
SMTP

The SMTP proxy controls and optimizes SMTP traffic in general and protects your network from threats that arrive over the SMTP protocol. SMTP (Simple Mail Transfer Protocol) is used whenever your mail client sends a mail to a remote mail server (outgoing mail). It is also used if you host a mail server within your LAN behind GREEN or in your DMZ behind ORANGE and allow mail to be sent from the outside directly to that mail server (incoming mail).

Warning

Your local mail clients download mail from a remote mail server using POP3 or IMAP, not SMTP. If you want to protect that traffic too, use the POP3 proxy. Scanning of IMAP traffic is currently not supported.

With the mail proxy, both kinds of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail is blocked if necessary and notices are sent to the receiving user and to the administrator. Because it can scan incoming mail, the proxy can also accept incoming connections itself and pass the mail on to one or more internal mail servers, so that no SMTP connections from the outside need to reach your internal networks.

The features are described in detail in the following sections.

General Settings

Figure 7.61. General Settings

Enabled

Enables the SMTP proxy so that it accepts connections on port 25.

Note

In non-transparent mode, relaying is only permitted after authentication.

Transparent on <zone>

If transparent mode is enabled for a zone, all connections from that zone to destination port 25 are intercepted and redirected to the SMTP proxy, without any configuration changes on your clients.

Antivirus is enabled

Tick this to enable the antivirus scanner. Once enabled, you can configure it by clicking the Antivirus link. See the section called “Antivirus” for a detailed description.

Spamcheck is enabled

Tick this to enable the spam filter. Once enabled, you can configure it by clicking the Spam link. See the section called “AntiSpam” for a detailed description.

File Extension are blocked

Tick this to enable the file extension blocker, which lets you specify a list of file extensions that are not allowed as attachments. Once enabled, configure it by clicking the File Extensions link. See the section called “Banned File Extension” for a detailed description.

Incoming Mail enabled

If you have an internal mail server and want the SMTP proxy to forward incoming mail to it, tick this checkbox.

Note

You also need to configure the e-mail domains for which the proxy is responsible. List them on the page you reach by clicking the Local Domains link. See the section called “Local Domains” for a detailed description.

Firewall logs outgoing connections

Tick this if you want the firewall to log all established outgoing connections. Note that in some countries this may be illegal.

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Antivirus

The antivirus scanner is a core function of the SMTP proxy module. It offers four different ways of handling mail that contains a virus. You can also configure an e-mail address to which notifications about recognized and handled threats are sent.

Figure 7.62. SMTP Antivirus

The antivirus section provides the following configuration options:

Mode

Selects how infected e-mails are handled. The following modes exist:

DISCARD

In this mode the e-mail is not delivered to its recipients but deleted, without notifying the sender. If a virus quarantine is defined, a copy of the original e-mail is stored in or forwarded to the virus quarantine.

Note

In most cases this is the best mode for handling infected mail.

BOUNCE

In this mode the e-mail is not delivered to its recipients but bounced back to the sender as a delivery status notification (non-delivery report). If a virus quarantine is defined, a copy of the original e-mail is stored in or forwarded to the virus quarantine.

Warning

Notifying the sender is of little use, because worms almost never send themselves with a real sender address. They nearly always forge the sender address, so such notifications reach anyone but the right person and only produce unwanted backscatter. The SMTP proxy does not send a bounce when it recognizes a worm that it knows to forge sender addresses, but even so the benefit of this mode is smaller than the problems it can cause.

REJECT

The e-mail is rejected by the MTA. In practice this has the same effect as BOUNCE. (This mode will probably be removed in a future release.)

PASS

Mail will pass to its recipients, regardless of bad content.

Virus Admin

Lets you specify a (fully qualified) administrator e-mail address to which virus notifications are sent. (Default: empty)

Virus Quarantine

Location where infected mail is stored. The following values are valid:

leave empty

Disables the quarantine.

virus-quarantine

Set this to store infected mail on the firewall itself. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no way to view or manage the quarantine through the web interface when this option is used.

any email address

You can specify any valid e-mail address to which infected mail is forwarded. This way you can collect all infected mail in a POP3 or IMAP mailbox where it can be managed easily.

Note

The e-mail address must contain an @.

Warning

The mail server receiving this address must not run a virus scanner itself, otherwise it will block the quarantined mail.

Save changes and restart

Saves the settings and restarts the SMTP proxy.

AntiSpam

The antispam module offers several ways of protecting you against spam. SpamAssassin and amavisd-new are used to filter it out. SpamAssassin combines several means of detecting spam: a large number of inter-related rules fire on a message and their individual scores are added up to a total that decides whether the message is spam or not. The scores of the rules are tuned together, so that the system places as much spam as possible above the threshold and as much legitimate mail as possible below it.

While many of the rules catch simpler spam, well-known spam and spam sent by known spam hosts, spammers constantly adapt their messages to get past spam filters. It is therefore necessary to train the spam filter continuously in order to obtain a personalized and stronger statistical (Bayesian) filter.

Note

While the spam filter blocks much spam, it will never block all of it.

Note

The SpamAssassin rules are not updated automatically, unlike the virus signatures.

General Settings

Figure 7.63. SMTP Antispam

Spam destination

Defines what happens to spam mails. The following modes exist:

DISCARD

In this mode the e-mail is not delivered to its recipients but deleted, without notifying the sender. If a spam quarantine is defined, a copy of the original e-mail is stored in or forwarded to the spam quarantine.

Note

In most cases this is not very useful, because the spam filter may also block regular mail (false positives) if it is configured too restrictively.

Warning

Check your local law. In most countries it is illegal to delete mail without the permission of the recipient.

BOUNCE

In this mode the e-mail is not delivered to its recipients but bounced back to the sender as a delivery status notification (non-delivery report). If a spam quarantine is defined, a copy of the original e-mail is stored in or forwarded to the spam quarantine.

Warning

Notifying the sender of spam is of little use: it tells spammers that they have hit a real e-mail address, and spammers almost never use their real sender address anyway. They nearly always forge it, so such notifications reach anyone but the right person.

REJECT

The e-mail is rejected by the MTA. In practice this has the same effect as BOUNCE. (This mode will probably be removed in a future release.)

PASS

Mail will pass to its recipients, regardless of bad content.

Note

In most cases this is the best mode. The spam filter adds spam headers and changes the subject of a mail it recognizes as spam, and recipients can then use their mail client to filter those mails themselves.

Spam admin

Lets you specify a (fully qualified) administrator e-mail address to which spam notifications are sent. (Default: empty)

Spam quarantine

Location where spam mail is stored. The following values are valid:

leave empty

Disables the quarantine.

spam-quarantine

Set this to store spam mail on the firewall itself. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no way to view or manage the quarantine through the web interface when this option is used.

any email address

You can specify any valid e-mail address to which spam mail is forwarded. This way you can collect all spam in a POP3 or IMAP mailbox where it can be managed easily.

Note

The e-mail address must contain an @.

Warning

The mail server receiving this address must not run a blocking spam filter itself, otherwise it will block the quarantined mail.

SPAM TAG level

If the spam score is greater than or equal to this level, spam information headers are added to the mail. You will find them as the X-Spam-Status, X-Spam-Score and X-Spam-Level headers.

Note

This level does not block the mail, regardless of what you defined as spam destination.

Example 7.9. Example spam info headers

X-Spam-Status: No, score=-1.54 tagged_above=-4 required=6.31
 tests=[AWL=-0.723, BAYES_00=-2.599, HTML_80_90=0.146,
 HTML_FONT_SIZE_NONE=0.033, HTML_FONT_SIZE_TINY=0.533, HTML_FONT_TINY=0.964,
 HTML_IMAGE_RATIO_04=0.105, HTML_MESSAGE=0.001]
X-Spam-Score: -1.54
X-Spam-Level: 

SPAM MARK level

If the spam score is greater than or equal to this level, the mail is marked as spam: the subject line is tagged with *** SPAM *** (see SPAM subject below) and the X-Spam-Flag header is added.

Note

This level does not block the mail, regardless of what you defined as spam destination.

Example 7.10. Example spam info headers

X-Spam-Status: Yes, hits=12.4 tagged_above=-10.0 required=5.3 tests=BAYES_99,
RCVD_HELO_IP_MISMATCH, RCVD_IN_XBL, RCVD_NUMERIC_HELO, SARE_FWDLOOK,
SARE_MONEYTERMS, SARE_OEM_FAKE_YEAR
X-Spam-Level: ************
X-Spam-Flag: YES

Note

Users can filter on X-Spam-Flag: YES in their mail clients.

SPAM quarantine level

If the spam score is greater than or equal to this level, the action selected under Spam destination is applied.

Note

This is the level at which spam mail is deleted if you selected DISCARD as spam destination.

Sender notification only under level

If the spam score is greater than this level, no notification mail is sent to the sender. Mail scoring this high almost always carries a forged sender address, so a notification would only reach an uninvolved third party.

SPAM subject

String prepended to the Subject header field when the message score exceeds the SPAM MARK level.
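How the three levels and the sender-notification cutoff interact, as an added Python example that is not part of the Endian or amavisd-new code: score_from_status reads the score out of an X-Spam-Status header in either of the two spellings shown in the examples above (score= and the older hits=), and apply_levels turns a score into the headers, the subject tag and the action that the TAG, MARK and quarantine levels produce. The header text, the one-star-per-point X-Spam-Level encoding and the threshold values used in the demonstration are assumptions chosen to mirror the examples on this page.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SpamLevels:
    """The four thresholds from the AntiSpam page plus subject tag and destination."""
    tag: float                 # SPAM TAG level: add the X-Spam-* info headers
    mark: float                # SPAM MARK level: X-Spam-Flag: YES and subject tag
    quarantine: float          # SPAM quarantine level: apply the spam destination
    dsn_cutoff: float          # "Sender notification only under level"
    subject_tag: str = "*** SPAM ***"
    destination: str = "PASS"  # DISCARD | BOUNCE | REJECT | PASS


@dataclass
class Verdict:
    action: str                # DELIVER, DISCARD, BOUNCE or REJECT
    subject: str
    notify_sender: bool
    headers: dict = field(default_factory=dict)


# First line of an X-Spam-Status header, in either spelling shown on this page.
STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(Yes|No),\s*(?:score|hits)=(-?\d+(?:\.\d+)?)", re.I)


def score_from_status(header: str) -> float:
    """Extract the numeric spam score from an X-Spam-Status header line."""
    m = STATUS_RE.match(header.strip())
    if not m:
        raise ValueError("not an X-Spam-Status header: %r" % header)
    return float(m.group(2))


def apply_levels(score: float, subject: str, levels: SpamLevels) -> Verdict:
    """Apply the thresholds in order: tag, mark, quarantine, notification cutoff."""
    v = Verdict(action="DELIVER", subject=subject, notify_sender=True)
    if score >= levels.tag:
        # tagged_above is the TAG level, required is the MARK level (assumed
        # header layout, following Example 7.9 and 7.10 above)
        flag = "Yes" if score >= levels.mark else "No"
        v.headers["X-Spam-Status"] = "%s, score=%.2f tagged_above=%s required=%s" % (
            flag, score, levels.tag, levels.mark)
        v.headers["X-Spam-Score"] = "%.2f" % score
        # one '*' per whole point of positive score, nothing for negative scores
        v.headers["X-Spam-Level"] = "*" * max(0, int(score))
    if score >= levels.mark:
        v.headers["X-Spam-Flag"] = "YES"
        v.subject = "%s %s" % (levels.subject_tag, subject)
    if score >= levels.quarantine and levels.destination != "PASS":
        v.action = levels.destination
    if score > levels.dsn_cutoff:
        v.notify_sender = False          # forged sender assumed above this score
    return v


if __name__ == "__main__":
    lv = SpamLevels(tag=-4, mark=6.31, quarantine=10, dsn_cutoff=8, destination="DISCARD")
    s = score_from_status("X-Spam-Status: Yes, hits=12.4 tagged_above=-10.0 required=5.3")
    print(apply_levels(s, "Cheap OEM software", lv))
```

Note that only the quarantine level changes the action; a mail that is merely tagged or marked is still delivered, which is why PASS plus client-side filtering on X-Spam-Flag is the recommended mode above.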

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Greylisting

Greylisting is a simple method of defending e-mail users against spam. In short, a mail transfer agent that uses greylisting temporarily rejects any e-mail from a sending host and sender it does not yet know. The sender is delayed for the configured time. If the mail is legitimate, the originating server retries later; once the delay has elapsed, the destination accepts it. Spammers normally do not retry temporarily rejected mail, because retrying costs them time and resources. Moreover, spam sources that do retry later are by then more likely to be listed in DNSBLs and distributed signature systems such as Pyzor.

Figure 7.64. Greylisting

greylisting activated

Tick this to enable greylisting.

delay(sec)

The delay can be set between 30 seconds and 3600 seconds (1 hour).

Whitelist recipient

Recipient addresses or complete domains that bypass greylisting (one entry per line).

Whitelist client

Mail server IP addresses that bypass greylisting (one entry per line). Use this for well-known senders whose mail must not be delayed.
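The greylisting behaviour described above, as an added Python example and not the proxy's own implementation. It assumes the usual greylisting key, the triplet of client IP, sender and recipient, which this page does not state explicitly; the current time is passed in as a parameter so the sequence of attempts can be reproduced without actually waiting. Addresses and timestamps in the usage block are constructed.

```python
from dataclasses import dataclass, field

TEMPFAIL = 450   # SMTP "try again later" reply used for greylisting
ACCEPT = 250


@dataclass
class Greylist:
    """Greylist keyed on the (client IP, sender, recipient) triplet (assumed key)."""
    delay: int = 300                                        # seconds; the page allows 30..3600
    whitelist_recipients: set = field(default_factory=set)  # addresses or whole domains
    whitelist_clients: set = field(default_factory=set)     # mail server IP addresses
    seen: dict = field(default_factory=dict)                # triplet -> time first seen

    def __post_init__(self):
        if not 30 <= self.delay <= 3600:
            raise ValueError("delay must be between 30 and 3600 seconds")

    def check(self, client_ip: str, sender: str, recipient: str, now: float):
        """Return (smtp_code, reason) for one delivery attempt made at time `now`."""
        if client_ip in self.whitelist_clients:
            return ACCEPT, "client whitelisted"
        rcpt = recipient.lower()
        rcpt_domain = rcpt.rpartition("@")[2]
        whitelisted = {e.lower() for e in self.whitelist_recipients}
        if rcpt in whitelisted or rcpt_domain in whitelisted:
            return ACCEPT, "recipient whitelisted"
        key = (client_ip, sender.lower(), rcpt)
        first = self.seen.get(key)
        if first is None:
            # unknown triplet: remember it and ask the sender to retry
            self.seen[key] = now
            return TEMPFAIL, "greylisted: first attempt, retry after %ds" % self.delay
        waited = now - first
        if waited < self.delay:
            return TEMPFAIL, "greylisted: retry came %ds too early" % (self.delay - waited)
        return ACCEPT, "greylist passed after %ds" % waited


if __name__ == "__main__":
    g = Greylist(delay=300, whitelist_clients={"192.0.2.10"})
    t0 = 1_000_000.0
    for t in (t0, t0 + 60, t0 + 301):
        print(t - t0, g.check("198.51.100.7", "a@example.net", "bob@example.org", t))
```

A legitimate server retries after its own queue interval (typically minutes), so it is accepted on the second attempt; a sender that changes the envelope sender on each try, as much spamware does, never passes because every attempt is a new triplet.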

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Banned File Extension

Lets you block files with certain file extensions that are attached to mails. Mails containing such attachments are recognized and the selected action is applied to them.

Figure 7.65. banned files

Blocked File Extensions

You can select one or more file extensions. To select multiple extensions, hold down the control key and click the desired entries.

Note

File extension blocking must be enabled in the General Settings.

Banned files destination

Defines what happens to mails containing files with banned extensions. The following modes exist:

DISCARD

In this mode the e-mail is not delivered to its recipients but deleted, without notifying the sender. If a banned files quarantine is defined, a copy of the original e-mail is stored in or forwarded to the quarantine.

BOUNCE

In this mode the e-mail is not delivered to its recipients but bounced back to the sender as a delivery status notification (non-delivery report). If a banned files quarantine is defined, a copy of the original e-mail is stored in or forwarded to the quarantine.

Note

This is usually the sensible choice here, because senders learn why their mail was not delivered.

REJECT

The e-mail is rejected by the MTA. In practice this has the same effect as BOUNCE. (This mode will probably be removed in a future release.)

PASS

Mail will pass to its recipients, regardless of bad content.

Banned files quarantine

Location where mail with banned files is stored. The following values are valid:

leave empty

Disables the quarantine.

spam-quarantine

Set this to store such mail on the firewall itself. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no way to view or manage the quarantine through the web interface when this option is used.

any email address

You can specify any valid e-mail address to which such mail is forwarded. This way you can collect all mail with banned attachments in a POP3 or IMAP mailbox where it can be managed easily.

Note

The e-mail address must contain an @.

Admin notification

Lets you specify a (fully qualified) administrator e-mail address to which notifications about banned attachments are sent. (Default: empty)

Block double extension

Tick this to block attachments whose name carries one of the following double extensions, where XXX stands for any intermediate extension (for example invoice.pdf.exe). Such names are a common trick to make an executable look like a document.

  • filename.XXX.exe

  • filename.XXX.vbs

  • filename.XXX.pif

  • filename.XXX.scr

  • filename.XXX.bat

  • filename.XXX.cmd

  • filename.XXX.com

  • filename.XXX.dll
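The two attachment checks above, the banned extension list and the double-extension rule, as an added Python example (not the proxy's own code). The check works on the attachment file name only, exactly as the settings describe; it does not look at the MIME type or the file content, so a renamed executable with a harmless extension passes it, which is why the antivirus scanner remains necessary. The sample file names, the banned set and the default destination are constructed for the example.

```python
# Extensions that "Block double extension" blocks when they are the last
# part of a name with more than one extension (the list on this page).
DOUBLE_EXT_DANGEROUS = {"exe", "vbs", "pif", "scr", "bat", "cmd", "com", "dll"}


def extensions(filename: str):
    """All extensions of a file name, lower-cased: 'a.PDF.exe' -> ['pdf', 'exe'].

    Path components are stripped and a leading dot (hidden file) is not an extension.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lstrip(".")
    parts = base.lower().split(".")
    return parts[1:]


def banned_reason(filename: str, banned_exts, block_double: bool = True):
    """Return why an attachment name is banned, or None if it is acceptable."""
    exts = extensions(filename)
    if not exts:
        return None
    if exts[-1] in banned_exts:
        return "extension .%s is banned" % exts[-1]
    if block_double and len(exts) >= 2 and exts[-1] in DOUBLE_EXT_DANGEROUS:
        return "double extension .%s.%s" % (exts[-2], exts[-1])
    return None


def check_mail(attachment_names, banned_exts, block_double=True, destination="BOUNCE"):
    """Apply the banned-files destination to a mail, given its attachment names.

    Returns (action, hits): action is DELIVER when nothing matched or the
    destination is PASS, otherwise the configured destination.
    """
    hits = []
    for name in attachment_names:
        reason = banned_reason(name, banned_exts, block_double)
        if reason:
            hits.append((name, reason))
    if not hits or destination == "PASS":
        return "DELIVER", hits
    return destination, hits


if __name__ == "__main__":
    # constructed attachment names, as they would appear in a MIME part
    print(check_mail(["report.doc", "invoice.pdf.exe", "photo.jpg"],
                     banned_exts={"exe", "vbs"}, destination="BOUNCE"))
```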

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Blacklists/Whitelists

An often-used method of blocking certain spam are so-called real-time blacklists (RBL). They are created, maintained and updated by many different organisations. If a sender IP address is listed in one of those blacklists, the mail is refused immediately, without the need or the possibility to gather more information about it. This saves bandwidth compared with the RBL checks of the antispam module, because the mail is refused as soon as a listed IP address connects instead of being accepted first and processed afterwards.

This dialogue also lets you explicitly block (blacklist) or explicitly allow (whitelist) certain senders, recipients, IP addresses or networks.

Real-time Spam Black Lists (RBL)

A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL) is a means by which an Internet site can publish a list of IP addresses in a format that can easily be queried by programs on the Internet. As the name suggests, the technology is built on top of the Internet Domain Name System (DNS). DNSBLs are chiefly used to publish lists of addresses linked to spamming.

Warning

IP addresses may be listed wrongly by an RBL operator. If this happens, it can disrupt your communication: mail from such addresses is refused without any possibility to recover it, and you have no direct influence on the RBL's contents.
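The DNSBL lookup the proxy performs for each connecting client, as an added Python example rather than the proxy's own code. dnsbl_query_name builds the query name (the IPv4 octets reversed, under the list's zone) and is_listing applies the convention that a listing is an A record inside 127.0.0.0/8. zone_is_sane adds a check the page does not describe but that follows from the warning above: per the DNSBL conventions in RFC 5782, a working zone lists the test address 127.0.0.2 and does not list 127.0.0.1, so a zone that fails this (dead, wildcarded or misconfigured) is skipped instead of being allowed to reject mail. fake_resolve and the two zone names are a constructed, offline stand-in for DNS.

```python
import ipaddress


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def is_listing(answer: str) -> bool:
    """DNSBLs encode a listing as an A record inside 127.0.0.0/8."""
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def zone_is_sane(zone: str, resolve) -> bool:
    """RFC 5782 test addresses: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    A zone that is dead or answers for every name fails this and must not be
    used to reject mail.
    """
    listed_test = any(is_listing(a) for a in resolve(dnsbl_query_name("127.0.0.2", zone)))
    clean_test = not any(is_listing(a) for a in resolve(dnsbl_query_name("127.0.0.1", zone)))
    return listed_test and clean_test


def check_client(ip: str, zones, resolve):
    """Return ('REJECT', details) if a sane zone lists the client, else ('CONTINUE', details)."""
    details = []
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            details.append((zone, "skipped: zone failed sanity check"))
            continue
        answers = [a for a in resolve(dnsbl_query_name(ip, zone)) if is_listing(a)]
        if answers:
            details.append((zone, "listed as " + ",".join(answers)))
            return "REJECT", details
        details.append((zone, "not listed"))
    return "CONTINUE", details


# Constructed, offline stand-in for DNS: maps query names to A records.
# "good.example" behaves like a healthy DNSBL; "dead.example" behaves like a
# zone that answers positively for every query (as ORDB did after shutdown).
FAKE_DNS = {
    "2.0.0.127.good.example": ["127.0.0.2"],
    "143.233.190.80.good.example": ["127.0.0.2"],   # the IP from Example 7.17
}


def fake_resolve(name: str):
    if name.endswith(".dead.example"):
        return ["127.0.0.2"]          # wildcard: lists 127.0.0.1 too, so it fails the check
    return FAKE_DNS.get(name, [])     # [] stands for NXDOMAIN


if __name__ == "__main__":
    print(check_client("80.190.233.143", ["dead.example", "good.example"], fake_resolve))
```

In production the sanity check belongs in a periodic job rather than on every connection, since it doubles the DNS traffic per lookup; what matters is that a zone which lists 127.0.0.1 is never allowed to reject mail.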

Figure 7.66. Real-time Black Lists

bl.spamcop.net

RBL based on user submissions (www.spamcop.net).

sbl-xbl.spamhaus.org

The SBL is a real-time database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help e-mail administrators manage incoming mail streams.

The Spamhaus Exploits Block List (XBL) is a real-time database of IP addresses of illegal third-party exploits, including open proxies (HTTP, SOCKS, AnalogX, WinGate, etc.), worms and viruses with built-in spam engines, and other types of trojan-horse exploits (www.spamhaus.org).

cbl.abuseat.org

The CBL takes its source data from very large spam traps and lists only IPs exhibiting characteristics specific to open proxies of various sorts (HTTP, SOCKS, AnalogX, WinGate, etc.) that have been abused to send spam, to worms and viruses that do their own direct mail transmission, or to some types of trojan-horse or “stealth” spamware. It does not perform open proxy tests of any kind.

The CBL does NOT list open SMTP relays (cbl.abuseat.org).

dul.dnsbl.sorbs.net

A list of dynamic IP address ranges (www.au.sorbs.net).

list.dsbl.org

DSBL, the Distributed Sender Blackhole List, publishes the IP addresses of hosts that have sent a special test e-mail to listme@listme.dsbl.org or another listing address. The main delivery mechanism of spammers is the abuse of insecure servers; for this reason many people want to know which servers are insecure so they can refuse e-mail from them. DSBL is intended as a place to publish whether a server is insecure (www.dsbl.org).

relays.ordb.org

ORDB.org is the Open Relay Database, a non-profit organisation that stores the IP addresses of verified open SMTP relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk e-mail, also known as spam. By accessing this list, system administrators can choose to accept or deny mail exchange with servers at these addresses (www.ordb.org).

opm.blitzed.org

OPM is designed to list IPs confirmed to be running insecure proxies. These can be present because of misconfiguration of legitimately installed software, or because of the installation of trojans, viruses and other malware. OPM differs from other open proxy DNSBLs in that it tries not to proxy-test remote hosts unless they are implicated in reports of abuse, and it aggressively expires old IPs, especially those known to be used for dynamic leases, such as dial-up customers.

opm.blitzed.org does NOT list open SMTP relays (wiki.blitzed.org/OPM).

dsn.rfc-ignorant.org

dsn.rfc-ignorant.org is a list of domains and IP networks whose administrators choose not to obey the RFCs, the building-block “rules” of the net (www.rfc-ignorant.org).

Warning

Several of the lists above have since been discontinued: ORDB.org, DSBL, the Blitzed OPM and rfc-ignorant.org have shut down, and sbl-xbl.spamhaus.org has been superseded by zen.spamhaus.org. A discontinued zone may stop answering, which only makes each lookup slow, or it may start answering positively for every query (as ORDB did after its shutdown), which makes the proxy refuse all incoming mail. Before relying on a zone, verify that it lists the test address 127.0.0.2 and does not list 127.0.0.1, and remove zones that are no longer maintained.

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Note

Advanced users can modify the list by editing the file /var/efw/smtpd/default/RBL.

Custom black/whitelists

You have full control and can blacklist or whitelist specific senders, recipients or clients.

Figure 7.67. black/whitelists

Sender Whitelist/Blacklist

There are several ways to deny (blacklist) or allow (whitelist) a sender or domain (one entry per line).

The entries in these lists are matched against the sender address of each incoming mail.

Domain (with subdomains)

Allows or denies a complete domain with all its subdomains.

Example 7.11. Allow or deny a complete domain

endian.it
sub.example.com

This covers every e-mail address under both domains and their subdomains, such as mail@sub.endian.it.

Subdomains

Allows or denies only the subdomains of the specified domain, not the domain itself. To achieve this, prefix the domain name with a dot.

Example 7.12. Allow or deny only the subdomains of a domain

.endian.it
.sub.example.com

This covers every e-mail address under any subdomain of both domains. For instance it includes mail@test.endian.it but excludes info@endian.it.

Address

Allows or denies a single fully qualified e-mail address, or any e-mail address with the specified user part.

Example 7.13. Allow or deny single email addresses or user names.

info@endian.it
postmaster@
abuse@

This covers the single address info@endian.it, and every e-mail address whose user part is postmaster or abuse, such as postmaster@riaa.org.

Recipient Whitelist/Blacklist

There are several ways to deny or allow a single recipient or domain (one entry per line).

The entries in these lists are matched against the recipient address of each incoming mail.

Domain (with subdomains)

Allows or denies a complete domain with all its subdomains.

Example 7.14. Allow or deny a complete domain

endian.it
sub.example.com

This covers every e-mail address under both domains and their subdomains, such as mail@sub.endian.it.

Subdomains

Allows or denies only the subdomains of the specified domain, not the domain itself. To achieve this, prefix the domain name with a dot.

Example 7.15. Allow or deny only the subdomains of a domain

.endian.it
.sub.example.com

This covers every e-mail address under any subdomain of both domains. For instance it includes mail@test.endian.it but excludes info@endian.it.

Address

Allows or denies a single fully qualified e-mail address, or any e-mail address with the specified user part.

Example 7.16. Allow or deny single email addresses or user names.

info@endian.it
postmaster@
abuse@

This covers the single address info@endian.it, and every e-mail address whose user part is postmaster or abuse, such as postmaster@riaa.org.

Warning

If the SMTP proxy runs in transparent mode, every IP address in the subnets known to the Endian Firewall is whitelisted automatically. Since whitelists take precedence, blacklist entries do not apply to mail sent from one of those IP addresses.

Client Whitelist/Blacklist

You can also block or allow a single IP address or a subnet from which mail is sent (one entry per line).

Example 7.17. Allow or deny an IP address or block

80.190.233.143
80.190.233.0/24

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Note

Whitelists override blacklists. You can, for example, blacklist a whole subnet and then whitelist a single address within it.
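The matching rules of the sender, recipient and client lists above, as one added Python example covering all three (not the proxy's own access-map code). address_matches implements the four entry forms shown in Examples 7.11 to 7.16: a bare domain (with its subdomains), a dot-prefixed domain (subdomains only), a full address, and a user part followed by @. client_matches handles the single-IP and CIDR forms of Example 7.17. decide evaluates all whitelists before any blacklist, which follows the note above; that a sender whitelist also overrides a client blacklist is this example's assumption, since the page only states the general rule. The list contents and addresses in the usage block are constructed.

```python
import ipaddress


def address_matches(entry: str, address: str) -> bool:
    """Match one sender/recipient list entry against an e-mail address."""
    entry, address = entry.strip().lower(), address.strip().lower()
    local, _, domain = address.rpartition("@")
    if entry.endswith("@"):                 # "postmaster@": any address with this user part
        return local == entry[:-1]
    if "@" in entry:                        # "info@endian.it": exactly this address
        return address == entry
    if entry.startswith("."):               # ".endian.it": subdomains only, not the domain itself
        return domain.endswith(entry)
    # "endian.it": the domain itself and all of its subdomains
    return domain == entry or domain.endswith("." + entry)


def client_matches(entry: str, client_ip: str) -> bool:
    """Match a client list entry (single IP or CIDR block) against the connecting IP."""
    network = ipaddress.ip_network(entry.strip(), strict=False)
    return ipaddress.ip_address(client_ip) in network


def decide(sender: str, recipient: str, client_ip: str, lists: dict):
    """Evaluate the six lists for one incoming mail.

    `lists` maps sender_white, sender_black, recipient_white, recipient_black,
    client_white and client_black to iterables of entries (one per line in
    the web interface). Whitelists are checked before blacklists, so a
    whitelisted address or client overrides any blacklist entry.
    """
    subjects = (("sender", sender, address_matches),
                ("recipient", recipient, address_matches),
                ("client", client_ip, client_matches))
    for kind in ("white", "black"):
        for name, value, match in subjects:
            for entry in lists.get("%s_%s" % (name, kind), ()):
                if match(entry, value):
                    verdict = "ACCEPT" if kind == "white" else "REJECT"
                    return verdict, "%s %slisted by %r" % (name, kind, entry)
    return "CONTINUE", "no list entry matched"


if __name__ == "__main__":
    lists = {"client_black": ["80.190.233.0/24"],        # blacklist the whole subnet ...
             "client_white": ["80.190.233.143"],         # ... but whitelist one host in it
             "sender_black": [".example.net", "abuse@"]}
    for ip in ("80.190.233.143", "80.190.233.144"):
        print(ip, decide("user@example.org", "info@endian.it", ip, lists))
```

CONTINUE means neither list decided; the mail then proceeds to the RBL, greylisting and content checks described on this page.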

Local Domains

If you have enabled incoming mail and want to forward it to a mail server behind the Endian Firewall in the GREEN or ORANGE zone, you need to configure which domains the SMTP proxy accepts and to which server each of them is forwarded. You can specify several mail servers behind the Endian Firewall for different domains. This also makes it easy to use the Endian Firewall as a backup MX.

Figure 7.68. Local Domains

Note

Incoming mail must be enabled in order to use this functionality.

Advanced settings

This section covers advanced settings of the SMTP proxy.

Smarthost

If you have a dynamic IP address because you use a dial-up internet connection such as ISDN or ADSL, you will run into problems sending mail to other mail servers. More and more mail servers compare the forward DNS name with the reverse DNS entry of the connecting IP address, and others check whether the address is listed as dynamic and refuse mail if so. It may therefore be necessary to send mail through a smarthost.

A smarthost is a mail server that your SMTP proxy uses as its outgoing SMTP server. The smarthost must accept your mail and relay it for you. Normally you can use your provider's SMTP server as smarthost, because it will relay your mail where other mail servers may not.

Figure 7.69. Smarthost

Smarthost enabled for delivery

Tick this to send all outgoing mail through the smarthost.

Address of Smarthost

Outgoing mail server used for final delivery.

Note

Normally you can use your provider's SMTP server as smarthost, because it will relay your mail where other mail servers may not.

Authentication required

Some mail servers require authentication. Tick this if the smarthost requires it.

Username

Username to use for the authentication.

Password

Password to use for the authentication.

Save changes and restart

Saves the settings and restarts the SMTP proxy.

IMAP Server for SMTP Authentication

The SMTP proxy can query a remote IMAP server to authenticate users. This makes it possible to use the SMTP proxy from remote locations with authentication and relay mail to any external domain.

Figure 7.70. IMAP Server for SMTP Authentication

Authentication enabled

Tick this to enable remote authentication.

IMAP Server

Address of the remote IMAP Server.

Number authentication daemons

If you have many concurrent users, you can increase the number of authentication daemons (default 5).

Save changes and restart

Saves the settings and restarts the SMTP proxy.

Advanced settings

There are even more advanced configuration options for the SMTP proxy. You can change the maximum size of a single e-mail, change the language of the mails the SMTP proxy sends, or make the mail server more restrictive and RFC-strict in order to fight spam.

Figure 7.71. Advanced Settings

Smtpd helo required

If this is enabled, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session (default enabled).

Note

Requiring this stops some poorly written UCE (spam) software and malware.

Reject invalid hostname

Rejects the client when the hostname given in its HELO or EHLO command is syntactically invalid (default enabled).

Reject non fqdn sender

Rejects the client when the hostname given in its HELO or EHLO command is not a fully-qualified domain name, as required by the RFC (default enabled).

Reject unknown sender domain

Rejects the mail when the domain of the sender address has no DNS A or MX record (default enabled).

Reject unknown recipient domain

Rejects the mail when the domain of the recipient address has no DNS A or MX record (default enabled).

Smtpd hard error limit

The maximum number of errors a remote SMTP client may make without delivering any mail. The SMTP proxy disconnects the client when this limit is exceeded (default 20).
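The HELO checks and the hard error limit above, as an added Python example that is neither Endian's nor Postfix's code. helo_problem applies the hostname syntax rule (labels of letters, digits and hyphens, no leading or trailing hyphen) and the FQDN rule to the HELO/EHLO argument, accepting an address literal such as [192.0.2.1] as the RFC allows; SmtpSession counts every rejected command and closes the session with a 421 reply once the count exceeds the configured limit. The reply codes, the reply text and the rule that an all-numeric last label is not fully qualified are this example's own choices; the DNS-based sender and recipient domain checks are not modelled.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_problem(arg: str):
    """Return None if the HELO/EHLO argument is acceptable, else (kind, reason)
    with kind 'invalid' (bad syntax) or 'non_fqdn' (not fully qualified)."""
    arg = arg.strip()
    if not arg:
        return "invalid", "empty hostname"
    if arg.startswith("[") and arg.endswith("]"):   # address literal, e.g. [192.0.2.1]
        try:
            ipaddress.ip_address(arg[1:-1])
            return None
        except ValueError:
            return "invalid", "bad address literal %r" % arg
    labels = arg.split(".")
    if any(not LABEL_RE.match(label) for label in labels):
        return "invalid", "invalid hostname %r" % arg
    if len(labels) < 2 or labels[-1].isdigit():     # "localhost" or bare "1.2.3.4"
        return "non_fqdn", "hostname %r is not fully qualified" % arg
    return None


class SmtpSession:
    """Models the HELO-related checks and the hard error limit of one SMTP session."""

    def __init__(self, helo_required=True, reject_invalid_hostname=True,
                 reject_non_fqdn=True, hard_error_limit=20):
        self.helo_required = helo_required
        self.reject_invalid = reject_invalid_hostname
        self.reject_non_fqdn = reject_non_fqdn
        self.hard_error_limit = hard_error_limit
        self.errors = 0
        self.greeted = False
        self.disconnected = False

    def _error(self, reply: str) -> str:
        """Count an error; past the hard limit the session is closed with 421."""
        self.errors += 1
        if self.errors > self.hard_error_limit:
            self.disconnected = True
            return "421 4.7.0 Error: too many errors"
        return reply

    def command(self, line: str) -> str:
        if self.disconnected:
            return "421 4.7.0 connection closed"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            problem = helo_problem(arg)
            if problem:
                kind, reason = problem
                if (kind == "invalid" and self.reject_invalid) or \
                   (kind == "non_fqdn" and self.reject_non_fqdn):
                    return self._error("501 5.5.4 " + reason)
            self.greeted = True
            return "250 smtp.proxy.example"
        if verb in ("MAIL", "RCPT", "DATA") and self.helo_required and not self.greeted:
            return self._error("503 5.5.1 Error: send HELO/EHLO first")
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "250 2.0.0 Ok"   # remaining checks are not modelled here


if __name__ == "__main__":
    s = SmtpSession(hard_error_limit=3)
    for line in ("MAIL FROM:<a@example.net>", "HELO 1.2.3.4",
                 "HELO localhost", "HELO bad_host.example", "EHLO mail.example.com"):
        print("%-28s -> %s" % (line, s.command(line)))
```

A limit of 3 is used in the usage block only to show the disconnect quickly; the default of 20 leaves room for the occasional typo from a legitimate but misconfigured client.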

Language E-Mail Templates

Selects the language of the notification and error mails the proxy sends (default English).

Maximal E-Mail size

The maximum size (in MBytes) a message may have (default 10 MB).

Save changes and restart

Saves the settings and restarts the SMTP proxy.