8.9. Mail Security

Using the Mail security section, you can configure the checking of transit email traffic for spam messages. POP3(S) and SMTP(S) email protocols are supported. The mail security feature requires that the UserGate license include the corresponding module.

Protection is normally required for the incoming email traffic from the Internet to the company's internal mail servers and sometimes for the outgoing email traffic from servers or user computers.

To protect the incoming email traffic from the internet to the mail servers, follow these steps:

Task

Description

Step 1. Publish the mail server to the Internet.

See the section DNAT Rules. It is recommended to create separate DNAT rules for the SMTP and POP3 protocols instead of publishing both using the same rule. Make sure to specify the SMTP protocol as the service and not TCP.

Step 2. Allow the SMTP(S) and POP3(S) services in the Internet-connected zone.

See the section Zone Configuration.

Step 3. Create the mail security rules.

Create the desired mail security rules. The creation of these rules is described in more detail later in this chapter.

When there is no need to publish the mail server, protecting email traffic amounts to the following steps:

Task

Description

Step 1. Create the mail security rules.

Create the desired mail security rules. The creation of these rules is described in more detail later in this chapter.

To configure an email traffic filtering rule, go to the Security policies --> Mail security section, click Add, and fill in the rule's fields.

Note

The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note

If there are no rules created, email traffic is not checked.

Note

For a rule to be triggered, all conditions specified in the rule's settings must match.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Action

The action applied to the email traffic when all of the rule's conditions match:

  • Pass: passes the traffic as is.

  • Mark: marks email messages with a special tag in the message subject or an additional field.

  • Drop with error: blocks the email and reports a delivery error, to the sending SMTP server for SMTP(S) traffic or to the POP3 client for POP3(S) traffic.

  • Drop without error: blocks the email without a notification to that effect.

Checking

The method used to check email traffic:

  • UserGate antispam check: checks email traffic for spam.

  • DNSBL: checks the sending server's IP address against DNS-based blocklists (DNSBL). This is only applicable to SMTP traffic. Because the check needs nothing but the connecting server's IP address, a server listed as a spam source is rejected at the SMTP connection establishment stage, before any message is received, which substantially reduces the load on the other antispam mechanisms.

Header

The field where the marking tag is placed.

Mark

The text of the tag used to mark emails.

Source

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source.

The URL list must include only domain names. UserGate resolves the domain names to IP addresses every 5 minutes and keeps the result in an internal cache for the DNS record's time-to-live (TTL); when the TTL expires, the cached IP address is updated automatically.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! The Source condition is evaluated as follows:

  • logical OR if several IP lists and/or domain lists are specified: the source must match at least one of them;

  • logical AND if GeoIP and IP and/or domain lists are both specified: the source must match the GeoIP and at least one of the lists.

Destination

The IP addresses, GeoIP, or URL (host) lists of the traffic destination.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! The Destination condition is evaluated as follows:

  • logical OR if several IP lists and/or domain lists are specified: the destination must match at least one of them;

  • logical AND if GeoIP and IP and/or domain lists are both specified: the destination must match the GeoIP and at least one of the lists.

Users

The users or user groups to which this rule will be applied.

Service

The email protocol (POP3 or SMTP) to which this rule applies.

Envelope from

The sender's email address specified in the Envelope from field. Only for the SMTP protocol.

Envelope to

The recipient's email address specified in the Envelope to field. Only for the SMTP protocol.
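The rule evaluation semantics described in the notes above (rules tried top to bottom, only the first rule whose conditions all match is applied, no rules means no checking) and the Source and Mark fields can be checked against a small model. The following Python script is an added example and not UserGate code: it models the first-match evaluation, the Source logic (OR across IP lists, AND between GeoIP and those lists) and the Mark action writing a tag into the Subject or into an additional header. The GeoIP table, the spam verdict carried on the message object instead of coming from an antispam engine, the rule names, the header name X-Spam-Flag and the tag [SPAM] are assumptions made for the example.

```python
# Added example, not UserGate code: a model of first-match mail security rule
# evaluation with the Source logic and Mark action described on this page.
# Assumptions: the antispam verdict is carried on the message (is_spam) instead
# of coming from an engine, the GeoIP table is constructed, and the header
# name "X-Spam-Flag" and the tag "[SPAM]" are illustrative.
from dataclasses import dataclass, field
from email.message import EmailMessage
import ipaddress

# Constructed GeoIP table standing in for the product's GeoIP database.
GEOIP = {"198.51.100.7": "US", "203.0.113.9": "RU", "192.0.2.44": "DE"}


@dataclass
class Rule:
    name: str
    action: str                     # "pass" | "mark" | "drop_error" | "drop_silent"
    service: str = "smtp"           # "smtp" | "pop3"
    src_ip_lists: list = field(default_factory=list)   # several lists of CIDRs
    src_geoip: list = field(default_factory=list)      # country codes
    envelope_from: list = field(default_factory=list)  # sender domains, SMTP only
    header: str = "subject"         # "subject" or the name of an added header
    mark: str = "[SPAM]"
    enabled: bool = True


@dataclass
class Mail:
    service: str
    src_ip: str
    envelope_from: str
    msg: EmailMessage
    is_spam: bool                   # antispam verdict, constructed for the example


def source_matches(rule: Rule, src_ip: str) -> bool:
    """Source condition: OR across IP lists, AND between GeoIP and the lists."""
    ip = ipaddress.ip_address(src_ip)
    list_ok = not rule.src_ip_lists or any(
        ip in ipaddress.ip_network(cidr) for lst in rule.src_ip_lists for cidr in lst)
    geo_ok = not rule.src_geoip or GEOIP.get(src_ip) in rule.src_geoip
    return list_ok and geo_ok


def rule_matches(rule: Rule, mail: Mail) -> bool:
    """All conditions must hold; an empty condition matches any value."""
    if not rule.enabled or rule.service != mail.service:
        return False
    if not source_matches(rule, mail.src_ip):
        return False
    if rule.envelope_from and mail.service == "smtp":
        domain = mail.envelope_from.rsplit("@", 1)[-1].lower()
        if domain not in rule.envelope_from:
            return False
    return True


def apply_mark(rule: Rule, msg: EmailMessage) -> None:
    """Mark action: prefix the Subject or add a separate header field."""
    if rule.header.lower() == "subject":
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"{rule.mark} {subject}".strip()
    else:
        msg[rule.header] = rule.mark


def evaluate(rules: list, mail: Mail) -> tuple:
    """Apply the first rule whose conditions all match; no rule means no check."""
    for rule in rules:
        if not rule_matches(rule, mail):
            continue
        if rule.action == "pass" or not mail.is_spam:
            return rule.name, "pass"
        if rule.action == "mark":
            apply_mark(rule, mail.msg)
            return rule.name, "marked"
        return rule.name, rule.action   # "drop_error" or "drop_silent"
    return None, "unchecked"


def make_mail(src_ip: str, sender: str, spam: bool, service: str = "smtp") -> Mail:
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("constructed message body")
    return Mail(service, src_ip, sender, msg, spam)


# Specific exception first, general marking rule after it, POP3 rule last.
RULES = [
    Rule("partner-pass", "pass", src_ip_lists=[["198.51.100.0/24"]],
         envelope_from=["partner.example"]),
    Rule("mark-all", "mark", header="subject"),
    Rule("pop3-mark", "mark", service="pop3", header="X-Spam-Flag", mark="YES"),
]

if __name__ == "__main__":
    m = make_mail("203.0.113.9", "bob@free.example", spam=True)
    print(evaluate(RULES, m), "|", m.msg["Subject"])
    # Same partner message with the general rule moved above the exception:
    p = make_mail("198.51.100.7", "alice@partner.example", spam=True)
    print(evaluate([RULES[1], RULES[0]], p), "|", p.msg["Subject"])
```

Swapping the first two rules is the ordering mistake the note warns about: the general Mark rule matches every SMTP message, so the partner exception below it is never reached and partner mail gets tagged.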

The recommended spam protection settings are summarized below.

For the SMTP(S) protocol:

  • First rule in the list: DNSBL. It is recommended to leave the Envelope from/Envelope to lists empty. In that case, DNSBL will reject connections from SMTP servers known to send spam before they are established. If these fields contain recipient email addresses, the system will have to receive the messages in full to analyze the fields, which will increase the server load and reduce the email traffic checking performance.

  • Second rule: Mark emails using UserGate antispam check. Here you can use any exceptions, including Envelope from/Envelope to.

For the POP3(S) protocol:

  • Action: Mark.

  • Checking: UserGate antispam check.
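The DNSBL mechanism behind the first recommended SMTP rule, as an added example that is not UserGate's implementation. It shows how a DNSBL lookup is built (the connecting server's IPv4 octets reversed and prepended to the list's zone name; a listing is an A record in 127.0.0.0/8 whose last octet carries a list-specific reason code) and why a rule without Envelope from/Envelope to conditions can refuse a listed server with its very first reply, while a rule with envelope conditions forces the session to continue until those fields have been received. The resolver is a constructed dictionary so the script runs offline; the zone name dnsbl.example, the SMTP reply texts and the toy session handler are illustrative assumptions.

```python
# Added example, not UserGate's implementation: how a DNSBL check works and why
# it can reject a listed sender at SMTP connection time, before any envelope or
# message data is read. The resolver is a constructed dictionary so the example
# runs offline; the zone name "dnsbl.example", the reply texts and the toy
# session handler are illustrative assumptions.
import ipaddress

DNSBL_ZONE = "dnsbl.example"

# Constructed resolver answers: query name -> A records; None means NXDOMAIN.
FAKE_DNS = {
    "9.113.0.203.dnsbl.example": ["127.0.0.2"],   # listed as a spam source
    "7.100.51.198.dnsbl.example": None,           # not listed
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """DNSBL lookup name: the client's octets in reverse order, then the zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 lookups only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip: str, resolve=FAKE_DNS.get):
    """Return the listing code (an address in 127.0.0.0/8) or None if not listed.

    Only 127/8 answers count as a listing; anything else (a wildcarded or
    misconfigured zone) is treated as 'not listed' so it cannot block all mail.
    """
    for answer in resolve(dnsbl_query_name(ip)) or []:
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


def reject_reply(client_ip: str, code: str) -> str:
    return f"554 5.7.1 {client_ip} listed in {DNSBL_ZONE} ({code})"


def smtp_session(client_ip: str, client_lines: list, envelope_rule: bool = False) -> list:
    """Server replies for a toy SMTP session.

    envelope_rule=False: the DNSBL rule has no Envelope from/to conditions, so a
    listed client is refused with the first reply and nothing else is read.
    envelope_rule=True: the rule also carries envelope conditions, so the
    session must proceed at least until the envelope is known (this model
    decides at RCPT TO; the page notes that UserGate receives the message
    before deciding, which is later still).
    """
    listed = dnsbl_listed(client_ip)
    if listed and not envelope_rule:
        return [reject_reply(client_ip, listed)]
    replies = ["220 mail.example ESMTP"]
    for line in client_lines:
        verb = line.split(None, 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example")
        elif verb == "MAIL":
            replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            if listed:                      # envelope is known now
                replies.append(reject_reply(client_ip, listed))
                break
            replies.append("250 2.1.5 Ok")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("500 Unknown command")
    return replies


# Constructed client side of a session, up to the point where data would be sent.
SESSION = ["EHLO relay.spammer.example", "MAIL FROM:<x@spammer.example>",
           "RCPT TO:<ceo@corp.example>", "QUIT"]

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.9"))
    for ip, env in (("203.0.113.9", False), ("203.0.113.9", True), ("198.51.100.7", False)):
        print(ip, "envelope_rule" if env else "connect", smtp_session(ip, SESSION, env))
```

The listed client costs one reply when the DNSBL rule has no envelope conditions; with envelope conditions the same client gets the banner, the EHLO and MAIL FROM exchanges and only then the refusal, which is the extra load the recommendation avoids. Treating only 127.0.0.0/8 answers as a listing matters in practice: a zone that starts answering with public addresses would otherwise refuse every connection.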