WeCloud Security. Administrator's Guide

Transcription

1 WeCloud Security Administrator's Guide

2 WeCloud Security Administrator's Guide WeCloud Security provides a variety of useful features within a user-friendly web console to manage the functions including whitelisting of sender domains, releasing an from quarantine and forensic search capability of logs. This document provides a detailed description of all features and settings enabling you to quickly and easily take advantage of WeCloud Security. Please note that all screenshots in this guide are from WeCloud s development environment so there could be minor differences from the public clouds. If you feel that we missed out on something you expected to find in this guide, please tell our support. WeCloud Operating Status: Operating status: Administration: Scandinavian Cloud: International Cloud: Partner Administration: Scandinavian Cloud: International Cloud: Contact Information: Support: support@wecloud.com Order: order@wecloud.com Renewal: renewal@wecloud.com Date: Version: 17.05

3 New features in version Below are the release notes for version including a brief description of the new features introduced in this release. New Statistics A brand new statistics module is being introduced. The new module offers an updated graphical design, as well as additional data and details such as top-malware, per-user-stats, top-senders and archive usage. 2-Factor authentication To improve security and privacy we introduce the option to require SMS-verification passcodes in addition to username/password for administrator access to the Security Portal. IP-adress restricted access To improve security and privacy we introduce the option to restrict access to the customers Security Portal from selected IP-numbers or IP-ranges. Filter by custom header Option to quarantine s based on custom headers or header values. s triggering the custom header rules can either be stored in the regular spam quarantine (and thus available to end-users) or in the admin quarantine (and thus only available to admins). VBA Macro Detection s containing attached Microsoft Office files with active content (VBS Macros) may now be detected and blocked. The setting may be applied to a company profile, domain or a specific user. Brute force protection Extended brute-force protection to improve security and privacy. Automatic lock-out if brute force attempts are detected. Option to disable spam feedback The WeCloud Security system is continuously sending feedback containing spam, IP, sender, FP's and more from the live flow to improve the hitrate and quality of filter. New option introduced with this release allows for disabling of spam feedback on a per-customer-level. Please contact WeCloud support if you want to disable spam feedback. Domain specific QMS customisation QMS-report may now be customised on a per-domain-level. Optimised whitelabeling for partners Whitelabeling for partners has been optimized and now includes option to whitelabel QMS and notifications. Bugfixes Counter for bypassed s now added to overview. File type on outbound file type blocks now displayed in logs. Additional reasons displayed for BMA filtering. Whitelist from overview fixed. Other minor backend bugs fixed.

4 The Overview 1. Domain selector - All logs and settings are domain specific so make sure that you have the correct domain selected 2. Administration tabs 2.1. Overview - Quarantine and logs 2.2. Archive - Archived s (licensed separately) 2.3. Settings - Configuration options 2.4. Statistics Historical statistics 2.5. Logout 3. Quarantine 3.1. Inbound quarantine Inbound s quarantined by the spam filter (Note: these are the s that are reported to the end-users if QMS is enabled) 3.2. Outbound quarantine Outbound s quarantined by either spam filter or policies 3.3. Admin Quarantine This quarantine contains inbound s that are quarantined for other reasons than spam 4. Mail Filters 4.1. Delivered This allows for log searches for delivered s 4.2. Blocked This allows for log searches for blocked s 4.3. Failed This allows for log searches of failed deliveries (where the recipient server refuses to accept the from WeCloud s servers)

5 5. Tools 5.1. Advanced Filter - This allows for advanced log searches across all types of s 5.2. Hold Queue - This contains all s that are queued for retry 5.3. Pending - This contains s that has been processed by the filter but hasn't been written to the log database yet 5.4. Release Selected - This tool allows you to select multiple s in the Quarantine and release them all at once (this is only available when the Quarantine is selected) 5.5. Export to csv - This allows you to export your current search result to a csv file (this will open a new tab for the download in your browser)

6 Log Searches 1. Search options - This field allows you to define your search, the options available depends on what tool is selected in the left-hand menu. All options can be combined for granular searches Wildcard search by checking this box Sender/Recipient/Subject can be searched using partial addresses/subjects (Note: large wildcard searches can take longer to complete) 1.2. Sender The sending address 1.3. Recipient The recipient address 1.4. Subject The subject of the Time ranges - Quick functions for defining a time frame for the search 1.6. Date from - Define the start date of the search 1.7. Date to - Define the end date of the search 1.8. Type - Define what type of you're searching for (this is only available in Advanced Filter) 2. Search controls 2.1. Reset all search terms 2.2. Perform a search using the selected criteria 3. Search result Click any to get more detailed information (see details further on). Search results are shown using infinity scroll, so whenever the bottom of the result list is reached the service will collect more logs (20 at a time) The search result will be split up into days 3.2. Shows the status of the and also the country of origin of the sending server 3.3. Shows the time of the reaching WeCloud's servers

