In this page you find:
Changed in version 2.5-armel: Removed Commtouch since there is no Commtouch’s version for ARM platforms.
New in version 3.0.5-YYYYMM: a couple of options to handle files with double extensions.
The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.
While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.
The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for the outgoing e-mails. It will also be used if an mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and the e-mails can be sent from outside the local network (incoming requests) through t hat mail server, that is, when clients are allowed to send e-mails from the RED interface.
In order to download mail from a remote mailserver to a local e-mail client, the POP3 or IMAP protocol are used. In order to protect that traffic too, enable the POP3 proxy in.
Scanning of IMAP traffic is currently not supported.
With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary and in that case both the receiving user and the administrator are notified. With the possibility to scan incoming e-mails, the e-mail proxy can handle incoming connections from the RED interface and pass the e-mail to one or more internal mail servers. Hence, it is possible to run an own mail server behind the firewall without the need to define appropriate port forwarding rules.
The SMTP proxy configuration is split into six tabs, each one tailored to one aspects of the SMTP proxy.
This is the main configuration page for the SMTP proxy. The SMTP proxy can be enabled by clicking on the toggle switch . When enabled, for each active zone can be chosen whether the SMTP proxy should be active, inactive, or transparent:
In this panel there is the possibility to configure the software applications used by Endian UTM Appliance to recognise and filter out spam, configuring the following options:
There are three actions that can be carried out on e-mails that have been recognised as spam:
Changed in version 2.5: The possibility to specify a custom location in which to store spam e-mails has been removed.
New in version 3.0: The drop email option.
While most simple and well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is absolutely necessary to always train the spam filter in order to reach a personalised and stronger filter (bayes).
In this panel a few options can be configured to manage any virus found.
There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails that have been recognised as spam. They are the same as in the Spam settings above:
Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing viruses has been removed.
New in version 3.0: The drop email option.
This panel contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.
There are three or four available actions (depending on the type of Endian UTM Appliance ) that can be carried out on e-mails that have blocked (They are the same as in the previous Spam settings and Virus settings boxes):
Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing blocked files has been removed.
The file extensions to be blocked.
Hold down the
CTRL key and click on the left
mouse button to select multiple extensions.
Tick the checkbox to block every archive that contains files with a blocked extension.
If Program (.exe) has been chosen as one filetype to block, any .zip, .tar.gz, or another archive containing a file ending in .exe will be blocked.
In this textarea it is possible to write, one per line, all the extensions that should be blocked when they appear as the second extension for a file. Leaving the textarea empty has the same effect as the previous option were disabled. No wildacards are allowed.
The entry .jpg will block any file with extensions exe.jpg or bat.jpg, but will allow files with extensions jpg.exe, jpg.bat.
Files with double extensions are usually malicious files
which may appear as inoffensive images or documents, but when they
are clicked, an application is executed that has the purpose to
harm a computer or steal personal data. A file with a double
extensions is exactly like a normal file, but whose name (e.g.,
image.jpg) is followed by .exe, .com, .vbs, .pif,
.scr, .bat, .cmd or .dll (e.g.,
It is necessary to configure the e-mail domains for which each local server should be responsible. The list of combinations domain-SMTP server can be defined under.
There is only one option in this panel:
The number of days that the e-mail will be stored in the special quarantine location on the Endian UTM Appliance before being automatically deleted.
The e-mails stored in the quarantine can be managed in the Mail Quarantine, located at .
In the last panel custom lists of domains can be defined for which the transparent proxy should be disabled.
In this page there are four panels: Three allow the definition of several custom black- and whitelists, while the fourth allows to select and use existing RBL.
In the first panel any number of domains, sub-domains, or single e-mail addresses to be white- or blacklisted can be entered. For both of the lists any number of senders, recipients, and clients can be entered in the appropriate textareas, as follows:
An often used method to block spam e-mails are so called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose to identify as quickly as possible new SMTP server used to send spam and block them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from there will be rejected without further notice. The use of RBL saves bandwidth, since the mails will not be accepted and then handled like legitimate e-mails, but rather dismissed as soon as the sender’s IP address or domain is found in any blacklist. The Endian UTM Appliance uses many different RBL, which are divided into IP-based and domain-based. The blacklist that belong on each category are shown by clicking on the small icon, and can be enabled or disabled by clicking on the red or green arrow on top of the list, or individually. The homepage of the various organisations that compile the lists is reachable by clicking on the list’s name.
Sometimes it can happen that IP addresses or domains have been wrongly listed by an RBL operator. If this should happen, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without the possibility to recover it. Since there is no possibility to directly influence the RBLs, it is necessary to take into account the policies applied from the organisations that manage the RBLs before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.
Among the blacklist installed, there are:
This is a list which contains domains or IP networks whose administrators choose not to obey to the RFCs, the standards of the net.
The rfc-ignorant.org site has shut its service down on the 30th of November 2012 (see the announcement), but its content has been inherited by people at http://www.rfc-ignorant.de/. Their work, however, has not yet produced working RBLs as of today (November 2013).
Advanced users can modify the list from the
CLI, editing the
file, and modify the RBL variable.
