Jump to:navigation, search
Wiki

Mailfilter

From Securepoint Wiki





notempty
Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty
Der Artikel für die neueste Version steht hier

notempty
Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht






























































































ds on or does not end onIn the click box, elements can now be selected or entered again. }}





Mailfilter









Description of the Mailfilter

Last adaptation to the version: 12.5.2

New:
notempty
This article refers to a Beta version


Introduction

In order to determine whether an incoming email is spam, the POP3 proxy, mail relay and mail connector can pass incoming emails to the Mailfilter. The Mailfilter consists of the:

  • Cyren scan daemon,
  • the ClamAntivirus
    Only for systems that meet the requirements
    ,
  • the Securepoint content filter and
  • a URL filter.

If a web link is found within the email which matches the URL filter or which is recognized by the content filter, a freely editable replacement message appears instead of the content section of the email.
By using the Mail Connector, it is possible to check not only POP3 but also emails fetched with IMAP as well as the two encrypted variants through the Mailfilter.

The UTM mail archive stores mails that have been quarantined using the filter rule.
Emails forwarded and delivered by the UTM (HAM) are no longer found in the mail archive unless this option is explicitly activated.


Requirement

notempty
For the Mailfilter to receive mails, the POP3 proxy, the mail relay or the mail connector must be configured.


Filter rules

Filter rules

Overview

The filter rules are used to decide how to proceed with emails for which defined properties have been detected.

A distinction is made between the SMTP and POP3 protocols as well as the mail connector.
Via the Mail Connector, the UTM is able to read emails from a mail server using the POP3 and IMAP protocols and their encrypted variants POP3S and IMAPS. It also inspects them for spam and malware by using the Mailfilter.

Furthermore, a distinction is made between the protocols POP3 and SMTP.
If the mail relay is used, the protocol is SMTP. If the POP3 proxy is used, the POP3 protocol is selected.


Configuration

Configuration

With + Add rule a new filter rule is created.

A unique Rule name must be assigned.

The Conditions with and -Operator determines,

  • whether all conditions must be fulfilled ( and )
  • or whether it is sufficient if only one condition of the filter rule is fulfilled ( or ).



Criteria

Filtering according to the following conditions is possible:
If an email is received...

Condition Operator Value
and protocol is
is not		 SMTP
Mail-Connector
POP3
and source host is
is not
is in
is not in
matches regex
See Wiki article about Regex.

ends with
ends not with 		»any values
and destination host see source host
and sender see source host
and recipient see source host
and header field
additionally: Specification of the header field
 see source host
The header field »from« indicates a sending mail server (Received: from) - not the »Sender« field.
and is classified / is not classified as spam<
and is classified / is not classified as suspicious
further investigations are recommended / are not strictly necassary The spam filtering engine expects that the category of this email may change in the next 15 minutes.
and is classified / is not classified as bulk email
and has a virus / has no virus
and is captured by URL filter / is not captured by URL filter
and has been submitted / has not been submitted by an authenticated user
and with content that
MIME-Type oder
Filename
see source host
and DKIM result for domain
    Enter the domain
 exists and is
is nonexistent or is not 		»fail »pass »temperror

Prerequisite for the use is in the menu → Applications →MailrelayTab General activation of the option SPF/DKIM/DMARC checks: On
If elements of an email were signed by a domain DomainKeys Identified Mail, this verifies the signature and adds the result to the header of the email. The signature is verified with the public key from the DNS of the mail domain.
At this point the result that was added to the header is queried. Potential results:

»fail Signature invalid
»pass Signature valid
»temperror mostly: Error in DNS resolution; general: Error that may not occur at a later time.
and SPF result for domain
    Enter the domain
 exists and is
is nonexistent or is not		 »fail »neutral »pass »permerror »softfail »temperror

Prerequisite for the use is in the menu → Applications →MailrelayTab General activation of the option SPF/DKIM/DMARC checks: On
The sender of an email can enter in a txt record of his domain all computers (servers) authorized to send emails with host name and IP address. These entries are synchronized at smtp level with the entry Received: from from the mail header and the result is added to the mail header.

