en-US
search-icon

Hosted Email Security 9.0 Admin Guide

System Settings

This chapter describes configuration information and system administration capabilities for the SonicWall Hosted Email Security system. It contains the following sections:

License Management

The System > License Management page allows you to view and manage current Security Service and Support Service for your Hosted Email Security solution.

Serial Number—The serial number of your SonicWall Hosted Email Security appliance/software.
Authentication Code—The code you entered upon purchasing/activating the SonicWall Hosted Email Security solution.
Model Number—The model number of the appliance. If you are using the SonicWall Hosted Email Security software, the model number is listed as Software.
Refresh Licenses—Click this button to refresh the license status for Security and Support services.
 
* 
NOTE: The hourly license update synchronizes with the online license manager and overwrite licenses applied by the offline method.

SonicWall Hosted Email Security has several service modules that must be licensed separately. For maximum effectiveness, all services are recommended.

The Security Service section of the table on the Administration page provides information on the status of the various offerings in your configuration.

 
 

Status

The status for the Security or Support Service may be one of the following:

Licensed

Services have a regular valid license.

Free Trial

Services are using a 14-day free trial license.

Not licensed

Service has not been licensed.

Perpetual

The base Key license comes with the purchase of the product and is perpetual. Note that the Base Key is the only perpetual license.

Count

The number of users to which the license applies.

Expiration

Expiration date of the service. Either a specific expiration date is listed or Never is listed, indicating no expiration.

The Support Service section of the table shows the kinds of service support agreements that have been licensed for your solution. It includes license status and expiration date.

Administration

The System > Administration page allows you to set up or change the parameters for the master account and account administration.

Email Security Master Account

The Email Security Master Account section allows you to change the master account username and password.

 
* 
NOTE: SonicWall strongly recommends that you change the master account password from the default.
To change the password:
1
On the System > Administration page, navigate to the Email Security Master Account section. Note that the Username you originally registered with appears as the default Username.
2
Type in the Old Password.
3
Type in the New Password.
4
Type the same new password in the Confirm password field.
5
Click Apply Changes.

Miscellaneous

The Miscellaneous section allows you to Enable Support user to handle organization changes.

1
Select the check box to enable this feature.
2
Click on Apply Changes.

Allow Admin Access from Specific IPs

This feature allows the administrator to add restricted IP addresses or address ranges. This restricts administrators so that they have admin access only from those specific IP addresses. The IP addresses can be entered in these formats: IPv4, IPv6, or IPv4 CIDR. Multiple IPs can be entered but must be separated by commas.

 
* 
IMPORTANT: Users with admin roles can be locked out of web access if the incorrect IPs are specified.

Network Architecture

The System > Network Architecture > Server Configuration page allows you to configure both inbound and outbound capabilities for your SonicWall Hosted Email Security server.

Server Configuration—Inbound

From the System > Network Architecture > Server Configuration page, click the Inbound tab to configure the inbound destination server, which is the email server that accepts good email after SonicWall Hosted Email Security removes and quarantines junk mail.

The following sections provide more detail:

Inbound Settings

The following screen shot shows the settings for the inbound path configuration and the table after describes the settings in detail.

 

Setting

Description

Any source IP address is allowed to connect to this path, but relaying is only allowed for emails sent to one of these domains.

This field only displays the domain for emails to be relayed to. Note the default domain listed is the domain you initially activated for the Hosted Email Security solution. Navigate to the Users, Groups & Domains > Domains page to configure domain settings.

Your mail server host name or IP address. If multiple destination servers are provided then emails will be routed using load balancing.

Enter the mail server host name or IP address. The default IP address is the address you initially activated for the Hosted Email Security solution. If multiple destination servers are provided separate them with a carriage return so that each server is listed on a separate line.

For IPv6, enclose the server name in square brackets, for example:

[2001:db8::1]:25

You can also select Round-robin or Fail-over mode. If Round Robin is selected, the email load is balanced by sending part of the email flow through each server listed in the box. If Fail-over is selected, email is sent to the servers listed only if the downstream server is unavailable.

Click the Test Downstream button to test connection to the specified mail server host name or address. A message displays notifying you if the connection was successful or if the connection failed.

Require the destination server to support STARTTLS

Select the check box to enable Transport Layer Security (TLS) encryption for your downstream email messages.

