Email tab

The Configuration: Email tab is available for the Sensor or All-In-One (Pinbox). It is used to configure email analysis. See the Email pages for information on how the appliances analyze email attachments.

The appliance can analyze email in a number of ways:

  • Inspect SMTP traffic You must enable a sniffing Sensor which then sniffs network traffic and processes all the email extracted from SMTP exchanges seen on the wire.

  • MTA (no delivery) The appliance accepts SMTP traffic on TCP port 25 that is forwarded to it by your main mail server.

  • MTA The appliance processes messages inline to the email transfer chain. It accepts messages from an upstream mail server on TCP port 25. It forwards any non-blocked email to upstream servers. You configure the upstream servers and other options in this section.

  • POP3/IMAP Inspect the contents of a local mailbox that acquires messages using the POP3 or IMAP protocols.

Note:

Only one mode at any time can be enabled on the appliance.

You can set the following configuration options:

Email analysis

If Enabled, the Sensor is configured to perform email analysis.

Inspect SMTP traffic

If Enabled, the Sensor is configured to sniff SMTP traffic from the wire and analyze it.

Note:

You must enable traffic sniffing before the Sensor can sniff SMTP traffic.

To expose most of the following options, you must toggle Inspect SMTP traffic to Disabled.

Email protocol

From the pull-down menu, select IMAP, POP3, MTA, or MTA (no delivery).

If MTA is selected, an SMTP server will be running on the Sensor, listening on TCP port 25. To analyze email, configure your mail server to forward a copy of your messages to the Sensor.

If IMAP or POP3 are selected, the rest of the settings are similar to any email client. You configure an email user and allow the Sensor to download emails from a predetermined mailbox in the organization. To analyze email, configure your mail server to forward a copy of your messages to this user.

Warning:

The Sensor deletes messages from this user inbox after processing them.

IMAP/POP3 mode

Email server

Mail server to connect to in IMAP or POP3 mode.

Email port

TCP Port to use to connect to the mail server in IMAP or POP3 mode.

Email username

Name of username to use to log into the mail server in IMAP or POP3 mode.

Warning:

The Sensor deletes messages from this user inbox after processing them.

Email password

Password to use to log into the mail server in IMAP or POP3 mode.

IMAP OAUTH

This toggle appears in IMAP mode. When Enabled, the Sensor uses OAuth authentication to authorize access to the IMAP mailbox. The Email username, Email password, and Use SSL for downloading emails fields and toggles are disabled.

To fully enable OAuth authentication, you must login to the Sensor appliance console (refer to the Sensor Installation and Administration guide for login details) and run the llmail_oauth_authorise script.

The script expects an application_id as input. This is the identifier of an Azure Application that is authorized to use the IMAP protocol to access users. See Register your application for more details.

Note:

The IMAP OAuth integration has only been tested against Microsoft Office 365. It may also work with other providers.

Use SSL for downloading emails

If Enabled in IMAP or POP3 mode, use SSL encryption when downloading emails.

Email polling interval (seconds)

The default polling interval for new mail messages is 60 seconds. Adjust this to suit the amount of email traffic seen in your network.

Sender source

Use the radio buttons to specify the header to use as the sender for reporting email:

  • Mail header-From
  • Mail header-Sender
  • Manually specify an email header
Recipient source

Use the radio buttons to specify the header to use as the recipient for reporting email:

  • Mail header-To
  • Manually specify an email header

MTA (no delivery) mode

Use SSL/TLS to receive emails

If Enabled in MTA (no delivery) or MTA mode, use SSL/TLS encryption to receive emails. Do not enable this if you want to use STARTTLS for incoming emails.

Allowed connections

Specify networks, using CIDR notation, that are allowed to connect to the Sensor. Leaving this empty allows all connections.

