
Setting Up Mail Routing Rules

In document Em Fad Min Guide 62 (Page 88-94)


2.5.13 Setting Up Mail Routing Rules

The options in the Routing Rules pages allow you to specify a mail domain, its inbound mail acceptance rules, outbound mail delivery rules, and optional TLS settings. For additional information on using the mail routing rules to prevent spam, see the Tumbleweed Email Firewall Anti-spam Best Practices Guide.

To configure a mail routing rule:

1. In the main menu, click Set Up.

2. Under the Relays heading, click Routing Rules.

3. In the Set Up > Relay centers page, Mail Routing Rules tab, click Add.

4. In the Routing Rule name field, type a name for the rule. The name should be logically related to the rule you are planning to build. If no name is specified, the first domain in the list will be used as the name.

5. Add routing addresses using either the Option 1 or Option 2 tab.

5a. For Option 1, type the addresses in the field. Separate multiple addresses by a space, comma, semicolon or return.

5b. For Option 2, click Browse to select a pre-existing plain text file containing addresses.

5c. Click Next.

6. Configure the rule’s Inbound Mail Acceptance rules. See Figure 2.11.

Specify acceptance rules for when mail is From Internal Clients, Senders and Recipients, and From External Clients, Senders and Recipients, by marking the appropriate checkboxes.

To prevent open relaying, for rules that cover addresses and domains external to your organization, do not accept mail from external clients when the rule's address or domain is the recipient. That combination would make the SMTP Relay forward mail from outside your organization to destinations outside it.

7. Use the Bounce Action drop-down list to select what to do when Email Firewall is returning a message that had been previously accepted by Email Firewall. See Figure 2.12.

Figure 2.11: Mail Routing Rules Details: Inbound Mail Acceptance Rules

Figure 2.12: Mail Routing Rules Details: Inbound Mail Bounce Actions

The Bounce Action setting applies only to messages that must be returned by the SMTP Relay. If a policy action specifies that the Policy Engine should return a message in its entirety, the policy action overrides the SMTP Relay Bounce Action setting.

8. Optionally, configure the RDNS Addresses Components Required to Match (see Figure 2.13). In the fields, specify how many right-most components of the sender's email-address domain must match the reverse DNS (PTR) host name of the connecting machine before the SMTP Relay is allowed to accept the mail. For example, you may want to use this feature to accept mail from a particular company's users only when it is sent from that company's own hosts.

For example, suppose you set the External Senders match requirement to 2 and the sender's email address is in the example.com domain. If the RDNS lookup reveals that the mail was sent from mail.example.com, the two right-most components (example and com) match, and the Email Firewall SMTP Relay accepts the mail. However, if the machine's RDNS host name is in some other domain, for example alternate.com, there is no match and the Email Firewall SMTP Relay rejects the mail.
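The component-matching check in step 8, written out as an added example; this is my code, not code from Email Firewall or its guide. The PTR table is constructed so that the example runs offline (a real relay performs a reverse DNS query for the connecting IP), and the exact semantics of "components required to match" follow my reading of the text above.

```python
"""RDNS component matching for the SMTP Relay's External Senders check.

Added example, not Email Firewall code. PTR_TABLE is constructed so that
the example runs offline; a real relay would do a reverse DNS (PTR) query.
"""

# Constructed reverse-DNS data: connecting IP -> PTR host name.
PTR_TABLE = {
    "192.0.2.10": "mail.example.com",           # the sender's own mail host
    "192.0.2.20": "mx.alternate.com",           # an unrelated host
    "198.51.100.5": "smtp12.isp-provider.net",  # an ISP's shared outbound relay
    # 203.0.113.9 deliberately has no PTR record at all
}


def labels(name):
    """DNS labels of a host or domain name, lower-cased, right-most first."""
    return [c for c in name.lower().rstrip(".").split(".") if c][::-1]


def matching_components(sender_domain, rdns_host):
    """Number of right-most components the two names share:
    example.com vs mail.example.com -> 2; example.com vs mx.alternate.com -> 1."""
    n = 0
    for a, b in zip(labels(sender_domain), labels(rdns_host)):
        if a != b:
            break
        n += 1
    return n


def rdns_accepts(sender_address, client_ip, required, lookup=PTR_TABLE.get):
    """Decide whether the relay accepts mail from sender_address sent by client_ip.

    required: the 'RDNS Addresses Components Required to Match' value.
    0 disables the check. With a non-zero value, a client with no PTR record
    can never satisfy it and is rejected, as is an address without a domain.
    """
    if required <= 0:
        return True
    if "@" not in sender_address:
        return False
    sender_domain = sender_address.rsplit("@", 1)[1]
    rdns_host = lookup(client_ip)
    if not rdns_host:
        return False
    return matching_components(sender_domain, rdns_host) >= required


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.9"):
        verdict = "accept" if rdns_accepts("user@example.com", ip, 2) else "reject"
        print(ip, PTR_TABLE.get(ip, "<no PTR>"), verdict)
```

Two things the walk-through makes visible: mail from a legitimate example.com user that leaves through an ISP relay (198.51.100.5 above) is rejected because the PTR name is in the ISP's domain, and a requirement larger than the number of labels in the sender's domain (3 for example.com) rejects every message from that domain.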

9. Click Next.

10. Configure the rule’s Outbound Mail delivery options. See Figure 2.14.

If you use the RDNS matching requirements from step 8, keep in mind that they can block otherwise acceptable email from senders whose mail leaves through an ISP's relay, because the ISP's outbound hosts have reverse DNS names in the ISP's domain, not the sender's. RDNS lookups also add a DNS query per connection and may affect SMTP Relay performance.

Figure 2.13: Mail Routing Rules Details: RDNS Address Matching

Relays, or define a series of Relays. See 2.5.13 Setting Up Mail Routing Rules on page 60 for more information.

10a. If you marked either of the options to use relays, under the Enter the Relays in the order of priority heading, use the Relay Type drop-down list to select whether the relay is a static Relay Host or MX for Domain.

10b. Complete the Relay Host or Domain Name field, and the port it connects on.

10c. Click Add to add it to the list. Repeat this process for additional relays to use.

10d. If there are multiple relays specified, mark the checkbox and use the Up and Down buttons to prioritize them.

11. Click Next.

12. Specify the TLS routing rules.

Figure 2.14: Mail Routing Rules Details: Outbound Mail Delivery

In order to configure TLS, a valid TLS certificate must first be imported and selected on the Setup TLS page. Until that has been done, the TLS options on this page are disabled. See 9.4 Setting Up Certificates for TLS on page 445 for more information.

12a. If you have not yet set up TLS, click the TLS Setup link and complete TLS setup, then return to the Set Up Routing Rules page and continue here.

12b. For Inbound TLS settings, if TLS is required, mark the Require TLS for Inbound Acceptance checkbox.

If client authentication is required, mark the Client Authentication for Inbound Acceptance checkbox. This means that the certificate presented by the remote host for TLS authentication must be associated with either the domain of the remote host or a specified domain, as specified under the TLS Authentication heading.

12c. For Outbound TLS Settings, mark the appropriate radio button to specify whether Email Firewall should never use, attempt to use, or is required to use TLS for this rule.

12d. If TLS with client authentication is required for inbound acceptance, or if TLS is required for outbound delivery, mark the radio button to specify whether the certificate presented by the remote host should be associated with the domain of the remote host, or with a specified domain.

If the certificate must be associated with a specified domain, enter the domain name in the field. It is only necessary to specify a specific domain if mail from/to domains in this Routing Rule will be relayed by a host whose certificate is for a different domain (e.g. a service provider).

If authentication is not required, select Encryption Only - No Authentication Required. With this option, the mail from/to domains and the domain in the certificate are not compared, and the result of the validation of the certificate itself is ignored.

Using the Encryption Only - No Authentication Required option is a security risk because it allows "man in the middle" (MITM) attacks: an outsider who can intercept the connection is able to read, insert and modify the messages exchanged between the two parties without either party knowing that their communication link has been compromised. With this option enabled there is no guarantee of the other party's identity, because nothing is authenticated; the session is encrypted, but possibly to the wrong peer.

13. When you have completed all the routing rules selections, click Save.
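The outbound TLS choices in step 12, as an added example of the policy they produce; this is my code, not Email Firewall code. The host names, certificate names and validation results are constructed inputs. The guide does not say how the product decides that a certificate is "associated with" a domain, so cert_associated_with() is my simplification (exact name or a single left-most wildcard label), and the handling of "attempt" when the peer offers TLS with a bad certificate is likewise my assumption.

```python
"""Outbound TLS policy for a routing rule. Added example, not Email Firewall code.
Host and certificate names below are constructed; cert_associated_with() is a
simplified reading of 'associated with the domain'."""
import ssl


def client_context(authenticate):
    """Client settings behind the two choices. With authenticate=False the session
    is encrypted but neither the certificate chain nor the peer name is checked,
    which is exactly what leaves 'Encryption Only' open to a man-in-the-middle."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus host name check
    if not authenticate:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_associated_with(cert_names, domain):
    """True if a DNS name in the certificate covers `domain`: an exact match, or a
    single left-most wildcard label (*.example.net covers mx1.example.net, but
    neither example.net itself nor a.b.example.net)."""
    domain = domain.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == domain:
            return True
        if name.startswith("*.") and "." in domain:
            if domain.split(".", 1)[1] == name[2:]:
                return True
    return False


def outbound_decision(mode, auth, remote_host, specified_domain,
                      tls_offered, cert_valid, cert_names):
    """Decide how the relay delivers under a rule's Outbound TLS Settings.

    mode: 'never' | 'attempt' | 'required'      (the three radio buttons)
    auth: 'remote_host' | 'specified_domain' | 'encryption_only'
    Returns (action, reason); action is 'plaintext', 'tls' or 'defer'.
    Authentication is applied only when TLS is required, as in step 12d;
    treating 'attempt' as unauthenticated opportunistic TLS is an assumption.
    """
    if mode == "never":
        return "plaintext", "rule never uses TLS"
    if not tls_offered:
        if mode == "attempt":
            return "plaintext", "peer offers no STARTTLS, opportunistic fallback"
        return "defer", "TLS required but peer offers no STARTTLS"
    if mode == "attempt":
        return "tls", "opportunistic TLS, peer not authenticated"
    if auth == "encryption_only":
        # Validity and name are ignored: an attacker's certificate passes too.
        return "tls", "Encryption Only: peer not authenticated, MITM possible"
    if not cert_valid:
        return "defer", "certificate failed validation"
    expected = remote_host if auth == "remote_host" else specified_domain
    if cert_associated_with(cert_names, expected):
        return "tls", f"peer authenticated for {expected}"
    return "defer", f"certificate is not associated with {expected}"


if __name__ == "__main__":
    cases = [
        ("required", "remote_host", "mx1.example.net", None, True, True, ["*.example.net"]),
        ("required", "remote_host", "mx1.example.net", None, True, True, ["mail.alternate.com"]),
        ("required", "encryption_only", "mx1.example.net", None, True, False, ["mail.alternate.com"]),
        ("required", "specified_domain", "mx1.example.net", "smtp.provider.example", True, True, ["smtp.provider.example"]),
        ("attempt", "remote_host", "mx1.example.net", None, False, False, []),
    ]
    for case in cases:
        print(case[0], case[1], "->", outbound_decision(*case))
```

The third case is the one the guide warns about: the certificate fails validation and belongs to an unrelated name, yet delivery still proceeds over TLS because Encryption Only never looks at it.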

Setting Up Exact Matching for a Domain

In some cases you may want to have one rule for a domain and a different rule for that domain's subdomains. You can accomplish this by configuring one mail routing rule for Example.com and a different mail routing rule for *.Example.com.

The Email Firewall SMTP Relay uses a "best match" algorithm (see Best Match Algorithm and Wildcards on page 66), so an email address in the Example.com domain itself will match the first rule, while an email address in any subdomain of Example.com will match the second rule. This configuration allows you to have specific routing rules for a domain without matching on subdomains of that domain.

To set up exact matching for a domain:

1. In the main menu, click Set Up.

2. Under the Relays heading, click Routing Rules and then click Add.

3. Create a rule for the domain for which you want to do an exact match.

3a. Name the rule and make the appropriate selections. Follow the steps in 2.5.13 Setting Up Mail Routing Rules on page 60.

3b. Specify the relay to use.

3c. Click Save.

4. Create a second rule for all subdomains of that domain:

4a. Click Add.

4b. Name the rule and add the appropriate subdomains for which you want the rule to apply (or use the * to apply to all subdomains).

4c. Specify that the rule should use DNS.

4d. Click Save.

For example:

Example.com = 10.10.10.10
*.Example.com = DNS

Unless you click Save in this page, none of the Outbound Delivery Routing Rules settings are saved to the database.

Best Match Algorithm and Wildcards

The best match algorithm works as follows. Note the use and placement of the wildcard character (*) in the domain descriptions.

If the Relay is considering the address <user@host.domain.com>, it will search for a matching rule in the following order:

1. user@host.domain.com
2. host.domain.com
3. user@*.host.domain.com
4. *.host.domain.com
5. user@*.domain.com
6. *.domain.com
7. domain.com
8. user@*.com
9. *.com
10. com
11. user@*
12. * (the default rule)
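The search order above and the Example.com / *.Example.com configuration from Setting Up Exact Matching for a Domain, as one added example; this is my code, not Email Firewall code. The rule table is constructed from the example in that section, and the candidate order reproduces the twelve steps listed above for a three-label domain (and the same pattern for longer or shorter domains).

```python
"""Best-match rule lookup for an email address. Added example, not Email
Firewall code. RULES is constructed from the exact-matching example."""


def candidate_keys(address):
    """Every rule key that could match `address`, most specific first: exact
    address, exact domain, then for each suffix the user@*.suffix and *.suffix
    wildcards (and the bare suffix), ending with user@* and the default *."""
    user, _, domain = address.lower().rpartition("@")
    parts = domain.split(".")
    keys = [f"{user}@{domain}", domain]
    for i in range(len(parts)):
        suffix = ".".join(parts[i:])
        keys.append(f"{user}@*.{suffix}")
        keys.append(f"*.{suffix}")
        if i > 0:  # the full domain itself is already listed second
            keys.append(suffix)
    keys.append(f"{user}@*")
    keys.append("*")  # the default rule
    return keys


def best_match(address, rules):
    """Return (matched_key, rule) for the first candidate present in `rules`,
    or (None, None) when there is not even a default '*' rule. Keys are
    compared case-insensitively, so Example.com and example.com are one rule."""
    table = {k.lower(): v for k, v in rules.items()}
    for key in candidate_keys(address):
        if key in table:
            return key, table[key]
    return None, None


# Constructed rule table, as in the exact-matching example above.
RULES = {
    "Example.com": "10.10.10.10",  # static relay for the domain itself
    "*.Example.com": "DNS",        # MX lookup for every subdomain
    "*": "DNS",                    # default rule
}

if __name__ == "__main__":
    for key in candidate_keys("user@host.domain.com"):
        print(key)
    for addr in ("alice@Example.com", "bob@mail.example.com", "carol@other.org"):
        print(addr, "->", best_match(addr, RULES))
```

The point of the second rule shows up when it is missing: with only the Example.com rule in the table, bob@mail.example.com still reaches it at position 7 (domain.com) and is routed to the static relay, which is exactly what the *.Example.com rule at position 6 prevents.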

Editing Routing Rules

To edit an existing mail routing rule:

1. In the Mail Routing Rules page, click the routing rule name to open the rule.

2. To change the name of the rule, enter the new name in the field. Then click Save.
