NoSpamProxy 12.1 Operation Manual. Protection Large Files

Size: px

Start display at page:

Download "NoSpamProxy 12.1 Operation Manual. Protection Large Files"

Stephen Welch
6 years ago
Views:

1 NoSpamProxy 12.1 Operation Manual Protection Large Files

2 Imprint All rights reserved. The manual and the depicted programs are copyrighted products of Net at Work GmbH, Paderborn, Germany. Subject to change without notice. No part of the publication may be reproduced without the prior written permission of Net at Work GmbH. Copyright 2017 Net at Work GmbH Net at Work GmbH Am Hoppenhof 32a D Paderborn Trademarks Microsoft, Windows, Windows Server 2008, Windows Server 2012, Windows Server 2012 R2 und Windows Server 2016 are registered trademarks of Microsoft Corporation. NoSpamProxy is a registered trademark of Net at Work GmbH. All other used trademarks belong to their companies / owners

3 Inhalt 1. NoSpamProxy... 9 NoSpamProxy Protection... 9 Spam and spam protection... 9 Rejection instead of sorting... 9 How can I report a False Positive as a user?... 9 Proxy instead of relay Advantages of proxy Protective function NoSpamProxy Large Files NoSpamProxy Disclaimer Advantages of NoSpamProxy Encryption Help and support The roles of NoSpamProxy Gateway Role Intranet Role Web Portal Functioning and integration into the infrastructure Firewall SMTP Mail Server SQL Database Domain Name System (DNS) Directory Service, Active Directory Examples for the implementation Basic Information on the Deployment of NoSpamProxy Upstream NoSpamProxy NoSpamProxy on the Mail Server NoSpamProxy with NAT router NoSpamProxy with firewall and DMZ NoSpamProxy and SMTP virus scanner Installation of the roles on different servers Negative example: Wrong configuration Mails to external addresses NoSpamProxy management console Change the language of the client Establish a connection to the Intranet Role Dashboard List of the roles Area for actions View server performance Data traffic System Start configuration wizard Net at Work GmbH

4 Download manual... Import licence... Compare editions... Download update... Choose update channel... Incidents... Latest announcements Monitoring... Message tracking... Checking the details... Mail queues... Mails on hold... Large Files... Reports... Data traffic and spam report... Most wanted... Licence report... Event view People and identities... Domains and users... Owned domains... Add owned domains... DomainKeys Identified Mail... Corporate users... Add user... Additional user fields... New address rewriting... Default settings for users... Automatic user import... New user import... Active Directory... Generic LDAP... Additional user fields... Text file... Partner... Partner topic... Default settings for partners... Partner domains... New partner domain... Edit partner domain... User entry of a partner domain... Additional user fields Mail routing... Net at Work GmbH

5 Local mail servers Multiple used settings of connectors Name Connection to Gateway Roles Costs Connection security SMTP Security settings Server or client identity DNS routing restrictions through connector namespaces Smarthost: Mail delivery via dedicated server Inbound send connectors Delivery via queues General settings SMTP connections of a Smarthost DNS routing restrictions Direct delivery Outbound send connectors SMTP General settings Delivery - Direct delivery (DNS) Delivery - Dedicated servers (Smarthosts) DNS routing restrictions D via Telekom D via Mentana-Claimsoft GmbH Assignment of owned domains E-Postbrief connector Deutschland-Online - Infrastruktur connector Receive connectors SMTP connectors SMTP settings Invalid requests Connection security Rules Filters Actions Actions for spam check How NoSpamProxy Protection classifies a mail as spam of rules Create new rule Reorder rules Filters in NoSpamProxy CYREN IP Reputation CYREN AntiSpam Net at Work GmbH

6 Allowed Unicode language planes... Realtime block lists... Spam URI Realtime blocklists... SpamAssassin connector... Reputation filters... Word matching... Actions in NoSpamProxy... Actions can change mails... Receiver rewriter... CYREN Premium AntiVirus... CSA-Whitelist... File based virus scanner... Greylisting... Hide corporate topology... Automatic reply... Reroute mail... Apply DKIM signature... Apply disclaimers... Calculating the Spam Confidence Level... Presettings... Colour theme... Realtime block lists... Add new blocklist... Word matching... Add new word group... Content filter... Content filter sets... Upload hints... Content filter actions... NoSpamProxy components... Gateway Roles... Server identity... Establish a connection to a Gateway Role... Web Portal... Web Portal connections... Web Portal - Settings... Databases... Connected systems... DNS servers... Archive connectors... D providers... Telekom D connections... Mentana-Claimsoft connection... CSA-Whitelist... Net at Work GmbH

7 User notifications... Administrative notification addresses... Mail notifications... Advanced settings... Sensitive data protection... Monitoring... Subject flags... Level of Trust configuration... General... Stop words... Smart DSN handling... Subject prefixes... SMTP protocol settings... Behaviours... Protocol timeouts... Status messages... SSL/TLS configuration Troubleshooting... Log settings... Blocked IP addresses... Fix permissions... Web Portal security Web Portal... Large Files... Secure mails via the Web Portal without invitation Disclaimer... Providing placeholder... Additional user fields in manually entered users... Additional user fields in the user import... Using the fields in the disclaimer Appendix... Multiple used settings in the configuration... Passwords... Selection of certificates... Backup and recovery... Operating system, driver and software... NoSpamProxy licence... files of roles... Databases of NoSpamProxy... Troubleshooting... Support by mail... Check NoSpamProxy... Test NoSpamProxy... TELNET... Net at Work GmbH

8 NSLOOKUP... Frequent errors and their causes... NoSpamProxy Protection does not filter... NoSpamProxy rejects all mails to local addresses... SQL database is not available... NoSpamProxy Protection does not find any viruses... Smart card cannot be administered via RDP... Exchange management console no longer starts... Checking the connections... Performance counters... Settings via the configuration file... Activate the option 'Delivering invalid mails'... SMTP RFCs... SMTP Error codes... SMTP Time-outs... Glossary... Net at Work GmbH

9 NoSpamProxy 1. NoSpamProxy NoSpamProxy Protection Spam and spam protection With increasingly elaborate methods, spammers try to leverage existing protection systems and send their messages to recipients. Unfortunately, daily cleaning of the inbox often does not suffice. By now, spam means a serious economic burden to many companies. Spam interferes with business processes and binds employees as well as system resources. Moreover, unwanted mails can considerably interfere with your mail servers and, in an extreme case, even cripple them. They may have contents and attachments which attack or spy out your system and thus pose a threat to your company. Furthermore, spammers often try to misuse your system as a relay. If this is possible, mails are send "on your behalf" - and at the cost of your capacity. A possible consequence may be that reliable mail partners classify your domain as spam sender and important connections are suddenly blocked. The scenarios of the attacks are not only different and complex, but one spam is not like another. As diverse as the interests of companies, the classification of a mail can turn out similarly diverse. You should be able to define yourself whether you classify a junk mail, a newsletter or a mail with Chinese characters as spam. This is precisely what NoSpamProxy Protection enables you to do. Rejection instead of sorting Many spammers react increasingly faster and more adept to new protection measures. This implies that static spam filters might work successfully for a short period of time - and nevertheless be useless the next day already. In order to be really effective, a spam protection must be intelligent, flexible and adaptive. It should not just protect from unwanted mails. It is at least as important that it classifies "good" mails correctly. A quota of 99 % blocked spam mails may sound good but it creates more damage than good if important good mails are accidentally blocked or end up in the wrong folder as well. Additionally, the protection should be as individual and versatile as the requirements of your business processes. It makes no difference whether your company employs 25 or 5,000 employees. In the end, a protection should not only protect your system and the business processes from spam but also from unnecessary burdening of the system - as the conservation of your resources is central. The fulfilment of these requirements by an intelligent spam protection were our incentive to develop NoSpamProxy Protection. The basic idea is simple: In contrast to other filters, NoSpamProxy Protection rejects spam mails before they enter your system. Strictly according to the motto: Rejection instead of sorting. How can I report a False Positive as a user? False Positives are good mails which are accidentally classified as suspicious and rejected. As mentioned above already, this is one of the greatest threats of a filter solution: The more spam you need Page 9

10 NoSpamProxy to sort out, the more probable it is that you accidentally remove a good mail. The consequences might be fatal. Assuming you receive the information by a customer via phone that their mail to you did not get through but was classified as spam and rejected. You can solve this unpleasant situation in a simple way with NoSpamProxy Protection. You need not be an administrator or implement settings in the system or changes at NoSpamProxy Protection; just send a mail to the customer. The next mail from the customer will then automatically be classified by NoSpamProxy as good and desirable because it is a reaction to your mail even if the sender does not use the "Reply" function. This means that a second try usually gets through without any problems and no further False Positives are created. The mail address of the sender is classified as trustworthy by NoSpamProxy Protection. Proxy instead of relay NoSpamProxy is, as its name suggests, designed as proxy. In simplified terms, a proxy is an interstation between the Internet and your system. Similar to a firewall, your internal network is protected from unfiltered contact with the Internet. For mails to owned domains, an external connection to NoSpamProxy is established initially. Subsequently, NoSpamProxy establishes a second connection to your mail server. NoSpamProxy collects the data, extracts the relevant SMTP information and reconstructs the mail on this basis. This mail is then presented to the configured filters for a check. If a mail is identified as spam, NoSpamProxy Protection rejects the mail. This forces the incoming mail server to send a non delivery report to the sender. A proxy is eminently suited for realising early spam rejection. Advantages of proxy Many functions of the internal mail server remain usable. For instance, the internal mail server will still reject a mail due to a full or no longer existing inbox. In turn, NoSpamProxy Protection rejects the connection externally. Your system will not be loaded with unnecessary data volume. Many connections can be identified as spam at a very early stage and do not burden the internal mail server. Protective function You server is not externally available. Thus, 'Denial of Service'-attacks do not interfere the internal communication. NoSpamProxy Large Files With Large Files, users can transmit files of any size to recipients via their familiar Outlook client without having to burden the mail system. Instead of sending the file itself, a link is attached to the mail via which the recipient/s of the mail can safely download the files via TLS. Additionally, you can also send the invitation link for the Web Portal of the Large Files to external recipients so that they can send you large files in turn. Page 10

11 NoSpamProxy Please do not hesitate to contact us at if you are interested in Large Files. We will be willingly offering you advice and support in extending your existing licence. NoSpamProxy Disclaimer By using the disclaimer function, templates for mail disclaimers can be automatically integrated into your sent mails according to predefined rules. The configuration is divided between the NoSpamProxy administrator that prepares values and settings for the disclaimers and the administrators for the disclaimer creation that can use these values and settings on the disclaimer website in their created templates and rules. The configuration of the values is described in chapter Disclaimer in more detail. Advantages of NoSpamProxy Encryption Since NoSpamProxy Encryption is based on the technologies of the proven AntiSpam gateway NoSpamProxy, its functions can easily be activated through a licence extension. In this way, the confidential communication with partners can be realised on one gateway only and with a consistent administration. If you want to connect NoSpamProxy with systems not based on SMTP such as D , the EPostbrief, the Deutschland-Online infrastructure and POP3 inboxes, you can implement this by installing an extended licence with NoSpamProxy Encryption. Page 11

12 Help and support 2. Help and support Net at Work offers many forms of help and support for the installation and the operation of NoSpamProxy. Training videos The Training videos provide an overview of different areas and show configurations, step by step, in the concrete application case. Blog The Blog provides daily updated references to new product versions, suggested changes for your configuration, warnings of compatibility issues and more advice which supports you. To make sure you do not miss any important advice, you can also find the latest news from the blog on the start page of the NoSpamProxy configuration console. Knowledge Base The Knowledge Base contains additional information on specific issues. Support If you require further support, please visit our support website. Page 12

13 The roles of NoSpamProxy 3. The roles of NoSpamProxy NoSpamProxy comprises several roles which are described in the following. Gateway Role The actual core of NoSpamProxy is concealed behind the Gateway Role. Depending on your environment, this role can either be installed in a demilitarised zone (DMZ) or the intranet. In order to set up a high-available system, this role can be installed on several servers. NoSpamProxy receives the mails on port 25, checks them for spam and rejects them if necessary. Intranet Role As the name suggest already, the Intranet Role is usually installed in the intranet of your company. Web Portal If you have activated Large Files, users can transmit large files via the Web Portal. In order to set up a high-available system, this role can be installed on several servers. Page 13

14 Functioning and integration into the infrastructure 4. Functioning and integration into the infrastructure NoSpamProxy cooperates with the other components of your infrastructure in your environment (Picture 1). All components of the system can be operated on the same server. In small environments, NoSpamProxy can be installed along with a firewall and your mail server on one single server. In addition to the individual components, the TCP Ports which are used between the components are documented as well (Picture 2). Picture 1: Components of NoSpamProxy Page 14

15 Functioning and integration into the infrastructure Picture 2: Communication of NoSpamProxy among each other and with other components Firewall To ensure the functioning of NoSpamProxy, it is required that the network does not prevent the necessary network connections. Basically, this concerns the protocol SMTP on port 25/TCP and DNS on port 53 TCP/UDP. If the roles of NoSpamProxy are installed in different network segments, the communication for TCP on port 6060 and for HTTPS on 6061 must be allowed on the firewall. Both the management console as well as the Intranet Role use port 443/HTTPS to access the Web Portal. SMTP Mail Server All mails to external addresses should be sent via NoSpamProxy as well so that the Level of Trust system can learn the communication relations of your organization. Page 15

16 Functioning and integration into the infrastructure SQL Database NoSpamProxy saves the data required for the operation in a Microsoft SQL database. In so doing, it supports the Microsoft SQL Server 2008 or more recent ones. The free Express Edition can be used as well. Domain Name System (DNS) Your system should feature a Domain Name System (DNS) lookup. It is common courtesy that the DNS name which a mail server reports can also be resolved via DNS. If a server reports as "mail.netatwork.de", it should also be resolvable as "mail.netatwork.de" in the DNS. If it is not resolvable, the domain name is either incorrect, which suggests a misconfiguration of the DNS server, or the DNS name is not maintained in the DNS. Directory Service, Active Directory NoSpamProxy can reject mails to non-existent or non-entitled recipients upon receipt already. For doing so, a list with the valid SMTP addresses must be maintained in the gateway. For instance, this can be realised via an automatic synchronization with the data from the Active Directory or Lotus Domino. If you wish to use another procedure, the users can also be maintained manually. Examples for the implementation Basic Information on the Deployment of NoSpamProxy Whether the mail comes from a provider or directly from the sender: NoSpamProxy is "at the front line" before the first mail server or relay of the recipient. If this is not the case, the IP address of the incoming gateway cannot be checked and the connection cannot be terminated by an error message either. The incoming gateway would send a non delivery report. The fundamental NoSpamProxy advantage of rejecting mails and saving data volume would not be effective. Upstream NoSpamProxy The simplest design is to locate the NoSpamProxy as an individual system upstream to the own mail server (Picture 3). Page 16

Functioning and integration into the infrastructure Picture 3: NoSpamProxy upstream to the own mail server NoSpamProxy on the Mail Server It might be too lavish to provide a separate server for

17 Functioning and integration into the infrastructure Picture 3: NoSpamProxy upstream to the own mail server NoSpamProxy on the Mail Server It might be too lavish to provide a separate server for NoSpamProxy in small environments. In this case, the gateway can be installed on an existing mail server. In this case, you change the configuration of the existing mail server as follows: Instead of receiving mails on port 25, you configure another port for doing so (e.g. 2525). Subsequently, you configure a smarthost in NoSpamProxy for mails to local addresses for host 'localhost', port '2525'. Picture 4: NoSpamProxy on the mail server NoSpamProxy now receives the connections on port 25 and transfers them to the mail server via 'localhost:2525'. NoSpamProxy with NAT router If the server itself does not have an own official IP address, a system in front of the server is responsible for the implementation. With smaller installations, this is mostly a router with Network Address Translation (NAT). Page 17

Functioning and integration into the infrastructure Picture 5: NoSpamProxy with NAT router It must be configured for the deployment with NoSpamProxy in such a way that it transfers all connections

NoSpamProxy with firewall and DMZ Larger installations often use a multi-level firewall or a so-called "demilitarised zone" (DMZ) to better control the data traffic between the systems.

18 Functioning and integration into the infrastructure Picture 5: NoSpamProxy with NAT router It must be configured for the deployment with NoSpamProxy in such a way that it transfers all connections which are received on the official IP address at port 25 to NoSpamProxy. Here, the configuration of NoSpamProxy corresponds to one of the two previous examples. NoSpamProxy with firewall and DMZ Larger installations often use a multi-level firewall or a so-called "demilitarised zone" (DMZ) to better control the data traffic between the systems. Picture 6: NoSpamProxy with firewall In this case, NoSpamProxy is installed on an own server in the DMZ. The firewall allows connections from the outside to the server, to port 25 of NoSpamProxy. For this constellation, you should only install the Gateway Role in the DMZ. The Intranet Role should be installed in the intranet. NoSpamProxy and SMTP virus scanner NoSpamProxy can identify viruses in several ways. They are described in the following list. CYREN AntiSpam Mails can be checked for viruses and malware through the CYREN AntiSpam service. This service is automatically installed along with NoSpamProxy. On-access virus scanner on the NoSpamProxy server A virus scanner additionally installed on NoSpamProxy can check mails with the help of the action File based virus scanner. Page 18

Functioning and integration into the infrastructure SMTP virus scanner as SMTP relay An SMTP virus scanner usually works as an SMTP relay and must therefore be installed between NoSpamProxy and your

19 Functioning and integration into the infrastructure SMTP virus scanner as SMTP relay An SMTP virus scanner usually works as an SMTP relay and must therefore be installed between NoSpamProxy and your intranet Picture 7: NoSpamProxy with virus scanner An SMTP virus scanner usually works as an SMTP relay and must not be integrated between the Internet and NoSpamProxy. Installation of the roles on different servers In very small environments, it is recommended to install all roles on one server. NoSpamProxy also runs on a Small Business Server without restrictions. In larger environments with a DMZ, a possible distribution of the roles could look as in the following chart (Picture 8). Page 19

Functioning and integration into the infrastructure Picture 8: Installation of NoSpamProxy in the DMZ A server with the installed Gateway Role is located in the demilitarised zone (DMZ).

