<< Back to man.ChinaUnix.net

SMTP

The scope of the SMTP proxy is to control and optimize SMTP traffic in general and to protect your network by threats with the SMTP protocol. The SMTP (Simple Mail Transport protocol) protocol is used whenever you send a mail away through your Mail client to a remote mail server (Outgoing mail). It will also be used if you host a mail server within your LAN behind GREEN or your DMZ behind ORANGE and allow mail to be send from the outside directly to your mail server (Incoming mail).

Warning

In order to download mail from a remote mailserver by your local mail clients, the POP3 or IMAP protocol will be used. If you like to protect those traffic, too, you need to use the POP3 proxy. Scan of IMAP traffic is currently not supported.

With the mail proxy functionality, both sort of traffic (Incoming and outgoing mail) can be scanned agains virii, spam and other threats. Mail will be blocked if necessary and notices will be sent to both the receiving user and the administrator. With the possibility to scan incoming mail, the mail proxy can handle incoming connections and pass the mail to one or more internal mail servers in order to remove the necessity to have SMTP connections from the outside within your intern networks.

The following is a complete feature list, which will be described in detail on the following sections:

General Settings

Figure 7.61. General Settings

General Settings
Enabled

This enables the SMTP proxy in order to accept requests on port 25.

Note

Relaying is disabled without authentication in non transparent mode.

Transparent on <zone>

If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need of any special configuration changes on your clients.

Antivirus is enabled

Tick this on if you like to enable the antivirus. If you enable the antivirus, you can configure the antivirus by clicking on the Antivirus link. See the section called “Antivirus” for a detailed description.

Spamcheck is enabled

Tick this on if you like to enable the antispam. If you enable the spam filter, you may configure it by clicking on the Spam link. See the section called “AntiSpam” for a detailed description.

File Extension are blocked

Tick this on if you like to enable the file extension blocker. With this you may specify a list of file extensions which are not allowed as attachement. If you enable it, configure it by clicking on the File Extensions link. See the section called “Banned File Extension” for a detailed description.

Incoming Mail enabled

If you have an internal Mailserver and like the SMTP proxy to forward incoming mails to your internal server you need to tick this checkbox on.

Note

You need to configure the E-Mail domains for which it should be responsable. List the responsable domains within the page you reach by clicking on the Local Domains link. See the section called “Local Domains” for a detailed description.

Firewall logs outgoing connections

Tick this on if you want the firewall to log all established outgoing connections. Note that in some countries this may be illegal.

Save changes and restart

Save the settings and restart the SMTP proxy by pushing this button.

Antivirus

The Antivirus is a core functionality of the SMTP proxy module. It knows four different possibilities to handle mail containing a virus. You have also the possibility to configure an email address for notification of the recognized and handled threat.

Figure 7.62. SMTP Antivirus

SMTP Antivirus

The antivirus section provides the following configuration options:

Mode

This allows you to select the mode of handling infected emails. The following possibilities do exist:

DISCARD

In this mode the email will not be delivered to its recipients and deleted without sending a notification to the sender. If a virus quarantine is defined a copy of the original email will be send or copied to the virus quarantine.

Note

In most cases this is the best mode for handling infected mails.

BOUNCE

In this mode the email will not be delivered to its recipients but bounced back to the sender in form of a delivery status notification with a non-delivery notification. If a virus quarantine is defined a copy of the original email will be send or copied to the virus quarantine.

Warning

Sending notification mails to the sender is insofar not really helpful as worms normally do not send themselves in mails with real sender addresses. Worms nearly always use spoofed sender addresses, therefore such notifications always reach anyone but the right person. The SMTP proxy does not send bounces back to the sender if a worm will be recognized of which the SMTP proxy knows that it normally spoofs the sender address, but nevertheless is the benefit less to the problems which may be caused by this mode.

REJECT

The email will be rejected by the MTA. Basically this is the same as BOUNCE. (will probably be removed in future)

PASS

Mail will pass to its recipients, regardless of bad content.

Virus Admin

Gives you the possibility to specify a (fully qualified) administrator email address where virus notifications should be sent. (Default is empty)

Virus Quarantine

Location to put infected mail into. The following possibilites are valid:

leave empty

Disables the quarantine

virus-quarantine

Set this if you would like to store infected mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no possibility to control and manage the quarantine if you use this possibility.

any email address

You can specify any valid email address, where infected mail will be forwarded to. With this variant you can forward all infected mail within a POP3 or IMAP account where you may manage it easily.