7 3.4. Shows the recipient address of the Shows the sending address of the (note: This is the envelope-sender) 3.6. Shows the subject of the

8 Inbound Quarantine details 1. Content selector 1.1. Shows the details and body of the Shows the headers of the (Note: Due to privacy settings for your account this option might not be available) 1.3. Shows the audit logs for the 2. Status bar -This will show the status of the (note: the released status is only visible until your server has accepted the released , then the is moved from the quarantine to the delivered logs) 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender or the sending domain 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender

9 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: this is only visible if the was sent using TLS) Reason for quarantining the 4. Content of the This will show the content of the in a safe text-only format (Note: Due to privacy settings for your account this option may not be available) 5. Release functions 5.1. Enter the address to release the to (this will default to the original recipient) 5.2. Release the to the address specified in 5.1, this will automatically report the to WeCloud as a false positive

10 Outbound Quarantine details 1. Content selector 1.1. Shows the details and body of the Shows the headers of the (Note: Due to privacy settings for your account this option might not be available) 1.3. Shows the audit logs for the 2. Status bar -This will show why the status of the (note: the released status is only visible until your server has accepted the released , then the is moved from the quarantine to the delivered logs) 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: this is the envelope-sender) 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the Country of origin of the server sending the WeCloud ID of the

11 3.9. TLS info for the (Note: this is only visible if the was sent using TLS) Reason for quarantining the 4. Content of the This will show the content of the in a safe text-only format (Note: Due to privacy settings for your account this option may not be available) 5. Release functions 5.1. This field lists all recipients of the Release the to the recipient(s) specified in 5.1, this will automatically report the to WeCloud as a false positive in the case of a suspect spam block

12 Admin Quarantine details 1. Content selector 1.1. Shows the details and body of the Shows the headers of the (Note: Due to privacy settings for your account this option might not be available) 1.3. Shows the audit logs for the 2. Status bar -This will show the status of the (note: the released status is only visible until your server has accepted the released , then the is moved from the quarantine to the delivered logs) 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender or the sending domain 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access

13 to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: this is only visible if the was sent using TLS) Reason for quarantining the 4. Content of the This will show the content of the in a safe text-only format (Note: Due to privacy settings for your account this option may not be available) 5. Release functions 5.1. Enter the address to release the to (this will default to the original recipient) 5.2. Release the to the address specified in 5.1

14 Delivered details 1. Content selector 1.1. Shows the details of the Shows the delivery logs for the Shows the audit logs for the 2. Status bar - This will show that the has been delivered 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: This is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: This is only visible if the was delivered using TLS) This shows the IP of the server that the has been delivered to This shows the response from the server the was delivered to

15 Blocked details Content selector 1.1. Shows the details of the Shows the audit logs for the 2. Status bar - This will show why the was blocked 3. Message details 3.1. Subject of the (Note: This will be empty if the was blocked before the data of the was received) 3.2. Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the (Note: This will be shown as 0.0 kb if the was blocked before the data of the was received) 3.6. IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: This is only visible if the was delivered using TLS)

16 Failed details Content selector 1.1. Shows the details of the Shows the delivery logs for the Shows the audit logs for the 2. Status bar - This will show that the delivery failed 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: This is only visible if the was delivered using TLS) This shows the IP of the server that the delivery attempt was made to This shows the response from the server the was delivered to

17 Archive 1. Domain selector - All archived s are indexed on the domain so make sure that you have the correct domain selected 2. Archive tools 2.1. Restore Selected - This allows you to restore the selected s to the original recipients 2.2. Export to csv - This allows you to export your current log search to a csv file (this will open a new tab for the download in your browser) 3. Search options 3.1. Sender - Define parts of or a full sender address (any term entered will automatically start and end with wildcards) 3.2. Recipient - Define parts of or a full recipient address (any term entered will automatically start and end with wildcards) 3.3. Time ranges - Quick functions for defining a time frame for the search 3.4. Date from - Define the start date of the search 3.5. Date to - Define the end date of the search 4. Search controls 4.1. Reset all search terms 4.2. Perform a search with the selected criteria 5. Search result - Any can be clicked to get more detailed information (see details further on). Search results are shown using infinity scroll, so whenever the bottom of the result list is reached the service will collect more logs (20 at a time) The search result will be split up into days 5.2. Shows the status of the and also the country of origin of the sending server 5.3. Shows the time of the reaching WeCloud's servers

18 5.4. Shows the recipient address of the Shows the sending address of the (note: This is the envelope-sender) 5.6. Shows the subject of the Shows the size of the

