Mail Security - recommended settings 2023

Best practice on mail security

Last adaption: 07.2023

New:

Additional filter rules recommended:
SPF fail, SPF permerror, DKIM, DMARC quarantine, DMARC reject

notempty

This article refers to a Resellerpreview

06.2022 11.7

notempty

The article describes a best practice for mail security.
These are our recommended settings.
All information provided without guarantee!

Requirements

These recommendations refer to the following scenario:

Receiving the emails through the mail relay
Delivery is made directly via MX
Filtering occurs directly on input to MX

General

Global email address

In order to receive error notifications, a valid postmaster address must be set under

Firewall

Global email address

Under → Applications →Mail relay, set the configuration to accept only emails to the recipient's address.

General

Caption	Value	Description
Mail filter	On	The mail filter function must be activated
SPF/DKIM/DMARC audits:	On	Adds an RFC 8601 Authentication-Results header to the mail and allows filtering for corresponding SPF/DKIM/DMARC results in a Mailfilter rule (see below).

Add domain / host

Relaying

Relaying list

Configure with + Add domain / host

Mails, addressed to the anyideas.de domain should be forwarded by mail relay
Domain:	`anyideas.de`	Example domains for receiving emails
Option:	To
Action:	Relay	Relay
If outbound emails are to be sent via the mail relay of the UTM, another entry is required:
Domain:	`192.168.175.100`	IP address of the internal mail server
Option:	Connect	While making a connection
Action:	Relay	Relay
Entry for a mail server that is to be blacklisted:
Domain:	`203.0.113.113`	IP address of the foreign mail server
Option:	Connect	While making a connection
Action:	Denied	refuse

Use exact domain name for relaying:	On	This option will not accept emails to recipients within a subdomain.
TLS settings
TLS encryption as a server:	On	TLS encryption for mail relay must be enabled, otherwise mails will be received over unencrypted connections. See also the notes of the German BSI for using TLS (german language).
Certificate	default	Importing a certificate whose CN corresponds to the host name of the UTM is optional. If such a certificate is not imported, the mail relay uses a self-signed certificate for the purpose of transport encryption.
TLS encryption as a client:	encrypt	Ensures that emails are sent over an encrypted connection in all instances.

SMTP routes

notempty

The mail server should reject emails to addresses without a mailbox during the SMTP dialog.

section

Settings

Validation of recipients for valid e-mail addresses must be activated when smtp is used.
This means that only emails that go to a recipient that is also registered on the mail server are accepted.

Verify email address:	Off	Validation of recipients for valid e-mail addresses must be activated when smtp is used. This means that only emails that go to a recipient that is also registered on the mail server are accepted. notempty When using the mailconnector, no emails may be rejected. In this case, the option is mandatory to disable.
	SMTP	The Securepoint appliance inquires the internal mail server in the background. The validation must also be active on the mail server! (Recipient Verification e.g. for an exchange server)
	LDAP	The Securepoint appliance inquires the active directory server, for example. For authentication via LDAP, the corresponding server must be configured under → Authentication →AD/LDAP Authentication. The user does not have to be an administrator, a user with viewing rights is sufficient.
	Local Email Adress List	The known addresses are managed locally on the UTM
Edit local email address list		All known addresses are here. Add email address email addresses can be added email addresses can be removed

Greylisting

Greylisting causes the delivery attempt of an unknown mail server to be rejected at first.
Spambots usually do not make any further delivery attempts, so the delivery of spam has already been successfully stopped before the mail had to go through the spam filter engine.
A regular mail server, on the other hand, will make another, this time successful, delivery attempt after a certain period of time.

In addition to fending off simple spambots through greylisting, valuable time is also gained to load new definitions to detect any new spam waves.