20 Functioning and integration into the infrastructure Picture 8: Installation of NoSpamProxy in the DMZ A server with the installed Gateway Role is located in the demilitarised zone (DMZ). Here, the mails are processed, filtered and subsequently forwarded to the internal mail server. A server on which the Intranet Roles are installed could run in the LAN. The advantage of this procedure is due to the security aspects. On the firewall, only the port 6060 for TCP and port 6061 for HTTPS must be opened from the LAN into the DMZ for the data transfer between the Gateway Role and the other two roles. The only mandatory connection from the DMZ to the LAN is port 25 for the mail communication. In larger environments with high mail volume, you have the possibility to install several servers with the Gateway Role in the DMZ. This facilitates to set up a high-available system. The NoSpamProxy management console can be installed on the PC of the administrator and thus administer all other roles in the LAN and the DMZ from one PC (Picture 9). Page 20

Functioning and integration into the infrastructure Picture 9: Roles of NoSpamProxy on distributed servers Negative example: Wrong configuration

Picture 10: Wrong configuration - NoSpamProxy cannot function As mentioned already, a mail is already received completely by the relay before it

21 Functioning and integration into the infrastructure Picture 9: Roles of NoSpamProxy on distributed servers Negative example: Wrong configuration For clarification, this figure shows a non-permissible installation. Picture 10: Wrong configuration - NoSpamProxy cannot function As mentioned already, a mail is already received completely by the relay before it is sent to NoSpamProxy. Result: NoSpamProxy cannot work reasonably. Neither is data volume saved nor can NoSpamProxy reject an existing connection. It would be impossible to check the IP address of the incoming gateways. Page 21

22 Functioning and integration into the infrastructure Mails to external addresses The success of the Level of Trust system greatly depends on the circumstance that mails are sent to external addresses via NoSpamProxy. For outbound mails, NoSpamProxy can use an external smarthost or deliver mails directly. If you send via a smarthost, you can, for instance, use the smarthost of your provider or a mail relay especially installed for this purpose. Which option is used is left to you. If you do not have a static IP address, you should send mails to external addresses via your provider. Dynamic IP addresses are steadfastly refused by many companies and mail providers. Page 22

23 NoSpamProxy management console 5. NoSpamProxy management console NoSpamProxy is administered via a Microsoft Management Console (MMC). The installation of the console is described in the NoSpamProxy installation manual. Please pay attention to the advice given in this manual before activating NoSpamProxy. The management console of NoSpamProxy divides into the following areas: The dashboard Beneath the top node of the management console named NoSpamProxy lies the dashboard. It provides a quick overview of the entire gateway with all connected roles. Moreover, you can also start different actions on this site which are described in the chapter of the dashboard. Monitoring The monitoring provides an overview of the receipt and the delivery of mails. Additionally, you can also view the event viewer of all connected roles. Peoples and identities The area Peoples and identities manages your owned domains and corporate users but also external communication partners. You can determine settings regarding confidence and security for these identities. The nodes beneath serve the configuration of NoSpamProxy. Here, you define send and receive connectors for mails, your rules and messages but also the connections to components of NoSpamProxy or components of third party providers. Troubleshooting The area Troubleshooting is available to you for diagnosis of NoSpamProxy. Create log files of the individual NoSpamProxy components or have settings corrected automatically. Change the language of the client The client of NoSpamProxy is set to the system language per default. If you want to change the language, click on the node NoSpamProxy and select in the menu Aktion / Sprache ändern or Action / Change language. Alternatively, you can access this function by right-click on the node NoSpamProxy. You need to close and restart the client so that the change becomes effective. Establish a connection to the Intranet Role After installation, the connection of the management console to the Intranet Role is on localhost. For installation of the console on a computer other than the computer with the Intranet Role, you need to adjust the connection. Please select in the menu Aktion / Server ändern or Action / Change server. Enter the name of the server (for example: "mail.example.com") and the port (usually "6060"). Alternatively, you can also access this function by right-click on the node NoSpamProxy. You need to close and restart the client so that the change becomes effective. Page 23

24 NoSpamProxy management console If the gateway is operated in a DMZ and you want to remotely control the service from the LAN with the NoSpamProxy MMC, you just need to activate the TCP port 6060 and for HTTPS the port 6061 on the firewall. This connection is encrypted based on the certificate. Page 24

25 Dashboard 6. Dashboard The page beneath the node NoSpamProxy (Picture 11) provides you with a quick overview. Here, you receive an overview of the status of the installed roles. Picture 11: The overview of the configuration of the Gateway Role On the initial activation, NoSpamProxy is largely unconfigured. The missing configuration options appear in the list Incidents. Instead of working on each incident individually, we recommend the use of the configuration wizard. The wizard supports you in quickly and completely activating NoSpamProxy in most of the environments. It identifies and creates the recommended configuration based on the licenced functions in your licence. List of the roles All connected roles are directly listed beneath the heading NoSpamProxy. The list indicates for each role whether it is started or stopped. Additionally, you can also start, stop and restart the roles manually. After installing the licence, a summary of the licence is shown beneath the list Page 25

26 Dashboard Area for actions The currently possible actions are shown at the top right corner. The action open disclaimer website leads you to the templates and rules for the Disclaimer. The installed version of NoSpamProxy appears beneath the list with the actions. View server performance The action View server performance offers you a quick overview of the current processing of mails and the currently available resources. Data traffic The page Data traffic shows a moving average of the processed mails of the last minute or hour. The page is updated automatically and thus shows whether NoSpamProxy is currently receiving mails (Picture 12). Picture 12: The currently processed messages System The page System shows the installed services for each system with intranet or Gateway Roles, their status and the used resources (Picture 12). Page 26

27 Dashboard Picture 13: The used and available resources In addition to this view, the Performance counters are also available to you on the server. Start configuration wizard The entry Start configuration wizard guides you through all fundamental steps of the NoSpamProxy configuration to ensure proper functioning. The configuration wizard guides you through the following configurations: Licence Install a licence or change the existing one Licence. If you have not yet created any rules, you can have fitting Standard rules created dependent on your licenced functions. Connection to the Gateway Role If no Gateway Role has yet been connected, you can connect your Gateway Role here. After adding the role, please also determine the DNS name for the Server identity of this Gateway Role. Owned domains of Owned Domains. If the gateway has not yet entered owned domains during the implementation of the wizard, the primary domain of the licence is added to the list of the owned domains in this step. Local mail servers of the local mail servers. Local delivery of the inbound delivery of mails to corporate mail servers. External delivery Page 27

Dashboard of the outbound delivery of mails to external mail servers. Administrative notification addresses Configure the administrative mail addresses.

28 Dashboard of the outbound delivery of mails to external mail servers. Administrative notification addresses Configure the administrative mail addresses. Sensitive data protection Determine a password to protect your sensitive data. After the completion of the wizard, please perform a check: Check the configuration of the Receive connectors. The implementation of these steps ensures the function of NoSpamProxy. Download manual Via this action, you download the current user manual. If you have installed your licence in NoSpamProxy already, the version of the manual corresponding to your licence is downloaded. Import licence The action opens the dialogue for the licence currently used. It shows you all relevant data of your licence and warns you if issues with the licence occur (Picture 14). Picture 14: The currently installed licence Here, you see your C number, domain as well as all licenced functions and their validity period. Via the link Change you can load another licence file and use it in NoSpamProxy provided that the expiration Page 28

29 Dashboard date of the software maintenance is at least dated as late or later in the future as that of the currently used licence. Compare editions The link opens the page with the Comparison of the licence features. Each feature is briefly explained here. Download update If a later version of NoSpamProxy was published on the server of Net at Work, this action is shown. That way, you download the installation file of NoSpamProxy. You can initiate the installation manually afterwards. Choose update channel Updates for NoSpamProxy are distributed via two update channels. The regular channel and the fast channel (Picture 15). The regular channel is the default setting and will deliver updates with a long test history and the highest stability for NoSpamProxy. The fast channel will deliver updates sooner. They have also passed all automatic test and were already successfully installed but all in all the whole test cycle in production environments was much shorter. Picture 15: The settings for the update channel If you change your update channel from fast to regular, you only get updates, if the version of the offered update is bigger than the already installed one. This can take some time. Incidents The list of the Incidents shows you if settings which are relevant for the operation of NoSpamProxy are missing or incorrect. If, for instance, the route for mails to external addresses has not yet been defined, you are informed about this on this page. Page 29

30 Dashboard Latest announcements These announcements inform you about product updates or general suggested improvements for the configuration of NoSpamProxy. By clicking on the headings, you can read the corresponding article in the NoSpamProxy blog. Page 30

31 Monitoring 7. Monitoring The nodes beneath Monitoring (Picture 16) inform you about the receipt and dispatch of your mails. Moreover, status information on the system and the mail traffic are shown. Picture 16: Overview of the areas of the monitoring Message tracking The message tracking allows you to find out which mails are blocked or passed through at which time (Picture 17). You can determine the search based on certain sender and receiver criteria, the subject as well as concrete time intervals and the "mail status". Furthermore, you can see details on what happened with the mail and the respective time. As a result, you can very easily reproduce the actions of NoSpamProxy and the functioning of the rules. Page 31

32 Monitoring Picture 17: The search of the message tracking datasets For tracking a mail, you have different search criteria that you can use individually or in combination. However, a time frame during which the mail or mails were received must be indicated in every case. Usually, the start time is set to the current system time - 1 hour and the end time to today, 11:59 pm. You can filter the search based on the following characteristics. When entering a text, you can always enter the entire text to be searched for or just parts of it. Time period of dispatch: Via the option time frames searches that are often required can be selected quickly. Sender and receiver address: the mail addresses of the communication partners. The filter can be set to local and external addresses. The search type can be 'exact match' for complete addresses or 'contains' for address fragments. The search for exact matches is much faster. Subject: The content of the subject line. Message ID: Internal ID of the mail. Delivery results: The status of delivery. SCL value: Restriction to the calculated SCL value. Rule: The name of the rule which processed the message. Page 32

33 Monitoring All mails corresponding to the search criteria appear in the list of the message tracking datasets. They are displayed with the indications Direction, Security, Connection start time, Transfer duration, Status, Sender, Recipient, Subject, Message ID and Gateway Role. The latest mails ale listed on top. Checking the details The details provide you with detailed information on the delivery status of a mail. Moreover, it is displayed here whether and how a mail was signed or encrypted. Click on the dataset whose details you want to view. Now select the action Message details or realise a double-click. The dialogue Message tracking appears. (Picture 18). From the start to the termination of the connection, you can find all processing steps and details distributed to tabs listed in a detailed way. You can see at a glance, whether the connection was encrypted and which certificate was used by the SMTP server or the SMTP client. The other tabs show you the filter results and general processing errors of NoSpamProxy that you can precisely find out anytime whether the mail delivery functions properly or not. Picture 18: The result of the mail delivery in detail Page 33

34 Monitoring You can also simply save the datasets of the message tracking on your local hard drive or re-open saved datasets with all details. This function is very helpful if you need support in analysing a dataset. For the export, select the link Export message tracking at the left bottom corner of the detail dialogue. In order to re-open the details, select the link Load message tracking file in the list of all found datasets. Mail queues Mails to external addresses are enqueued in queues according on their domain. There is one queue per domain. All active mail queues are shown to you beneath the menu item Mail queues. (Picture 19). Here, you can see at a glance to which domains mails need to be sent. You also have the possibility to deliberately pause the transfer to one or more specific domains. Picture 19: All unsent mails are situated in queues grouped according to the domain name You can also filter your search for specific domains. Enter the domain name or fragments of the name in the corresponding search box to filter all queues of the next search for the given name. The column Active shows whether mails are currently delivered for this domain. The Domain name corresponds to the name of the target domain. Page 34

Monitoring The Queue length corresponds to the number of the mails waiting. The column Active connections shows the currently open SMTP connections to the target domain.

Via the action Activate selected queues and Deactivate selected queues, you can start or pause the delivery of mails to the respective domains.

35 Monitoring The Queue length corresponds to the number of the mails waiting. The column Active connections shows the currently open SMTP connections to the target domain. This is especially of interest in case of a mass mail dispatch where several mails are sent to the same domain. Via the action Activate selected queues and Deactivate selected queues, you can start or pause the delivery of mails to the respective domains. You can also directly create a deactivated queue to prevent the connection to a specific domain beforehand. To do so, select Create deactivated queue. The dialogue (Picture 20) opens. Picture 20: Domains to which no mails should be sent can be created as "deactivated queues" State the domain name (e.g. "netatwork.de") beneath Domain name for queue and save the setting afterwards to create the deactivated queue. Afterwards, all mails to "netatwork.de" in the queues of NoSpamProxy are paused until you reactivate the queue. A queue can also be deleted. During the deletion, you can decide whether a non delivery report (NDR) is sent or not. Picture 21: Deleting queues Page 35

36 Monitoring Mails on hold If you use NoSpamProxy Protection without NoSpamProxy Encryption, the node is only displayed if Large Files is also licenced. Under certain conditions, mails can also be put on hold. This means that the mail is neither delivered nor rejected for the time being but rather waits for the receipt of certain conditions. Mails on hold emerge due to missing encryption keys, incidents due to file attachments and incidents of the qualified signature or D . All these mails are listed in the node 'Mails on hold' (Picture 22). Picture 22: The list of all mails on hold You can search and filter mails on hold. The direction, the sender and receiver address, the subject line and the status of the mail are available as filters. For the addresses and the subject line, only parts of the text to be searched for must be entered. It is automatically searched for all addresses and subject lines in which the entered parts are included. If you have licenced Large Files, files where uploading failed are shown in this list. Page 36

37 Monitoring You can initiate a renewed processing of selected mails by clicking on Try again. Should further incidents occur, the affected mails are re-entered into the list. You can download and save the complete mail with all corresponding documents also on the computer on which the user client runs. To do so, select an incident and choose Download. Moreover, you can delete mails on hold. You can choose here whether the sender is notified or not. Large Files The node is available if Large Files is licenced. The tab Files on the Web Portal (Picture 23) shows all files which are currently saved on the Web Portal. You can delete files which are no longer required here. Files which require release by an administrator can be released for download. Files which have not yet been released can be downloaded here by the administrator to check their content if they are marked as Examinable in the list. Examinable files can be scanned for malware via the function Check again. If malware is found, the file is deleted and the recipient informed about the result. The column Malware check shows the point in time of the last check. Page 37

38 Monitoring Picture 23: The file on the Web Portal You can filter the search based on the following properties. File name Provide the file name or parts of it. Sender or receiver address Provide a mail address or parts of it. The overview of the receiver addresses only shows the first receiver address but all addresses are searched for. Dispatch period The time period can be limited. If it should remain open, deactivate the check box in front of From and Until. Via the option Timeframes often required searches can be selected quickly. File size Restrict the file size with the sliders. Deactivate the restriction with the check boxes in front of the sliders. Status Select here all files or files with certain properties, such as never or partially downloaded or downloaded by all recipients. It can also be searched for files which have not yet been approved or were errors occurred during the malware scan. Page 38

39 Monitoring The link Details displays further recipients of the selected file and details if some error occurred during the malware scan. Reports The reports of NoSpamProxy provide you with an overview of the history of your mail correspondence (Picture 24). With a few clicks, you can see how the amount of spam has changed over the months and which mail addresses or domains had the highest spam appearance. Picture 24: Evaluation of the data of the message tracking Data traffic and spam report The paragraph "Data traffic and spam report" offers you the possibility to have created a report which shows you the history of the mail correspondence. The report not only shows the history of the number of mails but also the history of the data volume. To create the report, initially select a time period for Page 39

40 Monitoring which you wish to create the report. Subsequently, you determine the scope of the reports. For doing so, click on the link for the entire organisation. Picture 25: The scope of the data traffic and spam reports In the appearing dialogue (Picture 25), you can decide whether you want to create the report for the entire organisation, only for a specific domain or only for a specific mail address. You can only select domains and mail addresses which received mails already and thus appear in the message tracking database. No access to the configuration of the Gateway Role is effected. Click on Select and save, to save the settings. Then click on Show report, to create the report. Most wanted In the paragraph Most wanted, NoSpamProxy offers you four reports which, for example, contain the mail addresses or domains with the highest spam ratio. Furthermore, there are reports showing you which mail addresses or domains created the most data volume (Picture 26) As in the paragraph Data traffic & Spam report, you can determine the time period and the scope of the respective report. Page 40

Monitoring Picture 26: The addresses with the highest spam ratio the available reports are the following: Show mail addresses which receive the most spam mails.

41 Monitoring Picture 26: The addresses with the highest spam ratio the available reports are the following: Show mail addresses which receive the most spam mails. Show mail addresses which create the largest data volume. Show the domains which receive the most spam mails. Show the domains which create the largest data volume. you can decide whether you want to create the report for the entire organisation, only for a specific domain or only for a specific mail address Subsequently, click on the desired report to generate it. Licence report The licence report is a means to optimally adjust the licenced users of the individual features, such as "NoSpamProxy Protection" or "NoSpamProxy Encryption", to the effectively required licences ( BILDREFERENZ: Licence report). Page 41

42 Monitoring Picture 27: The report of the effectively used licences The licence report adds up all users who have received more than 10 mails during the last 90 days. The user numbers from this report offer you the possibility to adjust the licences of NoSpamProxy to the growth of your company. If you have questions, please do not hesitate to contact our team at Event view The server events relevant for NoSpamProxy are available in the client beneath the node "Event view" (Picture 28). Page 42

43 Monitoring Picture 28: The event view shows the events of all roles of NoSpamProxy On the one hand, you can filter the entries shown here according to the roles or services, on the other hand, you can also restrict the type of the displayed events. The selectable categories Errors, Information and Warnings. In order to view older entries, you can browse through the search result by using the functions Back and Next. To view the details of an entry, you just need to select it with the mouse. The details are displayed in the bottom part of the page. Page 43

44 People and identities 8. People and identities The node People and identities contains all external and internal companies and persons as well as their mail addresses (Picture 29). Picture 29: The areas beneath the node People and identities Domains and users In the node for Domains and users, you can maintain your owned domains and a list with valid mail recipients and the corresponding addresses (Picture 30). This list is used if you filter the rules to "Local addresses" instead of "Owned domains". Additionally, you can configure the automatic import of user data here. Page 44

45 People and identities Picture 30: The list of the owned domains and the corporate users Owned domains You should enter all domains for which you wish to receive mails into the list of the owned domains. You can also use this list in the rules later. Otherwise, NoSpamProxy would classify such connections as relay misuse and reject these mails. All owned domains must be entered. Only thus, all local mails can securely be identified as such and not rejected as relay misuse. Add owned domains The action Add open the entry dialogue (Picture 31). Page 45

46 People and identities Picture 31: Dialogue for new owned domains Enter all your owned domains here. When deleting owned domains, all mail addresses of this domain are deleted from the corporate users as well. If the user does not own any mail addresses afterwards, it is deleted as well. DomainKeys Identified Mail DomainKeys Identified Mail (DKIM) secures outbound mails with an digital signature. By evaluating this signature, the recipient can recognise whether the mail was sent from the correct domain (ensuring the authenticity) and whether it was changed during the transport (ensuring the integrity). DKIM-signed mails can also be read by mail recipients who cannot evaluate the DKIM signature. To those recipients, DKIMsigned mails appear similar to mails without DKIM signature. You can yourself create the keys required for this process on the node DKIM keys. The secret private part of the asymmetric keys is securely saved in the NoSpamProxy settings and is thus only known to you. Page 46

People and identities Picture 32: The selection of a DKIM key for the current owned domain On the tab DomainKeys Identified Mail, the already created keys can be assigned to the domain (Picture 32).

47 People and identities Picture 32: The selection of a DKIM key for the current owned domain On the tab DomainKeys Identified Mail, the already created keys can be assigned to the domain (Picture 32). To do so, activate DKIM for the domain and select one of the already created keys from the list of the DKIM keys. If the domain of the DKIM key is equivalent to the domain configured now, the DNS entry which you published on the creation of the key suffices. If the domains differ from each other, the configuration page shows another necessary DNS entry (Picture 33). If you need to publish further DNS entries, NoSpamProxy prepares the required entry so that you can copy it into the clipboard to publish it in the DNS zone. Afterwards, the DKIM configuration for this domain must be interrupted for the time being. You only need to interrupt the configuration if DNS entries are missing. Otherwise, you can proceed with the configuration without interruption. Page 47

People and identities Picture 33: The selection of a DKIM key of another domain If all necessary DNS entries are published and known in the internet, please restart the selection of the DKIM key.

48 People and identities Picture 33: The selection of a DKIM key of another domain If all necessary DNS entries are published and known in the internet, please restart the selection of the DKIM key. Select the key for which you published the DNS entries. During saving, the DNS configuration is checked. If this validation fails, discrepancies are shown. Please pay attention to the following advice. After a successful validation you have to assign this DKIM key to one of your owned domains to use it. It takes some time with the publication of DNS entries until all DNS server in the Internet received these changes. Thus, wait until one day after the change of your DNS entries before you check and apply the entries. If you activate DKIM and your DNS configuration is incorrect, mails to recipient who evaluate DKIM signatures can no longer be delivered. The DKIM signature mandatorily requires the action Apply DKIM signature in its rule. Differently configured rules enable you to deploy DKIM for one part of your mails and suppress DKIM for another part. Corporate users Analogous to the "Owned domains", NoSpamProxy can also check the individual recipients and directly reject mails to non-existent recipients. For doing so, however, it is required that the gateway knows all internal recipients. If you use an Active Directory, you can import the corporate users in a simple way. Page 48

49 People and identities The list of the Corporate users is used if you filter the rules to Corporate mail addresses instead of Owned domains. In order that NoSpamProxy uses the Corporate users list, in the respective Rules for mail correspondence on the tab Recipient the radio button for the Recipient type must be set from Owned domains to Corporate users. Only then the gateway uses the list of the corporate users for the determination of valid mail addresses. The list of the corporate users can contain two different Types of users: Manually entered user You can manage all features in NoSpamProxy in manually entered users. These users can be changed and deleted at discretion. Replicated user Replicated users are imported from a directory service such as the Active Directory. The features of the user must be changed in the original source since NoSpamProxy only makes available a read only view of most of the features for replicated users. All changes are applied during the new run of the User imports. In replicated users, you can not only change the activity status of the entire user but also the activity status of single mail addresses. Search for users by having searched for words or parts of words in name, description or mail addresses. Additionally, you can also differentiate between activated and deactivated users during the search. Add user If you add a new user, you are supported by a wizard. Enter the name (Picture 34) first. The name is a mandatory field. The optional details are required for the certificate requests. Pay attention to the maximum length of the entries; the wizard will guide you through each tab and validate all entries when concluding the step. Page 49

50 People and identities Picture 34: The name and the dates of the user In the next step, all mail addresses of the user are entered (Picture 35). Page 50

51 People and identities Picture 35: All mail addresses assigned to the user Enter the local part of the mail address and select the domain from the drop down list of your already entered owned domains. Via the Status, the address can also be deactivated (Picture 36) The first entered address is marked as the primary one. You can change this in the list of the mail addresses via the action Set as primary address. The primary address is used for other functions, such as D . Page 51

52 People and identities Picture 36: Entry of a new mail address As for licenced NoSpamProxy Large Files or NoSpamProxy Protection, you can now select a content filter. If no specific content filters should be assigned to the user, you can also use the Default settings for users. The content filters are defined on the node Content filter. The last step (Picture 37) determines all Address rewriting for this mail address. Page 52

53 People and identities Picture 37: The list of all address rewritings Additional user fields The Additional user fields can be filled with values by the administrator. Read in the chapter on the Disclaimer how you configure Additional user fields for a user. As for licenced NoSpamProxy Large Files or NoSpamProxy Protection, you can select the used content filters on the following page. You can either use the superordinate settings, allow all attachments, or select a configured content filter on the node Presettings. Page 53

54 People and identities Picture 38: of the content filters for the user On the page D (Picture 39) you determine which D functions are available for this manually created user. First, set whether the user is generally permitted to send D s and, if required, configure all confirmations and delivery options this user can request afterwards. Page 54

55 People and identities Picture 39: Available D functions for the user New address rewriting The address rewriting rewrites the mail address of a corporate user to another mail address. As a result, a corporate user can contact an external mail recipient by using another mail address than their own. The mail thus appears to have been sent from the rewritten address. In the case of mails sent to corporate mail addresses, however, the list is consulted for checking whether the recipient is an entry from the external addresses of the address rewriting. Then, the address is sent to the corporate mail address of the entry. Another use case are the so-called group mailboxes. In this case, different corporate mail addresses are rewritten to one address (e.g. info@example.com). For an address rewriting, determine the External address first which is used if the mail address is rewritten (Picture 40). Select afterwards how mails to corporate mail addresses should be dealt with. Page 55

If the recipient address does not correspond to your selection, the address rewriting is not implemented.

