MailMarshal comes from Marshal Software, a software company based in New Zealand, and is designed to provide content security for email systems. It scans all emails to enforce your company's policy on email content. It is not designed to be an email server, but acts as an email gateway in conjunction with any SMTP-compatible email server. MailMarshal, however, also supports POP3 and IMAP mail protocols, and can act as a POP3 mail server. The MailMarshal software acts as an email gateway between email servers, whether those email servers are within your company or outside on the Internet.

The software must be installed on a PC running Windows NT 4.0 or 2000 server. Where an existing email server is running on Windows NT4/2000 server, MailMarshal can run on the same machine. Minimum system requirements are a 166MHz Pentium processor, 64Mb RAM and a 1Gb hard disk. The management interface may be run locally or remotely and enables you to set up your own email content policies. These policies can be different for different users based on username, department, domain, etc.

MailMarshal may be configured, using a scripting language, to scan for keywords and phrases in quite complicated ways. This can be used to protect against confidential information being emailed to the wrong people, against legal liabilities that might arise from offensive, racist, or sexual messages, and against spam and chain letters. Attachments may be blocked by file type, and MailMarshal can look inside archive files such as ZIP files. Blocked messages and attachments are placed in a quarantine area to be examined by the administrator. Where an attachment is blocked, the message stub can still be transmitted so that the recipient knows of the existence of the message and why it has been blocked.

The product is highly configurable, and can be scripted with complex rules to search for hoax and other suspicious email text. Rules can contain exceptions - for example, you can say, "block all emails containing the word 'sex' except when addressed to dr.jekyll@companymedicaladviser.com". The Text Censor is very flexible because of the availability of operators such as 'NEAR=', 'INSTANCES=' and 'FOLLOWEDBY='. It's not difficult to imagine how these could be used to stop chain letters and virus hoax emails, for example. Action taken can involve blocking and quarantining a message, rejecting it (thus conserving bandwidth), or copying it to the system administrator while allowing it through.

MailMarshal can also enforce encryption based on complicated rules, which can depend on things such as sender and recipient, and can use PKI-based encryption. For example, it could enforce encryption on all messages between the finance department and personnel. It can also block encrypted messages that cannot be decrypted by MailMarshal for content examination.

You can also enforce message stamping with signature text and legal disclaimers. Outgoing messages above a user-configurable size may be blocked or parked, which means that they are delayed and transmitted outside normal working hours, for example, to conserve bandwidth. This size limit may also be applied to bulk mailings where each individual message is small but, because of the number of recipients, a large amount of bandwidth would be consumed.

MailMarshal detects viruses by integrating with other vendors' anti-virus products, and presently includes Sophos Anti-Virus, Norman Virus Control, VET Anti-Virus, Dr Solomon's Anti-Virus, McAfee, Norton AV 2000/2001 and Kaspersky AVP. You can even run multiple virus scanners from different vendors if you're particularly paranoid.

There are specific features to prevent your email system being hijacked to carry out a denial-of-service (DoS) attack, and the anti-relaying feature prevents an external domain from hiding its identity from the final destination by relaying through your mail server. This is achieved by entering a list of hosts or networks that can or can't relay. Usually, you would allow only those networks internal to your own organization to relay messages to external recipients.

Spam and other nuisance email may be blocked by preparing a list of hosts that you wish to block or using the mail abuse prevention system's real-time blackhole list (MAPS RBL), which is an online up-to-date list of known spammers.

There is a powerful reporting tool that enables the administrator to examine activity based on user, domain, or bandwidth demand. These reports are detailed enough to be used for billed purposes. Microsoft Access is required for reporting, but need be installed only on the management workstation from which reporting is to be carried out.

Optionally, at extra cost, there is support for PKI encryption and decryption, together with signing email at the gateway. This uses S/MIME, which is the industry-standard way of ensuring email privacy, and provides digital signatures. The digital signature provides proof that the message came from the company's MailMarshal server, but is not proof that it came from an individual user, because that user's email address could have been hijacked by another employee. If you have properly enabled the anti-relay feature, however, that message must have originated from within your company. The MailMarshal server provides a Certificate Manager to maintain the PKI certificates needed for encryption and digital signatures. Certificates may be imported and swapped with other sites and commercial certificate authorities (CAs).

It's hard to think of anything that MailMarshal cannot do to enforce email security policies. In this review we have been able to cover only the major features and give a few examples, but the capabilities of MailMarshal are limited by your imagination only. The only thing that it can't do is police internal email traffic within a single email server, although Marshal Software will be introducing another product that fills that gap for Microsoft Exchange only. It's such a good product that the only criticism is that it's not available for the UNIX and Linux platforms.
 

SC On-Line
SC Magazine
www.scmagazine.com