notempty

When using the mailconnector, greylisting must not be configured

Settings

Labeling	Recommendation	Description
Greylisting:	On	Enables greylisting.
SPF:	On	If the Sender Policy Framework of the sender domain is correctly entered in the DNS, the mail is delivered without delay. In the SPF record, all mail server IP addresses of the sender are entered that are authorized to send emails. The recipient then checks the mail header field "Mail From" or the "HELO" command to see which domain is entered or named there and whether it matches one of the IP addresses in the SPF record. If the IP address of the sender does not match those of the SPF record, the mail goes into greylisting.
Add header:	On	By default, an additional greylisting entry is added for each recipient listed in the mail header. This can cause issues if there are many recipients in the header. When disabled No no greylisting headers will be inserted.
Automatic allow list for:	60 days	The value can be increased up to 60 days.
Delay:	2 minutes	Time frame given to the sending mail server to make another delivery attempt. notempty Depending on the configuration of the sending mail server, redelivery may be delayed by much more than the configured time frame (default settings 2 minutes) - in extreme cases by several hours. notempty If a larger value is set for Delay for instance: 30 minutes selected, the scan engine may have a higher probability of detecting new outbreaks with redelivered emails, because the virus signatures may have been updated in the meantime.
Extended
Greeting Pause Greeting Pause
Labeling	Recommendation	Description
Status	On	Similar to Greylisting, greeting pause takes advantage of the fact that the SMTP protocol is not fully implemented in spam bots. This allows them to be distinguished from regular mail servers. The greeting is a greeting that is transmitted from the mail relay to the sending mail server. This could look like this, for example: 220 firewall.foo.local ESMTP Ready When the SMTP protocol is fully implemented, a mail server will wait for and evaluate this greeting line before sending further SMTP commands to initiate mail delivery. A spam bot will start sending commands immediately after the TCP handshake is completed. In this case, the mail relay will not accept any further commands and will terminate the connection.
Recipient limitations Recipient limitations
Status	Off	This option blocks mails that have more than a defined number of recipient addresses. In the meantime, most spam mails are sent as individual mails. This option should only be activated in special cases.
Limit:	25	Number of recipients that must not be exceeded (Attention: May apply to company-internal mail groups!).
Limitations per client
Limit connections	On	Here you can define how many connections the mail relay accepts at the same time. Exceptions can be defined for known mail servers as a host list. Allowed connections: 1 (Leave default value.) The connection limit counteracts possible DDOS attacks.
Enable access control	On	Possible DOS attacks are counteracted by the access control.
Time slot:	60 seconds
Connections per time slot:	5
Exceptions	Host	If outbound mails are also to be sent via the mail relay of the UTM, the corresponding mail servers should be added.
Other Other
HELO required	On	If HELO is enabled, the SMTP client is requested to give its name. Must absolutely remain activated (default) This option exists to ensure backward compatibility.
Reverse DNS lookup needs:	On	Checks if the HELO name exists and applies in the PTR. When using the mail connector, this action must not be used! Deactivate action Off If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is Mailconnector Add criterion
Accept unresolvable domains:	No	Checks if host address and sender address are resolvable. Should remain disabled for SMTP. notempty Must be enabled when using the mailconnector
Maximum number of processes:	10	The value should only be adjusted in case of permanently high mail volume and must consider the performance of the hardware!

Mail filter

Under → Applications →Mail filter many different Filter rules should be adjusted and/or newly created:

Filter rules

Filter rule	Description
Filter rule »is classified as SPAM / SMTP« Spam_SMTP	When an email is received and protocol is SMTP and is classified as SPAM Run action: Edit filter rule: Reject email Default: Quarantine email Mail servers or senders whose emails are classified as SPAM have attracted attention as SPAM sources in the past. Emails from these systems should not be accepted under any circumstances. Accepting such emails (even if they are quarantined afterwards) only makes the email domain more interesting for potential SPAM and virus senders. notempty Securepoint recommends that these mails be rejected.

Filter rule »is classified as suspicious«. Possibly_Spam	When an email is received and is classified as suspicious. Run action: Edit filter rule: Quarantine email Default: Tag email in subject with [Marked as possibly spam] Emails that are classified as suspicious contain suspicious patterns and content and should not be delivered to the user's mailbox. notempty Securepoint recommends that these mails be quarantined. When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion

Filter rule »contains a virus« Virus	When an email is received and contains a virus. Run action: Edit filter rule: Reject email Default: Filter applicable content Accepting such emails (even if they are quarantined afterwards) only makes the email domain more interesting for potential SPAM and virus senders. notempty Securepoint recommends that these mails be rejected. When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion When using the mail connector, this action must not be used! Here we recommend do action: quarantine email If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is Mailconnector Add criterion