56 People and identities Picture 40: External and corporate mail addresses In the next step, it is selected for which recipient addresses this rewriting is used (Picture 41). If the recipient address does not correspond to your selection, the address rewriting is not implemented. In the selection An address with the pattern you can use the placeholders ('*' and '?'). Picture 41: Selected recipient addresses of this rewriting Page 56

57 People and identities The deletion of users is not available for replicated users. Default settings for users As for licenced NoSpamProxy Large Files or NoSpamProxy Protection, you can select a content filter in the default settings. It is always applied if the corporate user does not have deviating settings. The content filters are defined on the node Content filter. Automatic user import Via the link Configure automatic user import, you have the possibility to automate the import of user data. (Picture 42). Picture 42: The list of all arranged user imports You can establish several user imports in the intranet role. This enables you to individually keep the corporate users in the Gateway Role of NoSpamProxy up to date. In doing so, you can, for example, establish an import which imports all active users from the Active Directory into the corporate users. You can thus ensure automatically that only the desired addresses are available from the Internet. Page 57

58 People and identities New user import In a user import, you determine which mail addresses should be imported. You can either provide an Active Directory or a text file as source. Moreover, you determine the point in time or the intervals in which a run should be realised. In the first step of adding a new user import, you determine the type. (Picture 43). You can import from the Active Directory, a generic LDAP source, such as Lotus Notes, or a text file. Picture 43: Type of the user import In the step General (Picture 44), you give a clear name for the user import. Then, determine at Update interval when the user import is scheduled. Via Status, you can furthermore deactivate the import without deleting it. Page 58

59 People and identities Picture 44: General settings Please continue reading, according to your selected type, in chapters Active Directory, Generic LDAP or Text file. Active Directory In the Active Directory connection, you establish the connection to your domain controller (Picture 45). For doing so, select the type of the server and the user who is allowed to access it. If you want to enter a specific domain controller, you can enter an IP address or a server name. When selecting the integrated Windows authentication, NoSpamProxy uses the network service if it was installed on a domain controller; otherwise, the computer account is used for the authentication. Page 59

60 People and identities Picture 45: The directory connection The Active Directory search selects the users who are imported. Here, you can filter to certain containers, e.g.: OU=Sales,OU=User,DC=domain,DC=DE. When using the example "Sales", replace "User", "domain" and "DE" with the respective values. In most cases, you will probably wish to import all mail addresses of the users. However, you can also restrict the import to the primary address by selecting the option available at this page. Page 60

61 People and identities Picture 46: The selection of the Active Directory users to be imported Moreover, you can also indicate an additional LDAP filter to import only those users who have filled a certain attribute with a certain value. In the Groups (Picture 47), you state which functions may be used by each imported corporate user. The functions depend on the user's group membership. Page 61

62 People and identities Picture 47: Authorised groups for D Generic LDAP The LDAP connection (Picture 48) establishes the connection to your server. Enter the server and the credentials to be used. Page 62

63 People and identities Picture 48: LDAP connection In the LDAP search (Picture 49) you can restrict the search in the directory to certain containers. Please provide class names where the groups can be found. Additionally, you can restrict the search to users with specific features by using a filter. Page 63

64 People and identities Picture 49: Customize your LDAP search on the page of the LDAP address fields you can provide further LDAP fields in which mail addresses are searched for (Picture 50). This is required if your system does not save the mail addresses in the standard fields 'mail' or 'othermailbox'. Page 64

65 People and identities Picture 50: of additional address fields In the Groups, you state which functions may be used by each imported corporate user (Picture 51). The functions depend on the user's group membership. Picture 51: Authorised groups for D Page 65

66 People and identities Additional user fields The Additional user fields of a user can directly be filled with values through the user import. Consult the chapter Disclaimer to receive further information on how to configure Additional user fields within an automatic user import. Text file Please state the path to the file with the user addresses in the settings for the user import through text files (Picture 52). Picture 52: The specification of the path to the text file The text file does not require any specific format. All mail addresses in any formatted text are found and imported. As for licenced NoSpamProxy Large Files or NoSpamProxy Protection, you can select a content filter for all users to be imported. The content filters are defined on the node Content filter. Mail addresses are imported only if the domain is also deposited in the Owned domains of NoSpamProxy. All the others are not imported. Page 66

People and identities Partner Partner topic A partner entry defines how mails are supposed to be exchanged with external communication partners.

67 People and identities Partner Partner topic A partner entry defines how mails are supposed to be exchanged with external communication partners. These settings can be made for all partners, on a partner domain as well as for a mail address of a partner. Here, the settings for a mail address have priority over the settings on a domain and the settings on a domain have priority over the setting for all partners. Default settings for partners On the Default settings for partners, the domain settings and the mail addresses, one content filter (Picture 53) can be selected for mail attachments. Content filters are defined on the node Content filter. NoSpamProxy Protection or NoSpamProxy Large Files must be licenced to use content filters. Picture 53: Default setting of content filters For the use of 'DNS-based Authentication of Named Entities' (DANE), the use of a DNSSEC-enabled DNS server must be configured in the Default setting for partners (Picture 54). Through the use of DANE, the TLS certificates of the transport encryption are checked so that only those certificates are accepted which were classified as trustworthy by the recipient of the mail. The concepts of DANE can be consulted at Page 67

People and identities To achieve securing of the TLS certificates via DANE, you must configure a DNSSECenabled DNS server on the node Connected systems in the section DNS server.

68 People and identities To achieve securing of the TLS certificates via DANE, you must configure a DNSSECenabled DNS server on the node Connected systems in the section DNS server. Picture 54: Setting for DANE with TLS certificate Partner domains The list of the partners is grouped based on domains (Picture 55). Each domain contains settings for content filters as well as the required transport security and the trust between the domains. Page 68

69 People and identities Picture 55: The overview of all partners The settings on domain level apply to all partners that have not configured deviating settings on their mail address in the User entries. The settings in a user entry have priority over the settings of the domain. When creating a new partner domain, the default settings for partners are pre-set for the whole domain. Thus, you will only configure the settings to be applied to most partners once. Different settings on a partner address have priority over settings on the partner domain. The Required transport security determines whether mails must be encrypted during their transport from server to server. You can additionally impose requirements for the used certificate and deposit additional allowed certificates. The required transport security is always determined for the entire domain. Through NoSpamProxy Protection you can configure the Trust in this domain. Trust is automatically built through the current mail communication with a partner. Trust is determined for the entire domain. Page 69

70 People and identities New partner domain When adding a partner domain, give the domain name first (Picture 56). The domain name must be written in US-ASCII characters. Picture 56: The domain name As for licenced NoSpamProxy Large Files or NoSpamProxy Protection, you can select the used content filters on the following page. The content filters are defined on the node Content filter. Page 70

71 People and identities Picture 57: of the content filters The transport security determines whether the communication to the servers of the partner domains must be implemented in encrypted forms and, if so, which certificates are trusted (Picture 58). You can also deposit further certificates here which can be deployed for the transport encryption to the target server. For deactivating the transport security, you must deactivate all check boxes. If you have selected Delivery via a special server in the Mail routing as delivery method for external addresses for SMTP and Require encryption in the settings of the partner domains, the dispatch to this domain will fail. In this case, NoSpamProxy cannot ensure that the communication is encrypted all the way to the mail server of the recipient. Page 71

72 People and identities Picture 58: Transport security The Trust in a domain (Picture 59) becomes stronger through mails sent to the domain and gradually approximates the value "0" without further mail communication. You can also set the trust to a fixed value. In this case, a positive value represents trust (bonus points), and a negative value mistrust (minus points). Page 72

73 People and identities Picture 59: The trust in a domain Edit partner domain When editing a partner, the settings from the Domain can be adjusted. Additional areas are available when editing a partner. User entry of a partner domain Creating a user entry is analogous to creating a Domain. A user entry is assigned to a mail address and overrides the settings on the domain if communication with this mail address is realised. First, the mail address is entered (Picture 60). Please enter the local part (prior to sign) of the mail address in the field Partner address. The domain part is shown next to the input field already. Page 73

74 People and identities Picture 60: Adding a mail address of a partner In the next step, you determine a content filter. Additional user fields To use the "Additional user fields" you have to licence the Disclaimer feature. You can extend the data of your corporate users by additional fields. Afterwards, you can insert these fields in your disclaimer templates as placeholder. When attaching the disclaimer to a mail, these placeholders are then replaced by the data of the sender. For manually created users, you can edit the fields which were defined here directly on the user object. If you import your users from a removed system, you can determine how these fields are filled via the Automatic user import If you wish, you can define a default value for each field. This value is used if no value is set on the user itself. Page 74

75 People and identities Picture 61: List of all custom fields Page 75

76 9. Under the node of the Intranet Role, you can find the settings for the connection to other roles, settings of the database as well as notification addresses. (Picture 62). Picture 62: Settings of the Intranet Role Mail routing Under the node Mail routing (Picture 63), you can find the connectors for the delivery of inbound as well as outbound mails. Under Receive connectors, you can configure how NoSpamProxy receives mails. Additionally, you configure the local servers here. Page 76

77 Picture 63: Overview of all corporate mail servers and send connectors Local mail servers Here, you list all mail servers which are allowed to use owned domains as senders for mails. Local servers are identified through different ways: IP address A server is regarded as local if it sends from the given IP address (Picture 65). Subnetwork A server is regarded as local if it sends from an address in the given subnet. A subnet is provided in the CIDR representation, e.g /24 (Picture 65). DNS domain name A server is regarded as local if the DNS host name which was configured here references to the address of the server (Picture 65). TLS certificate Page 77

78 A server is regarded as local if it implements a TLS authentication with client certificate during the connection. If it is entered in root or intermediate certificate, the server must report with a certificate which contains the configured certificate in its certificate chain. If an end certificate is entered, the server must report with the exact same certificate (Picture 66). Office 365 Here, you can enter Office 365 as local server. A server is regarded as local if it is an official "Office 365" server (Picture 67). If you configure Office 365 as local server, the delivery of local messages is automatically shifted to the Delivery via queues since direct delivery is not possible. Moreover, a send connector is configured for Office 365. When adding new local mail servers, select the type of the server first (Picture 64). In the second step, you configure the specific settings specific for this type. Subsequently, you can select whether the connector is only responsible for specific domains or for all (Picture 69). Afterwards, you can also write a comment (Picture 70). Picture 64: The selection of the server type Page 78

79 Picture 65: Authentication via IP address, subnet membership or DNS host name Picture 66: Authentication via TLS certificate Page 79

80 Picture 67: Authentication via Office-365 tenant ID Picture 68: Authentication via a specific mail address Page 80

81 Picture 69: Indicate with which owned domains the server is allowed to send mails Picture 70: Optionally, you can write a comment Multiple used settings of connectors Some settings are multiple used in different connectors. They are explained in the following chapters. Page 81

82 Name Via the field Name, you need to give each connector an unique name. The name must distinguish itself from those of other connectors of the same area. The name ensures that you can distinguish the different connectors and can be used to briefly describe the function of the connector. Connection to Gateway Roles Depending on the type of the connector, it can either be used on several Gateway Roles simultaneously or on one single role only. Select the Gateway Roles on which you wish to operate the connector. Costs The Costs are used if several send connectors can be used for the delivery of a mail. In such a case, the connector with the lowest costs is used. Should the mail not be delivered via this connector, the mail delivery ultimately failed. In this case, no further connectors with higher costs are used. Connection security The connection security (Picture 71) determines the encryption of the transport connection. The dialogue described here is used several times for the different connectors. In some connectors, individual configuration options are masked out. This concerns the encryption on the transport route. This does not refer to an end-to-end security. Page 82

83 Picture 71: Settings for the connection security SMTP Security settings In the section Security settings, you can determine the security level for the transfer of mails to local addresses. The following settings are possible: Allow connection security through StartTLS (recommended) In this mode, encryption of the connections is possible but not obligatory. The encryption of the connection via StartTLS is optional for the inbound server. In this mode, you must provide a certificate in the area Server identity for receive connectors. You can optionally provide a certificate in the area Client identity for send connectors to ensure the identity of the sending server for the receiving server. Demand connection security through StartTLS If you want to make sure that all connections via the corresponding receive connector are encrypted, you must select this option. Now, NoSpamProxy mandatorily demands an encrypted connection from the inbound server via StartTLS. In this mode as well, you need to provide the gateway with a certificate in the section Server identity. Use TLS as connection security With this setting, an SMTP connector expects a connection establishment via SMTPS. A POP3 connector expects POP3S. Use this setting only if reasons render it obligatory. The StartTLS procedure is the most modern and by now common procedure for connection encryption. Usually, a separate port (normally 465) is used for SMTPS since the connection is automatically expected in encrypted form similar to HTTPS via the port 443. Page 83

84 Deactivate connection security With this setting, connections are never encrypted. Thus, NoSpamProxy does not offer connection security to inbound servers. SMTPS on port 25 is not conform to RFC. Use an own receive connector which you locate on port 465 instead. The necessary encryption level for the connection with StartTLS or SMTPS amounts to at least 128 Bit. Connections with a smaller encryption level are not accepted. Moreover, only TLS connections are accepted. SSL connections are not supported since they are no longer considered as safe. Server or client identity SSL certificates are required for the encryption of the transport connection. The receiving mail server mandatorily requires a certificate as server identity to enable the encryption of the connection. The sending mail client can prove its own client identity with a certificate. Server identity An SSL certificate in the receive connector is used to be able to provide connection security. With the help of the certificate as server identity for the receiving mail server, the encryption via StartTLS or TLS is enabled. Without certificate, the encryption for connections must be deactivated. Client identity An SSL certificate in SMTP send connectors is used to ensure the identity of the sending mail server. Since the certificate of the server identity of the receiving server suffices for the encryption of the transport connection, the connection security via StartTLS or TLS can be used even without a certificate as client identity. When adding a certificate for the transport encryption via StartTLS, the Gateway Role requires read access to the private key. Accesses to this role are granted automatically. However, you must stop and restart the Gateway Role once in order that the change becomes effective and the Gateway Role receives read access on the private key of the used certificate. A corresponding warning message also appears in the client. After the selection of the certificate, you might possibly need to enter a PIN code into the field Certificate PIN (optional) if the certificate store has protected the certificates with such a PIN. Please check the PIN you entered very thoroughly since many of the certificates protected by PIN codes are irrevocably destroyed by entering a wrong PIN code three times. Page 84

85 If SSL is forced for connections, you can restrict which clients are permitted to connect in the section Required client identity by only allowing access if the counter device authenticates with a corresponding certificate (Picture 72): Allow connections of every server Every server may connect. Require certificate The certificate to be provided by the counter device depends on the certificate selected here: As for intermediate or root certificates, the counter device must authenticate itself with a certificate which contains the selected certificate in the certificate chain. As for end certificates, the counter device must authenticate itself with the exact same certificate. Require trusted certificate The certificate chain of the presented certificate must be terminable via the certificates of the Windows certificate store. Picture 72: Determination of required client identity DNS routing restrictions through connector namespaces A send connector can also be configured in such a way that it delivers mails for a partial area of the available DNS namespaces only. Should several connectors be applicable to one mail, the connector with the lowest costs is used. Per default, a namespace of "*" as sender domain and "*" as recipient domain is automatically created in a new connector. Thus, a new connector has no restrictions in the DNS namespace since the placeholder "*" corresponds to any possible name. If the connector created by you should not administer all domains, you need to delete the default namespace and replace it by another. Page 85

86 Picture 73: The connector namespaces determine which sender or recipient domains are administered by one connector A connector namespace (Picture 74) consists of a pattern for the "sender domain" as well as the "target domain". This pattern may also contain placeholders ('*' and '?'). Page 86

87 Picture 74: A definition of a DNS namespace Example: To build a send connector for external addresses which only sends mails from the domain "example.com" to the domain "netatwork.de", you must realise the following settings. Sender domain pattern Target domain pattern example.com netatwork.de Smarthost: Mail delivery via dedicated server A Smarthost is a dedicated server for the mail delivery. Smarthosts are, for example, located at your internet provider or in the owned company network if mails may only sent via this server. Enter the IP address or the server name and the port of the dedicated server into the page Dedicated server (Picture 75). As a rule, this is the IP address or server name of the next mail system. Page 87

88 Picture 75: Connection settings for the dedicated server We recommend to enter addresses not as IP addresses but rather with server names if possible. For external Smarthosts, such as that of your provider, user name and password are often required for the authentication. You can provide them on the tab Authentication (Picture 76). Page 88

89 Picture 76: If required, you can deposit login information for the dedicated server here NoSpamProxy supports as authentication procedure the method "Basic". As for this method, user name and password are transmitted via the internet without encryption. If your provider supports this, you should activate the connection security for the connections. The options for the connection security to Smarthosts should be configured as described in the chapter Connection security (Picture 77). SMTP send connectors for mails to external addresses use the certificate-based identity as Client identity. Page 89

90 Picture 77: Connection security of an SMTP Smarthost If you send mails to external addresses via another Smarthost and enforce the encryption in the domain trusts of a domain, the dispatch to this domain will fail, if the Smarthost for the mails does not support encryption. Thus, you must ensure that the Smarthost always supports StartTLS for the mails. Inbound send connectors Under the section Inbound send connectors, you determine to which servers mails to local addresses are forwarded. The delivery of inbound mails can either ensue via the Queue system or - as with a proxy - directly to the local mail server. It must be regarded that the delivery via queues supports several Smarthosts while the direct delivery only supports one Smarthost. The differences are explained in more detail in the following chapters. Delivery via queues In this mode, NoSpamProxy will initially locate the mail in a queue after receipt and only then forward it to the configured Smarthost or Smarthosts. It is irrelevant for the successful receipt of the mail whether the next Smarthost is available or not. Page 90

