Security

You can enable spam filters, antivirus scan, black and white list, content scan, and authentication to protect the mail system and client users.

Spam

Enable spam filters and set security rules to avoid spam.

To enable SpamAssassin filter:

Tick Enable SpamAssassin filter engine to filter out spam based on content-matching rules.
Enter the number of days in the Delete spam interval field to specify when spam will be deleted.
Click SpamAssassin Settings to see more options.
- Set the score threshold which messages must exceed to be marked as spam (Low: 5; Medium: 7.5; High: 10).
- Specify the subject prefix to mark spam.
- Choose to report spam as an attachment encapsulated in a new message, or convert it into plain text to avoid malicious web bugs and scripts.
- Enable Auto learning or Auto white list to improve spam filtering. If Auto learning is enabled, set the spam score which messages must exceed to be added to the learning database. Auto white list will assign a corresponding score to messages automatically.
- Click Custom Spam Filter to create and manage rules to mark certain messages as spam or non-spam. Rules that mark messages as non-spam take priority over rules that mark messages as spam. You can also import your rules to improve spam detection.
Click OK to save the settings.

Note:

Spam will be moved to junk automatically and deleted when the specified time elapses.
To achieve accuracy in spam detection, enable Auto white list after Auto learning has been enabled for a while.
To create custom rules, please refer to this website.
The rules to be imported into the Custom Spam Filter must be in CF format.

To enable DNS-based Blackhole List filter:

Use DNS-based Blackhole Lists (DNSBLs) to filter out spam published through the Internet Domain Name Service.

Tick Enable DNS-based Blackhole List filter.
Click DNSBL Servers to manage the server list.
Click Create and specify the DNSBL Servers and the Server type. Click OK.

To apply advanced security rules:

The high-security settings here might block legitimate messages, so please make sure you fully understand which type of senders you want to block before enabling any options.

Click Advanced Anti-Spam Settings.
Enable the following options based on your needs:
- Reject unauthorized pipelining requests: Blocks connections that keep sending SMTP requests.
- Reject unknown client hostnames: Blocks client connections from a host without an analyzable IP address or hostname.
- Reject HELO hostnames without fully qualified domain name (FQDN): Blocks connections when hostnames have incomplete domain names during HELO or EHLO.
- Reject unknown HELO hostnames: Blocks connections when hostnames do not have valid DNS entries during HELO or EHLO.
- Reject senders without fully qualified domain name (FQDN): Rejects messages when the sender's domain name does not match the RFC standard FQDN format.
- Reject senders using unknown domains: Rejects messages when the intended recipients are not existing client users of your Synology Mail Server and when the sender domain does not have a valid DNS entry.
Click OK to save the settings.

Antivirus

Enable antivirus to scan all inbound and outbound messages for viruses. If an infected message is detected, the system will delete the message and notify the sender.

Note:

To ensure the smooth running of security engines, it is recommended that you use models with at least 2 GB RAM.

Black and White List

Use the black and white list to reject, discard, or allow certain messages based on various criteria, such as senders, domains, or client IP addresses. For example, you can create a rule to reject messages sent from a certain email address (e.g., "menelaus@argos.com"), a domain (e.g., "argos.com"), or clients from a certain IP address ("192.168.123.456").

To create black and white list rules:

Click Black and White List.
Click Create.
Specify the criteria for the rule. For example:
- If you specify the IP address as "192", messages from "192.*.*.*" will be targeted.
- If you specify the email address as "admin@", messages from "admin@domain" will be targeted.
Choose what to do with messages that meet the criteria:
- Reject it: Messages will not be sent from or received by Synology Mail Server.
- Accept it: Messages will be accepted whether they are blocked by DNSBL or not.
- Discard it: Messages will be discarded and Synology Mail Server will not inform the sender.
Click OK to save the settings.

Rule Priority:

Messages that match multiple types of rules are handled in the following order: IP address of mail client > Sender rules > Recipient rules.
For example, there are the following two rules:
- IP address of mail client: 192.168.48.15 --> Reject it
- 'From:' address contains: username@mail.com --> Accept it
In this case, if a message is sent from "username@mail.com," but the IP address of the client that sent the message is "192.168.48.15," then the message will be rejected, because IP address of mail client rules have greater priority.
Rules with matching content but different actions are handled in the following order: Reject it > Discard it > Accept it.

Note:

The rules to be imported must be in the Postfix format.

To set daily sending quota:

Tick Enable daily sending quota.
Enter a quota to limit the number of messages users are allowed to send daily. Enter 0 if you do not want to impose any limits.
Click Advanced Settings if you want to set an individual quota for specific users.

To filter messages by attachment file types:

Click Attachment Filter.
Click Create to enter file types. Messages that contain attachments of the listed file types will be rejected.

Note:

Please use simple regular expression when entering file types. For example, if you enter vb[es], both the vbe and vbs file types will be rejected.

Content Scan

Allow the system to scan messages for potentially dangerous content.

To scan messages for dangerous content:

Tick Enable dangerous content scan.
Tick the desired checkboxes:
- Reject partial messages: When messages cannot be scanned properly for viruses and inappropriate content, they will be rejected to avoid potential virus infection.
- Reject external message bodies: Messages whose bodies are stored elsewhere on the Internet will be rejected to avoid fetching viruses from other Internet sites when downloading the message bodies.
- Highlight phishing fraud: The sections containing potential phishing fraud will be highlighted in the messages.
- Convert HTML into plain text: If HTML messages contain dangerous tags, they will be converted to plain text to make the HTML harmless, while still allowing you to read the text content.
  - Reject: Rejects messages containing specified tags.
  - Allow: Allows specified tags in messages.
  - Make tags ineffective: Allows specified tags in messages but makes them ineffective so that users are still able to see the text content.
Click OK to save the settings.

Authentication

Enable authentication mechanism to validate inbound messages and reduce spam.

To enable SPF:

Tick Enable SPF verification to verify sender identity and detect forged sender addresses.
Tick Reject SPF softfail if necessary. Messages whose verification result is softfail will be rejected.

To enable DKIM:

Tick Enable DKIM to sign outbound messages and to validate inbound messages based on sender signatures.
Enter a DKIM selector prefix of your own choice and click Generate Public Key.
Add and update the public key to your DNS records using a TXT record, so that other mail servers will be able to authenticate your DKIM signature. The TXT record should be added as follows:
- TXT record name: [DKIM selector prefix]._domainkey.[your domain]
  [DKIM selector prefix] should be replaced with the prefix you entered above, and [your domain] should be replaced with your actual domain name.
  For example: 123._domainkey.example.com
- TXT record value: v=DKIM1; k=rsa; p=[DKIM public key]
  [DKIM public key] should be replaced with the key you generated above.
  For example: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQE

To enable DMARC:

Tick Enable DMARC to validate senders' email domains.
Update your DNS records using a TXT record, so that your outbound messages will be able to pass DMARC authentication of other mail servers. The TXT record should be added as follows:
- TXT record name: _dmarc.[your domain]
  [your domain] should be replaced with your actual domain name.
  For example: _dmarc.example.com
- TXT record value: v=DMARC1; p=[Policy for domain]; pct=[% of messages subjected to filtering]; rua=[Reporting URI of aggregate reports]
  For example: v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com

Was this article helpful?

Yes ／ No