19 Archived details 1. Content selector 1.1 Shows the details of the 1.2 Shows the headers of the (Note: Due to privacy settings for your account this option might not be available) 1.3 Shows the audit logs for the 1.4 Advanced tools Report the as a missed spam Open the original (Note: Due to privacy settings for your account this option might not be available) Download the original.eml file (Note: Due to privacy settings for your account this option might not be available)) 2. Message details 2.1 Subject of the 2.2 Recipient of the 2.3 Sender of the (Note: this is the envelope-sender) 2.4 The time the arrived in the filter 2.5 Size of the 2.6 IP of the server sending the

20 2.7 Country of origin of the server sending the 2.8 WeCloud Archive ID of the 2.9 A list of the attached files in the (Note: This is only visible if there are attached files in the ) 3. Content - This shows the content of the in a safe text-only format (Note: Due to privacy settings for your account this option might not be available) 4. Restore functions 4.1 Address part of the address to restore the to (this will default to the original recipient) 4.2 Domain part of the address to restore the to (this will be locked to the original domain) 4.3 Restore options

21 Settings menu 1. Overview of the functions activated 2. Antispam settings 3. QMS settings (Spam digest) 4. Antivirus settings 5. Inbound settings 6. Outbound settings 7. Archive options (these are read-only) 8. Custom lists for blocking and allowing s 9. Diagnostic tool for troubleshooting mailflow 10. Creating and editing Administrators 11. True Users is to define what addresses exists for the domain 12. Admin access to users quarantine zones and personal black/whitelists 13. Interface settings 14. Define what domains should be controlled by a company profile 15. Change password for the current admin account

22 Overview Settings 1. Settings overview 1.1. AntiSpam status 1.2. QMS status 1.3. AntiVirus status 1.4. Archive status 1.5. True Users status 2. Entries overview 2.1. Number of administrators registered for the domain 2.2. Number of True Users addresses registered for the domain 2.3. Number of addresses/domains whitelisted for the domain

23 2.4. Number of addresses/domains blacklisted for the domain 2.5. Number of originating countries with a default action defined for the domain 2.6. Number of file extensions blocked for the domain 2.7. Number of IP addresses whitelisted for the domain 2.8. Number of IP addresses blacklisted for the domain 2.9. Number of addresses/domains bypassing the antivirus for the domain Number of addresses/domains bypassing BMA for the domain Number of addresses/domains bypassing the file extension rules for the domain

24 Antispam Settings 1. Save your changes - The changes takes effect immediately 2. Audit logs 3. First layer defense 3.1. HeloCheck - This will block s where the sending server does not give a proper FQDN in the initial server greeting 3.2. SPF engine - This will block any where the sending domain has a hardfail in their SPF and the sending server/ip is not included in the SPF record (Note: This needs to be enabled for the other SPF options to be functional, it is also required for the Domain Protection function) 3.3. Quarantine SPF softfail - This will quarantine any where the sending domain has a softfail in their SPF and the sending server/ip is not included in the SPF record 3.4. SPF Block Temperror This will block any s where the lookup of the sender s SPF Record causes temporary error 3.5. SPF Block permerror This will block any s where the resolve of the sender s SPF Record causes a permanent error 3.6. Enable IP Reputation (RBL) - This checks if the sending IP is blacklisted and blocks s from blacklisted IPs 3.7. Block Mailer-demons - This will block mailer-daemon delivery reports

25 3.8. Quarantine Newsletters This will quarantine newsletters based on the presence of unsubscribe links the headers 3.9. Sender domain check - This checks if the sending domain is valid and otherwise blocks the 4. Content scanner options 4.1. Content scanner On/Off 4.2. Threshold for detecting spam based on content, the higher the threshold the "softer" the filter is, WeCloud do not recommend setting a higher score than 5 or lower than Action for s detected by the content engine. The options are: Quarantine - Quarantine the Tag Subject - Allow the but tag the subject (Note: An additional field appears below this option to allow for the tag to be defined) Tag Header - Allow the but tag it with an X-Header

26 QMS Settings 1. Save your changes - The changes takes effect immediately 2. Audit logs 3. QMS Options 3.1. QMS On/Off If On a spam digest will be sent out regularly according to the QMS settings 3.2. QMS Type This defines the format of the QMS report, the options are: notification This is a notification containing the number of new s in quarantine and a link to the online quarantine overview This is a notification containing a full list of the new s in quarantine (please see the separate QMS guide for an example)

27 3.3. QMS Interval This defines the interval of the QMS report, the options are: 1 day This schedules a daily QMS report 1 week This schedules a weekly QMS report 3.4. QMS Recipient If this field contains an address on your domain the QMS report for the domain will be sent to this address instead of personal QMS reports being sent to the endusers 3.5. QMS black/whitelist This defines if the end-users should be allowed to create personal black/whitelists within their quarantine portal (please see the separate QMS guide for more information) 4. QMS Customization 4.1. QMS Subject This will override the default subject for the QMS report 4.2. QMS header Any text entered here will be inserted at the top of the mail body of the QMS report 4.3. QMS footer Any text entered here will be inserted at the bottom of the mail body of the QMS report 4.4. QMS sender This will override the default sender of the QMS report (Note: This will only change the From: header of the and not the envelope-sender)

