Jump to:navigation, search
Wiki

Mailfilter

From Securepoint Wiki




























In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden



















































































































Description of the Mailfilter

Last adaptation to the version: 14.1.1(11.2025)

New:
  • Es gibt zwei neue Filterkriterien:
    • und enthält von der Ähnlichkeitserkennung verdächtigte Domains
    • und enthält keine von der Ähnlichkeitserkennung verdächtigte Domains
notempty
This article refers to a Beta version

14.0.0 12.7.1 12.6.2 12.6.1 12.5.2 12.2.2 11.8.8 11.8.6 11.8 11.7

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Applications Mailfilter

Introduction

In order to determine whether an incoming email is spam, the POP3 proxy, mail relay and mail connector can pass incoming emails to the Mailfilter. The Mailfilter consists of the:

  • Cyren scan daemon,
  • the ClamAntivirus
    Only for systems that meet the requirements
    ,
  • the Securepoint content filter and
  • a URL filter.

If a web link is found within the email which matches the URL filter or which is recognized by the content filter, a freely editable replacement message appears instead of the content section of the email.
By using the Mail Connector, it is possible to check not only POP3 but also emails fetched with IMAP as well as the two encrypted variants through the Mailfilter. The UTM mail archive stores mails that have been quarantined using the filter rule.
Emails forwarded and delivered by the UTM (HAM) are no longer found in the mail archive unless this option is explicitly activated.

Requirement

notempty
For the Mailfilter to receive mails, the POP3 proxy, the mail relay or the mail connector must be configured.

Filter rules

Overview
The filter rules are used to decide how to proceed with emails for which defined properties have been detected. A distinction is made between the SMTP and POP3 protocols as well as the mail connector.
Via the Mail Connector, the UTM is able to read emails from a mail server using the POP3 and IMAP protocols and their encrypted variants POP3S and IMAPS. It also inspects them for spam and malware by using the Mailfilter.
Furthermore, a distinction is made between the protocols POP3 and SMTP.
If the mail relay is used, the protocol is SMTP. If the POP3 proxy is used, the POP3 protocol is selected. 		Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log Mailfilter

Add filter rule

With + Add rule a new filter rule is created.
A unique Rule name must be assigned.
The Conditions with and -Operator determines,
  • whether all conditions must be fulfilled ( and )
  • or whether it is sufficient if only one condition of the filter rule is fulfilled ( or ).
Criteria
Filtering according to the criteria listed below is possible. Several conditions can be combined using the button at the bottom right.
Criteria Category Criteria and their configuration options
Protocol
 Protocol 
When an e-mail is received

and protocol

is / is not

SMTP / Mail-Connector / POP3

Adresswerte
 Adresswerte 
When an e-mail is received
and source host and destination host and sender
  • Sender refers to the "Envelope Sender" in the SMTP communication and not to the mail header From.
  • If, for example, a allowlist entry is to refer to "From" in the header, "and header field" / "From" must be used.
    •  and recipient and header field
  • The header field »from« indicates a sending mail server (Received: from) - not the »Sender« field.
    •

    is / is not / is in / is not in /
    matches regex / ends with / ends not with

    »any values

    Automatische Erkennung
     Automatische Erkennung 
    When an e-mail is received
    and is classified / is not classified as spam and is classified / is not classified as suspicious further investigations are recommended / are not strictly necassary
    The spam filtering engine expects that the category of this email may change in the next 15 minutes.

    and is classified / is not classified as bulk email and has a virus / has no virus and is captured by URL filter / is not captured by URL filter and contains links / does not contain links, which text and destination differ notempty
    Revised recognition and marking
    Used to detect fake URLs. Normal text that is not structured like a URL is not taken into account.
    and has been submitted / has not been submitted by an authenticated user
    Inhalt
     Inhalt 
    When an e-mail is received

    and with content that

    MIME-Type / Dateiname

    is / is not / is in / is not in /
    matches regex / ends with / ends not with

    »any values

    Domains Result Filter
     Domains Result Filter 
    When an e-mail is received

    and DKIM result for domainand SPF result for domain

    »any domain

    exists and is / is nonexistent or is not

    »fail »pass »temperror
    Only SPF:
    »neutral »permerror »softfail

    Prerequisite for the use is in the menu Applications Mailrelay  Area General activation of the option SPF/DKIM/DMARC checks: On

    If elements of an email were signed by a domain DomainKeys Identified Mail, this verifies the signature and adds the result to the header of the email. The signature is verified with the public key from the DNS of the mail domain.
    At this point the result that was added to the header is queried. Potential results:

    »fail Signature invalid
    »pass Signature valid
    »temperror mostly: Error in DNS resolution; generally: Error that may no longer occur at a later point in time

    The sender of an email can enter in a txt record of his domain all computers (servers) authorized to send emails with host name and IP address. These entries are synchronized at smtp level with the entry Received: from from the mail header and the result is added to the mail header.

