Safeguarding Your Mail System
In the Security page, you can enable spam filters, anti-virus scanning, or black and white list rules to protect your MailPlus Server and its clients.
Spam Filter
MailPlus Server provides various strategies for spam scanning and blocking, and allows auto learning from reported spam for accurate detection.
To enable anti-spam engine:
- Go to Spam, and tick Enable anti-spam engine.
- Click Edit Anti-spam Settings.
- Go to General in the pop-up to define spam filtering rules for the engine:
- Mark as spam if score is higher than: Select a spam score threshold. A message that exceeds the threshold will be marked as spam.
- Add the following to spam subjects: Select to specify custom text that will be added to the subject of spam messages for identification.
- Encapsulate spam as attachment:
- Yes: Report spam as an attachment encapsulated in a new message
- Yes, as plain text only: Report spam as plain text to avoid web bugs and malicious scripts.
- Auto white list: Tick to automatically add external email addresses that MailPlus users reply to into a system-internal white list.
- SpamAssassin Rules: Click to import/export a .cf file containing SpamAssassin rules. SpamAssassin rules are open-source rules that target on specific spam types.
- Custom Spam Filter: Click to set up spam filters to suit your needs:
- Address Filter: Click Create to specify spam/non-spam filters based on sender and recipient addresses. To import or export relevant rules for use, click Tools.
- Keyword Filter: Click Create to specify keywords and corresponding spam scores (a positive score for spam likelihood; a negative score for spam unlikelihood). A message will be marked as spam when its total keyword score exceeds the spam threshold.
- Delete spam interval (days): Spam messages will be automatically deleted after the specified days.
- Automatically update anti-spam rules: Tick to set a daily schedule to download the latest anti-spam rules.
- Click OK to save your settings.
Note:
- For accurate spam detection, enable Auto white list after Auto learning has been enabled for some time.
- You can download specialized SpamAssassin rules from this website.
- To create custom SpamAssassin rules, do the following:
- Refer to this website when creating rules.
- Save the rules as a .cf file for import.
- In Custom Spam Filter, you can set the rules with criteria as explained below:
Specified Criteria |
Targets |
admin@domain |
Any messages from the email address [admin@domain] |
admin@ |
Any messages from the account [admin] will be targeted |
@domain or domain |
Any messages from the domain [domain] |
@*.com or *.com |
Any messages from the domain ended by [.com] |
ad*@ |
Any messages from the account started by [ad] |
- The custom address filter formats of MailPlus Server 2.0.0 and onward are not the same as that of the previous versions, and the blacklist and whitelist are now merged into one single file. When importing the previous verions of rules, the system will determine the version of rules, and decide whether it is for the whitelist or blacklist based on the file name of the imported rules. Users need to check the file name before importing the file. If the system fails to determine whether the rules belong to the blacklist or whitelist, a window will pop up to ask the users to decide.
To enable automatic spam-learning:
After the anti-spam engine starts running, you can train MailPlus Server to better detect spam with specialized algorithms.
- Go to Spam, click Edit anti-spam setting, and go to Auto learning.
- Tick Auto learning.
- Specify the following spam score settings:
- Mark as spam if score is higher than: The spam threshold set in General is displayed here.
- Learn as spam if score is higher than: Set the spam threshold for auto learning.
- Learn as non-spam if score is lower than: Set the non-spam threshold for auto learning.
- Tick Enable spam reporting to allow client users to report spam and false spam using MailPlus or a third-party mail client (e.g. Microsoft Outlook):
- Forward spam to: Enter an email address that reported spam will be forwarded to.
- Forward false spam to: Enter an email address that reported false spam will be forwarded to.
- Click Reported Spam to view all reported spam and false spam, and manage them as follows:
- View: Click to view a reported message in plain text.
- Learn: Click Learn or Learn All to train the system for spam detection.
- Delete: Click to remove a reported message incorrectly identified by a client user.
