4.4. Policy

The policy that governs how emails are handled in Email Gateway Security is configured by the rules on the Security Rules page.


Direction

In traditional configurations MetaDefender Email Gateway Security sits between the organization's email gateway and its mail server. For the inbound direction, the email is received from the email gateway and sent on to the mail server. For the outbound direction, the email is received from the mail server and sent on to the email gateway.


The direction of the email flow is mapped to security rules in Email Gateway Security by defining:

  1. Where emails are coming from, and

  2. Where emails should be sent next after processing.

To configure direction for a certain security rule:

  1. Apply appropriate filter settings for the Security rules > rule / FILTER / Sender IP address filter (PREVIOUS HOP) to define where emails matching this rule are coming from.

  2. Select the appropriate SMTP destination in Security rules > rule / GENERAL / SMTP relay server profile to define where emails matching this rule should be sent next after processing. For further details about server profiles see 4.6. Server profiles.

When the filter and the SMTP relay are set to match emails coming from or going to a certain direction, Security rules > rule / GENERAL / Rule direction can be set to Inbound or Outbound accordingly, depending on the direction of the email flow.


Rule order

Several security rules can be created that target different messages from different sources going to different recipients. However, care must be taken in how these rules are set up and ordered, because a first-match policy and a no-match policy apply (see the next two sections).

Specific rules should come first and generic rules last.


First match policy

If more than one rule matches, the email message is accepted/rejected and processed according to the security policy of the first matching rule in the list.

No match policy

If there is no matching rule in the system (or no rule at all), then the email message will be rejected.

Risk of blocking email flow

Deleting all security rules from the system results in all email messages being blocked.
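The rule selection described in the Direction, Rule order, First match policy and No match policy sections can be modelled in a few lines. The following is an added example, not code from the product or from this guide: it evaluates ordered rules on the sender IP address filter (PREVIOUS HOP) with the documented EQUALS match on an IP or subnet and the OR relation between entries, returns the first matching rule (with its direction and SMTP relay server profile), rejects on no match, and adds a check for rules that can never be reached because a more generic rule precedes them. The deployment addresses, rule names and relay profile names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One security rule: its sender IP conditions (the PREVIOUS HOP filter),
    the direction it represents and the SMTP relay it hands matching mail to."""
    name: str
    direction: str           # "Inbound" or "Outbound"
    sender_ips: List[str]    # IP addresses or subnets; OR relation between entries
    relay_profile: str       # SMTP relay server profile name (constructed)


def _networks(rule: Rule):
    # A single address such as 10.0.0.1 becomes the host network 10.0.0.1/32
    return [ipaddress.ip_network(entry, strict=False) for entry in rule.sender_ips]


def ip_matches(rule: Rule, sender_ip: str) -> bool:
    """EQUALS match on an IP or subnet; one matching entry is enough (OR relation)."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in _networks(rule))


def select_rule(rules: List[Rule], sender_ip: str) -> Optional[Rule]:
    """First-match policy: the first rule in list order whose filter matches wins.
    No-match policy: None, meaning the message is rejected."""
    for rule in rules:
        if ip_matches(rule, sender_ip):
            return rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be reached because every one of their
    sender IP entries lies inside an entry of an earlier rule (generic before specific)."""
    shadowed = []
    for i, rule in enumerate(rules):
        earlier = [net for prev in rules[:i] for net in _networks(prev)]
        if rule.sender_ips and all(
            any(net.subnet_of(e) for e in earlier if e.version == net.version)
            for net in _networks(rule)
        ):
            shadowed.append(rule.name)
    return shadowed


# Constructed deployment: email gateway at 192.0.2.10, mail server at 10.0.0.25,
# plus a generic rule for the whole internal subnet 10.0.0.0/24.
RULES = [
    Rule("inbound-from-gateway", "Inbound", ["192.0.2.10"], "mail-server"),
    Rule("outbound-from-mailserver", "Outbound", ["10.0.0.25"], "email-gateway"),
    Rule("internal-subnet", "Outbound", ["10.0.0.0/24"], "email-gateway"),
]
# Same rules with the generic rule first: the specific outbound rule is now unreachable.
BAD_ORDER = [RULES[2], RULES[0], RULES[1]]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "10.0.0.25", "10.0.0.77", "198.51.100.9"):
        rule = select_rule(RULES, ip)
        verdict = (f"{rule.name} ({rule.direction}, relay {rule.relay_profile})"
                   if rule else "no match: rejected")
        print(f"{ip} -> {verdict}")
    print("shadowed in RULES:", shadowed_rules(RULES))
    print("shadowed in BAD_ORDER:", shadowed_rules(BAD_ORDER))
```

Running the block shows the mail server's traffic handled by the specific outbound rule when that rule is listed first, and `shadowed_rules(BAD_ORDER)` reporting that rule as unreachable once the generic subnet rule is moved ahead of it; an address outside every rule is rejected under the no-match policy.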

Security rule configuration

Filtering

Sender IP address conditions

Sender IP addresses are the addresses of infrastructure elements in the deployment, from which MetaDefender Email Gateway Security is allowed to receive emails according to this rule.

Example

In a traditional setup, for example, the sender is the email gateway for inbound messages and the mail server for outbound messages.

Type: IP address or subnet

Match type: EQUALS

Examples:

  • IP: 10.0.0.1

  • IP range: 10.0.0.0/24

Relation

There is an OR relation among the entries in the sender IP address conditions.

Sender domain or address conditions

The sender filter makes it possible to apply a security rule based on the email address the email was sent from. The value is taken from the SMTP communication's MAIL FROM command, which holds an email address.

Risk of spoofing

When using this filter, be aware that spoofing the sender of an email is a very easy task. A more secure way to use this filter is for OUTBOUND emails only, together with filtering on the sender IP.

Field details

Value type: email address

Field type: QRegExp

Match type: regular expression match

Examples

  • .+@opswat.com

  • somespecificuser@opswat.com

  • opswat.com (treated as .+@opswat.com)

Regular expression specialities

Please note that the "." (dot) in a regular expression matches any character. This means that .+@opswat.com can match test@opswat1com. If you want to match explicitly for a dot you should escape it like this: .+@opswat\.com

Relation

There is an OR relation among the sender domain or email address conditions.

Recipient domain or address conditions

Recipient conditions restrict the emails matched by the rule to specific recipients. The value is taken from the SMTP communication's RCPT TO command, which holds an email address.

Benefits of recipient filtering

Recipient domain or email address conditions can also help to counter emails sent to invalid recipients, for example addresses that do not exist at the organization or among its partners.

This kind of defense may protect against unnecessary load or even against malicious attacks.

Field details

The field details are identical to the field details of the sender domain or address conditions (for details see the Sender domain or address conditions section).
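The sender and recipient conditions above are QRegExp regular expressions, a bare domain such as opswat.com is treated as .+@opswat.com, the entries are OR-related, and an unescaped dot matches any character. The following added example (not code from the product or this guide) shows those rules together: it normalizes a bare domain, evaluates a list of conditions against a MAIL FROM or RCPT TO address, builds a domain condition with the dot escaped, and combines sender and recipient conditions as a rule's filter. Two things are assumptions: that the expression has to match the whole address (Python's `re.fullmatch`; the page does not state how the product anchors the pattern) and that an empty condition list imposes no restriction. Python's `re` and QRegExp agree on the simple patterns used here.

```python
import re
from typing import List


def normalize_pattern(pattern: str) -> str:
    """A bare domain is treated as '.+@<domain>', as the guide describes for opswat.com."""
    return pattern if "@" in pattern else ".+@" + pattern


def address_matches(conditions: List[str], address: str) -> bool:
    """OR relation among the conditions: one matching expression is enough.
    Assumption: whole-address match (re.fullmatch)."""
    return any(re.fullmatch(normalize_pattern(p), address) is not None for p in conditions)


def safe_domain_pattern(domain: str) -> str:
    """Build a domain condition with the dots escaped, so '.' no longer matches any character."""
    return ".+@" + re.escape(domain)


def rule_matches(sender_conds: List[str], recipient_conds: List[str],
                 mail_from: str, rcpt_to: str) -> bool:
    """A rule's address filters combined. Assumption: an empty list means 'no restriction'."""
    sender_ok = not sender_conds or address_matches(sender_conds, mail_from)
    recipient_ok = not recipient_conds or address_matches(recipient_conds, rcpt_to)
    return sender_ok and recipient_ok


if __name__ == "__main__":
    # Constructed addresses; test@opswat1com is the guide's own illustration of the dot pitfall
    for pattern in (".+@opswat.com", r".+@opswat\.com", safe_domain_pattern("opswat.com")):
        for addr in ("test@opswat.com", "test@opswat1com"):
            print(f"{pattern!r:22} vs {addr:18} -> {address_matches([pattern], addr)}")
    print("bare domain:", address_matches(["opswat.com"], "user@opswat.com"))
    print("outbound rule:", rule_matches([safe_domain_pattern("opswat.com")], [],
                                         "user@opswat.com", "partner@example.net"))
```

The output shows `.+@opswat.com` accepting test@opswat1com while the escaped form and `safe_domain_pattern("opswat.com")` reject it; when a condition is entered by hand, escaping the dots is what makes the domain boundary explicit.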

SMTP relay

After processing, emails must be forwarded by Email Gateway Security to an SMTP destination so that recipients can receive them.

For each security rule the SMTP destination can be set in Security rules > rule / GENERAL / SMTP relay server profile to define where emails matching this rule should be sent next after processing. For further details about server profiles see 4.6. Server profiles.

Security policy

The security policy of a certain rule is defined by the settings on the SCAN, ADVANCED THREAT PREVENTION, ZERO-DAY MALWARE PREVENTION, ANTI-PHISHING, UPLOAD ATTACHMENTS and ADVANCED tabs.

Scan

On the Scan tab of a rule it can be defined whether emails matching this rule are scanned at all.

MetaDefender Core server profile

A MetaDefender Core server profile to which emails are sent for malware scanning and zero-day malware prevention. For further details see 4.6. Server profiles.

Scan email body and headers

Email Gateway Security can process email headers, body and attachments, and thus find malicious or sensitive content not only in attachments but also in the body or headers.


Advanced Threat Prevention

Using multiscanning, Email Gateway Security can use as many as 20 anti-malware engines to prevent advanced, unknown threats.

On this tab it can be configured what Email Gateway Security should do if its Advanced Threat Prevention feature finds malware in one or more components of the email.

If Quarantine original email is enabled, then the original copy of the email is put into the 5.3. Quarantine regardless of how Handling of the email is set.

Handling of the email may be:

  • Block email: the email is blocked. If Notify recipients if email is blocked is enabled, then a notification will be sent to the recipients. For further details see 4.8. Alert, notification and quarantine report emails.

  • Delete blocked contents: the blocked contents (e.g. infected attachments) are removed from the email. The rest of the email is delivered.

  • Deliver blocked contents: the email is delivered containing the potentially malicious (infected) contents.

Risk of outbreak

Selecting Deliver blocked contents will deliver potentially malicious contents to recipients.

If Email Gateway Security is set to Notify recipients if email is blocked, the notifications can be limited to emails with password protected attachments. To do so, set Send notifications for to Only emails with password protected attachments.


Zero-Day Malware Prevention

Using content disarm and reconstruction, Email Gateway Security can prevent zero-day malware in over 85 common file types.

The content disarm and reconstruction capabilities can be configured for each MetaDefender Core server. For further details see 4.6. Server profiles.

On this tab it can be configured what Email Gateway Security should do if its Zero-Day Malware Prevention feature applies disarm and reconstruction to one or more components of the email.

If Quarantine original email is enabled, then the original copy of the email is put into the 5.3. Quarantine.


Anti-phishing

If Enable MetaDefender Cloud Dynamic Antiphishing is turned on, all links in the email body are redirected through the MetaDefender.com Safe URL redirect service.

Upload attachments

Prerequisites

Configuring the Upload attachments capability requires some technical understanding of MetaDefender Vault.

For details about MetaDefender Vault see https://onlinehelp.opswat.com/vault/.

For details about integrating Email Gateway Security and Vault see 5.7. Integration with MetaDefender Vault.

The Upload attachments capability requires a MetaDefender Vault server profile to be configured and set for the MetaDefender Vault server profile value. For details see 4.6. Server profiles.

Attachment notice

The Attachment notice is a custom notification text appended to emails to tell recipients where they can access their files in MetaDefender Vault.

The Attachment notice works the same way as other disclaimers do. For details see 4.4.1. Disclaimers.

Required disclaimer variable

You should not remove %[]vault_list[]% from the notification texts as it would lead to missing URLs. For details see 4.4.1. Disclaimers.


Upload blocked attachments

By selecting this option, the original copy of every attachment which was blocked will be uploaded to MetaDefender Vault.

Upload sanitized attachments

By selecting this option, the sanitized copy of every attachment which was sanitized will be uploaded to MetaDefender Vault.

To upload the original copy of the sanitized attachments see 4.4. Policy.

Upload partially sanitized attachments

By selecting this option, the original copy of every attachment which was partially sanitized will be uploaded to MetaDefender Vault.

Requires MetaDefender Core setting

This requires the 'Distinguish partial archive sanitization result' option checked in the MetaDefender Core rule used to scan content with. See MetaDefender Core > 3.6.2. Workflow template configuration for more information.

Upload original of sanitized attachments

By selecting this option, the original copy of every attachment which was sanitized will be uploaded to MetaDefender Vault.

Upload only once

If both Upload original of sanitized attachments and Upload attachments that failed sanitization are enabled (and the sanitization fails), then the original file is uploaded only once.

Upload attachments that failed sanitization

By selecting this option every attachment where the sanitization failed will be uploaded to MetaDefender Vault.

Upload only once

If both Upload original of sanitized attachments and Upload attachments that failed sanitization are enabled (and the sanitization fails), then the original file is uploaded only once.

Upload bypassed attachments

By selecting this option every attachment that was bypassed (for details see 5.4. Bypassing) by Email Gateway Security will be uploaded to MetaDefender Vault.

Upload allowed attachments

By selecting this option every attachment which was allowed will be uploaded to MetaDefender Vault.

Allowed but sanitized won't upload

Please note that if an attachment is allowed but gets sanitized, it will not be uploaded if only the Upload allowed attachments option is set.

If you want to upload this kind of attachment, you should have Upload original of sanitized attachments enabled.

Options

Remove uploaded attachments from email

By enabling this option, every attachment that was successfully uploaded to MetaDefender Vault is removed from the email. If uploading an attachment fails, the removal is skipped.

Blocked files

Blocked files are removed regardless of this setting if the action for blocked contents is Delete blocked contents.
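The upload options from Upload blocked attachments through Remove uploaded attachments from email interact in ways that are easy to get wrong (the Upload only once and Allowed but sanitized won't upload notes, and blocked files being removed regardless of the upload setting). The following added example, not code from the product or this guide, models those options as a decision function: given an attachment's processing outcome and the selected checkboxes, it returns which copies would be uploaded to Vault and which attachments would be removed from the delivered email. The outcome vocabulary (verdict and sanitization state), the attachment names and the option names are constructed for the example; one further assumption, marked in the code, is that Upload original of sanitized attachments also covers attachments whose sanitization failed, which is what makes the Upload only once note necessary.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Processing outcome of one attachment. Constructed vocabulary for this example:
#   verdict:      "allowed" | "blocked" | "bypassed"
#   sanitization: "none" | "sanitized" | "partial" | "failed"
@dataclass(frozen=True)
class Attachment:
    name: str
    verdict: str
    sanitization: str = "none"


# The checkboxes of the UPLOAD ATTACHMENTS tab, plus the ATP action "Delete blocked contents".
@dataclass(frozen=True)
class UploadOptions:
    blocked: bool = False
    sanitized: bool = False
    partially_sanitized: bool = False
    original_of_sanitized: bool = False
    failed_sanitization: bool = False
    bypassed: bool = False
    allowed: bool = False
    remove_uploaded: bool = False
    delete_blocked_contents: bool = False


Upload = Tuple[str, str]  # (attachment name, "original" or "sanitized")


def planned_uploads(att: Attachment, opts: UploadOptions) -> Set[Upload]:
    """Which copies of one attachment go to Vault. Returning a set implements the
    'Upload only once' note: two options that both select the original copy
    still yield a single upload."""
    original = (att.name, "original")
    copies: Set[Upload] = set()
    if opts.blocked and att.verdict == "blocked":
        copies.add(original)
    if opts.sanitized and att.sanitization == "sanitized":
        copies.add((att.name, "sanitized"))
    if opts.partially_sanitized and att.sanitization == "partial":
        copies.add(original)
    # Assumption: 'Upload original of sanitized attachments' also covers attachments
    # whose sanitization was attempted and failed (hence the 'Upload only once' note);
    # partially sanitized attachments have their own option above.
    if opts.original_of_sanitized and att.sanitization in ("sanitized", "failed"):
        copies.add(original)
    if opts.failed_sanitization and att.sanitization == "failed":
        copies.add(original)
    if opts.bypassed and att.verdict == "bypassed":
        copies.add(original)
    # 'Allowed but sanitized won't upload': only untouched allowed attachments qualify here.
    if opts.allowed and att.verdict == "allowed" and att.sanitization == "none":
        copies.add(original)
    return copies


def attachments_to_remove(attachments: Iterable[Attachment], opts: UploadOptions,
                          upload_succeeded: Set[str]) -> Set[str]:
    """Names of attachments removed from the delivered email. Blocked contents go
    whenever the ATP action is 'Delete blocked contents'; otherwise removal follows
    'Remove uploaded attachments from email' and is skipped when the upload failed."""
    removed: Set[str] = set()
    for att in attachments:
        if opts.delete_blocked_contents and att.verdict == "blocked":
            removed.add(att.name)
        elif opts.remove_uploaded and planned_uploads(att, opts) and att.name in upload_succeeded:
            removed.add(att.name)
    return removed


if __name__ == "__main__":
    # Constructed sample email with three attachments and a typical option set
    mail = [Attachment("invoice.pdf", "allowed", "sanitized"),
            Attachment("dropper.exe", "blocked"),
            Attachment("notes.txt", "allowed")]
    opts = UploadOptions(allowed=True, sanitized=True, original_of_sanitized=True,
                         failed_sanitization=True, remove_uploaded=True)
    for att in mail:
        print(att.name, "->", sorted(planned_uploads(att, opts)))
    print("removed:", attachments_to_remove(mail, opts, {"invoice.pdf", "notes.txt"}))
```

With the sample options, invoice.pdf yields both an original and a sanitized upload, dropper.exe yields none because Upload blocked attachments is off, and notes.txt yields its original; only the attachments whose uploads succeeded are removed from the email.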

Include scan result

By enabling this option, Email Gateway Security uploads the scan results to Vault as metadata alongside the attachment. As a result, Vault knows the verdict of the scan and can make the file available immediately.

Upload to user's own vault account

Depending on whether the email was matched by an inbound or an outbound rule, the files are uploaded, based on the email addresses, to the recipients' (inbound) or the senders' (outbound) own Vault accounts (if the account exists on Vault at all). This feature requires appropriate permissions (impersonation) on Vault.

No account on Vault

If no account exists with the recipient email address on Vault, then the file is uploaded to the account assigned to the API key specified in the Vault server profile set for the matching rule.


Advanced

The advanced scan settings policy defines certain exceptions from the default behavior.

Retry

Email Gateway Security can be configured to retry processing emails. For details see 4.3. Settings.

Risk of potentially harmful content

If Bypass if all retry fail is configured for certain settings and the email is ultimately bypassed, then the original, potentially harmful email is delivered.

The recipient may be notified about the fact of bypassing. To do so set the Bypass email disclaimer. For details see 4.4.1. Disclaimers.