Email Gateway Security Configuration Guide
Secure Email Gateways (SEGs) provide comprehensive protection against email-based threats including spam, phishing, malware, and data loss. This guide covers architecture, configuration, and best practices for enterprise email security.
Email Gateway Architecture
EMAIL GATEWAY ARCHITECTURE

INBOUND EMAIL FLOW

Internet (Sender MTA) ──▶ Secure Email Gateway (MX record points here) ──▶ Internal Mail Server (Exchange / Google) ──▶ User Mailbox

Processing stages inside the gateway, in order:

1. Connection Filtering
   - IP reputation
   - Rate limiting
   - Geo blocking

2. Authentication
   - SPF check
   - DKIM verify
   - DMARC enforce

3. Content Inspection
   - Spam scoring
   - Phishing detection
   - Malware scan
   - URL rewriting
   - Attachment sandboxing

4. Policy Enforcement
   - Allow      ──▶ Deliver to user
   - Quarantine ──▶ Hold for review
   - Reject     ──▶ Bounce back
   - Redirect   ──▶ Admin review

OUTBOUND EMAIL FLOW

Internal User Mailbox ──▶ Secure Email Gateway ──▶ Internet (Recipient MTA)

Processing stages inside the gateway, in order:

1. DLP Scanning
   - Credit cards
   - SSN patterns
   - Confidential keywords

2. Encryption
   - Policy-based
   - Keyword trigger
   - TLS enforcement

3. DKIM Signing
   - Add signature
Gateway Deployment Options
Option 1: Cloud-Based SEG (Most Common)
CLOUD SEG DEPLOYMENT

DNS MX Records:
  example.com. MX 10 mx1.vendor-seg.com.
  example.com. MX 20 mx2.vendor-seg.com.

Email Flow:
  Internet ──▶ Cloud SEG ──▶ Microsoft 365 / Google Workspace

Vendors: Proofpoint, Mimecast, Barracuda, Cisco ESA

Pros:
  ✓ No infrastructure to manage
  ✓ Global redundancy built-in
  ✓ Automatic updates
  ✓ Scales automatically

Cons:
  ✗ Ongoing subscription cost
  ✗ Less control over infrastructure
  ✗ Data leaves your network
Option 2: On-Premises Gateway
ON-PREMISES SEG DEPLOYMENT

DNS MX Records:
  example.com. MX 10 mail-gw.example.com.

Network Architecture:
  Internet ──▶ Firewall (DMZ) ──▶ SEG Appliance (DMZ) ──▶ Mail Server (Exchange, internal network)

Products: Barracuda ESG, Cisco ESA, FortiMail

Pros:
  ✓ Full control over data
  ✓ No ongoing cloud fees
  ✓ Custom integrations possible

Cons:
  ✗ Hardware and maintenance costs
  ✗ Manual updates required
  ✗ Need redundancy planning
Option 3: Built-in Cloud Security (Microsoft/Google)
NATIVE CLOUD SECURITY DEPLOYMENT

Microsoft 365 + Defender for Office 365:
  example.com. MX 0 example-com.mail.protection.outlook.com.

Google Workspace + Advanced Phishing Protection:
  example.com. MX 1 aspmx.l.google.com.
  example.com. MX 5 alt1.aspmx.l.google.com.

Pros:
  ✓ Tight integration with email platform
  ✓ Single vendor simplicity
  ✓ No additional MX routing
  ✓ Often included in existing license

Cons:
  ✗ May lack advanced features of specialized SEGs
  ✗ Single point of failure/vendor lock-in
  ✗ Advanced features require premium licensing
DNS Configuration for Email Gateways
MX Records
; Cloud SEG (e.g., Proofpoint)
example.com. IN MX 10 mx1.proofpoint.com.
example.com. IN MX 20 mx2.proofpoint.com.
; Cloud SEG (e.g., Mimecast)
example.com. IN MX 10 us-smtp-inbound-1.mimecast.com.
example.com. IN MX 20 us-smtp-inbound-2.mimecast.com.
; Cloud SEG (e.g., Barracuda)
example.com. IN MX 10 example-com.mail.barracudanetworks.com.
SPF Records
If outbound mail relays through the gateway, add the vendor's SPF include alongside your mail platform's so receivers can authorize the gateway's sending IPs:
; Proofpoint
example.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.proofpoint.com -all"
; Mimecast
example.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:us._netblocks.mimecast.com -all"
; Barracuda
example.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:barracudanetworks.com -all"
Connector Configuration
After the MX change, configure connectors so the mail platform accepts inbound email only from the gateway's IP ranges; mail delivered straight to the platform's own hostnames would otherwise skip the gateway's filtering.
Microsoft 365 Connector:
# Create inbound connector (PowerShell)
New-InboundConnector -Name "Gateway Inbound" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses "192.0.2.0/24", "198.51.100.0/24" `
    -RequireTls $true
Google Workspace:
- Admin Console → Apps → Google Workspace → Gmail
- Hosts → Inbound Gateway
- Add gateway IPs and enable "Require TLS"
Spam Filtering Configuration
SpamAssassin Rules (Open Source)
# /etc/spamassassin/local.cf
# Required score to be considered spam
required_score 5.0

# Enable network checks
skip_rbl_checks 0
use_razor2 1
use_pyzor 1

# Bayes filtering
use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 6.0
bayes_auto_learn_threshold_nonspam 0.1

# Custom rules
# Match the bare address (From:addr), not the whole header: a display name and
# angle brackets ("Support <support@x.xyz>") would otherwise defeat the $ anchor.
header LOCAL_FROM_SUSPICIOUS From:addr =~ /^support@.*\.(xyz|top|click)$/i
score LOCAL_FROM_SUSPICIOUS 3.0
header LOCAL_SUBJECT_URGENT Subject =~ /urgent|immediately|action required/i
score LOCAL_SUBJECT_URGENT 1.5

# Whitelist trusted senders
whitelist_from *@trustedpartner.com
whitelist_from_rcvd *@vendor.com vendor.com

# Blacklist known bad
blacklist_from *@spammer.com
Rspamd Configuration
# /etc/rspamd/local.d/metrics.conf
actions {
    reject = 15;      # Reject emails scoring above 15
    add_header = 6;   # Add spam header above 6
    greylist = 4;     # Greylist above 4
}

# /etc/rspamd/local.d/multimap.conf
WHITELIST_FROM {
    type = "from";
    filter = "email:domain";
    map = "file:///etc/rspamd/whitelist_domains.txt";
    score = -5.0;
}

BLACKLIST_FROM {
    type = "from";
    filter = "email:domain";
    map = "file:///etc/rspamd/blacklist_domains.txt";
    score = 10.0;
}
Microsoft 365 Anti-Spam Policy
# Configure the default anti-spam policy
# LanguageBlockList takes ISO 639-1 language codes (ru, zh, pt);
# RegionBlockList takes ISO 3166-1 country codes (RU, CN, NG)
Set-HostedContentFilterPolicy -Identity Default `
    -BulkThreshold 6 `
    -HighConfidenceSpamAction Quarantine `
    -SpamAction MoveToJmf `
    -BulkSpamAction MoveToJmf `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -EnableLanguageBlockList $true `
    -LanguageBlockList "ru","zh","pt" `
    -EnableRegionBlockList $true `
    -RegionBlockList "RU","CN","NG" `
    -QuarantineRetentionPeriod 30 `
    -EndUserSpamNotificationFrequency 1
Phishing Protection
URL Rewriting and Sandboxing
Most SEGs rewrite URLs so the destination is scanned at click time, not only at delivery:
Original URL:
https://malicious-site.com/phishing-page
Rewritten URL (Proofpoint):
https://urldefense.proofpoint.com/v2/url?u=https-3A__malicious-2Dsite.com_phishing-2Dpage&d=...
Rewritten URL (Mimecast):
https://url.mimecast.com/s/abcd1234?domain=malicious-site.com
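As an added example (not from the page or either vendor), a small decoder for the two rewritten forms above, useful when an analyst needs the real destination behind a clicked link in mail or proxy logs: Proofpoint's v2 `u=` parameter is reversible offline (the `_` and `-XX` escapes visible in the example URL), while Mimecast's form only exposes the destination domain. The sample links are constructed and the `d=` token is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed examples of the two rewritten forms shown above plus an untouched
# link; the tracking token value is a placeholder, not real telemetry.
SAMPLE_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__malicious-2Dsite.com_phishing-2Dpage&d=PLACEHOLDER",
    "https://url.mimecast.com/s/abcd1234?domain=malicious-site.com",
    "https://example.org/not-rewritten",
]

def decode_proofpoint_v2(u_param: str) -> str:
    """Reverse the v2 'u=' encoding: '_' stands for '/', and '-XX' carries the
    hex value of the original byte ('-3A' -> ':', '-2D' -> '-', '-5F' -> '_')."""
    # Restore slashes first. A literal underscore in the original is encoded as
    # '-5F', so decoding the hex escapes afterwards cannot collide with this step.
    s = u_param.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def unwrap(url: str) -> dict:
    """Return the vendor that rewrote the link, the original URL where it can be
    recovered offline, and the destination domain an analyst would pivot on."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    if host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/url") and "u" in qs:
        original = decode_proofpoint_v2(qs["u"][0])
        return {"vendor": "proofpoint", "original": original,
                "domain": urlsplit(original).hostname}
    if host == "url.mimecast.com" and "domain" in qs:
        # Mimecast exposes only the destination domain in the query string; the
        # full target lives on the vendor side and is not recoverable offline.
        return {"vendor": "mimecast", "original": None, "domain": qs["domain"][0]}
    return {"vendor": None, "original": url, "domain": host}

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(unwrap(link))
```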
Safe Links Configuration (Microsoft 365)
# Create Safe Links policy
New-SafeLinksPolicy -Name "Company Safe Links" `
    -IsEnabled $true `
    -ScanUrls $true `
    -EnableForInternalSenders $true `
    -DeliverMessageAfterScan $true `
    -DisableUrlRewrite $false `
    -EnableOrganizationBranding $true `
    -DoNotTrackUserClicks $false `
    -DoNotRewriteUrls @("*.trustedsite.com", "*.internalapp.local")
Impersonation Protection
# Configure impersonation protection
# Each TargetedUsersToProtect entry has the form "DisplayName;EmailAddress"
Set-AntiPhishPolicy -Identity "Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "CEO;[email protected]" `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "example.com","subsidiary.com" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -TargetedUserProtectionAction Quarantine `
    -TargetedDomainProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true
Malware and Attachment Scanning
ClamAV Configuration (Open Source)
# /etc/clamav/freshclam.conf
# Signature updates are freshclam's job, not clamd's: 6 checks per day = every 4 hours
DatabaseMirror database.clamav.net
Checks 6

# /etc/clamav/clamd.conf
# Scan archive files and alert on encrypted archives, which cannot be inspected
# (the option was named ArchiveBlockEncrypted before ClamAV 0.101)
ScanArchive yes
AlertEncrypted yes

# File size limits
MaxFileSize 50M
MaxScanSize 100M

# Scan specific file types
ScanOLE2 yes
ScanPDF yes
ScanHTML yes
ScanMail yes

# Detect potentially unwanted applications
DetectPUA yes
Safe Attachments (Microsoft 365)
# Create Safe Attachments policy
New-SafeAttachmentPolicy -Name "Company Safe Attachments" `
    -Enable $true `
    -Action DynamicDelivery `
    -ActionOnError $true `
    -Redirect $true `
    -RedirectAddress "[email protected]"

# DynamicDelivery: Delivers email immediately, attachments scanned in background
# Block: Blocks detected malware
# Replace: Replaces attachment with warning
File Type Blocking
RECOMMENDED FILE BLOCKING POLICY

ALWAYS BLOCK (High Risk):
  .exe, .com, .bat, .cmd, .ps1, .vbs, .js, .jse, .wsf, .wsh
  .scr, .pif, .msi, .msp, .hta, .cpl, .msc, .dll
  .reg, .lnk, .inf, .scf

SCAN CAREFULLY (Medium Risk):
  .doc, .docm, .xls, .xlsm, .ppt, .pptm (macro-enabled Office)
  .pdf (can contain scripts)
  .zip, .rar, .7z, .tar.gz (scan contents)
  .iso, .img (disk images)

ALLOW WITH SCANNING (Lower Risk):
  .docx, .xlsx, .pptx (macro-free Office)
  .txt, .csv, .json, .xml
  .jpg, .png, .gif, .bmp
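Added example (not from the page): applying the three tiers above to the attachments of a MIME message with Python's standard email package. It covers the cases a gateway policy must get right: the double-extension name `Invoice.PDF.exe` is judged by its final extension, case is ignored, and names with no or an unknown extension are held for review rather than delivered. The sample message and the tier labels are constructed.

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extension tiers from the blocking policy above (lower-case, no leading dot).
ALWAYS_BLOCK = {"exe", "com", "bat", "cmd", "ps1", "vbs", "js", "jse", "wsf", "wsh",
                "scr", "pif", "msi", "msp", "hta", "cpl", "msc", "dll",
                "reg", "lnk", "inf", "scf"}
SCAN_CAREFULLY = {"doc", "docm", "xls", "xlsm", "ppt", "pptm", "pdf",
                  "zip", "rar", "7z", "gz", "tgz", "iso", "img"}
ALLOW_WITH_SCAN = {"docx", "xlsx", "pptx", "txt", "csv", "json", "xml",
                   "jpg", "png", "gif", "bmp"}

def classify_name(filename: str) -> str:
    """Map an attachment name to a policy tier. Only the final extension
    decides, so 'Invoice.PDF.exe' is blocked and 'report.tar.gz' is treated
    as an archive; names with no or an unknown extension are held for review."""
    name = posixpath.basename(filename.replace("\\", "/")).lower().rstrip(". ")
    if "." not in name:
        return "quarantine"
    ext = name.rsplit(".", 1)[1]
    if ext in ALWAYS_BLOCK:
        return "block"
    if ext in SCAN_CAREFULLY:
        return "scan_carefully"
    if ext in ALLOW_WITH_SCAN:
        return "allow_with_scan"
    return "quarantine"

def evaluate_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return {attachment name: tier}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename() or "": classify_name(part.get_filename() or "")
            for part in msg.iter_attachments()}

def build_sample() -> bytes:
    """Constructed test message: one attachment per tier, a double-extension
    name and an extension-less name; payloads are inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Attachment policy test"
    msg.set_content("See attached.")
    for name in ("report.docx", "scan.pdf", "Invoice.PDF.exe", "notes"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return bytes(msg)

if __name__ == "__main__":
    for fname, verdict in evaluate_message(build_sample()).items():
        print(f"{fname:20s} -> {verdict}")
```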
Data Loss Prevention (DLP)
DLP Policy Configuration
DLP POLICY FRAMEWORK

SENSITIVE DATA TYPES TO DETECT:

Financial:
  • Credit card numbers (PCI-DSS)
    Regex: \b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|...)\b
  • Bank account numbers
  • Financial statements keywords

Personally Identifiable Information (PII):
  • Social Security Numbers (US)
    Regex: \b[0-9]{3}-[0-9]{2}-[0-9]{4}\b
  • Driver's license numbers
  • Passport numbers
  • Date of birth + name combinations

Healthcare (HIPAA):
  • Medical record numbers
  • Health insurance IDs
  • Diagnosis codes (ICD-10)
  • Prescription information

Intellectual Property:
  • Source code patterns
  • Document classifications ("CONFIDENTIAL", "SECRET")
  • Project code names
  • Patent/trademark references
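Added example, not from the page: the two regexes above with the validity checks a DLP rule needs to keep its false-positive rate near the operational target. A Luhn check drops order numbers and IDs that merely look like cards, and SSN candidates in ranges the SSA never issues are discarded. The credit-card alternation is completed here with an American Express branch (an assumption; the page's list is truncated), and the sample text uses public test card numbers and a constructed SSN.

```python
import re

# Patterns from the DLP framework above. The card alternation is completed here
# with an American Express branch (assumption: 3[47] followed by 13 digits).
CARD_RE = re.compile(r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})\b")
SSN_RE = re.compile(r"\b([0-9]{3})-([0-9]{2})-([0-9]{4})\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit: rejects most order numbers and IDs that merely
    have a card-like length and prefix."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def ssn_ok(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial
    0000, so dash-separated numbers in those ranges are not SSNs."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_sensitive(text: str) -> dict:
    """Return only validated matches, the set a blocking rule should act on."""
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]
    return {"credit_cards": cards, "ssns": ssns}

# Constructed sample: public test card numbers (valid Luhn), one mistyped card,
# one well-formed SSN and two numbers in never-issued SSN ranges.
SAMPLE = (
    "Charge 4111111111111111 or 378282246310005, not 4111111111111112. "
    "Ref 5500000000000004. Employee SSN 123-45-6789; "
    "part numbers 000-12-3456 and 666-12-3456 are not SSNs."
)

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
```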
Microsoft 365 DLP Policy
# Create DLP policy for credit cards
New-DlpCompliancePolicy -Name "PCI-DSS Credit Card Policy" `
    -ExchangeLocation All `
    -Mode Enable

New-DlpComplianceRule -Name "Block External Credit Card Sharing" `
    -Policy "PCI-DSS Credit Card Policy" `
    -ContentContainsSensitiveInformation @{
        Name = "Credit Card Number"
        MinCount = 1
        MaxCount = -1
    } `
    -ExceptIfRecipientDomainIs "example.com","trustedpartner.com" `
    -BlockAccess $true `
    -NotifyUser "SenderNotifyOnly" `
    -NotifyEmailCustomText "This email was blocked because it contains credit card information."
Proofpoint DLP Rule
# Proofpoint DLP Policy
rules:
  - name: "Block SSN External"
    conditions:
      - type: "content"
        patterns:
          - name: "US SSN"
            regex: '\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b'
            min_count: 1
      - type: "recipient"
        external: true
    actions:
      - type: "block"
        reason: "Contains Social Security Numbers"
      - type: "notify"
        recipients:
          - "[email protected]"
Email Encryption
Policy-Based Encryption
EMAIL ENCRYPTION TRIGGERS

AUTOMATIC ENCRYPTION WHEN:

1. Keyword Triggers:
   [Encrypt], [Secure], [Confidential] in subject

2. Recipient Domain:
   External recipients (non-company domains)

3. Content Detection:
   Credit cards, SSN, PHI detected by DLP

4. Attachment Types:
   Specific file extensions or classifications

5. Manual Selection:
   User clicks "Encrypt" button in mail client

ENCRYPTION METHODS:

  Method            Description
  TLS (Transport)   Encrypted in transit between servers
  S/MIME            Certificate-based, end-to-end
  PGP               Key-based, end-to-end
  Portal            Recipient accesses via secure web portal
  Office 365 OME    Microsoft's message encryption service
Microsoft 365 Message Encryption
# Create encryption rule
New-TransportRule -Name "Encrypt External Confidential" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential","[Encrypt]" `
    -ApplyOME $true `
    -ApplyRightsProtectionTemplate "Encrypt"

# Create rule for DLP triggers
New-TransportRule -Name "Encrypt Credit Card Emails" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{
        Name = "Credit Card Number"
        MinCount = 1
    } `
    -ApplyOME $true
Quarantine Management
Best Practices
QUARANTINE MANAGEMENT FRAMEWORK

QUARANTINE CATEGORIES:

  Category          User Self-Service     Admin Action
  Spam              ✓ Can release         Review patterns
  Bulk mail         ✓ Can release         Tune threshold
  Phishing          ✗ Admin only          Investigate, block sender
  Malware           ✗ Admin only          Never release, report
  DLP violations    ✗ Admin only          Review, approve/deny
  Policy blocked    Depends on policy     Review policy

RETENTION:
  • Spam/Bulk: 14-30 days
  • Phishing: 30 days (for investigation)
  • Malware: 15 days then auto-delete
  • DLP: 30 days or as required by policy

NOTIFICATIONS:
  • Daily digest to users for spam/bulk
  • Immediate alert to security for phishing/malware
  • Weekly summary to admins
Microsoft 365 Quarantine Settings
# Configure quarantine policy
Set-QuarantinePolicy -Identity DefaultFullAccessPolicy `
    -EndUserQuarantinePermissionsValue 27 `
    -ESNEnabled $true

# Configure quarantine notifications
Set-HostedContentFilterPolicy -Identity Default `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 1 `
    -EndUserSpamNotificationLimit 50 `
    -EndUserSpamNotificationCustomFromAddress "[email protected]" `
    -EndUserSpamNotificationCustomFromName "Email Security"
Monitoring and Reporting
Key Metrics to Track
EMAIL SECURITY METRICS DASHBOARD

THREAT METRICS (Daily/Weekly)

  Metric                    Target        Alert Threshold
  Spam blocked              Track trend   >50% increase
  Phishing blocked          Track trend   >25% increase
  Malware blocked           Zero goal     Any detection
  BEC attempts blocked      Track trend   Any detection
  Impersonation attempts    Track trend   >10% increase

AUTHENTICATION METRICS (Daily)

  Metric                         Target   Alert Threshold
  SPF pass rate (legitimate)     >99%     <95%
  DKIM pass rate (legitimate)    >99%     <95%
  DMARC pass rate                >99%     <95%
  TLS encryption rate            >95%     <90%

OPERATIONAL METRICS

  Metric                     Target        Alert Threshold
  False positive rate        <0.1%         >1%
  Quarantine release rate    <5%           >10%
  DLP policy violations      Track trend   >25% increase
  User-reported phishing     Encourage     Track for patterns
  Delivery latency           <30 seconds   >2 minutes
Log Collection
# Syslog configuration for email gateway
# /etc/rsyslog.d/50-mailgateway.conf

# Send mail logs to SIEM (a single @ is UDP; use @@ for TCP delivery)
mail.* @siem.example.com:514

# Local logging with rotation
mail.* /var/log/mail/mailgateway.log
Testing Your Gateway
Malware Detection Test (EICAR)
# Create EICAR test file (harmless but triggers AV)
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.txt

# Email as attachment (should be blocked); -a attaches with bsd-mailx,
# GNU mailutils uses -A for attachments
echo "Test malware detection" | mail -a eicar.txt -s "Malware Test" [email protected]
Spam Detection Test (GTUBE)
# GTUBE string triggers spam filters
GTUBE="XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
echo "$GTUBE" | mail -s "Spam Test" [email protected]
Phishing Simulation
Use authorized phishing simulation platforms:
- KnowBe4
- Proofpoint Security Awareness
- Cofense PhishMe
- Microsoft Attack Simulator
Related Resources
- Email Authentication Complete Guide - Hub article
- SPF, DKIM, DMARC Overview - Authentication basics
- MTA-STS Guide - TLS enforcement
- Email Header Forensics - Investigate threats