- Original Mail: Click to view a reported message in plain text and its mail headers.
- To set a learning schedule, tick Set daily schedule for learning reported spam and specify the time.
- Click OK to save the settings.
Note:
- To help client users report spam and false spam from a third-party mail client (e.g. Microsoft Outlook), do the following:
- Provide them with the email addresses specified in Forward spam to and Forward false spam to for reporting.
- Ask them to use the client's built-in feature to forward such messages as attachment to the provided email addresses. If not forwarded as attachment, the messages cannot successfully reach MailPlus Server.
To enable DNSBL:
DNSBL (DNS-based Blackhole List) will filter out spam published through the Internet Domain Name Service (DNS) based on a list of IP addresses of computers or networks.
- Tick Enable postscreen protection against spams.
- Click DNSBL Settings to manage the DNSBL server list.
- Click Create. Input a DNSBL server and corresponding score, and click OK.
- Click Settings. Input the DNSBL score threshold, and click OK.
- Once you have done this, when a DNSBL server regards a mail client as a spam mail client, it will get corresponding score. When the total score exceeds the threshold, the mail client will be kicked.
- Click Apply to save your settings.
To enable greylist function:
Greylist is a mechanism for blocking spam emails. The greylist function will return a temporary error to mail clients. Since most spam mail clients do not try to continuously send spam to servers once its submission has been rejected, spam delivery will be blocked. Non-spam mail clients, however, will try to deliver mail again at a later time, and this time they will not be blocked by the greylist function. This way, non-spam emails can be delivered normally.
- Tick Enable greylist to enhance spam detection by temporarily rejecting suspicious incoming mail.
- To perform different actions for different IP/domains, please click Greylist Settings to refine your settings.
- Click Create.
- Specify the criteria for the rule, for example:
- Specify an IP range "192.168.0.0/24" as the target.
- Specify a domain "example.com" as the target. The system will check the domain information through sender's DNS Server, and see if it matches the domain set in the greylist.
- Select an action:
- Blacklist:Immediately end the connection.
- Greylist: Return temporary error. When the mail client resends the message after the greylist time period, the message will be accepted and the mail client will be added to the whitelist.
- Whitelist:Immediately accept the message.
- Click OK.
- To change the default action and the greylist time period, please click Settings to edit them.
- Click Apply.
Note:
- Greylist function may cause some emails to be delayed in delivery. After the mail client passes the greylist test, all its messages will be delivered immediately.
To reduce spam mails:
- Click the Advanced Settings button.
- Tick the checkboxes to reject emails that match the selected conditions.
Antivirus
You can run an antivirus engine to scan all incoming and outgoing messages for viruses. When a message is found infected, the system will delete/quarantine the message and send notifications to related recipients.
To enable antivirus engine:
- Go to Security > Antivirus > Antivirus.
- Tick Enable Anti-Virus Engine.
- Go to Select engine to select an antivirus engine:
- ClamAV: A free and open-source antivirus engine
- McAfee: An antivirus engine that requires the Antivirus by McAfee package (purchasable at Package Center) running on the Synology NAS
- When ClamAV is selected as the antivirus engine, consider the auxiliary options below:
- Use Google SafeBrowsing database: The system will use Google's SafeBrowsing database to detect malicious links in mails.
- Use other third-party database: The system will download virus definitions from third-party websites to improve virus detection accuracy.
- Auto-update virus definitions: Select to update virus definitions by the set daily schedule.
- Click Apply to save the settings.
Note:
- Only models with 512 MB RAM or more can auto-update virus definitions.
- Running antivirus scanning will consume around 300 MB RAM.
- Using Google's SafeBrowsing database or third-party databases for ClamAV may demand more system memory.
- To fine-tune the McAfee antivirus engine, go to the Antivirus by McAfee package to change relevant settings.
To manage infected messages:
When infected messages are detected, the system will react according to custom action policies.
- Go to Security > Antivirus > Actions.
