Managing Messages

This option is available only when the recipient validation is configured on the page Settings > Users > User Authentication. See Managing user validation/authentication options. Selection enables the corresponding text field and check box.

ï€³ï€®ï€ˆ

In the text field Block message if the percentage of invalid recipients is at least, enter a value for the percentage of invalid recipients that determines if a message is blocked.

The default is 100%.

ï€´ï€®ï€ˆ

Enable the system to send a non-delivery report notification; mark the check box Send non-delivery report (NDR) only if a message is not blocked.

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

Enabling archive message options

Use the Message Archive Queue settings to save all incoming messages to an archive message queue before they are scanned. Enabling this feature can impact storage capacity and system performance.

Enable message archive queue

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Message Control.

ï€²ï€®ï€ˆ

From the section Message Archive Queue, save incoming messages to an archive message queue; mark the check box Enable archive queue storage.

This option is disabled by default.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved. View the archive queue by clicking archive in the queue list on the page Main > Message Management > Message Queues. See Managing message queues.

Enabling message sender verification

Use the Internal Sender Verification settings to ensure that an internal email sender is an authenticated user. This operation performs a check to confirm that an email sender from an internal domain is also an authenticated user. For email to pass this check function, a mail sender's address must match the sender's login authentication entry.

Enable internal sender verification

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Message Control.

ï€²ï€®ï€ˆ

From the section Internal Sender Verification, mark the check box Enable internal sender verification.

This option is disabled by default.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved.

Enabling bounce address tag validation (BATV)

Bounce address tag validation (BATV) is a method for determining whether a bounce message to an address in your protected domain is valid. This method helps to prevent backscatter spam, in which a bounce message to your organization contains a forged recipient address.

With BATV enabled, the sender address of outbound email is marked with a unique tag. A bounce message addressed to that sender is examined for the presence of that unique tag. If the tag is detected, the bounce message is cleared for delivery. A bounce message without the tag is blocked.

Enable BATV

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Message Control.

ï€²ï€®ï€ˆ

From the section Bounce Address Tag Validation, mark the check box Enable Bounce Address Tag Validation.

Selection enables the corresponding pull-down menus.

ï€³ï€®ï€ˆ

Define user and IP address groups to bypass the BATV function; select the groups from among the following pull-down menus:

?ï€ˆ

Inbound IP address group

?ï€ˆ

Inbound domain group

?ï€ˆ

Outbound domain group

A domain group selected for outbound bypass must also be selected for inbound bypass. The default setting for each group is None.

Only user-defined domain and IP address groups are available in the pull-down menus. See Managing domain and IP address groups for information about creating domain and IP address groups.

ï€´ï€®ï€ˆ

Click OK.

The settings are saved.

Managing connection options

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Settings > Inbound/Outbound > Connection Control is used to configure connection settings, such as limiting the number of simultaneous connections per IP address and enabling real-time blacklist checking or reverse DNS verification.

The following settings can be configured on the page Connection Control:

?ï€ˆ

Configuring simultaneous connections

?ï€ˆ

Using a real-time blacklist

?ï€ˆ

Using reverse DNS verification

?ï€ˆ

Using the reputation service

?ï€ˆ

Delaying the SMTP greeting

?ï€ˆ

Enabling the SMTP VRFY command

?ï€ˆ

Enabling SMTP authentication for email hybrid service

?ï€ˆ

Changing the SMTP port

?ï€ˆ

Using access lists

To collect and view detailed information about some connections, you can allow connection control functions to save these details in the mail processing log, accessed via an appliance. When the function is activated, the log collects detailed data regardless of whether the connection control itself is enabled. This function is available for the following connection control options:

?ï€ˆ

Real-time blacklist (RBL)

?ï€ˆ

Reverse DNS lookup

?ï€ˆ

Reputation service

?ï€ˆ

SMTP greeting delay

Configuring simultaneous connections

Limiting the number of simultaneous connections can improve system performance. The Connection Options section is used to limit these connections.

Limit simultaneous connections

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section Connection Options, in the text field Simultaneous connections per IP, enter the maximum number of allowed simultaneous connections per IP address, from 1–500.

The default is 10.

ï€³ï€®ï€ˆ

In the text field Timeout, specify the maximum number of seconds of inactivity allowed before a connection is dropped, from 1–43200.

The default is 300.

ï€´ï€®ï€ˆ

Click OK.

The settings are saved.

Using a real-time blacklist

A Real-Time Blacklist (RBL) is a third-party published list of IP addresses that are known sources of spam. When RBL checking is enabled, messages from a sender listed on an RBL are prevented from entering your system. The Email Security module supports the use of the Spamhaus Datafeed server or the entry of up to three third-party RBLs for RBL lookups. Functionality is configured from the section Real-time Blacklist Options on the page Settings > Inbound/Outbound > Connection Control.

Configure the RBL

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section Real-time Blacklist Options, mark the check box Perform RBL check.

This feature is enabled by default.

ï€³ï€®ï€ˆ

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

If you enable this option without designating a third-party RBL, the email protection system still collects log information that email content filters can use for subsequent message analysis.

ï€´ï€®ï€ˆ

Under Spam RBL service, select one of the following RBL lookup methods:

?ï€ˆ

Spamhaus service

Use the Spamhaus server for RBL lookups.

?ï€ˆ

Domain address

Enter up to three domain addresses of the RBL services to use. Separate multiple addresses with a semicolon (;).

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

Using reverse DNS verification

Reverse DNS lookup uses a pointer (PTR) record to determine the domain name that is associated with an individual sender IP address. The reverse DNS lookup function can determine whether email sent to your system is from a legitimate domain. Use of this option can enhance the detection of commercial bulk email. See Commercial bulk email.

However, if you enable Reverse DNS, server performance may be affected, or legitimate users may be rejected. This function is not enabled by default, but can be enabled from the section Reverse DNS Lookup Options on the page Settings > Inbound/Outbound > Connection Control.

Enable reverse DNS lookup

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section Reverse DNS Lookup Options, mark the check box Enable reverse DNS lookup.

Selection enables the corresponding check boxes.

ï€³ï€®ï€ˆ

Determine the response to a reverse DNS lookup by marking one or more of the following check boxes:

?ï€ˆ

Disconnect if the PTR record does not exist

?ï€ˆ

Disconnect if the PTR record does not match the A record

?ï€ˆ

Disconnect if a soft failure occurs during a reverse DNS lookup

If you select this option, a connection is terminated when the following events occur:

?ï€ˆ

Named DNS lookup cache service is down.

?ï€ˆ

Your DNS server is down.

?ï€ˆ

A timeout occurs during a DNS lookup.

?ï€ˆ

Disconnect if the PTR record does not match the SMTP EHLO/HELO greeting

ï€´ï€®ï€ˆ

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

Using the reputation service

The email protection system can check an email sender's IP address against the reputation service, which classifies email senders based on past behavior. With this function, the email system can block mail from known spam senders. The reputation service is enabled from the section Reputation Service Options on the page Settings > Inbound/Outbound > Connection Control.

Configure the reputation service

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section Reputation Service Options, mark the check box Enable Reputation Service.

This is the default setting. Selection enables the corresponding radio buttons.

ï€³ï€®ï€ˆ

Select one of the following analysis levels to specify the threshold for blocking mail:

?ï€ˆ

Conservative

Blocks mail from addresses that send spam 100% of the time.

?ï€ˆ

Medium

Blocks mail from addresses that send spam 99% of the time.

?ï€ˆ

Aggressive

Blocks mail from addresses that send spam 97% of the time. This is the default.

?ï€ˆ

Custom

Selection enables the corresponding text field, in which you can enter a custom spam percentage. The email system blocks mail from addresses that send spam the specified percentage of time.

ï€´ï€®ï€ˆ

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

Delaying the SMTP greeting

An SMTP greeting message can be delayed for a specified time interval, so that a connection from a client will be dropped if the client tries to send data during this time interval. This option can help prevent mail from spam-sending applications that send a high volume of messages very quickly. The connection is dropped as soon as a message is sent to the SMTP server before it is ready. This feature is not enabled by default, but can be enabled from the section SMTP Greeting Delay Options on the page Settings > Inbound/Outbound > Connection Control.

Configure the SMTP greeting delay

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section SMTP Greeting Delay Options, mark the check box Enable SMTP greeting delay.

Selection enables the corresponding field.

ï€³ï€®ï€ˆ

In the text field Delay time, specify the delay time, in seconds, from 1–60.

The default is 3 seconds.

ï€´ï€®ï€ˆ

Save detailed connection information in the appliance mail processing log; mark the check box Save connection details in the mail processing log.

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

Enabling the SMTP VRFY command

The SMTP VRFY command can be used to verify an email username. When asked to validate a username, a receiving mail server responds with the user's login name. The SMTP VRFY Command section on the page Settings > Inbound/Outbound > Connection Control is used to configure this option.


	Important Use this command with care. Although helpful in validating a user, this command can also create a network security issue if the user information is retrieved by someone with malicious intent.

Enable the SMTP VRFY command

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section SMTP VRFY Command Option, mark the check box Enable SMTP VRFY command.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved.

Enabling SMTP authentication for email hybrid service

By default, SMTP authentication is enabled for inbound messages that enter the system via the email hybrid service. This type of authentication provides additional authentication protection for email that is relayed to the email protection system from the hybrid service. The Email Hybrid Service SMTP Authentication section on the page Settings > Inbound/Outbound > Connection Control is used to enable or disable this option.

Disable SMTP authentication for Forcepoint Email Security Hybrid Module

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section Email Hybrid Service SMTP Authentication Option, unmark the check box Enable email hybrid service SMTP authentication.

This option is available only when your subscription includes Forcepoint Email Security Hybrid Module and the hybrid service is registered and enabled.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved.

Changing the SMTP port

The default SMTP port number is 25. Proper communication with the email hybrid service requires the use of port 25 for SMTP. However, the SMTP Port Option settings on the page Settings > Inbound/Outbound > Connection Control can be used to customize the port number.


	ïŽï¯ï´ï¥ Changing this port setting causes module services to restart.

Change the SMTP port

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section SMTP Port Option, enter a valid port number in the text field SMTP port.

Valid values are from 25 to 5000.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved. The Email Security module services are restarted.

Using access lists

An access list enables you to specify an IP address group for which certain email analysis is not performed. The Allow Access List Options on the page Settings > Inbound/Outbound > Connection Control are used to identify these IP addresses. Mail from these addresses bypasses the following email analysis:

?ï€ˆ

Connections per IP address

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

Directory harvest attack prevention

?ï€ˆ

Inbound relay control

?ï€ˆ

True Source IP detection

IP address groups are defined on the page Settings > Inbound/Outbound > IP Groups. The groups defined on that page appear for selection in the Connection Control Allow Access List Options section.

Create and modify an access list

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Connection Control.

ï€²ï€®ï€ˆ

From the section Allow Access List Options, select an IP group name from the pull-down menu IP group.

The IP addresses in the group display in the list of IP addresses list and the Edit button is enabled.

ï€³ï€®ï€ˆ

Click Edit.

The Edit IP Groups page displays to configure the IP addresses. See Editing an IP address group.

ï€´ï€®ï€ˆ

In the section IP Address Group, add a predefined IP address group; from the field IP address file, click Browse and navigate to the desired text file.

