Security
On the Security page, you can enable spam filters, antivirus scanning, or block/allow list to protect Synology MailPlus Server and its associated mail clients.
Antispam
Set up spam filters and configure auto-learning to achieve accurate spam detection.
Configuring the antispam engine
To enable the antispam engine:
Edit the general antispam settings for spam control.
- Go to Antispam and select Enable antispam engine.
- Select either of the following antispam engines:
- Rspamd: A free and open-source antispam engine
- Bitdefender: A paid security engine that requires licenses purchased from Bitdefender for MailPlus
- If you select Rspamd as the engine, click Update Settings to set a daily schedule to download the latest rules. You can also click Manual Update to update immediately.
- Under Spam control, you can find the following options:
- Add the following to spam subjects: Adds the custom text to the subject line of spam messages to alert recipients.
- Move to the spam mailbox: Automatically relocates identified spam messages to the spam mailbox. If this option is not enabled, spam messages will remain in the Inbox.
- Allow emails from known senders (Rspamd only): If an email is received within 24 hours in reply to an email sent by MailPlus Server, its spam score will drop by 4 points.
- Define spam types (Bitdefender only): Select the types of emails you wish to flag as spam. Emails will be categorized by the Bitdefender engine.
- Spam sensitivity level (Bitdefender only): Enter a value from 1 to 9. The higher the value is, the stricter the evaluation of spam will be, so emails are more likely to be classified as spam.
- Encapsulate spam as attachment: Reports spam as an attachment encapsulated in a new message. You can choose As plain text only to avoid web bugs and malicious scripts.
- Specify how long to keep spam messages in the Delete spam interval (days). Spam will be automatically deleted after the specified number of days.
- Save the settings to complete the basic configuration. Refer to the following section to create custom rules and filters.
To configure advanced antispam settings:
Create filters and define rules to customize your antispam engine.
- Go to Antispam.
- Under Spam control, click Custom Spam Filter to set up the following two kinds of filters:
- Address Filter: Click Create to add spam or non-spam filters based on sender and recipient addresses. Click Tools to import or export relevant rules for use.
- Attachment Filter: Click Create to add spam filters based on attachment file types.
- Also under Spam control, click Advanced to edit the following settings:
- Mark as spam if score is higher than: Select a spam score threshold. A message that exceeds the threshold will be marked as spam.
- SpamAssassin Rules: SpamAssassin rules are open-source rules that help target specific spam types. Click the button to import or export a .cf file containing your SpamAssassin rules.
- Keyword Filter:
- Click Create to specify keywords and the corresponding spam scores (a positive score for spam likelihood; a negative score for spam unlikelihood).
- Tick the checkbox in the Enable column to enable or disable a filter.
- Click Group Settings to group multiple keyword filters together so that you can quickly enable or disable a group of filters as a whole.
- Select from the Group drop-down menu to switch among different groups.
Configuring auto-learning (Rspamd only)
Train your MailPlus Server to better detect spam with specialized algorithms.
- Go to Antispam.
- Under Spam control, click Advanced > Auto learning.
- Enable Auto learning.
- Specify the following score settings:
- Mark as spam if score is higher than: The spam threshold set on the General tab will be displayed here.
- Learn as spam if score is higher than: Set the spam threshold for auto-learning.
- Learn as non-spam if score is lower than: Set the non-spam threshold for auto-learning.
- Select Enable spam reporting to allow client users to report spam and false spam from MailPlus or a third-party email client (e.g., Microsoft Outlook).
- Forward spam to: Enter an email address where the reported spam should be sent.
- Forward false spam to: Enter an email address where the reported false spam should be sent.
- Click Reported Spam to check all the reported spam and false spam and manage them as follows:
- View: Click to view a reported message in plain text.
- Learn and Learn All: Click to train the system for better spam detection.
- Delete: Click to remove a reported message mistaken for spam.
- Original Mail: Click to view a reported message in plain text and its email header.
- Select Set daily schedule for learning reported spam to schedule the learning activities.
Note:
- For accurate spam detection, enable Allow emails from known senders after Auto learning has been enabled for a while.
- You can download SpamAssassin rules from this website.
- To create custom SpamAssassin rules, do the following:
- Create your rules.
- Save the rules as a .cf file for import.
- In the Custom Spam Filter, you can set the rules using the following patterns:
| Patterns | Targets |
| --- | --- |
| admin@domain | Any messages from the email address [admin@domain] |
| admin@* | Any messages from the account [admin] |
| domain | Any messages from the domain [domain] |
| *.com | Any messages from a domain ending with [.com] |
| ad*@* | Any messages from an account starting with [ad] |
- Enter the file types using simple regular expressions. For example, if you enter vb[es], emails that contain the vbe and vbs file types will be rejected.
- To help client users report spam and false spam from a third-party email client (e.g., Microsoft Outlook), do the following:
- Provide them with the email addresses specified in Forward spam to and Forward false spam to.
- Ask them to use the client's built-in feature to forward these messages as attachments to the provided addresses. These messages will not reach MailPlus Server unless they are forwarded as attachments.
- MailPlus Server needs at least 200 reported spam messages and at least 200 reported non-spam messages before it applies the results of auto-learning to spam detection.
Filtering spam using DNSBL and grey list
To enable DNSBL:
A DNSBL is a list published through the Internet Domain Name System (DNS) that helps filter out spam based on the IP addresses of computers or networks.
- Go to Antispam.
- Under DNSBL, select Enable postscreen protection against spam.
- Click DNSBL Settings to manage the server list.
- Click Create. Input a DNSBL server and the corresponding score.
- Click Settings. Input the DNSBL score threshold. Service to an email client will be rejected when the client's total score exceeds the value specified here.
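How a DNSBL lookup name is built and how per-server scores add up against the threshold, as an added example that is not Synology's code. The zone names, scores and the stubbed lookup are constructed; the strict comparison follows this page's wording ("exceeds").

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """Return the DNS name a server looks up to ask `zone` about client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")                   # four octets
    else:
        labels = list(ip.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def total_score(client_ip, servers, is_listed):
    """Add up the score of every DNSBL server that lists client_ip.

    is_listed(name) stands in for the DNS query: True when the name
    resolves, which is how a DNSBL signals that the address is listed.
    """
    return sum(score for zone, score in servers.items()
               if is_listed(dnsbl_query_name(client_ip, zone)))

def should_reject(client_ip, servers, threshold, is_listed):
    # The page says a client is rejected when its total score exceeds
    # the threshold, so the comparison here is strict.
    return total_score(client_ip, servers, is_listed) > threshold

# Constructed sample data: two made-up DNSBL zones with their scores and
# the names a resolver would answer for (documentation address ranges).
SERVERS = {"bl-a.example": 2, "bl-b.example": 1}
LISTED = {
    "2.2.0.192.bl-a.example",    # 192.0.2.2 on list A
    "2.2.0.192.bl-b.example",    # 192.0.2.2 on list B
    "7.113.0.203.bl-b.example",  # 203.0.113.7 on list B only
}

def stub_lookup(name):
    return name in LISTED

if __name__ == "__main__":
    for ip in ("192.0.2.2", "203.0.113.7", "198.51.100.1"):
        print(ip, total_score(ip, SERVERS, stub_lookup),
              should_reject(ip, SERVERS, 2, stub_lookup))
```

A single high-scoring list can reject on its own, while several low-scoring lists only reject when they agree, which limits the damage from one list's false positive.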
To enable the grey list:
The system will check for any existing records of the same IP address, sender, or recipient when a new message arrives. If no records are found, the message is flagged as suspicious, and an error message is sent to the sender asking them to resend the message later. Ordinary senders usually comply, while most spammers give up.
- Go to Antispam.
- Under Grey List, select Enable the grey list to enhance spam detection by temporarily rejecting suspicious incoming mails.
- Click Grey List Settings to apply different actions to messages from each IP address and domain.
- Click Create.
- Specify the rule criteria:
- Source: Enter an IP range such as "192.168.0.0/24".
- Domain: Enter a domain name such as "example.com". The system will check the sender's DNS information and see if it matches any of the domain names listed on the grey list.
- Select an action:
- Block list: Immediately ends the connection.
- Grey list: Returns a temporary error. If the email client resends the message after the grey list period has expired, that message will be accepted and the client will be added to the allow list for future recognition.
- Allow list: Accepts the message.
- Click Settings to edit the default action and the grey list period.
Note:
- Enabling grey list may cause email delivery delays.
- Once an email client passes the grey list, all its messages will be accepted immediately.
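The grey list decision flow described above, as an added example that is not Synology's code. It models Source (IP range) rules only; the rule order (first match wins), the 300-second period, and all addresses are assumptions constructed for the illustration.

```python
import ipaddress

class GreyList:
    """Source-rule grey list: block / grey / allow per IP range."""

    def __init__(self, rules, default_action="grey", period=300):
        # rules: (CIDR, action) pairs, checked in order (assumed: first match wins)
        self.rules = [(ipaddress.ip_network(cidr), act) for cidr, act in rules]
        self.default_action = default_action
        self.period = period      # grey list period in seconds
        self.first_seen = {}      # (ip, sender, recipient) -> first attempt time
        self.passed = set()       # clients that already passed the grey list

    def action_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, action in self.rules:
            if addr in net:
                return action
        return self.default_action

    def check(self, ip, sender, recipient, now):
        """Decide one delivery attempt arriving at time `now` (seconds)."""
        action = self.action_for(ip)
        if action == "block":
            return "disconnect"               # block list: end the connection
        if action == "allow" or ip in self.passed:
            return "accept"                   # allow list, or passed earlier
        first = self.first_seen.setdefault((ip, sender, recipient), now)
        if now - first >= self.period:
            self.passed.add(ip)               # resent after the period expired
            return "accept"
        return "tempfail"                     # temporary error: retry later

def replay():
    """Replay constructed delivery attempts and return each decision."""
    gl = GreyList([("192.168.0.0/24", "allow"), ("198.51.100.0/24", "block")])
    new = ("203.0.113.9", "news@example.net", "user@example.com")
    return [
        gl.check("192.168.0.10", "a@example.com", "user@example.com", 0),
        gl.check("198.51.100.5", "b@example.net", "user@example.com", 0),
        gl.check(*new, 0),      # first contact
        gl.check(*new, 60),     # retried too early
        gl.check(*new, 400),    # retried after the 300 s period
        gl.check("203.0.113.9", "other@example.net", "it@example.com", 401),
    ]

if __name__ == "__main__":
    print(replay())
```

The last attempt is accepted at once even though its sender and recipient are new, matching the note that a client which has passed the grey list is accepted immediately afterwards.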
Antivirus
Run an antivirus engine to scan all incoming and outgoing messages for viruses. When a message is found infected, the system will delete or quarantine the message and send notifications to the related recipients.
Configuring the antivirus engine
- Go to Antivirus.
- Select Enable antivirus engine.
- Select any of the following antivirus engines:
- ClamAV: A free and open-source antivirus engine
- McAfee: A paid antivirus engine that requires Antivirus by McAfee to be installed on the Synology NAS
- Bitdefender: A paid security engine that requires licenses purchased from Bitdefender for MailPlus
- Click Update Settings to schedule updates for virus definitions. You can also click Manual Update to update immediately.
- When ClamAV is selected as the engine, the following options are available:
- Use Google Safe Browsing database to detect malicious links in emails
- Use third-party databases to download their virus definitions
Note:
- To ensure smooth running of security engines, we recommend using Synology NAS with at least 2 GB RAM.
- Running antivirus scanning will consume around 300 MB RAM.
- Using the Google Safe Browsing database or any other third-party database for ClamAV may demand more memory.
- If you need to fine-tune the McAfee engine, launch Antivirus by McAfee to edit the settings.
Managing infected messages
When an infected message is detected, the system will respond based on the predefined policies.
- Go to Antivirus.
- Choose what to do with an infected message from the Antivirus action menu:
- Delete mail: Deletes the message. The message will not be sent to the intended recipient.
- Save to quarantine: Holds the message in the quarantine. The message will not be sent to the intended recipient. Click Quarantine List at the bottom of the page to view and manage the quarantined messages.
- Deliver anyway: Allows the message to be delivered to the intended recipient.
- To mark infected messages, select Add subject prefix to infected mail and specify the text that will appear on the message subject.
- To notify recipients about infected messages, select Send notifications to recipients after deleting or quarantining viruses. Customize the notification content in Template Settings.
Authentication
Enable authentication mechanisms to validate emails and reduce spam. With authentication enabled, emails will undergo thorough verification processes. If an email fails verification, a warning message will pop up to alert the user of suspicious content.
SPF
SPF, which stands for Sender Policy Framework, prevents email spoofing by specifying the servers that are allowed to send emails on behalf of a domain.
To enable SPF verification:
- Go to Authentication.
- Select Enable SPF verification to verify the sender identity and detect forged sender addresses.
- Select Reject SPF softfail to reject emails with softfail verification results.
DKIM
DKIM, which stands for DomainKeys Identified Email, adds a digital signature to each outgoing email. This signature allows for validation, ensuring that the email is authorized by the domain owner.
To enable DKIM verification:
- Go to Authentication.
- Select Enable DKIM verification on inbound emails to check for a valid DKIM signature on incoming emails. Emails rejected by DKIM will be moved to the Spam folder on the MailPlus client, and a warning message will pop up when users open such emails.
- Under Minimum key length for DKIM verification, choose a value from the drop-down menu. Emails with DKIM keys shorter than the set value will be rejected. Setting a longer key length enhances security by preventing emails from less secure domains from passing the verification.
To enable DKIM signing:
- Go to Domain and double-click the domain in use.
- On the General tab, click Advanced.
- Select Enable DKIM signing on outbound emails to ensure that all emails from the domain have a DKIM signature.
- Go to Security > Authentication > DKIM to add your trusted internal hosts or subnets to the Allow List. This ensures that emails sent from these sources, whether through MailPlus, third-party email clients, or terminals, will have a DKIM signature.
DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) controls the handling of emails that fail SPF and DKIM checks. It also provides valuable reporting for domain owners to detect spoofing attacks.
To enable DMARC:
- Go to Authentication.
- Select Enable DMARC to validate the senders' email domains. Emails quarantined by DMARC will be moved to the Spam folder on the MailPlus client, and a warning message will pop up when users open such emails.
- Add a TXT record as follows to your public DNS, so that your emails will be able to pass DMARC authentication of other email servers:
- TXT record name: _dmarc.your domain
"your domain" should be replaced with your actual domain name. Example: _dmarc.example.com
- TXT record value: v=DMARC1; p=policy enforced on unauthenticated messages; pct=percentage of messages subjected to the specified policy; rua=reporting URI of aggregate reports
Example: v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com
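A way to check a DMARC TXT value before publishing it, and to see what pct does to messages that fail, as an added example that is not Synology's code. The function names are hypothetical; the downgrade for unsampled messages (reject to quarantine, quarantine to none) follows RFC 7489.

```python
def parse_dmarc(txt):
    """Parse and validate a DMARC TXT record value into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                        # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))       # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    # rua is a comma-separated list of report URIs.
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return tags

# Policy applied to failing messages that fall outside the pct sample.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def policy_for_failure(tags, roll):
    """Policy a receiver applies to one failing message.

    roll is that message's sample value in 0..99; values below pct get
    the published policy, the rest get the next lower one.
    """
    return tags["p"] if roll < tags["pct"] else DOWNGRADE[tags["p"]]

# The example record from this page.
EXAMPLE = "v=DMARC1; p=quarantine; pct=20; rua=mailto:aggrep@example.com"

if __name__ == "__main__":
    tags = parse_dmarc(EXAMPLE)
    print(tags)
    print(policy_for_failure(tags, 5), policy_for_failure(tags, 50))
```

With the page's example record, only about one failing message in five is quarantined by receivers and the rest are delivered as under p=none, so pct=20 is a rollout setting and not full enforcement.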
DANE
DANE, which stands for DNS-based Authentication of Named Entities, helps authenticate the identity of recipient servers, thereby establishing a secure channel between the sender and recipient.
To enable DANE:
Enable DANE to let MailPlus Server validate other servers' TLS certificates when initiating mail transport.
- Go to Authentication.
- Select Enable DANE verification.
- Choose either of the following levels:
- Opportunistic verification: DANE verification will be performed only when the receiving server supports DANE and has TLSA records set up.
- Mandatory verification: DANE verification will always be performed.
- Add your trusted recipient domains to the Allow List so that emails sent to these domains will skip the DANE verification.
To deploy TLSA records:
Generate and publish a TLSA record, so that other mail servers can authenticate MailPlus Server before delivering emails.
- Click Generate TLSA Record.
- Specify the parameters for your TLSA record. See RFC 6698 for the meaning of each parameter.
- Click OK to generate the record.
- Go to your public DNS settings and add a record as follows:
- Type: Set to TLSA.
- Usage, Selector, and Matching type: Enter the parameters given in MailPlus Server.
- Certificate: Paste the certificate association data from MailPlus Server.
To know more about how DANE works, you can refer to this article.
Content Scan
Configure the system to scan messages for dangerous content.
To scan for dangerous content:
- Go to Content Scan.
- Select Enable dangerous content scan.
- Choose whether or not to enable the following options:
- Reject partial messages: Since these messages cannot be scanned properly for viruses and inappropriate content, they will be rejected to avoid potential virus infection.
- Reject external message bodies: Messages that have bodies stored elsewhere on the Internet will be rejected to avoid fetching viruses when downloading the message bodies.
- Highlight phishing fraud: The sections containing potential phishing fraud will be highlighted to remind users of the risk.
- Convert HTML into plain text: HTML messages with dangerous tags will be automatically converted to plain text to ensure their harmlessness, while preserving the readability of the text content for recipients.
- Choose one of the following actions for each tag:
- Reject: Rejects messages containing the corresponding tag.
- Allow: Delivers messages containing the corresponding tag.
- Make tags ineffective: Delivers messages containing the corresponding tag after rendering the tag ineffective so that recipients can still view the content.