To configure the sender domain:

1
Then click on Configure STARTTLS and the window for STARTTLS (SSL) Settings opens (see below).
2
Type the name of the upstream domain in Sender Domain field.
3
Select Add.

Directory Harvest Attack (DHA) Protection Settings

Directory Harvest Attack Protection allows you to configure settings to protect against spammers that attempt to find valid email addresses on your directory.

To configure any of the following settings:
1
Define the Action for messages sent to email addresses that are not in your LDAP server; choose one of the following actions:
Process all messages the same
Permanently delete
Reject invalid addresses
Always store in Junk Box
2
Chose one of the following options for how to Apply DHA protection to the recipient domains:
Apply to all recipient domains
Apply only to the recipient domains (and list the domains in the text box provided)
Apply to all recipient domains except those listed below (and list the domains in the text box)
 
* 
NOTE: Separate domains with a carriage return so that each domain appears on a separate line in the text field.
3
Scroll to the bottom of the page and select Apply Changes.

Spooling

The Inbound Spooling feature available on the Hosted Email Security solution allows users to spool, or hold, mail when all the customer’s receivers are unavailable. Inbound mail is then delivered when the receivers become available. The Hosted Email Security solution normally operates as an SMTP proxy, relaying email directly to your downstream receiver. However, it can also be configured to spool email when all of your organization’s downstream receivers are unavailable.

When spooling is engaged, the proxy directs all good mail to the Hosted Email Security MTA for queuing and later delivery. When spooling is disengaged, the proxy resumes directly relaying mail to the receivers, and the MTA delivers the queued mail.

To configure spooling:
1
Choose the spooling option that best suits your needs:
Never Spool Email—Select this option and the hosted server will act as an SMTP proxy, never spooling mail, regardless of the state of the downstream receivers. This is the default setting.
Automatic Fallback—Select this option to spool mail if the downstream receivers unexpectedly go down or become unreachable. When configured to Automatic Fallback, spooling engages after the receiver farm has been unavailable for a period of time. Spooling then disengages when the receiver farm becomes available again.
Always Spool Email—Select this option to leave the spooling feature engaged for all mail and to remain engaged until the mode is configured to one of the other options. Note that manual spooling is intended for situations when the administrator knows the receivers will be down, such as a scheduled maintenance.Email is not delivered to your organization’s email server while this option is selected.
 
* 
NOTE: The Automatic Fallback feature initiates if the server becomes completely unresponsive. Because the feature may take a few moment to verify that the server is completely unresponsive, sender may see a transient error message.
2
Select Apply Changes when done.

Server Configuration—Outbound

To configure the outbound domain, navigate to System > Network ARchitecture > Server Configuration. Then select the Outbound option.

The outbound path configuration options are described in more detail in the following sections:

Outbound Settings

Define the domain settings for the outbound path.

The following table defines the options available

 

Setting

Description

Relaying is allowed only for emails sent from one of these domains

This field only displays domain name(s) for emails to be relayed from. Note the default domain listed is the domain you initially activated for the Hosted Email Security solution. Navigate to the Users, Groups & Domains > Domains screen to manage Domain settings.

Only these IP addresses/FQDNs can connect and relay through this path

Enter the server name or IP address that the domain can connect to and relay through. Separate sour IP addresses with a carriage return so that each IP address appears on a separate line.

 

Test Upstream: Click this button to test connection to the specified server name or address. A message displays, notifying you if the connection was successful or if it failed.

Only this ISP can connect and relay through this path

When selected allows you to enable Office 365.

Require clients to connect using STARTTLS

Select the check box to enable Transport Layer Security (TLS) encryption for your outgoing email messages.

To configure the recipient domain:

1
Check the box to enable STARTTLS.
2
Select the Configure STARTTLS button. The window for STARTTLS (SSL) Settings for destination servers opens.
3
Type the name of the destination domain in Recipient Domain field.
4
Select Add.

Configure SMTP AUTH on this path

Select the Configure Authentication button. See below for details on how to configure SMTP AUTH.

Configure SMTP Authentication

Authentication provides a way for a mail server to verify the identity of the email sender. During authentication, the sender supplies credentials to the receiving mail server, which may refuse email delivery if the sender's identity cannot be verified.

To configure SMTP authentication on the recipient domain:
1
On the Outbound Server Configuration page, select Configure Authentication.

