Description of the mail filter

Last adaptation to the version: 11.8.8 (02.2020)


New:

  • New in 11.8.8: default address for the spam report taken from the AD
  • New in 11.8.7: new mail filter conditions for DKIM, SPF and DMARC results
  • Emails in quarantine can now alternatively be sent as an attachment in a new email
  • The mail filter now supports decoding of sections in Microsoft's proprietary TNEF format


Previous versions: 11.7 | 11.8 | 11.8.6


Introduction

In order to determine whether an incoming mail is spam, the POP3 proxy, mail relay and mail connector can pass incoming emails to the mail filter. The mail filter consists of the Cyren scan daemon, the ClamAV antivirus, the Securepoint content filter and a URL filter. If a web link is found within the email which matches the URL filter or which is recognized by the content filter, a freely editable replacement message appears instead of the content section of the email. By using the Mail Connector, it is possible to check emails fetched with IMAP as well as the two encrypted variants through the mail filter in addition to POP3. The UTM mail archive stores mails that have been quarantined by a filter rule.
Emails forwarded and delivered by the UTM (HAM) are not kept in the mail archive unless this option is explicitly activated.

Requirement

Note: For the mail filter to receive mails, the POP3 proxy, the mail relay or the mail connector must be configured.

Mailfilter

Filter Rules


Overview

The filter rules are used to decide how to proceed with emails for which defined properties have been recognized. UTM is able to retrieve emails from a mail server via the protocols POP3 and IMAP and their encrypted variants POP3S and IMAPS and to check them for spam and malware using the mail filter. A distinction is also made between the protocols POP3 and SMTP. If the mail relay is used, the protocol is SMTP. If the POP3 proxy is used, the POP3 protocol is selected.


Configuration



With + Add rule a new filter rule is created.

A unique Rule name must be assigned.

The Rules with and/or operator determines

  • whether all conditions must be fulfilled (and)
  • or whether it is sufficient if only one condition of the filter rule is fulfilled (or).


Filtering according to the following conditions is possible:

If an email is received:

Condition / Operator / Criterion

protocol
    Operator: is / is not
    Criterion: SMTP, Mail-Connector, POP3

source host
    Operator: is / is not / is in / is not in / matches regexp (see the Wiki article about Regex) / ends with / ends not with
    Criterion: any value

destination host
    as for source host

sender
    as for source host

recipient
    as for source host

header field
    additionally: specification of the header field
    Operators and criterion as for source host
    Note: The header field »from« refers to the sending mail server (Received: from), not to the »Sender« field.

is classified / is not classified as spam

is classified / is not classified as suspicious

is classified / is not classified as bulk

has a virus / has no virus

is captured by urlfilter

with content that
    MIME-Type or Filename; operators and criterion as for source host

DKIM result for domain (new in 11.8.7)
    Enter the domain
    Operator: exists and is / is nonexistent or is not
    Criterion: »fail »pass »temperror

    Prerequisite: the option SPF/DKIM/DMARC checks must be set to On under → Applications → Mailrelay → tab General.
    If elements of an email were signed by a domain (DomainKeys Identified Mail), the mail relay verifies the signature and adds the result to the header of the email. This is done by verifying the signature with the public key published in the DNS of the mail domain.
    The result added to the header is queried at this point. Possible results:

    »fail: Signature invalid
    »pass: Signature valid
    »temperror: mostly an error in DNS resolution; in general, an error that may no longer occur at a later time.

SPF result for domain (new in 11.8.7)
    Enter the domain
    Operator: exists and is / is nonexistent or is not
    Criterion: »fail »neutral »pass »permerror »softfail »temperror

    Prerequisite: the option SPF/DKIM/DMARC checks must be set to On under → Applications → Mailrelay → tab General.
    The owner of a sending domain can list in a TXT record of that domain all computers (servers) authorized to send emails, by host name and IP address. At SMTP level these entries are compared with the Received: from entry of the mail header, and the result is added to the mail header.
    The result added to the header is queried at this point. Possible results:

    »fail: client host explicitly not authorized
    »neutral: no explicit statement made
    »pass: check successful
    »permerror: error (e.g. syntax) in the DNS resource records
    »softfail: not explicitly unauthorized, but not authorized either ("~" qualifier in the DNS RR)
    »temperror: mostly an error in DNS resolution; in general, an error that may no longer occur at a later time.

DMARC result/policy-to-enforce is (new in 11.8.7)
    Criterion: pass / quarantine / reject

    Prerequisite: the option SPF/DKIM/DMARC checks must be set to On under → Applications → Mailrelay → tab General.
    Neither SPF nor DKIM requires any connection between the sending or signing domain and other characteristics of the email (e.g. header fields). This means that anyone who controls the DNS entries of any domain can carry out SMTP transactions that are valid ("pass") in the sense of SPF using the "MAIL FROM" command, or create signatures for that domain that are valid in the sense of DKIM.

    That is why DMARC (https://tools.ietf.org/html/rfc7489) can be used to establish this connection: a DMARC check is only successful if either the SPF or the DKIM check is valid and the domain used matches the domain in the "From" header field of the email (depending on the option, the same domain or a subdomain). In addition, a domain owner can define via DMARC which action (reject, quarantine) should be performed if the check is not successful.
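As an added example (not from the Securepoint wiki or the UTM code), the following Python sketch shows how the DMARC result queried by this condition follows from the SPF and DKIM results plus their alignment with the From domain; the domain names and the simplified organizational-domain logic are assumptions.

```python
"""Added example (not Securepoint's code): evaluate the DMARC check described
above from the SPF and DKIM results the mail relay would already have produced.
Alignment follows RFC 7489 (relaxed = organizational domain match, strict =
exact match). The organizational domain is simplified to the last two labels,
an assumption; real checkers use the Public Suffix List."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 "From" header field
    spf_result: str    # pass / fail / softfail / neutral / permerror / temperror
    spf_domain: str    # domain used in the SMTP "MAIL FROM" command
    dkim_result: str   # pass / fail / temperror
    dkim_domain: str   # signing domain (d= tag) of the DKIM signature


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(r: AuthResults, policy: str, adkim: str = "r", aspf: str = "r") -> str:
    """Return the DMARC result/policy-to-enforce the filter condition queries:
    'pass' when at least one mechanism passed AND is aligned with the From
    domain, otherwise the domain owner's policy ('quarantine', 'reject', or
    'none' when the owner requests no action)."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return "pass" if spf_ok or dkim_ok else policy


# Constructed samples: both SPF and DKIM pass for a third-party domain, but
# neither aligns with the From header, so DMARC fails; a DKIM pass from a
# subdomain of the From domain aligns under the relaxed mode only.
MISALIGNED = AuthResults("example.com", "pass", "third.example", "pass", "third.example")
LEGIT = AuthResults("example.com", "fail", "example.com", "pass", "mail.example.com")
```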


With the + button further criteria for this filter can be added.

Hint: Further configuration information can be found in our Best Practice article on Mail Security.

The following options are available for do action:

Action / Description

Accept email

Reject email
    Important: This option must not be used when using the POP3 proxy!
    Important: When using the Mail-Connector, this function is strongly discouraged. Neither the sender nor the recipient will be notified that the email has been rejected!

Quarantine email and filter it again after (new in 11.8)
    Additional input of the quarantine duration in minutes (default: 30)
    Important: This option must not be used when using the POP3 proxy!

Quarantine email
    The email is held for a predefined time (see Settings) for viewing.
    Important: This option must not be used when using the POP3 proxy!

drop email
    Important: This option must not be used when using the POP3 proxy!

filter email content
    A replacement message is displayed for the applicable section (plain text, HTML text, attachment, etc.).

Mark email in subject with
    Text that is added to the subject so that the mail is identified and can, for example, be moved on the mail server to an appropriate folder.



Whitelist exception rule



A whitelist rule defines the conditions under which a mail is accepted. For a rule to work as a whitelist rule, the order must be set so that this rule takes precedence over the general spam quarantine rule. By clicking and holding the left mouse button on the whitelist rule (pos. 7) in the "Pos." column, this rule is dragged upwards above the general Spam_SMTP filter rule. Once the rule has reached the desired position, the mouse button is released and the whitelist rule is assigned a new position number according to its ranking.

Hint: Further configuration notes can be found in our Best Practice article on Mail Security.
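To make the ordering rule concrete, here is an added example (not the UTM's code) of a minimal evaluator for positioned filter rules with the and/or operator and operators from the conditions table; the message fields and the rule format are assumptions for illustration.

```python
"""Added example (not Securepoint's code): a minimal evaluator for ordered filter
rules with the and/or operator and operators from the conditions table above.
Rules are evaluated by position and the first match decides the action, which is
why a whitelist rule has to sit above the general Spam_SMTP rule. The message
dictionary and rule format are assumptions made for illustration."""
import re
from typing import Callable

Message = dict  # constructed keys: "sender", "dkim", "spam", "virus"


def cond(field: str, op: str, value=None) -> Callable[[Message], bool]:
    """Build one condition; the operators mirror the table."""
    ops = {
        "is": lambda m: m.get(field) == value,
        "is not": lambda m: m.get(field) != value,
        "ends with": lambda m: str(m.get(field, "")).endswith(value),
        "ends not with": lambda m: not str(m.get(field, "")).endswith(value),
        "matches regexp": lambda m: re.search(value, str(m.get(field, ""))) is not None,
        "is classified": lambda m: bool(m.get(field)),
    }
    return ops[op]


def rule(name: str, action: str, operator: str, *conditions) -> dict:
    return {"name": name, "action": action, "operator": operator, "conditions": conditions}


def matches(r: dict, m: Message) -> bool:
    """'and': every condition must hold; 'or': one condition is sufficient."""
    combine = all if r["operator"] == "and" else any
    return combine(c(m) for c in r["conditions"])


def evaluate(rules: list, m: Message) -> tuple:
    """Return (rule name, action) of the first rule matching by position, or
    ('none', 'Accept email') when no rule matches."""
    for r in rules:
        if matches(r, m):
            return r["name"], r["action"]
    return "none", "Accept email"


# Constructed rule set: the whitelist rule is placed above the general spam rule.
RULES = [
    rule("Whitelist_partner", "Accept email", "and",
         cond("sender", "ends with", "@partner.example"),
         cond("dkim", "is", "pass")),
    rule("Spam_SMTP", "Quarantine email", "or",
         cond("spam", "is classified"),
         cond("virus", "is classified")),
]
```

Reversing RULES shows the failure mode the paragraph warns about: the spam rule then wins even for whitelisted senders.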



URL-Filter



The URL filter is used to check whether emails contain web links. If a link that is in this list is recognized in the mail, a replacement message is displayed instead of the entire mail text. Safe URLs can be explicitly allowed here so that they are not rejected by the category filter. (Note the order, as with whitelist filters!)

With the button the URLs can be allowed or blocked.

Wildcards (*) can be used in URLs. Categories are checked against the Securepoint content filter, which is also used by the Webfilter.


Settings

Here it is possible to create a spam report, change the blocking messages and define the criteria according to which the emails are stored in the UTM mail archive.

Email digest


The spam report can inform email users at certain intervals about emails filtered, blocked or quarantined by the UTM. This report can be sent either on a specific day of the week or daily, at a specific time.

Action / Value / Description

Enable reports:
    None (Default): No spam reports will be sent.
    Users: Reports are sent to the users.
    Users and Admin: Reports are sent to the users and an overview is sent to the administrator.

Delivery Condition:
    Deliver always (Default): In any case, a spam report will be sent.
    Not accepted
    Quarantined or filtered: A spam report will only be delivered if at least one email has been quarantined or filtered.

Alternative Hostname / IP:
    If the web interface with the mail server is to be accessed via an external IP or another host name.

Day: Monday (Default)
    This report can be sent either on a specific weekday or Every day.

1. Report: 20:00 o'clock
    Specifies the time for sending the report.
2. Report / 3. Report / 4. Report: Disabled
    With Every day reports, a total of four reports can be sent at specified times.


In order for the report to reach the email user, the user must be in a group with the Spamreport permission.

New in 11.8.8: If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.

Add a group under → Authentication → Users

The setting for this is made in the menu → Authentication → Users, tab Groups, + Add Group or Edit, under Permissions:

The following permissions must be activated here:

Email digest: On
    activates the creation of the spam report
Userinterface: On

The email address can be taken from a directory server such as Active Directory or LDAP if the UTM is connected to it. Otherwise, the user must be created with his email address on the UTM.

In the Mailfilter tab, further settings must be made, including the e-mail address to which reports are sent:











































Caption / Default / Description

Email address: support@ttt-point.de
    Email accounts that can be viewed by members of this group to control the mail filter.
    Delete with the corresponding button.
    + Email address: adds a mail address to the list.

Allow downloads of following attachments: None (Default)
    Members of this group can download attachments from mails in the user interface that meet certain criteria.
    Filtered but not quarantined
    Quarantined but not filtered: This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
    Quarantined and/or filtered: This function may allow the downloading of viruses and should therefore only be allowed for experienced users!

Allow forwarding of following emails: None (Default)
    Members of this group can forward emails in the user interface that meet certain criteria.
    Filtered but not quarantined
    Quarantined but not filtered: This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
    Quarantined and/or filtered: This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!

Report email address:
    Email address to which a spam report is sent. If no entry is made here, the spam report is sent to the first email address in the list.
    New in 11.8.8: If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.

Report language: Default
    Default: the language set under → Network → Server settings → tab Firewall → Language of reports. German or English can also be selected specifically.


Spam report to the user.



Replacement messages


Here you define the texts to be displayed instead of the blocked email section (plain text, formatted text or attachment). With the editing tool the texts can be changed.

Type / Default message / Description

Content-Blocking
    Default message: The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    Text for emails that have been blocked because of their content or attachment.

URL-Filter
    Default message: The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    Text for emails that have been filtered because of the URLs they contain.

Virus-Blocking
    Default message: The content is rejected due content restrictions. If you think this is incorrect, please contact the IT Service Desk.
    Text for emails that have been blocked due to virus detection.




Mailarchive


Specifications on how emails are stored in the quarantine archive of the UTM.

Criterion / Action / Default / Description

Maximum number of emails: 1024
    Specifies how many mails are held locally on the UTM.

Maximum email age: 7 days
    Defines the retention time.

Maximum archive size: 128 megabytes
    Specifies the storage space available for mails. When the limit is reached, the oldest mails are deleted.

Save all email transactions: Off
    When activated, the meta information on unobjectionable mails is saved in addition to the complete filtered and rejected mails.

Deliver again as attachment (new in 11.8.6): Off
    Emails in quarantine can alternatively be sent as an attachment in a new email.

Activate TNEF decoding (new in 11.8.6): Off
    When activated, emails whose formatted body elements or attachments have been encoded by Microsoft Outlook in the proprietary TNEF format can be captured by the mail filter.


Conclusion

Finish the configuration with Save and Close