Mailscreen FAQ

Settings can be adjusted from the Spam tab under Company Settings.
Most of these same settings can also be set from the Spam tab under each individual User (or Functional Account). The spam engine behavior is actually based on each individual user's spam settings. Company Settings > Spam are used as a default for any new user(s) created.

Some users might need different spam filter levels or options set. End Users (and admins) can manage their own filter settings.

Silent Users also have personal, customizable settings - but these must be set and managed by an admin. They don't have access to login and manage their own settings.

Enable The Anti-Spoofing Feature

First you need to enable the Anti-spoofing feature for the organization.

1. Navigate to Administration > Account Management > Features
2. Check the box labeled 'Enable Anti-Spoofing Policies'
3. Click Save

Configure Anti-Spoofing Policy

Once the Feature is enabled, you will need to configure the anti-spoofing policy you wish to apply to the organization.

4. Navigate to Security Settings > Malicious Content > Anti-Spoofing

There are three separate policies available to configure.

Inbound DMARC

5. Check the option you wish to apply for inbound DMARC policy evaluation

The recommended configuration for this policy is "Allow the sending domain's DMARC policy to determine whether or not to block messages.".If the sending domain has a published DMARC policy, this will prevent unauthorized senders from spoofing the foreign domain.

If "Ignore the sending domain's DMARC policy, but log the result" is chosen, messages that fail the DMARC check will be passed through the system. The result will be logged in logs and in the message's header.

Inbound DKIM

6. Check the options you wish to apply for inbound DKIM policy evaluation.

If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the message to see if it has been signed with DKIM. There are three results which can be acted on:

Inbound SPF

7. Check options you wish to apply for inbound SPF policy evaluation.

If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the sender's SPF policy (if it exists) and these policies will apply. There are three results which can be acted on:

8. Click Save

In addition, for each Anti-Spoofing policy, a list of exceptions can be created to exclude individual domains from the policies.

This feature has a wide range of settings (2 - 22) which endeavor to meet the needs of all users. It is possible to manage each user's spam trigger threshold by adjusting this slider to a trigger level more closely to their needs. The range includes:

Very Strict: 2 - 3
Strict: 4 - 5
Standard: 6 - 8
Loose: 9 - 14
Very Loose: 15 – 22

Within each of these ranges is a fine tuning range to keep detection in as small steps of increment that is required to detect and manage modern sophisticated botnets. Spam sliders and adjustments of trigger levels are available per user and per organisation. (The lower the trigger level, the more spam is stopped. The higher the trigger level, the less we stop spam.)

This setting allows the admin to determine who will have the ability to release messages from quarantine. If set to "User can release", each user can release their own messages from the quarantine using any of the available means.

If set to "Admin release only", users will be able to preview quarantined messages, but only an admin will be able to release the message from quarantine. If a user tries to release a message from quarantine from their quarantine digest report they will get the message "Email cannot be released without admin privileges, please contact your administrator"

When an Inbound mail arrives, we scan and score the email. Part of the score is based on whether or not our engine identifies the message as a phishing attempt.

If the message is identified as "phishing" it will add points to the total score. If this option is selected, it will add more points to the total score - making it more likely that the message will be quarantined.

If this option is unselected, it will still add points, but not as many - so the message would likely need additional factors to add enough points to exceed the threshold to be quarantined.

If the total score is above your sensitivity setting, it will be quarantined. If the total score is below your sensitivity setting, it will still not be quarantined - even though you have this option checked.

Similar to the above description for the Quarantine release policy. If this is set to "Yes" any message that is identified as a phishing attempt can not be released by an End User or Silent User. If they attempt to release a phishing message from quarantine, they will receive the error described above and be directed to contact their admin to release the message.

If this is set to "No", phishing messages will be treated like any other quarantined message and can be released by the user.

NOTE: If the Quarantine release policy is set to "Admin release only", this option is grayed out since it becomes irrelevant. If EVERY quarantined message requires admin privileges to release, then of course the same would apply to phishing messages.

Quarantine bulk email will quarantine emails if they are scanned and are identified as “Confirmed Bulk Email” based on numerous factors also of your spam sensitivity level.

When an Inbound mail arrives, and the spam setting “Quarantine bulk email” is checked. We scan the email and add additional bulk factors to the email if found to be a “Bulk” email.

Depending on your Spam Sensitivity Trigger Level if the email is “Confirmed Bulk Email”, this will add factors. If the overall results over your trigger level, it will be quarantined. If the overall results below your trigger level, It will not be quarantined.

