Managing connection options

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Settings > Inbound/Outbound > Connection Control is used to configure connection settings, such as limiting the number of simultaneous connections per IP address and enabling real-time blacklist checking or reverse DNS verification.

The following settings can be configured on the page Connection Control:

Configuring simultaneous connections

Using a real-time blacklist

Using reverse DNS verification

Using the reputation service

Delaying the SMTP greeting

Enabling the SMTP VRFY command

Enabling SMTP authentication for email hybrid service

Changing the SMTP port

Using access lists

To collect and view detailed information about some connections, allow connection control functions to save these details in the mail processing log, accessed via an appliance. When the function is activated, the log collects detailed data regardless of whether the connection control itself is enabled. This function is available for the following connection control options:

Real-time blacklist (RBL)

Reverse DNS lookup

Reputation service

SMTP greeting delay

Configuring simultaneous connections

Limiting the number of simultaneous connections can improve system performance. The Connection Options section is used to limit these connections.

Limit simultaneous connections

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Connection Options, in the text field Simultaneous connections per IP, enter the maximum number of allowed simultaneous connections per IP address, from 1–500.

The default is 10.

In the text field Timeout, specify the maximum number of seconds of inactivity allowed before a connection is dropped, from 1–43200.

The default is 300.

Click OK.

The settings are saved.

Using a real-time blacklist

A Real-Time Blacklist (RBL) is a third-party published list of IP addresses that are known sources of spam. When RBL checking is enabled, messages from a sender listed on an RBL are prevented from entering your system. The Email Security module supports the use of the Spamhaus Datafeed server or the entry of up to three third-party RBLs for RBL lookups. Functionality is configured from the section Real-time Blacklist Options on the page Settings > Inbound/Outbound > Connection Control.

Configure the RBL

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Real-time Blacklist Options, mark the check box Perform RBL check.

This feature is enabled by default.

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

If you enable this option without designating a third-party RBL, the email protection system still collects log information that email content filters can use for subsequent message analysis.

Under Spam RBL service, select one of the following RBL lookup methods:

Spamhaus service

Use the Spamhaus server for RBL lookups.

Domain address

Enter up to three domain addresses of the RBL services to use. Separate multiple addresses with a semicolon (;).

Click OK.

The settings are saved.

Using reverse DNS verification

Reverse DNS lookup uses a pointer (PTR) record to determine the domain name that is associated with an individual sender IP address. The reverse DNS lookup function can determine whether email sent to your system is from a legitimate domain. Use of this option can enhance the detection of commercial bulk email. See Commercial bulk email.

However, if you enable Reverse DNS, server performance may be affected, or legitimate users may be rejected. This function is not enabled by default, but can be enabled from the section Reverse DNS Lookup Options on the page Settings > Inbound/Outbound > Connection Control.

Enable reverse DNS lookup

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Reverse DNS Lookup Options, mark the check box Enable reverse DNS lookup.

Selection enables the corresponding check boxes.

Determine the response to a reverse DNS lookup by marking one or more of the following check boxes:

Disconnect if the PTR record does not exist

Disconnect if the PTR record does not match the A record

Disconnect if a soft failure occurs during a reverse DNS lookup

If you select this option, a connection is terminated when the following events occur:

Named DNS lookup cache service is down.

Your DNS server is down.

A timeout occurs during a DNS lookup.

Disconnect if the PTR record does not match the SMTP EHLO/HELO greeting

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

Click OK.

The settings are saved.

Using the reputation service

The email protection system can check an email sender's IP address against the reputation service, which classifies email senders based on past behavior. With this function, the email system can block mail from known spam senders. The reputation service is enabled from the section Reputation Service Options on the page Settings > Inbound/Outbound > Connection Control.

Configure the reputation service

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Reputation Service Options, mark the check box Enable Reputation Service.

This is the default setting. Selection enables the corresponding radio buttons.

Select one of the following analysis levels to specify the threshold for blocking mail:

Conservative

Blocks mail from addresses that send spam 100% of the time.

Medium

Blocks mail from addresses that send spam 99% of the time.

Aggressive

Blocks mail from addresses that send spam 97% of the time. This is the default.

