Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


| Protect | 183

The device offers comprehensive Email Security, preventing sophisticated forms of zero-hour threats and blended attacks involving spam, botnets, phishing, spyware and more. The basic email protection configuration includes:

• creating policies to allow or deny email traffic to and from your Email Server

• applying spam, malware, data and file protection to email traffic

• SPX encryption

• configuring an email threshold size for scanning

• specifying the action to be taken if a virus is detected

• blocking emails based on sender or recipient

• blocking emails with certain file types.

SMTP Deployment Modes

SF (Sophos Firewall) can be deployed in two modes:

• Legacy Mode

• MTA Mode

Legacy Mode

In Legacy Mode, SF acts as a transparent proxy that scans emails for malware and spam, applies SPX Encryption and Data Protection. Refer to the following guides to see how SF can be configured to scan email traffic in Legacy Mode:

MTA Mode

In MTA Mode, SF acts as a Mail Transfer Agent. A Mail Transfer Agent (MTA) is a service that is responsible for receiving and routing emails to their specified destinations.

Deploy SF in MTA Mode when you want it to perform actual routing of emails, as compared to Legacy Mode where SF only forwards the email traffic as a proxy.

In MTA Mode, SF performs the following functions:

• Performs relaying and routing of emails. You can configure relaying of emails from Email > Relay Settings.

• Protects multiple Email Servers using SMTP Policies. From Email > Policies > SMTP Policies, you define the kind of protection you want to apply on each of your Email Domains.

• Displays email messages that are either waiting or failed to be delivered in the Email > Mail Spool.

• Displays logs for all the emails processed by the Device from Email > Mail Logs.

Policies

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This page allows configuration of SMTP Route and Scan Policies, SMTP Malware Scan Policies, SMTP Spam Scan Policies and POP-IMAP Scan Policies:

• SMTP Route and Scan Policies (MTA Mode)

• SMTP Malware Scan Policies (Legacy Mode)

• SMTP Spam Scan Policies (Legacy Mode)

• POP-IMAP Scan Policies (MTA and Legacy Mode)

SMTP Route and Scan Policies

SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

The device allows you to create SMTP Route and Scan policies which can be used to protect multiple Domains on your internal Email Server(s). Using these policies, the device protects the server(s) from remote attacks and additionally provides virus scanning, email encryption and email filtering services.


Click Add Policy and then SMTP Route & Scan to add a new policy. To update an existing policy, click the desired policy.

SMTP Malware Scan Policies

SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.

SMTP Malware Scan policies allow you to define the action to be taken on emails that are virus-infected or contain a protected attachment. Based on the action defined in the rule, such emails can be delivered as they are, dropped, cleaned and then delivered, or quarantined.

A Malware Scan policy defines:

• whether to quarantine the email

• whether sender, receiver or administrator are to be notified

• whether to block the email containing a specified file type

• what action is to be taken if email is infected or contains a protected attachment: deliver as it is, drop, clean and then deliver

Note: You can also view the Quarantine from Protect > Email > SMTP Quarantine page.

A default SMTP Malware Scan policy named default-smtp-av is pre-configured in the device and applied to all SMTP traffic as soon as you subscribe to the Email Protection Module. We recommend that you create separate rules fine-tuned to your specific network requirements to minimize the possibility of threats.

Click Add Policy and then SMTP Malware Scan to add a new policy. To update an existing policy, click the desired policy.

SMTP Spam Scan and POP-IMAP Scan Policies

SMTP Spam Scan policies appear only when Legacy mode is enabled.

POP-IMAP Scan policy is available in both MTA and Legacy modes.

When you subscribe to the Email Protection Module, SMTP Spam Scan and POP-IMAP Scan policies can be configured for particular senders and recipients.

A policy defines the action to be taken if an email is detected as Spam, Probable Spam, part of a Virus Outbreak or a Probable Virus Outbreak.

To reduce the risk of losing legitimate messages, the Spam Quarantine repository (a storage location) provides administrators with a way to automatically quarantine emails that are identified as spam. This helps in managing spam and probable spam quarantined mails so that the user can take appropriate actions on such emails.

A default POP-IMAP Scan policy named default-pop-av is pre-configured in the device and applied to all POP3/S and IMAP/S traffic so that whenever a virus gets detected in an email, the virus-affected attachment is stripped from the email and the email body is replaced with a notification message.

Detection of Spam attributes

The device uses Content Filtering, and premium and standard Realtime Blackhole Lists (RBLs) to check for the spam attributes in SMTP/S, POP3/S and IMAP/S emails:

• Premium

• Standard

An RBL is a list of IP addresses whose owners refuse to stop the proliferation of spam, that is, addresses that are responsible for spam or have been hijacked for spam relay. The device checks each RBL for the connecting IP address. If the IP address matches one on the list, the action specified in the policy is taken.
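The lookup the device performs against each list, written out as an added example (this is not Sophos code). A DNS-based list is queried by reversing the octets of the connecting IPv4 address, prepending them to the list's zone name, and asking for an A record; an answer means the address is listed, NXDOMAIN means it is not. The zone names, the stub resolver and its answers are constructed for this example, since the page does not name the device's premium and standard lists.

```python
"""Added example (not the device's code): an RBL/DNSBL check on the
connecting IP address, with a stub resolver so it runs offline.
"""
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Constructed zone names; substitute the lists you actually subscribe to.
RBL_ZONES = ["premium.rbl.example", "standard.rbl.example"]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name, e.g. 203.0.113.4 -> 4.113.0.203.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only shows IPv4 lookups")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup: the A record if listed, None on NXDOMAIN/no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_rbls(ip: str, resolve: Callable[[str], Optional[str]],
               zones=RBL_ZONES) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (listed, zone_that_listed_it, answer). The first hit wins.

    Caveat worth keeping: genuine DNSBL answers live in 127.0.0.0/8. Any
    other address (an ISP's NXDOMAIN redirection, a captive resolver) is an
    error, not a listing, and must not be allowed to block mail.
    """
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            return True, zone, answer
    return False, None, None


def spam_action_for_connection(ip, resolve, action_if_listed="Drop"):
    """Map the RBL result onto the action configured in the policy."""
    listed, _zone, _answer = check_rbls(ip, resolve)
    return action_if_listed if listed else "Accept"


# Constructed resolver answers standing in for real DNS.
CONSTRUCTED_DNS = {
    "4.113.0.203.premium.rbl.example": "127.0.0.2",
    "4.113.0.203.standard.rbl.example": "127.0.0.2",
    "25.100.51.198.standard.rbl.example": "127.0.0.4",
    "7.2.0.192.premium.rbl.example": "198.18.0.1",  # bogus answer, not a listing
}


def constructed_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.4", "198.51.100.25", "192.0.2.7", "192.0.2.10"):
        print(ip, check_rbls(ip, constructed_resolve),
              spam_action_for_connection(ip, constructed_resolve))
```

Swap `constructed_resolve` for `live_resolve` to query real lists. The 127.0.0.0/8 check matters in practice: a resolver that answers every unknown name with a search page address would otherwise list every sender.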

Add SMTP Route and Scan Policy

SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

SMTP route and scan policy allows you to protect emails from spam and malware, to SPX-encrypt emails and to provide data and file protection.

1. Go to Protect > Email > Policies and click Add Policy. Click SMTP Route & Scan.

2. Enter the Name.

3. Enter the Domains and Routing Target details.

Protected Domain

Select the domains. The policy applies to emails to and from the selected domains. To add a new domain, click Create New.

Emails received by users of the protected domains are Inbound Emails.

Emails sent out by users of the protected domains are Outbound Emails.

Emails sent among users of protected domains are Internal Emails.

Route By

Select the email server to forward the emails to. Select from the following server types:

Available Options:

Static Host: From the Host List, select the static IP addresses of the internal email servers. If the first host in the selected list is not reachable, the device forwards emails to the next host until it reaches the end of the list. To create a new host, click Create.

MX: Select to route emails based on MX records.

Global Action

Select the action.

Accept: Accepts all emails to the specified domains. You can apply SPX encryption on outbound emails by selecting the SPX Template from the drop-down list.

Reject: Rejects all emails to the specified domains. The sender is notified.


Figure 185: Domains and Routing Target

4. Turn on Spam Protection.

You can enable protection for inbound and outbound spam, virus outbreak and blacklisted sender IP addresses through RBLs. Select the action to be applied to spam and probable spam emails.

Available Actions:

None

Warn: Delivers the email to the recipient after adding a prefix to the subject. Specify the prefix in Prefix Subject.

Quarantine

Drop: Drops the email without sending a notification to the sender.

Default: Drop

Figure 186: Spam Protection

5. Turn on Malware Protection.

Scanning

Select the scanning action.

Available Actions:

Disable: Emails are not scanned.

Enable: Emails are scanned by the device's anti-virus engine.

Note: In Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models, Enable is replaced by the following options.

Single Anti-Virus: The primary anti-virus engine scans the emails.

Dual Anti-Virus: The primary and secondary engines scan emails sequentially.

Select the Primary Anti-Virus Engine from Protect > Email > General Settings > Malware Protection.

Detect zero-day threats with Sandstorm (Sandstorm Module required)

Enable to send emails for Sandstorm analysis. Emails found clean by Sandstorm are delivered to the recipient(s), while the selected action is applied to those found malicious.

Note: Sandstorm cannot be used with Single Anti-Virus scanning if Avira is the Primary Anti-Virus Engine. You can change the engine from Protect > Email > General Settings > Malware Protection or Configure > System Services > Malware Protection.

Scanned File Size (available if Detect zero-day threats with Sandstorm is enabled)

Enter the size of files that can be analyzed by Sandstorm. Files with size greater than that will not be analyzed.

Anti-virus Action

Select the action to be taken against malicious emails.

Available Actions:

None

Warn: Delivers the email to the recipient after adding a prefix to the subject. Specify the prefix in Prefix Subject.

Quarantine

Drop: Drops the email without sending a notification to the sender.


Notify Sender

Select to notify the sender about the infected email.

Quarantine unscannable content

Select to quarantine emails that could not be scanned. These include corrupt, encrypted, compressed files, oversized emails, and emails not scanned due to an internal error.


Figure 187: Malware Protection

6. Turn on File Protection to filter specific attachments.

Block File Types

Select the type of attachments you want to block. The corresponding MIME headers populate the MIME Whitelist.

To select more than one file type, press Ctrl+Shift.

The device contains a default list of file types with the relevant file extensions.

Refer to Email > ... > File Type to view the list of file extensions.

Select All to block emails with an attachment.

Select None to allow emails with an attachment.

MIME White List

Select the MIME headers to be allowed during the malware scan. Unselected headers are blocked.

Drop Message Greater Than

Enter the maximum file size (in KB) to be scanned by the device. Larger emails are dropped.

Default: 51200 KB

Figure 188: File Protection
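To make the three File Protection controls concrete, here is an added example (not the device's implementation) that applies a block list by file type, a MIME whitelist and a size limit to a constructed message. The block list, whitelist and the content-type of each attachment are assumptions chosen for the example; the check on the first two bytes of the payload is an extra the page does not describe, included because an extension list alone is defeated by renaming a file.

```python
"""Added example (not Sophos code): attachment filtering as configured in
File Protection, run over a constructed MIME message.
"""
import email
import os
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta"}    # assumed block list
MIME_WHITELIST = {"application/pdf", "text/plain", "image/png"}  # assumed whitelist
MAX_MESSAGE_KB = 51200                                           # page default


def build_sample(attachments):
    """Construct a message carrying (filename, content-type, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "weekly report"
    msg.set_content("see attached")
    for name, ctype, data in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def file_protection(raw, blocked=BLOCKED_EXTENSIONS, whitelist=MIME_WHITELIST,
                    max_kb=MAX_MESSAGE_KB):
    """Return (verdict, reason): 'drop' when the message exceeds max_kb,
    'block' when an attachment fails a check, 'deliver' otherwise."""
    if len(raw) > max_kb * 1024:
        return "drop", "message larger than %d KB" % max_kb
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        payload = part.get_payload(decode=True) or b""
        if ext in blocked:
            return "block", "blocked file type %s (%s)" % (ext, name)
        # Extension lists are bypassed by renaming; look at the bytes as well.
        if payload[:2] == b"MZ":
            return "block", "PE executable disguised as %s" % name
        ctype = part.get_content_type()
        if ctype not in whitelist:
            return "block", "MIME type %s not whitelisted (%s)" % (ctype, name)
    return "deliver", ""


if __name__ == "__main__":
    for label, atts in (("pdf", [("report.pdf", "application/pdf", b"%PDF-1.4")]),
                        ("exe", [("invoice.exe", "application/octet-stream", b"MZ\x90\x00")]),
                        ("renamed", [("invoice.pdf", "application/pdf", b"MZ\x90\x00")])):
        print(label, file_protection(build_sample(atts)))
```

The order of checks matters: the size limit is evaluated on the whole message before any part is parsed, which is also how "Drop Message Greater Than" is described above, and the byte-level check runs before the MIME whitelist so that a declared content-type cannot vouch for a payload.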

7. Turn on Data Protection (applicable only to outbound emails).

Data Control List

Select the list to be applied to scan emails for sensitive information.

Data Control Lists (DCL) can be created from the pre-configured Sophos Content Control List (CCL), which provides common financial and personally identifiable data types, like credit card numbers, social security numbers, postal addresses, or email addresses.

You can create a list from Protect > Email > Data Control List.

Data Control List Action

Select the action to be taken against emails containing sensitive information.

Available Actions:

Accept: Accepts the email and delivers it to the recipient.

Accept with SPX: Accepts and SPX-encrypts the email before delivering it to the recipient. Select the SPX Template to be applied to the email. You can create SPX Templates from Protect > Email > Encryption.

Drop: Drops the email without sending a notification to the sender.

Notify Sender

Select to notify the sender that the email contains sensitive information.

Figure 189: Data Protection

Add POP-IMAP Scan Policy

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Add a POP-IMAP scan policy to detect incoming and outgoing spam in POP/S and IMAP/S traffic.

1. Go to Protect > Email > Policies and click Add Policy. Click POP-IMAP Scan.

2. Enter a Name for the policy.

3. Enter email address or domain group details.


Sender

To specify the sender email addresses, select from the following options:

Contains: Specify the keywords to be matched against the senders' email addresses. Example: If you specify the keyword 'mail', the rule applies to every sender address that contains 'mail'.

Equals: Specify the senders' exact email addresses.

To add a list of keywords or email addresses, click Create New.

Recipient

To specify the recipient email addresses select from the following options:

Contains: Specify the keywords to be matched against the recipients' email addresses. Example: If you specify the keyword 'mail', the rule applies to every recipient address that contains 'mail'.

Equals: Specify the recipients' exact email addresses.

To add a list of keywords or email addresses, click Create New.


Figure 190: Email Address/Domain Group

4. Select from the following Filter Criteria based on which the specified action is to be taken:

Inbound Email is

Select from the following options:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak

Source IP/Network Address

Sender's IP address matches the specified IP address.

Message Size

The size of the email matches the specified message size restriction.

Message Header

Select from the following message headers to match the specified keyword:

• Subject

• From

• To

• Other

Select the type of keyword match from the following options:

Contains: Specify the keywords to be matched with the message header.

Equals: Specify the exact match to the actual headers.

None

Select to create a policy between specific senders and recipients without imposing any other condition.


Figure 191: Filter Criteria

5. Select the action.

Action

Available Options:

Accept: Email is accepted and delivered to the intended recipient.

Prefix Subject: Email is accepted and delivered to the intended recipient after adding a prefix to the subject line. Specify the prefix in the To field. You can set the prefix to indicate the filter criteria.

Example:

Original subject line: Test mail

Tagged content: Probable Spam

Recipient receives email with the subject line: 'Probable Spam: Test mail'

6. Click Save.

Data Control List

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM and Sophos Firewall Models.

You can create a Data Control List of confidential data by selecting from the Content Control List (CCL). The device provides CCLs based on expert definitions for common financial and personally identifiable data types (example: credit card and social security numbers, postal and email addresses).

Subsequently, you can use Data Control Lists to set Data Protection for emails.
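An added example (not Sophos's CCL definitions) of the kind of content check a Data Control List applies to outbound mail, run over constructed message bodies: a credit-card-number detector with a Luhn checksum to cut false positives, a US social security number pattern, and the mapping onto the Data Control List Action described in the SMTP Route and Scan policy above. The patterns, the Luhn step and the sample bodies are this example's assumptions; real CCLs are considerably more elaborate.

```python
"""Added example (not Sophos code): two CCL-style detectors and the
Data Protection action applied to constructed outbound message bodies.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in 3-2-4 form, excluding groups that are never issued.
US_SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_body(text: str) -> List[Tuple[str, str]]:
    """Return (ccl_name, matched_text) for every hit in the body."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("Credit card number", m.group()))
    for m in US_SSN.finditer(text):
        findings.append(("US social security number", m.group()))
    return findings


def data_protection(text: str, action: str = "Drop") -> Tuple[str, list]:
    """Apply the configured Data Control List Action ('Accept',
    'Accept with SPX' or 'Drop') when sensitive data is found; otherwise
    the email is simply accepted."""
    findings = scan_body(text)
    return (action if findings else "Accept"), findings


# Constructed bodies for the demo.
SAMPLES = {
    "clean": "Meeting moved to 14:30, room 4. Order ref 20240101-77.",
    "card": "Please charge 4111 1111 1111 1111, exp 09/27.",
    "near_miss": "Tracking number 4111 1111 1111 1112 left the depot.",
    "ssn": "Employee SSN 123-45-6789 for the payroll form.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, data_protection(body, action="Accept with SPX"))
```

The "near_miss" sample is why the checksum is there: a 16-digit tracking number matches the digit pattern but fails Luhn, so the email is accepted instead of being dropped or needlessly SPX-encrypted.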

Add a Data Control List

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM and Sophos Firewall Models.

Add Data Control List allows you to create a list of confidential data types. The device provides Content Control Lists (CCL) based on expert definitions for common financial and personally identifiable data types.

1. Go to Protect > Email > Data Control List and click Add.

2. Enter the name.

3. Select the CCLs (Content Control List) from the list. Filter the CCLs based on Type and Region.


Figure 192: Data Control List

4. Click Save.

SMTP Quarantine

SMTP Quarantine is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

The SMTP Quarantine allows you to filter the quarantined emails. The page displays all the emails quarantined by the device if they are found to be:

• from a blocked source IP address

• destined to a blocked destination IP address

• virus-infected

• oversized

• containing a blocked header

• containing unscannable content or a protected attachment

• blocked by an RBL

• blocked by Data Protection (DP)

• spam

• found malicious by Sandstorm

• quarantined for any other reason

Use the filter to search for mails from the list of quarantined emails.

The filter result displays a list of all the quarantined emails based on the filter criteria.

Total utilization displays the percentage of the quarantine area used by quarantined emails. Once the quarantine repository is full, older emails are purged.

Quarantine Digest


The Quarantine Digest is an email containing a list of quarantined emails filtered by the device and held in the user's quarantine area. If configured, the user receives a Quarantine Digest as per the frequency set in Email > Quarantine Digest. The digest also provides a link to the User Portal from where the user can access quarantined emails and take the required action.

Releasing Quarantined Email

Either the Administrator or the user can release quarantined Emails. The Administrator releases them from the Quarantine Area, while the user releases them from the User Portal. Released Emails are delivered to the intended recipient's inbox. The Administrator can access the Quarantine Area from Email > SMTP Quarantine, while the user can log on to the User Portal and access the Quarantine Area from SMTP Quarantine. If Quarantine Digest is configured, the user receives a Digest of the quarantined mails as per the configured frequency.

Note:

• Virus-infected emails and the emails found malicious by Sandstorm cannot be released.

• To delete Sandstorm related emails, you need Read-Write permission for Sandstorm Activity.

Figure 193: SMTP Quarantine

Mail Spool

Mail Spool appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Mail Spool displays emails that are waiting to be delivered. You can delete or retry sending these emails. This page does not display discarded emails.

1. Specify the filter criteria.

2. You can delete or retry sending the filtered emails.

Note:

• To delete or retry sending Sandstorm-related emails, you need Read-Write permission for Sandstorm Activity.

• The device retries sending emails for three days. At the end of an additional four days, it discards the emails. You can view the discarded emails from Mail Logs.

Mail Logs

Mail Logs appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Mail Logs allows you to view and filter email logs.

1. Specify the filter criteria.

2. Specify the criteria for Result Filter to display logs based on delivery status.

3. Specify the criteria for Reason Filter to display logs based on the scan result.

4. Click Filter.


Figure 194: Mail Logs

Encryption

SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

What is SPX Encryption?

SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the Device are converted to a PDF document, which is then encrypted with a password. You can configure the Device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.

When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:

• The user can download the Sophos Outlook Add-in from the User Portal. After installing it, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user clicks the Encrypt button and then writes and sends the message.

Note:

If you do not use Outlook you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to "yes".

• In the Data Protection feature, you can enforce SPX encryption of Emails containing sensitive data (see Email > Policies > SMTP Policy).

The encrypted message is then sent to the recipient's mail server. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, iOS, Blackberry and Windows Mobile devices.

The SPX-encrypted email contains a Reply button which links to the SPX Reply Portal. Using the SPX Reply Portal, the recipient can reply to the email securely.

SPX Configuration

Default SPX Template

Select the SPX Template to be used by default. The Default Template is used if a user explicitly SPX-encrypts an email and no template is selected in the Content Scanning Rule.

The user can SPX-encrypt an Email by:

• Manually setting the Email header X-Sophos-SPX-Encrypt to "yes".

• Installing the Sophos Outlook Add-on and clicking Encrypt before sending the Email.

If the Default SPX Template is set to None, then SPX encryption is not applied to Email.

Allow Secure Reply for

Enter the maximum time (in days) in which recipient can securely reply to an SPX-encrypted email using the SPX Reply Portal.

Keep Unused Password for

Enter the expiry time in days of an unused password.

For example, if Keep Unused Password for is set to 3 days, the password expires at midnight three days after it was generated if no SPX-encrypted message has been sent to that recipient in the meantime.

Default: 30 days

Allow Password Registration for

Enter the time in days after which the link to Password Registration Portal expires.

Default: 10 days

Send Error Notification To

Specify whom to send a notification when an SPX error occurs. You can send the notification to the sender or you can send no notification at all. Error messages will always be listed in the SMTP log.


Figure 195: SPX Configuration

SPX Portal Settings

Host Name

Enter the IP Address or Domain on which the Password Registration Portal is hosted.

Allowed Network(s)

Enter the networks from which password registration requests will be accepted.

Port

Enter the port on which the SPX Password Registration Portal should listen.

Default: 8094


Figure 196: SPX Portal Settings

SPX Password Reset

Reset Password for

Enter the Email Address for the recipient for whom you want to reset the password. New SPX email to this address requires the recipient to obtain a new password from the sender.

Figure 197: Password Reset

SPX Templates

The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts.

Figure 198: SPX Templates

Add SPX Templates

SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This page allows you to define new SPX Templates or modify existing templates.

1. Go to Protect > Email > Encryption > SPX Templates and click Add.

2. Enter parameter values for the following basic settings.

Name

Specify the name to uniquely identify the template. The name should be a string containing alphanumeric and special characters EXCEPT forward slash (/), backslash (\), comma (,), double quote (") and single quote (').

Description

Specify details of the template.

Organization Name

Specify the organization name to be displayed on notifications concerning SPX sent to the administrator or the email sender, depending on your settings.

PDF Encryption

Select the encryption standard of the PDF file.

Page Size

Select the page size of the PDF file.


Figure 199: General Settings

3. Enter Password Settings.

Password Type

Select how you want to generate the password for accessing the encrypted email message. The sender always has to take care of transferring the password in a safe way to the recipient, unless you select Specified by recipient.

Available Options:

Specified by Sender:

If you select this, the email sender provides the password by entering it in the Subject field, using the following format:

[secure:<password>]<subject text>

where <password> is the password that opens the encrypted PDF file and <subject text> is the actual subject. The device removes the password from the subject before the email is sent to the recipient.

Generated one-time password for every email:

The Device automatically creates a new password for each affected email. An email notification is mailed to the sender containing instructions and the one-time generated password.

The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.

Generated and stored for recipient:

The Device automatically creates a recipient-specific password when the first email is sent to a recipient. This password is sent to the sender. With the next email, the same password is used automatically. The password expires when it is not used for a configured time period, and it can be reset by the administrator (see SPX Password Reset under Encryption).

The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.

Specified by recipient:

If you select this, the email recipient should provide the password. The recipient receives an email notification containing a link leading to the Password Registration Portal to register a password and the Sender receives a failure notification. After registration, the recipient is able to view the current encrypted mail and any future encrypted mails using the same password from this or other senders from the same organization.

Note: The password registered by the recipient (Specified by recipient) and the password generated and stored for the recipient (Generated and stored for recipient) are separate. A recipient who receives emails encrypted under both methods must use the password that belongs to the respective method.
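Both user-side SPX triggers discussed on this page, the X-Sophos-SPX-Encrypt header from the Encryption overview and the [secure:<password>]<subject text> convention of the Specified by Sender password type, come down to how the outgoing message is composed and what the device has to strip before forwarding. The following is an added example, not Sophos code: it composes such a message, shows what a gateway would extract from it, and produces the sanitised copy the page says the device sends on. The addresses, subject and password are constructed; the gateway-side functions are this example's approximation of the behaviour described, not the device's implementation.

```python
"""Added example (not Sophos code): composing an SPX-triggering message and
the sanitisation a gateway applies to a Specified-by-Sender subject.
"""
import email
import email.policy
import re
from email.message import EmailMessage

SPX_HEADER = "X-Sophos-SPX-Encrypt"
SECURE_SUBJECT = re.compile(r"^\[secure:([^\]]+)\](.*)$", re.DOTALL)


def build_spx_message(sender, recipient, subject, body, password=None):
    """Compose a message that asks the device for SPX encryption; with a
    password, also use the Specified by Sender subject format."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "[secure:%s]%s" % (password, subject) if password else subject
    msg[SPX_HEADER] = "yes"
    msg.set_content(body)
    return msg


def wants_spx(msg) -> bool:
    return str(msg.get(SPX_HEADER, "")).strip().lower() == "yes"


def split_secure_subject(subject):
    """Return (password, subject_without_prefix); password is None if absent."""
    text = str(subject or "")
    m = SECURE_SUBJECT.match(text)
    if not m:
        return None, text
    return m.group(1), m.group(2)


def gateway_view(msg):
    """What the device extracts before forwarding: the SPX flag, the PDF
    password, and the subject the recipient will see."""
    password, clean = split_secure_subject(msg["Subject"])
    return {"spx": wants_spx(msg), "password": password, "subject": clean}


def sanitised_copy(msg):
    """Re-parse the wire form (as a gateway would) and strip the password
    from the subject, as the page says the device does before sending on."""
    out = email.message_from_bytes(msg.as_bytes(), policy=email.policy.default)
    _, clean = split_secure_subject(out["Subject"])
    del out["Subject"]
    out["Subject"] = clean
    return out


if __name__ == "__main__":
    m = build_spx_message("alice@example.com", "bob@example.net",
                          "Q3 figures", "numbers attached", password="correct horse")
    print(gateway_view(m))
    print(sanitised_copy(m)["Subject"])
```

One caveat that follows from the format: with Specified by Sender the password crosses the hop from the mail client to the device inside the Subject header, so that hop must itself be protected (SMTP over TLS, or an internal path you trust), and client-side logs or Sent folders will retain the unsanitised subject.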


Figure 200: Password Settings

4. Specify Recipient Instructions:

Instructions for Recipient

The body of the email that is sent from the Device to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g., %%ORGANIZATION_NAME%%.

Tip: The Default SPX Template on this tab contains all available variables and gives a useful example of recipient instructions. The variables used are:

• ENVELOPE_TO: The recipient for whom the password is generated.

• PASSWORD: The password to open SPX encrypted Email

• ORGANIZATION_NAME: The name provided in the Organization Name field.

• SENDER: The sender of the email.

• REG_LINK: The link to the Registration Portal for registering the password.

Figure 201: Recipient Instructions

5. Enable SPX Portal Settings

Enable SPX Reply Portal

Click to enable users to securely reply to SPX-encrypted emails using the SPX Reply Portal. You also have the option to Include Original Body into Reply.


Figure 202: SPX Portal Settings

General Settings

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Email Configuration allows you to configure the general settings for Email traffic. This page contains the following sections.

SMTP Deployment Mode

MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

Click the button to switch between MTA Mode and Legacy Mode.

In MTA Mode, Device acts as a Mail Transfer Agent (MTA). In Legacy Mode, Device acts as a transparent proxy.

When acting as an MTA, Device is responsible for routing Emails to and from the protected Email Server(s). In this state Device allows you to:

• configure relay of inbound and outbound Emails from Email > Relay Settings.

• set up multiple SMTP Profiles to protect multiple Domains on your internal Email Server or multiple Email Servers from Email > Policies > SMTP Policies.

• view email messages that are either waiting for delivery or have produced an error in the Email > Mail Spool.

• view the logs for all the emails processed by the Device from Email > Mail Logs.

Default: MTA Mode is enabled.

Note:

• On enabling MTA Mode, a firewall rule to allow SMTP/SMTPS traffic is automatically created.

• If you have migrated from CyberoamOS to SFOSv16 OR SFOSv15 to SFOSv16, Legacy Mode will be enabled by default.

Figure 203: SMTP Deployment Mode

Banner Settings

Append Banner to All Outbound Messages

Enable to add a banner at the end of all outgoing Email messages.

The banner is appended ONLY when SMTP and SMTPS Scanning is enabled in the relevant Business Application Policy(s).

Email Banner

Specify a banner to be added to all outgoing Emails. Only text banners are allowed.

Example:

This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.


Figure 204: Banner Settings

SMTP Settings

SMTP Hostname

Specify the SMTP hostname to be used in HELO and SMTP banner strings. By default, the Device uses 'Sophos' as the hostname.

Note: For Legacy Mode, this hostname is applicable only to system-generated notification emails.

Don't Scan Emails Greater Than

Specify maximum file size (in KB) for scanning. Files exceeding this size received through SMTP/S will not be scanned.

Default - 1024 KB

Specify 0 to increase the default file size scanning restriction to 51200 KB.

Action for Oversize Email

Specify the action for Oversize Emails.

Available Options

Accept: All oversize mails are forwarded to the recipient without scanning.

Reject: All oversize mails are rejected and the sender is notified.

Drop: All oversize mails are dropped without notifying the sender.

Bypass Spam Check for SMTP/S Authenticated Connections (Available in Legacy Mode only)

Enable to bypass Spam Scanning for Email messages received over SMTP/S connections authenticated by the Email Server.

Verify Sender's IP Reputation

Click to verify the reputation of the sender IP Address. When enabled, the Device dynamically checks the sender's IP Address of all Emails. If the IP Address is found to be responsible for sending spam email or malicious content, the Device takes action as per the configured Scanning Rules.

If enabled, specify an action for Confirmed Spam Emails and Probable Spam Emails.

Available Options

Accept: All spam Emails are forwarded to the recipient after scanning as per the configuration.

Reject: All spam Emails are rejected and a notification is sent to the Email sender.

Drop: All spam Emails are dropped without notifying the sender.

As this is a global option, if spam scanning is enabled all mails are first subjected to IP Reputation filtering, followed by filtering based on the actions configured in the spam policy.

Default - Disable

SMTP DoS Settings

Enable to configure SMTP DoS Settings which protect the network from SMTP DoS Attacks.

If this is enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connection Rate per Second/Host.

Maximum Connections (Available if SMTP DoS Settings Enabled)

Specify maximum number of connections that can be established with the Email Server.

Default - 1024

Acceptable Range - 1 - 20000

Maximum Connections/Host (Available if SMTP DoS Settings Enabled)

Specify maximum number of connections allowed to the Email Server from a particular host.

Default - 64

Acceptable Range - 1 - 10000

Maximum Emails/Connection (Available if SMTP DoS Settings Enabled)

Specify maximum number of Emails that can be sent in a single connection.

Default - 512

Acceptable Range - 1 - 1000

Maximum Recipients/Email (Available if SMTP DoS Settings Enabled)

Specify the maximum number of recipients for a single Email.

Default - 100

Acceptable Range - 1 - 256

Email Rate per Minute/Host (Available if SMTP DoS Settings Enabled)

Specify number of Emails to be sent from a particular host in one minute.

Default - 512

Acceptable Range - 1 - 20000

Connection Rate per Second/Host (Available if SMTP DoS Settings Enabled)

Specify number of connections allowed to the Email Server from a particular host in one second.

Default - 8

Acceptable Range - 1 - 20000
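The six thresholds above interact: a client can be turned away by the per-host connection cap, by the per-second connection rate, or later by the per-message and per-minute limits. The following simulator is an added example, not Sophos code; it models the limits with the defaults documented above and shows, on a constructed burst from one host, which limit rejects which event. The class and method names, the sliding-window bookkeeping and the choice to count rejected connection attempts against the per-second rate are this example's assumptions, not documented device behaviour.

```python
"""Sliding-window simulator for the SMTP DoS Settings thresholds.

Added example (not Sophos code): it models the six limits on the page with
their documented defaults and shows which constructed SMTP events each one
rejects.  Class and method names are this example's own; the real device
may count differently in details that the guide does not document.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class SmtpDosLimits:
    max_connections: int = 1024               # Maximum Connections (whole device)
    max_connections_per_host: int = 64        # Maximum Connections/Host
    max_emails_per_connection: int = 512      # Maximum Emails/Connection
    max_recipients_per_email: int = 100       # Maximum Recipients/Email
    email_rate_per_minute_host: int = 512     # Email Rate per Minute/Host
    connection_rate_per_second_host: int = 8  # Connection Rate per Second/Host


class SmtpDosGuard:
    def __init__(self, limits: Optional[SmtpDosLimits] = None):
        self.l = limits or SmtpDosLimits()
        self.open_conns = {}                      # conn_id -> [host, emails sent]
        self.conn_attempts = defaultdict(deque)   # host -> timestamps (1 s window)
        self.mail_accepted = defaultdict(deque)   # host -> timestamps (60 s window)

    @staticmethod
    def _window(dq, now, seconds):
        """Drop timestamps older than the window and return the live count."""
        while dq and now - dq[0] >= seconds:
            dq.popleft()
        return len(dq)

    def connect(self, conn_id, host, now):
        """Return 'accept' or the name of the limit that rejects the connection."""
        attempts = self.conn_attempts[host]
        attempts.append(now)  # assumption: rejected attempts count toward the rate too
        if self._window(attempts, now, 1.0) > self.l.connection_rate_per_second_host:
            return "connection_rate_per_second_host"
        if len(self.open_conns) >= self.l.max_connections:
            return "max_connections"
        per_host = sum(1 for h, _ in self.open_conns.values() if h == host)
        if per_host >= self.l.max_connections_per_host:
            return "max_connections_per_host"
        self.open_conns[conn_id] = [host, 0]
        return "accept"

    def send_mail(self, conn_id, recipients, now):
        """Return 'accept' or the name of the limit that rejects this message."""
        entry = self.open_conns.get(conn_id)
        if entry is None:
            return "no_connection"
        host, sent = entry
        if recipients > self.l.max_recipients_per_email:
            return "max_recipients_per_email"
        if sent >= self.l.max_emails_per_connection:
            return "max_emails_per_connection"
        accepted = self.mail_accepted[host]
        if self._window(accepted, now, 60.0) >= self.l.email_rate_per_minute_host:
            return "email_rate_per_minute_host"
        accepted.append(now)
        entry[1] += 1
        return "accept"

    def disconnect(self, conn_id):
        self.open_conns.pop(conn_id, None)


def burst_demo():
    """Constructed scenario: one host opens ten connections within a second.
    Limits are lowered so both the per-host cap and the per-second rate show."""
    guard = SmtpDosGuard(SmtpDosLimits(max_connections_per_host=5,
                                       connection_rate_per_second_host=8))
    return [guard.connect(f"c{i}", "198.51.100.7", 0.1 * i) for i in range(10)]


if __name__ == "__main__":
    for i, verdict in enumerate(burst_demo()):
        print(f"connection {i}: {verdict}")
```

In the burst the first five connections are accepted, the next three hit Maximum Connections/Host while still under the per-second rate, and the last two exceed Connection Rate per Second/Host. When tuning these values, remember that a legitimate upstream filtering service or a large mailing-list host will legitimately open many connections and send many messages per minute, so the per-host limits must be set with those peers in mind.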


Figure 205: SMTP Settings

POP/S and IMAP/S Settings

Don't Scan Emails Greater Than

Specify the maximum file size (in KB) for scanning. Files exceeding this size received through POP/IMAP will not be scanned.

Default - 1024 KB

Specify 0 to increase the default file size restriction to 10240 KB.

Recipient Headers

Specify the header(s) from which the Device detects the recipient of POP3/IMAP messages.

Default - Delivered-To, Received, X-RCPT-TO
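The To: header cannot be relied on to identify the mailbox a POP3/IMAP message was delivered to (Bcc recipients and list mail do not appear in it), which is why the Device reads delivery headers instead. The function below is an added example, not Sophos code; it walks the default header list in order over constructed sample messages and returns the first recipient it finds, reading the "for <addr>" clause of Received, where the delivering MTA records the envelope recipient. The messages, addresses and function names are constructed for this example.

```python
"""Recipient detection for POP3/IMAP messages from their headers.

Added example, not Sophos code.  The device's Recipient Headers setting
defaults to Delivered-To, Received, X-RCPT-TO; this function walks the
configured headers in that order and returns the first recipient it
finds.  For Received it reads the "for <addr>" clause, where the
delivering MTA records the envelope recipient.  Samples are constructed.
"""
import email
import re

DEFAULT_RECIPIENT_HEADERS = ["Delivered-To", "Received", "X-RCPT-TO"]

# An address, optionally wrapped in angle brackets.
_ADDR = re.compile(r"<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})>?")
# The "for <addr>" clause of a Received header (the header may be folded).
_RECEIVED_FOR = re.compile(r"\bfor\s+<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)>?",
                           re.IGNORECASE)


def detect_recipient(raw_message: bytes, headers=DEFAULT_RECIPIENT_HEADERS):
    """Return the first recipient address found (lower-cased), or None."""
    msg = email.message_from_bytes(raw_message)
    for name in headers:
        pattern = _RECEIVED_FOR if name.lower() == "received" else _ADDR
        for value in msg.get_all(name, []):   # a header may appear several times
            m = pattern.search(value)
            if m:
                return m.group(1).lower()
    return None


# Constructed sample 1: Delivered-To present; To: is useless (Bcc delivery).
SAMPLE_DELIVERED_TO = b"""Return-Path: <sender@example.org>
Delivered-To: alice@example.com
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby mail.example.com with ESMTPS id abc123
\tfor <alice@example.com>; Mon, 1 Jan 2018 10:00:00 +0000
From: sender@example.org
To: undisclosed-recipients:;
Subject: quarterly report

body
"""

# Constructed sample 2: no Delivered-To; only the Received "for" clause
# names the real recipient, and To: points at a mailing list.
SAMPLE_RECEIVED_ONLY = b"""Received: from relay.example.net ([198.51.100.20])
\tby mail.example.com for <Bob@Example.com>; Mon, 1 Jan 2018 10:00:00 +0000
From: sender@example.org
To: list@example.org
Subject: hello

body
"""

# Constructed sample 3: recipient only in a custom header the device is told about.
SAMPLE_X_RCPT_TO = b"""X-RCPT-TO: <carol@example.com>
From: sender@example.org
Subject: hi

body
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DELIVERED_TO, SAMPLE_RECEIVED_ONLY, SAMPLE_X_RCPT_TO):
        print(detect_recipient(sample))
```

If your mail server writes the delivered mailbox into a different header, add that header name to the Recipient Headers setting; if none of the configured headers is present the recipient stays unknown, so per-recipient policy and quarantine handling cannot be applied to that message.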


Figure 206: POP/S and IMAP/S Settings

SMTP TLS Configuration

TLS Certificate

Select the CA Certificate or Server Certificate used for scanning SMTP traffic over SSL from the available options.

Available Options

• Default

• ApplianceCertificate

• SecurityAppliance_SSL_CA

• List of custom CA Certificates and Server Certificates, if added. You can create a custom CA Certificate from Certificates > Certificate Authorities and a custom Server Certificate from Certificates > Certificates.

Allow Invalid Certificate

If enabled, SMTP over SSL connections are allowed even when the Email Server presents an invalid certificate (for example one that is expired, self-signed or issued for a different name). Disable this option to reject such connections.

Default - Enable

Note: With the default setting the remote server is not authenticated, so TLS then protects only against passive eavesdropping, not against an active attacker presenting their own certificate. Disable the option once the remote servers you exchange mail with are known to present valid certificates.

Require TLS Negotiation with Host/Net

Select the remote host (Email Server) or network from the available options on whose connections TLS encryption is to be enforced. In other words, the Device always initiates TLS-secured connections when Emails are to be sent to the selected hosts/networks. If TLS is enforced but a TLS connection cannot be established, Emails to that remote host/network are discarded rather than sent in clear text.

Require TLS Negotiation with Sender Domain

Specify the Sender Domain(s) on whose Email connections TLS encryption is to be enforced.

Sender Domain is the domain of the Email sender. Emails from the specified Sender Domain will be sent over TLS-encrypted connections only. If TLS is enforced but connection cannot be established, then Emails from that sender domain are discarded.

Skip TLS Negotiation Hosts/Nets

Select the remote host (Email Server) or network from the available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to the selected hosts are established in clear text (unencrypted), so use this only for hosts that cannot negotiate TLS and whose network path you trust.


Figure 207: SMTP TLS Configuration

POP and IMAP TLS Configuration

TLS Certificate

Select the CA for scanning POP and IMAP traffic over SSL from the available options.

Available Options

• Default

• SecurityAppliance_SSL_CA

• List of custom CAs, if added. You can create a custom CA from Certificates > Certificate Authorities.

Allow Invalid Certificate

If enabled, POP and IMAP over SSL connections are allowed even when the Mail Server presents an invalid certificate. Disable to reject such connections.

Default - Enable

Figure 208: POP and IMAP TLS Configuration

Email Journaling (Available in Legacy Mode only)

Email being one of the most important communication and business tools in use by organizations, email journaling has become an integral part of every organization.

Using the Device's Email Journaling, the administrator can store all incoming Emails, or Emails for a specific recipient or a group of recipients and thereby keep a close watch over data leakage.


The device can journal all Emails intended for single or multiple recipients and can forward them to a single administrator or multiple administrators.

This section displays a list of the archivers created and provides options to add a new archiver, update the parameters of an existing archiver, or delete an archiver. You can filter the list based on recipient name.

Figure 209: Email Journaling

Spam Check Exceptions

To bypass spam scanning of certain domains, define the domains as Spam Check Exceptions. The page lists all the domains configured to be exempted from spam scanning.

It also provides the options to add a new domain and delete an existing domain.

Figure 210: Spam Check Exceptions

Malware Protection

Malware Protection is available in Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models.

Sophos Firewall offers dual anti-virus scanning, wherein traffic is scanned by two (2) anti-virus engines. Traffic is first scanned by the primary engine, and then by the secondary engine.

Primary Anti Virus Engine

Select the primary anti-virus engine for traffic scanning. For dual scan, packets are first scanned by the primary engine and then by the secondary engine. For single scan, only the primary engine is used.

Available Options

Sophos

Avira

Note: Selecting Avira will disable Sandstorm in all SMTP Policies with Single Anti-Virus Scanning.

Figure 211: Malware Protection

Advanced SMTP Settings (Available in MTA Mode only)

Reject invalid HELO or missing RDNS

Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack RDNS (PTR) entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the hostname found in the PTR record does not resolve back to the original IP address (forward-confirmed reverse DNS).
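The three checks described above (HELO/EHLO argument syntax, presence of a PTR record, and the strict forward-confirmation of that PTR name) are shown in the added example below; it is not Sophos code. The HELO check follows the RFC 5321 rule that the argument must be a fully qualified domain name or a bracketed address literal. A constructed in-memory resolver stands in for DNS so the example runs offline; in production the lookups would go through the system resolver. The host names, addresses and function names are this example's own.

```python
"""HELO and reverse-DNS acceptance checks for an inbound SMTP client.

Added example, not Sophos code.  It models the checks on the Advanced SMTP
Settings page: reject invalid HELO/EHLO arguments, reject clients with no
PTR record and, in strict mode, reject clients whose PTR hostname does not
resolve back to the connecting IP (forward-confirmed reverse DNS).  The
resolver below is a constructed stand-in for DNS so the example runs offline.
"""
import ipaddress
import re

# RFC 5321: the HELO/EHLO argument is an FQDN or an address literal in brackets.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_LITERAL = re.compile(r"^\[(IPv6:)?([0-9A-Fa-f:.]+)\]$")


def helo_is_valid(arg: str) -> bool:
    """True for a syntactically valid HELO/EHLO argument."""
    if not arg or len(arg) > 255:
        return False
    m = _LITERAL.match(arg)
    if m:
        try:
            ipaddress.ip_address(m.group(2))
            return True
        except ValueError:
            return False
    return bool(_FQDN.match(arg))


class FakeResolver:
    """Constructed stand-in for DNS: a PTR table and an A/AAAA table."""
    def __init__(self, ptr, fwd):
        self.ptr, self.fwd = ptr, fwd

    def reverse(self, ip):          # PTR lookup: hostname or None
        return self.ptr.get(ip)

    def forward(self, host):        # A/AAAA lookup: list of address strings
        return self.fwd.get(host.lower(), [])


def check_client(ip, helo, resolver, strict_rdns=False):
    """Return 'accept' or the reason the connecting client is rejected."""
    if not helo_is_valid(helo):
        return "invalid-helo"
    addr = ipaddress.ip_address(ip)
    host = resolver.reverse(str(addr))
    if host is None:
        return "missing-rdns"
    if strict_rdns:
        confirmed = {ipaddress.ip_address(a) for a in resolver.forward(host)}
        if addr not in confirmed:
            return "invalid-rdns"   # PTR name does not point back at the client
    return "accept"


# Constructed DNS data.  203.0.113.20 has a PTR that claims a bank's name,
# but that name resolves elsewhere: only the strict check catches it.
RESOLVER = FakeResolver(
    ptr={"203.0.113.10": "mx1.example.net",
         "203.0.113.20": "spoofed.bank.example",
         "2001:db8::25": "mx6.example.net"},
    fwd={"mx1.example.net": ["203.0.113.10"],
         "spoofed.bank.example": ["198.51.100.99"],
         "mx6.example.net": ["2001:db8::25"]},
)

if __name__ == "__main__":
    for client, helo in (("203.0.113.10", "mx1.example.net"),
                         ("203.0.113.20", "bank.example"),
                         ("203.0.113.30", "x.example")):
        print(client, helo, check_client(client, helo, RESOLVER, strict_rdns=True))
```

Anyone whose PTR record is controlled by an attacker can name it whatever they like, which is why the plain "missing RDNS" check is weak on its own and the strict forward-confirmation is the one that carries weight. Before enabling either option, check your own mail logs for legitimate senders that would fail; misconfigured but genuine peers are common.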

Scan Outgoing Mails

Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.


Figure 212: Advanced SMTP Settings

Address Groups

Policies are applied to Email Addresses. To simplify configuration, the Administrator can group the addresses that require the same scanning policy. A policy applied to an address group applies to all group members, so when the group is used in several rules it is easier to add or remove addresses from the group than to update each rule individually; a single update to the group re-aligns all the rules that use it.

An Address Group is a grouping by:

• Email Address or Domain

• IP Address

• RBL (Real time black hole List) (applicable only for the spam email)

An address can be a member of multiple groups.

An RBL is a list of IP Addresses whose owners are responsible for spam or that have been hijacked as spam relays. These IP Addresses might also be used for spreading viruses. The Device checks each RBL for the connecting IP Address and takes the action configured in the policy if the IP Address is found in any of the RBL lists. The Administrator can directly use the two default RBL groups shipped with the Device or update them as required:

• Premium RBL Services

• Standard RBL Services
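An RBL check is a DNS query: the connecting IP address is reversed and looked up under the list's zone name, and an answer in 127.0.0.0/8 means the address is listed. The added example below (not Sophos code) builds those query names for both IPv4 and IPv6 RBL groups and evaluates a constructed set of answers, including the non-127/8 response a broken or wildcarded zone can return. The zone names, addresses and DNS table are constructed so the example runs offline.

```python
"""Building RBL (DNS blocklist) query names for IPv4 and IPv6 addresses.

Added example, not Sophos code.  An RBL lookup is a DNS query for the
reversed client address under the list's zone: IPv4 octets are reversed
(198.51.100.7 -> 7.100.51.198.zone) and an IPv6 address is expanded to its
32 hex nibbles and reversed.  A listed address answers with an A record in
127.0.0.0/8; NXDOMAIN means not listed.  Zone names and the DNS table
below are constructed so the example runs offline.
"""
import ipaddress


def rbl_query_name(ip: str, zone: str) -> str:
    """Return the fully qualified name to query for `ip` in RBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                  # reverse the octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # reverse 32 nibbles
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def check_rbls(ip: str, zones, resolve):
    """Return [(zone, answer)] for every zone that lists `ip`.

    `resolve(name)` returns the A record as a string, or None for NXDOMAIN.
    Only answers inside 127.0.0.0/8 count as a listing; anything else is
    treated as a broken or wildcarded zone rather than as a hit.
    """
    valid = ipaddress.ip_network("127.0.0.0/8")
    hits = []
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer is not None and ipaddress.ip_address(answer) in valid:
            hits.append((zone, answer))
    return hits


# Constructed DNS responses (keys are the query names the function builds).
CONSTRUCTED_DNS = {
    "7.100.51.198.rbl-a.example.": "127.0.0.2",   # 198.51.100.7 listed in both zones
    "7.100.51.198.rbl-b.example.": "127.0.0.11",
    "8.100.51.198.rbl-b.example.": "10.0.0.1",    # bogus non-127/8 answer: ignored
    rbl_query_name("2001:db8::1", "rbl-v6.example"): "127.0.0.3",
}

ZONES = ["rbl-a.example", "rbl-b.example"]

if __name__ == "__main__":
    for client in ("198.51.100.7", "198.51.100.8"):
        print(client, check_rbls(client, ZONES, CONSTRUCTED_DNS.get))
```

The 127.0.0.0/8 check matters in practice: an RBL zone that has been shut down and turned into a wildcard, or a captive DNS resolver that answers every name, would otherwise list every sender and reject all inbound mail. The specific value in the last octet usually encodes the reason for the listing and can be logged alongside the verdict.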

The Address Group page displays a list of all the default and custom groups and provides options to add a new group, update the parameters, import addresses in the existing group, or delete the group. You can sort the list based on address group name.

Add Address Group

1. Go to Protect > Email > Address Group and click Add.

2. Enter a name and description.

3. Group Type: Select the kind of entries the address group holds.

Available Options:

RBL (IPv4) or RBL(IPv6):

Select to add RBLs of IPv4 or IPv6 addresses or domain names.

If the connecting IP address is found on the RBL, the device takes the action specified by the relevant policy.

Email Address/Domain:

Select to add the email address or domain name.

Import: Select to upload a CSV or text file.

Manual: Select to add individual email addresses or domains.

Note:

• You can import a maximum of 400 email addresses or domains in a single file.

• Invalid and duplicate entries are not imported.


Figure 213: Address Group

4. Click Save.

Relay Settings

Relay Settings appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

You can configure an SF Device to act as an email relay, allowing mail servers to send emails through it. You can specify the criteria for one or all parameters.

1. Specify the criteria for Host Based Relay to allow or block the specified hosts/networks from using the device as email relay.

a) To set Allow Relay from Hosts/Networks, select from the list.

Note: Do not select Any. This causes the device to act as an open relay server, allowing anyone on the Internet, including spammers, to send messages through the device.

b) To set Block Relay from Hosts/Networks, select from the list.

2. Specify the criteria for Upstream Host to select the upstream hosts/networks from which the device allows or blocks inbound emails.

a) To set Allow Relay from Hosts/Networks, select from the list. If all of your inbound emails are routed via an upstream filtering service or ISP, enter their IP addresses here. Select Any to accept emails directly from the sender.

b) To set Block Relay from Hosts/Networks, select from the list.

Note:

• For Allow Relay from Hosts/Networks, only emails that are destined to an internal domain are accepted.

• The device allows hosts/networks specified in the Allow list even when they are also part of the Block list. This can happen when you select a group or network that they belong to, or 'Any', in the Block list.

3. Specify the Authenticated Relay Settings to allow only authenticated users and groups to use the device as email relay.

a) Select Enable Authenticated Relay.

b) Select the Users or Groups from the list.

4. Click Apply.
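The decision the device has to make for each recipient combines all three steps above: Authenticated Relay, the Host Based Relay allow/block lists and the Upstream Host lists, with the two documented rules that an Allow entry wins over a Block entry and that upstream hosts are accepted only for mail to an internal domain. The following is an added example, not Sophos code, that works through that decision for a constructed configuration and also flags the "Any" misconfiguration the note above warns about. The order in which the checks are applied, the verdict names and every network, domain and user name are this example's assumptions.

```python
"""Relay decision logic modelled on the Relay Settings page.

Added example, not Sophos code.  It combines the Host Based Relay allow and
block lists, the Upstream Host lists and Authenticated Relay for a single
RCPT, implementing the two documented notes: an entry in an Allow list
wins over a Block entry, and upstream hosts are accepted only for mail to
an internal domain.  'Any' is modelled as 0.0.0.0/0 and ::/0 so the
open-relay case in the guide's warning can be detected.  The order of the
checks and all networks, domains and user names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


ANY = nets("0.0.0.0/0", "::/0")


def _in(ip, networks):
    return any(ip in n for n in networks)


@dataclass
class RelaySettings:
    internal_domains: set                                # domains the device delivers for
    allow_hosts: list = field(default_factory=list)      # Host Based Relay: Allow
    block_hosts: list = field(default_factory=list)      # Host Based Relay: Block
    upstream_allow: list = field(default_factory=list)   # Upstream Host: Allow
    upstream_block: list = field(default_factory=list)   # Upstream Host: Block
    authenticated_relay: bool = False                    # Enable Authenticated Relay
    relay_users: set = field(default_factory=set)        # permitted users/groups


def relay_decision(cfg, client_ip, rcpt_domain, auth_user=None):
    """Return an 'accept'/'relay' verdict or a 'reject-...' reason for one RCPT."""
    ip = ipaddress.ip_address(client_ip)
    inbound = rcpt_domain.lower() in cfg.internal_domains
    # 1. Authenticated relay: a permitted SMTP AUTH user may relay anywhere.
    if cfg.authenticated_relay and auth_user in cfg.relay_users:
        return "relay-authenticated"
    # 2. Host based relay: Allow wins over Block, even when a host is in both.
    if _in(ip, cfg.allow_hosts):
        return "relay-host"
    if _in(ip, cfg.block_hosts):
        return "reject-blocked-host"
    # 3. Everyone else may only deliver to an internal domain; accepting more
    #    would make the device an open relay.
    if not inbound:
        return "reject-relay-denied"
    if _in(ip, cfg.upstream_allow):
        return "accept-inbound"
    if _in(ip, cfg.upstream_block):
        return "reject-blocked-upstream"
    return "reject-upstream-not-allowed"


def is_open_relay(cfg):
    """True when Host Based Relay allows 'Any': the misconfiguration the guide warns about."""
    return any(n.prefixlen == 0 for n in cfg.allow_hosts)


# Constructed configuration.  The administrator tried to carve a blocked
# subnet (10.5.0.0/16) out of the allowed LAN (10.0.0.0/8); because Allow
# wins over Block, that carve-out has no effect.  Inbound mail is accepted
# only from an upstream filtering service in 203.0.113.0/24.
EXAMPLE = RelaySettings(
    internal_domains={"example.com"},
    allow_hosts=nets("10.0.0.0/8"),
    block_hosts=nets("10.5.0.0/16", "192.0.2.0/24"),
    upstream_allow=nets("203.0.113.0/24"),
    authenticated_relay=True,
    relay_users={"alice"},
)

if __name__ == "__main__":
    for client, domain, user in (("10.5.1.1", "partner.example", None),
                                 ("203.0.113.9", "example.com", None),
                                 ("198.51.100.1", "partner.example", "alice"),
                                 ("198.51.100.1", "partner.example", "bob")):
        print(client, domain, user, relay_decision(EXAMPLE, client, domain, user))
    print("open relay:", is_open_relay(EXAMPLE))
```

Two points worth verifying on a live device after applying the settings: connect from an address that is in neither list and confirm that a RCPT TO an external domain is refused, and confirm that a host you meant to block but that sits inside an allowed network is in fact still allowed, since the precedence rule works against subnet carve-outs.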

File Types

A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.

Using File Types with Policy Rules

You can create file types to control access to files on a more granular level. For example, you may want to allow access to SQL files but deny access to all other database files. In this case, you would create a file type for SQL files and a policy that specifies the following rules in the following order:

1. Allow access to SQL files

2. Block access to all database files

Add File Type

1. Go to Protect > Web > File Type and click Add.

2. Type a name.

3. (Optional) Select a template.

You can select from predefined or custom file types. If you do not wish to use a template, choose Blank.

4. Specify the file extension and MIME header.


Figure 214: Add File Type

Quarantine Digest

Quarantine Digest is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Quarantine Digest allows you to set the frequency at which the digest email is sent to the user. You can enable or disable user access to quarantined emails on the user portal. You can also enable quarantine digest for all users or to specific users and groups.

Quarantine Digest provides the date and time of message receipt, sender and recipient's email addresses and subject of the message.

Quarantine Digest Settings for All Users

1. Go to Protect > Email > Quarantine Digest.

2. Select Enable Quarantine Digest to email the digest to all users.

a. Set the Email Frequency of the digest. Set the interval, time, and day of week, based on the selection.

b. In the From Email Address box, enter the address from which the email is to be sent.

c. In the Display Name box, specify the name of the quarantine digest sender.

d. Click Send Test Email. Enter the To Email Address and click Send.

e. To set the IP address of the user portal, select the Reference User Portal IP from the list.

Note: Users located behind the selected port can click the "My Account" link in the digest email to gain access to quarantined emails on the user portal. Others can access the user portal by typing https://<IP Address of SF Device> in the browser.

Example: If Port1 is selected as the Reference User Portal IP, only users located behind Port1 will be redirected to the user portal when they click on "My Account".

3. Click Apply.

Override Quarantine Digest Settings for Specific Users

1. Go to Protect > Email > Quarantine Digest.

2. Click Change User's Quarantine Digest Settings, to apply the settings to specific users or groups.