The file format should be one IP address per line, and its maximum size is 10 MB.

Because mail from the Trusted IP Addresses group bypasses additional email analysis, that group should not be entered in the Allow Access List. See Managing domain and IP address groups.

ï€µï€®ï€ˆ

Manually add IP address entries; in the field IP address, enter an individual IP address and click >.

The information is added to the Added IP Addresses box on the right.


	ïŽï¯ï´ï¥ Any changes made here to an IP address group are reflected on the page Settings > Inbound/Outbound > IP Groups.

ï€¶ï€®ï€ˆ

Export the access list to a location in your network; click Export.

ï€·ï€®ï€ˆ

Delete an IP address from the Added IP Addresses list; select the IP address and click Remove.

ï€¸ï€®ï€ˆ

Click OK.

The Connection Control page displays with the newly configured IP addresses.

ï€¹ï€®ï€ˆ

Click OK.

The settings are saved.

DomainKeys Identified Mail (DKIM) integration

Administrator Help | Forcepoint Email Security | Version 8.5.x

The DomainKeys Identified Mail (DKIM) functionality provides an email authentication method to help ensure that a message is not modified while it is in transit from an organization's protected domains. The implementation depends on a set of keys (private and public), which a recipient domain can use to verify the sender domain. DKIM settings are configured on the page Settings > Inbound/Outbound > DKIM Settings.

A DKIM integration has the following components:

?ï€ˆ

Email signing

?ï€ˆ

Email verification

For the signing element, a private key resides in the mail transfer agent, providing a digital signature that is added to the header of each message sent from a protected domain. A public key is generated and published in the DNS as a text record that is used by a recipient mail system in the verification process.

A signing rule associates specified sender domains with a private and public key set.

Configuring a DKIM signing key

A signing key provides a digital signature for email sent from your protected domains. You may create a signing (private) key, import a key from a local directory, or export a key to a local directory.

The signing keys table includes the following information about each key:


Signing Key Item	Description
Key Name	Name of the signing key. Click the key name to open the Edit Signing Key page.
Key Size (bits)	Number of bits in the signing key. Currently, the only key size supported is 1024 bits.
Rule Name	Name of the rule with which the signing key is associated.
Public Key	Link that opens a View Public Key box, which displays the public key text record.

Configure the number of entries per page

?ï€ˆ

From the pull-down menu Per page, select the number of signing key entries per page, between 25 and 100.

Search entries by keyword

ï€±ï€®ï€ˆ

From the top right, enter a search term in the text field.

ï€²ï€®ï€ˆ

Click Search.

Search results display in the section DKIM Signing Keys.

ï€³ï€®ï€ˆ

Clear search results; click Show all keys.

The search field clears and all DKIM signing keys display.

Adding a key

Use the following steps to create a DKIM signing key on the page Settings > Inbound/Outbound > DKIM Settings:

ï€±ï€®ï€ˆ

From the section DKIM Signing Keys, click Add.

The Add Signing Key page displays.

ï€²ï€®ï€ˆ

In the text field Key name, enter a name for your key.

ï€³ï€®ï€ˆ

Select one of the following options for creating your key:

?ï€ˆ

Generate key to create the private key

This is the default. Only 1024-bit keys are supported.

?ï€ˆ

Private key to enter a key you have already created

Paste the key in the entry box.

ï€´ï€®ï€ˆ

Click OK.

The key is saved and displays in the section DKIM Signing Keys.

Deleting a key

?ï€ˆ

From the section DKIM Signing Keys, mark the check box for a key and select Delete.

The key is deleted. A key cannot be deleted if it is currently in use by a signing rule.

Editing a key

ï€±ï€®ï€ˆ

From the section DKIM Signing Keys, click the name of a key.

The Edit Signing Key page displays. The current private key displays in the text field.

ï€²ï€®ï€ˆ

Generate a new key; click the button Generate Key.

Only 1024-bit keys are supported. A new key is generated and displays in the text field.

ï€³ï€®ï€ˆ

Click OK.

The key is saved and displays in the section DKIM Signing Keys.

Importing or exporting a key

DKIM signing keys can be imported and exported on the page Settings > Inbound/Outbound > DKIM Settings.

Import a DKIM signing key

ï€±ï€®ï€ˆ

From the section DKIM Signing Keys, click Import.

The Import Key dialog box displays.

ï€²ï€®ï€ˆ

Click Browse and navigate to the desired key file.

ï€³ï€®ï€ˆ

Click Open.

The Import Key dialog box displays.

ï€´ï€®ï€ˆ

On the Import Key dialog box, click Import.

The key is imported. Duplicate key files cannot be imported.

Export a DKIM signing key

ï€±ï€®ï€ˆ

From the section DKIM Signing Keys, mark the check box for the key and click Export.

A dialog box displays.

ï€²ï€®ï€ˆ

Navigate to the desired directory location and click Save.

The key is exported.

Creating a DKIM signing rule

A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time. Signing rules are configured on the page Settings > Inbound/Outbound > DKIM Settings.

The signing rules table includes the following information about each rule:


Signing Rule Item	Description
Rule Name	Name of the signing rule. Click the rule name to open the Edit Signing Rule page.
Domain	Domain name to which the signing rule applies.
Selector	Name component in addition to the domain name used in the DNS query. A given domain may have multiple selectors (e.g., for location or organization division).
Signing Key Name	Name of the signing key associated with this rule.
DNS Text Record	Link that opens a Generate DNS Text Record dialog box. See Generating a DNS text record (public key).
Test Rule	Link to test whether the signing rule is valid. A successful test must be performed before a rule can be enabled.
Status	Indicator of signing rule status (i.e., enabled or disabled). A rule must be enabled in order to take effect.

Configure the number of entries per page

?ï€ˆ

From the pull-down menu Per page, select the number of signing rule entries per page, between 25 and 100.

Search entries by keyword

ï€±ï€®ï€ˆ

From the top right, enter a search term in the text field.

ï€²ï€®ï€ˆ

Click Search.

Search results display in the section DKIM Signing Rules.

ï€³ï€®ï€ˆ

Clear search results; click Show all rules.

The search field clears and all DKIM signing rules display.

Adding a signing rule

Use the following steps to create a DKIM signing rule on the page Settings > Inbound/Outbound > DKIM Settings:

ï€±ï€®ï€ˆ

From the section DKIM Signing Rules, click Add.

The Add Signing Rule page displays.

ï€²ï€®ï€ˆ

In the text field Rule name, enter a name for your rule.

ï€³ï€®ï€ˆ

Enter the name of the domain to which this signing rule applies.

ï€´ï€®ï€ˆ

(Optional) Include the identity of the user or agent for whom the message is signed; mark the check box Include user identifier.

ï€µï€®ï€ˆ

(Optional) In the text field User identifier, enter the user identifier.

This field is not enabled if the check box Include user identifier is not marked.

ï€¶ï€®ï€ˆ

In the text field Selector, enter the domain name selector.

A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.

ï€·ï€®ï€ˆ

From the pull-down menu Signing key, select the signing key to associate with this rule from the list of existing keys.

ï€¸ï€®ï€ˆ

Click Advanced Options.

A box displays with additional optional rule settings:

?ï€ˆ

From the pull-down menu Algorithm, select an encryption algorithm.

Options include RSA-SHA-1 or RSA-SHA-256. The default is RSA-SHA-1.

?ï€ˆ

In the section Canonicalization, specify a canonicalization method for message header and body.

The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message.

The following header and body changes are made, based on the selection of Simple or Relaxed:

Simple (default)

Relaxed

Message Header

No header changes made

?ï€ˆ

Header names changed to lowercase

?ï€ˆ

Header line breaks removed

?ï€ˆ

Linear white spaces (including tabs and carriage returns) reduced to a single space

?ï€ˆ

Leading and trailing spaces stripped

Message Body

Empty lines at end of body stripped

?ï€ˆ

Empty lines at end of message body stripped

?ï€ˆ

Linear white spaces (including tabs and carriage returns) reduced to a single space

?ï€ˆ

Trailing spaces stripped

?ï€ˆ

From the list of standard headers, indicate the message headers to sign.

?ï€ˆ

In the field Additional headers, include other headers as a comma-separated list.

?ï€ˆ

Specify whether to sign the entire message body or only a portion.

For the latter selection, enter the maximum number of Kbytes to be signed. The default is 1024.

?ï€ˆ

Select any optional signature tags for the signing rule:

?ï€ˆ

t lets you add a signature creation timestamp.

?ï€ˆ

x lets you specify a signature expiration time in seconds.

The default is 3600 seconds.

?ï€ˆ

z adds the list of signed header fields to the signature.

ï€¹ï€®ï€ˆ

From the pull-down menu Signing rule options, select either Sign email messages or Do not sign email messages.

Next, create a list of email addresses to which this option applies.

?ï€ˆ

For example, if you select Sign email messages, then email from the addresses in the list is signed. Email from other addresses is not signed.

?ï€ˆ

If you select Do not sign email messages, then email from the addresses in the list is not signed, and email from all other users is signed.

Remove an email address from the list by selecting it and clicking Remove.

ï€±ï€°ï€®ï€ˆ

Click OK.

The settings are saved.

Importing or exporting a rule

DKIM signing rules can be imported or exported on the page Settings > Inbound/Outbound > DKIM Settings.

Import a DKIM signing rule

ï€±ï€®ï€ˆ

From the section DKIM Signing Rules, click Import.

The Import Rule dialog box displays.

ï€²ï€®ï€ˆ

Click Browse and navigate to the desired key rule file.

ï€³ï€®ï€ˆ

Click Open.

ï€´ï€®ï€ˆ

On the Import Rule dialog box, click Import.

The key rule is imported. Duplicate key rule files cannot be imported.

Export a DKIM signing rule

ï€±ï€®ï€ˆ

From the section DKIM Signing Rules, mark the check box for the rule and click Export.

A dialog box displays.

ï€²ï€®ï€ˆ

Navigate to the desired directory location and click Save.

The rule is exported.

Generating a DNS text record (public key)

Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears.

You can view a public key by clicking View for a particular private key in the DKIM Signing Keys table Public Key column.

Testing a rule

Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup query. You receive confirmation of success or failure when the test is complete.

You must have performed a successful rule test before a rule can be enabled.

Enabling DKIM verification

The DKIM validation method uses the message header digital signature to associate a domain name with the email. The DKIM signature verification function retrieves signer information, including the public key, from the DNS. This signer information is analyzed and verified to determine message legitimacy.

You can enable DKIM verification on the page Settings > Inbound/Outbound > DKIM Settings, in the section DomainKeys Identified Mail (DKIM) Verification. Mark any or all of the following check boxes to activate DKIM verification:

?ï€ˆ

Enable DomainKeys Identified Mail (DKIM) verification for inbound messages

?ï€ˆ

Enable DomainKeys Identified Mail (DKIM) verification for outbound messages

?ï€ˆ

Enable DomainKeys Identified Mail (DKIM) verification for internal messages

By default, these check boxes are not marked.

You can configure a custom content policy filter to scan for a DKIM signature in the message header, along with a filter action to take when a message header triggers the filter. See Custom content.

Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration

Administrator Help | Forcepoint Email Security | Version 8.5.x

Domain-based Message Authentication, Reporting and Conformance (DMARC) uses the results of its Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validation processes, along with the sender domain's DMARC policy, to determine message disposition. Published in the sender's DNS record, a DMARC policy includes the sender's affirmation that its email is protected by SPF and DKIM validation, and provides instructions for handling mail that does not pass either of those checks on the recipient's end. A mechanism for reporting DMARC results is also provided.

SPF and DKIM analyses enabled and configured in the Email Security module are independent of DMARC verification. SPF checks are configured on the page Settings > Inbound/Outbound > Relay Control, whereas DKIM validation is configured on the page Settings > Inbound/Outbound > DKIM Settings. If either SPF or DKIM analysis is enabled in the Forcepoint Security Manager, DMARC can use the results in its own verification analysis.

Assuming a message is not dropped for failing either the SPF or DKIM check, DMARC validation comprises the following steps:

ï€±ï€®ï€ˆ

Extract the sender domain in the email header "From" field.

ï€²ï€®ï€ˆ

Query the DNS to determine if a DMARC policy exists for this domain.

?ï€ˆ

If a policy is found, retrieve the policy and continue with step 3.

?ï€ˆ

If a policy is not found, end the DMARC process.

ï€³ï€®ï€ˆ

Perform DKIM validation checks.

ï€´ï€®ï€ˆ

Perform SPF validation checks.

ï€µï€®ï€ˆ

Perform DMARC identifier checks to determine if the sender information in the message aligns with what the recipient knows about that sender as a result of the SPF and DKIM analyses.

ï€¶ï€®ï€ˆ

After completing the DMARC analysis, apply the DMARC policy to the message.

When you enable DMARC validation, a reporting mechanism is also included to provide the sender with information about the number of messages received from that sender domain and the results of the recipient's validation checks. Reports are sent to the email address specified in the sender domain's DNS text record via the RUA (reporting URL of aggregate reports) tag.

If SPF and DKIM are not enabled in the Email Security module, DMARC performs these checks. In this case, message disposition is determined only by the DMARC policy. A message is not rejected based on the individual SPF or DKIM analysis results.

For optimal protection, both SPF and DKIM validation settings should be configured and enabled on your email protection system, along with DMARC. See Configuring relay control options and DomainKeys Identified Mail (DKIM) integration.

Configure DMARC verification on the page Settings > Inbound/Outbound > DMARC Settings. Mark the check box for any or all of the following options:

?ï€ˆ

Enable DMARC verification for inbound messages

?ï€ˆ

Enable DMARC verification for outbound messages

?ï€ˆ

Enable DMARC verification for internal messages

True source IP detection

Administrator Help | Forcepoint Email Security | Version 8.5.x

True Source IP detection uses message header information and the number of network hops to an email appliance to determine the IP address of the first sender outside the network perimeter. This feature allows Connection Control techniques (such as reverse DNS lookup and reputation checks) to be applied effectively to sender information, even when the appliance is downstream from a firewall or an internal mail relay.

Define direct relays and network edge locations to determine whether True Source IP detection is performed. A direct relay is the network device that connects directly to the email appliance. All mail from a direct relay device is subject to True Source IP Detection. A network edge is the network device that connects directly to the Internet (e.g., a firewall).

If your subscription includes Forcepoint Email Security Hybrid Module, you can use True Source IP detection with email hybrid service analysis. An Email Hybrid Service IP Group is created based on information entered during a successful email Hybrid Module registration. The IP group appears in the direct relay IP address list on the page Settings > Inbound/Outbound > True Source IP. Although this IP group cannot be edited directly, its content is modified whenever you change an email hybrid service IP address (Settings > Hybrid Service > Hybrid Configuration).


	ïŽï¯ï´ï¥ If registration is not successful, the Email Hybrid Service IP Group is empty.

Mark the check box Use True Source IP Detection with email hybrid service analysis to enable True Source IP detection with hybrid service and display the Email Hybrid Service IP Group in the direct relay IP address list. The Email Hybrid Service IP Group does not appear if the check box is not marked.

Configure your direct relay and all network edge devices on the page Settings > Inbound/Outbound > True Source IP as follows:

ï€±ï€®ï€ˆ

Click Add.

The Add Direct Relay IP Address/IP Group page displays.

ï€²ï€®ï€ˆ

Enter the IP address for the direct relay device to the email appliance, or specify the existing IP group to use for your direct relay.

By default, the direct relay hop number is 1, because it is the closest network device to the email appliance.


	Important The IP address or group that you enter here must not already be defined in the Trusted IP Addresses group (Settings > Inbound/Outbound > IP Groups) or appear in the connection control Allow Access List (Settings > Inbound/Outbound > Connection Control).

ï€±ï€®ï€ˆ

In the field Check for header, enter header text to match for true source IP detection.

If this field is empty, the message Received field is analyzed for the true source IP.

ï€²ï€®ï€ˆ

Add the network edge device IP address and hop number to the email appliance; click Add Network Edge.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved.

Enforced TLS connections

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Settings > Inbound/Outbound > Enforced TLS Connections is used to specify that connections to or from a specific IP or domain group use mandatory Transport Layer Security (TLS) and determine the security level used by that connection.

Functionality is used to define connection directions relative to the email SMTP server. Incoming connections are those from a protected or external domain or IP address group to the email protection system. Outgoing connections are those from the email system to a protected or external domain or IP address group.

After you define a group, you can change its order in the incoming or outgoing direction list. Select the group by marking its associated check box and use the Move Up or Move Down button to modify list order.

Delete a group by marking the check box and clicking Delete.

You may configure up to 32 incoming or outgoing connections.

Add an incoming or outgoing connection for which to use TLS

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Enforced TLS Connections.

ï€²ï€®ï€ˆ

Click Add.

The Add Incoming Connection page displays.

ï€³ï€®ï€ˆ

In the text field Name, enter a name for your enforced TLS connection.

ï€´ï€®ï€ˆ

From the pull-down menu Priority order, select a priority order for the connection.

ï€µï€®ï€ˆ

Specify the security level for the connection.

Security level options include the following:

?ï€ˆ

Encrypt, the minimum enforcement level, used in all security levels

This security level is the only option available for incoming connections.

?ï€ˆ

Encrypt and check CN, validation of a certificate's common name

?ï€ˆ

Verify, validation that the certificate is from a trusted CA

?ï€ˆ

Verify and check CN, validation of the certificate's common name and that the certificate is from a trusted CA


	Important To use the two "verify" options, you must have imported a trusted CA certificate. See Managing Transport Layer Security (TLS) certificates.

ï€¶ï€®ï€ˆ

Select one of the following connection encryption strength options:

?ï€ˆ

Medium, which involves the use of cipher suites that use 128-bit encryption

?ï€ˆ

High, which includes most cipher suites with key lengths larger than 128 bits

ï€·ï€®ï€ˆ

Define the IP address or domain group subject to forced TLS connection; select one of the following options:

?ï€ˆ

Any (for all connections)

This option applies to any connection, regardless of IP or domain address.

?ï€ˆ

IP address group

Select an existing IP address group in the pull-down menu or create a new group using Add New IP Group.

?ï€ˆ

Domain address group

Select an existing domain address group in the pull-down menu or create a new group using Add New Domain Group.

ï€¸ï€®ï€ˆ

Click OK.

The settings are saved.

Controlling directory harvest attacks

Administrator Help | Forcepoint Email Security | Version 8.5.x

A directory harvest attack is used by questionable sources to gain access to an organization's internal email accounts. A directory attack not only consumes large amounts of system resource but also, through the acquisition of email accounts, creates spam problems for email end users. With directory attack prevention settings, you can limit the maximum number of messages and connections coming from an IP address over a given time period. These settings are configured on the page Settings > Inbound/Outbound > Directory Attacks.

Configure directory attack control

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Directory Attacks.

ï€²ï€®ï€ˆ

Enable the directory harvest attack prevention function; mark the check box Limit the number of messages/connections per IP every.

ï€³ï€®ï€ˆ

From the pull-down menu, set the time period, from 1 second to 60 minutes.

The default is 60 seconds.

ï€´ï€®ï€ˆ

Set the maximum number of messages allowed from an individual IP address during the specified time period.

The default is 30.

ï€µï€®ï€ˆ

Set the maximum number of connections allowed from an individual IP address during the specified time period.

The default is 30.

ï€¶ï€®ï€ˆ

If you have enabled the directory attack prevention option, you can also enable settings to block an IP address when a specific set of recipient conditions occurs; mark the check box Block the IP address for and enter the time interval during which to block an IP address.

The default is 3 hours.

ï€·ï€®ï€ˆ

Enter the conditions for blocking the IP address:

?ï€ˆ

Maximum number of message recipients

The default is 5.

?ï€ˆ

Maximum percentage of invalid addresses among the recipients

The default is 50%.

When these recipient limitations are exceeded, the connection is dropped automatically.

This option is available only when the recipient validation option is used (see Adding user authentication settings).

ï€¸ï€®ï€ˆ

Click OK.

The settings are saved.

Configuring relay control options

Administrator Help | Forcepoint Email Security | Version 8.5.x

Functionality on the page Settings > Inbound/Outbound > Relay Control is used to prevent the unauthorized use of your mail system as an open relay by limiting the domains and IP address groups for which your server is allowed to relay mail. Protected domains are defined on the page Settings > Users > Domain Groups. Trusted IP address groups are defined on the page Settings > Inbound/Outbound > IP Groups.

Configure relay control settings on the page Settings > Inbound/Outbound > Relay Control as follows:

ï€±ï€®ï€ˆ

In the section Inbound Relay Options, enable Sender Policy Framework (SPF) checking by marking the check box Enable SPF.

This option is enabled by default.

ï€²ï€®ï€ˆ

Mark the relevant check boxes to configure the SPF check function to reject mail for the following results:

?ï€ˆ

Fail. The domain owner's SPF record does not authorize the sender host machine to send email for the domain.

?ï€ˆ

SoftFail. The domain owner's SPF record allows the sender host machine to send email for this domain, even though the host is not explicitly authorized to do so.

?ï€ˆ

Neutral. The domain owner's SPF record makes no statement as to whether the sender host machine is authorized to send email for the domain.

?ï€ˆ

None. The lack of definitive SPF information prevents an SPF check (e.g., an SPF record does not exist).

?ï€ˆ

PermError. A permanent error occurs (e.g., the SPF record has an invalid format).

?ï€ˆ

TempError. A transient error occurs (e.g., a DNS timeout).

These options are not marked by default.

ï€³ï€®ï€ˆ

In the Bypass SPF Option box, specify a sender domain group for which SPF settings are bypassed.

ï¡ï€®ï€ˆ

Mark the check box Bypass SPF validation for senders in the following domain group

ï¢ï€®ï€ˆ

Select a sender domain from the pull-down menu Domain group

ï€´ï€®ï€ˆ

In the section Outbound Relay Options, select the relay setting for senders in protected domains when SMTP authentication is not required; Allow relays only for senders from trusted IP addresses or Allow all outbound relays.

The default setting is Allow relays only for senders from trusted IP addresses. Allowing all outbound relays may create a security vulnerability in your system.

You must use the default setting if you use SMTP authentication.

?ï€ˆ

Mark the check boxes for the IP groups for which to allow relays.

ï€µï€®ï€ˆ

In the section Internal Relay Options, select the relay setting for mail between protected domains when SMTP authentication is not required; Allow relays only for senders from trusted IP addresses or Allow all internal relays.