28 Antivirus Settings 1. Save your changes - The changes take effect immediately 2. Audit logs 3. Antivirus On/Off 4. Block nested zips On/Off If this is set to on the filter will block any s containing nested zips (a zip file within a zip file) 5. Block encrypted zip files On/Off If this is set to on the filter will block any s containing password protected zip files 6. Block files with VBA macros On/Off If this is set to on the filter will block any containing office files with macros 7. BMA On/Off Please see the section on BMA Enhanced Malware Analyzer for more information 8. Ignored BMA rules Tick the box for any rule in the current BMA set that you want to ignore for your flow

29 Inbound Delivery settings This is where you configure the server and port to use for the delivery of clean inbound s to your server. 1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect s in the hold queue as well) 2. Audit logs 3. Delivery settings 3.1. Delivery server - The hostname or IP address that we should deliver your s to (Note: we recommend always using a hostname if possible) 3.2. Delivery port - The port which we should deliver s over, 25 is the default for SMTP but we can do delivery over any port you specify 3.3. This will allow you to test the connectivity with your server

30 Inbound Routing settings This allows for third party integration with other services (for example, but not limited to, encryption services). The details of this is covered in a separate chapter of this guide. 1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect s in the hold que as well) 2. Delete settings - This will clear all routing configuration, this can take up to 20 minutes to take full effect (Note: changes here will affect s in the hold que as well) 3. Audit logs 4. Routing settings 4.1. Routing server - The hostname or IP address that we should reroute the s to (Note: we recommend always using a hostname if possible) 4.2. Delivery port - The port which we should route the s over 4.3. Enable relay On/Off - This defines if the routing rule is enabled or not 4.4. Relay smime only - If set to On only s encrypted with smime will be sent over the relay route 4.5. Enable archive - If set to On an additional copy of the will be stored after it is sent back to us from the external party (Note: this requires the domain to have archiving enabled)

31 Inbound Force TLS settings This allows you to set the default TLS behavior for your inbound traffic, and to add exceptions to that behavior 1. Add exceptions - This allows you to add sender and/or recipient exceptions (more info below) 2. Save your changes - The changes takes effect immediately 3. Delete settings - This will remove all exceptions that are marked in section 6 (Note: Delete is only visible if you have one or more exception selected) 4. Audit logs 5. Default setting - This is the default setting for the domain, if set to Off (Note: this is the recommended setting) all inbound s will use Opportunistic TLS except for the exceptions defined which will use Force TLS. If set to On all inbound s will have Force TLS except for the exceptions which will use Opportunistic TLS. 6. Exceptions 6.1. Senders - This will list exceptions based on the sending address/domain 6.2. Recipients - This will list exceptions based on the recipient address/domain 6.3. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Senders - select Senders exceptions only

32 Recipients - select Recipients exceptions only 6.4. Each exception will have a selection box to allow for deletion 6.5. This will list the exceptions

33 Inbound Force TLS settings Add exceptions 1. Sender exceptions - Enter any sending domains and/or addresses that should be an exception to the default TLS setting (Note: separate multiple entries with comma, tab, newline or semi-colon) 2. Recipient exceptions - Enter any recipient addresses that should be an exception to the default TLS setting (Note: separate multiple entries with comma, tab, newline or semi-colon) 3. Close without saving 4. Add the exceptions to your TLS configuration

34 Inbound Rewrite settings This will allow you to rewrite the recipient for specific inbound s 1. Add a new rule - More info below 2. Delete - This will delete the rules that are marked in section 4 (Note: Delete is only visible if you have one or more rules selected) 3. Audit logs 4. Rules - This will list the rules that you have configured 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. Each rule will have a selection box to allow for deletion 4.3. This will list the sender value for the rule 4.4. This will list the recipient value of the rule 4.5. This will list the rewritten recipient value 4.6. This will state if the original is discarded (i.e. If the is rerouted to the new recipient or if a copy is made) 4.7. This will list the priority of the rule (rules with lower priority has precedence over rules with higher priority) 4.8. This allows you to edit a rule