Changed in version 2.5: In previous version, the file to
/var/efw/smtpscan/RBL, with the
/var/efw/smtpscan/default/RBL to be used
The RBLs are grouped into two boxes. On the left-hand side there are IP-based RBLs, while on the right-hand side there are domain-based RBLs. To activate all the RBLS in one box, click on the icon next to the box’s title bar (the icon will become ), while to enable only some of the RBLs, click on the icon next to each RBL’s name. In that case, the or icon on the title bar will be replaced by a icon.
In the third panel, greylisting whitelists can be created by adding entries for every recipient, IP address or network in the two textareas. To the items in the whitelist will not be applied any greylisting
Greylisting is a method used by a MTA to verify whether an e-mail is legitimate by rejecting it a first time and waiting for a second dispatch of the same e-mail. If the e-mail is not received anymore the sender is considered as a spam source. The idea behind greylisting is that any mass spam bot will not try to resend any rejected e-mail, so only valid e-mails would be resent.
Finally, in the last panel, explicit black- and whitelists for the spam filter are defined.
When incoming mail has been enabled (i.e., clients outside the RED interface can send e-mails from a local SMTP server) and e-mails to be sent should be forwarded to an mail server behind the Endian UTM Appliance - usually set up in the ORANGE zone - it is necessary to declare the domains to be accepted by the SMTP proxy and to which of the e-mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind the Endian UTM Appliance for different domains.
The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click on the Add a domain button: A simple form will open, in which the combination domain-mailserver can be created.
The new entry will be shown at the bottom of the list. The actions available for each domain are:
No confirmation is asked after clicking on the icon: The domain will removed immediately.
New in version 3.0.
The page shows a list of domains along with the smarthost responsible for the e-mails’ delivery to or reception from those domains. The information shown by the list are the same that shall be provided when adding a new domain. Available actions are:
To add a new domain, click on the Add new domain route button: A simple form will open, in which the combination domain-mailserver can be created.
Suppose you have set up two rules for domain routing: One with domain mydomain.com as the sender and uplink main as the route, and a second one with domain example.org as the receiver and uplink secondary as the route. What happens to an email that is sent from server foo.mydomain.com to a user on bar.example.org? The answer can be found in how the Endian UTM Appliance‘s MTA, postfix, processes the e-mails’ sending rules: It first reads all the rules involving the sources, then the rules involving the recipient. Thus, the e-mail that is sent from foo.mydomain.com to bar.example.org will be routed through through the secondary uplink.
This option allows to send a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list show the direction, the address and the BCC address, if any, and the available actions:
To add a new mail route, click on the Add a Mail Route button. In the form that opens these options can be configured:
Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries it is highly illegal to read other people’s private messages, so please do not misuse nor abuse of this feature.
In this page of the SMTP proxy configuration there are advanced settings options available, grouped in four panels, that can be shown or hidden by clicking on the or icons on the left of the panel title.
In the first panel a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or an ADSL dialup Internet connection, there can be some troubles sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL (see Black- & Whitelists above) and therefore the remote mailserver might refuse the e-mails. Hence, it becomes necessary to use a smarthost for sending e-mails.
CTRLkey pressed and clicking on each of the desired methods.
In a few words, a smarthost is a mailserver used by the SMTP proxy as the outgoing SMTP server. The smarthost needs to accept the e-mails and relays them. Normally, the provider’s own SMTP server is used as the smarthost, since it will accept to relay the e-mails, while other mailservers would not.
This panel contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:
In this panel, additional parameters of the SMTP server can be defined.
The hostname to send with the SMTP EHLO or HELO command. The default value used is the REDIP, but a custom hostname in FQDN format can be supplied.
Use the hostname of the domain’s MX.
HELO/EHLO and hostname
Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the Endian UTM Appliance uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.
If that is the case, another custom hostname in FQDN format can be configured under, that can be understood by the remote mail server.
Finally, in this last panel additional parameters for the spam filter can be defined, by ticking one or more of the four checkboxes.
Troubleshooting STMP proxy.
When the message “Mail for xxx loops back to myself” appears in the log file, it is indicative of a misconfiguration in the custom SMTP HELO name on the appliance, that is the same as the hostname of the internal mailserver to which the incoming e-mail should be forwarded.
In that case the SMTP connection received from the internal mailserver will contain an hostname (the one in the HELO line from the SMTP Proxy setting), that is the same as the hostname of the internal mailserver, hence the internal mailserver believes to send and receive the same e-mail, producing the error message.
Possible solutions are:
- Change the hostname of the internal mailserver.
- Create a new publicly valid A Record within the DNS zone which also points to the Endian UTM Appliance and use this hostname as the HELO line within the SMTP Proxy.
- Use the numeric IP Address of the uplink as the HELO line.
A step by step guide to set up a basic e-mail proxy can be found here.
Changed in version 2.5-Arm: Removed as it is not available on the ARM architecture.
This page includes configuration settings for the anti-spam engine. The following options can be configured:
In the SPAM tag level section the following options can be configured. The valid values for each option are between -10 and 10 included.