Yandex Mail integration with external data loss prevention systems

To protect outgoing mail from leaks, you can use DLP systems in Yandex 360 for Business. DLP (Data Loss Prevention) is a technology that helps detect and prevent unauthorized disclosure of confidential information by employees, such as personal data, trade secrets, intellectual property, and so on.

Integration with DLP systems is available with the Advanced and Optimal plans.

How it works

After setting up the integration, all outgoing employee emails are routed to the DLP system. DLP uses the set filters to determine whether the outgoing mail contains data that's considered confidential. If a violation is detected, the system acts according to its settings: sends notifications to the security administrator, records the event in the internal audit log, and so on.

You can also use a DLP system to check incoming emails for restricted information, phishing, and spam.

Alert

The default maximum throughput for DLP systems is 10,000 emails/hour. The limit applies to all emails in total: both outgoing and incoming. To increase the limit, contact your account manager.

Setting up communication with DLP

  1. In your Yandex 360 for Business organization, create a separate user for working with the DLP system (for example, with the username "dlp"). How to do this

  2. Set up forwarding of outgoing mail of all employees to the mailbox of the DLP user you've created. This is done via the API.

    1. Use the instructions on the Accessing the API page to issue an OAuth token. When creating an application, select the permissions ya360_admin:mail_read_routing_rules and ya360_admin:mail_write_routing_rules.

      If you've already created an OAuth application, but it doesn't have the necessary permissions, add them. After saving the changes, the system will prompt you to issue a new token.

    2. Find your organization ID: open admin.yandex.ru and select General settings → Company profile. You can see the ID below the organization name.

      Screenshot

    3. Get the list of message filters configured in your organization — you need to update it.

      1. Create and submit an API request to get the list of filters:

        • HTTP method: GET

        • Request URL:

          https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules

          where {ORGANIZATION} is the ID of the organization you got at Step 2.2.

          Example
          https://api360.yandex.net/admin/v1/org/1234567/mail/routing/rules

        • Header:

          Authorization: OAuth {OAUTH-TOKEN}

          where {OAUTH-TOKEN} is the OAuth token you got at Step 2.1.

        If you use Windows, you can submit a request to get the list of message filters using a curl command formatted as follows:

        curl -X GET -H "Authorization: OAuth {OAUTH-TOKEN}" https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules

        where

        {OAUTH-TOKEN} is the OAuth token you got at Step 2.1.
        {ORGANIZATION} is the ID of the organization you got at Step 2.2.

        I don't understand how to do this
        1. Prepare the command: copy the example into any text editor, replacing the values with your token and organization ID.
        2. Click the search button on the Windows taskbar, type cmd in the search bar, and press Enter.
        3. The "Command line" window will open. Insert the command you've prepared there and press Enter.

      2. Analyze the response you receive:

        • If there are no message filters in the list, proceed to the next step.
        • If the list is not empty, copy the response, create a file in any text editor, paste the response there, and save it in JSON format (for example, with the name rules-list.json).

    4. Prepare a new list of filters. The exact steps depend on the response received to the previous request.

      At the beginning of the list, add a filter for forwarding outbound messages to the DLP user's mailbox.

      1. Use a text editor to open the rules-list.json file.

      2. After {"rules":[, add the following code:

        {"terminal":false,"condition":{},"actions":[{"data":{"email":"dlp@domain.ru"},"action":"forward"}],"scope":{"direction":"outbound"}},

        where dlp@domain.ru is the email address of the user created at Step 1.

      3. Save the file with the name rules-list-new.json.

      Create a file with the name rules-list-new.json and the following contents:

      {
  "rules": [
    {
      "terminal": false,
      "condition": {},
      "actions": [
        {
          "data": {
            "email": "dlp@domain.ru"
          },
          "action": "forward"
        }
      ],
      "scope": {
        "direction": "outbound"
      }
    }
  ]
}

      where dlp@domain.ru is the email address of the user created at Step 1.

    5. Create and submit an API request that creates a filter for forwarding outbound mail.

      • HTTP method: PUT

      • Request URL:

      https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules

      where {ORGANIZATION} is the ID of the organization you got at Step 2.2.

      • Headers:

        Authorization: OAuth {OAUTH-TOKEN}
Content-Type: application/json

        where {OAUTH-TOKEN} is the OAuth token you got at Step 2.1.

      • Request body is in the rules-list-new.json file you created at Step 2.4.

      If you use Windows, you can submit a request to create a mail forwarding filter using a curl command formatted as follows:

      curl -X PUT -H "Authorization: OAuth {OAUTH-TOKEN}" -H "Content-Type: application/json" -d "@rules-list-new.json" https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules

      where

      {OAUTH-TOKEN} is the OAuth token you got at Step 2.1.

      rules-list-new.json is the file with the request body you created at Step 2.4.

      {ORGANIZATION} is the ID of the organization you got at Step 2.2.

      I don't understand how to do this
      1. Prepare the command: copy the example into any text editor, replacing the values with your token and organization ID.
      2. Open the folder containing the rules-list-new.json file.
      3. Click on empty space in the address bar.
      4. Type cmd there and press Enter.
      5. The "Command line" window will open. Insert the command you've prepared and press Enter.

    6. You can verify that the filter has been created by submitting an API request to view message filters following the instructions from Step 2.3.

  3. To check incoming messages for confidential information, you need to set up filters that forward these emails to the DLP user's mailbox. You can do this in the Yandex 360 for Business interface by following the instruction.

  4. Set up the DLP user's mailbox to work over the IMAP protocol:

    1. Open the Email clients section in the Yandex Mail settings of the DLP user.

    2. In the Use a mail client to retrieve your Yandex mail section, select the options:

      • From the imap.yandex.com server via IMAP
      • IMAP authorization methodApp passwords and OAuth tokens

    3. Save your changes.

  5. Create an application password to access the DLP user's mailbox:

    1. Go to the App passwords page of Yandex ID of the DLP user.

    2. In Create an app password, click in Email address.

    3. Come up with a password name, such as "dlp-access". The password will be displayed in the list under this name.

    4. Click Next. The generated password will appear on the screen. Copy and save it.

      Alert

      The password is only shown once. If you closed the window without saving it, delete the current password and create a new one.

  6. In the external DLP system, configure the connection to the DLP user's mailbox over IMAP using the generated application password. General setup parameters:

    • Mail server address — imap.yandex.ru.
    • Connection security — SSL.
    • Port — 993.

For detailed setup instructions, refer to the documentation or support of your DLP system's developers.

Contact support

An API is a special mechanism for managing Yandex 360 services designed primarily for process automation. There are two ways to work with the API: create a special application (which can be done by a developer) or use the computer's command line. You can find the developer documentation here.

Special software that protects data from theft or leakage.

Special code allowing access to data on behalf of a specific user.

A universal format for representing structured data in the form of text. It's widely used in web development, APIs, data exchange, and information storage.

A two-way protocol for receiving messages from the mail server. Messages and folders are stored on the server and synchronized with the email client, giving you the option to access your email on different devices. We recommend using the IMAP protocol for Yandex Mail.

Previous
How to improve security
Next
Service applications