»fail Client-Host explizit nicht autorisiert
»neutral keine explizite Aussage getroffen
»pass Prüfung erfolgreich
»permerror Fehler (z.B. Syntax) in DNS Resource Records
»softfail nicht explizit unautorisiert, aber auch nicht autorisiert ("~"-qualifier im DNS RR)
»temperror meist: Fehler in der DNS-Auflösung; generell: Fehler, der zu einem späteren Zeitpunkt ggf. nicht mehr auftritt
and DMARC result/policy-to-enforce is pass
quarantine
reject

Prerequisite for the use is in the menu → Applications →MailrelayTab General activation of the option SPF/DKIM/DMARC checks: On
Neither SPF nor DKIM make any demands on a connection between the sending or signing domain and other characteristics of the email (e.g. header fields). This means that anyone who has control over DNS entries for any domain can carry out valid SMTP transactions ("pass") in the sense of SPF using the "MAIL FROM" command or create valid signatures for this domain in the sense of DKIM.

That is why DMARC (https://tools.ietf.org/html/rfc7489) can be used to establish this connection: A DMARC check is only successful if either SPF or DKIM checks are valid and the domain used matches the domain used in the "From" header field of the email (depending on the option, the same or a subdomain). In addition, a domain owner can define via DMARC which action (reject, quarantine) should be performed if the check is not successful.


The + button can by used to apply additional critaria for this filter.

notempty

Hint:
Further configuration hints can be found in our best practice article on Mail Security


Aktionen

The following options are available for Do action:

  • The check for the set of rules
    • Filter applicable content and
    • Mark email in subject with
    is not aborted but continued.
    Further filter rules can be applied to these emails.
  • In all other action cases, if the criteria apply, the check for the rule set is terminated after the action.
Action Description
Accept email Accepts the email. The test for the rule set is completed.
Reject email notempty
Important:
This option must not be used when using the POP3 proxy!
notempty
Important: When using the Mail-Connector, this function is strongly discouraged.
Neither the sender nor the recipient will be notified that the email has been rejected!
Quarantine email and filter again: Additional input of quarantine duration 30 in minutes
notempty
Important:
This option must not be used when using the POP3 proxy!
Quarantine email (and hold a predefined time (see Settings) for viewing)
notempty
Important:
This option must not be used when using the POP3 proxy!
Discard email notempty
Important:
This option must not be used when using the POP3 proxy!
filter email content A Replacement Message is displayed for the relevant section (plain text, html text, attachment, etc.).
Highlight email subject header with Text, which is added to the subject header to mark an email so that it can, for example, be relocated from the mail server to a corresponding folder.



Whitelist exception rule

Whitelist exception rule
Move filter rule


In a whitelist rule, the acceptance of a mail is defined under certain conditions. In order for a rule to work as a whitelist rule, the order must be defined so that this rule takes precedence over the general spam quarantine rule. By clicking and holding the left mouse button on the whitelist rule (pos. 7) in the "Pos." column, this rule is moved upwards above the general Spam_SMTP filter rule. Once the rule has reached the desired position, the mouse button is released and the whitelist rule is assigned a new position number according to its ranking.

notempty
Hint:
Further configuration hints can be found in our best practice article on Mail Security.


URL-Filter

URL-Filter

Text for emails that have been filtered because of the URLs they contain.












Add Rule
Add Rule
Type ‌ Domain  example.com Domain in plain text notation. All subdomains and subpages are filtered.
Filter rules
Type ‌ URL  *.example.com/pages/* Only the exact URL is filtered (wildcard * is possible).
Type ‌ URL Regex  .*\.example\.com URL in regex format, which allows numerous placeholders
Syntax of regular expressions - Regex
Type ‌ Category 
category
  • Content filter list maintained by Securepoint.
    An overview with all categories can be found here.
  • notempty
    New as of v12.5
     Category: Unknown
    This allows you to block access to all websites that have not yet been classified by Securepoint.
    • Reporting of accidentally wrongly categorised pages here.



    Settings

    In this section, you can create a spam report, modify the blocking messages, and define the criteria according to which the emails are stored in the UTM mail archive.

    Spam report

    Spam report



























    The spam report can inform email users at certain intervals about emails filtered, blocked or quarantined by the UTM. This report can be sent either on a specific day of the week or daily, at a specific time.