Filter rule »with content of« Filter_Extensions	When an email is received with content of File name ends with Default: ade, adp, bat, chm, cmd, com, cpl, exe, hta, ins, isp, jar, js, jse, lib, lnk, mde, msc, msi, msp, mst, nsh, pif, scr, sct, shb, sys, vb, vbe, vbs, vxd, wsc, wsf, wsh Run action: Edit filter rule: Reject email Default: Filter applicable content Executable files should not be delivered. They are filtered based on the file extension. Can be added to as needed. notempty Securepoint recommends that these mails be rejected. When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion

Filter rule »is a bulk email« Add rule bulk_rescan Bulk_Mail	rule name bulk_rescan When an email is received and is a bulk email Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email Emails classified as BULK are currently being sent out in masses and should not be delivered to the user's mailbox. These could be, for example, the first emails of a new SPAM wave. notempty Securepoint recommends that these mails be quarantined. When using the POP3 proxy, this action must not be used! Here we recommend do action: mark email in subject with BULK Mail If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Rules with the action ...and filter again by are applied only once. Another rule is needed that defines how to proceed in case of a new scan with the same result! Create a new rule: Add rule rule name Bulk_Mail When an email is received and is a bulk email Add criterion and header field From does not contain » ✕anyideas.de Run action: Edit filter rule: Quarantine email Default: Accept email

Filter rule »Investigate / further investigations are recommended« Add rule Investigate	rule name Investigate When an email is received further investigations are recommended / are not strictly necassary Run action: Edit filter rule: Quarantine email and filter again for 15 minutes Default: Accept email The spam filtering engine expects that the category of this email may change in the next 15 minutes. notempty Securepoint recommends that these mails be quarantined. When using the POP3 proxy, this action must not be used! Here we recommend do action: mark email in subject with Check content (no classification) If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion

Filter rule »was caught by the URL filter« Add rule URL_Filter	Create a new rule: rule name URL_Filter When an email is received and was caught by the URL filter Run action: Edit filter rule: Quarantine email Default: Accept email Emails containing a dangerous URL should not be accepted and delivered to the user's mailbox. Please note the settings of the URL filter. notempty Securepoint recommends that these mails be quarantined. When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion
The current threat situation makes it clear that standard procedures can no longer keep up in the fight against malware. Potentially dangerous documents should not be delivered to the user's mailbox. Documents are identified by MIME types and file extensions.
Filter rule »Word documents based on MIME types« +Add rule Word_MIME	Create a new rule: rule name Word_Mime When an email is received and with content of MIME type is MIME types can now be selected in the click box. This list can be entered as content. application/msword, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.openxmlformats-officedocument.wordprocessingml.template, application/vnd.ms-word.document.macroEnabled.12, application/vnd.ms-word.template.macroEnabled.12 Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email In order for Word documents to be filtered based on MIME types, a new rule is needed. When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Save

Filter rule »Excel documents based on MIME types« +Add fitler rule Excel_MIME	Create a new rule: rule name Excel_Mime When an email is received and with content of MIME type is application/vnd.ms-excel, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.openxmlformats-officedocument.spreadsheetml.template, application/vnd.ms-excel.sheet.macroEnabled.12, application/vnd.ms-excel.template.macroEnabled.12, application/vnd.ms-excel.addin.macroEnabled.12, application/vnd.ms-excel.sheet.binary.macroEnabled.12 Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email In order for Excel documents to be filtered based on MIME types, a new rule is needed. notempty Securepoint recommends that mails with Office documents attached are temporarily quarantined and filtered again after 30 minutes! When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Save

Filter rule »Open Office / Libre Office documents based on MIME types« +Add fitler rule OOffice_MIME	Create a new rule: rule name OOffice_MIME (Open-Office) When an email is received and with content of MIME type is application/vnd.oasis.opendocument.chart-template,application/vnd.oasis.opendocument.database,application/vnd.oasis.opendocument.formula, application/vnd.oasis.opendocument.formula-template,application/vnd.oasis.opendocument.graphics,application/vnd.oasis.opendocument.graphics-template, application/vnd.oasis.opendocument.image,application/vnd.oasis.opendocument.image-template,application/vnd.oasis.opendocument.presentation, application/vnd.oasis.opendocument.presentation-template,application/vnd.oasis.opendocument.spreadsheet, application/vnd.oasis.opendocument.spreadsheet-template,application/vnd.oasis.opendocument.text,application/vnd.oasis.opendocument.text-master, application/vnd.oasis.opendocument.text-template,application/vnd.oasis.opendocument.text-web, text/rtf, application/rtf Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email notempty ! Securepoint recommends mails with Office documents attached are temporarily quarantined and filtered again after 30 minutes! When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion

