Best practice on mail security

Last adaptation: 04.2024

New:
  • Updated to the redesign of the web interface

This article refers to a Reseller Preview
Access: Applications Mailrelay

The article describes a best practice for mail security.
These are our recommended settings.
All information provided without guarantee!


Requirements

These recommendations relate to the following scenario:

  • Receiving emails via the mail relay
  • Delivery takes place directly via MX
  • Filtering takes place directly on MX input
  • Defining a global e-mail address

Mailrelay

Under Applications Mailrelay, set the configuration to accept only emails to the recipient's address.


General

Caption | Value | Description
Mailfilter: | On | The mail filter function must be activated
SPF/DKIM/DMARC audits: | On | Adds an RFC 8601 Authentication-Results header to the mail and allows filtering for corresponding SPF/DKIM/DMARC results in a Mailfilter rule (see below).


Relaying

Relaying list

With Add Domain / Host the relaying list can be supplemented. The following configurations are useful here:

Caption | Value | Description

Emails addressed to the anyideas.de domain should be forwarded by the mail relay:
Domain: | anyideas.de | Example domain for receiving emails
Option: | To | Emails addressed to this domain
Action: | RELAY | Relay

If outbound emails are to be sent via the mail relay of the UTM, another entry is required:
Domain: | 192.168.175.100 | IP address of the internal mail server
Option: | Connect | While making a connection. With this option, the mail relay forwards all emails coming from this host regardless of the recipient (open relay). This option should therefore be used with the utmost care, e.g. only for internal mail servers!
Action: | RELAY | Relay

Entry for a mail server that is to be blocklisted:
Domain: | 203.0.113.113 | IP address of the foreign mail server
Option: | Connect | While making a connection
Action: | REJECT | Refuse

Options
Use exact domain name for relaying: | On | This option will not accept emails to recipients within a subdomain.

TLS settings
TLS encryption as a server: | On | TLS encryption for the mail relay must be enabled, otherwise emails will be received over unencrypted connections. See also the notes of the German BSI on using TLS (in German).
Certificate: | default | Importing a certificate whose CN corresponds to the host name of the UTM is optional. If such a certificate is not imported, the mail relay uses a self-signed certificate for the purpose of transport encryption.
TLS encryption as a client: | encrypt | Ensures that emails are always sent via an encrypted connection. If no TLS is offered, the connection will fail.

    SMTP routes

    The mail server should reject emails to addresses without a mailbox during the SMTP dialog.

    Options

    Validation of recipients for valid e-mail addresses must be activated when SMTP is used.
    This means that only emails that go to a recipient that is also registered on the mail server are accepted.

    Verify email address:
  • Off: When using the mailconnector, no emails may be rejected. In this case, the option must be disabled.
  • SMTP: The Securepoint appliance queries the internal mail server in the background. The validation must also be active on the mail server! (Recipient verification, e.g. for an Exchange server)
  • LDAP: For example, the Securepoint appliance queries the Active Directory server.
    In the case of authentication via LDAP, the corresponding server must be configured under Authentication AD/LDAP Authentication. The user does not necessarily have to be the administrator; a user with read authorisation is sufficient.
    LDAP can also be used with users created locally on the UTM and their e-mail addresses.
  • Local Email Address List: The known addresses are managed locally on the UTM.
    Edit local email address list: All known addresses are listed here. Email addresses can be added and removed.


    Greylisting

    Greylisting causes the delivery attempt of an unknown mail server to be rejected at first.
    Spambots usually do not make any further delivery attempts, so the delivery of spam has already been stopped before the mail had to go through the spam filter engine.
    A regular mail server, on the other hand, will make another, this time successful, delivery attempt after a certain period of time.
    In addition to fending off simple spambots, greylisting also gains valuable time to load new definitions to detect any new spam waves.

    When using the mailconnector, greylisting must not be configured.

    Options

    Caption | Recommendation | Description
    Greylisting: | On | Enables greylisting
    SPF: | On | If the Sender Policy Framework of the sender domain is correctly entered in the DNS, the mail is delivered without delay. In the SPF record, all mail server IP addresses of the sender are entered that are authorized to send emails. The recipient then checks the mail header field "Mail From" or the "HELO" command to see which domain is entered or named there and whether it matches one of the IP addresses in the SPF record. If the IP address of the sender does not match those of the SPF record, the mail goes into greylisting.
    Add header: | On | By default, an additional greylisting entry is added for each recipient listed in the mail header. This can cause issues if there are many recipients in the header. When disabled (No), no greylisting headers will be inserted.
    Automatic allow list for: | 7 days | The value can be increased up to 60 days.
    Delay: | 2 minutes | Time frame given to the sending mail server to make another delivery attempt.

    Depending on the configuration of the sending mail server, redelivery may be delayed by much more than the configured time frame (default setting: 2 minutes), in extreme cases by several hours.

    If a larger value is selected for Delay, for instance 30 minutes, the scan engine may have a higher probability of detecting new outbreaks in redelivered emails, because the virus signatures may have been updated in the meantime.
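The greylisting decision described above, modelled as a small state machine. This is an added example, not Securepoint code: keying on the triplet (client IP, envelope sender, recipient), the reply code 451 and the sample attempts are assumptions; the delay and allow-list values are the recommendations from the table.

```python
from dataclasses import dataclass, field

DELAY_SECONDS = 2 * 60             # "Delay: 2 minutes" (recommended value above)
ALLOW_SECONDS = 7 * 24 * 60 * 60   # "Automatic allow list for: 7 days"


@dataclass
class Greylist:
    delay: int = DELAY_SECONDS
    allow_ttl: int = ALLOW_SECONDS
    first_seen: dict = field(default_factory=dict)     # triplet -> time of first attempt
    allowed_until: dict = field(default_factory=dict)  # triplet -> allow-list expiry

    def check(self, now, client_ip, mail_from, rcpt_to, spf_pass=False):
        """Return (smtp_code, reason) for one delivery attempt at time `now` (seconds)."""
        if spf_pass:
            # "SPF: On": a sender covered by its SPF record is delivered without delay.
            return 250, "spf-pass"
        key = (client_ip, mail_from.lower(), rcpt_to.lower())  # assumed greylisting key
        if self.allowed_until.get(key, 0) > now:
            return 250, "auto-allowlisted"
        self.allowed_until.pop(key, None)          # expired allow-list entry
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return 451, "first-attempt"            # temporary rejection, sender should retry
        if now - seen < self.delay:
            return 451, "retry-too-early"
        del self.first_seen[key]
        self.allowed_until[key] = now + self.allow_ttl
        return 250, "retry-accepted"


# Constructed sample traffic: (time in seconds, client IP, envelope sender, recipient, spf_pass)
MTA = ("198.51.100.7", "news@sender.example", "user@anyideas.de")
BOT = ("192.0.2.55", "promo@bulk.example", "user@anyideas.de")
SAMPLE_ATTEMPTS = [
    (0, *MTA, False),                        # unknown server, first attempt
    (5, *BOT, False),                        # spambot, never comes back
    (30, *MTA, False),                       # retry before the delay has passed
    (300, *MTA, False),                      # retry after the delay
    (86_400, *MTA, False),                   # next day, still on the automatic allow list
    (90_000, "198.51.100.9", "billing@partner.example", "user@anyideas.de", True),
    (300 + ALLOW_SECONDS + 1, *MTA, False),  # allow-list entry has expired
]


def replay(attempts):
    """Run the attempts through a fresh greylist and return the decisions in order."""
    greylist = Greylist()
    return [greylist.check(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt[0], attempt[1], decision)
```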

    Advanced

    Greeting Pause

    Caption | Recommendation | Description
    Status: | On | Similar to greylisting, greeting pause takes advantage of the fact that the SMTP protocol is not fully implemented in spam bots. This allows them to be distinguished from regular mail servers.

    The greeting is a line that is transmitted from the mail relay to the sending mail server.
    It could look like this, for example:

    220 firewall.foo.local ESMTP Ready

    When the SMTP protocol is fully implemented, a mail server will wait for and evaluate this greeting line before sending further SMTP commands to initiate mail delivery. A spam bot will start sending commands immediately after the TCP handshake is completed. In this case, the mail relay will not accept any further commands and will terminate the connection.
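How a relay can tell the two kinds of client apart, shown on a local socket pair. This is an added example, not the UTM's implementation; the pause length and the client behaviour are constructed, the banner is the greeting line quoted above.

```python
import select
import socket

BANNER = b"220 firewall.foo.local ESMTP Ready\r\n"  # greeting line quoted on this page


def greet_with_pause(conn, pause_seconds):
    """Hold back the greeting for `pause_seconds`; a client that talks first is dropped.

    Returns (outcome, data_received_before_greeting).
    """
    readable, _, _ = select.select([conn], [], [], pause_seconds)
    if readable:
        early = conn.recv(512)
        conn.close()                      # no further commands are accepted
        if not early:
            return "disconnected", b""    # client closed the connection during the pause
        return "early-talker", early
    conn.sendall(BANNER)                  # client waited: continue with the SMTP dialog
    return "greeted", b""


def demo(pause_seconds=0.2):
    """Constructed clients: one sends HELO before the banner, one waits for it."""
    outcomes = {}

    relay, bot = socket.socketpair()
    bot.sendall(b"HELO bot.example\r\n")  # sent right after connecting
    outcomes["early"] = greet_with_pause(relay, pause_seconds)
    bot.close()

    relay, client = socket.socketpair()
    outcomes["patient"] = greet_with_pause(relay, pause_seconds)
    outcomes["banner"] = client.recv(512)  # the compliant client now reads the greeting
    relay.close()
    client.close()
    return outcomes


if __name__ == "__main__":
    print(demo())
```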

    Recipient limitations
    Status: | Off | This option blocks emails that have more than a defined number of recipient addresses. Nowadays, most spam emails are sent as individual emails. This option should only be activated in special cases.
    Limit: | 25 | Number of recipients that must not be exceeded (Attention: may apply to company-internal mail groups!).

    Limitations per client
    Limit connections: | On | Activates the function for configuring the maximum number of permitted connections. The connection limit counteracts possible DDoS attacks.
    Exceptions: | Host | If outbound emails are also to be sent via the mail relay of the UTM, the corresponding mail servers should be added.
    Permitted connections: | 2 | Here you can set how many connections the mail relay accepts simultaneously.
    Enable access control: | On | Possible DoS attacks are counteracted by the access control.
    Time slot: | 60 seconds |
    Connections per time slot: | 5 |

    Other
    HELO required: | On | If HELO is enabled, the SMTP client is requested to give its name. Must absolutely remain activated (default). This option exists to ensure backward compatibility.
    Reverse DNS lookup needs: | On | Checks if the HELO name exists and applies in the PTR.
  • When using the mail connector, this action must not be used! Deactivate the action: Off
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is Mailconnector«
    Accept unresolvable domains: | No | Checks if host address and sender address are resolvable. Should remain disabled for SMTP. Must be enabled when using the mailconnector.
    Maximum number of processes: | 10 | The value should only be adjusted in case of permanently high mail volume and must consider the performance of the hardware!


    Mailfilter

    Under Applications Mailfilter, many different filter rules should be adjusted and/or newly created:


    Filter rules

    Filter rule »is classified as SPAM / SMTP«
    Rule name: Spam_SMTP
    Run action: Reject email (Default: Accept email)
    When an e-mail is received: and protocol is SMTP, and is classified as SPAM

    Mail servers or senders whose emails are classified as SPAM have attracted attention as SPAM sources in the past. Emails from these systems should not be accepted under any circumstances.
    Accepting such emails (even if they are quarantined afterwards) only makes the email domain more interesting for potential SPAM and virus senders.
    Securepoint recommends that these emails be rejected.

    Filter rule »is classified as suspicious«
    Rule name: Possibly_Spam
    Run action: Quarantine email (Default: Accept email)
    When an e-mail is received: and is classified as suspicious

    Emails that are classified as suspicious contain suspicious patterns and content and should not be delivered to the user's mailbox.
    Securepoint recommends that these emails be quarantined.

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«

    Filter rule »contains a virus«
    Rule name: Virus
    Run action: Reject email (Default: Accept email)
    When an e-mail is received: and contains a virus

    Accepting such emails (even if they are quarantined afterwards) only makes the email domain more interesting for potential SPAM and virus senders.
    Securepoint recommends that these emails be rejected.

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
  • When using the mail connector, this action must not be used! Here we recommend the action: quarantine email
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is Mailconnector«

    Filter rule »with content of«
    Rule name: Filter_Extensions
    Run action: Reject email (Default: Accept email)
    When an e-mail is received: with content of File name ends with
    Default: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jar, js, jse, lib, lnk, mde, msc, msi, msp, mst, nsh, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf, wsh

    Executable files should not be delivered. They are filtered based on the file extension. The list can be extended as needed.
    Securepoint recommends that these emails be rejected.

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«

    Filter rule »is a bulk email«
    Rule names: bulk_rescan, Bulk_Mail

    Add rule
    Rule name: bulk_rescan
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and is a bulk email

    Emails classified as BULK are currently being sent out in masses and should not be delivered to the user's mailbox.
    These could be, for example, the first emails of a new SPAM wave.
    Securepoint recommends that these emails be quarantined.

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: mark email in subject with BULK Mail
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
  • Rules with the action »...and filter again« are applied only once. Another rule is needed that defines how to proceed in case of a new scan with the same result!

    Create a new rule: Add rule
    Rule name: Bulk_Mail
    Run action: Quarantine email (Default: Accept email)
    When an e-mail is received: and is a bulk email
    Add criterion: and header field From does not contain »anyideas.de

    Filter rule »Investigate / further investigations are recommended«
    Add rule
    Rule name: Investigate
    Run action: Quarantine email and filter again for 15 minutes (Default: Accept email)
    When an e-mail is received: further investigations are recommended / are not strictly necessary

    The spam filtering engine expects that the category of this email may change in the next 15 minutes.
    Securepoint recommends that these emails be quarantined.

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: mark email in subject with Check content (no classification)
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«

    Filter rule »was caught by the URL filter«
    Add rule
    Rule name: URL_Filter
    Run action: Quarantine email (Default: Accept email)
    When an e-mail is received: and was caught by the URL filter

    Emails containing a dangerous URL should not be accepted and delivered to the user's mailbox.
    Please note the settings of the URL filter.
    Securepoint recommends that these emails be quarantined.

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«

    The current threat situation makes it clear that standard procedures can no longer keep up in the fight against malware.
    Potentially dangerous documents should not be delivered to the user's mailbox.
    Documents are identified by MIME types and file extensions.

    Filter rule »Word documents based on MIME types«
    Add rule
    Rule name: Word_MIME
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of MIME type is
    MIME types can now be selected in the click box. This list can be entered as content:
    application/msword, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.openxmlformats-officedocument.wordprocessingml.template, application/vnd.ms-word.document.macroEnabled.12, application/vnd.ms-word.template.macroEnabled.12

    In order for Word documents to be filtered based on MIME types, a new rule is needed.
    Securepoint recommends that emails with Office documents attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
    Save

    Filter rule »Excel documents based on MIME types«
    Add filter rule
    Rule name: Excel_MIME
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of MIME type is
    application/vnd.ms-excel, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.openxmlformats-officedocument.spreadsheetml.template, application/vnd.ms-excel.sheet.macroEnabled.12, application/vnd.ms-excel.template.macroEnabled.12, application/vnd.ms-excel.addin.macroEnabled.12, application/vnd.ms-excel.sheet.binary.macroEnabled.12

    In order for Excel documents to be filtered based on MIME types, a new rule is needed.
    Securepoint recommends that emails with Office documents attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
    Save

    Filter rule »Open Office / Libre Office documents based on MIME types«
    Add filter rule
    Rule name: OOffice_MIME
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of MIME type is
    application/vnd.oasis.opendocument.chart-template, application/vnd.oasis.opendocument.database, application/vnd.oasis.opendocument.formula, application/vnd.oasis.opendocument.formula-template, application/vnd.oasis.opendocument.graphics, application/vnd.oasis.opendocument.graphics-template, application/vnd.oasis.opendocument.image, application/vnd.oasis.opendocument.image-template, application/vnd.oasis.opendocument.presentation, application/vnd.oasis.opendocument.presentation-template, application/vnd.oasis.opendocument.spreadsheet, application/vnd.oasis.opendocument.spreadsheet-template, application/vnd.oasis.opendocument.text, application/vnd.oasis.opendocument.text-master, application/vnd.oasis.opendocument.text-template, application/vnd.oasis.opendocument.text-web, text/rtf, application/rtf

    Securepoint recommends that emails with Office documents attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«

    Filter rule »Office documents based on file extension«
    Add filter rule
    Rule name: Office_Extension
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of File name ends with
    File extensions can now be selected in the click box. This list can be entered as content:
    doc, dot, docx, docm, dotx, dotm, docb, xls, xlsx, xlt, xlm, xlsm, xltm, xlsb, xla, xlam, xll, xlw, ppt, pot, pps, ppa, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, pub, odt, ott, oth, odm, otg, odp, otp, ods, ots, odc, odf, odb, odi, oxt, rtf

    In order for Office documents to be filtered by file extension, a new rule is needed.
    Securepoint recommends that emails with Office documents attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
    Save

    Filter rule »Compressed files based on MIME types«
    Add filter rule
    Rule name: Compressed_MIME
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of MIME type is
    application/x-zip-compressed, application/zip

    In order for compressed files to be filtered based on MIME types, a new rule is needed.
    Securepoint recommends that emails with compressed files attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
    Save

    Filter rule »Compressed files based on extension«
    Add filter rule
    Rule name: Compressed_Extension
    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of File name ends with
    File extensions can now be selected in the click box. This list can be entered as content:
    zip, 7z, ace, arj, cab, zz, zipx

    In order for compressed files to be filtered based on the file extension, a new rule is needed.
    Securepoint recommends that emails with compressed files attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
    Save

    Filter rule »ISO files based on MIME type or extension«
    Add filter rule
    Rule name: images
    Rule with criteria connected by »or«

    Run action: Quarantine email and filter again for 30 minutes (Default: Accept email)
    When an e-mail is received: and with content of File name ends with
    File extensions can now be selected in the click box. This list can be entered as content:
    iso, img
    or with content of MIME type is
    MIME types can now be entered in the click box. This list can be entered as content:
    application/x-cd-image, application/x-iso-image, application/x-iso9660-image

    In order for .iso and .img files to be filtered, a new rule is needed.
    Securepoint recommends that emails with images attached are temporarily quarantined and filtered again after 30 minutes!

  • When using the POP3 proxy, this action must not be used! Here we recommend the action: filter email content
  • If different protocols are used, this must be selected in the filter conditions beforehand: Add criterion »and protocol is POP3«
    Save

    AL_mark or filter attachments
    Rule names: AL_Anhänge markieren, AL_Anhänge zustellen, Filter attachments

    Scenario: Attachments from specific senders are to be tagged and delivered. All other attachments should be filtered.
    • 1st rule: Tag emails with attachments from specific senders.
    • 2nd rule: Deliver emails with attachments from specific senders.
    • 3rd rule: Filter emails with attachments that do not come from specific senders.

    Add filter rule
    Rule name: AL_Anhänge markieren
    Run action: Mark email in subject with Sender verified
    When an e-mail is received: and with content of File name contains »*
    Add criterion: and sender contains »anyideas.de

    Add filter rule
    Rule name: AL_Anhänge zustellen
    Run action: Accept email
    When an e-mail is received: and with content of File name contains »*
    Add criterion: and sender contains »anyideas.de
    Since this email was flagged (i.e. a filter was applied), it is displayed in the quarantine as filtered. Nevertheless, thanks to the 2nd rule, it will be delivered.

    Add filter rule
    Rule name: Filter attachments
    Run action: Quarantine email and filter again for 30 minutes
    When an e-mail is received: and with content of File name contains »*
    Add criterion: and sender does not contain »anyideas.de

  • The check against the rule set is not cancelled for the actions »Filter applicable content« and »Tag email in subject with«, but continues. Further filter rules can be applied to such emails.
  • In all other action cases, the check against the rule set is terminated if the criteria apply.
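The three AL rules and the continue/terminate behaviour from the two notes above, as a small model. This is an added example, not the UTM's rule engine: the function names, the subject prefix format, the "no-match" verdict and the sample messages are assumptions.

```python
from email.message import EmailMessage

# Per the notes above: the check continues after marking/filtering actions,
# every other action ends the evaluation.
NON_TERMINAL = {"mark", "filter_content"}
SENDER_PATTERN = "anyideas.de"   # example domain from the rules above

# (rule name, condition(sender, attachment_names), (action, argument)) in rule-set order.
# "File name contains »*" is modelled as "has at least one named attachment".
RULES = [
    ("AL_Anhänge markieren", lambda s, n: bool(n) and SENDER_PATTERN in s, ("mark", "Sender verified")),
    ("AL_Anhänge zustellen", lambda s, n: bool(n) and SENDER_PATTERN in s, ("accept", None)),
    ("Filter attachments", lambda s, n: bool(n) and SENDER_PATTERN not in s, ("quarantine_and_rescan", 30)),
]


def build(subject, attachment=None):
    """Construct a sample message, optionally with one attachment."""
    message = EmailMessage()
    message["Subject"] = subject
    message.set_content("constructed sample body")
    if attachment:
        message.add_attachment(b"sample", maintype="application",
                               subtype="octet-stream", filename=attachment)
    return message


def evaluate(rules, sender, message):
    """Walk the rules top to bottom and stop at the first terminating action."""
    names = [p.get_filename() for p in message.iter_attachments() if p.get_filename()]
    subject = str(message["Subject"])
    matched = []
    for name, condition, (action, argument) in rules:
        if not condition(sender.lower(), names):
            continue
        matched.append(name)
        if action == "mark":
            subject = f"[{argument}] {subject}"   # assumed marking format
        if action not in NON_TERMINAL:
            return {"verdict": action, "subject": subject, "matched": matched}
    return {"verdict": "no-match", "subject": subject, "matched": matched}


if __name__ == "__main__":
    print(evaluate(RULES, "alice@anyideas.de", build("Q1 figures", "report.pdf")))
    print(evaluate(RULES, "bob@other.example", build("Invoice", "invoice.pdf")))
    # Same rules with "accept" moved to the top: the mark is never applied.
    print(evaluate([RULES[1], RULES[0], RULES[2]], "alice@anyideas.de",
                   build("Q1 figures", "report.pdf")))
```

Moving the accepting rule above the marking rule delivers the mail without the subject tag, which is why the order in the rule set matters.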

    Create allowlist exception rules
    Add filter rule
    Rule name: Allowlist
    If emails from a certain sender (here from securepoint.de) are to be delivered in any case, an allowlist exception must be created in the mail filter rule set.
    Run action: Accept email
    When an e-mail is received: and protocol is SMTP
    Add criterion: and sender from ends with »@ttt-point.de

    Save

    For a rule to work as an allowlist rule, the order must be defined so that this rule takes effect before the general spam quarantine rule.
    By clicking and holding with the left mouse button on the allowlist rule (pos. 7) in the "Pos." column, this rule is moved up above the general Spam_SMTP filter rule.
    When the rule has reached the desired position, release the mouse button.
    The allowlist rule is now assigned a new position number according to its ranking.

  • Allowlist rules should be after the rules for spam and viruses, but before other rules that may unintentionally prevent delivery.

    Fake sender
    Add filter rule
    Rule name: fake_sender_intern

    In order to avoid accepting emails with fake internal senders (which usually enjoy a high level of trust), we recommend creating three filter rules according to the following example:

    In this example, emails of the mail domain @securepoint.de are to be accepted.
    The IP address of the mail server is assumed to be 192.168.175.100.
    These are only sample addresses that need to be customized locally.

    Rule name: fake_sender_intern1
    Run action: Reject email
    When an e-mail is received: and sender contains »@ttt-point.de
    Add criterion: and source host is not »192.168.175.100
    Save

    Add rule
    Rule name: fake_sender_intern2
    Run action: Reject email
    When an e-mail is received: and header field From contains »@ttt-point.de
    Add criterion: and source host is not »192.168.175.100
    Save

    Add filter rule
    Rule name: fake_sender_intern3
    Run action: Reject email
    When an e-mail is received: and header field From is »securepoint.de
    Add criterion: and source host is not »192.168.175.100
    Save

    Filter rule SPF fail
    Add filter rule
    Rule name: SPF fail
    Run action: Quarantine email
    When an e-mail is received: and SPF result for domain »anyideas.de exists and is »fail
    Save

    Filter rule SPF permerror
    Add filter rule
    Rule name: SPF permerror
    Run action: Mark email in subject with SPF error / check sender!
    When an e-mail is received: and SPF result for domain »anyideas.de exists and is »softfail or »permerror
    Save

    Filter rule DKIM
    Add filter rule
    Rule name: DKIM
    Run action: Quarantine email
    When an e-mail is received: and DKIM result for domain »anyideas.de exists and is »fail
  • anyideas.de must be replaced by an individual domain
  • Only domains for which correct DKIM results are normally always expected should be entered
    Save

    Filter rule DMARC quarantine
    Add filter rule
    Rule name: DMARC quarantine
    Run action: Quarantine email
    When an e-mail is received: and DMARC result/policy recommendation is quarantine
    Save

    Filter rule DMARC reject
    Add filter rule
    Rule name: DMARC reject
    Run action: Reject email
    When an e-mail is received: and DMARC result/policy recommendation is reject
    Save
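What the SPF and DKIM rules above act on: the RFC 8601 Authentication-Results header that the "SPF/DKIM/DMARC audits" option adds. This is an added example, not Securepoint code; the authserv-id `firewall.foo.local`, the function names and the sample messages are assumptions, and the DMARC policy rules are not modelled. Only headers carrying the relay's own authserv-id are evaluated, since any upstream host can add a header of the same name.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "firewall.foo.local"  # assumption: authserv-id written by the relay
WATCHED_DOMAIN = "anyideas.de"              # example domain used in the rules above
DOMAIN_PROPERTY = {"spf": ("smtp.mailfrom", "smtp.helo"), "dkim": ("header.d",)}


def parse_auth_results(value):
    """Parse one header value into (authserv_id, [(method, result, props), ...])."""
    value = " ".join(value.split())             # unfold continuation lines
    previous = None
    while previous != value:                    # drop (comments), innermost first
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)
    first, *rest = value.split(";")
    authserv_id = first.split()[0].lower() if first.split() else ""
    results = []
    for part in rest:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                            # empty part or a bare "none"
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.split("/")[0].lower(), result.lower(), props))
    return authserv_id, results


def results_for_domain(raw_message, domain=WATCHED_DOMAIN):
    """Collect SPF and DKIM results about `domain` from trusted headers only."""
    found = {"spf": set(), "dkim": set()}
    message = message_from_string(raw_message)
    for header in message.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(header)
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue                            # written by another host: ignore
        for method, result, props in results:
            for prop in DOMAIN_PROPERTY.get(method, ()):
                ident = props.get(prop, "").strip('<>"').lower()
                if ident.rsplit("@", 1)[-1] == domain:
                    found[method].add(result)
    return found


def apply_rules(raw_message):
    """Apply the rules "SPF fail", "SPF permerror" and "DKIM" in that order."""
    found = results_for_domain(raw_message)
    if "fail" in found["spf"]:
        return [("SPF fail", "quarantine")]     # terminating action
    actions = []
    if found["spf"] & {"softfail", "permerror"}:
        actions.append(("SPF permerror", "mark subject: SPF error / check sender!"))
    if "fail" in found["dkim"]:
        actions.append(("DKIM", "quarantine"))
    return actions


# Constructed sample messages
SAMPLE_FAIL = """\
Authentication-Results: mx.elsewhere.example; spf=pass smtp.mailfrom=anyideas.de
Authentication-Results: firewall.foo.local;
 spf=fail (sender IP is not listed) smtp.mailfrom=billing@anyideas.de;
 dkim=none
From: billing@anyideas.de
Subject: constructed sample 1

body
"""
SAMPLE_SOFTFAIL = """\
Authentication-Results: firewall.foo.local; spf=softfail smtp.mailfrom=anyideas.de;
 dkim=fail (bad signature) header.d=anyideas.de header.s=sel1
From: info@anyideas.de
Subject: constructed sample 2

body
"""
SAMPLE_PASS = """\
Authentication-Results: firewall.foo.local; spf=pass smtp.mailfrom=anyideas.de;
 dkim=pass header.d=anyideas.de
From: info@anyideas.de
Subject: constructed sample 3

body
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FAIL, SAMPLE_SOFTFAIL, SAMPLE_PASS):
        print(apply_rules(sample))
```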




    URL-Filter

    Applications  Area URL-Filter


    The URL filter verifies

    • the URL itself (Add rule). Further notes can be found in the wiki article about the Mailfilter.
      In combination with the allow action, this can mainly be used to create allowlists.
    • which content category the visited page falls into (Add category).
      This categorization is constantly updated by our content filter team.
      Allowlist entries (e.g. Education (schools and training institutes, universities)) can also be created here with the allow action, or blocklist entries with the block action.
      The following categories are preconfigured in installations since 11.8 and should not be missing in older installations:

    Add category

    Type | Name | Description | Action
    Category | Threat Intelligence Feed | This category contains URLs currently classified as malicious which spread malware and contain phishing pages (phishing, malware, botnets, crimeware, etc.) | block
    Category | Porn and erotic | This category contains URLs that provide pornographic or predominantly sexual content. | block
    Category | Hacking | This category contains URLs that provide advice on hacking, warez, building malware, tricking systems or subscription traps. | block
    Category | Update Server | Server and services for important software updates. This category is intended for allowlist environments. | allow

    Other categories are to be adapted to the requirements of the company.


    By clicking on Save the filter rule will be added.



    Spam Report

    Applications Mailfilter  Area Options  Section Spam Report

    Email digest

    The spam report can inform email users at certain intervals about emails filtered, blocked or quarantined by the UTM. This report can be sent either on a specific day of the week or daily, at a specific time.

    Action | Value | Description
    Enable reports: | None (Default) | No spam reports will be sent.
     | Users | Reports are sent to the users.
     | Users and Admin | Reports are sent to the users and an overview is sent to the administrator.
    Delivery Condition: | Deliver always (Default) | In any case, a spam report will be sent.
     | Not accepted Quarantined or filtered |
     | Quarantined or filtered | A spam report will only be delivered if at least one email has been quarantined or filtered.
    Alternative Hostname / IP: | | If the web interface with the mail server is to be accessed via an external IP or another host name.
    Day: | Monday (Default) | This report can be sent either on a specific weekday or Every day.
    1. Report | 20:00 | Specifies the time for sending the report.
    2. Report, 3. Report, 4. Report | Disabled | With daily reports, a total of four reports can be sent at specified times.


    In order for the report to reach the e-mail user, it is necessary for the e-mail user to be in a group with the 'Spamreport' permission.

    If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.

    Figure: Spam report to the user.