Most users want their spam filters on. But they might want to forward spam through to Customer Support for further analysis. To allow potential spam to get through, you could choose to enable Spam stamp & forward for the email addresses used by Customer Support, for example. The following settings are available:

No - (Default Setting) Quarantine spam email. Deliver all others

All - Deliver all messages, but stamp spam email with the subject tag below.

Partial - Delivery non-spam email normally. Quarantine very spammy email. Deliver moderately spammy email stamped with the subject tag below.

This is the actual text that will be added to the beginning of the subject line of emails classified as spam if Spam stamp & forward is enabled. The default setting is ***Spam***, but this can be changed based on your preference.

When enabled, the “Inbound sender DNS check” provides an additional validation on the domain of the sender on inbound email. The validation includes:

Sender Domain MX Records

A message will be rejected if the MAIL FROM domain has:

No DNS A or MX record, or

A malformed MX record such as a record with a zero-length MX hostname

Sender Domain MX Records that point to private / reserved IP ranges

This signals a severe DNS misconfiguration and as a result we would reject the message.

Update spam detection settings above for all existing user accounts

This checkbox, found next to the Save button is extremely important. This will push the above settings to all users (regardless of their personal settings currently set). Without checking this box, any changes you make in the Company Spam Settings will only apply to new users created after these changes are made. To apply your changes to existing users, you must check this box before saving.

MX records

MX 10 mx1-eu1.ppe-hosted.com

MX 10 mx2-eu1.ppe-hosted.com

SPF record

Include following spf host in your current SPF record

a:dispatch-eu.ppe-hosted.com

Example

"v=spf1 a:dispatch-eu.ppe-hosted.com ~all

outbound-eu1.ppe-hosted.com

PORTS

SMTP (TCP) 25

LDAP (TCP) 389

LDAP SSL (TCP) 636


INCLUDE

91.209.104.0/24

91.207.212.0/24

91.207.213.0/24

62.209.50.0/24

62.209.51.0/24

185.132.180.0/24

185.132.181.0/24

185.132.182.0/24

185.132.183.0/24

185.183.28.0/22


CIDR BREAKDOWN FOR

185.183.28.0/22

185.183.28.0/24

185.183.29.0/24

185.183.30.0/24

185.183.31.0/24

1. Sign-In to the Office 365 Admin portal.

2. Click on Admin > Exchange

This will launch Exchange Admin Center

3. Click mail flow > rules.

4. Click + icon to access the pull-down menu.

5. Select By-pass spam filtering

6. In the new rule window, complete the required fields:

Enter a value for Name (e.g. “By-pass Spam filtering for Mailscreen”)

• • For “Apply this rule if…” select “The sender...IP address is in any of these ranges or exactly matches”

  • Add Mailscreen IP addresses to the list.

    Type in the address followed by the + icon

    Repeat for each IP address

  • Ensure Set the Spam Confidence Lvel (SCL) to is selected in the Do the following... menu

  • Click Save.

1. Click Add Action,

2. Select "Modify the message properties" and "set a message header"

3. Set the message header: "X-MS-Exchange-Organization-SkipSafeLinksProcessing and value: 1"

4. Click Save.

An inbound connector is used to manage mail traffic between Microsoft 365 and Mailscreen.

1. While accessing the Exchange Admin Center, click mail flow then connectors.

2. Click + to launch control.

3. For “From” select “Partner Organization”.

4. For “To” select “Office 365”.

5. Click Next.

6. Enter a value for Name (e.g. “Mailscreen Inbound Connector”).

7. (Optional) Enter a value for Description (e.g. Inbound connector for Mailscreen").

8. Uncheck the turn it on setting. You will turn this outbound connector on once you are ready to cutover mail flow.

9. Click Next.

10. Select Use the sender's IP address.

11. Click Next.

12. Click +.

13. Add Mailscreen IP addresses to the list.

Click +.

Type in the address followed by OK.

Repeat for each IP address.