Sender source

Same as IMAP/POP3 mode plus:

  • SMTP envelope-MAIL FROM
Recipient source

Same as IMAP/POP3 mode plus:

  • SMTP envelope-RCPT TO
Accepted recipient domains

Enter a regular expression to match against recipient domains that should be accepted by the Sensor. Any domains that do not match will be dropped.

Leaving this empty allows all domains.

MTA mode

Note:

All the configuration options from the MTA (no delivery) mode also apply to this mode.

Next-hop destinations

The Next-hop destinations widget is used to define the SMTP servers to which emails will be delivered once analyzed. Click the plus (add next-hop) icon to add a custom, domain based, next-hop destination. The existing Default next-hop section is used for all messages destined for any domain not otherwise specified.

Next-hop destinations options:

Domain next-hop

Define the SMTP server(s) to which emails destined for a specified receiving domain(s) will be delivered pending analysis.

Click the minus icon to collapse the destination details.

Click the delete icon to remove the next-hop entry. The icon turns red and a Cancel link displayed. Click the icon again to remove the next-hop entry.

Receiving domains

Enter email receiving domains. Type a period (.) in front of the domain name as a wild-card for any sub-domain (for example, .acme.com). A higher specificity takes precedence. Type space or comma (,) to end a domain entry.

You cannot edit the Receiving domains for the default next-hop. The period (.) is a wild-card for any domain.

Destination server

Define the following options:

  • Priority Enter the priority of the next hop server. Use a value from 0 to 100.

  • Host IP or FQDN Enter the IP address or domain name of the next hop server.

  • Port Enter the port number that the next hop server is listening on. The default port is TCP 25.

  • Encryption Select None, SSL/TLS, or STARTTLS from the pull-down menu.

    Note:

    If you select STARTTLS encryption, you must ensure Use SSL/TLS to receive emails is not enabled.

  • Actions Click the delete icon to delete the entry.

Click the plus (Add destination) icon to add a row to define another destination server.

Use separate outgoing SMTP server for bounces

If Enabled, bounced messages will be processed by the DSN Next-hop destinations servers.

DSN Next-hop destinations

The DSN Next-hop destinations widget is used to define the SMTP servers to which bounced emails will be delivered for further processing.

DSN Next-hop destinations options are the same as Next-hop destinations options.

Notify sender on bounce

If Enabled, notify the sender if the message is bounced by the next-hop server.

Always notify on bounce

Enter the email address of a user to notify in the event of a message bouncing.

Sender of failure notifications

Define the email address provided as the sender of bounced messages. You should use an address similar to no-reply@example.com.

Malicious subject tag

Define a prefix to add to the subject header of a message with suspicious or malicious content. Click the checkbox icon to disable this prefix.

Template for text added to email with suspicious/malicious content

Define a warning to be added to the body of the message with suspicious or malicious content. The system will insert information about the type of content discovered if you provide the variable {malicious-content}.

Inline warning

Use the radio buttons to determine if the warning is prepended to the message as a separate MIME part (recommended) or at the beginning of the first text MIME part (needed for Outlook Web Mail).

X-Lastline headers

If Enabled, insert X-Lastline headers into messages that have been processed by the Sensor.

Fail open configuration

Use the following options to configure the fail-open capabilities of the Sensor when it is configured to process email in full MTA mode:

Fail open on analysis

If Enabled, deliver new messages to the next-hop destination without further analysis if the analysis queue is full. In this condition, the Sensor is not capable of accepting further messages for analysis. This only occurs when there are severe issues with the Sensor and should not be considered normal.

When disabled, the Sensor will reject new incoming messages. These messages are rejected at the SMTP level, relying on the previous hop to react to the rejection by rerouting the messages via a fail-open destination.

Auto disable Analyst analysis

If Enabled, deliver messages that require in-depth analysis to the next-hop destination if the Analyst becomes unreachable.

The Sensor will attempt to identify permanent down-times of the Manager and the file analysis API by detecting subsequent upload failures. Once a sufficient number of upload failures is detected, analyst analysis will be disabled and messages requiring in-depth analysis will be allowed through without being fully analyzed.