The default setting is Allow relays only for senders from trusted IP addresses. Allowing all internal relays may create a security vulnerability in your system.

The default setting is required if you use SMTP authentication.

ï€¶ï€®ï€ˆ

Click OK.

The settings are saved.

Configuring delivery routes

Administrator Help | Forcepoint Email Security | Version 8.5.x

Configure delivery routes on the page Settings > Inbound/Outbound > Mail Routing. You can create the following types of message routes:

?ï€ˆ

User directory-based routes

?ï€ˆ

Domain-based routes

Change the order of a user directory- or domain-based route by marking its associated check box and using the Move Up or Move Down buttons.

Copying a route

Use the following steps to copy a route on the page Settings > Inbound/Outbound > Mail Routing:

ï€±ï€®ï€ˆ

Select a route in the route list by marking the check box next to its name.

ï€²ï€®ï€ˆ

Click Copy.

A new route appears in the route list, using the original route name followed by a number in parentheses. The number added indicates the order that copies of the original route are created (1, 2, 3, etc.).

ï€³ï€®ï€ˆ

Click the new route name to edit route properties as desired.

Removing a route

To remove a route, select the route by marking the check box next to its name and click Delete.

The default domain-based route cannot be deleted.

User directory-based routes

Administrator Help | Forcepoint Email Security | Version 8.5.x

Delivery routes based on user directory entries are examined first for a match with an email message recipient. Domain group entries are validated against the selected user directory to determine whether email will be delivered via a specified route.

Adding a user directory-based route

Use the following steps to add a user directory-based delivery route on the page Settings > Inbound/Outbound > Mail Routing:

ï€±ï€®ï€ˆ

Click Add.

The Add User Directory-based Route page displays.

ï€²ï€®ï€ˆ

In the field Name, enter a name for your new route.

Length must be between 4 and 50 characters.

ï€³ï€®ï€ˆ

From the pull-down menu Route order, select an order number to determine the scanning order of the route.

ï€´ï€®ï€ˆ

From the pre-defined domains in the pull-down menu Domain group, select a destination domain.

The default is Protected Domain. Information about the domain group appears in the Domain details box.

To edit your selected domain group, click Edit to open the Edit Domain Group page. See Editing a domain group.

ï€µï€®ï€ˆ

In the section User Directories, select the user directories to use to define your route.

Select from the list of currently defined user directories and click the arrow button to move them to the Selected User Directories box.


	ïŽï¯ï´ï¥ ESMTP user directories are not included in the directory list. ESMTP user directories cannot be used for user directory-based routes.

?ï€ˆ

To add a new user directory, click Add user directory.

The Add User Directory page displays. See Adding and configuring a user directory.

?ï€ˆ

To remove a user directory from the Recipients list, select it and click Delete.

ï€¶ï€®ï€ˆ

In the section Delivery Method, select the delivery method:

?ï€ˆ

Based on the recipient's domain (using the Domain Name System [DNS]).

?ï€ˆ

Based on SMTP server IP address designation (using smart host).

If you select this option, an SMTP Server List opens:

ï¡ï€®ï€ˆ

Click Add to open the Add SMTP Server dialog box

ï¢ï€®ï€ˆ

Enter the SMTP server IP address or hostname and port

ï£ï€®ï€ˆ

Mark the check box Enable MX lookup to enable the MX lookup function

Important

If you entered an IP address in the previous step, the MX lookup option is not available.

If you entered a hostname in the previous step, this option is available.

?ï€ˆ

Mark the Enable MX lookup check box for message delivery based on the hostname MX record.

?ï€ˆ

If you do not mark this check box, message delivery is based on the hostname A record.

ï¤ï€®ï€ˆ

Enter a preference number for this server, from 1–65535.

The default value is 5.

If a single route has multiple defined server addresses, mail is delivered in order of server preference. When multiple routes have the same preference, round robin delivery is used.

You may enter no more than 16 addresses in the SMTP Server List.

ï€·ï€®ï€ˆ

In the section Delivery Options, select any desired security delivery options.

ï¡ï€®ï€ˆ

Ensure email traffic uses opportunistic TLS protocols; mark the check box Use opportunistic Transport Layer Security (TLS)

ï¢ï€®ï€ˆ

Ensure that users supply credentials; mark the check box Require authentication

Enter the appropriate user name and password in the Authentication Information box. You must use the SMTP server IP address delivery method for users to authenticate.

ï€¸ï€®ï€ˆ

Click OK.

The settings are saved and the new route displays under User Directory-based Routes.

Domain-based routes

Administrator Help | Forcepoint Email Security | Version 8.5.x

Delivery routes based on domain groups are examined after defined user directory-based routes for a match with an email message recipient. If a match is made with a user directory-based route, domain-based routes are not examined for matches.


	Important The Protected Domain group defined on the page Settings > Users > Domain Groups should not be used to configure delivery routes if you need to define domain-based delivery routes via multiple SMTP servers. Create domain groups that contain subsets of the Protected Domain group for mail routing purposes.

Adding a domain-based route

Use the following steps to add a domain-based delivery route on the page Settings > Inbound/Outbound > Mail Routing:

ï€±ï€®ï€ˆ

Click Add.

The Add Domain-based Route page displays.

ï€²ï€®ï€ˆ

In the field Name, enter a name for your new route.

ï€³ï€®ï€ˆ

From the pull-down menu Route order, select an order number to determine the route's scanning order.

ï€´ï€®ï€ˆ

From the pre-defined domains in the pull-down menu Domain group, select a destination domain.

Default is Protected Domain. Information about the domain group appears in the Domain details box.

To edit your selected domain group, click Edit to open the Edit Domain Group page. See Editing a domain group.

ï€µï€®ï€ˆ

Select the delivery method:

?ï€ˆ

Based on the recipient's domain (using the Domain Name System [DNS])

?ï€ˆ

Based on SMTP server IP address designation (using smart host)

If you select this option, an SMTP Server List opens.

ï¡ï€®ï€ˆ

Click Add.

The Add SMTP Server dialog box displays.

ï¢ï€®ï€ˆ

Enter the SMTP server IP address or hostname and port.

ï£ï€®ï€ˆ

Mark the check box Enable MX lookup to enable the MX lookup function.

Important

If you entered an IP address in the previous step, the MX lookup option is not available.

If you entered a hostname in the previous step, this option is available.

?ï€ˆ

Mark the check box Enable MX lookup for message delivery based on the hostname MX record.

?ï€ˆ

If you do not mark this check box, message delivery is based on the hostname A record.

ï¤ï€®ï€ˆ

Enter a preference number for this server (from 1–65535; default value is 5).

If a single route has multiple defined server addresses, mail is delivered in order of server preference. When multiple routes have the same preference, round robin delivery is used.

You may enter no more than 16 addresses in the SMTP Server List.

ï€¶ï€®ï€ˆ

Select any desired security delivery options:

ï¡ï€®ï€ˆ

Enable email traffic to use opportunistic TLS protocol; select Use opportunistic Transport Layer Security (TLS).

ï¢ï€®ï€ˆ

Ensure that users supply credentials; select Require authentication.

Enter the appropriate user name and password in the Authentication Information box. You must use the SMTP server IP address delivery method for users to authenticate.

Rewriting email and domain addresses

Administrator Help | Forcepoint Email Security | Version 8.5.x

An email envelope recipient address can be rewritten to redirect message delivery to a different address. Envelope sender and message header addresses can also be rewritten to mask address details from message recipients. Configure address rewriting for inbound, outbound, and internal email on the page Settings > Inbound/Outbound > Address Rewriting. Email or domain addresses in an address rewrite list can be added, exported, or deleted.

Adding recipient address rewrite entries

On the page Settings > Inbound/Outbound > Address Rewriting, use the Inbound Messages tab to specify recipient address rewrite entries for inbound messages and the Outbound and Internal Messages tab for outbound or internal message redirection. The email envelope recipient address is rewritten based on the entries in the Envelope Recipient Address Rewrite List.

Add recipient rewrite entries

ï€±ï€®ï€ˆ

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

ï€²ï€®ï€ˆ

From the Envelope Recipient Address Rewrite List, click Add.

The Add Recipient Email or Domain Address page displays.

ï€³ï€®ï€ˆ

Enter your addresses in one of two ways:

?ï€ˆ

Mark the check box Individual email address or domain rewrite entry and enter the original recipient address and the rewrite address in the appropriate entry fields.

An email address entry may have multiple rewrite entries, with each entry separated by a space. A domain address may have only one rewrite entry.

?ï€ˆ

If you have an existing email or domain address rewrite entry file, mark the check box Email address or domain rewrite entry file and browse to the file File size may not exceed 10 MB.

ï€´ï€®ï€ˆ

Click OK.

Your entries appear in the Envelope Recipient Address Rewrite List.

Adding message header address rewrite entries

On the page Settings > Inbound/Outbound > Address Rewriting, use the Inbound Messages tab to add message header address rewrite entries for inbound messages and the Outbound and Internal Messages tab for outbound or internal message address masking. The email envelope sender address and message header addresses are rewritten based on the entries in the Envelope Sender and Message Header Rewrite List.

Add address rewrite entries

ï€±ï€®ï€ˆ

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

ï€²ï€®ï€ˆ

From the Envelope Sender and Message Header Rewrite List, click Add.

The Add Sender Email or Domain Address page displays.

ï€³ï€®ï€ˆ

Enter your addresses in one of two ways:

?ï€ˆ

Mark the check box Individual email address or domain rewrite entry and enter the original sender address and the rewrite address in the appropriate entry fields.

Each email or domain address entry may have only one rewrite entry.

?ï€ˆ

If you have an existing email or domain address rewrite entry file, mark the check box Email address or domain rewrite entry file and browse to the file.

File size may not exceed 10 MB.

ï€´ï€®ï€ˆ

Click OK.

Your entries appear in the Envelope Sender and Message Header Rewrite List.

Exporting address rewrite entries

All email or domain addresses in an address rewrite list can be exported to a text file.

ï€±ï€®ï€ˆ

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

ï€²ï€®ï€ˆ

Mark the check box for the list to be exported and click Export.

ï€³ï€®ï€ˆ

From the Save As dialog box, select a directory to which to export the text file and click Save.

The selected address rewrite list is exported. A success message displays at the top of the Address Rewriting page.

Deleting address rewrite entries

Email or domain addresses in an address rewrite list can be deleted individually or in bulk.

ï€±ï€®ï€ˆ

On the page Settings > Inbound/Outbound > Address Rewriting, click the Inbound Messages tab or the Outbound and Internal Messages tab to display the settings.

ï€²ï€®ï€ˆ

Mark the check boxes for any entries to be deleted and click Delete.

The selected entries are deleted. A success message displays at the top of the Address Rewriting page.

URL Sandbox

Administrator Help | Forcepoint Email Security | Version 8.5.x

The URL sandbox function provides real-time analysis of uncategorized URLs that are embedded in inbound email. When a user clicks an uncategorized URL, a notification message prompts the user to initiate URL analysis, because the link may not be safe. If the user chooses not to analyze the URL, the requested web page is not accessible.

If analysis determines that the link is not malicious, the user receives a notification that lists the URL and category or categories of the page, and clicks Continue to site.

