SMTP

Changed in version 2.5-armel: Removed Commtouch since there is no Commtouch’s version for ARM platforms.

New in version 3.0.5-2015-July: a couple of options to handle files with double extensions.

The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.

Note

The SMTP proxy supports encryption, but when an external smarthost is used as the proxy's outgoing server, neither SSL/TLS nor STARTTLS can be used on that connection.

The purpose of the SMTP proxy is to control and optimise SMTP traffic and to protect the local networks from threats carried over SMTP. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for outgoing e-mails. It is also used when a mail server runs in the LAN (GREEN zone) or in the DMZ (ORANGE zone) and e-mails can reach that server from outside the local network (incoming requests), that is, when clients are allowed to send e-mails from the RED interface.

To download mail from a remote mail server to a local e-mail client, the POP3 or IMAP protocol is used. To protect that traffic as well, enable the POP3 proxy in Menubar ‣ Proxy ‣ POP3.

Warning

Scanning of IMAP traffic is currently not supported.

With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary, and in that case both the receiving user and the administrator are notified. Since incoming e-mails can be scanned, the e-mail proxy can accept incoming connections on the RED interface and pass the e-mails to one or more internal mail servers. Hence, it is possible to run one's own mail server behind the firewall without defining port forwarding rules.

The SMTP proxy configuration is split into six tabs, each one tailored to one aspect of the SMTP proxy.

Configuration

This is the main configuration page for the SMTP proxy. The SMTP proxy is enabled by clicking on the toggle switch. When enabled, it can be chosen for each active zone whether the SMTP proxy should be active, inactive, or transparent:

active
The SMTP proxy is enabled for the zone and accepts requests on port 25.
transparent mode
If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on the clients. This option is not available for the RED zone.
inactive
The SMTP proxy is not enabled for that zone.

Additional options are available, grouped in five panels. Each panel can be expanded by clicking on the expand icon or hidden by clicking on the collapse icon.

Spam settings

In this panel the software used by the Endian UTM Appliance to recognise and filter out spam is configured, through the following options:

Filter mail for spam
Enable the mail spam filter and allow the configuration of the additional options that will appear below.
Choose spam handling

There are four actions that can be carried out on e-mails that have been recognised as spam:

  • move to default quarantine location: The spam e-mails will be moved to the default location.
  • send to quarantine email address: Spam e-mails are forwarded to a custom e-mail address that can be specified in the Spam quarantine email address textbox that will appear upon selecting this option.
  • mark as spam: The e-mail is marked as spam before delivery.
  • drop email: The spam e-mail is immediately deleted.

Changed in version 2.5: The possibility to specify a custom location in which to store spam e-mails has been removed.

New in version 3.0: The drop email option.

Spam subject
A prefix applied to the subject of all e-mails marked as spam.
Email used for spam notifications (spam admin)
The e-mail address that will receive a notification for each processed spam e-mail.
Spam tag level
If SpamAssassin’s spam score is greater than this number, the X-Spam-Status and X-Spam-Level headers are added to the e-mail.
Spam mark level
If SpamAssassin’s spam score is greater than this number, the Spam subject and X-Spam-Flag headers are added to the e-mail.
Spam quarantine level
Any e-mail that exceeds this spam score will be moved to the quarantine location.
Send notification only below level
Send notification e-mails only if the spam score is below this number.
Spam filtering
Enable greylisting for incoming e-mails and show the next option.
Delay for greylisting (sec)
The greylisting delay in seconds can be a value between 30 and 3600.
Spam report
Tick the checkbox to add a report to the body of e-mails that are recognised as spam.
Japanization
Tick this box to activate the support for Japanese character sets in e-mails and filter Japanese spam e-mails.
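The four score thresholds above are easy to confuse, so here is an added example (not Endian's code) that applies them in the order the panel describes: tag level adds X-Spam-Status and X-Spam-Level, mark level adds X-Spam-Flag and the subject prefix, quarantine level diverts the message, and the notification ceiling suppresses admin notifications for very high scores. The threshold values, the prefix and the sample scores are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not Endian code: how the SpamAssassin score thresholds in the
# Spam settings panel interact. The threshold values below are assumptions.
@dataclass(frozen=True)
class SpamLevels:
    tag: float = 2.0            # above this: X-Spam-Status and X-Spam-Level are added
    mark: float = 5.0           # above this: subject prefix and X-Spam-Flag are added
    quarantine: float = 10.0    # above this: the message goes to quarantine
    notify_below: float = 15.0  # spam admin is notified only if the score is below this
    subject_prefix: str = "***SPAM***"

def classify(score: float, subject: str, levels: SpamLevels = SpamLevels()) -> dict:
    """Return the action, the headers to add, the rewritten subject and whether
    the spam admin gets a notification for a message with this score."""
    headers: dict[str, str] = {}
    new_subject = subject
    if score > levels.tag:
        # SpamAssassin renders the score as one '*' per whole point
        headers["X-Spam-Level"] = "*" * max(0, int(score))
        headers["X-Spam-Status"] = f"{'Yes' if score > levels.mark else 'No'}, score={score:.1f}"
    if score > levels.mark:
        headers["X-Spam-Flag"] = "YES"
        new_subject = f"{levels.subject_prefix} {subject}"
    if score > levels.quarantine:
        action = "quarantine"
    elif score > levels.mark:
        action = "deliver-marked"
    else:
        action = "deliver"
    # Only recognised spam is reported, and only while the score stays below the ceiling
    notify = score > levels.mark and score < levels.notify_below
    return {"action": action, "headers": headers, "subject": new_subject, "notify": notify}
```

Note that a message scoring between the tag and mark levels is delivered untouched apart from the two informational headers; only above the mark level does the user-visible subject change, and only above the quarantine level does the message stop reaching the user at all.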

Note

While most simple and well-known spam messages, and mail sent by known spam hosts, are blocked, spammers constantly adapt their messages to circumvent spam filters. It is therefore necessary to keep training the spam filter, so that its Bayesian classifier becomes stronger and tailored to the site's own mail.

Virus settings

In this panel a few options can be configured to manage any virus found.

Scan mail for virus
Enable the filtering of e-mails for viruses and reveal the additional virus filter options.
Choose virus handling

There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails in which a virus has been found. They mirror those in the Spam settings above:

  • move to default quarantine location: any e-mail containing a virus will be moved to the default quarantine location.
  • send to quarantine email address: e-mails containing a virus are forwarded to a custom e-mail address that can be specified in the Virus quarantine email address textbox that will appear upon selecting this option.
  • pass to recipient (regardless of bad contents): e-mails containing a virus will be delivered normally.
  • drop email: The e-mail containing a virus is immediately deleted.

Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing viruses has been removed.

New in version 3.0: The drop email option.

Email used for virus notifications (virus admin)
The e-mail address that will receive a notification for each processed e-mail containing a virus.

File settings

This panel contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.

Block files by extension
Activate the extension-based filtering of attachments and reveal the additional file filter options.
Choose handling of blocked files

There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails whose attachments have been blocked (they are the same as in the Spam settings and Virus settings panels above):

  • move to default quarantine location: e-mails containing blocked files will be moved to the default quarantine location.
  • send to quarantine email address: e-mails containing blocked files are forwarded to a custom e-mail address that can be specified in the Email used for blocked file notifications textbox that will appear upon selecting this option.
  • pass to recipient (regardless of blocked files): e-mails containing blocked files will be delivered normally.

Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing blocked files has been removed.

Choose filetypes to block (by extension)

The file extensions to be blocked.

Hint

Hold down the CTRL key and click on the left mouse button to select multiple extensions.

Email used for blocked file notifications (file admin)
The e-mail address that will receive a notification for each processed e-mail containing blocked attachments.
Block archives that contain blocked filetypes

Tick the checkbox to block every archive that contains files with a blocked extension.

Hint

If Program (.exe) has been chosen as one filetype to block, any .zip, .tar.gz, or another archive containing a file ending in .exe will be blocked.

Block files with double extension
Enable the blocking of files with a double extension. When ticked, the next option (a textarea with the same label) will appear.
Block files with double extension

In this textarea it is possible to write, one per line, all the extensions that should be blocked when they appear as the second (i.e., final) extension of a file name. Leaving the textarea empty has the same effect as disabling the previous option. No wildcards are allowed.

Hint

The entry .jpg will block any file with extensions exe.jpg or bat.jpg, but will allow files with extensions jpg.exe, jpg.bat.

Note

Files with double extensions are often used to disguise malicious files as harmless images or documents: when such a file is opened, an application runs whose purpose is to harm the computer or steal personal data. A file with a double extension looks like a normal file, but its name (e.g., image.jpg) is followed by a second, executable extension such as .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll (e.g., image.jpg.exe).
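To make the three File settings rules concrete (block by extension, block archives containing blocked types, block by second extension), here is an added example in Python; it is not Endian's code and it does not reproduce the appliance's implementation. The extension lists are assumptions, only ZIP archives are inspected (the hint above also mentions .tar.gz), and the sample archive is constructed in memory.

```python
from __future__ import annotations
import io
import zipfile
from pathlib import PurePosixPath

# Added example, not Endian code. Lists below are assumed settings:
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat"}   # "Choose filetypes to block (by extension)"
DOUBLE_EXT_SECOND = {".jpg", ".pdf"}            # "Block files with double extension" textarea
ARCHIVE_EXTENSIONS = {".zip"}                   # archives this example can open

def extensions(name: str) -> list[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.JPG.exe' -> ['.jpg', '.exe']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]

def blocked_by_extension(name: str) -> bool:
    ext = extensions(name)
    return bool(ext) and ext[-1] in BLOCKED_EXTENSIONS

def blocked_double_extension(name: str) -> bool:
    """Documented semantics: the listed entry must be the final (second) extension,
    so '.jpg' catches 'file.exe.jpg' but not 'file.jpg.exe'."""
    ext = extensions(name)
    return len(ext) >= 2 and ext[-1] in DOUBLE_EXT_SECOND

def archive_members(data: bytes) -> list[str]:
    """File names inside a ZIP; names are readable even when the archive is encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]

def check_attachment(name: str, data: bytes, block_archives: bool = True) -> tuple[str, str]:
    """Return ('block' | 'pass', reason) for one attachment."""
    if blocked_by_extension(name):
        return "block", f"{name}: blocked extension"
    if blocked_double_extension(name):
        return "block", f"{name}: double extension"
    ext = extensions(name)
    if block_archives and ext and ext[-1] in ARCHIVE_EXTENSIONS:
        try:
            members = archive_members(data)
        except zipfile.BadZipFile:
            return "block", f"{name}: unreadable archive"   # assumption: fail closed
        for member in members:
            # nested archives are not recursed into; that is a deliberate limit here
            if blocked_by_extension(member) or blocked_double_extension(member):
                return "block", f"{name}: archive contains {member}"
    return "pass", f"{name}: ok"

def make_zip(files: dict[str, bytes]) -> bytes:
    """Build a constructed ZIP in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()
```

Two practical consequences follow from the rule. First, to catch the image.jpg.exe case described in the note, either .exe must be in the plain extension list or .exe must be listed in the double-extension textarea; listing .jpg there does not help, because .jpg is the first extension in that name. Second, an entry such as .gz in the double-extension textarea would also block legitimate .tar.gz attachments, so the list should be kept to extensions that are never expected as the last part of a benign name.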

It is necessary to configure the e-mail domains for which each local server should be responsible. The list of combinations domain-SMTP server can be defined under Menubar ‣ Proxy ‣ SMTP ‣ Incoming domains.

Quarantine settings

There is only one option in this panel:

Quarantine retention time (in days)

The number of days that the e-mail will be stored in the special quarantine location on the Endian UTM Appliance before being automatically deleted.

Hint

The e-mails stored in the quarantine can be managed in the Mail Quarantine, located at Menubar ‣ Services ‣ Mail Quarantine.

Bypass transparent proxy

In the last panel custom lists of sources and destinations can be defined for which the transparent proxy should be disabled.

Bypass transparent proxy from SUBNET/IP/MAC
E-mails sent from these sources are not subject to the transparent proxy.
Bypass transparent proxy to SUBNET/IP
E-Mails sent to these destinations are not subject to the transparent proxy.

Black- & Whitelists

In this page there are four panels: three allow the definition of several custom black- and whitelists, while the fourth allows the selection and use of existing RBLs.

Accepted mail (Black- & Whitelists)

In the first panel any number of domains, sub-domains, or single e-mail addresses to be white- or blacklisted can be entered. For both of the lists any number of senders, recipients, and clients can be entered in the appropriate textareas, as follows:

Whitelist sender
All the e-mails sent from these addresses or domains will be accepted. This is the e-mail From: field.
Blacklist sender
All the e-mails sent from these addresses or domains will be rejected. This is the e-mail From: field.
Whitelist recipient
All the e-mails sent to these addresses or domains will be accepted. This is the e-mail To: field.
Blacklist recipient
All the e-mails sent to these addresses or domains will be rejected. This is the e-mail To: field.
Whitelist client
All the e-mails sent from these IP addresses or hosts will be accepted.
Blacklist client
All the e-mails sent from these IP addresses or hosts will be rejected.

Realtime Blacklist (RBL)

A widely used method to block spam e-mails is the so-called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose of identifying, as quickly as possible, new SMTP servers used to send spam and blocking them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from there will be rejected without further notice. The use of RBLs saves bandwidth, since the mails are not accepted and then handled like legitimate e-mails, but rather dismissed as soon as the sender's IP address or domain is found in any blacklist. The Endian UTM Appliance uses many different RBLs, divided into IP-based and domain-based ones. The blacklists belonging to each category are shown by clicking on the small expand icon, and can be enabled or disabled all together by clicking on the red or green arrow on top of the list, or individually. The homepage of each organisation that compiles a list is reachable by clicking on the list's name.

Warning

Sometimes IP addresses or domains are wrongly listed by an RBL operator. If this happens, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without any possibility of recovering them. Since there is no way to directly influence the RBLs, the policies applied by the organisations that manage them must be taken into account before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.

Among the blacklists installed, there are:

bl.spamcop.net
A blacklist based on submissions from its users.
zen.spamhaus.org
This list replaces the old sbl-xbl.spamhaus.org and contains the Spamhaus block list as well as Spamhaus’ exploits block list and its policy block list.
cbl.abuseat.org
The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (e.g., HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms, viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.
[name].dnsbl.sorbs.net and rhsbl.dnsbl.sorbs.net
Several blacklists are supplied by this organisation (replace [name] with safe, relays, etc.), and can be activated individually or all together by enabling the dnsbl.sorbs.net blacklist.
uceprotect.net
Lists that hold known spam sources for at most seven days. After this period the entries are delisted, but subsequent violations cause more restrictive policies to be applied.
dsn.rfc-ignorant.org

This is a list of domains or IP networks whose administrators choose not to comply with the RFCs, the standards of the Internet.

Note

The rfc-ignorant.org site has shut its service down on the 30th of November 2012 (see the announcement), but its content has been inherited by people at http://www.rfc-ignorant.de/. Their work, however, has not yet produced working RBLs as of today (November 2013).

Note

Advanced users can modify the list from the CLI, editing the /var/efw/smtpscan/settings file, and modify the RBL variable.

Changed in version 2.5: In previous versions, the file to modify was /var/efw/smtpscan/RBL, with the file /var/efw/smtpscan/default/RBL to be used as a draft.

The RBLs are grouped into two boxes. On the left-hand side there are IP-based RBLs, while on the right-hand side there are domain-based RBLs. To activate all the RBLs in one box, click on the drop icon next to the box's title bar (the icon will become accept); to enable only some of the RBLs, click on the drop icon next to each RBL's name. In that case, the drop or accept icon on the title bar will be replaced by a partial icon.

Spam greylisting

In the third panel, greylisting whitelists can be created by adding entries for every recipient, IP address or network in the two textareas. No greylisting is applied to the items in these whitelists.

Whitelist recipient
E-mail addresses or whole domains written in this textarea, e.g. test@example.com or example.com, are considered “safe”: e-mails addressed to them are accepted without greylisting.
Whitelist client
Mail server addresses written in this textarea are considered “safe”: all e-mails coming from these addresses are accepted without greylisting.

Greylisting

Greylisting is a method used by an MTA to verify whether an e-mail is legitimate: the message is temporarily rejected the first time and the MTA waits for a second delivery attempt of the same e-mail. If the e-mail is never resent, the sender is considered a spam source. The idea behind greylisting is that mass-mailing spam bots do not retry rejected e-mails, while any standards-compliant mail server queues the message and resends it.
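The mechanism just described, as an added example (not Endian's code and not its implementation): the classic triplet of client IP, sender and recipient is remembered on first sight and answered with a temporary 4xx failure until the configured delay has elapsed, while the recipient and client whitelists of the Spam greylisting panel bypass the check entirely. The reply texts, the expiry-free in-memory store and the injectable clock are assumptions made for illustration.

```python
from __future__ import annotations
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable

@dataclass
class Greylister:
    """Added example, not Endian code: greylisting with the recipient and
    client whitelists of the Spam greylisting panel."""
    delay: int = 300                                     # "Delay for greylisting (sec)"
    whitelist_recipients: set[str] = field(default_factory=set)   # addresses or domains
    whitelist_clients: list[str] = field(default_factory=list)    # IPs or networks
    clock: Callable[[], float] = time.time               # injectable for testing
    _first_seen: dict[tuple[str, str, str], float] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if not 30 <= self.delay <= 3600:                 # documented range of the option
            raise ValueError("greylisting delay must be between 30 and 3600 seconds")
        self._nets = [ip_network(c, strict=False) for c in self.whitelist_clients]

    def _whitelisted(self, client_ip: str, recipient: str) -> bool:
        if any(ip_address(client_ip) in net for net in self._nets):
            return True
        rcpt = recipient.lower()
        domain = rcpt.rsplit("@", 1)[-1]
        return rcpt in self.whitelist_recipients or domain in self.whitelist_recipients

    def check(self, client_ip: str, sender: str, recipient: str) -> str:
        """SMTP reply for one delivery attempt of the (client, sender, recipient) triplet."""
        if self._whitelisted(client_ip, recipient):
            return "250 OK (greylisting bypassed by whitelist)"
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        first = self._first_seen.setdefault(key, now)     # remember the first attempt
        if now - first < self.delay:
            # Temporary failure: a real MTA queues and retries, a spam bot usually gives up
            return "451 4.7.1 Greylisted, please try again later"
        return "250 OK"
```

A production implementation also has to expire triplets that are never retried and to whitelist well-known senders that retry from rotating IP addresses (large webmail providers), otherwise legitimate mail is delayed repeatedly; the recipient and client whitelists exist precisely for such cases.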

Spam (Black- & Whitelists)

Finally, in the last panel, explicit black- and whitelists for the spam filter are defined.

Whitelist sender
E-mail addresses or whole domains can be whitelisted in this textarea (i.e., they will never be detected as spam), like e.g. test@example.com or the domain example.com.
Blacklist sender
E-mail addresses or whole domains can be blacklisted in this textarea (i.e., they will always be detected as spam), like e.g. test@example.com or the domain example.com.

Incoming domains

When incoming mail has been enabled (i.e., clients beyond the RED interface can send e-mails to a local SMTP server) and those e-mails should be forwarded to a mail server behind the Endian UTM Appliance, usually set up in the ORANGE zone, it is necessary to declare the domains to be accepted by the SMTP proxy and to which of the e-mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind the Endian UTM Appliance for different domains.

The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click on the Add a domain button: A simple form will open, in which the combination domain-mailserver can be created.

Domain
The domain this mailserver is responsible for.
Mailserver IP
The IP address of the mailserver.

The new entry will be shown at the bottom of the list. The actions available for each domain are:

  • edit - modify the domain’s property.
  • delete - remove the domain.

Warning

No confirmation is asked after clicking on the delete icon: The domain will be removed immediately.

Domain routing

New in version 3.0.

The page shows a list of domains along with the smarthost responsible for the delivery of e-mails to, or the reception of e-mails from, those domains. The information shown in the list is the same that must be provided when adding a new domain. Available actions are:

  • edit - modify the domain routing.
  • delete - remove the domain routing.

To add a new domain, click on the Add new domain route button: A simple form will open, in which the combination domain-mailserver can be created.

Direction
Decide whether the rule will be applied to the domain associated with the sender or with the recipient.
Domain
The domain this mailserver is responsible for.
Outgoing address
The interface or IP address of the uplink through which the e-mails will be sent, among those available in the drop-down menu. If left blank, the choice of the uplink or IP address is left to the smarthost.
Smarthost
A tick on this checkbox will reveal more options to override the system’s smarthost and configure an external one. The options are the same that are in the Smarthost configuration below.

Rule’s priority

Suppose two domain routing rules have been set up: one with domain mydomain.com as the sender and uplink main as the route, and a second one with domain example.org as the recipient and uplink secondary as the route. What happens to an e-mail sent from server foo.mydomain.com to a user on bar.example.org? The answer lies in how the Endian UTM Appliance's MTA, postfix, evaluates the sending rules: it first reads the rules involving the sender, then those involving the recipient, so a matching recipient rule has the last word. The e-mail from foo.mydomain.com to bar.example.org is therefore routed through the secondary uplink.
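The precedence described in the paragraph above, written out as an added example (not Endian's code and not postfix's lookup logic): sender rules are applied first and recipient rules afterwards, so the recipient rule wins when both match. Matching a rule's domain against subdomains (foo.mydomain.com against mydomain.com, as in the example) and the default uplink name are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not Endian code: domain routing rule precedence.
@dataclass(frozen=True)
class Route:
    direction: str   # "sender" or "recipient"
    domain: str      # the rule's domain; subdomains are assumed to match too
    uplink: str      # the uplink the rule routes through

def _domain_matches(rule: Route, address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    rule_domain = rule.domain.lower()
    return domain == rule_domain or domain.endswith("." + rule_domain)

def select_uplink(sender: str, recipient: str, rules: list[Route], default: str = "smarthost") -> str:
    """Sender rules are evaluated first, recipient rules second, so the last
    matching rule (a recipient rule, if any matches) determines the uplink."""
    chosen = default
    for direction, address in (("sender", sender), ("recipient", recipient)):
        for rule in rules:
            if rule.direction == direction and _domain_matches(rule, address):
                chosen = rule.uplink
    return chosen

RULES = [
    Route("sender", "mydomain.com", "main"),
    Route("recipient", "example.org", "secondary"),
]
```

Because evaluation order decides the outcome, adding a recipient rule silently overrides any sender rule for traffic to that domain; when a sender-based route is meant to be authoritative (for instance to force one domain's mail through a specific uplink for policy reasons), make sure no recipient rule can match its destinations.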

Mail Routing

This option allows sending a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list shows the direction, the address and the BCC address, if any, and the available actions:

  • edit - modify the mail routing.
  • delete - remove the mail routing.

To add a new mail route, click on the Add a Mail Route button. In the form that opens these options can be configured:

Direction
Select from the drop-down menu whether the mail route should be defined for a sender or recipient of the e-mail.
Mail address
Depending on the direction chosen, this will be the e-mail address of the recipient or sender to which the route should be applied.
BCC address
The e-mail address that will receive the copy of the e-mails.

Warning

Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries reading other people's private messages is illegal, so do not misuse or abuse this feature.

Advanced

In this page of the SMTP proxy configuration there are advanced settings options available, grouped in four panels, that can be shown or hidden by clicking on the expand or collapse icons on the left of the panel title.

Smarthost configuration

In the first panel a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or ADSL dial-up Internet connection, there can be trouble sending e-mails to other mail servers, since that IP address might be blacklisted in some RBL (see Black- & Whitelists above) and the remote mail server might therefore refuse the e-mails. In that case it becomes necessary to use a smarthost for sending e-mails.

Smarthost for delivery
Tick this checkbox to enable a smarthost for delivering e-mails and to show additional options.
Smarthost address
The IP address or hostname of the smarthost.
Smarthost port
The port on which the smarthost is listening, defaults to 25.
Smarthost authentication
Tick this checkbox if the smarthost requires authentication. The next three extra options are then shown.
Smarthost username
The username used for authentication on the smarthost.
Smarthost password
The password used for authentication on the smarthost.
Choose authentication method
The authentication methods required by the smarthost: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. More methods can be chosen by holding the CTRL key pressed and clicking on each of the desired methods.

Note

In a few words, a smarthost is a mail server used by the SMTP proxy as its outgoing SMTP server. The smarthost accepts the e-mails and relays them. Normally the provider's own SMTP server is used as the smarthost, since it will agree to relay the e-mails, while other mail servers would not.
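The choice among the authentication methods listed above matters because, as noted at the top of this page, the connection to an external smarthost cannot use SSL/TLS or STARTTLS. The following added example (not Endian's code) shows what each mechanism actually puts on the wire, and what a passive observer of the unencrypted link recovers from it: PLAIN and LOGIN carry the password itself in base64, CRAM-MD5 carries only an HMAC-MD5 over a server challenge. The credentials and the challenge are constructed.

```python
from __future__ import annotations
import base64
import hashlib
import hmac

# Added example, not Endian code: what the smarthost SASL mechanisms transmit.

def auth_plain(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN initial response (RFC 4616): authzid NUL authcid NUL password, base64."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()

def auth_login(username: str, password: str) -> list[str]:
    """AUTH LOGIN: username and password sent as two separate base64 lines."""
    return [base64.b64encode(s.encode()).decode() for s in (username, password)]

def make_challenge(text: str) -> str:
    """Server side of CRAM-MD5: the challenge is sent base64-encoded (constructed here)."""
    return base64.b64encode(text.encode()).decode()

def auth_cram_md5(username: str, password: str, challenge_b64: str) -> str:
    """CRAM-MD5 (RFC 2195): client answers 'user HEX(HMAC-MD5(password, challenge))'.
    The password never crosses the wire, only a keyed digest of the challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def sniff_plain(line: str) -> tuple[str, str]:
    """What an observer on the unencrypted link recovers from one AUTH PLAIN line."""
    _, user, pwd = base64.b64decode(line).decode().split("\0")
    return user, pwd

def sniff_login(lines: list[str]) -> tuple[str, str]:
    """Same for AUTH LOGIN: both lines decode straight back to the credentials."""
    user, pwd = (base64.b64decode(line).decode() for line in lines)
    return user, pwd

def sniff_cram_md5(line: str) -> tuple[str, str]:
    """For CRAM-MD5 the observer gets the username and a 32-hex-digit HMAC, not the password."""
    user, digest = base64.b64decode(line).decode().split(" ")
    return user, digest
```

Base64 is an encoding, not encryption, so PLAIN and LOGIN over an unencrypted smarthost link are equivalent to sending the relay password in clear text. CRAM-MD5 (and DIGEST-MD5) avoid that, at the cost that the smarthost must hold the password in a reversible form and that the captured digest can still be attacked offline by guessing weak passwords; a long random relay password limits that exposure. Where the smarthost offers it, prefer CRAM-MD5 or DIGEST-MD5 and deselect PLAIN and LOGIN in the method list.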

IMAP Server for SMTP authentication

This panel contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:

SMTP authentication
Tick this checkbox to enable IMAP authentication and to show additional options.
Choose number of authentication daemons
How many concurrent logins are possible through the Endian UTM Appliance.
IMAP authentication server
The IP address of the IMAP server.
IMAP authentication port
The port on which the IMAP server is listening, defaults to 143 for plain IMAP or 993 for IMAP over SSL.

Mail server settings

In this panel, additional parameters of the SMTP server can be defined.

SMTP HELO
When this checkbox is ticked, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.
Invalid hostname
Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.
SMTP HELO name

The hostname to send with the SMTP EHLO or HELO command. By default the RED IP address is used, but a custom hostname in FQDN format can be supplied.

Hint

Use the hostname of the domain’s MX.

Always BCC to address
An e-mail address here that will receive a BCC of each message that goes through the SMTP proxy.
Choose mailtemplate language
The language in which error messages should be sent, among those available: English, German, Italian, and Japanese.
Verify recipient address
Enable the check for a valid recipients address before sending the message.
Choose hard error limit
The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).
Choose maximal email contentsize
The maximum size allowed for a single e-mail message. Several predefined values can be selected from the drop-down menu. Choosing the custom email contentsize option reveals the next option.
Custom maximum email contentsize (in KB)
The maximum size, in kilobytes, of an e-mail that will be accepted by the SMTP server.
Enable DSN on zones
Choose from the available zones those which will send a bounce message (i.e., a DSN message) to undeliverable e-mails or to e-mails that can not be correctly sent. In other words, it will be possible to receive delivery notification messages of emails only from zones that have been selected here.

HELO/EHLO and hostname

Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the Endian UTM Appliance uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.

If that is the case, another custom hostname in FQDN format can be configured under Menubar ‣ Proxy ‣ SMTP ‣ Advanced ‣ Mail server settings ‣ SMTP Helo Name, that can be understood by the remote mail server.

Spam prevention

Finally, in this last panel additional parameters for the spam filter can be defined, by ticking one or more of the four checkboxes.

invalid recipient
Reject the request when the RCPT TO address is not in FQDN form, as required by RFC 821.
invalid sender
Reject the request when the MAIL FROM address is not in FQDN form, as required by RFC 821.
unknown recipient domain
Reject the request if the domain of the recipient e-mail address has no DNS A or MX record.
unknown sender
Reject the request if the domain of the sender e-mail address has no DNS A or MX record.

Troubleshooting the SMTP proxy

When the message “Mail for xxx loops back to myself” appears in the log file, it indicates a misconfiguration: the custom SMTP HELO name on the appliance is the same as the hostname of the internal mail server to which incoming e-mail should be forwarded.

In that case the SMTP connection received by the internal mail server announces a hostname (the one set as HELO name in the SMTP proxy settings) that is identical to the internal mail server's own hostname, so the internal mail server believes it is both sending and receiving the same e-mail and produces the error.

Possible solutions are:

  • Change the hostname of the internal mailserver.
  • Create a new publicly valid A Record within the DNS zone which also points to the Endian UTM Appliance and use this hostname as the HELO line within the SMTP Proxy.
  • Use the numeric IP Address of the uplink as the HELO line.

See also

A step by step guide to set up a basic e-mail proxy can be found here.

Anti-Spam

Changed in version 2.5-Arm: Removed as it is not available on the ARM architecture.

This page includes configuration settings for the anti-spam engine. The following options can be configured:

Enable spamassassin shortcircuit
Check this box to skip SpamAssassin whenever Cyren (formerly Commtouch) marks a message as spam.
Ignore IPs/Networks
Here IPs and networks which should not be checked by Cyren can be defined.

In the SPAM tag level section the following options can be configured. The valid values for each option are between -10 and 10 included.

CONFIRMED
Every e-mail with a tag level above this value will be recognised as spam.
BULK
Every e-mail with a tag level above this value will be identified as bulk mail.
SUSPECTED
Every e-mail with a tag level above this value is suspected to contain spam.
UNKNOWN
E-mails with a tag level below this value will be classified as unknown.
NONSPAM
E-mails with a tag level below this value will be recognised as non-spam mails.