Analysis timeout

Set the maximum time in seconds the Sensor is allowed to delay a message while performing analysis. The default is 3,600 seconds (1 hour). Once processing the message exceeds the configured threshold, it will be allowed through without being fully analyzed. Messages are not expected to be held by the Sensor for a long time. Any such occurrences are probably a software or hardware issue. In this case a warning will be inserted into the monitoring logs.

Set the timeout value to zero to disable fail-open on analysis processing time. The Sensor can detain messages for an indefinite amount of time.

Analyst analysis timeout

Set the maximum time in seconds the Sensor is allowed to delay a message in the event that the Analyst is required to perform an in-depth analysis. The default is 1,800 seconds (30 minutes).

Quarantine configuration

Use the following options to configure the quarantine rules of the Sensor:

Local quarantine enabled

If Enabled and the Sensor is also configured to drop messages that contain malicious URLs and/or attachments, the dropped messages are stored on the local filesystem in a quarantine. These quarantined messages can either be deleted or released to the original recipient.

Local quarantine is enabled by default. Disabling it causes dropped messages to be deleted immediately and is not recommended.

Local quarantine storage

The amount of local filesystem space on the Sensor to reserve for quarantined messages. When this amount is exceeded, the oldest message will be removed.

When a message is removed due to this retention setting, the quarantine log is updated accordingly.

Local quarantine duration

The maximum number of days the mail sensor is allowed to quarantine an email message. When this amount is exceeded, messages that are older than the allowed number of days will be removed.

When a message is removed due to this retention setting, the quarantine log is updated accordingly.

Attachments

Inspect attachments

If Enabled, messages will be extracted and inspected for malicious attachments. This is on by default.

Drop emails with malicious attachments

If Enabled, messages with malicious attachments will be dropped.

This option is only available for MTA mode.

Attachment policy

Define the attachment policy from the pull-down menu. Select from Block, Warn, or Do not add in-line warning:

  • Block deletes any malicious attachments from the message. A prefix is added to the email subject, indicating the action taken. If the drop policy is enabled, this option is not available.
  • Warn preserves any malicious attachments, but warns the recipient. A prefix is added to the email subject, indicating the action taken.
  • Do not add in-line warning does no modification to the email or subject.

This option is only available for MTA mode.

Template for text used to replace blocked attachments

If Block is your selected attachment policy, this textbox is displayed. You can edit the example text. You should include the variables {original-filename} and {malicious-content}. The system uses these variables to insert information about the type of content discovered. The text is added to the message.

This option is only available for MTA mode.

Thresholds

Adjust the levels at which the system blocks or warns about malicious content with the sliders.

This option is only available for MTA mode.

URLs

Inspect URLs

If Enabled, the email body will be inspected for malicious URLs.

Drop emails with malicious URLs

If Enabled, messages with malicious URLs will be dropped.

This option is only available for MTA mode.

URL policy

Define the URL policy from the pull-down menu. Select from Block, Warn, or Do not add in-line warning:

  • Block deletes any malicious attachments from the message. A prefix is added to the email subject, indicating the action taken. If the drop policy is enabled, this option is not available.
  • Warn preserves any malicious attachments, but warns the recipient. A prefix is added to the email subject, indicating the action taken.
  • Do not add in-line warning does no modification to the email or subject.

This option is only available for MTA mode.

Text used to replace blocked URLs

If Block is your selected URL policy, this textbox is displayed. You can edit the example text. The text is added to the message.

This option is only available for MTA mode.

Thresholds

Adjust the levels at which the system blocks or warns about malicious content with the sliders.

This option is only available for MTA mode.

When you are done, click the Save and deploy button to enable your changes. Otherwise click Cancel to discard any changes.

If you have not made any changes, click the Retrigger configuration button to reload the appliance configuration.

Click Back to appliance list to return to the Overview tab