If the link is deemed malicious or if applicable policy does not allow a user to access uncategorized web pages, the user is notified that the site is blocked:

The user may also be notified in the following cases:

?ï€ˆ

If the function cannot access the requested page due to an inaccessible server or because the link is incorrect.

?ï€ˆ

If the protocol is not supported. Supported protocols are HTTP, HTTPS, and FTP. If you have selected the option Allow the recipient to follow links with an unsupported protocol, the user can proceed to view the page if desired; otherwise, the user cannot access the page.

Your subscription must include the Forcepoint Email Security Hybrid Module. URL sandbox capability is available only after the email hybrid service is successfully registered and enabled. See Email hybrid service configuration.

The URL sandbox configuration settings include three components:

?ï€ˆ

Default settings that apply to any recipient not covered by specific settings

?ï€ˆ

Recipient-specific settings that apply to an individual domain or email address

?ï€ˆ

List of domains to which sandbox settings do not apply

Use the page Settings > Inbound/Outbound > URL Sandbox to configure the URL sandbox feature:

ï€±ï€®ï€ˆ

In the section Default Settings, specify the settings that apply to any recipient not covered by recipient-specific settings:

ï¡ï€®ï€ˆ

Activate the URL sandbox function; mark the check box Analyze suspicious URLs.

By default, the check box is not marked.

ï¢ï€®ï€ˆ

If the URL sandbox is enabled, allow users to click unclassified URL links; mark the check box Allow the recipient to follow links to unclassified URLs.

By default, the check box is not marked.

ï£ï€®ï€ˆ

Allow users to click a link that may redirect to a site with an unsupported protocol; mark the check box Allow the recipient to follow links with an unsupported protocol.

ï¤ï€®ï€ˆ

Replace the original URL with other text; enter the string in the entry field below the check box.

Leave this field blank to keep the original URL.

ï€²ï€®ï€ˆ

Use the section Recipient-specific Settings to add custom sandbox settings for individual domain or email addresses:

ï¡ï€®ï€ˆ

Create sandbox settings for a particular group of addresses; click Add.

ï¢ï€®ï€ˆ

In the Recipient Email/Domain Address List, enter comma-separated email or domain addresses to which the settings should apply.

Wildcards are not permitted.

ï£ï€®ï€ˆ

Activate the URL sandbox function for these addresses; mark the check box Analyze suspicious URLs.

By default, the check box is not marked.

ï¤ï€®ï€ˆ

If the URL sandbox is enabled, allow the specified users to click unclassified URL links; mark the check box Allow the recipient to follow links to unclassified URLs.

By default, the check box is not marked.

ï¥ï€®ï€ˆ

Allow users to click a link that may redirect to a site with an unsupported protocol; mark the check box Allow the recipient to follow links with an unsupported protocol.

ï¦ï€®ï€ˆ

Replace the original URL with other text; enter the string in the entry field below the check box.

Leave this field blank to keep the original URL.

ï€³ï€®ï€ˆ

Enable the sandbox to examine URLs even if they appear in a message that contains the digital signature of a trusted sender; at the bottom of the section URL Sandbox, mark the check box Analyze suspicious URLs that appear in digitally signed email.

By default, the check box is not marked.

ï€´ï€®ï€ˆ

In the entry field above the check box, enter the URL domains that should bypass the URL sandbox.

Do not use wildcards, and separate multiple entries with a comma.

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

To delete a set of recipient-specific settings, mark the check box next to the address list and click Delete.

Phishing detection and education

Administrator Help | Forcepoint Email Security | Version 8.5.x

Phishing involves an attempt to obtain personal information like passwords or credit card numbers via email while pretending to be a trusted entity. For example, an email message that purports to be from a known financial institution or popular web site may actually be an attempt to steal personal information.

The phishing detection and education function provides cloud-based analysis of an inbound message for phishing email characteristics. To use the phishing detection and education feature, your subscription must include the Forcepoint Email Security Hybrid Module. It is necessary to successfully register with the email hybrid service before you configure phishing detection and education capabilities. See Email hybrid service configuration.

Functionality requires rules to be defined that determine which sender domains are analyzed and how a suspected phishing email is handled. Suspect email may be treated the same as spam (blocked and saved to a spam queue) or be replaced by a message that educates the recipient about phishing attack email.

Dashboard charts and presentation reports can be configured to display suspected phishing attack data.

The page Settings > Inbound/Outbound > Phishing Detection includes the following tabs for configuring phishing detection:

?ï€ˆ

Phishing Rules, which contains a list of all your phishing rules. A default rule applies to domains that are not included in any other defined rule. See Adding a phishing detection rule.

The default rule cannot be deleted. Delete any other phishing rule from the list by marking its associated check box and clicking Delete, then clicking Save to Cloud Service.

?ï€ˆ

Phishing Education Pages, which contains a list of all the education pages you have defined. A default page applies when a custom page is not specified for a phishing rule. See Creating a phishing education page.

Delete any phishing education page (except the default page) from the list by marking its associated check box and clicking Delete. You may not delete a page that is being used by a phishing rule.

Click Save to Cloud Service only if you receive an error message regarding a synchronization issue with the cloud service.

Adding a phishing detection rule

Administrator Help | Forcepoint Email Security | Version 8.5.x

Use the following steps to configure a phishing detection rule:

ï€±ï€®ï€ˆ

On the Phishing Rules tab, click Add Rule.

The Add Rule page displays.

ï€²ï€®ï€ˆ

In the field Phishing rule name, enter a name for the rule.

ï€³ï€®ï€ˆ

In the field Domain names, specify the domains to which this rule applies.

Separate multiple domains with a semicolon.

ï€´ï€®ï€ˆ

Select a phishing action option for this phishing rule:

?ï€ˆ

Treat as spam.

Selection quarantines the suspected phishing message.

?ï€ˆ

Educate: Replace the URL with a link to the selected phishing education page and deliver the message.

ï€µï€®ï€ˆ

Configure individual user exceptions to the phishing rule.

For example, you may want to select a different action for a particular user or group or present a different phishing education page for that user or group.

ï¡ï€®ï€ˆ

Click Add User Exception.

The Add User Exception dialog box displays.

ï¢ï€®ï€ˆ

In the text field Description, enter a brief description of this exception.

ï£ï€®ï€ˆ

In the text field Email addresses, specify the email addresses for the users or groups to whom this exception applies.

ï¤ï€®ï€ˆ

Select a phishing action option for this user exception:

?ï€ˆ

Treat as spam.

Selection quarantines the suspected phishing message.

?ï€ˆ

Educate: Replace the URL with a link to the selected phishing education page and deliver the message.

ï¥ï€®ï€ˆ

Click Add.

ï€¶ï€®ï€ˆ

Click OK.

The phishing rule is saved.

ï€·ï€®ï€ˆ

On the Phishing Rules tab, click Save to Cloud Service.

The phishing detection settings are sent to the email hybrid service.

Creating a phishing education page

Administrator Help | Forcepoint Email Security | Version 8.5.x

Create a new phishing education page by copying an existing page and renaming it. You can also customize the default message template to suit your needs. A default page is used when a custom page is not specified for a phishing rule.

Copy an existing phishing education page

ï€±ï€®ï€ˆ

On the Phishing Education Pages tab, click Copy Page.

ï€²ï€®ï€ˆ

In the text field Page name, enter a name for the phishing education page copy.

ï€³ï€®ï€ˆ

Click OK.

Create a custom phishing education page

ï€±ï€®ï€ˆ

On the Phishing Education Pages tab, click Add Page.

The Add Phishing Education Page screen displays.

ï€²ï€®ï€ˆ

Enter a name and description for the phishing education page.

ï€³ï€®ï€ˆ

In the text field Page title, specify a title for the page.

This title appears as the browser window name.

ï€´ï€®ï€ˆ

In the Phishing Education Page Editor, specify the desired text and images.

ï€µï€®ï€ˆ

Click OK.


	ïŽï¯ï´ï¥ If you receive an error message regarding a synchronization problem with the cloud service, click Save to Cloud Service on the tab Phishing Education Pages to send your phishing education page settings to the email hybrid service.

Managing message queues

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Main > Message Management > Message Queues is used to view, create, and configure message queues. You can also modify the following default queues:

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

?ï€ˆ

All blocked messages across all queues are accessed on the page Main > Message Management > Blocked Messages (see Managing the blocked message queue). Temporarily delayed messages can be viewed on the page Main > Message Management > Delayed Messages (see Managing the delayed message queue).

Message queues list

Administrator Help | Forcepoint Email Security | Version 8.5.x

The following table details the information available in the Queue List on the Message Queues page.


Parameter	Description
Queue Name	Displays the name of the queue. Click a queue name in the Queue List to view and manage the messages in the queue. See Viewing a message queue.
Status	Indicates whether the queue is in use or not. From the Status column, click Referenced to display a list of the email functions that use the queue. During a queue move operation, an icon in this column indicates whether the move is in progress or has failed.
Message Volume	Indicates the total number of messages in the queue. The number of messages a delegated administrator sees may be less than the total displayed in this column, depending on the permissions granted to that administrator.
Size/Total	Indicates the queue's current size as a portion of its maximum configured size.
Storage Location	Displays the location of queue storage (Local, via Network File System [NFS], or via Samba). Icons in this column indicate storage status, such as low disk space or a lost connection.
Properties	Contains a link to a page displaying the queue's current settings. Click this Edit link to change any queue settings.

Remove a user-created queue by marking the check box next to the queue name in the Queue List and clicking Delete. You cannot delete a default queue.

Creating a message queue

Administrator Help | Forcepoint Email Security | Version 8.5.x

Use the following steps to create a new message queue on the page Main > Message Management > Message Queues:

ï€±ï€®ï€ˆ

Below the Queue List, click Add.

The Add Queue page displays.

ï€²ï€®ï€ˆ

In the text field Queue name, enter a name for the new queue.

ï€³ï€®ï€ˆ

Select the storage location for this queue:

?ï€ˆ

Store the queue locally; click Local.

?ï€ˆ

Use the NFS protocol for file storage; click Via Network File System (NFS). Enter the IP address or hostname of the storage location, along with its shared path.


	ïŽï¯ï´ï¥ NFS version 3 or later is supported.

?ï€ˆ

Use Samba to facilitate file storage; click Via Samba.

?ï€ˆ

Enter the following information for Samba:

?ï€ˆ

IP address or hostname of the storage location

?ï€ˆ

Its shared path

?ï€ˆ

Username

?ï€ˆ

Password

ï€´ï€®ï€ˆ

Configure the maximum number of days a message is retained in the queue; in the field Maximum message retention, enter a number from 1 to 180 days.

Default is 180 for default queues, 30 for administrator-created queues.

ï€µï€®ï€ˆ

Configure the maximum queue size, from 1 to 51200 MB.

Default is 1024.

ï€¶ï€®ï€ˆ

For an appliance in a cluster, specify the maximum storage size (in MB) assigned to each cluster machine.

ï€·ï€®ï€ˆ

Click OK.

The settings are saved.

Changing message queue properties

The Edit Queue page is used to change a message queue's properties.

ï€±ï€®ï€ˆ

In the Queue List, from the Properties column of the message queue to be edited, click Edit.

The Edit Queue page displays.

ï€²ï€®ï€ˆ

Configure the settings and click OK.

The settings are saved.

