Security
On the Security page, you can enable spam filters, antivirus scanning, or blacklist and whitelist to protect your Synology MailPlus Server and its clients.
Antispam
Set up spam filters and configure auto-learning to achieve accurate and flexible spam detection.
To enable the antispam engine:
Edit the general antispam settings for flexible spam control.
- Go to Antispam and tick Enable antispam engine.
- Click Update Settings to set a daily schedule to download the latest antispam rules. You can also click Manual Update to update immediately.
- Under Spam control, you can find the following options:
  - Add the following to spam subjects: Adds the custom text to the subject of spam messages for easy identification.
  - Auto whitelist: Once any MailPlus user has replied to an external email address, the spam scores of emails from that address will go down by four points.
  - Encapsulate spam as attachment: Reports spam as an attachment encapsulated in a new message. You can choose As plain text only to avoid web bugs and malicious scripts.
- Specify how long to keep spam messages in the Delete spam interval (days). Spam messages will be automatically deleted after the specified days.
- Save the settings to complete the basic configuration. Refer to the following section to create custom rules and filters.
To configure advanced antispam settings:
Create filters and define rules to customize your antispam engine.
- Go to Antispam.
- Under Spam control, click Custom Spam Filter to set up the following two kinds of filters:
  - Address Filter: Click Create to add spam or non-spam filters based on sender and recipient addresses. Click Tools to import or export relevant rules for use.
  - Attachment Filter: Click Create to add spam filters based on attachment file types.
- Also under Spam control, click Advanced to edit the following settings:
  - Mark as spam if score is higher than: Select a spam score threshold. A message that exceeds the threshold will be marked as spam.
  - SpamAssassin Rules: SpamAssassin rules are open-source rules that help target specific spam types. Click the button to import or export a .cf file containing your SpamAssassin rules.
  - Keyword Filter:
    - Click Create to specify keywords and the corresponding spam scores (a positive score for spam likelihood; a negative score for spam unlikelihood).
    - Tick the checkbox in the Enable column to enable or disable a filter.
    - Click Group Settings to group multiple keyword filters together so that you can quickly enable or disable a group of filters as a whole.
    - Select the group from the Group drop-down menu to switch among different groups.
    - Remember to click Save every time you make changes to a filter or a group.
- Save the settings.
To enable automatic spam learning:
Train your MailPlus Server to better detect spam with specialized algorithms.
- Go to Antispam.
- Under Spam control, click Advanced > Auto learning.
- Enable Auto learning.
- Specify the following score settings:
  - Mark as spam if score is higher than: The spam threshold set in the General tab will be displayed here.
  - Learn as spam if score is higher than: Set the spam threshold for auto-learning.
  - Learn as non-spam if score is lower than: Set the non-spam threshold for auto-learning.
- Tick Enable spam reporting to allow client users to report spam and false spam from Synology MailPlus or a third-party email client (e.g., Microsoft Outlook).
  - Forward spam to: Enter an email address where the reported spam should be sent.
  - Forward false spam to: Enter an email address where the reported false spam should be sent.
- Click Reported Spam to check all the reported spam and false spam and manage them as follows:
  - View: Click to view a reported message in plain text.
  - Learn and Learn All: Click to train the system for better spam detection.
  - Delete: Click to remove a reported message incorrectly identified by a client user.
  - Original Mail: Click to view a reported message in plain text and its email headers.
- Tick Set daily schedule for learning reported spam to schedule the learning activities.
- Save the settings.
Note:
- For accurate spam detection, enable Auto whitelist after Auto learning has been enabled for some time.
- You can download SpamAssassin rules from this website.
- To create custom SpamAssassin rules, do the following:
  - Refer to this website to create your rules.
  - Save the rules as a .cf file for the import.
- In the Custom Spam Filter, you can set the rules using the following patterns:

| Patterns | Targets |
| --- | --- |
| admin@domain | Any messages from the email address [admin@domain] |
| admin@* | Any messages from the account [admin] |
| domain | Any messages from the domain [domain] |
| *.com | Any messages from a domain ending with [.com] |
| ad*@* | Any messages from an account starting with [ad] |

- Please enter the file types using simple regular expressions. For example, if you enter vb[es], emails that contain the vbe and vbs file types will be rejected.
- To help client users report spam and false spam from a third-party email client (e.g., Microsoft Outlook), do the following:
  - Provide them with the email addresses specified in Forward spam to and Forward false spam to.
  - Ask them to use the client's built-in feature to forward such messages as an attachment to the provided addresses. If not forwarded as an attachment, the messages cannot reach MailPlus Server.
- MailPlus Server needs at least 200 reported spam messages and at least 200 reported non-spam messages before it applies the results of auto-learning to spam detection.
To enable DNSBL:
A DNSBL (DNS-based Blackhole List) is a list, published through the Internet Domain Name Service (DNS), of the IP addresses of computers or networks. It helps filter out spam based on the IP address of the sending host.
- Go to Antispam.
- Under DNSBL, tick Enable postscreen protection against spam.
- Click DNSBL Settings to manage the server list.
  - Click Create. Input a DNSBL server and the corresponding score.
  - Click Settings. Input the DNSBL score threshold to reject services when an email client's total score exceeds the value specified here.
- Save the settings.
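How the per-server scores and the threshold combine, as an added example (not Synology's code). It assumes the usual DNSBL lookup convention for IPv4 (reversed octets prepended to the list's zone); the zone names, scores, threshold and the offline stand-in for DNS are all constructed.

```python
import ipaddress

# Constructed server list (zone, score), as it would be entered under DNSBL Settings.
SERVERS = [("bl.example.net", 3), ("dnsbl.example.org", 2), ("list.example.com", 1)]
THRESHOLD = 3  # constructed DNSBL score threshold

def query_name(client_ip, zone):
    """DNS name looked up for an IPv4 client: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def total_score(client_ip, servers, resolve):
    """Add up the scores of every list that has an entry for the client.

    resolve(name) must return True if the name has an A record (listed)
    and False if it does not exist (not listed).
    """
    return sum(score for zone, score in servers
               if resolve(query_name(client_ip, zone)))

def decide(client_ip, resolve, servers=SERVERS, threshold=THRESHOLD):
    """Reject when the total exceeds the threshold, following the page's wording."""
    score = total_score(client_ip, servers, resolve)
    return ("reject" if score > threshold else "accept"), score

# Constructed stand-in for DNS so the example runs offline: names that "resolve".
LISTED = {
    "7.113.0.203.bl.example.net",
    "7.113.0.203.dnsbl.example.org",
    "9.100.51.198.list.example.com",
}

def stub_resolve(name):
    return name in LISTED

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(ip, decide(ip, stub_resolve))
```

A client listed only on a low-scoring server stays under the threshold, which is why less reliable lists are usually given smaller scores.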
To enable the greylist function:
When there is a new message, the system will check if there are records of the same IP address, sender, or recipient. If no records are found, the message will be considered suspicious, and an error message will be sent to its sender, requesting the sender to send the message again later. Generally, ordinary senders will try to send messages again at a later time, while most spam senders will just give up sending. The greylist function blocks spam based on different reactions of the two.
- Go to Antispam.
- Under Greylist, tick Enable greylist to enhance spam detection by temporarily rejecting suspicious incoming mails.
- Click Greylist Settings to apply different actions to messages from different IP addresses or domains.
  - Click Create.
  - Specify the rule criteria:
    - Source: Enter an IP range such as "192.168.0.0/24".
    - Domain: Enter a domain name such as "example.com". The system will check the sender's DNS information and see if it matches the domain name listed on the greylist.
  - Select an action:
    - Blacklist: Immediately ends the connection.
    - Greylist: Returns a temporary error. When the email client resends the message after the greylist time, the message will be accepted and the email client will be added to the whitelist for future recognition.
    - Whitelist: Immediately accepts the message.
  - Click Settings to edit the default action and the greylist time period.
- Save the settings.
Note:
- The greylist function may cause emails to be delayed in delivery.
- Once an email client has passed the greylist test, all its messages will be delivered immediately.
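The greylist decision described above, as an added simulation (not MailPlus Server's implementation). It models Source rules only, keys first-seen records on the (IP, sender, recipient) triplet as an assumption, and uses constructed addresses and a constructed 300-second greylist time.

```python
import ipaddress

class Greylist:
    def __init__(self, delay_s=300, rules=()):
        self.delay_s = delay_s        # greylist time in seconds (constructed value)
        self.rules = [(ipaddress.ip_network(net), act) for net, act in rules]
        self.first_seen = {}          # (ip, sender, rcpt) -> time of first attempt
        self.passed = set()           # client IPs that have passed the greylist test

    def check(self, ip, sender, rcpt, now):
        """Outcome of one delivery attempt at time `now`: drop, defer or accept."""
        addr = ipaddress.ip_address(ip)
        for net, action in self.rules:        # first matching Source rule decides
            if addr in net:
                if action == "blacklist":
                    return "drop"             # connection ended immediately
                if action == "whitelist":
                    return "accept"           # accepted without any delay
                break                         # "greylist": continue below
        if ip in self.passed:
            return "accept"                   # already proved it retries
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay_s:
            return "defer"                    # temporary error: try again later
        self.passed.add(ip)                   # retried after the greylist time
        return "accept"

def demo():
    """Constructed session: a normal server that retries and two rule matches."""
    g = Greylist(rules=[("192.168.0.0/24", "whitelist"),
                        ("198.51.100.0/24", "blacklist")])
    return [
        g.check("203.0.113.5", "ann@example.org", "bob@example.com", 0),    # first try
        g.check("203.0.113.5", "ann@example.org", "bob@example.com", 60),   # too early
        g.check("203.0.113.5", "ann@example.org", "bob@example.com", 400),  # retry
        g.check("203.0.113.5", "carl@example.org", "amy@example.com", 401), # new mail
        g.check("192.168.0.10", "app@example.com", "bob@example.com", 0),
        g.check("198.51.100.1", "x@example.net", "bob@example.com", 0),
    ]

if __name__ == "__main__":
    print(demo())
```

A sender that never retries stays at "defer" indefinitely, while a retry that arrives before the greylist time has elapsed is deferred again rather than accepted.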
Antivirus
Run an antivirus engine to scan all incoming and outgoing messages for viruses. When a message is found infected, the system will delete or quarantine the message and send notifications to the related recipients.
To enable the antivirus engine:
- Go to Antivirus.
- Tick Enable antivirus engine.
- Select either of the following antivirus engines:
  - ClamAV: A free and open-source antivirus engine
  - McAfee: A paid antivirus engine that requires Antivirus by McAfee (purchasable at Package Center) to run on the Synology NAS
- Click Update Settings to set a daily schedule to update the virus definitions. You can also click Manual Update to update immediately.
- When ClamAV is selected as the antivirus engine, consider the additional options below:
  - Use Google Safe Browsing database to detect malicious links in emails
  - Use third-party databases to download their virus definitions
- Save the settings.
Note:
- To ensure smooth running of security engines, we recommend using Synology NAS models with at least 2 GB RAM.
- Running antivirus scanning will consume around 300 MB RAM.
- Using Google Safe Browsing database or any other third-party database for ClamAV may demand more memory.
- If you need to fine-tune the McAfee engine, launch Antivirus by McAfee to edit the relevant settings.
To manage infected messages:
When an infected message is detected, the system will react according to user-defined policies.
- Go to Antivirus.
- Choose what to do with an infected message from the Antivirus action menu:
  - Delete mail: Deletes the message. The message will not be sent to the intended recipient.
  - Save to quarantine: Holds the message in the quarantine. The message will not be sent to the intended recipient. Click Quarantine List at the bottom of the page to view and manage the quarantined messages.
  - Deliver anyway: Allows the message to reach the intended recipient.
- To mark infected messages, tick Add subject prefix to infected mail and specify the text that will appear on the message subject.
- To notify recipients of an infected message when it gets deleted or quarantined, tick Send notifications to recipients after deleting or quarantining viruses. Click Template Settings to define the notification content.
- Save the settings.
Authentication
Apply authentication mechanisms to validate inbound emails and reduce spam. With authentication enabled, an inbound email needs to go through all the verification processes. When the user opens an email that does not pass the verification, a warning message will pop up to remind the user of the suspicious email.
To enable SPF verification:
- Go to Authentication.
- Tick Enable SPF verification to verify the sender identity and detect forged sender addresses.
- Tick Reject SPF softfail to reject emails with softfail verification results.
- Save the settings.
To enable DKIM verification:
- Go to Authentication.
- Tick Enable DKIM verification on inbound emails to check for a valid DKIM signature on incoming emails. Emails rejected by DKIM will be moved to the Spam folder of the MailPlus client, and a warning message will pop up when users open such emails.
- Under Minimum key length for DKIM verification, select a value from the drop-down menu. Emails with DKIM keys shorter than the set value will be rejected. Lowering the value will allow emails with shorter keys to pass the verification. Thus, we recommend setting a longer key length so that emails from less secure domains with shorter keys cannot pass the verification.
- Save the settings.
To enable DKIM signing and create a DKIM whitelist:
- Go to Domain and double-click the domain in use.
- At the General tab, click Advanced.
- Tick Enable DKIM signing on outbound emails, so that all the emails from the domain will carry a DKIM signature.
- Go to Security > Authentication > DKIM and click Whitelist to add an internal host or subnet to the whitelist. Outbound emails sent from the specified source via Synology MailPlus, a third-party email client, or the terminal will all carry a DKIM signature.
- Save the settings.
To enable DMARC:
- Go to Authentication.
- Tick Enable DMARC to validate the senders' email domains. Emails quarantined by DMARC will be moved to the Spam folder of the MailPlus client, and a warning message will pop up when users open such emails.
- Update your DNS records using a TXT record, so that your outbound emails will be able to pass DMARC authentication of other email servers. The TXT record should be added as follows:
  - TXT record name: _dmarc.[your domain]
    [your domain] should be replaced with your actual domain name. Example: _dmarc.example.com
  - TXT record value: v=DMARC1; p=[Policy for domain]; pct=[% of messages subjected to filtering]; rua=[Reporting URI of aggregate reports]
    Example: v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com
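A way to check the TXT value before publishing it, as an added example (not part of MailPlus Server). It covers only the four tags shown above, using the constraints from the DMARC specification (RFC 7489); the function names are hypothetical.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def record_name(domain):
    """TXT record name for a domain, e.g. example.com -> _dmarc.example.com."""
    return "_dmarc." + domain.strip(".").lower()

def parse_dmarc(value):
    """Split a DMARC TXT value into a tag -> value dict, keeping tag order."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing semicolon
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        tags[name.strip().lower()] = val.strip()
    return tags

def check_dmarc(value):
    """Return a list of problems; an empty list means the value is well-formed."""
    try:
        tags = parse_dmarc(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # The version tag must come first and is case-sensitive.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")          # pct defaults to 100 when omitted
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for uri in (u.strip() for u in tags.get("rua", "").split(",")):
        if uri and not (uri.lower().startswith("mailto:") and "@" in uri):
            problems.append(f"rua is not a mailto: URI: {uri}")
    return problems

if __name__ == "__main__":
    print(record_name("example.com"))
    print(check_dmarc("v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com"))
    # The template pasted with its placeholders left in is flagged three times.
    print(check_dmarc("v=DMARC1; p=[Policy for domain]; "
                      "pct=[% of messages subjected to filtering]; "
                      "rua=[Reporting URI of aggregate reports]"))
```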
Content Scan
Configure the system to scan messages for potentially dangerous content.
To scan emails for dangerous content:
- Go to Content Scan.
- Tick Enable dangerous content scan.
- Enable the desired options below:
  - Reject partial messages: Since these messages cannot be scanned properly for viruses and inappropriate content, they will be rejected to avoid potential virus infection.
  - Reject external message bodies: Messages that have bodies stored elsewhere on the Internet will be rejected to avoid fetching viruses when downloading the message bodies.
  - Highlight phishing fraud: The sections containing potential phishing fraud will be highlighted to remind users of the risk.
  - Convert HTML into plain text: If HTML messages contain dangerous tags, they will be converted to plain text to make the messages harmless, while still allowing recipients to read the text content.
- Choose one of the following actions for each tag:
  - Reject: Rejects messages containing the corresponding tag.
  - Allow: Delivers messages containing the corresponding tag.
  - Make tags ineffective: Delivers messages containing the corresponding tag after making the tag ineffective so that recipients are still able to see the content.
- Save the settings.