
MailSentry - E-Mail Security and Spamfilter (Configuration)

You can configure and set up the MailSentry - E-Mail Security and Spamfilter module by logging in to the Heimdal Dashboard and accessing the Settings -> Perimeter section.


To add a new domain in the E-Mail Security and Spamfilter module, you have to Enable E-Mail Security and Spamfilter.

 

CONFIGURATION


 

Domain name - allows you to add a domain name (e.g. heimdalsecurity.com)

Inbound Host - allows you to set your email server, your port and to choose a TLS option (Optional, Require, None)

Outbound IP/Provider - allows you to set the Outbound provider by selecting one from the dropdown or add the IP address or domain in the Public IP/Domain field.

More Inbound and Outbound settings can be added by hitting the +ADD button 

 

ADDITIONAL DOMAIN SETTINGS


Resend retention time - allows both administrators and users to resend any email filtered by MailSentry - E-Mail Security and Spamfilter for up to 30/90 days after it was originally received

Put inbound delivery on pause - allows you to put the system on pause for delivering emails (the system will check every 15 minutes for any changes)

Recipient verification - this option sends the emails through another port (2525) to verify recipients

Block outbound Danish CPR Number - scans emails for Danish CPR numbers and blocks them if they include any sensitive information

Inbound Verification - Anti-Spoofing

DMARC** - checks if the incoming email from a domain is authorized by the domain's administrators and that the email (including attachments) has not been modified in the delivery process

SPF** - checks if the incoming email from a domain comes from a host authorized by the domain's administrators 

Outbound Verification

DKIM** Signing - checks if the email is being sent by trusted servers and is untampered

Force TLS transmission to any domain - encrypts the email message from Heimdal Security to the next hop email server

SEPO

SEPO In - adds another security check using SEPO and delivers the email to the SEPO Inbound Scan

SEPO Out - adds another security check using SEPO and checks CPR, Abnormal and Forced TLS delivery
 

ANTI SPAM SETTINGS


The Antispam Settings allow you to change the aggressiveness of the spam filter and to choose what actions to take on emails based on five different classification levels.

Enable Anti Spam Filtering - enables or disables all antispam filtering in MailSentry - E-Mail Security and Spamfilter within your organization

SCORE LEVEL - allows you to input a value between 0-100, where a higher number will make the classification stricter, and a lower number more relaxed

ACTION - allows you to choose an action for every classification (Reject, Quarantine, Tag subject, No Action).
- Reject will reject the email and not store it in any way
- Quarantine will store these emails for 90 days in MailSentry - E-Mail Security and Spamfilter
- Tag will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #
- No Action will make the emails pass unaltered through MailSentry - E-Mail Security and Spamfilter

PRESETS - allows you to change all spam settings to one of three predefined profiles: Moderate (relaxed setting), Default (medium setting) and Aggressive (restrictive setting).

 

SECURITY SETTINGS 


Security Settings will allow you to change the different Security settings for MailSentry - E-Mail Security and Spamfilter.

Antivirus & Antimalware - allows you to activate or deactivate the Heimdal malware & virus detection engines. This can be used to diagnose against false positives, in the event that MailSentry - E-Mail Security and Spamfilter detects legitimate emails and/or attachments as harmful, or containing malware.

Advanced Threat Protection (if licensed) - allows you to activate or deactivate the Heimdal detection systems against advanced threats. This can be used to diagnose against false positives, in the event that MailSentry - E-Mail Security and Spamfilter detects legitimate emails and/or attachments as harmful, or containing advanced threats.

Enable Email Security Advanced Threat Protection - allows you to enable the Advanced Threat Protection, which detects new threats through machine learning and dynamically developed detection mechanisms

Enable Email Security Macro Analyzer - allows you to execute macros and scripts within emails in a sandboxed environment for analysis & detection

Enable Email Security SHA256 Analyzer - allows you to quickly check an email, blocked by Email Security Advanced Threat Protection, against the online malware analysis services VirusTotal and Payload Security. This can be of use in establishing whether the threat and detection are the first of their kind or, if not, in gaining more information on a specific malware sample. By enabling Email Security SHA256 Analyzer, MailSentry - E-Mail Security and Spamfilter generates a SHA256 hash checksum for each file detected as suspicious/bad/harmful/malicious. You can run the search or even download email parts through the Messaging Logs interface. To search for and locate any email blocked by Email Security Advanced Threat Protection in Messaging Logs, you have to left-click the email and select Attachments. Here you will have the option to check the attachment's checksum directly at VirusTotal or Hybrid Sandbox. You can download the full attachment for further investigation and analysis, but please be aware that downloading the full attachment can be a security risk (which will also be communicated via a dialogue box before a potential download).

Email Security PDF Analyzer - executes PDF files and other container files within emails in a sandboxed environment for analysis & detection

Enable Email Security Phishing Protection - allows you to activate or deactivate the detection systems against phishing emails. This can be used to diagnose against false positives, in the event that MailSentry - E-Mail Security and Spamfilter detects legitimate emails as phishing emails

 

Action on Detection - allows you to define what MailSentry - E-Mail Security and Spamfilter shall do with emails containing threats, categorized by malware, ATP, and Phishing. 

 

BLACKLIST & WHITELIST


This section allows you to add email addresses, domains or IPs to the Blacklist or to the Whitelist, thus regulating specific email senders your organization needs to always block or allow.

Blacklist - allows you to add complete email addresses, domains, or even sender IPs, to block all emails from them. You can also take action on the emails received from the blocked addresses/domains/IPs

Whitelist - allows you to add complete email addresses, domains, or even sender IPs, to allow all emails from them. Each entry within the Whitelist can be customized to bypass different scanning methods.
Note: Under normal circumstances, it is not advisable to allow sender IPs under whitelists, as this can provide open access for threats and spam in the event the sender's network or endpoints are compromised

 

ATTACHMENT SETTINGS


This feature will allow you to change the different settings for an email with attachments. The attachment filters can be enabled for the specific file extension, based on the attachment's filename. As an increasing number of threats are trying to bypass email filters by filename and/or file parser manipulation, MailSentry - E-Mail Security and Spamfilter also provides an advanced attachment filter, based on inspection and analysis of each attached file. The advanced attachment filter will also safeguard against users renaming or manipulating their files to bypass policies your organization has set up for allowable file types for email transmission. The list of dangerous files includes the following file extensions: .ac .air .apk .app .applescript .awk .bas .bat .cgi .chm .cmd .com .cpl .crt .csh .dld .dll .drv .elf .exe ._exe .fxp .hlp .hta .inf .ins .inx .isu .iqy .jar .js .jse .jsp .kix .ksh .lib .lnk .mcr .mem .mht .mpkg .mrc .ms .msc .msi .msp .mst .ocx .pas .pcd .pif .pkg .pl .prc .prg .py .pyc .pyo .reg .scpt .scr .sct .seed .sh .shb .shs .spr .sys .thm .tlb .udf .url .uue .vb .vbe .vbs .vdo .wcm .ws .wsc .wsf .wsh .xap .zlq
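The difference between the filename-based filter and the advanced, content-based filter can be shown with a short sketch. This is an added example, not Heimdal's implementation: the extension set is a subset of the list above, and the leading-byte signatures and the `verdict` function are assumptions made for illustration.

```python
# Added example (not Heimdal code): extension filter plus content inspection.

# Subset of the dangerous-extension list from this article.
BLOCKED_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".jar",
               ".lnk", ".hta", ".sh", ".elf", ".apk"}
# Well-known leading "magic" bytes and the file type they indicate.
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"#!", "script"),
    (b"PK\x03\x04", "zip-container"),  # also the container of .jar and .apk
    (b"%PDF-", "pdf"),
]
BLOCKED_TYPES = {"windows-executable", "elf-executable", "script"}


def sniff(data: bytes) -> str:
    """Classify a file by its first bytes, ignoring its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def verdict(filename: str, data: bytes) -> str:
    """Return 'allow' or a 'block: ...' reason for one attachment."""
    # Trailing dots and spaces are dropped by Windows, so "a.exe. " runs as a.exe.
    name = filename.strip().rstrip(". ").lower()
    # Strict policy: every dot-separated part counts, so both
    # "report.pdf.exe" and "report.exe.pdf" are caught by name alone.
    exts = {"." + part for part in name.split(".")[1:]}
    if exts & BLOCKED_EXT:
        return "block: extension"
    # A renamed file passes the name check but not the content check.
    kind = sniff(data)
    if kind in BLOCKED_TYPES:
        return f"block: content is {kind}"
    return "allow"
```

The name check alone would pass an executable renamed to invoice.pdf; the content check is what blocks it.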

 

QUARANTINE SETTINGS


This feature allows you to change the notification settings for emails that have been sent to quarantine by MailSentry - E-Mail Security and Spamfilter. The Personal Quarantine Report by email will send an email containing a notification of quarantined emails to the intended receiver of the quarantined emails in your organization.
Select the types of e-mail in quarantine to be added to the report, and also define whether it is possible to preview and release the e-mail directly from the quarantine report.

General Quarantine Report Settings - allows you to set a sending schedule for the Quarantine Report. It can be configured for daily sending, weekly sending, or hourly sending

Advanced Threat Protection - allows you to specify what details should be included in the Quarantine Report

View/Edit Quarantine Report - allows you to set the limits of the classification to be included in the Quarantine Report

Personal Quarantine Report by Email - allows you to enable the Personal Quarantine Report to be sent only to recipients of quarantined emails. Users who do not have any quarantined emails will not receive a Personal Quarantine Report. Settings can be changed to select how often the Personal Quarantine Report by Email will be sent to the intended recipient of the quarantined emails in your organization

Admin Quarantine Report by Email - allows you to enable the Quarantine Report for the administrator. This report includes all quarantined emails within your organization in one complete quarantine report. You can add one or more recipients using the Receivers field (comma-separated list).

 

SMTP AUTH USERS

This feature allows you to add an SMTP Auth User (username, password, IP address required).

-----------------------------------------------------------

Below, you can read information about how Anti Spoofing Mechanisms work and what SPF, DKIM, or DMARC do.

◦        SPF (Sender Policy Framework)
          More about SPF: https://en.wikipedia.org/wiki/Sender_Policy_Framework
◦        DKIM (Domain Keys Identified Mail)
          More about DKIM: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
◦        DMARC (Domain-based Message Authentication, Reporting & Conformance)
         Read more about DMARC: https://dmarc.org/wiki/FAQ

 

**SPF (Required for domains using MailSentry security outbound sending system)

SPF records basically tell the world what hosts or IPs are allowed to send an email for your domain. When email servers receive an email that claims to be from your domain, they can look up your SPF record and check whether the sending server is included. We strongly recommend you set up an SPF record that includes MailSentry - E-Mail Security and Spamfilter. This will not only make your email seem more legitimate and thus less likely to be sent to spam folders, but it will also help protect your domain from attackers who send emails with forged headers pretending to be you.

MailSentry - E-Mail Security and Spamfilter SPF record to include: _spf.centiumsecurity.dk

The “include:_spf.centiumsecurity.dk” means you allow the servers of MailSentry to send on behalf of your domain. If you want to keep an existing SPF record, simply add the “include:_spf.centiumsecurity.dk” to it right after the “v=spf1”.
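The merge described above, as an added example that is not Heimdal's code. The include value comes from this article; the sample record, the domain names in it and the function names are constructed for illustration. The lookup count covers only the terms of the record itself, since includes nested inside other includes can only be counted by resolving them in DNS.

```python
# Added example (not Heimdal code): merge the MailSentry include into an SPF record.
MAILSENTRY_INCLUDE = "include:_spf.centiumsecurity.dk"  # value taken from this article


def _costs_lookup(term: str) -> bool:
    """True if an SPF term triggers a DNS query when evaluated (RFC 7208)."""
    t = term.lstrip("+-~?").lower()
    if t.startswith(("include:", "exists:", "redirect=")):
        return True
    # a, mx and ptr may appear bare or with ":domain" / "/cidr" suffixes
    name = t.split(":", 1)[0].split("/", 1)[0]
    return name in ("a", "mx", "ptr")


def add_mailsentry_include(record: str) -> str:
    """Return the record with the include placed right after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    if any(t.lower() == MAILSENTRY_INCLUDE for t in terms[1:]):
        return " ".join(terms)  # already present, do not duplicate it
    return " ".join([terms[0], MAILSENTRY_INCLUDE] + terms[1:])


def top_level_lookups(record: str) -> int:
    """Count lookup-costing terms in this record only."""
    return sum(_costs_lookup(t) for t in record.split()[1:])


def check(record: str) -> list:
    """Return warnings for common mistakes in the merged record."""
    warnings = []
    terms = [t.lower() for t in record.split()]
    if top_level_lookups(record) > 10:
        warnings.append("more than 10 DNS lookups: receivers return permerror")
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        warnings.append("no terminating 'all' mechanism or redirect")
    if "+all" in terms or "all" in terms:
        warnings.append("'+all' authorizes every host on the Internet")
    return warnings


# Constructed sample: an existing record for a hypothetical domain.
existing = "v=spf1 mx ip4:192.0.2.10 include:_spf.example.net ~all"
merged = add_mailsentry_include(existing)
```

A domain must publish only one SPF TXT record, which is why the include is merged into the existing record instead of being added as a second one.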

**DKIM
DKIM is a method of email authentication that cryptographically verifies whether an email was sent by trusted servers and has not been tampered with. Basically, when a server sends an email for your domain, it calculates an encrypted hash of the email contents using a private key (that only trusted servers know) and adds it to the email headers as a DKIM signature. The receiving server verifies the email contents by looking up the corresponding public key in your domain’s DNS records, decrypting the encrypted hash, calculating a new hash based on the email contents as received, and checking whether the decrypted hash matches the new hash. If there is a match, then the email was not changed and so DKIM passes. Otherwise, DKIM fails and the email is treated with suspicion.

Important: The DKIM record for your domain is added to the hostname of your domain in the following syntax:

selector._domainkey.domainname (selector is predefined as centium{currentdate} )

Example: If domainname is defendas.com, the TXT DKIM public key is added to:

centium{currentdate}._domainkey.defendas.com

It can seem complicated but implementing DKIM for your domain is quite easy in MailSentry - E-Mail Security and Spamfilter. Once you request a new certificate for your domain, MailSentry will generate a DKIM key pair and show you the TXT record to add if you want to enable DKIM signing. This record contains the public key and is different for every domain.

Once you added the TXT record to your domain, you can ‘Check DNS’ to verify your public DKIM key and enable outbound signing if validation is successful.

Some online services provide DKIM verification to test if your e-mails are DKIM signed correctly by sending e-mails to a specific e-mail address. Here are a few, but more can be found online:

https://www.port25.com/authentication-checker/

http://dkimvalidator.com/

**DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) makes it possible to instruct the receiving server on how to handle a received email coming (or pretending to come) from your domain which fails the SPF and DKIM email verification checks. DMARC enables you to choose one of three predefined actions for unverified emails: none, quarantine, and reject.

A basic DMARC TXT record example: v=DMARC1; p=none; rua=mailto:your@emailaddress.com

The “p=” specifies the action to take for emails that fail DMARC and here, “none” basically means don’t do anything, accept the email as usual. The “rua=” is an optional parameter that specifies an email address where other email services can send aggregate reports to so you can see how many of your emails are failing DMARC. Once you are confident your legitimate emails are passing DMARC (either SPF passes or DKIM passes), then you may want to set “p=quarantine”, which tells the receiving server to send failed emails to the spam folder. Even more aggressively, you can set “p=reject” to tell the receiving server to not accept failed emails. We advise working towards “p=quarantine” or even “p=reject” if you think you are likely to be a target of spoofing. For example, Yahoo, PayPal, and eBay use “reject” to prevent spammers from impersonating them.

Important: The DMARC record for your domain is added to the hostname of your domain in the following syntax:

_dmarc.domainname

Example: If domain name is defendas.com, the TXT DMARC record is added to _dmarc.defendas.com
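The record syntax, the three policies and the record location described above can be checked with a small parser. This is an added example, not Heimdal's code; the function names and the disposition labels ("deliver", "spam-folder", "refuse") are chosen here for illustration, and the SPF and DKIM inputs are assumed to be results the receiver has already evaluated for the domain in the From header.

```python
# Added example (not Heimdal code): parse a DMARC record and derive the action.
VALID_POLICIES = {"none", "quarantine", "reject"}


def dmarc_hostname(domain: str) -> str:
    """DNS name where the DMARC TXT record is published."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' pairs and validate v= and p=."""
    tags, order = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
        order.append(key.lower())
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"p= must be one of {sorted(VALID_POLICIES)}")
    tags["p"] = policy
    # rua is optional and may hold several comma-separated report addresses
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return tags


def disposition(record: str, spf_pass: bool, dkim_pass: bool) -> str:
    """Action a receiver applies under the published policy."""
    policy = parse_dmarc(record)["p"]
    if spf_pass or dkim_pass:
        return "deliver"  # DMARC passes when either check passes
    return {"none": "deliver", "quarantine": "spam-folder", "reject": "refuse"}[policy]
```

Running `parse_dmarc` on a record before publishing it catches the two mistakes that make receivers ignore it: a record that does not start with v=DMARC1 and a missing or misspelled p= value.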

MailSentry - E-Mail Security and Spamfilter supports the collection and reporting of DMARC reports. Combined with an online service that provides DMARC wizards to create your DMARC record as you want it, and that provides you with the full DMARC records and reports, your organization will have fully implemented DMARC for its email infrastructure.

Examples of online services for DMARC record wizards & reporting:

https://dmarcian.com/dmarc-inspector/

https://www.dmarcanalyzer.com/
