In this article, you will learn everything you need to know about the Email Security module. The Email Security engines scan for the most intrusive method cybercriminals use to introduce malware and viruses into corporate systems. Lightweight, easy to deploy, and highly responsive, our Email Security anti-malware and anti-spam filter can be scaled to any number of endpoints within your organization. Its MX record-based analysis vectors keep all malicious emails out of your inbox, automatically removing malware-laced attachments, and filtering emails coming from malicious IPs or domains, or those containing malicious URLs.
1. Description
2. How does Email Security work?
3. Email Security setup guide
4. Email Security view
5. Email Security settings
DESCRIPTION
Our Email Security uses market-leading spam detection and filtering engines that go beyond simple spam definitions. It proactively prevents even the most sophisticated email exploits that seek to harm your organization by bypassing regular spam filters and antivirus solutions. The Email Security features include anti-spam protection, botnet protection, Advanced Malware Filtering, Protection against DNS hijacking, Phishing protection, threat tracing & full audit log, social security number leakage detection (US, UK, DK, DE), personal quarantine report, 90-day email retention, deep attachment scanner, deep content inspection.
HOW DOES EMAIL SECURITY WORK?
Email Security protects both Inbound and Outbound mail flows by acting like the man-in-the-middle, between the Internet and your organization's email server (in case of the Inbound Mail Flow) or vice-versa (in case of the Outbound Mail Flow). Below you have the diagram of the Email Security module:
On the Inbound flow, emails that come from the Internet reach the organization's domain (example.com) and are forwarded to the HEIMDAL Security MX Records found on the domain's DNS (example: eu-esec-01.heimdalsecurity.com or eu-esec-02.heimdalsecurity.com for the Europe region). Once they reach the HEIMDAL servers, Email Security goes through the following flow:
- Allowlist & Blocklist (Allowlist has priority over everything. Anything in the Allowlist is skipped from the Blocklist check);
- Greylist check
- IP Reputation check (only if Spam scanning is enabled);
- SPF/DMARC scanning;
- Non-TLS check;
- Virus scanning;
- Spam scanning;
- Attachment scanning;
- Newsletter scanning;
- Advanced Threat Protection;
If emails pass these checks, they are delivered to the organization's inbound Mail Server (configured in the HEIMDAL Dashboard - Network settings) to reach the recipient's inbox, but if the emails fail the checks, they can be tagged, quarantined, or rejected (depending on the settings configured in the HEIMDAL Dashboard - Network settings) before reaching the recipient's inbox. In the case of quarantined emails, the HEIMDAL Dashboard Admin can allow users to release the quarantined emails they have received or he can allow them himself.
On the Outbound flow, emails are sent from the organization's Outbound server using a forwarding rule/connector to reach the HEIMDAL Security smarthost (eu-esec-outbound.heimdalsecurity.com), where the Email Security engines perform the following operations:
- Spam scanning;
- Virus scanning;
- Attachment scanning;
- Advanced Threat Protection;
If emails pass these checks, they are delivered by the Email Security servers to the recipients, but if the emails fail the checks, they will be rejected or undelivered.
EMAIL SECURITY setup guide
In order to set up Email Security without disrupting the email flow in your organization, you need to follow the steps below for each of the flows you are configuring.
Setting up the Inbound Mail Flow
A. Adding your domain to the HEIMDAL Dashboard
1. Log in to the HEIMDAL Dashboard and navigate to the Network Settings.
2. Click the Email Protection tab and make sure the Email Security module is enabled.
3. To add a new domain to be filtered by the Email Security engines click Add Domain.
4. Insert your Domain Name, your Inbound Mail Server (Domain or Public IP Address), and Save Changes.
5. Additionally, you can configure the rest of the settings or leave them for a later time.
6. After having all the settings configured, press the Update Network Settings button.
B. Adding the Email Security MX Records to your domain's DNS Settings
1. Log in to the portal where you manage your domain's DNS Settings (your registrar's portal or your hosting company's portal | example: GoDaddy, HostGator, or others) and go to the DNS Settings. In case your domain's DNS hosting provider is Microsoft, note the fact that Microsoft 365 prefers its own Mail Server as the primary MX Record (example-com.mail.protection.outlook.com) and does not allow 3rd Party spam filters to be configured in your domain's DNS settings as primary MX Records.
2. Change your MX Records to point to the Email Security MX Records (make sure you use the MX Records corresponding to the region your customer account is stored):
- eu-esec-01.heimdalsecurity.com (for customers stored in the Europe region);
- eu-esec-02.heimdalsecurity.com (for customers stored in the Europe region);
- us-esec-01.heimdalsecurity.com (for customers stored in the United States region);
- us-esec-02.heimdalsecurity.com (for customers stored in the United States region);
- uk-esec-01.heimdalsecurity.com (for customers stored in the United Kingdom region);
- uk-esec-02.heimdalsecurity.com (for customers stored in the United Kingdom region);
Once the configuration of the MX Records has been completed and the settings propagated, emails should be displayed and filtered by the Email Security module in the HEIMDAL Dashboard, under the Email Security view (Inbound view).
Setting up the Outbound Mail Flow
A. Adding your Outbound Mail Server(s) in the HEIMDAL Dashboard
1. Log in to the HEIMDAL Dashboard and navigate to the Network Settings.
2. Click the Email Protection tab and make sure the Email Security module is enabled.
3. Click the Edit button (the pencil icon) to edit the domain you have created.
4. Add your Outbound Mail Server (Domain or Public IP Address) by clicking the Add button, and Save Changes.
5. After having all the settings configured, press the Update Network Settings button.
B. Adding the Email Security SPF, DMARC, DKIM records to your domain's DNS Settings
1. Log in to the portal where you manage your domain's DNS Settings (your registrar's portal or your hosting company's portal | example: GoDaddy, HostGator, Office 365, or others) and go to the DNS Settings.
2. Edit your SPF Records to include the Email Security SPF Records:
- include:spf-esec.heimdalsecurity.com (for customers stored in the Europe region)
- include:spf-esec-us.heimdalsecurity.com (for customers stored in the United States region)
- include:spf-esec-uk.heimdalsecurity.com (for customers stored in the United Kingdom region)
Example: v=spf1 include:spf.protection.outlook.com include:spf-esec.heimdalsecurity.com -all
Make sure you don't remove any 3rd Party SPF Records that are already set up on your SPF Records. After adding the Email Security SPF Records, do an SPF Record Lookup to make sure the SPF Records are validating correctly (you can use mxtoolbox.com or any other online tool to check).
3. Add a DMARC Record:
- Type: TXT
- Host: _dmarc
- Value: v=DMARC1; p=quarantine; rua=mailto:gcafy1yi@ag.dmarcian-eu.com, mailto:test1@example.com; ruf=mailto:gcafy1yi@fr.dmarcian-eu.com, mailto:test1@example.com;
- TTL: 1/2 Hour
4. Additionally, you can add DKIM Signature to make sure the emails you send are DKIM-signed.
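The SPF and DMARC values from steps 2 and 3 can be sanity-checked before they are published. The following is an added example, not code from HEIMDAL; the function names are hypothetical, and the checks cover only common editing mistakes (a second SPF record, a missing regional include, a permissive or misplaced "all", a reporting address without a URI scheme):

```python
# SPF include hosts per region, as listed on this page.
HEIMDAL_SPF_INCLUDES = {
    "eu": "spf-esec.heimdalsecurity.com",
    "us": "spf-esec-us.heimdalsecurity.com",
    "uk": "spf-esec-uk.heimdalsecurity.com",
}
# Terms that trigger a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")

# The example records shown on this page.
PAGE_SPF = ("v=spf1 include:spf.protection.outlook.com "
            "include:spf-esec.heimdalsecurity.com -all")
PAGE_DMARC = ("v=DMARC1; p=quarantine; "
              "rua=mailto:gcafy1yi@ag.dmarcian-eu.com, mailto:test1@example.com; "
              "ruf=mailto:gcafy1yi@fr.dmarcian-eu.com, mailto:test1@example.com;")


def check_spf(txt_values, region):
    """Check the TXT values published for the domain; return a list of problems."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Adding the include as a second SPF record, instead of editing the
        # existing one, makes SPF evaluation end in a permanent error.
        return ["expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    bare = [t.lstrip("+-~?") for t in terms]  # terms without their qualifier
    problems = []

    wanted = "include:" + HEIMDAL_SPF_INCLUDES[region]
    if wanted not in [t.lstrip("+") for t in terms]:
        problems.append("missing " + wanted)

    # Counts only the terms in this record; nested includes add more lookups.
    lookups = sum(1 for t in bare
                  if t.split(":")[0].split("/")[0] in LOOKUP_TERMS
                  or t.startswith("redirect="))
    if lookups > 10:
        problems.append("%d DNS-lookup terms exceed the limit of 10" % lookups)

    if "all" not in bare:
        if not any(t.startswith("redirect=") for t in bare):
            problems.append("no 'all' mechanism or redirect= modifier")
    else:
        idx = bare.index("all")
        if any("=" not in t for t in bare[idx + 1:]):
            problems.append("mechanisms after 'all' are never evaluated")
        if terms[idx] in ("all", "+all"):
            problems.append("'+all' authorizes every host to send for the domain")
    return problems


def check_dmarc(record):
    """Check a _dmarc TXT value; return a list of problems."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    problems = []
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if uri and ":" not in uri:
                problems.append("%s target %r has no URI scheme (expected mailto:)"
                                % (tag, uri))
    return problems


if __name__ == "__main__":
    print(check_spf([PAGE_SPF], "eu"), check_dmarc(PAGE_DMARC))
```

An empty list means no problem was found; the published records should still be confirmed with an SPF Record Lookup as described in step 2.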
C. Adding a rule/connector on your Mail Server to relay emails to the Email Security smarthost
1. Go to your Outbound Mail Server settings and create a rule/connector to relay all the outbound emails through the Email Security smarthost:
- eu-esec-outbound.heimdalsecurity.com (port 25, 587, 2525);
- us-esec-outbound.heimdalsecurity.com (port 25, 587, 2525);
- uk-esec-outbound.heimdalsecurity.com (port 25, 587, 2525);
Once the configuration of the smarthost has been completed, emails should be displayed and filtered by the Email Security module in the HEIMDAL Dashboard, under the Email Security view (Outbound view).
IMPORTANT
In order for Email Security to work, you need to make sure that the Email Security IP Addresses are not blocklisted/greylisted by your environment or by your hosting company. Verify your firewall settings and allow SMTP from these IP Addresses.
- 20.50.183.144 (eu-esec-01.heimdalsecurity.com)
- 20.50.183.146 (eu-esec-01.heimdalsecurity.com)
- 20.50.183.145 (eu-esec-02.heimdalsecurity.com)
- 20.50.183.147 (eu-esec-02.heimdalsecurity.com)
- 20.50.183.150 (eu-esec-backup.heimdalsecurity.com)
- 20.50.183.151 (eu-esec-backup.heimdalsecurity.com)
- 20.88.177.217 (us-esec-01.heimdalsecurity.com)
- 20.88.177.218 (us-esec-01.heimdalsecurity.com)
- 20.88.177.217 (us-esec-02.heimdalsecurity.com)
- 20.88.177.218 (us-esec-02.heimdalsecurity.com)
- 172.166.114.48 (uk-esec-01.heimdalsecurity.com)
- 172.166.114.49 (uk-esec-01.heimdalsecurity.com)
- 172.166.114.48 (uk-esec-02.heimdalsecurity.com)
- 172.166.114.49 (uk-esec-02.heimdalsecurity.com)
In case your firewall includes special rules for Inbound & Outbound traffic, make sure you whitelist the following:
- 20.50.183.133/29 (port 25 for Inbound traffic)
- 20.88.177.217, 20.88.177.218, 172.166.114.48, 172.166.114.49
- 20.50.183.144/29 (all ports for Outbound traffic)
- 20.88.177.208, 20.88.177.209, 172.166.114.50, 172.166.114.51
EMAIL SECURITY view
The Email Protection - Email Security view displays all the information regarding the Inbound Mail Flow and the Outbound Mail Flow in your organization. The collected information refers to emails that are DELIVERED, QUARANTINED, QUEUED, UNDELIVERED, or REJECTED.
On the top, you see a statistic regarding the number of Scanned Emails, the number of Spam Emails, the number of Virus detections, and the number of detected Advanced Threats.
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines, while the Domain Status view displays the status of the MX, SPF, and DMARC Records that are set up on your domain(s).
The Advanced Filter allows you to filter your searches by Domain, To, From, Type, Status, Spam Classification, Minimum Spam Score, and Maximum Spam Score.
In the Inbound view, you can see a list of all inbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Inbound view refreshes in real time). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe;
- Resend - this action will resend the selected email;
- Report - this action will automatically mark the selected email as Spam and an email notification will be sent to the Heimdal Security Team.
In the Outbound view, you can see a list of all outbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Outbound view refreshes in real-time). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Resend - this action will resend the selected email;
- Report - this action will automatically mark the selected email as Spam and an email notification will be sent to the Heimdal Security Team.
The Show Details button will display a popup with various email details (Main, Advanced, Header, and Body). In the Main tab, you can use the Select a domain dropdown field to take actions for the specified domains.
- Blocklist sender - adds the sender (the one who sends the email) to the blocklist of the selected domain(s);
- Allowlist sender - adds the sender (the one who sends the email) to the allowlist of the selected domain(s);
- Blocklist domain - adds the sender's domain (the one who sends the email) to the blocklist of the selected domain(s);
- Allowlist domain - adds the sender's domain (the one who sends the email) to the allowlist of the selected domain(s);
- Allowlist email based on subject - adds the sender's email to the allowlist of the selected subject(s). Unchecking the SPF/DMARC scanning will still perform an SPF/DMARC check to increase security;
- Blocklist email based on subject - adds the sender's email to the blocklist of the selected subject(s).
In the Advanced Status tab, you can use the Select a domain dropdown field to take more actions for the specified domains.
- Blocklist Source IP - adds the Source IP Address (the source IP Address of the sending server) to the blocklist of the selected domain;
- Blocklist Destination IP - adds the Destination IP Address (the destination IP Address where the email is sent to) to the blocklist of the selected domain;
- Allowlist Source IP - adds the Source IP Address (the source IP Address of the sending server) to the allowlist of the selected domain;
- Allowlist Destination IP - adds the Destination IP Address (the destination IP Address where the email is sent to) to the allowlist of the selected domain.
In the Header tab, you see information about the Envelope-From and the Header-From:
EMAIL SECURITY settings
In order to set up Email Protection - Email Security in the HEIMDAL Dashboard, you have to log in and access the Network Settings section:
Email Security - enables the Email Security module;
Grant consent - installs the Heimdal Security ESEC enterprise application in Azure AD to allow the HEIMDAL Dashboard to get mailbox count from the Microsoft Graph/Office 365 API.
Configuration
Add Domain - allows you to add the domain that will be filtered by the Email Security engine;
Domain name - allows you to add a domain name (e.g. heimdalsecurity.com);
Inbound Host - allows you to set your Inbound Mail Server Domain/Public IP, your Port and to choose a TLS option (e.g. heimdalsecurity-com.mail.protection.outlook.com:25);
Outbound IP/Provider - allows you to set the Outbound SMTP Server by selecting one from the dropdown or adding the Public IP Address or domain name of the SMTP Server in the Public IP/Domain field;
Outbound Relay Region Redirection - allows you to configure a domain to redirect the outbound flow through a regional Email Security relay server (USA available at the moment). This is an option that helps when the domain(s) you are sending emails to is/are applying Geo-Location restrictions. (This feature is visible and can be configured only by the Support Team).
Additional Domain Settings
Put inbound delivery on pause - allows you to pause the inbound email delivery (the system will check every 15 minutes for any changes);
Recipient verification - this option allows the Email Security servers to verify if a recipient's email address exists before sending them an email. If a user does not exist, it will block the email before reaching the mail server. Recipient verification helps improve the spam block rate by using resources more efficiently. Usually, Exchange uses port 2525 for recipient (receipt) validation. (This feature is visible and can be configured only by the Support Team);
Block outbound Danish CPR number if no TLS transmission - this option will block outbound emails when a Danish CPR number is detected, even if the Force TLS (encrypted) transmission is enabled for any domains;
Always block outbound Danish CPR Number - scans outbound emails for Danish CPR numbers and blocks any email that includes one;
DMARC - checks if the incoming email comes from a sender that is authorized to send emails on behalf of the sending domain and that the email has not been modified in the delivery process;
SPF - checks if the incoming email comes from a host that is authorized by the domain's administrators to send on behalf of the domain;
Sender Rewriting Scheme (SRS) - allows the Email Security engine to rewrite the Envelope From address for all Inbound emails. The Header From field will remain unchanged. This feature bypasses the requirement to allowlist the HEIMDAL Email Security IP Addresses on your organization's Mail Server. This feature is recommended only in case of not being able to allowlist the HEIMDAL Email Security IP Addresses;
Block emails without TLS - allows you to tag, quarantine, or reject emails that are not transmitted through TLS. Quarantine will store the emails for 90 days, while Reject will not store them in any way;
Force TLS - encrypts the email message from Heimdal Security to the recipient's email server;
Force TLS transmission to any domain - encrypts the email message from Heimdal Security to the next-hop email server;
DKIM Signing - allows you to generate and configure a DKIM Signature that will be included in the outbound email header; after generating it, the DKIM Signature needs to be validated through the Check DNS button with the DKIM Record specified on the domain DNS Settings; after validation, the configured selector can be enabled;
SEPO In - allows you to use the SEPO encryption service and delivers the email to the SEPO Inbound Scan Server;
SEPO Out - allows you to use the SEPO encryption service and checks CPR, Abnormal and Forced TLS delivery;
Block emails without TLS - allows you to intercept emails without TLS and choose whether to tag/block/quarantine them;
Anti-Spam Settings
The Antispam Settings allow you to change the aggressiveness of the spam filter and to choose what actions to take on emails based on five different classification levels and scores between -0.1 and 100.
Anti-Spam Settings - enables or disables the antispam filtering engine on the selected domain;
CLASSIFICATION - each email that is being filtered by the HEIMDAL Email Security module gets a classification from one of the anti-spam engines. The emails can be classified as Confirmed Spam, High Possible Spam, Possible Spam, Suspected Spam, All other Emails;
SCORE LEVEL - allows you to customize a value between 0-100 that will serve as a limit for the action that will be taken on each email; a lower number/score will make the Anti Spam engine detect emails that are less likely to be spam, and a higher number will make the Anti Spam engine detect emails that are likely to be spam;
ACTION - allows you to choose an action for every type of classification (Reject, Quarantine, Tag Subject, No Action).
- Reject will reject the email without storing it on the HEIMDAL Servers;
- Quarantine will quarantine the emails and will store them for 90 days on the HEIMDAL Servers;
- Tag will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #;
- No Action will make the emails pass unaltered through the Email Security engine.
Examples:
- if the Score level is set to >= 3, emails that get a score level of 2 will not be flagged (they will be DELIVERED), while emails that get a score level of 3 or higher will be flagged as SPAM (they will be Tagged, Quarantined, Rejected or No Action, depending on the set Action);
- if the classification for Possible SPAMs has a set Score Level of 2 and an action of Quarantine, all emails that are tagged as "Possible SPAM" and have a Score Level equal to or higher than 2 will be quarantined and flagged as SPAM in the Email Security view (within the HEIMDAL Dashboard).
Presets - allow you to use the recommended presets for Anti-Spam settings: Moderate (relaxed settings), Default (regular settings), Aggressive (restrictive settings);
Newsletter scanning - will scan for emails that are newsletters or look like newsletters;
Security Settings
In the Security Settings section, you can change the different Security Settings for Email Security.
Antivirus & Anti-Malware - allows you to activate or deactivate the malware & virus detection engines. This can be used to diagnose against false positives, in the event that Email Security detects legitimate emails and/or attachments as harmful, or containing malware;
Advanced Threat Protection (this feature is included in the Email Security Advanced licensing option) - allows you to activate or deactivate the detection systems against advanced threats. This can be used to diagnose false positives, in the event that Email Security detects legitimate emails and/or attachments as harmful or as containing advanced threats.
Enable Email Security Advanced Threat Protection - enable/disable Advanced Threat Protection, which detects new threats through Machine Learning and Dynamically developed detection mechanisms. The ATP has been integrated with the DarkLayer Guard filter, which increases the detection capabilities;
Enable Email Security Macro Analyzer - allows you to execute macros and scripts within emails in a sandboxed environment for analysis & detection;
Enable Email Security SHA256 Analyzer - this feature quickly checks the email blocked by Email Security Advanced Threat Protection against online malware analyst services VirusTotal and Payload Security. This can be of use in gaining more information on a specific malware sample. Email Security generates a SHA256 hash checksum for each file detected as suspicious/bad/harmful/malicious. You can run the search or even download email parts through the Messaging Logs interface. To search & locate any email blocked by Email Security Advanced Threat Protection in Messaging Logs, you have to left-click the email and select Attachments. Here you will have the option to check the attachment's checksum directly at VirusTotal or Hybrid Sandbox. You can download the full attachment for further investigation and analysis, but please be aware that downloading the full attachment can be a security risk (which will also be communicated via a dialogue box before potential download);
Email Security PDF Analyzer - executes PDF files and other container files within emails in a sandboxed environment for analysis & detection;
Enable Email Security Phishing Protection - enable or disable the detection systems against phishing emails. This can be used to diagnose against false positives, in the event that Email Security detects legitimate emails as phishing emails;
Force ATP scanning if released - allow the email to be scanned by the ATP Email Security engines after being released from quarantine (due to previously having been detected by the Antivirus, Anti-Malware, and Anti Spam engines). An email that is not confirmed malicious by the Advanced Threat Protection will be delivered but it will be flagged as Released to ATP. If Advanced Threat Protection confirms that the email is malicious, the email will be quarantined and the type will be changed from Released to ATP into ATP;
Action on Detection - allows you to configure the actions that will be taken by Email Security on emails containing threats, categorized by malware, ATP, and Phishing (None, Quarantine, Tag Subject, Reject);
Blocklist, Allowlist & Greylist
These functionalities will allow you to add email addresses, domains, IP Addresses, or Email Subjects to the Blocklist or to the Allowlist, thus regulating specific email senders your organization needs to always block or allow.
Blocklist - allows you to blocklist an email address, a domain, or a sender IP Address that is sending emails to your domain or to blocklist an email based on the email subject and take action against them (Quarantined, Reject, Delete). If you want to edit an existing blocklisting rule, you can click the Pencil button:
In the Blocklist editor, you can edit the action that will be performed on the email matching the blocklist rule and you can leave a note for any HEIMDAL Dashboard Administrator that will go through these settings.
The Allowlist takes precedence over the Blocklist, so, if you allowlist the sender's email address (test@example.com) and blocklist the sender's domain (example.com), the email should be received by the recipient.
The Import CSV functionality allows you to import a blocklist from a CSV file (you can download a sample by hovering over the Blocklist info bubble).
Allowlist - allows you to allowlist an email address, a domain, or a sender IP Address that is sending emails to your domain or to allowlist an email based on the email subject and can be customized to bypass different scanning methods. Under normal circumstances, it is not advisable to allow sender IP Addresses, as this can provide open access for threats and spam in the event the sender's network or endpoints are compromised. If you want to edit an existing allowlisting rule, you can click the Pencil button:
In the Allowlist editor, you can edit the allowlisting settings performed on the email matching the allowlist rule and you can leave a note for any HEIMDAL Dashboard Administrator that will go through these settings.
- SPF/DMARC scanning - while unticked, the specified email address/domain/IP Address will be allowlisted for SPF/DMARC scanning;
- Spam scanning - while unticked, the specified email address/domain/IP Address will be allowlisted for Spam scanning;
- Virus scanning - while unticked, the specified email address/domain/IP Address will be allowlisted for Virus scanning;
- Attachment detection - while unticked, the specified email address/domain/IP Address will be allowlisted for attachment scanning;
- Advanced Threat Protection - while unticked, the specified email address/domain/IP Address will be allowlisted for Advanced Threat Protection scanning;
- Non-TLS block - while unticked, the specified email address/domain/IP Address will allow emails that are not sent with TLS;
- Check Header - while enabled, the header sender information will be checked. The SPF/DMARC scanning engine will not be allowlisted for security reasons.
The Allowlist takes precedence over the Blocklist, so, if you allowlist the sender's email address (test@example.com) and blocklist the sender's domain (example.com), the email should be received by the recipient. Allowlisting an email based on the subject will NOT bypass the SPF/DMARC check even if it's disabled in the allowlist.
The Import CSV functionality allows you to import a blocklist from a CSV file (you can download a sample by hovering over the Allowlist info bubble).
Domain greylist threshold - allows you to enable and set the domain greylisting interval from 1 to 90 days. Domain Greylisting will collect and store data on sending domain names for the number of days set on the threshold slider. This feature works in conjunction with the Tag greylisted emails option, which adds a tag (# Unknown domain: Possible spam/phishing mail #) in the Subject field of each email that is coming from a sender's domain name that has not been sending emails to your organization in the last 1 to 90 days (according to the value set on the Domain greylist threshold). We recommend having the Domain greylist threshold activated for at least 30 days prior to enabling the Tag greylisted emails option for better data collection. Also, know that the data collection on sending domain names will be done only if all the following conditions are met:
- recipient's domain is not the same as the sender's domain;
- sender's domain is not in the list of common domains;
- sender's domain was not allowlisted.
Tag greylisted emails - adds a tag (# Unknown domain: Possible spam/phishing mail #) in the Subject field of each email that is coming from a sender's domain name that has not been sending emails to your organization in the last 1 to 90 days (according to the value set on the Domain greylist threshold). Each email will be scanned in the background.
Attachment Settings
This feature will allow you to change the different settings for an email with attachments. The attachment filters can be enabled for specific file extensions. As an increasing number of threats are trying to bypass email filters by filename and/or file parser manipulation, Email Security also provides an advanced attachment filter, based on inspection and analysis of each attached file. The advanced attachment filter will also safeguard against users renaming or manipulating their files to bypass policies your organization has set up for allowable file types for email transmission.
- Executables - allows you to intercept and take action on emails with attached executable files (EXE files);
- Dangerous files - allows you to intercept and take action on emails with attached files with the following file extensions: .ac .air .apk .app .applescript .awk .bas .bat .cgi .chm .cmd .com .cpl .crt .csh .dld .dll .drv .elf .exe ._exe .fxp .hlp .hta .inf .ins .inx .isu .iqy .jar .js .jse .jsp .kix .ksh .lib .lnk .mcr .mem .mht .mpkg .mrc .ms .msc .msi .msp .mst .ocx .pas .pcd .pif .pkg .pl .prc .prg .py .pyc .pyo .reg .scpt .scr .sct .seed .sh .shb .shs .spr .sys .thm .tlb .udf .url .uue .vb .vbe .vbs .vdo .wcm .ws .wsc .wsf .wsh .xap .zlq;
- Password Protected Files - allows you to intercept and take action on emails with attached files that are password protected (usually archives);
- Multiple file extensions - all the emails having attachments made of more than one extension will be handled based on the selected Action on Detection;
- Filtering by Extension - allows you to define your own file extensions to be filtered by the Email Security engine. Please note that threats in attachments are masked by false file extensions when compared to the real content of the attachment. This feature works only for the Inbound mail flow and will block emails including external attachments;
- Add Extension - allows you to add a file extension (E.g. exe, without the dot [.] in front of the file extension);
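The difference between filtering by filename and inspecting the attached file itself can be shown with a short sketch. This is an added example, not HEIMDAL's implementation; the function and finding names are hypothetical, the extension set is a subset of the Dangerous files list above, and the signature table and sample attachments are constructed for illustration:

```python
import os

# Subset of the "Dangerous files" extensions listed on this page.
DANGEROUS_EXTENSIONS = {
    "bat", "cmd", "com", "cpl", "dll", "exe", "hta", "jar", "js", "jse",
    "lnk", "msi", "pif", "py", "reg", "scr", "sh", "vbs", "wsf",
}

# Constructed table: leading bytes, content kind, extensions that fit that kind.
SIGNATURES = [
    (b"MZ", "pe", {"exe", "dll", "scr", "cpl", "com", "sys", "ocx", "drv"}),
    (b"\x7fELF", "elf", {"elf", "so"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\x89PNG", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
]
EXECUTABLE_KINDS = {"pe", "elf"}
KNOWN_EXTENSIONS = DANGEROUS_EXTENSIONS.union(*(exts for _, _, exts in SIGNATURES))


def inspect_attachment(filename, content):
    """Return the sorted list of findings for one attachment (empty = clean)."""
    parts = os.path.basename(filename).strip().lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = set()

    # Filename-only checks: these are what a renamed file can slip past.
    if ext in DANGEROUS_EXTENSIONS:
        findings.add("dangerous-extension")
    if any(p in KNOWN_EXTENSIONS for p in parts[1:-1]):
        findings.add("multiple-extensions")   # e.g. invoice.pdf.exe

    # Content checks: compare the leading bytes with what the name claims.
    for magic, kind, fitting in SIGNATURES:
        if content.startswith(magic):
            if kind in EXECUTABLE_KINDS:
                findings.add("executable-content")
            if ext not in fitting:
                findings.add("content-mismatch")
            break
    return sorted(findings)


# Constructed sample attachments: (filename, first bytes of the file).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("holiday.jpg", b"MZ\x90\x00"),
    ("update.js", b"var x = 1;"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, inspect_attachment(name, data))
```

The renamed executable (holiday.jpg) passes every filename rule and is caught only by the content check, which is the case the advanced attachment filter is described as covering.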
Quarantine Settings
This feature allows you to change the notification settings for emails that have been sent to quarantine by Email Security. Depending on the configuration, Email Security sends email notifications to the users that receive emails that are quarantined, but also allows Administrators to receive email notifications about the emails that are quarantined in your organization. You can select what types of quarantined emails to add to the report, and also define if it’s possible to preview and release the emails directly from the Quarantine Report.
General Quarantine Report Settings - allows you to set a sending schedule for the Quarantine Report. It can be configured for daily sending, weekly sending, or hourly sending;
End user Custom Quarantine Report - allows the user to generate a custom Quarantine Report (based on the slider below). It can be generated by pressing the Get Report button or from the regular Quarantine Report email;
View & Edit Quarantine Report - allows you to set the limits of the classification to be included in the Quarantine Report;
- View & Edit Template - allows you to customize how the Quarantine Report header and footer look;
- Spam limits - allows you to define the Score Level interval for each Spam Classification to be included in the Quarantine Report;
- Test report - this feature allows you to send a test Quarantine Report to an email address that you specify;
- Get Report - manually sends a Quarantine Report to the specified email address;
Admin Quarantine Report by Email - allows you to enable the Quarantine Report for Administrators only. This report includes all quarantined emails from within your organization in one complete Quarantine Report. You can add one or more recipients using the Receivers field (comma-separated list). To avoid spam-releasing conflicts, enabling this feature will disable the User Quarantine Report;
User Quarantine Report by Email - allows you to enable the User Quarantine Report to be sent to recipients of quarantined emails. The users who do not receive any quarantined emails will not receive a User Quarantine Report. To avoid spam-releasing conflicts, enabling this feature will disable the Admin Quarantine Report;
Advanced Threat Protection - allows you to define what type of quarantined emails should be included in the Quarantine Report (Spam, Malware, ATP, Attachment, SPF, Non-TLS) and to enable whether to Preview, Release, or Allow the Sender of the quarantined email right from the Quarantine Report notification.
Limits
This feature allows you to set a limit for the outbound mail flow in terms of minute rate and daily rate:
Outbound minute rate - allows you to set an outbound minute rate of 10 to 200 minutes;
Outbound daily rate - allows you to set an outbound daily rate of 500 to 10,000 emails per day. All emails that exceed the limit will be rejected.
SMTP AUTH USERS
This feature allows you to add an SMTP Authenticated User for a Printer or a Copy-Machine to send out emails through Email Security. To use this feature you need to specify a username, a password, and an IP Address:
- Username: smtp (or any other username)
- Password: <your-password>
- Confirm Password: <confirm-your-password>
- IP Address: <your-IP-Address>
Press Add, then Save changes and Update Network Settings.
To test the SMTP Auth feature, you can use the following command-line in a PowerShell window or the script below:
Send-MailMessage -From 'smtp@yourdomain.com' -To 'recipient@otherdomain.com' -Subject 'Test Email' -Body 'Testing the SMTP Relay Service' -SmtpServer 'eu-esec-outbound.heimdalsecurity.com' -Usessl -Port 587 -Credential (Get-Credential)
You will be prompted to insert the credentials (smtp@yourdomain.com and password) you added in the HEIMDAL Dashboard. Although in the HEIMDAL Dashboard the username does not include the domain, in the authentication popup you are required to specify the domain.
# SMTP Auth username (with the domain) and password added in the HEIMDAL Dashboard
$username = 'test@example.com'
$password = 'mypassword1234'
# Build a PSCredential object so that no interactive prompt is shown
$securepassword = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($username, $securepassword)
# Send the test message through the smarthost on port 587 with TLS
Send-MailMessage -From 'test@example.com' -To 'test@internet.com' -Subject 'Test Email' -Body 'Testing the SMTP Relay Service' -SmtpServer 'eu-esec-outbound.heimdalsecurity.com' -UseSsl -Port 587 -Credential $mycreds
Copy settings
This feature consists of a popping modal that will allow you to copy the settings from the domain that is being edited to another domain (or multiple domains) configured in the Email Security module. It is important to know that the domain that is being edited will include the changes you already applied on each tab.