Solution ID: 1035429
Last Updated: 2013/04/01 4:45 AM (PST)
Product/Version: InterScan Messaging Security Suite - 7.1 Windows
Platform: Windows - 2000 Advanced Server, 2000 Server, 2003 Enterprise Server, 2003 Standard Server Edition, 2008 Enterprise Server, 2008 Enterprise Server Edition 64-bit, 2008 Standard Server Edition, 2008 Standard Server Edition 64-bit
Problem Description

Create a new self-signed OpenSSL certificate via the Administration Console. By default, the InterScan Messaging Security (IMSS) SMTP Service already has a certificate installed and is ready for inbound Transport Layer Security (TLS) connections.

Solution

Generating a certificate

The SMTP Service requires both the IMSS Server Private Key and Certificate (Public Key) to be stored in unencrypted form, in a single PEM-format file.

To generate a certificate:

1. Run the following command:

    openssl.exe req -new -x509 -days <days> -nodes -config <openssl_config_file> -out <cert_name.pem> -keyout <cert_name.pem>

   Where:

   req
       Creates and processes certificate requests in PKCS#10 format
   -new
       Prompts for user information specified in the OpenSSL configuration file, such as: Country, State, Organization and Common Name
   -x509
       Creates a self-signed certificate rather than a certificate request
   -days <days>
       Number of days that the certificate will be valid
   -nodes
       The Private Key is generated in unencrypted form, which avoids prompting for a pass phrase every time the certificate is used
   -config <openssl_config_file>
       Path and file name of the OpenSSL configuration file (usually openssl.cnf)
   -out / -keyout <cert_name.pem>
       Path and file name of the certificate to be generated (both -out and -keyout arguments should point to the same file)

   Below is a sample screen output of the certificate generation process using OpenSSL:

    E:\Program Files\Trend Micro\IMSS\ui\apache\bin>openssl.exe req -new -x509 -days 1460 -nodes -config openssl.cnf -out tsmtpd.pem -keyout tsmtpd.pem
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .................++++++
    ...................++++++
    writing new private key to 'tsmtpd.pem'
    Enter the information that would be incorporated into your certificate request.
    Enter a Distinguished Name or DN.
    There are some fields that you can leave blank, while others would have a default value.
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [PH]:
    Locality Name (eg, city) []:Manila
    Organization Name (eg, Company) []:Trend Micro
    Organizational Unit Name (eg, Department, Division) []:Global Training
    Common Name (eg, hostname or YOUR name) []:server01.tmcourse.net
    Email Address []:jm@support.trendmicro.com
    E:\Program Files\Trend Micro\IMSS\ui\apache\bin>

2. Run the following command to change the certificate format to PFX, which is an acceptable format for version 7.1:

    openssl pkcs12 -export -out text.pfx -in <cert_name.pem>

   Where "<cert_name.pem>" is the .PEM file generated above.

For more information about OpenSSL and key/certificate generation, refer to the following topic: OpenSSL: Documents, req(1).

IMSS has the following restrictions:

- Only unencrypted OpenSSL-generated certificates are supported
- Both Private and Public keys must be stored in the same PEM-format file

The \bin\pemverify.exe tool can be used to verify if a certificate meets the requirements.

The generated certificate can then be uploaded in the SMTP Routing > Connections section of the Administration Console. The uploaded certificate is stored in tb_mta_config/[Common]/SSLCertData and can be exported to a file using the same section of the Administration Console.

Configuring the SMTP Service

Incoming TLS Settings

The default configuration of the IMSS SMTP Service does not require TLS for inbound connections to its SMTP port (default is port 25), but offers this option (STARTTLS) in response to the EHLO command from the SMTP client:

    220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
    ehlo tmcourse.net
    250-tmcourse.net
    250-SIZE 16777216
    250-8BITMIME
    250 STARTTLS

The configuration can be modified to either force all inbound connections to use TLS or selectively force hosts to use TLS based on the IP address or Domain Name of the connecting hosts (SMTP clients).

When the SMTP Service is configured to force SMTP clients to use TLS and an SMTP client tries to send messages to the SMTP Service without first establishing TLS, the SMTP Service returns an error. Below is an example of such a transaction:

    220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
    ehlo tmcourse.net
    250-tmcourse.net
    250-SIZE 16777216
    250-8BITMIME
    250 STARTTLS
    mail from: <>
    530 Must issue a STARTTLS command first

Outgoing TLS Settings

The IMSS SMTP Service can be configured to try to establish TLS communication for all outgoing messages. Use the Administration Console to set this up. If this is configured and the downstream SMTP server supports TLS, TLS communication is established. Otherwise, unencrypted SMTP communication is used.

This global outgoing TLS setting can be overridden by the individual Domain-based Relay Host and Default Delivery Relay Host settings discussed in section 4.4.1 on p.87 and section 4.4.2 on p.88 respectively.

Note: The SMTP Service does not verify the authenticity of the Certificate it receives from the downstream MTA, nor does it check if the Common Name in the Certificate matches the FQDN of the downstream MTA.

Windows 2008 is only supported in IMSS 7.1 for Windows. You can refer to the IMSS 7.1 for Windows Readme for more information.
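The two certificate restrictions listed under "Generating a certificate" can be checked on a PEM file before it is uploaded. The Python sketch below is an added example, not Trend Micro code and not a description of what pemverify.exe does; the function name check_imss_pem and the sample files are assumptions, and the sample bodies are constructed placeholders rather than real keys.

```python
import re

# One PEM block: captures the label and everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def check_imss_pem(text):
    """Return a list of problems; empty means the file holds a certificate
    and an unencrypted private key, as the restrictions above require."""
    certs, keys = [], []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs.append(body)
        elif label.endswith("PRIVATE KEY"):
            keys.append((label, body))
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no PRIVATE KEY block")
    for label, body in keys:
        # PKCS#8 encrypted keys use their own label; traditional OpenSSL
        # encrypted keys keep the plain label and add a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is pass-phrase protected")
    return problems

def _block(label, headers=""):
    # Constructed placeholder body (base64 of "CONSTRUCTED"), not key material.
    return (f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n"
            f"-----END {label}-----\n")

# Constructed sample files covering the cases the restrictions distinguish.
GOOD = _block("RSA PRIVATE KEY") + _block("CERTIFICATE")
LEGACY_ENCRYPTED = _block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000\n\n",
) + _block("CERTIFICATE")
PKCS8_ENCRYPTED = _block("ENCRYPTED PRIVATE KEY") + _block("CERTIFICATE")
CERT_ONLY = _block("CERTIFICATE")

if __name__ == "__main__":
    for name in ("GOOD", "LEGACY_ENCRYPTED", "PKCS8_ENCRYPTED", "CERT_ONLY"):
        print(name, check_imss_pem(globals()[name]) or "ok")
```

The check is structural only: it does not confirm that the key and the certificate belong together, and it does not look at the key length.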
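The two inbound sessions shown under "Incoming TLS Settings" differ only in the 530 reply, which is what tells an auditor whether TLS is merely offered or actually enforced. The Python sketch below is an added example, not part of the original article; classify_inbound_tls is a hypothetical name, and the third session is constructed.

```python
import re

# An SMTP reply line: three-digit code, "-" (more lines follow) or " ", text.
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def classify_inbound_tls(transcript):
    """Return 'tls-required', 'tls-offered' or 'no-tls' for a plaintext
    SMTP session, judged only from the server replies it contains."""
    offered = required = False
    last_command = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = REPLY.match(line)
        if reply is None:
            # Not a reply, so it is a client command such as "ehlo" or "mail".
            last_command = line.split()[0].upper()
            continue
        code, _, text = reply.groups()
        keyword = text.upper().split()[:1]
        if code == "250" and last_command == "EHLO" and keyword == ["STARTTLS"]:
            offered = True       # extension advertised in the EHLO response
        if code == "530" and "STARTTLS" in text.upper():
            required = True      # command refused until TLS is negotiated
    if required:
        return "tls-required"
    return "tls-offered" if offered else "no-tls"

# The two sessions quoted in the article.
OFFERED = """220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
ehlo tmcourse.net
250-tmcourse.net
250-SIZE 16777216
250-8BITMIME
250 STARTTLS
"""
ENFORCED = OFFERED + "mail from: <>\n530 Must issue a STARTTLS command first\n"

# Constructed session from a server that does not advertise STARTTLS.
PLAIN = ("220 mx.example.test ready\nehlo client.example.test\n"
         "250-mx.example.test\n250 8BITMIME\n")

if __name__ == "__main__":
    for name in ("OFFERED", "ENFORCED", "PLAIN"):
        print(name, classify_inbound_tls(globals()[name]))
```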