Safeguarding Your Mail System

In the Security page, you can enable spam filters, anti-virus scanning, or black and white list rules to protect your MailPlus Server and its clients.

Spam Filter

MailPlus Server provides various strategies for spam scanning and blocking, and allows auto learning from reported spams for accurate detection.

To enable anti-spam engine:

1. Go to Spam, and tick the Enable anti-spam engine (recommended) checkbox.
2. Click the Edit Anti-spam Settings button.
3. Go to the General tab in the pop-up window to define spam filtering rules for the engine:
   • Mark as spam if score is higher than: Select a spam score threshold. A message that exceeds the threshold will be marked as spam.
   • Add the following to spam subjects: Select to specify custom text that will be added to the subject of spam messages for identification.
   • Encapsulate spam as attachment:
     • Yes: Report spam as an attachment encapsulated in a new message.
     • Yes, as plain text only: Report spam as plain text to avoid web bugs and malicious scripts.
   • Auto white list: Select to automatically add external email addresses that MailPlus users reply to into a system-internal white list.
   • SpamAssassin Rules: Click to import/export a .cf file containing SpamAssassin rules. SpamAssassin rules are open-source rules that target on specific spam types.
   • Custom Spam Filter: Click to set up spam filters to suit your needs:
     • Address Filter: Click Create to specify spam/non-spam filters based on sender and recipient addresses. To import or export relevant rules for use, click Tools.
     • Keyword Filter: Click Create to specify keywords and corresponding spam scores (a positive score for spam likelihood; a negative score for spam unlikelihood). A message will be marked as spam when its total keyword score exceeds the spam threshold.
4. Delete spam interval (days): Spam messages will be automatically deleted after the specified days.
5. Automatically update anti-spam rules: Tick to set a daily schedule to download the latest anti-spam rules.
6. Click Apply to save the settings.

To enable automatic spam-learning:

After the anti-spam engine starts running, you can train MailPlus Server to better detect spam with specialized algorithms.

1. Go to Spam, click Edit Anti-spam Settings button, and go to the Auto Learning tab in the pop-up window.
2. Tick the Auto learning checkbox.
3. Specify the following spam score settings:
   • Mark as spam if score is higher than: The spam threshold set in the General tab will be displayed here.
   • Learn as spam if score is higher than: Set the spam threshold for auto learning.
   • Learn as non-spam if score is lower than: Set the non-spam threshold for auto learning.
4. Tick the Enable spam reporting checkbox to allow client users to report spam and false spam using MailPlus or a third-party mail client (e.g. Microsoft Outlook):
   • Forward spam to: Enter an email address that reported spam will be forwarded to.
   • Forward false spam to: Enter an email address that reported false spam will be forwarded to.
5. Click the Reported Spam button to view all reported spam and false spam, and manage them as follows:
   • View: Click to view a reported message in plain text.
   • Learn: Click Learn or Learn All to train the system for spam detection.
   • Delete: Click to remove a reported message incorrectly identified by a client user.
   • Original Mail: Click to view a reported message in plain text and its mail headers.
6. To set a learning schedule, tick the Set daily schedule for learning reported spam checkbox and specify the time.
7. Click OK to save the settings.

To enable DNSBL:

DNSBL (DNS-based Blackhole List) will filter out spam published through the Internet Domain Name Service (DNS) based on a list of IP addresses of computers or networks.

1. Go to Spam, and tick the Enable postscreen protection against spams checkbox.
2. Click the DNSBL Settings button to manage the DNSBL server list.
   1. Click Create. Enter a DNSBL server and corresponding score, and click OK.
   2. Click Settings. Enter the DNSBL score threshold, and click OK.
   3. Once you have done this, when a DNSBL server regards a mail client as a spam mail client, it will get a corresponding score. When the total score exceeds the threshold, the mail client will be kicked.
3. Click Apply to save your settings.

To enable greylist function:

Greylist is a mechanism for blocking spam emails. The greylist function will return a temporary error to mail clients. Since most spam mail clients will not continuously send spam to servers once its submission has been rejected, spam delivery will be blocked. Non-spam mail clients, however, will try to deliver mail again at a later time, and this time they will not be blocked by the greylist function. This way, non-spam emails can be delivered normally.

1. Go to Spam, and tick the Enable greylist to enhance spam detection by temporarily rejecting suspicious incoming mails checkbox.
2. To perform different actions for different IP/domains, please click the Greylist Settings button to refine your settings.
3. Click Create.
4. Specify the criteria for the rule. For example:
   1. Specify an IP range "192.168.0.0/24" as the target.
   2. Specify a domain "example.com" as the target. The system will check the domain information through the sender's DNS Server, and see if it matches the domain set in the greylist.
5. Select an action:
   • Blacklist: Immediately end the connection.
   • Greylist: Return a temporary error. When the mail client resends the message after the greylist time period, the message will be accepted and the mail client will be added to the whitelist.
   • Whitelist: Immediately accept the message.
6. Click OK.
7. To change the default action and the greylist time period, please click Settings in the Greylist Settings pop-up window to edit them.
8. Click OK to save the settings.

