qxcFm3yaUaKKUSf/yKUEeU0O2O7f32qLtl1JXY4ijOsiqb20+yAYJ+iL3QXcAzRZ 
hM8FZeLoxokwk+UiQDSVm9UtWpeNRxIzZ6wCws1jWqbP8wOor/HXUVYrmoKH/Yn2 
f2fg25GlexkOoKrgREqEc6LOs7V6yiooQXcKf3IMOQVBvg2BEL0IM1YIgXuNt0hw 
PlMfici6zaTl3Kjns0hm10uEsWJ1QUnQzJwZdl87v4Ae5JPSh+dPGDPWjdmlzHBm 
XibjRQ05CErsOsEN9IACMhOnIBnUK5cgqcuQSwIDAQABAoIBAGkPxK9rK9UMOBfT 
FKg8GtwjTya1PLi95n5GUW9EMo+NgfNFc8uE76b442TNNu4bBxir1Ue279pU9jwh 
GuDXfMTKADwPkx85ECg71l3A9JDBiCRTRVkzBk163wtx5FYYlZRBziNnr9JbHS2y 
znk4Zgj2PM+B7VsPCdU6TZ0V8yEAo75PtmZfmwq/Z1zMmIhDiFJqXZuxH7vYCP+y 
3ZeBPp09YOu4Rz8x9MpUPG8z+b9ekoLd8K90YQqdTZPqaG3MD8SEeKLSYLbyOk1B 
mGZWrVWRRfeNjEPsjixxjiLsdD8RFL+l8SAzI5Zfmr1GM1lMcUcQ4zz8Wds5I2Zi 
FhqW7vECgYEA+76Af/U7joUApxjzrm7MfLHO/w+OKrPJJdCl3V5PZtGgmJTkrf33 
7+kv3zlnyOBf5myErFlCtFYqJ3QA/taolK1PdE4EFpIJevxA7PF2hH0Ee51YCx5v 
T8G/dSOFSDm+3oaXr3WQZfNPBOWBxltb+0EaHGe553HtQQGAFte1l2UCgYEA0Pjj 
AtE2t5IwV2xehBU7XlDkUSFITz6nHlkB/4jehQWbT3pulBctBfGeEfPMxreNmolt 
kcNQ3pw6vo4ZeHrxG6A3KYWqPVnlhXOYo7z1evbUGWnAQrSb9eCEZy191OoXW16F 
E5X2WQ/ENz8YDa/XqOJ6IIvW+++dSBfhEAzRRe8CgYAktfodLtDZjrGyrGPUuxmc 
0X0jGsybk44wsoWNi5Q+pTErLwNOECwY00OE5OUqmPXDL24FiBq/G5WYHUWL5Be/ 
Xqqohjv4YqF5StHY+7lRxr1hnWdab7zBv7pAxcZI6wrXfn8eOiGtjFaomyNanrYC 
JNM+8y1b//QeN67LJfe4NQKBgBcURc4b2RUxGhGtsEqaJbJm8LBdIqVN4Bsj7WqR 
bTH3yo1ekjPc02YipziIWodf4k28+9LrZVUQoBRHkVyTB2nrqev2DTU1Znn0qFj9 
F4d7FzWvTkKPu+HN6BGVHp6TM/0tVTkyiMCRUzRezYNFdmX6jU5m41lzv0UlDgA9 
yicVAoGBAJHY4jbd9mi+u87ss6yT4ETHmzauxdl4ohEQmNhM9YqBeaNC1LRrzQoM 
JhK1xSx55X2lR+2Iizg6DVJ3GFpc+Kfwp86676J08tWfad+3mnHtRqSSFEaV/7Ik 
YfO9kYdhDAVLU4BFmBQ5Fi8Brx6Bmi2MpjTP1CsTStAkAnB2KZuV
-----END RSA PRIVATE KEY-----
^DEnter the SP Certificate Passpharse:
[]> 
Do you want to Sign Requests:
[0]>
Do you want to Sign Assertion Requests:
[0]>
Enter the Technical Contact Id:
[]> mail@example.com
Enter the Organization URL:
[]> http://www.example.com
Enter the Organization Name:
[]> Example
Enter the Organization Display Name:
[]> Example
Please enter the Identity Provider Settings:
Enter the IDP Profile Name:
[]> IDP1
Choose the operation you want to perform:
- PASTE - Paste the IDP Metadata XML.
- ENTER - Enter the IDP Metadata
[]> paste
Please paste the IDP Metadata XML
.
Paste the content now.
Press CTRL-D on a blank line when done.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
        entityID="https://WIN-BL0P4116VDB/dag/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>          
        <ds:X509Certificate>MIIDYTCCAkmgAwIBAgIBAANBgkqhkiG9w0BAQsFADBLMQ
        swCQYDVQQGEwJVUzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEbMBkG
        A1UECgwSRHVvIFNlY3VyaXR5LCBJbmMuMB4XDTE5MDQyOTEwMTQxMFoXDTI5MDQyNjE
        wMTQxMFowSzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJi
            b3IxGzAZBgNVBAoMEkR1byBTZWN1cml0eSwgSW5jLjCCASIwDQYJKoZIhvcNAQEB
            BQADggEPADCCAQoCggEBAMQO/l7hUuSP/7m7qGlisjWGfRQuSzWw5AorTVVmfy1yaHHoFPMiN
            9FWMkZHLVAdW0FJrAooF3I6dQmc3YkuLWoI/DMaGcbNDaZ6+lYdB+pDBl6dXpliNHAsFiyhn89=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>          
        <ds:X509Certificate>MIIDYTCCAkmgAwIBAgIBADANBgkqhkiG9w0BAQsFADBLMQswCQYDVQ
        QGEwJVUzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEbMBkGA1UECgwSRHVvIFNlY
        3VyaXR5LCBJbmMuMB4XDTE5MDQyOTEwMTQxMFoXDTI5MDQyNjEwMTQxMFowSzELMAkGA1UEBhMCV
        VMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGzAZBgNVBAoMEkR1byBTZWN1cml0e
        SwgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQO/l7hUuSP/7m7qGlisjWGfR
        QuSzWw5AorTVVmfy1yaHHoFPMiN9FWMkZHLVAdW0FJrAooF3I6dQmc3YkuLWoI/DMaGcbNDaZ6+lYd
        B+pDBl6dXpliNHAsFiyhn89+ee06Thys9yxrND8hYwZfQE3aIB/leEmyualhO8YDd81iD+XtMijSYhO=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
        Location="https://WIN-BL0P4116VDB/dag/saml2/idp/SingleLogoutService.php"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
        Location="https://WIN-BL0P4116VDB/dag/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
        Location="https://WIN-BL0P4116VDB/dag/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
        Location="https://WIN-BL0P4116VDB/dag/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
        Location="https://WIN-BL0P4116VDB/dag/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

In the following example, you can use the samlconfig command to modify the service provider or identity provider settings of an existing SAML profile.

mail.example.com > samlconfig

Choose the operation you want to perform:
- UILOGIN - Create a new SAML Profile for UI Login.

