Mail Security

When email traffic checking is configured, NGFW can check SMTP and POP3 traffic. IMAP is not supported, even when SSL inspection is configured.
Encrypted traffic of these protocols can also be checked.

Two types of checks are supported:

  • Blocking SMTP when the sender's server IP address is present in one of the DNSBL databases; this is the most effective method to cut off messages from obvious spammers quickly and with minimal resource usage;

  • Marking email messages based on the antispam check results; also requires a license for the Mail security module.

Attention! It is NOT recommended to block SMTP based on the results of the antispam check. The recommended way is to have the "Spam/Not Spam" decision made by the email server (or additional antispam software) and to use the marking provided by UserGate NGFW as one of its criteria, with a heavier weight assigned.


You can display the antispam module's statistics in the Dashboard by adding the "Mail protection summary" or "Mail protection graphs" widgets.

You can configure both a white list and a black list of IP addresses in the antispam settings. These are specifically IP addresses from which connections are rejected immediately (for black lists) without analyzing any further data. In the rules, you can add address lists on the Envelope from / Envelope to tabs. A rule works as a black list when its action is Block and as a white list when its action is Pass.

You can use the * character to denote "any", i.e., *@domain.com means all addresses from this domain.

Using the Mail security section, you can configure the checking of transit email traffic for spam messages. POP3(S) and SMTP(S) email protocols are supported. The mail security feature requires that the NGFW license include the corresponding module.

Protection is normally required for the incoming email traffic from the Internet to the company's internal mail servers and sometimes for the outgoing email traffic from servers or user computers.

To protect the incoming email traffic from the internet to the mail servers, follow these steps:


Step 1. Publish the mail server to the Internet.

See the DNAT Rules section. It is recommended to create separate DNAT rules for the SMTP and POP3 protocols instead of publishing both with the same rule. Make sure to specify SMTP as the rule's service, not TCP.

Step 2. Allow the SMTP(S) and POP3(S) services in the Internet-connected zone.

See the Zone Configuration section.

Step 3. Create the mail security rules.

Create the desired mail security rules. The creation of these rules is described in more detail later in this chapter.

When there is no need to publish the mail server, protecting email traffic amounts to the following steps:


Step 1. Create the mail security rules.

Create the desired mail security rules. The creation of these rules is described in more detail later in this chapter.

To configure an email traffic filtering rule, go to the Security policies ➜ Mail security section, click Add, and fill in the rule's fields.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note If there are no rules created, email traffic is not checked.

Note For a rule to be triggered, all conditions specified in the rule's settings must match.


Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Action

The action applied to the email traffic when all of the rule's conditions match:

  • Pass: passes the traffic as is.

  • Mark: marks email messages with a special tag in the message subject or an additional field.

  • Drop with error: blocks the email and reports a delivery error to the SMTP server for SMTP(S) traffic or to the POP3 client for POP3(S) traffic.

  • Drop without error: blocks the email without a notification.

Enable logging

Enable the logging of rule triggers in the Mail security log.

Checking

The method used to check email traffic:

  • UserGate antispam check: checks email traffic for spam.

  • DNSBL check: checks for spam using DNSBL. This applies only to SMTP traffic. When email traffic is checked using DNSBL, the IP address of an SMTP server used to send spam is blocked at the SMTP connection establishment stage, which substantially reduces the load on the other antispam mechanisms.

Header

The field where the marking tag is placed.

Mark

The text of the tag used to mark emails.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Destination

The IP addresses, Geo-IP, or URL (host) lists of the traffic destination.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Users

The users or user groups to which this rule will be applied.

Service

The email protocol (POP3 or SMTP) to which this rule will be applied.

Envelope from

The sender's email address specified in the Envelope from field. Only for the SMTP protocol.

Envelope to

The recipient's email address specified in the Envelope to field. Only for the SMTP protocol.

The recommended spam protection settings are summarized below.

For the SMTP(S) protocol:

  • First rule in the list: blocking with DNSBL. It is recommended to leave the Envelope from/Envelope to lists empty. In that case, DNSBL rejects connections from SMTP servers known to send spam before they are established. If these fields contain addresses, the system has to receive each message in full to analyze the fields, which increases the server load and reduces the email traffic checking performance.

  • Second rule: Mark emails using UserGate antispam check. Here you can use any exceptions, including Envelope from/Envelope to.

For the POP3(S) protocol:

  • Action: Mark.

  • Checking: UserGate antispam check.
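As an added illustration (not UserGate's own code), the Python model below shows how the rule semantics described on this page combine: rules are evaluated top to bottom and the first rule whose conditions all match wins, several address lists in Source are ORed while GeoIP is ANDed with them, `*` in Envelope from/to means "any", and the recommended SMTP layout places a DNSBL block rule ahead of the Mark rule. The DNSBL zone, addresses, domains, rule names and spam verdicts are constructed; how a Pass rule interacts with the check is an assumption stated in the code.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for a DNSBL zone; a real check resolves <reversed-ip>.<zone> via DNS.
DNSBL_ZONE = "dnsbl.example"
DNSBL_LISTED = {"4.3.2.1." + DNSBL_ZONE}          # sender 1.2.3.4 is listed (sample value)

def dnsbl_listed(ip, zone=DNSBL_ZONE):
    # The connecting SMTP server's IP is reversed octet by octet and looked up in the zone.
    return (".".join(reversed(ip.split("."))) + "." + zone) in DNSBL_LISTED

def source_matches(rule, conn):
    # Several IP/domain lists are ORed; a GeoIP list is ANDed with them.
    lists, geo = rule.get("src_lists"), rule.get("src_geo")
    list_ok = any(conn["ip"] in l for l in lists) if lists else True
    geo_ok = conn["country"] in geo if geo else True
    return list_ok and geo_ok

def envelope_matches(patterns, address):
    # An empty list means "any"; "*@domain.com" matches every address in that domain.
    return not patterns or any(fnmatchcase(address.lower(), p.lower()) for p in patterns)

def evaluate(rules, conn, mail):
    """First enabled rule whose conditions all hold wins; no match means traffic passes."""
    for r in rules:
        if not r.get("enabled", True) or r["service"] != conn["service"]:
            continue
        if not (source_matches(r, conn)
                and envelope_matches(r.get("env_from", []), mail["from"])
                and envelope_matches(r.get("env_to", []), mail["to"])):
            continue
        # Assumption: a Pass rule applies on its conditions alone; Mark/Drop need a check hit.
        if r["action"] != "Pass":
            if r["check"] == "dnsbl" and not dnsbl_listed(conn["ip"]):
                continue
            if r["check"] == "antispam" and not mail["spam"]:   # verdict modelled as a flag
                continue
        return r["action"], r["name"]
    return "Pass", None

# Recommended SMTP layout: DNSBL first, a Pass exception (white list), then antispam marking.
RULES = [
    {"name": "DNSBL block", "service": "SMTP", "check": "dnsbl", "action": "Drop with error"},
    {"name": "Partner whitelist", "service": "SMTP", "check": "antispam", "action": "Pass",
     "env_from": ["*@partner.example"]},
    {"name": "Mark spam", "service": "SMTP", "check": "antispam", "action": "Mark",
     "env_to": ["*@corp.example"]},
]

print(evaluate(RULES, {"service": "SMTP", "ip": "1.2.3.4", "country": "XX"},
               {"from": "a@b.example", "to": "x@corp.example", "spam": False}))
```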