91 Even in the queue mode, the mail is scanned for viruses and spam contents by NoSpamProxy Protection already during the transfer and rejected if required. If you select the queue mode for the send connector, a possibly existing configuration is replaced by the newly configured queue mode. If you change to the queue mode, the first SMTP-connector is configured immediately. If you have added Office 365 to the local servers, you see an "Office 365" connector here. It is responsible for the delivery of local mails to Office 365. Except for the binding to certain Gateway Roles, you cannot modify or delete this connector. General settings Enter a Name and select the Gateway Roles. Subsequently, determine the Costs of the connector. SMTP connections You can configure several Smarthosts under the SMTP connections. It is tried to successively deliver the mail to one of the configured Smarthosts. The order cannot be configured or determined by the user. As soon as a Smarthost receives the mail, the mail is considered to have successfully been sent. of a Smarthost The configuration of a Smarthost for the inbound mail delivery proceeds as described in chapter Smarthost: Mail delivery via dedicated server. In the Connection security, the send connector for local addresses uses a Client identity. DNS routing restrictions You define the restrictions for the namespace administered by the connector under DNS routing restrictions. The configuration of the restrictions for the local delivery proceeds as described in chapter DNS routing restrictions through connector name spaces. Direct delivery Via the "Direct delivery", you configure that NoSpamProxy acts as an SMTP proxy with mails to local addresses. With this setting, it must be regarded that the configured Smarthost is always available to accept the mails. If this is not the case, NoSpamProxy will not accept the mail. The inbound Smarthost will retry to deliver the mail at a later point in time. Moreover, it is only possible to indicate one local mail server in this mode. The configuration of direct local delivery proceeds as described in chapter Smarthost: Mail delivery via dedicated server. If you have added Office 365 to the corporate mail servers, direct delivery is not available. Page 91

92 Outbound send connectors Under the section Outbound send connectors, you determine how mails are sent to an external server. SMTP The SMTP connectors are deployed for the delivery to external SMTP servers. Via these, you can either configure a direct delivery to the target SMTP server or a delivery via a dedicated server (Smarthost) which accepts all mails of the connector to forward them for delivery. General settings Enter a Name and select the Gateway Roles. Subsequently, determine the Costs of the connector. Subsequently, as for the Routing method, either choose the Direct delivery (DNS) or the Delivery via a dedicated server (Smarthosts) (Picture 78). Picture 78: Names, costs and delivery method of an SMTP send connector Page 92

93 Delivery - Direct delivery (DNS) The direct delivery via DNS servers attempts to deliver the mails directly to their target servers. Determine the required Connection security for this connector. Additionally, you can deposit a specific Client identity in order that NoSpamProxy can authenticate to other servers (Picture 79). Picture 79: Connection security of the SMTP send connector Delivery - Dedicated servers (Smarthosts) The configuration of a Smarthost for the local delivery proceeds as described in chapter Smarthost: Mail delivery via a dedicated server. The connection security for the connection to the respective Smarthost features the same options and restrictions as described in chapter Delivery - Direct delivery (DNS). DNS routing restrictions You configure the restrictions for the namespace administered by the connector under DNS routing restrictions. The configuration of the restrictions for the local delivery proceeds as described in chapter DNS routing restrictions through connector namespaces. Page 93

94 D via Telekom For the connection to Telekom D , you initially need to establish a D provider for a Telekom D connection on the node Connected systems. Use this connector if you wish to send D s via Telekom. First, provide the Name and the status of the connector. Second, select the already configured provider from the list. The providers are described in the list along with their names, the target system (T-Deutschland / T-Systems) and the Gateway Role where they are located (Picture 80). Next, you configure, as with all D send connectors, the Assignment of owned domains. Picture 80: Settings of a Telekom D connector Page 94

95 D via Mentana-Claimsoft GmbH For the connection to Mentana-Claimsoft D , you must initially establish a D provider for a connection to Mentana-Claimsoft on the node Connected systems. Select a clear Name for this connector and determine to which Gateway Roles it should be assigned (Picture 81). Select the owned domains which can send mails with this D connector in the next step. Picture 81: Mentana-Claimsoft D connector Assignment of owned domains The assignment of owned domains to certain D connectors serves for establishing respectively separate D connectors for different owned domains. If you configure one D send connector only, please assign all owned domains to it. As for several D send connectors, you must assign Page 95

96 the corresponding owned domains to the respective connector in order that NoSpamProxy can decide via which D connector a mail is sent. Picture 82: Assignment of owned domains to D send connector E-Postbrief connector With the E-Postbrief, Deutsche Post offers mandatory, confidential and reliable communication. For more details see Companies are offered the possibility of a direct connection to the infrastructure of the Deutsche Post via a so-called individual communication gateway (IKG). The IKG is installed in your company and functions as SMTP endpoint for mail routing to the network of Deutsche Post. The E-Postbrief connector undertakes the automatic routing of mails to an IKG. Moreover, it ensures that E-Postbriefe are only accepted from the IKG. This prevents that any regular mail received from the Internet can be passed off as an E-Postbrief. After the selection of the E-Postbrief connector, you can determine for different internal domains to which IKG E-Postbriefe from this domain are sent on the following page. (Picture 83). Page 96

97 Picture 83: The configuration for the delivery of E-Postbrief The assignment of the owned domains to the IKGs is realised via a separate dialogue (Picture 84). Page 97

98 Picture 84: The assignment of an owned domain to an IKG Deutschland-Online - Infrastruktur connector The Deutschland-Online - Infrastruktur (DOI) project is, among others, used by municipalities for secure transfer of messages. If you are no member of the DOI project, you have no use for this connector and can skip this chapter. The DOI connector automatically downloads the current routing table of all participants and routes mails to other participants via the secure DOI network. To activate the delivery to the DOI network, you create a new connector in the node mail routing in the section Outbound send connectors. In the following dialogue, select Deutschland-Online Infrastruktur (DOI) as type and click on Next. In the next step, you must enter the FTP- or web address from where you obtain the mailer table. Enter your user name and password under Authentication. To conclude, you select a value for the costs which is below that provided for the standard connector for mails to external addresses. By doing this, it is ensured that the standard routing connector does not undertake the routing for these mails. Click on Next when you have entered everything (Picture 85). Page 98

99 Picture 85: The configuration for the delivery to the network of Deutschland-Online - Infrastruktur On the page DOI delivery, you can configure the properties for invalid senders (Picture 86). Sender are always considered invalid if the sender domain is not part of the DOI network. These mails must not be delivered via the DOI network. You can now select whether these mails should be returned to the sender or whether they are send via another connector with higher costs. Furthermore, you can determine on this page how mails should be delivered. On the one hand, mails can be delivered directly. On the other hand, and this is the recommended option, a Smarthost can be used. Such a Smarthost is provided by the DOI network. Page 99

100 Picture 86: Extended delivery options for the DOI network With delivery via the DOI network, the delivered mail is described as "not encrypted" in the message tracking. In this case, the mail is encrypted via the DOI network and is thus bug-proof. This type of securing is not listed under transport security. Receive connectors In order to receive mails on different network interface cards but also to meet different security requirements for mail traffic, several receive connectors can be configured. Page 100

Picture 87: Overview of receive connectors SMTP connectors The SMTP receive connector defines on which IP address and on which port mails are received by NoSpamProxy.

101 Picture 87: Overview of receive connectors SMTP connectors The SMTP receive connector defines on which IP address and on which port mails are received by NoSpamProxy. It also determines how invalid requests from external mail servers are dealt with and which connection security should be applied during the transport of the mail. SMTP settings Determine the Gateway Roles of the receive connector as well as the IP address and the port of the connector (Picture 88). In the input field Binding on IP address it is defined on which address the connections should be accepted. With the selection All, you select all existing IP addresses. Instead, you can also select certain addresses out of all available assigned IP addresses. For doing so, click on the arrow symbol and select the desired IP address from the drop down list. If you have selected several Gateway Roles, you cannot implement a binding on individual IP addresses. In this case, select All or Loopback. Via Port, you can configure the port on which NoSpamProxy should receive mails. Page 101

102 Picture 88: The connection security of an SMTP receive connector Invalid requests Some participants in the internet attempt to utilize other mail servers by sending invalid requests, the so-called 'Denial of Service' attacks, or exploit security gaps to break into this server. To minimise these attacks, you can deliberately outmanoeuvre such requests (e.g. through so-called "tarpitting"). The tab Invalid requests (Picture 89) shows the configuration settings for these invalid requests. Page 102

103 Picture 89: Determine the properties on the receipt of invalid SMTP commands The Blocking of IP addresses serves for deliberately outmanoeuvring servers already identified as spam senders. If a server sends a mail to your NoSpamProxy and classifies it as spam, subsequent mails from the same sending server are blocked for the given time period. A normal mail sender will retry to deliver the mail after this time period, while a spam sender will probably cancel the delivery and concentrate on unsecured mail recipients. Via the radio button Blocking for suspicious IP addresses, you activate or deactivate the option for blocking. With the slider for the Blocking period, you can determine the duration of the blocking starting from 5 minutes up to one day (1440 minutes). "Tarpitting" is a method to outmanoeuvre mail relays which do not correspond to the RFC with regard to the SMTP command rules and/or their correct order. As soon as an SMTP command is transferred incorrectly or at the wrong point, NoSpamProxy waits for 5 seconds with its response to every further command. The transfer of the commands is thus artificially aggravated as if you would take the route through a tar pit, consequently the name tarpitting. You can activate or deactivate Allow retarding of bad connections (Tarpitting) via the radio buttons Activated and Deactivated. With the slider for the Tarpitting level, you can set by how many seconds NoSpamProxy Protection retards the response time. If you set the slider to 'low', the gateway waits 2 seconds. In the setting 'medium' 5 seconds and in the position 'high' 10 seconds. Page 103

104 Connection security In the Connection security, the SMTP receive connector uses a Server identity. If you demand StartTLS or SMTPS as connection security, you can additionally ensure the identity of the inbound server (Picture 90). The following settings are possible: Allow connections from each server The identity of the inbound server is not restricted here. Mails from all servers are accepted. Require a certificate The certificate to be selected here can either be an end certificate or an intermediate or root certificate. If you select an end certificate, the inbound server must prove its identity with it. If you select an intermediate or root certificate, it must prove its identity with a certificate which has the given certificate in its certificate chain as intermediate or root certificate. Require a trusted certificate The inbound server must prove its identity with a certificate which is deposited as trustworthy in the certificate store of the local computer. Picture 90: The connection security of an SMTP receive connector Rules To process a mail, NoSpamProxy applies rules which you can configure individually. Page 104

105 After the installation of NoSpamProxy, you can create a set of standard rules after the installation of the licence. They help you to ensure that the gateway can take up the function as quickly as possible and with minimum administration effort. Nevertheless, you should check these rules and, if necessary, adjust them depending on your needs. The rules of NoSpamProxy are set up modularly. You can create your own rules and change already existing ones. This is realised by selecting the desired filters from the available ones for each single rule. Within each rule, you can weight it with a multiplier and, if needed, configure it. The filters take up the actual work during the check of the mail: They assess to what extent the mail meets a specific filter criterion and assign points accordingly. How this point distribution is precisely implemented is explained below. Thus, you can set up your own set of rules with different filter combinations and restrict the rules to certain senders and recipients. This offers several advantages as you can react to spam attacks very individually and flexible. Not each suspicious mail is spam for each company in every situation. If you, for instance, apply a word filter, the term "Viagra" certainly is on your "black" list; you wish to block mails with "Viagra" advertisements. For a pharmaceutical company, however, this term only is a spam criterion to a limited extent. With NoSpamProxy Protection, you can decide yourself whether you add "Viagra" to the word filter; or whether you deploy a word filter at all and if so, to what extent you weight it with the multiplier. If, apart from that, a mail appears reliable or comes from a known mail sender, the occurrence of the suspicious word might be acceptable under certain circumstances. You can also determine that the rule with the word filter only applies to specific IP addresses or recipients; for example, only to senders with a specific TLD (Top Level Domain) or IP addresses from a specific subnet. The order of the rules is important. If a rule is responsible for a mail to be checked, it is used. If several rules apply to a mail, the rule at the very top of the list is deployed. Pos. Rule name From To 1 "General" * john.smith@example.com 2 "Japan" *.jp john.smith@example.com Action Rule 1, which is called "General" here, is defined for all mails addressed to john.smith@example.com. Rule 2 named "Japan" on position 2 is also defined for the recipient john.smith@example.com but only considers senders from Japan. To a mail from Japan to "john.smith", both rules apply. However, only the rule "General" is used for assessment since it is at the top of the list. Even if the Japan rule would actually be "more precise" here, the order is the decisive criterion. To use the rule for "Japan" you have to reorder the rules as shown below. In that case the more special rule is applied first. Page 105

106 Pos. Rule name From To 1 "Japan" *.jp john.smith@example.com 2 "General" * john.smith@example.com Action Filters The individual filters of the corresponding rule are applied to each mail. The filters assess the mail to be checked and assign minus and bonus points. These points are weighted with the multiplier of the filters and added to a total value. If this value exceeds the set threshold value (SCL) of the rule, the mail is rejected. You can individually set the threshold value for each rule. Which filters are available and how they exactly function can be obtained from chapter Filters in NoSpamProxy. Actions Actions for spam check After having determined whether the mail is rejected or passed through based on the filters, the configured actions are invoked. Actions can, among other things, change mails in order to, for instance, add a footer or delete undesired attachments. However, actions can also reject mails although they would have actually been passed through after the assessment by the filters. Thus, a virus scanner can, for example, reject a mail nevertheless although it had not been identified as spam. This means that actions are superordinate settings with which filters might be overruled. All actions are described in detail in the chapter Actions in NoSpamProxy. How NoSpamProxy Protection classifies a mail as spam In the rules, you can configure different filters and actions. The filters within a rule are the checkpoints which assess the spam character of a mail according to certain criteria. The higher the probability for spam, the higher the point result for this mail becomes. If a mail is, however, assessed as rather trustworthy, the result can also become negative. The range of values is between -10 and +10 points. You can differently weight the filters within the rules with the multiplier. The assessment of the filter is applied against the multiplier. In doing so, you can increase the influence (=point share) of an important filter within a rule. Based on the calculated total score, a "Spam Confidence Level" (SCL) is determined. An SCL of 0 means that the mail was classified neutrally. The higher the value, the more the mail was classified as spam. If the value is below 0, the mail was classified as trustworthy. If this total weight reaches the threshold value of the rule, the mail is treated as spam and rejected. The following example illustrates the procedure: You created a rule with an active filter: the word filter. Moreover, the Level of Trust system for this rule is activated. The word filter checks a mail for undesired terms. Page 106

107 Assuming that a mail contains a large number of undesired terms, the word filter will thus raise the alarm and assign a high minus value for this mail, for example, 6. If the word filter was the only filter in this rule, the mail would now have a total value of 6. If you had set, the threshold value 4, for example, this mail would now be blocked and rejected. The sender would receive a non delivery report. Moreover, the Level of Trust system is activated in this rule. The mail comes from a very reliable mail partner with whom you already exchanged many mails. The Level of Trust system assesses this mail with -4 SCL points. The Level of Trust system always has a multiplier which equals the sum of all multipliers of all activated filters in the rule plus 1. This amounts to a factor of 2 in our example. The SCL value thus arises from 6+2*-4. Thus, an SCL of -2 emerges. The mail would pass NoSpamProxy Protection. This example already hints at the possibilities offered by the modular setup of the rules and how important the filter weighting with multipliers can be. SCL calculations are described in detail in chapter Calculating the Spam Confidence Level. Another informative example is the following case: A mail comes from a system which is on a blocklist (RBL). Most filter products would categorically reject such a connection without closer analysis. With NoSpamProxy Protection, however, you can relativise this decision. If the mail is, for example, a reply, the Level of Trust filter can overrule the assessment. Result: The mail from this provider is not blocked but rather, as desired, delivered. However, mails from another unknown sender which misuses this unsafe server cannot pass. of rules The rules how mails should be processed are maintained in the node Rules (Picture 91). Picture 91: The overview of all rules which determine the processing of mails Page 107

As for a fresh installation of NoSpamProxy, the list with the rules is empty. In this case, you can have created the default rules by using the link Generate default rules (Picture 92).

108 As for a fresh installation of NoSpamProxy, the list with the rules is empty. In this case, you can have created the default rules by using the link Generate default rules (Picture 92). The function for generating default rules is also available to you at a later point if you wish to supplement or replace your own rules with/by the default ones. When supplementing, the default rules are located behind the existing ones and their order can be changed afterwards, see Reorder rules. Picture 92: Generate default rules Create new rule A rule has the following settings: General, Mail flow, IP filtering, Filters, Actions and Reject behaviour. Which rule is applied to a mail is determined by the settings in the tabs Mail flow and IP filtering. The other tabs determine how the mails are processed. The first tab (Picture 93) comprises important parameters with which you determine basic settings. Page 108

109 Picture 93: General settings of the rule First, give a clear name for the rule in order that you do not lose track in the rule summary. Under Status, you can state whether the rule is activated or deactivated. With the Index of the rule, you enter the hierarchy of the respective rule. With the option Level of Trust system, you can activate or deactivate the Level of Trust system for this rule. With the option Content filter, you can enable or disable the Content filter for this rule. Under Comments, you can add a comment to the rule to facilitate the identification of the rule. The comments have no impact on the definition or function of a rule. They only serve for documentation purposes. In the tab Mail flow, you restrict the rule to certain senders and receivers (Picture 94). Page 109

110 Picture 94: Define to which addresses this rule should be applied. Under Scope, you initially select to which senders and receivers this rule should be applied. Moreover, you can further restrict the rules by adding one or more Filter entries. Here, you can alternatively use address patterns or user groups (Picture 95). To receive groups from a user directory, you must configure an automatic user import from LDAP or Active Directory users on the node 'Domains and users'. Groups are available after the first synchronisation has been realised. Page 110

111 Picture 95: Configuring a filter entry within a rule You can restrict the rule to certain inbound servers in the tab IP filtering (Picture 96). Picture 96: Define the validity of the rule with regard to the inbound server Page 111

112 In the tab Filters, you activate the desired filters for a rule (Picture 97). The filters, however, can be weighted differently with multipliers and thus increase or decrease their effect. Picture 97: Determine the filter settings of the rule Set the Filter setting to Reject, if all mails which are processed by this rule should be rejected without being checked. Select Accept, if all mails of this rule should be delivered without being checked. With Check, the Spam Confidence Level (SCL) of each mail is checked and rejected as spam when reaching the set value. An SCL value of "1" means that mails are already rejected on slight spam indications. An SCL value of "10" only rejects mails with extremely high spam indications. Only if you have selected the filter method Check, you can select those filters which you wish to deploy. This can be done via the area Active filters. To activate one or more filters for a rule, click on the link Add filter. A dialogue opens in which you can select the desired filter from the available ones (Picture 98). Depending on the filter, another specific configuration dialogue opens in which you can realise the filter configuration. To the left of the filter name, you find one slider respectively via which you can set the multiplier. The value "5" means that the filter is weighted five times as much as a filter with the value "1". Some filters are not functional for the sender selected in the rule. At this point, the text Cannot be applied to rules for local (or external) senders is entered into the column Status. Such filters cannot be added and a rule with invalid filters is not saved either. Page 112

113 The addition of a filter to a rule due to the direction is only prevented if it does not show any function for this direction. This restriction does not always constitute the recommended deployment. This means that filters which are intended for a certain direction but also function in the opposite direction are thus configurable for both directions. The recommended direction, however, is sometimes indicated in the name of the filter. Picture 98: Add an available filter to your rule Actions are executed on each delivered mail whether checked or not. You can decide in this tab which actions should be executed in the rule and how these actions are configured in the rule. Actions are always executed even if the mails are not checked by filters. The active actions in the rule are shown in the list Active actions (Picture 99). Page 113

114 Picture 99: The actions of a mail Via the link Add, you can add further actions to the rule. Depending on the selected action, you must configure it before it is added to the list of actions. (Picture 100). Some actions are not functional for the sender selected in the rule. If so, the column Status contains the text Local (or external) senders supported only. Such actions cannot be added and a rule with invalid actions cannot be saved either. The addition of an action to a rule due to the sender is only prevented if it does not show any function for this direction. This restriction does not always constitute the recommended deployment. This means that actions which are intended for a certain direction but also function in the opposite direction are thus configurable for both directions. The recommended direction, however, is sometimes indicated in the name of the action. Page 114

115 Picture 100: Actions from this list can be added to a rule On the next tab you can configure settings for the Reject behaviour. If a mail does not meet the rules set by you for dispatch or receipt, the properties configured here are applied. Rule violations emerge, for instance, if a mail could not have been encrypted or invalid attachments to mails were found. Picture 101: Properties for Reject behaviour The following options are available to you. To Reject a mail means that the server rejects acceptance (SMTP prompt 5xx). Thus, the inbound server needs to generate a non delivery report (NDR). To Page 115

116 Drop means a positive acknowledgement by the receiving server to the inbound server (SMTP prompt 200) but without any further processing of the received mail. Since the mail is directly deleted after the acceptance, NoSpamProxy will generate a non delivery report and send it to the sender of the mail. Reorder rules After completing the rule editor, the new rule appears in the rule list. The position in the list corresponds to the index you determined in the tab General of the rule editor. To change such a position of a rule, open the configuration of the rule and set the new position via the setting Rule index. Picture 102: Via the slider for the "Rule index", you can change the position of the rule Alternatively, you can click on Reorder rules below the list with the rules (Picture 103). Page 116

Picture 103: Here, the order of all rules can be changed simultaneously Filters in NoSpamProxy Filters assess mails and thus influence the Spam Confidence Level (SCL) of mails.