Filter rule »Office documents based on file extension« +Add fitler rule Office_Extension	Create a new rule: rule name Office_Extension When an email is received and with content of File name ends with File extensions can now be selected in the click box. This list can be entered as content. doc, dot, docx, docm, dotx, dotm, docb, xls, xlsx, xlt, xlm, xlsm, xltm, xlsb, xla, xlam, xll, xlw, ppt, pot, pps, ppa, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm, pub, odt, ott, oth, odm, otg, odp, otp, ods, ots, odc, odf, odb, odi, oxt, rtf Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email In order for Office documents to be filtered by file extension, a new rule is needed. notempty Securepoint recommends that mails with Office documents attached are temporarily quarantined and filtered again after 30 minutes! When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Save

Filter rule »Compressed files based on MIME types« +Add fitler rule Compressed_MIME	Create a new rule: rule name Compressed_MIME When an email is received and with content of MIME type is MIME types can now be selected in the click box. This list can be entered as content. application/x-zip-compressed,application/zip Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email In order for compressed files to be filtered based on MIME types, a new rule is needed. notempty Securepoint recommends that mails with compressed files attached are temporarily quarantined and filtered again after 30 minutes! When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Save

Filter rule »Compressed files based on extension« +Add fitler rule Compressed_Extension	Create a new rule: rule name Compressed_Extension When an email is received and with content of File name ends with File extensions can now be selected in the click box. This list can be entered as content. zip,7z,ace,arj,cab,zz,zipx Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email In order for compressed files to be filtered based on the file extension, a new rule is needed. notempty Securepoint recommends that mails with compressed files attached are temporarily quarantined and filtered again after 30 minutes! When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Save

Filter rule »ISO files based on MIME type or extension« +Add fitler rule images	Create a new rule: rule name Images Rules with or -Connect operators When an email is received and with content of File name ends with File extensions can now be selected in the click box. This list can be entered as content. iso,img or with content of MIME type is MIME types can now be entered in the click box. This list can be entered as content. application/x-cd-image, application/x-iso-image, application/x-iso9660-image Run action: Edit filter rule: Quarantine email and filter again for 30 minutes Default: Accept email In order for .iso and .img files to be filtered, a new rule is needed. notempty Securepoint recommends that mails with images attached are temporarily quarantined and filtered again after 30 minutes! When using the POP3 proxy, this action must not be used! Here we recommend do action: filter email content If different protocols are used, this must be selected in the filter conditions beforehand! and protocol is POP3 Add criterion Save

WL_mark or filter attachments Add fitler rule WL_mark attachments WL_accept attachements Filter attachments	Scenario: Attachments from specific senders are to be tagged and delivered. All other attachments should be filtered. 1st rule: Tag emails with attachments from specific senders. 2nd rule: Deliver emails with attachments from specific senders. 3rd rule: Filter emails with attachments that do not come from specific senders. Create a new rule:rule name WL_mark attachments When an email is received and with content of File name contains » ✕* Add criterion and sender contains » ✕anyideas.de Run action: Edit filter rule: Mark email in subject with Sender verified Add fitler rule Create a new rule:rule name WL_accept attachements When an email is received and with content of File name contains » ✕* Add criterion and sender contains » ✕anyideas.de Run action: Edit filter rule: Accept email notempty Since this email was flagged - i.e. a filter applied - it is displayed in the quarantine as filtered. Nevertheless, thanks to the 2nd rule, it will be delivered. Add fitler rule Create a new rule:rule name Filter attachments When an email is received and with content of File name contains » ✕* and sender does not contain » ✕anyideas.de Run action: Edit filter rule: Quarantine email and filter again for 30 minutes The check for the set of rules is not canceled for the actions Filter applicable content and Tag email in subject with, but continues. Further filter rules can be applied to such emails. In all other action cases, the verification on the set of rules is terminated if the criteria apply.