Note

The email address must contain a @.

Warning

This email address must not have any virus scanner, otherwise the quarantined mail will be blocked by that server.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

AntiSpam

The antispam module knows several different possibilities to protect you agains spam. In general spamassassin and amavisd-new is used to filter out spam. SpamAssassin incorporates several means of detecting spam. It has a “score tally” system where large numbers of inter-related rules fire off and total up a score to determine if a message is spam or not. In this system each rule affects the proper score of every other rule in the ruleset and the system tries to balance the most spam and nonspam each on the right side of the tolerance mark.

While much of the rules block much of simplier spam, well known spam and spam sent by known spam hosts, spammer always adapt their messages in order to knock out spam filters. Therefore it is necessary to also always train the spam filter in order to reach a personalized and stronger statistical filter (bayes).

Note

While the spam filter blocks much spam it never will block all of your spam.

Note

The spamassassin rules will not be updated automatically like the virus signatures. Here you can read why.

General Settings

Figure 7.63. SMTP Antispam

SMTP Antispam
Spam destination

This allows you to define what should be happen to spam mails. The following possibilities do exist:

DISCARD

In this mode the email will not be delivered to its recipients and deleted without sending a notification to the sender. If a spam quarantine is defined a copy of the original email will be send or copied to the spam quarantine.

Note

In most cases this is not very useful, since it is possible that the spam filter may block also regular mail (false positives) if it is configured to restrictive.

Warning

Check your local law. In most countries it is illegal to delete mail without the permission of the recipient.

BOUNCE

In this mode the email will not be delivered to its recipients but bounced back to the sender in form of a delivery status notification with a non-delivery notification. If a spam quarantine is defined a copy of the original email will be send or copied to the spam quarantine.

Warning

Sending notification mails to the sender of spam is insofar not really helpful as spammer then more than ever know that they hit a real email address. Furthermore, spammer mostly do not use their real sender addresses. They nearly always use spoofed sender addresses, therefore such notifications always reach anyone but the right person.

REJECT

The email will be rejected by the MTA. Basically this is the same as BOUNCE. (will probably be removed in future)

PASS

Mail will pass to its recipients, regardless of bad content.

Note

In most cases, this is the best mode you can use. The spam filter adds spam headers and changes the subject of the mail if it recognizes the mail as spam. The recipient then may use it's mail client to filter those mails itself.

Spam admin

Gives you the possibility to specify a (fully qualified) administrator email address where spam notifications should be sent. (Default is empty)

Spam quarantine

Location to put spam mail into. The following possibilites are valid:

leave empty

Disables the quarantine

spam-quarantine

Set this if you would like to store spam mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no possibility to control and manage the quarantine if you use this possibility.

any email address

You can specify any valid email address, where spam mail will be forwarded to. With this variant you can forward all spam mail within a POP3 or IMAP account where you may manage it easily.

Note

The email address must contain a @.

Warning

This email address must not have any blocking spam filter, otherwise the quarantined mail will be blocked by that server.

SPAM TAG Level:

If spam score is greater or equal to this level put spam info email headers into it. You will find them as X-Spam-Status and X-Spam-Level headers.

Note

This level will not block the mail regardless what you defined as spam destination.

Example 7.9. Example spam info headers

X-Spam-Status: No, score=-1.54 tagged_above=-4 required=6.31
 tests=[AWL=-0.723, BAYES_00=-2.599, HTML_80_90=0.146,
 HTML_FONT_SIZE_NONE=0.033, HTML_FONT_SIZE_TINY=0.533, HTML_FONT_TINY=0.964,
 HTML_IMAGE_RATIO_04=0.105, HTML_MESSAGE=0.001]
X-Spam-Score: -1.54
X-Spam-Level: 
SPAM MARK level

If spam score is greater or equal to this level, mark the mail as spam by tagging the subject line with *** SPAM *** and add the X-Spam-Flag header.

Note

This level will not block the mail regardless what you defined as spam destination.

