Security
In the Security page, you can enable spam filters, anti-virus scanning, or blacklist and whitelist rules to protect your Synology MailPlus Server and its clients.
Spam
Synology MailPlus Server provides various strategies for spam scanning and blocking and allows auto learning from reported spam for accurate detection.
To enable the anti-spam engine:
- Go to Spam and tick Enable anti-spam engine.
- Click Edit Anti-spam Settings.
- Go to General in the pop-up to define spam filtering rules for the engine:
- Mark as spam if score is higher than: Select a spam score threshold. A message that exceeds the threshold will be marked as spam.
- Add the following to spam subjects: Tick to specify custom text that will be added to the subject of spam messages for identification.
- Encapsulate spam as attachment:
- Yes: Report spam as an attachment encapsulated in a new message.
- Yes, as plain text only: Report spam as plain text to avoid web bugs and malicious scripts.
- Auto whitelist: Tick to automatically add external email addresses that Synology MailPlus users reply to into a system-internal whitelist.
- SpamAssassin Rules: Click to import/export a .cf file containing SpamAssassin rules. SpamAssassin rules are open-source rules that target specific spam types.
- Custom Spam Filter: Click to set up spam filters to suit your needs:
- Address Filter: Click Create to specify spam/non-spam filters based on sender and recipient addresses. To import or export relevant rules for use, click Tools.
- Keyword Filter:
- Create: Specify keywords and the corresponding spam scores (a positive score for spam likelihood; a negative score for spam unlikelihood). A message will be marked as spam when its total keyword score exceeds the spam threshold. You can enable or disable a filter by clicking the checkbox in the Enable field.
- Edit: Edit the selected filter.
- Delete: Delete the selected filter.
- Save: You have to click the Save button every time you make changes to a filter or group.
- Group setting: You can set up multiple groups to categorize keyword filters and enable or disable a group by clicking the checkbox in the Enable field. To create, edit, or delete a group, select the group and click the buttons in the toolbar.
- Group drop-down menu: Before creating a filter, you have to select the group the filter belongs to from the drop-down menu.
- Delete spam interval (days): Spam messages will be automatically deleted after the specified days.
- Automatically update anti-spam rules: Tick to set a daily schedule to download the latest anti-spam rules.
- Click Apply to save your settings.
Note:
- For accurate spam detection, enable Auto whitelist after Auto learning has been enabled for some time.
- You can download specialized SpamAssassin rules from this website.
- To create custom SpamAssassin rules, do the following:
- Refer to this website when creating rules.
- Save the rules as a .cf file for the import.
- In Custom Spam Filter, you can set the rules with criteria as explained below:
Specified Criteria | Targets
admin@domain | Any messages from the email address [admin@domain]
admin@* | Any messages from the account [admin]
domain | Any messages from the domain [domain]
*.com | Any messages from domains ending in [.com]
ad*@* | Any messages from accounts starting with [ad]
- The custom address filter formats of Synology MailPlus Server 2.0.0 and onward are not the same as those of the previous versions. The blacklist and whitelist of the previous versions are now merged into a single file. When users import rules from a previous version, the system will determine the version of the rules and decide whether they are for the whitelist or blacklist based on the file name of the imported rules. Users need to check the file name before importing the file. If the system fails to determine whether the rules belong to the blacklist or whitelist, a window will pop up to ask the users to decide.
To enable automatic spam-learning:
After the anti-spam engine starts running, you can train Synology MailPlus Server to better detect spam with specialized algorithms.
- Go to Spam, click Edit anti-spam setting, and go to Auto learning.
- Tick Auto learning.
- Specify the following spam score settings:
- Mark as spam if score is higher than: The spam threshold set in General is displayed here.
- Learn as spam if score is higher than: Set the spam threshold for auto learning.
- Learn as non-spam if score is lower than: Set the non-spam threshold for auto learning.
- Tick Enable spam reporting to allow client users to report spam and false spam using Synology MailPlus or a third-party mail client (e.g., Microsoft Outlook):
- Forward spam to: Enter an email address that reported spam will be forwarded to.
- Forward false spam to: Enter an email address that reported false spam will be forwarded to.
- Click Reported Spam to view all reported spam and false spam, and manage them as follows:
- View: Click to view a reported message in plain text.
- Learn: Click Learn or Learn All to train the system for spam detection.
- Delete: Click to remove a reported message incorrectly identified by a client user.
- Original Mail: Click to view a reported message in plain text and its mail headers.
- To set a learning schedule, tick Set daily schedule for learning reported spam and specify the time.
- Click OK to save the settings.
Note:
- To help client users report spam and false spam from a third-party mail client (e.g., Microsoft Outlook), do the following:
- Provide them with the email addresses specified in Forward spam to and Forward false spam to for reporting.
- Ask them to use the client's built-in feature to forward such messages as an attachment to the provided email addresses. If not forwarded as an attachment, the messages cannot successfully reach Synology MailPlus Server.
To enable DNSBL:
DNSBL (DNS-based Blackhole List) filters out spam based on a list of IP addresses of computers or networks that is published through the Internet Domain Name System (DNS).
- Tick Enable postscreen protection against spams.
- Click DNSBL Settings to manage the DNSBL server list.
- Click Create. Input a DNSBL server and the corresponding score, and click OK.
- Click Settings. Input the DNSBL score threshold and click OK.
- Once this is set up, each DNSBL server that regards a mail client as a spam mail client adds its corresponding score to that client. When the total score exceeds the threshold, the mail client will be disconnected.
- Click Apply to save your settings.
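The scoring described above, as an added example that is not Synology's code: each DNSBL server is queried with the client's IPv4 octets reversed in front of the server's zone, and the scores of the servers that list the client are summed against the threshold. The zones bl-a.example and bl-b.example, their scores, and the in-memory resolver are constructed so the example runs offline.

```python
import ipaddress

# Constructed sample data standing in for DNS: query name -> A record.
# The zones bl-a.example and bl-b.example are hypothetical DNSBL servers.
SAMPLE_ZONE_DATA = {
    "2.2.0.192.bl-a.example.": "127.0.0.2",
    "2.2.0.192.bl-b.example.": "127.0.0.4",
    "7.113.0.203.bl-b.example.": "127.0.0.2",
}
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

def sample_resolver(name):
    """Stand-in for a DNS A lookup; None means NXDOMAIN (not listed)."""
    return SAMPLE_ZONE_DATA.get(name)

def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."

def dnsbl_score(client_ip, servers, resolver=sample_resolver):
    """Return (total score, zones that list the client)."""
    total, hits = 0, []
    for zone, score in servers.items():
        answer = resolver(dnsbl_query_name(client_ip, zone))
        # A listing is an A record inside 127.0.0.0/8; ignore anything else.
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            total += score
            hits.append(zone)
    return total, hits

def should_disconnect(client_ip, servers, threshold, resolver=sample_resolver):
    """Disconnect only when the total score exceeds the threshold."""
    return dnsbl_score(client_ip, servers, resolver)[0] > threshold

SERVERS = {"bl-a.example": 2, "bl-b.example": 1}  # hypothetical server: score

if __name__ == "__main__":
    for ip in ("192.0.2.2", "203.0.113.7", "198.51.100.9"):
        print(ip, dnsbl_score(ip, SERVERS), should_disconnect(ip, SERVERS, 2))
```

With a threshold of 2, a client listed only on the lower-scored server stays connected, which is why assigning scores by list reliability limits the effect of a single false listing.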
To enable the greylist function:
Greylist is a mechanism for blocking spam emails. The greylist function returns a temporary error to mail clients. Most spam mail clients do not retry after a submission has been rejected, so their spam delivery is blocked. Non-spam mail clients, however, will try to deliver emails again at a later time, and this time they will not be blocked by the greylist function. In this way, non-spam emails can be delivered normally.
- Tick Enable greylist to enhance spam detection by temporarily rejecting suspicious incoming mail.
- To perform different actions for different IP/domains, please click Greylist Settings to refine your settings.
- Click Create.
- Specify the criteria for the rule, for example:
- Specify an IP range "192.168.0.0/24" as the target.
- Specify a domain "example.com" as the target. The system will check the domain information through the sender's DNS server and see if it matches the domain set in the greylist.
- Select an action:
- Blacklist: Immediately end the connection.
- Greylist: Return a temporary error. When the mail client resends the message after the greylist time period, the message will be accepted and the mail client will be added to the whitelist.
- Whitelist: Immediately accept the message.
- Click OK.
- To change the default action and the greylist time period, please click Settings to edit them.
- Click Apply.
Note:
- The greylist function may cause some emails to be delayed in delivery. After the mail client passes the greylist test, all its messages will be delivered immediately.
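The greylist decision described above, as an added example that is not Synology's implementation: rules map an IP range to Blacklist, Greylist or Whitelist, and a greylisted client is accepted and remembered once it retries after the greylist time period. The class name, the first-match rule order, the 300-second period and the sample addresses are assumptions; domain-based rules are left out because they need DNS.

```python
import ipaddress

class Greylist:
    """Per-network rules plus a default action (hypothetical helper)."""

    def __init__(self, rules, default="greylist", delay=300):
        # rules: list of (CIDR, action); first match wins (assumption).
        self.rules = [(ipaddress.ip_network(n), a) for n, a in rules]
        self.default = default
        self.delay = delay        # greylist time period, in seconds
        self.first_seen = {}      # client IP -> time of first deferred attempt
        self.passed = set()       # clients that passed the greylist test

    def action_for(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for net, action in self.rules:
            if ip in net:
                return action
        return self.default

    def check(self, client_ip, now):
        """Return 'accept', 'defer' (temporary error) or 'reject'."""
        action = self.action_for(client_ip)
        if action == "whitelist":
            return "accept"
        if action == "blacklist":
            return "reject"
        if client_ip in self.passed:
            return "accept"       # already passed: delivered immediately
        first = self.first_seen.setdefault(client_ip, now)
        if now - first >= self.delay:
            self.passed.add(client_ip)   # retried after the period
            return "accept"
        return "defer"

if __name__ == "__main__":
    # Constructed delivery attempts: (seconds since start, client IP).
    gl = Greylist([("192.168.0.0/24", "whitelist"),
                   ("198.51.100.0/24", "blacklist")])
    attempts = [(0, "192.168.0.10"), (0, "198.51.100.5"), (0, "203.0.113.9"),
                (60, "203.0.113.9"), (400, "203.0.113.9"), (401, "203.0.113.9")]
    for t, ip in attempts:
        print(t, ip, gl.check(ip, t))
```

A retry that arrives before the period has elapsed is deferred again, so the delay the note mentions is at least one full greylist period for a first-time sender.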
Antivirus
You can run an antivirus engine to scan all incoming and outgoing messages for viruses. When a message is found infected, the system will delete/quarantine the message and send notifications to related recipients.
To enable the antivirus engine:
- Go to Security > Antivirus > Antivirus.
- Tick Enable Anti-Virus Engine.
- Go to Select engine to select an antivirus engine:
- ClamAV: A free and open-source antivirus engine
- McAfee: An antivirus engine that requires the Antivirus by McAfee package (purchasable at Package Center) running on the Synology NAS
- When ClamAV is selected as the antivirus engine, consider the auxiliary options below:
- Use Google SafeBrowsing database: The system will use Google's SafeBrowsing database to detect malicious links in emails.
- Use other third-party databases: The system will download virus definitions from third-party websites to improve virus detection accuracy.
- Auto-update virus definitions: Select to update virus definitions by the set daily schedule.
- Click Apply to save the settings.
Note:
- Only models with 512 MB RAM or more can auto-update virus definitions.
- Running antivirus scanning will consume around 300 MB RAM.
- Using Google's SafeBrowsing database or third-party databases for ClamAV may demand more system memory.
- To fine-tune the McAfee antivirus engine, go to the Antivirus by McAfee package to change relevant settings.
To manage infected messages:
When infected messages are detected, the system will react according to custom action policies.
- Go to Security > Antivirus > Actions.
- Go to Anti-virus action to define how to manage an infected message:
- Delete mail: An infected message will be deleted without reaching intended recipients.
- Save to quarantine: An infected message will be quarantined without reaching intended recipients. Click Quarantine List to view and manage quarantined messages.
- Deliver anyway: An infected message will be allowed through to intended recipients.
- To notify recipients of an infected message when it is deleted or quarantined, tick Send notifications to recipients after deleting or quarantining viruses. Click Template Settings to customize notifications.
- To mark infected messages, select Add subject prefix to infected mail and specify the text to appear on their subjects.
- Click Apply to save the settings.
Authentication
You can enable authentication mechanisms to validate inbound emails and reduce spam. When this mechanism is enabled, an inbound email will go through all of the following verification processes. If the user opens an email that does not pass any of the verification processes, a warning dialog will appear to remind the user to verify the email source.
To enable SPF verification:
- Tick Enable SPF verification to verify the sender identity and detect forged sender addresses.
- Tick Reject SPF softfail if necessary. Emails that have softfail verification results will be rejected.
To enable DKIM verification:
- Tick Enable DKIM verification on inbound emails to check for a valid DKIM signature on incoming emails. Emails rejected by DKIM will be moved to the Spam folder of Synology MailPlus client, and a warning will appear when users view such emails.
- Under Minimum key length for DKIM verification, select a value from the drop-down menu. Emails with DKIM keys shorter than the set value will be rejected. Lowering the value will allow emails with shorter keys to pass the verification. However, we recommend setting a longer key length so that emails from less secure domains with shorter keys cannot pass the verification.
To enable DKIM signing and create DKIM whitelist:
- Go to Domain and double-click the domain. Click the Advanced button. In the DKIM section, you can enable DKIM signing so that all the corresponding outbound emails from the domain will be signed with DKIM.
- Go to Security > Authentication > DKIM and click the Whitelist button to specify an internal host or subnet in the whitelist. Corresponding outbound emails sent from the specified source via Synology MailPlus, third-party mail clients, and the terminal will carry a DKIM signature.
To enable DMARC:
- Tick Enable DMARC to validate the senders' email domains. Emails quarantined by DMARC will be moved to the Spam folder of Synology MailPlus client, and a warning will appear when users view such emails.
- Update your DNS records using a TXT record, so that your outbound emails will be able to pass DMARC authentication of other mail servers. The TXT record should be added as follows:
- TXT record name: _dmarc.[your domain]
([your domain] should be replaced with your domain name. Example: _dmarc.example.com)
- TXT record value: v=DMARC1; p=[Policy for domain]; pct=[% of messages subjected to filtering]; rua=[Reporting URI of aggregate reports]
(Example: v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com)
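A check to run on the TXT value before publishing it, as an added example that is not part of MailPlus: it parses the record into tags and reports the mistakes that make receiving servers ignore a DMARC record (v=DMARC1 not first, an unknown policy, pct outside 0 to 100, a malformed rua address). The function names are hypothetical; the first sample record is the page's own example and the others are constructed.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# mailto URI with an optional size limit suffix such as !10m
RUA_RE = re.compile(r"mailto:[^@\s,]+@[^@\s,!]+(![0-9]+[kmgt]?)?")

def dmarc_record_name(domain):
    """TXT record name for a domain, e.g. _dmarc.example.com."""
    return "_dmarc." + domain.strip(".")

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"tag without value: {part}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    return tags

def check_dmarc(txt):
    """Return a list of problems; an empty list means the record is usable."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer from 0 to 100")
    for uri in (u.strip() for u in tags.get("rua", "").split(",")):
        if uri and not RUA_RE.fullmatch(uri):
            problems.append(f"rua is not a mailto URI: {uri}")
    return problems

if __name__ == "__main__":
    for record in ("v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com",
                   "p=quarantine; v=DMARC1",              # constructed: wrong order
                   "v=DMARC1; p=quarentine; pct=120"):    # constructed: typos
        print(record, "->", check_dmarc(record) or "ok")
```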
Content Scan
You can configure the system to filter emails by attachment file types and scan messages for potentially dangerous content.
To filter emails by attachment file types:
- Click the Attachment Filter button.
- Click Create to enter file types. Emails that contain attachments of the listed file types will be rejected.
Note:
- Please enter the file types using simple regular expressions. For example, if you enter vb[es], emails that contain the vbe and vbs file types will be rejected.
To scan emails for dangerous content:
- Tick Enable dangerous content scan.
- Tick the desired boxes:
- Reject partial messages: Since these messages cannot be scanned properly for viruses and inappropriate content, they will be rejected to avoid potential virus infection.
- Reject external message bodies: Messages that have bodies stored elsewhere on the Internet will be rejected to avoid fetching viruses from other Internet sites when downloading the message bodies.
- Highlight phishing fraud: The sections containing potential phishing fraud will be highlighted in the messages.
- Convert HTML into plain text: If HTML messages contain dangerous tags, they will be converted to plain text to make the HTML harmless, while still allowing you to read the text content.
- Reject: Reject messages containing the corresponding tags.
- Allow: Allow corresponding tags in messages.
- Make tags ineffective: Allow corresponding tags in messages but make them ineffective so that users are still able to see the text content.
- Click Apply to save settings.