The True Source IP Detection feature allows the connection management features of Websense Email Security to be used effectively, even if it is downstream from a firewall or an internal mail relay. Instead of using the IP of the connecting upstream MTA, the information in the message header is used to determine the IP address of the first sender outside the network perimeter. See Example 1 and Example 2 below.
Where it is Used
This IP address is used when applying the following Email Connection Management techniques:
Blacklist
Reputation/DNS Blacklist
Directory Harvest Detection
SPF Check
Configuring True Source IP Detection
There are two steps to configuring Websense Email Security to use True Source IP Detection:
1. Define the Direct Mail Relays. These are mail relays that communicate directly with Websense Email Security through SMTP from both inside and outside the network perimeter.
There are three types of Direct Mail Relays:
Trusted – Any SMTP conversation from an IP address or IP address range that is defined in the Direct Mail Relays list to be trusted will not have connection management applied.
Connections of this type should be used when the connecting mail relay is well known and trusted. For example, for outbound connections from internal mail servers or for inbound connections from mail servers run by trusted parties.
Untrusted – Any SMTP conversation from an IP address or IP address range that is defined in the Direct Mail Relays list and not set to be trusted will have connection management applied using the IP address determined from the True Source IP Detection (instead of the connecting IP Address). Other connection management such as Directory Harvest Detection can also be applied to these connections. Connections of this type should be used for internal mail relays and store and forward firewalls.
Unknown – Any SMTP conversation from an IP address or IP address range not defined in the Direct Mail Relays list will have connection management applied using the IP address of the connecting server. However, if the Allow connections from other direct relays check box is not selected, the connection will be denied.
2. Define the Outlying Mail Relays. These are relays that exist within the network perimeter but do not communicate directly to Websense Email Security via SMTP.
These relays cannot be marked as trusted, but in essence they are treated as trusted when the True Source IP is determined.
Example 1 — Network with Firewall
For an environment using a firewall but no mail relay, the 2 steps to configure the mail relays to enable Email Connection Management to be used for email from sender A to the company mail server are:
1. Set Direct Mail Relays:
a. Set up B (store and forward firewall) as an untrusted Direct Mail Relay in the Inbound direction.
b. Set up Company Mail Server as a trusted direct connection in the Outbound direction.
2. Set Outlying Mail Relays:
None
This applies connection management using the IP Address of A—or any other external connection coming inbound through the firewall—but does not apply connection management outbound for the company mail server because this is trusted.
Example 2 — Network with Firewall and Mail Relay
For an environment using a firewall and a mail relay, the 2 steps to configure the mail relays to enable Email Connection Management to be used for email from sender A to the company mail server are:
1. Set Direct Mail Relays:
a. Set up C (Company Mail Relay) as an “untrusted” Direct Mail Relay in the Inbound direction.
b. Set up Company Mail Server as a trusted direct connection in the Outbound direction.
2. Set Outlying Mail Relays:
Set up B (store and forward firewall) as an Outlying Mail Relay, as it does not communicate directly with Websense Email Security but does forward mail to it.
This applies connection management using the IP Address of A—or any other external connection coming inbound via the firewall—but does not apply connection management outbound for the Company Mail Server because it is trusted.
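The decision described above for Trusted, Untrusted and Unknown relays, applied to the Example 2 topology, as an added illustration in Python (not Websense code). The addresses, host names, function names and the reading of Received headers are assumptions; the walk stops at the first hop outside the relay lists because every older Received line is written by the sender and can be forged.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed addresses for the Example 2 topology (A -> B -> C -> Email Security).
DIRECT_RELAYS = {                          # network -> trusted?
    ip_network("10.0.0.25/32"): False,     # C, company mail relay (untrusted)
    ip_network("10.0.0.50/32"): True,      # company mail server (trusted)
}
OUTLYING_RELAYS = [ip_network("10.0.0.1/32")]   # B, store and forward firewall

# Constructed message as C hands it over; the last Received line is forged by A.
SAMPLE = (
    "Received: from fw.corp.example ([10.0.0.1]) by relay.corp.example\n"
    "Received: from mail.sender.example ([203.0.113.7]) by fw.corp.example\n"
    "Received: from localhost ([198.51.100.9]) by mail.sender.example\n"
    "From: a@sender.example\nSubject: test\n\nbody\n"
)
HOP_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hop_ips(raw_message):
    """Yield the peer IP recorded in each Received header, newest hop first."""
    for value in message_from_string(raw_message).get_all("Received", []):
        found = HOP_IP.search(value)
        try:
            hop = ip_address(found.group(1))
        except (AttributeError, ValueError):
            return      # unparsable hop: stop rather than trust older lines
        yield hop

def source_for_connection_management(connecting_ip, raw_message, allow_other=True):
    """Return (action, ip); action is 'skip', 'apply' or 'deny'."""
    peer = ip_address(connecting_ip)
    trust = [t for net, t in DIRECT_RELAYS.items() if peer in net]
    if not trust:                       # Unknown: not in the Direct Mail Relays list
        return ("apply" if allow_other else "deny", peer)
    if trust[0]:                        # Trusted: no connection management
        return ("skip", peer)
    inside = list(DIRECT_RELAYS) + OUTLYING_RELAYS
    for ip in hop_ips(raw_message):     # Untrusted: walk back to the perimeter
        if not any(ip in net for net in inside):
            return ("apply", ip)        # first hop outside; older lines ignored
    return ("apply", peer)              # assumption: fall back to the connecting IP
```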
Blacklist
If there are domains, email addresses or IP addresses from which you do not want to receive email, you can add them to the Blacklist. This is an important step in preventing unwanted email content because:
The Receive Service will reject the email before the email content is transferred to your mail server
No hard disk space is wasted storing unwanted email
Fewer messages have to be processed by the Rules Service, which conserves system resources
When an email has been added to the Blacklist, an “Update Now” message is displayed in the Monitor. If you click Yes, a status message “Receive service configuration reloaded” is displayed in the Receive panel of the Monitor.
The Receive Service rejects any mail client that tries to send email from any of the set domains, email addresses or IP addresses, unless the mail client’s IP is added to the Trusted IP list with a setting of Open Relay.
If you have added a domain to the Blacklist, but want Websense Email Security to accept email from individuals within that domain, you can exclude individuals from the blacklist.
Warning
Do not add the protected domain to the Blacklist, or email to the protected domain will be rejected.
Related topics
Adding an item to the Blacklist
Excluding an item from the Blacklist
Editing an item on the Exclude List
Importing a Blacklist
Mail Relays