Example 7.10. Example spam info headers

X-Spam-Status: Yes, hits=12.4 tagged_above=-10.0 required=5.3 tests=BAYES_99,
RCVD_HELO_IP_MISMATCH, RCVD_IN_XBL, RCVD_NUMERIC_HELO, SARE_FWDLOOK,
SARE_MONEYTERMS, SARE_OEM_FAKE_YEAR
X-Spam-Level: ************
X-Spam-Flag: YES

Note

Users may use X-Spam-Flag: YES as search string for their filter within mail clients.

SPAM quarantine level

If spam score is greater or equal to this level then the spam evasive action which you selected in spam destination will be used.

Note

This is the level which may delete spam mail if you selected to DISCARD spam mail.

Sendernotification only under level

If spam score is greater to this level no notification mails will be sent to the administrator.

SPAM subject

String to prepend to subject header field when message exceeds SPAM MARK level.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Greylisting

Greylisting is a simple method of defending electronic mail users against e-mail spam. In short, a mail transfer agent which uses greylisting will temporarily reject any email from a sender it does not recognize. The sender will be delayed for the configured time. If the mail is legitimate, the originating server will try again to send it later. If the delay time is elapsed, the destination will accept it. Spammer normaly will not retry to send temporarily rejected mail, since this is cost effective. However, even spam sources which re-transmit later will be more likely to be listed in DNSBLs and distributed signature systems such as pyzor.

Figure 7.64. Greylisting

Greylisting
greylisting activated

Tick this on if you want to enable greylisting.

delay(sec)

You can change the delay from 30 secs to maximum 3600 (1 hour).

Whitelist recipient

With this you can whitelist an address or a complete domain (one entry per line).

Whitelist client

You can exclude a Mailserver address in order to bypass the greylisting for this mail server (one entry per line).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button

Banned File Extension

This allows you to block files with certain file extensions which may be attached to mails. Mails which contain such attachements will be recognized and the selected action will be performed for the respective mail.

Figure 7.65. banned files

banned files
Blocked File Extensions

You can select one or multiple file extension. In order to select multiple files press the control key and select the desired entries with the mouse.

Note

File Extension Block must be enabled in gereral settings.

Banned files destination

This allows you to define what should be happen to mails containing files with banned extensions. The following possibilities do exist:

DISCARD

In this mode the email will not be delivered to its recipients and deleted without sending a notification to the sender. If a banned files quarantine is defined a copy of the original email will be send or copied to the quarantine.

BOUNCE

In this mode the email will not be delivered to its recipients but bounced back to the sender in form of a delivery status notification with a non-delivery notification. If a banned files quarantine is defined a copy of the original email will be send or copied to the quarantine.

Note

Normaly it may be wise to use this variant, since senders then know what they are doing wrong.

REJECT

The email will be rejected by the MTA. Basically this is the same as BOUNCE. (will probably be removed in future)

PASS

Mail will pass to its recipients, regardless of bad content.

Banned files quarantine

Location to put mail with banned files into. The following possibilites are valid:

leave empty

Disables the quarantine

spam-quarantine

Set this if you would like to store bad mails on the firewall. You will find the mails in /var/amavis/virusmails/. This is the default.

Warning

There is no possibility to control and manage the quarantine if you use this possibility.

any email address

You can specify any valid email address, where bad mail will be forwarded to. With this variant you can forward all bad mail within a POP3 or IMAP account where you may manage it easily.

Note

The email address must contain a @.

Admin notification

Gives you the possibility to specify a (fully qualified) administrator email address where notifications about bad attachements should be sent. (Default is empty)

Block double extension:

tick this if you want block attachements which have one of the following double extensions.

  • filename.XXX.exe

  • filename.XXX.vbs

  • filename.XXX.pif

  • filename.XXX.scr

  • filename.XXX.bat

  • filename.XXX.cmd

  • filename.XXX.com

  • filename.XXX.dll

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Blacklists/Whitelists

A oftenly used method to block certain spam are so called real-time blacklists (RBL). Those have been created by many different organisations and will be managed, administrated and actualised by them. If a domain or a sender ip address is listed within one of those blacklists, the mail will be refused promptly and without the need and possibility to gather more information about it. This saves more bandwith in comparision to the RBL of the antispam module, since the mail will not be accepted and then handled, but refused as soon as a listed ip address will be recognized.