Antivirus

You can run an antivirus engine to scan all incoming and outgoing messages for viruses. When a message is found infected, the system will delete/quarantine the message and send notifications to related recipients.

To enable antivirus engine:

1. Go to Antivirus > Antivirus, and tick the Enable Anti-Virus Engine checkbox.
2. Select an antivirus engine in Select engine:
   • ClamAV: A free and open-source antivirus engine
   • McAfee: An antivirus engine that requires the Antivirus by McAfee package (purchasable at Package Center) running on the Synology NAS
3. When ClamAV is selected as the antivirus engine, consider the auxiliary options below:
   • Use Google SafeBrowsing database: The system will use Google's SafeBrowsing database to detect malicious links in mails.
   • Use other third-party database: The system will download virus definitions from third-party websites to improve virus detection accuracy.
   • Auto-update virus definitions: Select to update virus definitions by the set daily schedule.
4. Click Apply to save the settings.

To manage infected messages:

When infected messages are detected, the system will react according to custom action policies.

1. Go to Antivirus > Actions.
2. Define how to manage an infected message in Anti-virus action:
   • Delete mail: An infected message will be deleted without reaching intended recipients.
   • Save to quarantine: An infected message will be quarantined without reaching intended recipients. Click the Quarantine List button to view and manage quarantined messages.
   • Deliver anyway: An infected message will be allowed through to intended recipients.
3. To notify recipients of an infected message when it is deleted or quarantined, tick the Send notifications to recipients after deleting or quarantining viruses checkbox. Click the Template Settings button to customize notifications.
4. To mark infected messages, tick the Add subject prefix to infected mail checkbox and specify the text to appear on their subjects.
5. Click Apply to save the settings.

Authentication

You can enable authentication mechanisms to validate inbound emails and reduce spam.

To enable SPF verification:

1. Go to Authentication > SPF, and tick the Enable SPF verification checkbox to verify sender identity and detect forged sender addresses.
2. Tick the Reject SPF softfail checkbox if necessary. Emails that have softfail verification results will be rejected.
3. Click Apply to save the settings.

To enable DKIM verification:

1. Go to Authentication > DKIM, and tick the Enable DKIM verification on inbound emails checkbox to verify valid DKIM signature on incoming emails.
2. Click Apply to save settings.

To enable DKIM signing and create DKIM white list:

1. Go to Domain on the left panel.
2. Select a domain name and click Edit.
3. Click the Advanced button.
4. Go to DKIM to enable DKIM signing, all corresponding outbound emails from the domain will be signed with DKIM.
5. Click OK to save the settings.
6. Go to Security on the left panel.
7. Go to Authentication > DKIM, and click the White List button to specify an internal host or subnet in the white list. Corresponding outbound emails sent from the specified source via MailPlus, third-party mail clients, and the terminal will carry a DKIM signature.
8. Click Finish to save the settings.

To enable DMARC:

1. Go to Authentication > DMARC, and tick the Enable DMARC checkbox to validate the senders' email domains.
2. Update your DNS records using a TXT record, so that your outbound emails will be able to pass DMARC authentication of other mail servers. The TXT record should be added as follows:
   • TXT record name: _dmarc.[your domain]
     ([your domain] should be replaced with your domain name. E.g, _dmarc.example.com)
   • TXT record value: v=DMARC1; p=[Policy for domain]; pct=[% of messages subjected to filtering]; rua=[Reporting URI of aggregate reports]
     (E.g, v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com)
3. Click Apply to save the settings.

Content Scan

You can configure the system to filter emails by attachment file types, and scan messages for potentially dangerous content.

To filter emails by attachment file types:

1. Go to Content Scan > Attachment Filter, and click the Attachment Filter button.
2. Click Create to enter file types. Emails that contain attachments of the listed file types will be rejected.
3. Click Finish to save the settings.

To scan emails for dangerous content:

1. Go to Content Scan > Content Scan, and tick the Enable dangerous content scan checkbox.
2. Tick the desired checkboxes:
   • Reject partial messages: Since these messages cannot be scanned properly for viruses and inappropriate content, they will be rejected to avoid potential virus infection.
   • Reject external message bodies: Messages that have bodies stored elsewhere on the Internet will be rejected to avoid fetching viruses from other Internet sites when downloading the message bodies.
   • Highlight phishing fraud: The sections containing potential phishing fraud will be highlighted in the messages.
   • Convert HTML into plain text: If HTML messages contain dangerous tags, they will be converted to plain text to make the HTML harmless, while still allowing you to read the text content.
     • Reject: Reject messages containing corresponding tags.
     • Allow: Allow corresponding tags in messages.
     • Make tags ineffective: Allow corresponding tags in messages but make them ineffective so that users are still able to see the text content.
3. Click Apply to save the settings.