[]> uilogin

Currently configured SAML User profiles:
-------------   ------------------   ------------------    --------------------------------------
 Type            Name                 Entity ID              URL
-------------   ------------------   ------------------    --------------------------------------
SP Settings     SP1                  ENTSP                 http://mail.example.com
IDP Settings    IDP1                 https://WIN-BL0P4116  https://WIN- BL0P4116VDB/dag/saml2/idp/Si
-------------   ------------------   ------------------    ----------------------------------
Choose the operation you want to perform:
- EDIT - Modify a SAML profile.
- DELETE - Delete a SAML profile.
[]> edit
Choose the operation you want to perform:
- SP - Edit Service Provider Settings.
- IDP - Edit Identity Provider Settings.
[]>

The settime command allows you to manually set the time if you are not using an NTP server. The command asks you if you want to stop NTP and manually set the system clock. Enter the time is using this format: MM/DD/YYYY HH:MM:SS.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> settime
WARNING: Changes to system time will take place immediately
and do not require the user to run the commit command.
Current time 09/23/2001 21:03:53.
This machine is currently running NTP.
In order to manually set the time, NTP must be disabled.
Do you want to stop NTP and manually set the time? [N]> Y
Please enter the time in MM/DD/YYYY HH:MM:SS format.
[]> 09/23/2001 21:03:53
Time set to 09/23/2001 21:03:53.

Set the local time zone.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail3.example.com> settz
Current time zone: Etc/GMT
Current time zone version: 2010.02.0
Choose the operation you want to perform:
- SETUP - Set the local time zone.
[]> setup
Please choose your continent:
1. Africa
2. America
[ ... ]
11. GMT Offset
[2]> 2
Please choose your country:
1. Anguilla
[ ... ]
45. United States
46. Uruguay
47. Venezuela
48. Virgin Islands (British)
49. Virgin Islands (U.S.)
[45]> 45
Please choose your timezone:
1. Alaska Time (Anchorage)
2. Alaska Time - Alaska panhandle (Juneau)
[ ... ]
21. Pacific Time (Los_Angeles)
[21]> 21
Current time zone: America/Los_Angeles
Choose the operation you want to perform:
- SETUP - Set the local time zone.
[]>

Shut down the system to power off

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> shutdown
Enter the number of seconds to wait before forcibly closing connections.
[30]> 
System shutting down.  Please wait while the queue is being closed...
Closing CLI connection.
The system will power off automatically.
Connection to mail.example.com closed.

The smaconfig command is used to add, delete, or view the SMA connection parameters and keys.

Commit: This command requires a 'commit'.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

In the following example, you can use the smaconfig command to add Email Security appliances to the Content Security Management Appliance (SMA) using pre-shared keys, and view the SMA connection details (host name and user keys).

mail.example.com> smaconfig
Choose the operation you want to perform:
- ADD - Add a new SMA Connection Parameter and Key.
[]> add

Enter the hostname of the system that you want to add.
[]> m380q03.ibqa

Enter the user key of the host m380q03.ibqa.
Press enter on a blank line to finish.

SSH2:dsa
10.76.71.107 ssh-dss AAAAB3NzaC1kc3MAAACBAJCRYaVJgwSMTmLbt2xG5LVNKjFXpzW/vMRDQN3xclvJVpgYnQ1GfjL/zAbZC5pYz/jac405R9h+J2jTzAjzZRgaBIalVvi1Li0JkQQNhcRWEDjOhHwMTOkHh1+SVuqoR5xM0Y47jE/9SmEM6OXFSkAeTVXQq65c99FDGnNpvBWFAAAAFQD0dhuWPCD+++xjLZr4yxlWFJ5AdQAAAIBilaS+VDYY38IosX/9czWGIcBl7cqDZUXWkwoKF41OUfnoa42Q0VDBaoPiJ7gBhWVDHTo8rgz9PQRcl020Ok2ud7WASf/rLKbP9i26PWRK1yAAr7FvDol/l//5GtXbMtqWyVeo3oGqGS7dZc7MI/pMC5jGxDmTSM2SlyOEsS1xmQAAAIAY1ZiXC2ZeMhVWKgj8A8JHEPcgT4hu7Mo3Yq+YkGsemK4L+YF4k3t5DbGwirYvfXZCJSPD+E9mcnltIaOMFuB1W8Kiq+Cz/Ikzm9U4MdIz48HOKS2Sl7YVG3xhYJjyyRpLHGDYRagANtjvOLRPF57xUvkdz5DCcJiXbWEhaZBHkg==

SMA host key was added successfully.


Choose the operation you want to perform:
- ADD - Add a new SMA Connection Parameter and Key.
- DELETE - Remove an existing SMA Connection Parameter and Key.
- PRINT - Display all SMA Parameters and Keys.

[]> print
1. Hostname: m380q03.ibqa  Keys: SSH2:dsa10.76.71.107 ssh-dss
AAAAB3NzaC1kc3MAAACBAJCRYaVJgwSMTmLbt2xG5LVNKjFXpzW/vMRDQN3xclvJVpgYnQ1GfjL/zAbZC5pYz/jac405R9h+J2jTzAjzZRgaBIalVvi1Li0JkQQNhcRWEDjOhHwMTOkHh1+SVuqoR5xM0Y47jE/9SmEM6OXFSkAeTVXQq65c99FDGnNpvBWFAAAAFQD0dhuWPCD+++x
jLZr4yxlWFJ5AdQAAAIBilaS+VDYY38IosX/9czWGIcBl7cqDZUXWkwoKF41OUfnoa42Q0VDBaoPiJ7gBhWVDHTo8rgz9PQRcl020Ok2ud7WASf/rLKbP9i26PWRK1yAAr7FvDol/l//5GtXbMtqWyVeo3oGqGS7dZc7MI/pMC5jGxDmTSM2SlyOEsS1xmQAAAIAY1ZiXC2ZeMhVWKg
j8A8JHEPcgT4hu7Mo3Yq+YkGsemK4L+YF4k3t5DbGwirYvfXZCJSPD+E9mcnltIaOMFuB1W8Kiq+Cz/Ikzm9U4MdIz48HOKS2Sl7YVG3xhYJjyyRpLHGDYRagANtjvOLRPF57xUvkdz5DCcJiXbWEhaZBHkg==
Choose the operation you want to perform:
- ADD - Add a new SMA Connection Parameter and Key.
- DELETE - Remove an existing SMA Connection Parameter and Key.
- PRINT - Display all SMA Parameters and Keys.
[]> 

Configure SSH server and user key settings.

