Features
Custom Integrations
Extensive built in security and security Add ons
Multi-layer security
Has multiple layer security built in at all levels of Message processing.
Authentication / Encryption
Server supports authentication, meaning it can be instructed to accept only
connections/messages from authenticated entities. CRAM-MD5, LOGIN, PLAIN,
DIGEST-MD5 and GSSAPI methods (in this order) are available for client
authentication, reducing the risk of unauthorized connections.
SSL/TLS: All communication protocols can benefit from SSL/TLS technology which
allows sending encrypted messages across networks and preventing plain text
messages to be intercepted on the way from sender to recipient. This encryption
method guarantees secure data transmission over networks.
Multi-layer access control (firewall-like rules)
Stopping spammers and preventing DOS attacks is one of the most important tasks
of a mail server and the sooner the problem is identified in the mail stream ,
the better. This is why software has a built in Firewall at the application (TCP
listener) level that allows the administrator(s) to control connectivity
parameters.
Furthermore, Administrators may define IP sets that have specific sets of such
rules, applied with different priorities or IP sets whose connections are
denied.
Flow control
Flow control restrictions can be defined in addition to the access control
rules, in order to prevent the server and storage overload, as well as protect
the server from DDos attacks.
Restrict maximum simultaneous connections
Restrict the total number of simultaneous connections that a service may accept,
the maximum number of simultaneous connection accepted from the same IP address
in order to avoid attacks from a single IP. Additionally, privileged IP address
groups (trusted servers) may have different connection limits policies.
Restrict maximum incoming connections rate
Restrict the total number of connection per time unit that a service may accept,
the maximum number of connection per time unit accepted from the same IP address
in order to avoid attacks from a single IP. Additionally, privileged IP address
groups (trusted servers) may have different connection rate limits policies.
Selectively restrict maximum messages size
The server can be configured to accept different maximum messages sizes based on
sender/sender domain, recipient/recipient domain, remote IP address, connection
security, authentication level and other message or connection related
parameters, ensuring a flexible protection for the queue and the storage
(privileged users may have extended rights).
Sender validation (SPF compliant)
A standard-based SPF verification module for sender validation (if the remote
domain is properly configured with SPF information) in impleented.
Message integrity validation (DomainKeys compliant)
The messages' integrity may be checked if the originating server used DomainKeys
to sign them; locally-originated messages may be signed by Server to allow
validation by DomainKeys-compliant remote servers.
(Yahoo associates a higher spam score to unsigned messages.)
Blacklisting / Whitelisting
Permanently reject emails coming from untrusted senders - can be defined
globally by the administrator (server level) and further refined by the users
according to their personal needs (WebMail interface).
Administrators can also define Whitelists in order to permanently accept emails
coming from trusted sources (such as business partners or remote offices).
Country Filtering
Based on an IP-to-country database, administrators can block all emails coming
from untrusted countries; alternatively they can accept emails coming
exclusively from selected countries.
DNSBL
Administrators validate sender IPs against a selected list of DNSBLs (DNS
Blacklists) in order to block emails; at the same time, they can also choose to
skip this validation for custom defined IP Ranges.
DNS Checks
Additional validations that can be run to reject spam are by checking the
originating domain for MX entries and the originating IP for a reverse DNS
entry.
AntiVirus Filtering
Advanced Filtering System allows the system administrator to define a set of
filters and priorities at server, domain or user level, offering unparalleled
flexibility to setup company security policies:
* Domain 1: filter with 2 AV and 1 ASPAM applications
* Domain 2: filter with only 1 AV
* General Manager: filter with 3 AV and 1 ASPAM applications
Identity Confirmation
Identity Confirmation ? is basically the implementation of a Challenge /
Response-based antispam method. It enables users to effectively block unwanted
messages from reaching their inbox by intercepting incoming emails and requiring
new / unknown senders to confirm their identity, while allowing legitimate
communications to come through.
AntiSpam
After applying the above mentioned antispam methods, the remaining traffic is
further taken through a content filtering process (score based) & Bayesian
filtering (through the included SpamAssassin). Administrators can set the
thresholds over which the corresponding reject actions will be applied.
Commtouch Real Time AntiSpam Protection (available as Paid Add On for
dedicated clients only)
Real Time AntiSpam Protection - To prevent Spam outbreaks the minute they occur,
Software integrates Commtouch's award winning online service as an additional
AntiSpam layer *
Message Acceptance / Sending Policies
(includes expert-mode engine for acceptance rules)
Routing Policies
Virtual routing
Assign different outbound IP addresses to each domain; blacklisted IPs will only
affect the associated domain, and not other domains operating on the same
server.
Example:
* relay emails from domain 1 to route 1, using IP1
* relay emails from all other domains to route 2, using IP2
* specify a username/password authentication before routing emails
Built in DNS Cache
DNS query responses are cached; subsequent queries are resolved locally instead
of being re-sent over the network.
Anti-Impersonation
Enforce user authentication on message submission and verify that the sender
header matches the authentication credentials preventing impersonation attempts
from local accounts.
Message and connection parameters for security policies (message size,
anti-impersonation, SPF, access control, email address blacklisting /
whitelisting, DNS checks, open relay blocking, etc):
* Originating host's IP, ports, greeting
* Originator's email address, domain or username
* Recipient email address, routing information
* Message size, headers, number of recipients
* Connection security level (SSL / non-SSL)
* Authentication information
* Session statistics (total mails sent, total size)
* SPF interrogation result; etc
Secure passwords enforcement
Define password strength policies (minimum password length, required sets of characters and so on), restricting the users from setting simple passwords.
Message Flow Schematics

Outgoing Security Schematic

Incoming Security
Schematics