Create whitelist exception rules +Add fitler rule Whitelist updated	If emails from a certain sender (here from securepoint.de) are to be delivered in any case, a whiltelist exception must be created in the mail filter rule set. Create a new rule:rule name Whitelist When an email is received and protocol is SMTP Add criterion and sender from ends with » ✕@ttt-point.de Run action: Edit filter rule: Accept email Save Move filter rule For a rule to work as a whitelist rule, the order must be defined so that this rule takes effect before the general spam quarantine rule. By clicking and holding with the left mouse button on the whitelist rule (pos. 7) in the "Pos." column, this rule is moved up above the general Spam_SMTP filter rule. When the rule has reached the desired position, release the mouse button. The whitelist rule is now assigned a new position number according to its ranking. Whitelist rules should be after the rules for spam and viruses, but before other rules that may unintentionally prevent delivery.

Fake sender +Add fitler rule fake_sender_internal	Fake sender In order to avoid accepting emails with fake internal senders (which usually enjoy a high level of trust), we recommend creating three filter rules according to the following example: notempty In this example, mails of the mail domain @securepoint.de are to be accepted. The IP address of the mail server is assumed to be 192.168.175.100. notempty These are only sample addresses that need to be customized locally. Create a new rule:rule name fake_sender_internal1 When an email is received and sender contains » ✕@ttt-point.de Add criterion and source host is not » ✕192.168.175.100 Run action: Edit filter rule: Reject email Save Add rule Create a new rule:rule name fake_sender_internal2 When an email is received and header field From contains » ✕@ttt-point.de Add criterion and source host is not » ✕192.168.175.100 Run action: Edit filter rule: Reject email Save Add fitler rule Create a new rule:rule name fake_sender_internal3 When an email is received and header field From is » ✕securepoint.de Add criterion and source host is not » ✕192.168.175.100 Run action: Edit filter rule: Reject email Save

Filter rule SPF fail +Add fitler rule SPF fail New in the wiki	Create a new rule:Regelname SPF fail Wenn eine E-Mail eingeht and SPF result for domain » ✕anyideas.de exists and is » ✕fail Run action: Edit filter rule: Quarantine email Speichern

Filter rule SPF permerror +Add fitler rule SPF permerror New in the wiki	Create a new rule:Regelname SPF permerror Wenn eine E-Mail eingeht and SPF result for domain » ✕anyideas.de exists and is » ✕softfail or » ✕permerror Run action: Edit filter rule: Mark email in subject with SPF error / check sender! Speichern

Filter rule DKIM +Add fitler rule DKIM New in the wiki	Create a new rule:Regelname DKIM Wenn eine E-Mail eingeht and DKIM result for domain » ✕anyideas.de exists and is » ✕fail Run action: Edit filter rule: Quarantine email Speichern

Filter rule DMARC quarantine +Add fitler rule DMARC quarantine New in the wiki	Create a new rule:Regelname DMARC quarantine Wenn eine E-Mail eingeht and DMARC result/policy recommendation is quarantine Run action: Edit filter rule: Quarantine email Speichern

Filter rule DMARC reject +Add fitler rule DMARC reject New in the wiki	Create a new rule:Regelname DMARC reject Wenn eine E-Mail eingeht and DMARC result/policy recommendation is reject Run action: Edit filter rule: Reject email Speichern

URL filter

→ Applications →Mail filterTab URL filter

The URL filter verifies

the URL itself. Add rule Further notes in the wiki about the Mailfilter.
This can be used in combination with the allow action to create mainly whitelists
in which content category the visited page falls. Add category
This categorization is constantly updated by our content filter team.
Allowlist entries (e.g. Education (schools and training institutes, universities) can also be created here with the allow action, or blocklist entries with the action.

The following categories are preconfigured in installations since 11.8 and should not be missed in older installations:

Add category

Type	Name	Description	Action
Category	Threat Intelligence Feed	This category contains URLs currently classified as malicious which spread malware and contain phishing pages (phishing, malware, botnets, crime ware, etc.)	block
Category	Porn and erotic	This category contains URLs that provide pornographic or predominantly sexual content.	block
Category	Hacking	This category contains URLs that provide advice on hacking, warez, building malware, tricking systems or subscription traps.	block
Category	Update Server	Server and services for important software updates This category is intended for whitelist environments.	allow

notempty

Other categories are to be adapted to the requirements of the company

By clicking on Save the filter rule will be added.