117 Picture 103: Here, the order of all rules can be changed simultaneously Filters in NoSpamProxy Filters assess mails and thus influence the Spam Confidence Level (SCL) of mails. Consequently, the decision can be made whether the mail is rejected if the examination result exceeds a certain SCL value. CYREN IP Reputation Valid for the following senders: External. Default SCL value for a multiplier of one is 3 for a "bad" reputation and 1 for an "unknown Sender". This filter checks the reputation of the sending IP address by using the service of Cyren to boost the spam detection rate of NoSpamProxy further. Greylisting is skipped if Cyren reports the IP address as "good". If the reputation is "bad" or the sender is unknown the SCL points, as stated above, are given. The filter has no settings of its own but you can adjust the filter result be using the multipliers. CYREN AntiSpam Valid for the following senders External and Local. Standard SCL value with single multiplier is 4. The "CYREN AntiSpam" filter creates a fingerprint of the mail to be checked based on defined criteria and compares it to fingerprints known to the Cyren Detection Center in the Internet. If it is recognised as known, this means that Cyren classifies the mail as a spam mail. The "Cyren AntiSpam" filter will Page 117

118 consequently assign 4 SCL points. The filter itself does not dispose of any further possible settings. The administrator can only exert further influence on the filter result via the weighting with multipliers. The Cyren service supports malware scans with a file size up to 50MB. Archives, for example ZIP archives, are decompressed if possible and all of the files are scanned individually. The limit of 50MB is in archive applicable to the size of each decompressed file. Allowed Unicode language planes Valid for the following senders: External and Local. Standard SCL value with single multiplier is 4. Mails containing spam sometimes come from language areas with which one does not communicate usually. For example, incoming spam might contain Chinese characters. This filter can block mails by analysing all character sets contained and only letting pass the mail if all character sets contained have been explicitly allowed by you. Add the filter Allowed Unicode language planes to your rule. The dialogue for the configuration opens (Picture 104). Picture 104: The list of the allowed Unicode language planes Now, add all language planes which can be used in incoming mails to the allowed language planes. To do so, select Add allowed language planes. A dialogue with all language planes which have not yet been allowed appears (Picture 105). Page 118

Picture 105: The list of the available Unicode language planes If you only communicate with Western Europe or America, the language plane for western European languages usually suffices.

119 Picture 105: The list of the available Unicode language planes If you only communicate with Western Europe or America, the language plane for western European languages usually suffices. You can add it, if it is not yet contained in the list of the allowed languages, via Add default western European language plane to the list. Realtime block lists Valid for the following senders: External. Standard SCL value with single multiplier depends on the lists selected in the filter. The SCL points set in the list are assigned per hit. The filter "Realtime block lists" checks whether an address entry is available in realtime block lists. You can select several different block lists. Since even the best lists might contain false positives, you should always use several lists. As each hit is evaluated as a minus point, the risk for a mail to be immediately blocked through a "false positive" based on a single blocklist is minimised. Add the filter Realtime block lists to your rule. The dialogue for the configuration opens (Picture 106). As for the filter Realtime block lists, you can set which block lists should be used. Similar to the filter Word matching, the individual lists are globally preconfigured in the menu Presettings and must only be selected in the filter. Via the link Replace with default set, you can replace the currently selected lists by lists recommended by Net at Work. Page 119

Picture 106: Add all blocklists which should check the IP addresses of incoming mails Click on Add, to select the blocklists which NoSpamProxy Protection should scan during the filtering.

120 Picture 106: Add all blocklists which should check the IP addresses of incoming mails Click on Add, to select the blocklists which NoSpamProxy Protection should scan during the filtering. The dialogue Realtime block lists opens. (Picture 107). Select the desired blocklist/s and click on Add. The previously selected lists appear in the overview of the realtime block lists. Picture 107: You can select from all defined blocklists To remove one or more lists, select the entries to be deleted and click on Remove. Page 120

121 Please keep in mind that the removed lists are only removed from the rule just edited. The lists still appear in the Presettings. In order that the DNS requests function correctly, you must properly configure the DNS settings of the operating system. The server must be able to resolve external domains. It can be useful to install an own DNS server as forwarder. Spam URI Realtime blocklists Valid for the following senders: External and Local. Standard SCL values with single multiplier depends on the lists selected in the filter. 2 SCL points are assigned per hit of a list. Spam URI Realtime blocklists administer lists with suspicious spam URLs. It is possible to check via the internet whether a URL is possibly contained in this list or not. The "Spam URI Realtime blocklists filter" isolates the domain from the links in a mail and checks whether a corresponding entry is available in these lists. Moreover, it searches for addresses which start with " and do not appear as link in the mail. Picture 108: Configure the spam URI Realtime blocklists filter You can select several different blocklists (Picture 108). Similar to the realtime blocklist filter, DNS requests must function correctly. The server must be able to resolve the given service. It can be useful to install an own DNS server as forwarder. SpamAssassin connector Valid for the following senders: External and Local. Standard SCL value with single multiplier depends on the Return value of the SpamAssassin Daemon. Page 121

122 SpamAssassin is a free spam filter which contains different pre-defined tests to classify messages. Many of these tests, such as RBL, are executed by NoSpamProxy Protection itself at an earlier point in time already and more effectively. However, it might be interesting to integrate the remaining rules of the filter. SpamAssassin assesses a message and writes the result into the header of the message. It consists of server (SpamD) and client (SpamC). The filter of NoSpamProxy Protection acts as SpamAssassin client (SpamC) and functions only in connection with a SpamAssassin Daemon (SpamD). You can install the SpamAssassin daemon on a system of your choice. This can be a UNIX or Windows system. The operation on the same server as NoSpamProxy is also possible. Add the filter SpamAssassin connector to your rule. The dialogue for the configuration opens (Picture 109). Picture 109: Define the connection to the SpamD server As for the SpamAssassin connector, you can set the IP address or the Full Qualified Domain Name (FQDN) of the SpamD server. The standard port of the SpamD server is "783" and can be changed if your SpamD accepts on connections on another port. With the setting SpamD server name, you can initially determine whether the SpamD server is located on the same client or on a remote client. Under SpamD server, you can give the IP address or the DNS name of the SpamD server. Under SpamD port, you can give the port number of the SpamD server. By default, the SpamD server accepts the connections on the port number "783". Please ensure that NoSpamProxy can actually connect to the requested system. Often, port filters, IP routing and firewalls need to be configured in order that NoSpamProxy Protection can actually reach the SpamD server. Page 122

123 Reputation filters Valid for the following senders: External. This filter executes different tests on the mail envelope and the content of the mail (Picture 110). Through some of the tests, DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework), and, based on that, DMARC (Domain-based Message Authentication, Reporting, and Conformance) are analysed as well. (Picture 111). To each test, individual SCL points can be assigned in order that you can adapt the assessments of the requirements of your company. Picture 110: Test on the mail envelope Page 123

124 Picture 111: Test on the mail body Word matching Valid for the following senders: External and Local. Standard SCL value with single multiplier depends on the word groups selected in the filter. The SCL points set in the word group are assigned per hit. With this filter, you can identify pre-defined words and terms in the subject line as well as in the mail body and evaluate them with positive or negative SCL points. Each occurrence or, depending on the setting, each lack of such a term in a mail is evaluated only one time with the points set in the filter. If one or more word/s is found in the configured word groups, an optional mail with a notification can be sent to a local mailbox. This mail contains the sender of the mail, the recipient, subject and the words found. Page 124

125 The word groups available in this filter are previously defined under the node Presettings. Add the filter Word matching to your rule. The dialogue for the configuration opens (Picture 112). Picture 112: Add your defined word groups to the filter of the word matches Now, you have the possibility to add previously created word groups via the link Add word group. Several word groups are already preconfigured. Select the desired word group/s and click on Add. In the overview of the dialogue for the word matches, you now see the selected word groups. Actions in NoSpamProxy Actions can change mails An action contains information on the filter result and can subsequently execute further tasks. In contrast to the filters, actions can change the mails; for example, sort out attachments due to a detected virus. Moreover, actions can overrule filter results. Examples for this are virus scanners and a greylisting action. To activate an action, you must select the tab Actions in the rule that should contain this action. Click on Add. The dialogue Add appears in which you select the action to be added and click on Select and close. Now, the action is added or, if it has to be configured, the configuration of the action opens and the action is added to your rule afterwards. Page 125

Receiver rewriter Valid for the following senders: External and Local. This action enables you to change the target address during the receipt of a mail.

126 Receiver rewriter Valid for the following senders: External and Local. This action enables you to change the target address during the receipt of a mail. In doing so, you can, for instance, after a change of name of the company, have rewritten all mails addressed to the former address to the new one. A second application case is the definition of a "secret address". For example, you can thus determine that all mails with an entry *secret* in the address field are classified as desired and thus delivered without a check. A rule could be as follows: Pos. From To Decision Action 1 *@* *secret@example.com Pass Receiver rewriter The receiver rewriter removes the "code" word and forwards this mail to your correct mail address. The "code" word in the address can of course be set by you and can be changed again if required. Add the action Receiver rewriter to your rule. The dialogue for the configuration opens (Picture 113). Picture 113: Configure the replacements on the recipients' addresses of the mails You can set which part of a "Code" word address should be replaced by a part of the correct address. In the settings of the Receiver rewriter, you enter the string from the "secret" address which is to be replaced and for which the address manipulation should become active under Match. Under Replace with, you enter by which text the text from the field Match should be replaced. Page 126

127 It is thus reasonable, for instance, to replace the string "topsecret" in the "secret" address by an empty string for the correct address CYREN Premium AntiVirus Valid for the following senders: External and Local. Regardless of the filter results, the "CYREN Premium AntiVirus" action creates a fingerprint of the mail to be checked based on determined criteria and compares it to the fingerprints of the CYREN Detection Center in the Internet. Should the fingerprint be known, this means that CYREN classifies the mail as virus mail. Additionally, the entire mail is checked with locally available pattern files on all known viruses. The Cyren service supports malware scans with a file size up to 50MB. Archives, for example ZIP archives, are decompressed if possible and all of the files are scanned individually. The limit of 50MB is in archive applicable to the size of each decompressed file. CSA-Whitelist Valid for the following senders: External. Many newsletters are desired as their contents are delivered with the recipient's consent. The problem with such newsletters is that their receipt cannot be ensured since no Level of Trust entry has so far been created automatically and entering all trustworthy newsletter senders as trusted Partners constitutes excessive effort. This gap is bridged by the CSA-Whitelist. It is a positive list where a control committee monitors the legitimacy of the newsletters sent. As a result, newsletters from senders which are on the CSA-Whitelist can be delivered safely. If the sender of a received mail is on the CSA-Whitelist, the CSA-Whitelist action marks the mail as trustworthy. Thus, all filters of the applied rules are skipped. Add the action CSA-Whitelist to your rule. Afterwards, it appears in the action overview of the rule. The configuration of the action is realised in the node Connected systems. File based virus scanner Valid for the following senders: External and Local. Viruses are, along with spam, a huge threat and should also be sorted out as soon as possible. During the search for viruses, it might also happen that overeager filters mistakenly remove a desired mail. Most products delete such mails without notifying the recipient or sender. The difficulty is comparable to a quarantine directory of a conventional solution. NoSpamProxy Protection, in contrast, works differently. The action "File based virus scanner" stores attachments of mails coming through into a specific directory. If you have installed any OnAccess virus scanner, this scanner will deny read access to possibly infested attachments. NoSpamProxy Protection checks whether access is possible or not Page 127

128 immediately after the storage of the attachments into the directory. Attachments which can be accessed are considered virus-free. NoSpamProxy Protection can cooperate with any other virus scanner which monitors file accesses in real-time. This scan method is already installed on many servers and is very performant and reliable. The directory to temporarily save the files is in current installations %ProgramData%\"Net at Work Mail Gateway\Temporary Files \Netatwork.NospamProxy.Addins.Core.Actions.FileVirusScanAction". In older installations the file may be saved in the installation directory of NoSpamProxy in the folder "\AntiSpam Role\Temporary Files \Netatwork.NospamProxy.Addins.Core.Actions.FileVirusScanAction". You can set yourself whether infested attachments are only deleted or whether the corresponding mail should automatically be blocked. If a mail is rejected, the sender is notified by the inbound server. In case of a deleted attachment, neither the sender nor the recipient are informed. Add the action File based virus scanner to your rule. The dialogue for the configuration opens (Picture 114). Picture 114: Configure the action for the file based virus scanner If you reject these types of mails, similar to an identified spam mail, the inbound mail server will send a non delivery report. The risk for a misidentification is dropped. Page 128

129 In the file based virus scanner action, you can determine how infected attachments and the corresponding mail are handled. Select whether infected attachments are removed from the mail or whether mail with infected attachments should be rejected. The action is now shown in the overview of the actions in the rule. As for all virus scanners, password-protected ZIP files are not checked. Greylisting Valid for the following senders: External. Greylisting is a precaution against "suspicious" mails. If a mail remains below the spam threshold value you defined, this mail would be evaluated without greylisting as sufficiently positive. The greylisting action does not let the mail pass immediately but rather rejects it temporarily. The inbound server receives an error message which enforces that it sends the mail again after some time. In the second attempt, the mail is delivered. It can be set accordingly when the inbound server can start a second attempt. This action is based on the following principle: Usually, a spammer avoids the effort to send a second mail. A usual sender, however, will retry delivery after some time. In the second attempt, this connection is now assessed more positive so that the mail can pass. You can set the maximum threshold for minus points which classifies an actually passing mail as "suspicious". Add the action Greylisting to your rule. The dialogue for the configuration opens (Picture 115). Page 129

Picture 115: Configure the options of greylisting You can define from which threshold greylisting starts to become active and set the delay time after which the Level of Trust entry should ensue.

130 Picture 115: Configure the options of greylisting You can define from which threshold greylisting starts to become active and set the delay time after which the Level of Trust entry should ensue. With the slider Block threshold is, you can define from which threshold (SCL) mails should de temporarily blocked. This threshold value must be lower than the spam threshold value, otherwise greylisting would not be effective. Moreover, you can change the Activation delay. With this function, you determine the time after which the mail is assessed more positive. Hide corporate topology Valid for the following senders: Local. The action Hide corporate topology removes the "Received" mail header of a mail from a local sender. Otherwise, conclusions on the local topology can be made through these Received entries. Automatic reply Valid for the following senders: External and Local. The action Automatic reply sends an automatic reply to the sender of a mail (Picture 116). The text of the mail is created via a template from the Templates folder of the Intranet Role. The setup copies an exemplary template (SampleAutoReply.cshtml) into the folder. On the basis of this template, you can create copies and adjust them to your needs. Page 130

131 Changes in templates are replicated within a few minutes from the Intranet Role to all Gateway Roles. The roles need not be restarted to do so. Picture 116: Create automatic reply Reroute mail Valid for the following senders: External and Local. This action offers the possibility to add or completely replace the recipients of a mail. Depending on the settings, mails are either delivered additionally or to the recipients deposited in the action only. (Picture 117). Picture 117: for rerouting mails Page 131

132 At least one recipient's address must be deposited in the list to enable the use of the action. Apply DKIM signature To use Disclaimer you have to licence it separately. Valid for the following senders: Local. This action places a DKIM signature (DomainKeys Identified Mail) on outgoing mails. In doing so, the recipient can ensure that the mail was actually sent by your company. To create the signature, a DKIM key is required. How such a key is created and published can be obtained from chapter DomainKeys Identified Mail. Apply disclaimers Valid for the following sender: Local. This action adds a disclaimer to outgoing messages. For doing so, the disclaimer rules and templates are evaluated and attached to the respective positions in the mail. In chapter Disclaimer, you learn how you can configure the disclaimers. Calculating the Spam Confidence Level NoSpamProxy Protection rejects all mails whose Spam Confidence Level (SCL) exceeds a certain threshold. As the administrator, you can set this threshold in the individual rules. The following paragraph explains the procedure of NoSpamProxy Protection for the calculation of the SCL. In the following, a very simple example explains how the filters work without the Level of Trust system. The following filter configuration is given (Picture 118). Picture 118: The exemplary configuration for the calculation of the SCL values In this example, mails should be checked and rejected as soon as the SCL is higher as or equal to 4. Three filters are activated: Realtime block lists, Spam URI Realtime blocklists and word matches. The filter word matches is configured in such a way that it should search for the words sex, Viagra, Cialis etc. and assign two minus points per hit. The two blocklist filters should assign two points per hit. The Level of Trust system is deactivated. Now, a mail is processed which contains eight forbidden words and one forbidden link. The link is included in a blacklist. Moreover, the inbound IP address is available on two blacklists. The preliminary result of the filters is as follows: Page 132

133 Filter SCL evaluation of filter Realtime block lists 4 (Two hits X two minus points per hit) Spam URI Realtime blocklists 2 (One hit X two minus points per hit) Word matches 16 (Eight hits X two minus points per hit) Basically, it applies to all filters, the Level of Trust system as well, that the calculated value is always reduced to 10 if it exceeds "10". Negative values smaller than "-10" are adjusted to the value -10. The net value of the filters in our example would then be as follows: Filter SCL evaluation of filter Realtime block lists 4 Spam URI Realtime blocklists 2 Word matches 10 (limited since the first value was >10) Subsequently, the multiplier of the individual filters is regarded. The filters Realtime block lists and Spam URI Realtime blocklists have the multiplier "2", the word matches have the multiplier "1". The net value of the filters is now multiplied with the respective multipliers. This results in the following values: Filter SCL evaluation of filter Multiplier SCL Realtime block lists Spam URI Realtime block lists Word matches 10 (limited since the first value was >10) 1 10 Total 22 The mail thus receives an SCL of 22 and is consequently rejected. In the second example, the filter configuration from the first example is only extended by the Level of Trust system. Moreover, this concerns the same mail as in the previous example. However, we assume here that this concerns a desired mail and that an address pair and a domain bonus of the sender and recipient address already exist in the database. Since the last mail contact was four days ago, the address pair bonus of 65 bonus points is no longer that high. The domain, however, is located in the trust settings with static 100 bonus points. The bonus points of the Level of Trust system in the database are not simultaneously the SCL value but rather the so-called trust points. They are only used within the filters. Page 133

134 The Level of Trust system now assesses as follows: Initially, the biggest value of the individual Level of Trust values (Address-, Domain, Subject, MessageId bonus as well as the points of the DSN verification) is used "100". For the calculation of the SCL, this sum is basically divided by the value "-10" and results in this example in an SCL of -10 points. Similar to all other filters, the calculated value is also reduced to 10 or -10. The table with the net values is now as follows: Filter SCL evaluation of filter Realtime block lists 4 Spam URI Realtime blocklists 2 Word matches 10 (limited since the first value was >10) Level of Trust system -10 You can determine the multiplier of the individual filters in the respective rule. The Level of Trust system, however, chooses its multiplier independently. To do so, the multipliers of all other filters are added up and amount to the value "5" in our example. The definite calculation of the SCL with the influence of the Level of Trust system is then as follows: Filter SCL evaluation of filter Multiplier SCL Realtime block lists Spam URI Realtime blocklists Word matches 10 (limited since the first value was >10) 1 10 Level of Trust system (=2+2+1) -50 Total -28 In this example, the mail would have been delivered since the SCL is less than 4. To illustrate the example, the filter "CYREN AntiSpam" with the multiplier "3" is additionally configured. This filter always assigns 4 points per hit and this value is not configurable. (Picture 119) Picture 119: For calculation of the SCL, the "CYREN AntiSpam" filter was added Page 134

135 The "CYREN AntiSpam" filter also assesses the mail negatively. The overall result of the SCL calculation then is as follows: Filter SCL evaluation of filter Multiplier SCL Realtime block lists Spam URI Realtime blocklists Word matches 10 (limited since the first value was >10) 1 10 CYREN AntiSpam Level of Trust system (= ) -80 Total -46 The multiplier of the Level of Trust system has automatically adjusted due to the additional filter and can thus prevail even more crucially. This ensures that desired communication always reaches the recipient regardless of the content of the mail. Presettings This area contains global settings which can be used in other areas of the configuration such as rules, partners or corporate users (Picture 120). Page 135

136 Picture 120: Presettings Changing settings in this area also influences existing rules, partners or corporate users. The settings always apply to all configurations in which they are referenced. Colour theme You can adjust the layout of mails generated by NoSpamProxy as well as that of the Web Portal to your needs via the colour theme (Picture 121) Page 136

137 Picture 121: Dialogue for changing the colour theme. Usually, you only have to adjust the highlight colour and the logo to your Corporate Identity. The colour theme is applied to the following elements: The Web Portal All mail notifications created by NoSpamProxy The substitute attachment for files which are sent via Large Files. Realtime block lists Realtime block lists (RBL) manage lists with suspicious spam IP addresses. Via the Internet, it is now possible to check whether an IP address might be included in the RBL list or not. These blocklists are maintained in the section Realtime block lists and can later be selected individually in the rules. Add new blocklist Under Common settings (Picture 122), you enter the name of the new RBL list in the field Name. In the field Description, you can add personal remarks in order that you remember the purpose of this list at a later point. Both entries are only descriptive details and not further relevant for the function of the list. Page 137

138 Picture 122: Enter the name and and a description of the blocklist In the tab Blocklist target, you indicate whether the RBL list is addressed via DNS or HTTP GET. In the field Address, you either enter the IP address or the server name of the server to be enquired. Page 138

139 Picture 123: The dialogue for the definition of a blocklist reply Possible replies of the requested server and their meaning are defined on the tab Responses (Picture 124). Page 139

140 Picture 124: All replies of the blocklist to be expected and their assessment in SCL points You can add new responses in the dialogue Response details (Picture 125). Determine here how many SCL points this reply weights and a descriptive error text. A negative value equals bonus points, a positive value minus points. The text of the reply might appear in the non delivery report if the creating server supports this. In doing so, senders of rejected mails knows on which blacklist they are included and for what reason. The response can also be deactivated. Page 140

Picture 125: A response of the list Word matching In the paragraph Word matching, you have the possibility to maintain lists with terms to which you either assign bonus or minus points.

