Endian banner

SMTP

The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.

Note

While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.

The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for the outgoing e-mails. It will also be used if an mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and the e-mails can be sent from outside the local network (incoming requests) through t hat mail server, that is, when clients are allowed to send e-mails from the RED interface.

In order to download mail from a remote mailserver to a local e-mail client, the POP3 or IMAP protocol are used. In order to protect that traffic too, enable the POP3 proxy in Menubar ‣ Proxy ‣ POP3.

Warning

Scanning of IMAP traffic is currently not supported.

With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary and in that case both the receiving user and the administrator are notified. With the possibility to scan incoming e-mails, the e-mail proxy can handle incoming connections from the RED interface and pass the e-mail to one or more internal mail servers. Hence, it is possible to run an own mail server behind the firewall without the need to define appropriate port forwarding rules.

The SMTP proxy configuration options are grouped into tabs, each for a different part of the SMTP proxy.

Configuration

This is the main configuration page for the SMTP proxy. The SMTP proxy can be enabled by clicking on the toggle switch swoff. When enabled, for each active zone can be chosen whether the SMTP proxy should be active, inactive, or transparent:

active
The SMTP proxy is enabled for the zone and accepts requests on port 25.
transparent mode
If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on the clients. This option is not available for the RED zone.
inactive
The SMTP proxy is not enabled for that zone.

Additional options are available, grouped in five panels. Each panel can be expanded by clicking on the expand icon or hidden by clicking on the collapse icon.

Spam settings

In this panel there is the possibility to configure the software applications used by Endian UTM Appliance to recognise and filter out spam, configuring the following options:

Filter mail for spam
Enable the mail spam filter and allows the configuration of additional options that will appear below.
Choose spam handling

There are three actions that can be carried out on e-mails that have been recognised as spam:

  • move to default quarantine location: The spam e-mails will be moved to the default location.
  • send to quarantine email address: Spam e-mails are forwarded to a custom e-mail address that can be specified in the Spam quarantine email address textbox that will appear upon selecting this option.
  • mark as spam: The e-mail is marked as spam before delivery.
  • drop email: The spam e-mail is immediately deleted.
Spam subject
A prefix applied to the subject of all e-mails marked as spam.
Email used for spam notifications (spam admin)
The e-mail address that will receive a notification for each processed spam e-mail.
Spam tag level
If SpamAssassin’s spam score is greater than this number, the X-Spam-Status and X-Spam-Level headers are added to the e-mail.
Spam mark level
If SpamAssassin’s spam score is greater than this number, the Spam subject and X-Spam-Flag headers are added to the e-mail.
Spam quarantine level
Any e-mail that exceed this spam score will be moved to the quarantine location.
Send notification only below level
Send notification e-mails only if the spam score is below this number.
Spam filtering
Enable spam greylisting and show the next option.
Delay for greylisting (sec)
The greylisting delay can be a value between 30 and 3600 seconds.
Spam report
Tick the checkbox to add a report to the body of e-mails that are recognised as spam.
Japanization
Tick this checkbox to activate the support for Japanese sets in e-mails and filter Japanese spam e-mails.

Note

While most simple and well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is necessary to always train the spam filter in order to reach a personalised and stronger (bayesian) filter.

Virus settings

In this panel appear options to configure how to manage any virus found in the emails processed.

Mail virus scanner
Enable filtering of e-mails for viruses and to show the additional options.
Choose virus handling

There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails that have been recognised as spam. They are the same as in the Spam settings above:

  • move to default quarantine location: any e-mail containing virus will be moved to the default location.
  • send to quarantine email address: e-mails containing virus are forwarded to a custom e-mail address that can be specified in the Virus quarantine email address textbox that will appear upon selecting this option.
  • pass to recipient (regardless of bad contents): e-mail containing virus will be delivered normally.
  • drop email: The e-mail containing virus is immediately deleted.
Email used for virus notifications (virus admin)
The e-mail address that will receive a notification for each processed e-mail containing virus.
Notifications sender address
The e-mail address that will appear as sender of the notification.
Notify recipients about emails containing viruses
Tick the checkbox to send the original recipients of the e-mail a notification that the e-mail was blocked.
Send notifications only to addresses of configured incoming domains
Tick the checkbox to send a notification only to recipients whose domain is configured in the Incoming domains (see Proxy ‣ SMTP ‣ Incoming domains).