14. Click Next.

15. Ensure Reject email messages if they aren't over TLS is checked.

16. Click Next.

17. Click Save.

1. Sign-In to the Microsoft 365 Admin portal.

2. Click on Admin > Exchange.

This will launch Exchange Admin Center

3. Click Mail Flow > Connectors.

4. Click + to access menu.

5. For “From” select “Office 365”.

6. For “To” select “Partner Organization”.

7. Click Next.

8. Enter a value for Name (e.g. “Mailscreen”).

9. Enter a value for Description (e.g. Outbound connector for Mailscreen").

10. Uncheck the turn it on setting. You will turn this outbound connector on once you are ready to cutover mail flow.

11. Click Next.

12. For “When do you want to use this connector?” select “Only when email messages are sent to these domains”.

13. Click +.

14. Enter * to specify all domains.

15. Click OK.

16. Click Next.

17. For “How do you want to route email messages? “select “Route email through these smart hosts”.

18. Click + and enter your Mailscreen smart host value (outbound-eu1.ppe-hosted.com).

19. Click Save.

20. Click Next.

21. For “How should Office 365 connect to your partner organization's email server?” choose your preferred approach.

"If you choose “Always use Transport Layer Security (TLS) to secure the connection”, please choose “Any digital certificate, including self-signed certificates“.

22. Click Next.

23. Click Next.

24. Click + icon and enter an email address for validation.

25. Click OK.

26. Click Validate.

27. Click Save.

Customers hosted on Office365 may prefer to use Azure Active Directory to sync users and groups to Mailscreen. This will allow you to import:

· Active users (including both primary email address and user aliases)

· Distribution Groups

· Security Groups

Creating the Custom Application in Azure

1. Login to your Microsoft Azure portal as an admin user through https://aad.portal.azure.com
   
2. Navigate to Azure Active Directory > App Registrations > + New Registration
   
3. Enter a name for the application (i.e. Mailscreen Azure Sync).
   
4. Under Supported account types leave the default of 'Accounts in this organizational directory only (COMPANY NAME)'
   
5. Under the 'Redirect URI (optional)'
   

· Leave the default of "Web"

· Enter the Mailscreen interface URL: https://mailscreen.cloud-protect.net

6. Click Register.
   
7. You will now be able to view this app from the App Registrations view.
   
8. Copy your Application ID for future use. This will be the Application ID in Mailscreen

Permissions

1. In the Application ID just created, click on API Permissions > Add a permission > Microsoft API Graph

2. Ensure the following permissions are checked:

Delegated Permissions:

Directory

Directory.Read.All

Group

Group.Read.All

User

User.ReadBasic.All

Application Permissions

Directory

Directory.Read.All

3. Select Add Permissions (at the bottom)

4. Select Grant Admin Consent for <Company Name>

5. Select 'Yes' at the top

Key (Secret)

1. Navigate to Certificates and Secrets > + New Client Secret.
2. Enter a Key Description.
3. Choose a duration
4. Click Add.
5. The Key value will be displayed when you save the changes. Copy down the key value, as you will NOT be able to retrieve it after leaving the page.

Configuring Azure Within Mailscreen Interface

After logging into your Mailscreen interface (such as https://mailscreen.cloud-protect.net)

1. Navigate to User Management > Import & Sync > Azure Directory Sync.
   
   
2. Set the Default New User Role to either End User or Silent User.
   

End Users

Can login to the Mailscreen Admin Console and receive Quarantine Digests

Silent Users

Do not have access to the Mailscreen Admin console, nor do they receive Quarantine Digests by default, but can enabled.

3. Enter the below information:
   
   

4. Choose What to Sync by checking/unchecking the following fields:
   
   

Active Users

Distribution Groups

Security Groups

5. Choose How to Sync by checking/unchecking the following fields:

6. Choose When to Sync by selecting from the options under the Sync Frequencydropdown menu.
   

1 hour

3 hours

6 hours

12 hours

24 hours

Click Save at the bottom of the page. 

The page will refresh, and a prompt will confirm that the settings have been saved.

Prepare Your Environment

If you have Active Directory located on your premises, you can use Mailscreen Active Directory Sync option to add an automatically sync user accounts and groups between environments.

Before you begin, you will need the following:

1. An inbound connection that allows Mailscreen IP range to connect to your domain controller

2. A user account with read permissions to Active Directory, we recommend creating a username like “mailscreen-ad-sync” so you recognize this user as a service account for the Mailscreen services.

3. A user account with administrator privileges to Mailscreen

4. The Base DN (Distinguished Name)

· The Base DN is the starting point for directory server searches

· For example: DC=mycompany,DC=com, the Connector starts from this DN to create the list of users and groups to sync

The standard protocol for reading data to Active Directory is LDAP. LDAP traffic is unsecured by default. To make LDAP traffic secure, you can use the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols. This combination is referred to as LDAP over SSL -- or LDAPS.