    »fail Client host explicitly not authorized
    »neutral No explicit statement made
    »pass Let e-mail through
    »permerror Errors (e.g. syntax) in DNS resource records
    »softfail not explicitly unauthorized, but also not authorized (“~” qualifier in DNS RR)
    »temperror mostly: Error in DNS resolution; generally: Error that may no longer occur at a later point in time
    DMARC result/policy recommendation
     DMARC result/policy recommendation 
    When an e-mail is received

    and DMARC result/policy-to-enforce is

    pass / quarantine / reject
    Criteria for ‘'pass’': obsolete keys with e.g. rsa-sha1 or rsa-sha256 with ‘’'less'‘’ than 1024 bit key length are not accepted
  • Should only be used in conjunction with a specific domain from which correct dkim signatures are expected.
    • Tags
     Tags 
    When an e-mail is received

    and resembles an email with the tagand does not resemble an email with the tag

    Tag
    Either an existing tag is selected.
    Or a new one is added using the button.

    Ähnlichkeitserkennung
     Ähnlichkeitserkennung 
    notempty
    New as of v14.1.1 Experimentell

    When an e-mail is received

    und enthält von der Ähnlichkeitserkennung verdächtigte Domains und enthält keine von der Ähnlichkeitserkennung verdächtigte Domains

  • Diese Feature ist experimentell und sollte daher nur mit Bedacht verwendet werden!
  • Further configuration hints can be found in our best practice article on Mail Security.
    • Actions
    The following options are available for Do action:
  • The check for the set of rules
    • Filter applicable content and
    • Mark email in subject with
    is not aborted but continued.
    Further filter rules can be applied to these emails.
  • In all other action cases, if the criteria apply, the check for the rule set is terminated after the action.
    • Action Description
    Accept email Accepts the email. The test for the rule set is completed.
    Reject email The sender receives a notification that their email has been rejected.
  • This option must not be used when using the POP3 proxy!

    • notempty
    When using the Mail-Connector, this function is strongly discouraged.
    Neither the sender nor the recipient will be notified that the email has been rejected!
    Quarantine email and filter again: Additional input of quarantine duration in minutes. Example: 30 minutes
  • This option must not be used when using the POP3 proxy!
    • Quarantine email (and hold a predefined time (see Settings) for viewing)
  • This option must not be used when using the POP3 proxy!
    • Discard email The email is disposed off without the sender being notified.
  • This option must not be used when using the POP3 proxy!
    • Filter applicable content or mark deviating link notempty
    Revised recognition and marking
    		 Marks all links in an e-mail with ℹ️. Text that looks like a link but refers to another address is marked with ⛔.
    • Link text and display text the same (with and without protocol) (Link text: https://securepoint.de, Display text: ( https:// ) securepoint.de) → ℹ️
    • Link text with non-link-like display text (Link text: https://securepoint.de, Display text: Besuch uns auf unserer Webseite) → ℹ️
    • Link text with link-like, different display text (with and without protocol) (Link text: https://securepoint.de, Display text: ( https:// ) github.com) → ⛔
    • Mailto link (Link text: mailto: HomerS@ttt-point.de, Display text: HomerS@ttt-point.de) → ℹ️ (all links with mailto: as protocol receive an info icon)
    • No link text with a link-like display text without protocol (Link text: @, Display text: @securepoint.de) -> no marking
    • Images with embedded link (<a href="https://securepoint.de><img src="https://link.to.image.de/image.png></a>) → ℹ️
    • Images without embedded link (<img src="https://link.to.image.de/image.png>) → no marking
    • HTML-Buttons → ℹ️
    Highlight email subject header with Text, which is added to the subject header to mark an email so that it can, for example, be relocated from the mail server to a corresponding folder.
    Behavior for action Mark email in subject with
    The behavior of a mail filter rule with the action Highlight email subject header with depends on whether the email is in quarantine or not.
    • Email is not in quarantine: If an email is sent or received for which this mail filter rule applies, the set marker is placed in the email subject.
    • Email is in quarantine: If an email is placed in quarantine or an email in quarantine is resent where this mail filter rule applies, the subject not is changed.
      Reason: The information from the original email is saved in the mail archive. Therefore, the subject cannot be changed.