Viewing a message queue

Administrator Help | Forcepoint Email Security | Version 8.5.x

The View Messages in a Queue page displays the messages in a message queue, with functionality to view by a specific time or date range, search messages, or perform actions such as Deliver, Delete, and Reprocess.

?ï€ˆ

From the Queue List, click a queue name.

The View Messages in a Queue page displays.

View messages by date/time range

Use the View from/to fields to specify the desired date/time range for viewing entries. The calendar includes the following options:

?ï€ˆ

Change the month and year by using the back and next arrows around the month and year at the top of the calendar.

?ï€ˆ

Set the calendar to the current date by clicking the date in the lower left corner of the calendar.

?ï€ˆ

Click Clean to clear the current date/time calendar selection.

?ï€ˆ

Click Today to set the calendar date to today's date.

Set the time range in hours and minutes in the entry fields to the right of the calendar.

?ï€ˆ

Click the arrow to the right of the View date/time range to display the desired queue items.

Search messages by keyword

Use the Search functionality to perform a keyword search of the message queue, and to refine a search by message IDs, senders, recipients, subjects, or policies applied. You can also search on the name of the appliance that processed the messages (Processed By category). The Search functionality includes the following options:

ï€±ï€®ï€ˆ

In the text field, enter a keyword.

ï€²ï€®ï€ˆ

From the pull-down menu, click a category on which to search; ID, Subject, Sender, Recipient, Policy/Rule, Processed By, or All.

ï€³ï€®ï€ˆ

Click Search.

The messages matching the search parameters display.

Configure the number of messages to display

Use the Per Page menu to configure how many messages to view on each page of the queue.

?ï€ˆ

From the pull-down menu per page, select the number of messages to display on each page; 25, 50, or 100.

The default is 25.

The following table details the information displayed in the list of messages.

Parameter

Description

Sender

Sender email address.

Recipient

Recipient email address.

Subject

Message subject.

Click the link to display the View Message page for viewing message information and contents. See Viewing a message in a queue.

Size

Message size.

Date/Time

Date and time of message receipt.

Policy/Rule

Policy and rule applied to the message. If a data loss prevention (DLP) policy is applied to a message, this information displays as a clickable link.

Click View Incident to open the DLP incident information in the Data module, where the message was processed.

This column does not display in the archive queue.

Message Type

Type of message (for example, spam, virus, exception, commercial bulk, advanced malware detection - cloud, advanced malware detection - on-premises, spoofed email, URL analysis, encryption error, or decryption error).

Processed By

Name of the appliance that processed the message.

Quarantined Reason

Indicates why a message was sent to a quarantine queue:

?ï€ˆ

Antivirus filter

?ï€ˆ

Email hybrid service

?ï€ˆ

URL analysis filter

?ï€ˆ

Bounce address tag validation

?ï€ˆ

Digital fingerprinting antispam tool

?ï€ˆ

LexiRules antispam tool

?ï€ˆ

Heuristics antispam tool

?ï€ˆ

Commercial bulk email filter

?ï€ˆ

Custom content filter

?ï€ˆ

Block List (Personal Email Manager Always Block List entry)

?ï€ˆ

Archive feature (a setting on the page Settings > Inbound/Outbound > Message Control)

?ï€ˆ

Data loss prevention

?ï€ˆ

Exception (message exception)

?ï€ˆ

For a message attachment analyzed by Forcepoint Advanced Malware Detection for Email - Cloud, click View report(s) to open a pop-up box with links to an Advanced Malware Detection - Cloud report on each file examined.


	ïŽï¯ï´ï¥ In high-traffic situations, a large number of virus filter and URL filter exceptions may occur, incorrectly sending many messages to the exception queue. After the situation is resolved, select the affected email and use the Reprocess action to restart email processing.

Select a message in the queue and perform the following actions:


Action	Description
Deliver	Deliver the message to its recipient(s).
Delete	Delete the message from the queue.
Reprocess	Delete the message from the queue and restart the email processing function as if the email system were receiving it for the first time. For the archive queue, this action is called Process.
Not Spam	Report that the message should not be classified as spam and release the message for delivery. This option is available only when spam messages are selected.
More Actions	Pull-down menu functionality to select additional actions to perform. See the following table for more information.
Refresh	Refresh the queue contents list to view up-to-date queue contents.

The pull-down menu More Actions includes the following operations:


Action	Description
Resume Processing	A message that has both spam and virus characteristics may be isolated by one type of filter before it has been processed by the other type. If the original quarantine is a false positive, use this action to make sure the message is processed by all relevant filters rather than delivered after only the first analysis.
Add to Always Block List	Add the message sender to the Always Block List.
Add to Always Permit List	Add the message sender to the Always Permit List.
Forward	Forward the message to one or more recipients. The forwarded message is added as an attachment to the forwarding message.
Download	Download the message in .eml format. Downloaded email is saved in a zip file.
Clear message queue	Delete all the messages in the queue.
Reprocess all messages	Reprocess messages in your search result. Only the first 5000 entries in your search result are reprocessed.
Delete all messages	Delete messages in your search result. Only the first 5000 entries in your search result are deleted.

Managing the blocked message queue

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Main > Message Management > Blocked Messages lists all blocked messages from most queues across all appliances together in a single table, with a column entry that indicates the name of the queue in which a message is stored. Messages in the archive and Delayed Messages queues are not included on this page.

View messages by date/time range

Use the View from/to fields to specify the desired date/time range for viewing entries. The calendar includes the following options:

?ï€ˆ

Change the month and year by using the back and next arrows around the month and year at the top of the calendar.

?ï€ˆ

Set the calendar to the current date by clicking the date in the lower left corner of the calendar.

?ï€ˆ

Click Clean to clear the current date/time calendar selection.

?ï€ˆ

Click Today to set the calendar date to today's date.

Set the time range in hours and minutes in the entry fields to the right of the calendar.

?ï€ˆ

Click the arrow to the right of the View date/time range to display the desired queue items.

Search messages by keyword

Use the Search functionality to perform a keyword search of blocked messages, and to refine a search by message IDs, senders, recipients, subjects, or policies applied. You can also search on an individual queue or on the name of the appliance that processed the messages (Processed By category). The Search functionality includes the following options:

ï€±ï€®ï€ˆ

In the text field, enter a keyword.

ï€²ï€®ï€ˆ

From the pull-down menu, click a category on which to search; ID, Subject, Sender, Recipient, Policy/Rule, Processed By, or All.

ï€³ï€®ï€ˆ

Click Search.

The messages matching the search parameters display.

Configure the number of messages to display

Use the Per Page menu to configure how many messages to view on each page of the queue.

?ï€ˆ

From the pull-down menu per page, select the number of messages to display on each page; 25, 50, or 100.

The default is 25.

The following table details the information displayed in the list of blocked messages.

Parameter

Description

Sender

Sender email address.

Recipient

Recipient email address.

Subject

Message subject.

Click the link to display the View Message page for viewing message information and contents. See Viewing a message in a queue.

Size

Message size.

Date/Time

Date and time of message receipt.

Policy/Rule

Policy and rule applied to the message. If a data loss prevention (DLP) policy is applied to a message, this information displays as a clickable link.

Click View Incident to open the DLP incident information in the Data module, where the message was processed.

This column does not display in the archive queue.

Queue

Queue in which the message is stored (for example, spam, virus, exception, encryption-fail, or decryption-fail).

Message Type

Processed By

Name of the appliance that processed the message.

Quarantined Reason

Indicates why a message was sent to a quarantine queue:

?ï€ˆ

Antivirus filter

?ï€ˆ

Email hybrid service

?ï€ˆ

URL analysis filter

?ï€ˆ

Bounce address tag validation

?ï€ˆ

Digital fingerprinting antispam tool

?ï€ˆ

LexiRules antispam tool

?ï€ˆ

Heuristics antispam tool

?ï€ˆ

Commercial bulk email filter

?ï€ˆ

Custom content filter

?ï€ˆ

Block List (Personal Email Manager Always Block List entry)

?ï€ˆ

Archive feature (a setting on the page Settings > Inbound/Outbound > Message Control)

?ï€ˆ

Data loss prevention

?ï€ˆ

Exception (message exception)

?ï€ˆ

Select a message in the blocked messages queue and perform the following actions:


Action	Description
Deliver	Deliver the message to its recipient(s).
Delete	Delete the message from the queue.
Reprocess	Delete the message from the queue and restart the email processing function as if the email system were receiving it for the first time.
Not Spam	Report that the message should not be classified as spam and release the message for delivery. This option is available only when spam messages are selected.
Refresh	Refresh the queue contents list to view up-to-date queue contents.

The pull-down menu More Actions includes the following operations:


Action	Description
Resume Processing	A message that has both spam and virus characteristics may be isolated by one type of filter before it has been processed by the other type. If the original quarantine is a false positive, use this action to make sure the message is processed by all relevant filters rather than delivered after only the first analysis.
Add to Always Block List	Add the message sender to the Always Block List.
Add to Always Permit List	Add the message sender to the Always Permit List.
Forward	Forward the message to one or more recipients. The forwarded message is added as an attachment to the forwarding message.
Download	Download the message in .eml format. Downloaded email is saved in a zip file.
Reprocess all messages	Reprocess the messages in your search result. Only the first 5000 entries in your search result are reprocessed.
Delete all messages	Delete the messages in your search result. Only the first 5000 entries in your search result are deleted.

Managing the delayed message queue

Administrator Help | Forcepoint Email Security | Version 8.5.x

Email that is temporarily undeliverable as a result of various connection issues is sent to the delayed messages queue. Delayed messages may be automatically resent by the system. See Handling undelivered messages for information about setting the delayed messages delivery retry interval and configuring a notification message to be sent for undelivered email.

Delayed message delivery may also be scheduled for a future date using a custom content filter action. See Custom content for information about custom content filters and Creating and configuring a filter action for details about scheduling a delayed message delivery.

View the messages in this queue and manually perform necessary processing activities on the page Main > Message Management > Delayed Messages.

View messages by date/time range

When the Delayed Messages page displays, the most recent messages are shown. Use the View from/to fields to specify the desired date/time range for viewing messages. The calendar includes the following options:

?ï€ˆ

Change the month and year by using the back and next arrows around the month and year at the top of the calendar.

?ï€ˆ

Set the calendar to the current date by clicking the date in the lower left corner of the calendar.

?ï€ˆ

Click Clean to clear the current date/time calendar selection.

?ï€ˆ

Click Today to set the calendar date to today's date.

Set the time range in hours and minutes in the entry fields to the right of the calendar.

?ï€ˆ

Click the arrow to the right of the View date/time range to display the desired queue items.

Search messages by keyword

Use the Search functionality to perform a keyword search of delayed messages, and to refine a search by message IDs, senders, recipients, subjects, or reasons for delay. If appliances are configured in a cluster, you can also search on the name of the appliance that processed the messages (Processed By category). The Search functionality includes the following options:

ï€±ï€®ï€ˆ

In the text field, enter a keyword.

ï€²ï€®ï€ˆ

From the pull-down menu, click a category on which to search; ID, Subject, Sender, Recipient, Processed By, Reason for Delay, or All.

ï€³ï€®ï€ˆ

Click Search.

The messages matching the search parameters display.

Configure the number of messages to display

Use the Per Page menu to configure how many messages to view on each page of the queue.