Commit: This command requires a ‘commit’.

Cluster Management: This command is restricted to cluster mode.

Batch Command: This command does not support a batch format.

• Example: Editing SSH Server Configuration

• Example: Installing a New Public Key for the Administrator Account

• Example: Categorizing an IP Address as Persistent Blacklist or Whitelist

Show system status.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> status

Status as of:               Thu Oct 21 14:33:27 2004 PDT
Up since:                   Wed Oct 20 15:47:58 2004 PDT (22h 45m 29s)
Last counter reset:         Never
System status:              Online
Oldest Message:             4 weeks 46 mins 53 secs
Feature - McAfee:              161 days
[....]
Feature - Outbreak Filters:    161 days
Counters:                               Reset          Uptime        Lifetime
  Receiving
    Messages Received              62,049,822         290,920      62,049,822
    Recipients Received            62,049,823         290,920      62,049,823
  Rejection
    Rejected Recipients             3,949,663          11,921       3,949,663
    Dropped Messages               11,606,037             219      11,606,037
  Queue
    Soft Bounced Events             2,334,552          13,598       2,334,552
  Completion
    Completed Recipients           50,441,741         332,625      50,441,741
  Current IDs
    Message ID (MID)                                                 99524480
    Injection Conn. ID (ICID)                                        51180368
    Delivery Conn. ID (DCID)                                         17550674
Gauges:                               Current
  Connections
    Current Inbound Conn.                   0
    Current Outbound Conn.                 14
Queue
    Active Recipients                              1
    Messages In Work Queue                         0
    Kilobytes Used                                92
    Kilobytes Free                         8,388,516
  Quarantine
    Messages In Quarantine
      Policy, Virus and Outbreak                   0
    Kilobytes In Quarantine
      Policy, Virus and Outbreak                   0

Send a message to Cisco customer support. This command requires that the appliance is able to send mail to the Internet. A trouble ticket is automatically created, or you can associate the support request with an existing trouble ticket.

To access Cisco technical support directly from the appliance, your Cisco.com user ID must be associated with your service agreement contract for this appliance. To view a list of service contracts that are currently associated with your Cisco.com profile, visit the Cisco.com Profile Manager at https://sso.cisco.com/autho/forms/CDClogin.html . If you do not have a Cisco.com user ID, register to get one. See information about registering for an account in the online help or user guide for your release.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto). This command requires access to the local file system.

Batch Command: This command does not support a batch format.

The following example shows a support request that is not related to an existing support ticket.

mail.example.com> supportrequest
Please Note:
If you have an urgent issue, please call one of our worldwide Support Centers
(www.cisco.com/support). Use this command to open a technical support request
for issues that are not urgent, such as:
- Request for information.
- Problem for which you have a work-around, but would like an alternative
solution.
Do you want to send the support request to supportrequest@mail.qa? 
[Y]>
Do you want to send the support request to additional recipient(s)? 
[N]>
Is this support request associated with an existing support ticket? 
[N]>
Please select a technology related to this support request:
1. Security - Email and Web
2. Security - Management
[1]> 1
Please select a subtechnology related to this support request:
1. Cisco Email Security Appliance (C1x0,C3x0, C6x0, X10x0) - Misclassified
Messages
2. Cisco Email Security Appliance (C1x0,C3x0, C6x0, X10x0) - SBRS
3. Cisco Email Security Appliance (C1x0,C3x0, C6x0, X10x0) - Other
4. Email Security Appliance - Virtual
[1]> 3
Please select the problem category:
1. Upgrade
2. Operate
3. Configure
4. Install
[1]> 3
Please select a problem sub-category:
1. Error Messages, Logs, Debugs
2. Software Failure
3. Interoperability
4. Configuration Assistance
5. Install, Uninstall or Upgrade
6. Hardware Failure
7. Licensing
8. Data Corruption
9. Software Selection/Download Assistance
10. Passphrase Recovery
[1]> 5
Please enter a subject line for this support request:
[]> <Subject line for support request>
Please enter a description of your issue, providing as much detail as possible
to aid in diagnosis:
[]> <Description of issue>
It is important to associate all your service contracts with your Cisco.com profile (CCO ID) in order for you to receive complete 
access to support and services from Cisco. Please follow the URLs below to associate your contract coverage on your Cisco.com profile. 
If you do not have a CCO ID, please follow
the URL below to create a CCO ID.
How to create a CCO ID:
https://tools.cisco.com/RPF/register/register.do
How to associate your CCO ID with contract:
https://tools.cisco.com/RPFA/profile/profile_management.do
Frequently Asked Question:
http://www.cisco.com/web/ordering/cs_info/faqs/index.html
Select the CCOID
1. New CCOID
[1]>
Please enter the CCOID of the contact person :
[]> your name
The CCO ID may contain alphabets, numbers and '@', '.', '-' and '_' symbols.
Please enter the CCOID of the contact person :
[]> me@example.com
Please enter the name of the contact person :
[]> yourname
Please enter your email address:
[]> me@example.com
Please enter the contract ID:
[]> 1234
Please enter any additional contact information (e.g. phone number):
[]>
Please wait while configuration information is generated...
Do you want to print the support request to the screen? 
[N]>

Display Support Request Keywords version information for requesting support from Cisco TAC.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> supportrequeststatus
Component                 Version    Last Updated
Support Request           1.0        Never updated

Request manual update of Support Request Keywords for requesting support from Cisco TAC.

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> supportrequestupdate
Requesting update of Support Request Keywords.

Suspend receiving and deliveries

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> suspend
Enter the number of seconds to wait before abruptly closing connections.
[30]> 45
Waiting for listeners to exit...
Receiving suspended for Listener 1.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
mail3.example.com>

Suspend deliveries

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> suspenddel
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Enter one or more domains [comma-separated] to which you want to suspend delivery.
[ALL]> domain1.com, domain2.com, domain3.com
Waiting for outgoing deliveries to finish...
Mail delivery suspended.