File settings

This panel contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.

Block files by extension
Activate the extensions-based filtering on files and reveal the additional virus filter options.
Choose handling of blocked files

There are three available actions that can be carried out on e-mails that have blocked (They are the same as in the previous Spam settings and Virus settings panels):

  • move to default quarantine location: e-mails containing blocked files will be moved to the default location.
  • send to quarantine email address: e-mails containing blocked files are forwarded to a custom e-mail address that can be specified in the Email used for blocked file notifications textbox that will appear upon selecting this option.
  • pass to recipient (regardless of blocked files): e-mails containing blocked files will be delivered normally
Email used for blocked file notifications (file admin)
The e-mail address that will receive a notification for each processed e-mail containing blocked attachments.
Block archives that contain blocked filetypes

Tick the checkbox to block every archive that contains files with a blocked extension.

Hint

If Program (.exe) has been chosen as one filetype to block, any .zip, .tar.gz, or another archive containing a file ending in .exe will be blocked.

Block files with double extension
Enable the blocking of any file with a double extension, like exe.jpg or bat.jpg. When ticked, the next option will appear.
Block files with double extension

In this textarea it is possible to write, one per line, all the extensions that should be blocked when they appear as the second extension of a file. It is necessary to provide at least one in the textarea, otherwise it has no effect. No wildacards are allowed.

Hint

The entry .jpg will block any file with extensions exe.jpg or bat.jpg, but will allow files with extensions jpg.exe, jpg.bat.

Note

Files with double extensions are usually malicious files which may appear as inoffensive images or documents in a file browser, but when they are clicked, an application is executed that has the purpose to harm a computer or steal personal data. A file with a double extensions is exactly like a normal file, but whose name (e.g., image.jpg) is followed by other extensions like .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll (e.g., image.jpg.exe).

Choose filetypes to block (by extension)

The file extensions to be blocked.

Hint

Hold down the CTRL key and click on the left mouse button to select multiple extensions.

It is necessary to configure the e-mail domains for which each local server should be responsible. The list of combinations domain-SMTP server can be defined in the Incoming domains under Menubar ‣ Proxy ‣ SMTP ‣ Incoming domains.

Quarantine settings

There is only one option in this panel:

Quarantine retention time (in days)

The number of days that the e-mail will be stored in the special quarantine location on the Endian UTM Appliance before being automatically deleted.

Hint

The e-mails stored in the quarantine can be managed in the Mail Quarantine, located at Menubar ‣ Services ‣ Mail Quarantine.

Bypass transparent proxy

In the last panel custom lists of domains can be defined for which the transparent proxy should be disabled.

Bypass transparent proxy from SUBNET/IP/MAC
E-mails sent from these sources are not subject to the transparent proxy.
Bypass transparent proxy to SUBNET/IP
E-Mails sent to these destinations are not subject to the transparent proxy.

Black- & Whitelists

In this page there are four panels: Three allow the definition of several custom black- and whitelists, while the fourth allows to select and use existing RBL.

Accepted mail (Black- & Whitelists)

In the first panel any number of domains, sub-domains, or single e-mail addresses to be white- or blacklisted can be entered. For both of the lists any number of senders, recipients, and clients can be entered in the appropriate textareas, as follows:

Whitelist sender
All the e-mails sent from these addresses or domains will be accepted. This is the e-mail From: field.
Blacklist sender
All the e-mails sent from these addresses or domains will be rejected. This is the e-mail From: field.
Whitelist recipient
All the e-mails sent to these addresses or domains will be accepted. This is the e-mail To: field.
Blacklist recipient
All the e-mails sent to these addresses or domains will be rejected. This is the e-mail To: field.
Whitelist client
All the e-mails sent from these IP addresses or hosts will be accepted.
Blacklist client
All the e-mails sent from these IP addresses or hosts will be rejected.