141 Picture 125: A response of the list Word matching In the paragraph Word matching, you have the possibility to maintain lists with terms to which you either assign bonus or minus points. The terms are summarised in separate word groups that you can use in the individual rules later. You determine per word group whether bonus or minus points should be assigned to the terms. This provides you with the possibility to create groups with desired terms and undesired terms. Add new word group When adding a word group, the dialogue Word filter details opens (Picture 126). Page 141

142 Picture 126: Definition of the word group Choose an unique Name. You can determine for each word group which part of the mail should be searched for the configured terms. You have three choices. Select the Subject if NoSpamProxy Protection should search for the terms of this group in the subject line of one mail only. If you wish to have searched the body of the mail for the terms, select Body here. Alternatively, you can have searched both parts of the mail for the terms. To do so, select Subject and body. Simultaneously, this is the recommended setting. Additionally, you can set whether you wish to distribute points for each occurrence of a word or whether you only distribute points if none of the words is found in the content or the subject. You can use two different types of terms in the word groups. With the setting Type, you determine whether it concerns so-called wildcards or regular expressions. If you simply wish to create a list with usual content such as Viagra, Cialis, etc., select the option Wildcards. Here, you also have the possibility to use wildcards ('*' and '?') so that you can also enter Cialis* to search for all expressions starting with the term Cialis. If you have already prepared regular expressions, you can continue to use them. To do so, select the option Regular expressions in the setting Type. The setting Find obfuscated words too is only available to you if you have selected the option Wildcards in the setting Type. You can determine now whether NoSpamProxy Protection should only search for the exactly stated terms or also for similar words. If you select the option Exact matches only and enter the word Viagra for the matches, NoSpamProxy Protection will only search for the word Viagra. The search does not distinguish between capital and small letters so that you can disregard the Page 142

143 accurate use of capital and small letters. However, NoSpamProxy Protection would not find the variant with this setting. If you select the option Find obfuscated words too, however, NoSpamProxy Protection recognises similar spellings such as Vlagra, or V-I-A-G-R-A as well. With the slider Points, you determine how many minus or bonus points should be assigned per hit. You can set values between -10 and 10. Here, the value -10 corresponds to bonus points. The setting 10 thus means 10 minus points. If you implement changes to the word groups, they influence all rules which use the filter "Word matches" and have configured the respective word group. Content filter This is available if NoSpamProxy Large Files or NoSpamProxy Protection is licenced. Individual functions within the areas depend on your licence. The list of the content filters serves for allowing, blocking or rerouting attachments which correspond to one of the filters defined there (Picture 127). This list serves for central management of the content filters in order that it can be used in the Partners as well as in the corporate users. A content filter can be assigned in the partner node in the Default settings for partners, in a Domain entry of a partner as well as to a partner address. The settings on a mail address have priority over the settings on a domain and the settings on a domain have priority over the default settings for partners. Page 143

144 Picture 127: The list of all content filters Additional to the settings of the content filters on Corporate users and Partners you can enable and disable the content filter on every rule in the section General. Each filter in the list of content filters consists of one or more entries, with conditions like filename, type or size for the mail attachments and the action which must be taken like block, allow or move to Web Portal. All actions are defined in a list of its own and thus they can be used different content filter entries. Content filter sets Please enter a unique Name. Additionally you can restrict the maximum size of mails and attachments. Mails which are bigger than the allowed mail size are blocked. You can select how ZIP files are handled if they are password protected and how many levels of nested ZIP files are analysed. This restriction has the purpose to filter highly to unlimited nested ZIP files (Picture 128). Page 144

145 Picture 128: General settings of a content filter Each content filter can contain one or more entries to configure all needed actions for different attachments. (Picture 129). All entries are processed top-down and can be reordered by the buttons with arrows on the left. If no filter entry of content filter matches the attachment, the attachment is delivered normally. Page 145

146 Picture 129: The list of content filter entries An entry of a content filter contains conditions to select attachments (Picture 130). Multiple criteria in each condition are at your disposal (Picture 131). If the entry has to match all attachments please add a condition with its default settings. Dependent on the assessment and the direction of the mail different actions can be selected. As action for Web Portal mails the already selected action for inbound and outbound SMTP mails can be selected, if so the attachments are processed analogous to the selected SMTP action without configuring an action for Web Portal mails of its own. Page 146

Picture 130: A content filter entry A condition defines the files which are processed by the content filter. You can filter by various properties of the attachments.

147 Picture 130: A content filter entry A condition defines the files which are processed by the content filter. You can filter by various properties of the attachments. The section Area select if files inside of ZIP archives are also analysed. By this your are able to use all analysis functions of the content filter also inside of ZIP files. Page 147

148 Picture 131: A condition for attachments The file type in a condition is even capable to filter by the real content of the file instead of the filename, to detect and process even attachments with renamed file extensions in the intended way (Picture 132). Page 148

149 Picture 132: Dialog to select the file types Upload hints Some users may not recognise immediately if an attachment was removed from a mail and uploaded to the Web Portal. If they forget to download the file, the file is no longer available at some point. To avoid this, you can add a text to incoming and outgoing messages which notifies the recipient that attachments might be relocated to the Web Portal (Picture 133). Picture 133: Upload hints Page 149

150 Content filter actions All content filter actions are configured in a single location to reuse them without the need to create to action with the same content. In a new content filter action you have to choose a unique name and the type of filter first because the processing of SMTP and Web Portal mails differs (Picture 134). Picture 134: The type of action On SMTP mails choose the basic behaviour first, like Allow attachment, Remove attachment and Reject the entire mail on SMTP delivery. If you allow the attachment you can choose the options to upload attachments to the Web Portal, convert documents to PDF as well as the treatment of the original document after the conversion to PDF. (Picture 135). If your selection uses the Web Portal for Large Files, you can also configure treatment of the attachment in the section Web Portal upload settings. Page 150

151 Picture 135: Actions on SMTP mails The Action on Web Portal mails is configured analogous to an Action on SMTP mails. (Picture 136) Page 151

152 Picture 136: Action on Web Portal mails NoSpamProxy components The connections between the individual components of NoSpamProxy are configured under the menu item NoSpamProxy components (Picture 137). Page 152

153 Picture 137: The connections to individual components of NoSpamProxy Gateway Roles The Gateway Role can either be installed on the same server as the Intranet Role or on another server. If you operate more than one Gateway Role, you have to licence it additionally. The installation of the first Gateway Role is already permitted in each licence. Contact us at regarding the subject of high availability with several Gateway Roles. For high availability, you can operate several roles in your company. An overview is provided in The roles of NoSpamProxy. Examples are explained in Functioning and integration into the infrastructure. Page 153

154 The configuration is transferred from the Intranet Role to all connected Gateway Roles. If you operate a DMZ in you company, you should install the Gateway Roles there while installing the Intranet Role in the internal network. You only need to activate the connection from the internal network to the DMZ for the TCP port 6060 and the HTTPS port 6061 in your firewall. In exceptional cases, the configuration of a Gateway Role might deviate from that of the Intranet Role. For this case, you can induce the Intranet Role via the button Synchronise configuration to synchronise the configuration with the marked roles. Server identity As for a connection to external servers, the client introduces itself to the receiving server with the HELO or EHLO command followed by the server name. One possible example: EHLO mail.netatwork.de Some servers check whether this name can be resolved via DNS. The resolvability of this name is prescribed in an RFC. If the name is not resolvable, this is assessed as a spam feature by some other mail servers. The FQDN which is resolvable in the Internet should be entered here. Usually, the MX of the owned mail domain is entered here. To change the said setting, click on Change in the section Server hostname. The dialogue for changing the identity appears (Picture 138). Picture 138: The server identity should correspond to the "MX" entry in your DNS Page 154

155 Provide the name to be used in the field SMTP hostname. You can also have resolved the DNS name for your domain automatically. For doing so, the primary domain of your licence is used. For the automatic resolution, click on the button Discover DNS settings. A dialogue appears which lists all available MX records for your domain sorted by priority. Establish a connection to a Gateway Role Select the option The Intranet Role and the Gateway Role are both running on the same server. in the dialogue for the connection to a Gateway Role if you have installed the roles to be connected on the same server. If the Gateway Role is installed on another server, initially select the option The Intranet Role and the Gateway Role are running on different servers... Provide the name of the Gateway Role under Hostname and the Port where the current role can reach the Gateway Role. If the Management Role can connect to the Gateway Role using the same data, select the option The Management console can connect to the Gateway Role with the server name and port provided above. Otherwise, select The Management console can connect to the Gateway Role with the server name and port provided below and enter the data into the fields Hostname and Port. By default this is port Web Portal To be able to use the Web Portal, you must initially establish a connection from the Intranet Role to the Web Portal. Subsequently, you can configure the individual features. You can operate several Web Portals in your company for high availability. An overview is available in The roles of NoSpamProxy. Examples are explained in Functioning and integration into the infrastructure. The Web Portal is available to you if you have licenced Large Files or Encryption. Web Portal connections In the dialogue for a connection to the Web Portal (Picture 139), you enter the HTTPS address of the Web Portal under Address, for instance: or portal.example.com:1234/ for a connection via the port '1234' under which the Intranet Role can reach the Web Portal. If the Management Role cannot connect to the Gateway Role using the same data, select The Management console needs other connection information to connect to the Web Portal than the Intranet Role and enter the HTTPS address into the field Address under which the Management console can reach the Web Portal. By default this is port 443. Page 155

Picture 139: The settings for a connection to a Web Portal In exceptional cases, the configuration of a Web Portal might deviate from that of the Intranet Role.

156 Picture 139: The settings for a connection to a Web Portal In exceptional cases, the configuration of a Web Portal might deviate from that of the Intranet Role. For this case, you can induce the Intranet Role via the button Synchronise configuration to synchronise the configuration with the marked Web Portals. You can adjust the file storage location of 'Large Files' after the establishment of the connection. The following locations are available (Picture 141). Local file system Provide a path on a local storage to which the account given in the dialogue have the respective rights. Network file share Enter the path for the network share. Select whether you access the share via the computer account of the server or whether a specific user account is deployed (Picture 140). Microsoft Azure BLOB Storage Through the provision of an Azure account name and the corresponding account key, all files are stored in the associated Azure BLOB Storage. Page 156

157 Picture 140: Storage locations for 'Large Files' Depending on the selected storage location, you need to enter storage location and/or user information (Picture 141). Picture 141: The connection to the file storage location of the Web Portal using the example of the network release Web Portal - Settings When using the Web Portal, a link to it might be included in mails. The link contains the address under which the Web Portal is available from the Internet (Picture 142). If you use a different address for the access from the company network, you can enter it into the field Internal Https address. Page 157

158 You can activate the section Secure web mails to enable the usage of the Web Portal without invitation link by the displayed address. If enabled, an external Partner can send a mail to a recipient in your company of a corporate user via the Web Portal. To do this, he has to enter a sender address and a valid recipient address of a corporate user from NoSpamProxy. If NoSpamProxy has no corporate users, the domain of the recipient address will at least be validated against the list of owned domains. Picture 142: General settings If you activate Large Files, you need to configure some further settings on the next page (Picture 143). To secure the communication between the Outlook Add-In and the Web Portal, a Shared Secret ("Shared Secret") is required. Enter a password which at least consists of 12 characters. The 'Large Files' files stored by the Web Portal are encrypted completely. The decryption key is only available to the recipient so that the administrators of the server have no access to the files. If you wish to check the files which are waiting for approval, you must explicitly allow that via the option Allow access to files which are waiting for approval. After the file has been approved in the node 'Large Files', no further access by members of the 'Monitoring Administrators' group is possible. With NoSpamProxy Protection, all files in the Large Files can be checked with the CYREN AntiVirus service. The files of 'Large Files' are removed from the Web Portal after expiration of the Retention duration and are no longer available for download. Page 158

159 Picture 143: Settings for Large Files Databases In the Database area, you can change the connection to the database of the respective role. The database is created during the setup. Changes need only be implemented in the case of a migration of the database to another SQL server. In such a case, you should back up the existing database on the present SQL server and install this backup on the new database server. Change the connection to the new database server via Modify. (Picture 144). The database of each role runs stand-alone and must not be shared between roles. If you use two Gateway Roles you also need two database for these roles. They can reside on the same database server or even the same instance but otherwise they are independent. Independent database improve the stability of NoSpamProxy and they make administrative tasks like upgrades or a move of the database much easier. Page 159

160 Picture 144: The connection to the database of the respective role With the setting Database location, you determine on which server the database is located. If the database is located on the same server as the Gateway Role, select On the local Gateway Role. If the database is established on another server, initially select the option Remote host and enter either the IP address or the fully qualified domain name (FQDN) of the server on which the database is located in the field Remote host. With Instance, you indicate whether the instance in which the database of the Gateway Role is located is the default instance of the SQL server or a named instance. If this concerns the default instance of the SQL server, you select the option Default. Otherwise, click on Named instance and enter the name of the respective instance into the field Named instance. Enter the name of the respective database into the field, or, if several databases are required for the role, into the fields Database name. The following database names are used per standard. Gateway Role NoSpamProxyDb Intranet Role NoSpamProxyAddressSynchronization If you only wish to change the connection parameters, mark the respective field in the lower part of the dialogue. The setting Administrative Authentication (Picture 145) determines with which user account changes to the selected database should be realised. Select the setting Windows if you wish to use a Windows user account. Otherwise, select the option SQL server and enter the respective login data into the fields Username and Password. Page 160

161 Picture 145: The connection to the database of the respective role The setting Service authentication (Picture 146) determines how the Gateway Role should log in to the SQL server. If the SQL authentication on the SQL server is deactivated, the integrated authentication must be used. Otherwise, you can either select integrated or SQL authentication here. (Picture 147). Picture 146: Service connection to the database. Page 161

162 Picture 147: No SQL authentication available. On the page What to do, you now select the desired action. Depending on which database was found by NoSpamProxy, different possibilities are available here. Select the desired action and click on Finish (Picture 148). Picture 148: Select whether the old database should be deleted or retained Page 162

Connected systems The node connected systems comprises connections to products by third party providers which interact with NoSpamProxy.

163 Connected systems The node connected systems comprises connections to products by third party providers which interact with NoSpamProxy. DNS servers When applying DANE, you require a DNS server which supports DNSSEC. Since the DNS servers currently included in the delivery of Windows server operating systems do not support this function, you can establish a connection to such a server here (Picture 149). Picture 149: Connection to a DNSSEC enabled server The configuration dialogue provides the possibility to enter IP addresses of a primary and secondary server with DNSSEC support. With the help of Use Google, you can have entered the publicly accessible DNS server of Google into the configuration (Picture 150). Page 163

Picture 150: of a DNSSEC enabled server DANE is used for the verification of the transport encryption during the delivery of mails to your partners.

Archive connectors Via the archive connectors, mails and qualified signed documents can be transferred to an external archive system (Picture 151).

164 Picture 150: of a DNSSEC enabled server DANE is used for the verification of the transport encryption during the delivery of mails to your partners. You configure it in the Default settings for partners. Archive connectors Via the archive connectors, mails and qualified signed documents can be transferred to an external archive system (Picture 151). Currently supported are the file system, an journalling mailbox as well as d.velop d.3. You can also use several archive systems parallel. Picture 151: The list of the configured archive connectors The configuration consists of two parts: Archive connectors and profiles. Connectors define the interface to an external archive system such as the file system. Within a connector, one or more profiles are created. Within, properties such as the exact storage location for mails and documents can be Page 164

165 determined. Additionally, an assignment of metadata of mails to metadata of the archive system is implemented here if required. To create a new connector, click on Add. Initially, select the connector type and give the connector a new name (Picture 152). Picture 152: General settings of the archive connector The options to be configured in the second step depend on which archive system you selected in the first step. When archiving mails and documents in the File system, you only need to indicate a path. Mails and documents are stored in folders in this path (Picture 153). Page 165

166 Picture 153: Properties for the storage in the file system The connector for the Journaling mailbox does not have any further settings on the connector. The profiles are directly shown. For a connector to a d.velop d.3 system, you only need to indicate a path (Picture 154). Mails and documents are written into this directory and obtained from there by the d.velop d.3 system. Page 166

167 Picture 154: d.velop d.3-specific settings On the next page, you can create profiles for this connector. Profiles enable you, for instance, to distribute mails and documents within an archive system to different folders. Initially, you need to give a new profile a name (Picture 155). Furthermore, you select here which mails are archived by this profile. Page 167

168 Picture 155: Common profile properties The content of the second page depends on the archive system you selected. For the storage in the File system, you can provide a sub folder for the mails which are stored through this profile. Page 168

169 Picture 156: Properties for the storage in the file system As for an Journalling mailbox, the mail address of the target inbox is required (Picture 157). Page 169

170 Picture 157: Properties for the storage in an journalling mailbox As for a connection to a d.velop d.3 system, no further configuration is required. In this case, the dialogue is empty (Picture 158). Page 170

171 Picture 158: Properties for the storage in de.velop d.3 system In the next step, you determine for which local mail addresses this profile is responsible. (Picture 159). When sending mails, the address of the sender is always used to determine which profiles are used for the archiving. As for mails to local addresses, the addresses of the recipients are used. When indicating the mail addresses (Picture 160), you can also use wildcards ('*' and '?') to provide several addresses. Should several profiles correspond to the data provided here during an archiving process, the mail is archived several times. Page 171

172 Picture 159: Assignment of profiles to internal mail addresses Picture 160: Create new assignment In the last step, you define in a profile how metadata of a mail are depicted on metadata in the archive. Among other things, metadata comprise the subject line, signature and encryption options and other mail headers. To create a mapping of the values, initially select a value on the left. Afterwards, select a field from the archive from the list on the right. Depending on the selected archive system, the list with the available field can be very long. You can search for specific fields via the property filter. As soon as you select a field from the list, the mapping is established (Picture 161). Page 172

173 On a profile for an journalling mailbox, no metadata mappings are configured since the mail is completely forwarded to the journalling mailbox and thus all metadata in the mail are retained. Picture 161: Metadata mapping After having created one profile at least, the configuration of the connector is completed. D providers Here, you can configure the connections to the D system (Picture 162). Page 173

Picture 162: The list of the configured De-Mail connections The information entered in this section is immediately available for the De-Mail send connectors as well as for the receive connectors.

