1
Secure Email Gateway options for SmarterMail
Question asked by Gregor Mendelson - 7/18/2024 at 3:14 PM
Unanswered
Hello Community,

Which secure email gateway providers are you all using with your SmarterMail servers?

I'm familiar with Barracuda's Email Gateway Defense product, but would like to know what else is out there that works inline with MX record redirection since so many of the current providers seem to be moving to API-based solutions that only work with Office 365 / Exchange / Google Workspace.

Here are a few of the security features that I'm hoping to implement by adding a 3rd party secure gateway:

- Email Remediation
- Email Continuity
- Customizable Email Banners
- Report link/button for spam or suspicious emails
- Link Analysis & Rewriting
- Malicious Link Click Log
- Integrated Security Awareness Training
- Email Attachment Scanning
- Outbound Mail Scanning

Thank you! :)

8 Replies

0
Douglas Foster Replied
Five years ago, I got mad at Barracuda's limitations and went shopping for an alternative. I found lots of expensive options that lacked features which I thought should be the minimum capability of any competent product. So today, I have home-grown tools working that sit in front of my Barracuda. My tools do sender authentication and sender filtering using a rules engine. Barracuda provides content filtering. Barracuda is also a pretty effective tool for message log review.

When shopping for a commercial filtering solution, much depends on your situation:

Are you filtering to protect your own organization or are you running an email hosting service that filters email for multiple organizations? If you are protecting yourself, you have more flexibility to decide what is and is not allowed. If you are filtering for others, you have to worry about how much they are willing to pay for the filtering part of your service.

Is your organization willing to put ongoing labor into tuning the email filtering environment, or do you want to give away the problem to a vendor because you have no resources to invest yourself? From listening to news reports, we know that many big organizations are falling victim to ransomware, some of which must be because of email-borne attacks. We are never told which filtering products failed to protect those victim companies! We can assume that big organizations are using the expensive cloud solutions, and that they are not a silver bullet against a ransomware disaster.

What is your concept of a "clean" email environment?   Perhaps half of the email that we block is nuisance advertising.  We block it because every allowed message imposes costs on the user and his organization.  It takes him time to decide whether the message is wanted or not, time that he is not spending on his other work obligations.   It also costs the organization storage and CPU.   If a user has too many nuisance messages, he is likely to miss messages that are actually important to his job.  While I can reasonably hope that an outsourcing vendor will block malicious traffic, I don't expect him to understand what constitutes "nuisance" messages to my organization.   Maybe you will be able to train the fancy products to your situation, but that means the solution is no longer hands-off for you.

Because SmarterMail attracts budget-conscious organizations, the prior posts on this forum indicate that we use a lot of free or inexpensive tools like Declude, SpamAssassin, and RSpamd.

My custom tools have been around a few principles:

I want to authenticate every message, because all human communication is interpreted in the context of the speaker's identity. If I don't have an accurate identity, then I don't have accurate communication. DMARC and SPF don't provide enough coverage and don't tell me how to handle exceptions. So I needed to build alternate authentication mechanisms for senders who do not pass SPF and DMARC.

Alternate authentication requires multiple-attribute filtering rules.  If an organization has a missing or incorrect SPF policy, a replacement rule would be:

  • If HELO name is "*.appriver.com", and HELO is verified by forward-confirmed DNS, and MAILFROM name is "*@example.com", then treat the message as equivalent to SPF PASS.

Most commercial products are no better than Barracuda, because they only provide single-attribute rules. In Barracuda, any allow rule requires whitelisting, so the same allow rule is reduced to:

  • If the MAILFROM name is "*@example.com", then Whitelist the message whether the message is legitimate or an impersonation.

I never want to whitelist a malicious impersonation, so any ALLOW rule must be tied to an authentication mechanism, an authenticated identifier, and (usually) an identifier that is trusted by proxy because of the authenticated identifier. I cannot do that with single-attribute allow rules, so I cannot make safe ALLOW rules in most commercial products, including Barracuda. Declude and its successor Declude Reboot provide a customizable rules engine, so it became my starting point. But they require an investment of elbow grease.
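
The difference between the two rules in the reply above, as an added example that is not part of the original post and is not the poster's or Declude's code. It assumes that "verified by forward-confirmed DNS" means the HELO name resolves forward to the connecting IP; the DNS table, host names, addresses and verdict strings are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-in for DNS A lookups; 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, and the relay host name is hypothetical.
SAMPLE_A_RECORDS = {"relay1.appriver.com": {"192.0.2.10"}}

@dataclass(frozen=True)
class Session:
    client_ip: str
    helo: str
    mail_from: str

@dataclass(frozen=True)
class AltAuthRule:
    helo_pattern: str       # e.g. "*.appriver.com"
    mail_from_pattern: str  # e.g. "*@example.com"

def helo_verified(session, a_records):
    """True when the HELO name resolves forward to the connecting IP."""
    name = session.helo.lower().rstrip(".")
    return session.client_ip in a_records.get(name, set())

def multi_attribute_verdict(session, rules, a_records=SAMPLE_A_RECORDS):
    """Every attribute of a rule must hold before the sender is trusted."""
    for rule in rules:
        if (fnmatchcase(session.helo.lower(), rule.helo_pattern)
                and helo_verified(session, a_records)
                and fnmatchcase(session.mail_from.lower(), rule.mail_from_pattern)):
            return "treat-as-spf-pass"
    return "unauthenticated"

def single_attribute_verdict(session, mail_from_pattern):
    """The reduced rule: MAILFROM alone decides, so a forged MAILFROM is allowed."""
    if fnmatchcase(session.mail_from.lower(), mail_from_pattern):
        return "whitelist"
    return "filter-normally"

RULES = [AltAuthRule("*.appriver.com", "*@example.com")]
LEGIT = Session("192.0.2.10", "relay1.appriver.com", "billing@example.com")
FORGED_HELO = Session("198.51.100.7", "relay1.appriver.com", "billing@example.com")
OTHER_HOST = Session("198.51.100.7", "mail.invalid", "billing@example.com")

if __name__ == "__main__":
    for s in (LEGIT, FORGED_HELO, OTHER_HOST):
        print(s.client_ip, s.helo, multi_attribute_verdict(s, RULES),
              single_attribute_verdict(s, "*@example.com"))
```
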

0
JerseyConnect Team Replied
We currently use GoSecure as our mail gateway and it does most of what you listed. Last year we looked at alternatives just to see what was out there and yeah we came away with the impression that most providers in that space are catering to M365/Exchange. The closest other provider we found was SpamTitan. It was a fine solution, just made more sense for us to stick with the incumbent.
0
daniel schummer Replied
Proxmox mail gateway, we use it with eset antivirus over commandline  (clamav seems to be not that good)
0
Douglas Foster Replied
To specific features:
Email Remediation
This is really a server-side issue. You really need a SmarterMail API to find and remove emails that you decide are spam-getting-through. That capability has been requested but does not yet exist. Once it exists, you need a user interface to it. When that happens, SmarterMail will provide a user interface, because third-party integration is likely to be rare. The problem is not as easy as it sounds. If a spammer sends one message with 50 recipients, removal is as easy as finding all occurrences of a specific message ID. In the more common case that the spammer sends 50 separate messages to 50 people, you need to know how to build the list of message IDs that are all part of the same attack.

Link Rewrite
The spam filter should block messages that have known-bad links when the message is received, but this feature protects against links that change destination or change reputation score after the email message has been received. Every network needs a good web filter to protect all web browsing, not just email-based links. If you have that capability, email links will be protected by that web filter as long as the message is read while on your network. If you don't have that capability, you need to fix that vulnerability. But this feature adds protection against attacks when messages are read on a mobile device when the user is not on your network and therefore not protected by your web filter.

Email Banners
SmarterMail implements email banners in a way that displaces the preview window content. There is a way to implement content banners without having that effect, by extracting the initial content and putting it in a display=none section above the banner. Test your prospective vendor's implementation to see if it has this benefit.

Forwarding considerations
If you allow off-site forwarding, you need to be concerned about delivery to the final destination.   Features that modify content, including link rewrite and custom email banners, will break DKIM signatures and make forwarded mail look more suspicious.   If you can enforce a policy that prohibits offsite forwarding, you will save yourself a lot of headaches and provide more flexibility in spam filtering.   But not every organization is willing and able to enforce that rule.
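
The banner and forwarding points in the reply above, as an added example that is not part of the original post and is not SmarterMail's or any vendor's implementation. It inserts a banner with a hidden preview section and shows that the DKIM body hash (the `bh=` value, here with RFC 6376 relaxed canonicalization and SHA-256) no longer matches afterwards; the sample body, the `gw-banner` class name and the tag-stripping shortcut are constructed for illustration.

```python
import base64
import hashlib
import html
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":   # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier recomputes and compares with the signature's bh= tag."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def add_banner(body: bytes, banner: str, preview_chars: int = 90) -> bytes:
    """Insert a banner, preceded by a hidden copy of the opening text so the
    mail client's preview still shows the message rather than the banner."""
    text = body.decode("utf-8")
    # Crude tag stripping, good enough for this constructed sample.
    visible = " ".join(re.sub(r"<[^>]+>", " ", text).split())[:preview_chars]
    block = (f'<div style="display:none">{html.escape(visible)}</div>\r\n'
             f'<div class="gw-banner">{html.escape(banner)}</div>\r\n')
    # Place the block right after the opening <body> tag, or prepend it.
    new_text, count = re.subn(r"(<body[^>]*>\r?\n?)",
                              lambda m: m.group(1) + block,
                              text, count=1, flags=re.I)
    return (new_text if count else block + text).encode("utf-8")

# Constructed sample message body.
SAMPLE_BODY = (b"<html><body>\r\n"
               b"<p>Hi Pat, the Q3 invoice is attached.</p>\r\n"
               b"<p>Regards,  Lee</p>\r\n"
               b"</body></html>\r\n")

if __name__ == "__main__":
    modified = add_banner(SAMPLE_BODY, "External sender")
    print("bh before:", body_hash(SAMPLE_BODY))
    print("bh after: ", body_hash(modified))
    print(modified.decode("utf-8"))
```

Relaxed canonicalization absorbs whitespace changes only, so any gateway that inserts a banner or rewrites a link changes the hash that downstream receivers of a forwarded copy will compute.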



0
Todd R Replied
I work as a CISO for an MSSP.  We are big fans of Trustifi.  I've personally used Barracuda, Cisco Secure, Proofpoint and Mimecast.

Trustifi has, almost, all of the features that you're looking for and it's very competitively priced.  They have great support based out of Las Vegas, Nevada.

- Email Remediation - Yes however as others mentioned it's not likely to find something that will natively integrate with SM.
- Email Continuity - Yes
- Customizable Email Banners - Yes
- Report link/button for spam or suspicious emails - Yes
- Link Analysis & Rewriting - Yes
- Malicious Link Click Log - Yes
- Integrated Security Awareness Training - Yes. However, SAT is very cheap and there are great companies like Ninjio that specialize in this.  I've found that using a dedicated SAT is often times better because there's higher engagement.  
- Email Attachment Scanning - Yes
- Outbound Mail Scanning - Yes

In addition, they also have encrypted emails, archiving, admin review and release of quarantined and greymail, open and geo location data.  The list goes on.

Works well with SM. You have to set up the external gateway and for inbound you have to whitelist their IP addresses.

If you're interested in pricing or want screenshots etc just DM me.
0
Stefano Replied
I use Proxmox Mail Gateway for basic clients, but Libraesva ESG is the best solution I've ever tried.
I suggest it a lot.
0
I use FortiMail VM and, although it is a little complicated to set up, I am quite satisfied with it...
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
John Quest Replied
The best solution is using a separate SmarterMail server configured as a gateway and using Mails Best Friend DR, formerly known as Declude.

While it has an "out of the box" configuration it is also highly adaptable, flexible and customizable. 
