If you manage a McAfee Email Gateway (MEG) or Email and Web Security (EWS) appliance, you may have wondered how to specify valid senders for your internal domains beyond the valid relay servers list, since the EWS/MEG interface has no concept of inside and outside networks or servers. Instead of the inside/outside model, MEG and EWS provide anti-spoofing through one of the following methods:
- Sender Policy Framework (SPF) and/or SenderID
- Permitted and blocked sender lists
Below is a more in-depth description of each method and how to implement it on your McAfee Email Gateway / Email and Web Security appliance.
Method 1 - SPF / SenderID
Both SPF and Sender ID rely on a DNS record (TXT, or the dedicated SPF record type, which has since been deprecated in favour of TXT) in which the owner of a domain publishes the set of hosts allowed to send mail for that domain; a receiving MTA looks the record up to confirm whether a message arrived from an authorized server. The main difference is the identity each one checks: SPF validates the envelope sender (the SMTP MAIL FROM address, falling back to the HELO/EHLO identity when MAIL FROM is empty), whereas Sender ID validates the Purported Responsible Address (PRA), which is derived from the message headers (Resent-Sender, Resent-From, Sender, then From). A message whose envelope sender is an attacker's own domain but whose From: header shows your domain can therefore pass SPF (or get no SPF result at all) and still fail Sender ID.
Further information about SPF and SenderID, and the caveats of using either can be found at:
Below is the procedure for configuring SPF and/or Sender ID on the McAfee Email Gateway / Email and Web Security appliance, as per our Knowledge Base article KB66215.
After publishing the SPF or Sender ID record for your domain in DNS, do the following on the appliance:
- Log on to the Appliance Management Console.
- Select System, Users, Groups and services, Policy Groups.
- Click Email Senders and Recipients.
- Click Add to create a new group and name it (for example, Antispoof).
- Select Rule type Sender email address is and add the local domain addresses, one wildcard entry per domain in the same *@domain form used in Method 2 below (for example *@mydomain.com).
- Click OK.
- Select Email , Email Policies, Scanning policies.
- Click Add Policy...
- Name the policy (for example, Anti spoof policy).
- For the rule type User group, select the group created earlier (Antispoof in this example).
- Click OK.
- Under the Spam column of the new policy, click the Sender Authentication link. If it is disabled, click Yes to enable it.
- Select the SPF, Sender ID and DKIM tab.
- Select the option implemented on your DNS server, SPF or Sender ID.
- Select the action to take against email that fails the check. Reject and close is recommended to prevent spoofed email. Before choosing it, confirm that the published record lists every legitimate source of mail for the domain (third-party bulk mailers, hosted applications and so on), and remember that plain forwarding breaks SPF because the forwarding host is not an authorized sender; a score-based action is a safer first step while you verify the record.
IMPORTANT: The Score option here is separate from the anti-spam score. Actions based on this sender-authentication score are configured on the Cumulative Score and Other Options tab.
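To make the SPF / Sender ID distinction concrete, here is a small evaluator, added as an example and not code from the appliance or from McAfee. It evaluates a policy record once against the envelope sender (what SPF protects) and once against the header-derived PRA (what Sender ID inspects). DNS is replaced by a constructed in-memory zone so it runs offline; the domain names, addresses and records are assumptions made for the example, and only the ip4, ip6, include and all mechanisms are implemented because a, mx, ptr and exists need live lookups.

```python
"""SPF versus Sender ID evaluation (added example; not McAfee appliance code)."""
import ipaddress

# Constructed zone data standing in for real TXT records (assumed names/addresses).
FAKE_DNS = {
    "mydomain.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the policy of `domain` for a connecting `ip` (RFC 7208 subset).

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    record = FAKE_DNS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"          # domain publishes no policy: nothing to enforce
    if depth > 10:
        return "permerror"     # RFC 7208 bounds lookup-causing terms; we bound include depth
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # Membership is simply False (not an error) when address families differ.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # any other mechanism or modifier is skipped in this example
    return "neutral"           # ran off the end of the record without an "all"


def purported_responsible_address(headers):
    """Sender ID identity: the first present of Resent-Sender, Resent-From, Sender, From."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if headers.get(name):
            return headers[name]
    return None


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def evaluate(client_ip, mail_from, headers):
    """Run SPF on the envelope sender and Sender ID on the header PRA for one message."""
    pra = purported_responsible_address(headers)
    return {
        "spf": check_host(client_ip, domain_of(mail_from)),
        "sender_id": check_host(client_ip, domain_of(pra)) if pra else "none",
        "pra": pra,
    }


if __name__ == "__main__":
    # Constructed spoof: envelope sender in a domain with no record at all, but a
    # From: header claiming mydomain.com, delivered from an unlisted address.
    print(evaluate("203.0.113.5", "bounce@attacker.example", {"From": "ceo@mydomain.com"}))
    # Constructed legitimate message from a listed server.
    print(evaluate("192.0.2.25", "ceo@mydomain.com", {"From": "ceo@mydomain.com"}))
```

The spoofed message gets an SPF result of none (the attacker's domain publishes nothing, so there is nothing to fail) while Sender ID fails it, because the PRA domain is mydomain.com and 203.0.113.5 is not in that record. That is exactly the case an appliance policy keyed on the local domains is meant to catch, and why the choice of SPF or Sender ID on the tab should match the identity your users will actually see.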
Method 2 - Permitted and blocked sender lists
Although SPF / Sender ID is the preferred method of preventing email domain spoofing, the McAfee Email Gateway / Email and Web Security appliance also supports permitted and blocked sender lists. These let the administrator prevent spoofing locally, on the appliance itself, where publishing a DNS record is not possible or not desirable.
The following procedure (as per our Knowledge Base article KB66253) lets the administrator define an anti-spoofing policy:
- Open the Appliance management console.
- Select Email, Email configuration, Receiving Email and Permitted and blocked senders.
- In the Permitted Senders list, enter the IP addresses of all Message Transfer Agents (MTAs) allowed to send mail using the domain mydomain.com. For example: Network 192.168.1.0/24 (the KB writes 192.168.1.135/24; with a /24 mask both mean the whole 192.168.1.x range, so list individual MTAs as /32 hosts if you do not want the entire subnet trusted).
- In the Blocked Senders list, add the local domain addresses. This denies any sender IP address not in the Permitted Senders list that tries to send as mydomain.com. Add the local domain addresses in this form:
- *@mydomain.com
- *@mydomain2.com
- Click the green tick to apply the configuration changes.
IMPORTANT: Ensure that the firewall IP address is not in the Permitted Senders list. If the firewall relays (NATs or proxies) inbound SMTP, every external connection reaches the appliance with the firewall's IP address as the source; permitting that address would permit every outside sender to use your domains and defeat the policy entirely. The same applies to any permitted network range wide enough to include the firewall.
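The following model of the Method 2 lists is an added example, not code from the appliance or from McAfee. It applies the precedence the procedure describes (a connection from a permitted network is accepted; any other connection whose envelope sender matches a blocked pattern is rejected) and shows the firewall caveat by contrasting a permit list that covers the whole subnet with one that names only the real internal MTAs. The addresses, the firewall's position and the use of Python's fnmatch for the *@domain wildcards are assumptions made for the example, not a statement of the appliance's own matching rules.

```python
"""Method 2 (permitted / blocked sender lists) as a local check.

Added example; not McAfee appliance code. Addresses and firewall placement are assumed.
"""
import fnmatch
import ipaddress


class SenderListPolicy:
    def __init__(self, permitted_networks, blocked_sender_patterns):
        self.permitted = [ipaddress.ip_network(n, strict=False) for n in permitted_networks]
        self.blocked = [p.lower() for p in blocked_sender_patterns]

    def source_is_permitted(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.permitted)

    def sender_is_blocked(self, mail_from):
        # fnmatch semantics (assumed for this example): "*@mydomain.com" does not
        # cover "x@sub.mydomain.com", so sub-domains need their own entry.
        return any(fnmatch.fnmatchcase(mail_from.lower(), p) for p in self.blocked)

    def decide(self, client_ip, mail_from):
        """Return "accept" or "reject" for one SMTP transaction."""
        if self.source_is_permitted(client_ip):
            return "accept"     # the permitted list overrides the blocked list
        if self.sender_is_blocked(mail_from):
            return "reject"     # outsider claiming one of our domains
        return "accept"

    def permit_list_covers(self, ip):
        """Audit helper: True if `ip` would be trusted as an internal MTA."""
        return self.source_is_permitted(ip)


LOCAL_DOMAINS = ["*@mydomain.com", "*@mydomain2.com"]
FIREWALL_IP = "192.168.1.1"   # assumed inside address of a firewall relaying inbound SMTP

# Weak configuration: the whole /24 is permitted, which silently includes the firewall.
WEAK = SenderListPolicy(["192.168.1.0/24"], LOCAL_DOMAINS)

# Corrected configuration: only the real internal MTAs (assumed addresses) are permitted.
FIXED = SenderListPolicy(["192.168.1.135/32", "192.168.1.136/32"], LOCAL_DOMAINS)


if __name__ == "__main__":
    # Constructed spoof: an outsider's message, relayed by the firewall, claiming the CEO.
    for name, policy in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "firewall in permit list:", policy.permit_list_covers(FIREWALL_IP),
              "-> spoof is", policy.decide(FIREWALL_IP, "ceo@mydomain.com"))
```

Running the audit helper against the firewall's inside address before saving the lists is the quick check that the IMPORTANT note above asks for: if it returns True, the policy will accept spoofed mail for your own domains from anyone on the internet.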