Summary
Implement URL rewriting for inbound emails that redirects all links through a Hermes safe-link proxy endpoint. When a user clicks a rewritten link, Hermes checks the URL against malicious URL services (e.g., VirusTotal, Google Safe Browsing) before redirecting the user to the original destination. Outbound emails should have rewritten URLs restored to their original form.
Why
URL-based phishing and malware delivery is one of the most common email attack vectors. Even if an email passes spam/virus checks at delivery time, the linked URL may become malicious after delivery (delayed weaponization). Safe-link rewriting protects users at click-time, not just at delivery time.
Inbound Flow
- Email arrives and passes through Amavis content filtering
- Before delivery to mailbox (or relay), a URL rewriting filter processes the message body
- All URLs (http/https) in the email body are replaced with a Hermes proxy URL:
- Original:
https://example.com/page
- Rewritten:
https://hermes-console/safe-link?url=<encoded-original>&token=<HMAC>
- The HMAC token prevents tampering with the encoded URL
- Email is delivered with rewritten URLs
Click-Time Checking
- User clicks rewritten link in their email client
- Browser hits Hermes
/safe-link endpoint
- Hermes decodes and validates the URL (HMAC check)
- Hermes checks the URL against one or more threat intelligence services:
- VirusTotal API (free tier: 4 req/min, 500 req/day)
- Google Safe Browsing API (free tier: 10,000 req/day)
- URLhaus (free, no API key needed)
- Cache results to reduce API calls
- If safe: redirect user to original URL
- If malicious: show warning page with option to proceed or go back
- If service unavailable: configurable behavior (allow with warning, or block)
Outbound Flow
- When an email is sent outbound (relay), check if it contains Hermes rewritten URLs
- Restore all rewritten URLs to their original form before sending
- This prevents Hermes internal URLs from leaking to external recipients
Admin Settings
- Enable/disable URL rewriting globally
- Choose threat intelligence provider(s)
- API key configuration for VirusTotal/Google Safe Browsing
- Cache TTL for URL check results
- Whitelist domains that should never be rewritten (e.g., internal domains)
- Action on service unavailable (allow/warn/block)
Technical Considerations
- URL rewriting could be done via Amavis custom hook, a Postfix content filter, or a Sieve filter
- The safe-link endpoint should be publicly accessible (no Authelia) since email recipients click from external clients
- HMAC signing prevents URL manipulation
- Consider database table for caching URL check results with TTL
- Rate limiting on the safe-link endpoint to prevent abuse
- Handle HTML emails (rewrite href attributes) and plain text emails (rewrite bare URLs)
Similar Products
- Microsoft Defender Safe Links
- Proofpoint URL Defense
- Mimecast URL Protect
- Barracuda Link Protection
Dependencies
Summary
Implement URL rewriting for inbound emails that redirects all links through a Hermes safe-link proxy endpoint. When a user clicks a rewritten link, Hermes checks the URL against malicious URL services (e.g., VirusTotal, Google Safe Browsing) before redirecting the user to the original destination. Outbound emails should have rewritten URLs restored to their original form.
Why
URL-based phishing and malware delivery is one of the most common email attack vectors. Even if an email passes spam/virus checks at delivery time, the linked URL may become malicious after delivery (delayed weaponization). Safe-link rewriting protects users at click-time, not just at delivery time.
Inbound Flow
https://example.com/pagehttps://hermes-console/safe-link?url=<encoded-original>&token=<HMAC>Click-Time Checking
/safe-linkendpointOutbound Flow
Admin Settings
Technical Considerations
Similar Products
Dependencies