Suspend receiving.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> suspendlistener
Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. InboundMail
3. OutboundMail
[1]> 1
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Waiting for listeners to exit...
Receiving suspended.
mail3.example.com> 

Display information about files opened by processes.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.cisco.com> tcpservices
System Processes (Note: All processes may not always be present)
  ftpd.main    - The FTP daemon
  ginetd       - The INET daemon
  interface    - The interface controller for inter-process communication
  ipfw         - The IP firewall
  slapd        - The Standalone LDAP daemon
  sntpd        - The SNTP daemon
  sshd         - The SSH daemon
  syslogd      - The system logging daemon
  winbindd     - The Samba Name Service Switch daemon
Feature Processes
  euq_webui    - GUI for ISQ
  gui          - GUI process
  hermes       - MGA mail server
  postgres     - Process for storing and querying quarantine data
  splunkd      - Processes for storing and querying Email Tracking data
COMMAND      USER         TYPE NODE   NAME
interface    root         IPv4 TCP    127.0.0.1:53
postgres     pgsql        IPv4 TCP    127.0.0.1:5432
qabackdoo    root         IPv4 TCP    *:8123
ftpd.main    root         IPv4 TCP    10.1.1.0:21
euq_webui    root         IPv4 TCP    10.1.1.0:83
euq_webui    root         IPv6 TCP    [2001:db8::]:83
gui          root         IPv4 TCP    172.29.181.70:80
gui          root         IPv4 TCP    10.1.1.0:80
gui          root         IPv6 TCP    [2001:db8::]:80
gui          root         IPv4 TCP    172.29.181.70:443
gui          root         IPv4 TCP    10.1.1.0:443
gui          root         IPv6 TCP    [2001:db8::]:443
ginetd       root         IPv4 TCP    172.29.181.70:22
ginetd       root         IPv4 TCP    10.1.1.0:22
ginetd       root         IPv6 TCP    [2001:db8::]:22
ginetd       root         IPv4 TCP    10.1.1.0:2222
ginetd       root         IPv6 TCP    [2001:db8::]:2222
hermes       root         IPv4 TCP    172.29.181.70:25
splunkd      root         IPv4 TCP    127.0.0.1:8089
splunkd      root         IPv4 TCP    127.0.0.1:9997
api_serve    root         IPv4 TCP    10.1.1.0:6080
api_serve    root         IPv6 TCP    [2001:db8::]:6080
api_serve    root         IPv4 TCP    10.1.1.0:6443
api_serve    root         IPv6 TCP    [2001:db8::]:6443
java         root         IPv6 TCP    [::127.0.0.1]:9999

Allow Cisco TAC to access your system.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> techsupport
Service Access currently disabled.
Serial Number: XXXXXXXXXXXX-XXXXXXX
Choose the operation you want to perform:
- SSHACCESS - Allow a Cisco IronPort Customer Support representative to remotely access your system, without establishing a tunnel.
- TUNNEL - Allow a Cisco IronPort Customer Support representative to remotely access your system, and establish a secure tunnel 
           for communication.
- STATUS - Display the current techsupport status.
[]> sshaccess
A random seed string is required for this operation
1. Generate a random string to initialize secure communication (recommended)
2. Enter a random string
[1]> 1
Are you sure you want to enable service access? [N]> y
Service access has been ENABLED.  Please provide the string:
QT22-JQZF-YAQL-TL8L-8@2L-95
to your Cisco IronPort Customer Support representative.
Service Access currently ENABLED (0 current service logins).
Tunnel option is not active.
Serial Number: XXXXXXXXXXXX-XXXXXXX
Choose the operation you want to perform:
- DISABLE - Prevent customer service representatives from remotely accessing your system.
- STATUS - Display the current techsupport status.
[]>

Establish an outbound TLS connection on demand and debug any TLS connection issues concerning a destination domain. To create the connection, specify the domain to verify against and the destination host. AsyncOS checks the TLS connection based on the Required (Verify) TLS setting

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command supports a batch format.

The batch format of the tlsverify command can be used to perform all the fuctions of the traditional CLI command to check the TLS connection to the given hostname.

tlsverify <domain> <hostname>[:<port>]

mail3.example.com> tlsverify
Enter the TLS domain to verify against:
[]> example.com
Enter the destination host to connect to.  Append the port (example.com:26) if you are not connecting on port 25:
[example.com]> mxe.example.com:25
Connecting to 1.1.1.1 on port 25.
Connected to 1.1.1.1 from interface 10.10.10.10.
Checking TLS connection.
TLS connection established: protocol TLSv1, cipher RC4-SHA.
Verifying peer certificate.
Verifying certificate common name mxe.example.com.
TLS certificate match mxe.example.com
TLS certificate verified.
TLS connection to 1.1.1.1 succeeded.
TLS successfully connected to mxe.example.com.
TLS verification completed.

Trace the flow of a message through the system

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> trace
Enter the source IP
[]> 192.168.1.1
Enter the fully qualified domain name of the source IP
[]> example.com
Select the listener to trace behavior on:
1. InboundMail
2. OutboundMail
[1]> 1
Fetching default SenderBase values...
Enter the SenderBase Org ID of the source IP.  The actual ID is N/A.
[N/A]>
Enter the SenderBase Reputation Score of the source IP.  The actual score is N/A.
[N/A]>
Enter the Envelope Sender address:
[]> pretend.sender@example.net
Enter the Envelope Recipient addresses.  Separate multiple addresses by commas.
[]> admin@example.com
Load message from disk?  [Y]> n
Enter or paste the message body here.  Enter '.' on a blank line to end.
Subject: Hello
This is a test message.
.
HAT matched on unnamed sender group, host ALL
 - Applying $ACCEPTED policy (ACCEPT behavior).
 - Maximum Message Size:  100M (Default)
 - Maximum Number Of Connections From A Single IP:  1000 (Default)
 - Maximum Number Of Messages Per Connection:  1,000 (Default)
 - Maximum Number Of Recipients Per Message:  1,000 (Default)
 - Maximum Recipients Per Hour:  100 (Default)
 - Use SenderBase For Flow Control:  Yes (Default)
 - Spam Detection Enabled:  Yes (Default)
 - Virus Detection Enabled:  Yes (Default)
 - Allow TLS Connections:  No (Default)
Processing MAIL FROM:
 - Default Domain Processing:  No Change
Processing Recipient List:
Processing admin@ironport.com
 - Default Domain Processing:  No Change
 - Domain Map:  No Change
 - RAT matched on admin@ironport.com, behavior = ACCEPT
 - Alias expansion:  No Change
Message Processing:
 - No Virtual Gateway(tm) Assigned
 - No Bounce Profile Assigned
Domain Masquerading/LDAP Processing:
 - No Changes.
Processing filter 'always_deliver':
Evaluating Rule:   rcpt-to == "@mail.qa"
    Result = False
Evaluating Rule:   rcpt-to == "ironport.com"
    Result = True
Evaluating Rule:   OR
    Result = True
Executing Action:  deliver()
Footer Stamping:
 - Not Performed
Inbound Recipient Policy Processing: (matched on Management Upgrade policy)
Message going to:  admin@ironport.com
AntiSpam Evaluation:
 - Not Spam
AntiVirus Evaluation:
 - Message Clean.
 - Elapsed Time = '0.000 sec'
Outbreak Filter Evaluation:
 - No threat detected
Message Enqueued for Delivery
Would you like to see the resulting message? [Y]> y
Final text for messages matched on policy Management Upgrade
Final Envelope Sender:  pretend.sender@example.doma
Final Recipients:
 - admin@ironport.com
Final Message Content:
Received: from remotehost.example.com (HELO TEST) (1.2.3.4)
  by stacy.qa with TEST; 19 Oct 2004 00:54:48 -0700
Message-Id: <3i93q9$@Management>
X-IronPort-AV: i="3.86,81,1096873200";
   d="scan'208"; a="0:sNHT0"
Subject: hello
This is a test message.
Run through another debug session? [N]>

Note	When using trace , you must include both the header and the body of the message pasted into the CLI.