174 Picture 162: The list of the configured D connections The information entered in this section is immediately available for the D send connectors as well as for the receive connectors. This means that you only need to configure the connection once and it is directly available in all connectors. Telekom D connections To create connectors for D via Telekom, you must initially configure the connections to the service provider. (Picture 163). Page 174

175 Picture 163: Configure the connection to the Telekom D provider In addition to the name of the profile, you select here whether you wish to establish the connection via TDeutschland or T-Systems. Furthermore, you select the certificate which is used for the protection of the connection to the service provider. Since the certificate is stored on a smart card, you must enter the PIN of the card as well. Through the selection of the certificate, the profile is automatically linked to a Gateway Role. Connectors using the profile are automatically assigned to the Gateway Role on which the certificate is located. Mentana-Claimsoft connection A connection to the web service of this provider must be established for the D connectors of Mentana-Claimsoft (Picture 164). Page 175

The information entered in this dialogue is immediately available for the De-Mail send connectors as well as for the receive connectors.

176 Picture 164: Connect to the Mentana-Claimsoft web service Enter the address via which the web service can be accessed in Service address. In Username and Password, you enter the login information for the successful access to the service. The information entered in this dialogue is immediately available for the D send connectors as well as for the receive connectors. This means that you only need to configure the connection once and it is directly available in all connectors. CSA-Whitelist To use the CSA-Whitelist action, you must configure the download of the list first (Picture 165). to do so, select Modify. The dialogue for configuration opens (Picture 166). Picture 165: Connection to the CSA-Whitelist Page 176

177 Picture 166: Configure the download of the CSA-Whitelist Select Enable daily download of the CSA-Whitelist if you wish to use the CSA-Whitelist action. Otherwise, you can select Disable download. The CSA-Whitelist is downloaded from the domain service.nospamproxy.de. In order that your NoSpamProxy can download this list, it requires access to this address. Please configure your firewall accordingly if required. User notifications In the node user notifications, you can determine which messages are automatically sent to internal and external contacts by NoSpamProxy. Moreover, you can determine which sender addresses are used (Picture 167). Page 177

178 Picture 167: User notifications Administrative notification addresses In this section, addresses for notifications of NoSpamProxy are deposited (Picture 168). NoSpamProxy requires valid sender addresses to be able to send its mail notifications. Depending on whether the recipient is a corporate user or not, different sender addresses can be used. For notifications about certain incidents, a recipient address is required for these notifications. Enter the address in the field Recipient address. In the section Global configuration, you provide the addresses for all domains which have no individual entry or for notifications which are not assigned to a domain. Page 178

Picture 168: The global notification addresses If a domain requires a configuration deviating from the global settings, you can add it in the list Domain specific configuration.

179 Picture 168: The global notification addresses If a domain requires a configuration deviating from the global settings, you can add it in the list Domain specific configuration. The setting dialogue is analogous to the global configuration. Additionally, you need to select one of your owned domains to which this configuration should be applied. Mail notifications The configurable notifications are shown here. You can mark the individual notification and activate or deactivate it. Advanced settings Under the node "Advanced settings", you find the configuration options which need not be adjusted usually. (Picture 169). Page 179

180 Picture 169: Advanced settings of NoSpamProxy Sensitive data protection To protect sensitive data such as cryptographic keys or authentication information from access by third parties, you must have encrypted these data through a password determined by you (Picture 170). You can change the password at a later point but the protection of data is irreversible. Should you forget the password and the configuration with the encrypted password is deleted, there is no other possibility to access the protected data. Thus, please always keep a safe copy of the password. Page 180

Picture 170: The password for protection of your data Monitoring NoSpamProxy can log each connection in the message tracking in order that you can check what happened to certain mails at any time.

181 Picture 170: The password for protection of your data Monitoring NoSpamProxy can log each connection in the message tracking in order that you can check what happened to certain mails at any time. This function can be completely deactivated via the option Monitoring. If this option is activated, you can decide additionally whether the subject lines of the mails should be stored as well or whether they are excluded from message tracking. By default, both options are activated. Please pay attention to the data protection policies prevalent in your company during the configuration of this section. To prevent uncontrolled growth of the database size of the message tracking and the reports, the Intranet Role cleans the database in a regular interval. In doing so, all elements which have exceeded a certain retention period are deleted from the database (Picture 171). Page 181

182 Picture 171: Adjustment of the retention period If all message tracking datasets and the statistical data should be removed, please select the option 'Disable message tracking completely' under the node 'Advanced settings' of the Gateway Role. In this case, no data is gathered at all. If you, for instance, only wish to keep the statistical data, select the option Message tracking datasets are deleted immediately to delete all message tracking datasets at 2 o'clock in the morning. With the slider Store summaries, you set how long you wish to track mails generally. With the message overview information, you can only see in the overview of the message tracking whether and when the respective mail was delivered and whether it was accepted or rejected. The retention period for the corresponding message details is set with the slider Store details. The assessments of the individual filters, where the mail came from, how long the validation took and some other useful information are included in the message details. Since this information constitutes the largest part of the message tracking, it is possible to retain it for a shorter period than the overview information. The slider Store statistics is responsible for the content of the reports. Using it, you can set in which intervals you wish to generally create reports. In order to be able to create a relatively convincing report, we recommend a minimum retention period of 12 months. If you receive tens of thousands of mails or spam mails per day, the limit of the database size of an SQL server in the Express Edition could be exceeded. For so many mails, you should perhaps choose shorter retention periods for message tracking datasets or install an SQL server database without this restriction. Page 182

183 Besides the settings for the message tracking, you can configure in this dialogue how long NoSpamProxy withholds mails for which an encryption key is awaited. Picture 172: Adjustment of the retention period for halted mails Subject flags The subject flags define keywords to control the processing of individual mails. Inserting a keyword into the subject of a mail thus triggers certain actions. These keywords are removed from the subject line by NoSpamProxy before dispatch. Use the subject flags which define your tasks by providing the keywords from the following list in brackets at the beginning or end of the subject line die. Blank spaces and capitalisation are ignored in the keyword. This means that the following examples all show the same result. Alternatively, you can also use the Outlook Add-In of NoSpamProxy. By default, square brackets are used to mark the subject flags. Via the dialogue for editing the mark, you can determine which type of mark should be used (Picture 173). Page 183

184 Picture 173: Configure the markers for subject flags Examples for the use of subject flags in the subject line: [pw:secret4312] I hereby send you the encrypted document [ PW : secret4312 ] I hereby send you the encrypted document Or several simultaneous flags within one bracket [Unencrypted, PDF, PW:secret4312] I hereby send you the encrypted document Or several simultaneous flags within different brackets [Unencrypted] [PDF] [PW:secret4312] I hereby send you the encrypted document Subject flags need to be placed at the beginning or the end of the subject line in order to be processed properly. Depending on the functions licenced by you, other flags than those in the above examples might be available. The above advice is valid for all flags. The following subject flags are available to you: [LFT] This flag is only used by the Outlook Add-In for Large Files. You can adapt the subject flags to your needs (Picture 174) as well as reset them to their default values. Page 184

185 In the Outlook Add-In, you can configure that the subject flags should be used instead of the X-Headers. In this case, do not implement any changes. Otherwise, the Add-In will no longer work. Picture 174: Edit subject flags For automatic dispatch of mails, you can insert additional X-Headers into the message instead of Subject flags to provide this information. The X-Headers are explained in the following. On the client, you can use the corresponding X-Headers next to the subject flag. If you are already using a software which sets subject flags and employs them for the function in NoSpamProxy, you can define an additional XHeaders in the edit dialogue. It is then used in addition to the normal X-Header. Instead of using the 'subject flags', you can install the Outlook Add-In for NoSpamProxy. The Outlook Add-In is used instead of the subject flags with Outlook 2007 and higher. Page 185

Picture 175: Advanced settings of NoSpamProxy Level of Trust configuration The Level of Trust system is a multilevel concept which assesses the trustworthiness of a communication relation or a domain.

186 Picture 175: Advanced settings of NoSpamProxy Level of Trust configuration The Level of Trust system is a multilevel concept which assesses the trustworthiness of a communication relation or a domain. "Trust" must be earned by the sender. The most essential bonus point is a reliable and constant connection history. The system assesses different criteria such as sender addresses and checksums but, above all, the address relations between senders and recipients of mails. As for mails to external addresses, the communication relation (between sender and addressee) is stored in the database with a very high trust bonus. To protect these data, the relation is not stored in clear text but rather as a hash value (checksum) only. Moreover, the relation of sender, subject and domain of the recipient is an interesting perspective. It is reasonable to additionally be able to assess a reply of a colleague or a representative and, if required, an alternative address as "good". Additionally, the trust in the domain of mails by the addressee is increased by a specific value. Thus, reply mails of the addressee to other users of the system receive a bonus as well. If a mail to local addresses is classified as spam, the trust in the domain is reduced. If no communication takes place with a certain sender within a specific time, the Level of Trust reduces automatically. This reduction of the value ensues for bonus as well as minus values. A longer period of "silence" is thus accounted for in the positive as well as in the negative: reliable, constant communication causes growing positive results while repeated spam causes growing negative results. Page 186

187 The Level of Trust system must be activated per rule. The settings are, however, implemented globally in the menu "Level of Trust" (Picture 176). General Picture 176: Define the general settings of the Level of Trust system If the function Skip filters is activated, and mails to local addresses are marked as trustworthy with a sufficiently high Level of Trust assessment, all Filters defined on a rule are thus skipped. Only such actions as the CYREN-Premium-AntiVirus action can still prevent the acceptance of the mail. If the addresses in the mail envelope and in the 'Header-From' field differ, you can configure which address is used by NoSpamProxy for analysis of the mail. If both addresses are validated and the envelope address allows the delivery of the mail, the result from the 'Header-From' address overwrites the prior result. The consequence is that a critical of a validation rejects the mail, regardless if it was detected in the mail envelope or the 'Header-From' address. With the setting Address pairing bonus, you determine by how many points the trust between a sender and a recipient is increased per message (address relation). Using the slider, you can set a value between 0 and 200. One point equals (-0,1) points for the SCL. For each mail to external addresses, not only the so-called address pairing bonus is increased but also a bonus for the respective recipient's domain. Using the slider Domain pairing, you set by how many points the bonus is increased. This value should be less than the bonus for address relations. Here, you can set a value between 0 and 200 with the slider as well. One point similarly equals (-0,1) points for the SCL. Page 187

188 Stop words On the tab Stop words, you define the so-called stop words (Picture 177). Picture 177: The defined stop words which prevent changes of the Level of Trust relations As soon as the Gateway Role detects one of these words in the subject of a mail to external addresses, the address pairing bonus as well as the domain bonus remain the same and are not increased. This setting is especially useful for automatically generated mails such as out-of-office replies. Smart DSN handling Smart DSN handling checks Delivery Status Notifications (DSNs) to local addresses. Since NoSpamProxy knows which mails were sent by the company, the software can also determine whether a corresponding mail for the currently available DSN has left the company (Picture 178). Page 188

Picture 178: Configure the Smart DSN handling An example: A DSN arrives and NoSpamProxy determines that the original message for this DSN was sent from schmidt@example.com to schulze@netatwork.de. The Mail Gateway then checks whether an address pair schmidt@example.

189 Picture 178: Configure the Smart DSN handling An example: A DSN arrives and NoSpamProxy determines that the original message for this DSN was sent from schmidt@example.com to schulze@netatwork.de. The Mail Gateway then checks whether an address pair schmidt@example.com/schulze@netatwork.de exists in the Level of Trust database. If this is not the case, the available DSN is not valid and receives minus points. If an address pair matches, the DSN receives bonus points. In order that these checks can be implemented, two prerequisites must be met: First, an RFC-compliant DSN must be available. This means that the original message is attached to the DSN in order that NoSpamProxy can identify the original address pair. Moreover, it must be ensured that the Mail Gateway really knows all mails to external addresses. Under certain circumstances, this might be a problem in networks with distributed internet connections. With the setting Smart DSN handling, you can influence the Smart DSN handling directly. If the radio button is set to Automatic, NoSpamProxy will initially search the Level of Trust database for elements older than 7 days. Only if this search was successful, the Mail Gateway will assess incoming DSN. This is the default setting. If you set the radio button to Enabled, NoSpamProxy will always assess the DSN even if no datasets are yet available in the Level of Trust database. To disable Smart DSN handling, set the radio button to Disabled. Subject prefixes The Level of Trust system requires partially consistent subject lines of a conversation. Subject prefixes such as 'RE:' or 'FW:' need to be removed. On the tab Subject prefixes, you configure all prefixes used by your mail system (Picture 179). Page 189

Picture 179: Define the subject prefixes which occur in the subject lines of your mails SMTP protocol settings The protocol settings regulate the behaviours for the receipt of mails, SMTP timeouts

190 Picture 179: Define the subject prefixes which occur in the subject lines of your mails SMTP protocol settings The protocol settings regulate the behaviours for the receipt of mails, SMTP timeouts and SMTP status notifications. Behaviours If a mail is sent to several recipients, it can occur that different rules are applied to this mail depending on the recipient. With the corresponding setting, NoSpamProxy can force the inbound system to send a separate mail for each individual recipient. This setting prevents conflicts with multiple addressed mails if a mail is sent via one connection to two recipients which would then cause that two different rules would apply. Through the use of SMTP, it is not possible to provide independent feedback for individual recipients. It is only possible to close the entire connection. Through the configuration of the option Application of rules, you can instruct NoSpamProxy to send the error message "Too many Recipients" to the inbound system if recipients are sent with colliding rules (Picture 180). According to the RFC however, this is only permitted starting from the 101. recipient even if no mail servers which are impaired by this behaviour are yet known. Through this setting, each mail is sent with exactly one recipient. Thus, NoSpamProxy can apply the corresponding rule to each recipient. However, the mails are delivered by the sender several times accordingly. Page 190

191 The activation of this function allows you to manage the mail assessment at the price of a multiple transfer and a not entirely RFC-compliant behaviour. If this option is deactivated, the rule which applies to the first recipient is then applied to all recipients of this mail. The same result applies to all other recipients. NoSpamProxy can recognise if the same mail is received several times. Multiple sending of the same mail usually occurs on incorrect configuration such as mail loops. You can set whether these mails should be discarded or not and how large the time frame for the detection should be. Picture 180: Behaviour for receipt of messages Protocol timeouts Adjusting the timeouts (Picture 181) has great impact on the resources required by your server for high mail traffic. In the section SMTP protocol timeout settings, you can determine when NoSpamProxy starts to disconnect a connection due to idleness. This is determined for two sections within the SMTP protocol. With the setting Envelope timeout is n seconds, you set the timeout for the commands within the so-called envelope part. This applies to all commands up to the DATA command (HELO/EHLO, MAIL FROM, RCPT TO). As soon as the DATA command has been sent, the setting Body timeout is n seconds is effected. A separation of the timeouts is useful since timeouts might occur more often during the transfer of the body part rather than the envelope due to intermediary filters and actions. The envelope is transferred very timely and fluently during normal transfer. A longer waiting period Page 191

192 in this section of the mail transfer more likely indicates a DoS attack or similar. As a result, you have the possibility to reduce the timeout of the envelope part in an emergency case. You can set a value between 30 and 600 seconds with the sliders for the respective setting options. Picture 181: Timeouts Status messages The SMTP status messages (Picture 182) determine which texts the Gateway reports to other servers. The SMTP replies are details in the SMTP handshake which are usually not visible to the normal user. However, it might be useful to adjust the details according to one's own needs. Thus, administrators can analyse mails more easily if they wish to detect any errors. For instance, the notifications "Rejected mail" and "Blacklisted Address" are important details for the sender of a blocked mail. To change a notification, click in the respective input field and change the text. You must not use umlauts for SMTP notifications. Umlauts are not supported by the applied SMTP protocol. Page 192

193 Picture 182: Textual SMTP status notifications by NoSpamProxy to other servers SSL/TLS configuration Using transport encryption, the SMTP connection is secured via SSL or TLS. In doing so, the Gateway Role draws on the operating system and its settings are used for the connections. Lately, some encryption standards have proven to not be safe any longer (e.g. DES or RC4). It is thus useful to deactivate them. Some cipher suites support a feature called Perfect Forward Secrecy. In brief, it prevents that contents of connections can be decrypted by unauthorised third parties even if the private key of the server certificate is known. However, Windows does not preferably use this procedure in the standard setting. Thus, you can apply the settings recommended here (Picture 183). In order that the changes become effective, the server needs to be restarted. You can prompt this directly via the dialogue. This concerns a system-wide change which can also affect other programs. Page 193

Picture 183: Apply recommended settings for SSL/TLS configuration of Windows Furthermore, in this section, you have the possibility to recover the standard values of

194 Picture 183: Apply recommended settings for SSL/TLS configuration of Windows Furthermore, in this section, you have the possibility to recover the standard values of Windows (Picture 184). Again, a restart of the server is necessary which can be prompted via the dialogue. Picture 184: Reset to standard values for SSL/TLS configuration Page 194

195 Troubleshooting 10. Troubleshooting The menu item Troubleshooting provides tools to create logs of the activities or a new database for the individual roles of NoSpamProxy. (Picture 185). If the old database was damaged, it might become necessary to create a new database. Picture 185: Tools for troubleshooting Page 195

196 Troubleshooting Log settings Configure the storage location for the log data in the first tab and select the categories for which you wish to activate logging (Picture 186). Depending on which categories you choose here, the log files can quickly amount to several hundreds of megabytes. Thus, select a drive which offers enough space for the files. Picture 186: Configure the log settings Additionally you can enable logging only for a certain timespan (Picture 187). The logging is automatically stopped when the time elapses and you can use the created log files immediately. Page 196

Troubleshooting Picture 187: Auto disable logging In the tab Debug settings, you can have additionally stored all mails to the hard drive before and after processing by

197 Troubleshooting Picture 187: Auto disable logging In the tab Debug settings, you can have additionally stored all mails to the hard drive before and after processing by NoSpamProxy (Picture 188). This tab is only available for Gateway Roles. You cannot configure this on the Intranet Role. Picture 188: Store mails for troubleshooting Page 197

Troubleshooting Please note that storing all mails on the hard drive might require a high need for space and thus cause a severe impact to the server's performance.

198 Troubleshooting Please note that storing all mails on the hard drive might require a high need for space and thus cause a severe impact to the server's performance. As a result, use this function for troubleshooting only and deactivate it afterwards. Blocked IP addresses As mentioned already, NoSpamProxy by default blocks the inbound gateway for 30 minutes after rejecting a spam mail. If a trusted IP address is mistakenly added to this blacklist, you can delete the list of the blocked gateways here (Picture 189). Picture 189: Delete blocked IP addresses via this dialogue Fix permissions If the file system permissions of your NoSpamProxy were, e.g. by third party programs, changed in such a way that the function is impaired, you can correct this here. You can correct permissions in the file system (Picture 190) as well as on the used database (Picture 191). Picture 190: Have permissions in the file system fixed Page 198

Troubleshooting Picture 191: Have permissions in the database fixed Web Portal security For the security of all installed Web Portals, certain information must be synchronised.

