
CLI: Example for Configuring Mail Filtering by Email Address or Attachment

This section provides an example for configuring mail filtering by email address or attachment on the FW that serves as the security gateway on the intranet.

Networking Requirements

An enterprise has about 200 employees who work for two departments: sales and R&D. In addition, the enterprise has a domain name of its own and deploys a mail server on the intranet.

Figure 1 Mail filtering networking diagram based on MIME header

The enterprise restricts mail transmission permissions to prevent confidential information from being leaked. Specifically:

  • In the R&D department, only a few employees can send and receive email; the others can receive but cannot send email.
  • In the sales department, all employees can send and receive email, but attachments cannot exceed 10 MB per email message.

Configuration Roadmap

  1. Construct the intranet for the enterprise and deploy the FW as the security gateway.

    • Add the mail server to the dmz.
    • Add all the employees in the sales department to the user-defined sale security zone.
    • Add all the employees in the R&D department to the user-defined research security zone.
    • Add the Internet to the untrust zone.
  2. Configure mail filtering.

    A mail filtering profile takes effect only when a security policy rule for an interzone references it, so plan the mail filtering policies per security zone pair.

    Purpose: Grant John and Jane the permission to send and receive email, and grant the other employees in the R&D department only the permission to receive email.
    Configuration roadmap: Enable the mail address check in the sending direction between the research zone and the dmz to filter email based on sender addresses. Only John and Jane are permitted to send email.

    Purpose: Grant all employees in the sales department the permission to send and receive email, but restrict the attachment size per email message to a maximum of 10 MB.
    Configuration roadmap: Enable mail attachment control in the sending direction between the sale zone and the dmz to restrict the maximum attachment size to 10 MB.

    Both checks inspect the SMTP session as the FW sees it. If clients submit mail over TLS, the FW cannot read the sender address or the attachment, and the sender address is whatever the mail client presents rather than an identity the FW authenticates. The mail server should therefore still enforce which accounts may send.

Procedure

  1. Set the interface IP address and add the interface to a security zone.
    1. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit

    2. Set an IP address for GigabitEthernet 0/0/2 and assign the interface to the dmz.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 10.2.0.1 24
      [FW-GigabitEthernet0/0/2] quit
      [FW] firewall zone dmz
      [FW-zone-dmz] add interface GigabitEthernet 0/0/2
      [FW-zone-dmz] quit

    3. Set an IP address for GigabitEthernet 0/0/3, create the security zone sale, and assign the interface to it.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone name sale
      [FW-zone-sale] set priority 60
      [FW-zone-sale] add interface GigabitEthernet 0/0/3
      [FW-zone-sale] quit

    4. Set an IP address for GigabitEthernet 0/0/4, create the security zone research, and assign the interface to it.

      [FW] interface GigabitEthernet 0/0/4
      [FW-GigabitEthernet0/0/4] ip address 10.4.0.1 24
      [FW-GigabitEthernet0/0/4] quit
      [FW] firewall zone name research
      [FW-zone-research] set priority 70
      [FW-zone-research] add interface GigabitEthernet 0/0/4
      [FW-zone-research] quit

  2. Enable the mail attachment control in the sending direction between the sale zone and the dmz to restrict the maximum attachment size to 10 MB.
    1. Create a mail filtering profile.

      [FW] profile type mail-filter name profile_mail_sale_dmz
      [FW-profile-mail-filter-profile_mail_sale_dmz] send-mail attachment max-size enable
      [FW-profile-mail-filter-profile_mail_sale_dmz] send-mail attachment max-size 10240 action block
      [FW-profile-mail-filter-profile_mail_sale_dmz] quit

    2. Configure a security policy for the sale -> dmz interzone.

      [FW] security-policy
      [FW-policy-security] rule name policy_sec_sale_dmz
      [FW-policy-security-rule-policy_sec_sale_dmz] source-zone sale
      [FW-policy-security-rule-policy_sec_sale_dmz] destination-zone dmz
      [FW-policy-security-rule-policy_sec_sale_dmz] profile mail-filter profile_mail_sale_dmz
      [FW-policy-security-rule-policy_sec_sale_dmz] action permit
      [FW-policy-security-rule-policy_sec_sale_dmz] quit
      [FW-policy-security] quit

  3. Enable the mail address check in the sending direction between the research zone and the dmz to filter out email based on the sender email addresses. Only John and Jane are permitted to send email.
    1. Create a mail address group for John and Jane.

      [FW] mail-address-group name mail_group_research
      [FW-mail-address-group-mail_group_research] pattern exact john_example@huawei.com
      [FW-mail-address-group-mail_group_research] pattern exact jane_example@huawei.com
      [FW-mail-address-group-mail_group_research] quit

    2. Create a mail filtering profile.

      [FW] profile type mail-filter name profile_mail_research_dmz
      [FW-profile-mail-filter-profile_mail_research_dmz] send-mail sender filter-mode allow
      [FW-profile-mail-filter-profile_mail_research_dmz] send-mail sender group name mail_group_research
      [FW-profile-mail-filter-profile_mail_research_dmz] quit

    3. Configure a security policy for the research -> dmz interzone.

      [FW] security-policy
      [FW-policy-security] rule name policy_sec_research_dmz
      [FW-policy-security-rule-policy_sec_research_dmz] source-zone research
      [FW-policy-security-rule-policy_sec_research_dmz] destination-zone dmz
      [FW-policy-security-rule-policy_sec_research_dmz] profile mail-filter profile_mail_research_dmz
      [FW-policy-security-rule-policy_sec_research_dmz] action permit
      [FW-policy-security-rule-policy_sec_research_dmz] quit
      [FW-policy-security] quit

  4. Commit the content security profiles.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: MAIL submitted configurations successfully.
    Info: Finish committing engine compiling.
    

Configuration Scripts

#
sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/4
 undo shutdown
 ip address 10.4.0.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
firewall zone name sale id 4
 set priority 60
 add interface GigabitEthernet0/0/3
#
firewall zone name research id 5
 set priority 70
 add interface GigabitEthernet0/0/4
#
mail-address-group name mail_group_research
 pattern exact john_example@huawei.com
 pattern exact jane_example@huawei.com
#
profile type mail-filter name profile_mail_research_dmz
 send-mail sender filter-mode allow
 send-mail sender group name mail_group_research
#
profile type mail-filter name profile_mail_sale_dmz
 send-mail attachment max-size 10240 action block
#
security-policy
 rule name policy_sec_sale_dmz
  source-zone sale
  destination-zone dmz
  profile mail-filter profile_mail_sale_dmz
  action permit
 rule name policy_sec_research_dmz
  source-zone research
  destination-zone dmz
  profile mail-filter profile_mail_research_dmz
  action permit
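Before committing a configuration like the one above, it is worth checking offline that the policy rules and profiles together still express the roadmap (only John and Jane may send from the research zone; nothing over 10 MB leaves the sale zone). The following Python script is an added example and is not part of this documentation or of the FW software: it parses the configuration script above (embedded as a constructed sample, with the interface and zone blocks left out) and replays constructed outbound messages against the rule that matches their source zone. The filter semantics it models are assumptions taken from this page's description (filter-mode allow with a sender group permits only the listed senders; attachment max-size is in KB and larger attachments get the configured action; policy rules match top-down with an implicit deny), and the sender addresses other than John's and Jane's are invented.

```python
"""Offline replay of the mail-filter policy in the configuration script above (added example)."""
import re

# The page's own configuration script, embedded as a constructed sample
# (interface and zone blocks omitted; they do not affect the mail filter).
CONFIG = """\
#
mail-address-group name mail_group_research
 pattern exact john_example@huawei.com
 pattern exact jane_example@huawei.com
#
profile type mail-filter name profile_mail_research_dmz
 send-mail sender filter-mode allow
 send-mail sender group name mail_group_research
#
profile type mail-filter name profile_mail_sale_dmz
 send-mail attachment max-size 10240 action block
#
security-policy
 rule name policy_sec_sale_dmz
  source-zone sale
  destination-zone dmz
  profile mail-filter profile_mail_sale_dmz
  action permit
 rule name policy_sec_research_dmz
  source-zone research
  destination-zone dmz
  profile mail-filter profile_mail_research_dmz
  action permit
"""

def parse_config(text):
    """Parse address groups, mail-filter profiles and policy rules from the indented
    VRP-style script. '#' closes a block; each rule under security-policy is a block."""
    groups, profiles, rules = {}, {}, []
    cur = None                                   # dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"mail-address-group name (\S+)", line):
            cur = groups[m[1]] = {"members": set()}
        elif m := re.match(r"profile type mail-filter name (\S+)", line):
            cur = profiles[m[1]] = {}
        elif m := re.match(r"rule name (\S+)", line):
            cur = {"name": m[1]}
            rules.append(cur)
        elif line == "#":
            cur = None
        elif cur is None:
            continue                             # e.g. the bare 'security-policy' line
        elif m := re.match(r"pattern exact (\S+)", line):
            cur["members"].add(m[1].lower())     # case-insensitive match (assumption)
        elif m := re.match(r"send-mail sender filter-mode (\S+)", line):
            cur["sender_mode"] = m[1]
        elif m := re.match(r"send-mail sender group name (\S+)", line):
            cur["sender_group"] = m[1]
        elif m := re.match(r"send-mail attachment max-size (\d+) action (\S+)", line):
            cur["max_kb"], cur["att_action"] = int(m[1]), m[2]   # KB, per the page (10240 = 10 MB)
        elif m := re.match(r"(source-zone|destination-zone|action) (\S+)", line):
            cur[m[1]] = m[2]
        elif m := re.match(r"profile mail-filter (\S+)", line):
            cur["mail_profile"] = m[1]
    return groups, profiles, rules

def rule_for(rules, src, dst):
    """Policy rules match top-down; the first rule for the interzone decides."""
    return next((r for r in rules
                 if r.get("source-zone") == src and r.get("destination-zone") == dst), None)

def check_outbound(cfg, src_zone, sender, attachment_kb):
    """Verdict (action, reason) for one SMTP submission from src_zone to the dmz mail server.
    Modelled semantics are an assumption from the page: 'allow' mode permits only listed
    senders; an attachment larger than max-size KB gets the configured action."""
    groups, profiles, rules = cfg
    rule = rule_for(rules, src_zone, "dmz")
    if rule is None or rule.get("action") != "permit":
        return "deny", "no permit rule for this interzone (implicit deny)"
    prof = profiles.get(rule.get("mail_profile"))
    if prof is None:
        return "permit", "rule has no mail-filter profile"
    if prof.get("sender_mode") == "allow":
        members = groups.get(prof.get("sender_group"), {}).get("members", set())
        if sender.lower() not in members:
            return "block", f"sender {sender} not in {prof['sender_group']}"
    if "max_kb" in prof and attachment_kb > prof["max_kb"]:
        return prof["att_action"], f"attachment {attachment_kb} KB exceeds {prof['max_kb']} KB"
    return "permit", f"passed {rule['mail_profile']}"

def audit(cfg):
    """Findings against the roadmap on this page; an empty list means the config matches."""
    _, profiles, rules = cfg
    findings = [f"{r['name']}: permits traffic to the dmz without a mail-filter profile"
                for r in rules if r.get("destination-zone") == "dmz"
                and r.get("action") == "permit" and "mail_profile" not in r]
    findings += [f"{r['name']}: references missing profile {r['mail_profile']}"
                 for r in rules if r.get("mail_profile") and r["mail_profile"] not in profiles]
    if check_outbound(cfg, "research", "bob_example@huawei.com", 1)[0] != "block":
        findings.append("research->dmz: an R&D sender outside the group is not blocked")
    if check_outbound(cfg, "sale", "amy_example@huawei.com", 10241)[0] != "block":
        findings.append("sale->dmz: an attachment over 10 MB is not blocked")
    return findings

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for zone, sender, kb in [("research", "john_example@huawei.com", 500),   # constructed messages
                             ("research", "bob_example@huawei.com", 500),
                             ("sale", "amy_example@huawei.com", 20480),
                             ("sale", "amy_example@huawei.com", 10240)]:
        print(f"{zone:8} {sender:26} {kb:6} KB -> {check_outbound(cfg, zone, sender, kb)}")
    print("audit findings:", audit(cfg) or "none")
```

Running the script prints one verdict per constructed message; audit() returns an empty list for the configuration on this page and a finding if, for example, a permit rule to the dmz is added without a mail-filter profile, which is the easiest way to silently bypass both checks when a second rule is inserted above these two.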
Copyright © Huawei Technologies Co., Ltd.