Configure the tracking system.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

mail.example.com> trackingconfig
Message Tracking service status: Message Tracking is enabled.
Choose the operation you want to perform:
- SETUP - Enable Message Tracking for this appliance.
[]> setup
Would you like to use the Message Tracking Service? [Y]>
Do you want to use Centralized Message Tracking for this appliance? [N]>
Would you like to track rejected connections? [N]>
Message Tracking service status: Local Message Tracking is enabled.
Rejected connections are currently not being tracked.
Choose the operation you want to perform:
- SETUP - Enable Message Tracking for this appliance.
[]>

Update timezone rules

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command supports a batch format.

The batch format of the tzupdate command forces an update off all time zone rules even if no changes are detected.

tzupdate [force]

mail.example.com> tzupdate
Requesting update of Timezone Rules

Configure system update parameters.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

• Configure the Appliance to Download Updates from Updater Servers
• Configure the Appliance to Verify the Validity of Updater Server Certificate
• Configure the Appliance to Trust Proxy Server Communication

Requests an update to all system service components.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does support a batch format.

The batch format of the updatenow command can be used to update all components on the appliance even if no changes are detected.

updatenow [force]

mail3.example.com> updatenow
Success - All component updates requested

View system version information

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> version
Current Version
===============
Product: Cisco C100V Email Security Virtual Appliance
Model: C100V
Version: 9.1.0-019
Build Date: 2015-02-17
Install Date: 2015-02-19 05:17:56
Serial #: 421C73B18CFB05784A83-B03A99E71ED8
BIOS: 6.00
CPUs: 2 expected, 2 allocated
Memory: 6144 MB expected, 6144 MB allocated
RAID: NA
RAID Status: Unknown
RAID Type: NA
BMC: NA

Use the wipedata command to wipe the core files on the disk and check the status of the last coredump operation.

Note	Depending on the size of the data, wipe action may take a while and can affect the system performance until the action is complete.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> wipedata
Wiping data may take a while and can affect system performance till it completes.
Choose the operation you want to perform:
- STATUS - Display status of last command run
- COREDUMP - Wipe core files on disk
[]> coredump
wipedata: In progress
mail.example.com> wipedata
Wiping data may take a while and can affect system performance till it completes.
Choose the operation you want to perform:
- STATUS - Display status of last command run
- COREDUMP - Wipe core files on disk
[]> status
Last wipedata status: Successful

The upgrade CLI command displays a list of available upgrades and upgrades the AsyncOS system to the version specified by the user.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail3.example.com> upgrade
Upgrades available:
1. AsyncOS (***DON'T TOUCH!***) 4.0.8 upgrade, 2005-05-09 Build 900
2. AsyncOS 4.0.8 upgrade, 2005-08-12 Build 030
.......
45. SenderBase Network Participation Patch
[45]>
Performing an upgrade will require a reboot of the system after the upgrade is applied.
 Do you wish to proceed with the upgrade? [Y]> Y

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format.

mail.example.com> contentscannerstatus
Component              Version                Last Updated
Content Scanner Tools  11.2.1884.970097       Never updated

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode. It is further restricted to the login host (i.e., the specific machine you are logged onto).

Batch Command: This command does not support a batch format.

mail.example.com> contentscannerupdate force
Requesting forced update for Content Scanner.

Configure LDAP servers

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, the ldapconfig command is used to define an LDAP server for the appliance to bind to, and queries for recipient acceptance ( ldapaccept subcommand), routing ( ldaprouting subcommand), masquerading ( masquerade subcommand), end-user authentication for the Spam Quarantine ( isqauth subcommand), and alias consolidation for spam notifications ( isqalias subcommand) are configured.

First, the nickname of “PublicLDAP” is given for the mldapserver.example.com LDAP server. Queries are directed to port 3268 (the default). The search base of example.com is defined ( dc=example,dc=com ), and queries for recipient acceptance, mail re-routing, and masquerading are defined. The queries in this example are similar to an OpenLDAP directory configuration which uses the inetLocalMailRecipient auxiliary object class defined in the expired Internet Draft draft-lachman-laser-ldap-mail-routing-xx.txt , also sometimes known as “the Laser spec.” (A version of this draft is included with the OpenLDAP source distribution.) Note that in this example, the alternate mailhost to use for queried recipients in the mail re-routing query is mailForwardingAddress . Remember that query names are case-sensitive and must match exactly in order to return the proper results.

mail3.example.com> ldapconfig
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
[]> new
Please create a name for this server configuration (Ex: "PublicLDAP"):
[]> PublicLDAP
Please enter the hostname:
[]> myldapserver.example.com
Use SSL to connect to the LDAP server? [N]> n
Select the authentication method to use for this server configuration:
1. Anonymous
2. Passphrase based
[1]> 2
Please enter the bind username:
[cn=Anonymous]>
Please enter the bind passphrase:
[]>
Connect to LDAP server to validate setting? [Y]
Connecting to the LDAP server, please wait...
Select the server type to use for this server configuration:
1. Active Directory
2. OpenLDAP
3. Unknown or Other
[3]> 1