This dialogue gives also the possibility to explicitely block (blacklist) or explicitely allow (whitelist) certain sender, recipients, ip addresses or networks.

Real-time Spam Black Lists (RBL)

A DNS-based Blackhole List (DNSBL, Real-time Blackhole List or RBL), is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming.

Warning

It may happen that IP addresses have been wrongly listed by the RBL operator. If this should happen, it may negatively impact your communication, to the effect that mail will be refused without the possibility to recover it. You also have no direct influence on the RBL's.

Figure 7.66. Real-time Black Lists

Real-time Black Lists
bl.spamcop.net

RBL based on user submission.(www.spamcop.net)

sbl-xbl.spamhaus.org

The SBL is a realtime database of IP addresses of verified spam sources (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits (www.spamhaus.org).

cbl.abuseat.org

The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.

The CBL does NOT list open SMTP relays (cbl.abuseat.org).

dul.dnsbl.sorbs.net

This contains a list of Dynamic IP Address ranges (www.au.sorbs.net).

list.dsbl.org

DSBL is the Distributed Sender Blackhole List, it publishes the IP addresses of hosts which have sent special test email to listme@listme.dsbl.org or another listing address.The main delivery mechanism of spammers is the abuse of non-secure servers. For this reason, many people want to know which servers are non-secure so they can refuse email from these servers. DSBL is intended as a place to publish whether a server is non-secure (www.dsbl.org).

relays.ordb.org

ORDB.org is the Open Relay Database. ORDB.org is a non-profit organisation which stores a IP-addresses of verified open SMTP relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk email, also known as spam. By accessing this list, system administrators are allowed to choose to accept or deny email exchange with servers at these addresses (www.ordb.org).

opm.blitzed.org

OPM is designed to list IPs confirmed to be running insecure proxies. These can be present because of misconfiguration of legitimately-installed software, or they can be due to the installation of trojans, viruses and other malware. OPM differs from other open proxy DNSBLs in that it tries not to proxy test remote hosts unless they are implicated in reports of abuse, and it aggressively expires old IPs, especially those known to be used for dynamic leases, such as dialup customers.

The opm.blized.org does NOT list open SMTP relays (wiki.blitzed.org/OPM).

dsn.rfc-ignorant.org

The dsn.rfc-ignorant.org is a list which contain domains or IP networks whose administrators choose not to obey the RFCs, the building block “rules” of the net (www.rfc-ignorant.org).

save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Note

advanced users can modify the list by editing the file /var/efw/smtpd/default/RBL.

Custom black/whitelists

You have full control and can blacklist, whitelist specific sender/recipient or client.

Figure 7.67. black/whitelists

black/whitelists
Sender Whitelist/Blacklist

There are multiple ways to deny (blacklist) or allow (whitelist) a sender or domain (one per line).

These addresses covered by this listings will be compared with the senders email address of each incoming mail.

Domain (with subdomains)

Allow or deny a complete domain with all it's subdomains.

Example 7.11. Allow or deny a complete domain

endian.it
sub.example.com

This will cover each email address under both domains and it's subdomains, like mail@sub.endian.it.

Subdomains

Allow or deny only the subdomains of the specified domain. In order to achieve this, lead the domain name with a dot.

Example 7.12. Allow or deny only the subdomains of a domain

.endian.it
.sub.example.com

This will cover each email address under each subdomain of both domains. For instance it will include mail@test.endian.it but exclude info@endian.it.

Address

Allow or deny a single fully qualified email address or any email address having the specified user part.

Example 7.13. Allow or deny single email addresses or user names.

info@endian.it
postmaster@
abuse@

This will cover the single email address info@endian.it of course, and each email address with postmaster or abuse as user part, like postmaster@riaa.org.

Recipient Whitelist/Blacklist

There are multiple ways to deny or allow a single recipient or domain (one per line).

These addresses covered by this listings will be compared with the recipient's email address of each incoming mail.

Domain (with subdomains)

Allow or deny a complete domain with all it's subdomains.

Example 7.14. Allow or deny a complete domain

endian.it
sub.example.com

This will cover each email address under both domains and it's subdomains, like mail@sub.endian.it.

Subdomains

Allow or deny only the subdomains of the specified domain. In order to achieve this, lead the domain name with a dot.