2
Select whether to use SMTP authentication or not:
This path does not use SMTP authentication—This is the default setting, where no authentication is required.
This path uses credentials as follows—This option allows you to perform authentication from the upstream mail server or send authentication to the downstream mail server.
3
To authenticate from the upstream mail server, check the box for Authenticates the credentials it received from the upstream mail server and also choose one of the following:
Use This path accepts the following credentials if you want to configure a single set of credentials that is used for all email. These credentials can be used to identify a specific customer or server. Provide the username and password to complete the configuration.
Use This path uses user login credentials to authenticate to require user authentication.
4
To send authentication to the downstream mail server (for example, when sending outbound email through an ISP that requires authentication), select Sends an SMTP AUTH command with the following credentials to the downstream mail server and provide the username and password to complete the configuration.
 
* 
CAUTION: Authentication commands include credentials like usernames and passwords. To protect them they should only be transmitted over encrypted connections.
5
Define encryptions settings for your solution. You can opt for one or both of these options:
Checking Upstream connections enables encryption for upstream traffic.
Checking Downstream connections enables encryption for downstream traffic.
6
Select Apply to save settings.

LDAP Configuration

Hosted Email Security uses Lightweight Directory Access Protocol (LDAP) to integrate with your organization’s email environment. LDAP is an Internet protocol that email programs use to look up users’ contact information from a server. As users and email distribution lists are defined in your mail server, this information is automatically reflected in SonicWall Hosted Email Security in real time.

Many enterprise networks use directory servers like Active Directory or Lotus Domino to manage user information. These directory servers support LDAP, and SonicWall Hosted Email Security can automatically get user information from these directories using the LDAP. You can run SonicWall SonicWall Hosted Email Security without access to an LDAP server as well. If your organization does not use a directory server, users cannot access their Junk Boxes, and all inbound email is managed by the message-management settings defined by the administrator.

SonicWall SonicWall Hosted Email Security uses the following data from your mail environment:

Login Name and Password

When a user attempts to log into the SonicWall Hosted Email Security server, their login name and password are verified against the mail server using LDAP authentication. Therefore, changes made to the usernames and passwords are automatically uploaded to SonicWall Hosted Email Security in real time.

Multiple Email Aliases

If your organization allows users to have multiple email aliases, SonicWall Hosted Email Security ensures any individual settings defined for the user extends to all the user’s email aliases. This means that junk sent to those aliases aggregates into the same folder.

Email Groups or Distribution Lists

Email groups or distribution lists in your organization are imported into SonicWall SonicWall Hosted Email Security. You can manage the settings for the distribution list in the same way as a user’s settings.

LDAP groups allow you to assign roles to user groups and set spam-blocking options for user groups.

Configuring LDAP

SonicWall recommends completing the LDAP configuration to get the complete list of users who are allowed to login to their Junk Box. If a user does not appear in the User list in the User & Group screen, their email will be filtered, but they cannot view their personal Junk Box or change default message management settings.

To configure LDAP for user authentication:
1
Navigate to the System > LDAP Configuration screen to configure your Email Security solution for username and password authentication for all employees in the enterprise.
2
Click the Add Server button to add a new LDAP Server. Configuring the LDAP server is essential to enabling per-user access and management. These settings are limited according to the preferences set in the User Management pane. See User View Setup for more detail.
3
Check one of the following boxes that appear under the Settings section:
Show Enhanced LDAP Mappings fields—Select this option for Enhanced LDAP, or LDAP Redundancy. You will have to specify the Secondary Server IP address and Port number.
Auto-fill LDAP Query fields when saving configurations—Select this option to automatically fill the LDAP Query fields upon saving.
4
Enter the following information under the LDAP Server Configuration section:
Friendly Name—The friendly name for your LDAP server. This is an alphanumeric field that allows hyphens and periods, but no spaces. Maximum name length is 200 characters.
Primary Server Name or IP address—The DNS name or IP address of your LDAP server. This is also an alphanumeric field having the same parameters as the Friendly Name.
Port number—The TCP port running the LDAP service. The default LDAP port is 389.
LDAP server type—Choose the appropriate type of LDAP server from the drop down list.
LDAP page size—Specify the maximum page size to be queried. The default size is 100.
Requires SSL—Select this check box if your server requires a secured connection.
Allow LDAP referrals—Leaving this option unchecked disables LDAP referrals and speeds up logins. You may select this option if your organization has multiple LDAP servers in which the LDAP server can delegate parts of a request for information to other LDAP servers that may have more information.
5
In the Authentication Method section, specify if the LDAP login method for your server is by Anonymous Bind or Login.
6
If you specified Login in Step 5 above, provide the Login name and Password. This may be a regular user on the network, and does not have to be a network administrator.
* 
NOTE: Some LDAP servers allow any user to acquire a list of valid email addresses. This state of allowing full access to anybody who asks is called Anonymous Bind. In contrast to Anonymous Bind, most LDAP servers, such as Microsoft's Active Directory, require a valid username/password in order to get the list of valid email addresses. (Configuration checklist parameter O and P)
7
Click the Test LDAP Login button.

