Email Security 9.0 Admin Guide

Policy & Compliance

SonicWall Email Security’s Policy Management feature enables you to write policies to filter messages and their contents as they enter or exit your organization. Policies can be defined only by an administrator. Typical uses of policies include capturing messages that contain certain business terms, such as trademarked product names, company intellectual property, and dangerous file attachments.

This chapter contains the following sections:

Policy Management and Mail Threats

As SonicWall Email Security evaluates email, it uses the following order when evaluating threats in email messages:

Virus
Likely Virus
Policy Filters
Phishing
Likely Phishing
Spam
Likely Spam

For example, if a message is both a virus and spam, the message is categorized as a virus, since virus is higher in precedence than spam. If SonicWall Email Security determines that the message is not any of the above threats, it is delivered to the destination server.

Policy Management plays a key role in evaluating the email threats by filtering email based on message contents and attachments. You can create policy filters in which you specify an action or actions you want Email Security to take on messages that meet the conditions you define. For example, you can specify words to search for—a product term, for example—in content, senders, or other parts of the email. After filtering for specified characteristics, you can choose from a list of actions to apply to the message and its attachments.

 
NOTE: Any of the policies configured in the Policy section take precedence over any entries made in the Allowed List.

Filters

The Policy & Compliance > Filters page is where you manage preconfigured files and where you define new filters for both inbound and outbound paths.

NOTE: Policies created on the inbound path cannot be shared with the outbound path and vice versa. See Managing Filters for examples of adding inbound and outbound policies.

This section contains the following topics:

Preconfigured Inbound Filters

The following preconfigured filters are provided with Email Security. They are not enabled by default and need to be enabled if you want to use them.

To enable a preconfigured filter:
1. Identify the filter you want to enable.
2. Select Edit.
3. At the top of the Edit Filter page, check the box to Enable this filter.
4. Scroll to the bottom of the Edit Filter page and select Save This Filter.

Preconfigured Inbound Filters describes the preconfigured inbound filters.

 

Preconfigured Inbound Filters

Filter name

Function

Junk emails with attachments over 4MB

Stores all incoming email messages over 4MB in size in the Junk Box.

Strip potentially dangerous file attachments

Strips all attachments from the incoming email messages that triggered the filter conditions. Enable and edit this rule if you want to allow some of these attachments and not others.

PGP: Decrypt

Sends encrypted inbound messages to the PGP Universal Server for decryption. PGP is often used for signing, encrypting, and decrypting texts, emails, files, and directories.

Strip picture and movie attachments

Strips all attachments from the incoming email messages that triggered the filter conditions. Enable and edit this rule if you want to allow some of these attachments and not others.

Detect Personal Health Information (PHI) records in inbound mails

Detects personal health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying tool.

Detect corporate financial information in inbound mails

Detects corporate financial information in the subject line or body of an email by utilizing the Financial Terms predefined dictionary as an identifying tool.

Detect Personal Financial Information (PFI) records in inbound mails

Detects personal financial information by using the Record ID Definitions feature as an identifying tool, looking for mails that match Social Security Number and Credit Card Number formats.

PGP: Decrypted by PGP

Delivers messages decrypted by the PGP server to the internal mail server.

Preconfigured Outbound Filters

The following preconfigured filters are provided with Email Security. They are not enabled by default and need to be enabled if you want to use them.

To enable a preconfigured filter:
1. Identify the filter you want to enable.
2. Select Edit.
3. At the top of the Edit Filter page, check the box to Enable this filter.
4. Scroll to the bottom of the Edit Filter page and select Save This Filter.

Preconfigured Outbound Filters describes the preconfigured outbound filters.

 

Preconfigured Outbound Filters

Filter name

Function

Detect Personal Financial Information (PFI) records in outbound mails

Detects personal financial information by using the Record ID Definitions feature as an identifying tool, looking for mails that match Social Security Number and Credit Card Number formats.

Detect Personal Health Information (PHI) records in outbound emails

Detects personal health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying tool.

PGP: Deliver Encrypted Msg

Delivers the encrypted message to the external recipient.

PGP: Encrypt

Sends outbound messages to the PGP Universal Server for encryption. PGP is often used for signing, encrypting, and decrypting texts, emails, files, and directories.

Send Secure Mail: Deliver Message via SecureMail Server

Delivers messages using the SecureMail Server.

Detect Corporate Financial Information in Outbound Mails

Detects corporate financial information in the subject line or body of an email by utilizing the Financial Terms predefined dictionary as an identifying tool.

Send Secure Mail: Deliver Message via Encryption Service

Delivers messages using the Encryption Service.

Adding Filters

You can add filters for email as it enters or exits your organization.

To create a policy filter:
1. Navigate to the Policy & Compliance > Filters page.
2. Select the Inbound or Outbound tab to create filters for inbound or outbound email messages.
3. Click the Add New Filter button. The Add Filter window displays.

NOTE: The fields in the window change based on the actions you choose.

4. The Enable this Filter check box is checked by default. Uncheck the box to create rules that do not go into effect immediately.
5. Choose whether the filter matches All of the conditions or Any of the conditions:
All—Causes email to be filtered only when all of the filter conditions apply (logical AND).
Any—Causes email to be filtered when any of the conditions apply (logical OR).
6. Choose the parts or types of message to filter in the Select field. See the following table for more information:
 

Select

Definition

Spam/Phishing Judgment

Filters messages based on the judgment that the message is spam or a phishing attempt.

Likely Spoof Judgment

Filters messages based on the judgment that the message is a likely spoof attempt.

Address Book

For any incoming email, the policy first checks whether the email address is a valid address in the address book, then takes further action based on how the policy is defined.

From

Filter by the sender’s name

To/Cc/Bcc

Filter by the names in the To, Cc, or Bcc fields

Subject

Filter by words in the subject

Body

Filter based on information in the body of the email

Subject or Body

Filter based on information in the subject and body of the email

Subject, Body, or Attachments

Filter based on information in the subject, body, and attachments of the email

Message headers

Filter by the RFC822 information in the message header fields, which includes information like the return path, date, message ID, received from, and other information

Attachment name

Filter attachments by name

Attachment contents

Filter based on information in the email attachments

Attachment Type

Filter based on type of attachment

Country Code

Filter based on sender’s country code

Size of message

Filter messages based on the size of the message

Number of recipients

Filter messages based on the number of recipients

RFC 822 Byte Scan

Scan the entire email message

Source IP

Filter messages based on the sender’s IP address

Single Message Header

Filter messages containing a single message header

Originating IP

Filter messages based on the IP address from where the message was sent

7. Choose the matching operation in the Matching field. The matching options vary based on the filtering option you selected.
8. Enter the value you want to filter in the Search Value text box, or select one of the other options listed, if enabled. Use dictionary and Use record ID are part of the Compliance Subscription License.

NOTE: If the Compliance Subscription License is active, the administrator has additional filtering conditions that can be set. The Use dictionary option of using terms from a dictionary can be selected, as well as the Use Record ID option, which looks for numbers such as telephone numbers or social security numbers.

Use Attachment Type allows you to select a specific type of file attachment. About 137 file types are listed.
Use Country Code allows you to select the country code you want to filter on.
9. Select the appropriate check boxes to further refine your search:
Match Case—Filters a word or words sensitive to upper and lower case.
Intelligent Attachment Matching—Filters attachment names, such as .exe or .zip.
Disguised Text Identification—Filters disguised words through the sequence of their letters, for example Vi@gr@.

NOTE: Disguised Text Identification cannot be used with Match Case and can be selected only for Body and Subject message parts.

10. Click the + icon if you want to add another layer of filtering. You can add up to 20 layers. Filter layers are similar to rock sifters: each additional layer adds further filtering that tests email for additional conditions.
11. Choose the response action from the Action drop down list. The following table describes the available response actions:
 

Action

Effect

Store in Junk Box

The email message is stored in the Junk Box. It can be unjunked by users and by administrators with the appropriate permissions.

Deliver and skip Spam and Phishing Analysis

The message is delivered without spam or phishing analysis.

Permanently delete

The email message is permanently deleted and no further processing occurs in any SonicWall Email Security module. This option does not allow the user to review the email and can cause good email to be lost.

Store in Approval Box

The email message is stored in the Approval Box. It will not be delivered until an administrator approves it for delivery.

Reject with SMTP error code 550

The message is returned to sender with an error message indicating that it was not deliverable.

Deliver and reject with SMTP error code 550

The message is delivered to the recipient and is bounced back to the sender with an error message.

Route to

The message is routed to the specified email address. The message can be routed to only one email address.

Deliver and route to

Deliver to the recipients and also route to the specified email address. The message can be routed to only one email address.

Route to IP

The message is routed to the specified IP address. The message can be routed to only one IP address.

Deliver and Route to IP

Deliver to the recipients and also route to the specified IP address. The message can be routed to only one IP address.

Encrypt

Message is sent to the encryption center for encryption. This action is used for outbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Compliance Module > Encryption page.

Decrypt

Message is sent to the decryption center for decryption. This action is used for inbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Compliance Module > Encryption page.

Route to Encryption Service

Message is sent for encryption to protect private information.

Tag subject with

The subject of the email is tagged with the specified term.

Strip all attachments

Remove all the attachments from the email.

Append text to message

The specified text is appended to the message body.

Issue email notification

Sends an email notification to the recipients of the email that triggered the rule.

Add X-header to message

Adds an X-header to the email.

Remove X-header from message

Removes an X-header from an email.

Skip Capture

Message is not sent for Capture analysis.

12. Select the Stop processing policy filters check box when no additional filtering is required on a message. This check box is automatically selected and grayed out when you have selected a terminal action.
13. If additional actions need to be performed on the same message, select the + icon to the right. You cannot add the same action more than once to a specific filter rule. As a result, once an action has been selected, it is not available in the drop down list for further selection within the current filter rule.
14. Type a descriptive name in the Filter Name text box.
15. Select a policy group you want to apply this filter to. By default, Apply to everyone is selected and this filter applies to all email messages.
16. Add a brief description to the Purpose text box.
17. Click the Save This Filter button.

Language Support

Policy management supports filtering messages based on non-English terms in the Search Value. For example, you can search for a Japanese word or phrase in the body of a message. However, Email Security does not support adding text strings to email messages in languages other than English and does not support foreign language filter names.

Managing Filters

The Filters page lists all the filters created in the system for the Inbound and Outbound path. They are processed in the order they are listed.

From this view, you can Add New Filter, change the order of filters, Edit or Delete filters. Filters that have been enabled are indicated with a green tick mark.

To change a filter that has been saved:
1. On the Policy & Compliance > Filters page, select the Inbound or Outbound tab (wherever the filter is located).
2. Select the Edit button adjacent to the filter to be changed.
3. Change any of the filter conditions.
4. Select Save This Filter.

To delete a filter:
1. Select the Delete button adjacent to the filter.
2. Confirm your choice when asked.

To change the order of the filters:
1. Drag and drop the filter in the order you prefer.

Advanced Filtering

This section contains various advanced configuration examples related to Filters:

Creating a Multi-Layered Filter

You can create filters with multiple conditions chained together and multiple actions performed on the message if the specified conditions are met.

For example, if the email message is:

sent from NASA and
the body contains the word Mars,

then take the following actions:

tag the subject with the term [Mars Update from NASA] and
route the message to engineering.

To create a multi-layered filter like the example above:
1. Click the Add New Filter button from the Policy & Compliance > Filters > Inbound page.
2. Select All conditions to be met.
3. With the Specific Words operation, search for nasa.org in the message part From.
4. Select the + button to the right to add another condition.
5. With the Specific Words operation, search for Mars in the message part Body. Enable Match Case to get an exact case match.
6. Select the action Tag Subject With. Set the Tag field to [Mars Update from NASA].
7. Verify that the Stop processing policy filters check box is not enabled.
8. Select the + icon to the right to add another action.
9. Select the action Route To and set the To field to engineering@company.com.
10. Select the Stop Processing Policy Filters check box to stop further policy filtering on this message.
11. Select the Save This Filter button.

Creating an Outbound Filter to Add a Company Disclaimer

This section provides steps to add a company disclaimer to the end of each outgoing message from your organization. In this example, if email is sent from anyone at sonicwall.com, the following message is appended to the end of the message: This is my company disclaimer

To create the outbound policy filter:
1. In the SonicWall management interface, navigate to the Policy & Compliance > Filters screen, and click the Outbound tab.
2. Click the Add New Filter button.
3. Select All conditions to be met.
4. Select From in the Select drop down list.
5. Select Contains in the Matching drop down list.
6. Type sonicwall.com in the Search Value field.
7. To protect against internal spammers or zombies, click the + icon to add another condition.
8. Select Spam/Phishing Judgement from the Select drop down list.
9. Select is good in the Matching drop down list.
10. Select the action Append text to message.
11. In the Message text field, type: This is my company disclaimer.
12. Type the Filter Name: Outbound Disclaimer.
13. Select Apply to Everyone from the drop down menu for the Apply this filter to field.
14. Add a brief description to the Purpose Text field: for example, Adds a company disclaimer to outgoing mail.
15. Click the Save This Filter button.

Configuring a Policy Filter for Inbound Email

To filter email messages sent to your organization that are not judged as spam but contain the words “job application” in the subject or body of the email message, follow the procedures listed:

If an email is:

not judged as spam and
the subject or body of the email contains the words job application,

then take the following actions:

route the email to hr@sonicwall.com

To create the inbound policy filter like the example above:
1. Click the Add New Filter button under the Inbound tab.
2. Select All conditions to be met.
3. Select the Spam/Phishing Judgement operation.
4. Set Matching to is not spam.
5. Select the + icon to add another condition.
6. Select the Subject or Body option from the drop down list.
7. Set Matching to with specific phrase.
8. Type the words job application in the Search value field.
9. Select the action Route to.
10. Enter the email address hr@sonicwall.com in the To field.
11. Name the filter Resume Routing.
12. Select Apply to Everyone from the drop down menu in the Apply this filter to section.
13. Add a brief description to the Purpose Text field.
14. Select the Save This Filter button.

Exclusive Actions

The action named Permanently delete is an exclusive action. It is terminal in nature and no further policy filtering is possible after this action has been performed. The Stop Processing Policy Filters check box is automatically enabled and grayed out if an exclusive action is selected.
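The evaluation rules spelled out in Adding Filters, Managing Filters, the multi-layered example and the paragraph above (filters processed in listed order, All versus Any conditions, several actions per filter, Stop processing policy filters, and Permanently delete as an exclusive action that forces the stop) fit in a short model. The Python below is an added illustration of those semantics, not SonicWall code; the message field names, the Condition and Filter classes, and the treatment of text matching as a plain substring test are my own assumptions.

```python
"""Toy model of policy-filter evaluation; assumed semantics, not SonicWall's code."""
from dataclasses import dataclass

# Page: "Permanently delete" is exclusive; it forces "Stop processing policy filters".
EXCLUSIVE_ACTIONS = {"Permanently delete"}


@dataclass
class Condition:
    part: str                 # "From", "Subject", "Body", "Spam/Phishing Judgment", ...
    matching: str             # e.g. "contains", "is good"; text parts are substring tests here
    value: str = ""
    match_case: bool = False  # page: Match Case check box

    def matches(self, msg: dict) -> bool:
        if self.part == "Spam/Phishing Judgment":
            judged_bad = msg.get("judgment") in ("spam", "phishing")
            return (not judged_bad) if self.matching in ("is good", "is not spam") else judged_bad
        if self.part == "Subject or Body":
            text = msg.get("subject", "") + "\n" + msg.get("body", "")
        else:
            text = msg.get(self.part.lower(), "")   # assumed field names: from, subject, body
        needle = self.value
        if not self.match_case:
            text, needle = text.lower(), needle.lower()
        return needle in text


@dataclass
class Filter:
    name: str
    conditions: list          # Condition objects (the page allows up to 20 layers)
    actions: list             # (action, argument) pairs; an action appears at most once
    require_all: bool = True  # All (logical AND) vs Any (logical OR)
    stop_processing: bool = False
    enabled: bool = True

    def is_triggered(self, msg: dict) -> bool:
        if not self.enabled or not self.conditions:
            return False
        results = [c.matches(msg) for c in self.conditions]
        return all(results) if self.require_all else any(results)

    def is_terminal(self) -> bool:
        # An exclusive action behaves as if "Stop processing" were checked and grayed out.
        return self.stop_processing or any(a in EXCLUSIVE_ACTIONS for a, _ in self.actions)


def apply_action(msg: dict, action: str, arg) -> None:
    """Mutate the message for the subset of page actions modelled here."""
    if action == "Tag subject with":
        msg["subject"] = f"{arg} {msg.get('subject', '')}"
    elif action == "Route to":
        msg["route_to"] = arg                      # only one address per filter
    elif action == "Append text to message":
        msg["body"] = msg.get("body", "") + "\n" + arg
    elif action == "Store in Junk Box":
        msg["disposition"] = "junk"
    elif action == "Permanently delete":
        msg["deleted"] = True


def run_policy(filters: list, msg: dict):
    """Evaluate filters in listed order; return (final message, names of filters that fired)."""
    msg = dict(msg)
    fired = []
    for f in filters:
        if not f.is_triggered(msg):
            continue
        fired.append(f.name)
        for action, arg in f.actions:
            apply_action(msg, action, arg)
        if f.is_terminal():
            break                                  # later filters never see this message
    return msg, fired


# Constructed inbound filter list, in processing order. MARS_FILTER is the page's example.
DELETE_FILTER = Filter("Drop lottery mail",
                       [Condition("Subject", "contains", "lottery")],
                       [("Permanently delete", None)])       # exclusive: stop is implied
MARS_FILTER = Filter("Mars Update",
                     [Condition("From", "specific words", "nasa.org"),
                      Condition("Body", "specific words", "Mars", match_case=True)],
                     [("Tag subject with", "[Mars Update from NASA]"),
                      ("Route to", "engineering@company.com")],
                     stop_processing=True)
JUNK_FILTER = Filter("Junk Mars chatter",                    # Any: would match the tagged
                     [Condition("Subject", "contains", "mars"),  # subject, but MARS_FILTER
                      Condition("Body", "contains", "offer")],   # stops processing first
                     [("Store in Junk Box", None)], require_all=False)
FILTERS = [DELETE_FILTER, MARS_FILTER, JUNK_FILTER]
```

Reordering FILTERS so that JUNK_FILTER precedes MARS_FILTER changes the outcome for the same message, which is why the Filters page lets you drag filters into order.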

Parameterized Notifications

Email Security supports parameterized notifications where you can use pre-defined parameters in the text fields for the Issue Email Notification action. These parameters get substituted with corresponding values when the message is processed. You can use these parameters in either the Subject or Message Text fields of the Issue Email Notification action. The parameters can be used multiple times and are substituted each time they are used. Each parameter entered should start and end with % symbol. Parameters for Notifications provides more details.

 

Parameters for Notifications

Parameter

Value

%SUBJECT%

the Subject content from the triggering email

%FROM%

the From content from the triggering email

%ATTACHMENT_NAMES%

a comma-separated list of attachment names from the triggering email

%FILTER_NAME%

the name of the policy filter which took the action on the triggering email

%MATCHED_RECORDID%

the Record ID file name which has a matching pattern in the triggering email

%MATCHED_TERM%

the Dictionary term which matched in the triggering email
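
As an added illustration (not the product's implementation) of the substitution described above, this Python expands the six listed parameters, substitutes every occurrence, and leaves an unrecognised %NAME% untouched. The header option is my own hardening for text destined for the Subject field: it collapses CR/LF in values taken from the untrusted triggering message, so that a crafted subject cannot spill into extra header lines of the notification. The attachment-list separator and all helper names are assumptions.

```python
"""Parameter substitution for Issue Email Notification text; assumed model, not SonicWall code."""
import re

# The six parameters listed on the page; each is written as %NAME% in Subject or Message Text.
PARAMETERS = ("SUBJECT", "FROM", "ATTACHMENT_NAMES", "FILTER_NAME",
              "MATCHED_RECORDID", "MATCHED_TERM")
_TOKEN = re.compile(r"%([A-Z_]+)%")


def notification_values(msg: dict, filter_name: str,
                        matched_recordid: str = "", matched_term: str = "") -> dict:
    """Collect the values taken from the triggering email and from the filter that fired."""
    return {
        "SUBJECT": msg.get("subject", ""),
        "FROM": msg.get("from", ""),
        "ATTACHMENT_NAMES": ", ".join(msg.get("attachments", [])),  # separator is an assumption
        "FILTER_NAME": filter_name,
        "MATCHED_RECORDID": matched_recordid,
        "MATCHED_TERM": matched_term,
    }


def expand(template: str, values: dict, header: bool = False) -> str:
    """Replace every %NAME% occurrence with its value; unknown names stay as written.

    header=True is my own hardening for the Subject field, not a documented product
    behaviour: CR/LF inside a substituted value (which comes from the untrusted triggering
    email) are collapsed to spaces so the value cannot introduce additional header lines.
    """
    def substitute(m: re.Match) -> str:
        name = m.group(1)
        if name not in values:
            return m.group(0)
        value = values[name]
        return re.sub(r"[\r\n]+", " ", value) if header else value
    return _TOKEN.sub(substitute, template)
```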

Policy Groups

In some cases, you may want to associate a policy filter to a group of users rather than the entire organization. For example, you may want a policy filter to be applied to all incoming email messages sent to your sales team and no one else in your organization.

If you want policy filters you create to be applied to a particular group of users, you first have to create policy groups from LDAP. Policy groups, once created, can be associated with either inbound or outbound policies.

This section contains the following topics:

Adding a New Policy Group

To add a new policy group:
1. Navigate to the Policy & Compliance > Policy Groups page.
2. Select the Add Group button.
3. From the Find all groups drop down menu, select one of three methods to locate a desired group:
equal to (fast)—search using the actual name
starting with (medium)—search using the first few characters
containing (slow)—search using a substring of characters
4. Type a search string in the text box.
5. Once the list of group names is displayed, select the check box of the group you wish to add.
6. Click on the Add Group button.

Removing a Policy Group

To remove a group, check the group(s) to be removed and select the Remove Group button. You can view the members of a group by selecting that group and clicking on the List Group Members button.

If a user is present in more than one group, that user is treated as a member of the group that is listed highest in the list. To change the order in which groups are listed, use the up and down arrow icons to the left of the groups.

For example, in the above illustration, if jdoe@company.com is listed under both SalesEngineering and Sales, the policy filter that is associated with SalesEngineering is applied to email messages for jdoe@company.com.

Multiple LDAP Groups

To manage policy groups from multiple LDAP servers:
1. Navigate to the Policy & Compliance > Policy Groups page.
2. Select an option from the Using LDAP drop down list and click the Go button. You are connected to that LDAP server.
3. Click the Add Group button. The groups on that LDAP server are retrieved and presented.
4. Choose the groups you want to add policies to.
5. When you have selected the groups, click the Add Group button. Your groups are added.

You can now apply policies to these groups. If a user is a member of more than one group, actions are only taken on the first group the system reads.

Compliance

The Policy & Compliance > Compliance module is accessible through the optional purchase of a Compliance Subscription License Key. It helps organizations ensure that email complies with relevant regulations and/or corporate policies. Once the Compliance Module is activated, the network administrator has access to the Encryption and Archiving features as well as additional filtering tools that enhance the standard module.

When the Compliance Module license expires, filters that were created during the valid license period continue to work, taking advantage of the advanced features. However, the administrator cannot add any new filters until the Compliance Subscription License Key is renewed.

Topics:  

Dictionaries

A dictionary is a convenient collection of words or phrases that you can group together for use in policy filters. A dictionary can be specified as a search value in a policy filter. Dictionaries can be created or modified either manually or by importing from a file on the file system.

A predefined dictionary is a group of words or phrases all belonging to a specific theme such as medical or financial terms, which can be used as a database of words that filters can look for. By default, SonicWall provides these pre-installed dictionaries:

Financial Terms
Medical Drug Names
PGP_AnyPartMsg_SpecificPhrase
PGP_AnyPartMsg_SpecificWords
PGP_EmailHeader_SpecificWord
Encryption Service IPs

These dictionaries may be modified by clicking the Edit button. For more information on adding or importing dictionaries, see the following topics:

Add New Dictionary

To manually add a dictionary:
1. Click on the Add New Dictionary button.
2. Type the new dictionary name in the Dictionary name field.
3. Enter a word or phrase in the Dictionary Terms text field.
4. Select Add Term.
5. Repeat for all the terms you want to add to the dictionary.
6. Click Save Dictionary. You are automatically returned to the Policy & Compliance > Compliance > Dictionaries module.

Import Dictionary

To import a dictionary from a file on the file system:
1. Click on the Import Dictionary button.
2. Choose New dictionary name or Replace dictionary by selecting the appropriate button next to your selection.
3. Find the import file by selecting Browse... and navigating to the correct location. The imported file should contain one word or phrase per line, with each line separated by a carriage return.
4. Click the Import button.

Delete Dictionaries or Terms

To delete a dictionary:
1. Navigate to Policy & Compliance > Compliance > Dictionaries.
2. Select the Delete button for the dictionary you want removed.
3. Confirm your intention to delete that dictionary when asked.

To delete terms from a dictionary:
1. Navigate to Policy & Compliance > Compliance > Dictionaries.
2. Select the Edit button for the dictionary whose terms you want to remove.
3. Check the box by the terms you want to delete.
4. Select Delete Selected Terms.
5. Select Save Dictionary to save the changes.

Approval Boxes

An Approval Box is a list of stored email messages that are waiting for an administrator to take action. They are not delivered until an administrator approves them for delivery. The View Approval Box drop down list allows you to have two different views of Approval Boxes: the Manager view and the individual approval box view.

To see a list of the Approval Boxes that have been created, select Approval Box Manager from the drop down list in the View field. The Approval Box Manager view allows you to edit or delete existing Approval Boxes, and to create new Approval Boxes.

To see the contents of a particular Approval Box, choose the desired Approval Box name from the table. This page allows you to search the messages stored in that Approval Box and to take action on any of those messages.

 
NOTE: Only users who have administrative rights can see the contents of an approval box. See Users, Groups & Organizations for managing user rights and privileges.

To set up an Approval Box:
1. Navigate to the Policy & Compliance > Compliance Module > Approval Boxes page.
2. Create the Approval Box by selecting Add New Approval Box.
3. Enter the Name of Approval Box. This name appears in the approval box table and in the drop down list that allows you to select the detailed view of individual approval boxes.
4. From the Default action drop down list, select an action to be taken. This action is automatically taken on the message waiting for approval if the administrator does not respond to the notification within the period of time specified.
 

None

No action is taken. The email remains in the Approval Box.

Approve & Deliver

The email is passed to the recipient.

Delete

The email is deleted.

Bounce Back to Sender

The email is automatically bounced back to the sender and removed from the Approval Box after the specified length of time elapses.

5. Select the amount of time the messages are held in the Approval Box before action is automatically taken. The time values range from 1 hour to 30 days.
6. Enter a list of Notification recipients in the text box. Separate multiple email addresses with a carriage return.

NOTE: Make sure that the email recipients you list are users that have administrative rights to the SonicWall server. If they do not have administrative access, they cannot view the approval boxes when they receive email notification.

7. Select a Frequency of notifications value from the drop down list for this approval box. Email notification is sent according to the schedule you choose here.
8. Write the Email subject line for this notification, like Notification of emails awaiting approval.
9. Click the Apply Changes button to save your changes.
10. Navigate to the Policy & Compliance > Filters page.
11. Create a policy filter that has the Action as Store in Approval Box.
12. Choose the desired Approval Box for email messages caught by that filter.

Encryption

The Policy & Compliance > Compliance Module > Encryption section configures the servers used to encrypt and decrypt messages. Once configured, you may create a policy filter for which the action is to encrypt or decrypt messages.

A policy action of encrypt can be used to direct confidential outbound messages to the encryption server. A policy action of decrypt can be used to direct confidential inbound messages to the decryption server.

Record ID Definitions

Record ID Definitions can be used to detect specific IDs described by a series of generic patterns. The Policy & Compliance > Compliance Module > Record ID Definitions section allows the administrator to predefine a cluster or clusters of letters and numbers into logical sets of groups such as social security numbers, patient medical record numbers, or credit card numbers. When these patterns are discovered, compliance actions can be taken to ensure that the organization's privacy and security regulations are met. The filter stops processing a message after it finds the first matching Record ID Definition.

By default, Email Security provides the following Record ID Definitions pre-installed:

ABA Bank Routing Number
Canadian Social Security Number
Credit Card Number
Date
Phone Number
Social Security Number
Zip Code

To add a new Record ID Definition:
1. Navigate to the Policy & Compliance > Compliance > Record ID Definitions page.
2. Click the Add New Record ID Definition button.
3. Enter a name in the Record Definition Name field.
4. Enter a Records Definition Pattern, including correct spacing, dashes or other symbols. Use the key to set values to the sets of characters.
5. Click Add Pattern to add the term to the Record ID. Repeat this step for each Record ID as necessary.
6. Select Save Definition when finished.
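
The page does not spell out the pattern key, so the following Python is an added illustration with an assumed key ('#' one digit, '@' one letter, '?' either; anything else literal), not the product's own syntax. It reproduces the behaviour described above of stopping at the first matching Record ID Definition, and adds a Luhn check on the Credit Card Number definition to cut false positives on arbitrary 16-digit runs; the patterns, their order and all function names are my own.

```python
"""Record ID style pattern scanning; assumed mini-language, not the product's own key."""
import re

# Assumed pattern key: '#' = one digit, '@' = one letter, '?' = one letter or digit,
# anything else is literal (spacing, dashes, parentheses).
_CLASSES = {"#": r"\d", "@": "[A-Za-z]", "?": "[A-Za-z0-9]"}


def compile_pattern(pattern: str) -> re.Pattern:
    body = "".join(_CLASSES.get(ch, re.escape(ch)) for ch in pattern)
    # The match must stand alone rather than sit inside a longer alphanumeric run.
    return re.compile(r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])")


def luhn_ok(number: str) -> bool:
    """Mod-10 check that real card numbers satisfy; rejects most random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Names modelled on the pre-installed definitions listed above; the patterns, the optional
# validator and the order are constructed for this example.
DEFINITIONS = [
    ("Social Security Number", ["###-##-####"], None),
    ("Credit Card Number",
     ["####-####-####-####", "#### #### #### ####", "################"], luhn_ok),
    ("Phone Number", ["(###) ###-####", "###-###-####"], None),
    ("Zip Code", ["#####-####", "#####"], None),
]
_COMPILED = [(name, [compile_pattern(p) for p in pats], check)
             for name, pats, check in DEFINITIONS]


def find_record_id(text: str):
    """Return (definition name, matched text) for the first matching definition, else None.

    As on the page, scanning stops at the first matching Record ID Definition, so the
    order of DEFINITIONS decides which one is reported when several would match.
    """
    for name, regexes, check in _COMPILED:
        for rx in regexes:
            for m in rx.finditer(text):
                if check is None or check(m.group(0)):
                    return name, m.group(0)
    return None
```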

Archiving

The Policy & Compliance > Compliance > Archiving section is used to configure how messages are archived. Once configured, you may create a policy filter for which the action is “Route copy to archive.” Messages can be archived either to a remote archive server or to a file system.

Archiving to a Remote Server

To archive messages to a remote server:
1. Navigate to the Policy & Compliance > Compliance > Archiving page.
2. Select the External SMTP Server option.
3. Enter the IP address of the archive server where email messages should be routed for archiving. This IP address is used with the Route copy to archive policy action.

Archiving to a File System

To archive messages to a file system:
1. Navigate to the Policy & Compliance > Compliance > Archiving page.
2. Click the File system option.
3. Select the archive settings for both inbound and outbound emails. The following options are available:
Do not archive emails—Email messages are not archived.
Archive emails that are delivered to users in your organization—Email messages that are delivered are archived. Quarantined email messages are not archived.
Archive all <inbound/outbound> emails—All emails are archived, including those that are quarantined in the Junk Box.
4. Select a length of time for emails to be archived. Values range from 1 Day to 7 Years.
5. Select Apply Changes.