Please enter the port number:
[3268]> 3268
Please enter the base:
[dc=example,dc=com]> dc=example,dc=com
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- TEST - Test the server configuration.
- LDAPACCEPT - Configure whether a recipient address should be accepted or
bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- CERTAUTH - Configure certificate authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> ldapaccept
Please create a name for this query:
[PublicLDAP.ldapaccept]> PublicLDAP.ldapaccept
Enter the LDAP query string:
[(proxyAddresses=smtp:{a})]> (proxyAddresses=smtp:{a})
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> ldaprouting
Please create a name for this query:
[PublicLDAP.routing]> PublicLDAP.routing
Enter the LDAP query string:
[(mailLocalAddress={a})]> (mailLocalAddress={a})
The query requires one of the attributes below.  Please make a selection.
  [1] Configure MAILROUTINGADDRESS only - Rewrite the Envelope Recipient (and
leave MAILHOST unconfigured)?
  [2] Configure MAILHOST only - Send the messages to an alternate mail host
(and leave MAILROUTINGADDRESS unconfigured)?
  [3] Configure both attributes
[]> 1
Enter the attribute which contains the full rfc822 email address for the
recipients.
[mailRoutingAddress]> mailRoutingAddress
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
LDAPROUTING: PublicLDAP.routing
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> masquerade
Please create a name for this query:
[PublicLDAP.masquerade]> PublicLDAP.masquerade
Enter the LDAP query string:
[(mailRoutingAddress={a})]> (mailRoutingAddress={a})
Enter the attribute which contains the externally visible full rfc822 email address.
[]> mailLocalAddress
Do you want the results of the returned attribute to replace the entire friendly portion of the original recipient? [N]> n
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
LDAPROUTING: PublicLDAP.routing
MASQUERADE: PublicLDAP.masquerade
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]> isqauth
Please create a name for this query:
[PublicLDAP.isqauth]> PublicLDAP.isqauth
Enter the LDAP query string:
[(sAMAccountName={u})]> (sAMAccountName={u})
Enter the list of email attributes.
[]> mail,proxyAddresses
Do you want to activate this query? [Y]> y
Do you want to test this query? [Y]> y
User identity to use in query:
[]> admin@example.com
Passphrase to use in query:
[]> passphrase
LDAP query test results:
LDAP Server: myldapserver.example.com
Query: PublicLDAP.isqauth
User: admin@example.com
Action: match positive
LDAP query test finished.
Name: PublicLDAP
Hostname: myldapserver.example.com Port 3268
Server Type: Active Directory
Authentication Type: passphrase
Base: dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
LDAPROUTING: PublicLDAP.routing
MASQUERADE: PublicLDAP.masquerade
ISQAUTH: PublicLDAP.isqauth [active]
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
- EXTERNALAUTH - Configure external authentication queries.
- ISQAUTH - Configure Spam Quarantine End-User Authentication Query.
- ISQALIAS - Configure Spam Quarantine Alias Consolidation Query.
[]>
Current LDAP server configurations:
1. PublicLDAP: (myldapserver.example.com:3268)
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
- EDIT - Modify a server configuration.
- DELETE - Remove a server configuration.
[]>

In the following example, the LDAP global settings are configured, including the certificate for TLS connections.

mail3.example.com> ldapconfig
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
[]> setup
Choose the IP interface for LDAP traffic.
1. Auto
2. Management (10.92.145.175/24: esx16-esa01.qa)
[1]> 1
LDAP will determine the interface automatically.
Should group queries that fail to complete be silently treated as having
negative results? [Y]>
Validate LDAP server certificate? [Y]>
The "Demo" certificate is currently configured. You may use "Demo", but this will not be secure.
1. partner.com
2. Demo
Please choose the certificate to apply:
[1]> 1
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- SETUP - Configure LDAP options.
[]>

Flush any cached LDAP results.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

mail3.example.com> ldapflush
Are you sure you want to flush any cached LDAP results? [N]> y
Flushing cache
mail3.example.com>

Perform a single LDAP query test

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

In this example, the ldaptest command is used to test the only recipient acceptance query for the configured LDAP server configuration. The recipient address “admin@example.com” passes the test, while the recipient address “bogus@example.com” fails.

mail3.example.com> ldaptest
Select which LDAP query to test:
1. PublicLDAP.ldapaccep
[1]> 1
Address to use in query:
[]> admin@example.com
LDAP query test results:
                Query: PublicLDAP.ldapaccept
             Argument: admin@example.com
               Action: pass
LDAP query test finished.
mail3.example.com> ldaptest
Select which LDAP query to test:
1. PublicLDAP.ldapaccep
[1]> 1
Address to use in query:
[]> bogus@example.com
LDAP query test results:
 Query: PublicLDAP.ldapaccept
 Argument: bogus@example.com
 Action: drop or bounce (depending on listener settings)
 Reason: no matching LDAP record was found
LDAP query test finished.
mail3.example.com>

Sets or disables the character used for Sieve Email Filtering, as described in RFC 3598. Note that the Sieve Character is ONLY recognized in LDAP Accept and LDAP Reroute queries. Other parts of the system will operate on the complete email address.

Allowable characters are: -_=+/^#

Commit: This command does not require a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format

In this example, the sievechar command is used to define + as the sieve character recognized in Accept and LDAP Reroute queries.

mail3.example.com> sievechar
Sieve Email Filtering is currently disabled.
Choose the operation you want to perform:
- SETUP - Set the separator character.
[]> setup
Enter the Sieve Filter Character, or a space to disable Sieve Filtering.
[]> +
Sieve Email Filter is enabled, using the '+' character as separator.
This applies only to LDAP Accept and LDAP Reroute Queries.
Choose the operation you want to perform:
- SETUP - Set the separator character.
[]> 

Configure address lists.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

The batch format for the addresslistconfig command can be used to create a new address list, edit an existing address list, print a list of address lists, delete an address list, or find conflicting addresses within an address list.

• Adding a new address list:

  
  addresslistconfig new <name> --descr=<description> --addresses=<address1,address2,...>

• Editing an existing address list:

  
  addresslistconfig edit <name> --name=<new-name> --descr=<description> --addresses=<address1,address2,...>

• Deleting an address list:

  
  addresslistconfig delete <name>

• Printing a list of address lists:

  
  addresslistconfig print <name>

• Finding conflicting addresses within an address list:

  
  addresslistconfig conflicts <name>

Configure email aliases.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format.

The batch format of the aliasconfig command can be used to add a new alias table, edit an existing table, print a list of email aliases, and import/export alias table. To invoke as a batch command, use the following format of the aliasconfig command with the variables listed below:

• Adding a new email alias:

  aliasconfig new <domain> <alias> [email_address1] [email_address2] ...

Note	Using the ‘ aliasconfig new ’ command with a non-existant domain causes the domain to be created.

• Editing an existing email alias

  aliasconfig edit <domain> <alias> <email_address1] [email_address2] ...