Realtime Blacklist (RBL)

An often used method to block spam e-mails are so called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose to identify as quickly as possible new SMTP server used to send spam and block them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from there will be rejected without further notice. The use of RBL saves bandwidth, since the mails will not be accepted and then handled like legitimate e-mails, but rather dismissed as soon as the sender’s IP address or domain is found in any blacklist. The Endian UTM Appliance uses many different RBL, which are divided into IP-based and domain-based. The blacklist that belong on each category are shown by clicking on the small expand icon, and can be enabled or disabled by clicking on the red or green arrow on top of the list, or individually. The homepage of the various organisations that compile the lists is reachable by clicking on the list’s name.

Warning

Sometimes it can happen that IP addresses or domains have been wrongly listed by an RBL operator. If this should happen, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without the possibility to recover it. Since there is no possibility to directly influence the RBLs, it is necessary to take into account the policies applied from the organisations that manage the RBLs before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.

Among the blacklist installed, there are:

bl.spamcop.net
A blacklist based on submissions from its users.
zen.spamhaus.org
This list contains the Spamhaus block list as well as Spamhaus’ exploits block list and its policy block list.
cbl.abuseat.org
The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (e.g., HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms, viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.
[name].dnsbl.sorbs.net and rhsbl.dnsbl.sorbs.net
Several blacklists are supplied from this organisation (replace [name] with safe, relays, spam, and zombie), and can be activated individually or all together by enabling the dsnbl.sorbs.net blacklist.
uceprotect.net
Lists that hold domains of known spam sources for at most seven days. After this period, domains are delisted, but subsequent violations cause the application of more restrictive policies.

The RBLs are grouped into two boxes. On the left-hand side there are IP-based RBLs, while on the right-hand side there are domain-based RBLs. To activate all the RBLS in one box, click on the drop icon next to the box’s title bar (the icon will become accept), while to enable only some of the RBLs, click on the drop icon next to each RBL’s name. In that case, the drop or accept icon on the title bar will be replaced by a partial icon.

Spam greylisting

Spam Greylisting

Spam greylisting is a method used by a MTA to verify whether an e-mail is legitimate by rejecting it a first time and waiting for a second dispatch of the same e-mail. If the e-mail is not received anymore the sender is considered as a spam source. The idea behind greylisting is that any mass spam bot will not try to resend any rejected e-mail, so only valid e-mails would be resent.

In the third panel, greylisting whitelists can be created by adding entries for every recipient, IP address or network in the two textareas. To the items in the whitelist will not be applied any greylisting.

Whitelist recipient
All E-mail addresses or whole domains written in this textarea, e.g., test@example.com or example.com are considered “safe”, i.e., the e-mail received from them will not be checked for spam.
Whitelist client
All the mailserver’s address in this textarea are considered “safe”, i.e., all the e-mails coming from this server’s address will not be checked for spam.

Spam (Black- & Whitelists)

In the fourth and last panel, explicit black- and whitelists for the spam filter are defined.

Whitelist sender
E-mail addresses or whole domains can be whitelisted in this textarea (i.e., they will never be detected as spam), like e.g. test@example.com or the domain example.com.
Blacklist sender
E-mail addresses or whole domains can be blacklisted in this textarea (i.e., they will always be detected as spam), like e.g. test@example.com or the domain example.com.

Incoming domains

An incoming domain must be configured whenever clients outside the RED interface are allowed to send e-mails from a local SMTP server and the e-mails should be forwarded to an mail server behind the Endian UTM Appliance - usually set up in the ORANGE zone. It is possible to specify multiple mail servers behind the Endian UTM Appliance for different domains.