35 Inbound Rewrite settings Add rule This will allow you to have the scanning service to insert custom headers on inbound s 1. Sender(s) Add one or more senders (addresses and/or domains) that the rule should be active for 2. Recipient(s) - Add one or more recipient addresses that the rule should be active for (Note: Leave this empty if you want the rule to be valid for the whole domain) 3. New recipient(s) - Add one or more recipient addresses and/or domains that the should be rerouted to (Note: The recipients need to be on one of the domains on your account). If domains are entered here the address part of the recipient will stay the same and only the domain part will be rewritten 4. Discard original Checking this box will create a reroute rule (the original recipient will not receive the ) and leaving this box unchecked will create copies of the to the new recipient(s) but still deliver the to the original recipient 5. Close the window without saving changes 6. Add the rule to your rewrite configuration

36 Inbound Header settings This will allow you to have the scanning service to insert custom headers on inbound s 1. Add a new header More info below 2. Delete This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header insert selected) 3. Audit logs 4. Header inserts This will list the Headers inserts that you have configured 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the Header key to be inserted 4.3. This will list the value to be inserted for the Header key 4.4. Each Header insert will have a selection box to allow for deletion 1. Key Enter the key to be added to the header 2. Value Enter the value to be added for the specified key 3. Close without saving 4. Save the setting

37 Inbound Header filters This will allow you to have the scanning service to insert custom headers on inbound s 1. Add a new header filter More info below 2. Delete This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header filter selected) 3. Audit logs 4. Header filters This will list the Headers filters that you have configured 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the Header key to be filtered 4.3. This will list the value to be filtered for the Header key 4.4. This will list the action of the filter 4.5. Each Header insert will have a selection box to allow for deletion

38 Inbound Header filters Add filter 1. Action Select the action the filter should take if an matches the criteria, the options are: Spam Quarantine This classifies the as spam and allows the end user to release it Admin Quarantine This puts the in the admin quarantine and only allows admins to release it 2. Key Enter the key to be filtered 3. Value Enter the value required for the header field to trigger the filter, if this is left empty any that contains the specified header will trigger the filter 4. Close without saving 5. Save the setting

39 Inbound Notification settings Here you can configure in which cases the user on your end should be notified when the filter blocks an addressed to the user. 1. Save your changes - The changes take effect immediately 2. Audit logs 3. Quarantined by BMA This will generate a notification whenever an is put into quarantine by BMA 4. Blocked by BMA This will generate a notification whenever an is blocked by BMA 5. Blocked by File extension - This will generate a notification whenever an is blocked due to containing files listed under Lists File extensions 6. Blocked by Nested Zip - This will generate a notification whenever an is blocked due to nested zips being blocked under Antivirus settings 7. Blocked by Encrypted Zip Files - This will generate a notification whenever an is blocked due to encrypted zip files being blocked under Antivirus settings 8. Blocked by Containing macro - This will generate a notification whenever an is blocked due to VBA macros being blocked under Antivirus settings 9. Blocked by Header filter This will generate a notification whenever an is quarantined due to inbound header filters 10. Blocked by RBL - This will send a notification whenever an is blocked because the sending IP is blacklisted 11. Blocked by Country - This will generate a notification whenever an is blocked because the sending country has been blacklisted under Lists Countries 12. Blocked by IP - This will generate a notification whenever an is blocked because the sending IP has been blocked under Lists IP 13. Blocked Antivirus - This will generate a notification whenever an is blocked by the antivirus scanning

40 Outbound User settings SMTP authentication is one of the options to authenticate your outbound traffic through the WeCloud scanning (this is suitable if you want the end-users to send s through WeCloud directly from their clients or if you for example have a dynamic IP and still want to be able to send your s out via the service. Please note that this feature requires the communication to be protected by TLS and to use port Add user More info below 2. Delete This will delete the users that are marked in section 4 (Note: Delete is only visible if you have one or more users selected) 3. Audit logs 4. Users 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the users, domain users will be marked with a * (Note: A domain user is a user/password combination that can authenticate traffic for the whole domain) 4.3. This will allow you to send a new password to a user 4.4. Each user will have a selection box to allow for deletion

41 Outbound User settings Add user 1. User entries Enter the user(s) that should be created, separate multiple entries by using comma, tab, newline or semi-colon (Note: all users must be in the form of an address and the domain part needs to match the currently selected domain) 2. Notify user If this is checked an will be sent to the created user(s) with their password, if this is unchecked the password will instead be showed on screen when the user is created 3. Domain user If this is checked the user(s) will be allowed to authorize s for the whole domain (this is used when the authentication is setup on server level, if this is unchecked the user(s) created will only be allowed to authorize s sent from their own address (this is used when the authentication is setup on the end-user level 4. Close without saving 5. Save the settings

42 Outbound IP settings IP authentication is the preferred option to authenticate your outbound traffic in the WeCloud scanning. Please note that this authentication method should only be used if you have a static IP 1. Add IP More info below 2. Delete This will delete the IPs that are marked in section 4 (Note: Delete is only visible if you have one or more IPs selected) 3. Audit logs 4. IPs 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the IPs 4.3. Each IP will have a selection box to allow for deletion