    Action Value Description Mailfilter UTMuser@firewall.name.fqdnApplications Mailfilter-Log Email digest
    Enable reports: None
    (Default)    		 No spam reports will be sent.
    Users Reports are sent to the users.
    Users and Admin Reports are sent to the users and an overview is sent to the administrator.
    Delivery Condition: Deliver always
    (Default)    		 In any case, a spam report will be sent.
    Not accepted A spam report will only be delivered if at least one email has been filtered, quarantined or rejected.
    Quarantined or filtered A spam report will only be delivered if at least one email has been quarantined or filtered.
    Alternative Hostname / IP:     If the web interface with the mail server is to be accessed via an external IP or another host name.
    Day: Monday This report can be sent either on a specific weekday or Every day .
    1. Report notempty
    updated

    20 : 00 Uhr    		 Specifies the time for sending the report.
    2. Report
    3.Report
    4. Report    		 Off With every day reports, a total of four reports can be sent at specified times.

    In order for the report to reach the e-mail user, it is necessary for the e-mail user to be in a group with the 'Spamreport permission.

    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.

    Gruppe hinzufügen UTMuser@firewall.name.fqdnAuthentifizierungBenutzer Add a group under Authentication Users The setting for this is made in the menu
    Authentication Users Groups + Add Group or Edit under Permissions:
    The following sections must be activated here:

    Email digest
    On activates the creation of the spam report
    Userinterface
    On The email address can be taken from a directory server such as ActiveDirectory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

    The email address can be taken from a directory server such as ActiveDirectory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

    In the Mailfilter section, further settings must be made, including the e-mail address to which reports are sent:





  • <This function may allow the downloading of viruses and should therefore only be allowed for experienced users!/li> }}
    • Caption Default Description
    Allow downloads of following attachments: None (Default) Members of this group can download attachments from mails in the user interface that meet certain criteria.
    Filtered but not quarantined
    Quarantined but not filtered
  • This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
  • This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    • Allow forwarding of following emails:
  • Die Berechtigung Mailfilter Administrator überschreibt diese Konfiguration mit dem Default Wert. notempty
    updated
    		•  None Members of this group can forward emails in the user interface that meet certain criteria
    Filtered but not quarantined
    Quarantined but not filtered (Default)
  • This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    • Quarantined and/or filtered
  • This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    • Report email address:     Email address to which a spam report is sent.
    If no entry is made here, the spam report is sent to the first email address in the list.
    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address..

    Report language: Default Default under Network Server settings
    Firewall
    language of reports
    It can be specifically selected: German or English
    Email address
    Email address Adding a mail address to the list
    support@ttt-point.de Email accounts that can be viewed by members of this group to control the mail filter.
    Delete with

    Spam report to the user.




    Replacement messages

     Replacement messages 
    Replacement messages

    Here you define texts to be displayed instead of the blocked email section (plain text, formatted text or attachment). The text can be modified with the editing tool .


    Type Default message Description
    Content-Blocking
    The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    		 Text for emails that have been blocked because of their content or attachment'.
    URL-Filter
    The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    		 Text for emails that have been filtered because of the URLs they contain.
    Virus-Blocking
    The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    		 Text for emails that have been blocked due to "'virus detection"'.



    Mail archive

    Mail archive
    Mail archive settings

    Guidelines on how emails are stored in the quarantine archive of the UTM.


    Criterion / Action Default Description
    Maximum number of emails: 1024 Specifies how many mails are held locally on the UTM.
    Maximum email age: 7 Days Defines the time of reproaching.
    Maximum archive size: 128 megabytes. Determines the amount of storage space available for mails. When the limit is reached, the oldest mails are deleted.
    Save all email transactions: Off When activated, the meta information' on unobjectionable mails is saved in addition to the complete filtered and rejected mails.
    Deliver again as attachment: Off Emails in quarantine can now alternatively be sent as attachment in a new email.
    Activate TNEF decoding:
    		 On Default When activated, Emails whose formatted body elements or attachments have been encoded by Microsoft Outlook in the proprietary TNEF format can be captured by the Mailfilter.
    Default Einstellung ab v12.5.2 auch für bestehende Installationen geändert auf Ein



    Conclusion

    Finish the configuration with Save and Close

    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Mailfilter_v12.5.2&oldid=88603"