The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click on the Add a domain button: A simple form will open, in which the combination domain-mailserver can be created.

Domain
The domain the mailserver is responsible for.
Mailserver IP
The IP address of the mailserver.

The new entry will be shown at the bottom of the list. The actions available for each domain are:

  • edit - modify the domain’s property.
  • delete - remove the domain.

Warning

No confirmation is asked after clicking on the delete icon: The domain will removed immediately.

Domain routing

The page shows a list of domains along with the smarthost responsible for delivering the e-mails’ to or from those domains. The information shown by the list are the same that shall be provided when adding a new domain. Available actions are:

  • edit - modify the domain routing.
  • delete - remove the domain routing.

To add a new domain, click on the Add new domain route button: A simple form will open, in which the combination domain-mailserver can be created.

Direction
Decide whether the rule will be applied to the domain associated with the sender or with the recipient.
Domain
The domain this mailserver is responsible for.
Outgoing address

Choose from the drop-down menu the interface or IP address of the uplink through which the e-mails will be sent.

Note

If left blank, the smarthost will select the uplink or IP address to be used.

Smarthost
Tick this checkbox to configure a custom smarthost instead o using the system’s smarthost. The options that will appear, including those for authentication, are the same that are in the Smarthost configuration below.

Rule’s priority in Domain Routing

Suppose you have set up two rules for domain routing: One with domain mydomain.com as the sender and uplink main as the route, and a second one with domain example.org as the receiver and uplink secondary as the route. What happens to an email that is sent from server foo.mydomain.com to a user on bar.example.org? The answer can be found in how the Endian UTM Appliance‘s MTA, postfix, processes the e-mails’ sending rules: It first reads all the rules involving the sources, then the rules involving the recipient. Thus, the e-mail that is sent from foo.mydomain.com to bar.example.org will be routed through through the secondary uplink.

Mail Routing

This option allows to send a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list show the direction, the address and the BCC address, if any, and the available actions:

  • edit - modify the mail routing.
  • delete - remove the mail routing.

To add a new mail route, click on the Add a Mail Route button. In the form that opens these options can be configured:

Direction
Select from the drop-down menu whether the mail route should be defined for a sender or recipient of the e-mail.
Mail address
Depending on the direction chosen, this will be the e-mail address of the recipient or sender to which the route should be applied.
BCC address
The e-mail address which are the recipient of the copy of the e-mails.

Warning

Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries it is highly illegal to read other people’s private messages, so please neither misuse nor abuse of this feature.

Advanced

In this page of the SMTP proxy configuration there are advanced settings options available, grouped in four panels, that can be shown or hidden by clicking on the expand or collapse icons on the left of the panel title.

Smarthost configuration

In the first panel a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or an ADSL dialup Internet connection, there can be some troubles sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL (see Black- & Whitelists above) and therefore the remote mailserver might refuse the e-mails. Hence, it becomes necessary to use a smarthost for sending e-mails.

Smarthost for delivery
Tick this checkbox to enable a smarthost for delivering e-mails and to show additional options.
Smarthost address
The IP address or hostname of the smarthost.
Smarthost port
The port on which the smarthost is listening, defaults to 25.
Smarthost authentication
Tick this checkbox if the smarthost requires authentication. The next three extra options are then shown.
Smarthost username
The username used for authentication on the smarthost.
Smarthost password
The password used for authentication on the smarthost.
Choose authentication method
The authentication methods required by the smarthost: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. Multiple methods can be chosen by ticking the checkboxes in the multiselect drop-down menu.

IMAP Server for SMTP authentication

This panel contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:

SMTP authentication
Tick this checkbox to enable IMAP authentication and to show additional options.
Choose number of authentication daemons
How many concurrent logins are possible through the Endian UTM Appliance.
IMAP authentication server
The IP address of the IMAP server.
IMAP authentication port
The port on which the IMAP server is listening, defaults to 143 for plain IMAP or 993 for IMAP over SSL.