Custom

Selection enables the corresponding text field in which to enter a custom spam percentage. The email system blocks mail from addresses that send spam the specified percentage of time.

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

Click OK.

The settings are saved.

Delaying the SMTP greeting

An SMTP greeting message can be delayed for a specified time interval, so that a connection from a client will be dropped if the client tries to send data during this time interval. This option can help prevent mail from spam-sending applications that send a high volume of messages very quickly. The connection is dropped as soon as a message is sent to the SMTP server before it is ready. This feature is not enabled by default, but can be enabled from the section SMTP Greeting Delay Options on the page Settings > Inbound/Outbound > Connection Control.

Configure the SMTP greeting delay

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section SMTP Greeting Delay Options, mark the check box Enable SMTP greeting delay.

Selection enables the corresponding field.

In the text field Delay time, specify the delay time, in seconds, from 1–60.

The default is 3 seconds.

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

Click OK.

The settings are saved.

Enabling the SMTP VRFY command

The SMTP VRFY command can be used to verify an email username. When asked to validate a username, a receiving mail server responds with the user's login name. The SMTP VRFY Command section on the page Settings > Inbound/Outbound > Connection Control is used to configure this option.


	Important Use this command with care. Although helpful in validating a user, this command can also create a network security issue if the user information is retrieved by someone with malicious intent.

Enable the SMTP VRFY command

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section SMTP VRFY Command Option, mark the check box Enable SMTP VRFY command.

Click OK.

The settings are saved.

Enabling SMTP authentication for email hybrid service

By default, SMTP authentication is enabled for inbound messages that enter the system via the email hybrid service. This type of authentication provides additional authentication protection for email that is relayed to the email protection system from the hybrid service. The Email Hybrid Service SMTP Authentication section on the page Settings > Inbound/Outbound > Connection Control is used to enable or disable this option.

Disable SMTP authentication for Forcepoint Email Security Hybrid Module

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Email Hybrid Service SMTP Authentication Option, unmark the check box Enable email hybrid service SMTP authentication.

This option is available only when your subscription includes Forcepoint Email Security Hybrid Module and the hybrid service is registered and enabled.

Click OK.

The settings are saved.

Changing the SMTP port

The default SMTP port number is 25. Proper communication with the email hybrid service requires the use of port 25 for SMTP. However, the SMTP Port Option settings on the page Settings > Inbound/Outbound > Connection Control can be used to customize the port number.


	Note Changing this port setting causes module services to restart.

Change the SMTP port

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section SMTP Port Option, enter a valid port number in the text field SMTP port.

Valid values are from 25 to 5000.

Click OK.

The settings are saved. The Email Security module services are restarted.

Using access lists

An access list enables you to specify an IP address group for which certain email analysis is not performed. The Allow Access List Options on the page Settings > Inbound/Outbound > Connection Control are used to identify these IP addresses. Mail from these addresses bypasses the following email analysis:

Connections per IP address

Directory harvest attack prevention

Inbound relay control

True Source IP detection

IP address groups are defined on the page Settings > Inbound/Outbound > IP Groups. The groups defined on that page appear for selection in the Connection Control Allow Access List Options section.

Create and modify an access list

Navigate to the page Settings > Inbound/Outbound > Connection Control.

From the section Allow Access List Options, select an IP group name from the pull-down menu IP group.

The IP addresses in the group display in the list of IP addresses list and the Edit button is enabled.

Click Edit.

The Edit IP Groups page displays to configure the IP addresses. See Editing an IP address group.

In the section IP Address Group, add a predefined IP address group; from the field IP address file, click Browse and navigate to the desired text file.

The file format should be one IP address per line, and its maximum size is 10 MB.

Because mail from the Trusted IP Addresses group bypasses additional email analysis, that group should not be entered in the Allow Access List. See Managing domain and IP address groups.

Manually add IP address entries; in the field IP address, enter an individual IP address and click >.

The information is added to the Added IP Addresses box on the right.


	Note Any changes made here to an IP address group are reflected on the page Settings > Inbound/Outbound > IP Groups.

Export the access list to a location in your network; click Export.

Delete an IP address from the Added IP Addresses list; select the IP address and click Remove.

Click OK.

The Connection Control page displays with the newly configured IP addresses.

Click OK.

The settings are saved.