Configuration of the mailrelay
Last adaptation to the version: 12.6.0
New: This article refers to a Resellerpreview

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Applications / Mailrelay

Configuration of the Mailrelay

The Securepoint UTM appliance can receive emails via the mailrelay and forward them to a mail server in the internal network. The mail relay checks each received email and assigns it to a category; the category decides whether the email is forwarded to the internal mail server or not.
To protect against spam and to relieve the Mailfilter, further options can be configured. More than 90% of spam does not originate from regular mail servers but from private and office computers compromised by viruses and Trojans. Against this kind of sender, checking the recipient address, greylisting and the greeting pause have proven to be effective.



Preconditions

Settings on the provider side

In order to ensure smooth participation in mail traffic, a number of requirements must be met:

  • The UTM must have a fixed IP address (e.g. 195.4.169.36).
  • An A record on the DNS provider's server resolves to this IP address. Example queries for the A record:

    >nslookup -q=a ttt-point.de
    Server: UnKnown
    Address: 192.168.175.1

    Non-authoritative answer:
    Name: ttt-point.de
    Address: 195.4.169.36

    host -t a ttt-point.de
    ttt-point.de has address 195.4.169.36

  • An MX record on the DNS provider's server points to a host name that resolves to this address. Example queries for the MX record:

    >nslookup -q=mx ttt-point.de
    Server: UnKnown
    Address: 192.168.175.1

    Non-authoritative answer:
    ttt-point.de MX preference = 10, mail exchanger = mx01.ttt-point.de

    host -t mx ttt-point.de
    ttt-point.de mail is handled by 10 mx01.ttt-point.de.

  • A PTR record exists on the Internet provider's server that resolves the IP address back to the host name used in the MX record (reverse DNS). Example queries for the PTR record:

    >nslookup -q=ptr 195.4.169.36
    Server: UnKnown
    Address: 192.168.175.1

    Non-authoritative answer:
    36.169.4.195.in-addr.arpa name = mx01.ttt-point.de

    host -t ptr 195.4.169.36
    36.169.4.195.in-addr.arpa domain name pointer mx01.ttt-point.de.


These are all settings that have to be made by the provider and NOT on the Securepoint Appliance!
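The three preconditions above can be checked together before the relay goes live. The following is an added example, not part of the article or of Securepoint's software: it verifies that the A record, the MX target and the PTR record all agree on the UTM's address (forward-confirmed reverse DNS). The lookup tables are constructed stand-ins for the nslookup/host results shown above so the check runs offline; the function name `check_mail_dns` is this example's own.

```python
import ipaddress

# Constructed sample zone data mirroring the article's example values;
# in practice these would be filled from real resolver queries.
A_RECORDS = {"ttt-point.de": "195.4.169.36", "mx01.ttt-point.de": "195.4.169.36"}
MX_RECORDS = {"ttt-point.de": [(10, "mx01.ttt-point.de")]}
PTR_RECORDS = {"195.4.169.36": "mx01.ttt-point.de"}


def check_mail_dns(domain, utm_ip, a=A_RECORDS, mx=MX_RECORDS, ptr=PTR_RECORDS):
    """Return a list of problems with the A/MX/PTR setup; [] means all good.

    domain: the mail domain (e.g. ttt-point.de); utm_ip: the fixed address
    of the UTM. a/mx/ptr are name -> value lookup tables (see above).
    """
    problems = []
    if not ipaddress.ip_address(utm_ip).is_global:
        problems.append(f"{utm_ip} is not a public address")

    # Precondition 1: an A record of the domain resolves to the UTM.
    if a.get(domain) != utm_ip:
        problems.append(f"A record of {domain} does not point to {utm_ip}")

    # Precondition 2: the MX host(s), lowest preference first, resolve to the UTM.
    mx_hosts = [host for _pref, host in sorted(mx.get(domain, []))]
    if not mx_hosts:
        problems.append(f"no MX record for {domain}")
    for host in mx_hosts:
        if a.get(host) != utm_ip:
            problems.append(f"MX host {host} does not resolve to {utm_ip}")

    # Precondition 3: reverse DNS of the UTM address names the MX host, and that
    # name resolves forward to the same address (forward-confirmed reverse DNS).
    ptr_name = ptr.get(utm_ip)
    if ptr_name is None:
        problems.append(f"no PTR record for {utm_ip}")
    elif ptr_name not in mx_hosts:
        problems.append(f"PTR of {utm_ip} is {ptr_name}, not one of the MX hosts")
    elif a.get(ptr_name) != utm_ip:
        problems.append(f"PTR name {ptr_name} does not resolve back to {utm_ip}")
    return problems


if __name__ == "__main__":
    for line in check_mail_dns("ttt-point.de", "195.4.169.36") or ["all preconditions met"]:
        print(line)
```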

Note:
Since a certain amount of storage space must be available for rejected mails and for mails that could not yet be delivered to the internal mail server, the hardware recommendations must be observed without fail!

Figure: UTM mailrelay with an internal mail server
  • Email is sent
  • DNS MX record points to the UTM
  • Email is delivered to the UTM and processed (mail filter, greylisting, etc.)
  • UTM delivers the email to the internal mail server (according to the path under Applications / Mailrelay / SMTP routes)
  • Email query from the internal network
  • Query is forwarded to the mail server that was specified as the SMTP route

Figure: UTM mailrelay with an external mail server
  • Email is sent
  • DNS MX record points to the UTM
  • Email is delivered to the UTM and processed (mail filter, greylisting, etc.)
  • UTM delivers the email to the external mail server (according to the path under Applications / Mailrelay / SMTP routes)
  • Email query from the internal network
  • Query is forwarded to the mail server that was specified as the SMTP route

  • In both scenarios the DNS A record must point to the fixed IP address of the UTM


Set of rules

To allow access to the mail relay, the hosts authorized to send mail must be allowed access to the corresponding interface of the Securepoint appliance (depending on the zone in which the hosts are located) via the SMTP protocol. Depending on the requirements, this can be a single host (e.g. the mail server), a group of hosts or the entire network. It is important that all applications that are to send mails via the mail relay have the corresponding firewall interface entered as SMTP server or smarthost.
For example, to allow the internal network access to the mail relay, the set of rules can be created with the predefined network groups (Firewall / Packetfilter):

#  Source            Destination         Service  Action  Active
1  internet          external-interface  smtp     Accept  On
2  internal-network  internal-interface  smtp     Accept  On

The first rule accepts incoming mails from the Internet on the external interface:
Active: On                        Activate the rule so that the portfilter takes effect
Source: internet                  Select internet as the source
Destination: external-interface   Select external-interface as the destination
Service: smtp                     Select smtp as the service
Action: Accept                    Mails that meet the conditions are accepted and forwarded
Logging: None - Do not log        Logging is not required
Group: default                    The portfilter rule can be assigned to a group

The second rule allows the internal network (e.g. Outlook clients) to send mails to the mail relay:
Active: On                        Activate the rule so that the portfilter takes effect
Source: internal-network          Select internal-network as the source
Destination: internal-interface   Select internal-interface as the destination
Service: smtp                     Select smtp as the service
Action: Accept                    Mails that meet the conditions are accepted and forwarded
Logging: None - Do not log        Logging is not required
Group: default                    The portfilter rule can be assigned to a group

Note:
If there is no other connection available besides the Internet connection with the IP over which the mail is sent, it must be ensured that ONLY the mail server is allowed to send mail via SMTP. Otherwise a single computer in the network compromised by a Trojan could seriously disrupt the sending of mails or even make it completely impossible, because it spreads spam and malware with the public IP, which is then listed on the corresponding spam blocklists within a very short time.

Important:
There must be no port forwarding for SMTP. This would forward the mails past the mail relay!


Email address

Under Network / Appliance Settings / Global email address: a postmaster address should be configured. Otherwise undeliverable mails remain on the disk. This can cause the available storage to become insufficient at some point, so that no more mails are accepted.




Basic configuration of the mailrelay for receiving mails

The configuration of the mailrelay takes place under Applications / Mailrelay.



General

General settings of the mailrelay (Applications / Mailrelay / General):

Activate mail filter: On
    Activates the mail filter.
SASL authentication: Off
    Enables SASL authentication when activated.
Postmaster Address: admin-mail@anyideas.de
    A valid email address must be stored here. This address is configured in the Network / Appliance Settings dialog in the Global email address field; changes are only possible there.
Maximum message size: 20 Megabytes
    Maximum size of the mails, in megabytes, accepted by the mail relay. A rejection is reported in the mail filter view of the user interface.
Preferred protocol for outbound email: No preference
    Specifies whether the mail relay should preferentially establish outgoing connections with a certain protocol. This setting should only be changed from its default in special cases (e.g. IPv4 behind NAT) and if problems delivering mail arise.
    IPv4: IPv4 is preferred as protocol (e.g. IPv4 behind NAT)
    IPv6: IPv6 is preferred as protocol
Outgoing Address: (none)
    With multipath routing, an outgoing interface can be specified here by its IP address. Communication from the internal network then also runs via this IP address. Further settings must be made on the mail server and its firewall in order to accept mails from this IP address.
SPF/DKIM/DMARC checks: Off
    When set to On, enables filtering on the corresponding SPF/DKIM/DMARC results in Mailfilter rules and adds an RFC 8601 Authentication-Results header to the email. The checks are not performed for mails sent by SASL-authenticated users or for mails coming from "trusted hosts", i.e. hosts that have an entry in the relaying list with action RELAY and option "Connect" or no option.
    Further information in the article about the Mailfilter.




Smarthost

Settings for a Smarthost are only required if outgoing mails have to be sent via such a host. This is the case, for example, if no own mail server is operated or no fixed public IP address is available.

Smarthost settings of the mailrelay (Applications / Mailrelay / Smarthost):

Enable Smarthost: On
    Activates the Smarthost function.
Smarthost: smtp.anyideas.de
    Mail server that is to receive and send the outgoing mails (sample address).
Port: 587
    Mail port of the external mail server.
    25: default port for SMTP (default)
    465: default port for implicit TLS
    587: default port for STARTTLS
Use implicit TLS: Off
    Off: By default (deactivated), a connection is first established via SMTP and then an attempt is made to initiate TLS encryption with the remote host (STARTTLS).
    On: When activated, the connection is first encrypted with TLS before SMTP communication is established. If the remote host does not support TLS, no connection is established. The TLS version is configured under Authentication / Encryption.
Smarthost Verification: None
    None: There is no verification of the smarthost.
    pki: The smarthost certificate is verified against the installed root CAs or a self-signed CA.
    CA: SystemCAs (Default): Alternatively, a CA (previously created or imported under Authentication / Certificates) can be selected for the verification.
    dane: Authenticates and uses TLS with DANE-compliant servers, if offered.
Enable Authentication: On
    Enables authentication on the smarthost mail server. TLS/SSL encryption is required for authentication.
User: Credentials
    The user for the Smarthost.
Password: Credentials
    The corresponding password. A button displays the entered password.


Relaying

Relaying list

Here it is configured which mails are accepted by the Securepoint appliance and forwarded to the internal mail server. Relaying can be allowed for certain hosts or certain domains.
Add an entry with the button Add Domain / Host.

Specification of the following values (dialog Add Domain / Host):

Domain: anyideas.de
    Email domain name or IP address.
Option: NONE
    NONE: The action is applied to all events.
    From: The sender domain is evaluated. Example: Domain: ttt-point.de applies to all mails with the domain ttt-point.de in the sender address.
        Note: Since the sender domain can easily be faked, this option should only be used after careful examination.
    To: The recipient domain is evaluated. Example: Domain: anyideas.de applies to all mails with the domain anyideas.de in the recipient address.
    Connect: The IP, hostname or domain of the mail server that wants to deliver the mail is evaluated. Example: Domain: ttt-point.de applies to all mails from mail servers in the domain ttt-point.de, regardless of the sender or recipient of the mail.
Action: RELAY
    RELAY: Mails that meet the relevant conditions are accepted and forwarded.
    REJECTED: Mails are rejected.
    OK: Mails are accepted and delivered to a local mailbox, but not forwarded.

In order to relay all mails intended for recipients of your own domain, the following entry must be configured:

Add Domain / Host
Domain: anyideas.de
Option: To
Action: RELAY


Settings

Use exact domain name for relaying: On
    On: The relay reacts only to the domain name entered in the list and not to unregistered subdomains or extensions.
    Example: Domain entered in the relay list: anyideas.de

    Accepted by the mailrelay with On:   @anyideas.de
    Accepted by the mailrelay with Off:  @anyideas.de, @support.anyideas.de, @anyideas.de.com
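To make the relaying list and the exact-domain setting concrete, here is an added example (my code, not Securepoint's) of how such a decision can be modelled: entries with the options NONE, From, To and Connect are evaluated against a mail's sender, recipient and connecting client, and the exact switch toggles between identical-domain matching and the looser matching shown in the table above. Two assumptions are mine: the first matching list entry wins, and NONE means the entry is tested in every position; the names `RelayEntry` and `relay_decision` are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayEntry:
    """One row of the relaying list (Add Domain / Host)."""
    domain: str   # email domain, host name, IP address or network
    option: str   # "NONE", "From", "To" or "Connect"
    action: str   # "RELAY", "REJECTED" or "OK"


def domain_matches(entry_domain, candidate, exact):
    """Exact mode: the domains must be identical. Otherwise, following the
    article's table (support.anyideas.de and anyideas.de.com are accepted
    for the entry anyideas.de), the entry only has to occur in the candidate."""
    entry_domain, candidate = entry_domain.lower(), candidate.lower()
    return candidate == entry_domain if exact else entry_domain in candidate


def host_matches(entry_domain, client_ip, client_name, exact):
    """Connect criterion: an IP/network entry is matched against the client
    address, any other entry against the client's host name."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry_domain, strict=False)
    except ValueError:
        return domain_matches(entry_domain, client_name, exact)


def relay_decision(entries, sender, recipient, client_ip, client_name, exact=True):
    """Return the action of the first matching entry (assumption: list order
    wins), or 'REJECTED' when no entry matches, so the relay is never open."""
    sender_domain = sender.rsplit("@", 1)[-1]
    recipient_domain = recipient.rsplit("@", 1)[-1]
    for entry in entries:
        option = entry.option.upper()
        if option == "FROM":
            hit = domain_matches(entry.domain, sender_domain, exact)
        elif option == "TO":
            hit = domain_matches(entry.domain, recipient_domain, exact)
        elif option == "CONNECT":
            hit = host_matches(entry.domain, client_ip, client_name, exact)
        else:  # NONE: the entry applies to every position (assumption)
            hit = (domain_matches(entry.domain, sender_domain, exact)
                   or domain_matches(entry.domain, recipient_domain, exact)
                   or host_matches(entry.domain, client_ip, client_name, exact))
        if hit:
            return entry.action.upper()
    return "REJECTED"


# Constructed relaying list: inbound mail for the own domain (the article's
# example entry) plus the internal mail server network from the outgoing example.
RELAY_LIST = [
    RelayEntry("anyideas.de", "To", "RELAY"),
    RelayEntry("192.0.2.0/30", "None", "RELAY"),
]

if __name__ == "__main__":
    for exact in (True, False):
        for rcpt in ("user@anyideas.de", "user@support.anyideas.de", "user@anyideas.de.com"):
            verdict = relay_decision(RELAY_LIST, "x@ttt-point.de", rcpt, "203.0.113.5", "mx.ttt-point.de", exact)
            print(f"exact={exact!s:5} {rcpt:28} -> {verdict}")
```

The last test below shows why the article warns about the From option: a From entry accepts a mail that merely claims the trusted sender domain, whatever client delivers it.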



TLS Settings

TLS encryption as server: On
    If TLS is deactivated, mails are transmitted over unencrypted connections!
Certificate: default
    The mailrelay uses a self-signed certificate for transport encryption. Optionally, a certificate whose CN corresponds to the UTM host name can be imported under Authentication / Certificates.
TLS authentication as client: may
    may: Uses TLS if it is offered.
    encrypt: Always uses TLS. Connections to servers that do not offer TLS are cancelled.
    dane: Authenticates and uses TLS with DANE-compliant servers, if offered.


SMTP Routes

SMTP Routing List

Here you have to set to which mail server a received mail is to be forwarded (Applications / Mailrelay / SMTP Routes). If this is not configured, the mail relay evaluates the MX record of the recipient domain, which points to the relay itself! A so-called "loopback" is then detected, which cancels the acceptance of the mail with a corresponding error message. Further domains can be forwarded to the same or to other mail servers.
With the button + Add SMTP-Routing further routes are created.

Required information:
Domain: anyideas.de (or the corresponding mail domain)
Mailserver: either as FQDN or as IP address


Settings

In this section the verification of the destination email address can be configured. It causes mails to unknown recipients to be rejected. On the one hand, the attempt to deliver spam to "invented" recipients is effectively prevented; on the other hand, legitimate senders receive feedback that their mail could not be delivered, for example because they mistyped the recipient address.

Email address validation: Off
    Off: There is no verification of email addresses. An attempt is made to deliver all mails.
    SMTP: The Securepoint appliance queries the internal mail server in the background.
        Note: The validation must also be active on the mail server! (Recipient Verification, e.g. with an Exchange server.)
    LDAP: The Securepoint appliance queries, for example, the Active Directory server. For validation via LDAP, the corresponding server must be configured under Authentication / AD/LDAP Authentication. The user does not necessarily have to be the administrator; a user with read privileges is sufficient.
    Local email address list: A list of accepted mail recipients can also be created locally. Add email Address adds mail addresses to this list.



Signing

Outgoing emails can be signed using DomainKeys Identified Mail (DKIM). The selected header fields and the body are signed separately, so that forwarding a mail via a mail server that changes other parts of the mail header does not destroy the signature.

General (Applications / Mailrelay / Signing):

DKIM Sign: On
    When activated, DKIM signing can be used.
Sign local email: On (new as of v12.5.1)
    Mails originating from the UTM itself are signed with DKIM.
Maximum processes: 2
    Controls the global number of concurrent connections to the mail relay (and attached filtering and anti-spam processes).

Domains
Add default configuration
    Adds a default configuration. For this purpose, an RSA key is generated (Selector) and assigned to each mail domain entered as an SMTP route.
Add
    Adds a domain name record.
Opens / closes the overview that shows the selectors of a domain that are used for signing.
Removes a selector from a domain entry.
Displays the DNS Settings:
    Plain text: No
        With Yes, the DNS settings are displayed in one window. If a separate authoritative DNS server is operated, this value can be copied directly into a BIND zone file.
    Subdomain
        Copies the entry to the clipboard, to assign the subdomain at the DNS hoster.
    TXT Record
        Copies the entry to the clipboard, to assign the record at the DNS hoster. This is the public part of the RSA key, which must be stored in the TXT record of the mail domain. It can also be found in the menu Authentication / RSA keys / Public part (of the corresponding key) / PEM format.
Edits the respective domain name.
Deletes the entry.

DKIM Selectors
Add
    Adds a DKIM selector to the active (blue highlighted) domain entry.
Edit
    Edits the entry.
Name: selector-2020-02-13-1
    Name of the selector.
RSA Key: Key name
    Select an existing key or create a new key pair with the button.
Hash algorithm: sha256
    Algorithm used.
Advanced settings
Email Header Canonicalization: relaxed
    relaxed: Canonicalize the email headers. Since various sources (like relaying mail servers) might alter the email headers, a canonicalized version of those headers is used before creating the signature and also before validating it; the headers themselves stay unaffected. This makes the digital signing more reliable.
    simple: Do not canonicalize the email headers.
Email Body Canonicalization: relaxed
    relaxed: Remove trailing blank lines and clean up whitespace. Since various sources (like relaying mail servers) might alter the email body, a canonicalized version of the body is used before creating the signature and also before validating it; the body itself stays unaffected. This makes the digital signing more reliable.
    simple: Remove trailing blank lines only.
Sign default email headers: Yes
    Default: h=From:Reply-To:Subject:Date:To:Cc:Resent-Date:Resent-From:Resent-To:Resent-Cc:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
Email headers to be signed: From, Date, Subject, To, List-Unsubscribe, List-ID
    Email headers to be signed.
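The canonicalization settings above decide whether a signature survives a relaying server that re-folds or re-cases headers. The following added example (my code, not the UTM's implementation) applies the relaxed and simple rules of RFC 6376 to headers and body, computes the bh= body hash, and assembles the header input in the order of the default h= list; the RSA signature step and the DKIM-Signature field itself are left out. The two message variants are constructed sample data.

```python
import base64
import hashlib
import re

# Default header list from the "Sign default email headers" setting above.
DEFAULT_H = ("From:Reply-To:Subject:Date:To:Cc:Resent-Date:Resent-From:Resent-To:"
             "Resent-Cc:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:"
             "List-Subscribe:List-Post:List-Owner:List-Archive")


def canon_header(name, value, mode="relaxed"):
    """Canonicalize one header field (RFC 6376 3.4.1 / 3.4.2), without CRLF."""
    if mode == "simple":
        return f"{name}:{value}"                       # verbatim, folding and case included
    value = re.sub(r"\r?\n[ \t]*", " ", value)         # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # squeeze WSP, trim both ends
    return f"{name.strip().lower()}:{value}"


def canon_body(body, mode="relaxed"):
    """Canonicalize the body (RFC 6376 3.4.3 / 3.4.4); the result uses CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # squeeze runs of WSP inside a line and drop trailing WSP
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":                    # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"      # empty body: relaxed "", simple CRLF
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="relaxed"):
    """The bh= tag of the DKIM-Signature: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canon_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_header_block(headers, h_list=DEFAULT_H, mode="relaxed"):
    """Header input to the signature: fields in h= order, the last instance of
    each name taken first, names absent from the message skipped."""
    remaining = list(headers)
    out = []
    for wanted in h_list.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted.lower():
                name, value = remaining.pop(i)
                out.append(canon_header(name, value, mode))
                break
    return "".join(line + "\r\n" for line in out)


# Constructed message as sent by the UTM, and the same message after a relaying
# server re-folded the To: field, changed header name case and squeezed a space.
ORIGINAL = [("From", "Alice <alice@anyideas.de>"),
            ("To", "bob@ttt-point.de, carol@ttt-point.de"),
            ("Subject", "Quarterly  report"),
            ("Date", "Thu, 13 Feb 2020 10:00:00 +0100")]
RELAYED = [("from", "Alice <alice@anyideas.de>"),
           ("TO", "bob@ttt-point.de,\r\n\tcarol@ttt-point.de"),
           ("Subject", "Quarterly report"),
           ("Date", "Thu, 13 Feb 2020 10:00:00 +0100")]


def signature_survives(mode):
    """True if the signed header input is identical before and after relaying."""
    return signed_header_block(ORIGINAL, mode=mode) == signed_header_block(RELAYED, mode=mode)


if __name__ == "__main__":
    for mode in ("relaxed", "simple"):
        print(f"{mode}: header input unchanged after relaying -> {signature_survives(mode)}")
```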



Optional Settings

The following settings are recommended, but not mandatory for operation:

Greylisting

Greylisting causes the delivery attempt of an unknown mail server to be rejected at first. Spambots usually do not make any further delivery attempt, so the delivery of spam is prevented before the mail even has to pass through the spam filter engine. A regular mail server, on the other hand, will make another, then successful, delivery attempt after a certain period of time.
The following configurations are possible (Applications / Mailrelay / Greylisting):

Allowlist
IP / Networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
    The defaults are the private IP address ranges and the loopback range. By clicking into the input box, further networks and single hosts can be added (e.g. 203.0.113.113/32).
Domains:
    Domains of single mail servers can be added here, e.g. smtp.anyideas.de. The domain of the mail server does not have to be identical with the email domain of the sender. Example: Sender user@ttt-point.de sends via the mail server smtp.anyideas.de.
Recipient:
    Individual recipients can be added here, e.g. MailUser@ttt-point.de.
Sender:
    Individual senders can be added here.

Settings
Greylisting: Off
    On activates the function. Delivery attempts from unknown mail servers are initially rejected.
SPF: Off
    If On is activated and the Sender Policy Framework record of the sender domain is correctly entered in the DNS, the mail is delivered without delay.
Add header: Yes
    By default, an additional greylisting entry is added for each recipient listed in the mail header. This can cause problems in case of many recipients. With No, no greylisting headers are inserted.
Automatic allowlisting for: 7 Days (Default)
    For this period, after a successful delivery, mails are accepted immediately.
Delay: 2 Minutes (Default)
    The period of time that must elapse before a renewed delivery attempt by the sending mail server is accepted.

Subnet Match
Subnet mask IPv4: 32
    Instead of the sending server having to have exactly the same IP address as before, this can be changed so that, for example, only the first 2 or 3 octets have to match. This enables allowlisting even if the sender has several mail servers.
    Possible values (only one value can be entered):
    32: Single host
    24: Subnet, with match of the first three octets
    29: Any value via keyboard input
Subnet mask IPv6: 128


  • Depending on the configuration of the sending mail server, the re-delivery may be delayed by much more than the configured period (default 2 minutes), in extreme cases by several hours. In this case, senders or recipients of particularly time-critical emails can be entered manually in the allowlist.

  • If a larger delay value, e.g. 30 minutes, has been selected, the scan engine may detect new outbreaks with a higher probability when the mail is re-delivered, because virus signatures may have been updated in the meantime.
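The interplay of delay, automatic allowlisting and subnet match described above can be traced with the following added example (my model, not Securepoint's implementation). It keeps the usual greylisting triplet of client network, sender and recipient, uses the article's defaults (2 minutes, 7 days, /32 and /128) and the default private allowlist; the SPF bypass and the greylisting header are left out. One assumption is mine: after a successful retry, the automatic allowlisting applies to the client network as a whole.

```python
import ipaddress
from dataclasses import dataclass, field

# Default "IP / Networks" allowlist from the article: private ranges and loopback.
PRIVATE_DEFAULTS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")


@dataclass
class Greylist:
    """Greylisting state with the article's defaults; times are Unix seconds."""
    delay: int = 2 * 60                  # Delay: 2 minutes
    auto_allow: int = 7 * 24 * 3600      # Automatic allowlisting for: 7 days
    mask_v4: int = 32                    # Subnet mask IPv4
    mask_v6: int = 128                   # Subnet mask IPv6
    allow_nets: list = field(default_factory=lambda: [ipaddress.ip_network(n) for n in PRIVATE_DEFAULTS])
    allow_domains: set = field(default_factory=set)     # names of sending mail servers
    allow_recipients: set = field(default_factory=set)
    allow_senders: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # (client net, sender, recipient) -> first seen
    auto: dict = field(default_factory=dict)      # client net -> allowlisted until

    def client_net(self, client_ip):
        """Apply the Subnet Match mask, so that e.g. /24 treats a sender's
        several mail servers within one /24 as the same client."""
        addr = ipaddress.ip_address(client_ip)
        mask = self.mask_v4 if addr.version == 4 else self.mask_v6
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    def check(self, now, client_ip, client_name, sender, recipient):
        """Return 'ACCEPT' or 'DEFER' (a 4xx reply asking the client to retry)."""
        addr = ipaddress.ip_address(client_ip)
        if (any(addr in net for net in self.allow_nets)
                or client_name.lower() in self.allow_domains
                or sender.lower() in self.allow_senders
                or recipient.lower() in self.allow_recipients):
            return "ACCEPT"                        # static allowlist: never delayed
        net = self.client_net(client_ip)
        if self.auto.get(net, 0) > now:
            return "ACCEPT"                        # earned by an earlier successful retry
        key = (net, sender.lower(), recipient.lower())
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now                # unknown triplet: reject for now
            return "DEFER"
        if now - first_seen < self.delay:
            return "DEFER"                         # retried too early, keep waiting
        del self.pending[key]
        self.auto[net] = now + self.auto_allow     # assumption: allowlisting per client network
        return "ACCEPT"


if __name__ == "__main__":
    g = Greylist()
    for t in (0, 60, 120, 200):
        print(t, g.check(t, "203.0.113.10", "mx.example.org", "a@ttt-point.de", "b@anyideas.de"))
```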

Domain Mapping

Domains can be mapped so that incoming mails to e.g. user@anyideas.net are also received under user@anyideas.de.

With Add Domain Mapping the mapping between two domains can be activated. To do this, a Source-Domain: and a Destination Domain: must be specified.


Advanced Settings

Here some further options to avoid spam can be found, each of which can be activated individually (Applications / Mailrelay / Advanced):

Greeting Pause
Status: On
    Activates the function.
Duration: 2 Seconds (default value)
    Time by which the mail relay delays the greeting message. If the connected client sends SMTP commands before this time has elapsed, its request is rejected at the RCPT TO command with a "Protocol Error".
    Exceptions can be defined as network or host IP addresses for known mail servers. Mail servers that wait successfully are also automatically allowlisted for one day.

Recipient Restriction
Status: Off
Limit: 25 Recipients

Restriction per client
Enable connection limits: Off
    Exceptions can be defined as network or host IP addresses for known mail servers.
    Configuration if a single mail server (identified by its IP address) is to establish a maximum of one connection to the UTM appliance and a maximum of 5 connections per minute in succession:
Allowed connections: 1
    Number of (client) connections per connected mail server.
Enable rate control: Off
    Limits the number of (client) connections per connected mail server within a time frame.
Time frame: 60 seconds
Connections per time frame: 5

Others
HELO required: On
    Should absolutely remain activated (default). This switch exists only to ensure backward compatibility.
Require reverse DNS lookup: Off
    Requires a reverse lookup (PTR record) to exist for connected mail servers. The forward lookup of that name must return the IP address.
Accept unresolvable domains: Off
    Allows sender addresses whose domain cannot be resolved via DNS.
Maximum processes: 10
    Controls the global number of concurrent connections to the mail relay (and attached filtering and anti-spam processes).



Configuration of the mailrelay for outgoing mails

To make sure that no spam or malware can be sent from your own network, the mail relay can also be used for outgoing mails.

Set of rules

To allow access to the mail relay, the hosts authorized to send mail must be allowed access to the corresponding interface of the Securepoint appliance (depending on the zone in which the hosts are located) via the SMTP protocol. Depending on the requirements, this can be a single host (e.g. the mail server), a group of hosts or the entire network. It is important that all applications that are to send mails via the mail relay have the corresponding firewall interface entered as SMTP server or smarthost.
For example, to allow the internal network access to the mail relay, the set of rules can be created with the predefined network groups (Firewall / Packetfilter):

#  Source            Destination         Service  Action  Active
1  internet          external-interface  smtp     Accept  On
2  internal-network  internal-interface  smtp     Accept  On

If only the mail server is to be able to send mails, it must first be created as a network object (Firewall / Add network object, e.g. "Mailserver"). This object can then be used in the firewall rule (Firewall / Packetfilter):

#  Source            Destination         Service  Action  Active
3  internet          external-interface  smtp     Accept  On
4  Mailserver        internal-interface  smtp     Accept  On

Active: On                        Activate the rule so that the portfilter takes effect
Source: Mailserver                Select Mailserver (the network object created above) as the source
Destination: internal-interface   Select internal-interface as the destination
Service: smtp                     Select smtp as the service
Action: Accept                    Mails that meet the conditions are accepted and forwarded
Logging: None - Do not log        Logging is not required
Group: default                    The portfilter rule can be assigned to a group

If a certain group of computers in the internal network is to be allowed to use the mail relay, these computers must be created as network objects. These can then be combined in a group (e.g. "SMTP Authorized").

Configuration Relaying

In order for the mailrelay to accept mails from the internal network or from the mail server, the settings in the Relaying tab must be supplemented by a corresponding entry. The network address of the corresponding subnet or the IP address of the relevant computer serves as the criterion:

+ Add Domain / Host
Domain: 192.0.2.0/30 or 192.0.2.192
    Note: These are sample IPs for the internal mail servers. They have to be replaced by the individual addresses!
Option: None
Action: Relay

Conclusion

The UTM can now check incoming and outgoing mails for spam and viruses.