Mail server settings

In this panel, additional parameters of the SMTP server can be defined.

Require SMTP HELO
When this checkbox is ticked, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.
Reject invalid hostname
Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.
SMTP HELO name
The hostname to send with the SMTP EHLO or HELO command. The default value used is the REDIP, but a custom hostname in FQDN format can be supplied.

Hint

Use the hostname of the domain’s MX.

Always BCC to address
An e-mail address here that will receive a BCC of each message that goes through the SMTP proxy.
Mail template language
The language in which error messages should be sent, among those available: English, German, Italian, and Japanese.
Recipient address verification
Enable the check for a valid recipients address before sending the message.
Hard error limit
The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).

Maximum email content size

The maximum size allowed for a single e-mail message. Several predefined values can be selected from the drop-down menu. When choosing the Custom value, the next option appears.
Custom maximum email contentsize (in KB)
The maximum size in mega bytes of the e-mail that will be accepted by the SMTP server.
Enable DSN on zones
Choose from the available zones those which will send a bounce message (i.e., a DSN message) to undeliverable e-mails or to e-mails that can not be correctly sent. In other words, it will be possible to receive delivery notification messages of emails only from zones that have been selected here.

HELO/EHLO and hostname

Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the Endian UTM Appliance uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.

If that is the case, another custom hostname in FQDN format can be configured under Menubar ‣ Proxy ‣ SMTP ‣ Advanced ‣ Mail server settings ‣ SMTP Helo Name, that can be understood by the remote mail server.

Spam prevention

Finally, in this last panel additional parameters for the spam filter can be defined, by ticking one or more of the four checkboxes.

Reject invalid recipient (non-FQDN)
Reject the request when the RCPT TO address is not in FQDN form, as required by the RFC 821.
Reject invalid sender (non-FQDN)
Reject the connecting client if the hostname supplied with the HELO or EHLO command is not a FQDN as required by the RFC 821.
Reject unknown recipient domain
Reject the connection if the domain of the recipient e-mail address has no DNS A or MX record.
Reject sender from unknown domains
Reject the connection if the domain of the sender e-mail address has no DNS A or MX record.

Troubleshooting STMP proxy.

When the message “Mail for xxx loops back to myself” appears in the log file, it is indicative of a misconfiguration in the custom SMTP HELO name on the appliance, that is the same as the hostname of the internal mailserver to which the incoming e-mail should be forwarded.

In that case the SMTP connection received from the internal mailserver will contain an hostname (the one in the HELO line from the SMTP Proxy setting), that is the same as the hostname of the internal mailserver, hence the internal mailserver believes to send and receive the same e-mail, producing the error message.

Possible solutions include:

  • To change the hostname of the internal mailserver.
  • To create a new publicly valid A Record within the DNS zone which also points to the Endian UTM Appliance and use this hostname as the HELO line within the SMTP Proxy.

See also

A step by step guide to set up a basic e-mail proxy can be found here.

Anti-Spam

This page includes configuration settings for the anti-spam engine. The following options can be configured:

Enable spamassassin shortcircuit
Check this box to skip spamassassin whenever Cyren (former Commtouch) marks a message as spam.
Ignore IPs/Networks
Here IPs and networks which should not be checked by Cyren can be defined.

In the SPAM tag level panel the following options can be configured. The valid values for each option are between 1 and 10 included, except for the NONSPAM option, whose valid values are between -1o and -1.

CONFIRMED
Every e-mail with a tag level above this value will be recognised as spam.
BULK
Every e-mail with a tag level above this value will be identified as bulk mail.
SUSPECTED
Every e-mail with a tag level above this value will is suspected to contain spam.
UNKNOWN
E-mails with a tag level below this value will be classified as unknown.
NONSPAM
E-mails with a tag level below this value will be recognised as non-spam mails.