
Policy Enforcement

Configure and enforce email policies to control message handling based on content, sender, recipient, size, and other criteria.

Overview

Mailborder's policy enforcement system allows you to:

  • Control message flow based on sender/recipient
  • Enforce size limits on messages and attachments
  • Block file types by extension or content
  • Restrict relay to authorized users/networks
  • Apply custom rules based on headers, content, or metadata
  • Override spam/virus decisions for specific scenarios

Policy Evaluation Order

1. Connection Policy (IP-based)
2. Authentication Policy (SMTP AUTH required?)
3. Relay Policy (authorized to send?)
4. Sender Policy (from address allowed?)
5. Recipient Policy (to address allowed?)
6. Size Policy (message/attachment limits)
7. Content Policy (attachment types, keywords)
8. Spam/Virus Policy (override thresholds)
9. Custom Policies (user-defined rules)

Connection Policies

IP-based Access Control

Allow specific networks:

sudo mb-policy add connection --allow --source 192.168.1.0/24 \
  --description "Internal network"

sudo mb-policy add connection --allow --source 10.0.0.0/8 \
  --description "Corporate VPN"

Block specific IPs:

sudo mb-policy add connection --deny --source 198.51.100.25 \
  --description "Known spam source"

Rate limiting by IP:

sudo mb-policy add connection --ratelimit --source 0.0.0.0/0 \
  --limit 100 --period 3600 \
  --description "Max 100 emails per hour per IP"

Connection Security

Require TLS:

sudo mb-config set policy.require_tls true

Minimum TLS version:

sudo mb-config set policy.min_tls_version 1.2

Reject plaintext AUTH:

sudo mb-config set policy.reject_plaintext_auth true

Authentication Policies

SMTP AUTH Requirements

Require authentication for all:

sudo mb-config set policy.require_auth true

Require auth for specific domains:

sudo mb-policy add auth --require --domain example.com

Exempt internal network:

sudo mb-policy add auth --exempt --source 192.168.1.0/24

Authentication Methods

Allowed methods:

sudo mb-config set policy.auth_methods "PLAIN LOGIN CRAM-MD5"

Disable weak methods:

sudo mb-config set policy.disable_plain_auth true

Relay Policies

Relay Authorization

Authorized relay networks:

sudo mb-config set relay.networks "192.168.1.0/24 10.0.0.0/8"

Require authentication for relay:

sudo mb-config set relay.require_auth true

Authorized domains to relay for:

sudo mb-domain add example.com --type local
sudo mb-domain add partner.com --type relay

Open Relay Protection

Open Relay Risk

An open relay allows anyone to send email through your server, leading to blacklisting and abuse.

Verify relay is closed:

sudo mb-test-relay

Expected output:

Testing relay configuration...
[PASS] Relay denied for external → external
[PASS] Relay allowed for authenticated users
[PASS] Relay allowed for local networks
Status: SECURE - Not an open relay
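
A scheduled check can gate on this report. The following is an added example, not part of Mailborder. It assumes the report keeps the line format shown above; the [FAIL] tag and the INSECURE status text in the second sample are constructed, since the page only shows a passing run.

```shell
# Fail-closed gate: returns 0 only if every bracketed result line is [PASS]
# and a "Status: SECURE" line is present.
check_relay_report() {
    awk '
        /^\[/ {
            results++
            if ($1 != "[PASS]") { bad++; print "not passing: " $0 > "/dev/stderr" }
        }
        /^Status:/ {
            seen_status = 1
            if ($2 != "SECURE") { bad++; print "bad status: " $0 > "/dev/stderr" }
        }
        END {
            # An empty or truncated report is not evidence that relay is closed.
            if (results == 0 || !seen_status) bad++
            exit (bad > 0 ? 1 : 0)
        }'
}

# Report copied from the expected output above.
report_closed() {
    cat <<'EOF'
Testing relay configuration...
[PASS] Relay denied for external → external
[PASS] Relay allowed for authenticated users
[PASS] Relay allowed for local networks
Status: SECURE - Not an open relay
EOF
}

# Constructed failing report; the [FAIL] tag and Status text are assumptions.
report_open() {
    cat <<'EOF'
Testing relay configuration...
[FAIL] Relay denied for external → external
[PASS] Relay allowed for authenticated users
[PASS] Relay allowed for local networks
Status: INSECURE - Open relay
EOF
}

report_closed | check_relay_report && echo "relay closed"
report_open | check_relay_report 2>/dev/null || echo "relay check failed"
# In a scheduled job: sudo mb-test-relay | check_relay_report || <alert>
```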

Relay Restrictions

Maximum recipients per message:

sudo mb-config set relay.max_recipients 100

Maximum messages per connection:

sudo mb-config set relay.max_messages 10

Rate limit per authenticated user:

sudo mb-policy add relay --ratelimit --user '*' \
  --limit 500 --period 3600 \
  --description "500 emails/hour per user"

Sender Policies

Sender Restrictions

Block specific senders:

sudo mb-blacklist add spammer@spam.com
sudo mb-blacklist add @spam-domain.com

Allow only specific senders:

sudo mb-policy add sender --allow --from @trusted-domain.com
sudo mb-policy add sender --deny --from '*'

Require SPF pass:

sudo mb-policy add sender --require-spf --action reject

Sender Verification

Verify sender domain exists:

sudo mb-config set policy.verify_sender_domain true

Reject invalid sender format:

sudo mb-config set policy.reject_invalid_sender true

Null sender rejection (left off here, because bounce messages use the null sender):

sudo mb-config set policy.reject_null_sender false

Sender Spoofing Protection

Reject mismatched domains:

sudo mb-policy add sender --reject-mismatch \
  --description "Reject From header != envelope sender domain"

DMARC enforcement:

sudo mb-config set policy.dmarc_enforce true
sudo mb-config set policy.dmarc_action quarantine  # or reject

Recipient Policies

Recipient Validation

Verify recipient exists:

sudo mb-config set policy.verify_recipient true

LDAP recipient validation:

sudo mb-config set policy.recipient_ldap_check true

Reject unknown recipients:

sudo mb-config set policy.reject_unknown_recipient true

Recipient Limits

Maximum recipients per message:

sudo mb-config set policy.max_recipients 50

Per-user recipient limits:

sudo mb-policy add recipient --limit --user user@example.com \
  --max 1000 --period 86400 \
  --description "Max 1000 recipients/day"

Recipient Lists

Allow only internal recipients:

sudo mb-policy add recipient --allow --domain example.com
sudo mb-policy add recipient --deny --domain '*'

Block specific recipient:

sudo mb-policy add recipient --deny --to abuse@example.com \
  --action discard

Size Policies

Message Size Limits

Global message size limit:

sudo mb-config set policy.max_message_size 52428800  # 50 MB

Per-sender size limits:

sudo mb-policy add size --limit --from @external-domain.com \
  --max-size 10485760 \
  --description "10 MB limit for external senders"

Reject oversized messages:

sudo mb-config set policy.reject_oversized true

Custom rejection message:

sudo mb-config set policy.oversized_message \
  "Message exceeds 50 MB limit. Please use file sharing service."

Attachment Size Limits

Maximum attachment size:

sudo mb-config set policy.max_attachment_size 26214400  # 25 MB

Total attachments size:

sudo mb-config set policy.max_attachments_total 52428800  # 50 MB

Maximum number of attachments:

sudo mb-config set policy.max_attachment_count 20

Content Policies

File Type Restrictions

Block executable files:

sudo mb-antivirus-block-ext add .exe
sudo mb-antivirus-block-ext add .scr
sudo mb-antivirus-block-ext add .bat
sudo mb-antivirus-block-ext add .cmd
sudo mb-antivirus-block-ext add .com
sudo mb-antivirus-block-ext add .pif

Block scripts:

sudo mb-antivirus-block-ext add .vbs
sudo mb-antivirus-block-ext add .js
sudo mb-antivirus-block-ext add .jar

Allow exceptions for whitelisted senders:

sudo mb-policy add content --allow-extensions --from @trusted-vendor.com \
  --extensions ".exe .msi"

Content Filtering

Quarantine messages containing keywords:

sudo mb-policy add content --reject --body-contains "confidential" \
  --action quarantine \
  --description "Flag emails with 'confidential' for review"

Require encryption for sensitive data:

sudo mb-policy add content --require-encryption \
  --body-regex "SSN|social security|tax ID" \
  --action reject \
  --message "Sensitive information must be encrypted"
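
Before enforcing a keyword regex like the one above, run it against sample bodies to see what it catches and what it misses. The following is an added example, not part of Mailborder. It assumes POSIX ERE semantics through grep -E (the page does not state which regex engine or case handling Mailborder uses), and BOUNDED is a hypothetical tightened pattern.

```shell
PATTERN='SSN|social security|tax ID'           # pattern from the rule above
# Hypothetical tightened form: same keywords, but not inside a longer word.
BOUNDED="(^|[^[:alnum:]])($PATTERN)([^[:alnum:]]|\$)"

# hit <grep-flags> <pattern> <body>: prints 1 if the body matches, else 0
hit() {
    if printf '%s\n' "$3" | grep "$1" -- "$2" >/dev/null; then echo 1; else echo 0; fi
}

# classify <body>: pattern as written, case-insensitive, and bounded + case-insensitive
classify() {
    printf 'exact=%s ci=%s bounded=%s\n' \
        "$(hit -E "$PATTERN" "$1")" \
        "$(hit -Ei "$PATTERN" "$1")" \
        "$(hit -Ei "$BOUNDED" "$1")"
}

# Constructed sample bodies, one per line.
while IFS= read -r body; do
    printf '%-34s %s\n' "$body" "$(classify "$body")"
done <<'EOF'
My SSN is 000-00-0000
please send your ssn
Update the CLASSNAME field
Social Security number attached
Number 000-00-0000 attached
EOF
```

Under these assumptions the pattern as written misses lowercase "ssn" and capitalized "Social Security", and fires on "CLASSNAME". A number sent without any keyword passes every variant.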

Header Policies

Require specific headers:

sudo mb-policy add header --require --name "X-Company-Approved" \
  --from @employee-domain.com

Block messages with spoofed headers:

sudo mb-policy add header --reject \
  --name "Received" --value "from unknown" \
  --action reject

Add custom headers:

sudo mb-policy add header --add \
  --name "X-Scanned-By" --value "Mailborder V6"

Spam and Virus Overrides

Per-Sender Thresholds

Lower threshold for external senders:

sudo mb-policy add spam --threshold \
  --from @external-domain.com \
  --pass 5.0 --quarantine 5.0 --reject 15.0

Higher threshold for trusted partners:

sudo mb-policy add spam --threshold \
  --from @trusted-partner.com \
  --pass 8.0 --quarantine 8.0 --reject 25.0

Skip spam check for whitelisted:

sudo mb-policy add spam --skip --from @whitelist-domain.com

Virus Scan Overrides

Skip virus scan for specific senders:

sudo mb-policy add virus --skip --from internal@example.com

Security Risk

Skipping virus scans should only be done for highly trusted sources.

Lower scan recursion for large archives:

sudo mb-policy add virus --recursion \
  --from @bulk-sender.com \
  --max-recursion 5

Custom Policies

Rule-Based Policies

Create custom policy:

sudo mb-policy create --name "executive-protection" \
  --description "Enhanced filtering for executives"

Add conditions:

sudo mb-policy rule add executive-protection \
  --condition "recipient in @example.com" \
  --condition "recipient contains 'ceo|cfo|president'" \
  --action "set spam threshold 4.0" \
  --action "require spf pass" \
  --action "require dkim pass"

Enable policy:

sudo mb-policy enable executive-protection

Time-Based Policies

Business hours policy:

sudo mb-policy create --name "business-hours" \
  --schedule "Mon-Fri 08:00-18:00 America/New_York"

sudo mb-policy rule add business-hours \
  --action "allow all"

After-hours restrictions:

sudo mb-policy create --name "after-hours" \
  --schedule "Mon-Fri 18:00-08:00,Sat-Sun 00:00-23:59"

sudo mb-policy rule add after-hours \
  --condition "size > 10485760" \
  --action "defer until 08:00"

Conditional Actions

Quarantine high-risk combinations:

sudo mb-policy rule add high-risk \
  --condition "from @*.ru" \
  --condition "has attachment .zip" \
  --condition "spam score > 4.0" \
  --action quarantine \
  --notify admin@example.com

Enhanced logging:

sudo mb-policy rule add audit-sensitive \
  --condition "recipient contains 'finance|accounting|payroll'" \
  --action "log detailed" \
  --action "add header X-Policy-Match: sensitive"

Policy Management

List Policies

View all policies:

sudo mb-policy list

Example output:

Policy Name              Status    Priority  Matches
---------------------------------------------------------
connection-ratelimit     enabled   100       5,234
require-auth-external    enabled   200       1,892
executive-protection     enabled   300       45
block-executables        enabled   400       12
after-hours              enabled   500       0 (schedule inactive)

View specific policy:

sudo mb-policy show executive-protection

Modify Policies

Change priority:

sudo mb-policy set-priority executive-protection 50

Enable/disable:

sudo mb-policy enable connection-ratelimit
sudo mb-policy disable after-hours

Delete policy:

sudo mb-policy delete old-policy-name

Testing Policies

Test against email:

sudo mb-policy test /path/to/email.eml

Example output:

Testing policy evaluation...

Matched policies:
  [PASS] connection-ratelimit (priority 100)
  [PASS] require-auth-external (priority 200)
  [MATCH] executive-protection (priority 300)
    - Condition matched: recipient contains 'ceo'
    - Action: set spam threshold 4.0
    - Action: require spf pass
  [SKIP] block-executables (no attachments)

Final verdict: PASS (with modified threshold)

Dry-run mode:

sudo mb-config set policy.dry_run true

This logs policy actions without enforcing them.

Policy Examples

Example 1: Department-Specific Filtering

Finance department - strict filtering:

sudo mb-policy create --name "finance-strict"

sudo mb-policy rule add finance-strict \
  --condition "recipient in finance@example.com" \
  --action "set spam threshold 3.0" \
  --action "require spf pass" \
  --action "require dkim pass" \
  --action "reject score > 10.0" \
  --action "quarantine has-attachment .exe"

Example 2: Partner Organization Integration

Trusted partner with relaxed filtering:

sudo mb-policy create --name "partner-acme"

sudo mb-policy rule add partner-acme \
  --condition "from @acme-corp.com" \
  --condition "spf pass" \
  --action "set spam threshold 8.0" \
  --action "skip greylisting" \
  --action "allow extension .exe"

Example 3: Bulk Sender Policy

Mailing list with size/attachment restrictions:

sudo mb-policy create --name "mailing-lists"

sudo mb-policy rule add mailing-lists \
  --condition "from @newsletter-service.com" \
  --action "max size 5242880" \
  --action "reject has-attachment" \
  --action "max recipients 1000"

Example 4: Geographic Restrictions

Block emails from high-risk countries:

sudo mb-policy create --name "geo-restrictions"

sudo mb-policy rule add geo-restrictions \
  --condition "geoip from CN,RU,KP" \
  --condition "not from @known-partner.com" \
  --action "quarantine score > 2.0" \
  --action "reject score > 5.0"

Example 5: Executive Protection

VIP protection with multiple layers:

sudo mb-policy create --name "vip-protection"

sudo mb-policy rule add vip-protection \
  --condition "recipient in ceo@,cfo@,president@" \
  --action "set spam threshold 2.0" \
  --action "reject has-url-shortener" \
  --action "quarantine new-sender" \
  --action "require dmarc pass" \
  --action "block extension .exe,.scr,.bat" \
  --action "notify security@example.com"

Monitoring Policy Enforcement

Policy Statistics

View policy matches:

sudo mb-policy stats

Example output:

Last 24 hours:

Policy                   Matches   Actions
-----------------------------------------------
connection-ratelimit     5,234     100 deferred
executive-protection     45        45 threshold adjusted
block-executables        12        12 rejected
geo-restrictions         234       180 quarantined, 54 rejected

Per-policy details:

sudo mb-policy stats executive-protection

Real-time Monitoring

Watch policy log:

sudo tail -f /var/log/mailborder/policy.log

Filter by policy:

sudo grep "executive-protection" /var/log/mailborder/policy.log

Audit Trail

Policy change history:

sudo mb-audit-log --type policy

Example output:

2025-01-13 10:23:45  admin@example.com  POLICY_CREATED  executive-protection
2025-01-13 10:25:12  admin@example.com  POLICY_ENABLED  executive-protection
2025-01-13 14:30:00  admin@example.com  POLICY_MODIFIED  executive-protection (threshold changed)
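
The audit output can be screened for changes made by accounts that are not expected to edit policies. The following is an added example, not part of Mailborder. It assumes the column layout shown above; APPROVED_ADMINS is a hypothetical allowlist, and the last two sample lines are constructed.

```shell
# Field layout taken from the sample output above:
#   DATE TIME ACTOR EVENT POLICY [detail...]
APPROVED_ADMINS="admin@example.com"    # hypothetical allowlist, space separated

# Reads audit lines on stdin; prints every change by an actor not on the list.
unapproved_changes() {
    awk -v approved="$APPROVED_ADMINS" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0 { next }
        NF < 5  { print "UNPARSED " $0; next }     # do not silently drop odd lines
        !($3 in ok) { print $1, $2, $3, $4, $5 }
    '
}

# First three lines are from the page; the last two are constructed.
sample_audit_log() {
    cat <<'EOF'
2025-01-13 10:23:45  admin@example.com  POLICY_CREATED  executive-protection
2025-01-13 10:25:12  admin@example.com  POLICY_ENABLED  executive-protection
2025-01-13 14:30:00  admin@example.com  POLICY_MODIFIED  executive-protection (threshold changed)
2025-01-14 02:11:09  helpdesk@example.com  POLICY_MODIFIED  block-executables (rule changed)
2025-01-14 02:12
EOF
}

sample_audit_log | unapproved_changes
# Live use: sudo mb-audit-log --type policy | unapproved_changes
```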

Troubleshooting

Policy Not Matching

Debug policy evaluation:

sudo mb-policy test /path/to/email.eml --debug

Check policy syntax:

sudo mb-policy validate executive-protection

Common issues:

  1. Priority too low (other policies take precedence)
  2. Condition syntax error
  3. Policy disabled
  4. Conflicting policies

Unintended Rejections

Find which policy rejected message:

sudo grep "REJECTED" /var/log/mailborder/policy.log | grep "<message-id>"

Temporarily disable policy:

sudo mb-policy disable problematic-policy

Review and adjust conditions:

sudo mb-policy show problematic-policy
sudo mb-policy rule modify problematic-policy --condition "..."

Performance Issues

Too many policies:

sudo mb-policy list | wc -l

Optimize policy order:

  • Most frequently matched policies at low priority numbers
  • Expensive checks (regex, content scanning) after simple checks

Enable policy caching:

sudo mb-config set policy.cache_enabled true
sudo mb-config set policy.cache_ttl 300

Best Practices

Policy Design

  1. Start simple - Add complexity as needed
  2. Test before enforcing - Use dry-run mode
  3. Document policies - Include description and reason
  4. Order by frequency - Most common matches first
  5. Avoid over-blocking - Better to quarantine than reject

Security Recommendations

  1. Always enforce relay restrictions - Prevent open relay
  2. Require authentication - For external senders
  3. Block dangerous extensions - .exe, .scr, .vbs, etc.
  4. Implement rate limiting - Prevent abuse
  5. Use whitelists sparingly - Review regularly

Maintenance

  1. Review statistics weekly - Identify ineffective policies
  2. Update exceptions - As business needs change
  3. Monitor false positives - Adjust thresholds
  4. Audit policy changes - Track who modified what
  5. Test regularly - Ensure policies work as intended

Performance Optimization

  1. Limit policy count - Combine similar policies
  2. Optimize condition order - Fast checks first
  3. Cache policy results - For repeated evaluations
  4. Use specific conditions - Avoid wildcards when possible
  5. Monitor processing time - Remove slow policies