43 Outbound IP settings Add IP 1. Entries Enter the IPs to be added, multiple entries should be separated by comma, tab, newline or semi-colon 2. Close without saving 3. Add my IP Add the IP that you are currently accessing the interface from to the Entries 4. Save the settings

44 Outbound Routing settings This allows for third party integration with other services (for example, but not limited to, encryption services). The details of this is covered in a separate chapter of this guide. 1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect s in the hold que as well) 2. Delete settings - This will clear all routing configuration, this can take up to 20 minutes to take full effect (Note: changes here will affect s in the hold que as well) 3. Audit logs 4. Routing settings 4.1. Routing server - The hostname or IP address that we should reroute the s to (Note: we recommend always using a hostname if possible) 4.2. Delivery port - The port which we should route the s over 4.3. Enable relay On/Off - This defines if the routing rule is enabled or not 4.4. Enable archive - If set to On an additional copy of the will be stored after it is sent back to us from the external party (Note: this requires the domain to have archiving enabled)

45 Outbound Header settings This will allow you to have the scanning service to insert custom headers on outbound s 1. Add a new header More info below 2. Delete This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header insert selected) 3. Audit logs 4. Header inserts This will list the Headers inserts that you have configured 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the Header key to be inserted 4.3. This will list the value to be inserted for the Header key 4.4. Each Header insert will have a selection box to allow for deletion 1. Key Enter the key to be added to the header 2. Value Enter the value to be added for the specified key 3. Close without saving 4. Save the setting

46 Outbound Notification settings Here you can configure in which cases the system should notify either an end user or an auditor when an is blocked in the outbound scanning (Please see the Outbound Notification Appendix for a sample of the notification ) 1. Save your changes - The changes take effect immediately 2. Audit logs 3. Blocked by Antispam This defines the notification setting if the outbound spam filter detects a suspected spam 4. Blocked by Antivirus This defines the notification setting if the outbound antivirus filter detects a virus 5. Blocked by File extension This defines the notification setting if an outbound contains a prohibited filetype (as listed under Outbound -> File extensions) 6. Blocked by Recipient block This defines the notification if an outbound is sent to a blocked recipient (as listed under Outbound -> Block recipient) 7. Auditor An address listed here will receive notifications for blocked s where the action is set to Auditor 8. Action - This is where you can set the notification action for blocked outbound s, the options are: User This will notify the sender of the blocked outbound Auditor This will notify the auditor when an outbound is blocked Off This will turn off the notifications when an outbound is blocked (Note: No NDR will be sent to the sender if an outbound is blocked)

47 Outbound File extension settings Here you can configure what filetypes are not allowed in your outbound flow 1. Add More info below 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This lists the file extensions that will cause a block 5.3. Each entry will have a selection box to allow for deletion

48 Outbound File extension settings - Add 1. Add file block This dropdown will give you access to different default groupings of file extensions, the options are: Programs This is a collection of executable files Scripts This is a collection of script files Shortcuts This is a collection of shortcut files Others This is a collection of other files you might wish to block Microsoft Office This is a collection of office files All This includes all the predefined file sets above 2. Entries This is where you can add entries to block, multiple entries should be separated by comma, tab, newline or semi-colon 3. Close without saving 4. Save the entries

49 Outbound Block recipient settings Outbound s where one or more of the recipient addresses or domains are listed here will be blocked by the outbound scanning 1. Add More info below 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type (Note: You do not have to write complete addresses or domains when searching) 4. Audit logs 5. Total amount of entries 6. Entries 6.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains - selects all domains s - selects all addresses 6.2. This lists the addresses and/or domains in your whitelist 6.3. Each entry will have a selection box to allow for deletion

50 Archiving Settings This will show the settings configured by WeCloud for your archive. These settings require an additional license and can only be changed by WeCloud.

51 Lists Settings Whitelist Any sending addresses or domains listed here will bypass the antispam engines but not any other policies or filters (Please see the section on Bypasses and Whitelists for more info). Please note that the system looks at the Envelope sender and that this might not be the same as the sender shown to the recipient in some cases 1. Add Use this to add entries to the whitelist 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type (Note: You do not have to write complete addresses or domains when searching) 4. Audit logs 5. Total amount of entries 6. Entries 6.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains - selects all domains s - selects all addresses 6.2. This lists the addresses and/or domains in your whitelist 6.3. This shows the date and time that the entry was created 6.4. Each entry will have a selection box to allow for deletion

52 Lists Settings Blacklist Any sending addresses or domains listed here will be blocked by the system. Please note that the system looks at the Envelope sender and that this might not be the same as the sender shown to the recipient in some cases 1. Add Use this to add entries to the blacklist 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type (Note: You do not have to write complete addresses or domains when searching) 4. Audit logs 5. Total amount of entries 6. Entries 6.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains - selects all domains s - selects all addresses 6.2. This lists the addresses and/or domains in your blacklist 6.3. This shows the date and time that the entry was created 6.4. Each entry will have a selection box to allow for deletion