- Go to Anti-virus action to define how to manage an infected message:
- Delete mail: An infected message will be deleted without reaching intended recipients.
- Save to quarantine: An infected message will be quarantined without reaching intended recipients. Click Quarantine List to view and manage quarantined messages.
- Deliver anyway: An infected message will be allowed through to intended recipients.
- To notify recipients of an infected message when it is deleted or quarantined, tick Send notifications to recipients after deleting or quarantining viruses. Click Template Settings to customize notifications.
- To mark infected messages, select Add subject prefix to infected mail and specify the text to appear on their subjects.
- Click Apply to save the settings.
Authentication
You can enable authentication mechanisms to validate inbound emails and reduce spam. When this mechanism is enabled, inbound email will go through all of the following verification processes. If the user opens an email that does not pass any of the verification processes, a warning dialog will appear to remind the user to verify the email source.
To enable SPF verification:
- Tick Enable SPF verification to verify sender identity and detect forged sender addresses.
- Tick Reject SPF softfail if necessary. Emails that have softfail verification results will be rejected.
To enable DKIM verification:
- Tick Enable DKIM verification on inbound emails to check for a valid DKIM signature on incoming emails. Emails rejected by DKIM will be moved to the Spam folder of MailPlus Client, and a warning will appear when users view such emails.
- Under Minimum key length for DKIM verification, select a value from the drop-down menu. Emails with DKIM keys shorter than the set value will be rejected. Lowering the values will allow emails with shorter keys to pass the verification. However, we recommend setting a longer key length so that emails from less secure domains with shorter keys cannot pass the verification.
To enable DKIM signing and create DKIM white list:
- Go to Domain > Advanced > DKIM to enable DKIM signing, all corresponding outbound emails from the domain will be signed with DKIM.
- Go to Security > Authentication > DKIM, and click the White List button to specify an internal host or subnet in the white list. Corresponding outbound emails sent from the specified source via MailPlus, third-party mail clients, and terminal will carry a DKIM signature.
To enable DMARC:
- Tick Enable DMARC to validate the senders' email domains. Emails quarantined by DMARC will be moved to the Spam folder of MailPlus Client, and a warning will appear when users view such emails.
- Update your DNS records using a TXT record, so that your outbound emails will be able to pass DMARC authentication of other mail servers. The TXT record should be added as follows:
- TXT record name: _dmarc.[your domain]
([your domain] should be replaced with your domain name. Example: _dmarc.example.com)
- TXT record value: v=DMARC1; p=[Policy for domain]; pct=[% of messages subjected to filtering]; rua=[Reporting URI of aggregate reports]
(Example: v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com)
Content Scan
You can configure the system to filter emails by attachment file types, and scan messages for potentially dangerous content.
To filter emails by attachment file types:
- Click the Attachment Filter button.
- Click Create to enter file types. Emails that contain attachments of the listed file types will be rejected.
Note:
- Please enter the file types using simple regular expressions. For example, if you enter vb[es], emails that contain the vbe and vbs file types will be rejected.
To scan emails for dangerous content:
- Tick Enable dangerous content scan.
- Tick the desired boxes:
- Reject partial messages: Since these messages cannot be scanned properly for viruses and inappropriate content, they will be rejected to avoid potential virus infection.
- Reject external message bodies: Messages that have bodies stored elsewhere on the Internet will be rejected to avoid fetching viruses from other Internet sites when downloading the message bodies.
- Highlight phishing fraud: The sections containing potential phishing fraud will be highlighted in the messages.
- Convert HTML into plain text: If HTML messages contain dangerous tags, they will be converted to plain text to make the HTML harmless, while still allowing you to read the text content.
- Reject: Reject messages containing corresponding tags.
- Allow: Allow corresponding tags in messages.
- Make tags ineffective: Allow corresponding tags in messages but make them ineffective so that users are still able to see the text content.
- Click OK to save settings.