
Mail Server Configuration

All domains that TUXGUARD Mail Gateway is configured to accept inbound mail should ensure that their mail servers are configured in such a way that:

  • All spam checks are disabled. This prevents wasted I/O performing checks that TUXGUARD Mail Gateway has already done, prevents backscatter (if those spam checks return an SMTP rejection while TUXGUARD Mail Gateway is delivering the message, the gateway is forced to generate a bounce message to the sender) and prevents support issues that might arise from inaccurate spam checks on the mailbox host.
  • All rate limits and throttling are disabled, otherwise this can cause delivery failures or delays.
  • All firewall SMTP proxies or protocol ‘helpers’ are disabled. For example: Cisco ESMTP/SMTP inspection, Cisco PIX fixup protocol SMTP (Mailguard), Watchguard SMTP Proxy, Endian Mail Proxy etc.
  • Invalid recipients are rejected at the SMTP level. This is very important to prevent backscatter and to prevent wasted I/O in TUXGUARD Mail Gateway.

If your mail server is capable of accepting spam results from an external system or can be configured with system-wide rules to deliver messages to a ‘Spam’ or ‘Junk’ folder, then you should configure it to do so on the presence of the header X-Spam-Flag: YES.

Microsoft Exchange 2003

See https://support.microsoft.com/en-us/kb/823866#bookmark-6

Microsoft Exchange 2007

See https://technet.microsoft.com/en-us/library/bb123891(v=exchg.80).aspx.

You can use the Exchange Management Shell to automatically route messages that TUXGUARD Mail Gateway determined to be spam to the users ‘Junk Email’ folder by running:

New-TransportRule "TUXGUARD_Mail_Gateway_Spam" -HeaderContainsMessageHeader "X-Spam-Flag" -HeaderContainsWords "YES" -SetSCL 6

Microsoft Exchange 2010

See https://technet.microsoft.com/en-us/library/bb123891(v=exchg.141).aspx for instructions if you use Edge Transport servers, or http://www.jjclements.co.uk/2010/09/23/exchange-2010-recipient-filtering-on-a-hub-transport-server/ if you only have a Hub Transport server.

You can use the Exchange Management Shell to automatically route messages that TUXGUARD Mail Gateway determined to be spam to the users ‘Junk Email’ folder by running:

New-TransportRule "TUXGUARD_Mail_Gateway_Spam" -HeaderContainsMessageHeader "X-Spam-Flag" -HeaderContainsWords "YES" -SetSCL 6

Microsoft Exchange 2013/2016

This requires an Edge Transport server to work correctly. See https://technet.microsoft.com/en-us/library/bb125187%28v=exchg.150%29.aspx for instructions on how to reject unknown recipients. You will need to enable both recipient filtering and the Recipient Lookup.

You can use the Exchange Management Shell to automatically route messages that TUXGUARD Mail Gateway determined to be spam to the users ‘Junk Email’ folder by running:

New-TransportRule "TUXGUARD_Mail_Gateway_Spam" -HeaderContainsMessageHeader "X-Spam-Flag" -HeaderContainsWords "YES" -SetSCL 6

Office 365

For a domain being protected by TUXGUARD Mail Gateway the following settings should be configured in the Office365 Exchange Admin Center. These rules ensure that Office365 honors any spam classification made by TUXGUARD Mail Gateway and delivers such mail to the user's ‘Junk’ folder, and that no other filtering is done by Office365.

Create the SMTP connector to accept email from the TUXGUARD Mail Gateway gateways.

Create the SMTP connector to send all outbound email through the TUXGUARD Mail Gateway gateways (this is optional; it is only required if outbound email is to be routed to DefederMX servers).

Then create the mail flow rule to correctly process email from the TUXGUARD Mail Gateway gateways.

In ‘mail flow’ -> ‘rules’, click the + icon and select the ‘Bypass spam filtering…’ option and enter the following settings:

Name: Honor TUXGUARD Mail Gateway classifications

Apply this rule if: A message header… includes any of these words.

Click the ‘Enter Text...’ link and specify the header name as ‘X-Spam-Flag’.

Click the ‘Enter words…’ link and add ‘YES’ and click ‘+’ to add it, then click ‘OK’.

Click ‘add condition’ and select ‘The sender… IP address is in any of these ranges or exactly matches’, then add the IP address(es) or IP address ranges of your TUXGUARD Mail Gateway installation, click ‘OK’ when complete.

Under ‘Do the following….’ ensure that ‘Set the spam confidence level (SCL) to…’ is set, then click the ‘Bypass spam filtering’ link and specify the SCL as ‘5’ in the drop-down and click ‘OK’.

Scroll down and tick the ‘Stop processing more rules’ option.

Click ‘Save’.

The rule should look like this example:

% TODO: insert image from page 79

Add another rule, click the + icon and select the ‘Bypass spam filtering…’ option and enter the following settings:

Name: Bypass spam filtering for mail from TUXGUARD Mail Gateway

Apply this rule if: The sender… IP address is in any of these ranges or exactly matches

Add the IP address(es) or IP address ranges of your TUXGUARD Mail Gateway installation and click ‘Save’.

Do the following… ‘Set the spam confidence level (SCL) to…’ ‘Bypass spam filtering’.

Click ‘Save’.

The rule should look like this example:

% TODO: insert image from page 81

To ensure that Office365 correctly rejects invalid recipients, under ‘mail flow’ -> ‘accepted domains’, switch the ‘domain type’ from ‘Authoritative’ to ‘Internal relay’, click ‘Save’ and then change it back from ‘Internal relay’ back to ‘Authoritative’ again and click ‘Save’.

This was found to be necessary for Office365 servers to correctly reject invalid recipients, despite the documentation.

If you wish to scan Outbound mail from Office365 with TUXGUARD Mail Gateway, then create the following entry in TUXGUARD Mail Gateway -> ‘Maps’:

connect:.outbound.protection.outlook.com relay: true

Then in the Office365 Exchange Admin Center go to ‘mail flow’ -> ‘connectors’, click ‘+’ to add a new connector:

Select From: ‘Office 365’, To: ‘Partner Organization’ and click ‘Next’.

Enter ‘Route outbound mail to TUXGUARD Mail Gateway’ as the Name and click ‘Next’.

Select ‘Only when email messages are sent to these domains’ and click ‘+’, enter ‘*’ as the domain name and click ‘Ok’, then click ‘Next’.

Select ‘Route email through these smart hosts’ and click ‘+’, enter the IP address or hostname of the TUXGUARD Mail Gateway outbound hosts and click ‘Save’, then click ‘Next’.

Untick ‘Always use Transport Layer Security (TLS) to secure the connection’ and click ‘Next’. Enter an external e-mail address in the area provided to validate the connector and click ‘Validate’.

Once validated click ‘Save’.

The added connector should look like this example:

% TODO: insert image from page 83

Google Apps

In the Google Apps Admin Console, navigate to Apps -> Google Apps -> Gmail.

In ‘Settings for Gmail’, scroll to the bottom of the page and click ‘Advanced Settings >>’.

In the ‘General Settings’ tab, scroll down the page to the ‘Spam’ heading and click ‘Configure’ on the ‘Inbound Gateway’ setting.

In the description field enter ‘TUXGUARD Mail Gateway’, then under gateway IPs add the external IP addresses of your TUXGUARD Mail Gateway systems and then tick the ‘Automatically detect external IP (recommended)’ option.

Under ‘Message Tagging’ tick the ‘Message is considered spam if the following regexp matches’, then under ‘Regexp’ enter:

^X-Spam-Flag:\s+YES\s*$

Then select ‘Message is spam if regexp matches’ and tick the ‘Disable Gmail spam evaluation on mail from this gateway; only use header value’ option.

% TODO: insert image from page 85

Finally click ‘Add Setting’ and then ‘Save Changes’ to apply the changes. Once you have all inbound traffic being routed to Google Apps via TUXGUARD Mail Gateway, you may tick the ‘Reject all mail not from gateway IPs’ option to prevent anyone from bypassing TUXGUARD Mail Gateway and sending traffic directly to Google for your domains.
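The Office 365 rule above only honors X-Spam-Flag when the sender IP is one of the gateways, and the Google Apps setting applies the regexp only to mail arriving from the configured gateway IPs (optionally rejecting everything else). The following is an added example, not part of this guide or of TUXGUARD Mail Gateway, that reproduces that trust decision in Python so the logic can be checked against sample messages: the gateway networks, the sample messages and the route() helper are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# The regexp from the Google Apps 'Message Tagging' setting above.
SPAM_FLAG_RE = re.compile(r"^X-Spam-Flag:\s+YES\s*$")

# Constructed gateway addresses for this example; replace them with the
# external IP addresses/ranges of the actual TUXGUARD Mail Gateway hosts.
GATEWAY_NETWORKS = [ipaddress.ip_network("203.0.113.0/29"),
                    ipaddress.ip_network("198.51.100.10/32")]


def from_gateway(client_ip: str) -> bool:
    """True if the connecting SMTP client is one of the gateway hosts."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in GATEWAY_NETWORKS)


def gateway_marked_spam(raw_message: str) -> bool:
    """Apply the regexp to each (unfolded) header line, as the Gmail setting does.
    Only real headers are tested: the same text in the body does not count, and
    the match is case-sensitive, so 'X-Spam-Flag: yes' is not a spam mark."""
    msg = message_from_string(raw_message, policy=default)
    return any(SPAM_FLAG_RE.match(f"{name}: {value}") for name, value in msg.items())


def route(client_ip: str, raw_message: str, reject_non_gateway: bool = True) -> str:
    """Return 'reject', 'junk' or 'inbox' for a message from client_ip.
    reject_non_gateway=True models the Gmail 'Reject all mail not from gateway
    IPs' option; with it off, mail from other hosts is simply not trusted to
    carry a gateway verdict and goes through normal handling ('inbox')."""
    if not from_gateway(client_ip):
        return "reject" if reject_non_gateway else "inbox"
    return "junk" if gateway_marked_spam(raw_message) else "inbox"


# Constructed sample messages: one flagged by the gateway, one not flagged whose
# body merely contains the header text, and one with a lowercase value.
SPAM_MSG = "From: a@example.net\r\nX-Spam-Flag: YES\r\nSubject: hi\r\n\r\nbody\r\n"
HAM_MSG = "From: a@example.net\r\nX-Spam-Flag: NO\r\nSubject: hi\r\n\r\nX-Spam-Flag: YES\r\n"
LOWER_MSG = "From: a@example.net\r\nX-Spam-Flag: yes\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for ip in ("203.0.113.3", "192.0.2.1"):
        for label, m in (("spam", SPAM_MSG), ("ham", HAM_MSG), ("lower", LOWER_MSG)):
            print(ip, label, route(ip, m))
```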

Zimbra

To disable Zimbra spam and attachment filtering by domain run:

zmprov md domain.tld +amavisBannedFilesLover TRUE
zmprov md domain.tld +amavisSpamLover TRUE

Where domain.tld is the domain name you wish to disable.

You can disable it completely for all domains by running:

zmprov -l ms `zmhostname` -zimbraServiceEnabled antivirus
zmprov -l ms `zmhostname` -zimbraServiceEnabled antispam

This will cause "***UNCHECKED***" to be prepended to the subject line of every email. To prevent this you must edit /opt/zimbra/amavisd/sbin/amavisd and change the following value:

$undecipherable_subject_tag = '***UNCHECKED*** ';
to
$undecipherable_subject_tag = '';

And restart Zimbra:
/etc/init.d/zimbra restart

Even with the Spam filtering disabled, Zimbra should still automatically deliver any message that TUXGUARD Mail Gateway thinks is spam to the recipient's ‘Junk’ folder.

If you have DSPAM enabled in TUXGUARD Mail Gateway, then you can configure the Zimbra ‘Junk’ and ‘Not Junk’ buttons to automatically send the training messages to the DSPAM training aliases by running:

zmprov mcf zimbraSpamIsSpamAccount spam@training.alias.com
zmprov mcf zimbraSpamIsNotSpamAccount notspam@training.alias.com