53 Lists Settings - Countries This will allow you to set default actions based on the Geo-IP mapping done for all sending IPs for inbound s. 1. Add More info below 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Whitelisted - selects all whitelist entries Quarantined - selects all quarantine entries Blacklisted selects all blacklist entries 5.2. This lists the countries you have set default actions for 5.3. This shows the action for the listed countries 5.4. This allows you to edit the default action for the listed countries 5.5. Each entry will have a selection box to allow for deletion

54 Lists Settings Countries Add entry 1. Country Use the dropdown to select the country that you want to create a default action for 2. Action Use the dropdown to select the action for s from servers in the selected country, the options are: Whitelist Don't spam scan s from the selected country Blacklist Block all s from the selected country Quarantine Quarantine all s from the selected country 3. Close without saving 4. Save the entry

55 Lists Settings File extensions This will allow you to block s containing specific files 1. Add More info below 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This lists the file extensions that will cause a block 5.3. Each entry will have a selection box to allow for deletion

56 Lists Settings File extensions - Add 5. Add file block This dropdown will give you access to different default groupings of file extensions, the options are: Programs This is a collection of executable files Scripts This is a collection of script files Shortcuts This is a collection of shortcut files Others This is a collection of other files you might wish to block Office This is a collection of office files All This will include all the predefined file sets above 6. Entries This is where you can add entries to block, multiple entries should be separated by comma, tab, newline or semi-colon 7. Close without saving 8. Save the entries

57 Lists Settings - IP This will allow you to blacklist or whitelist IP addresses or ranges 1. Add More info below 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Whitelisted selects all whitelist entries Blacklisted selects all blacklist entries 5.2. This lists the IPs 5.3. This will show if the IP is whitelisted or blacklisted 5.4. Each entry will have a selection box to allow for deletion

58 Lists Settings IP - Add 1. Action Use the dropdown to select if the IPs should be blacklisted or whitelisted 2. Entries Enter the IP addresses and/or IP ranges to add to the list, multiple entries should be separated by comma, tab, newline or semi-colon. (Note: ranges can be entered with either CIDR or by entering start-end IPs) 3. Close without saving 4. Save the entries

59 Lists Settings Bypass This will allow you to allow senders to bypass selected engines (please see the section on Bypasses and Whitelists for more info) 1. Add Use this to add entries to the bypass list (more info below) 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Antivirus selects all antivirus bypasses BMA selects all BMA bypasses File Extension selects all file extension bypasses Domains selects all listed domains s selects all listed addresses 5.2. This lists the addresses and/or domains 5.3. This lists the type of bypass 5.4. Each entry will have a selection box to allow for deletion

60 Lists Settings Bypass - Add 1. Action Use the dropdown to select the engine to bypass 2. Entries Enter the addresses and/or domains to add to the list, multiple entries should be separated by comma, tab, newline or semi-colon. 3. Close without saving 4. Save the entries

61 Lists Settings Domain Protection This will allow you add Domain Protection to specific domains (see separate chapter on Domain Protection for more details) 1. Add Use this to add entries to the domain protection list 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This lists the domains 5.3. Each entry will have a selection box to allow for deletion

62 Diagnostics This will allow you to run a simple diagnostics of your configuration 1. Run This will initiate the test 2. MX Record Check This will check the MX Records you have configured for the domain 2.1. Result of the test 2.2. This will show your configured MX Records 3. Delivery check This will test the connectivity to your server 3.1. Result of the test 3.2. This will list the server and port you have configured under your inbound settings 3.3. This will show a transcript of the communication test with your server

63 User Settings This will allow you to manage the administrators and user profiles for your account 1. User control 1.1. Add new user More info below 1.2. This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 1.3. This will remove the disable status on any entries that are marked in section 5 (Note: Enable is only visible if you have one or more entries selected) 1.4. This will disable the entries that are marked in section 5 (Note: Disable is only visible if you have one or more entries selected) 2. Search box Use this to search for entries, the search result will show while you type 3. Audit logs 4. Total amount of entries 5. Entries (Note: any disabled user will be marked with a strike through) 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This will list the name of the users 5.3. This will list the type of the user (Note: If the type is marked with a * the user also has a User Profile enabled) 5.4. This will list the address of the user (Note: The address is also the user name) 5.5. This will list the time and date of creation for the user 5.6. This will allow you to edit the settings for the user 5.7. Each entry will have a selection box to allow for deletion and enable/disable