A successful test indicates a simple connection was made to the LDAP server. If you are using anonymous bind access, be aware that even if the connection is successful, anonymous bind privileges might not be high enough to retrieve the data required by SonicWall Hosted Email Security.

8
Click Save Changes.

LDAP Query Panel

To access the LDAP Query Panel settings window, click the Friendly Name link or the Edit button of the server you wish to configure. If the Auto-fill LDAP Query Fields check box is selected in the Settings section, the fields in the LDAP Query Panel section are automatically filled in with default values after the basic configuration steps are completed.

Query Information for LDAP Users

1
Enter values for the following fields:
Directory node to begin search—The node of the LDAP directory to start a search for users (configuration checklist parameter Q).
Filter—The LDAP filter used to retrieve users from the directory.
User login name attribute—The LDAP attribute that corresponds to the user ID.
Email alias attribute—The LDAP attribute that corresponds to email aliases.
Use SMTP addresses only—Select the check box to enable the use of SMTP addresses.
2
Click the Test User Query button to verify that the configuration is correct.
3
Click Save Changes to save and apply all changes made.
 
* 
NOTE: Click the Auto-fill User Fields button to have SonicWall Hosted Email Security automatically complete the remainder of this section.

Query Information for LDAP Groups

If you have a large number of user mailboxes, applying these changes could take several minutes.

1
Enter values for the following fields:
Directory node to begin search—The node of the LDAP directory to start a search for users. (Configuration checklist parameter Q).
Filter—The LDAP filter used to retrieve groups from the directory.
Group name attribute—The LDAP attribute that corresponds to group names.
Group members attribute—The LDAP attribute that corresponds to group members.
User member attribute—The LDAP attribute that specifies attribute inside each user's entry in LDAP that lists the groups or mailing lists that this user is a member of.
2
Click the Test User Query button to verify that the configuration is correct.
3
Click Save Changes to save and apply all changes made.
* 
NOTE: Click the Auto-fill Group Fields button to have SonicWall Hosted Email Security automatically complete the remainder of this section.

Add LDAP Mappings

On some LDAP servers, such as Lotus Domino, some valid addresses do not appear in LDAP. Use this section with LDAP servers that only store the “local” or “user” portion of the email addresses. Click the View Rules button. The LDAP Mappings screen displays:

This panel provides a way to add additional mappings from one domain to another. For example, a mapping could be added that would ensure emails addressed to anybody@engr.corp.com are sent to anybody@corp.com.

It also provides a way of substituting single characters in email addresses. For example, a substitution could be created that would replace all the spaces to the left of the "@" sign in an email address with a "-". In this example, email addressed to Casey Colin@corp.com would be sent to Casey-Colin@corp.com.

* 
NOTE: This feature does not make changes to your LDAP system or rewrite any email addresses; it makes changes to the way Hosted Email Security interprets certain email addresses.
To add LDAP Mappings:
1
Click the Friendly Name link or the Edit button of the server you wish to configure.
2
Scroll to the Add LDAP Mappings section, and click View Rules.
3
From the first drop down list, choose one of the following:
Domain is—Choose this option to add additional mappings from one domain to another.
Replace with—Choose this option from the second drop down menu to replace the domain.
Also add—Choose this option from the second drop down menu, then when first domain is found, the second domain is added to the list of valid domains. For example, if “engr.corp.com” is the first domain and “sales.corps.com” is the second, then when the domain “engr.corp.com” is found in the list of valid LDAP domains, then “sales.corps.com” is also added to that list.
Left hand side character is—Choose this option to add character substitution mappings.
Replace with—Choose this option from the second drop down menu to replace all characters to the left of the "@" sign in the email address.
Also add—Choose this option from the second drop down menu to add a second email address to the list of valid email addresses.
4
Click the Add Mapping button.
* 
NOTE: This screen does not make changes to your LDAP system or rewrite any email addresses; it only makes changes to the way SonicWall Hosted Email Security interprets certain email addresses.

