This article explains how to set up SMTP callback verification on incoming messages in order to attempt to verify the sending address is a valid one on the sending domain and not a forged address.
From the Dashboard, after logging in:
- Click on Security, in the lower-left corner
- Locate the Anti-Spoofing section
- Click on Call Back Verify
You may then configure the following settings:
-
Use callback verification to verify senders
SecurityGateway will contact the purported domain mail server of the sending address when it receives a message, and attempt to verify the sender as being valid through a normal SMTP session, using either the VFRY command, or a RCPT TO command. This option is disabled by default.
-
Try VRFY command first (if supported by the sender's mail server)
If the sender's domain mail server supports the extended SMTP command VRFY, SecurityGateway will use it to try and verify the sending address. This option is enabled by default.
-
Send message from this address
This is the address that SecurityGateway will send in the MAIL FROM command if it cannot use the VRFY command to verify the sending address on the server. By default, this is set to use 'postmaster'. Note that if the domain is not specified, SecurityGateway will use the recipient's domain.
-
Try NULL From first
When SecurityGateway connects to a sender's domain email server, it will attempt to send a null character ('<>') for the MAIL FROM: address, before using the address provided in the field above. This option is enabled by default.
-
-
If a sender fails callback verification...
If SecurityGateway attempts to 'call back' to the sender's domain mail server and cannot verify the sender as valid, it can perform one of three options: refuse to accept the message completely, quarantine it for later review, or accept it for delivery. By default, failed messages will be quarantined.
-
... tag subject with xx
If you choose to accept messages that fail callback verification, SecurityGateway will add the following line to the start of the subject. By default, this is disabled, and set to '*** SPAM ***'
-
... add xx points to message score
If you choose to accept messages that fail callback verification, SecurityGateway will add the provided number of points to the message score. By default, this is enabled, and set to 1.0.
-
Exclude messages from whitelisted senders
If the sending email address, domain, or IP address is in SecurityGateway's whitelist, or in the recipient's personal whitelist, then the message will not be subject to callback verification. By default, this is enabled.
-
Exclude messages from authenticated sessions
If the sending session authenticates with a username and password on the SecurityGateway server, then the message will not be subject to callback verification. By default, this is enabled.