?ï€ˆ

From the pull-down menu per page, select the number of messages to display on each page; 25, 50, or 100.

The default is 25.

The following table details the information displayed in the list of delayed messages.

Parameter

Description

Sender

Sender email address.

Recipient

Recipient email address.

Subject

Message subject.

Click the link to display the View Message page for viewing message information and contents. See Viewing a message in a queue.

Size

Message size.

Date/Time

Date and time of message receipt.

Policy/Rule

Policy and rule applied to the message. If a data loss prevention (DLP) policy is applied to a message, this information displays as a clickable link.

Click View Incident to open the DLP incident information in the Data module, where the message was processed.

This column does not display in the archive queue.

Next Scheduled Delivery Attempt

Date of the next scheduled message delivery attempt.

Reason for Delay

Reason a message is delayed. Entries in this column may be one of the following:

?ï€ˆ

Temporary connection issue delay n. A temporary delay due to connection issues; n is the number of retry attempts remaining for the message.

?ï€ˆ

Scheduled delay. An intentional delay that is scheduled via a custom content filter action (see Creating and configuring a filter action for information).

?ï€ˆ

Advanced Malware Detection - Cloud or Advanced Malware Detection - On-Premises delay. A temporary delay due to in-progress advanced file analysis.

Processed By

Name of the appliance that processed the message.

Select a message in the queue and perform the following actions:


Action	Description
Release	Attempt the message delivery immediately.
Delete	Delete the message from the queue.
Refresh	Refresh the queue contents list to view up-to-date queue contents.

The pull-down menu More Actions includes the following operations:


Action	Description
Forward	Forward the message to one or more recipients. The forwarded message is added as an attachment to the forwarding message.
Download	Download the message in .eml format. Downloaded email is saved in a zip file.
Release all messages	Attempt to deliver all the messages in the queue.
Delete all messages	Delete the messages in your search result. Only the first 5000 entries in your search result are deleted.

Viewing a message in a queue

Administrator Help | Forcepoint Email Security | Version 8.5.x

Use the View Message page to view details about a message or the message contents from any message queue, including Blocked Messages, Delayed Messages, or any default or custom queue on the page Message Queues. Click the link for a message in the Subject column of a queue to open the View Message page.

The Back link at the top of the page returns you to the View Queue page. The Previous and Next links let you navigate to the previous or next message in the queue messages list.

The following information about a selected message is displayed on the View Message page:


Field Name	Description
Sender	Sender email address.
Recipient	Recipient email address.
From	Name of the sender.
To	Name of the recipient.
Date	Date the message was received.
Policy	Name of the policy applied to the message.
Message type	Message type, indicating message analysis result or filter type (Clean, Virus, Spam, Data Loss Prevention, Exception, Commercial Bulk, Phishing, Advanced Malware Detection - Cloud, Advanced Malware Detection - On-Premises, Spoofed Email, URL Analysis, Email Attachment, or Custom Content).
Processed by	Name of the appliance that processed the message.
Header	Click the link to view the message header.
Attachment	If the message contains an attachment, a link allows you to open it.
Subject	Message subject.

All message actions available ton any View Queue page are also available on the View Message page, except Clear All Messages or Release All Messages. See Viewing a message queue. You can also choose to view message contents in either text or HTML format or to Clear message queue from the pull-down menu More Actions.

Configuring message exception settings

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Settings > Inbound/Outbound > Exceptions specifies how to handle messages that cannot be processed for some reason. Configure message exception settings as follows:

ï€±ï€®ï€ˆ

Mark one or more check boxes to specify the action(s) to perform on a message that cannot be processed:

?ï€ˆ

Deliver the message when an exception is caused by an antivirus filter.

?ï€ˆ

Deliver the message when an exception is caused by an antispam filter (default setting).

?ï€ˆ

Deliver the message when an exception is caused by the advanced file analysis filter.

?ï€ˆ

Deliver the message when an exception is caused by the commercial bulk email filter.

?ï€ˆ

Deliver the message when an exception is caused by a data loss prevention policy (default setting).

?ï€ˆ

Deliver messages when an exception is caused by any other system operation.

?ï€ˆ

Save exception messages to a queue (default setting).

Select the desired folder from the pull-down menu (default is exception). The list includes all the default queue names and any administrator-created queues. To add a new queue, select Add Folder from the pull-down menu to open the Add Queue screen.


	ï—ï¡ï²ï®ï©ï®ï§ You must have the save option selected to save undelivered messages to a queue. If this option is not selected, messages may be dropped

ï€²ï€®ï€ˆ

Send a notification regarding the unprocessed message; mark the check box Send notification to enable the Notification Properties section.

ï€³ï€®ï€ˆ

Select the notification message sender from the following choices:

?ï€ˆ

Original email sender

This is the default.

?ï€ˆ

Administrator

If you use this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).

?ï€ˆ

Custom

Specify a single email address in this field.

ï€´ï€®ï€ˆ

Mark one or more check boxes to specify notification message recipients from among the following choices:

?ï€ˆ

Original email sender

?ï€ˆ

Original email recipient

?ï€ˆ

Administrator

This is the default. If you use this option, you must configure a valid administrator email address on the page Settings > General > Settings (see Setting system notification email addresses).

?ï€ˆ

User specified; enter one or more email addresses, separated by semicolons, in this field

ï€µï€®ï€ˆ

In the text field Subject, specify the subject line of your notification message.

ï€¶ï€®ï€ˆ

In the text field Content, enter the body of your notification message.

ï€·ï€®ï€ˆ

Attach the original message to the notification message; mark the check box Attach original message.

ï€¸ï€®ï€ˆ

Click OK.

The settings are saved.

Handling undelivered messages

Administrator Help | Forcepoint Email Security | Version 8.5.x

Message delivery options help you control how undeliverable mail is handled. Options for these operations are configured on the page Settings > Inbound/Outbound > Message Non-Delivery Options.

Use the following steps to determine how to handle messages that are temporarily undeliverable due to error situations:

ï€±ï€®ï€ˆ

In the field Retry interval, enter the time for the message retry interval, in minutes.


	Important Message delivery retry intervals are calculated exponentially. For example, using the default entry of 15, retry attempts are made in 15, 30, 60, 120, 240, etc., minutes.

ï€²ï€®ï€ˆ

In the field Maximum retry period, enter the time for the maximum period for retrying message delivery, in minutes.

The default is 1440.

ï€³ï€®ï€ˆ

In the field Notification email address, enter an email address to which to send notifications that a non-delivery report (NDR) cannot be delivered to the original sender at the end of the retry period.

Mark the check box Use Administrator email address to send these messages to the administrator.

You must configure the administrator address on the page Settings > General > System Settings (see Setting system notification email addresses).

ï€´ï€®ï€ˆ

Click OK.

The settings are saved.

Traffic shaping options

Administrator Help | Forcepoint Email Security | Version 8.5.x

The page Settings > Inbound/Outbound > Traffic Shaping is used to determine the rate of traffic delivery for a specified source or destination group based on domain group or user directory settings. For example, these settings allow you to send large volumes of email at a rate that prevents possible blacklisting of the domain.

Change the order of a traffic shaping group by marking its associated check box and using the Move Up and Move Down buttons. Copy an existing traffic shaping group by marking its associated check box and clicking Copy. You can delete a traffic shaping group by marking its associated check box and clicking Delete.

In addition to specifying source and destination user groups, the following message delivery settings may be modified as part of traffic shaping:

?ï€ˆ

Maximum number of concurrent connections

?ï€ˆ

Maximum number of messages per connection within a designated time period

?ï€ˆ

Maximum number of recipients per message

?ï€ˆ

Use of the SMTP session cache, for which the maximum number of messages per session and the session duration are specified

The default traffic shaping group contains no traffic source or destination user groups.

Add message traffic shaping controls in your system

ï€±ï€®ï€ˆ

On the page Traffic Shaping, click Add.

The Add Traffic Shaping Group page displays.

ï€²ï€®ï€ˆ

In the text field Traffic shaping group name, enter a name.

ï€³ï€®ï€ˆ

From the pull-down menu Order, specify the location in which this group should appear in the traffic shaping group list.

ï€´ï€®ï€ˆ

Select the status of your traffic shaping group: Active or Disabled.

ï€µï€®ï€ˆ

Configure an email source for the traffic shaping group, if desired.

From Source type, designate one of the following source types:

?ï€ˆ

All sources

?ï€ˆ

Domain group

This is the default. Select the domain group from the pull-down menu. Modify the selected domain group by clicking Edit.

?ï€ˆ

User directory

Select a user directory from the list, or create a new user directory by clicking Add user directory.

ï€¶ï€®ï€ˆ

Configure an email destination traffic shaping group, if desired.

From Destination type, designate one of the following destination types:

?ï€ˆ

All destinations

?ï€ˆ

Domain group

This is the default. Select the domain group from the pull-down menu. Modify the selected domain group by clicking Edit.

?ï€ˆ

User directory

Select a user directory from the list, or create a new user directory by clicking Add user directory.

ï€·ï€®ï€ˆ

In the field Maximum number of concurrent connections, enter the maximum number of simultaneous message deliveries to an individual routing address.

The range of values is 5–50; default value is 20.

ï€¸ï€®ï€ˆ

In the field Maximum number of messages per connection, enter the maximum number of messages per connection within a defined time period.

The range of values for number of messages is 1–10000; default value is 10000. The time range is 60 seconds to 30 minutes; default value is 60 seconds.

ï€¹ï€®ï€ˆ

In the field Maximum number of recipients, enter the maximum number of message recipients per message delivery.

The range of values is 5–100; default value is 50.

ï€±ï€°ï€®ï€ˆ

Use an SMTP session cache; mark the check box Enable SMTP session cache.

This is the default.

ï¡ï€®ï€ˆ

Enter the maximum number of messages allowed per SMTP session.

Range of values is 5–100; default is 10. Enter zero (0) to specify an unlimited number of messages per session.

ï¢ï€®ï€ˆ

Enter the duration of the SMTP session, in seconds.

Range of values is 60–600 seconds; default value is 300 seconds.

ï€±ï€±ï€®ï€ˆ

Click OK.

The settings are saved. The new group displays on the page Traffic Shaping.

Handling encrypted messages

Administrator Help | Forcepoint Email Security | Version 8.5.x

An email content policy configured in the Data Security module may specify that a message should be encrypted for delivery. To encrypt specific outbound messages, you must create an email DLP policy that includes an encryption action plan in the Data Security module (Main > Policy Management > DLP Policies).

The following types of message encryption are supported:

?ï€ˆ

Mandatory Transport Layer Security encryption

?ï€ˆ

Forcepoint email encryption

?ï€ˆ

Third-party encryption application

?ï€ˆ

Secure Message Delivery

Specify the type of encryption to use on the page Settings > Inbound/Outbound > Encryption.

Mandatory Transport Layer Security encryption

Transport Layer Security (TLS) is an Internet protocol that provides security for all email transmissions—inbound, outbound, and internal. The client and server negotiate a secure "handshake" connection for the transmission to occur, provided both the client and the server support the same version of TLS.

Enable TLS encryption with no backup method

In the Email Security module, if you select only TLS for message encryption and the client and server cannot negotiate a secure TLS connection, the message is sent to a delayed message queue for a later delivery attempt.

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Encryption.

ï€²ï€®ï€ˆ

From the pull-down menu Encryption method, select Transport Layer Security (TLS).