Example 7.15. Allow or deny only the subdomains of a domain

.endian.it
.sub.example.com

This will cover each email address under each subdomain of both domains. For instance it will include mail@test.endian.it but exclude info@endian.it.

Address

Allow or deny a single fully qualified email address or any email address having the specified user part.

Example 7.16. Allow or deny single email addresses or user names.

info@endian.it
postmaster@
abuse@

This will cover the single email address info@endian.it of course, and each email address with postmaster or abuse as user part, like postmaster@riaa.org.

Warning

If the SMTP proxy runs in transparent mode, each IP address of subnet's known by the Endian Firewall will be allowed automtically. Therefore it is not possible to blacklist the recipient which has one of those ip addresses.

Client Whitelist/Blacklist

You can also block or allow a single IP address or subnet from which mail will be sent (one per line).

Example 7.17. Allow or deny ip block.

80.190.233.143
80.190.233.0/24
Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Note

The whitelist overwrites the blacklists. You can blacklist a whole subnet and then whitelist a single address.

Local Domains

If you have enabled incoming mail and like to forward it to a mailserver behind Endian Firewall which exists within GREEN or ORANGE zone, you need to configure which domains will be accepted by the SMTP proxy and where it should be forward to. It is possible to specify multiple mail server behind Endian Firewall for different domains. It is also easily possible to use Endian Firewall as a backup MX.

Figure 7.68. Local Domains

Local Domains

Note

Incoming mail must be enabled in order to enable this functionality.

Advanced settings

This section covers advanced settings of the SMTP proxy.

Smarthost

If you have a dynamic IP address because you use ISDN or ADSL as dialup internet connection, you will get problems sending mails to other mail servers. More and more mail server compare DNS with it's reverse DNS, while other mailserver check if your ip address is listed as a dynamic IP address and refuse mail if it is so. Therefore it could be necessary to use a smarthost for sending emails.

A smarthost is a mail server which your smtp proxy will use as outgoing SMTP. The smarthost need to accept your mail and relays it for you. Normaly you may use your providers SMTP as smart host, since it will accept to relay your mails and other mailserver may not.

Figure 7.69. Smarthost

Smarthost
Smarthost enabled for delivery

Tick this on to send all outgoing mail through the smarthost.

Address of Smarthost

Outgoing mailserver for final delivery.

Note

Normaly you may use your providers SMTP as smart host, since it will accept to relay your mails and other mailserver may not.

Authentication required

Some mailservers require authentication. Tick this on if the mail server requires authentication.

Username

Username to use for the authentication.

Password

Password to use for the authentication.

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

IMAP Server for SMTP Authentication

The SMTP Proxy can query a remote IMAP Server to authenticate users. So it is possible to use the SMTP Proxy from remote with authentication to relay to any external domain.

Figure 7.70. IMAP Server for SMTP Authentication

IMAP Server for SMTP Authentication
Authentication enabled

Tick this on to enable the remote authentication.

IMAP Server

Address of the remote IMAP Server.

Number authentication daemons

If you have many concurrent users you can increase the number of authentication daemons (default 5).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.

Advanced settings

There are even more advanced configuration possibilities for the SMTP proxy. You may change the maximal size of a single email address, change the language of smtp proxy mails, or make the mail server more restrictive and RFC strict in order to fight against spam.

Figure 7.71. Advanced Settings

Advanced Settings
Smtpd helo required

If this is enabled the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session (default enabled).

Note

Requiring this will stop some UCE malware.

Reject invalid hostname

Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname (default enabled).

Reject non fqdn sender

Reject the connecting client when the hostname supplied within the client HELO or EHLO command is not a fully-qualified domain name, as required by the RFC (default enabled).

Reject unknow sender domain

Reject the connected client when the sender mail address has no DNS A or MX record (default enabled).

Reject unknow recipient domain

Reject the connected client when the recipient mail address has no DNS A or MX record (default enabled).

Smtpd hard error limit

The maximal number of errors a remote SMTP client is allowed to make without delivering mail. The SMTP Proxy server disconnects when the limit is exceeded (default 20).

Language E-Mail Templates

Allows to specify the language for the error messages (default English).

Maximal E-Mail size

The maximal allowed size (in MBytes) a message can have (default 10MB).

Save changes and restart

Save the settings and restart the SMTP Proxy by clicking the save changes and restart button.