Security

In the Security page, you can enable spam filters, anti-virus scanning, or blacklist and whitelist rules to protect your Synology MailPlus Server and its clients.

Spam

Synology MailPlus Server provides various strategies for spam scanning and blocking and allows auto learning from reported spam for accurate detection.

To enable the anti-spam engine:

  1. Go to Spam and tick Enable anti-spam engine.
  2. Click Edit Anti-spam Settings.
  3. Go to General in the pop-up to define spam filtering rules for the engine:
  4. Delete spam interval (days): Spam messages will be automatically deleted after the specified days.
  5. Automatically update anti-spam rules: Tick to set a daily schedule to download the latest anti-spam rules.
  6. Click Apply to save your settings.

Note:

To enable automatic spam-learning:

After the anti-spam engine starts running, you can train Synology MailPlus Server to better detect spam with specialized algorithms.

  1. Go to Spam, click Edit anti-spam setting, and go to Auto learning.
  2. Tick Auto learning.
  3. Specify the following spam score settings:
  4. Tick Enable spam reporting to allow client users to report spam and false spam using Synology MailPlus or a third-party mail client (e.g., Microsoft Outlook):
  5. Click Reported Spam to view all reported spam and false spam, and manage them as follows:
  6. To set a learning schedule, tick Set daily schedule for learning reported spam and specify the time.
  7. Click OK to save the settings.

Note:

To enable DNSBL:

DNSBL (DNS-based Blackhole List) will filter out spam published through the Internet Domain Name Service (DNS) based on a list of IP addresses of computers or networks.

  1. Tick Enable postscreen protection against spams.
  2. Click DNSBL Settings to manage the DNSBL server list.
    1. Click Create. Input a DNSBL server and the corresponding score, and click OK.
    2. Click Settings. Input the DNSBL score threshold and click OK.
    3. Once you have done this, when a DNSBL server regards a mail client as a spam mail client, it will get the corresponding score. When the total score exceeds the threshold, the mail client will be kicked.
  3. Click Apply to save your settings.

To enable the greylist function:

Greylist is a mechanism for blocking spam emails. The greylist function will return a temporary error to mail clients. Since most spam mail clients do not try to continuously send spam to servers. Once the submission has been rejected, spam delivery will be blocked. Non-spam mail clients; however, will try to deliver emails again at a later time, and this time they will not be blocked by the greylist function. In this way, non-spam emails can be delivered normally.

  1. Tick Enable greylist to enhance spam detection by temporarily rejecting suspicious incoming mail.
  2. To perform different actions for different IP/domains, please click Greylist Settings to refine your settings.
  3. Click Create.
  4. Specify the criteria for the rule, for example:
    1. Specify an IP range "192.168.0.0/24" as the target.
    2. Specify a domain "example.com" as the target. The system will check the domain information through the sender's DNS server and see if it matches the domain set in the greylist.
  5. Select an action:
  6. Click OK.
  7. To change the default action and the greylist time period, please click Settings to edit them.
  8. Click Apply.

Note:

Antivirus

You can run an antivirus engine to scan all incoming and outgoing messages for viruses. When a message is found infected, the system will delete/quarantine the message and send notifications to related recipients.

To enable the antivirus engine:

  1. Go to Security > Antivirus > Antivirus.
  2. Tick Enable Anti-Virus Engine.
  3. Go to Select engine to select an antivirus engine:
  4. When ClamAV is selected as the antivirus engine, consider the auxiliary options below:
  5. Auto-update virus definitions: Select to update virus definitions by the set daily schedule.
  6. Click Apply to save the settings.

Note:

To manage infected messages:

When infected messages are detected, the system will react according to custom action policies.

  1. Go to Security > Antivirus > Actions.
  2. Go to Anti-virus action to define how to manage an infected message:
  3. To notify recipients of an infected message when it is deleted or quarantined, tick Send notifications to recipients after deleting or quarantining viruses. Click Template Settings to customize notifications.
  4. To mark infected messages, select Add subject prefix to infected mail and specify the text to appear on their subjects.
  5. Click Apply to save the settings.

Authentication

You can enable authentication mechanisms to validate inbound emails and reduce spam. When this mechanism is enabled, an inbound email will go through all of the following verification processes. If the user opens an email that does not pass any of the verification processes, a warning dialog will appear to remind the user to verify the email source.

To enable SPF verification:

  1. Tick Enable SPF verification to verify the sender identity and detect forged sender addresses.
  2. Tick Reject SPF softfail if necessary. Emails that have softfail verification results will be rejected.

To enable DKIM verification:

  1. Tick Enable DKIM verification on inbound emails to check for a valid DKIM signature on incoming emails. Emails rejected by DKIM will be moved to the Spam folder of Synology MailPlus client, and a warning will appear when users view such emails.
  2. Under Minimum key length for DKIM verification, select a value from the drop-down menu. Emails with DKIM keys shorter than the set value will be rejected. Lowering the values will allow emails with shorter keys to pass the verification. However, we recommend setting a longer key length so that emails from less secure domains with shorter keys cannot pass the verification.

To enable DKIM signing and create DKIM whitelist:

  1. Go to Domain and double-click the domain. Click the Advanced button. At the DKIM section, you can enable DKIM signing, all the corresponding outbound emails from the domain will be signed with DKIM.
  2. Go to Security > Authentication > DKIM and click the Whitelist button to specify an internal host or subnet in the whitelist. Corresponding outbound emails sent from the specified source via Synology MailPlus, third-party mail clients, and the terminal will carry a DKIM signature.

To enable DMARC:

  1. Tick Enable DMARC to validate the senders' email domains. Emails quarantined by DMARC will be moved to the Spam folder of Synology MailPlus client, and a warning will appear when users view such emails.
  2. Update your DNS records using a TXT record, so that your outbound emails will be able to pass DMARC authentication of other mail servers. The TXT record should be added as follows:

Content Scan

You can configure the system to filter emails by attachment file types and scan messages for potentially dangerous content.

To filter emails by attachment file types:

  1. Click the Attachment Filter button.
  2. Click Create to enter file types. Emails that contain attachments of the listed file types will be rejected.

Note:

To scan emails for dangerous content:

  1. Tick Enable dangerous content scan.
  2. Tick the desired boxes:
  3. Click Apply to save settings.