Mail filter¶

Grey list¶

The grey lists [1] exploit the expected performance of a mail server dedicated to spam in order recognize them by their behavior and discard or not the received mail, or at least hinder spamming.

These servers are optimized to send as many emails as possible in minimal time. For this, messages are autogenerated and sent without caring if they are received. When you have a grey list system, the emails considered as potential spam are rejected and the mail server is asked to send the email again. If the server is actually a spammer server, probably it doesn’t have the necessary tools to manage this request and therefore the email will never reach the recipient. On the contrary, if the email was legitimate, the sending server won’t have problem in re-sending it.

In case of Zentyal, the strategy used is to pretend to be out of service. When a new server sends an email, Zentyal responds “I’m temporarily out of service, try again in 300 seconds.” [2], if the sending server complies with the request, it will re-send the email after this time and Zentyal will mark it as a valid server.

In Zentyal, the grey list exempts the email sent from internal networks, from objects with allowed email relay policy and from addresses that are in the antispam whitelist.

Schema on how the grey list works

The Grey list will be configured from Mail ‣ Grey list with the following values:

Greylist configuration

Enabled:

Click to enable greylisting.

Grey list duration (seconds):

Seconds the sending server must wait before re-sending the email.

Retry window (hours):

Time in hours in which the sending server can send mail. If the server has sent any mail during this time, this server will go to the grey list. In a grey list the server can send all the emails it wishes with no time restrictions.

Entry time-to-live (days):

Days the data of the evaluated servers will be stored in the grey list. After the configured days, when the server sends email again, it must go through the greylisting process described above.

Content filtering system¶

The mail content filtering is done by the antivirus and spam detectors. To carry out this task, Zentyal uses an interface between the MTA [3] and these applications. Therefore, the amavisd-new [4] application is used to ensure that the email isn’t spam and it doesn’t contain virus.

In addition, this interface carries out the following checks:

• File and extension white and black lists.
• Mail filtering of email with malformed headers.

Antivirus¶

Zentyal uses the ClamAV [5] antivirus, that is a antivirus toolkit specially designed to scan email attachments in a MTA. ClamAV has a database updater that allows the programmed updates and digital signatures through freshclam program. This database is updated daily with the newly found virus. Furthermore, the antivirus is capable of natively scanning a number of file formats, such as Zip, BinHex, PDF, etc.

In Antivirus you can check if the system antivirus is installed and updated.

Antivirus message

You can update from Software Management, as you will see in Software updates.

It is optional to install the antivirus module, but if you install it, you can see how it integrates several Zentyal modules, increasing the security configuration options of different services, such as SMTP filter, POP proxy, HTTP proxy or file sharing.

Antispam¶

The antispam filter gives to each email a spam score and if the email reaches the spam threshold it is considered as junk mail. If not, it is considered as legitimate email. The latter kind of mail is often called ham.

The spam scanner uses the following techniques to assign scores:

• Blacklists published via DNS (DNSBL).
• URI blacklists that trac antispam websites.
• Filters based on the message checksum, checking emails that are identical, but with some few changes.
• Bayesian filter, a statistical algorithm that learns from its past mistakes when classifying an email as spam or ham.
• Static rules.
• Other. [6]

Zentyal uses Spamassassin [7] as spam detector.

The general configuration of the filter is done from Mail filter ‣ Antispam:

Antispam configuration

Spam threshold:

Mail will be considered spam if the score is above this value.

Spam subject tag:

Tag to add to the mail subject in case it is spam.

Use Bayesian classifier:

If marked, Bayesian filter will be used. Otherwise it will ignored

Auto-whitelist:

Considers the account history of the sending server when giving the score to the message; if the sender has sent plenty of ham emails, it is highly probable that the next email will be ham and not spam.

Auto-learn:

If marked, the filter will learn from the received messages, which score passes the auto-learn thresholds.

Autolearn spam threshold:

Filter will learn that email is spam if the score is above this value. You should not set a low value, since it may cause false positives. The value must be greater than the spam threshold.

Autolearn ham threshold:

Filter will learn that email is ham if the score is below this value. You should not set a high value, since it may cause false negatives. The value must be less than 0.

From Sender Policy you can configure senders whose emails are always accepted (whitelist), always marked as spam (blacklist) or always processed by the antispam filter (process)

From Train Bayesian spam filter you can train the Bayesian filter by sending it a mailbox in Mbox [8] format, containing only spam or ham. You can find many sample files from the Internet to train the Bayesian filter, but usually you get more accurate result if you use email received in the sites you need to protect. The more trained the filter is, the better results you get in detecting if a message is junk or not.

File-based Access Control Lists¶

You can filter the files attached to the mails by using Mail filter ‣ Files ACL (File Access Control Lists).

Here you can allow or deny mail according to the extensions of the attached files or their MIME types.

Attached file filter

SMTP mail filter¶

From Mail filter ‣ SMTP mail filter you can configure the behavior of the earlier filters, when Zentyal receives mail by SMTP. From General you can configure the general behavior of all incoming mail:

General parameters for the SMTP filter

Enabled:

Check to enable SMTP filter.

Antivirus enabled:

Check to make the filter look for viruses.

Antispam enabled:

Check to make the filter look for spam.

Service port:

Port to be used by the SMTP filter.

Notify of problematic messages that aren’t spam:

You can send notifications to a mailbox when you receive problematic emails that aren’t spam, for example, emails infected by virus.

From Filter policies you can configure how the filter must act with different types of emails.

SMTP filter policies

You can perform following actions with problematic emails:

Pass:

Do nothing, let the email reach its recipient.

Reject:

Discard the message before it reaches the recipient, notifying the sender that the message has been rejected.

Bounce:

Like Reject, but enclosing a copy of the message in the notification.

Discard

Discard the message before it reaches the recipient, not notifying the sender.

From Virtual domains you can configure the behavior of the filter for virtual domains of the mail. These settings override the previously defined general settings.

To customize the configuration of a virtual domain of the mail, click on Add new.

Filter parameters per virtual domain of the mail

The parameters that can be overridden are the following:

Domain:

Virtual domain you want to customize. Those configured in Mail ‣ Virtual domain are available.

Use virus / spam filtering:

If enabled, the email received in this domain will be filtered in search of virus or spam

Spam threshold:

You can use the default score for spam or custom value.

Learn from the spam IMAP folders of the accounts:

If enabled, when emails are taken to the spam folder the filter learns them as spam. Likewise, if you move a message from the spam folder to a regular folder, the filter learns it as ham.

*Ham* / *spam* learning account:

If enabled, ham@dominio and spam@dominio accounts will be created. The users can send emails to these accounts to train the filter. All the email sent to ham@dominio will be learned at not-spam while the email sent to spam@dominio will be learned as spam.

Once you have added the domain, you can add addresses to your whitelist, blacklist or force the processing from Antispam policy for senders.