Spam Report

Tab Settings section

Spam Report

Email digest

The spam report can inform email users at certain intervals about emails filtered, blocked or quarantined by the UTM. This report can be sent either on a specific day of the week or daily, at a specific time.

Action	Value	Description
Enable reports:	None (Default)	No spam reports will be sent.
	Users	Reports are sent to the users.
	Users and Admin	Reports are sent to the users and an overview is sent to the administrator.
Delivery Condition:	Deliver always (Default)	In any case, a spam report will be sent.
	Not accepted	Quarantined or filtered
	Quarantined or filtered	A spam report will only be delivered if at least one email has been quarantined or filtered.
Alternative Hostname / IP:		If the web interface with the mail server is to be accessed via an external IP or another host name.
Day:	Monday (Default)	This report can be sent either on a specific weekday or Every day .
1. Report	20:00 o'clock	Specifies the time for sending the report.
2.Report 3.Report 4.Report	Disabled	With every day reports, a total of four reports can be sent at specified times.

In order for the report to reach the e-mail user, it is necessary for the e-mail user to be in a group with the 'Spamreport permission.

If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.

Add a group under

The setting for this is made in the menu
→ Authentication →Users Groups + Add Group or Edit under Permissions:

The following sections must be activated here:

Email digest

On activates the creation of the spam report

Userinterface

On The email address can be taken from a directory server such as ActiveDirectory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

The email address can be taken from a directory server such as ActiveDirectory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

In the Mailfilter tab, further settings must be made, including the e-mail address to which reports are sent:

<This function may allow the downloading of viruses and should therefore only be allowed for experienced users!/li> }}

Caption	Default	Description
Email address
support@ttt-point.de		Email accounts that can be viewed by members of this group to control the mail filter. Delete with
Email address		Adding a mail address to the list
Allow downloads of following attachments:	None (Default)	Members of this group can download attachments from mails in the user interface that meet certain criteria.
	Filtered but not quarantined
	Quarantined but not filtered	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
	Quarantined and/or filtered	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
Allow forwarding of following emails:	None (Default)	Members of this group can forward emails in the user interface that meet certain criteria
	Filtered but not quarantined
	Quarantined but not filtered	This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
	Quarantined and/or filtered	This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
Report email address:		Email address to which a spam report is sent. If no entry is made here, the spam report is sent to the first email address in the list. If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address..
Report language:	Default	Default under → Network →Server settings → Firewall → language of reports It can be specifically selected: German or English

UTM v11.8.6 Mailfilter Spamreport-en.png

Spam report to the user.

Disclaimer and hints

Liability
This website was compiled with the greatest possible care. Nevertheless, no guarantee can be given for the correctness and accuracy of the information provided. Any liability for damages arising directly or indirectly from the use of this website is excluded. If this website refers to websites operated by third parties, Securepoint GmbH is not responsible for any content linked or referred from this site.

The following wiki articles may be helpful for setup.

Requirements

General

Global email address

Mail relay

General

Relaying

SMTP routes

Greylisting

Extended

Greeting Pause

Recipient limitations

Other

Mail filter

Filter rules

Filter rule »is classified as SPAM / SMTP«

Filter rule »is classified as suspicious«.

Filter rule »contains a virus«

Filter rule »with content of«

Filter rule »is a bulk email«

Filter rule »Investigate / further investigations are recommended«

Filter rule »was caught by the URL filter«

Filter rule »Word documents based on MIME types«

Filter rule »Excel documents based on MIME types«

Filter rule »Open Office / Libre Office documents based on MIME types«

Filter rule »Office documents based on file extension«

Filter rule »Compressed files based on MIME types«

Filter rule »Compressed files based on extension«

Filter rule »ISO files based on MIME type or extension«

WL_mark or filter attachments

Create whitelist exception rules

Fake sender

Filter rule SPF fail

Filter rule SPF permerror

Filter rule DKIM

Filter rule DMARC quarantine

Filter rule DMARC reject

URL filter

Spam Report

Disclaimer and hints