AXIGEN Mail Server System Administrator's Manual


Product version 6.0
Last update on: 3/20/2008 6:52:15 PM
Document version: 1.0

Copyright & trademark notices

Notices

This edition applies to version 6.0 of the licensed program AXIGEN and to all subsequent releases and modifications until otherwise indicated in new editions.

References in this publication to GECAD TECHNOLOGIES S.A. products, programs, or services do not imply that GECAD TECHNOLOGIES S.A. intends to make these available in all countries in which GECAD TECHNOLOGIES S.A. operates. Evaluation and verification of operation in conjunction with other products, except those expressly designated by GECAD TECHNOLOGIES S.A., are the user's responsibility.

GECAD TECHNOLOGIES S.A. may have patents or pending patent applications covering subject matter in this document. Supplying this document does not give you any license to these patents. You can send license inquiries, in writing, to the GECAD TECHNOLOGIES S.A. sales department,

Copyright Acknowledgement

(c) GECAD TECHNOLOGIES S.A All rights reserved.

This document is copyrighted and all rights are reserved by GECAD TECHNOLOGIES S.A. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system without the permission in writing from GECAD TECHNOLOGIES S.A.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. GECAD TECHNOLOGIES S.A. will not be responsible for any loss, costs or damages incurred due to the use of this documentation.

AXIGEN TM Mail Server is a SOFTWARE PRODUCT of GECAD TECHNOLOGIES S.A. GECAD TECHNOLOGIES and AXIGEN TM are trademarks of GECAD TECHNOLOGIES S.A. Other company, product or service names may be trademarks or service marks of others.

GECAD TECHNOLOGIES S.A.
10A Dimitrie Pompeiu Blvd., Connect Business Center, 2nd fl., Bucharest 2, ROMANIA; phone: ; fax: ;
Sales: sales@axigen.com
Technical support: support@axigen.com
Website:

Table of Contents

Introduction Purpose of this Document Structure of this document Audience and knowledge requirements Related documentation

Chapter 1. Mail Server Overview OS Compatibility Integrated Messaging Solution High Configurability Innovative Storage Advanced Security Tools Automation Options Clustering Support

Chapter 2. Getting Started with AXIGEN Software and Hardware requirements Software requirements Hardware requirements Supported platforms Tested platforms Installing on Linux General installation steps Files Provided for Installation Installing under RHEL, Fedora Core, Mandrake and SUSE (gcc3) Installing under Fedora Core, Mandriva and SUSE (gcc4) Installing under Debian Installing under Debian 4.0 and Ubuntu Installing under Gentoo Installing under Slackware Installing on BSD Installing on FreeBSD Installing on NetBSD Installing on OpenBSD Installing on OpenBSD Installing on Solaris i386 and Sparc Uninstalling under Linux Uninstalling under RHEL, Fedora Core, Mandriva /Mandrake and SUSE (gcc3, gcc4) Uninstalling under Debian / Ubuntu Uninstalling under Gentoo Uninstalling under Slackware Uninstalling under BSD Uninstalling under FreeBSD Uninstalling under NetBSD Uninstalling under OpenBSD Uninstalling under Solaris Starting / Stopping / Restarting the Server Initial Server Configuration Setting the Admin Password Logging on to the WebAdmin Interface Creating a New Domain Adding an Account to an Existing Domain Automated Configuration with AXIGEN Configuration Wizard

Chapter 3. Mail Server Architecture Services and Modules Architecture Features Administration Tools Security Generic Server Configuration Running Services Other Generic Server Parameters Primary domain SSL Random File DNR Settings Logging DNR Options Nameservers Services and Modules SMTP Receiving Listeners Access Control Authentication Message Acceptance Rules Flow Control Milter Logging Loop Protection Error Control Thread Management Processing Logging Delivery Delivery Reports Queue Parameters Message statuses SMTP Sending Routing Rules Logging Thread Management POP Listeners Access Control Flow Control Logging Encryption and Authentication Error Control Thread Management Compatibility with various POP3 Mail Clients IMAP Listeners Access Control Flow Control Logging Encryption and Authentication Error Control Thread Management Compatibility with various IMAP Mail Clients Public Folders Internationalized Search Logging Log Service Overview Log Types AXIGEN Log levels Logging format Rules Attributes of the Log service Reporting WebMail Listeners Access Control Flow Control Logging HTTP Protocol Options WebMail Options Thread Management Storage Filling the Containers Space saving filling procedure FTP Backup Service Listeners Access Control Flow Control Logging Error Control Thread Management RPOP Service Logging Thread Management Connectivity and Threading Listeners Rules Allow/Deny Rules Rule Enforcement Policy Threads Clustering Support Cluster Overview LDAP Introduction Setting up a new directory service for the cluster Integrating an existing directory service with the cluster Basic Directory Setup LDAP Entry Structure LDAP Authentication AXIGEN Mapping System AXIGEN Authentication System AXIGEN Front-End Services Setup The SMTP Proxy The IMAP and POP3 Proxies The WebMail Proxy Mapping Setup AXIGEN Back-End Services Setup LDAP Routing Configuring OpenLDAP for AXIGEN Configuring LDAP Connectors in AXIGEN Configuring Mapping Parameters POP3 Proxy Service Listeners Access Control Flow Control Logging Encryption and Authentication Error Control Thread Management Back-end Server Connection Settings IMAP Proxy Service Listeners Access Control Flow Control Logging Encryption and Authentication Error Control Thread Management Back-end Server Connection Settings AXIGEN LDAP Authentication Integrating Active Directory into a cluster environment Exotic Cluster Setups Groupware and collaboration Personal Organizer & AXIGEN Outlook Connector User folders and permissions Computing permissions Permissions description Types of permissions

Chapter 4. Mail Server Security Routing Rules Authentication and Encryption Secure/Plain Connections and Authentication Methods SSL parameters Prerequisites and Settings for Each Active Directory User Defined for AXIGEN SPF and DomainKeys Command line parameters DomainKeys Verifier configuration DomainKeys Signer configuration Starting/Stopping/Restarting the Domain Keys Daemons Mail Filtering Filter Types Active Filters Filtering Levels Message Acceptance Rules Routing Rules Antivirus / Antispam Filters Message Rules SIEVE Overview and Implementation in AXIGEN SIEVE Overview The AXIGEN SIEVE interpreter Action interaction Vacation interaction Vacation Extension The AXIGEN Filtering Module Filtering Module Implementation in AXIGEN Configuring the AXIGEN Filtering Module AXIMilter configuration AXIGEN Filtering Module Commands Command line parameters Activating and Prioritising Filters and Rules Filter Priority Activation Inheritance Language Specifications for Policy Configuration Basic structure SMTP Events Methods Contexts Variables Structures Conditions Functions SMTP Functionalities (I) onconnect onehlo onmailfrom SMTP Functionalities (II) onrcptto onheadersreceived onbodychunk SMTP Functionalities (III) ondatareceived onrelay ondeliveryfailure ontemporarydeliveryfailure

Chapter 5. User and Domain Configuration Domains User Accounts Groups Mailing Lists Mailing List Server Overview Administration of the Mail List Message Flow for AXIGEN List Server Templates explained Public Folders

Chapter 6. Working with the WebMail Module in AXIGEN Accessing/Leaving the WebMail Interface WebMail Features and Configuration Navigating in Your WebMail Account Searching within your account Working with Messages in WebMail Main Button Bar Composing a new message Steps for editing a new message in AXIGEN WebMail Marking messages Deleting messages WebMail Folders Public Folders Special Folders Managing Folders in WebMail Managing Contacts in WebMail Working with the Personal Organizer in WebMail Working with your Journal Configuring Account Settings in WebMail Configuring Personal Data WebMail Data Settings Mail Filtering in WebMail WebMail Filters Overview Setting Sharing Permissions Global Permissions Folder permissions Share a folder Subscribe to folders shared by other users Configuring WebMail RPOP Connections Connection details Retrieval settings Security RPOP Templates WebMail Account Information WebMail Blacklist Requesting Temporary Addresses

Chapter 7. Using AXIGEN WebMail features in Outlook Installing the AXIGEN Outlook Connector Server Side Rules Folder Sharing Open/Close other user's folders Manage Global Permissions

Chapter 8. Administration Tools Overview Working with axigen.cfg Restrictions Definitions Structure of the axigen.cfg file

Chapter 9. Configuring AXIGEN using WebAdmin WebAdmin Overview WebAdmin Features Thread Management Log Control WebAdmin Flow Control HTTP Protocol Options for WebAdmin Session Options for WebAdmin Working with WebAdmin Saving the Configuration in WebAdmin Confirmation / Error Messages Displaying/Hiding the Contextual Help Configuring Global Settings Managing AXIGEN Services Configure the Running Services SMTP Receiving Tab Logging Loop Protection Error Control Thread Management SMTP Sending Tab Logging Thread Management IMAP Tab Logging Encryption and Authentication Error Control Thread Management POP3 Tab Logging Encryption and Authentication Error Control Thread Management WebMail Tab Logging HTTP Protocol Options Webmail Options Thread Management WebAdmin Tab Logging HTTP Protocol Options WebAdmin Options Thread Management DNR Tab Logging DNR Options Nameservers Remote POP Tab Logging Thread Management CLI Tab Logging CLI Options Error Control Thread Management Domains and Accounts The Manage Domains Tab Domains General Configuration Defining Domain Aliases Domain Message Filters Page Configuring the Message Appender Managing Account Defaults Account Defaults General Parameters Configuring Account Quotas and Restrictions Managing Account Quotas Configuring Restrictions Password Policy Enforcement Session restrictions WebMail Restrictions Message Sending Restrictions Remote POP Restrictions Temporary Addresses Restrictions Managing Account Filters Manage Accounts Tab Accounts General Page Account Aliases Account Aliases Management Configuring Quotas and Restrictions Managing Account Quotas Configuring Restrictions Password Policy Enforcement Session restrictions WebMail Restrictions Message Sending Restrictions Remote POP Restrictions Temporary Addresses Restrictions Parameter inheritance Account WebMail Options Appearance Options Account Preferences Contacts Settings Defining a Signature Managing Message Filters Admin Filters Incoming Message Rules General Settings for the New Message Rule New Message Rule Conditions New Message Rule Actions User Filters Incoming Messages Rules General Settings of the New Message Rule New Message Rule Conditions New Message Rule Actions Groups Tab Group General Configuration Groups Message Filters Mailing Lists Mailing Lists General Configuration Settings Services Info Members Subscription and Posting Subscription/Unsubscription Message posting Message Headers Message Templates Configuring Quotas and Restrictions Managing Mailing List Quotas Session Restrictions WebMail Restrictions Message Sending Restrictions Mailing Lists WebMail Options Appearance Options Preferences Mailing Lists Message Filters Configuring Public Folders Public Folders General Configuration Settings Configuring Public Folders Quotas Account Classes Tab Account Classes General Parameters Configuring Quotas and Restrictions Managing Account Quotas Configuring Restrictions Password Policy Enforcement Session restrictions WebMail Restrictions Message Sending Restrictions Remote POP Restrictions Temporary Addresses Restrictions Parameter inheritance Managing Message Filters Security & Filtering AntiVirus and AntiSpam Tab Supported AV/AS Applications Setting the AntiVirus Actions AntiSpam Configuration Setting a WhiteList Spam Thresholds Additional AntiSpam Methods BlackList Sender Policy Framework Domain Keys authentication DNSBL (DNS BlackList) Safe IPs/IP Ranges DNS Check Global Access Control Access Restriction Acceptance & Routing Tab Acceptance Basic Settings Received messages Allowed ESMTP Commands Allow/Disallow local delivery Override default SMTP banner Routing Basic Settings Setting a Smart Host Remote delivery Outgoing connection settings Advanced Settings Advanced Settings Adding a new acceptance or routing rule New rule conditions Incoming Message Rules Tab New Message Rule Page New rule conditions Actions Queue Processing Tab Logging Delivery Queue Parameters View Queue Viewing the Queue Detailed message information Actions to be taken for selected items Status & Monitoring Reporting Service Tab Logging Log types Data Collection SNMP Parameters Charts Tab Defined charts Available Chart Groups Refresh options Chart Parameters Configuration General settings Data Aggregation Display Settings Predefined styles Live Preview Storage Charts Overall Storage Per Domain Storage Detailed Storage Info All Storage Files & Domain Storage Object Storage & Message Storage Logging Local Services Log Local Services Log Overview Log Collection Rules Log Collection Rules Log Collection Rule Configuration Settings section Logging Rotation Parameters View Log Files Log files Viewing, deleting or downloading a log file Log Server Settings Listeners Logging Settings Backup and Restore Tab Logging Error Control Thread Management Automatic Migration Tab Clustering Section Clustering Setup LDAP Connectors Page Logging Parameters Thread Management User Maps Page Routing and Authentication Page POP3 Proxy Tab Logging Encryption and Authentication Error Control Thread Management Back-end Server Connection Settings IMAP Proxy Tab Logging Encryption and Authentication Error Control Thread Management Back-end Server Connection Settings Administration Rights Section Administrative Groups Tab Administrative Groups General General parameters Membership Membership hierarchy Members of the configured group Parents of the configured group Permissions Explicit Permissions Setting explicit permissions at server level Adding server permissions Setting explicit permissions at domain level Adding domain permissions Effective permissions Administrative Users Tab Administrative users' list Adding a new administrative user General General settings Membership Membership hierarchy Permissions Explicit Permissions Setting explicit permissions at server level Adding server permissions Setting explicit permissions at domain level Adding domain permissions Effective permissions Domain Admin Limits Configuration Domain Admin Limits Services Accounts and Account Classes Groups Mailing Lists Public Folders TCP Listeners and Control Rules Listeners Configuring General Parameters General settings Flow control Access Control Other settings SSL Parameters for Listeners SSL configuration Path to certificate file/authorities Access and Flow Control Rules Service Level Flow Control

Chapter 10. Configuring AXIGEN using CLI Service Description Special Contexts Login Context Initial Context Reporting Context Server Context Commands Context Commands-Server Context Commands-Storage Context Migration Context Common commands Connecting to CLI Troubleshoot the CLI Connection Context Specific Commands Login Context <login> Initial Context <#> Server Context <server#> CLI Context <server-cli#> Listener context <server-(service_name)-listener#> Allow Rule Context <server-(service_name)-listener-allowrule#> SSL Control Context <server-(service_name)-listener-sslcontrol#> Log Context <server-log#> Rule Context <server-log-rule#>

Chapter 11. Command Line Parameters for AXIGEN Display version Run in foreground Crash control Process ID Path to configuration file Using mqview tool to view status for messages in the queue POP3 Authentication

Chapter 12. RFCs Currently Implemented by AXIGEN POP POP3 and IMAP Specifications SMTP specifications SMTP service extensions IMAP specifications HTTP specifications: DNS specifications Sieve extensions implemented in AXIGEN Generic RFCs Mailing Lists FTP Groupware SNMP

Introduction

Purpose of this Document

Congratulations on your decision to choose AXIGEN Mail Server as your messaging solution. This document serves as a guide for AXIGEN Mail Server version 6.0 and subsequent versions until specified otherwise. Full information about AXIGEN product versions and licensing options can be found on the AXIGEN website. For an overview of AXIGEN Mail Server architecture and functionalities, see Chapter 3. Mail Server Architecture. Intended as a reference guide for system administrators, this manual includes full documentation on mail server architecture, functionalities and configuration options.

Structure of this document

This document is divided into 12 main chapters as follows:

Chapter 1 - Brief overview of main AXIGEN features (commercial and technical differentiators).

Chapter 2 - Server startup instructions (requirements / install / uninstall / initial configuration).

Chapters 3 through 7 - Descriptions of architecture (modules/services), security functions and user management. These chapters provide general information about the server capabilities and functionalities. They also include direct references to configuration instructions for each feature/set of parameters in Chapter 9.

Chapter 8 - Brief overview of all existing AXIGEN configuration tools and description of the configuration file (axigen.cfg).

Chapter 9 - WebAdmin (Web configuration interface) Administration Guide. This chapter provides detailed configuration instructions for all functionalities mentioned in Chapters 3-5. It also maps configuration options provided by WebAdmin to configuration parameters present in the axigen.cfg file, the AXIGEN text-editable configuration file.

Chapters 10 through 11 - Description of the Command Line Interface possible configurations and available Command Line Parameters that allow you to perform different basic administration tasks.

Chapter 12 - List of RFCs currently implemented by AXIGEN.

Audience and knowledge requirements

The intended audience for this manual is administrators of the mail servers in companies where version 6.0 of AXIGEN Mail Server is installed and evaluated. In order to build, extract and acquire the correct information from this manual, a regular audience should have:

- A detailed knowledge of general mail server abilities and functions
- Knowledge of network protocols

Related documentation

Additional information regarding AXIGEN can be found in the following sources:

- AXIGEN HSP manual - Contains detailed information on HSP, the AXIGEN proprietary server-side scripting language. This provides administrators with expansion capabilities for the AXIGEN WebAdmin / WebMail modules. (On demand only)
- AXIGEN Online documentation - an online version of this manual
- AXIGEN Quick Installation and Configuration guide - everything you need to get your server up and running
- AXIGEN Knowledgebase - articles containing specific instructions in response to Support queries and troubleshooting procedures

Chapter 1. Mail Server Overview

AXIGEN Mail Server is a fully self-developed solution, truly innovative in several respects, particularly scalable and configurable. This messaging solution offers the entire range of mail services (SMTP, POP3, IMAP, WebMail), includes List server, Logging, Reporting and FTP Backup modules, and provides various flexible administration options (including a central Web administration interface, WebAdmin).

OS Compatibility

It is currently available for several Linux distributions, FreeBSD, OpenBSD, NetBSD and Solaris, working on several architectures, such as x86, SPARC and PowerPC. The development roadmap includes versions for Windows, Mac OS and other operating systems. AXIGEN uses MPA (Multi Platform Architecture), a proprietary cutting-edge technology that allows porting the AXIGEN server to multiple platforms while keeping the same set of features. This makes it possible to adapt the product to any demanded platform, while guaranteeing stability, and makes it easier for users to switch to a different platform whenever their requirements change.

Integrated Messaging Solution

AXIGEN is an integrated service server, able to successfully replace a solution based on several Open Source solutions. It is also modular, as it can run with any number of services inhibited. For instance, if you only want to run the SMTP service, AXIGEN can run with all other services inhibited by allocating all processing threads to SMTP. Thus, AXIGEN can accommodate any usage scenario: main mail server, backup server, mail relay server.

High Configurability

Built with administration needs in mind, AXIGEN provides System Administrators with unmatched configuration possibilities for each and every module and feature. For each of them, you can fine-tune connection control and client management, and make advanced settings for every domain and account you are managing. An example of advanced service configuration options in AXIGEN would be WebMail account and domain settings: mailbox quota, attachment size limit, mail size limit, session idle & activity timeout, maximum number of messages sent per hour by one account, HTML filtering level for HTML messages, etc.

Innovative Storage

AXIGEN Mail Storage uses a proprietary technology which optimizes space and mail flow. This innovative storage architecture, doubled by a similar queue architecture with index-based access, reduces I/O operations and disk access. Messages are stored in container files, a proprietary format that supports an effective space-saving filling procedure, allowing system administrators to specify the locations and number of directories/files allowed for message storage.

Advanced Security Tools

In terms of security, an extensive and highly configurable security tool set is implemented. System Administrators can flexibly use the filtering rules available at server, domain and user level, by specifying what filters to use, the order of applicable filters and the actions to be taken according to the results of the scanning process. Filtering in AXIGEN includes Antivirus/Antispam, Antispoofing (SPF authentication rules), Domain Keys and custom SIEVE scripts. AXIGEN at present integrates connectors for Open Source Antispam and Antivirus applications (SpamAssassin and ClamAV), but thanks to its script interface for external connectors, it can integrate with virtually any AS/AV application requested by users.

Automation Options

AXIGEN addresses automation requirements of System Administrators by providing them with an alternative configuration interface, the CLI (Command Line Interface). Apart from providing an alternate method of performing basic configuration tasks, CLI automates repetitive tasks, which can be really time-consuming when performed manually. Automatic domain data migration is also available in WebAdmin, where you can easily set migration related parameters.

Clustering Support

AXIGEN allows system administrators to route SMTP, POP and IMAP connections to different machines running our messaging solutions. This new feature is based on the integration of AXIGEN with OpenLDAP and it makes use of the SMTP In, POP3 Proxy and IMAP Proxy services.

These are some of the distinctive AXIGEN features. To read more about them, their configuration procedures, and many more facilities and configuration options provided by AXIGEN, browse through this online documentation.

Chapter 2. Getting Started with AXIGEN

This section gets you started with AXIGEN Mail Server by outlining the software and hardware requirements your system needs to fulfill before you can install AXIGEN, the install and uninstall procedures for all available Linux distributions, BSD and Solaris platforms, and the configuration steps needed for the initial server run.

Software and Hardware requirements

Software requirements

AXIGEN has the following minimal software requirements:

- Linux OS, kernel 2.4/2.6
- glibc version or later
- libstdc++ version 3.2 or later

For BSD platforms requirements are as follows:

- FreeBSD 6.x
- NetBSD 3.0 or NetBSD 3.1
- OpenBSD 4.1 or OpenBSD 4.2

For Solaris requirements are as follows:

- Solaris 10

For all platforms:

- Internet Explorer 6 or later/ Firefox 2.0

Hardware requirements

AXIGEN has the following minimal hardware requirements:

- Processor: x86, minimum frequency 300 MHz
- RAM: 128 MB
- Available space on HDD: 50 MB free space for installation purposes and default configuration files. The actual space AXIGEN will take on your hard disk depends on the number of accounts, domains, mailboxes and the size of messages stored on the mail server.

Supported platforms

Linux (x86, 32-bit)
RedHat Enterprise Redhat Enterprise Linux 5 Redhat Enterprise Linux 4 Redhat Enterprise Linux 3 Fedora CentOS 5.x 4.x SUSE SUSE Linux Enterprise Server SLES 10 SLES 9 SUSE Linux Gentoo Novell Ubuntu OES Server 7.10 Server 7.04 Server 6.10 Server 6.06 Debian Mandriva Corporate Server 4 Slackware

BSD (x86, 32-bit)
FreeBSD 6.x OpenBSD NetBSD

Solaris Solaris 10 SPARC Solaris PPC Solaris 10 Fedora 8 RedHat Enterprise Redhat Enterprise Linux 4

Tested platforms

AXIGEN has been tested extensively and is guaranteed to work on the following Linux distributions: Gentoo, RedHat/Fedora, Slackware, Debian, Ubuntu, Mandrake/Mandriva, SUSE. AXIGEN also runs on BSD platforms (FreeBSD, NetBSD and OpenBSD) and on Solaris 10. AXIGEN runs on three different architectures: x86, PowerPC and SPARC.

Installing on Linux

The following section describes the general installation steps for AXIGEN on RedHat and SUSE distributions. For instructions related to a specific Linux distribution, please refer to the Install file included in the installation kit or read the sections corresponding to the respective Linux distribution.

General installation steps

Here are the general steps to be taken in order to install AXIGEN.

1. Unzip the original installation package. Read the Installing AXIGEN under RedHat and SUSE section for an example on how to unzip the installation files.
2. Install AXIGEN files. Read the Installing AXIGEN under RedHat and SUSE section for an example on how to install the product.
3. Configure axigen.cfg, as explained in the Configuring AXIGEN using axigen.cfg file section, in order to adjust the axigen.cfg file to your specific environment.
4. Start the AXIGEN server (read the Starting/Stopping/Restarting AXIGEN section for information on how to start AXIGEN).
5. Create domains/accounts for your AXIGEN installation (more information can be found in the User and Domain Configuration section).
6. Reconfigure axigen.cfg (if needed).
7. Reload the AXIGEN server. This way the changes committed in the main axigen.cfg file can take effect (changes to domains and accounts are made on the fly). Read the Starting/Stopping/Restarting AXIGEN section for information on how to reload AXIGEN.

After the installation, no daemons or related applications are started.

Files Provided for Installation

The installation kit consists of the following files:

- INSTALL
- UNINSTALL
- README
- Distribution-specific package file(s).

The following table shows the files and directories provided in the installation kit required for AXIGEN to run correctly:

Directory/File, followed by its Description

/etc/init.d/
/etc/init.d/axigen
    This is the initscript for AXIGEN. The script will start the daemon for the Gentoo, Debian, RedHat and SUSE distributions.

/etc/rc.d/rc3.d/s80axigen
/etc/rc.d/rc4.d/s80axigen
/etc/rc.d/rc5.d/s80axigen
    Symbolic links to the above mentioned initscript file, needed to start the daemon in the respective run levels (only for RedHat and SUSE distributions).

/etc/rc.d/rc.axigen
    This is the initscript for AXIGEN in the Slackware distribution.

/etc/conf.d/axigen
    This is the configuration file used by the AXIGEN initscript in the Gentoo distribution.

/etc/opt/
/etc/opt/axigen/
/etc/opt/axigen/axigen.cfg
    This is the main configuration file for AXIGEN.

/opt/axigen/
/opt/axigen/bin/
/opt/axigen/bin/axigen
    This is the AXIGEN daemon.

/opt/axigen/bin/mqview
    This is the executable to be used for viewing the status of the queued messages. Please refer to the Command Line Parameters section for instructions on using this tool.

/opt/axigen/share/
/opt/axigen/share/doc/
/opt/axigen/share/doc/readme
    Document containing the release notes for this version of AXIGEN.

/opt/axigen/share/doc/install
    Document containing the installation instructions for AXIGEN.

/opt/axigen/share/doc/uninstall
    Document containing the instructions for uninstalling AXIGEN.

/opt/axigen/share/doc/license
    Document containing the license for AXIGEN.

/opt/axigen/share/examples/
/opt/axigen/share/examples/axigen.cfg
/opt/axigen/share/examples/domain.cfg
/opt/axigen/share/examples/account.cfg
    Sample configuration files, containing the default values for AXIGEN parameters, as presented in this Manual.

/var/opt/
/var/opt/axigen/
/var/opt/axigen/webmail/
    Default directory used for storing files pertaining to AXIGEN WebMail module.
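A post-install check built from the paths in the file table above, as an added example (it is not part of the AXIGEN kit or of this manual): it confirms that the distribution-independent files exist, that the two binaries are executable, and that none of the paths is world-writable. The function names and the optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not shipped with AXIGEN: verify the installed layout against
# the file table in this manual. Function names and the root-prefix argument
# are hypothetical.

# Distribution-independent paths from the table, relative to the root prefix.
AXIGEN_PATHS="etc/opt/axigen/axigen.cfg
opt/axigen/bin/axigen
opt/axigen/bin/mqview
var/opt/axigen/webmail"

# Prints one line per finding; the return status is the number of findings,
# so 0 means the layout is complete and not world-writable.
axigen_check_layout() {
    root=${1:-/}
    root=${root%/}
    findings=0
    for rel in $AXIGEN_PATHS; do
        target="$root/$rel"
        if [ ! -e "$target" ]; then
            echo "MISSING $target"
            findings=$((findings + 1))
            continue
        fi
        # -perm -0002 matches when the "other" write bit is set, i.e. any
        # local user could alter the configuration, a binary or WebMail files.
        # -H resolves a symlink given on the command line; -prune stops find
        # from descending into directories.
        if [ -n "$(find -H "$target" -prune -perm -0002)" ]; then
            echo "WORLD-WRITABLE $target"
            findings=$((findings + 1))
        fi
        case $rel in
            opt/axigen/bin/*)
                if [ ! -x "$target" ]; then
                    echo "NOT-EXECUTABLE $target"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done
    return "$findings"
}

# Constructed demo tree (not a real installation): mqview is absent and
# axigen.cfg is world-writable, so the check reports two findings.
axigen_demo() {
    demo=$(mktemp -d) || return 99
    mkdir -p "$demo/etc/opt/axigen" "$demo/opt/axigen/bin" \
             "$demo/var/opt/axigen/webmail"
    chmod 755 "$demo/var/opt/axigen/webmail"
    : > "$demo/etc/opt/axigen/axigen.cfg"
    chmod 666 "$demo/etc/opt/axigen/axigen.cfg"
    : > "$demo/opt/axigen/bin/axigen"
    chmod 755 "$demo/opt/axigen/bin/axigen"
    rc=0
    axigen_check_layout "$demo" || rc=$?
    rm -rf "$demo"
    return "$rc"
}

axigen_demo || echo "findings in constructed tree: $?"
```

On an installed host, call `axigen_check_layout /` instead of the demo and treat a non-zero status as a reason to inspect the package installation before starting the daemon.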

29 Installing under RHEL, Fedora Core, Mandrake and SUSE (gcc3) In order to install the AXIGEN Mail Server on RHEL, Fedora Core, Mandrake and SUSE follow these instructions: 1. Unzip installation file Unzip the downloaded file by issuing the following command in the same directory as the downloaded file: tar xzvf <install kit file> For example, to unpack the AXIGEN RPM package for the i386 architecture type in the directory where the file is located: tar xzvf axigen i386.rpm.gcc3.tar.gz 2. Installation In order to install the RPM package, you must issue (while logged in as root) the following command, from the same directory with the rpm file: rpm -ivh axigen-version-build.i386.rpm For instance, the corresponding command for the 6.0 AXIGEN version will be: rpm -ivh axigen gcc3-1.i386.rpm After the installation no daemons or related application will be started. 3. Configuration Before you start AXIGEN, you need to configure it. You can do that by modifying the main configuration file (please refer to the Initial Configuration section for more information). 4. Start AXIGEN In both RedHat and SUSE, the AXIGEN server can be started via its initscript, by issuing this command: /etc/init.d/axigen start The above installation steps apply for the following gcc3 distributions: Redhat Enterprise Linux 3 and 4 SUSE Linux Enterprise Server 9 These installation instructions apply for all RPM based distros (RHEL, SUSE) Installing under Fedora Core, Mandriva and SUSE (gcc4) In order to install the AXIGEN Mail Server on gcc4 based distributions (RHEL, Fedora Core, Mandriva, SUSE), follow these instructions: 1. Unzip installation file Issue the following command, in the same directory as the downloaded file, to unzip the installation file: tar xzvf <install kit file> 29

For example, to unpack the AXIGEN installation file, type the command below in the directory where the file is located:

    tar xzvf axigen i386.rpm.tar.gz

2. Installation

Issue (while logged in as root) the following command, from the same directory as the rpm file:

    rpm -ivh axigen-version-build.i386.rpm

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    rpm -ivh axigen i386.rpm

After the installation, no daemons or related applications will be started.

3. Configuration

Before you start AXIGEN, you need to configure it. You can do that by modifying the main configuration file (please refer to the Initial Configuration section for more information).

4. Start AXIGEN

In RHEL, Fedora Core and Mandriva, the AXIGEN server can be started via its initscript, by issuing this command:

    /etc/init.d/axigen start

The above installation steps apply for the following gcc4 distributions:

- Redhat Enterprise Linux 5
- Fedora Core 7 or higher
- SUSE Linux 10.0 or higher
- Mandriva or higher

Installing under Debian 3.1

In order to install the AXIGEN Mail Server on Debian 3.1, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack the AXIGEN installation file for Debian 3.1 architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.deb31.tar.gz

2. Installation

In order to install the DEB package, you must issue (while logged in as root) the following command, from the same directory as the deb file:

    dpkg -i axigen_version-build_i386.deb

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    dpkg -i axigen_ _i386.deb

After the installation, no daemons or related applications will be started.

3. Configuration

Before you start AXIGEN, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start AXIGEN

In Debian 3.1, AXIGEN can be started via its initscript, by issuing:

    /etc/init.d/axigen start

The above installation steps apply for the following distributions:

- Debian 3.1 architecture

Installing under Debian 4.0 and Ubuntu

In order to install the AXIGEN Mail Server on Debian 4.0 and Ubuntu, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack the AXIGEN installation file for Debian architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.deb.tar.gz

2. Installation

In order to install the DEB package, you must issue (while logged in as root) the following command, from the same directory as the deb file:

    dpkg -i axigen_version-build_i386.deb

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    dpkg -i axigen_ _i386.deb

After the installation, no daemons or related applications will be started.

3. Configuration

Before you start AXIGEN, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start AXIGEN

In Debian, AXIGEN can be started via its initscript, by issuing:

    /etc/init.d/axigen start

These same instructions also apply to the Ubuntu distribution.

The above installation steps apply for the following distributions:

- Debian 4.0
- Ubuntu Server 6.06, 6.10, 7.04,

Installing under Gentoo

In order to install the AXIGEN Mail Server on Gentoo, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack the AXIGEN installation file for Gentoo architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.ebuild.tar.gz

2. Installation

In order to install the ebuild package, you must issue the following commands (while logged in as root) from the same directory as the ebuild file:

    ./prepare.sh
    emerge axigen

After the installation, no daemons or related applications are started.

3. Configuration

Before you start AXIGEN, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start AXIGEN

In Gentoo, AXIGEN can be started via its initscript, by issuing:

    /etc/init.d/axigen start

Several settings for the AXIGEN initscript are available via the following file (please read the comments from this file for information about using them):

    /etc/conf.d/axigen

The above installation steps apply for the following distributions:

- Gentoo ,

Installing under Slackware

In order to install the AXIGEN Mail Server on Slackware, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack AXIGEN TGZ for the Slackware architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.slack.tar.gz

2. Installation

In order to install the Slackware TGZ package, you must issue (while logged in as root) the following command, from the same directory as the tgz file:

    installpkg axigen-version.i386-1.tgz

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    installpkg axigen i386-1.tgz

After the installation, no daemons or related applications are started.

3. Configuration

Before you start AXIGEN, you need to configure it using the AXIGEN Configuration Wizard. For more details on this subject see the Automated Configuration with AXIGEN Configuration Wizard section.

4. Start AXIGEN

In Slackware, AXIGEN can be started via its initscript, by issuing:

    /etc/rc.d/rc.axigen start

In order to start the AXIGEN initscript at boot time, you need to add the following line in the /etc/rc.d/rc.local file:

    [ -x /etc/rc.d/rc.axigen ] && /etc/rc.d/rc.axigen start

and set the executable bit for the script:

    chmod +x /etc/rc.d/rc.axigen

2.3. Installing on BSD

AXIGEN is available for several BSD platforms: FreeBSD, NetBSD and OpenBSD. As a general rule, for BSD platforms, the install command is:

    pkg_add axigen-version.tgz

Installing on FreeBSD

In order to install the AXIGEN Mail Server on FreeBSD, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack AXIGEN TGZ for the FreeBSD architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.freebsd.tar.gz

2. Installation

Issue (while logged in as root) the following command, from the same directory as the tgz file:

    pkg_add axigen-version.tgz

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    pkg_add axigen tgz

After the installation, no daemons or related applications will be started.

3. Configure AXIGEN

Before you start the AXIGEN server, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information on each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start the AXIGEN server

In FreeBSD, the AXIGEN server can be started via its initscript, by issuing:

    /usr/local/etc/rc.d/axigen.sh start

Installing on NetBSD

In order to install the AXIGEN Mail Server on NetBSD, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack AXIGEN TGZ for the NetBSD architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.netbsd.tar.gz

2. Installation

In order to install the NetBSD package, you must issue (while logged in as root) the following command from the same directory as the tgz file:

    pkg_add axigen-version.tgz

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    pkg_add axigen tgz

After the installation, no daemons or related applications will be started.

3. Configure AXIGEN

Before you start the AXIGEN server, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start the AXIGEN server

In NetBSD, the AXIGEN server can be started via its initscript, by issuing:

    /etc/rc.d/axigen start

Installing on OpenBSD 4.1

In order to install the AXIGEN Mail Server on OpenBSD 4.1, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack AXIGEN TGZ for the OpenBSD 4.1 architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.openbsd41.tar.gz

2. Installation

In order to install the OpenBSD package, you must issue (while logged in as root) the following command, from the same directory as the tgz file:

    pkg_add axigen-version.tgz

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    pkg_add axigen tgz

After the installation, no daemons or related applications will be started.

3. Configure AXIGEN

Before you start the AXIGEN server, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start the AXIGEN server

In OpenBSD, the AXIGEN server can be started via its initscript, by issuing:

    /usr/local/bin/axigen.sh start

The above installation steps apply for the following distributions:

- OpenBSD

Installing on OpenBSD

In order to install the AXIGEN Mail Server on OpenBSD, follow these instructions:

1. Unzip installation file

Issue the following command, in the same directory as the downloaded file, to unzip the installation file:

    tar xzvf <install kit file>

For example, to unpack AXIGEN TGZ for the OpenBSD architecture, type the command below in the directory where the file is located:

    tar xzvf axigen i386.openbsd.tar.gz

2. Installation

In order to install the OpenBSD package, you must issue (while logged in as root) the following command from the same directory as the tgz file:

    pkg_add axigen-version.tgz

For instance, the corresponding command for the 6.0 AXIGEN version will be:

    pkg_add axigen tgz

After the installation, no daemons or related applications will be started.

3. Configure AXIGEN

Before you start the AXIGEN server, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

4. Start the AXIGEN server

In OpenBSD, the AXIGEN server can be started via its initscript, by issuing:

    /usr/local/bin/axigen.sh start

The above installation steps apply for the following distributions:

- OpenBSD

Installing on Solaris i386 and Sparc

In order to install the AXIGEN Mail Server on Solaris, follow these instructions:

1. Installation

In order to install the Solaris/SunOS package, you must issue (while logged in as root) the following commands, from the same directory as the AXIGEN installation kit:

    gunzip axigen-version.tar.gz
    tar xvf axigen-version.tar
    pkgadd -d .

For instance, for the 6.0 AXIGEN version the corresponding commands will be:

For Solaris i386:

    gunzip axigen i386.solaris.tar.gz
    tar xvf axigen i386.solaris.tar
    pkgadd -d .

For Solaris Sparc:

    gunzip axigen sparc.solaris.tar.gz
    tar xvf axigen sparc.solaris.tar
    pkgadd -d .

After the installation, no daemons or related applications will be started.

2. Configuration

Before you start the AXIGEN server, you need to configure it. You can do that by modifying the main configuration file and the other specific configuration files (please refer to the README file from the installation kit for more information about their names and locations). More information about each configuration setting can be found, as comments, in the sample configuration files installed by default.

3. Start the AXIGEN server

In Solaris/SunOS, the AXIGEN server can be started via its initscript, by issuing:

    /etc/init.d/axigen start

2.5. Uninstalling under Linux

This section provides instructions on how to uninstall the AXIGEN Mail Server under all available Linux distributions.

Uninstalling under RHEL, Fedora Core, Mandriva/Mandrake and SUSE (gcc3, gcc4)

To uninstall the AXIGEN mail server under RHEL, Fedora Core, Mandriva/Mandrake and SUSE:

1. Remove the AXIGEN RPM package

In order to remove the AXIGEN package and its related files and directories, issue the following command, while logged in as root:

    rpm -e axigen

This command will also stop the AXIGEN daemon.

2. Optional: Remove the rest of the files/directories

The command from the first step does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or directories that were not created as a result of the installation. All the files and/or directories that are contained in the following locations must be deleted manually:

    /etc/opt/axigen/
    /var/opt/axigen/

The above installation steps apply for the following gcc3 distributions:

- Redhat Enterprise Linux 3 and 4
- SUSE Linux Enterprise Server 9

and the following gcc4 distributions:

- Fedora Core 7 or 8
- SUSE Linux 10.0 or higher
- Mandriva or higher

Uninstalling under Debian / Ubuntu

To uninstall AXIGEN under Debian or Ubuntu, go through the following steps:

1. Remove the AXIGEN package

In order to remove the AXIGEN package and its related files and directories, you have two options:

- while logged in as root, issue the command: dpkg -P axigen (to "purge" the package; this is the recommended option)
- while logged in as root, issue the command: dpkg -r axigen (to "remove" the package).

These commands also stop the AXIGEN daemon.

2. Optional: Remove the rest of the files/directories

The commands at Step 1 do not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. All the files and/or directories that are contained in the following locations must be deleted manually:

    /etc/opt/axigen/
    /var/opt/axigen/
    /opt/axigen/

Uninstalling under Gentoo

Here are the steps to be taken in order to uninstall AXIGEN under Gentoo:

1. Remove the AXIGEN ebuild package

In order to remove the AXIGEN package and its related files and directories, issue the following command, while logged in as root:

    emerge --unmerge axigen

This command also stops the AXIGEN daemon.

2. Optional: Remove the rest of the files/directories

The command at Step 1 does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. All the files and/or directories that are contained in the following locations must be deleted manually:

    /etc/opt/axigen/
    /var/opt/axigen/
    /opt/axigen/

Uninstalling under Slackware

Here are the steps to be taken in order to uninstall AXIGEN under Slackware:

1. Remove the AXIGEN Slackware TGZ package

In order to remove the AXIGEN package and its related files and directories, issue the following commands, while logged in as root:

First, stop the AXIGEN daemon:

    /etc/rc.d/rc.axigen stop

Then remove the AXIGEN package:

    removepkg axigen-version-i386

For instance, to remove AXIGEN version 6.0.0, the corresponding command will be:

    removepkg axigen i

2. Optional: Remove the rest of the files/directories

The command at Step 1 does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. All the files and/or directories that are contained in the following locations must be deleted manually:

    /etc/opt/axigen/
    /var/opt/axigen/
    /opt/axigen/

Also, you can remove the following line from /etc/rc.d/rc.local:

    [ -x /etc/rc.d/rc.axigen ] && /etc/rc.d/rc.axigen start

2.6. Uninstalling under BSD

The generic command used to uninstall the AXIGEN Mail Server for BSD platforms is:

    pkg_delete axigen-version

Uninstalling under FreeBSD

To uninstall AXIGEN Mail Server, follow these instructions:

1. Remove the AXIGEN package

In order to remove the AXIGEN package and its related files and directories, issue the following commands, while logged in as root:

First, stop the AXIGEN daemon:

    /usr/local/etc/rc.d/axigen.sh stop

Then remove the package:

    pkg_delete axigen-version

To uninstall version the corresponding command is:

    pkg_delete axigen

2. Optional: Remove the rest of the files/directories

The command from the first step does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. These files must be removed manually.

Uninstalling under NetBSD

To uninstall AXIGEN Mail Server, follow these instructions:

1. Remove the AXIGEN package

In order to remove the AXIGEN package and its related files and directories, issue the following commands, while logged in as root:

First, stop the AXIGEN daemon:

    /etc/rc.d/axigen stop

Then remove the package:

    pkg_delete axigen-version

For AXIGEN Mail Server version the corresponding command would be:

    pkg_delete axigen

2. Optional: Remove the rest of the files/directories

The command at the first step does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. These files must be removed manually.

Uninstalling under OpenBSD

To uninstall AXIGEN Mail Server, follow these instructions:

1. Remove the AXIGEN package

In order to remove the AXIGEN package and its related files and directories, issue the following commands, while logged in as root:

First, stop the AXIGEN daemon:

    /usr/local/bin/axigen.sh stop

Then remove the package:

    pkg_delete axigen-version

To remove AXIGEN Mail Server version 6.0.0, the corresponding command is:

    pkg_delete axigen

2. Optional: Remove the rest of the files/directories

The command from the first step does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. These files must be removed manually.

2.7. Uninstalling under Solaris

Here are the steps to be taken in order to uninstall AXIGEN under Solaris:

1. Remove the AXIGEN package

In order to remove the AXIGEN package and its related files and directories, issue the following commands, while logged in as root:

First, stop the AXIGEN daemon:

    /etc/init.d/axigen stop

Then remove the package:

    pkgrm GCADAxigen

2. Optional: Remove the rest of the files/directories

The command from the first step does not automatically remove the files that were modified after the installation (such as configuration files), non-empty directories and other files or folders that were not created as a result of the installation. These files must be removed manually.

Starting / Stopping / Restarting the Server

This section lists common commands meant to start / stop / restart the server and the axigenfilters script for various Linux distributions and FreeBSD. The 'axigenfilters' script manages (starts, stops and restarts) the Bundled SpamAssassin, the AXiMilter, the AXIGEN Signing Module and the AXIGEN Verifying Module. For the 'axigenfilters' script commands, replace axigen with axigenfilters in all the commands below.

1. Linux

For RedHat, Debian, Gentoo and SUSE distributions, you can start the server with the following command:

    /etc/init.d/axigen start

To stop the server issue:

    /etc/init.d/axigen stop

In order to restart the AXIGEN daemon (in order to reload the new configuration settings, for instance), you can use the 'restart' parameter:

    /etc/init.d/axigen restart

To view the status of the AXIGEN daemon, you can pass the 'status' parameter:

    /etc/init.d/axigen status

In Slackware use the same commands applied to the /etc/rc.d/rc.axigen initscript, instead of /etc/init.d/axigen. For instance, to start the server issue:

    /etc/rc.d/rc.axigen start

2. FreeBSD

In FreeBSD, the AXIGEN server can be started via its initscript, by issuing:

    /usr/local/etc/rc.d/axigen.sh start

3. Solaris

In Solaris/SunOS, the AXIGEN server can be started via its initscript, by issuing:

    /etc/init.d/axigen start

To stop the server, you can issue:

    /etc/init.d/axigen stop

In order to restart the AXIGEN daemon, you can use:

    /etc/init.d/axigen restart

To reload the AXIGEN daemon (i.e. for new configuration settings to take effect), you can pass the 'reload' parameter to the initscript:

    /etc/init.d/axigen reload

To view the AXIGEN daemon status, you can pass the 'status' parameter:

    /etc/init.d/axigen status

2.9. Initial Server Configuration

This section describes the basic server configuration that you need to do in order to get your server up and running: setting the admin password, enabling the Web configuration interface, creating a domain and adding accounts. Some of these actions can also be performed automatically using the AXIGEN Configuration Wizard, also described in this section.

Setting the Admin Password

Before accessing the WebAdmin interface it is mandatory to set the password for the AXIGEN admin account. To do that, go through these steps:

1. If the AXIGEN server is running, first stop it, using the following command:

    /etc/init.d/axigen stop

2. Run AXIGEN only with the -A (or --admin-passwd) option.

3. Example:

    /opt/axigen/bin/axigen -A <password>

4. Restart the server.

    /etc/init.d/axigen restart

Note: Currently you can use this password only with the admin username. For details on how to set the password using the Configuration Wizard, see the corresponding section.

Logging on to the WebAdmin Interface

In AXIGEN 6.0, the WebAdmin service is enabled by default. According to the default configuration, the WebAdmin module listens on the 9000/tcp port. When typing in the IP/port combination to WebAdmin in your browser, the following login window will be displayed:

To configure the WebAdmin service for remote access, you can either do so when configuring it within the AXIGEN Configuration Wizard, or by modifying the IP/port combination in the axigen.cfg configuration file. For the configuration file option, follow the procedure below:

1. In the webadmin {} context, configure the default listener:

    webadmin = {
        ...
        listeners = (
            {
                address = :9000
                enable = yes
                ...
            }

2. You need to set in the listener's address parameter the IP address of the machine on which AXIGEN is installed. Or, you can set this parameter to (in this case, the listener will listen to all machine interfaces). When accessing the AXIGEN WebMail, you need to replace the IP from the URL with the IP address of the machine on which the AXIGEN Mail Server is installed. For example, if the machine running AXIGEN has the IP address, change the IP/port data under Server->WebAdmin->Listeners->Address to match your IP/port:

    server {
        ...
        webadmin {
            ...
            listeners = (
                {
                    ...
                    address = :9000
                    enable = yes

Remember to reload your AXIGEN Mail Server after each change in the configuration files.

3. Check the system log file(s) for confirmation that the WebAdmin service is correctly loaded. The system log file should display a message similar to the one below:

    ...info: WEBADMIN: listener added : SUCCESS: WEBADMIN: started

You can now log in to WebAdmin. Start your favorite browser and enter the IP/port pair you have configured. In the example set above, the default address is Login using the admin username and the password you have previously set. For details on how to set the WebAdmin interface automatically, see the AXIGEN Configuration Wizard section.

Creating a New Domain

The AXIGEN mail server stores each created domain in a unique domain location. The default location in AXIGEN is /var/opt/axigen/domains (for Linux/Solaris) and /var/axigen/domains (for *BSD).

Important! When creating domains, one message storage location with the default 32GB size is recommended for each predicted 20GB of message occupied storage space. For larger spaces, additional message storage locations should be created or the default parameters modified in order to increase total average size for the location to correspond to the number of 20GB storages you need. It is recommended that the occupied space is 2/3 out of the storage location size.

You can add multiple message storage locations using WebAdmin (when creating the domain) or CLI (within the domain creation context). After creating the domain, additional locations cannot be added. When using CLI, the command to create multiple message storage locations is as follows:

    ADD MessagesLocation <path>

To create a new Domain, please follow the steps presented below:

1. Click on the Manage Domains tab. The following page is displayed.

2. To add a new domain, hit the Add Domain button displayed in the upper right corner of the Domain list.

3. Type the name of your domain in the New domain name text box.

Note: AXIGEN is RFC compliant in terms of characters you can use when creating new domains and/or accounts. Please refer to the relevant RFC standard, Internet message format, available for instance on

4. Specify a password to protect the selected domain in the Postmaster Password text area or click the Set Random button to select a random password combination. When using this button, the randomly assigned password is displayed under it.

5. Check the Enable MACL Support option so users belonging to this domain will be able to set different permission levels on their folders in order to share them.

6. Only on domain creation do you have the option to configure storage location details by clicking the Show button. Detailed information on storage is available in the corresponding Mail Server Architecture chapter.

7. Hit the Quick Add button to have the domain created with all the default parameters.

6. Hit the Advanced Config button to edit the domain-specific parameters according to your preferences. The following pages will be displayed:

7. Press the Save Configuration button (lower window section) to save your changes.

You have successfully created a new domain. You can see the domains you have created on the server at any time by clicking the Manage Domains tab.

Note: After defining your first domain, it will be set as primary domain. This will be considered your default domain for all incoming mail. You can make any domain primary at any time by pressing the corresponding Make primary button in the Domain list. To find out more about Domain configuration, see the Domains section.

Adding an Account to an Existing Domain

To add a new account to an existing domain:

1. In the WebAdmin page, click on the Manage Accounts tab.

2. Click on the domain for which you want to display the existing accounts or to add a new account. In the screenshot below no domain was selected.

3. In order to create a new account, click the Add Account button. The domain you are creating the account in is displayed in the Domain name field if you have already selected a certain domain. If you press the Add Account button prior to the domain selection, you will have to type the desired domain. Specify a name for the account you are creating in the Account Name text field. Type a password of choice in the Account password text field or click the Set Random button to select a random password combination. When using this button, the randomly assigned password is displayed under it.

4. To add the account, press the Quick Add button. For advanced account settings, click the Advanced Config link and the pages below will be displayed:

5. Press the Save Configuration button to save your changes.

You have successfully added the 'patricia.miller' account to the 'mycompany.com' domain. For further details on advanced account settings, see the Accounts section.

Automated Configuration with AXIGEN Configuration Wizard

Aiming to enhance, simplify and render the initial setup automatic, starting with version the AXIGEN Mail server includes the AXIGEN Configuration Wizard. In eleven easy steps the wizard enables system administrators to instantly set the admin password, configure the primary domain and set up an interface for the WebAdmin management tool and also for the POP3 and IMAP services. These actions were previously performed partly manually, partly using the WebAdmin interface. The AXIGEN Configuration Wizard is provided as part of all the AXIGEN Mail Server 6.0 installation packages, available for download on the AXIGEN site.

First, the wizard needs to be launched by issuing one of the following commands, depending on the platform you have installed the AXIGEN Mail Server on:

1. On Solaris and all Linux platforms:

    /opt/axigen/bin/axigen-cfg-wizard

2. On OpenBSD and FreeBSD:

    /usr/local/bin/axigen-cfg-wizard

3. On NetBSD:

    /usr/pkg/bin/axigen-cfg-wizard

1. Configuring the Admin Password

After launching the AXIGEN Configuration Wizard, the first step you are prompted to take is to specify the admin password. The password is required and therefore system administrators must type at least one character. Use the Password field to type your password and the Validate field to retype it for validation. To move from one field to another, please use the Tab or Enter keys. To proceed to the next step, when located on the Next button, press the Enter key.

2. Configuring your Primary Domain

The next stage of running the wizard consists in configuring AXIGEN's primary domain. The wizard will automatically detect the machine's FQDN (Fully Qualified Domain Name) and based on it will propose the domain name as primary. If no domain can be detected, the default localdomain will be displayed. System administrators can edit the fields of this tab at any time.
In the Primary Domain field, the wizard will display the automatically detected domain. Use the Domain Location field to edit the default storage path for the primary domain, /var/opt/axigen/domains. To configure the primary domain password for the account postmaster, use the Postmaster account password field. To move from one field to another, please use the Tab or Enter keys. To proceed to the next step, when located on the Next button, press the Enter key.

3. Alias Configuration

When running the wizard, this step allows system administrators to select the alias they would like to configure for the primary domain defined at the previous step. There are three available options:

- Redirect all mails for root account to postmaster
- Add the 'localhost' alias to this domain
- Add the 'localhost.localdomain' alias to this domain

To select or deselect one of the listed options, press Enter.

4. Configuring the WebAdmin Interface

The following step performed by the AXIGEN Configuration Wizard is to select the WebAdmin Interface. The wizard will list all the existing interfaces with their respective IP addresses and ports, enabling system administrators to select a listener for WebAdmin. In the previous versions, the WebAdmin was initially accessed on its default listener, Select one of the listed interfaces, then move to the OK button (using the Tab or Enter keys) and then press Enter again. If you choose the first option, all, all the listed interfaces will be used as listeners for the WebAdmin management tool. If you choose a different interface, you will be prompted to confirm the choice you have made.

5. Configuring the SMTP Interface

The next step performed by the AXIGEN Configuration Wizard is to select the SMTP Interface. The wizard will list all the existing interfaces with their respective IP addresses and ports, enabling system administrators to select a listener for SMTP. Select one of the listed interfaces, then move to the OK button (using the Tab or Enter keys) and then press Enter again. If you choose the first option, all, all the listed interfaces will be used as listeners for the SMTP service.
If you choose a different interface, you will be prompted to confirm the choice you have made. 48

6. Services Selection

The sixth step of the automatic configuration process allows system administrators to select the active services for the AXIGEN server. For each of the selected services, POP3, IMAP or WebMail, further settings are available within the following steps. If none of the three services is enabled, the wizard will skip directly to step 10 of the configuration. To select or deselect one of the listed options, press Enter.

7. Configuring the POP3 Interface

The next step performed by the AXIGEN Configuration Wizard is to select the POP3 Interface. The wizard will list all the existing interfaces with their respective IP addresses and ports, enabling system administrators to select a listener for the POP3 service. Select one of the listed interfaces, then move to the OK button (using the Tab or Enter keys) and then press Enter again. If you choose the first option, "all", all the listed interfaces will be used as listeners for the POP3 service. If you choose a different interface, you will be prompted to confirm the choice you have made.

8. Configuring the IMAP Interface

Step 8 performed by the AXIGEN Configuration Wizard is to select the IMAP Interface. The wizard will list all the existing interfaces with their respective IP addresses and ports, enabling system administrators to select a listener for the POP3 service. Select one of the listed interfaces, then move to the OK button (using the Tab or Enter keys) and then press Enter again. If you choose the first option, "all", all the listed interfaces will be used as listeners for the POP3 service. If you choose a different interface, you will be prompted to confirm the choice you have made.

9. Configuring the WebMail Interface

For the next step, the AXIGEN Configuration Wizard will allow system administrators to select the WebMail Interface.
The wizard will list all the existing interfaces with their respective IP addresses and ports, enabling system administrators to select a listener for the WebMail service. Select one of the listed interfaces, then move to the OK button (using the Tab or Enter keys) and then press Enter again. If you choose the first option, "all", all the listed interfaces will be used as listeners for the WebMail service. If you choose a different interface, you will be prompted to confirm the choice you have made.

10. Configuring Relay Policies

The AXIGEN Configuration Wizard will then prompt system administrators to select the networks allowed to relay e-mails through the AXIGEN server without prior authentication. To select or deselect one of the listed options, press Enter. When one of the available networks is selected, a script configuring a Relay Policy is automatically created. For details on Relay Policies, please see the corresponding section of the online documentation.

11. Sendmail Wrapper Configuration

This configuration step is required if system administrators want command line applications such as mailx to be able to send e-mails via AXIGEN. Such applications use the Sendmail Wrapper, which thus needs to be configured to work correctly with AXIGEN. The Wizard describes in detail the actions taken when selecting "Yes" at this step. The Wizard will initially display a message prompting you to wait for the changes to be applied to your existing configuration and will then respond with a successful operation message.

After completing these steps, the wizard will display a message summarizing the steps just taken. It will also instruct system administrators to start the AXIGEN service and then access the WebAdmin interface on the selected IP-port combination.

Troubleshooting

Firstly, on some distributions, the operating system sets the console display encoding to UTF-8. Thus all the wizard's messages would be displayed incorrectly. For troubleshooting, please consult this Knowledgebase article.

Secondly, if any other message except the successful one is displayed by the wizard after taking the configuration steps, please contact the AXIGEN Support team at support@axigen.com.

Chapter 3. Mail Server Architecture

AXIGEN is an integrated service SMTP, IMAP, POP, secured SSL/TLS, WebMail and list server, integrating advanced technologies and messaging services.

Services and Modules

AXIGEN Mail Server is an Internet-based mail server that provides messaging services over the Internet via connections using a Transmission Control Protocol/Internet Protocol (TCP/IP) network. AXIGEN Mail Server sends mail messages using the Simple Mail Transfer Protocol (SMTP). The messages can be retrieved using the Post Office Protocol version 3 (POP3), the Internet Message Access Protocol (IMAP) and WebMail. AXIGEN Mail Storage integrates a proprietary technology that allows storing messages in a special directory structure, guaranteeing an effective, fast mail flow and optimizing space-saving.

Architecture Features

AXIGEN incorporates a multi-threaded engine, which can break server activity into multiple parallel processing threads. This enables system administrators to allocate a certain number of processing threads to specific modules (SMTP incoming / SMTP outgoing / WebMail / IMAP, etc.). Running services can be configured at service, domain and account level. Most AXIGEN services (SMTP Incoming, SMTP Outgoing, POP, IMAP, WebMail) make use of configurable listeners to define rules for accepting or denying connections.

Administration Tools

The administration tools enable both centralized configuration (WebAdmin and Command Line Interface) and manual configuration (configuration file). For each service described in the Architecture chapter, configuration options are available in each of these tools (WebAdmin, CLI and the configuration file, axigen.cfg).

Security

AXIGEN incorporates an advanced filtering system and other innovative security tools (Antivirus, AntiSpam, Antispoofing - SPF Authentication, SSL/TLS authentication). Highly configurable logging and reporting services are also available, as well as an FTP Backup service allowing you to securely back up and restore your domain and user configuration.

Below you can find a schema illustrating all AXIGEN components.

3.1. Generic Server Configuration

In AXIGEN, there are a number of generic server settings referring to overall server behavior and functionalities, such as Running services, SSL and DNR related settings.

Running Services

AXIGEN is a modular server running either as an integrated service server or with certain services inhibited. When using AXIGEN as the main mail server, it is recommended to run all services provided by AXIGEN - Processing, SMTP Incoming, SMTP Outgoing, POP3, IMAP, WebMail, WebAdmin, CLI, Log, Report, FTP Backup - in order to take full benefit of the functionalities offered by the server. By default, when installing mail services the following services will be running: SMTP, IMAP, POP3, WebMail and WebAdmin. SMTP stands for all AXIGEN SMTP services: SMTP Incoming, SMTP Outgoing and Processing. For configuration options on this parameter, see the Configure the Running Services section. A similar option is available in WebAdmin at domain and account/mail list level with relevant choices for the respective level - see the Domains&Accounts section for configuration options.

Other Generic Server Parameters

Primary domain

In AXIGEN Mail Server you can specify a primary domain name, and then add as many domains (secondary domains) as your license type allows. The primary domain is the default domain for your mail server. This means that e-mails sent to "user_name" will automatically be transmitted to "user_name@primarydomain". The primary domain default value is the result of the 'getdomainname' function, which is the current domain name (local domain).

SSL Random File

In order to establish SSL connections, a file containing entropy data is used for generating random numbers. The path to this file needs to be defined in the Server Global settings. SSL parameters are also provided when defining listeners (see corresponding section). For more information on SSL in AXIGEN, see Authentication and Encryption.

For more information on how to set generic server parameters using WebAdmin, see Configure the Running Services.

DNR Settings

AXIGEN includes a Domain Name Resolver (DNR) module used to extract information from domain servers. The module implements the specifications from RFC1034 and RFC1035 and communicates with Domain Name Servers using UDP sockets on port 53.

AXIGEN services using DNR:

- The SMTP Receiving service uses DNR for performing the SPF tests (this action involves PTR and TXT queries).
- The SMTP Sending service queries DNR for MX and A information about the domain where to relay the mail messages.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

DNR Options

In this section you can configure the time period after the first DNR query is closed, maximum number of DNR query retries to be executed and number of results (IP addresses) cached for each DNR query type to be executed.

Nameservers

When performing DNR searches AXIGEN uses a list of known nameservers (specified in the OS configuration). In order to limit bandwidth and time consumed with DNS traffic, a list of known hosts can be defined. Different priority values can be assigned to nameserver IPs to set the order in which you wish to query nameservers (the servers with the higher priority are queried first).

For information on how to configure these parameters, please see DNR Tab.

Services and Modules

This section includes brief overviews of all services and modules included in AXIGEN Mail Server.

SMTP Receiving

The SMTP Receiving module in AXIGEN establishes the dialogue with other entities via SMTP/ESMTP protocols, receives the mail message (if all conditions set by the System Administrator are fulfilled) and forwards the mail message to the Processing module.

This module protects the Mail Server against attacks and ensures good functionality (adjusted to the processing power of the hardware, the bandwidth, and other factors) through functions such as configurable listeners, thread and client management, user authentication and a built-in SPF authentication procedure. In AXIGEN, SPF tests are performed at SMTP Receiving level, thus ensuring basic sorting before messages reach the queue.

The SMTP Receiving module accepts connections as specified by SMTP listeners defined in the configuration file, receives the message and performs the SPF test. If the message passes the test it is placed in the Queue. By default the server accepts connections on :25.

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Authentication

Authentication is a method for preventing non-desirable actions by granting access to AXIGEN server's SMTP Receiving features to authenticated users only.

Note: The AXIGEN server supports authentication, meaning it can be instructed to accept only connections/messages from authenticated entities. However, not all mail clients support this feature. If your mail client does not support SMTP authentication, this feature will not be available.

SMTP-Receiving Authentication parameters allow you to specify the authentication methods to be used for secured or unsecured connections. The available types are: Plain, Login, CramMD5, DigestMD5 and/or GSSAPI.

For information on how to configure authentication parameters for SMTP-Receiving using the SMTP filtering system, see Acceptance and Routing Advanced Settings.

Message Acceptance Rules

At SMTP-connection level, message acceptance rules can be configured and implemented to best suit security requirements. Incoming connections established via SMTP and the message flow can be easily managed, using already established policies, to help save space and resources for processing. The Message Acceptance Rules section provides more details on this subject.

Flow Control

Flow control parameters can be adjusted to fine-tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Milter

As an additional security enhancement, the SMTP Policy system can call external milter type filters. More information on the functions defined for using external Milter filters is available in the SMTP Functionalities (I) chapter.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Loop Protection

To prevent looping e-mails from increasing your mail server's traffic, set a maximum number of received headers for all received e-mails.

Error Control

To protect the server, the number of failed/wrong commands received from SMTP clients during one session can be limited. When these limits are exceeded, incomplete connections or connections that are not RFC compliant will be dropped, thus freeing important bandwidth.

Important! If you do not specify a limit for the maximum number of (authentication) errors allowed for an SMTP client's session, security risks may arise.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

For more details on how to configure SMTP Receiving parameters using WebAdmin see SMTP Receiving Tab.

Processing

The Processing module manages the mail messages, transmitted from the SMTP Incoming and WebMail modules, in the AXIGEN Queue and delivers them to AXIGEN Storage (for local delivery) and to the SMTP Sending module (for external delivery).

The processing module interacts with:

1. the IMAP module, which uses the AXIGEN Processing module for Append operations executed on mailboxes;
2. the WebMail module, which uses the AXIGEN Processing module for Compose operations (after the message is composed, it is placed in AXIGEN Queue).

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Delivery

In case a message cannot be delivered for some non-critical reason, it can be re-scheduled, meaning AXIGEN will try to re-send it after a defined time interval has elapsed. The AXIGEN mail scheduling feature can be adjusted in terms of: first delivery retry timeout for an e-mail, "stop doubling retry timeout when it reaches" and max. number of retries.

Delivery Reports

Temporary and permanent delivery error reports can be configured to be sent automatically when reaching a number of failed delivery attempts. The message can be customized by setting a specific notification sender, subject, beginning and ending body, or appending variables. Also the headers or even the entire original message can be set to be attached to your notification.

Queue Parameters

The messages received from SMTP clients are stored in a queue that is processed by AXIGEN according to specific rules. Different operations can be executed on this queue, such as inspecting the queue, specifying/modifying the path where the queue is stored, setting the maximum number of queue subdirectories, processing size (number of messages) and number of local delivery threads for local SMTP transactions.

Note: Currently any change in the parameters specific to the Processing module requires a server restart to become effective.

Message statuses

A message in the queue can have one of the following statuses:

- Incoming: The message is currently being received. It has not been treated in any way by AXIGEN.
- Received: The e-mail has been received. No action has been taken on it yet.
- Processing: Message processing is underway.
- Processed: The processing ended, successfully or not. If the message is successfully processed, the next specific action (for instance delivery) specified for the message is carried out. If the processing ends unsuccessfully, the message remains in Processed status.
- Sending: The process of sending the message is underway.
- Send Failure: The sending failed.
- Sent: The message has been sent.
- Raw received: The e-mail was received from the WebMail module.

- Relay error: The SMTP Sending module did not manage to send the message to the addressing server.
- Local error: The SMTP Sending module did not manage to send the e-mail to the AXIGEN Storage.
- Filter reject: The message was rejected by a configured filter.
- Filter discard: The e-mail was deleted by a filter without any notification.
- Cleanup error: The NDR message could not be sent to the sender.
- New mail: The e-mail has just arrived in the queue.
- Removed: The message was deleted.
- IO Error: The message could not be read from the disk.

For more details on how to configure Processing parameters using WebAdmin see Processing Tab.

SMTP Sending

The SMTP Sending module is responsible for sending messages directly to message recipients. AXIGEN SMTP Sending uses DNR (Domain Name Resolver) for mapping domain names to IP addresses and includes complete rescheduling procedures.

By default, AXIGEN is configured not to allow open relaying. This means that the server does not automatically dispatch mail that is neither for nor from a local user. By using client management, SMTP Sending blocks spammers' attempts to relay large quantities of mail.

Routing Rules

Configuring Routing Rules allows system administrators to customize SMTP Sending actions for all or a part of the transmitted communication. For further information, see Routing Rules in the Mail Server Security chapter.

If AXIGEN fails to send messages to a specific domain because this domain was down for some time, when the domain is up again, the first message that goes successfully to that domain will also queue the rest of the pending messages from the queue and will force delivery of all messages.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

For more details on how to configure SMTP Sending parameters using WebAdmin see SMTP Sending Tab.

POP3

The AXIGEN POP3 module establishes connections with POP3 clients and retrieves mail messages from the storage unit. The server accepts connections as specified by the POP3 listeners defined in the configuration file. By default the server accepts connections on :110.

In AXIGEN the POP3 module works as follows:

- shows only the messages that existed in the mailbox when the mailbox was opened;
- keeps zombie copies for the messages deleted during the current session; the module shows them as zero size messages, and the module reports an error when a client application tries to retrieve a deleted message;
- messages are retrieved using the RETR command and the message is marked with the "Seen" flag (you can view this flag when using an IMAP or WebMail client).

Note: The server only manages mail messages in AXIGEN Storage format. For more information on this format, please consult the AXIGEN Storage section.

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Flow Control

Flow control parameters can be adjusted to fine-tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Encryption and Authentication

Various authentication types can be used in AXIGEN for IMAP secured (SSL/TLS) or unsecured connections. Possible options are: normal login, plain, login, CramMD5, DigestMD5 and GSSAPI. By default, all these methods are selected (all types of authentication are allowed).

Error Control

To protect the server, the number of failed/wrong commands received from POP3 clients during one session can be limited. When these limits are exceeded, incomplete connections or connections that are not RFC compliant will be dropped, thus freeing important bandwidth.

Important! If you do not specify a limit for the maximum number of (authentication) errors allowed for a POP3 client's session, security risks may arise.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

Compatibility with various POP3 Mail Clients

AXIGEN has been thoroughly tested and it is proven to work with Mozilla, Outlook, Outlook Express, ThunderBird, The BAT!, Eudora. For information on how to set up your POP3 account, see the corresponding section of the AXIGEN website.

For more details on how to configure POP3 parameters using WebAdmin see POP3 Tab.

IMAP

The AXIGEN IMAP module establishes connections with IMAP clients and retrieves mail messages from the storage unit. The server accepts connections as specified by the IMAP listeners defined in the configuration file. By default the server accepts connections on :143.

The IMAP module now implements a new extension, QUOTA, as described by the RFC 2087 standard. IMAP clients implementing the QUOTA extension can display the mailbox quota for a specific user account. So far, users were able to find out what their current mailbox quota was (space occupied/total space) only via WebMail.

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Flow Control

Flow control parameters can be adjusted to fine-tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.
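The four Flow Control limits listed for the SMTP Receiving, POP3 and IMAP listeners interact as in the following admission check, an added example that is not AXIGEN code. The parameter names are hypothetical, the sliding one-minute window is an assumption (the manual does not say how the interval is measured), and the connection trace is constructed.

```python
from collections import defaultdict, deque


class FlowControl:
    """Admission check for one listener, covering the four limits the
    manual lists. Parameter names are hypothetical, not AXIGEN keys."""

    def __init__(self, max_total, max_per_ip, max_new, max_new_per_ip,
                 interval=60.0):
        self.max_total = max_total            # simultaneous connections
        self.max_per_ip = max_per_ip          # simultaneous, per remote IP
        self.max_new = max_new                # new connections per interval
        self.max_new_per_ip = max_new_per_ip  # same, per remote IP
        self.interval = interval              # manual's default: 1 minute
        self.open_total = 0
        self.open_by_ip = defaultdict(int)
        self.recent = deque()                 # accept times, all peers
        self.recent_by_ip = defaultdict(deque)

    def _expire(self, times, now):
        # Assumption: a sliding window; the manual does not say which kind.
        while times and now - times[0] >= self.interval:
            times.popleft()

    def try_accept(self, ip, now):
        """Return 'accepted' or the name of the limit that refused."""
        self._expire(self.recent, now)
        self._expire(self.recent_by_ip[ip], now)
        if self.open_total >= self.max_total:
            return "max_total"
        if self.open_by_ip[ip] >= self.max_per_ip:
            return "max_per_ip"
        if len(self.recent) >= self.max_new:
            return "max_new"
        if len(self.recent_by_ip[ip]) >= self.max_new_per_ip:
            return "max_new_per_ip"
        self.open_total += 1
        self.open_by_ip[ip] += 1
        self.recent.append(now)
        self.recent_by_ip[ip].append(now)
        return "accepted"

    def close(self, ip):
        if self.open_by_ip[ip] > 0:
            self.open_by_ip[ip] -= 1
            self.open_total -= 1


def replay(events, **limits):
    """Feed (time, action, ip) tuples through FlowControl and return the
    decision taken for every 'open' event."""
    fc = FlowControl(**limits)
    decisions = []
    for now, action, ip in events:
        if action == "open":
            decisions.append(fc.try_accept(ip, now))
        else:
            fc.close(ip)
    return decisions


# Constructed trace: (seconds, action, remote IP).
TRACE = [
    (0, "open", "192.0.2.1"), (1, "open", "192.0.2.1"),
    (2, "open", "192.0.2.1"),    # third concurrent session from one IP
    (3, "close", "192.0.2.1"), (4, "open", "192.0.2.1"),
    (5, "close", "192.0.2.1"),
    (6, "open", "192.0.2.1"),    # connect/disconnect churn from one IP
    (7, "open", "192.0.2.2"), (8, "open", "192.0.2.3"),
    (9, "open", "192.0.2.4"),    # listener already holds 3 sessions
    (10, "close", "192.0.2.3"),
    (11, "open", "192.0.2.4"),   # 5 accepts already inside the window
    (61, "open", "192.0.2.1"),   # oldest accepts have aged out
]
LIMITS = dict(max_total=3, max_per_ip=2, max_new=5, max_new_per_ip=3)

if __name__ == "__main__":
    for decision in replay(TRACE, **LIMITS):
        print(decision)
```

The per-IP rate limit is the one that catches a client that stays under the concurrency limit by closing and reopening sessions, which is why both kinds of limit are worth setting.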

Encryption and Authentication

Various authentication types can be used in AXIGEN for IMAP secured (SSL/TLS) / unsecured connections. Possible options are: normal login, plain, login, cram-md5, digestmd5 and gssapi. By default, all these methods are selected (all types of authentication are allowed).

Error Control

To protect the server, the number of failed/wrong commands received from IMAP clients during one session can be limited. When these limits are exceeded, incomplete connections or connections that are not RFC compliant will be dropped, thus freeing important bandwidth.

Important! If you do not specify a limit for the maximum number of (authentication) errors allowed for an IMAP client's session, security risks may arise.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

Compatibility with various IMAP Mail Clients

AXIGEN has been thoroughly tested and it is proven to work with Mozilla, Outlook, Outlook Express, ThunderBird, The BAT!, Eudora. For information on how to set up your IMAP account, see the corresponding section of the AXIGEN website.

Public Folders

Users may now share messages by simply copying and/or moving them to a public folder. System administrators can also associate a certain address with a public folder. Thus, e-mails can be sent directly to the public folder, archiving options being also available.

Internationalized Search

When running an IMAP search for any IMAP client, the search text may contain language-specific characters (i.e. using diacritics).
For more details on how to configure IMAP parameters using WebAdmin see IMAP Tab.

Logging

Log Service Overview

AXIGEN offers an extremely flexible logging service, allowing you to select among different logging levels (how detailed the information logged should be), logging types (internal, external and system services are available) and where to store the information logged. You can set all these options for each AXIGEN TCP service and for the Log Service itself.

The Log Service is responsible for collecting events relevant for the System Administrator. You can log (internally, remotely or using the system log) the activity of all services available in AXIGEN.

AXIGEN Log Service can log internal data coming from other AXIGEN modules/services or data coming from the UDP port 2000 (default option). This data can be logged in the same location or in different locations for separate services, depending on the configuration applied by the system administrator.

For AXIGEN Log service, you can also specify the following information:

- on what address the Log listener should be listening (see the Log Listener section for more information);
- what hosts should be rejected by the Log service (using the listener denyrules, a priority and an enable/disable switch);
- what hosts should be accepted by the Log service (using the listener allowrules, a priority and an enable/disable switch).

Log Types

AXIGEN modules should define the log type using the "logtype" parameter, which can have any single value from the following three:

- "internal",
- "remote" or
- "system" log.

Use the "internal" option to send events to the Log Service running on the same AXIGEN server. The Server should have the Log Service activated.

Use the "remote" option to send events to a Log Service running in another AXIGEN server, remotely, at the address specified using the "hostname" attribute. This AXIGEN Server must have the Log Service activated.

Use the "system" option to send events to the syslog (for instance sysklogd) with facility "LOG_MAIL" and levels mapped as:

0 - no message sent
1 - LOG_CRIT
2 - LOG_ERR
4 - LOG_WARNING
8 - LOG_INFO
16 - LOG_DEBUG

AXIGEN Log levels

In AXIGEN the events are organized in 6 categories and you can select which category of events to collect. AXIGEN modules must define the "loglevel" parameter. In order to specify the desired sets of events to log you have to specify the corresponding log levels or a combination thereof. The log levels in AXIGEN Mail Server are:

0: no messages are logged
1: log critical messages
2: log errors
4: log warnings
8: log informative messages
16: log protocol communication

and the corresponding one-time combinations. Therefore the accepted values for the loglevel parameter are from 0 to 31.
Example 1 - Combining log levels in AXIGEN Mail Server: If you set loglevel=15 =

AXIGEN Mail Server will log the following information: critical errors, errors, warnings and information.

Example 2 - Disabling the log service for one AXIGEN service

Remember that the log service is configured separately for the AXIGEN Mail Server main services (IMAP, POP3, SMTP Incoming), so if you set loglevel = 0 in the IMAP log service section, no data for that specific service will be logged by the Log Server for the AXIGEN IMAP service. However, the Log server will continue logging other AXIGEN Mail Server services according to the settings defined for logging the respective services.

Logging format

The format used for data logging is the following:
'date hostname modulename:sessionid: user_message\n'

AXIGEN Log service then transforms this data into a format similar to the one described below:
'date loglevel hostname modulename:sessionid: user_message\n'
:08: johnd-l SMTP: : connection accepted from [ ]

Example of log service configuration using the axigen.cfg file:
loglevel =
hostname = 'yourcompany.com' (this is the result of the standard 'hostname' command)
modulename = 'SMTP' (other accepted values are: POP3, IMAP, WEBMAIL, RELAY, PROCESSING)
sessionid (this is a UINT value written in hexadecimal, incremented separately for each connection of a protocol. For the processing module, as there is no relevant protocol, the value is currently 0; future versions will however provide as value the ID of the message in the working queue.)

loglevel is a 5-bit mask for the following values:
LOG_none = 0x00,
/// critical
LOG_crit = 0x01,
/// errors
LOG_err = 0x02,
/// warnings
LOG_warn = 0x04,
/// information
LOG_info = 0x08,
/// log protocol communication
LOG_proto = 0x10,

Rules

Log Rules are used to define circumstances under which certain restrictions will be imposed on log files and the log level. Rules can be associated with host names, module names or both. For instance, a rule can be defined in order to specify the size, duration and number of old files kept for logs generated on a certain host, for a certain module (e.g. SMTP In). An ordered list is created with all log rule configurations, using the 'priority' parameter as the ordering key.

You can define the Log rules at the AXIGEN main module's level, in the corresponding sections of the configuration file. The Log Service will check whether the information sent by the modules is the information it is supposed to receive, according to the Log Service configuration.
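The loglevel bit mask and its syslog mapping described above, together with the client-level and rule-level filtering covered under Attributes of the Log service, worked through as an added example (not code from the AXIGEN manual or product). It assumes the Log service keeps the bitwise intersection of the two masks, which matches the manual's clientlevel = 15 / rulelevel = 9 case; the function names and the sample service list are constructed for illustration.

```python
from enum import IntFlag


class LogLevel(IntFlag):
    """The 5-bit loglevel mask, with the values listed in the manual."""
    CRIT = 0x01   # critical messages
    ERR = 0x02    # errors
    WARN = 0x04   # warnings
    INFO = 0x08   # informative messages
    PROTO = 0x10  # protocol communication


# Mapping the manual gives for logtype "system" (facility LOG_MAIL).
SYSLOG_PRIORITY = {
    LogLevel.CRIT: "LOG_CRIT",
    LogLevel.ERR: "LOG_ERR",
    LogLevel.WARN: "LOG_WARNING",
    LogLevel.INFO: "LOG_INFO",
    LogLevel.PROTO: "LOG_DEBUG",
}


def parse_loglevel(value):
    """Validate a loglevel value (accepted range 0..31) and return it as a mask."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("loglevel must be an integer")
    if not 0 <= value <= 31:
        raise ValueError("loglevel must be between 0 and 31")
    return LogLevel(value)


def level_names(mask):
    """Names of the individual levels set in a mask, lowest bit first."""
    return [lvl.name for lvl in LogLevel if lvl & mask]


def syslog_priorities(mask):
    """syslog priorities a module with this mask would emit with logtype 'system'."""
    return [SYSLOG_PRIORITY[lvl] for lvl in LogLevel if lvl & mask]


def effective_mask(client_level, rule_level):
    """Levels that end up in the log file.

    Assumption of this example: the client sends only the levels in its own
    mask and the rule accepts only the levels in the rule mask, so the result
    is the bitwise AND of the two.
    """
    return parse_loglevel(client_level) & parse_loglevel(rule_level)


def audit(services, required=LogLevel.CRIT | LogLevel.ERR):
    """Report modules whose effective logging misses a required level.

    services: iterable of (module, client_level, rule_level) tuples.
    Returns {module: [missing level names]} for the modules with a gap.
    """
    gaps = {}
    for module, client_level, rule_level in services:
        effective = effective_mask(client_level, rule_level)
        missing = LogLevel(int(required) & ~int(effective))
        if missing:
            gaps[module] = level_names(missing)
    return gaps


# Constructed sample: (module, loglevel set on the service, loglevel set in its log rule)
SAMPLE_SERVICES = [
    ("SMTP", 15, 9),   # the manual's clientlevel/rulelevel case
    ("IMAP", 0, 31),   # logging disabled on the service side
    ("POP3", 31, 15),  # rule drops protocol communication only
]

if __name__ == "__main__":
    for module, client_level, rule_level in SAMPLE_SERVICES:
        mask = effective_mask(client_level, rule_level)
        print(module, int(mask), level_names(mask), syslog_priorities(mask))
    print("gaps:", audit(SAMPLE_SERVICES))
```

Running the audit over the real service and rule values shows where errors or critical events are silently dropped before they reach a log file.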

A log rule set includes the following information:
- the rule's priority ("1" means the rule has the highest priority possible)
- the hostname of the user of this rule
- the module of the user of this rule
- the level of log generated by the user of this log
- the name of the destination file
- the maximum size of the destination file in KB
- the maximum duration the destination file is used in seconds
- the maximum number of old files (saved) to be kept
- the rotate period (how often a new log file is created - daily, monthly, yearly)

Attributes of the Log service

AXIGEN Log service can log internal data coming from other modules/services or data coming from the UDP port 2000 (default value). This data can be logged in the same location or in different locations for separate services, depending on the configuration applied by the system administrator.

AXIGEN main modules must define the log type to be used by that specific module. The definition is made via the "logtype" parameter, which can have any of the following three values: "internal", "remote" or "system" log.

The loglevel value set on a log client (a service sending information for logging to the AXIGEN Log service) specifies which log levels that client sends to the Log service. The loglevel value set in a Log service rule specifies which log levels the service accepts from clients. Therefore if:
clientlevel = 15 (the log level specified in the SMTP-In service page in WebAdmin for instance) and
rulelevel = 9 (the log level specified in the rule defined for the SMTP-In module)
the Log service will only log the lines on level 9 (critical information), even if the information retrieved from the client also contains errors and warnings (this information is ignored).

For information on how to configure log rules using WebAdmin, see Adding and Editing Log Rules.

Reporting

The reporting service can help you check server activity at global traffic and module level. The server jobs can be overseen by assigning the reporting service to collect data for parameters such as:
- Inbound WebMail Connections
- IMAP Append Requests
- POP3 Inbound Connection
- Queue Size
- SMTP Outbound Connections
- SYSTEM Load Average
- Messages rejected by built-in filters

and many others.

Data is temporarily collected according to the time value called synctime (defined in the Data Collection section of the Reporting Service tab) and placed into a buffer. For each collected parameter, the buffer size equals the integer part of the aggregation interval divided by the data collection time. For instance, if synctime is 120 seconds and the aggregation interval is 25 minutes, 12 samples will be collected, one every 2 minutes.

For each type of report, the aggregation function (average, maximum, minimum, total) is applied to the temporary data in the buffer and the result is stored in the database; the buffer is emptied and the process is repeated as many times as defined in the aggregation interval. Using the same example (and considering that the aggregation function is average), after 25 minutes the arithmetic mean of the 12 samples is computed and stored in the database, and the buffer is reset.

Once the database has filled all its records, the newest value replaces the oldest one, meaning the database rotates. Thus databases have fixed sizes and cover fixed periods of time: the size is equal to the value defined by the Rotate database after storing parameter and the time is equal to the product of the aggregation interval and the number of collected values. For instance, in the above example, considering that the number of collected samples is 7, the size of the database will be 7 in terms of number of stored values and 7 X 25 = 175 minutes in terms of time.

History for each collected parameter is displayed in a chart. The administrator can control some of the chart's properties, such as colors and line styles, from the Display settings tab of the Configure Chart section. The displayed chart has the following properties:

Ox axis:
  o Scale: 1 hour, 1 day or 1 week, the first value larger than the aggregation interval X the rotate database parameter. So it is possible that the displayed interval is larger than the collected data interval; in this case the zone of the graphic where there is no collected data will be empty.
  o Origin: the oldest value in the database
  o Value: timestamp for each collected value
Oy axis:
  o Scale: selected automatically based on the highest value in the interval
  o Origin: 0
  o Value: the collected value associated with the timestamp on the Ox axis

For information on how to modify reporting settings as well as to define your own set of reporting data and graphics see the Reporting Tab chapter. For details on charts view in WebAdmin see Charts Tab.

WebMail

AXIGEN WebMail establishes a connection with the mail server via Web browsers, and sends and retrieves mail messages to and from the storage unit. AXIGEN WebMail works with major web browsers such as Internet Explorer and Mozilla. With this module the users can securely access their mailboxes from Internet browsers, while the system administrators are in complete control of the content, functionality and look of the web pages.

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Flow Control

Flow control parameters can be adjusted to fine tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, and number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

HTTP Protocol Options

WebMail allows you to set HTTP limits for any request made to the WebMail service. This prevents you from automatically accepting excessive amounts of data (HTTP headers, HTTP body and upload data).

WebMail Options

To facilitate login procedures for multi-domain environments, AXIGEN implements login domain selection. Users can select the domain from a drop-down list and then log in with their username and password only.

To better manage security and resource related issues, persistent connections can be allowed/denied and time limits on active/idle sessions imposed.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

Other AXIGEN WebMail Features include:
- Complex customization - simple change of skin and behavior;
- Easy to use, secure and user-friendly due to features like tree structure for folders view, common actions applied on folders (rename, delete, move, create), built in HTTP server etc.;
- Server Side Scripting Language - called HSP, used to generate HTML code;
- Personal Address Book - WebMail Contacts give users the possibility to select recipients from their personal contact list when composing new messages. New addresses can be added to the existing address book either manually or automatically, when receiving new e-mails;
- Personal Organizer - comprises tools such as calendar, tasks, journal, notes and collaborative support. Through AXIGEN Outlook Connector, the Personal Organizer is synchronized between Outlook and AXIGEN's WebMail;
- Public Address Book - contains contacts set at domain level, that are also available when composing an e-mail;
- Automatic filters and replies can be set through WebMail interface wizards. Vacation/out-of-office messages can be defined and enabled to be sent automatically as a response to all received e-mails.
- Internationalized search and multiple languages support - language-specific characters can now be used when running a search;
- Public folders - users may now share messages by simply copying and/or moving them to a public folder. System administrators can also associate a certain address with a public folder. Thus, e-mails can be sent directly to the public folder, archiving options being also available.
- Compose while attach - using IFrame technology users can continue the Compose action while attaching files to their messages.
- URL redirect rules and virtual host support - URL redirect rules are used for redirecting plain connections established on one listener towards a secure domain:port location. Redirects can also be used to redirect connections from a specified listener to a virtual host. This way, several domain names can be defined for the same IP address and several domains hosted on one single IP. This is useful, for instance, when you wish to have two different WebMail login pages for two different local domains hosted at the same IP.
- HTML mail filtering levels - parses the HTML code from the e-mails and generates a safer (i.e. removes possibly unsafe scripts) and cleaner (i.e. converts to XHTML-like) HTML code. This provides WebMail account users with the ability to set the HTML filtering level to be applied to all mail in HTML format.

For more details on how to configure WebMail parameters using WebAdmin see WebMail Tab.

Storage

AXIGEN Storage is a specific file structure with index based access allowing fast mail delivery, retrieval and query. AXIGEN Mail Storage checks the consistency of the messages placed in the storage and empties the queue only if the mail message is correctly stored. All domain and user configuration along with user messages are stored in AXIGEN specific storage.

Each AXIGEN storage is defined by three elements:
- Storage directory: the directory where all storage files will be created
- Max. file size: maximum size of a data file (Storage Container). The default value is 256 MB.
- Max. files: maximum number of files. The default value is 128 files.

Therefore the maximum capacity of each storage is Max. file size * Max. files and the default capacity is 32 GB.

Inside the storage directory, a list of files, named with 2 hexadecimal digits followed by the .hsf extension -- e.g. 2A.hsf -- is created. There is also a file named hsf.dat which contains a unique ID of the storage and the relation with other storages of the same domain. This information is useful in case some of the storage directories are moved to other locations.

Another feature of AXIGEN storage is that it supports transactions, so that some critical operations of domain configuration changes are made safely.

Filling the Containers

When a Storage Container approaches its maximum size (defined by the Max. file size parameter), another Storage Container will be created and the new messages will be stored in it. If the number of Storage Containers reaches the maximum value (defined by the Max. files parameter) and all of them have reached the maximum size, the storage is considered full and no more messages will be inserted.

The data in the Storage Containers is written in blocks of 4KB, therefore the file size is usually a multiple of 4KB. These memory blocks are called nodes. Smaller blocks of memory are also available, for message parts smaller than 4KB. These smaller blocks are called formatted nodes.

Each storage file can contain a maximum of 16 million messages, and the maximum theoretical file size is 64GB (some limitations might apply, depending on your system configuration; currently AXIGEN limits this maximum size to 2GB). There can be a maximum of 128 files in one storage, and one domain can have over 4 billion message storages defined. The actual maximum capacity in terms of total message count and size depends on the specific messages in the storage. For more details, see Domains section.

For each domain, at least three storages are used:
- one storage for domain configuration, where all domain specific configuration, the public folder and the list of domain objects (users, maillist, forwarders, etc) are stored;
- one storage for domain objects configuration, where all domain objects configurations and folders are stored;

- one or more storages for messages, where all mails and other data associated with mails are stored; it is recommended to define each message storage on a different physical disk, since AXIGEN will use these storages in parallel.

Space saving filling procedure

The storage files with more free space have priority when it comes to selecting the files in which a new message is added. The usage of the free space is also enhanced by message deletion. Each message in a storage file is identified by a pointerid (type UINT). The information related to these pointers-to-messages is stored in the same storage file.

FTP Backup Service

AXIGEN Mail Server provides an FTP backup/restore service meant to enable regular backup operations for your entire domain and user configuration. This service is based on FTP (File Transfer Protocol, standard RFC 959). The FTP Backup service allows using any FTP client (including standard Web browsers) in order to connect to the backup machine using the admin username and password. You can replicate the entire domain and user (accounts, lists, forwarders, folder recipients) folder structure on the backup machine. The FTP service generates a virtual structure, from which you can retrieve files whenever you need them.

The directory structure created by the FTP service is similar to the one given below:

/
domains -> domains root directory
  -example.org -> domain name directory
    -domainregistry.bin -> domain config file (binary)
    -domaincoreconfig.cfg -> domain config file (text)
    -users -> users root directory
      -postmaster -> user directory
        -Registry.bin -> user config file (binary)
        -CoreConfig.cfg -> user config file (text)
        -folders -> user folders root directory
          -INBOX -> user folder
          > other user folders
    -maillists -> maillists root directory
      > same folder structure as for `users'
    -forwarders -> forwarders root directory
      > same folder structure as for `users'
    -publicfolder -> domain public folder root

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Flow Control

Flow control parameters can be adjusted to fine tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, and number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Error Control

To protect the server, the number of failed/wrong commands received from FTP clients during one session can be limited. When these limits are exceeded, incomplete connections or connections that are not RFC compliant will be dropped, thus freeing important bandwidth.

Important! If you do not specify a limit for the maximum number of (authentication) errors allowed for an FTP client's session, security risks may arise.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

For more details on how to configure FTP Backup parameters using WebAdmin see Backup and Restore Tab.

RPOP Service

The AXIGEN RPOP module establishes remote POP connections to already existing accounts and retrieves all incoming traffic to the AXIGEN account. Each AXIGEN account user can configure and add RPOP connections when connected to WebMail. In order to establish such a connection, the user must specify the hostname and port for the existing account and the username and password required to log in. Users can choose the folder to which the retrieved e-mails will be directed, the time interval between subsequent retrievals and whether the e-mail is deleted from the remote account or not after being transferred. Encryption options are also available. More details about adding and configuring RPOP connections are available in the Configuring WebMail RPOP Connections section.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

For more details on how to configure Remote POP parameters using WebAdmin see RPOP Tab.

Connectivity and Threading

All AXIGEN modules implement a set of connectivity and threading functionalities and features that make it faster and easier to manage.

Listeners

AXIGEN Mail Server can use different Listeners for its TCP services (SMTP Receiving, POP3, IMAP, WebMail, WebAdmin, CLI and FTP Backup) and UDP services (Log and Reporting). Listeners are network points of entry, associated with an interface address and port number, that grant access to a specific TCP or UDP service.

Listeners add extra flexibility and configurability to each AXIGEN service, as they can be used to grant differentiated access to the same services for different categories of users (e.g. users within a specific domain). Moreover, listeners can be associated with a variety of rules that allow defining specific limitations for connections coming from IPs within specified IP sets.

Listeners can be defined, using various parameters corresponding to that TCP service, from the configuration file (as of type "TcpListener" OBJECT-SET) or through WebAdmin (the web configuration interface). UDP service listeners have fewer parameters associated, as connection related parameters do not apply to them.

The following attributes are available for each listener:
- address - the "point of entry" address and port number
- enable - specifies whether the listener is enabled or not (this way you won't have to delete the listener when you want to discontinue its use)
- max. number of simultaneous connections and max. number of new connections in a defined time interval (seconds/minutes/hours/days) - parameters specifying limitations for network connections accepted for this listener
- max. connections from each remote IP address and max. connections from each remote IP address in a defined time interval (seconds/minutes/hours/days) - parameters specifying limitations for network connections from the same IP address accepted for this listener

TCP listeners can also be set to support SSL connections. Further SSL parameters are available for TCP listeners in AXIGEN:
- allowed SSL versions
- certificate file
- Max. chain verification depth
- Use Ephemeral Key
- Request certificate-based authentication from client
and others.

Below you can find a scheme for a quick understanding of the Log listeners (in this context ':' can be translated as 'of type'):

TCP service:
  'listeners' : 'TcpListener' OBJECT-SET
  'allowrules' : 'TcpAllowRule' OBJECT-SET
  'denyrules' : 'IpRule' OBJECT-SET
UDP service:
  'listeners' : 'IpListener' OBJECT-SET

For more information about the usage of these parameters in WebAdmin and specific details on their values and how to set them see Adding and Editing TCP Listeners. You can also configure listeners using the CLI tool; for more information see Configuring AXIGEN using CLI.

Rules

Different rules can be associated with listeners, meant to sort connections based on various parameters, and to reject (deny rules) or accept (allow rules) them accordingly. Using deny and allow rules you can automatically accept/deny connections from specific IP addresses.

Allow/Deny Rules

Allow/Deny rules enable you to specify the rules for accepting/rejecting connections when these connections follow the limitations imposed by the listener. Allow/Deny Rules are defined using the following general attributes:
- specify a network/mask, IP range or single IP for which the reject/allow rule is applied
- check or uncheck the 'enable' option to specify if the rule is enabled or not

You can then set priorities for applying the rules and impose further connection limitations using the flow control parameters described below:
- max. number of simultaneous connections and max. number of new connections in a defined time interval (seconds/minutes/hours/days) - these parameters impose limitations on the number of connections initiated by any address within the rule IP set
- max. connections from each remote IP address and max. connections from each remote IP address in a defined time interval (seconds/minutes/hours/days) - these parameters impose limitations on the number of connections initiated by the same address within the rule IP set

Rule Enforcement Policy

The policy for applying accept and deny rules for connections to listeners is described below:
1. The IP address from which the connection has been initiated is determined.
2. AXIGEN verifies if this IP address is part of a set of IP addresses associated with one or more deny rules; if yes, the deny rule with the highest priority (meaning LOWEST value for the priority attribute) is applied.
3. AXIGEN verifies if this IP address is part of a set of IP addresses associated with one or more accept rules; if yes, the accept rule with the highest priority (meaning LOWEST value for the priority attribute) is applied.
4. If the IP address from which the connection has been initiated is associated only with a deny rule, the connection is denied (closed).
5. If the IP address from which the connection has been initiated is associated with both a deny AND an allow rule, the rule with the highest priority is applied. If the rule with the highest priority is a deny rule, the connection is denied (closed). If the rule with the highest priority is an allow rule, the limitations (if any) for the specified connections from the allow rule are applied. If the allow rule and the deny rule have the same priority, the connection is accepted.
6. If the IP address from which the connection has been initiated is associated only with an accept rule, the verifications defined for connections in the accept rule are applied, and if fulfilled, the connection is accepted.

After applying the limitations imposed by the rules, the global limitations defined at listener level are applied. Only then is the connection accepted (and the respective service protocol applied on the accepted connection).

If no allow rule is defined for the IP address from which the connection has been initiated, then the connection is considered as fulfilling the rules and the verifications defined globally (if any) for the current listener are applied.
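The enforcement policy above, modelled as an added example (not AXIGEN code) so that a rule set can be checked before it is deployed. The class and function names, the single max_connections limit standing in for the flow control parameters, and the sample rules on documentation address ranges are all constructed; applying the allow rule's limit in the equal-priority case is an assumption, since the manual only says the connection is accepted.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    network: str                 # network/mask or single IP, e.g. "192.0.2.0/24"
    priority: int                # LOWEST value means highest priority
    enabled: bool = True
    max_connections: Optional[int] = None   # simplified flow-control limit

    def matches(self, ip: str) -> bool:
        return self.enabled and ip_address(ip) in ip_network(self.network, strict=False)


@dataclass
class Listener:
    deny_rules: List[Rule] = field(default_factory=list)
    allow_rules: List[Rule] = field(default_factory=list)
    max_connections: Optional[int] = None   # global limit at listener level


def _best(rules: List[Rule], ip: str) -> Optional[Rule]:
    """Steps 2 and 3: the matching rule with the lowest priority value, if any."""
    hits = [r for r in rules if r.matches(ip)]
    return min(hits, key=lambda r: r.priority) if hits else None


def decide(listener: Listener, ip: str, rule_conns: int = 0,
           listener_conns: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason) for a new connection from ip.

    rule_conns / listener_conns are the connections already open within the
    matched allow rule's IP set and on the listener as a whole.
    """
    deny = _best(listener.deny_rules, ip)
    allow = _best(listener.allow_rules, ip)
    # Step 4 (deny only) and step 5 (deny strictly outranks allow).
    if deny and (allow is None or deny.priority < allow.priority):
        return False, f"denied by {deny.name}"
    # Steps 5 and 6: the allow rule applies (a priority tie also lands here).
    if allow and allow.max_connections is not None and rule_conns >= allow.max_connections:
        return False, f"limit of {allow.name} reached"
    # Listener-level limits are applied after the rules.
    if listener.max_connections is not None and listener_conns >= listener.max_connections:
        return False, "listener limit reached"
    return True, (f"accepted via {allow.name}" if allow else "accepted (no rule matched)")


def overridden_denies(listener: Listener) -> List[Tuple[str, str]]:
    """Deny rules that an overlapping allow rule of equal or higher priority overrides.

    Worth reviewing: for the overlapping addresses the deny rule never fires.
    """
    found = []
    for d in listener.deny_rules:
        for a in listener.allow_rules:
            if not (d.enabled and a.enabled):
                continue
            overlap = ip_network(d.network, strict=False).overlaps(
                ip_network(a.network, strict=False))
            if overlap and a.priority <= d.priority:
                found.append((d.name, a.name))
    return found


# Constructed sample rule set (documentation address ranges).
LISTENER = Listener(
    deny_rules=[Rule("deny-lab", "192.0.2.0/24", 5),
                Rule("deny-guest", "198.51.100.0/24", 10)],
    allow_rules=[Rule("allow-admin", "192.0.2.10", 1, max_connections=2),
                 Rule("allow-guest", "198.51.100.0/24", 10)],
    max_connections=100,
)

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.77", "198.51.100.9", "203.0.113.5"):
        print(addr, decide(LISTENER, addr))
    print("review:", overridden_denies(LISTENER))
```

The deny-guest / allow-guest pair shows the tie case: with equal priorities the deny rule has no effect, which is exactly what overridden_denies reports.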
For details on how to configure rules using WebAdmin, see Adding and Editing TCP Rules. You can also configure Rules using CLI; for more details see Configuring AXIGEN using CLI.

Threads

AXIGEN has a multi-threaded engine which allows separate module thread allocation. Combined with Linux OS multi processor capabilities, the multi-threaded engine can break server activity into multiple parallel processing threads. By allocating a number of threads to certain modules (SMTP Receiving / SMTP Sending / WebMail / IMAP, etc.), resource (memory/CPU) distribution is adapted to the usage scenario (main mail server / backup server / gateway mail server) and hardware resources.

Thread allocation is performed using the connection thread control parameters available for most AXIGEN modules. Depending on your network specifications and conditions, the workload can be adapted to the server's processing power, in order to prevent a system overload and/or improve its performance.

More details on connection thread management using WebAdmin are available in each service description tab. These parameters are also accessible for configuration in each service section from axigen.cfg (see Configuring AXIGEN using the Configuration File). You can also configure connection thread parameters in each service context from CLI; for more information please see Configuring AXIGEN using CLI.

3.4. Clustering Support

Having the system administrators' needs in mind, AXIGEN provides Clustering Support starting with version 3.0. Clustering support is based on OpenLDAP integration with AXIGEN and allows routing for the SMTP Incoming, POP3 Proxy and IMAP proxy services. This new feature enables system administrators to spread mailboxes on several AXIGEN servers and have a separate machine that routes POP3/IMAP connections to the appropriate mailbox server.

Another important feature of the OpenLDAP integration with the AXIGEN Mail Server is the LDAP Authentication mechanism. This new method is available for all the AXIGEN services that require authentication: SMTP In, POP3, IMAP, WebMail, POP3 Proxy and IMAP Proxy.

For a detailed example on how to set up a high availability distributed solution see this related article: Implementing, Deploying and Managing a High Availability Distributed Solution on AXIGEN Mail Server

Cluster Overview

This section includes a brief LDAP introduction, AXIGEN Mapping and Authentication systems, as well as front-end and back-end services setup in AXIGEN.

LDAP Introduction

During the first stages of cluster planning the most important service that needs to be considered is the LDAP directory. The LDAP server will be a part of the cluster back-end section and will be set to make use of the high-availability clustering ability. The directory services are required for routing and authentication purposes. Without them, the proxies cannot route traffic to the designated node that stores an account.

There are two situations a cluster engineer can encounter while setting up a cluster:
- No LDAP / Active Directory service is available and needs to be set up.
- A directory already exists and the cluster must be built around it.

NOTE: Although a directory service is highly recommended, a local file can be used to route traffic in the back-end. Using a local file can slow a cluster down considerably, and the proxies will require updates each time the configuration changes. More details on this topic are available in the AXIGEN Mapping System chapter.

Setting up a new directory service for the cluster

This type of setup can be created quite fast. The directory service must be installed and configured according to the cluster requirements, using the recommended default values, to be integrated as smoothly as possible with AXIGEN. Once the service is running, the next phase of cluster deployment should start and the proxies set in place.

NOTE: Other fields can be added to the directory entries if the need arises. AXIGEN does not require exclusive access to any value or field, but merely relies on it to perform its tasks.

Integrating an existing directory service with the cluster

The toughest configuration scenario is the use of an already existing directory service within the cluster environment. There are special requirements that must be dealt with, such as directory and entry structure, as well as the information provided to the mail server during normal operation. However, in most cases, some new fields need to be added to the existing entries, and the already existing ones need to fit perfectly into the default entry model used by AXIGEN Mail Server. If AXIGEN and another application require the same field to have different types of values, then another, custom field must be added to the entry structure to allow AXIGEN to behave as expected.

NOTE: AXIGEN Mail Server can integrate with almost any type of entry structure used by a directory service. The only drawback here is that fields must be added to every entry of the directory that AXIGEN will use, and this can prove very difficult with some setups.

Starting with version 5.x recursive lookups in directories are available. Any user entries that require LDAP authentication should be inside the same group. The group itself can contain other user groups or the entries themselves.

Basic Directory Setup

Entries in an LDAP Directory have a tree structure. These entries have their own attributes and unique identifiers. Attributes have names that are defined in the schemes used by the server. Unique identifiers are in fact the entry DN (distinguished name), containing an attribute (such as CN, common name) followed by the identifier of the parent entry.

If the cluster will use a new LDAP directory to perform the routing and authentication processes, a basic setup procedure is required to prepare the entries that are to be added. For the LDAP server to have basic structural support for the entries it will hold, a basic configuration must be added through an "ldapadd" command. This first entry will actually create an organization type of division in the directory and all other objects will be contained in this organization object.
To create the object for the "example.tld" domain, use the following LDAP syntax:

    dn: dc=example,dc=tld
    objectclass: dcobject
    objectclass: organization
    dc: example
    o: tld

Next, user objects that will be used by AXIGEN proxy services can be added in the newly created organization object. This is the entire initial setup the directory service requires, as a basic example. However, if more complex schemes need to be used, any number of branches can be defined.

NOTE: An LDIF file can be used to import this information into the directory. This helps prevent issues related to LDAP syntax and can save the cluster engineer a lot of time.

NOTE: LDAP connectors defined in AXIGEN need to be configured accordingly so that information can be looked up in the structure that has just been created.

While adding the LDAP connector in the WebAdmin interface, certain settings need to be configured correctly, so that the server can look up information within the directory structure. The search base and search pattern are the most basic settings that control the way AXIGEN will perform the lookups. For the above example, using the same domain name, the values should be set as follows:

    Search Base: dc=example,dc=tld
    Search Pattern: mail=%e

The search base actually represents the exact branch in the directory that AXIGEN will consider the parent containing all user entries. The search process will try to match the "mail" property content against the pattern being looked up. This search pattern should return only one entry for each user account looked up by the server. The default value should be more than sufficient for most setups and unless a very special setup is used, it should not be changed.

NOTE: For the search pattern to work with the above example, the "mail" property must exist for each user entry. No matches will be found in the directory if the property doesn't exist.

LDAP Entry Structure

AXIGEN will use the set search pattern to match an entry from the LDAP directory. If a match is found, the entry is analyzed and certain properties for the entry are used to perform the routing and authentication actions. These properties need to be set in the LDAP connector options if they are required in the cluster setup. If they are missing, the cluster will not function properly.

In case the directory structure is already defined, the respective properties must be added to each user entry. If the directory is a fresh installation, each added user should have the properties defined beforehand. Below is an example of what a user LDIF file should contain for AXIGEN to use both routing and authentication for this user:

    dn: cn=user1,dc=example,dc=tld
    objectclass: inetorgperson
    objectclass: inetlocalmailrecipient
    cn: user-account
    sn: user-account
    mail: user-account@example.tld
    userpassword: user-account
    mailhost:

The first line specifies where the user entry will be added and where its actual location in the directory structure will be. The next two lines define what properties this entry will be allowed to use.
The common name and the surname are next, followed by the three main properties used by AXIGEN proxy services:

- The "mail" property is the one defined in the LDAP connector settings, which AXIGEN tries to match during the search process.
- The "userpassword" property will be used by AXIGEN in the authentication process.
- The "mailhost" property specifies the back-end server a user account is hosted on.

The properties are loaded from the schema files that LDAP uses through the "objectclass" definition lines. The fields can have different names, depending on the actual directory setup, but all of them can be set in the LDAP connector settings so that AXIGEN maintains its flexibility regarding already configured directory structures.

In the above example, the "mailhost" property is the one providing the routing information back to the AXIGEN proxy, thus it must exist for the cluster setup to work correctly. The "userpassword" property, however, is optional as the authentication process can be performed locally, on each back-end.

NOTE: All the properties for entries in the LDAP directory are case sensitive. Also, the values defined in AXIGEN LDAP connector settings should match the properties used for directory entries.

LDAP Authentication

The authentication process in a clustering environment can be performed either on the front-end or back-end nodes. This is why, depending on the setup to be deployed, LDAP authentication may not be required. A good example of such a setup is the one-tier cluster.

To delegate the authentication process to the proxy servers, a user password property must exist in all directory entries. Using the information stored in that field, the proxy service can compare the information provided by the client with what it found as a result of the lookup.

WARNING: If the authentication is set to be performed using LDAP and the property does not exist, or is not defined, the authentication process will always fail and the user will be locked out of his account permanently.

The password may contain information in one of the following formats:

- Clear text is a rather insecure method of storing passwords, but has very low processing power requirements. In addition, the speed at which the authentication process is performed is greater than for any of the other formats.
- Plain text will allow the password to be retrieved without binding to the LDAP server, but it will be encoded in base64 format. The password can easily be recovered if public access to the LDAP server is allowed.
- Encrypted hashes are the most secure method of storing passwords. However, they can be retrieved only by binding to the LDAP server using a privileged account. The connector should be set to bind and the account details should be filled in before attempting to use this format.

The authentication process takes place on the front-end systems only if LDAP authentication is enabled for the proxy services. The authentication itself is actually performed twice, once on the front-end and once on the back-end.
This would appear useless, while in fact, with the help of the front-ends only valid authentication requests will reach the back-end systems. Another advantage for using front-end authentication is preventing third-parties from ever reaching the back-end systems directly. This is a very important security feature and should be enforced as often as possible.

NOTE: The authentication process depends on the success of the user entry lookup in the directory. If the account is not found, then the authentication process will fail.

NOTE: LDAP Authentication can also be used for regular services on the back-end systems. This is actually recommended for speed increase and maintaining the overall cluster integrity and stability.

For more detailed information please see AXIGEN Authentication System and AXIGEN LDAP Authentication.
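An added example, not part of the AXIGEN manual or product: a Python script that audits an LDIF export of the user branch for the conditions described in the LDAP Entry Structure and LDAP Authentication sections (a missing or differently capitalised property, a password stored in clear text, and two entries answering the same "mail" search). Attribute names follow the manual's examples; the sample entries, host names and hashed value are constructed, and treating a "{SCHEME}" prefix as the mark of a hashed password is an assumption based on how OpenLDAP stores such values.

```python
import base64
from collections import defaultdict

# Attribute names as entered in the LDAP connector settings (values from the
# manual's examples). The manual states property names are case sensitive,
# so no case folding is applied when looking them up.
SEARCH_ATTR, PASSWORD_ATTR, HOST_ATTR = "mail", "userpassword", "mailhost"

# Constructed sample export: host names and the hashed value are made up.
_HASHED = base64.b64encode(b"{SSHA}constructed-sample-value").decode()
SAMPLE_LDIF = f"""\
version: 1

dn: cn=user1,dc=example,dc=tld
objectclass: inetorgperson
objectclass: inetlocalmailrecipient
cn: user1
mail: user1@example.tld
userpassword: user1
mailhost: backend1.example.tld

dn: cn=user2,dc=example,dc=tld
objectclass: inetorgperson
objectclass: inetlocalmailrecipient
cn: user2
mail: user2@example.tld
userpassword:: {_HASHED}
mailHost: backend2.example.tld

dn: cn=user3,dc=example,dc=tld
objectclass: inetorgperson
cn: user3
mail: user1@example.tld
mailhost: backend2.example.tld
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute: [values]}) tuples."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # drop comment lines
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:                  # trailing sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif dn is not None:                   # ignores "version: 1" before any entry
            attrs[name].append(value)
    return entries


def password_scheme(value):
    """Return the scheme named in a "{SCHEME}" prefix, or "cleartext"."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"


def audit(entries):
    """Return (dn, finding) tuples for entries the proxy could mishandle."""
    findings, first_seen = [], {}
    required = ((SEARCH_ATTR, "no-search-attr"),   # never matched by mail=%e
                (HOST_ATTR, "no-routing-host"),    # proxy cannot select a back-end
                (PASSWORD_ATTR, "no-password"))    # LDAP authentication always fails
    for dn, attrs in entries:
        for wanted, code in required:
            if wanted in attrs:
                continue
            variants = [a for a in attrs if a.lower() == wanted.lower()]
            findings.append((dn, f"case-mismatch:{variants[0]}" if variants else code))
        for value in attrs.get(PASSWORD_ATTR, []):
            if password_scheme(value) == "cleartext":
                findings.append((dn, "cleartext-password"))
        for value in attrs.get(SEARCH_ATTR, []):
            key = value.lower()
            if key in first_seen:                  # only the first match would be used
                findings.append((dn, f"duplicate-mail:{first_seen[key]}"))
            else:
                first_seen[key] = dn
    return findings


if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {finding}")
```

Run against a real export, every reported DN is an account that would either fail to authenticate, fail to route, or be shadowed by an earlier entry.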

AXIGEN Mapping System

Mapping information is required to establish the routing behavior in any AXIGEN cluster. The theory behind the mapping system is fairly simple: using the entry returned by the front-end query, the field referring to the mail host (back-end) is assigned as the destination system for that user's session. The mapping data actually provides the information required by the front-end to decide what back-end holds the actual user account. The mapping system performs this routing task in two basic ways:

- Using a local user database - mapping information is retrieved by parsing a locally defined file, containing all mapping patterns.
- Using an LDAP directory - mapping information is retrieved from the LDAP directory.

Both methods have the same result as long as they are configured properly. Mapping information is gathered using the AXIGEN User Map defined in the proxy configuration. The user map is used for routing and can also be used in the authentication process. The mapping system is one of the key elements in the front-end node configuration.

Local user maps are read from a file formatted in a specific way so that AXIGEN can interpret and retrieve information from it. Single entries can be provided for individual users as well as regular expressions to match and map multiple user accounts to the same back-end system.

An LDAP directory is recommended over the use of local files, because it is more productive while using a resource intensive setup such as a cluster. An LDAP directory can be used to perform the authentication process too, so using it makes more sense in a complex setup because it helps keep track of front-end behavior from a central point.

Most clusters will use LDAP or Active Directory to perform the mapping process and all that is required for this to work is setting up the routing property. It is a very straightforward method and is preferred because of the multiple advantages LDAP provides.
The mapping information is defined by selecting a user map in the proxy configuration. The selected user map will route connections to the back-end system using a local file or an LDAP directory. While using an LDAP directory, the cluster engineer is presented with two possible connection options:

- Password (Simple) should be used whenever the information held in the LDAP directory can be retrieved using a plain LDAP search. This would also include password fields that should be available in plain text (un-hashed).
- Bind (Authenticated) is required only if the information stored in the directory tree has one or more fields that are hashed (such as DSA or RSA encrypted passwords). In this case only an authorized user can retrieve useful information.

Depending on the setup, both connections can be used in complete safety. However, some setups allow only bound connections. The most common example of such a setup is Active Directory, as it only allows authenticated users to search the directory tree and retrieve information.

While using a local file to define mapping information, in the user map configuration, the file path and name must be specified. In addition, AXIGEN must be able to access the file and read information from it. The local mapping file syntax is simple and flexible. The basic format of the local file used by the mapping system is:

    <account-name-pattern> <back-end-system>

Example: In the above example, the account user1 in the domain example.tld will be assigned the back-end with the IP address The back-end system can also be specified with its domain name and its fully qualified domain name: backend3.example.tld and backend3 However, the above examples will also match the pattern because the address contains the search pattern To prevent this behavior, regular expressions must be applied to the entry: backend3 Using this format, the pattern will match only if the account name starts with the pattern entered.

Using the above examples, any standard Perl regular expression can be designed to match the required accounts. This way, accounts can be mapped alphabetically, based on domain name and other types of criteria.

NOTE: While setting up a cluster the mapping system must be configured carefully. The cluster engineer should make sure that for any particular search the results returned will not confuse the proxy services. If multiple entries are matched at the same time, only the first one will be taken into consideration. This can generate unexpected results for the end-users and can also generate other issues if multiple services depend on the cluster operation.

NOTE: Custom mapping configurations can be used while migrating from previous setups. If the destination host already exists in the LDAP directory, the entry field (property) can be specified in the AXIGEN configuration to match it.

NOTE: While using Active Directory, the routing property must be added manually for each of the users already defined by the domain administrator. Any of the unused attributes can be used to hold this information. The only consideration with this approach would be to use the same attribute for all users.

For more detailed information please see Configuring Mapping Parameters.

AXIGEN Authentication System

The authentication process is one of the most common safety measures used for any service.
AXIGEN clusters also use authentication and support a wide variety of algorithms as well as password encryption. Any AXIGEN cluster can make use of the two authentication methods available:

- Internal Authentication - the account information defined and stored on the back-end is used to process the authentication request.
- LDAP Authentication - the LDAP directory tree is used to search, retrieve and process the authentication request.

While using the internal AXIGEN authentication system, the password is retrieved by the server from its local user information data. The password is defined during the account creation process and can be changed at a later time, either by the administrator or by the user from within the WebMail interface. This method does not require an LDAP server to be set up but is very slow by comparison.

LDAP authentication is very widely used in cluster setups because of the speed gain. Also, while using LDAP, the mapping system can be assigned to it and the resulting setup becomes a centralized configuration point for the proxy services. In addition, the LDAP server may already exist and contain the entries required, in which case the configuration overhead is reduced considerably.

The LDAP authentication isolates the process from the actual AXIGEN account defined. This can give rise to some unexpected results, such as different passwords within the directory and the back-end server. While a user can still change their password from the WebMail interface, this password will not be updated in the LDAP tree structure and the user can easily become confused. To prevent such issues, a thorough synchronization process must be implemented within the cluster.

This type of authentication overrides the standard AXIGEN authentication method. As such, using LDAP to authenticate sessions for one service will also disable the internal authentication method for all services. LDAP authentication is performed using an LDAP connector that must be defined in advance. The directory tree must also be configured before the authentication process will succeed.

The authentication process consists of three stages:

- LDAP query - During this stage, AXIGEN performs a lookup in the directory tree and expects the account password information as the result.
- Credential information matching - Using the information gathered during the first stage, AXIGEN compares what the client provided against what LDAP returned.
- Session authentication - If the above process was successful the session becomes authenticated.

If any of the above stages fail for some reason, the session will not be authenticated.
Thus, for the account that requests an authentication, the LDAP server must be able to return an entry and a valid password property.

WARNING: If LDAP authentication is enabled and an account exists on any back-end system but has not yet been defined in the LDAP directory tree, the user will not be able to authenticate, even though it will be able to receive messages.

NOTE: To prevent any issues while using the LDAP authentication method, some type of consistency checks should be run against the user database available in the directory tree and the AXIGEN internal user list. If the results are not identical, some users will not be able to use the services.

NOTE: Similarly, if more than one entry is returned during an LDAP search for any account, only the first result will be taken into consideration. This may result in abnormal cluster behavior and some service users might not be able to log in.

NOTE: Authenticating users using an existing Active Directory service can be achieved by configuring the LDAP connector, used by AXIGEN, to use the directory service. This setup must be carefully tuned to match the current directory configuration.

For more details please visit AXIGEN LDAP Authentication.
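The first-match rule noted above for LDAP searches also governs the local user map file described in the AXIGEN Mapping System chapter. The following added example (not AXIGEN code) audits such a file for unanchored patterns, accounts that match rules pointing at different back-ends, and accounts with no route. It assumes one whitespace-separated "<account-name-pattern> <back-end-system>" pair per line with patterns searched anywhere in the address, and uses Python's re module in place of the Perl-style engine; the map, host names and accounts are constructed.

```python
import re

# Constructed sample map in the "<account-name-pattern> <back-end-system>"
# format. The first rule is a bare address, the other two are anchored.
SAMPLE_MAP = r"""
user1@example.tld backend1.example.tld
^[a-m][^@]*@example\.tld$ backend2.example.tld
^[n-z][^@]*@example\.tld$ backend3.example.tld
"""

# Constructed account list, e.g. exported from the back-ends.
SAMPLE_ACCOUNTS = [
    "user1@example.tld",
    "superuser1@example.tld",
    "alice@example.tld",
    "bob@other.tld",
]


def parse_user_map(text):
    """Return the rules in file order as (pattern, compiled regex, back-end)."""
    rules = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {number}: expected '<pattern> <back-end>'")
        pattern, backend = fields[0], fields[1].strip()
        rules.append((pattern, re.compile(pattern), backend))
    return rules


def matching_backends(rules, address):
    """Back-ends of every rule whose pattern occurs anywhere in the address."""
    return [backend for _, regex, backend in rules if regex.search(address)]


def route(rules, address):
    """Back-end the proxy would choose: the first matching rule, else None."""
    hits = matching_backends(rules, address)
    return hits[0] if hits else None


def audit(rules, addresses):
    """Report rule and account problems that lead to surprising routing."""
    report = {"unanchored": [], "ambiguous": {}, "unrouted": []}
    for pattern, _, _ in rules:
        # Simple heuristic: a pattern without ^...$ also matches as a
        # substring of longer addresses.
        if not (pattern.startswith("^") and pattern.endswith("$")):
            report["unanchored"].append(pattern)
    for address in addresses:
        hits = matching_backends(rules, address)
        if not hits:
            report["unrouted"].append(address)      # failover or relay applies
        elif len(set(hits)) > 1:
            report["ambiguous"][address] = hits      # only hits[0] is ever used
    return report


if __name__ == "__main__":
    rules = parse_user_map(SAMPLE_MAP)
    for account in SAMPLE_ACCOUNTS:
        print(f"{account} -> {route(rules, account)}")
    for key, value in audit(rules, SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

In the sample, superuser1@example.tld is routed to backend1 only because the bare first rule matches it as a substring, which is the behaviour the manual tells the cluster engineer to prevent by anchoring the pattern.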

AXIGEN Front-End Services Setup

The services that run on the front-end nodes of the cluster are only the proxy services. All of these services can run on any number of systems without affecting the overall cluster availability. As long as one of the front-end nodes is still serving incoming requests, the cluster will be fully functional.

Because all front-end nodes are identical, you can add or remove nodes at will. The more front-end nodes your cluster has, the more requests will be processed at the same time. It is important to have sufficient front-ends to keep up with the number of the requests, especially during peak activity times.

The following services provide proxy abilities within AXIGEN:

- SMTP Proxy - routes and authenticates incoming SMTP sessions. This service is vital for mail delivery within the cluster.
- IMAP Proxy - routes and authenticates IMAP sessions. This service allows users to retrieve their messages from their back-end account through the proxy using the IMAP protocol.
- POP3 Proxy - routes and authenticates POP3 sessions. This service allows users to retrieve their messages from their back-end account through the proxy using the POP3 protocol.
- WebMail Proxy - routes and authenticates WebMail access requests. This service also renders the web pages requested by the web browser, using the information retrieved from the back-end server holding the user account.

The SMTP Proxy

While configuring the AXIGEN cluster, the SMTP service can be set up using two methods. The default state of this protocol enables it to run as a local service, meaning it will try to deliver messages locally if the destination of an e-mail is a domain defined in the AXIGEN configuration. The second state, which can be enabled and disabled as required, is the routing state. If the SMTP service is set up to route connections, it will use its assigned user map to decide where an incoming connection must be forwarded. This action will only be taken for entries found in the user map.
If the destination is not present in the mapping system and no result is returned, then the service will relay the message and normal SMTP policy rules will apply.

NOTE: Because the SMTP service can only be reached from the outside while using the standard port 25, the proxy service should run on this port. Using another port for the proxy setup can render the cluster useless.

NOTE: It is very important to consider the SMTP configuration for the cluster as any changes made for one front-end must be replicated on all of the other front-end nodes. This includes changes in the SMTP Policy script file and the main AXIGEN configuration file.

WARNING: An open relay among the front-end nodes is very hard to spot and can cause many problems with spam and black lists. Special care is recommended while setting up SMTP proxies to prevent such issues.

The SMTP proxy uses the same authentication method as all of the other services that run on that particular node. This is why, in the event that LDAP authentication is used, the same connector will be used for all services.

The IMAP and POP3 Proxies

Both of these services provide similar functions within the cluster and from a configuration standpoint, they are identical. They both use the same authentication method, internal or LDAP, and in the second situation, they use the same connector. In a similar way, the same user map is used for the routing section of these services.

The only notable difference between configurations of these services is the failover address and port used. The failover address is used in case a match is not found in the user map. As these services use different ports and different protocols, an IP-port pair can be specified as failover for each individual service.

NOTE: For the SMTP service the failover address is not required because the message will get relayed or discarded if no routing information can be found.

Both IMAP and POP3 proxy services can run on the same system as the IMAP and POP3 services, forwarding requests to the same system or another system when required. This helps with the design of single tier clusters that have neither stand-alone front-end nodes, nor load balancers.

For more details on this topic please see IMAP Proxy Service and POP3 Proxy Service.

The WebMail Proxy

UPDATE: This proxy has not yet been implemented and configuration details have not yet been released. This section has been marked for future updates.

The WebMail proxy replaces the standard WebMail interface available on an individual AXIGEN server. The public area of the interface and the main login page are identical to the normal WebMail interface but the session information displayed after the login procedure has been completed is preloaded from the back-end nodes.

Mapping Setup

User maps are used to provide routing information to the proxy services running on a cluster node. More than one user map can be defined and each can be configured separately.
A user map can have one of the three following types:

- Local File - Uses a specified path to load a local file containing the routing information.
- LDAP Password - Connects to an LDAP server using one of the defined connectors.
- LDAP Bind - Uses bound connections to an LDAP server requiring authentication such as an Active Directory tree.

Once the type of the mapping is set, the configuration details must be worked out. For the local file mapping to work, a local file with mapping information must exist. This file must have the correct permissions set for AXIGEN to access it and retrieve the information. With the LDAP mapping type, an LDAP connector must be selected from the list of defined connectors. If no connector has been defined, a new one must be set up so AXIGEN can retrieve the mapping information from the LDAP server.

WARNING: Each user map can use one LDAP connector at a time. Therefore, only one base DN and only one search pattern can be set to retrieve the information from the directory. While defining the LDAP connector, take care to use a search pattern that can return all user entries defined, so they can all access the system. If the pattern cannot match all entries, the ones excluded will never be matched by the mapping system even if they are defined in the LDAP directory.

For additional information on this topic read the User Maps chapter.

AXIGEN Back-End Services Setup

The cluster back-end systems are the actual information center for the entire setup. The system or systems that make up the back-end area of any cluster require access to storage resources. Thus, the AXIGEN services that run on these systems are very similar in configuration to the services that run on any stand-alone AXIGEN server.

The back-end services used by the cluster nodes are:

- SMTP Services - will provide functionality for the incoming and outgoing mail received by the accounts stored on the cluster node. The SMTP incoming service will accept connections from the SMTP proxies on the front-ends.
- IMAP and POP3 Services - will accept routed connections from the respective proxy services. They will retrieve the information from the storage and pass it to the proxies to be displayed in the mail client.
- WebMail Service - will provide the information required by the WebMail proxies to render the pages requested by the client. It will not be accessible directly, only through routed connections from the proxies.
- Other Services - include other modules supported by the server that are independent of the cluster setup. These include the FTP Backup service, the CLI, the WebAdmin interface, RPOP etc.

These systems have domains and accounts set up locally and take care of the imposed restrictions regarding disk space usage and quota management. All details concerning the actual user account settings must be defined and configured on the back-end systems, through any of the administration interfaces.
All services that make use of an authentication mechanism in a cluster, using LDAP authentication, should also use this type of authentication in the back-end section. This is recommended because using the same resource to authenticate sessions provides increased integrity to the whole clustering system. Because LDAP authentication can be used by both routing and non-routing services, this approach should make sense in most cluster setups.

NOTE: In the back-end, no routing is performed and consequently, no proxy services should be running. As such, while an LDAP connector can be defined to enable directory authentication, this connector should not be used to map any connections.

WARNING: Setting up a routing SMTP service in the back-end will cause looping messages that will be discarded.

Individual service configuration, except the authentication method, should be fairly straightforward and easy to perform, as the services themselves are not different in any way from the services used by any other AXIGEN server.

LDAP Routing

The AXIGEN Mail Server provides routing options at SMTP In, POP3 Proxy and IMAP Proxy level through its integration with OpenLDAP.

LDAP stands for Lightweight Directory Access Protocol. It is a model for Directory Services that provides a data/namespace model for both the directory and a specific protocol. A directory is a specialized database with a hierarchical structure designed for frequent queries but infrequent updates. Unlike general databases, directories don't contain transaction support or roll-back functionality. Directories are easily replicated to increase availability and reliability.

In order to be configured for use within AXIGEN, OpenLDAP has to already be set up. OpenLDAP installations may vary, depending on your preferred operating system. Integrating OpenLDAP with AXIGEN is a two-step process, as described below:

1. Configuring OpenLDAP for AXIGEN

Note: In this document the localdomain.test address is used as an example. Please remember to edit it accordingly.

Please run the following command and then enter the following text:

    # ldapadd -D "cn=admin,dc=localdomain,dc=test" -W
    dn: dc=localdomain,dc=test
    objectclass: dcobject
    objectclass: organization
    dc: localdomain
    o: test

In order to add users to the LDAP directory, add the following into a file. You may add as many users as you want in this file:

    dn: cn=user1,dc=localdomain,dc=test
    objectclass: inetorgperson
    objectclass: inetlocalmailrecipient
    cn: user1
    sn: user1
    mail: user1@localdomain
    userpassword: user1
    mailhost:

Then run the following command:

    # ldapadd -D "cn=admin,dc=localdomain,dc=test" -W -f file.txt

You will be asked for the password you set up in the /etc/openldap/slapd.conf file (in our example, 'secret').
You can test if the user was added using the following command (the second version of the command includes authentication):

    # ldapsearch -b "dc=localdomain, dc=test"
    # ldapsearch -b "dc=localdomain, dc=test" -D "cn=admin,dc=localdomain,dc=test" -W

In order to delete an entry, use the command:

    # ldapdelete -D "cn=admin,dc=localdomain,dc=test" -W
    # cn=user7,dc=localdomain,dc=test

To edit an LDAP entry, just use:

    # ldapmodify -D "cn=admin,dc=localdomain,dc=test" -W
    # dn: cn=user5,dc=localdomain,dc=test
    # changetype:modify
    # mailhost:
    #

Note that you must press another <Enter> after the modified field.

2. Configuring LDAP Connectors in AXIGEN

Log in to WebAdmin using your preferred browser, press the 'UserDb' tab and go to the 'LDAP Connectors' section. Press 'Add new ldapconn' and fill in the fields:

- name - the name of this connector
- hosturl - the ldap host (e.g. 'ldap://localhost:389')
- binddn - the DN of the admin account (e.g. 'cn=admin,dc=localdomain,dc=test')
- bindpass - the password set in your /etc/openldap/slapd.conf file (e.g. 'secret')
- searchbase - the search base (e.g. 'dc=localdomain,dc=test', but using '%s' is recommended, as it is the expanded domain name, for use in the 'dc' style LDAP base.)
- searchpattern - the search pattern (e.g. 'mail=%e')
- passwordfield - the name of the field containing the password, defined in your user file created above (e.g. 'userpassword')
- axigenhostfield - the name of the field containing the mail host, defined in your user file created above (e.g. 'mailhost')
- usefirst - should the first returned field be used if more are found ('yes' or 'no')

For more details on setting the above parameters in WebAdmin, see LDAP Connectors.

Configuring Mapping Parameters

In order to successfully route connections on any of the supported protocols, SMTP, POP or IMAP, system administrators need to set mapping parameters. The easiest and most intuitive way of setting mapping parameters is through WebAdmin, AXIGEN's web-based administration interface.

In the User Maps page you can add and configure a list of User Maps at server level. In order to do so, system administrators should access the Clustering > Clustering Setup > User Maps page and hit the "Add User Map" button.

For each new user map, the following parameters are available: name, type (Local file, LDAP Password, LDAP Bind) and, as the case may be, either file location or defined LDAP Connectors. For details on how to set these parameters, see User Maps.

POP3 Proxy Service

AXIGEN POP3 Proxy module establishes connection, through remote servers, with POP3 clients. The server accepts connections as specified by the POP3 Proxy listeners defined in the configuration file. By default the server accepts connections on :110.

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Flow Control

Flow control parameters can be adjusted to fine tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Logging

All AXIGEN main services can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Encryption and Authentication

The POP3 Proxy service only supports PLAIN authentication, which is why it is recommended that StartTLS or SSL are used for encrypting the connection.
The authentication can be performed on the POP3 proxy or on the back-end server.

Error Control

To protect the server, the number of failed/wrong commands received from POP3 clients during one session can be limited. When these limits are exceeded, incomplete connections or connections that are not RFC compliant will be dropped, thus freeing important bandwidth.

Important! If you do not specify a limit for the maximum number of (authentication) errors allowed for a POP3 client's session, security risks may arise.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

Back-end Server Connection Settings

In this section, you can allow a connection timeout to be set, specify the maximum number of connections between POP3 Proxy and the back-end Server, another local network interface IP address to be used for connections with the back-end server and whether or not to use SSL to connect to the back-end server.

For more details on how to configure POP3 Proxy parameters using WebAdmin see POP3 Proxy Tab.

IMAP Proxy Service

AXIGEN IMAP Proxy module establishes connection, through remote servers, with IMAP clients. The server accepts connections as specified by the IMAP Proxy listeners defined in the configuration file. By default the server accepts connections on :110.

Listeners

Listeners can be defined and managed to add extra flexibility and configurability to this service. For that, global access limitations, SSL Settings and access lists can be enforced on the address used by this service for binding.

Access Control

Access rules allow you to control connection to this service by defining simple access lists for specific Networks / IP Ranges / IPs. Service level access rules are automatically applied to all its listeners and will override for this service any existing Global Access rules.

Flow Control

Flow control parameters can be adjusted to fine tune the server's performance and avoid overloading it. Global access limitations to this listener can be enforced by setting the total number of simultaneous connections, concurrent connections from each remote IP address, number of new connections to the listener made in a time period interval, number of total connections from each remote IP address on a time interval period. The default interval for this time period is set to 1 minute.

Logging

All AXIGEN main services can log different types of events.
The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN.

Encryption and Authentication

The IMAP Proxy service only supports PLAIN authentication, which is why it is recommended that StartTLS or SSL be used for encrypting the connection. The authentication can be performed on the IMAP proxy or on the back-end server.

Error Control

To protect the server, the number of failed/wrong commands received from POP3 clients during one session can be limited. When these limits are exceeded, incomplete connections or connections that are not RFC compliant will be dropped, thus freeing important bandwidth.

Important! If you do not specify a limit for the maximum number of (authentication) errors allowed for a POP3 client's session, security risks may arise.

Thread Management

AXIGEN Mail Server is designed to run on different machine configurations and operating systems, on networks with various traffic loads, structures, domain configurations, user rights etc. That is why, depending on all these variables, you can adapt the workload to the server's processing power to improve its performance or avoid overload by setting the minimum and maximum number of threads that can be opened at a specific moment of time.

Back-end Server Connection Settings

In this section, you can set a connection timeout, specify the maximum number of connections between the IMAP Proxy and the back-end server, specify another local network interface IP address to be used for connections with the back-end server, and choose whether or not to use SSL to connect to the back-end server.

For more details on how to configure IMAP Proxy parameters using WebAdmin see IMAP Proxy Tab.

AXIGEN LDAP Authentication

Aiming to provide its users with a relatively simple way of adding new user database sources, starting with version 3.0, AXIGEN implements LDAP authentication methods. The new authentication engine adds two new authentication methods for both plain and secure connections, namely DIGEST-MD5 and GSSAPI. For more details on the new methods, see Authentication and Encryption.

In order to enable LDAP authentication, system administrators need to first add and define a list of LDAP Connectors. The connectors can be managed and configured via WebAdmin, on the UserDb tab. For details on how to add new LDAP Connectors, please see the corresponding section.

A new section corresponding to the UserDb tab has been added to the configuration file.
Below you will find an example of how this section should be configured:

    userdb = {
        logtype = internal
        loglevel = 15
        loghost = :2000
        maxthreads = 5
        ldapconnectors = (
            {
                name = "ldap1"
                hosturl = "ldap://server1:389"
                binddn = "CN=Martin Brown,OU=USERS,OU=CompanyName1,OU=Companies,OU=CompanyName2,DC=server,DC=local"
                bindpass = "qwe123"
                searchbase = "OU=USERS,OU=CompanyName1,OU=Companies,OU=CompanyName2,DC=server,DC=local"
                searchpattern = "(samaccountname=%u)"
                passwordfield = "givenname"
                axigenhostfield = ""
                usefirst = yes
            }
        )
    }

Two new parameters are also added for all services needing authentication: userdbconnectortype (with three available values: ldap, ldapbind, local) and userdbconnectorname. The services requiring authentication are SMTP In, POP3, IMAP, WebMail, POP3 Proxy and IMAP Proxy. For each of these services, the user database parameters can easily be configured using WebAdmin. The parameters described above are available on the General page of the tab corresponding to each service.

For detailed instructions on configuring these parameters using WebAdmin, see the LDAP Connectors Page.

Integrating Active Directory into a cluster environment

Active Directory is treated by AXIGEN just like any other LDAP directory. However, this implies certain configuration changes from the standard LDAP connector settings used in a general directory setup.

Active Directory has predefined property names and these have to be used for the authentication process to be successful. The account name that needs to be matched against the AXIGEN internal user database is the "samaccountname" property. This property contains exactly the username required for the login procedure. Having this information will help us set up an LDAP search filter, later on, that will isolate a particular user in the Active Directory structure.

Active Directory doesn't allow anonymous queries in its database. For this reason, any lookup should be performed by an already existing user in the AD. The returned information will then be forwarded to the proxy service and the authentication will be performed. This user may be a regular one (they have access to the database by default) or the domain administrator, as the one in the example below. In LDAP terms, the value of the Bind DN should reflect a user account that will have to be set up appropriately in the LDAP connector settings.

The search base, which is the topmost organizational element, contains all entries we are querying and needs to be known beforehand.
This search base is the LDAP path common to all the users we are trying to authenticate as. Since AXIGEN can perform recursive lookups in the directory structure, this top unit may contain any number of smaller organizational units that comprise the actual accounts.

The host name and port should be defined in the same manner as for any other LDAP server. The default port on which the Active Directory can be contacted is the same, 389.

The Bind DN field should contain a user account value similar to the one below:

    CN=administrator,CN=Users,DC=example,DC=tld

The default location for the "administrator" account in the Active Directory is the "Users" container, right inside the root of the defined domain ("example.tld" in the above example). The password for the account used should be entered as the bind password.

NOTE: These settings are used only while performing the actual lookup in the directory. They do not refer to the authentication settings for this particular account.

To use a search base that will identify all accounts in the same container as the "administrator" account, the following type of string should be set as its value:

    CN=Users,DC=example,DC=tld

The search pattern used must identify particular user entries in the directory. For this reason, the above mentioned value will be used to isolate particular accounts:

    (samaccountname=%u)

For each database entry we are searching for, this attribute should have exactly the same value as the user name (%u). The variable "%u" will expand as the username.

The server should be configured to use only the first value found in the lookup. This should prevent errors if more than one match is found in a lookup.

NOTE: This option can generate issues and may block users logging in. To prevent such problems, all users have to be unique.

NOTE: The password field and the AXIGEN host (used in routing) should be left blank if only the Active Directory authentication is required.

Even if users are authenticated in Active Directory, they still need to exist on the back-end servers. If a user account does not exist, the authentication will be successful but the inbox will not be selected. The only use for an Active Directory account that has no mailbox is to send e-mails through the SMTP service using authenticated credentials.

WARNING: This will enable any user to send authenticated messages even if they do not have an account created.

If routing is used within the cluster environment (more than one node is present in the background), then a certain property must be defined for all the user accounts in the Active Directory. Any inactive property can be used for this purpose, but it is recommended that one of the extra added properties is used.

NOTE: In the default Active Directory schema, there are over 10 properties unused by common services running on the network. These were left out exactly for the purpose of expanding the directory service and being used in conjunction with other applications.

The property values should contain the IP address of the back-end server holding the account and the property name has to be set up in the LDAP connector settings. It is very important for all accounts to use the same property, as all will be looked up in the directory by the same connector.
WARNING: The IP address of the back-end node should be set, for all users, in the same property, or the cluster will become inaccessible to the ones that use a different property for the AXIGEN mail host. Even if the session is correctly authenticated, the inbox of some accounts will not be found because no destination back-end will be selected.

The routing process can be set up using a local file instead of the LDAP connector. This removes the need to manually edit the values in Active Directory and is relatively hassle-free. However, using local files to process the routing information can increase the proxy server's overhead. Moreover, if there is more than one proxy, the same file version must be used across all nodes to ensure the cluster integrity and stability. The synchronization process has to be performed manually after each change.

UPDATE: This may be subject to change in the future. The local files could be automatically redistributed.
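The lookup and routing behaviour described in this section can be modelled as follows. This is an added example, not AXIGEN code: the directory entries, the "mailhost" property name and the treatment of multiple matches when "usefirst" is off are assumptions made for illustration, and the RFC 4515 escaping of the user name is shown as the safe way to expand %u, not as a statement of what the product does internally.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_FILTER_SPECIALS = {"\\", "*", "(", ")", "\0"}


def escape_filter_value(value):
    """Escape a login name so it can only ever be a literal filter value."""
    return "".join("\\%02x" % ord(c) if c in _FILTER_SPECIALS else c for c in value)


def expand_pattern(pattern, username):
    """Expand %u in a connector search pattern such as (samaccountname=%u)."""
    return pattern.replace("%u", escape_filter_value(username))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, ldap_filter):
    """Tiny stand-in for a directory search: simple equality filters only."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only (attribute=value) filters are modelled here")
    attr, wanted = m.group(1).lower(), _unescape(m.group(2)).lower()
    return [e for e in directory if e.get(attr, "").lower() == wanted]


def resolve(connector, directory, username):
    """Return what the proxy learns about a user: found or not, and which back-end."""
    matches = search(directory, expand_pattern(connector["searchpattern"], username))
    if not matches:
        return {"found": False, "backend": None, "note": "no directory entry"}
    if len(matches) > 1 and not connector["usefirst"]:
        # Assumption: without usefirst, several matches are treated as an error.
        return {"found": False, "backend": None, "note": "ambiguous lookup"}
    entry = matches[0]
    host_field = connector["axigenhostfield"]
    if not host_field:
        return {"found": True, "backend": None, "note": "authentication only, no routing"}
    backend = entry.get(host_field) or None
    note = "routed" if backend else "authenticated, but no back-end selected"
    return {"found": True, "backend": backend, "note": note}


# Constructed sample data (not from the manual).
DIRECTORY = [
    {"samaccountname": "jdoe", "mailhost": "10.0.0.11"},
    {"samaccountname": "asmith", "otherprop": "10.0.0.12"},  # host stored in a different property
    {"samaccountname": "mlee", "mailhost": "10.0.0.11"},
    {"samaccountname": "mlee", "mailhost": "10.0.0.12"},     # duplicate account name
]
CONNECTOR = {
    "searchpattern": "(samaccountname=%u)",
    "axigenhostfield": "mailhost",  # hypothetical property name
    "usefirst": True,
}

if __name__ == "__main__":
    for name in ("jdoe", "asmith", "mlee", "nobody"):
        print(name, resolve(CONNECTOR, DIRECTORY, name))
```

The "asmith" entry reproduces the case from the WARNING above: the lookup succeeds, but no back-end is selected because the address was stored in a different property.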

Exotic Cluster Setups

This chapter deals with common setups that are beyond the standard deployment of a clustering environment. Most of the examples here provide some sort of advantage, like lower costs, in exchange for a drawback such as higher risks and the creation of single points of failure.

UPDATE: This section should be updated if other cluster configuration environments are encountered.

Groupware and collaboration

Starting with version 6.0, AXIGEN Mail Server introduces groupware services allowing network users to interact and work together by sharing folders, e-mails, calendars, tasks etc. Complex permission hierarchies can be created to meet the specific collaboration and sharing needs of any organization.

Personal Organizer & AXIGEN Outlook Connector

Having time management and mobility needs in mind, a Personal Organizer module is available from both AXIGEN's WebMail interface and the e-mail client Outlook. The Personal Organizer comprises tools such as calendar, tasks, journal, notes and collaborative support.

Aiming to adapt to all requirements generated by a competitive business environment, the new version's permission granting structure enables users to delegate sending tasks to their team members and view the free/busy status to avoid assigning events when a team member is already taking part in a different one.

The AXIGEN Outlook Connector enhances the communication of Microsoft's e-mail client with the AXIGEN server, thus making the Personal Organizer available for Outlook users to take full advantage of all AXIGEN's features & capabilities.

AXIGEN Outlook Connector implements most Exchange-like features, including server-side Search Folders (such as Unread Messages or Large Messages), which enable users to easily locate messages based on various filters. The new application also allows the creation of new folders (including special folders) on the server directly from Outlook.
For a detailed usage description for the Personal Organizer in AXIGEN's WebMail Interface, please see the corresponding chapter of this Manual.

User folders and permissions

Starting with version 6.0, users are allowed to perform operations on folders (view their contents, add items, delete items etc.) if permissions on the respective folder were defined. By default all users have permissions on their own folders and can allow other users to access one or more of their personal folders with different permission levels (read only, read and write etc.). These permissions can be set either from WebMail or Outlook and can be granted to a user or a group of users (defined by the system administrator in WebAdmin).

Important! The system administrator has the right to set permissions on any user or public folder.

Computing permissions

Each time the server needs to determine if a specific action on a specific resource is allowed or denied for a specific administrative user, the following reasoning is used:
- if the permission is set to deny on at least one of the parent folders in the chain, for the user or a group that the user belongs to, the permission will be denied
- if the permission is not denied on any of the parent folders in the chain but allowed on at least one, for the user and/or a group that the user belongs to, the permission will be allowed
- if the permission is neutral (not set) on all parent folders in the chain, for the user and/or a group that the user belongs to, the permission will be denied

The Effective permissions tab will show the final result of this operation.

Permissions description

- Read items - Folder is visible and its contained items can be read.
- View items - Folder appears in hierarchy ("lookup").
- Read folder content - Items in this folder may be read.
- Share the read / unread status - Changes to the read / unread flag are seen by other users (does not apply for contacts, calendar, tasks, journal and notes folders).
- Set / clear flags - Modify flags other than read / unread and deleted / not deleted (does not apply for contacts, calendar, tasks, journal and notes folders).
- Add items - Add new items to folder (create new, move to, copy to). Both 'add items' and 'delete items' permissions are required for modifying items.
- Add subfolders - Add new subfolders below this folder (create new, move to, copy to).
- Delete folder - Delete this folder, including all its contained items.
- Delete items - Delete items in this folder. Both 'add items' and 'delete items' permissions are required for modifying items.
- Mark items as deleted / not deleted - Modify the deleted / not deleted flag.
- Expunge folder - Purge items marked with the deleted flag.
- Manage permissions - Modify permissions on this folder.
Types of permissions

When new entities are created they can have two types of permissions:

1. Implicit permissions do not appear in the permissions list for resources, cannot be modified (they are resolved directly by the MACL engine) and cannot be overridden with an explicit 'DENY' from any level (above or below). These are:
- the 'postmaster' user has 'all rights' on all public folders
- the 'postmaster' user has 'Lookup' and 'Manage permissions' on all folders of all the accounts in its domain
- the 'postmaster' user has 'all rights' on his mailbox (and all subfolders)
- each user has 'all rights' on his/her mailbox (and all subfolders)

2. Default permissions are explicit, modifiable and appear when specific entities are created. They are:
- for a newly created folder in the PF namespace or in a mailbox other than the creator's, the creator has 'all rights', with 'apply to subfolders'
- if the newly created public folder is created from the WebAdmin interface, no explicit permissions are set for it
- when a new domain is created, the PF root contains the permission: 'all users in domain, allow, Lookup, apply to subfolders'

Details on how to set folder permissions are available in the Setting Sharing Permissions chapter.
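The evaluation order from "Computing permissions", combined with the implicit permissions listed under "Types of permissions", can be written out as a short model. This is an added example, not AXIGEN's MACL engine: the data structures, the sample folder tree and the choice to include the folder itself in the chain and to treat every entry as applying to subfolders are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW, DENY = "allow", "deny"
POSTMASTER = "postmaster"
# Implicit postmaster rights on folders of other accounts in its domain.
POSTMASTER_ON_MAILBOXES = {"Lookup", "Manage permissions"}


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    owner: Optional[str] = None  # set on a mailbox root; None for public folders
    # Explicit entries: (user or group name, permission name) -> ALLOW / DENY
    acl: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def chain(self):
        """Yield this folder and every parent up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def mailbox_owner(self):
        for node in self.chain():
            if node.owner:
                return node.owner
        return None  # public folder


def effective(folder, user, groups, permission):
    """Return ALLOW or DENY for one user, one permission and one folder."""
    owner = folder.mailbox_owner()

    # Implicit permissions are resolved first and ignore explicit DENY entries.
    if owner == user:
        return ALLOW
    if user == POSTMASTER and (owner is None or permission in POSTMASTER_ON_MAILBOXES):
        return ALLOW

    principals = {user, *groups}
    allowed = False
    for node in folder.chain():
        for principal in principals:
            setting = node.acl.get((principal, permission))
            if setting == DENY:
                return DENY          # one deny anywhere in the chain wins
            if setting == ALLOW:
                allowed = True       # remember, but keep looking for a deny
    return ALLOW if allowed else DENY  # neutral everywhere means denied


# Constructed sample tree: alice's mailbox with a shared subfolder.
ALICE_ROOT = Folder("alice", owner="alice")
PROJECTS = Folder("Projects", parent=ALICE_ROOT)
Q3 = Folder("Q3", parent=PROJECTS)
PROJECTS.acl[("sales", "Read items")] = ALLOW    # group grant on a parent
ALICE_ROOT.acl[("interns", "Read items")] = DENY  # group deny higher up
Q3.acl[("alice", "Read items")] = DENY           # has no effect on the owner

if __name__ == "__main__":
    for who, groups in (("bob", {"sales"}), ("carol", {"sales", "interns"}),
                        ("dave", set()), ("alice", set())):
        print(who, effective(Q3, who, groups, "Read items"))
```

Membership in a denied group overrides a grant received through another group, which is worth checking in the Effective permissions tab whenever a user belongs to several groups.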

Chapter 4. Mail Server Security

AXIGEN Mail Server comes with a full security feature set, guaranteeing secure reception, transit and delivery of e-mail and protection for your confidential data.

Authentication

AXIGEN server supports authentication, meaning it can be instructed to accept only connections/messages from authenticated entities. CRAM-MD5, LOGIN, PLAIN, DIGEST-MD5 and GSSAPI methods are available for client authentication, reducing the risk of unauthorized connections.

Encryption (SSL/TLS)

All AXIGEN communication protocols can benefit from SSL/TLS technology, which allows sending encrypted messages across networks and prevents plain text messages from being intercepted on the way from sender to recipient. This encryption method guarantees secure data transmission over networks.

Built In Firewall (application level)

Stopping spammers and preventing DOS attacks is one of the most important tasks of a mail server, and the sooner the problem is identified in the mail stream, the better. This is why AXIGEN has a built-in Firewall at the application (TCP listener) level that allows the Administrator to control connectivity parameters, like the following listener rules:
- maximum simultaneous connections;
- maximum connections to be accepted during a time interval;
- maximum simultaneous connections accepted from a single host (that may be an attacker);

Furthermore, Administrators may define IP sets that have specific sets of such rules, applied with different priorities, or IP sets whose connections are denied. For more details see Listener Rules.

Anti-spoofing (SPF and DomainKeys Compliant)

SPF authentication is used by the SMTP Incoming module in AXIGEN to determine whether the mail message comes from an authorized source. DomainKeys is an authentication system designed to verify both the DNS domain of an e-mail sender and the message integrity.
This additional authentication method significantly reduces spoofing attempts, that is, unauthorized attempts to gain server access or to assume a fake identity when sending an e-mail.

Message Acceptance Rules

The system administrator can configure and implement message acceptance policies and adjust them to best suit their security requirements. Incoming connections established via SMTP and the message flow can be easily managed using the established policies.

Antivirus / Antispam

The AXIGEN Mail Server can easily integrate with a large number of antivirus/antispam applications, either commercial or open source. Starting with version 5.0, SpamAssassin is integrated within the AXIGEN kit.

Available Antivirus applications: ClamAv, KAV(Kaspersky) for Mail Servers, BitDefender, Sophos, F-Prot, DrWeb, Symantec, F-Secure, Avast, etrust, Norman, Panda, McAfee.

Available Antispam applications: SpamAssassin, AVG, Kaspersky Anti-Spam, Avira MailGate, BitDefender Mail Protection for Enterprises, Symantec Brightmail AntiSpam.

Routing Rules

The Processing policies correspond to the SMTP Processing and SMTP Outgoing modules. On one hand, they enable administrators to define the NDR (Non-Delivery Receipt) text and the conditions when such a message is returned. On the other hand, they allow the system administrator to customize SMTP Outgoing actions for all or part of the relayed communication.

Message Rules

Message rules instruct the AXIGEN Mail Server to take certain actions on processed messages based on pieces of information contained in the message headers.

Authentication and Encryption

AXIGEN Mail Server provides a variety of security options related to authentication and encryption for all connections established by/with the mail server.

Secure/Plain Connections and Authentication Methods

AXIGEN supports TLS-enabled connections. TLS-enabled connections are connections that support Transport Layer Security, a standard providing encryption and authentication services that can be negotiated during the startup phase of many Internet protocols, including SMTP, POP3 and IMAP, and used for general communication authentication and encryption over TCP/IP networks.

All AXIGEN mail services (SMTP, IMAP, POP3) provide an AllowStartTLS parameter that you can enable to have the server advertise TLS capability.

Authentication methods are available both for TLS-enabled connections and plain connections (non TLS-enabled).
The methods supported by AXIGEN are: PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5 and GSSAPI.

The PLAIN mechanism consists of a single message from the client to the server, in which the client sends the authorization identity (identity to login as), the authentication identity (identity whose password will be used) and the clear-text password. If left empty, the authorization identity is the same as the authentication identity. The PLAIN authentication mechanism is not recommended for use over an unencrypted network connection.

The LOGIN mechanism is a non-standard mechanism, and is similar to the PLAIN mechanism except that this mechanism lacks the support for authorization identities.

The CRAM-MD5 is a challenge-response mechanism that transfers hashed passwords instead of clear text passwords. For insecure channels (e.g., when TLS is not used), it is safer than PLAIN.

The DIGEST-MD5 is the required authentication mechanism for LDAP v3 servers. The Digest-MD5 is based on the HTTP Digest Authentication. In Digest-MD5, the LDAP server sends data that includes various authentication options that it is willing to support plus a special token to the LDAP client. The client responds by sending an encrypted response that indicates the authentication options that it has selected. The response is encrypted in such a way that proves that the client knows its password. The LDAP server then decrypts and verifies the client's response.

GSSAPI is the Generic Security Services Application Programming Interface. Its primary use today is with Kerberos authentication. Kerberos is the primary authentication mechanism in Windows Active Directory.

For information on configuring TLS and authentication methods related parameters, see: Configuring IMAP Authentication and Encryption Parameters and Secure POP3 Connections.

Also, for all AXIGEN services, authentication error control parameters are available. That is, if on attempting to connect, clients fail to authenticate correctly a number of times, the connection is dropped. For information on these parameters, see the Connection Error Control sections for each module in Configuring AXIGEN using WebAdmin.

SSL parameters

AXIGEN supports SSL-enabled connections, providing advanced SSL parameters for TCP Listener configuration available for all its TCP Services (SMTP, IMAP, POP3, WebMail, CLI and WebAdmin). See SSL Parameters for Listeners for information on these parameters and how to configure them using WebAdmin.
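The difference between the PLAIN and CRAM-MD5 mechanisms described above is easiest to see in the bytes each one puts on the wire. This is an added example, not AXIGEN code; the user name, password and challenge string are constructed sample values.

```python
import base64
import hashlib
import hmac


def plain_message(authcid, password, authzid=""):
    """Client side of PLAIN: authzid NUL authcid NUL password, base64-encoded."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(message_b64):
    """Server side of PLAIN: returns (effective authzid, authcid, password)."""
    authzid, authcid, password = base64.b64decode(message_b64).decode("utf-8").split("\0")
    # An empty authorization identity means "act as the authenticated user".
    return (authzid or authcid, authcid, password)


def cram_md5_response(user, secret, challenge_b64):
    """Client side of CRAM-MD5: user name plus HMAC-MD5 of the server challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode("utf-8")).decode("ascii")


def cram_md5_verify(user_db, challenge_b64, response_b64):
    """Server side of CRAM-MD5: returns the user name on success, else None."""
    user, _, digest = base64.b64decode(response_b64).decode("utf-8").rpartition(" ")
    secret = user_db.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode("utf-8"), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return user if hmac.compare_digest(expected, digest) else None


# Constructed sample values (not from the manual).
USER, PASSWORD = "alice", "s3cret"
CHALLENGE = base64.b64encode(b"<1896.697170952@mail.example.test>").decode("ascii")

if __name__ == "__main__":
    msg = plain_message(USER, PASSWORD)
    print("PLAIN on the wire:   ", msg)
    print("PLAIN decoded:       ", parse_plain(msg))  # password is fully recoverable
    resp = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("CRAM-MD5 on the wire:", resp)
    print("CRAM-MD5 decoded:    ", base64.b64decode(resp).decode())  # digest only
    print("server accepts:      ", cram_md5_verify({USER: PASSWORD}, CHALLENGE, resp))
```

Base64 is an encoding, not encryption, so anyone who captures a PLAIN exchange on an unencrypted connection recovers the password directly. CRAM-MD5 avoids that, but the server has to keep the shared secret in a form it can use to recompute the digest.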
Kerberos Authentication within Active Directory

Kerberos is the primary authentication mechanism in Windows Active Directory. Within the AXIGEN Mail Server, it is used as an authentication method through GSSAPI (Generic Security Services Application Programming Interface).

In order to enable Kerberos authentication for your installed AXIGEN Mail Server, please follow the steps described below.

1. Create an account named "axigen_service" in Active Directory corresponding to each service you want to authenticate on from AXIGEN. Three accounts will be used for all AXIGEN supported services: axigen_smtp, axigen_imap, and axigen_pop.

2. Export the keys using the KTPASS utility:

   1. Generate a key for the SMTP service:
        ktpass -princ smtp/axigen.hostname@REALM -mapuser axigen_smtp -pass PASSWORD -out axigen-smtp.keytab
   2. Generate a key for the IMAP service:
        ktpass -princ imap/axigen.hostname@REALM -mapuser axigen_imap -pass PASSWORD -out axigen-imap.keytab
   3. Generate keys for the POP3 service:
        ktpass -princ pop/axigen.hostname@REALM -mapuser axigen_pop -pass PASSWORD -out axigen-pop.keytab

In all commands shown above you must replace:
- axigen.hostname - with the domain AXIGEN users should use to log in to
- REALM - with the Kerberos realm, particularly for Active Directory, with the domain name for which you want to authenticate
- PASSWORD - with the password for the corresponding "axigen_service" account, which you have previously created.

Please note that the AXIGEN Mail Server IP address must reverse point to the same hostname you have specified above as "axigen.hostname".

3. Copy the exported key files on the AXIGEN machine in the /etc directory and merge them using the 'ktutil' application. Simply type 'ktutil' and issue the following commands in the application's subshell:
   - load the needed keytab files, according to the services you want to use GSSAPI authentication with:
        rkt /etc/axigen-smtp.keytab
        rkt /etc/axigen-imap.keytab
        rkt /etc/axigen-pop.keytab
   - write the new /etc/krb5.keytab file:
        wkt /etc/krb5.keytab
   - exit the ktutil shell:
        quit

At this moment, all necessary keys will be saved in the /etc/krb5.keytab file.

Prerequisites and Settings for Each Active Directory User Defined for AXIGEN

The AXIGEN Mail Server domain name must be the same as the full Active Directory domain name. Also, the accounts for which you want to use Kerberos authentication must be created within the AXIGEN Mail Server.

Example

The example below shows how to set up the Windows version of the Mozilla Thunderbird e-mail client to use Kerberos authentication within an Active Directory environment:

1. Open the 'Account Settings' window from 'Tools' -> 'Account Settings...'.
2. Click 'Add Account'. This will open the 'Account Wizard'.
3. Select 'Email account' as the type of account to be created, then press 'Next'.
4. Fill in your name and e-mail address and press 'Next'.
5. In the next screen, select 'IMAP' or 'POP' incoming server types, according to your network policy. Set the 'incoming server' box to AXIGEN's fully qualified host name or the AXIGEN machine IP address.

6. Press 'Next' and fill in the user account name as stored in AXIGEN. In the last screen, fill in the account name, then press 'Next', review the settings and press 'Finish'.
7. Go to the 'Server settings' section of the newly created account and check the 'Use secure authentication' option. Also, if AXIGEN is configured to relay e-mails from authenticated users only and if you have created a keytab corresponding to the 'smtp' service (as shown above), add the AXIGEN hostname in the 'Outgoing server (SMTP)' section, selecting the 'Username and password' checkbox from the 'Security and authentication' section.
8. Click the 'OK' button from the 'Account settings' window.

SPF and DomainKeys

SPF (Sender Policy Framework) is a sender authentication method developed in order to ensure the mail server's security by applying different anti-spoofing mechanisms. This mechanism consists in making a DNS request in order to determine whether the mail message comes from an authorized source, which is described in an SPF record registered in the DNS. SPF records contain domain attributes that uniquely describe mail messages.

The query may have one of the following seven possible results:
- pass: meaning the message meets the domain's definition for legitimate messages;
- neutral
- none
- soft fail
- fail: meaning the message does not meet the domain's definition for legitimate messages;
- temp error
- permanent error

In case of permanent error, AXIGEN rejects the mail message, generating the respective error. If a temporary error is generated, AXIGEN returns an error message to the sending party. In all other cases the mail message is accepted.

To enable SPF in AXIGEN or to add an SPF header to e-mails, use the Message Acceptance Rules.

DomainKeys Compliance

Starting with version 2.0, AXIGEN Mail Server is also DomainKeys compliant. DomainKeys is an authentication system designed to verify both the DNS domain of an e-mail sender and the message integrity, embedded in the AXIGEN Signing Module.
The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM).

The AXIGEN Signing Module is only available for the commercial versions of the AXIGEN Mail Server. It does not work within free or evaluation versions. To test this specific feature, please contact our sales department.

AXIGEN Signing Module Usage and Configuration

AXIGEN Signing Module is a module that provides AXIGEN with a tool to prevent forgery and possible repudiation. It implements the Yahoo DomainKeys concept, which basically works by signing the contents of an e-mail and allows mail servers to verify that signature.

The DomainKeys module is composed of two daemons that run independently of AXIGEN and of each other: the DomainKeys Signer and the DomainKeys Verifier. Each of them has a configuration file and communicates with AXIGEN using an AFSL connector.

The signer's role is to sign e-mails that come from AXIGEN and the verifier's role is to verify the mail, which applies only if the mails were previously signed.

In order to activate the DomainKeys filters, first make sure that the AxigenFilters service is started. For more information on this see Starting/Stopping/Restarting the Server.

The DomainKeys Signing filter can be activated from WebAdmin: in the 'Security & Filtering' menu, go to the 'AntiVirus and AntiSpam' context, 'Supported Applications' tab, and click the 'ENABLE' button for the application named 'DKSigner'.

The DomainKeys Verifier can be enabled from WebAdmin: in the 'Security & Filtering' menu, go to the 'Additional AntiSpam Methods' context and click the 'Enable Domain Keys' check-box under 'Domain Keys'. Also, under this check-box some configurable actions for the DK Verifier can be found.

We strongly recommend that the DomainKeys Verifier AV/AS configuration filter be activated with the highest priority and the signer with the lowest.

Command line parameters

The command line parameters listed below are to be used both for the signer and the verifier.

-h displays this help message
-v displays the version
-f run in foreground
-u <user> run as user. DEFAULT: 'AXIGEN'
-g <group> run as group. DEFAULT: 'AXIGEN'
-c <path>: path to the configuration file; the default paths are as follows:
    /etc/opt/axigen/axidkd.conf for DomainKeys Verifier
    /etc/opt/axigen/axidksd.conf for DomainKeys Signer

DomainKeys Verifier configuration

bindip <ip> - The address used to listen for connections from AXIGEN.
bindport <port> - The port used for connections from AXIGEN. - DEFAULT: 1982
logtype <type> - This parameter defines where to log messages. It can be "system", "file" or "stdout". The "system" value means that messages will be logged to the system log, "file" that they will be logged in a file and "stdout" that messages will be logged at standard output. WARNING: if "file" is selected for this property, the logfile must also be set. - DEFAULT: "system"
logfile <file> - In case logtype has the value "file", this defines the file where messages are logged. - DEFAULT: "none"
loglevel <level> - The level at which messages will be logged. Possible values are:
    o 0 - only error messages will be logged
    o 1 - error and warning messages will be logged
    o 2 - all messages will be logged
    o DEFAULT: 2
addauthheader - This option enables/disables adding the "Authentication-Results" header to the message after verification. It can take the values: yes or no. - DEFAULT: "yes"
actiononpass - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a pass action (details on the actions that can be sent to AXIGEN are in the AFSL documentation). Possible values: pass, match, discard, error. - DEFAULT: "pass"
actiononfail - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a fail action. Possible values: pass, match, discard, error. - DEFAULT: "match"
actiononsoftfail - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a softfail action. Possible values: pass, match, discard, error. - DEFAULT: "match"
actiononneutral - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a neutral action. Possible values: pass, match, discard, error. - DEFAULT: "pass"
actionontemperror - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a temperror action. Possible values: pass, match, discard, error. - DEFAULT: "error"
actiononpermerror - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a permerror action. Possible values: pass, match, discard, error. - DEFAULT: "match"
rwtimeout <value> - This option specifies the timeout used when communicating with AXIGEN and with the Milter Implementation (in milliseconds). The range for this value is DEFAULT: 400
processingthreads <threads> - The number of processing threads, which also reflects the maximum number of connections made to the milter implementation.
The range for this value is DEFAULT: 16 DomainKeys Signer configuration bindip <ip> - The address used to listen for connections from AXIGEN. bindport <port> - The port used for connections from AXIGEN. - DEFAULT: 1982 logtype <type> - This parameter defines where to log messages. It can be "system","file" or "stdout". The "system" value means that messages will be logged to the system log, "file" that they will be logged in a file and "stdout" that messages will be logged at standard output. WARNING: if "file" is selected for this property, the logfile must also be set. - DEFAULT "system" logfile <file> - In case that logtype has the value "file", this defines the file where messages are logged. - DEFAULT: "none" loglevel <level> - The level at which messages will be logged. Possible values are: o 0 - only error messages will be logged o 1 - error and warning message will be logged o 2 - all messages will be logged o DEFAULT: 2 rwtimeout <value> - This option specifies the timeout used when communicating with AXIGEN and with the Milter Implementation (in milliseconds). The range for this value is DEFAULT: 400 privatekeypath - This path to the private key used for signing. This parameter is required. selector - The selector used to form the query for the public-key. This parameter is required 100

canonicalization - The canonicalization algorithm type. Possible values: simple, nofws. DEFAULT: "nofws"
removeheaders - If set to yes, this option removes duplicate headers from the signature. Possible values: yes, no. DEFAULT: "no"
processingthreads <threads> - The number of processing threads, which also reflects the maximum number of connections made to the milter implementation. The range for this value is DEFAULT: 16

Starting/Stopping/Restarting the Domain Keys Daemons

Slackware:
To start the daemons, issue the following command:
/etc/rc.d/rc.axigendk start
To stop the daemons, you can issue:
/etc/rc.d/rc.axigendk stop
In order to restart the daemons, issue the command:
/etc/rc.d/rc.axigendk restart

Others (rpm-based, Ubuntu, Gentoo, Debian):
To start the daemons, issue the following command:
/etc/init.d/axigendk start
To stop the daemons, you can issue:
/etc/init.d/axigendk stop
In order to restart the daemons, issue the command:
/etc/init.d/axigendk restart

4.3. Mail Filtering

AXIGEN provides various types of filters at each level of mail processing that allow you to increase mail traffic security and block any type of unwanted mail messages from reaching their intended recipient mailbox. The filtering system in AXIGEN is highly effective and allows maximum flexibility in defining what messages should be scanned, what filters should be used, the order in which these filters are applied and the actions taken according to the results of the scanning process. The filters can be applied both for incoming and for outgoing traffic.

Filter Types

1. Message Acceptance Rules
AXIGEN implements a set of message acceptance rules at SMTP-connection level. The system administrator can configure and implement message acceptance rules and adjust them to best suit their security requirements. Incoming connections established via SMTP and the message flow can be easily managed using the established rules. Moreover, they allow adding headers, changing addresses and other such actions. For more details, see the Message acceptance rules section.

2. Routing Rules
To further fine-tune communication management at SMTP level, AXIGEN Mail Server implements Routing rules. The Routing rules correspond to the Processing and SMTP Outgoing modules and enable administrators to define the NDR (Non-Delivery Receipt) text and the conditions when such a message is returned. The system administrator can also customize SMTP Outgoing actions for all or part of the relayed communication. For further information, see the dedicated section in this chapter.

Important! The following filter types are defined in the WebAdmin interface and in the configuration file:
  type script - for Message rules
  type socket - for Antivirus/Antispam rules

3. Message rules
Message rules instruct the AXIGEN Mail Server to take certain actions on processed messages based on pieces of information contained in the message headers. Using Message rules is safe since they do not operate on the mail content but only extract information from the mail header and take actions according to the pre-defined rules. See the Message rules section for further details.

4. Antivirus / Antispam Filters
Antivirus / Antispam Filters can be easily used with the AXIGEN Mail Server to ensure a high security level for communication. Commercial Antivirus applications can communicate with AXIGEN either directly (using the AXIMilter module) or through AMAVIS. For more details, see the corresponding section of the current chapter.

This type of filtering allows integration with virtually any third party application, including Antivirus and Antispam applications. Currently, connectors for the ClamAV Antivirus and SpamAssassin Anti-spam applications (both open source) are implemented, ensuring effective virus and spam protection for all mail traffic managed by AXIGEN Mail Server. Moreover, AXIGEN supports integration with Amavis, a generic interface used to connect a mail server to twelve different Antivirus applications: KAV (Kaspersky) for Mail Servers, BitDefender, Sophos, F-Prot, DrWeb, Symantec, F-Secure, Avast, etrust, Norman, Panda and McAfee.

For instructions on how to make AXIGEN work with ClamAV, see the corresponding AXIGEN forum posting. For SpamAssassin, you simply need to install the application; no further configuration is necessary. A sample setup procedure for connecting these two applications to AXIGEN is also given in the AXIGEN Install and Configuration Guide. For instructions on setting up the AXIGEN Mail Server integration with Amavis, see the dedicated article on the AXIGEN site. At this time the integration has been tested for Kaspersky and BitDefender, but the procedure is similar for any of the products supported by Amavis.

Active Filters

Filter configuration in AXIGEN also involves the notion of Active Filters. Although not a distinct filter category, the Active Filters designation is used to refer to filters currently enabled in AXIGEN. This designation is particularly useful when enabling filters.

Filtering Levels

In AXIGEN, you can apply filters at three levels:
  server level (these filters are applied to all e-mails directed to any account / mail list from the server)
  domain level (these filters are applied to all e-mails directed to the domain to which the account / mail list belongs)
  account / mail list level (these filters are applied only to the account / mail list for which the filters have been created)

Thus, a typical filtering chain in AXIGEN will contain different types of filters, applied on different levels. If one of the filters in the filtering chain yields an error (internal error, AFSL or any type of error), the e-mail being processed is kept in the processing queue and it will go through the filtering chain all over again at a later time, until all the filters in the chain can be applied. If all the filters in the filtering chain yield a PASS action, and the last one yields REJECT, the e-mail is rejected. In case one of the filters situated in the middle of the chain triggers a REJECT or DISCARD action, the e-mail will go through the filtering chain again. The order in which these filters will be applied is based on their level and on their priority. See Activating Filters for details on activation inheritance and priority levels.

AXIGEN Mail Servers can easily integrate with other third party applications through a simple interface which is made available as part of the SDK (Software Development Kit). For more details on SDK delivery, please contact the AXIGEN Sales Department.

Message Acceptance Rules

AXIGEN Mail Server implements a set of message acceptance rules at SMTP-connection level. The system administrator can configure and implement message acceptance rules and adjust them to best suit their security requirements. Incoming connections established via SMTP and the message flow can be easily managed using the established rules. Moreover, they allow adding headers, changing addresses and other such actions.

Examples of message acceptance rules:
  allow incoming messages from a specific domain
  deny incoming messages with attachments exceeding 3 MB
  allow authenticated users only
  accept secured connections only
  deny looping e-mails (when the number of Received headers exceeds 20)

The message acceptance rules can consist of any number of such rules, applied following a given priority. These rules can be set at SMTP Incoming level and help save space and resources for processing. The rules are defined using an AXIGEN proprietary scripting language and are at this time contained, along with the Processing and Relay policy scripts, in a single file per installed server. They can also be created automatically via the WebAdmin Wizard. More details on how to do this are available in the Message Acceptance Settings chapter.

Through the Message acceptance rules, a wide range of event handlers associated with the SMTP events are available, along with various methods, message headers, envelopes and peer information. The events are predefined blocks within the script that will be executed at specific moments by the server. For each event, the server calls certain methods which can have a configurable or predefined behavior. The available events at SMTP Incoming level are:
  onconnect
  onehlo
  onmailfrom
  onrcptto
  ondatareceived

Message acceptance rules are based on a proprietary scripting language. For an overview of this language, please see the Language Specifications section.

Routing Rules

To further fine-tune communication management at SMTP level, AXIGEN Mail Server implements Routing Rules. The Routing Rules correspond to the Processing and SMTP Outgoing modules and enable administrators to define the NDR (Non-Delivery Receipt) text and the conditions when such a message is returned. As an example, NDR responses are sent when the specified recipient of an e-mail message is invalid.

Routing Rules also allow system administrators to customize SMTP Outgoing actions for all or part of the relayed communication. For example, they can establish a certain address where all e-mails from a certain domain are relayed, or specify a username/password authentication before relaying e-mails to a certain address. Routing rules can contain any number of predefined options, thus being easily adapted to various security requirements.

The rules are defined using an AXIGEN proprietary scripting language and are at this time contained, along with the Message acceptance rules scripts, in a single file per installed server. They can also be created automatically via the WebAdmin Wizard. For details on the options available in the WebAdmin Wizard, please see the corresponding section.

A wide range of event handlers associated with the SMTP events, along with various methods, message headers, envelopes and peer information, are available when defining Routing rules. The events defined for the Routing rules and their contexts are as follows:

  Event                        Context
  onrelay                      SMTP Sending
  ondeliveryfailure            Processing
  ontemporarydeliveryfailure   Processing

For a detailed description of the scripting language the rules are based on, please see the Language Specifications section.

Antivirus / Antispam Filters

Antivirus / Antispam Filters can be easily used with the AXIGEN Mail Server to ensure a high security level for communication.

IMPORTANT! The AXIGEN Mail Server can integrate with more than 14 antivirus applications - KAV (Kaspersky) for Mail Servers, BitDefender, Sophos, F-Prot, DrWeb, Symantec, F-Secure, Avast, etrust, Norman, Panda, McAfee, ClamAV - and 6 antispam applications - SpamAssassin, AVG, Kaspersky Anti-Spam, Avira MailGate, BitDefender Mail Protection for Enterprises, Symantec Brightmail AntiSpam.

1. Simple Integration with ClamAV and SpamAssassin
For instructions on how to make AXIGEN work with ClamAV, see the corresponding AXIGEN forum posting. For SpamAssassin, you simply need to install the application; no further configuration is necessary. A sample setup procedure for connecting these two applications to AXIGEN is also given in the AXIGEN Install and Configuration Guide.

2. Integration with Commercial Antivirus Applications
Commercial Antivirus applications can communicate with AXIGEN either directly (using the AXIMilter module) or through AMAVIS. The AXIMilter module can communicate with any Antivirus application that has milter support, while AMAVIS provides support for the following security solutions: KAV (Kaspersky) for Mail Servers, BitDefender, Sophos, F-Prot, DrWeb, Symantec, F-Secure, Avast, etrust, Norman, Panda, McAfee. For instructions on setting up AXIMilter, see the AXIMilter section. More details on setting up the AXIGEN Mail Server integration with Amavis are available on the AXIGEN site in this dedicated article.

3. Integration with commercial Antispam applications
For instructions on how to integrate AXIGEN with AVG, Kaspersky Anti-Spam, Avira MailGate, BitDefender Mail Protection for Enterprises and Symantec Brightmail AntiSpam, please see the related Knowledgebase articles:

  How to enable spam protection in AXIGEN using AVG
  How to enable anti-spam filtering in AXIGEN using the milter implementation of Kaspersky Anti-Spam
  How to enable anti-spam filtering in AXIGEN using the milter implementation of Avira MailGate
  How to enable anti-spam filtering in AXIGEN using the milter implementation of BitDefender Mail Protection for Enterprises
  How to enable anti-spam filtering in AXIGEN using the milter implementation of Symantec Brightmail AntiSpam

Antivirus / Antispam Filters are dynamic filters executed by external processes. These types of filters are based on a file defining the communication protocol between AXIGEN and the external process executing the filter.

Antivirus/Antispam Filters can also interact with Message rules, via two headers appended to messages. These headers contain a spam or virus level value which indicates the likelihood of that particular message being a virus or spam. Based on these levels, actions imposed by the message rules can be taken, for instance moving messages above a certain level to a specified Quarantine folder.

AXIGEN supports creating customized filter chains. This means system administrators can define and use as many Antivirus/Antispam Filters and Message rules as required by their security policies.

In AXIGEN, antispam/antivirus filter calls are multithreaded - this means that filters can be applied on several e-mails at the same time, thus improving service availability and processing speed. If one of the filters in the filtering chain does not respond, AXIGEN provides a failsafe mode, which allows pinging the filter regularly until the connection is reestablished. At that moment, the message filtering chain is resumed. This guarantees that every message goes through the entire filtering chain.

AXIGEN Mail Servers can easily integrate with other third party applications through a simple interface which is made available as part of the SDK (Software Development Kit). For more details on SDK delivery, please contact the AXIGEN Sales Department.

For information on how to configure Antivirus/Antispam filters at different levels using WebAdmin, see:
  Manage Antivirus/Antispam Filters
  Domain Filter Configuration
  Groups Filter Configuration
  List Filter Configuration

Antivirus/Antispam filters can also be configured using the CLI Filters context. For information on how to use the Command Line Interface, see Configuring AXIGEN using CLI.

Message Rules

Message rules instruct the AXIGEN Mail Server to take certain actions on processed messages based on pieces of information contained in the message headers. Thus you can create rules like:
  messages from john@example.com copy to alex@localdomain;

  messages from move to folder Jokes;
  all messages reply with "Out-of-office" message;

Message rules are easily created by each individual user, using the Web Wizard provided in the WebMail module of AXIGEN. For more details on Wizard usage, please see Mail Filtering in WebMail. More complex message rules can be created by the system administrator using a simple scripting language called SIEVE. The same language is used by the WebMail Wizard when defining message rules automatically.

Using Message rules is safe since they do not operate on the mail content but only extract information from the mail header and take actions according to the pre-defined rules. They work basically by comparing different keys, using different comparators and comparison methods, against headers of a mail message. Based on the result of the comparison, you can apply different actions to the corresponding mail message, e.g. reject, discard, redirect, etc.

Message rules are static filters, where the filter itself is contained in a separate file. Different user-defined scripts can be included in any AXIGEN Filtering System. The supported language provides an extremely flexible filtering methodology, as users can define any number of script filters according to their needs.

AXIGEN also implements the vacation extension. This means that message rules can be created and applied for generating out-of-office type automatic replies. Thus, auto-generated messages can be sent when the user of the account for which the vacation applies is on vacation, out of office or in general away for an extended period of time. The vacation extension is an extra functionality also available via script files.

Antivirus/Antispam Filters can also interact with Message rules, via two headers appended to messages. These headers contain a spam or virus level value which indicates the likelihood of that particular message being a virus or spam. Based on these levels, actions imposed by the message rules can be taken, for instance moving messages above a certain level to a specified Quarantine folder.

AXIGEN supports creating customized filter chains. This means system administrators can define and use as many Antivirus/Antispam Filters and Message rules as required by their security policies.

For a complete description of message rules implementation in AXIGEN, see the SIEVE Language section. For a complete description of this language, see RFC

Message rules can also be created from WebAdmin at different server levels. For more details on adding new message rules from WebAdmin, see:
  Configuring Message Rules
  Domain Filter Configuration
  Account Filter Configuration

Filters can also be configured using the CLI Filters context (see Configuring AXIGEN using CLI) and by editing the configuration file (see Configuring AXIGEN using the Configuration File).
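The level-header handling behind the quarantine rule described in this section, as an added Python example that is not part of the AXIGEN manual or product code. It uses the X-AxigenSpam-Level and X-AxigenVirus-Level headers, their value ranges and the "assign only if greater" rule given under Spamtest and Virustest Extension; the thresholds, the INBOX folder name, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

SPAM_HEADER = "X-AxigenSpam-Level"    # 1 = clear of spam ... 10 = definitely spam
VIRUS_HEADER = "X-AxigenVirus-Level"  # 1 = no known virus ... 5 = definitely infected
VALID_LEVELS = {SPAM_HEADER: range(1, 11), VIRUS_HEADER: range(1, 6)}

# Leading blanks, then ASCII digits; text after the digits is tolerated and ignored.
_LEVEL_RE = re.compile(r"[ \t]*([0-9]+)")

# Constructed sample: a message that already carries a level when it is scanned.
SAMPLE_MESSAGE = (
    "From: sender@example.org\n"
    "To: user@localdomain\n"
    "Subject: constructed sample\n"
    "X-AxigenSpam-Level:  3 first-scanner\n"
    "\n"
    "body\n"
)


def load_sample():
    """Parse the constructed sample into an email.message.Message."""
    return message_from_string(SAMPLE_MESSAGE)


def parse_level(header_name, raw_value):
    """Return the level carried by a header value, or None if it is unusable."""
    if raw_value is None:
        return None
    match = _LEVEL_RE.match(raw_value)
    if match is None:
        return None
    level = int(match.group(1))
    return level if level in VALID_LEVELS[header_name] else None


def record_level(msg, header_name, new_level):
    """Store a scanner verdict with the raise-only rule; return the level kept."""
    if new_level not in VALID_LEVELS[header_name]:
        raise ValueError(f"{new_level} is not a valid {header_name} value")
    raw_values = msg.get_all(header_name, [])
    parsed = (parse_level(header_name, value) for value in raw_values)
    known = [level for level in parsed if level is not None]
    current = max(known, default=None)
    if current is not None and new_level <= current and len(raw_values) == 1:
        return current  # the single existing header already holds this or more
    final = new_level if current is None else max(current, new_level)
    del msg[header_name]  # removes every occurrence, so exactly one header remains
    msg[header_name] = str(final)
    return final


def choose_folder(msg, spam_threshold=5, virus_threshold=4):
    """Pick the delivery folder from the two level headers (assumed thresholds)."""
    virus = parse_level(VIRUS_HEADER, msg.get(VIRUS_HEADER))
    spam = parse_level(SPAM_HEADER, msg.get(SPAM_HEADER))
    if virus is not None and virus >= virus_threshold:
        return "Quarantine"
    if spam is not None and spam >= spam_threshold:
        return "Quarantine"
    return "INBOX"


if __name__ == "__main__":
    message = load_sample()
    print(record_level(message, SPAM_HEADER, 2), choose_folder(message))
    print(record_level(message, SPAM_HEADER, 8), choose_folder(message))
```

Because a level is only ever raised, a value that is already in the header when a scanner reports cannot lower that scanner's verdict.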

SIEVE Overview and Implementation in AXIGEN

SIEVE Overview

Sieve is a language created and used for mail filtering either on the server or on the client. The language is completely described in the RFC

Sieve is an interpreted language that can be described as relatively simple. It has no loop structures and no variables (in the basic form); its only control structure is if. Sieve works basically by comparing different keys, using different comparators and comparison methods, against headers of a mail message and, based on the result, applies actions to the message, like reject, discard, redirect.

The structure of Sieve as described in the RFC 3028 is:

SIEVE defines 5 actions: keep, fileinto, reject, discard, redirect, which are self-explanatory. It also defines 3 control commands:
  <stop> - which stops the processing at that point
  <if elsif else> structure
  require command - which defines an extension of the language. It tells the interpreter that the respective extension will be used in the script

The if structure has the form:
  if <test> <block>
  elsif <test> <block>
  else <block>

A block is a block of commands (actions and control commands - including other ifs) and a test can be one of the following:
  - address - tests a set of the address headers against a set of keys using different comparison methods
  - envelope - optional test
  - header - tests a set of the headers against a set of keys using different comparison methods
  - true, false - constants
  - allof <other tests> - logical and between several tests
  - anyof <other tests> - logical or between several tests
  - not <test> - negation of a test
  - exists - tests if a set of headers exist
  - size - tests against the size of a message

A test can take 2 values: true or false. After parsing a script against a mail message, several actions can result which may interact. Several constraints are defined regarding action interaction, which will be explained in the next paragraph. If no action is to be taken after a complete parse of the script, or an error occurs, an implicit keep will ensure delivery of the message to the inbox.

The AXIGEN SIEVE interpreter

The interpreter uses the following restrictions and constraints in implementing the RFC 3028:
  it implements the extensions described in the RFCs: fileinto, reject, envelope, copy, relational, spamtest, virustest, subaddress

  the relational test :count can only be used with the i;ascii-numeric comparator, and when there is more than one string in the second string list, only the first will be considered
  it implements the "i;octet", "i;ascii-casemap" and "i;ascii-numeric" comparators
  for the "i;ascii-numeric" comparator, the :matches and :contains tags cannot be used. Error otherwise.
  it allows only require with (fileinto, reject, envelope, copy, vacation) arguments, and gives an error message otherwise
  it allows address and envelope tests with the second string list (the values list) not tested for valid addresses (i.e. it allows parts of addresses to be put in the values list)
  it allows only the "From", "To", "CC", "Bcc", "Sender", "Resent-From", "Resent-To" headers to appear in the address test and only the "To", "From" headers in the envelope test. Error otherwise.
  the require group of commands must appear first and must contain only required commands. Error otherwise.
  elsif and else must appear only after an if or an elsif. Error otherwise.
  there is one type of warning and five types of error messages:
    1. "[Syntax Error]": given if there is a syntax error in the script
    2. "[Parse Error]": if a semantic error appears
    3. "[Semantic Error]": similar to parse error
    4. "[Validation Error]": if the script is not compliant to this document
    5. "[Run-time Error]": if something is wrong during a message parse
  numbers in the size test cannot be negative and cannot exceed 2^32-1. Error otherwise.
  numbers when using the i;ascii-numeric comparator cannot exceed 2^32-1 and cannot be negative. If a string used with this comparator starts with something other than a digit, or is null, or is negative, or exceeds 2^32-1, it gets the value 2^32. Leading whitespace (SP, HTAB, CRLF) is ignored.
  it does not allow two or more comparator, address-part or match-type tags in the address, header and envelope tests. Error otherwise.
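The i;ascii-numeric rules listed above, worked through as an added Python example (not AXIGEN code). The relation names gt, ge, lt, le, eq and ne are those of the relational extension; the function names and sample values are assumptions constructed for illustration, and only the :value and :count match types are covered.

```python
import operator
import re

UINT32_MAX = 2**32 - 1
UNUSABLE = 2**32  # value the manual assigns to strings that are not valid numbers

RELATIONS = {
    "gt": operator.gt, "ge": operator.ge,
    "lt": operator.lt, "le": operator.le,
    "eq": operator.eq, "ne": operator.ne,
}


class SieveValidationError(ValueError):
    """Raised for constructs the manual lists as 'Error otherwise'."""


def ascii_numeric(text):
    """Map a string to its i;ascii-numeric value as the manual describes it."""
    if text is None:
        return UNUSABLE
    stripped = text.lstrip(" \t\r\n")        # leading SP, HTAB, CRLF are ignored
    match = re.match(r"[0-9]+", stripped)    # must start with an ASCII digit
    if match is None:
        return UNUSABLE                      # empty, "-5", "high", ...
    value = int(match.group(0))
    return value if value <= UINT32_MAX else UNUSABLE


def check_size_argument(number):
    """Validate the number given to the size test (0 .. 2^32-1)."""
    if not 0 <= number <= UINT32_MAX:
        raise SieveValidationError(f"size argument out of range: {number}")
    return number


def numeric_test(values, match_type, relation, keys):
    """Evaluate a header test that uses the i;ascii-numeric comparator.

    values: header values found in the message; keys: the script's key list.
    """
    if match_type in (":matches", ":contains"):
        raise SieveValidationError(f"{match_type} cannot be used with i;ascii-numeric")
    if relation not in RELATIONS:
        raise SieveValidationError(f"unknown relation: {relation}")
    if not keys:
        raise SieveValidationError("empty key list")
    compare = RELATIONS[relation]
    if match_type == ":count":
        # Only the first string of the key list is considered.
        return compare(len(values), ascii_numeric(keys[0]))
    if match_type == ":value":
        return any(compare(ascii_numeric(v), ascii_numeric(k))
                   for v in values for k in keys)
    raise SieveValidationError(f"match type not covered here: {match_type}")


if __name__ == "__main__":
    for sample in ["  42", "", "-5", "4294967296", "7 (scanner)"]:
        print(repr(sample), "->", ascii_numeric(sample))
    # A malformed level compares as larger than every valid number.
    print(numeric_test(["high"], ":value", "ge", ["5"]))
```

Since an unusable string becomes 2^32, a "ge" or "gt" test against a malformed header value succeeds and an "lt" or "le" test fails, which is worth keeping in mind when writing threshold rules.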
Action interaction

General action interaction: the following constraints apply (error otherwise):
  reject can only be by itself and only once (possibly with stop)
  keep can appear with any action (except reject) several times, and a move to Inbox (or similar) will be executed once
  discard can appear with any action (except reject) several times and the result will be a discard only when solely discard actions are present or there is an implicit keep by using the :copy tag
  fileinto can appear several times with any action (except reject) and a move to the specified folder will be executed (if a move to the same folder is specified, it is treated as an error but a duplicate move will not be performed - a warning will be issued)
  redirect can appear several times and with any action (except reject), the result consisting in redirecting to the specified address only once (without giving an error if a duplicate reject with the same address appears) - a warning will be issued
  any action except stop, fileinto, vacation and redirect used with the :copy tag will cancel the implicit keep

Vacation interaction
  vacation can appear once per script and all other appearances will be disregarded.

  vacation used with discard, redirect, fileinto or explicit keep will not be an error and will not be considered to break the respective actions' interaction rules

Spamtest and Virustest Extension

This implementation supports the spamtest and virustest extensions as described in the RFC 3685, but in each case the following constraints apply:

Spamtest
A separate tool will be implemented that will map vendor-specific information from the antispam tool, and a new header named "X-AxigenSpam-Level" will be added, which can have the following values:
  1 - message was tested and is clear of spam
  2-9 - message was tested and has a varying likelihood of containing spam, in increasing order
  10 - message was tested and definitely contains spam

Virustest
A separate tool will be implemented that will map vendor-specific information from the antivirus tool, and a new header named "X-AxigenVirus-Level" will be added, which can have the following values:
  1 - message was tested and contains no known viruses
  2 - message was tested and contained a known virus which was replaced with harmless content
  3 - message was tested and contained a known virus which was "cured" such that it is now harmless
  4 - message was tested and possibly contains a known virus
  5 - message was tested and definitely contains a known virus

The possible values of the header SHOULD be only numbers and, if so, MUST be only the above numbers, but may also have leading and trailing spaces and may contain alphanumeric characters after the numbers. There may be at most one header of each type at a given moment, and when the tool has a value to assign to the header, it will assign it only if it is greater than the value already contained in the header.

Vacation Extension

The vacation extension is implemented using the draft: draft-ietf-sieve-vacation-04. The vacation extension is used to send auto-generated messages when the user of the account for which the vacation applies is on vacation, out of office or in general away for an extended period of time. For a description of the syntax of this extension, please consult the SIEVE related documents and the draft this implementation is based on. Implementation-specific issues like restrictions and constraints, and in general issues that appear in the draft with SHOULD or MAY, are defined below.

The minimum value for the vacation :days argument is 1 and the maximum is 45. If the value given to the days argument is less than 1 it will be considered 1, and if greater than 45 it will be considered 45. The default value if the days parameter is omitted is 7.

The Previous Response Tracking feature (section 4.2 of the draft) is implemented using a CRC32 hash and the date when the response was sent. This means that there may be cases when a second response will be generated even though it was not supposed to, but the chance of that is negligible compared to the speed gain.

The Limiting Replies to Personal Messages feature (section 4.6 of the draft) was implemented considering the same cases as in the draft, but this will change in a way to allow the administrator to define custom rules for recognizing auto-generated mails.

The vacation response message is generated with all the features defined in Section 5 of the draft except the References field, which is not generated in this version of the implementation. The interaction between vacation and other actions is described above, under Action Interaction.

The AXIGEN Filtering Module

Based on Sendmail's Content Management Protocol (Milter), the AXIGEN Filtering Module (AXIMilter) provides an interface for third-party software (such as antivirus/antispam) to validate and modify messages as they pass through AXIGEN Mail Server. Through AXIMilter, AXIGEN can be integrated with various Antivirus and Antispam applications. At this time, the AXIGEN Messaging Solution integration with AXIMilter has been successfully tested for Kaspersky (kavmilter), Symantec Brightmail, Avast and Avira.

Filtering Module Implementation in AXIGEN

A "milter" is a module used by a mail transfer agent (MTA) that allows the addition of very efficient Antivirus/Antispam filters in the mail processing chain. It makes decisions and takes actions during the SMTP sessions. The milter uses a communication protocol based on sockets.
This protocol can be used to enable third party applications like antivirus or antispam software to integrate with different MTAs supporting this milter module.

AXIMilter is a daemon that runs separately from AXIGEN. It can be configured through its configuration file, located by default in /etc/opt/axigen/aximilter.conf. The configuration file can be specified using the command line arguments, if one wants to use a configuration located elsewhere.

The AXIGEN MTA communicates with the milter extension using the "aximilter.afsl" filter and the inet socket. The filter takes care of the communications and translations between the two parties. Any results passed on by the milter to the filter are interpreted and formatted by it and passed down the chain to AXIGEN.

When the filter is defined and activated in the AXIGEN configuration, you have to set the socket used for communications between AXIGEN and the milter extension. This is an inet (TCP) type of socket. Through this socket AXIGEN will connect to the milter interface and give instructions (formatted by the filter file) to the third party application at the other end. This connection is also used to receive any results from the milter back to AXIGEN.

Filter file purpose:
  Parse the information received
  Interpret and check the information
  Translate information
  Pass information

Socket purpose:
  Establish a communications channel
  Transfer information
  Maintain the integrity of the information

The milter extension takes the requests received from AXIGEN and passes them to the milter counterpart of the third party application. This communication is negotiated using the standard milter protocol. When the third party milter responds, information is again passed through the TCP socket and interpreted by the filter. Only then, based on the information received, is AXIGEN able to determine what action to take.

The whole process chain can be described as follows. The AXIGEN MTA receives an e-mail and the processing chain begins. When AXIGEN reaches the filter designated for the milter extension, it passes the necessary information through the socket. All the information is translated by the filter file and fed to AXIMilter (AXIGEN's milter extension). AXIMilter then connects through a socket to the third party milter implementation and sends the request to make a decision about the fate of the particular e-mail. After the action to be taken on the respective e-mail has been decided (to accept it or not and why), the information is again passed to AXIMilter through the socket between the two milter implementations. AXIMilter sends the results back to AXIGEN through the socket defined in the filter setup and it is again translated.
When the AXIGEN MTA receives the information, it takes the necessary steps to deliver or discard the message.

Configuring the AXIGEN Filtering Module

The AXIGEN Milter implementation filter can be enabled from WebAdmin: in the "AntiVirus and AntiSpam" context, enable the Application named 'aximilter'. For more information on Antivirus/Antispam Filters in AXIGEN, see Antivirus/Antispam Filters.

AXIMilter configuration

The milter configuration resides in the /etc/opt/axigen/aximilter.conf file. Depending on the setup you want to achieve, there are multiple options to consider. Because the sockets used are TCP sockets, you can use one machine as the mail server and another one on the network as the mail scanner, or run both on the same machine. You should also consider options such as the number of threads and/or connections you want to allow at any given time. This can have serious productivity and security implications. The available configuration options are explained below:

- bindip <ip> sets the interface AXIMilter uses to listen for connections from AXIGEN. If the machine running AXIMilter has more than one interface, change this variable to the IP of the interface available to the AXIGEN server. This should be a LAN IP address, ensuring that the traffic between your MTA and AXIMilter is not visible to anyone else. If you run AXIMilter and AXIGEN on the same machine you can leave this option unchanged.
- bindport <port> is the port that AXIGEN connects to when establishing a connection to the AXIMilter extension. You can set this port to whatever you like as long as the port is not already bound by another process. This port must be used when creating the filter in the AXIGEN configuration. When AXIGEN initiates the connection to the socket, AXIMilter has to be listening for connections. If the port is not used by another process you can leave this option unchanged. DEFAULT: 1981
- rwtimeout <value> is the maximum amount of time allocated to a connection session, expressed in milliseconds. Setting this value too high on a high-traffic server might saturate all the available connections. Setting it too low on a slow machine might interfere with the communications transmitted. The range for this value is DEFAULT: 400
- milterip <ip> is the IP address of the machine running the third-party milter implementation. As with the "bindip" variable, this should be set to the local IP address of that particular machine, or left unchanged if the other milter runs locally. DEFAULT: " "
- milterport <port> is the port number AXIMilter connects to when establishing a connection with the third-party milter implementation. This port has to be the same as the one specified in the configuration file of the third-party software, and it is crucial in setting up a working milter implementation. If you change the port in the configuration of your software, you have to change it here too. Most anti-virus scanners use different ports, so check which port you have to set here before testing your implementation. DEFAULT: 1990
- logtype <type> defines where to log messages. It can be "system", "file" or "stdout". The "system" value means that messages will be logged to the system log, "file" that they will be logged in a file and "stdout" that messages will be logged to standard output. WARNING: if "file" is selected for this property, the logfile must also be set. DEFAULT: "system"
- logfile <file> - if logtype has the value "file", this defines the file where messages are logged. DEFAULT: "none"
- loglevel <level> is the level at which messages will be logged. Possible values are:
  o 0 - only error messages will be logged
  o 1 - error and warning messages will be logged
  o 2 - all messages will be logged
  o DEFAULT: 2
- processingthreads <threads> is the number of threads ready to process requests. This number also limits the maximum number of connections that can be established to the AXIMilter extension. If, for example, you set this value to 3, a maximum of 3 requests can be sent at any given time, so the fate of only 3 e-mails can be decided at once. When one of these connections is closed, a new one can be opened. Balance this value so that you do not overload the server and at the same time do not keep too many e-mails waiting if you have a lot of traffic. The default value should be sufficient for most modern computers and at the same time should be reasonable on a medium-sized server. The range for this value is DEFAULT:
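The option constraints described above (a LAN bind address, logfile required when logtype is "file", loglevel limited to 0-2) can be checked before a configuration is deployed. The following Python sketch is an added example, not part of the manual or of AXIGEN; it assumes the file uses "name value" or "name = value" lines with "#" comments, and it takes "LAN" to mean RFC 1918 space plus loopback.

```python
import ipaddress
import re

# Defaults and allowed values as given in the option descriptions above.
DEFAULTS = {"bindport": "1981", "rwtimeout": "400", "milterport": "1990",
            "logtype": "system", "logfile": "none", "loglevel": "2"}
KNOWN = set(DEFAULTS) | {"bindip", "milterip", "processingthreads"}
# Assumption: "LAN" means RFC 1918 private space or loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_conf(text):
    """Parse 'name value' / 'name = value' lines; '#' starts a comment (assumed syntax)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip().strip('"')
    return opts


def is_lan(value):
    """True/False for a valid IP inside/outside LAN_NETS, None if not an IP."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return any(ip in net for net in LAN_NETS)


def lint(text):
    """Return a list of (option, problem) tuples; an empty list means no findings."""
    given = parse_conf(text)
    opts = {**DEFAULTS, **given}
    findings = [(name, "unknown option") for name in sorted(set(given) - KNOWN)]
    for name in ("bindip", "milterip"):
        if name in given:
            lan = is_lan(given[name])
            if lan is None:
                findings.append((name, "not an IP address"))
            elif not lan:
                findings.append((name, "not a LAN or loopback address; traffic "
                                 "between AXIGEN and the milter may be visible to others"))
    for name in ("bindport", "milterport"):
        if not (opts[name].isdecimal() and 1 <= int(opts[name]) <= 65535):
            findings.append((name, "must be a TCP port in 1-65535"))
    # The manual's ranges for these two are not reproduced here, so only
    # the basic shape (a positive integer) is checked.
    for name in ("rwtimeout", "processingthreads"):
        if name in opts and not (opts[name].isdecimal() and int(opts[name]) > 0):
            findings.append((name, "must be a positive integer"))
    if opts["logtype"] not in ("system", "file", "stdout"):
        findings.append(("logtype", "must be system, file or stdout"))
    elif opts["logtype"] == "file" and opts["logfile"] in ("", "none"):
        findings.append(("logfile", "logtype is 'file' but no logfile is set"))
    if opts["loglevel"] not in ("0", "1", "2"):
        findings.append(("loglevel", "must be 0, 1 or 2"))
    return findings


# Constructed sample files (not taken from the manual).
WEAK_CONF = """\
bindip 0.0.0.0          # wildcard address instead of a LAN interface
bindport 1981
milterip 203.0.113.10   # scanner reached over a non-LAN address
logtype file            # logfile left at its default of "none"
loglevel 3
"""
HARDENED_CONF = """\
bindip 192.168.10.5
bindport 1981
milterip 192.168.10.6
milterport 1990
logtype file
logfile /var/log/aximilter.log
loglevel 1
processingthreads 8
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf))
```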

AXIGEN Filtering Module Commands

Command line parameters:
- -h displays this help message
- -v displays the version
- -f run in foreground
- -u <user> run as user. DEFAULT: 'axigen'
- -g <group> run as group. DEFAULT: 'axigen'
- -c <path> path to the configuration file. DEFAULT: /etc/opt/axigen/aximilter.conf

Starting with version 5, the AXIMilter daemon is included in the AxigenFilters. A list of commands needed to start, stop, restart, or check the status is available in the Starting/Stopping/Restarting the Server section.

Activating and Prioritising Filters and Rules

In AXIGEN Mail Server, you can activate Antivirus / Antispam filters by enabling them from the 'AntiVirus and AntiSpam' context, and Message rules by adding and enabling them in the 'Incoming Message Rules' list, available in the 'Security & Filtering' menu in WebAdmin.

Filter Priority

Priorities between enabled Antivirus / Antispam filters or Message rules can be changed using the up and down arrows under the Priority section, in the same context where they can be Enabled/Disabled.

Activation Inheritance

All filters activated at server level are automatically applied at all filtering levels, according to their respective priority levels. The same is true for domain level filters, which can be activated at account / mail list level. Filters activated at domain level are applied to all accounts belonging to the respective domain. Filters activated only at account level are applied only to that specific account.

For information on how to activate filters using WebAdmin see the following pages:
- Managing Message Filters
- Domain Filter Configuration
- Account Filter Configuration
- List Filter Configuration

Language Specifications for Policy Configuration

The AXIGEN SMTP Policy system is defined in a single file per installed AXIGEN Mail Server and has events for the SMTP Incoming, Outgoing and Processing stages of a mail life cycle. The Policy system contains Message Acceptance Policies and Processing and Relay Policies. The server locates the file by means of the smtpfiltersfile parameter.

Important! Starting with version 5, changing the existing rules/methods or adding new rules/methods by directly editing the smtpfilter file is NOT recommended for normal usage. This could render the corresponding SMTP filter/rules context in WebAdmin unavailable, and it is not advisable unless you need heavy tweaking and know what you are doing.

Instead of directly editing smtpfilters, for normal usage the administrator should use the following context from the WebAdmin module: 'Security & Filtering' -> 'Acceptance & Routing'. If the specific WebAdmin context is invalidated by manual modifications of the smtpfilters file, a warning is displayed and the user is given the opportunity to overwrite the contents of the file. Since manual modification of the smtpfilters file is no longer recommended, a wizard that helps you build your required rules is available in WebAdmin.

ATTENTION! If rules already exist in the smtpfilters file, using the wizard from WebAdmin will overwrite all of them; please back up your smtpfilters file first.

Basic structure

The language is structured in blocks of two types: events and methods. The events are predefined blocks that are executed at specific moments by the server. The methods are custom defined blocks that are called from the language. Thus the basic structure of a language file is:

    event event1 {
        ..
    }
    event event2 {
        ..
    }

Comments inside the script file are allowed using the syntax: #comment until the end of line.

SMTP Events

The events defined for the SMTP filters and their contexts are as follows:

| Event | Context |
|---|---|
| onconnect | SMTP Receiving |
| onehlo | SMTP Receiving |
| onmailfrom | SMTP Receiving |
| onrcptto | SMTP Receiving |
| onheadersreceived | SMTP Receiving |
| onbodychunk | SMTP Receiving |
| ondatareceived | SMTP Receiving |
| onrelay | SMTP Sending |
| ondeliveryfailure | Processing |
| ontemporarydeliveryfailure | Processing |

Thus, the structure of the script file is:

    #Sample AXIGEN SMTP Filter
    #the event called when a connection is made to SMTP
    event onconnect {
        ...
        code
        ...
    }
    #the event called when smtp receives EHLO
    event onehlo {
        ...
        call(ionel);
        ...
    }
    method Ionel {
        ...
        code
    }

Methods

Besides the custom methods, a number of predefined methods are also available. They are called in the same way and have a predefined behavior. The currently available predefined methods are:
- checkspf
- checkreversedns
- addheader
- addifnotexistsheader
- removefirstheader
- removeheader
- modifyheader
- modifyifexistsheader
- addrcpt
- discardrcpt

A more comprehensive example of a script, using what has been defined so far, is:

    event onehlo {
        call(heloevent);
    }
    method heloevent {
        ...
        call(checkspf);
        call(addheader);
    }

Contexts

This is a scripting language intended especially for SMTP filtering. The SMTP process has three different contexts: Incoming, Outgoing and Processing. The behavior of the same filter therefore differs depending on the context to which it is applied. For example, the SMTPIn events are triggered only within the SMTP Incoming context. The same applies to context-dependent variables, which are detailed below.

Variables

After methods and events, the next in importance are the variables. They act as input and output to functions and also act as actions to be taken by the SMTP engine. All variables are considered to be strings or numbers and can be of three types:
- read-only variables (input variables);
- read-write variables (input/output variables);
- action variables - these variables can be either read-only or read-write, but they are in this category because they can cause the SMTP engine to take an action or are involved in an action.

Variable behavior is context-dependent. If a variable is an input variable for the SMTP Incoming context, it is set only in that context and is "" in the SMTP Outgoing context. Furthermore, a variable is set only after its value is known. For example, the MailFromDomain variable is "" in the onconnect and onehlo events and is set only in the onmailfrom event.

Some variables are set/read by the engine, but there are methods for reading/writing them from the code. Reading a variable means comparing the variable's value with another value or variable. This is done using test functions that form the test block of a conditional block. To set a variable, the function set is used:

    set(spfresult, "some value");

When a predefined method is called, it usually sets one or more variables as its output and usually requires one or more variables to be set as its input.

Apart from the predefined variables, custom variables also exist and can be used later in the code. To define a variable you just set its value:

    set(avariable, "avalue");

This defines a variable named avariable and sets its value to "avalue". A custom defined variable has a lifetime that lasts until the end of a block. To preserve a variable across blocks and across contexts, the export function is used:

    export(avariable)

The lifetime of a filter with its contexts is per message, so the export function can be used to preserve the value of a variable specific to one message through different stages of SMTP. For example, in the SMTP Outgoing context the value of MailFromDomain is not set, but it can be if an export(mailfromdomain) was made in one of the SMTP Incoming events.

Within the SMTP Filter Language, variable expanding means that a variable name may appear within a string and at runtime the name is replaced by the variable's value. For a variable to be expanded, its name must appear between "%" characters. An example of variable expanding is:

    event onconnect {
        set(avariable, "Hello.");
        set(smtpgreeting, "%avariable% This is my AXIGEN server");
    }

When you connect on the SMTP port, the greeting will be: "Hello. This is my AXIGEN server"

This expanding mechanism also works for comparing two variables:

    event onconnect {
        set(avariable, "value");
        set(bvariable, "value");
        if (is(avariable, "%bvariable%")) {
            set(smtpaction, "reject");
        }
    }

Structures

Condition blocks

There are only block, sub-block, if and switch structures. The block structures were defined above. The if structure has the following form:

    if (conditions) {
    } else {
    }

The sub-blocks mentioned above are part of the if and switch structures and, as in the case of blocks, start with a "{" and end with a "}". The switch structure has the following form:

    switch (variable) {
        case <value>: {
        }
        case <value>: {
        }
        default: {
        }
    }

Both the if and the switch structures can be nested to a maximum of 16 levels. The case statements are exclusive: if a case is matched, the switch structure is exited after the execution of its block.

Conditions

The conditions are Boolean functions that are used in the if and switch tests. They are of 2 types: single conditions and logical groups. The single conditions are as follows:
- is(variable,value) - matches for equality;
- iscase(variable,value) - matches for equality and if strings, the match is case insensitive;
- match(variable,regexp) - regular expression match
- lessthen(variable,value) - number comparison
- greaterthen(variable,value) - number comparison
- greaterorequal(variable, value) - number comparison
- lessorequal(variable, value) - number comparison
- iprange(variable, range) - matches if the variable's value is in range. If the variable is not an IP address, the function returns false. Example of how to define IP ranges:
  o (range)
  o /24 (cidr)
  o / (netmask)

The logical groups are:
- not(condition) - negation of a condition
- allof(condition,condition,...) - similar to an AND between conditions
- anyof(condition,condition,...) - similar to an OR between conditions

The logical groups can be nested to a maximum of 16 levels.
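To reason about how a rule will evaluate before loading it into the server, the variable expansion and the conditions described above can be modelled offline. The Python sketch below is an added example built only from the descriptions in this section; it is not AXIGEN code and does not reproduce the server's parser. Its assumptions: variable names are case-insensitive, the range form of iprange is written "first-last", each logical group counts as one nesting level, and `is_`, `not_` and `relay_decision` are hypothetical names.

```python
import ipaddress
import re

MAX_NESTING = 16   # limit the manual states for logical groups


class Cond:
    """A test over the variable table; depth counts enclosing logical groups."""
    def __init__(self, fn, depth=0):
        if depth > MAX_NESTING:
            raise ValueError("logical groups nested deeper than %d" % MAX_NESTING)
        self.fn, self.depth = fn, depth

    def __call__(self, variables):
        return bool(self.fn(variables))


def value_of(variables, name):
    # Unset variables read as "" (as the manual describes). Keys of the table
    # are lowercase; case-insensitive names are an assumption of this model.
    return str(variables.get(name.lower(), ""))


def expand(text, variables):
    """Replace each %name% in text with that variable's current value."""
    return re.sub(r"%(\w+)%", lambda m: value_of(variables, m.group(1)), str(text))


def is_(var, value):
    return Cond(lambda v: value_of(v, var) == expand(value, v))


def iscase(var, value):
    return Cond(lambda v: value_of(v, var).lower() == expand(value, v).lower())


def match(var, regexp):
    return Cond(lambda v: re.search(regexp, value_of(v, var)) is not None)


def numeric(op):
    def build(var, value):
        def test(v):
            try:
                return op(float(value_of(v, var)), float(expand(value, v)))
            except ValueError:
                return False      # non-numeric operands never match
        return Cond(test)
    return build


lessthen = numeric(lambda a, b: a < b)            # spelling as in the manual
greaterthen = numeric(lambda a, b: a > b)
lessorequal = numeric(lambda a, b: a <= b)
greaterorequal = numeric(lambda a, b: a >= b)


def iprange(var, spec):
    def test(v):
        try:
            ip = ipaddress.ip_address(value_of(v, var))
            if "-" in spec:       # "first-last": assumed notation for a range
                lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
                return lo <= ip <= hi
            return ip in ipaddress.ip_network(spec, strict=False)  # CIDR or netmask
        except (ValueError, TypeError):
            return False          # value is not an IP address (or spec unusable)
    return Cond(test)


def not_(cond):
    return Cond(lambda v: not cond(v), cond.depth + 1)


def allof(*conds):
    return Cond(lambda v: all(c(v) for c in conds),
                1 + max((c.depth for c in conds), default=0))


def anyof(*conds):
    return Cond(lambda v: any(c(v) for c in conds),
                1 + max((c.depth for c in conds), default=0))


def relay_decision(variables):
    """Hypothetical rule: accept LAN or authenticated clients, reject the rest."""
    trusted = anyof(iprange("remotesmtpip", "192.168.0.0/255.255.0.0"),
                    not_(is_("authuser", "")))
    return "accept" if trusted(variables) else "reject"


if __name__ == "__main__":
    # Constructed sample session values.
    print(relay_decision({"remotesmtpip": "198.51.100.9", "authuser": ""}))
```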

119 Functions The functions can be looked at as keywords from other languages. They are the building blocks of the language and their behavior is hard-coded. The functions available are: all the Boolean functions described above; call (method) - this executes a predefined of custom defined method. If the method is custom defined, it must be defined in the same script file as the call; export (variable) - this function exports a variable name and value to be used in another context. If the variable is custom defined it must be defined in the same script file; set (variable, value) - this sets the value of a RW variable; return - this function ends the current event or method execution SMTP Functionalities (I) A list of all events and all variables and methods that can be used by each event is presented below. The type (IN or OUT) and the access method (RO - read only, RW - read write, WO - write only) will be specified for each variable. Important! Certain variables are only interpreted within some events, while the remaining events ignore them. Therefore setting such a variable for an event that will ignore it will take no effect. This is also applicable to predefined methods. Not all variables marked as RO or not presented for a certain event will generate an error if set. The reason is they can be marked as RW for other events of the same context. However, setting them will have no effect. onconnect Called when a new client is connected. Variable Type Access Method Explanation Value set Default smtpport numeric IN,RO The local listener port the client used to connect Range: Not Applicable smtpip ip IN,RO The local interface IP the client used to connect IP Not Applicable remotesmtpport numeric IN,RO The remote port the connection was established through remotesmtpip ip IN,RO The remote IP the connection Range: IP Not Applicable Not Applicable 119

120 Variable Type Access Method Explanation Value set Default was established from. issslconnection choice IN,RO 'yes' if the Choice: Not Applicable connection is yes - the encrypted connection is (socket ssl), encrypted (socket no if it is not. ssl) no - the connection is not encrypted DNSBLServer text OUT,WO The DNSBL server name used by 'checkdnsbl' method. Text string DNSBLResult ip IN,RO The result of a IP 'checkdnsbl' call; if the client ip is not found using 'DNSBLServer' the result is an empty string DNSBLExplanation text IN,RO The explanation associated with the result returned by a 'checkdnsbl' call Text string smtpgreeting text OUT,WO The initial Text string message sent to the client (for the moment, it can be a static string only). AXIGEN specific greeting text smtpaction choice OUT,WO Determine what action the smtp engine shoud take for the current command. Choice: accept - the server accepts the current command reject - the server rejects the Takes action conforming with internal policies an the 120

121 Variable Type Access Method Explanation Value set Default current command and returns a permanent error tmpreject - the server rejects the current command and returns a temporary error abort - the server aborts the connection smtpexplanation text OUT,WO The message sent to the client in case of a reject or tmpreject action. Text string A default error message RFCBreak multival OUT,WO List of RFC Values: violation nofolding - permitted or Header lines requested. longer than 78 characters are permitted and no folding is perfomed on those lines bodycrlfcorrection - SMTP IN service is allowed to modify the body of 7Bit mime messages in order to fix invalid line terminator sequences (the single CR, LF or LFCR and CRCRLF sequences found in mail's body are replaced with CRLF) filtername text OUT,WO The name of the extenral filter to be added Text string Not Applicable 121

122 Variable Type Access Method Explanation Value set Default filtertype choice OUT,WO The type of the external filter to be added Choice: milter - The new external filter is of type MILTER Not Applicable filteraddress text OUT,WO The address of the new external filter Text string addfilterresult choice IN,RO Choice: ok - The addfilter call was successfull error - The addfilter call failed Not Applicable Not Applicable addfilterexplanation text IN,RO Text string Not Applicable filternamepattern text OUT,WO The pattern name of filters to be executed 'filtername'.result choice IN,RO The execution result of an external smtp filter Text string Choice: pass - The filter was executed and returned a positive result fail - The filter was executed and returned a rejection result neutral - The filter was not selected for execution by the lass executefilters call error - The filter was not executed because of system errors Not Applicable 'filtername'.action choice IN/OUT,RW The default Choice: action taken accept - The by the smtp engine accepts engine as a the current and result of the following executing an commands external smtp continue - The Not Applicable 122

123 Variable Type Access Method Explanation Value set Default filter engine accepts the current command discard - The engine ignores the current command tmpreject - The engine temporary rejects the current command reject - The engine permanently rejects the current command 'filtername'.explanation text IN,RO The explanation associated with the execution of an external smtp filter Methods Text string Not Applicable Name Explanation Input Parameters Output Parameters addfilter Adds an external smtp filter executefilters Execute onconnect method for selected filters checkdnsbl Checks if the clinent ip is black-listed in filtername-specifies the name of the filter to be added filtertype-specifies the type of the filter to be added filteraddress-specifies the address of the filter to be added filternamepattern-the selection name pattern of filters to be executed DNSBLServer-The DNS Black List server used to check the client addfilterresult- Indicates if the add filter operation was successfull addfilterexplanation- Indicates the failure reason of the add filter operation 'filtername'.result-the execution result of the filter named 'filtername' 'filtername'.action-the default smtp action taken as a result of executing the filter named 'filtername' DNSBLResult-The ip associated with the client ip in server 'DNSBLServer' 123

124 onehlo Name Explanation Input Parameters Output Parameters server 'DNSBLServer' Called after receiving the EHLO message sent by the client. ip DNSBLExplanation- Explanation associated with the 'DNSBLResult' Variable Type Access Method Explanation Value set Default smtpport numeric IN,RO The local listener port the client used to connect smtpip ip IN,RO The local interface IP IP the client used to connect remotesmtpport numeric IN,RO The remote port the connection was established through Range: Range: Not Applicable Not Applicable Not Applicable remotesmtpip ip IN,RO The remote IP the connection was established from IP Not Applicable issslconnection choice IN,RO 'yes' if the Choice: connection is encrypted (socket ssl), no if it is not. yes - the connection is encrypted (socket ssl) no - the connection is not encrypted Not Applicable ehlohost hostname IN,RO The hostname the client declares Hostname Not Applicable isesmtp choice IN,RO 'yes' if the client used EHLO, 'no' for HELO authuser text IN,RO Name of sucessfully authenticated user ('' if the Auth command was incorrectly used) Choice: yes - the client used EHLO no - the client used HELO Text string Not Applicable Not Applicable authmatchfrom choice OUT,WO Verifies if the sender address corresponds to the Choice: yes - the sender address corresponds yes 124

125 Variable Type Access Method Explanation Value set Default one used to authenticate. to the one used to authenticate no - the sender address does not correspond to the one used to authenticate mailcount numeric IN,RO Number of succesfully sent mails during this session. totalmailsize numeric IN,RO Total size of messages sent in the respective session (in octets). Range: Range: Not Applicable Not Applicable remotedelivery choice IN/OUT,RW Specifies which clients can send remote messages. localdelivery choice IN/OUT,RW Specifies which clients can send messages locally. Choice: all - all clients can send remote messages none - no clients can send remote messages auth - only authenticated clients can send remote messages Choice: maxrcptcount numeric IN/OUT,RW The maximum Range: number of recipients for an . maxdatasize numeric IN/OUT,RW The maximum size of a mail message (KB). all - all clients can send messages locally none - no clients can send messages locally auth - only authenticated clients can send messages locally Range: auth all

126 Variable Type Access Method Explanation Value set Default maxreceivedheaders numeric IN/OUT,RW The maximum size Range: of 'Received' headers after which the is considered to be looping. 30 allowstarttls choice IN/OUT,RW 'yes' if the Choice: STARTTLS yes - STARTTLS extension is extension is allowed allowed, 'no' if no - STARTTLS otherwise. extension is not allowed allowpipelining choice IN/OUT,RW 'yes' if the Choice: PIPELINING yes - PIPELINING extension is extension is allowed allowed, 'no' if no - PIPELINING otherwise. extension is not allowed allow8bitmime choice IN/OUT,RW 'yes' if the 8BIT Choice: extension is yes - 8BIT extension allowed, 'no' if is allowed otherwise. no - 8BIT extension is not allowed allowbinarydata choice IN/OUT,RW 'yes' if the BINARY Choice: extension is yes - BINARY allowed, 'no' if extension is allowed otherwise. no - BINARY extension is not allowed plainconnauthtypes multival IN/OUT,RW Allowed authentication types for a plain connection (possible values: 'all', 'none' or a 'plain', 'login', 'cram-md5', 'digestmd5' and 'gssapi' combination). Values: all - All authentication types are allowed for plain connections none - No authentication type is allowed for plain connections plain - PLAIN authentication is allowed for plain connections login - LOGIN authentication is allowed for plain yes yes yes yes all 126

127 Variable Type Access Method Explanation Value set Default connections cram-md5 - CRAM- MD5 authentication is allowed for plain connections digest-md5 - DIGEST-MD5 authentication is allowed for plain connections gssapi - GSSAPI authentication is allowed for plain connections secureconnauthtypes multival IN/OUT,RW Allowed authentication types for a SSL connection (possible values: 'all', 'none' or a 'plain', 'login', 'cram-md5' and 'gssapi' combination). Values: all - All authentication types are allowed for secure connections none - No authentication type is allowed for secure connections plain - PLAIN authentication is allowed for secure connections login - LOGIN authentication is allowed for secure connections cram-md5 - CRAM- MD5 authentication is allowed for secure connections digest-md5 - DIGEST-MD5 authentication is allowed for secure connections gssapi - GSSAPI authentication is allowed for secure connections all DNSBLServer text IN,RO The DNSBL server name used by 'checkdnsbl' method. DNSBLResult ip OUT,WO The result of a IP Text string 127

128 Variable Type Access Method Explanation Value set Default 'checkdnsbl' call; if the client ip is not found using 'DNSBLServer' the result is an empty string DNSBLExplanation text OUT,WO The explanation associated with the result returned by a 'checkdnsbl' call Text string SPFResult choice IN/OUT,RW Result of the SPF Choice: check (possible None - TBD values: 'None', Neutral - TBD 'Neutral', 'Pass', Pass - The message 'Fail', 'SoftFail', meets the domain's 'TempError', definition for 'PermError'; can be legitimate messages set manually or by Fail - The message calling the does not meet the 'checkspf' method; domain's definition if the result is 'Fail', for legitimate the subsequent messages 'MAIL FROM' SoftFail - TBD commands will fail. TemprError - TBD PermError - TBD SPFHeader text IN/OUT,RW The 'Received-SPF' Text string header value; if it's set to '', the header will no longer be added. SPFExplanation text IN/OUT,RW The explanation associated with the SPF response. Text string None Not Applicable Not Applicable smtpaction choice OUT,WO Determine what Choice: action the smtp engine shoud take for the current command. accept - the server accepts the current command reject - the server rejects the current command and returns a permanent error tmpreject - the server rejects the current command and returns a temporary Takes an action conforming with the internal policies 128

129 Variable Type Access Method Explanation Value set Default error abort - the server aborts the connection smtpexplanation text OUT,WO The message sent to the client in case of a reject or tmpreject action. ReverseDNSResult choice OUT,WO The result of a 'checkreversedns' call. Text string A default error message Choice: ReverseDNSName text OUT,WO The first name Text string associated with the client ip obtained with a 'checkreversedns' call. RFCBreak multival IN,RO List of RFC violation permitted or requested. Fail - the EHLO name was not found in the list of names associated with the client ip Pass - the EHLO name was found in the list of names associated with the client ip Neutral - no names was specified in the EHLO command Values: nofolding - Header lines longer than 78 characters are permitted and no folding is perfomed on those lines bodycrlfcorrection - SMTP IN service is allowed to modify the body of 7Bit mime messages in order to fix invalid line terminator sequences (the single CR, LF or LFCR and CRCRLF sequences found in mail's body are 129

130 Variable Type Access Method Explanation Value set Default replaced with CRLF) filtername text OUT,WO The name of the extenral filter to be added filtertype choice OUT,WO The type of the external filter to be added Text string Choice: milter - The new external filter is of type MILTER Not Applicable Not Applicable filteraddress text OUT,WO The address of the new external filter Text string Not Applicable addfilterresult choice IN,RO Choice: ok - The addfilter call was successfull error - The addfilter call failed Not Applicable addfilterexplanation text IN,RO Text string Not Applicable filternamepattern text OUT,WO The pattern name Text string of filters to be executed 'filtername'.result choice IN,RO The execution result of an external smtp filter Choice: pass - The filter was executed and returned a positive result fail - The filter was executed and returned a rejection result neutral - The filter was not selected for execution by the lass executefilters call error - The filter was not executed because of system errors Not Applicable 'filtername'.action choice IN/OUT,RW The default action Choice: taken by the smtp accept - The engine engine as a result accepts the current of executing an and the following external smtp filter commands continue - The Not Applicable 130

131 Variable Type Access Method Explanation Value set Default engine accepts the current command discard - The engine ignores the current command tmpreject - The engine temporary rejects the current command reject - The engine permanently rejects the current command 'filtername'.explanation text IN,RO The explanation Text string associated with the execution of an external smtp filter Not Applicable Methods addfilter Name Explanation Input Parameters Output Parameters executefilters Adds an external smtp filter Execute onehlo method for selected filters checkreversedns Search the EHLO name in the list of names associated with the client ip checkdnsbl Checks if the clinent ip is black-listed in server filtername-specifies the name of the filter to be added filtertype-specifies the type of the filter to be added filteraddress- Specifies the address of the filter to be added filternamepattern- The selection name pattern of filters to be executed DNSBLServer-The DNS Black List server used to check the client ip addfilterresult- Indicates if the add filter operation was successfull addfilterexplanation- Indicates the failure reason of the add filter operation 'filtername'.result-the execution result of the filter named 'filtername' 'filtername'.action-the default smtp action taken as a result of executing the filter named 'filtername' ReverseDNSResult-The result of the method call ReverseDNSName-The primary name associated with the client ip DNSBLResult-The ip associated with the client ip in server 'DNSBLServer' 131

132 Name Explanation Input Parameters Output Parameters 'DNSBLServer' DNSBLExplanation- Explanation associated with the 'DNSBLResult' SPFResult-Result of the checkspf Calls the SPF SPF check module and the SPFHeader-Value of the results are Received-SPF header stored in the value 'SPFResult', SPFExplanation- 'SPFHeader' and Explanation associated 'SPFExplanation' with the SPF response variables onmailfrom Called as a result of the 'MAIL FROM' command issued by the client. Variable Type Access Method Explanation Value set Default smtpport numeric IN,RO the local listener Range: port the client used to connect smtpip ip IN,RO The local interface IP the client used to connect remotesmtpport numeric IN,RO The remote port Range: the connection was established through IP Not Applicable Not Applicable Not Applicable remotesmtpip ip IN,RO The remote IP the connection was established from IP Not Applicable issslconnection choice IN,RO 'yes' if the connection is encrypted (socket ssl), no if it is not. Choice: yes - the connection is encrypted (socket ssl) no - the connection is not encrypted Not Applicable ehlohost hostname IN,RO The hostname the client declares Hostname Not Applicable isesmtp choice IN,RO 'yes' if the client used EHLO, 'no' for HELO Choice: yes - the client used EHLO Not Applicable 132

133 Variable Type Access Method Explanation Value set Default no - the client used HELO authuser text IN,RO Name of sucessfully authenticated user ('' if the Auth command was incorrectly used) Text string Not Applicable authmatchfrom choice OUT,WO Verifies if the Choice: sender address yes - The sender corresponds to address corresponds the one used to to the one used to authenticate. authenticate no - The sender address does not correspond to the one used to authenticate yes mailcount numeric IN,RO Verifies if the sender address corresponds to the one used to authenticate. Range: Not Applicable totalmailsize numeric IN,RO Total size of messages sent in the respective session (in octets). remotedelivery choice IN/OUT,RW Specifies which clients can send remote messages. localdelivery choice IN/OUT,RW Specifies which clients can send messages locally. Range: Choice: all - all clients can send remote messages none - no clients can send remote messages auth - only authenticated clients can send remote messages Choice: all - all clients can send messages locally none - no clients can Not Applicable auth all 133

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| localdelivery (continued) | | | | send messages locally; auth - only authenticated clients can send messages locally | |
| maxrcptcount | numeric | IN/OUT,RW | The maximum number of recipients for an . | Range: | |
| maxdatasize | numeric | IN/OUT,RW | The maximum size of a mail message (KB). | Range: | |
| maxreceivedheaders | numeric | IN/OUT,RW | The maximum size of 'Received' headers after which the is considered to be looping | Range: | |
| DNSBLServer | text | IN,RO | The DNSBL server name used by 'checkdnsbl' method. | Text string | |
| DNSBLResult | ip | OUT,WO | The result of a 'checkdnsbl' call; if the client ip is not found using 'DNSBLServer' the result is an empty string | IP | |
| DNSBLExplanation | text | OUT,WO | The explanation associated with the result returned by a 'checkdnsbl' call | Text string | |
| SPFResult | choice | IN/OUT,RW | Result of the SPF check (possible values: 'None', 'Neutral', 'Pass', 'Fail', 'SoftFail', 'TempError', | Choice: None - TBD; Neutral - TBD; Pass - the message meets the domain's definition for legitimate messages | None |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| SPFResult (continued) | | | 'PermError'); can be set manually or by calling the 'checkspf' method; if the result is 'Fail', the subsequent 'MAIL FROM' commands will fail. | Fail - the message does not meet the domain's definition for legitimate messages; SoftFail - TBD; TempError - TBD; PermError - TBD | |
| SPFHeader | text | IN/OUT,RW | The 'Received-SPF' header value; if it's set to '', the header will no longer be added. | Text string | Not Applicable |
| SenderMXCheckResult | choice | IN,RO | Result of the Sender MX verification (possible values: 'Pass', 'Fail', 'Neutral', 'Error'); see 'checksendermx' method. | Choice: Pass - The sender has a valid MX; Fail - The sender does not have a valid MX; Neutral - No sender specified, is a NDR message; Error - There was an error determining sender MX | Not Applicable |
| mailfrom | text | IN/OUT,RW | The address specified in mail from; if set manually, the new address will be used. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from; modified automatically along with the 'mailfrom' value. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address; modified automatically along with the | Text string | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| mailfromdomain (continued) | | | 'mailfrom' value. | | |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| mailfromsize | numeric | IN,RO | The size specified in the mail from command. | Range: | Not Applicable |
| HeaderName | text | OUT,WO | See header usage methods. | Text string | Not Applicable |
| HeaderValue | text | IN/OUT,RW | See header usage methods. | Text string | Not Applicable |
| delaydelivery | text | OUT,WO | Enables and configures delay delivery feature. It may be set to an absolute date (format RFC 2822) or to a relative date expressed as +[[nnh] nnm]nn[s] | Text string | |
| overquotaaction | choice | OUT,WO | Determine what action the smtp engine should take for a recipient that is overquota. | Choice: reject - the server rejects the overquota recipient with a permanent error message; tmpreject - the server rejects the overquota recipient with a temporary error message; discard - the server accepts the overquota recipient without adding it to recipient list | reject |
| smtpaction | choice | OUT,WO | Determine what action the smtp engine should take for the | Choice: accept - the server accepts the current | Takes an action conforming with the |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpaction (continued) | | | current command. | command; reject - the server rejects the current command and returns a permanent error; tmpreject - the server rejects the current command and returns a temporary error; abort - the server aborts the connection | internal policies |
| smtpexplanation | text | OUT,WO | The message sent to the client in case of a reject or tmpreject action. | Text string | A default error message |
| RFCBreak | multival | IN,RO | List of RFC violation permitted or requested. | Values: nofolding - Header lines longer than 78 characters are permitted and no folding is performed on those lines; bodycrlfcorrection - SMTP IN service is allowed to modify the body of 7Bit mime messages in order to fix invalid line terminator sequences (the single CR, LF or LFCR and CRCRLF sequences found in mail's body are replaced with CRLF) | |
| filtername | text | OUT,WO | The name of the external filter to be added | Text string | Not Applicable |
| filtertype | choice | OUT,WO | The type of the external filter to be added | Choice: milter - The new external filter is of type MILTER | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| filteraddress | text | OUT,WO | The address of the new external filter | Text string | Not Applicable |
| addfilterresult | choice | IN,RO | | Choice: ok - The addfilter call was successful; error - The addfilter call failed | Not Applicable |
| addfilterexplanation | text | IN,RO | | Text string | Not Applicable |
| filternamepattern | text | OUT,WO | The pattern name of filters to be executed | Text string | |
| 'filtername'.result | choice | IN,RO | The execution result of an external smtp filter | Choice: pass - The filter was executed and returned a positive result; fail - The filter was executed and returned a rejection result; neutral - The filter was not selected for execution by the last executefilters call; error - The filter was not executed because of system errors | Not Applicable |
| 'filtername'.action | choice | IN/OUT,RW | The default action taken by the smtp engine as a result of executing an external smtp filter | Choice: accept - The engine accepts the current and the following commands; continue - The engine accepts the current command; discard - The engine ignores the current command; tmpreject - The engine temporarily rejects the current command | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| 'filtername'.action (continued) | | | | reject - The engine permanently rejects the current command | |
| 'filtername'.explanation | text | IN,RO | The explanation associated with the execution of an external smtp filter | Text string | Not Applicable |

Methods

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addfilter | Adds an external smtp filter | filtername - specifies the name of the filter to be added; filtertype - specifies the type of the filter to be added; filteraddress - specifies the address of the filter to be added | addfilterresult - indicates if the add filter operation was successful; addfilterexplanation - Indicates the failure reason of the add filter operation |
| executefilters | Execute onmailfrom method for selected filters | filternamepattern - the selection name pattern of filters to be executed | 'filtername'.result - the execution result of the filter named 'filtername'; 'filtername'.action - the default smtp action taken as a result of executing the filter named 'filtername' |
| checkdnsbl | Checks if the client ip is black-listed in server 'DNSBLServer' | DNSBLServer - The DNS Black List server used to check the client ip | DNSBLResult - The ip associated with the client ip in server 'DNSBLServer'; DNSBLExplanation - Explanation associated with the 'DNSBLResult' |
| checkspf | Calls the SPF module and the results are stored in the 'SPFResult', 'SPFHeader' and 'SPFExplanation' variables | | SPFResult - Result of the SPF check; SPFHeader - Value of the Received-SPF header value; SPFExplanation - Explanation associated with the SPF response |
| checksendermx | | | SenderMXCheckResult - Result of the Sender MX check |
| addheader | Adds the specified header | HeaderName - Name of the header field to be | |

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addheader (continued) | through the 'HeaderName' and 'HeaderValue' variables | added; HeaderValue - Value of the added field | |
| addifnotexistsheader | Adds the header only if no other field with the same name exists | HeaderName - Name of the header field to be added; HeaderValue - Value of the added field | |
| removefirstheader | Deletes the first instance of a field with the 'HeaderName' name from the header | HeaderName - Name of the header field to be removed | |
| removeheader | Deletes all instances of the field named 'HeaderName' from the header | HeaderName - Name of the header field to be removed | |
| removeheadervalue | Deletes a specific instance of the field named 'HeaderName' from the header | HeaderName - Name of the header field to be removed; HeaderValue - The value of the specific instance to be removed | |
| modifyheader | Modifies or adds a header | HeaderName - Name of the header field to be modified (or added if not exists); HeaderValue - The new field value | |
| modifyifexistsheader | Modifies a header | HeaderName - Name of the header field to be modified; HeaderValue - The new field value | |

onrcptto

SMTP Functionalities (II)

Called as a result of the 'RCPT TO' command issued by the client

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpport | numeric | IN,RO | The local listener | Range: | Not |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpport (continued) | | | port the client used to connect | | Applicable |
| smtpip | ip | IN,RO | The local interface IP the client used to connect | IP | Not Applicable |
| remotesmtpport | choice | IN,RO | The remote port the connection was established through | Choice: | Not Applicable |
| remotesmtpip | ip | IN,RO | The remote IP the connection was established from | IP | Not Applicable |
| issslconnection | choice | IN,RO | 'yes' if the connection is encrypted (socket ssl), no if it is not. | Choice: yes - the connection is encrypted (socket ssl); no - the connection is not encrypted | Not Applicable |
| ehlohost | hostname | IN,RO | The hostname the client declares | Hostname | Not Applicable |
| isesmtp | choice | IN,RO | 'yes' if the client used EHLO, 'no' for HELO | Choice: yes - the client used EHLO; no - the client used HELO | Not Applicable |
| authuser | text | IN,RO | Name of successfully authenticated user ('' if the Auth command was incorrectly used) | Text string | Not Applicable |
| mailcount | numeric | IN,RO | Verifies if the sender address corresponds to the one used to authenticate. | Range: | Not Applicable |
| totalmailsize | numeric | IN,RO | Total size of messages sent in the respective session (in octets). | Range: | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| remotedelivery | choice | IN/OUT,RW | Specifies which clients can send remote messages. | Choice: all - all clients can send remote messages; none - no clients can send remote messages; auth - only authenticated clients can send remote messages | auth |
| localdelivery | choice | IN/OUT,RW | Specifies which clients can send messages locally. | Choice: all - all clients can send messages locally; none - no clients can send messages locally; auth - only authenticated clients can send messages locally | all |
| maxrcptcount | numeric | IN/OUT,RW | The maximum number of recipients for an . | Range: | |
| maxdatasize | numeric | IN/OUT,RW | The maximum size of a mail message (KB). | Range: | |
| maxreceivedheaders | numeric | IN/OUT,RW | The maximum size of 'Received' headers after which the is considered to be looping | Range: | |
| DNSBLServer | text | IN,RO | The DNSBL server name used by 'checkdnsbl' method. | Text string | |
| DNSBLResult | ip | OUT,WO | The result of a 'checkdnsbl' call; if the client ip is not found using 'DNSBLServer' the result is an empty string | IP | |
| DNSBLExplanation | text | OUT,WO | The explanation | Text string | |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| DNSBLExplanation (continued) | | | associated with the result returned by a 'checkdnsbl' call | | |
| SPFResult | choice | IN/OUT,RW | Result of the SPF check (possible values: 'None', 'Neutral', 'Pass', 'Fail', 'SoftFail', 'TempError', 'PermError'); can be set manually or by calling the 'checkspf' method; if the result is 'Fail', the subsequent 'MAIL FROM' commands will fail. | Choice: None - TBD; Neutral - TBD; Pass - the message meets the domain's definition for legitimate messages; Fail - the message does not meet the domain's definition for legitimate messages; SoftFail - TBD; TempError - TBD; PermError - TBD | None |
| SenderMXCheckResult | choice | IN,RO | Result of the Sender MX verification (possible values: 'Pass', 'Fail', 'Neutral', 'Error'); see 'checksendermx' method. | Choice: Pass - The sender has a valid MX; Fail - The sender does not have a valid MX; Neutral - No sender specified, is a NDR message; Error - There was an error determining sender MX | Not Applicable |
| mailfrom | text | IN,RO | The address specified in mail from. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from; modified automatically along with the 'mailfrom' value. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address; modified automatically along with the | Text string | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| mailfromdomain (continued) | | | 'mailfrom' value. | | |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| mailfromsize | numeric | IN,RO | The size specified in the mail from command. | Range: | Not Applicable |
| rcptcount | numeric | IN,RO | Number of recipients communicated by the client up to the given moment. | Range: | Not Applicable |
| currentrcpt | text | IN/OUT,RW | The current address communicated by the client as recipient; it can be set manually, causing the recipient address to change; if after setting it the 'addrcpt' method is called, the newly set address will be added to the one communicated by the client. | Text string | Not Applicable |
| currentrcptfolder | text | IN/OUT,RW | In case of delivery to a local domain, it specifies the folder the message will be delivered to. | Text string | INBOX |
| currentrcptlocalpart | text | IN,RO | Local part of the recipient address; modified automatically when setting 'currentrcpt'. | Text string | Not Applicable |
| currentrcptrelayhost | text | IN/OUT,RW | SMTP routing | Text string | |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| currentrcptrelayhost (continued) | | | host used to deliver the mail for this recipient. | | |
| isrcptdomainlocal | choice | IN,RO | States if the recipient domain specified by the client is a local one | Choice: yes - the recipient domain specified by the client is a local one; no - the recipient domain specified by the client is not a local one | Not Applicable |
| isrcptlocal | choice | IN,RO | States if the recipient specified by the client is a local one | Choice: yes - the recipient specified by the client is a local one; no - the recipient specified by the client is not a local one | Not Applicable |
| HeaderName | text | OUT,WO | See header usage methods. | Text string | Not Applicable |
| HeaderValue | text | IN/OUT,RW | See header usage methods. | Text string | Not Applicable |
| delaydelivery | text | OUT,WO | Enables and configures delay delivery feature. It may be set to an absolute date (format RFC 2822) or to a relative date expressed as +[[nnh] nnm]nn[s] | Text string | |
| overquotaaction | choice | OUT,WO | Determine what action the smtp engine should take for a recipient that is overquota. | N/A | reject |
| isoverquota | choice | IN,RO | Specifies if the current recipient is overquota. | Choice: yes - The current recipient will exceed its quota limit if the current mail will be delivered to it | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| isoverquota (continued) | | | | no - The current recipient may receive the current mail without exceeding its quota limit | |
| smtpaction | choice | OUT,WO | Determine what action the smtp engine should take for the current command. | Choice: accept - the server accepts the current command; reject - the server rejects the current command and returns a permanent error; tmpreject - the server rejects the current command and returns a temporary error; abort - the server aborts the connection | Takes an action conforming with the internal policies |
| smtpexplanation | text | OUT,WO | The message sent to the client in case of a reject or tmpreject action. | Text string | A default error message |
| RFCBreak | multival | IN,RO | List of RFC violation permitted or requested. | Values: nofolding - Header lines longer than 78 characters are permitted and no folding is performed on those lines; bodycrlfcorrection - SMTP IN service is allowed to modify the body of 7Bit mime messages in order to fix invalid line terminator sequences (the single CR, LF or LFCR and CRCRLF sequences found in mail's body are replaced with CRLF) | |
| filtername | text | OUT,WO | The name of the external filter to be added | Text string | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| filtertype | choice | OUT,WO | The type of the external filter to be added | Choice: milter - The new external filter is of type MILTER | Not Applicable |
| filteraddress | text | OUT,WO | The address of the new external filter | Text string | Not Applicable |
| addfilterresult | choice | IN,RO | | Choice: ok - The addfilter call was successful; error - The addfilter call failed | Not Applicable |
| addfilterexplanation | text | IN,RO | | Text string | Not Applicable |
| filternamepattern | text | OUT,WO | The pattern name of filters to be executed | Text string | |
| 'filtername'.result | choice | IN,RO | The execution result of an external smtp filter | Choice: pass - The filter was executed and returned a positive result; fail - The filter was executed and returned a rejection result; neutral - The filter was not selected for execution by the last executefilters call; error - The filter was not executed because of system errors | Not Applicable |
| 'filtername'.action | choice | IN/OUT,RW | The default action taken by the smtp engine as a result of executing an external smtp filter | Choice: accept - The engine accepts the current and the following commands; continue - The engine accepts the current command; discard - The engine ignores the current command; tmpreject - The engine temporarily rejects the | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| 'filtername'.action (continued) | | | | current command; reject - The engine permanently rejects the current command | |
| 'filtername'.explanation | text | IN,RO | The explanation associated with the execution of an external smtp filter | Text string | Not Applicable |

Methods

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addfilter | Adds an external smtp filter | filtername - Specifies the name of the filter to be added; filtertype - specifies the type of the filter to be added; filteraddress - Specifies the address of the filter to be added | addfilterresult - indicates if the add filter operation was successful; addfilterexplanation - Indicates the failure reason of the add filter operation |
| executefilters | Execute onrcptto method for selected filters | filternamepattern - The selection name pattern of filters to be executed | 'filtername'.result - the execution result of the filter named 'filtername'; 'filtername'.action - the default smtp action taken as a result of executing the filter named 'filtername' |
| checkdnsbl | Checks if the client ip is blacklisted in server 'DNSBLServer' | DNSBLServer - The DNS Black List server used to check the client ip | DNSBLResult - The ip associated with the client ip in server 'DNSBLServer'; DNSBLExplanation - Explanation associated with the 'DNSBLResult' |
| checksendermx | | | SenderMXCheckResult - Result of the Sender MX check |
| addheader | Adds the specified header through the 'HeaderName' and 'HeaderValue' variables | HeaderName - Name of the header field to be added; HeaderValue - Value of the added field | |

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addIfNotExistsHeader | Adds the header only if no other field with the same name exists | HeaderName - Name of the header field to be added; HeaderValue - Value of the added field | |
| removeFirstHeader | Deletes the first instance of a field with the 'HeaderName' name from the header | HeaderName - Name of the header field to be removed | |
| removeHeader | Deletes all instances of the field named 'HeaderName' from the header | HeaderName - Name of the header field to be removed | |
| removeHeaderValue | Deletes a specific instance of the field named 'HeaderName' from the header | HeaderName - Name of the header field to be removed; HeaderValue - The value of the specific instance to be removed | |
| modifyheader | Modifies or adds a header | HeaderName - Name of the header field to be modified (or added if not exists); HeaderValue - The new field value | |
| modifyifexistsheader | Modifies a header | HeaderName - Name of the header field to be modified; HeaderValue - The new field value | |
| addrcpt | Adds the rcpt specified in 'currentrcpt' and 'currentrcptfolder'. | currentrcpt - Address to be added in recipient list; currentrcptfolder - Delivery folder | |
| discardrcpt | Ignores a client's request of adding a RCPT, without responding with an error | | |
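
How a DNSBL lookup of the kind 'checkdnsbl' describes works in general, as an added Python example (not AXIGEN code and not its implementation): the client IP is reversed, appended to the 'DNSBLServer' zone and resolved as in RFC 5782, and the answer fills 'DNSBLResult' and 'DNSBLExplanation'. The zone name, sample addresses, resolver stubs and the decide() policy are constructed assumptions.

```python
import ipaddress
import socket

# RFC 5782: a listed address answers with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, dnsbl_server):
    """Return the DNS name that is looked up for client_ip in the DNSBL zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is checked as plain IPv4
    if ip.version == 4:
        labels = str(ip).split(".")                  # one label per octet
    else:
        labels = list(ip.exploded.replace(":", ""))  # one label per hex nibble
    return ".".join(reversed(labels)) + "." + dnsbl_server.strip(".")


def socket_lookup_a(name):
    """Live A lookup via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_dnsbl(client_ip, dnsbl_server, lookup_a=socket_lookup_a, lookup_txt=None):
    """Fill the two output variables the page documents for 'checkdnsbl'."""
    name = dnsbl_query_name(client_ip, dnsbl_server)
    listed = []
    for answer in lookup_a(name):
        try:
            # Answers outside 127.0.0.0/8 (wildcard or parked zones) are not listings.
            if ipaddress.ip_address(answer) in LISTED_NET:
                listed.append(answer)
        except ValueError:
            continue  # malformed answer from the resolver stub
    if not listed:
        return {"DNSBLResult": "", "DNSBLExplanation": ""}  # empty string = not found
    explanation = " ".join(lookup_txt(name)) if lookup_txt else ""
    return {"DNSBLResult": listed[0], "DNSBLExplanation": explanation}


def decide(session, dnsbl_server, lookup_a, lookup_txt=None):
    """Hypothetical policy: reject listed clients unless they authenticated.

    Skipping the check for authenticated users is an assumption of this example.
    """
    out = {"smtpaction": "accept", "smtpexplanation": "",
           "DNSBLResult": "", "DNSBLExplanation": ""}
    if session.get("authuser"):
        return out
    out.update(check_dnsbl(session["remotesmtpip"], dnsbl_server, lookup_a, lookup_txt))
    if out["DNSBLResult"]:
        out["smtpaction"] = "reject"
        out["smtpexplanation"] = "%s is listed by %s (%s)" % (
            session["remotesmtpip"], dnsbl_server,
            out["DNSBLExplanation"] or out["DNSBLResult"])
    return out


# Constructed zone data (documentation addresses, not a real blacklist).
ZONE = "dnsbl.example.org"
CONSTRUCTED_ZONE = {
    "99.2.0.192.dnsbl.example.org": (["127.0.0.2"],
                                     ["192.0.2.99 listed (constructed sample entry)"]),
    "7.2.0.192.dnsbl.example.org": (["203.0.113.10"], []),  # not a 127/8 answer
}


def zone_a(name):
    return CONSTRUCTED_ZONE.get(name, ([], []))[0]


def zone_txt(name):
    return CONSTRUCTED_ZONE.get(name, ([], []))[1]


if __name__ == "__main__":
    for ip, user in [("192.0.2.99", ""), ("192.0.2.99", "alice"),
                     ("192.0.2.7", ""), ("2001:db8::1", "")]:
        session = {"remotesmtpip": ip, "authuser": user}
        print(dnsbl_query_name(ip, ZONE))
        print("  ", decide(session, ZONE, zone_a, zone_txt))
```

Passing socket_lookup_a as lookup_a queries a real zone through the system resolver; the standard library has no TXT lookup, so the explanation stays empty unless a TXT resolver is supplied.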

onheadersreceived

Called after the message header is received.

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpport | numeric | IN,RO | The local listener port the client used to connect | Range: | Not Applicable |
| smtpip | ip | IN,RO | The local interface IP the client used to connect | IP | Not Applicable |
| remotesmtpport | number | IN,RO | The remote port the connection was established through | N/A | Not Applicable |
| remotesmtpip | ip | IN,RO | The remote IP the connection was established from | IP | Not Applicable |
| issslconnection | choice | IN,RO | 'yes' if the connection is encrypted (socket ssl), no if it is not. | Choice: yes - the connection is encrypted (socket ssl); no - the connection is not encrypted | Not Applicable |
| ehlohost | hostname | IN,RO | The hostname the client declares | Hostname | Not Applicable |
| isesmtp | choice | IN,RO | 'yes' if the client used EHLO, 'no' for HELO | Choice: yes - the client used EHLO; no - the client used HELO | Not Applicable |
| authuser | text | IN,RO | Name of successfully authenticated user ('' if the Auth command was incorrectly used) | Text string | Not Applicable |
| mailcount | numeric | IN,RO | Verifies if the sender address corresponds to the one used to authenticate. | Range: | Not Applicable |
| totalmailsize | numeric | IN,RO | Total size of messages sent in the respective | Range: | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| totalmailsize (continued) | | | session (in octets). | | |
| remotedelivery | choice | IN,RO | Specifies which clients can send remote messages. | Choice: all - all clients can send remote messages; none - no clients can send remote messages; auth - only authenticated clients can send remote messages | auth |
| localdelivery | choice | IN,RO | Specifies which clients can send messages locally. | Choice: all - all clients can send messages locally; none - no clients can send messages locally; auth - only authenticated clients can send messages locally | all |
| maxrcptcount | numeric | IN,RO | The maximum number of recipients for an . | Range: | 1000 |
| maxdatasize | numeric | IN/OUT,RW | The maximum size of a mail message (KB) | Range: | |
| maxreceivedheaders | numeric | IN/OUT,RW | The maximum size of 'Received' headers after which the is considered to be looping. | Range: | 30 |
| DNSBLServer | text | IN,RO | The DNSBL server name used by 'checkdnsbl' method. | Text string | |
| DNSBLResult | ip | OUT,WO | The result of a 'checkdnsbl' call; if the client ip is not found using | IP | |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| DNSBLResult (continued) | | | 'DNSBLServer' the result is an empty string | | |
| DNSBLExplanation | text | OUT,WO | The explanation associated with the result returned by a 'checkdnsbl' call | Text string | |
| SPFResult | choice | IN,RO | Result of the SPF check (possible values: 'None', 'Neutral', 'Pass', 'Fail', 'SoftFail', 'TempError', 'PermError'); can be set manually or by calling the 'checkspf' method; if the result is 'Fail', the subsequent 'MAIL FROM' commands will fail. | Choice: None - TBD; Neutral - TBD; Pass - the message meets the domain's definition for legitimate messages; Fail - the message does not meet the domain's definition for legitimate messages; SoftFail - TBD; TempError - TBD; PermError - TBD | None |
| SenderMXCheckResult | choice | IN,RO | Result of the Sender MX verification (possible values: 'Pass', 'Fail', 'Neutral', 'Error'); see 'checksendermx' method. | Choice: Pass - The sender has a valid MX; Fail - The sender does not have a valid MX; Neutral - No sender specified, is a NDR message; Error - There was an error determining sender MX | Not Applicable |
| mailfrom | text | IN,RO | The address specified in mail from. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address; modified | Text string | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| mailfromdomain (continued) | | | automatically along with the 'mailfrom' value. | | |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| mailfromsize | numeric | IN,RO | The size specified in the mail from command. | Range: | Not Applicable |
| rcptcount | numeric | IN,RO | Number of recipients communicated by the client up to the given moment. | Range: | Not Applicable |
| HeaderName | text | OUT,WO | See header usage methods. | Text string | Not Applicable |
| HeaderValue | text | IN/OUT,RW | See header usage methods. | Text string | Not Applicable |
| existsheader | choice | IN,RO | See 'checkexistsheader' method. | Choice: yes - the header specified by 'HeaderName' was found; no - the header specified by 'HeaderName' was not found | Not Applicable |
| delaydelivery | text | OUT,WO | Enables and configures delay delivery feature. It may be set to an absolute date (format RFC 2822) or to a relative date expressed as +[[nnh] nnm]nn[s] | Text string | |
| smtpaction | choice | OUT,WO | Determine what action the smtp engine should take for the current command. | Choice: accept - the server accepts the current command; reject - the server rejects the current command and | Takes an action conforming with the internal policies |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpaction (continued) | | | | returns a permanent error; tmpreject - the server rejects the current command and returns a temporary error; abort - the server aborts the connection | |
| smtpexplanation | text | OUT,WO | The message sent to the client in case of a reject or tmpreject action. | Text string | A default error message |
| RFCBreak | multival | IN,RO | List of RFC violation permitted or requested. | Values: nofolding - Header lines longer than 78 characters are permitted and no folding is performed on those lines; bodycrlfcorrection - SMTP IN service is allowed to modify the body of 7Bit mime messages in order to fix invalid line terminator sequences (the single CR, LF or LFCR and CRCRLF sequences found in mail's body are replaced with CRLF) | |
| filtername | text | OUT,WO | The name of the external filter to be added | Text string | Not Applicable |
| filtertype | choice | OUT,WO | The type of the external filter to be added | Choice: milter - The new external filter is of type MILTER | Not Applicable |
| filteraddress | text | OUT,WO | The address of the new external filter | Text string | Not Applicable |
| addfilterresult | choice | IN,RO | | Choice: | Not |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| addfilterresult (continued) | | | | ok - The addfilter call was successful; error - The addfilter call failed | Applicable |
| addfilterexplanation | text | IN,RO | | Text string | Not Applicable |
| filternamepattern | text | OUT,WO | The pattern name of filters to be executed | Text string | |
| 'filtername'.result | choice | IN,RO | The execution result of an external smtp filter | Choice: pass - The filter was executed and returned a positive result; fail - The filter was executed and returned a rejection result; neutral - The filter was not selected for execution by the last executefilters call; error - The filter was not executed because of system errors | Not Applicable |
| 'filtername'.action | choice | IN/OUT,RW | The default action taken by the smtp engine as a result of executing an external smtp filter | Choice: accept - The engine accepts the current and the following commands; continue - The engine accepts the current command; discard - The engine ignores the current command; tmpreject - The engine temporarily rejects the current command; reject - The engine permanently rejects the current command | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| 'filtername'.explanation | text | IN,RO | The explanation associated with the execution of an external smtp filter | Text string | Not Applicable |

Methods

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addfilter | Adds an external smtp filter | filtername - specifies the name of the filter to be added; filtertype - specifies the type of the filter to be added; filteraddress - specifies the address of the filter to be added | addfilterresult - indicates if the add filter operation was successful; addfilterexplanation - Indicates the failure reason of the add filter operation |
| executefilters | Execute onheadersreceived method for selected filters | filternamepattern - the selection name pattern of filters to be executed | 'filtername'.result - the execution result of the filter named 'filtername'; 'filtername'.action - the default smtp action taken as a result of executing the filter named 'filtername' |
| checkdnsbl | Checks if the client ip is black-listed in server 'DNSBLServer' | DNSBLServer - The DNS Black List server used to check the client ip | DNSBLResult - The ip associated with the client ip in server 'DNSBLServer'; DNSBLExplanation - Explanation associated with the 'DNSBLResult' |
| checksendermx | | | SenderMXCheckResult - Result of the Sender MX check |
| readheader | Read the value of a header specified by 'HeaderName'; the result is stored in 'HeaderValue' variable; if the header has more than one value, the values are separated by new line (CRLF) | HeaderName - Name of the header field to be read | HeaderValue - The value of the header; set to empty string if the header is not found |
| checkexistsheader | | HeaderName - Name of the header field to be searched | existsheader - set to 'yes' if the header is found, 'no' otherwise |

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addheader | Adds the specified header through the 'HeaderName' and 'HeaderValue' variables | HeaderName - Name of the header field to be added; HeaderValue - Value of the added field | |
| addifnotexistsheader | Adds the header only if no other field with the same name exists | HeaderName - Name of the header field to be added; HeaderValue - Value of the added field | |
| removefirstheader | Deletes the first instance of a field with the 'HeaderName' name from the header | HeaderName - Name of the header field to be removed | |
| removeheader | Deletes all instances of the field named 'HeaderName' from the header | HeaderName - Name of the header field to be removed | |
| removeheadervalue | Deletes a specific instance of the field named 'HeaderName' from the header | HeaderName - Name of the header field to be removed; HeaderValue - The value of the specific instance to be removed | |
| modifyheader | Modifies or adds a header | HeaderName - Name of the header field to be modified (or added if not exists); HeaderValue - The new field value | |
| modifyifexistsheader | Modifies a header | HeaderName - Name of the header field to be modified; HeaderValue - The new field value | |

onbodychunk

Called every time a piece of the mail body is received.

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpport | numeric | IN,RO | The local listener port the client used to connect | Range: | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpip | ip | IN,RO | The local interface IP the client used to connect | IP | Not Applicable |
| remotesmtpport | number | IN,RO | The remote port the connection was established through | N/A | Not Applicable |
| remotesmtpip | ip | IN,RO | The remote IP the connection was established from | IP | Not Applicable |
| issslconnection | choice | IN,RO | 'yes' if the connection is encrypted (socket ssl), no if it is not. | Choice: yes - the connection is encrypted (socket ssl); no - the connection is not encrypted | Not Applicable |
| ehlohost | hostname | IN,RO | The hostname the client declares | Hostname | Not Applicable |
| isesmtp | choice | IN,RO | 'yes' if the client used EHLO, 'no' for HELO | Choice: yes - the client used EHLO; no - the client used HELO | Not Applicable |
| authuser | text | IN,RO | Name of successfully authenticated user ('' if the Auth command was incorrectly used) | Text string | Not Applicable |
| mailcount | numeric | IN,RO | Verifies if the sender address corresponds to the one used to authenticate. | Range: | Not Applicable |
| totalmailsize | numeric | IN,RO | Total size of messages sent in the respective session (in octets). | Range: | Not Applicable |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| remotedelivery | choice | IN,RO | Specifies which clients can send remote messages. | Choice: all - all clients can send remote messages; none - no clients can send remote messages; auth - only authenticated clients can send remote messages | auth |
| localdelivery | choice | IN,RO | Specifies which clients can send messages locally. | Choice: all - all clients can send messages locally; none - no clients can send messages locally; auth - only authenticated clients can send messages locally | all |
| maxrcptcount | numeric | IN,RO | The maximum number of recipients for an | Range: | |
| DNSBLServer | text | IN,RO | The DNSBL server name used by 'checkdnsbl' method. | Text string | |
| DNSBLResult | ip | OUT,WO | The result of a 'checkdnsbl' call; if the client ip is not found using 'DNSBLServer' the result is an empty string | IP | |
| DNSBLExplanation | text | OUT,WO | The explanation associated with the result | Text string | |

160 Variable Type Access Method Explanation Value set Default returned by a 'checkdnsbl' call SPFResult choice IN,RO Result of the SPF Choice: check (possible None - TBD values: 'None', Neutral - TBD 'Neutral', 'Pass', Pass - the 'Fail', 'SoftFail', message meets 'TempError', the domain's 'PermError'; can definition for be set manually legitimate or by calling the messages 'checkspf' Fail - the method; if the message does result is 'Fail', the not meet the subsequent 'MAIL domain's FROM' definition for commands will legitimate fail. messages SoftFail - TBD TemprError - TBD PermError - TBD None SenderMXCheckResult choice IN,RO Result of the Choice: Sender MX Pass - The verification sender has a (possible values: valid MX 'Pass', 'Fail', Fail - The 'Neutral', 'Error'); sender does not see have a valid MX 'checksendermx' Neutral - No method. sender specified, is a NDR message Error - There was an error determining sender MX Not Applicable mailfrom text IN,RO The address specified in mail from. Text string Not Applicable mailfromlocalpart text IN,RO The local part of the address specified in mail from. Text string Not Applicable 160

161 Variable Type Access Method Explanation Value set Default mailfromdomain text IN,RO The domain of the Text string mail from address; modified automatically along with the 'mailfrom' value. mailfromauthuser text IN,RO The authenticated Text string user specified in the mail from command. Not Applicable Not Applicable mailfromsize numeric IN,RO The size specified in the mail from command. Range: Not Applicable rcptcount numeric IN,RO Number of recipients communicated by the client up to the given moment. Range: Not Applicable delaydelivery text OUT,WO Enables and configures delay delivery feature. It may be set to an absolute date (format RFC 2822) or to a relative date exprimated as +[[nnh] nnm]nn[s] Text string smtpaction choice OUT,WO Determine what Choice: action the smtp accept - the engine shoud server accepts take for the the current current command. command reject - the server rejects the current command and returns a permanent error tmpreject - the server rejects the current command and returns a Takes an action conforming with the internal policies 161

162 Variable Type Access Method Explanation Value set Default temporary error abort - the server aborts the connection smtpexplanation text OUT,WO The message sent to the client in case of a reject or action. tmpreject Text string A default error message filtername text OUT,WO The name of the Text string extenral filter to be added Not Applicable filtertype choice OUT,WO The type of the Choice: external filter to milter - The new be added external filter is of type MILTER Not Applicable filteraddress text OUT,WO The address of the new external filter Text string Not Applicable addfilterresult choice IN,RO SMTP Functionalities (III) ondatareceived Called after receiving the message successfully through the DATA or BDAT commands. Variable Type Access Method Explanation Value set Default smtpport numeric IN,RO The local listener Range: port the client used to connect smtpip ip IN,RO The local interface IP the client used to connect IP Not Applicable Not Applicable remotesmtpport number IN,RO The remote port the connection was established through remotesmtpip ip IN,RO The remote IP the connection was established from N/A IP Not Applicable Not Applicable 162

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| issslconnection | choice | IN,RO | 'yes' if the connection is encrypted (socket ssl), no if it is not. | Choice: yes - the connection is encrypted (socket ssl); no - the connection is not encrypted | Not Applicable |
| ehlohost | hostname | IN,RO | The hostname the client declares | Hostname | Not Applicable |
| isesmtp | choice | IN,RO | 'yes' if the client used EHLO, 'no' for HELO | Choice: yes - the client used EHLO; no - the client used HELO | Not Applicable |
| authuser | text | IN,RO | Name of successfully authenticated user ('' if the Auth command was incorrectly used) | Text string | Not Applicable |
| mailcount | numeric | IN,RO | Verifies if the sender address corresponds to the one used to authenticate. | Range: | Not Applicable |
| totalmailsize | numeric | IN,RO | Total size of messages sent in the respective session (in octets). | Range: | Not Applicable |
| remotedelivery | choice | IN,RO | Specifies which clients can send remote messages. | Choice: all - all clients can send remote messages; none - no clients can send remote messages; auth - only authenticated clients can send remote messages | auth |
| localdelivery | choice | IN,RO | Specifies which clients can send messages locally. | Choice: all - all clients can send messages locally; none - no clients can send messages locally; auth - only authenticated clients can send messages locally | all |
| maxrcptcount | numeric | IN,RO | The maximum number of recipients for an e-mail. | Range: | |
| maxdatasize | numeric | IN/OUT,RW | The maximum size of a mail message (KB). | Range: | |
| maxreceivedheaders | numeric | IN/OUT,RW | The maximum size of 'Received' headers after which the e-mail is considered to be looping | Range: | |
| DNSBLServer | text | IN,RO | The DNSBL server name used by 'checkdnsbl' method. | Text string | |
| DNSBLResult | ip | OUT,WO | The result of a 'checkdnsbl' call; if the client ip is not found using 'DNSBLServer' the result is an empty string | IP | |
| DNSBLExplanation | text | OUT,WO | The explanation associated with the result returned by a 'checkdnsbl' call | Text string | |
| SPFResult | choice | IN,RO | Result of the SPF check (possible values: 'None', 'Neutral', 'Pass', 'Fail', 'SoftFail', 'TempError', 'PermError'); can be set manually or by calling the 'checkspf' method; if the result is 'Fail', the subsequent 'MAIL FROM' commands will fail. | Choice: None - TBD; Neutral - TBD; Pass - the message meets the domain's definition for legitimate messages; Fail - the message does not meet the domain's definition for legitimate messages; SoftFail - TBD; TempError - TBD; PermError - TBD | None |
| SenderMXCheckResult | choice | IN,RO | Result of the Sender MX verification (possible values: 'Pass', 'Fail', 'Neutral', 'Error'); see 'checksendermx' method. | Choice: Pass - The sender has a valid MX; Fail - The sender does not have a valid MX; Neutral - No sender specified, is a NDR message; Error - There was an error determining sender MX | Not Applicable |
| mailfrom | text | IN,RO | The address specified in mail from. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address; modified automatically along with the 'mailfrom' value. | Text string | Not Applicable |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| mailfromsize | numeric | IN,RO | The size specified in the mail from command. | Range: | Not Applicable |
| rcptcount | numeric | IN,RO | Number of recipients communicated by the client up to the given moment. | Range: | Not Applicable |
| delaydelivery | text | OUT,WO | Enables and configures delay delivery feature. It may be set to an absolute date (format RFC 2822) or to a relative date expressed as +[[nnh] nnm]nn[s] | Text string | |
| smtpaction | choice | OUT,WO | Determine what action the smtp engine should take for the current command. | Choice: accept - the server accepts the current command; reject - the server rejects the current command and returns a permanent error; tmpreject - the server rejects the current command and returns a temporary error; abort - the server aborts the connection | Takes an action conforming with the internal policies |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| smtpexplanation | text | OUT,WO | The message sent to the client in case of a reject or tmpreject action. | Text string | A default error message |
| filtername | text | OUT,WO | The name of the external filter to be added | Text string | Not Applicable |
| filtertype | choice | OUT,WO | The type of the external filter to be added | Choice: milter - The new external filter is of type MILTER | Not Applicable |
| filteraddress | text | OUT,WO | The address of the new external filter | Text string | Not Applicable |
| addfilterresult | choice | IN,RO | | Choice: ok - The addfilter call was successful; error - The addfilter call failed | Not Applicable |
| addfilterexplanation | text | IN,RO | | Text string | Not Applicable |
| filternamepattern | text | OUT,WO | The pattern name of filters to be executed | Text string | |
| 'filtername'.result | choice | IN,RO | The execution result of an external smtp filter | Choice: pass - The filter was executed and returned a positive result; fail - The filter was executed and returned a rejection result; neutral - The filter was not selected for execution by the last executefilters call; error - The filter was not executed because of system errors | Not Applicable |
| 'filtername'.action | choice | IN/OUT,RW | The default action taken by the smtp engine as a result of executing an external smtp filter | Choice: accept - The engine accepts the current and the following commands; continue - The engine accepts the current command; discard - The engine ignores the current command; tmpreject - The engine temporarily rejects the current command; reject - The engine permanently rejects the current command | Not Applicable |
| 'filtername'.explanation | text | IN,RO | The explanation associated with the execution of an external smtp filter | Text string | Not Applicable |

Methods

| Name | Explanation | Input Parameters | Output Parameters |
| --- | --- | --- | --- |
| addfilter | Adds an external smtp filter | filtername - specifies the name of the filter to be added; filtertype - specifies the type of the filter to be added; filteraddress - Specifies the address of the filter to be added | addfilterresult - indicates if the add filter operation was successful; addfilterexplanation - Indicates the failure reason of the add filter operation |
| executefilters | Execute ondatareceived method for selected filters | filternamepattern - The selection name pattern of filters to be executed | 'filtername'.result - the execution result of the filter named 'filtername'; 'filtername'.action - the default smtp action taken as a result of executing the filter named 'filtername' |
| checkdnsbl | Checks if the client ip is black-listed in server 'DNSBLServer' | DNSBLServer - The DNS Black List server used to check the client ip | DNSBLResult - The ip associated with the client ip in server 'DNSBLServer'; DNSBLExplanation - Explanation associated with the 'DNSBLResult' |
| checksendermx | | | SenderMXCheckResult - Result of the Sender MX check |

onrelay

Called before establishing a relay connection in order to determine the connection parameters.

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| localinterface | ip | IN/OUT,RW | Local interface IP from which the connection will be attempted. | IP | |
| remotesmtphost | text | IN/OUT,RW | Hostname of the remote relay server. | Text string | |
| remotesmtpport | numeric | OUT,WO | The remote port the connection will be established to | Range: | Not Applicable |
| remotesmtpip | ip | OUT,WO | The remote port IP the connection will be established to | IP | Not Applicable |
| authuser | text | OUT,WO | User name used for authentication to the remote server | Text string | None |
| atuhpasswd | text | OUT,WO | The user's password used to authenticate | Text string | |
| mailfrom | text | IN,RO | The address specified in mail from. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address. | Text string | Not Applicable |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| rcptcount | numeric | IN,RO | Number of recipients communicated by the client. | Range: | Not Applicable |
| isfromlocaldomain | choice | IN,RO | 'yes' if the mail was created locally, 'no' if it was received through SMTPIn | Choice: yes - the mail was created locally; no - the mail was received through SMTPIn | Not Applicable |
| mailsize | numeric | IN,RO | Mail size in octets. | Range: | Not applicable |
| maxconnections | numeric | OUT,WO | Maximum number of allowed connections to the destination host | Range: | |
| maxrcptcount | numeric | OUT,WO | Maximum number of recipients to deliver to in a single SMTP transaction (0 means unlimited) | Range: | 0 |
| smtpconnecttimeout | numeric | OUT,WO | TCP timeout for SMTP relay connection | Range: | 300 |
| chunksize | numeric | OUT,WO | The maximum size of a data block that can be sent through BDAT | Range: | B(100KB) |
| allowstarttls | choice | IN/OUT,RW | 'yes' if the STARTTLS extension is allowed, 'no' if otherwise. | Choice: yes - STARTTLS extension is allowed; no - STARTTLS extension is not allowed | yes |
| allowpipelining | choice | IN/OUT,RW | 'yes' if the PIPELINING extension is allowed, 'no' if otherwise. | Choice: yes - PIPELINING extension is allowed; no - PIPELINING extension is not allowed | yes |
| allow8bitmime | choice | IN/OUT,RW | 'yes' if the 8BIT extension is allowed, 'no' if otherwise. | Choice: yes - 8BIT extension is allowed; no - 8BIT extension is not allowed | yes |
| allowbinarydata | choice | IN/OUT,RW | 'yes' if the BINARY extension is allowed, 'no' if otherwise. | Choice: yes - BINARY extension is allowed; no - BINARY extension is not allowed | yes |
| requestauth | choice | OUT,WO | 'yes' if authentication is mandatory, 'no' if otherwise | Choice: yes - authentication is mandatory; no - authentication is not mandatory | no |
| strict7bitmime | choice | OUT,WO | 'yes' if transmitting binary data to clients that do not advertise supporting such data is not allowed | Choice: yes - transmitting binary data to clients that do not advertise supporting such data is not allowed; no - transmitting binary data to clients that do not advertise supporting such data is allowed | yes |
| sslenabled | choice | OUT,WO | 'yes' if the purpose is to establish a SSL connection | Choice: yes - The connection is established with SSL enabled; no - The connection is established with SSL disabled | no |
| plainconnauthtypes | multival | IN/OUT,RW | Allowed authentication types for a plain connection (possible values: 'all', 'none' or a 'plain', 'login' and 'cram-md5' combination). | Values: all - All authentication types are allowed for plain connections; none - No authentication type is allowed for plain connections; plain - PLAIN authentication is allowed for plain connections; login - LOGIN authentication is allowed for plain connections; cram-md5 - CRAM-MD5 authentication is allowed for plain connections | crammd5 |
| secureconnauthtypes | multival | IN/OUT,RW | Allowed authentication types for a SSL connection (possible values: 'all', 'none' or a 'plain', 'login' and 'crammd5' combination). | Values: all - All authentication types are allowed for secure connections; none - No authentication type is allowed for secure connections; plain - Plain authentication is allowed for secure connections; login - Login authentication is allowed for secure connections; crammd5 - Crammd5 authentication is allowed for secure connections | all |

ondeliveryfailure

Called when the mail delivery failed for a certain group of recipients.

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| mailfrom | text | IN,RO | The address specified in mail from. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address. | Text string | Not Applicable |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| mailfromsize | numeric | IN,RO | The size specified in the mail from command. | Range: | Not Applicable |
| sendndr | choice | OUT,WO | Specifies if the NDR will be sent or not | Choice: yes - The NDR will be sent; no - The NDR will not be sent | yes |
| ndrattachsource | choice | OUT,WO | Specifies if the original message will be attached to the NDR | Choice: no - original e-mail is not attached to the NDR; yes - original mail is entirely attached to the NDR; header - only the header of the original mail is attached to the NDR | yes |
| ndrsubject | text | OUT,WO | subject sent as NDR (by default it is a hard-coded message) | Text string | TBD |
| ndrsender | text | OUT,WO | The Mail From field of the NDR header | Text string | mailerdaemon@'primarydomain' |
| ndrmessage | text | OUT,WO | Text of the NDR message | Text string | TBD |
| ndrrcptmessage | text | OUT,WO | Part of the message specified for each recipient individually; it can refer to the 'ndrrcptaddress' and 'ndrrcptfailinfo' fields | Text string | TBD |
| ndrmessagefooter | text | OUT,WO | Message ending of the NDR mail | Text string | TBD |
| ndrretrycount | numeric | IN,RO | No. of delivery retries. | Range: | Not Applicable |
| ndrrcptaddress | text | IN,RO | Recipient address for which the delivery has failed - can only be used when setting the 'ndrrcptmessage' variable | Text string | |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| ndrrcptfailinfo | text | IN,RO | Reason for which delivery has failed for a certain user - can only be used when setting the 'ndrrcptmessage' variable | Text string | |

ontemporarydeliveryfailure

Called when the mail delivery has temporarily failed for a certain group of recipients.

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| mailfrom | text | IN/OUT,RW | The address specified in mail from. | Text string | Not Applicable |
| mailfromlocalpart | text | IN,RO | The local part of the address specified in mail from. | Text string | Not Applicable |
| mailfromdomain | text | IN,RO | The domain of the mail from address. | Text string | Not Applicable |
| mailfromauthuser | text | IN,RO | The authenticated user specified in the mail from command. | Text string | Not Applicable |
| mailfromsize | numeric | IN,RO | The size specified in the mail from command. | Range: | Not Applicable |
| sendndr | choice | OUT,WO | Specifies if a temporary error NDR will be sent or not | Choice: yes - The temporary error NDR will be sent; no - The temporary error NDR will not be sent | no |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| ndrattachsource | choice | OUT,WO | Specifies if the original message will be attached to the NDR | Choice: no - original e-mail is not attached to the NDR; yes - original mail is entirely attached to the NDR; header - only the header of the original mail is attached to the NDR | header |
| ndrsubject | text | OUT,WO | subject sent as NDR (by default it is a hard-coded message) | Text string | TBD |
| ndrsender | text | OUT,WO | The Mail From field of the NDR header | Text string | mailerdaemon@'primarydomain' |
| ndrmessage | text | OUT,WO | Text of the NDR message | Text string | TBD |
| ndrrcptmessage | text | OUT,WO | Part of the message specified for each recipient individually; it can refer to the 'ndrrcptaddress' and 'ndrrcptfailinfo' fields | Text string | TBD |
| ndrmessagefooter | text | OUT,WO | Message ending of the NDR mail | Text string | TBD |
| ndrrescheduledate | numeric | IN,RO | Date the e-mail is scheduled to be delivered again | Range: | |

| Variable | Type | Access Method | Explanation | Value set | Default |
| --- | --- | --- | --- | --- | --- |
| ndrretrycount | numeric | IN,RO | No. of delivery retries. | Range: | Not Applicable |
| ndrremainingretrycount | numeric | IN,RO | No. of remaining delivery retries after which the mail delivery will be abandoned. | Range: | Not Applicable |
| ndrrcptaddress | text | IN,RO | Recipient address for which the delivery has failed - can only be used when setting the 'ndrrcptmessage' variable | Text string | |
| ndrrcptfailinfo | text | IN,RO | Reason for which delivery has failed for a certain user - can only be used when setting the 'ndrrcptmessage' variable | Text string | |

Chapter 5. User and Domain Configuration

AXIGEN provides you with unmatched configurability for domain, user, group and mailing list configuration. For each type of entity, AXIGEN allows you to configure anything from services to run to advanced parameters regarding mailbox characteristics and WebMail behavior.

Domains

In AXIGEN, domain management has several features that give you full and easy control of administered domains while enabling you to fine tune resource allocation for each of these domains. Two administration tools allow you to create domains:

- WebAdmin - also gives you access to all advanced domain configuration parameters.
- CLI - see Configuring AXIGEN using CLI for more details.

Important! When creating domains, one message storage location is recommended for each predicted 20GB of message occupied storage space. For larger spaces, additional message storage locations should be created to correspond to the number of 20GB storages you need. You can add multiple message storage locations using WebAdmin (when creating the domain) or CLI (within the domain creation context). After creating the domain, additional locations cannot be added. When using CLI, the command to create multiple message storage locations is as follows:

    ADD MessagesLocation <path>

Domain settings in AXIGEN are available at the following levels:

General

You can use AXIGEN to create as many domains as allowed by your license type. For each of these domains, you can also specify the services to run, assign an IP address to the domain or create a 'catch all' account for all e-mails sent to nonexistent user accounts. See Domains General Configuration for information on how to configure general domain parameters using WebAdmin.

Domain Aliases

For all domains administered with the AXIGEN Mail Server, you can add as many aliases as you need. See Defining Domain Aliases to manage existing aliases and add new ones.

Message Filters

For each configured domain, you can manage the existing Antivirus/Antispam Filters and add as many Incoming Message Rules as you like. This way you can implement different security policies for different domains. For general information on filter types available in AXIGEN, see Mail Filtering. For detailed information on how to configure filters, see Domain Message Filters page.

Message Appender

AXIGEN allows system administrators to define a certain text which is to be appended to all messages sent from a certain domain. See Message Appender page for details on editing appenders.

Account Defaults

Through Account Defaults, system administrators can set default values for certain parameters that will be automatically inherited by all new accounts and account classes, and can be explicitly set (overridden) in the advanced configuration of the respective account or account class. See Account Defaults for details on how to set their corresponding parameters.

Domains and accounts can also be added using the Command Line Interface, but the best option for domain configuration is WebAdmin, which gives you easy access to all the categories of parameters mentioned above.

User Accounts

In AXIGEN, account and user management has several features that give you full and easy control of administered accounts while enabling you to fine tune resource allocation for each of these accounts. Note that in order to create an account, you need to first create a domain. For details on how to create domains in AXIGEN, see the Creating a New Domain section. Two administration tools allow you to create domains and accounts:

- WebAdmin - also gives you access to all advanced account configuration parameters, see Manage Accounts Tab
- CLI - see Configuring AXIGEN using CLI for more details

Account settings in AXIGEN are available at the following levels:

General

You can define as many accounts as allowed by your license type, and for each of these accounts, as many aliases as you need. At the account level, you can also specify the services to run. This is a distinctive feature of AXIGEN, as you can easily selectively restrict access to one or more services (i.e. WebMail) for certain users within one domain. You can also view the current mailbox size for an account, specify the mailbox quota for accounts and limit the number of messages sent per hour from that account. See Accounts General Page for information on how to configure general domain parameters using WebAdmin.

WebMail

For account behavior in WebMail, AXIGEN provides a variety of parameters allowing you to set attachment size and number limits, mail size limits, the maximum number of simultaneous sessions, and the HTML filtering level for messages. You can make special settings for one account or use the one inherited from domain level. See Account WebMail Options for information on how to configure WebMail parameters using WebAdmin.

181 Filtering For each configured account, you can add and activate any number of filters. This way you can implement different security policies for different accounts For general information on filter types available in AXIGEN, see Mail Filtering. For detailed information on how to configure filters, see Managing Message Filters. Further advanced settings, defining Inbox folders, limits and quota for each user account are also available in the Manage Accounts Tab. Accounts can also be added using the Command Line Interface, but the best option for account configuration is WebAdmin, which gives you access to all the categories of parameters mentioned above Groups Groups are functional entities meant to have s sent to specified addresses. Groups do not have an actual mailbox. They are defined with a generic name, such as 'Sales' or 'Team' or 'Office' and an address is created following the groupname@domain pattern, and then group members are added. Thus you can make sure that several recipients get from a published address (i.e. contact@mycompany.com). Also, you can change the recipient addresses without having to change the published address. For all managed groups, system administrators can add and remove members at any time. They can also add as many message rules as needed to ensure a proper security policy for any given group. In AXIGEN, the maximum number of groups that can be defined for a server/domain cannot be greater than the number of licensed mailboxes. These administration tools allow you to create and configure forwarders: WebAdmin - also gives you access to all advanced forwarder configuration parameters, see Groups tab CLI - see Configuring AXIGEN using CLI for more details 5.4. Mailing Lists Mailing List Server Overview In AXIGEN, the integrated list server provides advanced mailing lists administration options. 
For each list, advanced parameters allow administrators to specify: AXIGEN services running, content type, what messages are moderated messages, what headers to remove etc. WebMail specific settings allow configuring the way mail lists are viewed and managed on the Web (see Mailing List WebMail Options). The AXIGEN List Server also provides RFC compliant templates / macros for automated mailing list interaction which allow you to add header text and other types of text before and after the message body. For each list, standard text messages can be specified to be returned in the following cases: invalid user name, unknown user, request needs confirmation, user already subscribed, rejected response, welcome text, goodbye text, subscribe denied, etc. All these advanced parameters guarantee easy list administration and easily definable 181

182 custom appearance and behavior for each list. For information how to configure list parameters, see the Mailing Lists Tab. Administration of the Mail List The current version of AXIGEN Mail Server does not differentiate, from an operational point of view, a list administrator from a list moderator. This operational difference will be featured in a next version of AXIGEN Mail Server. Therefore, currently the person who creates the mail list will act as both administrator and moderator of the list created. Also, please note that, list users are distinct from user mailboxes, even if both entities are administered using AXIGEN Mail Server. Message Flow for AXIGEN List Server From the moderator / administrator point of view, the folders below describe the flow for a message sent to a list managed with AXIGEN Mail Server: INBOX: stores all messages that have been already delivered are to be delivered. PendingRequests: stores all the requests that have to be confirmed by the administrator. The administrator can confirm a message in this folder by moving it to ConfirmedRequests. Requests: stores all requests that need to be confirmed by their senders (for instance subscription requests). When such a confirmation is received and verified, the request is moved to ConfirmedRequests. ConfirmedRequests: stores all requests confirmed by their senders. Pending: stores all messages that need to be moderated. The moderation is executed by moving the corresponding message to: 1. INBOX (the message will be published) 2. Reject (the message is automatically rejected), 3. ToBeRejected (the message is stored for a future manual reject) Reject: When a message arrives in this folder, the sender of the message receives a reject message and the original message is moved to Deleted. ToBeRejected: stores messages that need to be manually rejected by one of the list moderators. Deleted: Here are stored all messages that have been rejected by list moderators. 
From the mail list user point of view: A mail list user would interact with the list in different stages: when subscribing to the mail list, when confirming his/her subscription, when making a request, when accessing the list WebMail page or root mailbox, etc. The answers received from the list server are generated automatically, depending on the initial configuration of the mail list (done by the administrator) and the administrator's corresponding actions. Templates explained From a mail list administrator/moderator point of view, most of the messages send as answers on a mail list created and operated with AXIGEN Mail Server are in fact expanded macros or templates. All macros have the following form: %[-][width][.precision]{macro letter} Here is the algorithm used when expanding these macros: len = strlen(macro text); width default = 0; precision default = INT_MAX; 182

183 left pading default = false; if minus => left pading = true; precision = min (len, precision); pading = max (0, min(512, pading - precision)); if left pading => the trailing spaces are inserted before macro text ; if not => the trailing spaces are inserted after the macro text; Here is the list of macro letters and their meanings: l - Name of the list d - The domain name of the list. r - A short description of the list. o - Operation to be executed (this option is valid only for the answers sent to requests). e - Address of the original message sender. i - Identity confirmation. This is a message in the following format: "confirm {ID message} {random number}" Note that this option can also be used as a boundary when building multipart messages. x - Row M - Original message (populated only for answers to automatically rejected messages. f - Sender of the message (can be either a name or an address). w - Original message date. s - Original message subject. m - Original Message ID n - The number of the digest message. For detailed information on how to configure mail lists in WebAdmin, see Mailing Lists. Lists can also be configures using CLI - see Configuring AXIGEN using CLI Public Folders Starting with version 2.0, AXIGEN supports Public Folders for the WebMail and IMAP services. System administrator can also associate addresses with a domain s public folder. Thus, s can be sent directly to the public folder, access being given instantly to all the account users within the respective domain. Public folders are defined per each domain managed by AXIGEN. For all defined public folders, one or more addresses can be defined. The Postmaster of each domain can create and/or delete folders and messages within the Public Folder, while the rest of the users have reading rights only on the existing folders and messages. 
While they cannot permanently delete messages from the Public Folders, when using WebMail, users can mark the messages they choose as deleted and also hide the e-mails with such marks. Also, certain clients (such as Outlook) allow a similar behavior: marking for deletion and hiding such messages. Thus, users are not compelled to view messages that do not interest them. Users can set other types of flags for their Public Folders, such as Read/Unread or Flagged/Unflagged. These options are available both in WebMail and in clients (depending on their features), and affect the messages of the respective individual account, not the actual content of the Public Folders. For more details on configuring public folders, see Configuring Public Folders.
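The macro expansion steps from "Templates explained" above, written out as an added Python example (not AXIGEN's own code). It assumes that the macro letter follows the flags directly without literal braces, that the right-hand "padding" in the manual's formula means the width, and that precision is the number of characters of macro text emitted; the sample values are constructed.

```python
import re

MAX_PADDING = 512                # hard cap on inserted spaces, from the manual's algorithm
MACRO_LETTERS = "ldroeixMfwsmn"  # the macro letters listed in the manual

# Assumption: the letter follows the optional flags directly (no literal braces).
MACRO_RE = re.compile(r"%(-)?(\d+)?(?:\.(\d+))?([" + MACRO_LETTERS + r"])")


def expand_macro(text, minus=False, width=0, precision=None):
    """Expand one macro value following the manual's steps."""
    length = len(text)
    # precision defaults to "unlimited" (INT_MAX) and is clamped to the text length.
    precision = length if precision is None else min(length, precision)
    # Assumption: the manual's "padding - precision" is read as "width - precision".
    padding = max(0, min(MAX_PADDING, width - precision))
    # Assumption: precision truncates the emitted text, as in C printf.
    body = text[:precision]
    # Per the manual, '-' puts the spaces BEFORE the text (the reverse of C printf).
    return " " * padding + body if minus else body + " " * padding


def expand_template(template, values):
    """Expand every macro in template; a letter with no supplied value expands to ''."""
    def repl(match):
        minus, width, precision, letter = match.groups()
        return expand_macro(
            values.get(letter, ""),
            minus=minus is not None,
            width=int(width or 0),
            precision=None if precision is None else int(precision),
        )
    # re.sub inserts the callback's result literally and does not rescan it, so
    # macro syntax arriving inside a value (for example a sender-chosen subject)
    # is not expanded a second time.
    return MACRO_RE.sub(repl, template)


# Constructed sample values, keyed by macro letter.
SAMPLE = {
    "l": "announce",
    "d": "example.test",
    "e": "alice@example.test",
    "s": "Quarterly maintenance window",
}

if __name__ == "__main__":
    print(expand_template("List %l@%d, request from %e about [%.9s]", SAMPLE))
    print(repr(expand_template("%12l|%-12l|", SAMPLE)))
    # A huge requested width is still limited to 512 spaces of padding.
    print(len(expand_template("%100000l", SAMPLE)))
```

The 512-space cap bounds how far a template can inflate an automatic reply, whatever width it requests.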

Chapter 6. Working with the WebMail Module in AXIGEN

This chapter presents the AXIGEN WebMail Service features and configuration from a user's point of view. The sub-pages of this section will present in detail how to connect to the WebMail interface, manage the respective user account, add contacts to the address book or create and manage messages and WebMail folders. When accessing the WebMail interface through a browser, the individual user can configure all parameters relative to their respective account, except for certain limitations imposed by the administrator (in terms of attachment size, mailbox quota, etc.). For an overview of the WebMail service in AXIGEN, see the corresponding section in the Architecture Chapter. For tips on how to configure WebMail parameters and behavior using WebAdmin, see the WebMail Tab in the corresponding chapter.

Accessing/Leaving the WebMail Interface

Connecting to AXIGEN WebMail

To connect to AXIGEN WebMail, enter in your browser the IP:port combination where your AXIGEN WebMail service is running. If you are accessing WebMail from the machine on which AXIGEN is installed, this address is by default,

Remote access

If you are accessing the WebMail from a different machine, you need to set in the listener's address parameter the IP address of the machine on which AXIGEN is installed. Or, you can set this parameter to (in this case, the listener will listen to all machine interfaces). When accessing the AXIGEN WebMail, you need to replace the IP from the URL with the IP address of the machine on which the AXIGEN Mail Server is installed. For example, if the machine running AXIGEN has the IP address, change the IP/port data under Server->Webmail->Listeners->Address to match your IP/port:

    server {
      ...
      web {
        ...
        listeners = (
          {
            ...
            address = :9000
            enable = yes

Remember to reload your AXIGEN Mail Server after each change in the configuration files.

In the window thus displayed, enter the WebMail username and password provided by the system administrator.

Note: To have the list of available domains displayed on the WebMail login page, make sure you have the following settings:
- the Allow domain selection on login option from the Services > WebMail Tab is checked;
- the Include this domain in WebMail's domain selection list option from the Domains > General page corresponding to your existing domains is checked.

Leaving AXIGEN WebMail

To close the current WebMail session, click the Logout link (right upper corner, next to the username and the Settings link).

WebMail Features and Configuration

Navigating in Your WebMail Account

The left panel of your WebMail account displays a tree structure containing the folders currently existing in your WebMail account. When first accessing your WebMail account, the structure looks like this:

The folder structure helps you browse and manage the messages in your WebMail account:

Browsing through messages is also possible with the help of the Page navigation buttons (go to first, next, previous, last, or specific (by number) page) above the preview pane. If actions are performed on items in a page, the interface will remember the page name, so when the user returns to it, it will be the exact same page. The headers of the messages from the folder selected in the left panel are displayed on the upper right panel. When selecting an e-mail from the upper right panel by clicking on it, the message body will be displayed in the lower right Preview Pane. The Preview Pane can also be moved to the right of the message list. By default, the Preview Pane displays the sender, recipient(s) and date details of the e-mail horizontally. To have them displayed vertically, press the "+" icon in front of the Subject line, as shown in the below picture.

Searching within your account

You can search through the existing messages stored in your account using the quick search option or the Advanced Search option. For a quick search, go to the left corner of the WebMail page (above the folders tree structure), type your query in the search field and press the Go button. The search results will be displayed in the same window and can be sorted by all fields displayed in the message list header (From, To, Subject, Date, Size). For an advanced search, access the more actions menu (under the Settings and Logout links) and choose the Advanced Search option. In the new window choose whether the query should match all or just part of the specified search elements. Add as many search criteria as you need by clicking the add new element link or delete them by hitting their corresponding trash-bin shaped button.

Use the drop-down menu to select the new search element type. Available options include setting search criteria relative to the subject, sender, body, date, send date, To, Cc, size of the e-mail, flag, header or raw. To select the folders to search in, click the Choose folders button and select them in the new window (public folders are not available); they will be displayed in the Selected folders section. Finally, click the Search button to find the needed information.

NOTE: The Search function also supports internationalized searches. Having this feature, language-specific characters can now be used when running a search (i.e. using diacritics).

Working with Messages in WebMail

Main Button Bar

Use the New button to create a new message. The Reply and Reply to All buttons allow you to reply to a particular message or to all previously selected messages. Use the Forward button to redirect a received e-mail to a different recipient and the Move button to move an e-mail message to a different folder. The Delete button allows you to delete previously selected messages. For further actions on messages, use the More actions drop-down menu, which allows you to access the Advanced search, group messages by conversation, subject, sender or not group them at all, select all messages, invert a previous selection, deselect all messages or forward an e-mail as attachment. If any of the 'Group by' views are selected, the result list in the message list window will be split in pages containing a defined number of messages (set in the WebMail Data tab). Navigation among pages is possible (go to first, next, previous, last, or specific (by number) page) and if actions are performed on items in a page, the interface will remember the page name, so when the user returns it will be the exact same page.

Composing a new message

To compose a new message, press on the New button. A pop-up window similar to the one below is displayed.

Steps for editing a new message in AXIGEN WebMail

To edit an e-mail message you need to take the following steps:

1. Enter the addresses of the recipients in the To: field of the message (separated by commas if multiple) or add them from your existing address book by pressing the Addressbook button. The Addressbook gives users access to contacts defined for their account and also to Public and Domain contacts. First select the needed contact list, then select a specific one. E-mail addresses can be added automatically to the 'To', 'Cc' or 'Bcc' fields. To do so, click on the address to select it, then click the To, Cc or Bcc buttons. Press the OK button when you are done adding recipients or the Cancel button to quit. For any of these three address fields, when typing the recipient addresses, if the respective addresses are already in your address book, the autocomplete function will be enabled. Therefore, you can select the correct address and press Enter.
2. Use the Check addresses button to verify the validity of the addresses you have inserted.
3. Specify the subject of your message in the Subject: field.
4. Use a different originating address by clicking the Show From link (after the formatting buttons) and typing the address in the From field.

WARNING! This option works only if the user has the 'Send Mail as' permission from the mailbox owner. For information on how to define 'Send Mail as' permissions please see Sharing permissions.

5. Set the 'Reply-to' header for the message. When clicking the 'Show Reply-To' link, a new field appears containing the address defined in the settings window (which the user may override). If no value was defined in the Settings > Personal Data page the input field must be empty.
6. Edit your message in the message body. The user can now use rich text (Bold, Italic, Underline / Strike through, Different font face and size, Colors, Subscript, Superscript, Insert link, Bullets etc.).
7. Add attachments to your message by pressing the Attach button. To add an attachment, press on Browse, specify the path to the attachment and then press on the Upload link. To add multiple attachments, repeat these actions as many times as you need.
8. After adding one or more attachments to a WebMail message, the attachment list is displayed in the lower part of the screen. You can delete the attachments one by one, by clicking on the corresponding [delete] link.
9. You can save a draft of your current message at any time by pressing on the Save button and resume its editing at a later time.

Marking messages

To mark a message, you must first select it in the upper panel by clicking on it. Then choose one of the options displayed in the Mark as drop-down box:

- Select Mark as read to set the status of the currently selected message(s) to Read.
- Select Mark as not read to set the status of the currently selected message(s) to Not read.
- Select Flagged to add a flag to the currently selected message(s).
- Select Not Flagged to delete the flag for the currently selected message(s). This option is only available for previously flagged messages.
- Select Deleted to mark a message as deleted (it will be displayed in strikethrough style). When marking certain messages as deleted, you can also choose to hide them by pressing the Hide deleted button.
- Select Not deleted to remove a deleted mark from a certain message.

Deleting messages

To delete one or more messages, select the message(s) and click on the Delete button in the Main button bar. If you do not wish to see the deleted messages, click the Hide deleted button. Deleted messages will be permanently deleted or sent to the Trash folder depending on the user setting in WebMail Data or the Move deleted s to Trash option set by the administrator in Account WebMail Options.

WebMail Folders

Public Folders

Through the Public Folders, users may now share messages, contacts, tasks etc. by simply copying and/or moving them to a public folder. The system administrator can also associate a certain address with a public folder. Thus, e-mails can be sent directly to the public folder, archiving options being also available. While they cannot permanently delete messages from the Public Folders, when using WebMail, users can mark the messages they choose as deleted and also hide the e-mails with such marks. Thus, users are not compelled to view messages that do not interest them. Users can set other types of flags for their Public Folders, such as Read/Unread or Flagged/Unflagged. These options affect the messages of the respective individual account, not the actual content of the Public Folders.

Special Folders

From both WebMail and Outlook, one can create a special type of folder: Mail, Calendar, Tasks, Journal, Contacts, Notes. Each special folder has a type-specific view to display its contents (i.e. Calendar view(s) for calendar-type folders, Contacts view for contact-type folders and so on). Aside from its specific view, each special folder type has a list view which consists of a list of objects in that folder. The list view has more pages so the user may view only a few items at a time. When editing an object in the list view, the user interface remembers the page so that after the object is updated the position in the list is not lost. While in the list view, special messages can be copied or moved from one special folder to another, if the folders have the same type. This action can also be performed in Outlook.

NOTE: After creation, the folder type cannot be modified.

For special public folders all action buttons are displayed, regardless of the permissions. When editing an item, the action buttons in the edit pop-up are displayed or not depending on the permissions. For example, if the current user does not have 'Edit' (i.e. delete & create) permission, the 'Save' button does not exist; moreover, all input controls are disabled. For information on how to set folder permissions please access the Sharing Permissions page.

Managing Folders in WebMail

A right click on any folder in the folder tree (be it personal, public or shared, mail, calendar, task, journal or notes) brings up a context menu with the following options: New folder, Rename folder, Move folder, Empty folder, Delete folder, Sharing, Open/Close other user's folder.

These options always appear in the context menu; whether they work or not depends on the specific permissions set on the selected folders. When clicking any of these options, a new pop-up window is displayed allowing you to make the desired changes. For example, when creating a new folder, a new window is displayed allowing you to specify the name of the new folder in the Folder name text area, the Folder type ( , Calendar, Tasks, Journal, Notes or Contacts) and select its location in the folder tree. To finish, press the Create button or Cancel if you changed your mind. All folder options (creating, moving, deleting etc.) have explicit instructions in their respective pop-up windows.

Managing Contacts in WebMail

To define your address book, access the Contacts folder from the folder tree. You can either add contacts one by one or import an existing address book. Click the New contact button to create a new contact and fill in the details.

General Details

Use the , First Name and Last name text fields to specify the name and address of the new contact you want to add. To specify the contact's nickname, use the Nickname field.

Additional Info

You can specify a personal e-mail, for non-professional purposes, in the Personal field, phone numbers in the Phone and Mobile Phone fields and the home phone and address data in the Home address and Home phone fields. Using the Business field you can specify the business address for your new contact. Use the Business phone and Business address fields to specify the office contact details. Finally, the Notes text field can be used to type any information regarding the currently edited contact. Make sure to press the Save&Close button to save the contact you just added or the details you changed.

Edit the contact by double clicking on it. To delete an existing contact, use the Delete icon on the right of the contact you would like to remove. To send a new e-mail to a contact in the list, click the letter icon (next to the Delete icon). Click the Details link to see all the information regarding that contact.

Press the Import contacts button to import external address books that were saved locally. Address book files must be in CSV (Comma Separated Value) format! Click the Browse button to specify the path to the desired external address book, then click on the Import contacts button. Should you choose to abort, press the Cancel button.

Any newly created mailbox has by default two public folders in the root of the public folder: Domain Contacts and Public Contacts. The Domain Contacts folder is read-only: no items can be modified or created in it, it cannot be deleted or renamed, no folders can be added to it, no permissions may be changed on it.

NOTE: This applies for all users in the domain, including postmaster!

The content of this folder is automatically and dynamically updated by the server and contains all the addresses for recipients in the domain. Public contacts can be added only by the domain Postmaster in the same way explained above.

6.5. Working with the Personal Organizer in WebMail

Having time management and mobility needs in mind, starting with version 4.0, the AXIGEN Mail Server comes with a Personal Organizer module available from both AXIGEN's WebMail interface and the Outlook client. The Personal Organizer comprises tools such as calendar, tasks, journal, notes and collaborative support. This section aims to explain how the new management tools can be used. Each of them - calendar, journal, notes, tasks - is described in a separate sub-section, with all its features and usage alternatives.

Working with your Calendar

The Calendar helps users plan and schedule their work-related or personal events and have a clear and detailed view of their work, thus enabling an improved time management. To access your Calendar, you can either click the Calendar folder in the folder tree structure placed on the left hand side of your WebMail account or click on any day of the calendar displayed in the lower left corner of the interface. The upper button bar displayed when the Calendar is accessed gives access to the following options:

- New event - creates a new event. To create an event in a certain day, select it first using the calendar displayed in the lower left corner. Use the left and right arrows to change months of the current year and the double right and left arrows to change the year.
- Today - when hit, it marks the current day events
- Day view - displays the events for one day at a time
- Work-week view - displays work days, Monday to Friday

- Week view - displays the entire week
- Month view - displays the events for the whole month
- List view - displays the existing list of events.

Creating a New Event

When creating a new event, you have to first type a Subject (required) and then a location, specifying where the event takes place. You can either create an event that lasts throughout the day by checking the All day event option, or you can specify limits for the new event. To do so, click the date and time selection boxes for both the Start and End date of your event. Should you like to be prompted that a certain event is about to start, check the Reminder box and set your desired time interval. You can also use the available text field to type in any details or explanations regarding your current event. Set the event's transparency to "Busy" or "Free" using the drop-down menu in the Show time as section. This option will affect the resource availability displayed in the Free/Busy tab. More information is available below on this page. To save your event, press the Save & Close button. To abort configuring the event, hit Cancel. To define a repeating scenario, hit Recurrence and use the Invite button to invite others to attend the event you are creating.

Existing events can be edited at any given later date. To do so, select the desired entry by double-clicking it, regardless of the selected view type. After making the needed alterations, hit the Save & Close button. If the entry you want to edit is a recurring event, you will be asked whether you want to edit the entire series or only a single instance (occurrence) of the event:

NOTE: This option is not available while in the list view.

Should you like to delete the entry, press the Delete icon added to the editing window. Additionally, when using the List view, you can use the edit and delete icons appended to each event.

Setting the Recurrence

When hitting the Recurrence button, a pop-up window displays the available options. You can set a start and end time for the event by clicking the respective selection boxes. Thus, the Duration of your event will be automatically set. Click the Start selection box to select the starting date of the recurrence. You can choose to have the event repeated incessantly by checking the No end date option, or the event can stop occurring after a number of occurrences (check the End after x occurrences option) or by a certain date (select the End by... option). You can set the event to be repeated on a daily, weekly, monthly or yearly basis, according to a defined Recurrence pattern. Depending on the Recurrence pattern you select, you can access more detailed options:

- Daily - you can have the event repeated every weekday by checking the corresponding option, Every weekday, or you can have it repeated every 2, 3, x days by checking the corresponding option.
- Weekly - you can check a certain day (Monday to Sunday) of every 1/2/etc week(s) for the recurrence.
- Monthly - you can specify a certain day of every month (e.g. 25th of every month or every 2 months), or select from the other available options: first/second/third/fourth/last - day/weekday/weekend day/Sunday/Monday etc. of every 1/2/etc months. For example, you can set an event that occurs on the first weekday of every other month. Important! As the number of days differs depending on the month, if you set an event for the 31st, it will be scheduled in the last day of each month with 30 days.
- Yearly - you can set the event to occur on a certain date of a certain month (e.g. January 25th) or you can select from the other available options: first/second/third/fourth/last - day/weekday/weekend day/Sunday/Monday etc. of every January/February/etc months. For example, you can set a seminar attendance event for each first weekend day of every March.

Finally, set the Range of recurrence for your event. Click the Start selection box to select a date. The event can be repeated incessantly if you choose the No end date option. Alternately, you can have it ended after a number of instances, by checking the End after x occurrences option and setting the desired number of repeats, or set an End by date and select the desired end date by clicking the respective selection box.

When you are done setting the event recurrence, hit OK. To abort the recurrence, hit Cancel. For already defined recurrence details, hit Remove Recurrence to prevent the event from repeating.

Inviting Attendees

When hitting the Invite Attendees button, a new text field and a To button are added in the upper side of the event editing window. If you want to abort the inviting process, press the Cancel Invitation button that replaces the initial Invite Attendees option. You can either type the addresses of the persons you want to invite at the event, or you can access your existing contacts by hitting the To button. When accessing your contacts using the To button, a new pop-up window appears, allowing you to choose which contacts to display in the left hand pane, as shown below. Available options are 'All contacts', 'My contacts', 'Public contacts' and 'Domain contacts'. Select the address of the contact you want to invite with a mouse click, then press the To button. To select several contacts, press Ctrl on your keyboard. To delete a contact from the list of attendees to be invited, click their address in the right hand pane and press Delete on your keyboard. When you are done selecting attendees, press OK to have the invitations sent to them. To discard the inviting process, hit Cancel.

Attendees will then receive an invitation in their Inboxes, prompting them to take action:

To view the details of the event they are invited to attend, users need to click on "open details". The available options are to Accept the meeting, to accept it without guaranteeing attendance - Tentative, Reject it, or Propose a change in the event details. When an attendee takes a certain action, other than Propose, the organizer receives a notification that requires no further action to be taken. If, on the other hand, the invited attendees have proposed changes to the event, the organizer will receive an e-mail prompting him/her to take action. The available options are Accept/Reject changes or Propose a new modification of the event specifics.

When dealing with proposed changes, attendees have one more option, Tentative, which gives them the possibility to accept the changes partially, without guaranteeing they will actually take part in the event.

Important! If participants to a certain event take different actions when changes are proposed (i.e. some accept them, while others reject them), the organizer has the final say.

When inviting others to take part in a certain event, the event editing window will also be modified. A new tab called attendees will be added, showing the course of action taken by those invited. The available status options are 'Accepted', 'Declined', 'Tentative' and 'need action'. In the Free/Busy tab the attendee availability is displayed IF the user editing the event has the 'Read Free/Busy status' permission on the attendee's mailbox. This feature is available only in the WebMail interface.

Reminder options

If you have chosen to be reminded of a certain event, at the specified time, a pop-up will appear at the given time and date. If no action is taken, it will reappear each time the WebMail interface is automatically refreshed. Hence, it depends on the refresh settings configured in the WebMail Data page. Alternatively, you can have the reminder postponed using the available snooze options, by choosing a repeat interval in the corresponding dropdown menu and by hitting the Snooze button.

Important! If the auto-refresh option is disabled, reminders will not function.

If you want to see the details of an event you are reminded of, press the Open Item button. To dismiss a certain task, select it and press the Dismiss button. Use the Dismiss All button to discard all pending events.

Important! Further settings that determine Calendar behavior need to be set on the WebMail Data page. Each user needs to set the correct Time Zone and the Week start date in order to have deadlines and start times displayed correctly in their Calendar.

Working with your Journal

The Journal allows you to add entries that help you keep track of your day-to-day tasks and actions. To access your Journal, click the corresponding folder in the folder tree structure placed on the left hand side of your WebMail account.

The upper button bar displayed when the Journal is accessed gives access to the following options:

- New journal - creates a new journal entry.
- Today - when hit, it marks the journal entries for the current day
- Day view - displays journal entries for one day at a time
- Month view - displays journal entries on a monthly basis
- List view - displays the existing list of journal entries.

Creating a New Journal Entry

When hitting the New journal button, the options relative to the new entry are displayed in a pop-up window. To add a new entry, you have to fill in the two required fields: Subject, referring to the entry description, and the Type drop-down menu. There are several available types of entries, such as Phone call, Message, Task, Conversation, etc:

Click the Start time selection boxes to set a starting date and time for your journal entry. In the displayed calendar, use the left and right arrows to change months of the current year and the double right and left arrows to change the year.

Click the Duration selection box to specify a time frame for your journal entry. You can then edit the actual journal note in the available text field. When you are done editing the entry, hit the Save & Close button. If you want to discard the journal entry, press the Cancel button.

Existing Journal entries can be edited at any given later date. To do so, select the desired entry by double-clicking it. After making the needed alterations, hit the Save & Close button. Should you like to delete the entry, press the Delete icon added to the editing window. When using the List view, journal entries can be edited by double clicking on them and deleted by clicking their corresponding delete icon.

Important! Further settings that determine Journal behavior need to be set on the WebMail Data page. Each user needs to set the correct Time Zone and the Week start date in order to have start and end times displayed correctly in their Journal.

Working with your Notes

The Note tool allows you to add quick notes while working. Notes are best suited when one needs to write down something very quickly and has little time to add more details. To access your Notes, click the corresponding folder in the folder tree structure placed on the left hand side of your WebMail account. When hitting the New note button, a small pop-up window is displayed.

Type the note in the given field and either close the pop-up window using your browser's "x" button, or hit the Close window to save this note link in order to have your text saved. Notes can be edited by double clicking on them and deleted by clicking their corresponding delete icon.

Working with your Tasks

Tasks help users organize their work-related tasks and collaborate with others on ongoing projects. By enabling them to permanently check the level of completion, tasks offer a clear and detailed view of their workload. To access your Tasks, click the Tasks folder in the folder tree structure placed on the left hand side of your WebMail account. The upper button bar displayed when the Tasks are accessed enables the following options:

- New task - creates a new event.
- All tasks - lists all your tasks

- Uncompleted tasks - displays the user's uncompleted tasks
- Completed tasks - displays the user's completed tasks

Creating a New Task

When creating a new task, first type a Subject in the corresponding text field, then set the task's completion deadline using the Due Date selection box. Use the left and right arrows of the selection calendar to switch between months of a certain year and the double left and right arrows to switch between different years. To successfully define a time frame for the task, also configure its Start date, using the corresponding selection box. Furthermore, you can prioritize tasks using the Priority dropdown menu. Available options are: 'Low', 'Normal' and 'High'. To keep track of the completion process, type a percentage in the %Complete text field. Should you like to be prompted that a certain event is about to start, check the Reminder box and set your desired time interval. You can also use the available text field to type in any details or explanations regarding your current task. To save your task, press the Save & Close button. To abort configuring the task, hit Cancel. To define a repeating scenario, hit Recurrence and use the Assign task button to have the respective task assigned to different users.

Existing tasks can be edited at any given later date by double clicking them. After making the needed alterations, hit the Save & Close button. To mark a task as completed, use the corresponding icon placed next to the Assign task button. Should you like to delete the entry, press the Delete icon in the editing window. Additionally, you can use the delete icons appended to each task or check it as completed.

Setting the Recurrence

When hitting the Recurrence button you can set the task to be repeated on a daily, weekly, monthly, yearly basis or according to a defined Recurrence pattern. Depending on the Recurrence pattern you select you can access more detailed options:

- Daily - have the event repeated every weekday by checking the corresponding option, Every weekday, or you can have it repeated every 2, 3, x days by checking the corresponding option.
- Weekly - check a certain day of the week for the recurrence.
- Monthly - specify a certain day of every month (e.g. 25th of every month or every 2 months), or select from the other available options: first/second/third/fourth/last - day/weekday/weekend day/Sunday/Monday etc. of every 1/2/etc months. For example, you can set an event that occurs on the first weekday of every other month. Important! As the number of days differs depending on the month, if you set an event for the 31st, it will be scheduled in the last day of each month with 30 days.
- Yearly - set the event to occur on a certain date of a certain month (e.g. January 25th) or you can select from the other available options: first/second/third/fourth/last - day/weekday/weekend day/Sunday/Monday etc. of every January/February/etc months. For example, you can set a seminar attendance event for each first weekend day of every March.

Then set the Range of recurrence for your task. Click the Start selection box to select a date. The task can be repeated incessantly if you choose the No end date option. Alternately, you can have it ended after a number of instances, by checking the End after x occurrences option and setting the desired number of repeats, or set an End by date and select the desired end date by clicking the respective selection box.

When you are done setting the task recurrence hit OK. To abort the recurrence hit Cancel. For already defined recurrence details, hit Remove Recurrence to prevent the task from repeating.

Assigning tasks

When hitting the Assign task button, a new text field and a To button are added in the upper side of the event editing window. If you want to abort the inviting process, press the Cancel Assignment button that replaces the initial Assign task option.

You can either type the addresses of the persons you want to assign the task to, or you can access your existing contacts by hitting the To button. When accessing your contacts using the To button, a new pop-up window appears, allowing you to choose which contacts to display in the left hand pane, as shown below. Available options are 'All contacts', 'My contacts', 'Public contacts' and 'Domain contacts'.

Select the address of the contact you want to have the task assigned to with a mouse click, then press the To button. To select several contacts, press Ctrl on your keyboard. To delete a contact from the list of assignees, click their address in the right hand pane and press Delete on your keyboard. When you are done selecting assignees, press OK to have the assignments sent to them. To discard the assigning process, hit Cancel.

Assignees will then receive an assignment in their Inboxes, prompting them to take action. To view the details of the event they are invited to attend, users need to click on "open details". The available options are to Accept or Reject the task and the organizer receives a confirmation.

When assigning tasks to others, the editing window will also be modified. A new tab called Attendees will be added, showing the course of action taken by those you have selected. The available status options are 'accepted', 'declined' and 'need action'.

Reminder options

If you have chosen to be reminded of a certain task, at a specified time, a pop-up will appear at the given time and date. If no action is taken, it will reappear after the starting time each time the WebMail interface is automatically refreshed. Hence, it depends on the refresh settings configured in the WebMail Data page. Alternatively, you can have the reminder postponed using the available snooze options, by choosing a repeat interval in the corresponding drop-down menu and by hitting the Snooze button.

Important! If the auto-refresh option is disabled, reminders will not function.

If you want to see the details of an event you are reminded of, press the Open Item button. To dismiss a certain task, click to select it, then press the Dismiss button. When a task is dismissed, it is also removed from the Reminder window. Use the Dismiss All button to discard all pending tasks.

Important! Further settings that determine Tasks behavior need to be set on the WebMail Data page. Each user needs to set the correct Time Zone and the Week start date in order to have their Tasks deadlines and start times displayed correctly.

Configuring Account Settings in WebMail

To access the WebMail account parameters, click Settings (right upper corner, WebMail upper right panel), next to the Logout link.

In this section users are given access to eight configuration tabs:

- Personal Data - containing options relative to the user's personal details;
- WebMail Data - gives access to settings managing the WebMail account behavior (all these parameters can be configured via WebAdmin from the Account > WebMail Data page);
- Filters - gives access to filter configuration using the AXIGEN Rules Wizard;
- Sharing permissions - gives share access to your folders (allow other users to see your schedule or send e-mails in your name);
- RPOP Connections - this feature allows you to organize the user's communication by retrieving e-mail from other remote accounts;
- Account Info - quota related parameters can be viewed in this page;
- Blacklist - block addresses you do not wish to receive messages from;

- Temporary - request one or more temporary addresses (or alias);

Configuring Personal Data

While on the Personal Data page, users can define personal details such as their first and last name, change the current password to their WebMail account or fill in Business Details.

General Information

To set your first and last name, use the two corresponding text fields, First name and Last name. To choose a nickname, use the Nickname field.

Define a Reply-To header for all the messages you send (including replies and forwards) so that when someone replies to your e-mail, the address set here appears in the To field instead of the one in the 'From' header. When composing an e-mail it can be overridden or missing if it was not defined.

Personal Details

You can specify a personal e-mail address, for non-professional purposes, in the Personal field. Add your phone numbers in the Phone and Mobile Phone fields and home phone and address data in the Home address and Home phone fields.

Your Password

The password previously defined by the administrator when creating the account can be changed from the Personal Data page. To do so, first type the current password in the Old password field, then type a new one using the Password field and finally confirm the new selected password in the Retype password field.

Business Details

Use the Business phone, Business address and Business fields to specify your office contact details.

After modifying any of these parameters, remember to press the Save changes button to save these changes. Use the Cancel button to undo the changes you have just made instead of saving them.

WebMail Data Settings

When accessing the WebMail Data page, users have access to settings used to configure the behavior of their WebMail account.

Appearance

Use the Skin name drop-down box to select the skin of your WebMail account. At this time three options are available: Classic, Coolwater and Webreflection.

The Language drop-down menu allows you to select the language of the WebMail account. Available choices are English (en), Romanian (ro), German (de), Norwegian (no), Dutch (nl), Spanish (es), Portuguese (pt), Italian (it), Danish (dk), Swedish (se), Chinese (cn), Persian (fa), French (fr), Greek (gr), Hungarian (hu), Macedonian (mk), Polish (pl), Russian (ru), Turkish (tr) and Czech (cz).

The Page size text box allows the user to specify the number of messages displayed on one WebMail page.

The HTML Body Filtering level specifies which HTML filtering level will be used when displaying HTML format messages. The HTML filtering levels stand for the following:

- No Filtering
- Low level filtering - converts the message to standard XHTML.
- Medium level filtering - generates the body based on a list of known/allowed attributes and tags. Anything that is not on this 'allowed list' is removed. This level removes JavaScript, styles, etc.
- High level filtering - generates the body based only on text components. This means that only plain text components remain in the message. This fourth level is the strictest and may actually damage some formatting, but it is also the safest.

Use the Week start date drop-down menu to select a day to be displayed first in the week for your calendar.

To specify your Time Zone, use the corresponding drop-down menu. The date field is automatically adjusted according to the defined local time zone when displaying a message (in both the message list window and the open message popup).

Preferences

Choose to be asked for confirmation before emptying a folder using the Confirm empty folder drop-down box. Choose to be asked for confirmation when an e-mail message is deleted using the Confirm delete mail drop-down box.

Use the Delete to Trash drop-down box to specify if a message deleted from your WebMail account is saved to the Trash folder ("yes") or permanently deleted. To have a copy of sent messages saved in the Sent folder, choose the value "yes" for the Save to sent parameter.

Set the refresh interval for your WebMail interface by typing the desired value in the Autorefresh interval text field. Please note that setting this value to 0 disables the option. Use the Display new notification drop-down box to choose if you wish to be notified when a new e-mail arrives.

Configuring your signature

To configure a signature that will be appended to all your outgoing e-mails, use the Signature text field.

After changing any of the settings above, remember to press the Save changes button to save the new values.

Mail Filtering in WebMail

The filter wizard accessible from the Filters page allows users to easily create a filtering system to manage their e-mail flow. Moreover, auto replies can be set for all or certain received messages.

When first accessing the Filters page, a list of the already defined filters is displayed. If no filter has been previously set, the list will be blank.

The Sender not in AB Actions allows you to apply certain actions to messages containing recipients that are not in the address book. To enable this option just check the box in front of it and choose either of the Send NDR, Move to Trash or Discard options from the dropdown list.

To delete a filter, use the Delete button on the right of the respective filter. To edit an existing filter, press its corresponding Edit button. Click the New filter button to create a new filter. To create an automatic reply for certain/all messages hit the New responder button. Whether creating a new filter or editing an existing one the options displayed are the same.

Use the name text field to specify a name for the currently defined filter. You can further select if the messages filtered should match all or any of the defined criteria using the corresponding check boxes. Next use the drop-down menu to select what conditions the messages should meet for the filter to apply. Available options include setting conditions relative to the subject, sender, receiver, Cc, To or Cc, size of the e-mail, as well as a customization option accessible by choosing Custom. Finally use the Actions area to define the actions to be taken (i.e. moving, copying, deleting, or redirecting it to a certain address etc.) if an e-mail message matches the specified criteria.

- use this icon to add a new criterion and/or a new action;
- use this icon to remove one of the previously created criteria and/or actions.

To set the order in which defined filters should apply use the up and down arrows in front of them.

When setting a Responder (automatic reply) to be sent to the messages matching the defined filter, the following fields also need to be configured: Use the Subject and the Message fields to define the subject and body of the response to be sent. Set the Days between subsequent responses and Additional own addresses (use the same responder for other addresses) by editing their corresponding fields.

When you are done configuring the filter or responder press the Save changes button.

WebMail Filters Overview

The mail filtering features allow users to create named filters and specify actions to be taken on the matching messages. A filter is composed of a set of 'filtering expressions' or "expressions" and a set of actions.

An expression (filtering expression) is composed of a header name, an operator and an optional value. The expression can be applied to a mail message and will give a matching/unmatching response.

A filter contains the following:

- Name
- Priority
- Enabled/Disabled state
- ExpressionOperator: operator to compose multiple filtering expressions (And/Or)
- Expressions
- Actions

A (filtering) expression contains the following:

- Header: the mail message header to which the matching criteria will be applied
- Operator: operator specific to the header type
- Value (optional): a value that the operator may need (depends on the operator)

Supported Headers/Operators/Values

| Header(s) | Supported operators (negated or not) | Supported values | Comments |
| Subject, To, To or Cc, Cc, Custom | Contains, Is, Begins with, Ends with | String | When Custom is selected the name of the custom header must be specified. |
| From | Contains, Is, Begins with, Ends with | String | |
| Size | Is greater than, Is lower than | String describing size, e.g.: 1024 (bytes), 1K (1 kilobyte = 2^10 bytes), 1M (1 megabyte = 2^20 bytes), 1.4G (1.4 gigabytes = 1.4 * 2^30 bytes) | |

Action Data

Action / Data / Type / Description

- Move to: string. The path to the location is given as UTF8.
- Copy to: string. The path to the location is given as UTF8.
- Delete (move to trash): (none), (none). The message will be moved to trash.
- Forward to: address. The message will be forwarded to the given address. No copy will be saved.
- Vacation:
  o days: number. minimum > 0; maximum > 7 (must); maximum > 30 (should); if omitted, days defaults to 7 or minimum (whichever is greater); if given value > maximum, days defaults to maximum; if given value < minimum, days defaults to minimum.
  o subject: string (utf8). Alternate subject for response. If not given, the incoming mail's subject is used.
  o text: string (utf8). Body of the response message.

Filter Container

The FilterContainer is responsible for serializing an ordered collection of filters into a file and for parsing a sieve script that contains one or more filters. The parts of the scripts that are not recognized are stored as raw text in memory. When doing the serialization, the container will reorder the scripts. The ones that were edited by WebMail will be written at the beginning of the file while all 'raw' scripts will be written at the end.

A script is recognized as being a WebMail script if it:

- contains only directives that have been implemented in WebMail filters
- has a header with the following data:
  o Name: user specified string
  o Id: internal integer to uniquely identify the script
  o Position: integer used for ordering the scripts
  o Enabled: boolean

If the script has a header but has been edited by hand to contain other directives it is rejected and put into the raw scripts collection. If the script does not have a header but can be handled as a WebMail script it will be given an auto-generated id, a last position in the list and an auto-generated name.
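An added example, not AXIGEN's implementation, of the filter model described in the overview above: expressions over headers combined with And/Or, the Size value syntax, and the bounds on the Vacation days value. Case-insensitive string matching, lower Priority numbers running first, every matching filter contributing its actions, the 1 and 31 day limits and the sample message are assumptions of this example.

```python
import operator
import re
from dataclasses import dataclass
from email import message_from_string

_UNITS = {"": 1, "K": 2**10, "M": 2**20, "G": 2**30}
_STRING_OPS = {
    "contains": lambda header, value: value in header,
    "is": operator.eq,
    "begins with": str.startswith,
    "ends with": str.endswith,
}
_SIZE_OPS = {"is greater than": operator.gt, "is lower than": operator.lt}


def parse_size(text):
    """Turn '1024', '1K', '1M' or '1.4G' into a byte count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size value: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def vacation_days(requested=None, minimum=1, maximum=31):
    """Apply the defaulting rules for 'days'; limits are assumed site values."""
    if minimum <= 0 or maximum <= 7:
        raise ValueError("need minimum > 0 and maximum > 7")
    if requested is None:
        return max(7, minimum)            # omitted: 7 or minimum, whichever is greater
    return min(max(requested, minimum), maximum)


@dataclass
class Expression:
    header: str            # Subject, From, To, Cc, "To or Cc", Size or a custom name
    op: str                # lower-cased operator name from the table
    value: str = ""
    negated: bool = False

    def matches(self, msg, size):
        if self.header == "Size":
            hit = _SIZE_OPS[self.op](size, parse_size(self.value))
        else:
            names = ["To", "Cc"] if self.header == "To or Cc" else [self.header]
            test = _STRING_OPS[self.op]
            hit = any(test(found.lower(), self.value.lower())
                      for name in names for found in msg.get_all(name, []))
        return hit != self.negated        # negation flips the result


@dataclass
class Filter:
    name: str
    priority: int
    enabled: bool
    expression_operator: str              # "And" or "Or"
    expressions: list
    actions: list                         # e.g. [("Move to", "Misc")]

    def matches(self, msg, size):
        results = (e.matches(msg, size) for e in self.expressions)
        return all(results) if self.expression_operator == "And" else any(results)


def apply_filters(filters, raw_message):
    """Return the actions of every enabled, matching filter in priority order."""
    msg = message_from_string(raw_message)
    size = len(raw_message.encode("utf-8"))
    actions = []
    for flt in sorted(filters, key=lambda f: f.priority):
        if flt.enabled and flt.matches(msg, size):
            actions.extend(flt.actions)
    return actions


# Constructed sample message and filters.
SAMPLE_MESSAGE = (
    "From: Alice <alice@example.com>\n"
    "To: team@example.com\n"
    "Cc: bob@example.com\n"
    "Subject: [announce] Maintenance window\n"
    "X-Mailer: ExampleMailer 1.0\n"
    "\n"
    "Body text.\n"
)
FILTERS = [
    Filter("Announcements", 1, True, "And",
           [Expression("Subject", "begins with", "[announce]"),
            Expression("To or Cc", "contains", "bob@")],
           [("Copy to", "Lists/announce")]),
    Filter("Big mail", 2, True, "Or",
           [Expression("Size", "is greater than", "1K")],
           [("Delete", None)]),
    Filter("Not from boss", 0, True, "And",
           [Expression("From", "is", "boss@example.com", negated=True),
            Expression("X-Mailer", "contains", "examplemailer")],
           [("Move to", "Misc")]),
    Filter("Disabled", 3, False, "Or",
           [Expression("Subject", "contains", "maintenance")],
           [("Forward to", "ops@example.com")]),
]

if __name__ == "__main__":
    print(apply_filters(FILTERS, SAMPLE_MESSAGE))
```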

Setting Sharing Permissions

In the Setting Sharing Permissions tab you can allow share access to your folders, access folders shared by other users, allow other users to see your schedule or send e-mails in your name.

Global Permissions

Read Free-Busy status

If a user editing a calendar event has the 'Read Free-Busy' permission for the attendee's mailbox the availability is displayed. This option is available only for the WebMail interface.

Send Mail As

When sending a new message (from either SMTP, MAPI or WebMail) another 'From' address can be set if the user has the 'Send Mail As' permission for that mailbox.

Folder permissions

These permissions can be defined on both folder level and on mailbox level (in this case, they act on all subfolders in the user's mailbox). To share a folder right click on it and choose share.

Share a folder

To control a folder's sharing permissions, go to the tree folder on the left, right click on it and choose the Sharing option. When accessing Sharing options for a folder a list of the already defined permissions is displayed. If no permission has been previously set the list will be blank.

To edit an existing permission use its corresponding Edit button, to delete it hit the recycle bin shaped Delete button. Click the Add button to add a user or a group of users (only domain contacts are available) and set the permission level on the folder. There are 6 levels to choose from:

- No access (all permissions are denied)
- Viewer (view and read folder is allowed)
- Contributor (view, read folder and add items is allowed)
- Editor (view, read folder, set/clear flags, add items, mark items as deleted/not deleted and expunge is allowed)
- Master (all permissions are allowed)
- Custom (each permission is defined individually according to your needs)

Each permission may be allowed explicitly, denied explicitly or not specified. Permissions act hierarchically (are inherited on the group hierarchy). Additionally, resource hierarchies (a folder being parent to another folder) also benefit from the inheritance algorithm.

In the Effective Permissions tab you will be able to see what permissions are specifically allowed or not.

IMPORTANT! In the same way domain Postmasters set permissions for Public Folders.

Subscribe to folders shared by other users

Click the Subscribe button to have access to folders shared by other users. You can either type the address in the Shared by field or click the Select button to choose it from the contacts list in your domain.

WARNING! This option works only for users in the same domain that have set one of the permissions level (except None) described above.

The folder will appear in the Shared Folders section of your folder tree.

If you do not wish to see the folders shared by a certain user anymore close them by right clicking on the folder displaying the user's name or one of its subfolders and choosing the Close user option.

Configuring WebMail RPOP Connections

When first accessing the RPOP Connections tab, a list of the already defined connections is displayed. If no connections have been previously set, the list will be blank.

To delete a RPOP connection, click the Delete icon corresponding to it. To edit a connection, click the Edit icon corresponding to its name. In order to add a new connection, press the Add connection link. Whether you are adding or editing a RPOP connection, the parameters you need to configure are the same.

Connection details

Specify the name or IP address of the host from which the e-mails are retrieved using the Hostname field. To set the port on which the retrieval from the desired hostname is made, use the Port field. Use the Username and Password fields to specify the authentication details needed to connect for retrieval.

Retrieval settings

Use the Retrieval interval field to specify the minimum interval in minutes between two retrievals. Then specify a certain folder of your WebMail account where you want the e-mails stored using the Folder field. You can also select if messages are deleted or not from the remote server after retrieval, using the Delete on retrieval drop-down box.

Security

Select the desired type of encryption used on the RPOP connection you are configuring from the Encryption drop-down box. The available options are 'none', 'SSL' and 'TLS'. Use the Enable APOP drop-down box to specify if you want to enable APOP authentication for the respective connection.

RPOP Templates

E-mails from Yahoo or Gmail accounts are now available in your WebMail account with the RPOP Templates. Click Add Yahoo! Mail/Gmail, fill in the account name, password, set the retrieval settings and click the Save connection button to create a new RPOP entry containing defaults for the selected provider (Yahoo, Gmail).

By default, a new folder is created in Inbox named 'Gmail mail' or 'Yahoo mail'. The user can choose not to use the default but instead pick a folder from the list (in this case no new folder is created).

WARNING: POP3 access is only available for Yahoo! Mail Plus users.

When you are done configuring these parameters, remember to press the Save connection button.

WebMail Account Information

The Account Information page allows users to view data relative to their mailbox quota. They can verify at any time the total quota of their mailbox, their used and remaining quota. The Total Quota value is set by the server administrator and cannot be modified by the user. For more details see the Account > Quota section. The used and remaining quota values change dynamically as the WebMail account total message size changes.

WebMail Blacklist

When accessing the Blacklist tab in WebMail Settings you can make a list of addresses you do not wish to receive e-mails from. When first accessing this page there are no addresses in the list.

To add an address to the Blacklist type it in the text field and click the Add button. If you entered an address in your list by accident or you do not wish to block it anymore click its corresponding delete button.

Requesting Temporary Addresses

When accessing the Temporary tab you can request one or more temporary addresses (or alias) that can be used for publishing on the web, subscribing to various sites etc. When you click the Generate button the server automatically creates a random valid alias (out of letters and numbers, in the same domain as the user) and activates it.

As long as the addresses exist they are treated as account aliases, meaning mail sent to those addresses is received in the user's Inbox. They can be manually deleted by clicking the Recycle Bin button next to each of them, or they automatically expire after a specified period. The expiry period as well as the number of temporary addresses you can request are set by the server administrator at domain or account level and cannot be modified by the user. For more details see the Configuring Account Quotas and Restrictions and Configuring Quotas and Restrictions sections.

Chapter 7. Using AXIGEN WebMail features in Outlook

This section describes how you can take full advantage of all AXIGEN's features and capabilities when using Outlook as your e-mail client. The AXIGEN Outlook Connector enhances the communication of Microsoft's e-mail client with the AXIGEN server, making available the Personal Organizer, e-mail and contacts management etc.

Installing the AXIGEN Outlook Connector

The AXIGEN Outlook Connector comes with an installation wizard and needs to be set up on each machine using Outlook as an e-mail client and having messaging communications handled by the AXIGEN Mail Server. The installation process is an extremely easy three-step procedure, as shown below.

Important! The AXIGEN Outlook Connector can be installed on the following platforms:

- Windows XP Professional SP 2 with Outlook 2003/SP3 or 2007/SP1
- Windows Vista Business with Outlook 2007/SP1

To run the wizard, double-click the executable file which will then prompt the wizard welcome window. Click Next to start installing.

The second step consists in reading and agreeing to the End-User License Agreement. Click I Agree to start the actual installation process or Cancel to quit installing the connector. Click Back to go back to the welcome window.

If you agree to the product EULA, the AXIGEN Outlook Connector will be installed. To exit the setup wizard, click Finish, as shown below.

After running the setup wizard, you will have to configure Outlook for use with the AXIGEN Outlook Connector. To do so, please follow the steps below:

1. Add a new Outlook profile, if you don't have one:
1.1. Go to Start -> Control Panel -> Mail applet.
1.2. Select 'Show Profiles...' -> 'Add...', add a name for your new profile, select 'Ok'.
2. Add a new account to the profile you have just added:
2.1. From the 'E-mail' section, choose 'Add a new account'.
2.2. In the 'E-mail Accounts' dialog, 'Server Type' section choose 'Additional Server Types'.
2.3. In the 'E-mail Accounts' dialog, 'Additional Server Types' section choose 'Axigen Mail Server'.
3. Fill all required settings for the 'Axigen Outlook Connector' service:

3.1. Fill in the 'Server Name' edit control with the IP or the server name of the AXIGEN Mail Server. If you do not have the required information, please contact your system administrator for more details.
3.2. Fill in the 'IMAP Port' and 'SMTP Port' fields, with the ports on which the IMAP and SMTP services are listening (Example: IMAP / SMTP - 25). If you do not have the required information, please contact your system administrator for more details.
3.3. Enable the 'Windows Native (kerberos)' option so the connector will use the credentials of the logged in user to authenticate to the AXIGEN account (if the server is configured to allow this type of authentication). Enabling this option disables the account name and password fields since the current user credentials from the kerberos ticket will be used.
3.4. Fill in the 'Account Name' and 'Password' fields with the account name and password provided by your mail server administrator.
3.5. Check the 'Use secure authentication' option to instruct the Connector to use secured authentication. If the server is not configured to allow this type of authentication, enabling this option will cause the login to fail.
3.6. Use the 'Remember Password' option so you won't have to type it in each time you open Outlook.
3.7. Click the 'Test Connection...' button to verify that the details you entered are correct and complete and your account is working.
4. Start Outlook and select the profile name you have added at step 1 from the 'Choose Profile' dialog.

Server Side Rules

Users can easily create a filtering system to manage their e-mail flow with the Server Side Rules. When first accessing the Mail Processing Rules window a list of the already defined filters is displayed. If no filter has been previously set the list will be blank.

To edit or delete an existing filter select it and use the Edit or Delete buttons. Change priorities between filters by selecting them and using the Up and Down buttons. Click the New button to create a new filter.

Whether creating a new filter or editing an existing one the options displayed are the same.

- use this icon to add a new criterion and/or a new action;
- use this icon to remove one of the previously created criteria and/or actions.

Select what conditions the messages should meet for the filter to apply. Available options include setting conditions relative to the subject, sender, receiver, Cc, To or Cc, size of the e-mail, as well as a customization option accessible by choosing Custom. Next select if the filtered messages should match all or any of the defined criteria. In the second window edit the conditions previously selected by clicking an underlined value. Click the Cancel or Next button to quit/continue editing the filter.

Further define the actions to be taken (i.e. moving, copying, deleting, or redirecting it to a certain address etc.) if an e-mail message matches the previously specified criteria. In the second window edit the selected actions by clicking an underlined value. Click the Cancel/Next button to quit/continue editing the filter or the Back button to go back to the conditions window.

Finally use the name text field to specify a name for the currently defined filter and enable it by checking the Turn on this rule option. Review the rule description to make sure it is defined correctly and click the Finish button. You can quit editing the rule by clicking Cancel or go back to the Actions window by hitting the Back button.

Folder Sharing

To control a folder's sharing permissions, go to the tree folder on the left, right click on the folder you wish to set permissions on, choose Sharing or Properties and in the new window select the Folder Permissions tab. When accessing this tab for a folder a list of the already defined permissions is displayed. If no permission has been previously set the list will be blank.

Check the Apply to subfolders option so the permissions set for the current folder will be automatically applied to its sub-folders.

Click the Add button to add a user or a group of users and set the permission level on the folder. There are 6 levels to choose from:

- No access (all permissions are denied)

- Viewer (view and read folder is allowed)
- Contributor (view, read folder and add items is allowed)
- Editor (view, read folder, set/clear flags, add items, mark items as deleted/not deleted and expunge is allowed)
- Master (all permissions are allowed)
- Custom (each permission is defined individually according to your needs)

Each permission may be allowed explicitly, denied explicitly or not specified. Permissions act hierarchically (are inherited on the group hierarchy). Additionally, resource hierarchies (a folder being parent to another folder) also benefit from the inheritance algorithm.

In the Effective Permissions tab you will be able to see what permissions are specifically allowed or not.

IMPORTANT! In the same way domain Postmasters set permissions for Public Folders.

7.4. Open/Close other user's folders

To have access to folders shared by other users go to the Tools menu > Axigen Mail Server > Open other user's folder or right click on a folder in the folder tree and choose Open other user's folders... from the contextual menu.

A warning will pop up asking you to allow access to the addresses stored in Outlook. Check the Allow access for option, choose the desired time interval from the drop-down menu and click Yes.

The address book will open and you will be able to select from the list or type the address of the user whose folder you wish to subscribe to.

WARNING! This option works only for users in the same domain that have set one of the permissions level (except No access).

The folder will appear in the Shared Folders section of your folder tree.

If you do not wish to see the folders shared by a certain user anymore close them by going to Tools > Axigen Mail Server > Close other user's folders or right click on a folder in the folder tree and choose Close other user's folders from the contextual menu. In the new window that will pop up select the user and click Ok.

Manage Global Permissions

To manage the Read free/busy status and Send Mail As permissions in Outlook go to Tools > Axigen Mail Server > Manage Global Permissions.

In the new window a list of users that have either of the two permissions defined is displayed. Each user in the list can be deleted or configured using the Delete and Edit buttons.

To add a user to the list click the Add button. In the new window click the Select user button to open the address book and choose a contact, then check the Allow or Deny options for the two permissions.

When clicking the Select user button a warning will pop up asking you to allow access to the addresses stored in Outlook. Check the Allow access for option, choose the desired time interval from the drop-down menu and click Yes.

In the Effective Permissions tab you will be able to see what permissions are specifically allowed or not.

Chapter 8. Administration Tools Overview

AXIGEN Mail Server provides several alternatives for mail server administration.

WebAdmin

WebAdmin is a central administration Web interface that allows configuring the mail server using a tab-organized GUI. Allowing secure access (HTTPS protocol), WebAdmin provides fully described parameters (long description, default values, possible values, suggested values). WebAdmin allows configuring the server remotely, over the Internet, and provides access to most parameters for every module. This configuration method is highly intuitive, has a fast learning curve and can be used by anyone with user-level skills. For detailed information on how to use WebAdmin, see Configuring AXIGEN using WebAdmin.

CLI - Command line configuration interface

CLI is a TCP service with specified dedicated socket accessible using Telnet applications and Netcat. CLI provides added functionality as, apart from providing an alternate method of performing basic configuration tasks, it allows automating administration tasks using scripts (adding users, migration). For detailed information on how to use CLI, see Configuring AXIGEN using CLI.

Delegated Administration

Delegated administration enables the easy creation of administrative groups, with predetermined membership hierarchies and permissions, assigned to specific domains. Administrative users can further be created within one or more of the available groups. An administrative user will then automatically inherit the parameters of the group it is being created in.

Administrative users can be assigned to one or more groups with a few mouse clicks. Membership can be limited or expanded by the system administrator at any time. Permissions are assigned to each user through a Quick Add button and allow in-depth configuration. Fine-tune user access by allowing or denying permissions at server and domain management level.

For example, a certain user cannot create accounts or access the WebMail service, while being able to create public folders and configure CLI service parameters. Delegated administration options are implemented by AXIGEN's AACL module, which comes with a distinct storage that handles permissions for all administrative users. For detailed information on how to set Delegated Administration parameters, see the Administration Rights Section.

Config file

The configuration file, axigen.cfg, is a text file that you edit manually to perform extensive configuration. This administration method allows fine-tuning the server's functioning to the existing hardware configuration and mailing requirements. Experienced System Administrators have a readily accessible method of setting both basic and very advanced parameters directly, without going through an administration interface. For information on using the axigen.cfg file, see the subsequent page.

8.1. Working with axigen.cfg

The general server configuration file currently used by AXIGEN Mail Server is located by default in /var/opt/axigen/run/axigen.cfg (Linux/Solaris) or /var/axigen/run/axigen.cfg (*BSD). A sample configuration file can also be found in the /opt/axigen/share/examples directory. The axigen.cfg file includes the complete specifications for AXIGEN configuration. Besides containing configuration data specific for AXIGEN modules, axigen.cfg is also used for specifying the primary domain for AXIGEN server (primarydomain). Using axigen.cfg, you have access to all AXIGEN Mail Server configuration parameters. Using a text editor, you can manually edit the parameter values and modify the server configuration. The configuration file also contains information on default and possible values and a short explanation for each parameter. The same options are available when using WebAdmin, except that changes to the configuration are made through the Web GUI. Detailed information on how to configure each parameter and information on its functions are given in the Configuring AXIGEN using WebAdmin sub-sections.

Restrictions

When working with axigen.cfg file, you need to follow the restrictions listed below:
maximum attribute name length: 64
maximum attribute value length: 128 (expressed as string in configuration file). Each STRING value is limited to this length, 255

Note: Each time you modify the main configuration file, a reload signal must be sent to AXIGEN, in order to load the new configuration settings.

Definitions

Important! All time attributes (timeouts and time intervals) are specified in seconds. All data sizes are specified in KB.

When working with axigen.cfg file, the following terms should be used with the meanings specified below:
UINT: an unsigned integer.
STRING: a case insensitive string, possibly quoted using double quotes.
CS_STRING: a case sensitive string, possibly quoted using double quotes.
IP: an IPv4 address in decimal numbers-and-dots format, i.e.:
IP_SET: a set for IPv4 addresses specified in one of the following modes: 1. IP interval IP address/ip mask / IP address/ip mask size /8
IP_PORT: an IPv4 address in decimal numbers-and-dots format followed by a ":" char and a decimal port number, i.e.: :25
CHOICE: a single STRING from a specified set of STRINGs, i.e.: "yes" from ("yes" "no") set
CHOICE-SET: a subset of STRINGs from the specified set of STRINGs; the subset must be specified between round parentheses ()

Structure of the axigen.cfg file

In axigen.cfg, all objects and attributes are commented using a hash character (#). Also, any block inside /*... */ is treated as a comment. Default values, restrictions and examples for each attribute are provided as comments. The file is structured based on main configuration objects (server, main services). The attributes corresponding to one object are enclosed in curly brackets {}. The values of an attribute are enclosed in parentheses (). When several objects are grouped in an object set, they are also enclosed in parentheses (). Levels of subordination are indicated by indentation (upper levels will be left-aligned). For instance, this is how the beginning of the section for the SMTP-In service looks in the text file. All you have to do is manually edit the values of the parameters, as instructed in the # lines.

# SMTP service
# TYPE: SMTP-OUTGOING-SERVICE OBJECT
smtpoutgoing = {
    # maximum number of threads handling remote SMTP delivery
    # TYPE: UINT
    # MIN-MAX:
    # DEFAULT: 20
    maxconnthreads = 20
    # minimum number of threads handling remote SMTP delivery
    # TYPE: UINT
    # MIN-MAX:
    # DEFAULT: 2
    minconnthreads = 2
    # service's logging level
    # TYPE: UINT
    # MIN-MAX: 0-31
    # DEFAULT: 15
    loglevel = 15
    # service's logging type
    # TYPE: CHOICE internal system remote
    # DEFAULT: internal
    logtype = internal
    # service's remote logging host (used only if logtype=remote)
    # TYPE: IP_PORT
    # VALIDITY: only host IP addresses
    # DEFAULT: :2000
    loghost = :2000
    # list of rules to be applied by the relay module when connecting to a relay server
    # There is always defined a 'catch all' client rule with the following attributes:
    # priority =
    # patternin = "*"
    # patternout = "*"
    # authuser = ""
    # authpass = ""
    # maxconnections = 5
    # smtpport = 25
    # smtpip = (use client MX)
    # requestauth = no
    # allowstarttls = yes
    # secureconnauthtypes = ( all )
    # plainconnauthtypes = ( all )
    clients = (
        {
            # priority for this rule, 1 is highest
            # TYPE: REQUIRED UINT
            # MIN-MAX: (1001 is reserved for catch all clients)
            # DEFAULT: N/A
            priority =
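The syntax rules and length restrictions described for axigen.cfg can be checked mechanically before a reload signal is sent. The following is an added example, not part of the AXIGEN manual or product: it parses only the constructs the manual names (# and /* */ comments, {} objects, () sets, double-quoted strings), the sample configuration is constructed, and flagging all, plain and login in plainconnauthtypes as cleartext-capable is an assumption based on how the PLAIN and LOGIN mechanisms work.

```python
import re

MAX_NAME_LEN = 64     # manual: "maximum attribute name length: 64"
MAX_VALUE_LEN = 128   # manual: "maximum attribute value length: 128"
# Assumption (not from the manual): PLAIN/LOGIN send the password only base64-encoded.
CLEARTEXT_AUTH = {"all", "plain", "login"}

TOKEN = re.compile(r'''
    (?P<skip>/\*.*?\*/ | \#[^\n]* | \s+)   # block comment, hash comment, blanks
  | (?P<quoted>"[^"\n]*")                  # STRING in double quotes
  | (?P<punct>[{}()=])
  | (?P<bare>[^\s{}()="#]+)                # attribute name or unquoted value
''', re.VERBOSE | re.DOTALL)

def tokenize(text):
    """Split the text into (kind, text) tokens, dropping comments and whitespace."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        if m.lastgroup != "skip":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens + [("eof", "")]

def parse(text):
    """Parse a whole file into nested dicts (objects) and lists (sets)."""
    return _attributes(tokenize(text), 0, ("eof", ""))[0]

def _attributes(tokens, i, closer):
    # Read `name = value` pairs until the closing token; return (dict, next index).
    attrs = {}
    while tokens[i] != closer:
        kind, name = tokens[i]
        if kind != "bare" or tokens[i + 1] != ("punct", "="):
            raise ValueError(f"expected 'name =' near {name!r}")
        attrs[name], i = _value(tokens, i + 2)
    return attrs, i + 1

def _value(tokens, i):
    # A value is an object {...}, a set (...), or a quoted / unquoted scalar.
    kind, text = tokens[i]
    if (kind, text) == ("punct", "{"):
        return _attributes(tokens, i + 1, ("punct", "}"))
    if (kind, text) == ("punct", "("):
        items, i = [], i + 1
        while tokens[i] != ("punct", ")"):
            item, i = _value(tokens, i)
            items.append(item)
        return items, i + 1
    if kind in ("quoted", "bare"):
        return (text[1:-1] if kind == "quoted" else text), i + 1
    raise ValueError(f"unexpected token {text!r}")

def lint(node, path=""):
    """Return (path, problem) pairs for one parsed object and everything below it."""
    findings = []
    for name, value in node.items():
        where = path + name
        if len(name) > MAX_NAME_LEN:
            findings.append((where, f"attribute name exceeds {MAX_NAME_LEN} characters"))
        items = value if isinstance(value, list) else [value]
        for n, item in enumerate(items):
            if isinstance(item, dict):
                sub = f"{where}[{n}]." if isinstance(value, list) else where + "."
                findings += lint(item, sub)
            elif isinstance(item, str) and len(item) > MAX_VALUE_LEN:
                findings.append((where, f"value exceeds {MAX_VALUE_LEN} characters"))
        if name.lower() == "plainconnauthtypes":   # STRING values are case insensitive
            weak = sorted(CLEARTEXT_AUTH & {i.lower() for i in items if isinstance(i, str)})
            if weak:
                findings.append((where, "cleartext-capable auth on unencrypted connections: " + ", ".join(weak)))
    return findings

SAMPLE = '''# constructed sample, modelled on the smtpoutgoing excerpt
smtpoutgoing = {
    maxconnthreads = 20
    /* block comment, ignored:
       loglevel = 31 */
    loglevel = 15
    clients = (
        {
            priority = 10                       # constructed value
            patternin = "*"
            authuser = "%s"
            plainconnauthtypes = ( all )
        }
        {
            plainconnauthtypes = ( cram-md5 )   # value spelling is an assumption
        }
    )
}
''' % ("u" * 129)   # 129-character value, one over the documented limit

if __name__ == "__main__":
    for where, problem in lint(parse(SAMPLE)):
        print(f"{where}: {problem}")
```
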

Chapter 9. Configuring AXIGEN using WebAdmin

WebAdmin Overview

AXIGEN WebAdmin is the recommended administration tool for AXIGEN. While alternative methods are provided (Command Line Interface, text-editable configuration file), WebAdmin is the most intuitive and user-friendly tool. WebAdmin is a web-based configuration interface, tested for Mozilla and Internet Explorer, which gives you access to all configuration parameters for all services in AXIGEN Mail Server. Functionally, it is considered an AXIGEN service, and it can be started and stopped at any time. WebAdmin is enabled by default in the latest versions of AXIGEN Mail Server, and can be accessed by default on the :9000 address. For information on how to set the WebAdmin interface and set the WebAdmin admin password using the AXIGEN Configuration Wizard, see the corresponding section of this manual. The current chapter, Configuring AXIGEN using WebAdmin, is dedicated to the configuration options provided in WebAdmin, acting as a complete Administration Guide for AXIGEN Mail Server. It provides information on the configuration of all parameters included in the respective tabs.

WebAdmin Features

The WebAdmin service offers a wide range of functionalities which make it extremely configurable and secure.

Thread Management

AXIGEN can run on a large variety of systems and machines, in networks with very different traffic loads, structures, domain configurations, user rights, authorization procedures, etc. Depending on your specific network specifications and conditions, you can adapt the workload to the server's processing power, in order to prevent a system overload or to improve server performance by setting different numbers of processing threads for the WebAdmin service, depending on your traffic load. First, system administrators need to set a number of threads to be allotted when the WebAdmin service is started. To efficiently manage peak periods, a corresponding number of threads is allotted for overloads caused by high traffic. For information on how to configure connection thread control parameters for WebAdmin, see WebAdmin Thread Management.

Log Control

Just like all the other AXIGEN main services, the WebAdmin module can log different types of events. The system administrator can specify what events are logged, where and how they are logged. See Logging service for more details on logging in AXIGEN. For information on how to configure log control parameters for WebAdmin, see WebAdmin Log Control.

WebAdmin Flow Control

In WebAdmin, to efficiently manage the traffic flow, you can allow a maximum number of simultaneous connections, a maximum number of connections from a distinct remote IP, and further fine tune your options by limiting the number of total connections or connections from a certain IP in a given time frame. For information on how to configure flow control parameters for WebAdmin, see Access and Flow Control Rules.

HTTP Protocol Options for WebAdmin

WebAdmin allows you to set HTTP limits for any request made to the WebAdmin service. This prevents you from automatically accepting excessive amounts of data (HTTP headers, HTTP body and upload data). For information on how to configure HTTP limits for WebAdmin, see WebAdmin HTTP Protocol Options.

Session Options for WebAdmin

In WebAdmin, you can impose time limits on sessions, either active or idle. By doing this, you can better manage security and resource related issues. For information on how to configure connection and session control parameters for WebAdmin, see WebAdmin Session Options.

Working with WebAdmin

WebAdmin has several tabs, listed on the left hand side, each of them corresponding to a certain section (Global Settings, Domain & Accounts, Administrative Rights, etc). Sections can be expanded - to see the tabs they contain - and retracted by clicking the section name. When you first log in, the Overview page displays a server summary (containing version, permission, running services and antivirus/antispam information). It also displays a list of Quick Links for some of the most commonly used configuration pages, grouped under three main sections: Domain & Accounts, Server Maintenance and Services & Security.

238 Below are described some basic principles you should keep in mind while working with AXIGEN WebAdmin. Saving the Configuration in WebAdmin After changing any parameter value in WebAdmin, you need to save the new values in the configuration files. In order to do this, you need to press the Save Configuration button available on all tabs, pages and sub-pages where needed. In the example below, a random password set for a user account is being saved. Confirmation / Error Messages After each command issued, you should check the confirmation message displayed in the upper section of the page. In the example below, parameters of an account have been changed successfully. In the following example, an account creation operation has failed and you are informed on this status both in the upper section of the WebAdmin page: 238

239 Displaying/Hiding the Contextual Help Starting with version 5.0, the WebAdmin Interface implements a Contextual Help feature, which guides system administrators through their daily actions by explaining all the available options and parameters. Contextual Help is activated by default and displayed in the right hand side of each page. To close the Contextual Help window, hit the question mark button as shown in the above screenshot. Once deactivated, you can open it again by hitting the same button, as shown below: 239

9.1. Configuring Global Settings

The Global Settings tab gives access to a few general parameters and to registering the AXIGEN Mail Server with your license key. It also displays all the information concerning the uploaded license key. In the Primary Domain text field, the domain currently set as primary is displayed. Use this field to change it to another existing domain. The SSL Random File text field is used to specify the path to the file with random seed data, used first by the SSL library to seed the random number generator. To have the disk input/output buffering activated, please check the Enable disk I/O buffering option. To upload a license key file in the WebAdmin interface, hit the Upload new key button and browse to its current location on your computer. After successfully uploading it, all the details relative to the license type - including company, expiry date, version, included add-ons, and different counters for mailboxes, domains, etc - will be displayed. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

9.2. Managing AXIGEN Services

The Services section enables system administrators to manage and configure the SMTP Receiving, SMTP Sending, IMAP, POP3, WebMail, WebAdmin, DNR, Remote POP and CLI services of the AXIGEN Mail Server. The subsequent configuration pages of this section contain information on logging, error control, thread management and other service-specific parameters.

Configure the Running Services

The Service Management tab allows you to monitor and configure the AXIGEN Mail Server's running services. By default, when installing AXIGEN Mail Server, the following services will be running: SMTP, IMAP, POP3, WebMail and WebAdmin. Use the Start, Stop and Restart action buttons to specify what services should be run by AXIGEN Mail Server. AXIGEN can run with any number of these services inhibited.

SMTP Receiving Tab

The SMTP Receiving tab allows you to configure parameters relative to this specific service's configuration, to add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the Listeners chapter. Through Service Configuration system administrators can manage logging, looping, error and thread control parameters.

Logging

You can select several types of messages to be logged for the SMTP Receiving service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Loop Protection

A looping message is an e-mail sent from one mail server to another, without reaching its destination. Whenever it is received by a mail server, the message will have a received header added. To prevent such e-mails from increasing your mail server's traffic, check the Loop Protection option and set a number of maximum received headers for all received e-mails. Values range from 1 to 1000, however the default 30 value is recommended.

Error Control

To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts, check the respective options in the Error Control area. Use the up and down arrows corresponding to each of these options to set a specific number of errors.

243 Thread Management Thread management allows you to set different numbers of processing threads for the SMTP Receiving service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the SMTP Receiving service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes SMTP Sending Tab The SMTP Sending tab allows you to configure parameters relative to the log service and thread control. Logging You can select several types of messages to be logged for the SMTP Sending service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. Thread Management 243

244 Thread management allows you to set different numbers of processing threads for the SMTP Sending service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the SMTP Sending service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes IMAP Tab The IMAP tab allows you to configure parameters relative to this specific service's configuration, to add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the Listeners chapter. Through Service Configuration system administrators can manage logging, authentication and encryption, error and thread control parameters. Logging You can select several types of messages to be logged for the IMAP service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. Encryption and Authentication 244

By checking the Allow StartTLS option, you allow sending the STARTTLS command for encrypting the connection if the server supports this command. Select the allowed authentication types the AXIGEN Mail Server should use for its IMAP secure connections (SSL/TLS) in the SECURE connections check list. Possible options are: normal login, plain, login, cram-md5, digest-md5 and gssapi. By default, all these methods are selected (all types of authentication are allowed on a secure connection). The methods are further divided into two categories: secure and unsecure. Select the allowed authentication types the AXIGEN Mail Server should use for its IMAP unsecure connections in the UNSECURE connections check list. Possible options are: normal login, plain, login, cram-md5, digest-md5 and gssapi. By default, all these methods are selected (all types of authentication are allowed on an unsecure connection). The methods are further divided into two categories: secure and unsecure.

Error Control

To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts, check the respective options in the Error Control area. Use the up and down arrows corresponding to each of these options to set a specific number of errors.

Thread Management

Thread management allows you to set different numbers of processing threads for the IMAP service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the IMAP service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number.
When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes POP3 Tab The POP3 tab allows you to configure parameters relative to this specific service's configuration, to add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the Listeners chapter. 245

Through Service Configuration system administrators can manage logging, authentication and encryption, error and thread control parameters.

Logging

You can select several types of messages to be logged for the POP3 service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Encryption and Authentication

By checking the Allow StartTLS option, you allow sending the STARTTLS command for encrypting the connection if the server supports this command. Select the allowed authentication types the AXIGEN Mail Server should use for its POP3 secure connections (SSL/TLS) in the SECURE connections check list. Possible options are: normal login, plain, login, cram-md5, digest-md5 and gssapi. By default, all these methods are selected (all types of authentication are allowed on a secure connection). The methods are further divided into two categories: secure and unsecure.

247 Select the allowed authentication types the AXIGEN Mail Server should use for its POP3 unsecure connections in the UNSECURE connections check list. Possible options are: normal login, plain, login, cram-md5, digest-md5 and gssapi. By default, all these methods are selected (all types of authentication are allowed on an unsecure connection). The methods are further divided into two categories: secure and unsecure. Error Control To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts, check the respective options in the Error Control area of the POP3 service. Use the up and down arrows corresponding to each of these options to set a specific number of errors. Thread Management Thread management allows you to set different numbers of processing threads for the POP3 service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the POP3 service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes WebMail Tab The WebMail Tab allows you to configure parameters relative to this specific service's configuration, to add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the Listeners chapter. Through Service Configuration system administrators can manage logging, HTTP protocol, WebMail session and thread management parameters. 247

248 Logging You can select several types of messages to be logged for the WebMail service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. HTTP Protocol Options By checking the Allow HTTP Keep-Alive option, you allow permanent HTTP connections for the WebMail service. Next, you can set the HTTP limits for WebMail requests. Use the Limit HTTP Request header to option in order to specify the maximum allowed size for incoming HTTP headers, and the Limit HTTP Request body to option in order to specify the maximum allowed size for incoming HTTP body. The third option, Limit file uploads, can be used to set the maximum allowed size for incoming upload data. It applies to attachments, mail body and contact import operations. All size values can be set by using the up and down arrows, in KB or MB. 248

249 Select the appropriate action to be taken when the incoming data is over the set limits by using the If any of the above limits is exceeded option. Use the drop-down menu in order to choose between closing the connection immediately or allowing all data to be sent. Webmail Options Use the Allow domain selection on login option in order to display or not the domain list when logging in to WebMail. Enable it by just checking the box in front of the option. Set the parameters for WebMail sessions by using the two options under Session. You can specify after how many seconds an inactive (idle) WebMail session is closed, and specify after how many seconds a WebMail session is closed, even if activity exists. Values for these parameters can be entered only in seconds, by using the up and down arrows. Thread Management Thread management allows you to set different numbers of processing threads for the SMTP Receiving service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the SMTP Receiving service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes WebAdmin Tab The WebAdmin Tab allows you to configure parameters relative to this specific service's configuration, to add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the Listeners chapter. Through Service Configuration system administrators can manage logging, HTTP protocol, WebAdmin session and thread management parameters. 249

250 Logging You can select several types of messages to be logged for the WebMail service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. HTTP Protocol Options By checking the Allow HTTP Keep-Alive option, you allow permanent HTTP connections for the WebAdmin service. Next, you can set the HTTP limits for WebMail requests. Use the Limit HTTP Request header to option in order to specify the maximum allowed size for incoming HTTP headers, and the Limit HTTP Request body to option in order to specify the maximum allowed size for incoming HTTP body. The third option, Limit file uploads, can be used to set the maximum allowed size for incoming upload data. It applies to attachments, mail body and contact import operations. All size values can be set by using the up and down arrows, in KB or MB. 250

251 Select the appropriate action to be taken when the incoming data is over the set limits by using the If any of the above limits is exceeded option. Use the drop-down menu in order to choose between closing the connection immediately or allowing all data to be sent. WebAdmin Options Set the parameters for WebAdmin sessions by using the two options under Session. You can specify after how many seconds an inactive (idle) WebAdmin session is closed, and specify after how many seconds a WebAdmin session is closed, even if activity exists. Values for these parameters can be entered only in seconds, by using the up and down arrows. Thread Management Thread management allows you to set different numbers of processing threads for the SMTP Receiving service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the SMTP Receiving service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes DNR Tab The DNR tab allows you to configure parameters relative to logging, DNR Options and Nameservers. Logging 251

252 You can select several types of messages to be logged for the POP3 service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. DNR Options This section allows you to configure the general parameters relative to the DNR service. Use the First Query Timeout option in order to specify after how many seconds the first DNR query is closed by AXIGEN Mail Server. The values for these parameters can be entered by using the up and down arrows, and are only expressed in seconds, ranging from 1 to 120 seconds. NOTE: After each retry, the set timeout is doubled. In the Max. number of retries field you can specify the maximum number of DNR queries retries to be executed by AXIGEN Mail Server. Use the up and down arrows to enter the values of the parameter. The No. of cached results option enables you to specify the number of results (IP addresses) cached for each DNR query type to be executed by AXIGEN Mail Server. The default value is 1000 IPs. Nameservers You can edit the list of known name (DNS) servers (specified in the operating system configuration) used by AXIGEN Mail Server when performing DNR searches. To edit one of the defined name servers, just change the values of the corresponding fields and then save the configuration. In the Address field, specify the IP address of the name 252

253 server. The parameters corresponding to the Query Timeout and Retries fields can be configured according using the guidelines in the DNR Options section, available above. To add a new name server, hit the Add Nameserver button displayed in the upper right corner of the Nameservers section. Type the nameserver address in the text box then click on Quick Add. The Query Timeout and number of Retries can be set when adding the nameserver or later. The Actions field allows you to specify the priority level for the defined name servers. Use the available up and down arrows in order to set the order in which name servers are searched (the ones with higher priority, to the top of the list, will be queried first). When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes Remote POP Tab The Remote POP tab allows you to configure parameters relative to logging and thread management. Logging You can select several types of messages to be logged for the CLI service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. 253

254 Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. Thread Management Thread management allows you to set different numbers of processing threads for the RPOP service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the RPOP service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes CLI Tab The CLI tab allows you to configure parameters relative to this specific service's configuration, to add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the Listeners chapter. Through Service Configuration system administrators can manage logging, authentication and encryption, error and thread control parameters. Logging You can select several types of messages to be logged for the CLI service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from whiter to gray. Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved. 254

CLI Options

To set a limit for the number of commands allowed to be issued before having authenticated on CLI, check the respective option under CLI Options and use the up and down arrows to choose the desired number. The default value is 20 commands.

Error Control

To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts, check the respective options in the Error Control area. Use the up and down arrows corresponding to each of these options to set a specific number of errors.

Thread Management

Thread management allows you to set different numbers of processing threads for the CLI service, depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the CLI service is started. To have a different number of threads for peak periods, check the overload option and use the up and down arrows to choose the thread number.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.
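How the CLI Options and Error Control limits bound what a single unauthenticated connection can attempt, as an added Python model (not AXIGEN code). The event names, the two error thresholds and the rule that a session closes once a counter reaches its limit are assumptions; only the default of 20 pre-authentication commands comes from the manual.

```python
from dataclasses import dataclass

EVENTS = ("cmd", "bad", "auth_ok", "auth_fail")  # hypothetical event names


@dataclass(frozen=True)
class CliLimits:
    max_preauth_commands: int = 20  # default stated in the manual
    max_invalid_commands: int = 5   # assumed value, not from the manual
    max_failed_auth: int = 3        # assumed value, not from the manual


class CliSession:
    """Counters kept for one CLI connection."""

    def __init__(self, limits):
        self.limits = limits
        self.authenticated = False
        self.preauth = 0
        self.invalid = 0
        self.failed_auth = 0

    def feed(self, event):
        """Return None to keep the session open, or the limit that closes it."""
        if event not in EVENTS:
            raise ValueError(f"unknown event: {event}")
        # Assumption: every command sent before a successful login counts,
        # including the login attempts themselves.
        if not self.authenticated:
            self.preauth += 1
            if self.preauth > self.limits.max_preauth_commands:
                return "preauth_commands"
        if event == "bad":
            self.invalid += 1
            if self.invalid >= self.limits.max_invalid_commands:
                return "invalid_commands"
        elif event == "auth_fail":
            self.failed_auth += 1
            if self.failed_auth >= self.limits.max_failed_auth:
                return "failed_auth"
        elif event == "auth_ok":
            self.authenticated = True
        return None


def replay(events, limits=CliLimits()):
    """Replay a session; return (index, reason) of the closing event or None."""
    session = CliSession(limits)
    for index, event in enumerate(events):
        reason = session.feed(event)
        if reason:
            return index, reason
    return None


def guesses_per_connection(limits):
    """Upper bound on password guesses one connection can make under this model."""
    return min(limits.max_failed_auth, limits.max_preauth_commands)


if __name__ == "__main__":
    # Constructed sessions, not captured traffic.
    print(replay(["cmd"] * 25))
    print(replay(["auth_fail"] * 5))
    print(guesses_per_connection(CliLimits()))
```

Because the limits apply per connection, they slow password guessing only when the listener rules also restrict how often one client can reconnect.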

9.3. Domains and Accounts

The Domains and Accounts section gives access to managing and configuring domains, accounts, mailing lists, groups, public folders and account classes.

The Manage Domains Tab

When first entering the Domains tab, a list of the previously defined domains is displayed. If you have defined a large number of domains, you can quickly locate a certain one using the Domain Search option. The domain list is filtered as you type.

To edit an already defined domain, hit the Edit button on the right side of its name. To delete it, hit its respective Delete button. Should you like to add a new domain, hit the Add Domain button displayed in the upper right corner of the Domain list.

To add a new domain, first type the name of your domain in the Domain Name text box and set the Postmaster Password in its respective text area, or click the Set Random button to select a random password combination. When using this button, the randomly assigned password is displayed under it.

Check the Enable MACL Support option so users belonging to this domain will be able to set different permission levels on their folders in order to share them.

Only at domain creation do you have the option to configure storage location details by clicking the Show button. Detailed information on storage is available in the corresponding Mail Server Architecture chapter.

Use the Quick Add button to create the domain using the default settings or hit the Advanced Config link to further fine tune it. When pressing the Edit button for an existing domain or the Advanced Config link, you access the five pages shown in the screenshot below. The name of the configured domain is listed in the upper section of the screen at all times.

Domains General Configuration

The Manage Domains > General tab allows system administrators to set the running services for a specific domain and other domain related parameters. Use the Domain name text field to edit the name of the domain you are currently modifying or creating. To edit the IP dedicated to a specific domain, use the Assigned IP text field.

Should you like to have the accounts created for a specific domain included in AXIGEN's public address book, make sure to have the corresponding option checked. To have the domain included in the WebMail interface domain selection list, check the respective option. Check the Automatically create LDAP authenticated users option so the LDAP defined users are created when they log in to a service that requests authentication.

To further have a specific login page displayed for certain requests, you will have to add a host header. To do so, type a name for your host header and hit the Add button. To delete one of the host headers, use its assigned Delete button.

The services section displays the list of domain services and their current status. To enable or disable a service, use the respective buttons corresponding to that service's name. Please note that at domain level, only services affecting domain behavior are displayed - SMTP Receiving, SMTP Sending, POP3, IMAP, Remote POP and WebMail.

Within the Catch-all section, system administrators can further decide how to treat e-mails sent to users that do not exist in the edited domain. The available options in the selection box are to have them rejected, to redirect them to one of the existing public folders or to redirect them to a catch-all account. If the e-mails are redirected to an account, you can also specify a folder for the e-mails to be stored in, using the Change folder button.

The General page also displays specific details about the currently edited domain in the Info section. The information refers to the MACL Support status, domain creation date and date and time details for the last modification and login.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Defining Domain Aliases

The Manage Domains > Domain Aliases page allows system administrators to create a list of aliases for a certain domain. The page displays a list of previously defined aliases. Each can be edited using the text field listed under Address. To delete an alias, use its corresponding Delete button. To add a new alias, type its name in the upper right corner text field and hit the Add Alias button.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Domain Message Filters Page

The Manage Domains > Message Filters page helps system administrators create and manage incoming message rules and AntiVirus / AntiSpam filters for a specific domain.

Important! Domain level rules for this domain will run after any existing Server level rules (common actions will be overridden). AntiVirus / AntiSpam filters enabled at domain level provide the accounts in this domain with an additional filtering layer.

When first accessing the page, a list with the already defined rules and filters is displayed. Both lists can be minimized or maximized by clicking the list name bar. Each message rule and filter has an Enabled/Disabled status displayed and, next to it, the Enabled/Disabled button displays the opposite action of the status. Priorities between enabled AntiVirus / AntiSpam filters or message rules can be changed using the up and down arrows under the Priority section.

To add a new rule for the configured domain, click the Add Message Rule button. Rules can be deleted or further configured using the Delete and Edit buttons.

Type a name for the incoming message rule in the Message rule name text field and check the Enable this incoming rule option to activate it.

Further select if the messages filtered should match all or any of the defined criteria set below. You can add as many conditions as you wish by clicking the Add Condition button. Use the Add Action button to define the actions to be taken if an e-mail message matches the specified criteria.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Configuring the Message Appender

The Manage Domains > Message Appender page allows system administrators to create an appender that will be attached to all messages sent by the respective domains. To have the text you want appended to all sent messages, check the Enable Message Appender for this domain option and edit the text in the available text box.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Managing Account Defaults

The Manage Accounts > Account Defaults page defines default values for the parameters that will be automatically inherited by all new accounts and account classes, and can be explicitly set (overridden) in the advanced configuration of the respective account or account class.

The page gives access to three different sub-pages:

General - allowing system administrators to set running services to be inherited
Quotas and Restrictions - enabling admins to set certain limits for mailbox level, folder level, notification, password policy, etc.
Message Filters - allowing the creation of message rules

Account Defaults General Parameters

The Account Defaults > General subpage lists the currently enabled or disabled services at domain level. When such a service is stopped or started at domain level, the accounts within the specific domain will inherit this configuration. To enable or disable a service, use the respective buttons corresponding to that service's name. Please note that at domain level, only services affecting domain behavior are displayed - SMTP Receiving, SMTP Sending, POP3, IMAP, Remote POP and WebMail.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Configuring Account Quotas and Restrictions

The Quotas and Restrictions subpage contains parameters relative to mailbox and folder level, notifications to be sent to account users and restrictions imposed at domain level for all created accounts.

Managing Account Quotas

At mailbox level, the total mailbox size, the total number of folders and the total number of messages can be limited by selecting the respective options in the Mailbox area and using the up and down arrows to adjust the limits to the desired value. For the total size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

At folder level, system administrators can set limits for the size of each folder and the total number of messages per each folder by checking the respective options in the Folders section and using the up and down arrows to adjust the limits to the desired value. For the folder size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

To have account users notified when they reach a certain level of their allowed quota through a pop-up displayed when accessing the WebMail interface, check the respective option in the Notifications section and use the up and down arrows to increase or decrease the default percentage of the quota. When this option is checked, the users are also notified at every login. You can set the frequency of these login notifications using the up and down arrows corresponding to this additional option. To select if the respective value is calculated in seconds, minutes, hours or days, check the respective drop-down menu.

System administrators can further edit the content of the notification in the Notification content section. To edit the text displayed, use the Subject and Body text fields. To insert more values in the body, use the available buttons - Domain, Account, Full name, Notification threshold percentage, Size quota, Size used, Size used (%), Count Quota, Count Used, Count Used (%).

Configuring Restrictions

Password Policy Enforcement

System administrators can define a Password Policy to be enforced when an account is created for a respective domain. First of all, they can set a minimum and maximum number of characters for each password, using the up and down arrows or directly editing the text field of the Password length parameters. They can further select from the Password must include drop-down menu if passwords should include letters, letters and numbers or letters, numbers and special characters.

Session restrictions

The number of POP3, IMAP and WebMail sessions can be limited for all accounts of a certain domain. To select the desired value, use the up and down arrows or directly edit the text fields pertaining to each type of session. POP3 and IMAP sessions take values from 1 to 16, while WebMail sessions take values from 1 to

WebMail Restrictions

To limit the size of message attachments, check the respective option in the WebMail section and use the up and down arrows to select the desired size. To have the size measured in KB, MB or GB, use the available drop-down menu.

Use the up and down arrows of the Limit number of attachments per message option or edit its corresponding text field to set a maximum number of attachments allowed for messages sent or received from any account using the WebMail interface.

Check the Limit message size option to set a maximum size for messages sent and received through the WebMail interface. To do so, use the up and down arrows to select the desired size or edit the corresponding text field.

The Limit number of recipients option allows you to configure a maximum number of recipients for WebMail messages, using the up and down arrows to select the desired size or editing the corresponding text field.

To set the HTML Body Filtering Level for all domain accounts when connected via WebMail, use the available slider. The HTML filtering levels stand for the following:

No Filtering

Low level filtering - converts the message to standard XHTML
Medium level filtering - generates the body based on a list of known/allowed attributes and tags. Anything that is not on this 'allowed list' is removed. This level removes JavaScript, styles, etc.
High level filtering - generates the body based only on text components. This means that only plain text components remain in the message. This fourth level is the strictest and may actually damage some formatting, but it is also the safest.

Message Sending Restrictions

Limits imposed on sent messages offer system administrators an easy way to prevent account users from generating spam. They can thus set a maximum number of messages, their total size and the period in which these are sent, using the up and down arrows to select the desired size or editing the corresponding text field. To have message size calculated in KB, GB or MB, use the respective drop-down menu. The time frame for the maximum number of messages can be set to be calculated in seconds, minutes and hours, using the corresponding drop-down menu.

Remote POP Restrictions

System administrators can limit the number of remote POP accounts defined by account users. To do so, use the up and down arrows to select the desired size or edit the corresponding text field. Additionally, you can specify a minimum interval between two retrievals for each RPOP connection. Use the Minimum message retrieval interval drop-down menu to have it calculated in seconds, minutes or hours.

Temporary Addresses Restrictions

The administrator can set some limits on the usage of temporary addresses. A user may request a maximum of 16 temporary addresses (aliases). If the limit is set to '0', the 'Add' button in WebMail (in the 'Temporary Addresses' section) will be disabled, but old temporary addresses will still be available until they expire or are deleted. The time

period from the creation of a temporary address to its automatic deletion can be set between 10 minutes and 1 year.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Managing Account Filters

The Manage Account Defaults > Message Filters sub-page enables system administrators to create and manage incoming message rules at account level.

Important! Account level rules will run after any existing Domain level rules and Server level rules (common actions will be overridden).

When first accessing the sub-page, a list with the already defined rules is displayed. Each message rule can be deleted or further configured using the Delete and Edit buttons. Each message rule has an Enabled/Disabled status displayed and, next to it, the Enabled/Disabled button displays the opposite action of the status. Priorities between message rules can be changed using the up and down arrows under the Priority section.

To add a new rule for all domain accounts, click the Add Message Rule button. Type a name for the incoming message rule in the Message rule name text field and check the Enable this incoming rule option to activate it.

Further select if the messages filtered should match all or any of the defined criteria set below. You can add as many conditions as you wish by clicking the Add Condition button. Use the Add Action button to define the actions to be taken if an e-mail message matches the specified criteria.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Manage Accounts Tab

When first accessing the Manage Accounts tab, a list of existing domains is displayed. To be able to manage the accounts, first select one of the existing domains. After selecting a certain domain, the list of previously created accounts is displayed. To run a search for a specific account, use the Account Search field.

To edit an existing account, use its corresponding Edit button; to delete it, hit the Delete button. In order to create a new account, hit the Add Account button.

The domain you are creating the account in is displayed in the Domain name field if you have already selected a certain domain. If you press the Add Account button prior to the domain selection, you will have to type the desired domain.

Specify a name for the account you are creating in the Account Name text field. Type a password of choice in the Account password text field or click the Set Random button to select a random password combination. When using this button, the randomly assigned password is displayed under it.

If you are done configuring the account, hit the Quick Add button. Alternatively, should you prefer to further fine tune it, click the Advanced Config link. This link and the Edit button of an already configured account give access to four configuration pages: General, Quotas and Restrictions, WebMail Options and Message Filters.

Accounts General Page

The Manage Accounts > General page allows system administrators to configure basic account settings such as the account name and password, and also displays general information regarding the account in question.

Use the First name and Last name text fields to modify the name of the person the account is created for. The account name can also be edited in its respective text field.

To change an account's password, either type another one in the Account password text field or click the Set Random button to select a random password combination. When using this button, the randomly assigned password is displayed under it.

To select whether the default settings established at domain level should be inherited by the account you are currently managing or if the account should be associated with an already defined account class, use the Inherit configuration details drop-down menu.

The services section displays the list of account services and their current status. To enable or disable a service, use the respective buttons corresponding to that service's name. Please note that at account level, only services affecting account behavior are displayed - SMTP Receiving, SMTP Sending, POP3, IMAP, Remote POP and WebMail.

The Info section of the account displays details referring to the creation date of the account, used quota and time, date and IP coordinates of the last logins to the respective accounts through IMAP, POP3 and WebMail.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Account Aliases

The Manage Accounts > Account Aliases page allows system administrators to create a list of aliases for a certain user account.

Account Aliases Management

An account alias is a secondary account pointing to the account you are editing. For example, if you are currently editing the previously created account test@mycompany.com and you add alias@mycompany.com as an alias, all e-mails sent to alias@mycompany.com will be delivered to test@mycompany.com.

Each of the previously defined account aliases can be edited in the text field or deleted using their corresponding Delete buttons. To add a new alias, type its name in the upper right corner text field and hit the Add Alias button.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Configuring Quotas and Restrictions

The Manage Accounts > Quotas and Restrictions page contains parameters relative to mailbox and folder level, notifications to be sent to account users and restrictions imposed on the account being edited.

Managing Account Quotas

At mailbox level, the total mailbox size, the total number of folders and the total number of messages can be limited by selecting the respective options in the Mailbox area and using the up and down arrows to adjust the limits to the desired value. For the total size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

At folder level, system administrators can set limits for the size of each folder and the total number of messages per each folder by checking the respective options in the Folders section and using the up and down arrows to adjust the limits to the desired value. For the folder size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

To have the account user notified when reaching a certain level of their allowed quota through a pop-up displayed when accessing the WebMail interface, check the respective option in the Notifications section and use the up and down arrows to increase or decrease the default percentage of the quota. When this option is checked, the users are also notified at every login. You can set the frequency of these login notifications using the up and down arrows corresponding to this additional option. To select if the respective value is calculated in seconds, minutes, hours or days, use the respective drop-down menu.

System administrators can further edit the notification content in the Notification content section. Edit the text displayed using the Subject and Body text fields. To insert more values in the body, use the available buttons - Domain, Account, Full name, Notification threshold percentage, Size quota, Size used, Size used (%), Count Quota, Count Used, Count Used (%).

Configuring Restrictions

Password Policy Enforcement

System administrators can define a Password Policy to be enforced for the currently created account. First of all, a minimum and maximum number of characters for each password can be set using the up and down arrows or by directly editing the Password length parameters text field. Further select from the Password must include drop-down menu if passwords should include letters, letters and numbers or letters, numbers and special characters.

Session restrictions

The number of POP3, IMAP and WebMail sessions can be limited for the respective account. To select the desired value, use the up and down arrows or directly edit the text fields pertaining to each type of session. POP3 and IMAP sessions take values from 1 to 16, while WebMail sessions take values from 1 to

WebMail Restrictions

To limit the size of message attachments, check the respective option in the WebMail section and use the up and down arrows to select the desired size. To have the size measured in KB, MB or GB, use the available drop-down menu.

Use the up and down arrows of the Limit number of attachments per message option or edit its corresponding text field to set a maximum number of attachments allowed for messages sent or received using the WebMail interface.

Check the Limit message size option to set a maximum size for messages sent and received through the WebMail interface. To do so, either use the up and down arrows to select the desired size or edit the corresponding text field.

The Limit number of recipients option allows you to configure a maximum number of recipients for WebMail messages, using the up and down arrows to select the desired size or editing the corresponding text field.

To set the HTML Body Filtering Level for this specific account when connected via WebMail, use the available slider.
The HTML filtering levels stand for the following:

No Filtering
Low level filtering - converts the message to standard XHTML
Medium level filtering - generates the body based on a list of known/allowed attributes and tags. Anything that is not on this 'allowed list' is removed. This level removes JavaScript, styles, etc.

High level filtering - generates the body based only on text components. This means that only plain text components remain in the message. This fourth level is the strictest and may actually damage some formatting, but it is also the safest.

Message Sending Restrictions

Limits imposed on sent messages offer system administrators an easy way to prevent account users from generating spam. They can thus set a maximum number of messages, their total size and the period in which these are sent, using the up and down arrows to select the desired size or editing the corresponding text field. To have the message size calculated in KB, GB or MB, use the respective drop-down menu. The time frame for the maximum number of messages can be set to be calculated in seconds, minutes and hours, using the corresponding drop-down menu.

Remote POP Restrictions

System administrators can limit the number of remote POP accounts defined by a certain user. To do so, use the up and down arrows to select the desired size or edit the corresponding text field. Additionally, a minimum interval between two retrievals for each RPOP connection can be specified. Use the Minimum message retrieval interval drop-down menu to have it calculated in seconds, minutes or hours.

Temporary Addresses Restrictions

The administrator can set some limits on the usage of temporary addresses. A user may request a maximum of 16 temporary addresses (aliases). If the limit is set to '0', the 'Add' button in WebMail (in the 'Temporary Addresses' section) will be disabled, but old temporary addresses will still be available until they expire or are deleted. The time period from the creation of a temporary address to its automatic deletion can be set between 10 minutes and 1 year.

Parameter inheritance

Parameters or parameter groups that are inherited from the domain's account defaults are automatically marked with the icon, while the ones inherited from an account class are

marked with the icon. When explicitly setting the value of an inherited parameter it will be marked with the icon. Moreover, any further changes at parent level (domain's account defaults or account class) will only affect inherited parameters, while explicitly set ones will keep their value. You can, at any time, revert the explicit parameters to their inherited value by clicking the 'Inherit' link related to the explicitly set parameter (orange) icon.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Account WebMail Options

The Manage Accounts > WebMail Options page allows you to configure an account's appearance, preferences, contact details and signature. These options can also be set by each account user from the WebMail Interface.

Appearance Options

Use the WebMail Skin name drop-down menu to select the WebMail skin that should be used for this account.

To configure the WebMail language settings for the respective account, use the WebMail Language drop-down menu. The available options are English, German, Romanian, Spanish, Portuguese, Italian, Dutch, Swedish, Norwegian, Polish, Russian, Czech, Greek, Chinese and Persian. The default selected language is English.

You can specify the number of messages to be displayed on a WebMail page for the currently edited mailbox using the Display...messages per page drop-down menu.

Account Preferences

You can have a confirmation requested before deleting a message via WebMail from the currently edited account by checking the Ask for confirmation on deletion option. Check the Ask for confirmation on empty folder option to request a confirmation on emptying a folder in WebMail for the currently edited account.

To have messages deleted through the WebMail interface sent to Trash, check the Move deleted e-mails to Trash option. If left unchecked, messages will be permanently deleted.

Allow the WebMail interface to check for new e-mails automatically for the configured account by checking the Automatically check for new e-mails option. Use the available text field or its up and down arrows to define the time frame and the drop-down menu to have the period measured in minutes, hours or days.

Check the Display notification when new e-mail arrives option so the user receives a pop-up warning when a new e-mail arrives.

To set the HTML Body Filtering Level for this specific account when connected via WebMail, use the available slider. The HTML filtering levels stand for the following:

No Filtering
Low level filtering - converts the message to standard XHTML
Medium level filtering - generates the body based on a list of known/allowed attributes and tags. Anything that is not on this 'allowed list' is removed. This level removes JavaScript, styles, etc.
High level filtering - generates the body based only on text components. This means that only plain text components remain in the message. This fourth level is the strictest and may actually damage some formatting, but it is also the safest.

Contacts Settings

System administrators can select which contacts are to be used for the account they are currently editing. They can either use contacts from the public address-book and/or employ domain contacts. To do so, choose one (or both) of the available options: Use contacts from public address-book and Use contacts from domain.
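The Medium and High HTML Body Filtering levels described above, sketched as an added Python example (not AXIGEN's code) to show what an allow-list filter has to handle in a hostile message body. The tag, attribute and URL-scheme lists and all function names are assumptions, since the manual does not publish the product's list; the Low level (XHTML conversion) is not modelled.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for illustration; the manual does not publish AXIGEN's own.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "u", "p", "br", "div", "span",
                "ul", "ol", "li", "blockquote", "pre", "img"}
ALLOWED_ATTRS = {"a": ("href", "title"), "img": ("src", "alt", "width", "height")}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # content removed too
BLOCK_TAGS = {"p", "div", "li"}


def safe_url(value):
    """Accept only absolute URLs with an allowed scheme; relative URLs are rejected."""
    # Browsers ignore tabs and newlines inside a scheme, so strip them first.
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    return cleaned.startswith(SAFE_SCHEMES)


class BodyFilter(HTMLParser):
    def __init__(self, level):
        super().__init__(convert_charrefs=True)
        self.level = level
        self.out = []
        self.open_tags = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        if self.level == "high":
            if tag == "br":
                self.out.append("\n")
            return
        if tag not in ALLOWED_TAGS:
            return  # the tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:  # attribute values arrive entity-decoded
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # also removes on* handlers and style attributes
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth:
            return
        if self.level == "high":
            if tag in BLOCK_TAGS:
                self.out.append("\n")
            return
        if tag in self.open_tags:
            # Close tags left open inside this one so the output stays well formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped so decoded entities cannot turn back into markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        if self.level == "high":
            return "".join(self.out).strip()
        return "".join(self.out) + "".join(f"</{t}>" for t in reversed(self.open_tags))


def filter_body(html_body, level):
    """level is 'none', 'medium' (allow-list) or 'high' (text only)."""
    if level == "none":
        return html_body
    if level not in ("medium", "high"):
        raise ValueError(f"unsupported level: {level}")
    parser = BodyFilter(level)
    parser.feed(html_body)
    parser.close()
    return parser.result()


# Constructed sample body, not taken from a real message.
SAMPLE = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script> '
          '<a href="jav&#x61;script:alert(2)" title="t">link</a> '
          '<img src="https://example.test/a.png" onerror="alert(3)">'
          '<style>p{color:red}</style></p>')

if __name__ == "__main__":
    print(filter_body(SAMPLE, "medium"))
    print(filter_body(SAMPLE, "high"))
```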

Defining a Signature

To have a signature defined for all messages sent from the configured account via WebMail, type it in the Message Signature text field. The text you define will then be appended to all outgoing e-mails sent from the WebMail interface.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Managing Message Filters

The Manage Domains > Message Filters page enables system administrators to configure a set of rules to be applied to messages received by specific accounts, as well as to view and change any of the similar rules created by the users themselves.

The page gives access to two other sub-pages:

Admin Filters - containing the parameters relative to incoming message rules and filters.
User Filters - containing the parameters relative to incoming message rules and filters set by users in the WebMail > Settings > Filters page.

Admin Filters

The Message Filters > Admin Filters sub-page enables system administrators to configure incoming message rules and filters for specific user accounts.

Important: The Rules and Filters configured in this page replace the ones inherited from account defaults. For direct access to the account defaults parameters, click on the underlined account defaults option available right under the Admin Filters sub-page name.

Incoming Message Rules

Important! When first accessing this tab, click the Define explicit link to be able to add filters for this account.

To configure a new message rule, hit the Add Message Rule button and then fill in the specific parameters in the new sub-page, New Message Rule. Each message rule has an Enabled/Disabled status displayed; the action displayed by the button next to it is the opposite of the status. Each rule can be deleted or further configured using the Delete and Edit buttons. To set the order in which defined rules should apply, use their corresponding up and down arrows available under the Priority section.

Important: All message rules available in this section will run after any existing Server Level Rules and Domain Level Rules (common actions will be overridden).

General Settings for the New Message Rule

Use the text box under General Settings to specify the name of the new rule, then enable the new rule by checking the box in front of the option called Enable this incoming rule.

New Message Rule Conditions

In the Matches section, first decide the incoming messages for which you want the rule to apply. Next, choose the conditions you want to apply to those messages (e.g. for messages from

Use the drop-down menu to select the type of the new condition. Available options include setting conditions relative to the subject, sender, receiver, Cc, To or Cc, size of the e-mail, as well as a customization option, accessible by clicking on Custom. To delete one of the newly-added criteria, hit its corresponding trash-bin shaped button.

New Message Rule Actions

By editing the Actions section you can decide what you want to do with the messages that match the above conditions. Use the drop-down menu to specify the actions corresponding to the mail message, i.e. moving, copying, deleting, or redirecting it to a certain address etc. To add a new action, click on the Add Action button and then fill in all the corresponding details in the newly-displayed menus. To delete an action, hit the trash-bin shaped button displayed on the right hand side of the action in question.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

User Filters

The Message Filters > User Filters sub-page enables system administrators to configure incoming message rules and filters for specific user accounts.

Important: The User Filters subcategory, in particular, gives you access to the rules defined by the user for this account using the WebMail interface. Editing these rules will actually edit the user-defined filters, and the changes will be seen by the user in the WebMail interface. Access to these rules has been introduced in order to allow the administrator to correct potential problems in user-generated rules through shared access.

Incoming Messages Rules

To configure a new message rule, hit the Add Message Rule button and then fill in the specific parameters in the new sub-page, New Message Rule.

Each message rule has an Enabled/Disabled status displayed; the action displayed by the button next to it is the opposite of the status. Each rule can be deleted or further configured using the Delete and Edit buttons. To set the order in which defined rules should apply, use their corresponding up and down arrows available under the Priority section.

Important: The message rules below will run after any existing Server level rules and Domain level rules (common actions will be overridden).

General Settings of the New Message Rule

Use the text box under General Settings to specify the name of the new rule, then enable the new rule by checking the box in front of the option called Enable this incoming rule.

New Message Rule Conditions

In the Matches section, first decide the incoming messages for which you want the rule to apply. Next, choose the conditions you want to apply to those messages. Use the drop-down menu to select the type of the new condition. Available options include setting conditions relative to the subject, sender, receiver, Cc, To or Cc, size of the e-mail, as well as a customization option accessible by clicking on Custom. To delete one of the newly-added criteria, hit its corresponding trash-bin shaped button. New message rules can be set to match all or just part of the specified conditions according to your choice.

New Message Rule Actions

By editing the Actions section you can decide what you want to do with the messages that match the above conditions. Use the drop-down menu to specify the actions corresponding to the mail message, such as moving, copying, deleting, or redirecting it to a certain address. To add a new action, click on the Add action button and then fill in all the corresponding details in the newly-displayed menus. To delete an action, hit the trash-bin shaped button displayed on the right hand side of the action in question.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.
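The rule model described above (enabled status, priority order, matching all or part of the conditions, then actions) can be checked offline when an administrator reviews user-generated rules. The following is an added example, not AXIGEN code: the rule representation, the field and operator names, and the sample rules and message are constructed for illustration. It evaluates the rules against a message and flags redirect actions to addresses outside the account's domain, as well as delete actions, for review.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    enabled: bool
    priority: int      # position in the Priority column; lower runs first (assumed)
    match_all: bool    # True: every condition must hold; False: any one suffices
    conditions: list   # (field, operator, value) tuples
    actions: list      # (action, argument) tuples


def _holds(condition, msg):
    """Evaluate one condition against a message dict."""
    field, op, value = condition
    if field == "size":
        if op != "greater_than":
            raise ValueError(f"unsupported size operator {op!r}")
        return msg["size_kb"] > value
    if field == "to_or_cc":
        candidates = msg["to"] + msg["cc"]
    elif field in ("to", "cc"):
        candidates = msg[field]
    else:                                  # "subject" or "sender"
        candidates = [msg[field]]
    candidates = [c.lower() for c in candidates]
    needle = value.lower()
    if op == "is":
        return needle in candidates
    if op == "contains":
        return any(needle in c for c in candidates)
    raise ValueError(f"unsupported operator {op!r}")


def matches(rule, msg):
    results = [_holds(c, msg) for c in rule.conditions]
    if not results:
        return False   # assumption: a rule without conditions never fires
    return all(results) if rule.match_all else any(results)


def fired_actions(rules, msg):
    """Actions of enabled, matching rules, in priority order."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and matches(rule, msg):
            fired.extend((rule.name, action, arg) for action, arg in rule.actions)
    return fired


def audit(rules, local_domain):
    """Flag rules an administrator should look at, enabled or not."""
    suffix = "@" + local_domain.lower()
    findings = []
    for rule in rules:
        state = "enabled" if rule.enabled else "disabled"
        for action, arg in rule.actions:
            if action == "redirect" and not arg.lower().endswith(suffix):
                findings.append((rule.name, state, f"redirects to external address {arg}"))
            elif action == "delete":
                findings.append((rule.name, state, "deletes matching messages"))
    return findings


# Constructed sample data (not taken from a real server).
RULES = [
    Rule("Archive invoices", True, 1, True,
         [("subject", "contains", "invoice")], [("move", "Archive")]),
    Rule("Forward finance mail", True, 2, False,
         [("sender", "is", "billing@supplier.example"), ("size", "greater_than", 5000)],
         [("redirect", "collector@elsewhere.example")]),
    Rule("Old cleanup", False, 3, True,
         [("to_or_cc", "contains", "newsletter")], [("delete", None)]),
]
MESSAGE = {"subject": "Invoice 42", "sender": "billing@supplier.example",
           "to": ["user@mycompany.com"], "cc": [], "size_kb": 12}

if __name__ == "__main__":
    for item in fired_actions(RULES, MESSAGE):
        print("fires:", item)
    for finding in audit(RULES, "mycompany.com"):
        print("review:", finding)
```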

Groups Tab

When first accessing the Groups tab, a list of the existing domains is displayed. To be able to manage the groups you first have to select one of the existing domains.

After selecting a certain domain, the list of previously created groups is displayed. To run a search for a specific group, use the Group Search field. To edit an existing group, use its corresponding Edit button; to delete it, hit the Delete button.

In order to create a new group, press the Add Group button. The domain you are creating the group in is displayed in the Domain name field if you have already selected a certain domain. If you press the Add Group button prior to the domain selection, you will have to type the desired domain. Specify a name for the group you are creating in the Group Name text field. After specifying these two parameters, the group's address will be displayed (generic address is Groupname@Domainname).

Check the Enable this group option if you want to render the group active. If you are done configuring the group, hit the Quick Add button. Alternatively, should you prefer to further fine tune it, click the Advanced Config link. This link and the Edit button of an already configured group give access to two configuration pages: General and Message Filters.

Group General Configuration

The Groups > General page allows you to add and delete group members and also provides information on the group currently edited.

Use the Group Name text field to edit the name you have previously assigned to your group. To add a group member, type his/her address in the Group members text field. To add more than one member, hit the Add member button, which will generate additional text fields for addresses. To delete an already added member, use the Delete button. Check the Enable this group option if you want to render the group active.

The Info section displays details referring to the creation and last modification date and time of the group.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Groups Message Filters

The Groups > Message Filters page enables system administrators to create and manage incoming message rules for a specific group.

Important! Group level rules will run after any existing Domain level rules and Server level rules (common actions will be overridden).

When first accessing the page, a list with the already defined rules and filters is displayed. Both lists can be minimized or maximized by clicking the list name bar.

Each message rule has an Enabled/Disabled status displayed; the action displayed by the button next to it is the opposite of the status. Each rule can be deleted or further configured using the Delete and Edit buttons. To set the order in which defined rules should apply, use their corresponding up and down arrows available under the Priority section.

To configure a new message rule, hit the Add Message Rule button and then fill in the specific parameters in the new sub-page, New Message Rule. Use the text box under General Settings to specify the name of the new rule, then enable the new rule by checking the box in front of the option called Enable this incoming rule.

In the Matches section, first decide the incoming messages for which you want the rule to apply. Next, choose the conditions you want to apply to those messages. Use the drop-down menu to select the type of the new condition. Available options include setting conditions relative to the subject, sender, receiver, Cc, To or Cc, size of the e-mail, as well as a customization option accessible by clicking on Custom. To delete one of the newly-added criteria, hit its corresponding trash-bin shaped button. New message rules can be set to match all or just part of the specified conditions according to your choice.

By editing the Actions section you can decide what you want to do with the messages that match the above conditions. Use the drop-down menu to specify the actions corresponding to the mail message, such as moving, copying, deleting, or redirecting it to a certain address. To add a new action, click on the Add action button and then fill in all the corresponding details in the newly-displayed menus. To delete an action, hit the trash-bin shaped button displayed on the right hand side of the action in question.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Mailing Lists

Use the WebAdmin Mailing Lists tab to manage the mail lists in AXIGEN Mail Server. When selecting this tab, the currently existing mailing lists are displayed.

If you have defined a large number of mailing lists, you can quickly locate a certain one by using the Mailing list Search available in the upper right corner. This field enables you to search by the name of the mailing list, on a filter-as-you-type basis.

You can also search for a mailing list by using the Domain search menu available on the left of the screen. Just fill in the domain name in order to see all the corresponding mailing lists and they will be filtered out as you type. Clicking directly on one of the listed domains will result again in displaying all the mailing lists defined for that specific domain.

To edit an already defined mailing list, hit the Edit button on the right side of its name; to delete it, hit its respective Delete button. Should you like to add a new mailing list, click the Add mailing list button.

Fill in the requested details: domain name, list name, list full name, administrator e-mail, then specify a password for the mailing list you wish to create. Hit the Quick Add button in order to create the list using the default settings or the Advanced Config link to further fine tune it.

When pressing the Edit button for an existing mailing list or the Advanced Config link, you access the six pages shown in the screen-shot below. The name of the configured mailing list is displayed in the upper section of the screen at all times.

Mailing Lists General Configuration

The Manage Lists > General tab allows system administrators to set the running services for a specific domain and other domain related parameters.

Settings

Use the List name and List Full Name fields in order to edit the name of the mailing list. The complete name will appear as displayed under these fields. In this example, "Mailing List 1".

Use the Account Password text area to manually specify the password for accessing the mailbox of this list, or generate one randomly by hitting the Set Random button. The new randomly generated password will be displayed in the field below: 55Op3tqa, in this case.

Subscription and unsubscription confirmations are automatically accepted for the mailing list displayed under Account Password. Leave the text box blank if you wish these requests to be confirmed by the administrator.

Services

Use the Services field to specify what services are enabled for this mailing list. To enable or disable a service, use the respective buttons corresponding to that service's name. Greyed out options are the ones active.

Info

The General page also displays specific details about the currently edited mailing list in the Info section. The information refers to the account creation date, as well as time details for the last modification and login.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Members

The Mailing Lists > Members page allows system administrators to specify the parameters regarding the members of the mailing lists.

The members list is displayed alphabetically, taking into account the first letters of the members' addresses. You can also use the search field in order to create a filter and thus be able to locate a certain account faster. To edit the details of a member address, click the Edit button on the right side of its name; to delete it, hit its respective Delete button. Should you like to add a new mailing list member, hit the Add Member button.

Adding and editing a member address is done by filling in the requested details: the member's e-mail and full name, and then clicking on the Quick Add button.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Subscription and Posting

The Mailing Lists > Subscription and Posting page allows system administrators to set rules regarding subscriptions and unsubscriptions, posting rights, and to define message headers and templates for mailing lists.

Subscription/Unsubscription

In this section, you can set the rules regarding subscriptions and unsubscriptions from a defined mailing list. When checking the Allow subscription/unsubscription via option, you can also decide whether the administrator needs to approve subscriptions and set special addresses to be used especially for subscribing or unsubscribing.

Message posting

Use the drop-down menu from the Messages can be posted by field in order to select who has the right to post messages. Choose one from the three available options: Anyone, Subscribers and Moderator, Moderator Only.

Check the Require moderation for option to choose what messages should be moderated: all or those from non subscribers.

Use the content slider available in this section in order to define the type of content a message can have. Move the slider to the left or to the right in order to make the selection. Enabled types of messages will then change color from white to gray.

Message Headers

Here you can list or modify the headers you wish to remove from each message. To edit a header, hit the Edit button on the right side of its name; to delete it, click its respective Delete button. Should you like to add a new header to be removed, hit the Define button. Whether editing or adding a new header for removal, you will need to fill in the name of the header, then hit the Quick Add button.

Message Templates

This section enables you to edit the message templates. You can edit headers, footers, error messages and confirmation requests, as well as any automatic messages. Click the button corresponding to the template you are interested in and make the change. Should you like to insert a text at the beginning of each message, fill it in the text box available under template types.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Configuring Quotas and Restrictions

The Mailing Lists > Quotas and Restrictions page contains parameters relative to the mailbox and folder levels, notifications to be sent to the list members and restrictions imposed on the mailing list being edited.

Managing Mailing List Quotas

At mailbox level, the total mailbox size, the total number of folders and the total number of messages can be limited by selecting the respective options in the Mailbox Level area and using the up and down arrows to adjust the limits to the desired value. For the total size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

At folder level, system administrators can set limits for the size of each folder and the total number of messages per folder by checking the respective options in the Folder Level section and using the up and down arrows to adjust the limits to the desired value. For the folder size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

To have the account user notified when reaching a certain level of their allowed quota, through a pop-up displayed when accessing the WebMail interface, check the respective option in the Notifications section and use the up and down arrows to increase or decrease the default percentage of the quota.

Session Restrictions

The number of POP3, IMAP and WebMail sessions can be limited using the up and down arrows or by directly editing the text fields pertaining to each type of session. POP3 and IMAP sessions take values from 1 to 16, while WebMail sessions take values from 1 to

WebMail Restrictions

To limit the attachment and message size, check the respective options in the WebMail section and use the up and down arrows to select the desired size. To have the size measured in KB, MB or GB, use the available drop-down menu.

Use the up and down arrows of the Limit number of attachments per message and Limit number of recipients options, or edit their corresponding text fields, to set the maximum number of attachments and recipients in an e-mail message.

Message Sending Restrictions

Limits imposed on sent messages offer system administrators an easy way to prevent account users from generating spam. They can thus limit the total number of messages to be sent and their size in a time interval. Use the up and down arrows to select the desired size or edit the corresponding text field. To have message size calculated in KB, GB or MB, use the respective drop-down menu.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Mailing Lists WebMail Options

The Mailing Lists > WebMail Options page allows setting up the mailing list's appearance, preferences, contact details and signature.

Appearance Options

Use the WebMail Skin name drop-down menu to select the WebMail skin to be used for this account.

To configure the WebMail language settings for the respective account, use the WebMail Language drop-down menu. The available options are English, German, Romanian, Spanish, Portuguese, Italian, Dutch, Swedish, Norwegian, Polish, Russian, Czech, Greek, Chinese and Persian. The default selected language is English.

You can specify the number of messages to be displayed on a WebMail page for the currently edited mailbox using the Display...messages per page drop-down menu.

Preferences

You can have a confirmation requested before deleting a message via WebMail from the currently edited mailing list by checking the Ask for confirmation on deletion option.

Check the Ask for confirmation on empty folder option to request a confirmation on emptying a folder in WebMail.

To have messages deleted through the WebMail interface sent to Trash, check the Move deleted s to Trash option. If left unchecked, messages will be permanently deleted.

To allow the WebMail interface to check for new e-mails automatically for the configured mailing list, check the Automatically check for new s option. Use the available text field or its up and down arrows to define the time frame and the drop-down menu to have the period measured in minutes, hours or days.

To set the HTML Body Filtering Level for this specific account when connected via WebMail, use the available slider. The HTML filtering levels stand for the following:

No Filtering
Low level filtering - converts the message to standard XHTML
Medium level filtering - generates the body based on a list of known/allowed attributes and tags.
Thorough filtering - generates the body

To have a signature defined for all messages sent from the configured mailing list via WebMail, type it in the Message Signature text field. The text you define will then be appended to all outgoing e-mails sent from the WebMail interface.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Mailing Lists Message Filters

The Mailing Lists > Message Filters page enables system administrators to create and manage incoming message rules for a mailing list.

Important! Account level rules will run after any existing Domain level rules and Server level rules (common actions will be overridden).

When first accessing the sub-page, a list with the already defined rules is displayed. Each message rule can be deleted or further configured using the Delete and Edit buttons. Each message rule has an Enabled/Disabled status displayed and, next to it, the Enabled/Disabled button displays the opposite action of the status. To set the order in which defined rules should apply, use their corresponding up and down arrows available under the Priority section.

To add a new rule for all domain accounts, click the Add Message Rule button. In the new window, type a name for the incoming message rule in the Message rule name field and check the Enable this incoming rule option to activate it.

In the Matches section, first decide the incoming messages for which you want the rule to apply. Next, choose the conditions you want to apply to those messages (e.g. for messages from 'abc@domain.com'). Use the drop-down menu to select the type of the new condition. Available options include setting conditions relative to the subject, sender, receiver, Cc, To or Cc, size of the e-mail, as well as a customization option accessible by clicking on Custom. To delete one of the newly-added criteria, hit its corresponding trash-bin shaped button. A new message rule can be set to match all or just part of the specified conditions according to your choice.

By editing the Actions section you can decide what you want to do with the messages that match the above conditions. Use the drop-down menu to specify the actions corresponding to the mail message, such as moving, copying, deleting, or redirecting it to a certain address. To add a new action, click on the Add action button and then fill in all the corresponding details in the newly-displayed menus. To delete an action, click the trash-bin shaped button displayed on the right hand side of the action in question.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Configuring Public Folders

Use the Public Folders tab to manage public folders in AXIGEN Mail Server. When selecting this tab, the currently existing public folders and sub-folders are displayed.

If you have defined a large number of public folders, you can quickly locate a certain one by using the Domain search menu available on the left of the screen. Just fill in the domain name in order to see all the corresponding public folders and they will be filtered out as you type. Clicking directly on one of the listed domains will also result in displaying all the public folders defined for that specific domain.

To add a new public folder, click on the desired parent in the list and hit the Add Public Folder button at the top. If you don't select a parent, the new public folder will be added in the public folder root. To delete an already defined public folder, click its respective Delete button.

Fill in the folder name, select the parent folder from the drop-down menu and specify the address for this public folder. You can insert multiple addresses: fill in the address and then click on the Add Address button. Should you like to delete one of the listed addresses, click on the trash bin icon available on the right of the address.

Hit the Quick Add button in order to complete the creation of the public folder with these settings or use the Advanced Config link to further fine tune it.

When pressing the Edit button for an existing public folder or the Advanced Config link when creating it, you will be able to make more settings in the General and Quotas configuration pages. The name of the configured public folder will be displayed in the upper section of the screen at all times.

Public Folders General Configuration

The Public Folders > General page allows system administrators to begin the configuration of a public folder.

Settings

The system administrator can specify here the address for this public folder. Multiple addresses can be defined: fill in the address and then click on the Add button. Should you like to delete one of the listed addresses, click the Delete button available on the right of the address.

Configuring Public Folders Quotas

The Public Folders > Quotas page contains parameters relative to the mailbox and folder levels of the public folder being edited.

System administrators can set limits for the size of each folder and the total number of messages per folder by checking the respective options and using the up and down arrows to adjust the limits to the desired value. For the folder size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

Important! The values set will be used by any new public folder you create for this domain. You can override them by editing the Quotas section of any specific public folder.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Account Classes Tab

Use the Account Classes tab to manage the account classes in AXIGEN Mail Server. When selecting this tab, the currently existing account classes are displayed.

If you have defined a large number of account classes, you can quickly locate a certain one by using the Domain search menu available on the left of the screen. Just fill in the domain name in order to see all corresponding account classes; they will be filtered out as you type. Clicking directly on one of the listed domains will also result in displaying all the account classes defined for that specific domain.

The above screen-shot displays all the account classes created for the mycompany.com domain: Marketing_Accounts, Management_Accounts and Sales_Accounts.

To edit an already defined account class, hit the Edit button on the right side of its name; to delete an already defined account class, click its corresponding Delete button. Should you like to add a new account class, hit the Add Account Class button displayed in the upper right corner of the screen.

Add a new account class for the currently selected domain, in our case the mycompany.com domain, which is also automatically filled in the Domain Name field and can be edited. To create a new account class, fill in its name in the Account Class Name field, then hit the Quick Add button in order to create it using the default domain inherited parameters or the Advanced Config link to explicitly define account parameters.

When pressing the Edit button for an existing account class or the Advanced Config link, you access the three pages shown in the below screenshot. The name of the configured account class is listed in the upper section of the screen at all times.

Account Classes General Parameters

The Account Class > General page displays the list of class services and their current status. To enable or disable a service, use the respective buttons corresponding to that service's name. Please note that at account class level only services affecting account class behavior are displayed - SMTP Receiving, SMTP Sending, POP3, IMAP, Remote POP and WebMail.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Configuring Quotas and Restrictions

The Account Classes > Quotas and Restrictions page contains parameters relative to mailbox and folder level, notifications to be sent to users and restrictions imposed for all created account classes.

Important! Changing the parameters below will affect the account classes that have inherited parameters. Explicitly set parameters will not be affected.

Managing Account Quotas

The total mailbox size, the total number of folders and the total number of messages can be limited by selecting the respective options in the Mailbox level area and using the up and down arrows to adjust the limits to the desired value. For the total size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

System administrators can set limits for the size of each folder and the total number of messages per folder by checking the respective options in the Folder level section and using the up and down arrows to adjust the limits to the desired value. For the folder size limit, use the available drop-down menu to select if you want it calculated in KB, MB or GB.

To have account users notified when they reach a certain level of their allowed quota, through a pop-up displayed when accessing the WebMail interface, check the respective option in the Notifications section and use the up and down arrows to increase or decrease the default percentage of the quota. When this option is checked, the users are also notified at every login. You can set the frequency of these login notifications using the up and down arrows corresponding to this additional option. To select if the respective value is calculated in seconds, minutes, hours or days, use the respective drop-down menu.

System administrators can further edit the content of the notification in the Notification content section. To edit the text displayed, use the Subject and Body text fields. To insert more values in the body, use the available buttons - Domain, Account, Full name, Notification threshold percentage, Size quota, Size used, Size used (%), Count Quota, Count Used, Count Used (%).

Configuring Restrictions

Password Policy Enforcement

System administrators can define a Password Policy to be enforced when an account is created for a respective account class. First of all, a minimum and maximum number of characters for each password can be set using the up and down arrows or by directly editing the Password length parameters. Further, select from the Password must include drop-down menu if passwords should include letters, letters and numbers, or letters, numbers and special characters.

Session restrictions

The number of POP3, IMAP and WebMail sessions can be limited for all accounts in a certain account class. To do so, select the desired value using the up and down arrows or directly edit the text fields pertaining to each type of session. POP3 and IMAP sessions take values from 1 to 16, while WebMail sessions take values from 1 to

WebMail Restrictions

To limit the size of message attachments, check the respective option in the WebMail section and use the up and down arrows to select the desired size. To have the size measured in KB, MB or GB, use the available drop-down menu.

Use the up and down arrows of the Limit number of attachments per message option or edit its corresponding text field to set a maximum number of attachments allowed for messages sent or received from any account using the WebMail interface.

Check the Limit message size option to set a maximum size for messages sent and received through the WebMail interface. To do so, use the up and down arrows to select the desired size or edit the corresponding text field.

The Limit number of recipients option allows you to configure a maximum number of recipients for WebMail messages, using the up and down arrows to select the desired value or editing the corresponding text field.

To set the HTML Body Filtering Level for this specific account when connected via WebMail, use the available slider. The HTML filtering levels stand for the following:

No Filtering
Low level filtering - converts the message to standard XHTML
Medium level filtering - generates the body based on a list of known/allowed attributes and tags. Anything that is not on this 'allowed list' is removed. This level removes JavaScript, styles, etc.
High level filtering - generates the body based only on text components. This means that only plain text components remain in the message. This fourth level is the strictest and may actually damage some formatting, but it is also the safest.

Message Sending Restrictions

302 Limits imposed to sent messages offer system administrators an easy possibility to prevent account users from generating spam. They can thus set a maximum number of messages, their total size and the period in which these are sent using the up and down arrows to select the desired size or editing the corresponding text field. To have the message size calculated in KB, GB or MB use the respective drop-down menu. The time frame for the maximum number of messages can be set to be calculated in seconds, minutes, and hours using the corresponding drop-down menu. Remote POP Restrictions System administrators can limit the number of remote POP accounts for account classes. To do so use the up and down arrows to select the desired size or edit the corresponding text field. Additionally you can specify a minimum interval between two retrievals for each RPOP connection. Use the Minimum message retrieval interval drop-down menu to have it calculated in seconds, minutes or hours. Temporary Addresses Restrictions The administrator can set some limits on the usage of temporary addresses. A user may request maximum 16 temporary addresses (aliases), if the limit is set to '0' the 'Add' button in WebMail (in the 'Temporary Addresses' section) will be disabled but old temporary address will still be available until they expire or are deleted. The time period from the creation of a temporary address to its automatic deletion can be set between 10 minutes and 1 year. Parameter inheritance Parameters or parameter groups that are inherited from the domain's account defaults are automatically marked with the icon. When explicitly setting the value of an inherited parameter it will be marked with the icon. Moreover, any further changes at parent level (domain's account defaults) will only affect inherited parameters, while explicitly set ones will keep their value. 
You can, at any time, revert the explicit parameters to their inherited value by clicking the 'Inherit' link related to the explicitly set parameter (orange) icon. Any parameter change in this account class will propagate on all the accounts that are set to inherit this class. The inherited values can be overridden (set explicitly) at account level, thus allowing you to create exceptions from the account class. Please note that if you explicitly set a parameter at account level, further changes of that parameter (in the parent account class) will not affect the respective account.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Managing Message Filters

The Account Classes > Message Filters page enables system administrators to create and manage incoming message rules for an account class.

Important! Changing the parameters below will affect the account classes that have inherited parameters. Explicitly set parameters will not be affected. Account level rules will run after any existing Domain level rules and Server level rules (common actions will be overridden).

Important! When first accessing this tab, to be able to add filters for this account class, click the Define explicit link.

Each message rule has an Enabled/Disabled status displayed and, next to it, the Enabled/Disabled button displays the opposite action of the status. To set the order in which defined rules should apply, use their corresponding up and down arrows available under the Priority section. Message rules can be deleted or further configured using the Delete and Edit buttons.

To add a new message rule, click the Add Message Rule button. In the new window, type a name for the incoming message rule in the Message rule name field and check the Enable this incoming rule option to activate it. In the Matches section, first decide the incoming messages for which you want the rule to apply. Next, choose the conditions you want to apply to those messages (e.g. for messages greater than 5000kb).

By editing the Actions section, you can decide what you want to do with the messages that match the above conditions. Use the drop-down menu to specify the actions corresponding to the mail message, i.e. moving, copying, deleting, or redirecting it to a certain address etc. Several actions to be performed can be added: click on the Add action button and fill in all the corresponding details in the newly-displayed menus. To delete an action, click the trashbin shaped button displayed on the right hand side of the action in question.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

9.4. Security & Filtering

The "Security & Filtering" section comprises tabs relative to AXIGEN Mail Server's integration with antivirus/antispam applications, as well as the management of its global access control, acceptance and routing policies, Sieve filtering and message rules. The comprised configuration options allow you to define and maintain a comprehensive security policy by employing Antivirus and AntiSpam applications, the incoming message rules wizard, custom blacklists and other filtering tools.

AntiVirus and AntiSpam Tab

The Security & Filtering > AntiVirus and AntiSpam tab allows system administrators to view and configure the AntiVirus and AntiSpam applications supported by AXIGEN Mail Server. Accessing this tab leads to the following 3 sub-pages:

Supported Applications
AntiVirus Actions
AntiSpam Configuration

Supported AV/AS Applications

The AntiVirus and AntiSpam > Supported Applications page allows you to view and enable the AntiVirus and AntiSpam applications that you wish to run with AXIGEN Mail Server.

Under Supported Applications, choose which of the available AntiVirus and AntiSpam applications should run by simply clicking on their corresponding Enable or Disable buttons. Consider the following: SpamAssassin does not modify headers, no matter how SpamAssassin is configured; AXIGEN integrates X-AXIGEN-SpamLevel depending on the SpamAssassin score and can be used within spamtest and virustest SIEVE filters. Also, Bundled SpamAssassin is the same as the SpamAssassin option, except that it is integrated (bundled) within the AXIGEN kit.

To set the order in which enabled Antivirus and AntiSpam filters should apply, use the up and down arrows available under Actions. To update the AntiVirus and AntiSpam detection status, refresh the current page by hitting the click here option.

Enabled applications will run simultaneously and act according to the general settings made in the next pages: AntiVirus Actions and AntiSpam Configuration. Additional antivirus/antispam protection can be granted for specific resources, such as a domain or account, by enabling one or more extra applications only for that resource in its Message Filters section.

Setting the AntiVirus Actions

The AntiVirus and AntiSpam > AntiVirus Actions page enables system administrators to set the actions to be taken by enabled AntiVirus applications in AXIGEN Mail Server.

Use the drop-down menus in this section to set the specific actions that enabled antivirus applications should take when detecting a suspicious e-mail or one that cannot be cleaned. Choose between allowing the e-mail to be delivered, discarding it or moving it to the Trash folder.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

AntiSpam Configuration

The AntiVirus and AntiSpam > AntiSpam Configuration page allows system administrators to configure lists of safe addresses (whitelists) and spam thresholds.

Setting a WhiteList

Use this section in order to configure the WhiteList, the list of addresses from which e-mails should always be accepted. To edit the details of an already set address, hit the Edit button on the right side of its name; to delete it, hit its respective Delete button. Should you like to add a new address, hit the Add button, type it and then click Quick Add. The asterisk symbol ( * ) can be used as a substitution of any characters in an address (e.g.: *sale*@mycompany.com, *@mycompany.com, etc.). For example, setting *@mycompany.com will result in delivering all e-mails received from any address in the mycompany.com domain.

Spam Thresholds

Use the sliders or the up and down arrows to set the maximum value for the Spam Thresholds. Available values range between 1 to 10, according to the SpamAssassin score, where 1 is associated to legitimate e-mails (Not Spam) and 10 to clearly spam e-mails (Spam). Exceeding the set values will result in moving the respective e-mail to the Spam folder, respectively in deleting the e-mail.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Additional AntiSpam Methods

The Additional AntiSpam Methods tab gives system administrators access to additional antispam filters such as e-mail and DNS blacklists, Sender Policy Filters and Domain Keys filters, lists of safe IPs and DNS checks.

BlackList

Use this section in order to configure the BlackList, the list of addresses from which e-mails should always be rejected. To edit the details of an already set address, hit the Edit button on the right side of its name; to delete it, click its respective Delete button. Should you like to add a new address, hit the Add button and then Quick Add. The asterisk symbol ( * ) can be used as a substitution of any characters in an address (e.g.: *sale*@example.com, *@example.com, etc.). For example, setting *@example.com will result in rejecting all e-mails received from any address in the example.com domain.
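The WhiteList and BlackList sections above use the same `*` wildcard. The following Python sketch is an added example, not AXIGEN code: it assumes `*` matches any run of characters (including none), that matching is case-insensitive and covers the whole address, and it flags entries that are broader than they look. Function names, finding labels and sample addresses are constructed for illustration.

```python
import re

def pattern_to_regex(pattern):
    """Translate a list entry into a regular expression.

    Assumption: '*' stands for any run of characters (including none) and
    every other character, '.' and '+' included, is taken literally.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)

def matches(pattern, address):
    """True when the pattern covers the whole address, not just a substring."""
    return pattern_to_regex(pattern).fullmatch(address) is not None

def first_match(patterns, address):
    """Return the first list entry that covers the address, or None."""
    for pattern in patterns:
        if matches(pattern, address):
            return pattern
    return None

def audit_pattern(pattern):
    """Return labels for entries that accept or reject more than intended."""
    findings = []
    local, at, domain = pattern.rpartition("@")
    if not at:
        # Without '@' nothing ties the pattern to a domain boundary.
        findings.append("no-at-sign")
    else:
        if local and set(local) == {"*"}:
            findings.append("whole-domain")
        if "*" in domain:
            findings.append("wildcard-in-domain")
    return findings

# Constructed list entries: the first two come from the manual's examples,
# the third is a typical slip (the '@' was left out).
WHITELIST = ["*sale*@mycompany.com", "*@mycompany.com", "*mycompany.com"]

# Constructed sender addresses.
SAMPLES = [
    "presales@mycompany.com",
    "hr@mycompany.com",
    "bob@notmycompany.com",
    "bob@mycompany.com.other.example",
]

if __name__ == "__main__":
    for entry in WHITELIST:
        print(f"{entry:24} findings: {audit_pattern(entry) or 'none'}")
    for address in SAMPLES:
        print(f"{address:34} first matching entry: {first_match(WHITELIST, address)}")
```

A whitelist entry such as `*@mycompany.com` matches on the sender address a message claims, so it also covers mail that merely presents a sender in that domain; the audit output is a prompt to keep such entries narrow.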

Sender Policy Framework

Enable the SPF (Sender Policy Framework) authentication method by checking the box in front of it, then use the drop-down menus in order to select the actions to be taken if no SPF records are published and if SPF records cannot be checked. Choose between allowing to deliver the message or deleting the message.

Domain Keys authentication

Enable the DK (Domain Keys) authentication by checking the box in front of it, then use the drop-down menus in order to select the actions to be taken when no DK records are published and if DK records cannot be checked. Choose between allowing to deliver the message, deleting the message or moving the message to the SPAM folder.

DNSBL (DNS BlackList)

Use the options in this section in order to configure the DNS blacklist. To edit the details of an already added DNS Blacklist, hit its corresponding Edit button; to delete it, click its respective Delete button. Available DNS BlackLists can be enabled or disabled by simply clicking on their corresponding Enable or Disable buttons. Should you like to add a new DNS Blacklist, press the Add DNS BlackList button, fill in the Operator Name and DNS BlackList text boxes, then check the Enable this Blacklist option and hit the Quick Add button.

Safe IPs/IP Ranges

Configure the list of IPs or IP ranges to be skipped by the DNS BlackList lookup by adding the respective IPs in this section. To edit the details of an already added IP or IP range, hit its corresponding Edit button; to delete it, click its respective Delete button. Should you like to add a new safe IP or IP range, hit the Add IP/Range button, select one of the available options (Network/Mask, IP Range or Single IP) and fill in its corresponding details in the displayed text box.

DNS Check

Available actions for this section include rejecting e-mails received from domains with no MX entry or e-mails from an originating IP with no reverse DNS entry. Just check the box in front of the option that you want to enable in order to activate it.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.
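How the Safe IPs/IP Ranges list interacts with the DNSBL section, as an added Python example that is not AXIGEN code. It assumes the three entry forms are written like `192.0.2.0/24`, `198.51.100.10-198.51.100.20` and `203.0.113.7` (the manual names the forms but not their syntax), uses the conventional DNSBL query name (reversed IPv4 octets in front of the list's zone), and uses placeholder zones under `example.org` and `example.net`; no DNS query is sent.

```python
import ipaddress

def parse_safe_entry(entry):
    """Return the (first, last) IPv4 addresses covered by one safe-list entry.

    Accepted forms (syntax is an assumption): Network/Mask, IP Range, Single IP.
    """
    entry = entry.strip()
    if "/" in entry:
        # Accepts both prefix length (/24) and dotted netmask (/255.255.255.0).
        net = ipaddress.IPv4Network(entry, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in entry:
        low, high = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if low > high:
            raise ValueError(f"range start is above range end: {entry}")
        return low, high
    single = ipaddress.IPv4Address(entry)
    return single, single

def is_safe(ip, safe_entries):
    """True when the connecting IP falls inside any safe-list entry."""
    addr = ipaddress.IPv4Address(ip)
    return any(low <= addr <= high
               for low, high in map(parse_safe_entry, safe_entries))

def dnsbl_query_name(ip, zone):
    """Build the name looked up for an IP in a DNS blacklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def plan_lookups(ip, safe_entries, blacklists):
    """Names that would be queried for this IP, in list order.

    blacklists is a list of (zone, enabled) pairs; safe IPs skip every lookup.
    """
    if is_safe(ip, safe_entries):
        return []
    return [dnsbl_query_name(ip, zone) for zone, enabled in blacklists if enabled]

def interpret_answer(a_records):
    """A DNSBL lists an IP by answering with an address in 127.0.0.0/8.

    An empty answer (NXDOMAIN) or an address outside that block is treated
    as 'not listed', so a hijacked or parked zone does not reject all mail.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in a_records)

# Constructed configuration and connections (documentation address ranges).
SAFE = ["192.0.2.0/24", "198.51.100.10-198.51.100.20", "203.0.113.7"]
BLACKLISTS = [("dnsbl.example.org", True), ("bl.example.net", False)]

if __name__ == "__main__":
    for ip in ["192.0.2.55", "198.51.100.15", "198.51.100.21", "203.0.113.99"]:
        names = plan_lookups(ip, SAFE, BLACKLISTS)
        print(f"{ip:15} -> {names if names else 'skipped (safe IP)'}")
    print("127.0.0.2 answer means listed:", interpret_answer(["127.0.0.2"]))
```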

Global Access Control

The Security & Filtering > Global Access Control tab allows system administrators to configure the parameters relative to the global access control, such as access restrictions and others.

Access Restriction

Use the options in this section to configure the IP/IP Ranges for which all services are to be denied access. To edit the details of an already set IP/IP Range, hit its corresponding Edit button; to delete it, click its respective Delete button. Should you like to add an IP/IP Range, hit the Add IP/Range button, select one of the available options (Network/Mask, IP Range or Single IP) and fill in its corresponding details in the displayed text box, then hit the Quick Add button.

Important! Global Access Restrictions will be automatically applied to all the services and their respective listeners. You can also set individual permissions for each service and each existing listener from the specific service configuration sections found under the Services tab.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Acceptance & Routing Tab

The Security & Filtering > Acceptance & Routing tab allows system administrators to configure the message acceptance settings and routing rules. This tab gives access to three pages:

Acceptance Basic Settings - containing the basic policies for e-mails acceptance.
Routing Basic Settings - containing the basic policies for e-mails routing.
Advanced Settings - containing the advanced policies for e-mails acceptance and routing.

Acceptance Basic Settings

The Acceptance & Routing > Acceptance Basic Settings page allows system administrators to configure a set of basic acceptance policies at SMTP-connection level, such as the maximum size for received e-mails, the allowed ESMTP commands, rules for local delivery and settings relative to the default SMTP banner. Incoming connections established via SMTP and the message flow can be easily managed using the established policies. Moreover, they allow adding headers, changing addresses and other such actions.

Received messages

Check the Limit message size option and then use the up and down arrows in order to specify the maximum size for received messages. Then use the drop-down menu to select one of the available options: bytes, KB, MB or GB as necessary. Maximum value: 4096 MB.

Use the up and down arrows or fill in the text box in order to specify the maximum number of received headers. This will result in denying looping e-mails when the number of received headers exceeds the specified value (30 in this example). Available values range from 1 to 999.

Check the Limit no. of recipients per message option in order to specify the maximum number of recipients for received e-mails. Fill in the text box or use the corresponding up and down arrows in order to set the specific value, between 1 and

Allowed ESMTP Commands

Specify the allowed ESMTP Commands using the options in this section. Enable the StartTLS, 8-bit MIME, binary or pipelining extensions by simply checking their corresponding boxes.

Allow/Disallow local delivery

Set the parameters for local delivery using the options under Allow/Disallow local delivery. Here you can choose to enable/disable the local delivery and mandatory authentication. Check the box for the option that you want to activate.

Override default SMTP banner

Should you like to set a new SMTP banner, check the box in front of the Override default SMTP banner option and then fill in the details of the new SMTP banner in the corresponding text box. The newly-added SMTP banner will automatically override the parameters of the default one.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Routing Basic Settings

The Acceptance & Routing > Routing Basic Settings page allows system administrators to configure a set of basic policies for message routing and thus customize SMTP Outgoing actions for all or part of the relayed communication: specifying a smart host, outgoing connections settings, enabling remote delivery or setting a new SMTP connection timeout.

Setting a Smart Host

Check the box in front of the Enable smart host delivery option and fill in the requested details in the Host and Port text-boxes. As a result, the smart host delivery will be enabled and all outgoing messages will be sent to the specified host.

Should you like to enable username/password authentication before relaying e-mails to a certain address, check the box in front of the option called Authenticate using and then fill in the username and password details in the available text boxes. You can also use an SSL connection by checking the box in front of the corresponding option, Use SSL connection.

Remote delivery

Enable remote delivery and mandatory authentication using the options under the Allow/Disallow remote delivery section. Just check the box in front of the option that you want to activate.

Outgoing connection settings

To allow the use of the StartTLS extension, check the Use StartTLS if available option.

Should you like to have messages sent through a specific network interface, check the box in front of the option called Send messages through network interface, then use the dropdown menu to select between using the system default network interface or using a custom one. In the latter case also specify the corresponding IP in the available text box.

Should you like to set a new SMTP connection timeout for outgoing messages, check the box in front of the option called Override default outgoing SMTP connection timeout, then use the up and down arrows to specify the parameter of the new timeout. Use the drop-down menu to select the value of the timeout (seconds, minutes or hours).

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Advanced Settings

The Acceptance & Routing > Advanced Settings page allows system administrators to configure a set of advanced message acceptance and routing policies for incoming and outgoing SMTP modules.

Advanced Settings

Use the options under Advanced Settings to further tune any of the already set SMFL filters. Advanced acceptance rules will override the basic acceptance policy settings for the specified conditions.

To edit or delete a specific acceptance/routing rule, just use the Edit or the Delete buttons available on the right side of the filter in question. To set the order in which available rules will be applied, use the up and down arrows under Priority.

Adding a new acceptance or routing rule

Hitting the Add Acceptance/Routing Rule button will lead you to another page called New Acceptance/Routing rule. Use the text box under General in order to specify the name of the new rule, then enable the new rule by checking the box in front of the Enabled option.

New rule conditions

Use the options under Conditions in order to specify the type of the new condition you wish to create, then hit the Add condition button and use the available text boxes and menus to configure the parameters of the newly-added condition. To delete one of the newly-added conditions, click the recycle bin shaped icon on its right. Created conditions can match all or just part of the specified criteria according to your choice.

Use the options under Conditions in order to specify the type of the new action that you wish to add, then hit the Add action button and use the available text boxes and menus to configure the parameters of the newly-added condition. To delete one of the newly-added conditions, hit the x button.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Incoming Message Rules Tab

The Security & Filtering > Incoming Message Rules tab allows system administrators to configure a set of message rules instructing the AXIGEN Mail Server to take certain actions on processed messages based on pieces of information contained by the message headers.

Important! Server level message rules can be overridden by specific domain/account/mail list/group level rules.

To edit or delete any of the available rules, just use the Edit or the Delete buttons available on the right side of the rules in question. To add a new message rule, click the Add Message Rule button and fill in the requested details. To set the order in which available rules will be applied, use the up and down arrows under the Priority section.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

New Message Rule Page

The Incoming Message Rules > New Message Rules tab allows system administrators to specify a new rule for incoming messages. Use the text box under General in order to specify the name of the new rule, then enable the new rule by checking the box in front of the Enabled option.

New rule conditions

Use the drop-down menu to select the type of new condition. Available options include setting criteria relative to the connection, local address, remote address, recipient, sender, DNS checks, session, extensions and delivery. To delete one of the newly-added conditions, hit the corresponding recycle bin shaped icon on its right. A new message rule can be set to match all or just part of the specified criteria according to your choice.

Further configure the rule by using one of the options displayed by the drop-down menu and then fill in the text box with the corresponding details.

Actions

Message rules extract information from the mail header and take actions according to the pre-defined rules. Use the drop-down menu available under Actions to set the actions corresponding to the conditions set above. To add a new action, click on the Add action option and then fill in all the corresponding details in the newly-displayed menus.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Queue

The Queue section gives access to settings, defining, processing and viewing options for messages within the queue and also allows system administrators to take specific actions on certain e-mails.

Processing Tab

The Processing tab allows you to adjust mail scheduling parameters according to your needs.

Logging

You can select several types of messages to be logged: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from white to gray.

Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Delivery

Use the options in the Delivery area in order to set the parameters for rescheduling e-mails in case of a non-critical delivery error in AXIGEN Mail Server.

The First delivery retry timeout for an e-mail field allows you to specify the time interval for rescheduling a message in case of a non-critical delivery error in AXIGEN Mail Server. The default value corresponds to 5 minutes; this means that the queue is rechecked after 5 minutes in order to attempt sending the message. The value for this parameter can be entered in seconds, minutes or hours. For each subsequent retry this timeout is doubled.

You can also specify the maximum time interval when the retry timeout is no longer doubled. This option is available in the Stop doubling retry timeout when it reaches field. The default value corresponds to 8 hours, meaning that once the retry timeout reaches 8 hours all subsequent retries will still be made after 8 hours and not after 16. The value for this parameter can be entered in seconds, minutes or hours.

Use the Max. number of retries field to specify the number of times AXIGEN server should try to deliver a mail message in case of a non-critical delivery error in AXIGEN Mail Server.

The Temporary delivery error reports area enables you to specify when you should first be notified about the failed attempts to deliver a message. The default value is 4. Change this value by using the up and down arrows or by simply entering the new parameter in the text box available after the Send notification after field. The notification format can also be defined by filling in the Notification Sender, Notification Subject, Notification Body begins with, Append this text for each failed recipient and Notification body ends with text fields. Check the Also attach to notification option so the notification will include either the entire original message or just its header.

In the Permanent delivery error reports area, you can also define the NDR (Non-Delivery Receipt) text and the conditions when such a message is returned. As an example, NDR responses are sent when the specified recipient of an e-mail message is invalid.
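The retry timing from the Delivery area above, worked through as an added Python example (not AXIGEN code). It uses the documented defaults of a 5 minute first retry timeout and an 8 hour ceiling; the retry count of 10 is a constructed value, since the manual gives no default for Max. number of retries, and the function names are illustrative.

```python
from datetime import timedelta

FIRST_RETRY = timedelta(minutes=5)   # documented default
DOUBLING_CAP = timedelta(hours=8)    # documented default
WEEKEND_OUTAGE = timedelta(hours=48) # constructed scenario

def retry_schedule(first=FIRST_RETRY, cap=DOUBLING_CAP, max_retries=10):
    """Return [(retry_number, wait_before_retry, elapsed_since_first_failure)].

    The wait doubles after every retry and is held at `cap` once doubling
    would exceed it, so with the defaults 320 minutes is followed by 480,
    not 640.
    """
    if first <= timedelta(0):
        raise ValueError("first retry timeout must be positive")
    schedule = []
    wait, elapsed = first, timedelta(0)
    for number in range(1, max_retries + 1):
        elapsed += wait
        schedule.append((number, wait, elapsed))
        wait = min(wait * 2, cap)
    return schedule

def retries_to_cover(outage, first=FIRST_RETRY, cap=DOUBLING_CAP):
    """Smallest 'Max. number of retries' whose last retry happens at or after
    the end of an outage of the given length at the destination."""
    if first <= timedelta(0):
        raise ValueError("first retry timeout must be positive")
    wait, elapsed, retries = first, timedelta(0), 0
    while elapsed < outage:
        elapsed += wait
        retries += 1
        wait = min(wait * 2, cap)
    return retries

def gives_up_after(first=FIRST_RETRY, cap=DOUBLING_CAP, max_retries=10):
    """Time between the first failed delivery and the final retry."""
    return retry_schedule(first, cap, max_retries)[-1][2]

if __name__ == "__main__":
    for number, wait, elapsed in retry_schedule():
        print(f"retry {number:2}: waits {str(wait):>8}, "
              f"{str(elapsed):>16} after the first failure")
    print("last retry after:", gives_up_after())
    print("retries needed to ride out 48 hours:", retries_to_cover(WEEKEND_OUTAGE))
```

With these defaults, ten retries end about a day and a half after the first failure, so a destination that is unreachable for a full weekend needs a higher retry count before the message is reported as undeliverable.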

You can further define the content of the error notification by inserting a number of variables covering the recipient address, failure reason, sender address, e-mail size, as well as the text to be added to the end of the notification body. Use the drop-down menu to also select whether to include the header of the original message or the entire original message.

Queue Parameters

The Queue path field allows you to specify the path to the internal server queue. If the string does not represent a valid path, the queue will not be stored. By default the AXIGEN server queue is stored in /var/opt/axigen/queue. Changing the already set path will take effect only after restarting the server.

Use the Max. number of queue subdirectories field in order to specify the upper limit for the number of subdirectories in the internal queue. The default value is 64, the maximum is 256.

In the Processing queue size field, specify the size of the internal processing queue. When too many messages have to be processed and this queue is full, the next messages will be rescheduled.

Use the Local delivery threads field to specify the number of threads handling the local SMTP delivery. Thus you can fine tune the server behavior to your usage scenario. If you want to use your server mainly for local delivery, you can set a higher number of delivery threads; the top limit is 128.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

View Queue

The Queue > View Queue tab allows you to view the processing queue with extensive information relative to the e-mails in the queue.

Viewing the Queue

When first accessing this tab, a list of e-mails in the queue is displayed. E-mail filtering options include searching the queued e-mails depending on their sender, receiver, size, sending date, retry data, status. The Next Retry field has the following format: dd mmm yyyy (i.e. 1 Jan 1970). Use the drop-down menus and text boxes to specify the filtering parameters, then hit the Go button to activate them. As a result, all e-mails meeting the specified criteria will be displayed. To view all e-mails in the queue again or set different filters, click the Reset Filter button and then fill in your new searching criteria.

Detailed message information

For details related to a specific e-mail in the queue, hit the Info button on the right hand of the e-mail in question and check the fields of the displayed text box.

Actions to be taken for selected items

Several actions can be applied to a specific e-mail or number of e-mails. These include retrying their delivery on the spot, deleting them or sending NDRs (non-delivery receipts) for the selected items. Hitting the Force Queue button will result in forcing the delivery of all e-mails in the queue no matter their retry schedules.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Status & Monitoring

The Status & Monitoring section gives access to configuring the reporting service, viewing charts reflecting different server parameters and extensive details on overall and domain-specific storage.

Reporting Service - for configuring the AXIGEN Mail Server logging service, including the logging levels and logging types.
Charts - containing the basic policies for e-mails routing.
Storage Charts - containing the advanced policies for e-mails acceptance and routing.

Reporting Service Tab

The Status & Monitoring > Reporting Service tab allows system administrators to configure the AXIGEN Mail Server logging service, including the logging levels and logging types.

SNMP is a networking management protocol used to monitor network-attached devices. SNMP allows messages (called protocol data units) to be sent to various parts of a network. Upon receiving these messages, SNMP-compatible devices (called agents) return data specific to certain parameters that are monitored to the SNMP manager.

To access SNMP listener configuration in WebAdmin, go to the Status & Monitoring module > Reporting Service tab. A list of the already configured listeners (if any) will be displayed, sorted by their IP addresses (lowest first). To enable/disable any of the existing listeners, just click on the corresponding button under Status. To edit/delete any of them, click on the corresponding Edit or Delete buttons under Actions.

To add a new listener, hit the Add Listener button and then fill in the text boxes with the IP address and port details. Should you like the new listener to have the Enabled status, check the box in front of the Enable this listener option. To finalize the adding of the new listener, click on Quick Add. For a detailed view of listeners usage in AXIGEN, see the Listeners section.

Logging

The log level can be set in the Logging section with the use of the slider, by moving it to the left or to the right, depending on how detailed the logging information should be. The selected types of messages will change color from transparent to gray. Please note that the log level values are cumulative (i.e. setting the log level to Warning messages will also log Critical messages and Error messages).

Log types

Use the drop-down menu under Log to select one of the available logging types. You can log (internally, remotely or using the system log) the activity of all services available in AXIGEN.

Use remote log option: AXIGEN Log Service can log internal data coming from other AXIGEN modules/services or data coming from the UDP port 2000 (default option). Use the drop-down menu to select the custom option if you wish to specify another port.

Data Collection

The Reporting Service is responsible for collecting events relevant for the System Administrator. Use the up and down arrows in order to specify the time interval when the logging information should be collected. The collected samples will be aggregated and stored according to each chart's configuration.

SNMP Parameters

In this section SNMP can be enabled by checking the box in front of it. Version 6.0 of AXIGEN now supports SNMP Traps that can be set either for connected managers or specific IPs by checking the SNMP Send Traps To All Managers option or defining an SNMP Community and adding IP:Port combinations to it.

To add a new trap destination, fill the details in the corresponding text field and click the Add button. Trap Destinations can be edited directly in the field they are displayed in or deleted by clicking their corresponding Delete button.

Download the AXIGEN MIB File to see all parameters monitored by the reporting service, their description and other relevant details.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Charts Tab

The Status & Monitoring > Charts tab allows system administrators to configure sets of parameters to be monitored and view their corresponding graphical activity charts.

Defined charts

When accessing the Charts tab, a list of the already configured graphics is displayed; if none has been previously created, the list will be empty.

To edit or delete any of the already defined charts, use the options under the Actions section: to edit the details of an already defined chart, hit the Edit button on the right side of its name; to delete it, click the corresponding Delete button. Should you like to add a chart, hit the Add Chart button and fill in the requested details.

Use the drop-down menu to select one of the available chart groups or create a new one by filling in its name in the corresponding text box. Then specify the desired name for your chart and hit the Next step button. This will result in displaying two new pages: Chart Parameters and Display Settings. The same pages will also appear when wishing to edit the parameters of an already defined chart.

Available Chart Groups

The defined Chart Groups allow quick and comprehensive browsing through all the displayed graphs: clicking on one of the available groups will result in displaying all the charts defined for that specific group to ease the search and configuration.

Refresh options

For an accurate representation, an automatic refresh option is available alongside a manual refresh button.

Chart Parameters Configuration

The Charts > Chart Parameters page allows system administrators to specify the parameters relative to a new or an already defined chart.

General settings

Use the options under the General Settings section in order to configure the parameters relative to the Chart Group and Chart Name. Use the drop-down menu on the right side of the Chart Group option in order to specify the name of the group within which the new chart will be created. Choose one of the already defined charts or use the Custom group option. The latter option will allow you to create a new chart group and fill in its name in the accompanying text-box on the right.

Data Aggregation

Use the options under the Data Aggregation section in order to specify the parameters to be collected, the aggregation function and interval, as well as the database storage details.

Use the drop-down menu available on the right hand side of the Parameter to collect option in order to select the new parameter to be monitored. Use the drop-down menu to select one of the available Aggregation Functions: average, maximum, minimum or total.

Use the drop-down menu to specify the Aggregation Interval. You can set the aggregation to be made every minute, hour or day, or choose the custom option in order to specify another interval ranging from 60 seconds to 60 days.

A rotation criterion can be enforced on the database by using the up and down arrows on the right side of the option called Rotate database after storing.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Display Settings

The Charts > Display Settings page allows system administrators to specify the parameters relative to a new or an already defined chart.

Predefined styles

To choose one of the predefined graphic types use the Chart Type drop-down box. Available options are bars, discrete dots, discrete lines, fill, fill with outline, and outline types. You can further customize the colors of your defined graphic using the Fill color and Outline color drop-down menus. Available options include black and white, gray, as well as red, orange, blue, magenta and green and their darker and lighter nuances.

Live Preview

Preview the display of the selected chart type by checking the Live Preview section. In this case, for example, you can view the Discrete lines chart type.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Storage Charts

The Status & Monitoring > Storing Charts tab allows system administrators to view graphical charts of the AXIGEN Mail Server space usage for both overall storage and per domain storage.

Overall Storage

Check this chart to view the aggregated disk storage and space usage information. Storage values will be displayed in KB and percentages.

Per Domain Storage

This section displays the space usage information for each of the domains hosted by AXIGEN. To ease the search, use the Domain Search option and fill in the name of the domain that you want to check. The information available for that specific domain will be displayed on a filter-as-you-type basis. Check the graphical bars to view the total storage information and space usage percentage for the selected domain.

Should you like to view additional storage information, click the Detailed Info button on the right side of the domain in question, in the Actions section. This will result in accessing another page with Detailed Storage Info, meaning the storage charts for the selected domain (such as localdomain.com in this example).

Important! The storage size on disk will automatically grow to its maximum configured expandable size, provided the disk has enough free space.

Detailed Storage Info

The Storage Charts > Detailed Storage Info page allows system administrators to view the storage information for the selected domain: the total storage files as well as details relative to the domain, object and message storages.

All Storage Files & Domain Storage

To view the information related to all the storage files for the selected domain, check the details under the All Storage Files section. Should you like some detailed information about the domain storage only, look in the Domain Storage section. You will thus be able to see the location of the domain storage files as well as the maximum number and size of domain storage files. The Domain Storage and Overall Usage Information are also available as a graphical bar with the corresponding values in KB and percentages.

For additional information about the location and name of the domain storage files hit the Show domain storage files button. To hide this option click the Hide domain storage files button.

Object Storage & Message Storage

For detailed information about the object and message storage check the details available under the corresponding sections: Object Storage and Message Storage. Again you will be able to see the location of the corresponding storage files as well as the maximum number and size allowed for such files. The Domain Storage and Overall Usage Information are also available as a graphical bar with the corresponding values in KB and percentages.

For more information about the location and name of the corresponding storage files, use the Show button. To get back to the previous page, Storage Charts, use the Back to: Storage Charts button available at the top of the current page.

Logging

The Logging section gives access to viewing, deleting and downloading log information for each AXIGEN Mail Server module, and to adding or configuring log collection rules.

Local Services Log

The Logging > Local Services Log tab allows system administrators to view the log information for each of the AXIGEN Mail Server modules.

Local Services Log Overview

Check the options under the Local Services Log Overview section to view the AXIGEN modules and their logging levels and files. Displayed Log Levels are the ones configured in the Reporting Service tab from the Status & Monitoring section.

For each AXIGEN module, information messages related to the processed data and connections are stored by default under the 'default.txt' file. To change the implicit location of the file click the Change button, then fill in the new file name and click on Save.

Log Collection Rules

The Logging > Log Collection Rules tab allows system administrators to view or add log collection rules.

Log Collection Rules

When accessing this page, a list of the already defined log collection rules will be displayed. To edit one of the rules use the Edit button available on the right side of the rule in question; to delete it use its corresponding Delete button.

To set the order in which the defined log collection rules will be applied use the up and down arrows displayed on the right hand of the Delete option.

The default rule found in this context will store the data logged from all the AXIGEN modules into the default.txt file. For specific logging needs additional collection rules can be added by clicking on the Add Rule option.

Adding or editing a log collection rule implies configuring the same set of parameters available in a new page that will be displayed: Configure Log Collection Rule.

Log Collection Rule Configuration

The Log Collection Rules > Configure Log Collection Rule page contains the parameters relative to the configuration of new log collection rules including the services for which logs are to be created, log levels and rotation criteria.

Settings section

Use the drop-down menu under the Collect messages from option in order to select the general type of services for which logs are to be kept. Available options include local services and remote host. When choosing the latter option you will also have to specify the remote host details in an additional text box.

The Collect logs from service option enables you to select the specific service for which logs are to be created. Use the drop-down menu to make your choice.

Use the in file option to view or change the file that will store all the information messages related to the processed data and connections. To change it just fill in the new details in the available text box.

Logging

The log level can be set in the Logging section with the use of the slider, by moving it to the left or to the right, based on how detailed the logged information should be. The selected types of messages will change color from transparent to gray.

Rotation Parameters

In the Rotation parameters section options such as destination file size, maximum lifetime for the destination file and also the limit number of old log files kept can be defined. To enable any of these options check the boxes in front of them, then use the up and down arrows to set their specific values.

Note that the default setting for the Limit no. of old log files kept to option indicates that all old rotated log files will be kept.

Important: When selecting a predefined rotation interval (Daily/Weekly/Monthly) the rotation will be performed at midnight, when the rotation interval ends.

When you are done configuring these parameters remember to hit the Save Configuration button to preserve your changes. To go back to the Log Collection Rules tab hit the Back to: Log Collection Rules option available in the top left corner of this page.

View Log Files

The Logging > View Log Files tab enables system administrators to view, delete or download all the log files storing the information for defined log collection rules.

Log files

When accessing this tab a list of all the available log files will be displayed. To change the number of displayed logs use the drop-down menu available for the Show...files per page option. To view another page of logs click on its corresponding number or on the Next option.

Viewing, deleting or downloading a log file

To see the contents of a log file click the View option available on its left side. A new section with the logged information will appear, along with scrolling options for viewing the entire content of the log file.

To delete a specific log file click on its corresponding Delete button.

To download a certain log file hit the button available on the right side of its Delete option. A helpful note will also appear, informing you that this button can be used to Download the log file in question.

Log Server Settings

The Logging > Log Server Settings page allows you to configure parameters relative to this specific service's configuration, to add listeners and further manage and define logging parameters.

Listeners

Currently, UDP listeners are only available for the Logging service, the only AXIGEN UDP Service. A list of the already configured listeners (if any) will be displayed, sorted by their IP addresses (lowest first). They are used to specify the socket to listen to for connecting to the Log service.

To enable/disable any of the existing listeners just click on the corresponding button under Status. To edit/delete any of them hit the corresponding Edit or Delete buttons under Actions.

To define a new listener, use the Add Listener button and fill in the text boxes with the IP address and port details. The default value for this parameter is :2000. Should you like the new listener to have the Enabled status check the box in front of the Enable this listener option. To finalize the adding of the new listener click on Quick Add. For a more detailed view see the Listeners section.

Logging Settings

To set the Log Level click the slider and move it to the left or to the right. The selected types of messages will change color from transparent to gray. Please note that the log level values are cumulative (i.e. setting the log level to Informational Messages will also log Critical messages, Error messages and Warning Messages).

Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Backup and Restore Tab

The FTP Backup & Restore tab allows you to configure parameters relative to this specific service's configuration, add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listeners and rule configuration, see the TCP Listeners and Control Rules chapter.

Through Service Configuration system administrators can manage logging, error and thread control parameters.

Logging

You can select several types of messages to be logged for the Backup & Restore service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged click the Log Level slider and move it to the left or to the right; the selected types of messages will change color from white to gray.

Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Error Control

To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts check the respective options in the Error Control area of the Backup & Restore service. Use the up and down arrows corresponding to each of these options to set a specific number of errors.

Thread Management

Thread management allows you to set different numbers of processing threads for the Backup & Restore service depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the Backup & Restore service is started. To have a different number of threads for peak periods check the overload option and use the up and down arrows to choose the thread number.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Automatic Migration Tab

The Automatic Migration tab allows system administrators to enable and configure the automatic migration of domains previously managed with a different mail server to the AXIGEN Mail Server.

When first accessing the tab an alphabetical list of existing domains is displayed. The current status of the migration is displayed - Migration Enabled/Disabled - and the opposite action button - Disable/Enable - is available for each domain.

If the domain list is quite large and you need to locate a certain domain, type its name in the Domain Search text field and hit Enter on your keyboard. Should you like to return to the prior alphabetical list click the Reset Filter button displayed after the search filter has been successfully applied.

In order to enable the migration process for a certain domain you have to first configure its parameters. To do so, first hit the Configure button corresponding to each domain name. The options in the below screen capture will appear:

To turn on the migration process please check the Enable automatic migration for this domain option.

For the migration process to work you should also configure the connection to the old mail server. Therefore please specify the IP/Hostname of the previously used server and its SMTP and IMAP Ports in the corresponding text fields. To preserve these connection details please hit the Quick Save button.

Important! Some mail servers allow you to create folder names containing the "/" character. AXIGEN cannot migrate folders whose names contain this specific character, therefore you need to rename them before migrating so that the process is completed successfully.

Clustering Section

The Clustering section allows system administrators to set up the AXIGEN Mail Server clustering support. Clustering support is based on OpenLDAP integration with AXIGEN and allows routing for the POP3 Proxy and IMAP proxy services. This new feature enables system administrators to spread mailboxes on several AXIGEN servers and have a separate machine that routes POP3/IMAP connections to the appropriate mailbox server. It also supports the LDAP Authentication mechanism for the AXIGEN Mail Server. For further details on the Clustering Support features and functionalities, please see the corresponding section in the Architecture chapter.

Clustering Setup

The Clustering Setup tab gives access to three different pages:

LDAP Connectors - allows system administrators to create and manage LDAP Connectors and to also set some general parameters relative to logging and connection threads.
User Maps - the page gives access to creating, editing and deleting user maps.
Routing and Authentication - containing parameters relative to routing possibilities through POP3 Proxy, IMAP Proxy and SMTP.

LDAP Connectors Page

The LDAP Connectors Page allows system administrators to manage existing LDAP connectors and to create new ones as well as to configure some general parameters that direct logging and threading behavior for the connectors.

When first accessing the LDAP Connectors Page a list of already defined connectors is displayed. To change the settings for an already defined LDAP connector hit its corresponding Edit button, to delete it use the Delete button. To create a new LDAP connector click the Add Connector button. Whether adding or editing a connector the same configuration window pops up.

To specify a name for your newly defined connector use the LDAP Connector name text field.

Proceed with specifying a combination of IP/Hostname and port for your connector using the dedicated fields in the LDAP Server Parameters section. Under these fields the generated LDAP host URL will be displayed. This URL follows the ldap://ip/hostname:port pattern.

The next step in configuring the LDAP connector is to select if an anonymous bind or an administrative DN is to be used. Should you check the Use administrative DN option you will also have to specify in the same LDAP Search Parameters section your selected values for four other fields: Admin DN, Admin DN Password, Search Base and Search Filter.

Should you like an error to be returned when more entries match a search filter check the respective option in the LDAP Search Parameters section. If this option is left unchecked the first entry matching the search filter will be used.

The final step is to specify a Password Attribute and a Hostname attribute for the currently configured connector in the LDAP Attributes Mapping section. After completing this step press the Quick Add button to save your settings.

Logging Parameters

You can select several types of messages to be logged for the LDAP Connectors: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from transparent to gray.

Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Thread Management

Thread management allows you to set different numbers of processing threads for the LDAP Connectors depending on your traffic load. Set a number of threads to be allotted when the LDAP Connectors are started using the up and down arrows.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.
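The effect of the option that returns an error when more entries match a search filter can be seen in the following added example, which is not part of the manual and is not AXIGEN code. It evaluates a small subset of LDAP filter syntax over a constructed directory; the entries, the `mailhost` attribute name and all function names are assumptions made for illustration.

```python
class AmbiguousMatch(Exception):
    """More than one directory entry satisfied the search filter."""


def _parse(text, pos):
    # Subset of RFC 4515: (&..), (|..), (!..), (attr=value), (attr=*); no escapes.
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|", "!"):
        pos += 1
        children = []
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' group near offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"expected attr=value near offset {pos}")
    return ("=", attr.lower(), value), end + 1


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = node[0]
    if op == "&":
        return all(matches(child, attrs) for child in node[1])
    if op == "|":
        return any(matches(child, attrs) for child in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    values = attrs.get(attr, [])
    if value == "*":                      # presence test
        return bool(values)
    # Assumption: case-insensitive comparison, as for most directory strings.
    return any(v.lower() == value.lower() for v in values)


def resolve(entries, filter_text, error_on_multiple):
    """Return the entry a lookup would use, or None when nothing matches."""
    node = parse_filter(filter_text)
    hits = [e for e in entries if matches(node, e["attrs"])]
    if len(hits) > 1 and error_on_multiple:
        raise AmbiguousMatch(", ".join(e["dn"] for e in hits))
    return hits[0] if hits else None


def ambiguous_values(entries, attr):
    """Values of `attr` carried by more than one entry, mapped to their DNs."""
    owners = {}
    for entry in entries:
        for value in entry["attrs"].get(attr, []):
            owners.setdefault(value.lower(), []).append(entry["dn"])
    return {v: dns for v, dns in owners.items() if len(dns) > 1}


# Constructed sample directory: a shared mailbox also carries jsmith's address.
DIRECTORY = [
    {"dn": "uid=helpdesk,ou=people,dc=localdomain,dc=com",
     "attrs": {"uid": ["helpdesk"],
               "mail": ["helpdesk@localdomain.com", "jsmith@localdomain.com"],
               "mailhost": ["mbox2.localdomain.com"]}},
    {"dn": "uid=jsmith,ou=people,dc=localdomain,dc=com",
     "attrs": {"uid": ["jsmith"], "mail": ["jsmith@localdomain.com"],
               "mailhost": ["mbox1.localdomain.com"]}},
]

if __name__ == "__main__":
    loose = "(mail=jsmith@localdomain.com)"
    print("first match:", resolve(DIRECTORY, loose, False)["attrs"]["mailhost"])
    try:
        resolve(DIRECTORY, loose, True)
    except AmbiguousMatch as exc:
        print("strict mode refused:", exc)
    print("non-unique mail values:", ambiguous_values(DIRECTORY, "mail"))
```

With the option unchecked, the loose filter silently picks the shared mailbox's entry and its host; running `ambiguous_values` over an export of the directory shows which attribute values would trigger the error once the option is enabled.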

User Maps Page

Through the User Maps page system administrators can manage existing user maps and also add new ones.

When first accessing this page a list of already defined user maps is displayed. To modify an existing user map use the corresponding Edit button, to delete it click the Delete button. To add a new one simply hit the Add User Map button. Whether adding a new map or editing an existing one the same configuration window pops up.

Specify a name for the map you are currently configuring in the User Map name text field. Then select a type for your user map using the User Map type drop-down menu. Available options are local file, LDAP Password and LDAP Bind. Should you choose local file you have to specify the path to the respective file's location in the second text field of this parameter. For LDAP Password and LDAP Bind the text field turns into a second drop-down menu used to select one of the LDAP connectors defined on the LDAP Connectors page.

After configuring these parameters, hit the Quick Add button (if adding a new user map) or the Update button (if editing an existing one) to save your settings.

Routing and Authentication Page

The Routing and Authentication page allows system administrators to select the authentication type performed for all services of the AXIGEN Mail Server and to also set parameters managing routing behavior at POP3 Proxy, IMAP Proxy and SMTP level.

The authentication can be of three types (available in a drop-down menu) - internal, LDAP Password and LDAP Bind. When selecting internal the authentication will be performed through the internal user database. If LDAP Password or LDAP Bind is selected one of the LDAP connectors defined on the LDAP Connectors page must be selected.

Routing and proxy redirect requests are performed through one of the user maps previously defined. Therefore, please select one of the existing user maps using the corresponding drop-down menu from the Routing configuration section. In some cases no match will be found for a certain request within the selected user maps. For these particular cases please specify an IP/port combination to redirect POP3 requests to and one for IMAP requests to be redirected to.

To have routing at SMTP level enabled check the respective option in the Routing configuration section and select an existing user map in the dedicated drop-down menu. In some cases no match will be found for a certain request within the selected user maps. For these particular cases please specify an IP/port combination to redirect SMTP requests to.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

POP3 Proxy Tab

The POP3 Proxy tab allows you to configure parameters relative to this specific service's configuration, add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration see the TCP Listeners and Control Rules chapter.

Through Service Configuration system administrators can manage logging, authentication and encryption, error and thread control parameters and backend server connection settings.

Logging

You can select several types of messages to be logged for the POP3 Proxy service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from transparent to gray.

Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Encryption and Authentication

The POP3 Proxy service allows only one authentication method, which is PLAIN. Since it is therefore recommended to use StartTLS or SSL to enhance connection security, please check the Allow StartTLS option in the Encryption and Authentication section.

Should you like your proxy to handle the authentication, check the Perform authentication on proxy option. Otherwise, the authentication will be performed on the back-end server.

Error Control

To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts check the respective options in the Error Control area of the POP3 Proxy service. Use the up and down arrows corresponding to each of these options to set a specific number of errors.

Thread Management

Thread management allows you to set different numbers of processing threads for the POP3 Proxy service depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the POP3 Proxy service is started. To have a different number of threads for peak periods check the overload option and use the up and down arrows to choose the thread number.

Back-end Server Connection Settings

To set a specific sending and receiving timeout first check the respective option in the Backend Server Connection Settings section. The timeout is computed in milliseconds (use the up and down arrows or edit the respective text field to increase or decrease the default value) and ranges between 10 and The total number of connections established on the back-end server can be limited by checking the corresponding option. Use the up and down arrows or edit the respective text field to increase or decrease the default value - possible values range between 1 and connections.

In order to overwrite the default local network interface used for back-end server connections check the corresponding option and type the respective interface in the Local network interface IP address field.

Use a secure (SSL enabled) connection when accessing the back-end server by checking the corresponding option in the Back-end Server Connection Settings section.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

IMAP Proxy Tab

The IMAP Proxy tab allows you to configure parameters relative to this specific service's configuration, add listeners and manage access to the service by adding rules applicable to all existing listeners. For details on listener and rule configuration, see the TCP Listeners and Control Rules chapter.

Through Service Configuration system administrators can manage logging, authentication and encryption, error and thread control parameters and backend server connection settings.

Logging

You can select several types of messages to be logged for the IMAP Proxy service: critical messages, error messages, warning messages, informational messages and protocol communication. To select which of these are to be logged, click the Log Level slider and move it to the left or to the right. The selected types of messages will change color from transparent to gray.

Log files can be stored using your internal log files, your system's log files or within the log files located on a remote system. Use the Log drop-down menu to select where to have your log files saved.

Encryption and Authentication

The IMAP Proxy service allows only one authentication method, which is PLAIN. Since it is therefore recommended to use StartTLS or SSL to enhance connection security, check the Allow StartTLS option in the Encryption and Authentication section.

Should you like your proxy to handle the authentication, check the Perform authentication on proxy option. Otherwise, the authentication will be performed on the back-end server.

Error Control

To set a maximum number of errors caused by invalid commands received from clients or by failed authentication attempts check the respective options in the Error Control area of the IMAP Proxy service. Use the up and down arrows corresponding to each of these options to set a specific number of errors.

Thread Management

Thread management allows you to set different numbers of processing threads for the IMAP Proxy service depending on your traffic load. First, using the up and down arrows, set a number of threads to be allotted when the IMAP Proxy service is started. To have a different number of threads for peak periods check the overload option and use the up and down arrows to choose the thread number.

Back-end Server Connection Settings

To set a specific sending and receiving timeout first check the respective option in the Backend Server Connection Settings section. The timeout is computed in milliseconds (use the up and down arrows or edit the respective text field to increase or decrease the default value) and ranges between 10 and You can limit the total number of connections established on the back-end server by checking the corresponding option. Use the up and down arrows or edit the respective text field to increase or decrease the default value - possible values range between 1 and connections.

In order to overwrite the default local network interface used for back-end server connections check the corresponding option and type the respective interface in the Local network interface IP address field.

To use a secure (SSL enabled) connection when accessing the back-end server, please check the corresponding option in the Back-end Server Connection Settings section.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

9.11. Administration Rights Section

Starting with version 5.0, the AXIGEN Mail Server features Delegated Administration options which enable the easy creation of administrative groups, with predetermined membership hierarchies and permissions, assigned to specific domains.

The Administration Rights section gives access to parameters configuring the behavior of such administrative users or imposing the limitations for each type of administrative user created.

Administrative Groups Tab

The Administration Rights > Administrative Groups tab allows system administrators to create administrative groups and further define their attributes and specific permissions.

Administrative Groups

When first accessing this tab a list of the already defined administrative groups is displayed. Groups are listed in alphabetical order to ease the search and editing of a specific group.

To edit/delete an existing administrative group use the Edit and Delete options available under Actions, on the right hand side of the group in question.

To define a new administrative group hit the Add administrative group button, then fill in the group name and display name in the corresponding text boxes. Use the Quick Add option to save the details directly or click on Advanced config to further tune it: choose its membership hierarchy and assign the permissions you want the group to have.

Whether editing an already defined administrative group or trying to create a new one you will make use of the same options available in three sub-pages called General, Membership, respectively Permissions.

General

The Administrative Groups > General sub-page allows system administrators to specify the name and display name of the configured administrative group.

General parameters

Whether creating a new administrative group or editing an already created one use the available text boxes under the Settings section to specify the Administrative groupname and Display name.

When you are done configuring these parameters remember to hit the Save Configuration button to preserve your changes.

Membership

The Administrative Groups > Membership sub-page allows system administrators to further configure administrative groups by specifying their hierarchy among the other existing groups.

Membership hierarchy

Use the options under Membership hierarchy to set the hierarchy of the configured administrative group (AccountAdministrators in this example). Thus, the configured group can be assigned as a member of the existing available groups or removed from an already existing group member list by using the two arrows.

Example: check the box in front of the CustomPermissions group and then click on the green arrow; as a result, the AccountAdministrators group will be moved to the list of administrative groups to which this group belongs, as a member.

Members of the configured group

The Members of this group section gives you an overview of this group's children (both administrative groups and users which inherit permissions from the current group).

Parents of the configured group

Check the Parents of this group section in order to view the groups from which the currently configured group, AccountAdministrators, inherits permissions. Click the '+' sign corresponding to the group that interests you in order to see further details relative to its child groups and their hierarchy.

Important! Please note that cyclic inclusion is not permitted (i.e. if group A is a member of group B and group B is a member of group C, then group C will not be allowed as a member of group A).

When you are done configuring these parameters remember to hit the Save Configuration button to preserve your changes.

Permissions

The Administrative Groups > Permissions sub-page allows system administrators to specify the parameters relative to server and domain permissions for the configured administrative group.

Explicit Permissions

Two classes of permissions can be delegated to an administrative group: server permissions allow administrative users based on this group to modify certain server modules; domain management permissions include management rights on all domains or on any specific domain (previously created).

Setting explicit permissions at server level

Check the Explicit server permissions section for a list of the already defined server permissions for the configured administrative group. Should you like to edit or delete any of the existing permissions use the corresponding Change and Remove options.

352

To delete all permissions relative to a certain service, just hit the Remove all button. To add new server permissions for the configured administrative group, click on the Add server permission button and fill in the requested details.

Adding server permissions

Click on the Add server permission button, then use the available drop-down menus to configure the new permission by choosing the service and the action to be taken relative to the selected module. Available actions are: Allow and Deny. Hit the Quick Add button to finish adding the new configuration.

Setting explicit permissions at domain level

Check the Explicit domain permissions section for a list of the already defined server domain permissions for the configured administrative group. To edit or delete any of the existing permissions, use the corresponding Change and Remove options. To delete all permissions relative to a certain service, just hit the Remove all button. To add new server permissions for the configured administrative group, click the Add domain permission button and fill in the requested details.

353

Adding domain permissions

Click on the Add domain permission button and use the available drop-down menus to configure the new permission by choosing the service and the action relative to the selected module. Available actions are: Allow and Deny. Hit the Quick Add button to finish adding the new configuration.

Effective permissions

Check the Effective Permissions section for complete information about the permissions available for the configured administrative group at different levels (resources): server, any domain, a specific domain. The information displayed for a given resource results from the permissions inherited from the group's parents combined with the permissions assigned directly to this group.
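The membership rule (no cyclic inclusion) and the Effective permissions view described above can be modelled as follows. This is an added example, not AXIGEN code: the class and function names, the RestrictedOperators group and the example.test domain are constructed, and the precedence it applies (a directly assigned permission beats an inherited one, Deny beats Allow between parents, a specific-domain entry beats an any-domain entry, nothing granted means refused) is an assumption the manual does not state.

```python
from collections import defaultdict

ALLOW, DENY = "Allow", "Deny"
SERVER, ANY_DOMAIN = "server", "any domain"


class CycleError(ValueError):
    """Raised when a membership change would create cyclic inclusion."""


class AdminDirectory:
    """Administrative users and groups, their parent groups and explicit permissions."""

    def __init__(self):
        self.parents = defaultdict(set)     # principal -> groups it is a member of
        self.explicit = defaultdict(dict)   # principal -> {(resource, service): action}

    def ancestors(self, name):
        """Every group `name` inherits from, directly or through other groups."""
        seen, stack = set(), list(self.parents[name])
        while stack:
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                stack.extend(self.parents[group])
        return seen

    def add_member(self, member, group):
        # If `group` already inherits from `member`, the new edge closes a loop.
        if member == group or member in self.ancestors(group):
            raise CycleError(f"{member} -> {group} would create cyclic inclusion")
        self.parents[member].add(group)

    def set_permission(self, principal, resource, service, action):
        if action not in (ALLOW, DENY):
            raise ValueError(action)
        self.explicit[principal][(resource, service)] = action

    def effective(self, principal):
        """Return {(resource, service): (action, where it comes from)}."""
        result = {}
        for parent in sorted(self.parents[principal]):
            for key, (action, _) in self.effective(parent).items():
                previous = result.get(key)
                # Assumption: between two parents, Deny wins over Allow.
                if previous is None or (previous[0] == ALLOW and action == DENY):
                    result[key] = (action, parent)
        # Assumption: a permission set directly on the principal wins.
        for key, action in self.explicit[principal].items():
            result[key] = (action, principal)
        return result

    def is_allowed(self, principal, resource, service):
        permissions = self.effective(principal)
        keys = [(resource, service)]
        if resource not in (SERVER, ANY_DOMAIN):
            keys.append((ANY_DOMAIN, service))   # fall back to the any-domain entry
        for key in keys:
            if key in permissions:
                return permissions[key][0] == ALLOW
        return False   # assumption: nothing granted means refused


def build_sample():
    """Constructed hierarchy using the group and user names from the manual."""
    d = AdminDirectory()
    d.add_member("AccountAdministrators", "CustomPermissions")
    d.add_member("DomainAdministrator1", "AccountAdministrators")
    d.add_member("DomainAdministrator1", "RestrictedOperators")  # hypothetical group
    d.set_permission("CustomPermissions", ANY_DOMAIN, "IMAP", ALLOW)
    d.set_permission("CustomPermissions", SERVER, "SMTP Receiving", ALLOW)
    d.set_permission("AccountAdministrators", "example.test", "IMAP", DENY)
    d.set_permission("RestrictedOperators", SERVER, "SMTP Receiving", DENY)
    d.set_permission("DomainAdministrator1", SERVER, "POP3", ALLOW)
    return d


if __name__ == "__main__":
    directory = build_sample()
    for key, (action, source) in sorted(directory.effective("DomainAdministrator1").items()):
        print(key, action, "from", source)
```

Reviewing the printed source of each entry is the same check the Effective Permissions section supports: it shows which parent group is responsible for a right a delegated administrator should not have.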

354

Administrative Users Tab

The Administration Rights > Administrative Users tab enables system administrators to configure the parameters relative to administrative users.

Administrative users' list

When first accessing the Administrative Users tab, a list of the already defined administrative users is displayed in alphabetical order, to make it easier to find a specific user. To edit or delete any of the existing administrative users, hit the Edit and/or Delete buttons corresponding to the users in question.

Adding a new administrative user

To add a new user, click the Add administrative user option and fill in the available text boxes with the requested information: Administrative username, Password and Display name. Set a password manually by entering the desired password in the Password text box, or hit the Set Random button to have AXIGEN automatically assign a password to the configured administrative user. The automatically generated password will also be displayed for information. To add the new administrative user with the newly configured details, click on the Quick Add button; to further fine-tune its parameters, hit the Advanced Config option.

355

You will then be able to access three new pages: General, Membership and Permissions. The same three pages also appear when editing an existing administrative user by hitting the above-mentioned Edit button.

General

The Administrative Users > General sub-page allows system administrators to configure general data regarding administrative users, such as username, password and display name details.

General settings

Whether creating a new administrative user or editing an existing one, use the text boxes in the Settings section to specify the Administrative username and Display name. The password can either be typed in the corresponding field or be automatically assigned by AXIGEN when hitting the Set Random button. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Membership

The Administrative Users > Membership page allows system administrators to set the membership hierarchy of the configured administrative users.

Membership hierarchy

356

Use the options under Membership hierarchy to set the hierarchy of the configured administrative user (DomainAdministrator1 in this example). The configured user can be assigned as a member of the existing available administrative groups, or removed from an existing group list, by using the two arrows. Example: check the box in front of the Server Administrators group and then click on the green arrow; as a result, the Server Administrators group will be moved to the list of administrative groups to which the DomainAdministrator1 user will belong as a member. When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

Permissions

The Administrative Users > Permissions page allows system administrators to specify the parameters relative to the server and domain permissions for the configured administrative user.

Explicit Permissions

Two classes of permissions can be delegated to an administrative user: server permissions allow administrative users to modify certain server modules; domain management permissions can include management rights on all domains or a specific domain.

Setting explicit permissions at server level

Check the Explicit server permissions section for a list of the already defined server permissions for the configured administrative user. To edit or delete any of the existing permissions, use the corresponding Change and Remove options. Clicking on the Change button changes the permission from Allow to Deny or back, as the case may be. To delete all permissions relative to a certain service, just hit the Remove all button. To add new server permissions for the configured administrative user, click on the Add server permission button and fill in the requested details.

Adding server permissions

Click on the Add server permission button, then use the available drop-down menus to configure the new permission by choosing the service and the action to be taken relative to the selected module. Available actions are: Allow and Deny. Hit the Quick Add button to finish adding the new configuration.

357

Setting explicit permissions at domain level

Check the Explicit domain permissions section for a list of the already defined domain permissions for the configured administrative user. To edit or delete any of the existing permissions, use the corresponding Change and Remove options. Clicking on the Change button changes the permission from Allow to Deny or back, as the case may be. To delete all permissions relative to a certain service, just hit the Remove all button. To add new server permissions for the configured administrative user, click on the Add server permission button and fill in the requested details.

358

Adding domain permissions

Click on the Add domain permission button, then use the available drop-down menus to configure the new permission by choosing the service and the action relative to the selected module. Available actions are: Allow and Deny. Hit the Quick Add button to finish adding the new configuration.

Effective permissions

Check the Effective Permissions section for complete information about the permissions available for the configured administrative user at different levels (resources): server, any domain, a specific domain.

359

Domain Admin Limits Configuration

The Administration Rights > Domain Admin Limits tab allows you to set the domain-level limits or restrictions to be applied to the administrative users with permissions on the respective domain.

Domain Admin Limits

When first accessing this tab, a list of the available domains is displayed in alphabetical order. To quickly locate a certain domain, use the Domain Search option available in the upper right corner. This field enables you to search by the name of the domain, on a filter-as-you-type basis. To configure the limits and restrictions set at domain level for specific administrative users, hit the Configure button. This leads you to a new page, Configure Admin Limits, with several fields to be filled in with the corresponding parameters.

The Configure Domain Admin Limits sub-page

Services

In the Services section you can limit the list of services that can be allowed by delegated administrators for this domain. To allow or deny any of the listed services, use the corresponding options available on the right-hand side of the screen: Allowed or Denied. In the displayed example, delegated admins for the configured domain have administration rights for all corresponding services except IMAP.

360

Accounts and Account Classes

Use the options under the Accounts/Account Classes section to restrict the value ranges within which the delegated administrators of this domain can operate at account/account class level. You can set limits for the following: total number of accounts and account classes, total number of folders, total number of messages in all folders, total mailbox size, total number of messages per folder, as well as the maximum range for each folder size. Use the up and down arrows to configure the necessary values and, where needed, the drop-down menu to select the corresponding unit (KB, MB or GB) for the specified limits.

Groups

To restrict the number of groups an admin of this domain can create, check the box in front of the option under Groups, then use the up and down arrows to specify the desired values.

361

Mailing Lists

Use the options under the Mailing Lists section to restrict the value ranges in which the delegated administrators of this domain can operate at mailing list level. Check the boxes in front of the displayed options and then use the up and down arrows to specify the parameters relative to the number of mailing lists, total number of folders, total number of messages in all folders, total mailbox size, total number of messages per folder, as well as the maximum size for each folder.

Public Folders

362

Use the options under the Public Folders section to restrict the value ranges in which the delegated administrators of this domain can operate at public folder level. Check the boxes in front of the displayed options and then use the up and down arrows to specify the parameters relative to the maximum number of addresses per public folder, total number of folders, total number of messages in all folders, the total mailbox size and total number of messages per folder, as well as the maximum size for each public folder. When you are done configuring these parameters, hit the Save Configuration button to preserve the newly specified values.

TCP Listeners and Control Rules

AXIGEN Mail Server can use different Listeners for its TCP services (SMTP Receiving, POP3, IMAP, WebMail, WebAdmin, CLI and FTP Backup & Restore) and UDP services (Log and Reporting). Listeners are network points of entry associated with an interface address and port number that grant access to a specific TCP or UDP service. Listeners add flexibility and configurability to each AXIGEN service, as they can be used to grant differentiated access to the same services for different categories of users (e.g. users within a specific domain). Moreover, listeners can be associated with a variety of rules that define specific limitations for connections coming from IPs within specified IP sets.

Listeners can be defined, using various parameters corresponding to that TCP service, from the configuration file (as of type "TcpListener" OBJECT-SET) or through WebAdmin (the web configuration interface). UDP service listeners have fewer parameters, as connection-related parameters do not apply to them.

For more information, please check the following pages:

Listeners
Access and Flow Control Rules

363

Listeners

In AXIGEN, it is possible to configure TCP listeners for all TCP services: SMTP Receiving, POP3, IMAP, WebMail, WebAdmin, FTP Back-up & Restore, and CLI. To access listener configuration in WebAdmin, first click on the service tab (SMTP Receiving, POP3, IMAP, WebMail, WebAdmin, FTP Back-up & Restore or CLI). A list of the already defined listeners (if any) is displayed under the dedicated Listeners section, sorted by their IP addresses. Editing one of the existing listeners gives access to two configuration pages: General and SSL Settings. The same pages are also displayed when hitting the Add Listener button and choosing the Advanced Config option.

Example: SMTP Receiving listeners

Whether you are adding or editing a listener, and whichever service tab you are on, the same parameters are available in two dedicated pages: General and SSL Settings.

Configuring General Parameters

The General page enables system administrators to set general parameters for the listener being configured, such as the listener bind address, connection parameters and access control rules.

General settings

364

To enable the currently configured listener, check the box in front of the Enable this listener option. To edit or specify the listener address, use the IP-related text boxes. Listeners are uniquely identified by their address attribute, which is the IP address followed by a colon and the port number. Two or more listeners cannot have the same address value - only the first object correctly defined is considered.

Flow control

Within the Flow Control section you can enforce global access limitations to this listener by setting the maximum number of: simultaneous connections, concurrent connections from each remote IP address, new connections made in a defined time interval and connections from each remote IP address in a defined time interval. The default time interval is set to 1 minute. Use the up and down arrows and drop-down menus to specify the necessary parameters and time values.

Note: You can also set up Flow Control for specific IP sets by creating Access Rules for this listener.

Access Control

Under Access Control you can define simple access lists to restrict the access to this service through the defined listener. After clicking the Add Rule button, addresses can be entered in a Network/Mask, Single IP address or IP Range format, and the actions that can be taken are Allow and Deny. Use the up and down arrows (next to the Delete button) to set priorities between the rules, and click the Flow Control button to enforce global access limitations to the rule, using the same options as the ones described in the above section. All defined listeners have, by default, a rule allowing any IP address if no other rules match Service Rules.

365

Note: Listener level access rules will override for this listener any existing global access rules and service access rules.

Other settings

An inactivity period threshold can be defined for connections made to this listener, to ensure that unused resources are freed and used to provide access for other clients. Check the box in front of the option under Other and then use the up and down arrows and drop-down menu to specify the time limit. For a general description of listeners and their usage in AXIGEN, see the Listeners subsection in the Architecture chapter.

SSL Parameters for Listeners

For each TCP listener created you can enable SSL support and further configure SSL settings using the SSL Settings page. AXIGEN implements OpenSSL compliant SSL settings for all TCP listeners.

SSL configuration

This context allows you to configure the SSL settings for this listener. To enable SSL on the configured listener, check the box in front of the Enable SSL for this listener option. Use the checkboxes available under the Allow the following SSL versions section to specify the SSL versions to be used by AXIGEN Mail Server. Possible values are: SSL2, SSL3 and TLS1. While SSL 3 and TLS1 are the most recent versions, you can use any combination of these you may find useful. All three versions are enabled by default.

Path to certificate file/authorities

For all SSL / TLS connections, a certificate file (containing the certificate chain used for the current listener) is mandatory and must be specified through the Path to certificate file attribute. The certificate chain refers to a chain of intermediate certificate issuers, that is, Certificate Authority certificates that are followed while verifying the remote server certificate.

366

By default, on all supported operating systems and platforms, AXIGEN's initscript creates, at first run, a self-signed certificate that is automatically saved in the data directory under the name axigen_cert.pem. If you have another certificate file, provided by an authority, you can enter the path to this certificate and also provide the Path to certificate authorities. AXIGEN must be able to access these locations.

Additional attributes such as the Path to DH (Diffie-Hellman) parameter, Max chain verification depth, Cipher suite, Ephemeral Key and certificate-based authentication requests can be used for more specific implementations.

Use the Path to DH (Diffie-Hellman) parameter file to specify the path in the local file system to the file containing the (OpenSSL) Diffie-Hellman parameter used by this listener. If the keyword value "none" is used, no file will be used. The Diffie-Hellman key agreement protocol (also called exponential key agreement) allows two users to exchange a secret key over an insecure medium without any prior secrets. More information about this protocol and how to configure it is available on the RSA Laboratories website.

Use the Max. chain verification depth field to specify the depth of verification for the certificate chain. The depth refers to the maximum number of intermediate certificate issuers, i.e. the maximum number of CA certificates which are allowed to be followed when verifying the remote server certificate. For instance, a depth of 1 means the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server. The default value of 4 means that 4 intermediate certificate issuers are accepted.

AXIGEN implements cipher suites active in OpenSSL, except for idea, rc5 and mdc2. See the corresponding OpenSSL documentation file listing ciphers and their OpenSSL equivalents.

Tick the Use ephemeral key check-box to specify whether ephemeral keys should be used or not. This option generates ephemeral keys, so that all keys exchanged during one connection session are valid only for the current connection.

Use the Request certificate-based authentication from client option to specify if client certificate-based authentication should be requested or not.

When you are done configuring these parameters, remember to hit the Save Configuration button to preserve your changes.

367

Access and Flow Control Rules

For each TCP service you can define Access and Flow Control rules to impose limitations on accepted connections. Configuration parameters are identical for all TCP services.

Example: Access Control rules for the SMTP Receiving module

Service Level

Use the options under Service Level to specify a set of rules for allowing specific IP addresses on the currently configured service. To edit or delete any of the already defined rules, hit their corresponding Edit or Delete buttons, on the right-hand side of the listener. To add a new rule, use the Add Rule button.

Editing a rule or adding a new one displays the same configuration fields: the action to be taken for connections made through the configured parameter (choose between allowing or denying them access) and the type of connections the specified action applies to (connections from a single IP, an entire IP range, or Network/Mask). Use the drop-down menus to select the allowed/denied connections and fill in the corresponding IP values. To enable the newly configured rule, check the box in front of the Enable this rule option, then hit the Save rule button.

Use the up and down arrows (next to the Delete button) to set priorities between the rules, and click the Flow Control button to enforce global access limitations to the rule, using the same options as the ones described in the section below. All TCP services have, by default, a rule allowing any IP address.

368

Flow Control

Within the Flow Control section you can enforce global access limitations to this listener by setting the maximum number of: simultaneous connections, concurrent connections from each remote IP address, new connections to the listener made in a defined time period and maximum connections from each remote IP address in a defined time interval. The default time interval is set to 1 minute. Use the up and down arrows and drop-down menus to specify the desired parameters and values.

Note: You can also find the same configuration options in the Access Control section of the Configuring General Parameters page, the first of the two pages available when editing a listener or using its advanced configuration.

After making the configurations, hit the Save Configuration button to preserve your changes.
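The access rules and flow control limits described for listeners and for the Access and Flow Control Rules page can be modelled as below, to reason about what a given rule order and set of limits will accept. This is an added example, not AXIGEN code: the class names, the sample addresses (documentation ranges) and the limit values are constructed, and first-match-by-priority evaluation is an assumption based on the manual's priority arrows and default allow-any rule.

```python
import ipaddress
from collections import Counter, deque

LIMIT_NAMES = ("simultaneous connections", "concurrent connections per IP",
               "new connections per interval", "new connections per IP per interval")


def parse_target(spec):
    """Map Single IP, Network/Mask or IP Range text to an inclusive (low, high) pair."""
    if "-" in spec:
        low, high = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if low > high:
            raise ValueError("range start is above range end: " + spec)
        return int(low), int(high)
    net = ipaddress.IPv4Network(spec.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address)


class FlowControl:
    """The four limits of the Flow Control section."""

    def __init__(self, max_simultaneous, max_per_ip, max_new, max_new_per_ip, interval=60.0):
        self.limits = (max_simultaneous, max_per_ip, max_new, max_new_per_ip)
        self.interval = interval   # seconds; the manual's default interval is 1 minute
        self.active = Counter()    # remote IP -> connections currently open
        self.recent = deque()      # (timestamp, remote IP) of recently accepted connections

    def violation(self, ip, now):
        """Name the limit one more connection from `ip` would break, or return None."""
        while self.recent and now - self.recent[0][0] >= self.interval:
            self.recent.popleft()
        observed = (sum(self.active.values()), self.active[ip], len(self.recent),
                    sum(1 for _, addr in self.recent if addr == ip))
        for name, seen, limit in zip(LIMIT_NAMES, observed, self.limits):
            if seen >= limit:
                return name
        return None

    def record(self, ip, now):
        self.active[ip] += 1
        self.recent.append((now, ip))

    def release(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1


class Rule:
    def __init__(self, action, target, enabled=True, flow=None):
        if action not in ("Allow", "Deny"):
            raise ValueError(action)
        self.action, self.enabled, self.flow = action, enabled, flow
        self.low, self.high = parse_target(target)

    def matches(self, ip):
        return self.enabled and self.low <= int(ipaddress.IPv4Address(ip)) <= self.high


class Listener:
    def __init__(self, address, rules, flow):
        self.address = address
        # Rules in priority order; the last one mirrors the default allow-any rule.
        self.rules = list(rules) + [Rule("Allow", "0.0.0.0/0")]
        self.flow = flow

    def _flows(self, ip):
        rule = next(r for r in self.rules if r.matches(ip))
        return rule, [f for f in (rule.flow, self.flow) if f is not None]

    def accept(self, ip, now):
        rule, flows = self._flows(ip)
        if rule.action == "Deny":
            return False, "denied by access rule"
        for flow in flows:   # check every limit before recording anything
            broken = flow.violation(ip, now)
            if broken:
                return False, "flow control: " + broken
        for flow in flows:
            flow.record(ip, now)
        return True, "accepted"

    def close(self, ip):
        for flow in self._flows(ip)[1]:
            flow.release(ip)


def demo():
    """Constructed scenario: (time in seconds, remote IP) connection attempts."""
    listener = Listener("0.0.0.0:25", rules=[
        Rule("Deny", "203.0.113.0/24"),
        Rule("Allow", "198.51.100.10-198.51.100.20", flow=FlowControl(100, 50, 20, 2)),
        Rule("Deny", "198.51.100.0/255.255.255.0"),
    ], flow=FlowControl(max_simultaneous=3, max_per_ip=2, max_new=10, max_new_per_ip=5))
    attempts = [(0, "203.0.113.9"), (1, "198.51.100.15"), (2, "198.51.100.15"),
                (3, "198.51.100.15"), (4, "198.51.100.99"), (5, "192.0.2.1"), (6, "192.0.2.2")]
    results = [listener.accept(ip, t) for t, ip in attempts]
    listener.close("198.51.100.15")   # one connection ends, the interval then elapses
    results.append(listener.accept("198.51.100.15", 70))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Swapping the second and third rules in `demo()` makes the broader Deny match first and shuts out the whole 198.51.100.0/24 network, which is why rule priority deserves a check after every change.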


More information

Zend Core TM. Installation and Maintenance Guide. Zend Core for Oracle. By Zend Technologies, Inc. w w w. z e n d. c o m

Zend Core TM. Installation and Maintenance Guide. Zend Core for Oracle. By Zend Technologies, Inc. w w w. z e n d. c o m Zend Core TM Installation and Maintenance Guide Zend Core for Oracle By Zend Technologies, Inc. w w w. z e n d. c o m Disclaimer The information in this document is subject to change without notice and

More information

Acronis Monitoring Service

Acronis Monitoring Service Acronis Monitoring Service PRODUCT DOCUMENTATION Table of contents 1 About the Acronis Monitoring Service...4 2 Software Requirements...4 3 Understanding basic concepts...5 4 Getting started...7 4.1 Setting

More information

IceWarp to IceWarp Migration Guide

IceWarp to IceWarp Migration Guide IceWarp Unified Communications IceWarp to IceWarp Migration Guide Version 12.0 IceWarp to IceWarp Migration Guide 2 Contents IceWarp to IceWarp Migration Guide... 4 Used Terminology... 4 Brief Introduction...

More information

Barracuda Firewall Release Notes 6.6.X

Barracuda Firewall Release Notes 6.6.X Please Read Before Upgrading Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that are more current than the version that

More information

Novell Data Synchronizer 1.2

Novell Data Synchronizer 1.2 AUTHORIZED DOCUMENTATION Installation Guide Novell Data Synchronizer 1.2 August 24, 2011 www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or

More information

How to Make Use of WebMail and Outlook Functionalities

How to Make Use of WebMail and Outlook Functionalities AXIGEN User Manual How to Make Use of WebMail and Outlook Functionalities Last update on: 9/17/2009 11:55:25 AM Document version: 2.0 Copyright 2009 Gecad Technologies S.A. 1 Copyright & trademark notices

More information

provides several new features and enhancements, and resolves several issues reported by WatchGuard customers.

provides several new features and enhancements, and resolves several issues reported by WatchGuard customers. WatchGuard XCS v9.2 Update 5 Release Notes WatchGuard XCS Build 130322 Revision Date March 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard XCS v9.2 Update 5. This update

More information