User View Setup

On the System > User View Setup page, configure how the end-users of the SonicWall Hosted Email Security solution access the system and what capabilities of the solution are exposed to the end users. Be sure LDAP configuration is complete before setting this up.

To configure the general settings:
1
Select the Login enabled check box to allow users to log into Hosted Email Security and have access to their per-user Junk Box. If you disable this, mail is still analyzed and quarantined, but users cannot access their Junk Box.
2
Select which items appear in the User Navigation Toolbar:
Select the Anti-Spam check box to include the user-configurable options available for blocking spam emails. Users can customize the categories People, Companies, and Lists into their personal Allowed and Blocked lists. You can grant users full control over these settings by selecting the Full user control over anti-spam aggressiveness settings check box, or force them to accept the corporate aggressiveness defaults by not selecting this check box.
Select the Reports check box to provide junk email blocking information about your organization. Even if this option is selected, users may view only a small subset of the reports available to administrators.
Select the Policy check box to allow the user to define personal policies.
Select the Settings check box to provide options for management of the user's Junk Box.
Select the Spam Management check box to allow users to manage their individual spam settings.
Select the Allow audit view to Helpdesk users check box to enable access to the audit view for Helpdesk users.
3
Define the User Download Settings:
With the Allow users to download SonicWall Junk Button for Outlook check box selected, users can download the SonicWall Hosted Email Security Junk Button for Outlook. The Junk Button is a lightweight plug-in for Microsoft Outlook. It allows users to mark emails they receive as junk, but does not filter email.
With the Allow users to download SonicWall Anti-Spam Desktop for Outlook and Outlook Express check box selected, users can download the Anti-Spam Desktop. Anti-Spam Desktop is a plug-in for Microsoft Outlook and Outlook Express that filters spam and allows users to mark emails they receive as junk or good email.
With the Allow users to Download SonicWall Secure Mail Outlook plugin check box selected, users will be able to download the Secure Mail plug-in for Microsoft Outlook. The Secure Mail button allows users to send mail securely through the Encryption Service. See Encryption Service for more information about this feature.
4
Define the settings for Quarantined Junk Mail Preview Settings:
Select the Users can preview their own quarantined junk mail check box to enable users to view their individual mail that is junked.
Choose the other types of users can preview quarantined junk mail. These roles are configured within Hosted Email Security and include Administrators or Help Desk and Group Administrators.
5
Choose to enable the Reports view settings. Users are not usually shown reports which include information about users, such as email addresses. Select the Show reports that display information about individual employees check box to give user access to those reports.
6
Select Apply Changes to save the settings or select Revert to go back to the prior settings.

Monitoring

The System > Monitoring screen allows you to configure system monitoring settings and alerts. Note that some of these fields may be pre-defined based on the information provided upon initial setup of the SonicWall Hosted Email Security solution.

Monitoring

The following settings are available for configuration:

Email address of the administrator who receives emergency alerts—The email address of the mail server administrator. Enter the complete email address: for example, user@example.com. Separate multiple email addresses with a comma if you list more than one.
Use MX Record to deliver mails—the system resolves the <domain_name> using DNS with MX record entry.
Name or IP address of backup SMTP servers—Enter the name or IP address of one or more SMTP servers that can be used as fallback servers to send alerts to if the configured downstream email server(s) cannot be contacted. For example, mail2.example.com or 10.100.0.1. Separate multiple entries with a a comma.
Customized Signature—Enter a signature to append at the end of your email messages if you want a customized signature.
Subscribe to alerts—Select the check box to receive alerts.
View Alerts—Click this button to view all configured alerts. See Viewing Alerts for more information.
Test Fallbacks—Click this button to test the name or IP address(es) listed as backup SMTP servers. You get a message stating whether the test was successful or not

Viewing Alerts

Under the Configuring System Monitoring section of the System > Monitoring page, you can select the View Alerts button to see the Alert history for a specific Host.

Alert History in SonicWall Hosted Email Security provide the following details:

A time stamp in both local time and GMT
The severity level of the alert, which could be one of the following: Info, Warning, or Critical
 
* 
NOTE: In the Filter On section, you can choose which severity levels to display. Check the box next to the severity level to enable displaying those alerts. After making your selection, click on Apply Filter.
The domain to which the alert applies
A summary of the alert