SMTP

The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.

Note

While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.

The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for outgoing e-mails. It is also used if a mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and e-mails can be sent from outside the local network (incoming requests) through that mail server, that is, when clients are allowed to send e-mails from the RED interface.

In order to download mail from a remote mail server to a local e-mail client, the POP3 or IMAP protocols are used. In order to protect that traffic too, enable the POP3 proxy in Menubar ‣ Proxy ‣ POP3.

Warning

Scanning of IMAP traffic is currently not supported.

With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary and in that case both the receiving user and the administrator are notified. With the possibility to scan incoming e-mails, the e-mail proxy can handle incoming connections from the RED interface and pass the e-mail to one or more internal mail servers. Hence, it is possible to run one’s own mail server behind the firewall without the need to define appropriate port forwarding rules.

The SMTP proxy configuration options are grouped into tabs, each for a different part of the SMTP proxy.

Settings

This is the main configuration page for the SMTP proxy.

Enable the SMTP proxy

Tick the checkbox to enable the SMTP proxy.

Quarantine retention time

The number of days that the e-mail will be stored in the special quarantine location on the UTM before being automatically deleted.

Hint

The e-mails stored in the quarantine can be managed in the Quarantine, located at Menubar ‣ Services ‣ Mail Quarantine.

Bypass transparent proxy from (SUBNET or IP or MAC)

E-mails sent from these sources are not subject to the transparent proxy.

Bypass transparent proxy to (SUBNET or IP)

E-Mails sent to these destinations are not subject to the transparent proxy.

Require SMTP HELO

When this checkbox is ticked, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.

SMTP HELO name

The hostname to send with the SMTP EHLO or HELO command. The default value used is the REDIP, but a custom hostname in FQDN format can be supplied.

Hint

Use the hostname of the domain’s MX.

HELO/EHLO and hostname

Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the UTM uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.

If that is the case, another custom hostname in FQDN format can be configured under Menubar ‣ Proxy ‣ SMTP ‣ Advanced ‣ Mail server settings ‣ SMTP Helo Name, that can be understood by the remote mail server.

Reject invalid hostname

Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.

Always BCC to address

An e-mail address here that will receive a BCC of each message that goes through the SMTP proxy.

Mail template language

The language in which error messages should be sent, among those available: English, German, Italian, and Japanese.

Enable DSN on zones

Choose from the available zones those that will send a bounce message (i.e., a DSN message) for undeliverable e-mails or for e-mails that cannot be correctly sent. In other words, delivery notification messages will be received only for e-mails from the zones selected here.

Require Recipient address verification

Enable the check for a valid recipient address before sending the message.

Reject invalid recipient (non-FQDN)

Reject the request when the RCPT TO address is not in FQDN form, as required by RFC 821.

Reject unknown recipient domain

Reject the connection if the domain of the recipient e-mail address has no DNS A or MX record.

Reject invalid sender (non-FQDN)

Reject the connecting client if the hostname supplied with the HELO or EHLO command is not an FQDN, as required by RFC 821.

Reject sender from unknown domains

Reject the connection if the domain of the sender e-mail address has no DNS A or MX record.

Hard error limit number

The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).

Maximum email content size

Enter the maximum size in bytes allowed for a single e-mail message.

Troubleshooting SMTP proxy

When the message “Mail for xxx loops back to myself” appears in the log file, it indicates a misconfiguration of the custom SMTP HELO name on the appliance: it is the same as the hostname of the internal mail server to which the incoming e-mail should be forwarded.

In that case the SMTP connection received by the internal mail server from the proxy carries a hostname (the one in the HELO line from the SMTP proxy settings) that is the same as the internal mail server’s own hostname, so the internal mail server concludes it is both sending and receiving the same e-mail and produces the error message.

Possible solutions include:

  • To change the hostname of the internal mailserver.

  • To create a new publicly valid A Record within the DNS zone which also points to the UTM and use this hostname as the HELO line within the SMTP Proxy.

  • To use the numeric IP Address of the uplink as the HELO line.
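
The following Python code is an added example, not part of the UTM documentation or of the product: it models the HELO, recipient and sender checks of the Settings tab above together with the loop-back misconfiguration just described. The DNS table, the hostnames utm.example.org and mail.example.org, and the field names of ProxySettings are constructed for the example; the product’s real option names are the ones in the headings above. The two HELO-hostname options are folded into one check, and the sender check is limited to the unknown-domain test.

```python
import re
from dataclasses import dataclass

# Constructed DNS table standing in for real lookups: domain -> record types present.
DNS_TABLE = {
    "example.org": {"A", "MX"},
    "mail.example.org": {"A"},
    "nomx.example": set(),  # name exists, but has neither A nor MX
}

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(name):
    """True for a fully qualified name with at least two valid labels, e.g. mail.example.org."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_address_literal(helo):
    """RFC 5321 lets a client greet with an address literal such as [192.0.2.10]."""
    return re.match(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$", helo) is not None


def domain_has_a_or_mx(domain, lookup=DNS_TABLE.get):
    """Reject-unknown-domain test: the domain must resolve to an A or MX record."""
    records = lookup(domain.lower().rstrip("."))
    return bool(records) and bool(records & {"A", "MX"})


@dataclass
class ProxySettings:
    """Subset of the Settings tab; the field names are this example's, not the UTM's."""
    require_helo: bool = True
    reject_invalid_hostname: bool = True       # covers both HELO-hostname options above
    reject_non_fqdn_recipient: bool = True
    reject_unknown_recipient_domain: bool = True
    reject_unknown_sender_domain: bool = True
    smtp_helo_name: str = "utm.example.org"    # assumed custom HELO name
    internal_mailserver: str = "mail.example.org"


def check_envelope(settings, helo, mail_from, rcpt_to, lookup=DNS_TABLE.get):
    """Return the list of rejection reasons for one SMTP envelope (empty = accepted)."""
    reasons = []
    if not helo:
        if settings.require_helo:
            reasons.append("HELO/EHLO required")
    elif settings.reject_invalid_hostname and not (is_fqdn(helo) or is_address_literal(helo)):
        reasons.append("invalid or non-FQDN HELO hostname")

    rcpt_domain = rcpt_to.rpartition("@")[2]
    if settings.reject_non_fqdn_recipient and not is_fqdn(rcpt_domain):
        reasons.append("recipient address is not in FQDN form")
    elif settings.reject_unknown_recipient_domain and not domain_has_a_or_mx(rcpt_domain, lookup):
        reasons.append("recipient domain has no A or MX record")

    # The null sender (<>) used by bounces carries no domain to verify.
    sender_domain = mail_from.rpartition("@")[2]
    if sender_domain and settings.reject_unknown_sender_domain \
            and not domain_has_a_or_mx(sender_domain, lookup):
        reasons.append("sender domain has no A or MX record")
    return reasons


def helo_loops_back(settings):
    """Troubleshooting check for "Mail for xxx loops back to myself": the custom HELO
    name must differ from the hostname of the internal mail server mail is forwarded to."""
    return settings.smtp_helo_name.lower().rstrip(".") == \
        settings.internal_mailserver.lower().rstrip(".")
```

check_envelope collects every failed check so a single log line can show them all; a real proxy answers the first failure with a 5xx reply during the SMTP dialogue. helo_loops_back is the one-line test for the loop-back message above: run it against the configured HELO name before changing the internal mail server’s hostname or adding a DNS record.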

See also

A step by step guide to set up a basic e-mail proxy can be found here.

Zones

For each defined zone, choose the proxy mode by clicking on the icon on the right-hand side and selecting one of these options:

Enabled

The SMTP proxy is enabled for the zone and accepts requests on port 25.

Transparent

If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on the clients. This option is not available for the RED zone.

Disabled

The SMTP proxy is not enabled for that zone.

Domains

The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click Add domain: A simple form will open, in which the combination domain-mailserver can be created.

Domain

The domain the mailserver is responsible for.

Mail server

The domain name or IP address of the mailserver.

The new entry will be shown at the bottom of the list.

Antispam

This tab configures the software applications used by the UTM to recognise and filter out spam, with the following options:

Enable mail spam filtering

Tick the checkbox to enable the antispam filter and to allow the configuration of additional options that will appear below.

Spam handling

These actions can be carried out on e-mails that have been recognised as spam:

  • Move to default quarantine location: The spam e-mails will be moved to the default location.

  • Send to quarantine email address: Spam e-mails are forwarded to a custom e-mail address that can be specified in the Spam quarantine email address textbox that will appear upon selecting this option.

  • Mark as spam: The e-mail is marked as spam before delivery.

  • Drop email: The spam e-mail is immediately deleted.

Send quarantine email to

The email address to which the quarantined email will be forwarded.

Note

This option appears only when Send to quarantine email address is selected in the Spam handling option.

Spam email subject

A prefix applied to the subject of all e-mails marked as spam.

Notify spam email to

The e-mail address that will receive a notification for each processed spam e-mail.

Tag as spam

If SpamAssassin’s spam score is greater than this number, the X-Spam-Status and X-Spam-Level headers are added to the e-mail.

Send in quarantine

Any e-mail that exceeds this spam score will be moved to the quarantine location.

Mark as spam

If SpamAssassin’s spam score is greater than this number, the Spam subject and X-Spam-Flag headers are added to the e-mail.

Send notification only below level

Send notification e-mails only if the spam score is below this number.
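
The following Python code is an added example, not from the product, showing how the four score thresholds above combine on one scanned message and how the Spam handling choice then decides its fate. The threshold values, the subject prefix and the X-Spam-Level format (one asterisk per whole point, as SpamAssassin writes it) are assumptions, as is the choice to count a message as "processed spam" for notification purposes once it exceeds the Tag as spam score.

```python
from dataclasses import dataclass


@dataclass
class SpamThresholds:
    """Thresholds from the Antispam tab; the values are constructed for this example."""
    tag: float = 3.0             # Tag as spam
    mark: float = 5.0            # Mark as spam
    quarantine: float = 8.0      # Send in quarantine
    notify_below: float = 10.0   # Send notification only below level
    subject_prefix: str = "***SPAM***"   # Spam email subject


def spam_level(score):
    """X-Spam-Level as SpamAssassin formats it: one asterisk per whole point."""
    return "*" * max(0, int(score))


def classify(score, thresholds, subject):
    """Apply the thresholds to one message: returns the headers to add, the
    (possibly prefixed) subject, the action and whether a notification is due."""
    t = thresholds
    headers = {}
    new_subject = subject
    if score > t.tag:
        headers["X-Spam-Status"] = f"Yes, score={score:.1f} required={t.tag:.1f}"
        headers["X-Spam-Level"] = spam_level(score)
    if score > t.mark:
        headers["X-Spam-Flag"] = "YES"
        new_subject = f"{t.subject_prefix} {subject}"
    return {
        "headers": headers,
        "subject": new_subject,
        "action": "quarantine" if score > t.quarantine else "deliver",
        # assumption: notify only for messages tagged as spam and below the cut-off
        "notify": t.tag < score < t.notify_below,
    }


def deliver_plan(result, handling, quarantine_address=None):
    """Map the Spam handling option onto a message the thresholds sent to quarantine.
    Messages below that score are delivered with whatever headers were added."""
    if result["action"] != "quarantine":
        return ("deliver", None)
    plans = {
        "move_to_quarantine": ("quarantine", None),
        "send_to_quarantine_address": ("forward", quarantine_address),
        "mark_as_spam": ("deliver", None),
        "drop": ("drop", None),
    }
    if handling not in plans:
        raise ValueError(f"unknown Spam handling mode {handling!r}")
    return plans[handling]
```

The ordering matters for tuning: a message scoring between Mark as spam and Send in quarantine still reaches the mailbox, only with the prefix and X-Spam-Flag set, which is why the Mark threshold is normally the lowest of the two and Send in quarantine is raised only once false positives are rare.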

Enable graylisting for spam

Enable spam greylisting (see box below).

Delay for greylisting

The greylisting delay can be a value between 30 and 3600 seconds.

Add spam report to email body

Tick the checkbox to add a report to the body of e-mails that are recognised as spam.

Activate the support for Japanese emails

Tick this checkbox to activate support for Japanese character sets in e-mails and to filter Japanese spam e-mails.

Note

While most simple and well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is necessary to keep training the spam filter in order to reach a personalised and stronger (Bayesian) filter.

Spam Greylisting

Spam greylisting is a method used by a MTA to verify whether an e-mail is legitimate by rejecting it a first time and waiting for a second dispatch of the same e-mail. If the e-mail is not received anymore the sender is considered as a spam source. The idea behind greylisting is that any mass spam bot will not try to resend any rejected e-mail, so only valid e-mails would be resent.
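
The following Python code is an added example, not part of the documentation or the product, of the greylisting mechanism described in the box: a minimal in-memory greylist keyed on the client IP, sender and recipient triplet, enforcing the 30 to 3600 second bounds of the Delay for greylisting option. The FakeClock, the 450 reply text and the seven-day expiry of triplets that never retried are this example’s assumptions.

```python
import time


class FakeClock:
    """Constructed clock so the example runs instantly instead of waiting for the delay."""

    def __init__(self, start=1_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class Greylist:
    """In-memory greylist keyed on the (client IP, sender, recipient) triplet.

    First contact is deferred with a temporary 4xx reply; a retry after the
    configured delay is accepted and the triplet is then remembered as good.
    """

    MIN_DELAY, MAX_DELAY = 30, 3600   # bounds of "Delay for greylisting"

    def __init__(self, delay=300, now=time.time, max_age=86400 * 7):
        if not self.MIN_DELAY <= delay <= self.MAX_DELAY:
            raise ValueError(f"delay must be between {self.MIN_DELAY} and {self.MAX_DELAY} seconds")
        self.delay = delay
        self.now = now
        self.max_age = max_age   # assumed housekeeping: forget triplets that never retried
        self.pending = {}        # triplet -> time first seen
        self.approved = {}       # triplet -> time last accepted

    @staticmethod
    def key(client_ip, sender, recipient):
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient):
        """Return ("accept", None) or ("defer", smtp_reply) for one delivery attempt."""
        k = self.key(client_ip, sender, recipient)
        t = self.now()
        if k in self.approved:
            self.approved[k] = t
            return ("accept", None)
        first_seen = self.pending.get(k)
        if first_seen is None:
            self.pending[k] = t                      # first attempt: start the clock
        elif t - first_seen >= self.delay:
            del self.pending[k]                      # legitimate MTA came back: whitelist it
            self.approved[k] = t
            return ("accept", None)
        remaining = int(self.delay - (t - self.pending[k]))
        return ("defer", f"450 4.7.1 Greylisted, try again in {remaining} seconds")

    def expire(self):
        """Drop deferred triplets whose sender never came back; per the box above
        these are the ones treated as spam sources. Returns how many were dropped."""
        t = self.now()
        stale = [k for k, first in self.pending.items() if t - first > self.max_age]
        for k in stale:
            del self.pending[k]
        return len(stale)
```

A 4xx reply is the whole trick: a conforming MTA queues the message and retries, a one-shot spam bot usually does not. The cost is the delay on first contact with every new sender, which is why the option is bounded and why mail from a sender that has already passed is accepted immediately.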

Antivirus

This tab contains the options that configure how viruses found in processed e-mails are handled.

Scan mail for virus

Enable filtering of e-mails for viruses and to show the additional options.

Virus handling

There are three or four available actions (depending on the type of UTM) that can be carried out on e-mails that have been found to contain a virus. They are the same as in the Spam settings above:

  • Move to default quarantine location: any e-mail containing virus will be moved to the default location.

  • Send to quarantine email address: e-mails containing virus are forwarded to a custom e-mail address that can be specified in the Virus quarantine email address textbox that will appear upon selecting this option.

  • Pass to recipient (regardless of bad contents): e-mail containing virus will be delivered normally.

  • Drop email: The e-mail containing virus is immediately deleted.

Send virus quarantine emails to

The email address to which the quarantined email will be forwarded.

Note

This option appears only when Send to quarantine email address is selected in the Virus handling option.

Notify virus to

The e-mail address that will receive a notification for each processed e-mail containing virus.

Send virus notifications from address

The e-mail address that will appear as sender of the notification.

Notify recipients about emails containing viruses

Tick the checkbox to send the original recipients of the e-mail a notification that the e-mail was blocked.

Send notifications only to addresses of configured incoming domains

Tick the checkbox to send a notification only to recipients whose domain is configured in the Domains (see Proxy ‣ SMTP ‣ Domains).

File blocking

This tab contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.

Block files by extension

Activate the extensions-based filtering on files and reveal the additional virus filter options.

Blocked files handling

There are three available actions that can be carried out on e-mails that contain blocked files (they are the same as in the previous Spam settings and Virus settings tabs):

  • Move to default quarantine location: e-mails containing blocked files will be moved to the default location.

  • Send to quarantine email address: e-mails containing blocked files are forwarded to a custom e-mail address that can be specified in the Notify blocked files as and Notify blocked files to textboxes that will appear upon selecting this option.

  • Pass to recipient (regardless of blocked files): e-mails containing blocked files will be delivered normally.

Notify blocked files as

The e-mail address that will appear as the sender of the notifications for each processed e-mail containing blocked attachments.

Notify blocked files to

The e-mail address that will receive the notification.

Note

This option and the previous one only appear if Send to quarantine email address has been selected for the Blocked files handling option above.

File extensions to block

Enter the file extensions that will be blocked by the SMTP proxy, one at a time, then click the green + on the right-hand side.

Hint

Each extension must be preceded by a dot, for example .exe.

Block archives that contain blocked filetypes

Tick the checkbox to block every archive that contains files with a blocked extension.

Hint

If Program (.exe) has been chosen as one filetype to block, any .zip, .tar.gz, or another archive containing a file ending in .exe will be blocked.

Block files with double extension

Enable the blocking of any file with a double extension, like exe.jpg or bat.jpg. When ticked, the next option will appear.

Block files with double extensions ending in

In this textarea it is possible to write, one per line, all the extensions that should be blocked when they appear as the second extension of a file. It is necessary to provide at least one in the textarea, otherwise the option has no effect. No wildcards are allowed.

Hint

The entry .jpg will block any file with extensions exe.jpg or bat.jpg, but will allow files with extensions jpg.exe, jpg.bat.

Note

Files with double extensions are usually malicious files which may appear as inoffensive images or documents in a file browser, but when they are clicked, an application is executed whose purpose is to harm a computer or steal personal data. A file with a double extension is exactly like a normal file, but its name (e.g., image.jpg) is followed by another extension like .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll (e.g., image.jpg.exe).
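
The following Python code is an added example, not from the product, that implements the three File blocking rules above over attachment names and, for .zip and .tar.gz attachments, over the archive members: extension matching with the required leading dot, the double-extension rule in which only the second extension is compared (so .jpg blocks exe.jpg but not jpg.exe), and archive inspection. The policy values, the in-memory archives and the decision to fail closed on an unreadable archive are this example’s assumptions; nested archives are not opened.

```python
import io
import tarfile
import zipfile
from dataclasses import dataclass


@dataclass
class FilePolicy:
    """The File blocking options; the values are constructed for this example."""
    blocked_exts: tuple = (".exe", ".scr")        # File extensions to block (leading dot)
    block_archives: bool = True                   # Block archives that contain blocked filetypes
    double_ext_endings: tuple = (".jpg", ".pdf")  # Block files with double extensions ending in


def has_blocked_extension(filename, policy):
    """Case-insensitive match of the file name's ending against the blocked list."""
    name = filename.lower()
    return any(name.endswith(ext.lower()) for ext in policy.blocked_exts)


def has_blocked_double_extension(filename, policy):
    """base.ext1.ext2 counts as a double extension; only ext2 is compared, no wildcards.
    A leading dot (dotfile) still counts, so .image.exe.jpg cannot slip through."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return ("." + parts[-1]) in {e.lower() for e in policy.double_ext_endings}


def archive_members(filename, data):
    """Member file names of a .zip/.tgz/.tar.gz attachment, or None if it is not an
    archive. Unreadable archives raise so the caller decides how to treat them."""
    name = filename.lower()
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    if name.endswith((".tar.gz", ".tgz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            return [m.name for m in tf.getmembers() if m.isfile()]
    return None


def attachment_verdict(policy, filename, data=b""):
    """Return (blocked, reason) for one attachment."""
    if has_blocked_extension(filename, policy):
        return True, f"{filename}: blocked extension"
    if has_blocked_double_extension(filename, policy):
        return True, f"{filename}: blocked double extension"
    if policy.block_archives:
        try:
            members = archive_members(filename, data)
        except (zipfile.BadZipFile, tarfile.TarError):
            return True, f"{filename}: archive could not be read"   # fail closed (assumption)
        for member in members or []:
            if has_blocked_extension(member, policy) or has_blocked_double_extension(member, policy):
                return True, f"{filename}: archive contains {member}"
    return False, ""


def build_zip(files):
    """Constructed in-memory .zip so the example is self-contained."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_targz(files):
    """Constructed in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Note that an entry such as .gz in the double-extension list would also block every legitimate archive.tar.gz, which is the price of the no-wildcard rule: keep that list to endings that are only ever the last part of a disguise.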

Authentication

This tab contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:

Activate SMTP authentication with IMAP server

Tick this checkbox to enable IMAP authentication and to show additional options.

IMAP authentication address

The domain or IP address of the IMAP server.

IMAP authentication port

The port on which the IMAP server is listening, defaults to 143 for plain IMAP or 993 for IMAP over SSL.

Number of authentication daemons

How many concurrent logins are possible through the UTM.

Black and whitelists

In this tab there are a few panels which allow the definition of several custom blacklists and whitelists and the selection and use of existing RBLs.

Sender

Whitelisted

All the e-mails sent from these addresses or domains will be accepted. This is the e-mail From: field.

Blacklisted

All the e-mails sent from these addresses or domains will be rejected. This is the e-mail From: field.

Recipients

Whitelisted

All the e-mails sent to these addresses or domains will be accepted. This is the e-mail To: field.

Blacklisted

All the e-mails sent to these addresses or domains will be rejected. This is the e-mail To: field.

Client

Whitelisted

All the e-mails sent from these IP addresses or hosts will be accepted.

Blacklisted

All the e-mails sent from these IP addresses or hosts will be rejected.

Spam

Whitelisted

All the e-mails sent from these IP addresses or hosts will be accepted.

Blacklisted

All the e-mails sent from these IP addresses or hosts will be rejected.

Realtime Blacklist (RBL)

An often used method to block spam e-mails is the so-called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose of identifying new SMTP servers used to send spam as quickly as possible and blocking them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from there will be rejected without further notice. The use of RBLs saves bandwidth, since the mails are not accepted and then handled like legitimate e-mails, but dismissed as soon as the sender’s IP address or domain is found in any blacklist. The UTM uses many different RBLs, which are divided into IP-based and domain-based. The blacklists that belong to each category are shown by clicking on the small expand icon, and can be enabled or disabled by clicking on the red or green arrow on top of the list, or individually. The homepage of each organisation that compiles a list is reachable by clicking on the list’s name.

Warning

Sometimes it can happen that IP addresses or domains have been wrongly listed by an RBL operator. If this should happen, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without the possibility to recover them. Since there is no possibility to directly influence the RBLs, it is necessary to take into account the policies applied by the organisations that manage the RBLs before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.

Among the blacklists installed are:

bl.spamcop.net

A blacklist based on submissions from its users.

zen.spamhaus.org

This list contains the Spamhaus block list as well as Spamhaus’ exploits block list and its policy block list.

cbl.abuseat.org

The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (e.g., HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms, viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.

[name].dnsbl.sorbs.net and rhsbl.dnsbl.sorbs.net

Several blacklists are supplied by this organisation (replace [name] with safe, relays, spam, or zombie), and can be activated individually or all together by enabling the dnsbl.sorbs.net blacklist.

uceprotect.net

Lists that hold domains of known spam sources for at most seven days. After this period, domains are delisted, but subsequent violations cause the application of more restrictive policies.

The RBLs are grouped into two lists: IP-based and domain-based RBLs. Enter some letters in the text box underneath either list (Search value…) to filter the available RBLs, then click each item that matches your search. To activate all the RBLs in one box, click Select all.
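
The following Python code is an added example, not from the product, of the lookup behind the two RBL categories: an IP-based list is queried with the client’s reversed octets prepended to the zone, a domain-based list with the sender domain prepended, and a listing is signalled by an A record in 127.0.0.0/8. The resolver here is a constructed table with placeholder zones (ipbl.example, rhsbl.example), so nothing is asserted about real operators; the 554 reply text is an assumption.

```python
import ipaddress

# Constructed DNS answers; the zone names are placeholders, not real RBL operators.
FAKE_DNS = {
    "2.2.0.192.ipbl.example": ["127.0.0.2"],
    "spamsource.example.rhsbl.example": ["127.0.0.2"],
}


def dnsbl_query_name(client_ip, zone):
    """IP-based RBL lookup name: reversed octets prepended to the zone, so 192.0.2.2
    checked against zen.spamhaus.org becomes 2.2.0.192.zen.spamhaus.org."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example only builds IPv4 lookup names")
    return ".".join(reversed(str(ip).split("."))) + "." + zone.rstrip(".")


def rhsbl_query_name(domain, zone):
    """Domain-based RBL lookup name: the sender domain prepended to the zone."""
    return domain.lower().rstrip(".") + "." + zone.rstrip(".")


def is_listed(answers):
    """A listing is an A record in 127.0.0.0/8; NXDOMAIN (None here) means not listed."""
    return any(a.startswith("127.") for a in answers or [])


def rbl_check(client_ip, sender_domain, ip_zones, domain_zones, resolve=FAKE_DNS.get):
    """Return the (zone, query name) pairs that listed the client. Keeping the zone
    name in the result makes a wrong listing traceable to the operator responsible."""
    hits = []
    for zone in ip_zones:
        query = dnsbl_query_name(client_ip, zone)
        if is_listed(resolve(query)):
            hits.append((zone, query))
    for zone in domain_zones:
        query = rhsbl_query_name(sender_domain, zone)
        if is_listed(resolve(query)):
            hits.append((zone, query))
    return hits


def smtp_reply(hits):
    """Reply for a client rejected 'without further notice', naming the lists that hit."""
    if not hits:
        return "250 OK"
    zones = ", ".join(zone for zone, _ in hits)
    return f"554 5.7.1 Service unavailable; client blocked using {zones}"
```

Because the rejection happens before any message data is accepted, the only record of a false positive is the proxy’s own log line; logging the zone that produced the hit, as rbl_check does, is what lets an administrator follow up with the right operator after the warning above materialises.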

Domain routing

The page shows a list of domains along with the smarthost responsible for delivering the e-mails to or from those domains. The information shown in the list is the same as that provided when adding a new domain.

To add a new domain, click Add route: a simple form will open, in which the combination domain-mailserver can be created. In the Detail tab these options are available.

Direction

Decide whether the rule will be applied to the domain associated with the e-mail’s sender or recipient.

Domain

The domain this mailserver is responsible for.

Outgoing IP

Choose from the drop-down menu the IP address of the uplink through which the e-mails will be sent.

In the Smarthost tab all options for the smarthost are available, which are the same as those in the Smart host configuration.

Rule’s priority in Domain Routing

Suppose you have set up two rules for domain routing: one with domain mydomain.com as the sender and uplink main as the route, and a second one with domain example.org as the receiver and uplink secondary as the route. What happens to an e-mail that is sent from server foo.mydomain.com to a user on bar.example.org? The answer can be found in how the UTM’s MTA, postfix, processes the e-mails’ sending rules: it first reads all the rules involving the sources, then the rules involving the recipient. Thus, the e-mail that is sent from foo.mydomain.com to bar.example.org will be routed through the secondary uplink.
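
The following Python code is an added example, not the UTM’s or postfix’s own logic, that reproduces the evaluation order just described for the two rules of the scenario: sender rules are applied first, recipient rules afterwards, so a matching recipient rule has the last word. The assumption that a rule for example.org also covers hosts below it (bar.example.org) follows the scenario; the default uplink name is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRoute:
    direction: str   # "sender" or "recipient"
    domain: str
    uplink: str


# The two rules from the scenario above.
ROUTES = [
    DomainRoute("sender", "mydomain.com", "main"),
    DomainRoute("recipient", "example.org", "secondary"),
]


def domain_matches(address_domain, rule_domain):
    """A rule for example.org also covers hosts below it, such as bar.example.org."""
    a = address_domain.lower().rstrip(".")
    r = rule_domain.lower().rstrip(".")
    return a == r or a.endswith("." + r)


def select_uplink(routes, mail_from, rcpt_to, default="main"):
    """Pick the uplink for one message and return it with the rules that fired, in order.
    Sender rules are evaluated first, then recipient rules; a later match overrides."""
    domains = {
        "sender": mail_from.rpartition("@")[2],
        "recipient": rcpt_to.rpartition("@")[2],
    }
    chosen, trace = default, []
    for direction in ("sender", "recipient"):
        for rule in routes:
            if rule.direction == direction and domain_matches(domains[direction], rule.domain):
                chosen = rule.uplink
                trace.append(f"{direction} rule {rule.domain} -> {rule.uplink}")
    return chosen, trace
```

The trace is the useful part when a message leaves through an unexpected uplink: it shows which sender rule matched and which recipient rule then overrode it.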

Mail routing

This option sends a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list shows the direction, the address and the BCC address, if any, and the available actions.

To add a new mail route, click the Add route button. In the form that opens these options can be configured:

Direction

Select from the drop-down menu whether the mail route should be defined for the Sender or Recipient of the e-mail.

Mail address

Depending on the direction chosen, this will be the e-mail address of the recipient or sender to which the route should be applied.

BCC address

The e-mail address that receives the copy of the e-mails.

Warning

Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries it is highly illegal to read other people’s private messages, so please do not misuse or abuse this feature.

Smart host

In this tab a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or an ADSL dialup Internet connection, there can be trouble sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL (see Black- & Whitelists above) and therefore the remote mail server might refuse the e-mails. Hence, it becomes necessary to use a smarthost for sending e-mails.

Activate smarthost for delivery

Tick this checkbox to enable a smarthost for delivering e-mails and to show additional options.

Smarthost address

The IP address or hostname of the smarthost.

Smarthost port

The port on which the smarthost is listening, defaults to 25.

Smarthost requires authentication

Tick this checkbox if the smarthost requires authentication. The next three extra options are then shown.

Authentication method

The authentication methods required by the smarthost: PLAIN, LOGIN, CRAM, and DIGEST-MD5 are supported. Select the method or methods supported by the smarthost or click Select all in case all are accepted.

Username

The username used for authentication on the smarthost.

Password

The password used for authentication on the smarthost.
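
The following Python code is an added example, not from the product, showing what each of the smarthost authentication methods above puts on the wire, which matters given the note at the top of this page that a smarthost connection from the proxy cannot use SSL/TLS or STARTTLS. PLAIN and LOGIN carry the password itself, only base64-encoded; CRAM is taken here to mean CRAM-MD5 (RFC 2195, an assumption), where the client returns an HMAC over a server challenge and the password never leaves the client. The credentials, the challenge and the host name are constructed; DIGEST-MD5 is not shown.

```python
import base64
import hashlib
import hmac

# Constructed credentials for the example.
USERNAME = "alice"
PASSWORD = "s3cret-example"


def new_challenge(pid, timestamp, host):
    """Server-generated CRAM-MD5 challenge in the usual "<pid.timestamp@host>" form, base64."""
    return base64.b64encode(f"<{pid}.{timestamp}@{host}>".encode()).decode()


CHALLENGE_B64 = new_challenge(1896, 697170952, "smarthost.example")   # constructed


def sasl_plain(username, password, authzid=""):
    """AUTH PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def decode_plain(response_b64):
    """Why PLAIN needs an encrypted link: whoever captures the line recovers the password."""
    authzid, authcid, password = base64.b64decode(response_b64).decode().split("\0")
    return authzid, authcid, password


def sasl_login_steps(username, password):
    """AUTH LOGIN: the server prompts for username, then password, each answered in base64."""
    return [base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def cram_md5_response(username, password, challenge_b64):
    """AUTH CRAM-MD5 client side: "user HMAC-MD5(password, challenge)" in hex, base64-wrapped.
    Only the keyed digest crosses the wire, so a captured exchange cannot be reused
    against a different challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge_b64, lookup_password):
    """Smarthost side of CRAM-MD5: recompute the HMAC from the stored password and
    compare in constant time. The server must hold the password in recoverable form,
    which is the known drawback of this mechanism."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```

When the smarthost offers several methods and Select all is ticked, the proxy and the smarthost negotiate one of them; on a link that cannot be encrypted, leaving only CRAM-MD5 or DIGEST-MD5 selected is the way to keep the smarthost password off the wire.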