    Allowlist exception rule

    In a allowlist rule, the acceptance of a mail is defined under certain conditions. In order for a rule to work as a allowlist rule, the order must be defined so that this rule takes precedence over the general spam quarantine rule. By clicking and holding the left mouse button on the allowlist rule (pos. 7) in the "Pos." column, this rule is moved upwards above the general Spam_SMTP filter rule. Once the rule has reached the desired position, the mouse button is released and the allowlist rule is assigned a new position number according to its ranking. Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log Move filter rule
  • Further configuration hints can be found in our best practice article on Mail Security.

    • Tags

    Sets of emails can be selected with the help of tags. A pattern is created based on these sets and each new incoming email is checked for similarities using this pattern. Certain actions can then be carried out using corresponding mail filter rules Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log The overview of existing tags
    In order for emails to be tagged, they must be saved in the mail archive. It is therefore advisable to activate the option Save all email transactions under Applications Mail filter  Area Settings in
    Mail archive
     Yes.
    The following is displayed in the tag overview:
    • Name: The name of the tag
    • Description: The description of the tag, if available
    • Used in mail filter rules: Displays the mail filter rules in which this tag is used

    Opens the dialog for editing the tag
    Deletes the tag

    A new tag is added with the Add tag button.
    Caption Value Description Add tag UTMuser@firewall.name.fqdnApplicationsMailfilter Window for adding a tag
    Name:     Choose a suitable name for the tag
    Description:     Optional Enter a description for the function of this tag
    Use the Save and close button to save the tag and close the window.

    Fill in tags

    A filter rule must be configured in order to apply a created tag.
    • In Filter rules, create a new filter rule using the Add rule button, or edit the filter rule for an existing filter rule using the button
    • Configure the filter rule
    • Under When an email arrives and resembles an email with the tag, or and does not resemble an email with the tag
    • Select the created tag

    After saving the filter rule, this tag can be used in the user interface. This wiki article describes further details.

    User permission

    In order for a user to be able to tag emails, this user requires the corresponding group authorization.
    Under Authentication User , the corresponding group is selected via Edit under Groups.
    The following authorizations must be active in the Authorizations section:
    • On Userinterface
    • On Mailfilter Administrator
    • On Mailtag Administrator
    		 Edit group UTMuser@firewall.name.fqdnAuthenticationUser The required active authorizations

    CLI

    The following CLI commands are available for tags:
    • Add email to tag mail filterng tag add mail <name> tag <name>
      • If the tag does not exist, a new one is created
    • Create tag name with description mail filterng tag set description <text> tag <name>
    • Set description mail filterng tag set description <text> tag <name>
    • Information about existing tags mail filterng tag get
    • Return list of archived emails with associated tag mail archive get
    • Delete entire day mail filterng tag purge tag <name>
    • Remove email from tag mail filterng tag remove mail <name> tag <name>

    URL-Filter











    Text for emails that have been filtered because of the URLs they contain. Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log URL filter with some filters
    Add Rule
    Add Rule
    Type Domain anyideas.com Domain in plain text notation. All subdomains and subpages are filtered. Add Rule UTMuser@firewall.name.fqdnApplications Filter rules
    Type URL *.anyideas.com/pages/* Only the exact URL is filtered (wildcard * is possible).
    Type URL Regex .*\.anyideas\.com URL in regex format, which allows numerous placeholders
    Syntax of regular expressions - Regex
    Type Category Unknown
    • Content filter list maintained by Securepoint.
      An overview with all categories can be found here.
  • Category: Unknown
    This allows you to block access to all websites that have not yet been classified by Securepoint.
    • Reporting of accidentally wrongly categorised pages here.

    Settings

    In this section, you can create a spam report, modify the blocking messages, and define the criteria according to which the emails are stored in the UTM mail archive.

    General

    notempty
    Neu ab v14.0: Aktivierung direkt im Mailfilter
    Caption Value Description Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log Activation of the mail filter under Applications Mailfilter  Area Settings Section General
    Mail filter for Mailrelay / Mail-Connector: Off Activates the mail filter for Mailrelay and Mail-Connector
    Mailfilter for POP3-Proxy Off Activates the mail filter for POP3 proxy

    Spam report



























    The spam report can inform email users at certain intervals about emails filtered, blocked or quarantined by the UTM. This report can be sent either on a specific day of the week or daily, at a specific time.

