Email Security 9.0 Admin Guide

Deployment Planning

Before deploying your SonicWall Email Security solution, determine the appropriate architecture for your configuration. This section discusses the different modules available in SonicWall Email Security and the possible network topologies for planning.

NOTE: For installation and setup instructions for your SonicWall Email Security appliance, refer to the appropriate Getting Started Guide.


Available Module Licenses

Email Security comes with several modules that must be licensed separately. For maximum effectiveness, all modules are recommended. The following licenses are available:


Email Protection (Anti-Spam and Anti-Phishing)

Protects against email spam and phishing attacks.

Email Anti-Virus (McAfee and SonicWall Time Zero)

Provides updates for McAfee anti-virus definitions and SonicWall Time Zero technology for immediate protection from new virus outbreaks.

Email Anti-Virus (Kaspersky and SonicWall Time Zero)

Provides updates for Kaspersky anti-virus definitions and SonicWall Time Zero technology for immediate protection from new virus outbreaks.

Email Anti-Virus (SonicWall Grid A/V and SonicWall Time Zero)

Provides updates for SonicWall Grid anti-virus definitions and SonicWall Time Zero technology for immediate protection from new virus outbreaks.

Email Anti-Virus Cyren

Provides updates for Cyren anti-virus definitions and SonicWall Time Zero technology for immediate protection from new virus outbreaks.

Email Encryption Service

Features enabling the secure exchange of sensitive and confidential information. It includes predefined dictionaries to ensure proper protection.

Email Compliance Subscription

Provides a license for the compliance features. It includes predefined policies for easy compliance, allows multiple governance policies, identifies email for compliance policy enforcement, and provides compliance reporting and monitoring.

Capture for Email Security

Provides analysis of suspicious attachments by executing them and examining their behavior in an isolated sandbox environment.

Email Security and Mail Threats

SonicWall Email Security can help you safeguard your data and meet compliance requirements. It helps protect your organization from outside attacks with effective virus, zombie, phishing and spam blocking, and it leverages multiple threat-detection techniques. It can also help you better understand email usage, archive for compliance, efficiently perform e-discovery, and audit all mailboxes and access controls to prevent violations.

When evaluating messages, Email Security processes incoming email using the following order of judgement, with each stage applied in turn. If none of the following stages determines that the message is a threat, it is delivered to the destination server:

Connection management (such as IP reputation, IP block, IP allow, IP defer)
DHA (Directory Harvest Attack)
Policy filter
Corporate Allow List
Corporate Block List
Personal Allow List
Personal Block List
SPF (Sender Policy Framework)

Some features, such as SPF and DKIM, have an Ignore Allowed List option. When Ignore Allowed List is selected, the Address Books do not give a "Free Pass" for that specific feature: a message from an allowed sender is still checked by it. Clearing the Ignore Allowed List check box gives the sender a "Free Pass" for that feature only.
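The order of judgement and the Ignore Allowed List behaviour are easier to reason about with a concrete model. The following is an added example, not SonicWall's code: the stage names follow the guide, but the data structures, the handling of Ignore Allowed List for SPF, the IP reputation/allow interaction, and the sample messages and policy are assumptions constructed for the demonstration.

```python
"""Illustrative model of the inbound order of judgement described above.

Added example, not SonicWall's code: the stage names follow the guide, but
the data structures, the Ignore Allowed List handling for SPF, the reputation
exemption and the sample messages are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network


@dataclass
class Message:
    client_ip: str
    envelope_from: str
    recipient: str
    spf_result: str  # "pass", "fail" or "none"; assumed computed by an SPF check elsewhere
    body: str = ""


@dataclass
class Policy:
    ip_block: list = field(default_factory=list)             # CIDRs always rejected
    ip_reputation_block: list = field(default_factory=list)  # CIDRs with bad reputation (constructed)
    ip_allow: list = field(default_factory=list)             # CIDRs exempt from the reputation check
    valid_recipients: set = field(default_factory=set)       # LDAP-backed in the product
    policy_filter_terms: list = field(default_factory=list)
    corporate_allow: set = field(default_factory=set)        # sender addresses or domains
    corporate_block: set = field(default_factory=set)
    personal_allow: dict = field(default_factory=dict)       # recipient -> set of senders/domains
    personal_block: dict = field(default_factory=dict)
    spf_ignore_allow_list: bool = True                       # the Ignore Allowed List check box for SPF


def _ip_in(ip, cidrs):
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def _listed(sender, listing):
    domain = sender.rsplit("@", 1)[-1]
    return sender in listing or domain in listing


def judge(msg, policy):
    """Return (verdict, deciding_stage) following the guide's order."""
    # 1. Connection management: decided on the client IP before any content is read.
    if _ip_in(msg.client_ip, policy.ip_block):
        return "reject", "connection management (IP block)"
    if _ip_in(msg.client_ip, policy.ip_reputation_block) and not _ip_in(msg.client_ip, policy.ip_allow):
        return "reject", "connection management (IP reputation)"
    # 2. DHA: probes for non-existent recipients are rejected.
    if msg.recipient not in policy.valid_recipients:
        return "reject", "DHA"
    # 3. Policy filter runs before any address book, so allow lists cannot skip it.
    for term in policy.policy_filter_terms:
        if term.lower() in msg.body.lower():
            return "quarantine", f"policy filter ({term})"
    # 4-7. Address books: corporate allow, corporate block, personal allow, personal block.
    allow_listed = False
    if _listed(msg.envelope_from, policy.corporate_allow):
        allow_listed = True
    elif _listed(msg.envelope_from, policy.corporate_block):
        return "quarantine", "corporate block list"
    elif _listed(msg.envelope_from, policy.personal_allow.get(msg.recipient, set())):
        allow_listed = True
    elif _listed(msg.envelope_from, policy.personal_block.get(msg.recipient, set())):
        return "quarantine", "personal block list"
    # 8. SPF: an allow-listed sender gets a free pass only if Ignore Allowed List is cleared.
    if msg.spf_result == "fail":
        if allow_listed and not policy.spf_ignore_allow_list:
            return "deliver", "SPF skipped (allow list free pass)"
        return "quarantine", "SPF"
    return "deliver", "no threat found"


# Constructed policy and sample messages (RFC 5737 documentation addresses).
POLICY = Policy(
    ip_block=["203.0.113.0/24"],
    ip_reputation_block=["198.51.100.0/24"],
    ip_allow=["198.51.100.7/32"],
    valid_recipients={"alice@example.com", "bob@example.com"},
    policy_filter_terms=["confidential"],
    corporate_allow={"partner.example"},
    corporate_block={"spammer.example"},
    personal_allow={"bob@example.com": {"news@lists.example"}},
    personal_block={"alice@example.com": {"news@lists.example"}},
)
POLICY_FREE_PASS = replace(POLICY, spf_ignore_allow_list=False)

SAMPLES = {
    "blocked_ip": Message("203.0.113.9", "x@any.example", "alice@example.com", "pass"),
    "reputation_exempt": Message("198.51.100.7", "x@any.example", "alice@example.com", "pass"),
    "reputation_hit": Message("198.51.100.8", "x@any.example", "alice@example.com", "pass"),
    "dha_probe": Message("192.0.2.10", "x@any.example", "nobody@example.com", "pass"),
    "policy_hit": Message("192.0.2.10", "ceo@partner.example", "alice@example.com", "pass", "Confidential draft"),
    "partner_spf_fail": Message("192.0.2.10", "ceo@partner.example", "alice@example.com", "fail"),
    "spammer_spf_pass": Message("192.0.2.10", "ads@spammer.example", "bob@example.com", "pass"),
    "personal_allow_spf_fail": Message("192.0.2.10", "news@lists.example", "bob@example.com", "fail"),
    "personal_block": Message("192.0.2.10", "news@lists.example", "alice@example.com", "pass"),
}


def judge_all(policy=POLICY):
    return {name: judge(msg, policy) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, stage) in judge_all().items():
        print(f"{name:24s} {verdict:10s} {stage}")
```

Two points the model makes visible: a corporate allow-listed partner whose message matches a policy filter term is still quarantined, because the policy filter sits ahead of the address books in the order; and the same partner failing SPF is quarantined while Ignore Allowed List is selected but delivered once it is cleared, which is exactly the "Free Pass" the guide describes.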

Email Security Deployment Architecture

When planning a deployment, Email Security can be configured in one of two ways: an All in One architecture or a Split Network architecture. Select the architecture before installation to avoid issues later.

All in One Architecture

In the All in One configuration, all machines running SonicWall Email Security analyze email, quarantine junk mail, and allow for management of administrator and user settings.

In an All in One configuration, you can also deploy multiple Email Security servers in a cluster setup wherein all of the gateways share the same configuration and data files. To set up such a cluster, begin by creating a shared directory, on either one of the SonicWall Email Security servers or on another dedicated server (preferred) running the same operating system. This shared directory is used to store data including user settings, quarantine email, and such from all the SonicWall Email Security servers in the cluster.

Split Network Architecture

A Split Network configuration is comprised of two kinds of servers: Control Centers and Remote Analyzers. Typically, this configuration has one Control Center and multiple Remote Analyzers, but Control Center functions can be distributed between several Control Centers, where each device performs a specific job, such as main control center functions, searching, or reporting. This allows the work to be balanced between the Control Centers and is sometimes referred to as a cluster. The Split configuration is designed for organizations with remote physical data centers.

The Split configuration allows you to manage SonicWall Email Security so that email messages are filtered in multiple remote locations through Remote Analyzers at those locations. The entire setup is centrally managed through the Control Center at a single location.

The Control Center controls, monitors, and communicates with all Remote Analyzers, in addition to storing or quarantining the junk email it receives from the Remote Analyzers. It manages all the data files, which consist of statistical data such as how much email has been received, network usage, remote hardware space used, and hourly spam statistics. The Control Center also queries LDAP servers to ensure valid users are logging in to SonicWall Email Security. End users can log in to a Control Center to manage their junk mail.

Remote Analyzers analyze incoming email to determine whether it is good or junk. A Remote Analyzer sends junk email to the Control Center, where it is quarantined, and routes good mail to its destination server. Only administrators can log in to a Remote Analyzer.

NOTE: The Replicator is the SonicWall Email Security component that automatically sends data updates from the Control Center to the Remote Analyzer, ensuring that these components are always synchronized. Replicator logs are stored in the Control Center’s logs directory. You can review replication activity from these logs for troubleshooting purposes.

Selecting an Architecture

SonicWall recommends the All in One configuration whenever possible because of its simplicity. Choose a Split Network configuration to support multiple physical data centers that can be centrally managed from a single location.

IMPORTANT: Make the deployment architecture decision before installing Email Security on the device. If you change the setup from a Control Center to a Remote Analyzer or vice versa, some data may be lost in the transition. There is no obvious advantage to changing a device's role after deployment.

Email Security as the First-Touch/Last-Touch Server

In a deployment where Email Security is the first-touch and last-touch server in the DMZ, change your MX records to point to the SonicWall Email Security setup. Also, all the inbound and outbound connections (typically port 25) for SonicWall Email Security must be properly configured in your firewalls.

In this configuration, SonicWall Email Security can be configured on the inbound path as either an SMTP proxy or an MTA (see Proxy versus MTA for more information). On the outbound path, it must be configured as an MTA. This setup can also be extended to a cluster of multiple SonicWall Email Security servers, all using a shared drive for their data location.

To configure Email Security as the first-touch/last-touch server:
1. Configure the Email Security server with a static IP address on your DMZ.
2. In your firewall, add an inbound NAT rule that maps an Internet-addressable IP address to the server's private IP address for TCP port 25 (SMTP).
3. In the public DNS server on the Internet, create an A record mapping a name such as smtp.my_domain.com to the Internet-addressable IP address you assigned in step 2.
4. Update your email domain's MX record to point to the new record. Every MX record for the domain must point to a SonicWall Email Security deployment: senders can deliver to any host listed in MX, so an MX record that points past Email Security lets mail bypass it.
NOTE: SonicWall does not recommend a network topology in which Email Security is not the first-touch and last-touch SMTP server, because security mechanisms such as SPF and Connection Management depend on seeing the original sending IP address and cannot be used. If you opt for this topology, Email Security can be configured as either an MTA or a proxy.
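Steps 1 to 4 above chain together (DMZ address, NAT rule, A record, MX record), and a gap anywhere in the chain either breaks inbound mail or leaves an MX host that bypasses filtering. The following is an added pre-deployment check, not from the guide or SonicWall: the DNS records, NAT rules and DMZ addresses are constructed for the demonstration (RFC 5737 and RFC 1918 ranges) so that it runs offline; in a real deployment you would feed it the live records and the firewall's NAT table.

```python
"""Pre-deployment check for the first-touch/last-touch steps above.

Added example, not from the guide or SonicWall. It verifies, from a
constructed set of DNS records, firewall NAT rules and DMZ addresses, that
every MX record of the mail domain lands on an Email Security host through
an inbound TCP/25 NAT rule (steps 1 to 4). A real run would pull the records
from a resolver and the firewall; they are embedded here so the check runs
offline. Addresses are RFC 5737 / RFC 1918 documentation ranges.
"""

# (owner, rrtype) -> list of rdata. MX rdata is (preference, exchange). Constructed.
DNS_RECORDS = {
    ("example.com.", "MX"): [(10, "smtp.example.com."), (20, "mail-old.example.com.")],
    ("smtp.example.com.", "A"): ["192.0.2.25"],
    ("mail-old.example.com.", "A"): ["192.0.2.80"],
}

# Inbound NAT rules as the firewall would list them. Constructed.
NAT_RULES = [
    {"public": "192.0.2.25", "port": 25, "private": "10.10.0.25"},
    {"public": "192.0.2.80", "port": 25, "private": "10.10.0.80"},
]

# Static DMZ addresses of the Email Security servers (step 1). Constructed.
ES_HOSTS = {"10.10.0.25"}


def check_mx_paths(domain, dns=DNS_RECORDS, nat_rules=NAT_RULES, es_hosts=ES_HOSTS):
    """Follow MX -> A -> NAT -> private host for every MX and report each hop."""
    findings = []
    for pref, exchange in sorted(dns.get((domain, "MX"), [])):
        addrs = dns.get((exchange, "A"), [])
        if not addrs:
            findings.append((pref, exchange, "FAIL: no A record (step 3)"))
            continue
        for public_ip in addrs:
            rules = [r for r in nat_rules if r["public"] == public_ip and r["port"] == 25]
            if not rules:
                findings.append((pref, exchange,
                                 f"FAIL: {public_ip} has no inbound TCP/25 NAT rule (step 2)"))
            elif all(r["private"] in es_hosts for r in rules):
                findings.append((pref, exchange,
                                 f"OK: {public_ip} -> {rules[0]['private']} is Email Security"))
            else:
                findings.append((pref, exchange,
                                 f"FAIL: {public_ip} -> {rules[0]['private']} is not Email Security; "
                                 "senders can deliver to this MX and bypass filtering (step 4)"))
    return findings


def is_first_touch(domain, **kwargs):
    """True only when the domain has MX records and every one of them reaches Email Security."""
    findings = check_mx_paths(domain, **kwargs)
    return bool(findings) and all(f[2].startswith("OK") for f in findings)


if __name__ == "__main__":
    for pref, exchange, result in check_mx_paths("example.com."):
        print(f"MX {pref:3d} {exchange:24s} {result}")
    print("first-touch:", is_first_touch("example.com."))
```

In the constructed data the primary MX is correct but a leftover backup MX still points at the old mail server's NAT rule, so the check reports the domain as not first-touch; removing that MX (or repointing it at an Email Security host) makes it pass. Run the check again after every MX or firewall change.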

Proxy versus MTA

SonicWall Email Security can run either as an SMTP proxy or a Mail Transfer Agent (MTA).

The SMTP proxy operates by connecting to the destination SMTP server before accepting a message from the sending SMTP server. Note that an SMTP proxy can only send email to one server. Benefits of the SMTP proxy include:

All processing occurs in memory, significantly reducing latency and providing higher throughput.
There is no queue: a message is not accepted from the sender until the destination server has accepted it, so SonicWall Email Security cannot lose email messages.
Email Security automatically respects your existing failover strategies if your mail infrastructure experiences a failure, because a sender that cannot be relayed is told to retry.

The MTA service operates by writing messages to disk and allows message routing. Some benefits of the MTA are:

Routing messages to different domains based on MX records or LDAP mapping
Queuing messages by temporarily storing messages on disk and retrying delivery later in case the receiving server is not ready
Allowing Email Security to be the last touch mail gateway for outbound traffic
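The practical difference between the two modes is who owns a message when the destination is unreachable: a proxy refuses it with a temporary failure so the sending MTA applies its own retry and MX failover logic, whereas an MTA accepts it, spools it and retries itself, and can route by recipient domain. The following toy model, an added example and not SonicWall's code, shows both behaviours side by side. The routing table, the downstream availability flags and the reply texts are constructed; the reply codes follow RFC 5321 conventions (4xx temporary, 5xx permanent).

```python
"""Toy model of the proxy-versus-MTA distinction above.

Added example, not SonicWall code. Downstream availability, the routing
table and the reply texts are constructed; reply codes follow RFC 5321
(4xx = try again later, 5xx = permanent). The proxy never owns a message it
cannot hand off; the MTA takes ownership, spools it (a deque stands in for
the on-disk queue) and retries on later delivery passes.
"""
from collections import deque

# Assumed MX/LDAP mapping from recipient domain to destination server (constructed).
ROUTES = {"example.com": "mail.example.com", "partner.example": "mail.partner.example"}


class Gateway:
    def __init__(self, mode, proxy_target=None):
        assert mode in ("proxy", "mta")
        self.mode = mode
        self.proxy_target = proxy_target  # a proxy can only forward to one server
        self.queue = deque()              # stands in for the MTA's on-disk spool

    def accept(self, rcpt, data, downstream):
        """Reply sent to the sending MTA at end of DATA; downstream maps server -> reachable?"""
        domain = rcpt.rsplit("@", 1)[-1]
        if self.mode == "proxy":
            # The proxy connects to the destination before it accepts the message:
            # if that fails, the sender is told to retry and keeps its own failover.
            if not downstream.get(self.proxy_target, False):
                return "451 4.4.1 destination unavailable, try again later"
            return "250 2.0.0 relayed to " + self.proxy_target
        target = ROUTES.get(domain)
        if target is None:
            return "550 5.1.2 no route for " + domain
        # The MTA takes responsibility for the message now and delivers later.
        self.queue.append((target, rcpt, data))
        return "250 2.0.0 queued for " + target

    def run_queue(self, downstream):
        """One delivery pass; undeliverable items stay queued for the next retry."""
        delivered, retained = [], deque()
        while self.queue:
            item = self.queue.popleft()
            (delivered if downstream.get(item[0], False) else retained).append(item)
        self.queue = retained
        return delivered


def demo():
    """Same messages through both modes while mail.partner.example is down."""
    down = {"mail.example.com": True, "mail.partner.example": False}  # constructed state
    proxy = Gateway("proxy", proxy_target="mail.example.com")
    partner_proxy = Gateway("proxy", proxy_target="mail.partner.example")
    mta = Gateway("mta")
    result = {
        "proxy_local": proxy.accept("alice@example.com", "hello", down),
        "proxy_partner": partner_proxy.accept("bob@partner.example", "hello", down),
        "mta_partner": mta.accept("bob@partner.example", "hello", down),
        "mta_unroutable": mta.accept("x@unknown.example", "hello", down),
    }
    result["mta_first_pass"] = len(mta.run_queue(down))    # partner still down: nothing delivered
    down["mail.partner.example"] = True
    result["mta_second_pass"] = len(mta.run_queue(down))   # retried and delivered
    result["proxy_queue_len"] = len(partner_proxy.queue)   # a proxy holds nothing
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value}")
```

Note the 451 in proxy mode: it is a temporary failure, so the sending server keeps the message in its own queue and may try your next MX, which is why a proxy deployment "respects your existing failover strategies" but also why every MX host must itself be an Email Security server.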

Inbound and Outbound Email Flow

Email Security can process both inbound and outbound email on the same machine. In an All in One configuration, each Email Security instance can support both inbound and outbound email. In a Split configuration, each Remote Analyzer can support both inbound and outbound email.

For inbound email flow, DNS configuration and firewall rules must be set to direct email traffic to SonicWall Email Security. For outbound email flow, the downstream email server must be configured to send all email to SonicWall Email Security (smart host configuration).