ET307 v9.5.0 UTM Engineer Email Protection

Uploaded by Seljvije Sheapi

Hello, and welcome to this Sophos Certified course for UTM 9.5.

This is module 307: Email Protection.

Sophos Certified Engineer
UTM ET307 – Email Protection

June 2017
Version: 9.5.0
Product version: UTM 9.5

© 2017 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other
names, logos and marks mentioned in this document may be the trademarks or
registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos
makes no warranties, conditions or representations (whether express or implied) as
to its completeness or accuracy. This document is subject to change at any time
without notice.
Sophos Limited is a company registered in England number 2096520, whose
registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire,
OX14 3YP.

Module 307 – Page 1


Once you complete this module you will be able to:
• Describe the main capabilities of the Email Protection module
• Configure SMTP email filtering
• Enable Data Protection rules
• Enable SPX encryption
• Manage the quarantine and mail logs

Module 307 – Page 2


The Sophos UTM provides comprehensive email protection for both the SMTP/S server
protocol and the POP3 client protocol.

As with Web Protection, the UTM can use dual antivirus engine scanning to block
threats before they have a chance to enter the network.
Live antivirus lookups further improve the malware detection rates by consulting the
latest information from SophosLabs for possible threat matches using Sophos’ cloud
infrastructure.
The UTM also provides controls for attachments, allowing you to restrict which file
types are sent and received by file extension and MIME type.

The UTM stops spam, phishing and other unwanted email before it gets delivered and
clutters up mailboxes, using a combination of different recognition mechanisms to
offer high detection rates and low false positives.
The UTM provides the ability to scan content for sensitive data using rules created
and managed by SophosLabs, or custom rules created yourself. This can be paired
with the SPX encryption to secure sensitive data as it leaves the company.

Using email encryption, sensitive information can be automatically encrypted and
protected, and with Sophos’ SPX secure PDF exchange, email encryption is easier to
configure and use. Because the UTM handles the encryption and decryption of emails, it
is still able to perform the virus and content checks.
The UTM also provides tools to assist the administrator in managing the quarantine
and reviewing mail logs. To help reduce the administrative workload, the UTM
includes quarantine management for end users through the User Portal and
Quarantine Report emails.

Module 307 – Page 3


This table provides a comparison of the antivirus and antispam features available for
SMTP and POP3 scanning.

The very nature of POP3 means that the email has already been accepted by the mail
server, so many of the antispam techniques that rely on the SMTP conversation cannot
be employed, making the process less efficient; however, the UTM is still able to
provide robust malware and spam scanning.

Module 307 – Page 4


The SMTP proxy can forward both inbound and outbound mails, and can be
configured in two modes:
• Simple mode where all email domains use the same settings
• Profile mode where you can configure separate profiles for each domain or group
of domains

Module 307 – Page 5


The SMTP routing configuration defines which domains the UTM will accept and
process email for and where to send them once they have been checked. All domains
are treated the same, so if you select to use a static host list or DNS hostname, email
for all of the domains will be sent to the same internal mail server.

There is a third option for routing emails and that is to use mail exchanger (MX)
records. These can resolve to different mail servers but must be used with care, as
there will already be Internet facing MX records for these domains which were used
to route the email to the UTM in the first place.

The email recipients can be validated either by a callout to the email server or
against Active Directory. When callout is selected, the UTM contacts the downstream
SMTP server to find out whether it will accept an email for the recipient.

Module 307 – Page 6


There are four types of relay configurations on the UTM.

1. Upstream relays. These are servers that deliver all of your email to your company.
If you have upstream relays, it is important that they are added so that antispam
scanning works effectively (otherwise reputation checks see the relay’s address rather
than the original sender’s). You can also optionally choose to only accept emails
from the listed upstream relays.

2. Authenticated relay, where users can authenticate to relay email through the
UTM. This may be the case if users’ mail clients are sending the emails directly to
the UTM rather than to an internal mail server for delivery.

3. Host-based relay. This is the most common type of relay that will need to be
configured, and it is where you specify any internal mail servers that you want to
be able to send email out to the Internet using the UTM.
Be careful not to open the UTM up as a relay to the whole Internet, as this will
likely result in your server being used for sending spam, and your public IP
addresses being added to a real-time blacklist.

4. Lastly, you can prevent hosts and networks from being able to connect to the SMTP
proxy. You may want to do this for guest networks for example.
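To make the four relay types concrete, here is an added example (not Sophos code, and not the UTM’s configuration format) that models the decision the SMTP proxy has to make for each RCPT TO command: inbound mail for an accepted domain, optionally only from upstream relays; outbound relay only for authenticated users or listed internal hosts; and nothing at all from blocked networks. The domain names, networks and addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed configuration for the example; the UTM's real relay settings live in
# WebAdmin. This only models the four relay types described in the course.
ACCEPTED_DOMAINS = {"example.com", "example.org"}       # domains the UTM routes inbound
UPSTREAM_RELAYS = [ip_network("203.0.113.10/32")]      # provider that delivers our inbound mail
HOST_BASED_RELAY = [ip_network("10.0.1.0/24")]         # internal mail servers allowed to send out
BLOCKED_NETWORKS = [ip_network("192.168.50.0/24")]     # e.g. a guest network, denied SMTP proxy access


def _in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def relay_decision(client_ip, recipient, authenticated=False, upstream_only=False):
    """Decide one RCPT TO command. Returns (accept, reason).

    client_ip     -- address of the connecting SMTP client
    recipient     -- envelope recipient address
    authenticated -- True if the client passed SMTP AUTH (authenticated relay)
    upstream_only -- True to accept inbound mail only from the listed upstream relays
    """
    if _in_any(client_ip, BLOCKED_NETWORKS):
        return False, "client is blocked from the SMTP proxy"

    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in ACCEPTED_DOMAINS:
        # Inbound mail for a domain we route: accepted from anyone unless
        # the configuration restricts inbound delivery to the upstream relays.
        if upstream_only and not _in_any(client_ip, UPSTREAM_RELAYS):
            return False, "inbound mail is only accepted from upstream relays"
        return True, "inbound mail for an accepted domain"

    # Outbound mail for a foreign domain: only authenticated users or listed
    # internal hosts may relay, otherwise the UTM would be an open relay.
    if authenticated:
        return True, "authenticated relay"
    if _in_any(client_ip, HOST_BASED_RELAY):
        return True, "host-based relay"
    return False, "relay denied: accepting this would make the UTM an open relay"


if __name__ == "__main__":
    for args in [("198.51.100.5", "alice@example.com"),
                 ("198.51.100.5", "bob@example.net"),
                 ("10.0.1.25", "bob@example.net"),
                 ("192.168.50.7", "alice@example.com")]:
        print(args, "->", relay_decision(*args))
```

The last branch is the one that matters operationally: an unauthenticated client from outside the host-based relay list asking to send to a foreign domain must be refused, which is exactly the open-relay condition the slide warns about.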

Module 307 – Page 7


The UTM can optionally reject emails which contain malware while it is receiving the
email; however, this can only be done by the first anti-virus engine. If you are using
dual engine scanning, the email is received onto the UTM before the second anti-virus
engine scans it, so in this case the email will be quarantined rather than rejected.

In the malware configuration you can select whether to enable single engine scanning
for performance, or dual engine scanning for increased protection, and what action
to take for email containing viruses, either quarantine them or black hole them.
This is also where you can enable Sophos Sandstorm for Email Protection.
If the antivirus engines are unable to scan content because it is either malformed or
encrypted, you can select to quarantine it as it cannot be guaranteed to be clean.

The UTM can filter attachments based on their MIME type. This is a more reliable
way of checking what file format an attachment is than using the file extension.
Attachment MIME types can either be quarantined or whitelisted. The UTM provides
tick boxes to configure commonly quarantined MIME types for audio, video and
executable files.

By default, the UTM will block attachments with common executable file extensions.
The list of blocked file extensions can easily be managed by adding and removing
extensions.
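The slide makes the point that MIME type is a more reliable signal than the file extension. The following added example (my own code, not Sophos’) shows why: it builds a constructed message with Python’s standard `email` library and checks each attachment three ways, by extension, by the declared Content-Type, and by the leading bytes of the payload. The block list, quarantine list and magic-byte table are constructed for the example and far shorter than a real one.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed policy modelled on the slide: block by extension, quarantine by MIME type.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".js", ".vbs"}
QUARANTINE_MIME = {"application/x-dosexec", "application/x-msdownload",
                   "audio/mpeg", "video/mp4"}
# A few well-known file signatures (constructed lookup table, not exhaustive).
MAGIC = {b"MZ": "application/x-dosexec",
         b"%PDF": "application/pdf",
         b"PK\x03\x04": "application/zip"}


def sniff_mime(data):
    """Identify the real format from the first bytes, ignoring name and headers."""
    for prefix, mime in MAGIC.items():
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"


def check_attachments(raw_message):
    """Return {filename: (action, reason)} for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        declared = part.get_content_type()            # what the sender claims
        actual = sniff_mime(part.get_payload(decode=True) or b"")  # what the bytes say
        if ext in BLOCKED_EXTENSIONS:
            verdicts[name] = ("quarantine", f"blocked file extension {ext}")
        elif actual in QUARANTINE_MIME:
            verdicts[name] = ("quarantine", f"MIME type {actual}")
        elif declared in QUARANTINE_MIME:
            verdicts[name] = ("quarantine", f"declared MIME type {declared}")
        else:
            verdicts[name] = ("allow", actual)
    return verdicts


def build_sample():
    """Constructed test message: a real PDF, a renamed executable, and a batch file."""
    msg = EmailMessage()
    msg["From"] = "john@example.com"
    msg["To"] = "kate@example.org"
    msg["Subject"] = "Q2 report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Extension and declared type both say PDF, but the payload starts with an MZ header.
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"@echo off\r\n", maintype="text",
                       subtype="plain", filename="run.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in check_attachments(build_sample()).items():
        print(f"{name:12} {verdict}")
```

The second attachment is the interesting one: an extension-only filter passes it, while the content check sends it to quarantine.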

Module 307 – Page 8


The UTM can optionally reject spam emails during the receipt of the message, once it
has enough information to classify them. This can be done for either spam or confirmed
spam, which are defined as:
• Spam: emails which are most likely to be spam
• Confirmed spam: emails which are almost certainly spam

In the spam filter section you can configure what action to take on emails which are
categorized as spam or confirmed spam by the heuristic spam filter. The options are:
• Off: deliver the email
• Warn: add a spam marker to the subject line, this can be customized
• Quarantine
• Blackhole: delete

When real-time blackhole lists are enabled, external IP reputation databases are used
to determine if the sending server is a known spammer. The default RBLs used are:
• CYREN IP Reputation
• cbl.abuseat.org
You can also configure additional RBLs to use.

Heuristic spam filter


• Patented process RPD (Recurrent Pattern Detection™)
• Generates a hash for each message
• This hash is sent via HTTP to the provider's external server
• Ranked based on the provider's response
• Feedback from CYREN server:
  • no spam
  • spam
  • confirmed spam

Module 307 – Page 9


The anti-spam configuration contains a global sender blacklist which supports
wildcards.

The expression filter can be used to scan the subject and body of emails for specific
content using regular expressions (Perl Compatible Regular Expressions – PCRE) or
simple case insensitive strings. Emails that match the expression filter are
quarantined.

Advanced anti-spam options can also be enabled, including reverse DNS checks,
greylisting, BATV and SPF.

Greylisting
• Greylisting is carried out early on in SMTP communication
• A message is temporarily rejected for a period of at least 5 minutes before being
accepted at the next delivery attempt
• For each rejected email, an entry is created in the Sophos UTM database
• Many tools used by spam senders to dispatch emails en masse do not support
repeat sending of emails
• NOTE: Activating greylisting will increase the load on your email servers
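The greylisting bullets describe a small state machine keyed on the sender/recipient/client triplet. The added example below (my own code, not Sophos’) implements it: the first attempt is rejected with a temporary 4xx code and recorded, a retry inside the five-minute window is rejected again, and a retry after the window is accepted. The expiry period for stale entries and the reply text are constructed; the five-minute delay comes from the slide.

```python
import time

GREYLIST_DELAY = 5 * 60       # seconds a triplet must wait before acceptance (slide: at least 5 minutes)
GREYLIST_EXPIRE = 24 * 3600   # constructed: forget triplets that are never retried within a day


class Greylist:
    """In-memory stand-in for the greylisting table the UTM keeps in its database."""

    def __init__(self, delay=GREYLIST_DELAY, expire=GREYLIST_EXPIRE):
        self.delay = delay
        self.expire = expire
        self.db = {}   # (client_ip, sender, recipient) -> time of first attempt

    def check(self, client_ip, sender, recipient, now=None):
        """Evaluate one delivery attempt early in the SMTP dialogue.

        Returns an (smtp_code, text) pair: 451 is a temporary rejection that a
        real MTA will retry, 250 means the triplet has served its delay.
        """
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.db.get(key)
        if first is None or now - first > self.expire:
            # First sighting (or a long-expired one): record it and defer.
            self.db[key] = now
            return 451, "4.7.1 Greylisted, please try again later"
        if now - first < self.delay:
            # Retried too early: keep deferring until the delay has passed.
            return 451, "4.7.1 Greylisted, please try again later"
        return 250, "2.1.5 Recipient OK"


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000
    triplet = ("198.51.100.9", "sender@example.net", "kate@example.org")
    for offset in (0, 60, 301):
        print(f"t+{offset:>3}s ->", g.check(*triplet, now=t0 + offset))
```

A mass-mailing tool that never retries simply never gets past the 451, which is the whole effect the slide describes; the cost is that every legitimate first contact is delayed by at least the configured window.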

BATV
• BATV cryptographically signs the envelope for an email, which serves as proof that
the email really came from the original sender
• BATV reliably stops the receipt of virus warning messages and rejects any spam
with a blank sender address
• BATV eliminates fake "bounce/NDR" messages sent by external (third-party)
servers
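To show what "cryptographically signs the envelope" means in practice, here is an added example (my own code, not Sophos’ implementation) of a simplified BATV `prvs=` scheme in the style of draft-levine-smtp-batv: the outbound MAIL FROM is rewritten to carry a keyed HMAC tag with an expiry day, and an incoming bounce is accepted only if it is addressed to a tag that verifies. The secret, key id, validity period and addresses are constructed for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # the gateway's private signing key; this one is made up
KEY_ID = "0"                       # one-digit key selector, allows key rotation
VALID_DAYS = 7                     # constructed validity window for a signed address


def _tag(day, address, secret):
    """prvs tag: key id + 3-digit expiry day + first 6 hex chars of an HMAC-SHA1."""
    mac = hmac.new(secret, f"{day:03d}{address}".encode(), hashlib.sha1).hexdigest()
    return f"{KEY_ID}{day:03d}{mac[:6]}"


def batv_sign(address, now=None, secret=SECRET):
    """Rewrite an outbound envelope sender as prvs=<tag>=<local>@<domain>."""
    now = time.time() if now is None else now
    day = (int(now // 86400) + VALID_DAYS) % 1000   # expiry day, modulo 1000 as in BATV
    local, domain = address.rsplit("@", 1)
    return f"prvs={_tag(day, address, secret)}={local}@{domain}"


def batv_verify_bounce(rcpt, now=None, secret=SECRET):
    """Check the recipient of an incoming bounce (null sender).

    Returns (accept, original_address) on success, or (False, reason).
    Bounces to an unsigned, expired or forged address are rejected: we never
    sent anything from such an address, so the bounce cannot be genuine.
    """
    now = time.time() if now is None else now
    if not rcpt.startswith("prvs="):
        return False, "bounce to unsigned address: we never sent this"
    try:
        _, tag, address = rcpt.split("=", 2)
    except ValueError:
        return False, "malformed prvs tag"
    if len(tag) != 10 or not tag[1:4].isdigit():
        return False, "malformed prvs tag"
    day = int(tag[1:4])
    today = int(now // 86400) % 1000
    if (day - today) % 1000 > VALID_DAYS:   # expired (or an impossible future day)
        return False, "prvs tag expired"
    if not hmac.compare_digest(_tag(day, address, secret), tag):
        return False, "bad signature"
    return True, address


if __name__ == "__main__":
    signed = batv_sign("john@example.com")
    print("MAIL FROM:", signed)
    print("genuine bounce :", batv_verify_bounce(signed))
    print("forged bounce  :", batv_verify_bounce("john@example.com"))
```

The verifier has to be applied only to mail with an empty envelope sender (bounces); ordinary inbound mail to `john@example.com` must of course still be accepted.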

SPF: Sender Policy Framework (http://www.openspf.org)
SPF tackles faked sender addresses by checking the IP addresses defined for delivery
for an email domain. Domain owners use DNS entries to flag their sender email
server and receiving SMTP gateways check the sender address in SMTP
communication based on the SPF entry in the DNS record, and can differentiate
between authentic and fake messages before any actual message content is
transmitted.

Module 307 – Page 10


Exceptions can be created to exclude emails from any of the checks based on the
source host, sender or recipient. If the email is to multiple recipients the exception
will be matched if any one of the recipients matches, resulting in the configured
checks being skipped for all recipients.

Module 307 – Page 11


Complete the following tasks in Lab 6
• Task 1: Enable the Quarantine Report
• Task 2: Configure Simple Email Protection

Prior to completing these tasks you must have completed all steps up to the end of
Lab 5 Task 6.

Module 307 – Page 12


The UTM can scan emails and attachments for confidential, personally identifiable,
financial and health information and take action to protect that data from accidental
leakage. To do this, Sophos provides over 200 Content Control Lists (CCLs), created
and managed by SophosLabs, for detecting a wide range of different sensitive data
including bank details, phone numbers, address, social security numbers and more.

The CCLs are categorized by type and region so that you can easily select the ones
that are relevant to your business.

In addition to the CCLs provided by Sophos you can also create your own rules using
regular expressions.
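Both the expression filter on the anti-spam slide (regular expressions or simple case-insensitive strings over subject and body) and the custom Data Protection rules described here come down to regex matching with a policy action attached. The added example below (my own code, not a SophosLabs CCL or the UTM’s rule engine) runs a small constructed rule set over a message body: a card-number pattern backed by a Luhn check to keep false positives down, a US SSN pattern, and a plain case-insensitive string in the expression-filter style. The rules, sample texts and the action names are constructed for the example.

```python
import re


def luhn_ok(digits):
    """Luhn checksum, used to discard 13-16 digit runs that cannot be card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed rules: (name, compiled pattern, optional validator on the matched text).
RULES = [
    ("credit card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda text: luhn_ok(re.sub(r"\D", "", text))),
    ("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("project codename", re.compile(r"\bproject\s+bluebird\b", re.IGNORECASE), None),
]


def scan_text(text):
    """Return [(rule name, matched text)] for every rule hit in subject or body text."""
    hits = []
    for name, pattern, validator in RULES:
        for match in pattern.finditer(text):
            found = match.group(0).strip()
            if validator is None or validator(found):
                hits.append((name, found))
    return hits


def data_protection_action(text, spx_on_match=True):
    """Policy decision: deliver clean mail; encrypt (or quarantine) mail that matches a rule."""
    hits = scan_text(text)
    if not hits:
        return "deliver", hits
    return ("encrypt with SPX" if spx_on_match else "quarantine"), hits


# Constructed sample messages.
SAMPLE_CONFIDENTIAL = ("Hi Kate, card 4111 1111 1111 1111 exp 12/29, SSN 123-45-6789. "
                       "Project Bluebird status attached.")
SAMPLE_CLEAN = "Hi Kate, order ref 4111111111111112 and ticket 98765. Lunch Friday?"

if __name__ == "__main__":
    for sample in (SAMPLE_CONFIDENTIAL, SAMPLE_CLEAN):
        print(data_protection_action(sample))
```

The clean sample contains a 16-digit run that fails the Luhn check, so it is delivered: a validator like this is what separates a usable DLP rule from one that quarantines every order number.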

Module 307 – Page 13


Secure PDF Exchange (SPX) encryption provides an easy way to send encrypted emails
without the need to exchange keys or certificates with the recipient. The original
email is converted to a PDF with any attachments and then encrypted using either
128-bit or 256-bit AES.

Inside the encrypted PDF a button is provided so the recipient can reply securely. The
button opens the Secure Reply Portal on the sender’s UTM where they can reply to
the original message including with attachments.

There are three ways for the encryption password to be created:

1. The sender can define the encryption password in the subject line using an
encryption tag
2. The UTM can generate the password and email it to the sender. This password
can be generated for each email, or stored and reused for a recipient
3. The recipient can create their own password using a self-registration portal

Module 307 – Page 14


We’ll now take a look at the workflow for the different ways the password is set,
starting with where the password is specified by the sender. In all of these examples
the email will be encrypted because it matches a scanning rule created on the
firewall.

1. John sends a confidential email that will match a scanning rule on the firewall
which has an SPX template selected. He includes a password in the subject line

2. The UTM receives the email and converts it to a PDF, encrypts it and then attaches
it to a template email. This email is sent to Kate, and explains to her how SPX works

3. Kate receives the email with the encrypted PDF attached, but doesn’t have the
password to open it yet

4. John needs to give the password to Kate via a separate and secure channel. This
could be over the phone, via SMS, or IM

5. Kate can now decrypt the email using the password from John

Module 307 – Page 15


Now let’s look at the case where the password is generated by Sophos UTM.

1. John sends a confidential email that will match a scanning rule on the firewall
which has an SPX template selected

2. The UTM receives the email and converts it to a PDF, encrypts it and then attaches
it to a template email. This email is sent to Kate, and explains to her how SPX works

3. Sophos UTM sends the encryption password to the sender, in this example that is
John

4. Kate receives the email with the encrypted PDF attached but doesn’t have the
password to open it yet

5. John needs to give the password to Kate via a separate and secure channel. This
could be over the phone, via SMS, or IM

6. Kate can now decrypt the email using the password from John

If the option to generate the password once and store it has been selected, then the
next time an email is sent to Kate she can use the same password to open it, without
John having to resend a new password each time.

Module 307 – Page 16


Finally, let’s walk through the process when the recipient creates their own password.

1. John sends a confidential email that will match a scanning rule on the firewall
which has an SPX template selected

2. The UTM receives the email and checks to see if Kate has a password for
encrypting the email. If there is no password for Kate, the firewall sends her an email
with a link to the self-registration portal and asks her to set a password

3. Kate receives the email and follows the link to the self-registration portal where
she creates a password

4. The UTM encrypts the email with the password Kate created and sends it to her

5. Kate receives the email and can decrypt it using the password she had set at the
portal

The next time an email is sent to Kate it will be encrypted and sent to her using the
same password.

Module 307 – Page 17


The UTM will encrypt email using SPX in two scenarios:
1. When a user selects encryption using the Sophos Outlook plugin. This plugin adds
an additional X-header to the email being sent, which the UTM looks for.
The plugin can be downloaded as an MSI from the WebAdmin
2. When Data Protection detects confidential data, and the Data Protection policy is
configured to enforce SPX encryption

Module 307 – Page 18


Within the encrypted PDF the recipient can access any files that were attached to the
original email before it was encrypted and use the Reply button to send a reply using
the secure reply portal.

This opens a browser to the portal on the UTM, which is secured using HTTPS and
runs on port 10444 by default.

Module 307 – Page 19


SPX is easy to configure and the setup requires little or no action from an
administrator.

In the configuration the administrator can set the password length and optionally
require special characters.

If the secure reply portal is going to be used, access settings such as the port, listen
address and allowed networks can be configured. Because the original email needs to
be stored on the UTM for the secure reply portal you can configure how long it
remains available. The longer this is set for the more disk space SPX will require.

Module 307 – Page 20


The SPX template configuration allows you to customize:
• The encryption used for creating the PDF
• How the password is set and the associated email template
• The email template for the SPX instructions that are sent to the recipient
• Enable the secure reply portal

Note that the active SPX template is selected in the global SMTP settings.

Module 307 – Page 21


If OpenPGP or S/MIME encryption has been configured on the UTM, there may be
times when an email triggers both OpenPGP or S/MIME encryption and SPX encryption.
Rather than encrypt the email twice, you can choose to prefer SPX encryption.
In this case, whenever SPX encryption is triggered by Data Protection or the Outlook
plugin, the email will only be encrypted with SPX and not OpenPGP or S/MIME. If SPX
encryption is not triggered, the email will be encrypted by OpenPGP or S/MIME as
normal.

Module 307 – Page 22


Where you may need to apply different settings to different mail domains you can use
SMTP Profiles. In this mode, you configure the SMTP settings as before, but you can
then create additional profiles that override these settings for selected email
domains.

By default the global settings are used, so you only need to configure those sections
that you want to have different settings.

Some policy options also allow you to add additional settings to the global settings
without overriding them completely, for example blocked file extensions.

Module 307 – Page 23


Mail Manager is an administrative tool for managing all emails stored on the Sophos
UTM. The Mail Manager menu displays an overview of mail statistics of emails stored
on the UTM and processed in the last 24 hours. From here the Mail Manager can be
launched in a new window.

SMTP and POP3 have separate quarantines which can be viewed, filtered and
searched.

Filters:
• Quarantine type: malware, spam, term/expression, file extension, MIME type,
unscannable, other error
• Filter options: profile/domain, sender/recipient, date received
• Sort by: date received, sender address, email size

Note: only the administrator can release any email held in the quarantine. Users can
release only the filtered emails shown to them in the User Portal or in the
Quarantine Report.

Mail Manager can also be used to search and filter the SMTP log which can help with
troubleshooting.

Module 307 – Page 24


Quarantine Reports can be configured to be sent to users who have had new items
quarantined allowing them to release items and add senders to their personal
whitelist. These can be sent once or twice a day at set times you can configure.

Spam sent to email aliases of a user will be listed in an individual Quarantine Report
for each email alias which will be sent to the user’s primary email address.

To prevent a single recipient of a mailing list email releasing it from the quarantine to
all recipients you can define mailing list patterns. When these are matched the user
who is releasing the email must enter their email address so that it can be released
only to them. If a mailing list pattern is not matched then it will be released to all
recipients.

Within the advanced settings you can override the hostname and change the default
port used for the release links in the Quarantine Report emails. You can also
configure which networks users are able to release emails from. While it is possible to
make this accessible from the Internet, it is not recommended.

By default users are not able to release all quarantined items, for example emails
containing malware. You can configure which quarantine reasons users will be able to
release emails for. These options are:
• Malware
• Spam
• Expression
• File extension
• Unscannable
• MIME-Type
• Other

Note: the Quarantine Report will be created in the language which is used within the
WebAdmin.

Module 307 – Page 25


The User Portal provides users with another option for managing their quarantined
items and personal sender whitelist and blacklist. Filtered emails are displayed for all
configured email addresses including aliases.

The User Portal provides the same interface as Mail Manager for filtering, searching,
previewing and releasing emails. Users also have access to see the mail log
information for their emails enabling them to see which emails have been sent,
received and blocked.

Using their personal sender whitelist and blacklist users can filter messages using:
• A full email address. E.g., johnsmith@sophos.com
• A whole domain using a wildcard. E.g., *@sophos.com

Module 307 – Page 26


Complete the following tasks in Lab 6
• Task 3: Configure Data Protection
• Task 4: Configure SPX Encryption
• Task 5: Configure SMTP Profiles

Prior to completing these tasks you must have completed all steps up to the end of
Lab 6 Task 2.

Module 307 – Page 27


Please take a few moments to answer the following knowledge check questions.

Module 307 – Page 28


Module 307 – Page 29
Module 307 – Page 30
Module 307 – Page 31
Module 307 – Page 32
Module 307 – Page 33
Module 307 – Page 34
Module 307 – Page 35
Module 307 – Page 36
On completion of this module, you can now:
• Describe the main capabilities of the Email Protection module
• Configure SMTP email filtering
• Enable Data Protection rules
• Enable SPX encryption
• Manage the quarantine and mail logs

Module 307 – Page 37


Now that you have completed this module, you should complete Module 308:
Wireless and Remote Access.

Module 307 – Page 38


Module 307 – Page 39
