On the POP3 > Advanced tab you can specify those hosts and networks that can skip the transparent mode of the POP3 proxy. In addition, it contains the POP3 proxy's prefetch option, which allows the prefetching of messages from a POP3 server and storing them in a database.

Transparent Mode Skiplist

Hosts and networks listed in the Skip transparent mode hosts/nets box will not be subject to the transparent interception of POP3 traffic. However, to allow POP3 traffic for these hosts and networks, select the Allow POP3 traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.

POP3 Servers and Prefetch Settings

You can enter one or more POP3 servers here that are used in your network or by your end users, so that the servers are known to the proxy. Additionally, you can turn on prefetching.

To define a POP3 server, do the following:

  1. Add the DNS name of the POP3 server(s).

    In the POP3 servers box, click the Plus icon. In the Add Server dialog window, enter the DNS name and click Save.

    A new entry with the entered DNS name and the suffix Servers is displayed in the box. Sophos UTM on AWS automatically creates a DNS group with the specified DNS name and associates it with the new POP3 server entry.

  2. Specify the POP3 server's properties.

    In the POP3 servers box, click the Edit icon in front of the POP3 server. The Edit Server dialog window opens. Make the following settings:

    Name: If you want, modify the POP3 server's name.

    Hosts: The box automatically contains a DNS group with the DNS name specified above. Add or select additional hosts or DNS groups. Make sure to add only hosts or DNS groups that serve the same POP3 accounts. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.

    TLS certificate: Select a certificate from the drop-down list which will be used to negotiate TLS encryption with all remote hosts supporting it. You can create or upload certificates on the Site-to-site VPN > Certificate Management > Certificates tab.

    Note – For TLS encryption to work, the Scan TLS encrypted POP3 traffic checkbox in the TLS Settings section has to be enabled. For POP3 servers not defined here or not having a TLS certificate, you can select a default TLS certificate in the TLS Settings section.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The POP3 server is defined.

If no POP3 server is specified and a mail gets caught by the proxy, the proxy immediately replaces the mail, in the same connection, with a notification to the recipient stating that the mail has been quarantined. The quarantined mail can be viewed in Mail Manager, but it is not associated with a server or account and therefore cannot be released in a later connection. Generally, releasing emails from quarantine only works for prefetched messages.

There are two scenarios:

  • If POP3 server(s) are given and prefetching is disabled, the proxy keeps track of which quarantined mails belong to which server/account. Thus, quarantined mail can be released the next time the client polls the mailbox. For this to work, the proxy has to safely identify which IP addresses belong to which server (by their FQDN which you have entered in your mail client).
  • If POP3 server(s) are given and prefetching is enabled, the POP3 proxy periodically checks the POP3 server(s) for new messages. If a new message has arrived, it will be copied to the POP3 proxy, scanned, and stored in a database on Sophos UTM on AWS. The message remains on the POP3 server. When a client tries to fetch new messages, it communicates with the POP3 proxy instead and only retrieves messages from this database.

A POP3 proxy supporting prefetching has a variety of benefits, among others:

  • No timeout problems between client and proxy or vice versa.
  • Delivery of messages is much faster because emails have been scanned in advance.
  • Blocked messages can be released from the User Portal—they will then be included in the next fetch.

If a message was blocked because it contained malicious content or because it was identified as spam, it will not be delivered to the client. Instead, such a message will be sent to the quarantine. A message held in quarantine is stored in the Mail Manager section of the User Portal, from where it can be deleted or released.

Use prefetch mode: To enable prefetch mode, select the checkbox and add one or more POP3 servers to the POP3 Servers box.

Prefetch interval: Select the time interval at which the POP3 proxy contacts the POP3 server to prefetch messages.

Note – The interval at which mail clients are allowed to connect to the POP3 server may vary from server to server. The prefetch interval should therefore not be set to a shorter interval than allowed by the POP3 server, because otherwise the download of POP3 messages would fail as long as the access to the POP3 server is blocked.
Note further that several mail clients may query the same POP3 account. Whenever messages are successfully fetched from a POP3 server, this restarts the timer that determines when the server can be accessed the next time. If for that reason the POP3 proxy cannot access a POP3 server four times in a row (default is every 15 minutes), the account password will be deleted from the proxy's mail database and no emails will be fetched until a mail client sends the password to the POP3 server again and successfully logs in.

Delete quarantined mails from server: When you select this option, quarantined messages will be deleted from the POP3 server immediately. This is useful to prevent users from getting spam or virus messages when they connect to the POP3 server not via Sophos UTM on AWS but, for example, via the POP3 server's web portal.

If the email client is configured to delete messages from the server after retrieving them, this information will be stored in the database, too. The next time the proxy prefetches messages for this POP3 account, it will delete the messages from the server. This means that as long as no client fetches the messages from Sophos UTM on AWS and no delete command is configured, no message will be deleted from the POP3 server. Therefore, they can still be read, for example, via the web portal of the email provider.

Quarantined messages are deleted from the POP3 server in the following cases:

  • Messages are manually deleted via the Mail Manager.
  • Messages are manually deleted by users via the User Portal.
  • The message was released (either through the Quarantine Report or the User Portal) and the user's email client is configured to delete messages upon delivery.
  • The notification message has been deleted.
  • After the storage period has expired (see section Configuration in chapter Mail Manager).

In prefetch mode, however, spam messages in quarantine cannot be deleted from the POP3 server directly by means of a client command.

Note – The email client must successfully connect to the POP3 server at least once for the prefetch function to operate properly. This is because Sophos UTM on AWS needs to store the name of the POP3 server, the username, and the user's password in a database in order to fetch POP3 messages on behalf of this user. This, however, cannot be achieved by configuring POP3 account credentials in the Sophos User Portal. The POP3 account credentials in the User Portal are needed for prefetched messages to appear in this user's portal and daily Quarantine Report.

Note for fetchmail users: Using the TOP method to download emails from the mail server is not supported for security reasons, because messages that are received through TOP cannot be scanned. It will work if you specify the fetchall option (-a on command line). For more information, see "RETR or TOP" in the fetchmail manual.

Preferred Charset

In this section you can select a charset other than UTF-8 to be used for those mail headers that have been changed in some way by Sophos UTM on AWS (e.g. BATV). This is useful if your users use mail clients that do not understand UTF-8. Generally, the default charset for mail headers works fine for every region. Therefore, only change this setting if you are sure this is what you want. If in doubt, keep the default UTF-8.

TLS Settings

Scan TLS encrypted POP3 traffic: If enabled, Sophos UTM on AWS will scan TLS encrypted POP3 traffic. For this to work, TLS certificates have to be defined for the POP3 servers accessed by the POP3 clients (see POP3 Servers and Prefetch Settings section above and TLS certificate checkbox below).

If disabled, and a POP3 client tries to access a POP3 server via TLS, the connection will not be established.

TLS certificate: Select a certificate from the drop-down list which will be used for TLS encryption with all POP3 clients supporting TLS and trying to access a POP3 server that either is not listed in the POP3 servers box above or does not have a matching TLS certificate associated. The selected certificate will be presented to the POP3 client. POP3 clients usually verify that the TLS certificate presented by the POP3 server matches the configured POP3 server name. For this reason, most POP3 clients will display a warning that the certificate's hostname does not match the expected configured POP3 server's name. However, users can dismiss the warning and connect nevertheless. If you want to avoid this warning, add all used POP3 servers to the POP3 servers box above and configure matching TLS certificates for each of them.

If no certificate is selected here, and a POP3 client tries to access a POP3 server via TLS that is not listed in the POP3 servers box or does not have a matching TLS certificate associated, the connection will not be established.
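
The rules above decide, per POP3 server name, whether a TLS-verifying client connects cleanly, sees a name-mismatch warning, or gets no connection. The following Python is an added example, not Sophos code, that applies those rules to an inventory; the hostnames and certificate name lists are constructed, and it assumes that a certificate assigned to a listed server is always the one presented for that server.

```python
# Added example: models the certificate-selection rules described in this section.
# Hostnames and certificate name lists below are constructed sample data.

def name_matches(pattern, host):
    """Match a certificate DNS name against a hostname, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label: *.example.net matches
        # mail.example.net, not a.mail.example.net; bare *.net is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def client_outcome(host, servers, default_cert, scan_tls=True):
    """Predict what a POP3 client configured for `host` sees when it uses TLS.

    servers: {lowercase POP3 server name: certificate DNS names, or None}
    default_cert: DNS names of the default TLS certificate, or None
    """
    if not scan_tls:
        return "refused"                 # TLS scanning disabled
    cert = servers.get(host.lower().rstrip("."))
    if cert is None:                     # not listed, or listed without a certificate
        cert = default_cert              # assumption: fall back to the default
    if cert is None:
        return "refused"                 # no certificate available at all
    if any(name_matches(name, host) for name in cert):
        return "ok"
    return "name-mismatch-warning"       # client warns; user may dismiss it

def audit(client_hosts, servers, default_cert, scan_tls=True):
    """Return {host: outcome} for every server name configured in mail clients."""
    return {h: client_outcome(h, servers, default_cert, scan_tls) for h in client_hosts}

SERVERS = {                              # constructed inventory
    "pop.example.com": ["pop.example.com"],
    "mail.example.net": ["*.example.net"],
    "pop3.partner.example": None,        # listed, no certificate assigned
}
DEFAULT_CERT = ["utm.example.com"]
CLIENT_HOSTS = ["pop.example.com", "mail.example.net",
                "pop3.partner.example", "pop.unlisted.example"]

if __name__ == "__main__":
    for host, outcome in audit(CLIENT_HOSTS, SERVERS, DEFAULT_CERT).items():
        print(f"{host:24} {outcome}")
```

Every name reported as name-mismatch-warning is a server that still needs its own entry in the POP3 servers box with a matching certificate.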

Tip – You can create or upload certificates on the Site-to-site VPN > Certificate Management > Certificates tab.