    Action Value Description Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log Email digest
    Enable reports: None
    (Default)    		 No spam reports will be sent.
    Users Reports are sent to the users.
    Users and Admin Reports are sent to the users and an overview is sent to the administrator.
    Delivery Condition: Deliver always
    (Default)    		 In any case, a spam report will be sent.
    Not accepted A spam report will only be delivered if at least one email has been filtered, quarantined or rejected.
    Quarantined or filtered A spam report will only be delivered if at least one email has been quarantined or filtered.
    Alternative Hostname / IP:     If the web interface with the mail server is to be accessed via an external IP or another host name.
    Day: Monday This report can be sent either on a specific weekday or Every day .
    1. Report notempty
    updated

    20 : 00 Uhr    		 Specifies the time for sending the report.
    2. Report
    3.Report
    4. Report    		 Off With every day reports, a total of four reports can be sent at specified times.

    In order for the report to reach the e-mail user, it is necessary for the e-mail user to be in a group with the 'Spamreport permission.

    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.

    Gruppe hinzufügen UTMuser@firewall.name.fqdnAuthentifizierungBenutzer Add a group under Authentication Users The setting for this is made in the menu
    Authentication Users Groups + Add Group or Edit under Permissions:
    The following sections must be activated here:

    Email digest
    On activates the creation of the spam report
    Userinterface
    On The email address can be taken from a directory server such as ActiveDirectory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

    The email address can be taken from a directory server such as ActiveDirectory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

    In the Mailfilter section, further settings must be made, including the e-mail address to which reports are sent:





  • <This function may allow the downloading of viruses and should therefore only be allowed for experienced users!/li> }}
    • Caption Default Description
    Allow downloads of following attachments: None (Default) Members of this group can download attachments from mails in the user interface that meet certain criteria.
    Filtered but not quarantined
    Quarantined but not filtered
  • This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
  • This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Allow forwarding of following emails:
  • Die Berechtigung Mailfilter Administrator überschreibt diese Konfiguration mit dem Default Wert. notempty
    updated
    		•  None Members of this group can forward emails in the user interface that meet certain criteria
    Filtered but not quarantined
    Quarantined but not filtered (Default)
  • This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
  • This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    • Report email address:     Email address to which a spam report is sent.
    If no entry is made here, the spam report is sent to the first email address in the list.
    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address..

    Report language: Default Default under Network Server settings
    Firewall
    language of reports
    It can be specifically selected: German or English
    Email address
    Email address Adding a mail address to the list
    support@ttt-point.de Email accounts that can be viewed by members of this group to control the mail filter.
    Delete with

    Spam report to the user.



    Replacement messages

    Replacement messages


    Here you define texts to be displayed instead of the blocked email section (plain text, formatted text or attachment). The text can be modified with the editing tool . Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log Replacement messages
    Type Default message Description
    Content-Blocking
    The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    		 Text for emails that have been blocked because of their content or attachment'.
    URL-Filter
    The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    		 Text for emails that have been filtered because of the URLs they contain.
    Virus-Blocking
    The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    		 Text for emails that have been blocked due to "'virus detection"'.

    Mail archive

    Guidelines on how emails are stored in the quarantine archive of the UTM.
    Criterion / Action Default Description
    Mail archive settings under Applications Mail filter  Area Settings section
    Mail Archive
    Maximum number of emails: 1024 Specifies how many mails are held locally on the UTM.
    Maximum email age: 7 Days Defines the time of reproaching.
    Maximum archive size: 128 Megabytes Determines the amount of storage space available for mails. When the limit is reached, the oldest mails are deleted.
    Save all email transactions: Off When activated, the meta information' on unobjectionable mails is saved in addition to the complete filtered and rejected mails.
    Deliver again as attachment: Off Emails in quarantine can alternatively be sent as attachment in a new email.
    TNEF handling:notempty
    New as of 12.6.2
    Formerly Activate TNEF decoding    		 Do not decode Emails whose formatted body elements or attachments have been encoded by Microsoft Outlook in the proprietary TNEF format (.dat attachments) are not decoded and are therefore not scanned by the mail filter.
    Decode and replace TNEF format content, is decoded and replaced to ward off malware.
    Decoding TNEF format content is decoded in order to examine it, but is not generally replaced. It will of course still be removed if it has been classified as inadmissible.

    Conclusion

    Finish the configuration with Save.

    Mail-Header

    The following values can be set under the X-Securepoint header field by the mail filter:

    • X-Securepoint: Virusscan Failure
    • X-Securepoint: Spamcheck Failure
    • X-Securepoint: Virus found (virus_name)
    • X-Securepoint: Content Changed
    • X-Securepoint: Spam
    • X-Securepoint: Probably Spam
    • X-Securepoint: UrlFilterSpam
    • X-Securepoint: Bulk
    • X-Securepoint: FHASH notempty
      neu
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Mailfilter&oldid=99370"