ï€³ï€®ï€ˆ

Use only TLS for message encryption; from TLS Encryption Backup Options, select Use TLS only (no backup encryption method; message is queued for later delivery attempt).

ï€´ï€®ï€ˆ

Click OK.

The settings are saved.

Enable TLS encryption with a backup method

If you select TLS for message encryption, you can designate another encryption option as a backup method in case the TLS connection fails. Specifying a backup option allows you a second opportunity for message encryption in the event of an unsuccessful TLS connection. If both the TLS and backup connections fail, the message is sent to a delayed message queue for a later connection attempt.

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Encryption.

ï€²ï€®ï€ˆ

From the pull-down menu Encryption method, select Transport Layer Security (TLS).

ï€³ï€®ï€ˆ

From TLS Encryption Backup Options, select one of the following options:

?ï€ˆ

Use Forcepoint Email Encryption as backup encryption method

This option is available only if your subscription includes the Forcepoint Email Security - Encryption Module.

?ï€ˆ

Use third-party application as backup encryption method

?ï€ˆ

Use secure message delivery as backup encryption method

Additional options display according to your selection.

ï€´ï€®ï€ˆ

Configure the settings for the selected backup method.

See Third-party encryption application and Secure Message Delivery.

ï€µï€®ï€ˆ

Click OK.

The settings are saved.

Forcepoint email encryption

The Forcepoint Email Encryption option enables the email hybrid service to perform message encryption on outbound messages. Forcepoint email encryption is available only if your subscription includes the Forcepoint Email Security Hybrid Module and the Forcepoint Email Security - Encryption Module, and if the email hybrid service is registered and enabled.

You can also specify Forcepoint Email Encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.

When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If the secure connection is not made, the message is placed in a delayed message queue for a later delivery attempt.

The SMTP server addresses used to route email to the email hybrid service for encryption are configured during the Forcepoint Email Security Hybrid Module registration process. Use the Delivery Route page under Settings > Hybrid Service > Hybrid Configuration to add outbound SMTP server addresses (see Define delivery routes).

If the email hybrid service detects spam or a virus in an encrypted outbound message, the mail is returned to the message sender.

The email hybrid service attempts to decrypt inbound encrypted mail and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.

The hybrid service does not encrypt inbound or internal mail. A DLP policy must be modified to designate only outbound messages for encryption when the email hybrid service is used.

See Forcepoint Email Security Message Encryption for more information.

Enable Forcepoint email encryption

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Encryption.

ï€²ï€®ï€ˆ

From the pull-down menu Encryption method, select Forcepoint Email Encryption.

ï€³ï€®ï€ˆ

Click OK.

The settings are saved.

Third-party encryption application

The email protection system supports the use of third-party software for email encryption. The third-party application used must support the use of x-headers for communication with the email system.

You can also specify third-party application encryption as a backup encryption method if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.

The email protection system can be configured to add an x-header to a message that triggers a DLP encryption policy. Other x-headers indicate encryption success or failure. These x-headers facilitate communication between the email system and the encryption software. You must ensure that the x-header settings made on the Encryption page match the corresponding settings in the third-party software configuration.

Configure third-party application encryption

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Encryption.

ï€²ï€®ï€ˆ

From the pull-down menu Encryption method, select Third-party application.

Applicable configuration options display.

ï€³ï€®ï€ˆ

Add encryption servers (up to 32) to the Encryption Server List:

ï¡ï€®ï€ˆ

Enter the IP address or hostname and port number of each server.

ï¢ï€®ï€ˆ

Use the MX lookup feature; mark the check box Enable MX lookup.

If you entered an IP address in the previous step, the MX lookup option is not available.

ï£ï€®ï€ˆ

Click the arrow to the right of the Add Encryption Server box to add the server to the Encryption Server List.

Delete a server from the list; select it and click Remove.

ï€´ï€®ï€ˆ

In the pull-down menu Encrypted IP address group, specify an IP address group if decryption is enabled or if encrypted email is configured to route back to the email software.

The default is Encryption Gateway.

ï€µï€®ï€ˆ

Configure users to present credentials to view encrypted mail; mark the check box Require authentication and supply the desired user name and password in the appropriate fields.

Authentication must be supported and configured on your encryption server to use this function.

ï€¶ï€®ï€ˆ

In the field Encryption X-Header, specify an x-header to be added to a message that should be encrypted.

This x-header value must also be set and enabled on your encryption server.

ï€·ï€®ï€ˆ

In the field Encryption Success X-Header, specify an x-header to be added to a message that has been successfully encrypted.

This x-header value must also be set and enabled on your encryption server.

ï€¸ï€®ï€ˆ

In the field Encryption Failure X-Header, specify an x-header to be added to a message for which encryption has failed.

This x-header value must also be set and enabled on your encryption server.

ï€¹ï€®ï€ˆ

Select any desired encryption failure options:

?ï€ˆ

Mark the check box Send messages to queue.

Select a queue for these messages from the pull-down menu. The default is the virus queue.

?ï€ˆ

Mark the check box Send notification to original sender.

?ï€ˆ

In the section Notification Details, enter the notification message subject and content in the appropriate fields.

?ï€ˆ

Include the original message as an attachment to the notification message; mark the check box Attach original message.

?ï€ˆ

Deliver the message that failed the encryption operation; select Deliver message.

This is the default.

?ï€ˆ

Do not deliver the message that failed the encryption operation; select Drop message.

ï€±ï€°ï€®ï€ˆ

Decrypt encrypted messages; mark the check box Enable decryption

ï€±ï€±ï€®ï€ˆ

Select any desired decryption options:

?ï€ˆ

In the field Content type, enter the message content types to decrypt, separated by semicolons.

Maximum length is 49 characters. Default entries include multipart/signed, multipart/encrypted, and application/pkcs7-mime.

?ï€ˆ

In the field X-Header, specify a message x-header that identifies a message to decrypt.

This x-header value must also be set and enabled on your encryption server.

?ï€ˆ

In the field Decryption X-Header, specify an x-header to be added to a message that should be decrypted.

This x-header value must also be set and enabled on your encryption server.

?ï€ˆ

In the field Decryption Success X-Header, specify an x-header to be added to a message that has been successfully decrypted.

This x-header value must also be set and enabled on your encryption server.

?ï€ˆ

In the field Decryption Failure X-Header, specify an x-header to be added to a message for which decryption has failed.

This x-header value must also be set and enabled on your encryption server.

?ï€ˆ

Forward a message that has failed decryption to a specific queue; mark the check box On decryption failure and select a queue for these messages from the pull-down menu.

The default is the virus queue.

ï€±ï€²ï€®ï€ˆ

Click OK.

The settings are saved.

Secure Message Delivery

Secure Message Delivery is an on-premises encryption method used to configure delivery options for a secure portal in which recipients of your organization's email may view, send, and manage encrypted email. For example, you may wish to include sensitive personal financial information in a message to a client. The portal provides a secure location for the transmission of this data.

Users within your organization who send and receive secure messages handle these messages via their local email clients, not the secure portal.

Secure messages are stored in a default secure-encryption queue (Main > Message Management > Message Queues). You can search for and delete messages in the secure-encryption queue view. Message details may not be viewed. The maximum queue size and number of days a message is retained are configured on the Edit Queue page. See Managing message queues.

You can also specify Secure Message Delivery as a backup encryption method for outbound email if mandatory TLS encryption is selected. See Mandatory Transport Layer Security encryption.

The Secure Message portal can be displayed in one of nine languages, which the end user selects during the registration process. The Forcepoint Secure Messaging User Help is available in Forcepoint Documentation, also in nine languages. It describes the user registration process and how to use the secure message portal.

Configure Secure Message Delivery encryption

ï€±ï€®ï€ˆ

Navigate to the page Settings > Inbound/Outbound > Encryption.

ï€²ï€®ï€ˆ

From the pull-down menu Encryption method, select Secure Message Delivery.

ï€³ï€®ï€ˆ

Enter the IP address or hostname for the appliance that hosts the secure message delivery portal.

The maximum length for the hostname is 64 characters.

Entering a hostname rather than an IP address is recommended, to avoid potential Microsoft Outlook warning messages generated in an end user's inbox by the notification message.


	Important The entry in this field should be mapped to the E1 interface (for a V10000 appliance) or the P1 interface (for a V5000 appliance). Ensure that the interface you use is visible from outside your internal network.

If you have an appliance cluster, enter the IP address or hostname for one cluster appliance (primary or secondary). The cluster load balancing function directs traffic appropriately.


	ïŽï¯ï´ï¥ Secure messaging uses the same port configured for the Personal Email Manager portal (Settings > Personal Email > Notification Message).

ï€´ï€®ï€ˆ

Specify the actions that your users are allowed to perform in the secure portal, along with the types of recipients to whom these users can send secure messages:

?ï€ˆ

Enforce strong password policy

With this policy in force, an end-user password must meet the following requirements:

?ï€ˆ

Between eight and 15 characters

?ï€ˆ

At least one uppercase letter

?ï€ˆ

At least one lowercase letter

?ï€ˆ

At least one number

?ï€ˆ

At least one special character; supported characters include:

! " # $ & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

End users are prompted to create strong passwords in the Secure Messaging portal.

?ï€ˆ

Maximum message size

End-user message size includes any attachments. The default value is 50 MB; maximum value is 100 MB.

?ï€ˆ

Reply all to secure messages received in the portal

An end user may reply to all message recipients. However, if the option Internal domain email addresses only is selected for Allowed Recipients, the user may reply only to recipients inside your organization.

The recipient list cannot be modified for this type of message.

?ï€ˆ

Forward secure messages received in the portal

An end user may forward any secure message received to allowed recipients.

?ï€ˆ

Compose new secure messages within the portal

An end user may compose and send a new secure message to allowed recipients.

?ï€ˆ

Attach files to secure messages sent from the portal

An end user may send an attachment in a secure message

These options are all selected by default.

The Allowed Recipients box offers options for the types of recipients to whom your customer may reply, forward, or send new secure messages. For security purposes, the recipient list must include at least one email address within your organization.

?ï€ˆ

Internal domain email addresses only. Only email addresses within your organization's protected domains may be specified as recipients.

?ï€ˆ

Internal and external domain email addresses (at least one internal email address required). Email addresses outside your organization's protected domains may be specified as recipients, but at least one address within your domains must be entered (default selection).

See Protected Domain group for more information about determining your protected domains.

ï€µï€®ï€ˆ

From the Secure Email End-User Notification section, use the configure the notification email that users receive when secure messages sent to them have been delivered to the portal for viewing.

Any customizations you make to the notification message template are lost when upgrading to a new version of Forcepoint Email Security. After upgrade, you will need to reconfigure your customized templates.

?ï€ˆ

Use the default message or customize it to suit your needs.

The $URL$ field must be included in your notification because it creates the link the end user clicks to access the secure email portal.

?ï€ˆ

In the field Sender, enter one sender address for the notification.

The sender address must belong to your internal protected domain. Because you do not want responses to the notification, ensure that the sender address is configured to drop any direct replies to the notification.

?ï€ˆ

In the field Subject, enter an email subject.

ï€¶ï€®ï€ˆ

After you have configured your notification message, click Preview Message to view it.

ï€·ï€®ï€ˆ

Click OK.

The settings are saved.