64 User Settings Add User 1. Firstname 2. Lastname 3. address This will also be the username 4. Read-only Setting this to On will render the user unable to change anything in the interface, the user will also be unable to access other users quarantine zones via the Token Manager (Note: This needs to be combined with one or more of the user rights in sections 5-7) 5. User profile Setting this to On will allow the user to have their settings separated from the domain settings (Note: This also means that the user will not get any changes to the settings made on domain level) 6. Domain admin Setting this to On will allow you to select one or more of your domains that this user will get access to (Note: This type of user will not automatically get access to new domains that you add to the account) 7. Company admin Setting this to On will give the user access to all domains on your account (Note: This will automatically give the user access to new domains that are added to your account as well) 8. Notify user Setting this to On will send an with the login credentials to the user when created, setting this to Off will instead show the credentials on screen when the user is created (Note: We highly recommend setting this to Off and then ask the user to use the Forgot Password function on the login page so that no credentials are sent via ) 9. Close without saving 10. Save the entries

65 True Users settings This will allow you to specify what addresses are valid for your domain (Note: If you specify addresses here WeCloud will only accept s for those addresses, s to any other recipients will be rejected) 1. Add Add one or more addresses to your list of true users 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type 4. Audit logs 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This will list the addresses registered as true users 5.3. Each entry will have a selection box to allow for deletion

66 Token Manager Any user that receive a QMS report will automatically be created as a token user. The Token Manager allows an admin to login to the personal quarantine as the selected user in order to manage their quarantine and (if activated in the QMS settings) their black/whitelists 1. This will list all users created by the QMS system 2. This allows the administrator to login as the selected user This is not available to read only administrators (Note: The login will open a separate tab so the administrator will not be logged out from the administrator interface)

67 Interface Settings - Customize This will allow you to specify account wide customizations to the different s generated by the system 1. Save your changes - The changes take effect immediately 2. Audit logs 3. Name for system mail sender This defines the name of the sender of system mails to your users 4. Sending address for system mails This defines the sending address for system mails to your users (Note: This only changes the From: header and not the envelope-sender) 5. Name for notification mail sender This defines the name of the sender of notification mails to your users 6. Sending address for notification mails This defines the sending address for notification mails to your users (Note: This only changes the From: header and not the envelope-sender) 7. Name for QMS mail sender This defines the name of the sender of QMS mails to your users 8. Sending address for QMS mails This defines the sending address for QMS mails to your users (Note: This only changes the From: header and not the envelope-sender)

68 Interface Settings - Options This will allow you to specify the settings for the interface and the s generated by the system to your users 1. Save your changes - The changes take effect immediately 2. Audit logs 3. Time zone Use the dropdown to select the time zone for your domain (Note: This will control the timestamps in you logs and the time of day that your QMS reports are sent out) 4. Default domain Use the dropdown to select what domain should be the default selected domain when you log into your account 5. Notify/QMS Language Use the dropdown to select the language for s generated by the system to your users

69 Interface Settings Login restrictions This will allow you to restrict logins to the interface to specific IPs. Please be aware that this setting is account wide and affects all admin users. Note: These restrictions do not restrict your partner or WeCloud from accessing your account. Please be aware that if you enable this option with incorrect IP addresses you will not be able to login and change these settings, use with caution. 1. Add IP Add IPs to the list 2. Delete This will delete the entries that are marked in section 4 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Entries 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the IP addresses registered 4.3. Each entry will have a selection box to allow for deletion

70 Interface Settings OTP SMS This will allow you to enable 2-factor authentication for your admin user. Note: This could render your partner unable to access your account. WeCloud, however, will always be able to access your account 1. Add IP Add IPs to the list 2. Audit logs 3. Mobile Enter the cell phone number to be used for 2-factor authentication

71 Company Profile settings By activating the Company Profile you can easily manage the settings for multiple of your domains by changing a single profile. If company Profile is activated a new option "Company Profile" becomes available in the domain selector and all changes of settings on the specified slave domains will be deactivated. Please note that all settings on the slave domains will be overridden when the Company Profile is activated. The Company Profile controls the following settings for its slave domains: Antispam > All settings QMS > All settings Antivirus > all settings Inbound > Delivery, Routing, Inbound headers, Notifications Outbound > IP, Routing, Outbound headers, Notifications, File extensions, Block recipient Archive > All settings Lists > All settings Interface > All settings 1. Enable This will enable the company profile according to your settings (Note: When you have a company profile active this will instead read Edit and allow you to change your settings to the profile) 2. Source domain Use the dropdown to select the source domain that the settings for the profile will be copied from (Note: even though only some settings are controlled by the profile, all settings will be copied from it and used as a foundation on any domain that you include in the profile) 3. Slave domain(s) This will allow you to select which domains your company profile should take control of (Note: All settings on these domains will be overwritten by the company profile settings) 4. Master domain The master domain selected in section 2 will automatically be selected