199 Troubleshooting Picture 191: Have permissions in the database fixed Web Portal security For the security of all installed Web Portals, certain information must be synchronised. If you employ several Web Portals, the information must be synchronised after the installation of the second Web Portal. Such an incident is shown on the overview page. Additionally, you see here which Portal is concerned. Select the function Fix Web Portal security key for all Portals which show the text The security key is incorrect. As long as the keys are not synchronous, the forms on the Web Portal will display errors and be affected in their functionality. Page 199

200 Web Portal 11. Web Portal The Web Portal enables your communication partners to transmit large files to internal users. For this function, Large Files must be licenced. Large Files If you have licenced Large Files, your users can offer the possibility to external communication partners to transfer files to you which are too large for the delivery via mail. To do so, the internal user sends a response link to the recipient via the Outlook Add-In which can then be used to transfer files. If your communication partner received an invitation for Large Files, he or she can send one or more files to the sender in a secure way via the Web Portal(Picture 192). Picture 192: Transferring files securely via the Web Portal Page 200

201 Web Portal Recipient and subject are predetermined and cannot be changed. The communication partner cannot send a message along with the attached files. Depending on the configuration, files are either attached to the mail directly or provided to the recipients via Large Files. The threshold values as well as the maximum size per attachment can be determined by the administrator. Secure mails via the Web Portal without invitation To enable external communication partner to send secure mails to users of NoSpamProxy at any time, you can use the Web Portal without invitation too. In this case your partner only has to input his mail address, a valid recipient address and when appropriate a CAPTCHA (Picture 193). Picture 193: Dialog for new mails without invitation link After a successful validation of the sender and recipient address as well as the CAPTCHA, the mail can be sent in the same way as described in the previous chapters. Page 201

202 Disclaimer 12. Disclaimer To use the Disclaimer feature you have to licence it separately. NoSpamProxy Disclaimer provides an integrated possibility to include mail disclaimers into mails during their dispatch. The disclaimers are thus created and configured through a website so that the responsible employees neither require direct access to NoSpamProxy, the management console or your mail server, nor have installed a special program. Open the Disclaimer website by clicking Open Disclaimer webseite on the dashboard. After a descriptive entry page, the website splits into the two sections Templates and Rules. A template determines the HTML and Plain Text content of a disclaimer. A rule determines when, how and where a template is added to a mail. Through the flexible combinations of the created templates and rules, it is possible to set up a disclaimer from one or more templates and include it in a mail. You can also add placeholder to the content of a template. These must be provided by the NoSpamProxy administrator in advance. They are then replaced by the value deposited in the user object when the mail is sent. By doing so, values such as names, phone numbers and departments can be added dynamically. Providing placeholder For editing the disclaimers, the administrator must initially create the required Additional user fields which can be included in a template as placeholder for the definite value. To do so, go to the node Additional user fields and create the required fields (Picture 194). Page 202

203 Disclaimer Picture 194: The overview of all available user fields For most application cases, the best way is to select Create default fields. Thus, the fields which are commonly used are directly entered to the list. When creating the fields, the mappings of the user fields to Active-Directory fields can additionally be configured in the already existing Active Directory user imports (Picture 195). Picture 195: Creating frequently used default fields The created fields can optionally be filled with default values at this point. These are always used if no own values are mapped to the user. For instance, the phone number/mail of the head office can be entered into the field for the phone number/mail and so forth. The created fields are immediately available in the manually entered company users as well as in the Active Directory user imports. Page 203

204 Disclaimer Additional user fields in manually entered users Open a manually entered company user on the node Domains and users. On the page Additional user fields, you see the fields previously defined on the node Additional user fields (Picture 196). Picture 196: Additional user fields You can either set a value for each field or apply the default value of the field. Additional user fields in the user import When importing from an Active Directory or a generic LDAP directory, you can fill additional user fields with values from the configured directory. This is useful if you wish to personalise disclaimer templates for your users (Picture 197). Initially, define own fields or create default user fields in the node Additional user fields. Subsequently, you can set for each field in this dialogue from which field of the directory the data should be obtained. Page 204

205 Disclaimer Picture 197: of additional user fields To each field, you can either map a value from the Active Directory or apply the default value of the field. The values you mapped in the Active Directory user import are only available during the next run of the user import. Using the fields in the disclaimer After having created the fields in the node Additional user fields,they can be used in the templates on the disclaimer website. The creator of the templates sees a list with the names of the fields if he/she clicks on Insert placeholder in a template (Picture 198). The names of the fields can be re-named by the administrator even after having been used in templates already in order to, for instance, improve the user experience. Page 205

206 Disclaimer Picture 198: The selection from the list of 'Additional user fields' configured by the administrator Page 206

207 Appendix 13. Appendix Multiple used settings in the configuration Some settings are used in the configuration multiple times. To increase the readability of the manual, they are explained in great detail here and refer to this chapter during the actual use in the different configurations. Thus, recurring explanations can be avoided. Passwords Passwords in the client can be implemented in the following types. Simple password entry The simple password entry is the most commonly used password entry. It offers the function to momentarily show the password by clicking on the eye symbol next to the entry field. The display supports you in entering and checking the password. This entry is used for all entries where the administrator has previously entered the password him/herself. Double password entry As for the double password entry, you must enter exact the same password twice. This entry is required for very sensitive passwords where incorrect entries should be avoided in any case. Similar to the simple password entry, the double password entry can be viewed through a click on the eye symbol. This entry is used, for instance, for protecting the sensitive data of NoSpamProxy. Password entry without subsequent view Here, instead of showing the password in the dialogue, only a hint whether a password had already been entered or not is displayed. The administrator can delete the password if required or set it to a new value. This entry type ensures that passwords entered by third parties cannot be viewed via the client after the entry. To avoid spelling mistakes, the concealed entry is always executed as double password entry. This entry is, for example, used in the encryption passwords of the external partners. Selection of certificates When selecting certificates, the dialogue with the title Select a certificate appears. (Picture 199). Page 207

Appendix Picture 199: The list of available certificates Depending on the section in which you wish to select these certificates, certificates for the following purposes of use are displayed.

208 Appendix Picture 199: The list of available certificates Depending on the section in which you wish to select these certificates, certificates for the following purposes of use are displayed. Mail authentication A certificate that is used to authenticate the sender of a mail. Server authentication A certificate that is used to clearly authenticate a server. Client authentication A certificate that is used to clearly authenticate a computer which tries to connect to a server. Here, all certificates from the certificate store of the local machine, this means the machine on which the role to be configured runs, are shown. Select the desired certificate and click on Select and close in order to use the selected certificate or check all details of the selected certificate by using Show details. It can be difficult to distinguish some certificates, e.g. for D , due to identical entries in the field Issued for. To distinguish these certificates, select the function Show full subject name. Thus, the subject name of each certificate is shown without abbreviations. Backup and recovery To recover NoSpamProxy in case of a system failure, it is required to regularly back up all data relevant for the operation. Page 208

209 Appendix Operating system, driver and software You should implement the backup of the Windows operating system with approved programs. Since NoSpamProxy has very few dependencies on the operating system itself, it is also possible to reinstall the replacement server after a failure. You should thus weigh whether a reinstalling of the operating system with its settings and programs or a recovery is more appropriate. If you want to reinstall the operating system, you should document the programs and settings installed so far and have available the data storage devices. Further information can be found in the online manuals and instructions on Windows Server and NTBACKUP by Microsoft. NoSpamProxy licence Your licence is stored as a file on the server in the directory %ProgramData%\Net at Work Mail Gateway\\License.xml and can be backed up through a normal backup without problems. You can additionally copy the XML file into a safe folder. The file is not blocked during operation and not overwritten. files of roles The configuration of NoSpamProxy is stored in an XML file on the server itself. This file can also be secured with customary backup software without problems. However, the gateway resets this file when the configuration is changed which can result in a conflict in case of a simultaneous backup. During the writing of the configuration, NoSpamProxy creates the new file as temporary file, names the original file, e.g. "GatewayRole.config.backup", and only names the temporary file "GatewayRole.config" afterwards. During a usual file-based backup, you thus always either have backed up the most current copy or the version of the configuration changed shortly before. It is recommended to copy this file before implementing major changes to the configuration as well to be able to easily return to the previous status. The configuration files of all roles in the default configuration are listed below. Should you have installed NoSpamProxy in another path or have updated the program from a former version of NoSpamProxy, the path must be adjusted accordingly. Gateway Role %ProgramData%\Net at Work Mail Gateway\\GatewayRole.config Intranet Role %ProgramData%\Net at Work Mail Gateway\\IntranetRole.config ServerManagement Service %ProgramData%\Net at Work Mail Gateway\ \ManagementService.config Page 209

210 Appendix Databases of NoSpamProxy NoSpamProxy stores most information in several SQL databases which you should back up as well. The roles of NoSpamProxy use the following databases to do so: Gateway Role NoSpamProxyDB Intranet Role NoSpamProxyAddressSynchronization Web Portal enqsigportal If NoSpamProxy uses your existing SQL server in Standard or Enterprise edition, you can configure a periodical backup of all databases with the Enterprise Manager. When using the SQL Server Express Edition, you must back up the database manually with a script and recover it when required. Back up the database via the command line with the following commands: For the database of the Gateway Role: osql -S (local)\nospamproxydb -E -Q "BACKUP DATABASE NoSpamProxyDB TO DISK = 'c:\nospamproxydb.bak'" For the database of the Intranet Role: osql -S (local)\nospamproxyaddresssynchronization -E -Q "BACKUP DATABASE NoSpamProxyAddressSynchronization TO DISK = 'c: \NoSpamProxyAddressSynchronization.bak'" For the database of the Web Portal: osql -S (local)\enqsigportal -E -Q "BACKUP DATABASE enqsigportal TO DISK = 'c:\enqsigportal.bak'" This command backs up the database in a file without shutting down the database. You should thus check whether you plan a correspondingly adjusted invocation with Windows task scheduler as regular task. The recovery is realised with the following lines: For the database of the Gateway Role: osql -S (local)\nospamproxydb -E -Q "RESTORE DATABASE NoSpamProxyDB FROM DISK = 'c:\nospamproxydb.bak' WITH FILE= 1, NOUNLOAD, REPLACE " For the database of the Intranet Role: osql -S (local)\nospamproxyaddresssynchronization -E -Q "RESTORE DATABASE NoSpamProxyAddressSynchronization FROM DISK = 'c: \NoSpamProxyAddressSynchronization.bak' WITH FILE= 1, NOUNLOAD, REPLACE " For the database of the Web Portal: osql -S (local)\enqsigportal -E -Q "RESTORE DATABASE enqsigportal FROM DISK = 'c:\enqsigportal.bak' WITH FILE= 1, NOUNLOAD, REPLACE " As a prerequisite, the database must already exist. Page 210

211 Appendix Since the SQL server itself permanently keeps the databases in use, they cannot be captured through a normal backup of the files such as via NTBACKUP. Troubleshooting NoSpamProxy is based on very simple functioning. Its implementation as SMTP proxy connects the advantages of this principle to the simplicity of the operation. Nevertheless, it can happen that the gateway does not work as you expect it to after the installation. The most common errors and test possibilities are described here. Support by mail You receive support by contacting the following mail address: support@nospamproxy.de Please include the following information in your mail: Your customer ID We gather and maintain all support cases in our ticket system. Your customer ID is the key to clearly map your support request. You received your customer ID after having requested a test licence or having purchased a licence. Should you not have your customer ID at hand, you can look it up in the licence file. The customer ID, "C12345" in our example, is located in an area called "ContactNumber": <field name="contactnumber">c12345</field> You can provide this number as your customer ID as well. The configuration of NoSpamProxy The location of the configuration files is described in the file system in the paragraph files of roles. Please attach it, especially the configuration file of the Gateway Role, to the mail to our support team. Network plan If you have a brief description of your environment, it helps us understanding how you wish to use NoSpamProxy. Of particular interest are your SMTP domains, the IP addresses of the internal mail server and how you receive and send your mails from the internet. Information on firewalls in the transfer routes are helpful as well. Information on your internet connection To apply NoSpamProxy, you must receive your mails via SMTP. Thus, external access to your system must be possible via port 25/TCP. Which components are between the Mail Gateway and the internet? A router with port filter and NAT or a full-featured firewall? Information on the server Which operating system and service packs have you installed? Do you have activated port filters or a firewall on the server? Error description Please describe which error or malfunction you are facing as detailed as possible. Page 211

212 Appendix We try to help you as soon as possible. However, please read the following advice to recognise frequent errors and know how to fix them on your own. Check NoSpamProxy At first, your attention should be directed at the management client of NoSpamProxy. The status screen on the overview page provides you with a very quick overview of your system. Here, you can see immediately whether all settings are entered correctly (Picture 200). Picture 200: The overview shows the complete configuration of NoSpamProxy Please check the following bullet points to find error causes. Are all roles started? All roles should have the status "started". You can also start the roles via the client. Are errors displayed? Errors in the configuration of a role are displayed in the overview on NoSpamProxy (Picture 201). Errors in a completely configured gateway should always be fixed. Are warnings displayed? Warnings are supposed to be considered similar to errors with the difference that warnings can indeed occur under certain circumstances. Please research into warnings as seriously as into Page 212

213 Appendix errors and weigh whether the warning is caused by your deliberate configuration of NoSpamProxy or whether it should better be fixed. IP addresses and ports Check whether the Gateway Role of NoSpamProxy accepts connections on the correct IP addresses and ports. Are mails transferred at all? On the status screen, you see the number of connections and and transferred mails as well as the data volume. If all values are set to 0, NoSpamProxy receives no mails. You can query the same values with the Windows performance counters. Messages in the event protocol NoSpamProxy shows you error messages in the Windows event viewer which impair its function. Picture 201: Errors in the configurations of NoSpamProxy Page 213

214 Appendix Test NoSpamProxy The basic functions of NoSpamProxy can be tested with two programs which are part of Windows: TELNET The dispatch of a mail via SMTP is very simple and can also be tested manually with TELNET. NSLOOKUP This program serves for troubleshooting in case of DNS resolution issues. NoSpamProxy uses DNS intensively, e.g. to request RBL lists or check certificates for validity. TELNET If a mail server sends a mail to another mail server this ensues via TCP/IP via the port 25. You can also implement this communication manually with TELNET and thus test the behaviour of the remote mail server or that of the own NoSpamProxy. You can easily send a mail via SMTP using the program TELNET. To do so, you start the connection establishment with: TELNET name-of-mail-server 25 Afterwards, the mail server should confirm the the establishment of the connection with a 220 message. At this point, you are now connected with your mail server and can send a mail as follows. To do so, enter the following commands, always followed by the Enter key <CR>. Wait for the confirmation of the mail server after each command. HELO name.of.sender server<cr> MAIL FROM: mail address@sender.de<cr> RCPT TO: mail address@target domain.de<cr> DATA<CR> From now, you enter everything without any further response of the server: Subject: This is the subject<cr> <CR> and this the body<cr>. <CR> For conclusion, the last line only contains a "full stop". By doing so, the end of the mail is marked and the mail server confirms the receipt of the mail. Using the command QUIT, the connection to the mail server is disconnected. NSLOOKUP The program NSLOOKUP is the means to check the DNS name resolution. Simply start the NSLOOKUP in a DOS window with the corresponding options. Page 214

215 Appendix Examples: nslookup -q=a You receive the list of the IP addresses which operate the website of Microsoft. nslookup -q=mx netatwork.de You receive the mail servers which accept mails for the domain netatwork.de. nslookup -q=a nslookup -q=a dnsbl.sorbs.net You receive the information from the list "Sorbs" that this server name has the IP address and is thus listed among the dynamic IP addresses. As a result, NSLOOKUP is a useful tool to identify errors in the DNS configuration of the Windows Server. Frequent errors and their causes NoSpamProxy is developed in such a way that only those interfaces are bound and used which were configured. Especially in the case of systems with many network interface cards and IP addresses it is thus important to implement the configuration conscientiously. As a consequence, please check the following settings: Port and IP address Ensure that NoSpamProxy accepts connections on the addresses which you intended for it. Maybe there just are transposed numbers in the configuration? Telnet on port 25 does not work Please keep in mind that NoSpamProxy does not work on the localhost address if you have bound the service to a specific IP address. Firewall Is there a firewall or a port filter on the server which prevent a connection to NoSpamProxy on TCP/IP level? Test the availability of NoSpamProxy on the server itself with a TELNET command on the IP address. By doing so, you exclude an external firewall for test purposes. Other services? NoSpamProxy tries to use the provided interfaces during the start. This is not possible if another program is already using the corresponding resources. The gateway shows this as error messages in the event viewer and in the status page. NoSpamProxy Protection does not filter If NoSpamProxy Protection is installed correctly and mails are passed through but not blocked, please check the following: Licence installed If NoSpamProxy Protection does not find any valid licence, all connections are set to "pass", this means mails are passed without any further consideration of the rules. Page 215

216 Appendix Rules Check whether your rules meet your requirements and whether filters and restrictions are set accordingly. The decision "pass" passes all mails of this rule. The order of the rules is important as well. The rules are processed sequentially. The first matching rule is applied and all others are not regarded. For testing, it is recommended to define, for instance, a rule at the beginning of the rule set which rejects mails to a specific mail address. This could be realised by using the correct setting in the tab "Mail flow", for example. A test mail to this recipient must be rejected by NoSpamProxy Protection. If this happens, the IP address of the test system is added to the blacklist and you know that NoSpamProxy Protection already works in principle. However, you must research into your rules in more detail now. Mail message tracking Message tracking offers you detailed information about the processing of a mail. Each mail processed by NoSpamProxy Protection can be found in the message tracking. There, you can also easily find the rule and the filters or actions applied to a mail including the categorisation. In case of malfunctioning or receipt of a "False Positive" result regarding mail processing through NoSpamProxy Protection, sufficient advice should be found in the message tracking. NoSpamProxy rejects all mails to local addresses NoSpamProxy prevents unauthorised forwarding of mails (Relaying) and is protected against external and internal misuse very well. Similar to a firewall, this means, however, that you have to initially activate the respective functions you require. This mandatorily comprises two settings: Owned domains You need to enter all the domains you expect mails for in the corresponding list in the gateway. Based on the default rules, NoSpamProxy only accepts external mails for this domains. If you have not entered any domains here, the gateway does not accept any external mails. Exception: You have changed the default rules so that this protection is no longer ensured. Corporate mail servers In order that mails to external addresses can be delivered by NoSpamProxy, all mail servers from which the gateway is supposed to forward mails must be entered in the list of the corporate mail servers. If mail servers are missing in the list, it is not possible to forward mails from these servers. If NoSpamProxy rejects external mails, the mail server which tries to deliver the mail creates a non delivery report. You can also transmit an external mail to the gateway yourself by using the TELNET test method and interpret the status message of NoSpamProxy which states the reason for the rejection. Moreover, message tracking offers you a helpful tool for error encirclement. SQL database is not available If you have selected the corporate users as recipient criteria in the rule in order that mails to invalid mail addresses are rejected, NoSpamProxy temporarily rejects the mail as soon as it cannot access the corresponding SQL table. Please ensure that the SQL server service is started properly and the gateway can access the database without errors. Among others, you can find error messages in the event viewer of NoSpamProxy and in the overview page. Page 216

217 Appendix NoSpamProxy Protection does not find any viruses NoSpamProxy Protection can scan all mails for virus-infested attachments and, depending on the setting, reject the entire mail or only remove the attachments. Two prerequisites need to be met in order that NoSpamProxy Protection can scan mails with attachments for viruses: Installed virus scanner Any virus scanner which monitors accesses to the file system in realtime and prevents the attempt to store a virus-infested file must be installed on the server of NoSpamProxy Protection. Action 'File based virus scanner' must be integrated This action is not integrated by default since it only makes sense in combination with an installed virus scanner. Since NoSpamProxy Protection cannot determine whether a virus scanner is installed, we do not wish to provide false security. To use the function of virus protection, you must install a file based virus scanner and integrate the action into the respective rules. You can check the function of the file based virus scanner by installing the EICAR test virus via the page or by having it sent to you. Smart card cannot be administered via RDP If you use certificates that are stored on a smart card, you cannot administer the smart card in an RDP session. It only works in a session directly on the host. In virtual environments based on Hyper-V, for example, the SCVMM admin must be used while in VMware environments, you would use the VMware admin. Exchange management console no longer starts If NoSpamProxy and Exchange 2010 are installed on the same server, the Exchange management console does no longer work properly. The reason for that is the.net Framework The Exchange management console requires.net Framework in version 2.0 while the NoSpamProxy management console works with version exclusively. In order that the correct.net Framework version is used, NoSpamProxy creates an environment variable with the name COMPLUS_ApplicationMigrationRuntimeActivationConfigPath. This variable refers to a path where a configuration file with corresponding settings is stored. When invoking any management console, the respective variable and thus the configuration file are used. Opening the Exchange MMC causes the known problems. To be able to further use the Exchange MMC, only the following workaround is available: The environment variable is deleted permanently and the NoSpamProxy MMC must be invoked via a batch file in which the required environment variables are defined in advance. The advantage is in this case that the environment variable is only applied to programs invoked from the context of the batch file. Open the 'Advanced system properties' via Start -> Execute -> sysdm.cpl (Picture 202). Select the button Environment Variables... in the tab Advanced. Page 217

COMPLUS_ApplicationMigrationRuntimeActivationConfigPath in the section System variables and click on Edit.

218 Appendix Picture 202: Advanced system properties The window with the 'Environment Variables' opens (Picture 203). Picture 203: The environment variables of the systems and user signed in Select the entry COMPLUS_ApplicationMigrationRuntimeActivationConfigPath in the section System variables and click on Edit. Copy the path from the field Value into the clipboard and delete the complete entry afterwards. Close both dialogues by clicking on OK respectively. Open Page 218

NoSpamProxy 12.1 Installation Manual. Protection Encryption Large Files

NoSpamProxy 12.1 Installation Manual Protection Encryption Large Files Imprint All rights reserved. The manual and the depicted programs are copyrighted products of Net at Work GmbH, Paderborn, Germany.