Configuring SonicWall Email Security to Ensure Maximum effectiveness, High Throughput
03/26/2020
Description
Configuring SonicWall Email Security to Ensure Maximum Effectiveness, High Throughput, Deployment Best Practices
Cause
The following steps will help ensure that mail flow is handled correctly and that the resources of the Email Security appliance are used efficiently.
This will also reduce issues relating to thumbprint insertion, e.g. if you are consistently getting alerts that "Thumbprints are stale" even though network connectivity has been verified.
A brief configuration of the SonicWall Firewall is also discussed: how the SonicWall Firewall in front of the Email Security appliance should be configured so that connectivity for thumbprint downloads can be verified.
Resolution
Thumbprint Updates:
The first step is to keep Thumbprint updates as close to real time as possible: go to Manage | System Setup | Server | Updates and set the interval to 1 minute. This ensures you are protected against new types of threats and shortens each update insertion, which in turn limits the CPU load. The update files are usually small, so only a limited amount of network bandwidth is used for this purpose.
Also make sure to exclude our datacenter IPs/FQDNs on the firewall from all security services such as GAV, Anti-Spyware, IPS/IDS and Content Filtering on ports 80/443.
IP Addresses of the Datacenter:
204.212.170.220
204.212.170.210
204.212.170.14
208.17.117.200
204.212.170.230
Protocol: http/https
FQDNs:
eg-update.es.global.sonicwall.com
plugindefault.es.global.sonicwall.com
config.es.global.sonicwall.com
options.es.global.sonicwall.com
av.es.global.sonicwall.com
av-updates.mailfrontier.net
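The article asks you to verify that the firewall lets the appliance reach the update endpoints above on ports 80/443. The script below is an added example (not SonicWall's code) that checks exactly that: it resolves each FQDN listed in this article, attempts a TCP connection on each port, and flags a name whose answer is outside the article's published datacenter IPs. Run it from a host that shares the appliance's firewall path. The resolver and connector are injectable so the reporting logic can be exercised offline; the defaults use the real network.

```python
# Added example (not SonicWall's code): check that the path from the Email Security
# appliance's network to the thumbprint update endpoints is open on ports 80/443.
# The FQDNs and datacenter IPs are the ones listed in this article; run it from a host
# that shares the appliance's firewall path.
import socket
from typing import Callable, Dict, List, Optional

UPDATE_FQDNS = [
    "eg-update.es.global.sonicwall.com",
    "plugindefault.es.global.sonicwall.com",
    "config.es.global.sonicwall.com",
    "options.es.global.sonicwall.com",
    "av.es.global.sonicwall.com",
    "av-updates.mailfrontier.net",
]
PUBLISHED_IPS = {
    "204.212.170.220", "204.212.170.210", "204.212.170.14",
    "208.17.117.200", "204.212.170.230",
}
UPDATE_PORTS = [80, 443]

# Injectable so the logic can be exercised offline; defaults use the real network.
Resolver = Callable[[str], Optional[str]]        # hostname -> IP, or None if no answer
Connector = Callable[[str, int], Optional[str]]  # (host, port) -> None on success, else error text


def system_resolve(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Open and immediately close a TCP connection; a timeout here usually means
    the firewall is dropping the traffic rather than the endpoint being down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


def check_update_path(fqdns: List[str], ports: List[int],
                      resolve: Resolver = system_resolve,
                      connect: Connector = tcp_connect) -> Dict[str, dict]:
    """Per FQDN: DNS answer, per-port connect result, and an overall status of
    'ok', 'dns_failure' or 'blocked:<ports>'."""
    report: Dict[str, dict] = {}
    for host in fqdns:
        ip = resolve(host)
        entry = {"ip": ip, "ports": {}, "in_published_list": ip in PUBLISHED_IPS}
        if ip is None:
            entry["status"] = "dns_failure"  # DNS itself is being filtered or the name is wrong
        else:
            for port in ports:
                entry["ports"][port] = connect(host, port)
            failed = [str(p) for p in ports if entry["ports"][p] is not None]
            entry["status"] = "ok" if not failed else "blocked:" + ",".join(failed)
        report[host] = entry
    return report


def failing_hosts(report: Dict[str, dict]) -> List[str]:
    """Names whose status is not 'ok'; an empty list means the path is clear."""
    return [host for host, entry in report.items() if entry["status"] != "ok"]


if __name__ == "__main__":
    result = check_update_path(UPDATE_FQDNS, UPDATE_PORTS)
    for host, entry in result.items():
        note = "" if entry["in_published_list"] else "  (IP not in the article's list)"
        print(f"{host:45} {entry['status']:16} {entry['ip']}{note}")
    if failing_hosts(result):
        raise SystemExit("Thumbprint update path is not fully open; check the firewall exclusions.")
```

A `dns_failure` status points at DNS filtering or a typo in the FQDN, while `blocked:80` or `blocked:443` with a good DNS answer points at the security services (GAV, IPS, CFS) on the firewall still inspecting or dropping the flow. An IP outside the published list is informational only: the list in this article may be older than the current DNS data.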
Relay Status:
Ensure that you are relaying only for emails sent to your domain: go to Manage | System Setup | Network | Server Configuration, select the inbound path and, on each specified Source IP Contacting Path, ensure that the option "Any source IP address is allowed to connect to this path, but relaying is allowed only for emails sent to one of these domains" is selected, with your domains specified in the text pane.
Directory Harvest Attack (DHA) Protection Configuration Overview:
If you are utilizing the LDAP functionality of the Email Security appliance, DHA protection should be configured as per best practice. It will either delete or reject emails that are not destined for a "legitimate" email address on your domain. When configuring DHA protection, the following 3 options are available; each is discussed in further detail below:
Go to Manage | Security Services | Connection Management | Directory Harvest Attack (DHA) protection.
- Permanently delete: the best option for higher-throughput environments. No NDR is sent back to the sender and the mail is deleted right away. End users that misspell an email address will not receive a bounceback.
- Reject invalid email addresses with SMTP error code 550: if this is set, setting the associated delay to 0/1 seconds is sufficient; any longer than this can cause a large number of junk mail replies to be held by the ES, consuming throughput. However, end users that misspell an email address will receive a bounceback.
NOTE: Best practice is to use Reject invalid email addresses with SMTP error code 550 with 0 tarpitting.
- Always store in Junk Box: recommended only for very low volume environments, as DHA emails (emails not addressed to users within your environment) have the potential to account for a substantial amount of junk mail.
Denial of Service/Throttling Overview:
Ensure that your Email Security appliance is the "first touch" before configuring these options. Changes to these options should be made only after reviewing Inbound Good vs. Junk under Monitor | Dashboard. Note the maximum number of legitimate connections received daily there and ensure that the Throttling/DoS settings match this as closely as possible. There can be scope to decrease the number of connections; however, this depends on factors such as the variety of connections coming into the customer's environment and is beyond the scope of this KB.
Connection Management Continued:
2 of the most commonly used items will be covered here: Greylisting and Grid Network IP Reputation.
Greylisting: holds an email in the queue and waits for the sending MTA to re-attempt the connection, at which point the Email Security appliance allows the mail through (this is usually 15 minutes, but it depends on the configuration of the sending MTA). This option can cause overhead on the appliance's resources when it is receiving connections from a large number of "new" IP addresses. Also, when enabled, it causes a delay per newly connecting IP.
Grid Network IP Reputation: to further limit the number of "junk" connections, ensure this is enabled. There is a small possibility that this may lead to some false positives; if that is the case, enabling the "Disable checks for IP addresses of unauthenticated mail senders" option may reduce them.
For more information, please review the KB here:
"Email Security Connection Management, Miscellaneous Options":
https://support.sonicwall.com/sonicwall-email-security/kb/sw6861
Logging Level:
Go to Manage | System Setup | Server | Advanced General Settings and review your current logging settings. The "Debug" (Level 2) logging level is recommended to be enabled only at the direction of a SonicWall Email Security Technical Support Representative for troubleshooting purposes. Having this enabled for a prolonged period of time will lead to decreased throughput, and the appliance's resources will be negatively impacted. Please ensure that this is set to "Info" (Level 3) and only set to "Debug" when requested to do so by a Support Representative, or when generating logs for troubleshooting purposes.
Anti-Spam > Spam Management:
Go to Manage | Security Services | Anti-spam | Spam Management Settings
A common misconfiguration is to enable "Skip spam analysis for internal email" when users are routing external mail through the appliance. This can result in a large number of spoofed mails getting through, as the Email Security appliance may see your domain listed in the header and let the mail through as a result.
If you are routing internal email (email sent from one member of your organization to another, which does not leave your internal network) through the appliance, it is recommended that you enable this feature by checking this check box. Doing so will exclude internal emails from spam analysis, improving performance and reducing the risk of false positives.
If you are not routing internal email through the appliance, leave this check box unchecked.
Anti-Spam > Address Books:
A common misconfiguration is to add the domain(s) sending out through the SonicWall Email Security appliance into this field. This can cause a large amount of spoofed email to get through the appliance, as the ES will see the domain in the header and let it through as a result. Only add domains/addresses/IPs here if you are consistently getting mails marked due to collab/blacklisting.
Anti-Spam > Anti-Spam Aggressiveness:
Each environment is unique and as a result, this has to be tailored to your environment accordingly.
Anti-Spam > Languages:
The only changes that should be made here are to "Block All" (if you are not going to receive emails from this country) or set back to "No Opinion". The "Allow All" option should not be used, as it will effectively allow through all emails for that language.
Anti-Spam > Black List Services:
To further decrease the amount of potential spam coming through the appliance, Black List Services can be enabled. To enable these, go to Manage | Security Services | Anti-spam | Blacklist Services and add a maximum of 2 RBLs. Any more than 3 can decrease the throughput of your appliance, as the ES will query each RBL specified, so this should be configured with only a maximum of 3.
The list below details some of the commonly used RBL providers. Please note that these are all 3rd-party utilities, so connectivity speeds to each RBL will vary depending on your geographical location and many other factors; SonicWall cannot advocate the usage of one RBL over another. Below is only a sample list of RBLs you can utilize.
- bl.spamcop.net
- cbl.abuseat.org
- b.barracudacentral.org
- dnsbl.sorbs.net
- http.dnsbl.sorbs.net
- dul.dnsbl.sorbs.net
- misc.dnsbl.sorbs.net
- smtp.dnsbl.sorbs.net
- socks.dnsbl.sorbs.net
- spam.dnsbl.sorbs.net
- web.dnsbl.sorbs.net
- zombie.dnsbl.sorbs.net
- dnsbl-1.uceprotect.net
- dnsbl-2.uceprotect.net
- dnsbl-3.uceprotect.net
- pbl.spamhaus.org
- sbl.spamhaus.org
- xbl.spamhaus.org
- zen.spamhaus.org
- bl.spamcannibal.org
- psbl.surriel.com
- ubl.unsubscore.com
- dnsbl.njabl.org
- combined.njabl.org
- rbl.spamlab.com
- dyna.spamrats.com
- noptr.spamrats.com
- spam.spamrats.com
- cbl.anti-spam.org.cn
- cdl.anti-spam.org.cn
- dnsbl.inps.de
- drone.abuse.ch
- httpbl.abuse.ch
- korea.services.net
- short.rbl.jp
- virus.rbl.jp
- spamrbl.imp.ch
- wormrbl.imp.ch
- virbl.bit.nl
- rbl.suresupport.com
- dsn.rfc-ignorant.org
- ips.backscatterer.org
- spamguard.leadmon.net
- opm.tornevall.org
- netblock.pedantic.org
- multi.surbl.org
- ix.dnsbl.manitu.net
- tor.dan.me.uk
- rbl.efnetrbl.org
- relays.mail-abuse.org
- blackholes.mail-abuse.org
- rbl-plus.mail-abuse.org
- dnsbl.dronebl.org
- access.redhawk.org
- db.wpbl.info
- rbl.interserver.net
To further limit mail arriving from sources that are listed in your selected RBL database(s), you can use the "Treat all email that arrives from sources on the Black List Services as Likely Spam" option. However, this may lead to some mail being marked as Likely Spam, so the nature of the senders delivering mail through the appliance should be taken into consideration before enabling it.
Also, if this option is enabled and you are seeing a large amount of mail coming in as Likely Spam due to RBLs, Email Security support cannot provide further assistance, as the senders themselves will have to take the necessary measures to get their IP removed from the RBL they are listed on. The only option in this case, from an Email Security perspective, would be to untick the option detailed above.
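To make the throughput point of the Black List Services section concrete, here is an added example (not SonicWall's code) of what one RBL lookup is: the connecting IP's octets are reversed, the zone name is appended, and the result is resolved as a DNS A record, once per configured RBL per connection. The script measures the time each zone costs, accepts only answers in 127.0.0.0/8 as listing codes (answers outside that range usually mean a defunct or wildcarded zone, not spam), and reduces the result to the same "any listing means Likely Spam" verdict the option above applies. The IP 192.0.2.77 and `demo_resolve` are constructed so it runs offline; the zone names are taken from the list in this article, and the real resolver is used when no resolver is passed.

```python
# Added example (not SonicWall's code): what the appliance does for each configured
# Black List Service, namely one DNS query per RBL per connecting IP, and why the
# per-zone latency adds up. The IP 192.0.2.77 and the fake resolver are constructed
# for an offline demonstration; the zone names are from the list in this article.
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> A record, or None if not listed

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")  # valid DNSBL answers live here


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.77 -> 77.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError for non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Resolve through the host's DNS; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str], resolve: Resolver = system_resolve) -> Dict[str, object]:
    """Query every zone sequentially, one lookup per RBL, and return which zones
    list the IP, which returned an out-of-range answer, and the time each cost."""
    listed: List[str] = []
    invalid: List[str] = []
    latency_ms: Dict[str, float] = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        start = time.perf_counter()
        answer = resolve(name)
        latency_ms[zone] = round((time.perf_counter() - start) * 1000, 2)
        if answer is None:
            continue
        try:
            valid = ipaddress.IPv4Address(answer) in LOOPBACK
        except ValueError:
            valid = False
        # An answer outside 127.0.0.0/8 is not a listing code; treat it as a broken or
        # wildcarded zone rather than as evidence of spam.
        (listed if valid else invalid).append(zone)
    return {
        "ip": ip,
        "listed": listed,
        "invalid_zones": invalid,
        "latency_ms": latency_ms,
        "total_latency_ms": round(sum(latency_ms.values()), 2),
        # Mirrors "Treat all email that arrives from sources on the Black List
        # Services as Likely Spam": any valid listing is enough.
        "verdict": "likely_spam" if listed else "not_listed",
    }


def demo_resolve(name: str) -> Optional[str]:
    """Constructed offline resolver: 192.0.2.77 is 'listed' in zen.spamhaus.org only."""
    return "127.0.0.2" if name == "77.2.0.192.zen.spamhaus.org" else None


if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org", "dnsbl.sorbs.net"]
    report = check_ip("192.0.2.77", zones, resolve=demo_resolve)
    print(report["verdict"], report["listed"],
          f"{report['total_latency_ms']} ms over {len(zones)} zones")
```

Because the lookups are sequential, `total_latency_ms` grows with every zone you add, which is the cost behind the article's recommended cap on the number of RBLs; the `invalid_zones` field is also a quick way to spot a configured RBL that has stopped answering properly.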
Message Logs / Archiving:
For high-volume throughput environments, it is recommended that Auditing be kept for no more than 30 days. To set this, go to Investigate | Logs | Message Logs, select the "Settings" button, then change the "Keep auditing files for:" setting to 30 days or under.
If you require Auditing for an extended period of time, e.g. for archiving, the recommendation is to use the Archiving feature, available under Manage | Policy & Compliance | Compliance | Archiving (note that the Archiving module has to be purchased as part of the Compliance module to enable this functionality). Archiving to an external SMTP server is preferred, as archiving to the local filesystem would have a negative effect on throughput/performance.
Junk Box Management:
This varies depending on the amount of mail you are junking; however, anything over 30 days is generally not recommended when throughput is a priority.
To set this, go to Manage | Junk Box | Junk Box Settings and change the "Number of days to store in Junk Box before deleting:" setting accordingly.
The combination of these settings will ensure that your appliance is configured for maximum throughput, while maintaining maximum effectiveness for the filtering of your email flow.
Configuring the SonicWall Firewall to ensure Thumbprints are not filtered:
Fragmentation Settings:
- Go to Network > Interfaces and click the Configure icon for the WAN port.
- On the Advanced Properties of the WAN port:
  - Enable "Fragment non-VPN outbound packets larger than this Interface's MTU";
  - Disable "Ignore Don't Fragment (DF) Bit".
IPS/GAV/ASW/CFS Exclusion:
On the Security Services Sub Menu, Enable the Exclusion list and add the IP address of the SonicWall Email Security to the following:
- Content Filter
- Security Services
- Gateway Anti-Virus
- Intrusion Prevention
- Anti-Spyware
SSO Agent:
If this is a new deployment of the ES appliance and you are utilizing SSO (Single Sign On) on the SonicWall Firewall, you will need to ensure the following is performed so that HTTP traffic is received by the appliance. To ensure that the Email Security appliance is bypassed for SSO traffic, go to:
Users > Settings > Configure SSO > Enforcement > SSO Bypass, input the Address Object you created for the Email Security appliance into the "Bypass the Single Sign On process for traffic from" dropdown menu and accept.
The steps/information detailed above should ensure the appliance is configured as optimally as possible for your environment, as well as applying best practice steps regarding traffic flow for the thumbprint traffic to the appliance.
NOTE: If the navigation or the screenshots look different from those mentioned above, you may be on an older firmware version and require a firmware upgrade. Please refer to the link below to upgrade the firmware to the latest version.
https://www.sonicwall.com/en-us/support/knowledge-base/170504270079039