• Displaying an email alias:

  aliasconfig print

• Importing a local alias listing:

  aliasconfig import <filename>

• Exporting an alias listing on the appliance:

  aliasconfig export <filename>

mail3.example.com> aliasconfig
Enter address(es) for "customercare".
Separate multiple addresses with commas.
[]> bob@example.com, frank@example.com, sally@example.com
Adding alias customercare: bob@example.com,frank@example.com,sally@example.com
Do you want to add another alias?  [N]> n
There are currently 1 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]> new
How do you want your aliases to apply?
1. Globally
2. Add a new domain context
3. example.com
[1]> 1
Enter the alias(es) to match on.
Separate multiple aliases with commas.
Allowed aliases:
    - "user@domain" - This email address.
    - "user" - This user for any domain
    - "@domain" - All users in this domain.
    - "@.partialdomain" - All users in this domain, or any of its sub domains.
[]> admin
Enter address(es) for "admin".
Separate multiple addresses with commas.
[]> administrator@example.com
Adding alias admin: administrator@example.com
Do you want to add another alias?  [N]> n
There are currently 2 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]> print
admin: administrator@example.com
[ example.com ]
customercare: bob@example.com, frank@example.com, sally@example.com
There are currently 2 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]>

Archive older messages in your queue.

Commit: This command does not require a commit.

Cluster Management: This command is restricted to machine mode..

Batch Command: This command does not support a batch format.

In the following example, an older message is archived:

mail3.example.com> 
archivemessage
Enter the MID to archive.
[0]> 47

MID 47 has been saved in file oldmessage_47.mbox in the configuration

Configure Virtual Gateway(tm) mappings.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, the altsrchost table is printed to show that there are no existing mappings. Two entries are then created:

• Mail from the groupware server host named @exchange.example.com is mapped to the PublicNet interface.
• Mail from the sender IP address of 192.168.35.35 is mapped to the AnotherPublicNet interface.

Finally, the altsrchost mappings are printed to confirm and the changes are committed.

mail3.example.com> altsrchost
There are currently no mappings configured.
Choose the operation you want to perform:
- NEW - Create a new mapping.
- IMPORT - Load new mappings from a file.
[]> new
Enter the Envelope From address or client IP address for which you want to set up a Virtual Gateway mapping.  
Partial addresses such as "@example.com" or "user@" are allowed.
[]> @exchange.example.com
Which interface do you want to send messages for @exchange.example.com from?
1. AnotherPublicNet (192.168.2.2/24: mail4.example.com)
2. Management (192.168.42.42/24: mail3.example.com)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail4.example.com)
[1]> 4
Mapping for @exchange.example.com on interface PublicNet created.
Choose the operation you want to perform:
- NEW - Create a new mapping.
- EDIT - Modify a mapping.
- DELETE - Remove a mapping.
- IMPORT - Load new mappings from a file.
- EXPORT - Export all mappings to a file.
- PRINT - Display all mappings.
- CLEAR - Remove all mappings.
[]> new
Enter the Envelope From address or client IP address for which you want to set up a Virtual Gateway mapping.  
Partial addresses such as "@example.com" or "user@" are allowed.
[]> 192.168.35.35
Which interface do you want to send messages for 192.168.35.35 from?
1. AnotherPublicNet (192.168.2.2/24: mail4.example.com)
2. Management (192.168.42.42/24: mail3.example.com)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail4.example.com)
[1]> 1
Mapping for 192.168.35.35 on interface AnotherPublicNet created.
Choose the operation you want to perform:
- NEW - Create a new mapping.
- EDIT - Modify a mapping.
- DELETE - Remove a mapping.
- IMPORT - Load new mappings from a file.
- EXPORT - Export all mappings to a file.
- PRINT - Display all mappings.
- CLEAR - Remove all mappings.
[]> print
1. 192.168.35.35 -> AnotherPublicNet
2. @exchange.example.com -> PublicNet
Choose the operation you want to perform:
- NEW - Create a new mapping.
- EDIT - Modify a mapping.
- DELETE - Remove a mapping.
- IMPORT - Load new mappings from a file.
- EXPORT - Export all mappings to a file.
- PRINT - Display all mappings.
- CLEAR - Remove all mappings.
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Added 2 altsrchost mappings 
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

Configure the behavior of bounces.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command supports a batch format. See the inline CLI help for more details. Use the help command to access the inline help for this command.

In the following example, a bounce profile named bounceprofile is created using the bounceconfig command. In this profile, all hard bounced messages are sent to the alternate address bounce-mailbox@example.com . Delay warnings messages are enabled. One warning message will be sent per recipient, and the default value of 4 hours (14400 seconds) between warning messages is accepted

mail3.example.com> bounceconfig
Current bounce profiles:
1. Default
Choose the operation you want to perform:
- NEW - Create a new profile.
- EDIT - Modify a profile.
[]> new
Please create a name for the profile:
[]> bounceprofile
Please enter the maximum number of retries.
[100]> 100
Please enter the maximum number of seconds a message may stay in the queue before being hard bounced.
[259200]> 259200
Please enter the initial number of seconds to wait before retrying a message.
[60]> 60
Please enter the maximum number of seconds to wait before retrying a message.
[3600]> 3600
Do you want a message sent for each hard bounce? (Yes/No/Default) [Y]> y
Do you want bounce messages to use the DSN message format? (Yes/No/Default) [Y]> y
Enter the subject to use:
[Delivery Status Notification (Failure)]> 
Select default notification template:
1. System Generated
2. bounce_english
3. bounce_russian
[1]> 
Do you want to configure language specific templates? [N]> 
Do you want to parse the DSN "Status" field received from bounce
responses to include in the DSN generated by the appliance?
(Yes/No/Default) [N]> 
If a message is undeliverable after some interval, do you want to send a delay warning message? (Yes/No/Default) [N]> y
Enter the subject to use:
[Delivery Status Notification (Delay)]> 
Select default notification template:
1. System Generated
2. bounce_english
3. bounce_russian
[1]> 1
Do you want to configure language specific templates? [N]> 
Please enter the minimum interval in seconds between delay warning messages.
[14400]> 14400
Please enter the maximum number of delay warning messages to send per
recipient.
[1]> 1
Do you want hard bounce and delay warning messages sent to an alternate address, instead of the sender? [N]> y
Please enter the email address to send hard bounce and delay warning.
[]> bounce-mailbox@example.com
Do you want bounce messages to be signed (Yes/No/Default)?  [N]> 
Current bounce profiles:
1. Default
2. bounceprofile
Choose the operation you want to perform:
- NEW - Create a new profile.
- EDIT - Modify a profile.
- DELETE - Remove a profile.
[]>
mail3.example.com>

After a bounce profile has been configured, you can apply the profile for each listener using the listenerconfig -> bounceconfig command and then committing the changes.

Note	Bounce profiles can be applied based upon the listener that a message was received on. However, this listener has nothing to do with how the message is ultimately delivered.