To setup your domain controller to accept LDAP over SSL, please refer to the following Microsoft article:

https://support.microsoft.com/en-ca/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

1. Log in to the user interface

2. Navigate to User Management > Import & Sync > Active Direcotry Sync.

3. Select the default role that should be used for user accounts that are added to Mailscreen

Silent User

A user account with a silent user role will receive the quarantine digest email but will not have login rights to the interface

End User

A user account with an end user role Will receive the quarantine digest email and will have login rights to the interface

4. Specify the IP address or hostname of your Active Directory that Mailscreen will connect to

5. Specify the username and password of the account that Mailscreen should use to connect to your Active Directory

6. Select the connection port that Mailscreen should use

· LDAP (389)

· LDAP over SSL (636) (recommended)

7. Enter the Base DN that Mailscreen should use to connect to your Active Directory

8. Choose what you would like Mailscreen to sync:

· Active users

· Disabled user accounts

· Functional accounts

· Security groups

· Include items hidden from the GAL

9. Choose how you would like Mailscreen to sync:

1. Add

Create new user accounts and groups

2. Sync updated accounts

Update existing user accounts and groups

3. Delete removed accounts

Remove accounts from Mailscreen that are no longer found in Active Directory

4. Sync frequency

Never

1 hour

3 hours

6 hours

12 hours

24 hours

Another way to provision users to the service is with SMTP Discovery. When enabled, SMTP Discovery allows email to be relayed to non-licensed users. Users become licensed users when one of the following occurs:

Manually added within a span of 30 days.

A specified number of valid messages are received for that unique address.

One valid message has been sent outbound from your email server via the Mailscreen platform.

An administrator can change the SMTP Discovery settings.

Please Note:
Users will only be automatically added for received messages if Expired Addresses Default to New User is enabled, and only added automatically for outbound if Auto-add New Users Detected via Outbound is enabled (both under the SMTP Discovery settings.) If these options are not used, they will need to be added via the Discovered list within the New User report, or via the SMTP Discovery report under User Management > SMTP Discovery.

Enable or disable SMTP Discovery

1. Navigate to Account Management > Features.

2. Disable (uncheck) or Enable (check) the SMTP Discovery checkbox.

3. Click Save.

Configure SMTP Discovery settings

1. Navigate to Account Management > SMTP Discovery

2. Choose the default privileges type for new users.

End User: Receive the quarantined digest and can login to the Mailscreen user interface.

Silent User: Receive the quarantine digest and are not granted access to login to the Mailscreen user interface.

3. Select Inbound Detection Threshold.

· The number of clean emails in a 1-month period before the address appears on the SMTP Discovery list.

4. Choose how many times you would like to be notified about an address before it expires.

· The named technical contact will receive a weekly notification of discovered addresses. This selection determines the number of notifications, which will be delivered before an address expires. Mailscreen will not deliver email to an expired address.

5. Disable (uncheck) or Enable (check) if expired addresses default to new users.

· This setting may create new users. As a result, this option can only be controlled by the Organization Administrator.

6. Disable (uncheck) or Enable (check) if aliases should be automatically associated with accounts.

7. Disable (uncheck) or Enable (check) if users detected via outbound should become licensed.

· This setting may create new users. As a result, this option can only be controlled by the Organization Administrator.

8. Disable (uncheck) or Enable (check) to send out a report on new users.

9. Disable (uncheck) or Enable (check) to send out a report on new aliases.

10. Disable (uncheck) or Enable (check) to include the administrator contact in report.

11. Click Save.

SMTP Discovery management

Choosing the SMTP Discovery method to add customer accounts will require a certain amount of on-going management attention and administration to ensure accounts are up to date and license balances are accurate.

To make this process more manageable for you we have added the ability for partners to set the following specifications:

1. Choose what Mailscreen should do with newly discovered addresses.

2. Decide how we should manage these new addresses for you.

3. Stipulate what notifications we should send.

Please configure these new options for your entire user-base or on a per-customer basis and make the changes as soon as possible. The new settings will not take effect until the options are fully configured, otherwise the current SMTP settings will remain active or the defaults will become activated.

We continue to recommend LDAP (Active Directory) as the preferred option for adding new customer accounts as it’s the most accurate and requires minimal on-going management (set and forget) as it updates automatically itself every 24hours.

Where LDAP is not possible however please configure the following options for SMTP discovery. Please note, the SMTP Discovery process executes 4 times a day, so you may see some delay in discovered addresses appearing in the interface.

SMTP Discovery settings

These settings will allow you to specify what Mailscreen should do with newly discovered addresses, choose how we manage these and stipulate what notifications we should send.