In this example, the OutboundMail private listener is edited and the bounce profile named bouncepr1 is applied to it.

mail3.example.com> listenerconfig
Currently configured listeners:
1. InboundMail (on PublicNet, 192.168.2.1) SMTP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.1.1) SMTP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> edit
Enter the name or number of the listener you wish to edit.
[]> 2
Name: OutboundMail
Type: Private
Interface: PrivateNet (192.168.1.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 600 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Disabled
Bounce Profile: Default
Footer: None
LDAP: Off
Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
[]> bounceconfig
Please choose a bounce profile to apply:
1. Default
2. bouncepr1
3. New Profile
[1]> 2
Name: OutboundMail
Type: Private
Interface: PrivateNet (192.168.1.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 600 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Disabled
Bounce Profile: bouncepr1
Footer: None
LDAP: Off
Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
[]>
Currently configured listeners:
1. InboundMail (on PublicNet, 192.168.2.1) SMTP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.1.1) SMTP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Enabled the bouncepr1 profile to the Outbound mail listener
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

Bounce messages from the queue.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

Recipients to be bounced are identified by either the destination recipient host or the message sender identified by the specific address given in the Envelope From line of the message envelope. Alternately, all messages in the delivery queue can be bounced at once.

Configure settings for Bounce Verification. Use this command to configure keys and invalid bounced emails.

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

The following exampe shows key configuration and settings configured for invalid bounced emails.

mail3.example.com> bvconfig
Behavior on invalid bounces: reject
Key for tagging outgoing mail: key
Previously-used keys for verifying incoming mail:
        1. key (current outgoing key)
        2. goodneighbor (last in use Wed May 31 23:21:01 2006 GMT)
Choose the operation you want to perform:
- KEY - Assign a new key for tagging outgoing mail.
- PURGE - Purge keys no longer needed for verifying incoming mail.
- CLEAR - Clear all keys including current key.
- SETUP - Set how invalid bounces will be handled.
[]> key
Enter the key to tag outgoing mail with (when tagging is enabled in the Good
Neighbor Table)
[]> basic_key
Behavior on invalid bounces: reject
Key for tagging outgoing mail: basic_key
Previously-used keys for verifying incoming mail:
        1. basic_key (current outgoing key)
        2. key (last in use Wed May 31 23:22:49 2006 GMT)
        3. goodneighbor (last in use Wed May 31 23:21:01 2006 GMT)
Choose the operation you want to perform:
- KEY - Assign a new key for tagging outgoing mail.
- PURGE - Purge keys no longer needed for verifying incoming mail.
- CLEAR - Clear all keys including current key.
- SETUP - Set how invalid bounces will be handled.
[]> setup
How do you want bounce messages which are not addressed to a valid tagged
recipient to be handled?
1. Reject.
2. Add a custom header and deliver.
[1]> 1
Behavior on invalid bounces: reject
Key for tagging outgoing mail: basic_key
Previously-used keys for verifying incoming mail:
        1. basic_key (current outgoing key)
        2. key (last in use Wed May 31 23:22:49 2006 GMT)
        3. goodneighbor (last in use Wed May 31 23:21:01 2006 GMT)
Choose the operation you want to perform:
- KEY - Assign a new key for tagging outgoing mail.
- PURGE - Purge keys no longer needed for verifying incoming mail.
- CLEAR - Clear all keys including current key.
- SETUP - Set how invalid bounces will be handled.
[]>
mail3.example.com> commit
Please enter some comments describing your changes:
[]> Configuring a new key and setting reject for invalid email bounces
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

Delete messages from the queue

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

The appliance gives you various options to delete recipients depending upon the need. The following example show deleting recipients by recipient host, deleting by Envelope From Address, and deleting all recipients in the queue.

mail3.example.com> deleterecipients
Please select how you would like to delete messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 1
Are you sure you want to delete all messages in the queue? [N]> Y
Deleting messages, please wait.
1000 messages deleted.

Configure mail delivery

Commit: This command requires a ‘commit’.

Cluster Management: This command can be used in all three machine modes (cluster, group, machine).

Batch Command: This command does not support a batch format.

In the following example, the deliveryconfig command is used to set the default interface to “Auto” with “Possible Delivery” enabled. The system-wide maximum outbound message delivery is set to 9000 connections.

mail3.example.com> deliveryconfig
Choose the operation you want to perform:
- SETUP - Configure mail delivery.
[]> setup
Choose the default interface to deliver mail.
1. Auto
2. AnotherPublicNet (192.168.3.1/24: mail4.example.com)
3. Management (192.168.42.42/24: mail3.example.com)
4. PrivateNet (192.168.1.1/24: mail3.example.com)
5. PublicNet (192.168.2.1/24: mail3.example.com)
[1]> 1
Enable "Possible Delivery" (recommended)?  [Y]> y
Please enter the default system wide maximum outbound message delivery
concurrency
[10000]> 9000
mail3.example.com>

Reschedule messages for immediate delivery. Users have the option of selecting a single recipient host, or all messages currently scheduled for delivery.

Commit: This command does not require a ‘commit’.

Cluster Management: This command is restricted to machine mode.

Batch Command: This command does not support a batch format

mail3.example.com> delivernow
Please choose an option for scheduling immediate delivery.
1. By recipient domain
2. All messages
[1]> 1
Please enter the recipient domain to schedule for delivery.
[]>foo.com
Scheduling all messages to foo.com for delivery.

The following commands are available within the destconfig submenu:

The destconfig command requires the following information for each row in the Destination Controls table.

• Domain (recipient host)
• Maximum simultaneous connections to the domain
• Messages-per-connection limit
• Recipient limit
• System-wide or Virtual Gateway switch
• Enforce limits per domain
• Time period for recipient limit (in minutes)
• Bounce Verification
• Bounce profile to use for the domain

The following table shows entries in a destination control table.

The batch format of the destconfig command can be used to perform all the fuctions of the traditional CLI command.

• Creating a new destination control table

  destconfig new <profile> [options]

• Editing an existing destination control table

  destconfig edit <default|profile> [options]

• Deleting an existing destination control table

  destconfig delete <profile>

• Displaying a summary of all destination control entries

  destconfig list

• Displaying details for one destination or all entries

  destconfig detail <default|profile|all>

• Deleting all existing destination control table entries

  destconfig clear

• Import table from a file

  destconfig import <filename>

• Export table to a file

  destconfig export <filename>

For the edit and new batch commands, any or all of the following options may be provided by identifying the value with the variable name and an equals sign. Options not specified will not be modified (if using edit ) or will be set to default values (if using new ).

concurrency_limit=<int> - The maximum concurrency for a specific host.

concurrency_limit_type=<host|MXIP> - Maximum concurrency is per host or per MX IP.

concurrency_limit_apply=<system|VG> - Apply maximum concurrency is system wide or by Virtual Gateway(tm).