Default New User Privileges: Select the default user type, Silent Users will not receive Welcome emails or be able to log on to the interface, End Users will have both.

Inbound Detection Threshold: Select how many clean emails Mailscreen must detect before the email address appears on the SMTP discovery list.

How many times would you like to be notified about an address...: Choose the number of weekly SMTP Discovery report notifications you would like to receive before the email address expires from the SMTP discovery list.

Expired Addresses Default to New User: Selecting this option enables you to specify that any email address which has expired from the SMTP discovery list is added as a new user rather than being marked as invalid. NB. An invalid address will no longer receive email.

Auto-add Detected Alias Addresses: Select this option to allow SMTP Discovery to add detected alias addresses automatically. NB. Mailscreen has logic in place to help us deduce as far as possible an alias address for a user e.g. joe.bloggs@company.com could be an alias of j.bloggs@company.com. However, a less obvious alias should be added manually to avoid being misconstrued as a user and the associated licensing implications.

Auto-add New Users Detected via Outbound: You can select this option if you wish SMTP Discovery to automatically add to the system any new address which is detected as sending outbound email.

Report On New Users: Select this option if you wish for Mailscreen to send a confirmation to the technical and/or admin contact, notifying them that a new user has been added by SMTP Discovery.

Report On New Aliases: Selecting this option will prompt Mailscreen to send out a confirmation to the technical and/or admin contact associated with an account, notifying them that an alias address has been added by SMTP Discovery.

Include Admin Contact in the Report: Select this option if you require the Admin Contact to be sent the Report as well as the Tech contact.

Adding discovered users via the Web Interface

1. Navigate to User Management > SMTP Discovery

2. Use the pulldown to select Discovered List for discovered accounts or Marked Invalid for accounts that have been marked invalid (and can no longer receive messages.)

3. Click the check box next to any accounts you would like to have added as users.

4. Change the pulldown next to the Apply button to Create user account (to add as a normal user), Create function account (to add as a functional account), or Mark as invalid (to move them to the Marked Invalid List. This prevents them from receiving any emails.)

5. Click Apply.

Note:
SMTP Discovery will be disabled if LDAP 24-hour sync is enabled.

Configure Mailscreen

While logged into the Mailscreen user interface, Navigate to Account Management > Domains tab.

Click Managed Hosted Services.

Choose Microsoft 365.

Click Save.

Azure Active Directory SSO Integration

Mailscreen supports integration with Identity Providers for authentication adhering to Security Assertion Markup Language (SAML) standards. Multiple identity providers for an organization are fully supported. Mailscreen supports single sign-on (SSO) via Security Assertion Markup Language. When working with an external IdP, it can be set up as your identity provider (IdP) for SSO to Mailscreen Console.

Create SAML/SSO Configuration in Mailscreen Console

1. Navigate to Administration > Account Management > Identity Providers.
2. At the top right-hand corner, click ADD IDENTITY PROVIDER.
3. In the New Identity Provider dialog panel, add a meaningful name and description to the Identity Provider. The given name will display on the Identity Provider button on the main login screen.
4. In the Icon section, select the appropriate icon according to your desired integration. (Microsoft)
5. Click Next

Configuring SAML/SSO in Azure Portal

1. Log into Microsoft Azure portal as administrator.
2. Go to Azure Active Directory > Enterprise applications.
3. Click New Application then Create your own application.
4. Give your app a name and select Integrate any other application you don't find in the gallery (Non-gallery).
5. Click Create.
6. Navigate to Properties.
7. Change Assignment required? to No and save. If this option is set to yes, then users and other apps or services must first be assigned this application before being able to access it.
8. Go to Single sign-on > SAML and edit Basic SAML Configuration.
9. Copy and paste the values from Mailscreen Identity Provider setup into the Basic SAML Configuration fields.
10. Click Save and Close panel.
11. On the same page, under SAML Signing Certificate click Edit.
12. Change Signing Option to Sign SAML response and assertion
13. Click Save and Close panel.
14. Next, download Certificate (Base64).
15. Under step 4, copy and paste the values into Mailscreen Identity Provider setup:
    1. Azure AD Identifier -> Identity Provider Single SignOn URL
    2. Login URL -> Identity Provider Login URL
    3. Logout URL -> Identity Provider Logout URL
    4. Certificate from Step 11 -> Identity Provider X.509 Certificate
16. Click Enable Single Sign-On. When enabled, the Identity Provider Sign in with button will display on main login screen.
17. Click Save and Close.