FTGateUsersGuide
Table Of Contents

Introduction
  Introduction
    Welcome to FTGate
  Licence Agreement
  Copyright
    Copyright © 1996-2009 FTGate Technology Ltd. All rights reserved.
    Trademarks
  Disclaimer
  Main Feature List
    Services
    Security
    Domains and Mailboxes
    User Mailboxes
    Group Mailboxes
    List Mailboxes
    Monitoring
    Client Services
    Anti-Virus support
    Anti-Spam and Message Filtering
    Other Features
    WebAdmin
  Groupware Features
    Shared Folders
    Address Books
    Calendars
    Task Lists
  FAQ (Frequently Asked Questions)
  Product support
    Product Support
    Support FAQ
    Upgrade Protection and Support Plan
    Contacting FTGate Technology
Installation
  System Requirements
    Recommended requirements:
    Minimum Requirements:
    Supported Systems
    Virtual Machines
    Web Browsers
    Outlook Connector
  Browser Compatibility
    Browsers offering full support for all features
    Browsers offering limited support
  Allowing users to relay through your server
  Forwarding to remote users in the same domain
    Problem
    Solution
  Connecting multiple offices with FTGate
    The network
    Central Office configuration (ServerA):
    Regional Office configuration (ServerB):
    Completion
  Registration Overview
    Licence Types
    Mailbox Count
  General
    Registering and Activating Licences
    Domains, Mailboxes and delivering mail
    AutoCluster Overview
    Access from the Internet
    Firewall ports
    Host-name configuration
    Network Storage and shared drives
    Accessing SolSight Web
    FTGate behind a NAT router/firewall
  Migration
    Migration
    Migrating Mail from an Existing POP3 server
    Moving to a new server
  Relay
    FTGate as an MX relay
    FTGate as a DMZ server
  Upgrade
    Upgrading from a previous version
    Upgrading from FTGateOffice or FTGatePro
    Upgrading From FTGate4
Using FTGate
  Common Tasks
    General
    Sending/Receiving via the Internet
    Managing Mailboxes and Domains
    Managing Filters
    Backup and Restore
  Troubleshooting
    UbeBlock is not blocking the spam emails
    I have just upgraded from FTGateOffice/Pro and my users cannot login
    A service will not start and reports "The specified address is already in use."
    SSL certificates
    I am unable to send to some domains, the mail sits in the outbox.
    My messages to Hotmail are disappearing
    My server is having its EHLO command rejected with a syntax error message
    How do I move FTGate to another machine
    How do I backup FTGate
    My users are getting a relaying denied error
    I can't remember my WebAdmin user name or password
    What firewall ports do I need to open?
    How do I share folders and keep the mail on the server.
    SmartPop delivery issues
    When I try to send mail to an Outlook list I get a Bulk sends not allowed error
    My users are getting the message 'Message size exceeds administrative limit'
  General
    Logging Into FTGate
    Mail Flow
    Undeliverable Mail
    Connection Types
    IMAP Considerations
    Forwarding Messages
    Macro Expansion
    Anti-Spoofing
  Send and Receive
    Receiving Mail
    Outbound SMTP Auth
    Sending Mail
    SmartPop
    Signatures/Disclaimers
    Remote Domains
    Greylisting Delays
    Accessing FTGate from the Internet
  Management
    Web Administration
    Activating a Licence Key
    Lost administrator passwords
    Emergency Recovery
    Safe Mode
    Database support
    SQL Based Mailing Lists
    Permissions/Access rights
    Customising SolSight Web
  Security Policies
    Security Policies
    Relay Control and Authentication
    Access Control Lists
    Configuring LAN access
    SSL
    SSL self signed certificates
  Filtering, Anti-Spam, Anti-Virus
    Overview
    Setting up junk filtering
    Minimising Junk/UBE mail
    Greylisting
    Whitelisting
    Whitehosting
    Blacklisting
    Filter Rules
    Safe Words
    SPF Validation
    Anti-Virus Overview
    UBEBlock
  Backup and restore
    Disaster Planning
    Backup and Restore
  Utility Applications
    FTGateArchive
    FTGateIcon
    FTGateUpdate
    FTGateMonitor
    FTGateLog
  AutoCluster
    Configuring AutoCluster
Web Admin Interface
  Web Admin Login
  User Interface Guide
    Saving changes
    Adding an item
    Deleting an item
    Filtering a list
    Selection lists
    Start/Stop Enable/Disable
    Paging control
  Menu Bar
    Navigation Panel
  Access Control
  General
    Information
    Log
    Activity
    Queues
    Statistics
    Archive
  Domains
    Managing Domains
    Local Domains
    Remote Domains
  Outbox
    Outbox
    Managing the Outbox
  Services
    Managing Services and Security Policies
    Security Policy
    Services
  Clients
    Managing Clients
    SmartPop
    AutoCluster
  Events
    Events
  Filters
    Greylist
    Routing
    Anti-Virus
    Quarantine
    Filter Policies
    Filter Policies
  Configuration
    Registration
    System
    Administrators
    Messages
    Spooler
    Logging
    Archiving
    DNS Servers
    RBL Sites
    Network Profiles
    Priority
    Auto Update
    Proxy
  Utility
    Utilities
    Mailbox Import
    List All Mailboxes
    Mailbox Export
    Mailbox Import1
Groupware
  Shared Folders
    Why Use Shared Folders?
    Shared Folder Access
    Uses for Shared Folders
  Address Books
    Mailing an address book:
    LDAP address book searches:
  Calendar Overview
  Shared Folder Overview
White Papers
  White Papers
  SPAM: Change is coming
    Why is change needed?
    A shift in approach
    Cleaning up the junk
    White lists
    UbeBlock spam analysis
    Moving Forward
    SmartPop
    The future
Error Messages
  Service Error Messages
  WebAdmin Login Messages
Update History
  FTGate History
    Historical time line for FTGate:
  FTGate2009 SR1
    Update 6.0.002
Credits
Glossary
Index
Introduction

Welcome to FTGate

FTGate is the result of over ten years' experience in the mail server market and represents the pinnacle of mail server performance and features. With extensive security, filtering, user management features, customer resource management and a comprehensive set of groupware features we feel that FTGate offers the best value possible.

This manual is written to answer your questions regarding how to complete specific tasks and achieve different goals with FTGate. The main topics are listed below.

Installation
• System Requirements
• Setting up domains and mailboxes
• Registering and Activating Licences
• Accessing SolSight
• Web Access from the Internet
• Migration
• FTGate as an MX relay
• FTGate as a DMZ server
• Upgrading from a previous version

Web Administration
• Web Admin Login
• User Interface Guide
• Menu Bar
• Access Control
• Managing Domains
• Outbox
• Managing Services and Security Policies
• Managing Clients (SmartPop/Auto-Cluster)
• Events

Using FTGate
• Logging Into FTGate
• Forwarding Messages
• Receiving Mail
• Sending Mail
• Greylisting Delays
• Web Administration
• Lost administrator passwords
• Security Policies
• Backup and Restore
• Service failed to start

Utilities
• FTGateArchive
• FTGateIcon
• FTGateUpdate
• FTGateMonitor
• FTGateLog

Filtering and Anti-spam
• Overview
• Filter Policies
• Setting up junk filtering
• Minimising Spam
• Greylisting
• Whitelisting
• Whitehosting
• Filter Rules
• Blacklisting
• UbeBlock Training
• Quarantine

Further Information
• Common Management Tasks
• FTGate Website
• FTGate Training Videos

Licence Agreement

THIS IS YOUR LICENCE AGREEMENT PLEASE READ IT AS YOU WILL BE BOUND BY ITS TERMS.

ACKNOWLEDGMENT: By using FTGate Technology products you acknowledge that you have read this licence agreement, understand it, and agree to be bound by its terms and conditions.
You also agree that the licence agreement is the complete and exclusive statement of agreement between the parties and supersedes all proposals or prior agreements, oral or written, and any other communications between the parties relating to the subject matter of the limited warranty.

SOFTWARE LICENCE AGREEMENT

SUBJECT OF AGREEMENT

FTGate Technology hereby grants to the CUSTOMER in consideration of licence fees paid by the CUSTOMER, (and during any trial period in consideration of the CUSTOMER agreeing to try the product) a non-assignable, non-transferable, non-exclusive licence to use FTGate and other FTGate Technology products ("the Product") on a single network server accessed by multiple computers subject to the Terms and Conditions below. FTGate Technology reserve the right to enforce these licence conditions through specific software features.

Copyright and other intellectual property rights in the Product shall at all times remain vested in FTGate Technology and the CUSTOMER's rights in the Product shall be limited to those of a user licensed under the terms of this Agreement, such use to be limited to the CUSTOMER's internal business purposes only.

The CUSTOMER agrees not to use the Product beyond the trial licence period without paying the relevant fees thereupon arising. The Product contains a timing device which ensures that no such use can be made after such trial/demonstration period without payment.

Where the CUSTOMER is supplied the Product via a distributor of FTGate Technology these terms and conditions of licence of the Product shall still apply as between FTGate Technology and the customer and are in addition to any contract terms between the distributor and the CUSTOMER.

These terms may be modified by us from time to time and are in addition to any general terms about use of the Product on our web site, including without limitation information about email support and other matters.
TERMS AND CONDITIONS

(1) LIMITED WARRANTY

The Product and accompanying written materials (including instructions for use and manuals and CD Roms, if any) are provided "as is" without warranty of any kind, to the fullest extent permitted by law. All terms implied by law, including without limitation as to satisfactory quality and fitness for purpose, which may by law be excluded or limited and liability in tort including without limitation for negligence and misrepresentation, are hereby excluded. Further, FTGate Technology does not warrant, guarantee, or make any representations regarding the use, or the results of use, of the Product in terms of correctness, accuracy, reliability, currentness, or otherwise. No oral or written information or advice given by FTGate Technology or its employees shall create a warranty or be otherwise actionable and the CUSTOMER may not rely on any such information or advice.

If the Product is defective, FTGate Technology will not be responsible for any or all costs of necessary servicing, repair or correction. Neither FTGate Technology nor anyone else who has been involved in the creation, production or delivery of the Product shall be liable for any direct, indirect, consequential or incidental damages (including damages for loss of business profits, business interruption, loss of business information, and the like) arising out of the use or inability to use the Product even if FTGate Technology has been advised of the possibility of such damages. FTGate Technology shall in no circumstances be liable in any way for the content of any message or transmission sent using or made in connection with the Product.

In any event FTGate Technology's liability to the CUSTOMER shall be limited to the value of the cost of the Product in relation to which a claim has arisen, or £250 if higher.
The parties acknowledge that the Product is a low value product which will be used for crucial business functions and that the limitations and exclusions on liability in this Agreement reflect the price. The parties accept such limits are reasonable.

The CUSTOMER shall indemnify and hold FTGate Technology harmless against all loss and liability, costs and damages, including legal fees on an indemnity basis, arising from any breach by the CUSTOMER of the terms of this Agreement or the licence of the Products or from any act or default of the CUSTOMER in relation to the Products which leads to loss or liability on the part of FTGate Technology.

(2) COPYRIGHT AND TRADE MARKS

The CUSTOMER shall not:
a) use, copy, modify, merge, or transfer copies of the Product except as provided in this Agreement,
b) reverse-assemble or reverse-compile the Product, save to the extent permitted by law,
c) sub-license, loan, rent, lease, or assign the Product or any copy thereof,
d) use the Product except as provided in this Agreement.

The Product is the copyright of FTGate Technology. All intellectual property rights in the Product remain with FTGate Technology. FTGate Technology warrants that it has full rights to grant the licences contained in this Agreement and full authority to license the Product. Nothing in this Agreement shall give the CUSTOMER any intellectual property right in the Product.

If any infringement of such copyright or other intellectual property rights in the Product or the Marks defined below, comes to the attention of the CUSTOMER it shall forthwith notify FTGate Technology by email. Should any portion of the Product be de-compiled, reverse-engineered, copied or duplicated, in breach of this clause, the CUSTOMER shall immediately notify FTGate Technology of the circumstances surrounding such event and shall assist FTGate Technology in enforcing its rights against any parties who are in violation of this Agreement.
Permitted exceptions to the above are for normal back up or archival purposes.

FTGate® is a registered trade mark of FTGate Technology. FTGate Technology has also built up substantial goodwill in FTGate®, FTGate Technology™, Floosietek™, FTGateLite™, FTGateOffice™, FTGatePro™, FTGateRelay™, UbeBlock™, SolSight™ and their logos ("the Marks"). The CUSTOMER shall not use the Marks in any other colour or in combination with any material which (a) is not a Product or a description of a Product of FTGate Technology or (b) in any manner which may bring FTGate Technology into disrepute or damage its reputation or cause it to be legally liable in any way.

(3) TERMINATION

FTGate Technology may terminate this Agreement upon thirty days written notice if the CUSTOMER fails to comply with any of the terms and conditions of this Agreement. In the event of termination, the CUSTOMER shall immediately cease use of the Product and at its own expense, remove from its computers all copies (including on-line, back-up and archival) of the Product and destroy them.

(4) NON-TRANSFERABLE LICENCE

The CUSTOMER acknowledges that the Products are the sole property of FTGate Technology and agrees not to assign, sub-license or otherwise transfer the Products in any manner without prior written consent of FTGate Technology.

(5) BINDING AGREEMENT

Upon acceptance of this Agreement by both parties, this Agreement shall constitute the entire Agreement between the parties and shall supersede all other oral or written agreements or communications between the parties. FTGate Technology shall not be bound by additional provisions or provisions at variance herewith that may appear in the CUSTOMER's acknowledgement, purchase order, or in any other communication between the CUSTOMER and FTGate Technology.

(6) MODIFICATION/WAIVER

FTGate Technology may modify the terms of this Agreement by email to the CUSTOMER or by posting a notice on its web site www.ftgate.com.
No term or provision shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party claimed to have waived or consented.

(7) ASSIGNMENT

The CUSTOMER shall not assign, sublicense, or otherwise transfer to any other party all or any part of this Agreement, any interest herein or any rights hereunder.

(8) NOTICES

All notices and other communications provided for or permitted under this Agreement shall be sufficient if contained in writing delivered by hand or registered certified mail or by facsimile addressed to the parties as set forth in this Agreement. Notification of critical errors concerning the Product should be communicated in writing to FTGate Technology by the other party. All such notices or communications shall be deemed received 2 working days after being sent. FTGate Technology reserves the right to communicate amendments to this agreement or all notices and other communications provided for or permitted under this Agreement by email to the other party.

(9) SURVIVAL

The CUSTOMER's obligations under paragraph (2) shall survive the termination of this Agreement.

(10) SEVERABILITY

If any provision of this Agreement shall be held void or unenforceable or contrary to English Law, such provision shall be deemed to have been excluded from this Agreement ab initio and shall not affect any other provision of this Agreement, the remainder of which shall be construed as if the excluded provision had never formed part of it.

(11) DATA PROTECTION

The CUSTOMER consents to its personal data being exported for processing abroad under the control of FTGate Technology and so that marketing emails on subjects of interest to the CUSTOMER being solely software products offered by FTGate Technology can be sent to the CUSTOMER. The CUSTOMER can notify FTGate Technology at any time to ensure such mailings are ceased.
(12) THIRD PARTY RIGHTS

No enforceable right is given or intended to be given by the parties to any third party, under this Agreement and the Contracts (Rights of Third Parties) Act 1999 shall not apply.

(13) GOVERNING LAW

This agreement will be governed by and construed in accordance with the laws of England and the parties hereby submit to the exclusive jurisdiction of the English courts. The place of performance is England.

ACKNOWLEDGMENT

By using the Product you acknowledge that you have read this licence agreement, understand it, and agree to be bound by its terms and conditions. You also agree that the licence agreement is the complete and exclusive statement of agreement between the parties and supersedes all proposals or prior agreements, oral or written, and any other communications between the parties relating to the subject matter of the limited warranty.

Copyright

Copyright © 1996-2009 FTGate Technology Ltd. All rights reserved.

Information in this document is subject to change without notice. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use, without the written permission of FTGate Technology Ltd.

FTGate Technology Ltd
Abbey Lodge
Station Road
West Dereham
Kings Lynn
Norfolk
PE33 9RR
United Kingdom
http://www.ftgate.com

Trademarks

FTGate®, FTGateOffice™, FTGatePro™, FTGateLite™, FTGateRelay™, UbeBlock™, SolSight™, Floosietek™ and FTGate Technology™ and their logos are trademarks or registered trademarks of FTGate Technology Ltd. in the UK, USA, the EC and other countries.

Microsoft and Windows are registered trademarks of Microsoft Corporation.

Other brands and their products are trademarks of their respective holders and should be noted as such.
Disclaimer

The information in this document is subject to change without notice and is correct to the best of our knowledge at the time of publication. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose other than as part of the FTGate product, without express written consent of FTGate Technology Ltd.

You are granted permission to print one copy of this document as part of the FTGate Product licence agreement.

Main Feature List

See Also
• Groupware Features

Services
Feature    PE    ISP    Relay
SMTP / ESMTP
POP3 / APOP
IMAP4
LDAP
Proxy
Groupware Connector
WebMail
WebAdmin
Monitor Port
* Replication only

Security
Security    PE    ISP
Multiple IP based security policies
Share security policies among services
SSL / TLS
SMTP Authentication
Comprehensive user based access controls
* Global setting only

Domains and Mailboxes
Feature    PE    ISP    Relay
Local user domains
Remote Relay Domains
User Mailboxes
Group Mailboxes
List Mailboxes
Domain Aliases
Mailbox Aliases
Mailbox Rules
Active Directory Support
User privilege options

User Mailboxes
Feature    PE    ISP    Relay
Multiple Folders
WebMail access
3 types of logon authentication
Loop protection
Hidden BCC control
Out of office automated message
User privilege control
Multiple shared folders (via IMAP/Web Mail)
Trashcan (via IMAP/WebMail)
Maximum message age controls
Mailbox quota controls
Message Tracking
Extensive mailbox rule/action controls

Group Mailboxes
Feature    PE    ISP    Relay
Round robin delivery option
Automatic message tracking options
Extensive mailbox rule controls
Privilege controls

List Mailboxes
Feature    PE    ISP    Relay
Automated member management
Archiving
Moderation
Distribution list or BCC list
Reply address control
Distribution to external SQL database lists
Configuration notification messages
Configuration message signatures
Extensive mailbox rules

Monitoring
Feature    PE    ISP    Relay
3 Logging levels
Searchable Log
Compressed Archive
Searchable Archive
Remote Monitor (activity + history)
Status Monitor
Queue Status
Server Statistics

Client Services
Feature    PE    ISP    Relay
SmartPop
AutoCluster

Outbox / Remote Domain
Feature    PE    ISP    Relay
LAN/Broadband and Dialup Support
4 types of delivery scheduling
Outbound connection limit controls
Custom Host name option
ISP or MX delivery options
Access to outbox queue for viewing/deletion
Flagged message delivery hold

Anti-Virus support
Feature    PE    ISP    Relay
Support for most 3rd party scanners
Scans inside Zip files
Scan and Quarantine or Scan and Delete
Custom notification messages (or no notifications)
Purge Scripts from HTML messages

Anti-Spam and Message Filtering
Feature    PE    ISP    Relay
Multiple shared domain filter policies
One policy per domain or multiple domains per policy
Whitelist (Specific list and Contact Database)
Whitehost
Blacklist
Safe Word List
Filter content by word
Filter content by phrase
Filter attachments (Purge/Quarantine/Delete)
UBEBlock2 Filter
UBEBlock+ Filter*
Comprehensive Filter Rules and actions
Grey Listing
RBL Scanning
* Requires valid UPSP subscription

Other Features
Feature    PE    ISP    Relay
User configurable system messages
Extensive scripting support
Call external applications from within FTGate
Multiple DNS servers
Auto Update
Dynamic address routing
Delivery piping support

WebAdmin
Feature    PE    ISP    Relay
Comprehensive server administration
Multiple administrators
SSL support
IP based access controls

Groupware Features

FTGate Groupware edition has comprehensive groupware and customer resource management features. Access to its groupware features is available through WebMail, the Outlook Connector and other utilities.

Shared Folders
Feature    PE    ISP    Relay
Multiple shared folders per user or group
User and group based permissions (read/write/create/delete/manage)
Accessed through WebMail and IMAP

Address Books
Feature    PE    ISP    Relay
Multiple Address Books per user or Group
Share options for each address book
User and group based permissions (read/write/create/delete/manage)
Customer Tracking Options (Manual and Automatic)
Contact Notes

Calendars
Feature    PE    ISP    Relay
Multiple Calendars per user or group
Share options for each Calendar
User and group based permissions (read/write/create/delete/manage)
Events and Appointments
Recurrent Events and Appointments
Mailed Reminders (self or specific address)
Instant Notifications (via SolSight Chat)

Task Lists
Feature    PE    ISP    Relay
Multiple Task Lists per user or group
Share options for each Task List
User and group based permissions (read/write/create/delete/manage)
Recurrent Events and Appointments
Mailed Reminders (self or specific address)
Instant Notifications (via SolSight Chat)

FAQ (Frequently Asked Questions)

The FTGate FAQ is located in the support forums section of the FTGate website. Users are encouraged to view the forum topics and post any questions for which they are unable to find an answer.

FTGate Forums and FAQ

Product Support

As a valued customer of FTGate Technology we will endeavour to give you the best possible product support service. FTGate Technology has an outstanding reputation for product support and we pride ourselves on the speed and accuracy of our support responses.

Included with the purchase of FTGate is 12 months Upgrade Protection and Support Plan (UPSP) to ensure that your system will always have the latest updates available. Members of the UPSP are eligible for unlimited email support.

Supported Versions

Customers who have a valid UPSP and therefore are entitled to high quality support are also able to obtain the latest versions of the software without charge.
Therefore FTGate Technology only support the latest version of FTGate available at the time of requesting support.

UPSP support options

FTGate users with a current UPSP can obtain support in the following manner:

Email: support@ftgate.com
Online: http://www.ftgate.com/support/main.htm

Please read the Support FAQ before contacting support.

Support FAQ

The following guidelines will help us to give you the best possible service when you request support from the FTGate Technology team, and will result in your problem being resolved in the shortest time. If the problem is reproducible then please describe the method you use to reproduce it and please include a debug log file showing the problem. By following these guidelines you will make it easier for us to give you a fast solution to your issues.

UPSP Status

Before contacting support please check that your Upgrade Protection and Support Plan is up to date and that you have installed any current version updates and patches. Users who require support but do not have a valid UPSP will be required to renew their UPSP before support will be made available.

Support Forums

General issues will be dealt with most quickly by posting to the appropriate section of the support forum. The support forum is tied into our email support system and your postings will receive the same speed of response through the forums as they will through email. Please don't post to the forums and also send the same request by email. You can visit the forums here http://members.ftgate.com/forum/index.php.

Email support

When contacting support you will receive an automated response that includes useful information and a tracking code [e.g. [FST0412001]]. Please use the tracking code when replying to messages from support as it will help us to track your issue. Failure to do so will result in a fresh code and will most likely end up with a different support specialist who will ask you for information you may already have supplied.
Support requests should be emailed to support@ftgate.com

Debug Logging

Before sending messages to support please make sure you have set your logging level to debug (In Configuration click Logging, then in Details to log select Debug).

If we ask for a log file then please locate the folder containing the logs (In Configuration click Logging, then find the path in Log path), then locate the file for the day of the incident [e.g. 20040101.ftlog] and then send the file to us. It is preferable to zip the file as it may contain content that will be rejected by our content filters and may be very large.

Sample Emails

If we ask for examples of an email then ideally we would like the message source file [e.g. f04030115595401C3.txt (zipped)]. The reason for this is that forwarding a message with your mail client will often remove items from the header, or even reformat the message completely. This makes it difficult to give advice.

When sending log files and messages please make sure that the log file actually covers the time period in which the messages or incident occurred. If the log and messages are mismatched there is no way that we will be able to help.

Screen shots

If you are asked for a screen shot, please follow this procedure.

1. Go to the page that is requested.
2. Press the Print Screen/SysRq key on the keyboard (this is the third from the right on the top row of most keyboards).
3. Open Windows Paint.
4. Click Edit/Paste.
5. Save the image to a file.
6. Attach that file to the message that you send us. (You can zip the file if you wish).

Upgrade Protection and Support Plan

At FTGate Technology, we aim to provide the most secure, most advanced and feature-packed mail server available today. We constantly update FTGate and release new versions with the latest security features every few months. The internet is constantly evolving and consequently the Internet Standards are updated and changing all the time.
New email security issues arise all the time, and FTGate evolves to deal with these developments, in order to give you the best protection for your network.

The FTGate Upgrade Protection and Support Plan (UPSP) has been developed in response to customer requests for an inexpensive annual payment Plan which will keep their organisation always up to date with the latest version and enable them to continue to receive the highest possible quality of support.

Advantages of the UPSP:
• Continuous product support
• Ability to keep pace with changes in internet standards
• No unexpected costs when new versions are released
• Access to new features without price restrictions
• Maintaining the latest anti-virus, anti-spam and other security updates
• Access to UBEBlock+ anti-spam Enhancements

If you maintain your FTGate UPSP, you will ensure that your organisation will always have the latest version of FTGate without any additional cost during the term. You will never again have to worry about unexpected costs of keeping your mail server up to date. With the initial purchase of your FTGate starter license, you will receive a full year of upgrade protection and support free of charge.

Lapsed UPSP

The Upgrade Protection Plan runs for 1 year from the date of the initial purchase of FTGate or renewal. If at the end of the UPSP period you decide not to renew the plan then you will no longer be eligible for technical support or any updates or patches. You will also be unable to use the UBEBlock+ anti-spam enhancements. After the renewal period has expired, a normal upgrade charge will apply. UPSP renewals will run from the expiry date of the original UPSP.

Contacting FTGate Technology

You can contact FTGate Technology in the following ways:
• Online Support pages. http://www.ftgate.com/main/support/
• email: sales@ftgate.com
• Address: FTGate Technology Limited. Abbey Lodge, Station Road, West Dereham, Kings Lynn, Norfolk. PE33 9RR.
United Kingdom
• FAX: +44 01366 500560
• UK Company number: 02919324

Installation

System Requirements

The exact system requirements for FTGate will depend on your application. A simple server handling low volumes of traffic and only being used as a POP3 server will need a much less demanding PC than one for 10,000 users with IMAP, WebMail and large volumes of mail. Thus, you should test FTGate on any particular system to see if it will be capable of handling your specific requirements.

Recommended requirements:
Suitable for running very large number of users with IMAP and WebMail
Windows 2000 SP4 Server or Windows 2003 SP2 Server
Internet Explorer 6 or better
Dual Intel Xeon 2.4 GHz processors
1 GB RAM
32 GB HD (depends on the volume of mail you have)

Minimum Requirements:
Suitable for POP3 access, IMAP, no WebMail, limited numbers of users.
Windows 2000 SP4
Internet Explorer 6 or better
Single PIII CPU 500 MHz
256 MB RAM

Supported Systems
Windows 2000 Workstation
Windows 2000 Server (all editions)
Windows XP Pro (Home not recommended)
Windows 2003 Server (All editions)

Virtual Machines

While FTGate has undergone some testing on virtual machine installations we cannot possibly test all versions of Windows with all possible virtual machines. For this reason we do not list any virtual machines as supported for any operating system. However, if you wish to test on a virtual machine we would recommend using the 30-day trial version to verify that your particular instance works correctly. If your chosen combination of operating system and virtual machine does not work correctly then we recommend that you run FTGate on real hardware.

Web Browsers

FTGate requires use of a Web Browser that supports JavaScript and CSS2. We recommend:
Internet Explorer 7 or later
Firefox
Safari

Outlook Connector

The FTGate Outlook connector will install in all versions of Outlook.
However, only Outlook 2007 is recommended by FTGate Technology for use with the Outlook connector. On rare occasions users with Outlook 2003 and older may experience problems with the Outlook connector and we would recommend under those circumstances that you upgrade to Outlook 2007.

Browser Compatibility

FTGate uses Web2.0 technology to give its Web Mail and Web Administration users the best environment possible in which to work. This means that some older browsers are not supported and some features will not be available on some browsers. Below is a list of browsers that have been tested and what features are available.

Browsers offering full support for all features
Internet Explorer V7.0+
Firefox V2.0+
Netscape V8.1.3 (IE rendering mode)
Opera V9.2
Avant V10.0

Browsers offering limited support
Safari V2.0.4 - no Day/Week/Month view in calendaring

Allowing users to relay through your server

In order to relay through FTGate the users must be Authenticated, either by using SMTP authentication or by connecting from an address that has been granted Automatic Authentication (AA flag) in the appropriate Security Policies. Thus you have two options:

1. Enable the user's mail client to use SMTP authentication. With this set the default configuration of the Global Security Policy will allow relay.
2. Enter the user's IP address or range into the Global Security Policy and set the PA (Permit Access), AA (Automatic Authentication), AS (Authenticate by SMTP) and AR (Authenticated Relaying) flags.

Forwarding to remote users in the same domain

This topic discusses the solution to the following problem.

Company A has 3 POP3 mailboxes at their ISP. Two of the POP3 mailboxes are for specific users while the third is for all the other addresses in the domain. Thus the 3 mailboxes are called

1. user1@a.com
2. user2@a.com
3. anyone@a.com

Company A wants to have all mail for user1 and user2 delivered from their FTGate to the Internet so that their ISP can place the mail in the user1 or user2 mailbox. So they go to the options for domain a.com and set the undeliverable mail option to forward the mail to the internet (Domain List/a.com/undeliverable). They then configure SmartPop to collect mail from the anyone@a.com mailbox and deliver to the appropriate mailboxes.

Problem

An outside user sends a message to noone@a.com and there is no mailbox for that address. SmartPop collects the message and delivers it to the domain; the domain sees it as being to an unknown address and sends it back to the internet, which puts it back in the anyone@a.com mailbox, thus causing a loop. This has two consequences: the message will go round in a loop until the ISP stops it, and if the mail were important but mis-addressed it would be lost.

Solution

The cause of the problem is that the domain is passing responsibility for the validity of the addresses to the ISP, which does not have any way to know the validity of the addresses. The solution is for the administrator of FTGate to take responsibility and set the domain handling to either reject badly addressed mail or deliver it to a nominated local mailbox (Domain List/a.com/undeliverable).

However, that leaves the problem of local users emailing user1@a.com and user2@a.com: there is no local mailbox for them in the domain, so their mail must somehow be given to the ISP for delivery. This is solved in the following manner.

The administrator creates a new remote domain in FTGate called remote.users. He sets the delivery options to be the same as for the Outbox settings.
In Filter/Routes he creates the following routes:

from: *    to: user1@a.com    route to: user1@a.com|remote.users
from: *    to: user2@a.com    route to: user2@a.com|remote.users

This tells FTGate to handle mail for those users differently: any mail for them will go into the remote.users remote domain and will be sent to the ISP. Mail for unknown users will go into the local domain and be handled by the domain settings.

This method prevents loops and allows the administrator to explicitly define which addresses are to be controlled locally and which remotely. Remote users can be added and removed by modifying the Filter/Route list.

Connecting multiple offices with FTGate

This article will explain how to connect two (or more) offices together using FTGate products. This example assumes that both sites have broadband access.

Joe Dobbit runs an Estate agency (dobbit.com) with offices in two towns. The central office is in London (ServerA) and a regional office is in Norfolk (ServerB). Joe wants to be able to have all his staff members email each other without having to set up sub-domains or remember where each staff member is located. He wants his email scanned for viruses and to be able to archive all mail sent in and out of the offices.

The network

Joe has selected FTGate for both sites. The central office has 50 staff members and the regional office has 5: Helen, Steve, Sam, Michael and Graeme.

Central Office configuration (ServerA):

After configuring ServerA with the basic settings needed to send and receive email the following changes were made.

• A new mailbox called Serverb was created with a password of ServerB_pwd
• The users at the regional office were added as aliases for Serverb, i.e. Helen, Steve, Sam, Michael and Graeme
• A new POP3 service was created on port 111 called pop_server_b.
• The pop_server_b security policy was altered to the Default Global Security Policy
• The pop_server_b access control was set to limit access to serverb@dobbit.com
• Domain List/Dobbit.com/Undeliverable was set to Reject
• A suitable virus scanner was installed and anti-virus options were enabled.
• Firewall access was granted on port 111 with a restriction that only the IP address of ServerB can connect
• Firewall access was granted on port 25 with a restriction that only the IP address of ServerB can connect (if you already allow port 25 (SMTP) access from the Internet then this step can be omitted).

Regional Office configuration (ServerB):

After configuring the regional server to connect to the Internet using a suitable schedule, the following changes were made:

Sending Mail
• Outbox/Connection/Network Profile set to LAN
• Outbox/Connection/Delivery Mode set to Immediate
• Outbox/Delivery/Host1 set to ServerA;serverb@dobbit.com;ServerB_pwd (where ServerA is the IP address of ServerA)
• Outbox/Delivery/Delivery Route set to SMTP Hosts
• Domain List/Dobbit.com/Undeliverable was set to Forward to Internet

Receiving mail
• In Server/Clients/Clients a new SmartPop account was created in the name of ServerA
• In the SmartPop options pages:
  • Connection/Network Profile was set to LAN
  • Connection/Host Name was set to the IP address of ServerA
  • Connection/Port was set to 111
  • Connection/Login was set to serverb@dobbit.com
  • Connection/Password was set to ServerB_pwd
  • Settings/When online check every was set to 5m
  • Delivery/Delivery Control was set to Automatic

Completion

With the above changes made the two offices were able to send email back and forth between them, with the only delay being the 5 minute collection period at the Regional Office. Further offices could be added in the same way as the first Regional Office.

Now all the mail sent to and from the company is archived and scanned and Joe is very happy with his efficient mail system.
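The loop described under "Forwarding to remote users in the same domain", and the effect of the two fixes (rejecting unknown addresses and routing user1 and user2 to remote.users), traced as a small simulation. This is an added example, not FTGate code; the FTGateConfig and trace names, the local mailbox bob@a.com and the hop limit are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Mailboxes hosted at the ISP, taken from the scenario in the guide.
ISP_MAILBOXES = {"user1@a.com", "user2@a.com"}
ISP_CATCH_ALL = "anyone@a.com"   # receives every other a.com address
MAX_HOPS = 10                    # assumed limit, stands in for "until the ISP stops it"


@dataclass
class FTGateConfig:
    """Simplified view of the a.com settings discussed in the guide."""
    local_mailboxes: set                         # mailboxes held on FTGate
    undeliverable: str                           # "forward" or "reject"
    routes: dict = field(default_factory=dict)   # recipient -> remote domain


def trace(cfg, rcpt, entry):
    """Follow one message addressed to rcpt.

    entry is "isp" for mail from an outside sender and "ftgate" for mail
    submitted by a local user. Returns (outcome, hops).
    """
    hops, where = [], entry
    for _ in range(MAX_HOPS):
        if where == "isp":
            if rcpt in ISP_MAILBOXES:
                hops.append(f"ISP mailbox {rcpt}")
                return "delivered-at-isp", hops
            # Any other address lands in the catch-all, which SmartPop collects.
            hops.append(f"ISP catch-all {ISP_CATCH_ALL} -> SmartPop")
            where = "ftgate"
        elif rcpt in cfg.routes:
            hops.append(f"route {rcpt}|{cfg.routes[rcpt]}")
            where = "isp"
        elif rcpt in cfg.local_mailboxes:
            hops.append(f"local mailbox {rcpt}")
            return "delivered-local", hops
        elif cfg.undeliverable == "forward":
            hops.append("unknown address -> forward to Internet")
            where = "isp"
        else:
            hops.append("unknown address -> rejected")
            return "rejected", hops
    return "loop", hops


# Constructed configurations: bob@a.com is an assumed local mailbox.
ORIGINAL = FTGateConfig({"bob@a.com"}, "forward")
REJECT_ONLY = FTGateConfig({"bob@a.com"}, "reject")
FIXED = FTGateConfig(
    {"bob@a.com"},
    "reject",
    {"user1@a.com": "remote.users", "user2@a.com": "remote.users"},
)

if __name__ == "__main__":
    cases = [
        ("original, outside mail to noone@a.com", ORIGINAL, "noone@a.com", "isp"),
        ("reject only, local mail to user1@a.com", REJECT_ONLY, "user1@a.com", "ftgate"),
        ("fixed, outside mail to noone@a.com", FIXED, "noone@a.com", "isp"),
        ("fixed, local mail to user1@a.com", FIXED, "user1@a.com", "ftgate"),
    ]
    for label, cfg, rcpt, entry in cases:
        outcome, hops = trace(cfg, rcpt, entry)
        print(f"{label}: {outcome} after {len(hops)} hop(s)")
```

The "reject only" case shows why the routes are needed: without them, local mail to user1@a.com is refused instead of reaching the ISP.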
Registration Overview

In order to use FTGate beyond the 30 day trial period you are required to purchase and register a registration licence key. The licence key defines the number of mailboxes that can be used on the server.

Licence Types

The licence keys come in two types:
• Starter Packs
  These licence keys enable all the server functionality and set the number of mailboxes initially available on the system
• Additional Mailbox packs
  These licence keys add additional mailboxes to a server. However, a starter pack must already be installed on the server

Mailbox Count

When deciding on the number of mailboxes you will need you should add up the number of User and List mailboxes and also the number of remote domains. The total will be the licence size you require.

e.g.
• 1 domain with 45 user mailboxes and 5 lists (=50)
  Total = 50 mailboxes
• 1 domain with 10 mailboxes and 1 list (=11)
  1 domain with 35 mailboxes and 3 lists (=38)
  3 remote domains (=3)
  Total = 52 mailboxes

Tip: To see how many mailboxes you are currently using
1. In Configuration, click Registration
2. In Allocated, read the current number of mailboxes used

See Also
• Registering and Activating Licences

General

Registering and Activating Licences

Auto-activation

In order to activate your new licence for the first time you should do the following:

1. Login to WebAdmin
2. Click Configuration
3. Click Registration
4. If you have not already done so, enter your registration key into the box provided and click add
5. Now click the Auto-Activate button
6. You are now presented with the activation page.
7. If this is the first time you have activated an FTGate product then you should enter your email address and desired password for registration. If you have previously registered or activated an FTGate product you should use the existing details.
8. You should enter a server name and location, for example "mail server" and "main office".
These are simply to act as a reference should you ever have more than one licence.
9. Finally click the Activate now over the internet button
10. The process should now be complete.

If you are unable to activate automatically this may be due to a firewall blocking access to our servers, in which case it is necessary to activate FTGate manually.

Manual-Activation

If you have previously registered an FTGate product then in order to activate manually you must do the following.

1. Log into WebAdmin
2. Click Configuration
3. Click Registration
4. If you have not already done so, enter your registration key into the box provided and click add
5. Note down the "Server serial number" SSN
6. Log into the members website (https://members.ftgate.com)
7. Click the Activate button and enter the SSN into the appropriate field
8. Press the OK button.
9. Copy the activation code from the members website
10. Go back to the WebAdmin/Configuration/Registration page
11. Put the activation code into the box to the right of the registration key
12. Click Add

Manual Registration and activation

If you have never previously registered an FTGate product and your FTGate server is unable to access our website for activation then you should do the following:

1. Log into WebAdmin and go to the Configuration/Registration page
2. If you have not already done so, enter your registration key into the box provided and click add
3. Note down the "Server serial number" SSN
4. Go to https://members.ftgate.com/newaccount.asp and create a new account
5. After signing into the members website click on Add Licence
6. Enter the registration licence code (2 above) and add a description and location for your ease of reference
7. Click Register server
8. Click Licences
9. Click the Activate button, enter the SSN into the appropriate field and then press the OK button
10. Note down or copy the activation code from the members website
11. Return to the WebAdmin/Configuration/Registration page, put the activation code into the Activation Key box next to your licence key and click Add
12. Your licence should now be activated correctly.

Further Problems

These steps should allow full activation of our products. However, if you have any problems with activation, please contact FTGate support for further help.

Domains, Mailboxes and delivering mail

FTGate is primarily a mail server. Its task is to deliver mail between mailboxes and to send and receive email over the Internet. See the Mail Flow diagram for a graphical view of mail flow.

Local Mailboxes

Email is sent between mailboxes using an address which consists of two parts: the local part, which describes the user's mailbox, and the domain part, which describes the collection of mailboxes. Thus an email address of bob@mydomain.com has a local part (mailbox name) of bob and a domain part of mydomain.com.

FTGate organises its mailboxes in the same way. To store mail for Bob you would create a new Local Domain called mydomain.com (See Creating Domains). This will store all the mailboxes for the domain. Then you would create a User Mailbox called bob into which all Bob's mail would be delivered (See Mailbox Overview, Creating a new User).

Sending Mail

Mail is sent to the Internet through the Outbox, just as in a mail client. Normally you configure your mail client (Outlook, Eudora, Firebird etc) to send mail to FTGate. When you compose a message it goes into your mail client's outbox, which sends it to FTGate. FTGate then either delivers it to a local address or places it in its own outbox. Mail from the FTGate outbox is then sent to the Internet so that the recipient's mail server can deliver it to their own mailbox. The settings for the outbox will vary between ISPs and you should check with your ISP for the appropriate settings.

See Sending Mail

Receiving Mail

FTGate can either receive mail using a protocol called SMTP or using a SmartPop client.
SMTP is used when sending mail from your mail client to FTGate, and by FTGate when sending to the Internet. It can also be used by other servers to send mail directly to your server. However, this feature is dependent on your ISP and you should check with them to see if this feature is available. If your ISP does not support sending mail to you using SMTP, then you must use SmartPop to collect mail from the ISP's POP3 mailbox. FTGate can then deliver the mail to the local mailboxes.

See Receiving Mail

AutoCluster Overview

AutoCluster is a new feature in FTGate that expands the previously named Replication client. This advanced feature allows for the automatic configuration of a network of servers while allowing a pooled front end server array to manage the marshalling of connections between the servers.

FTGate AutoCluster offers a powerful way in which an ISP can optimize their network and protect against the potential disaster of having a single point of failure disable their whole network. In an AutoClustered distributed cluster system no single failure will disable the whole network and you can be confident that your customers will see the best possible service that can be offered.

This feature will be of primary interest to ISPs or multi-domain corporate networks.

How AutoCluster works

Let us assume that an ISP has 3 servers that they are using to host the accounts for domain1.com, domain2.com and domain3.com. In a non-AutoCluster network each member of each domain must configure their mail clients to connect to the specific IP address, as shown below.

Diagram 1 - Non-AutoCluster network.

In this scenario all the filtering and processing of mail for a domain is performed by the specific server for that domain. If for some reason the IP of the server needs to change, or the mailboxes need to be moved to a different server with more capacity, then each client connecting to the server must update their mail client settings.
If the server suffers a hardware failure then it will not be possible to replace it without network reconfiguration and customer disruption. Also, if there is a requirement for backup MX servers then these must be configured for each server and, if spam is to be reduced, the filtering for each MX server must be configured individually.

If we replace the network above with an AutoCluster front end, things change considerably as shown in diagram 2.

Diagram 2 - AutoCluster network

In an AutoCluster network each of the Relay Edition servers takes a dual role. Its primary role is to act as an MX relay for all the domains on the network and the secondary role is to act as a POP Proxy. This means that all the clients are configured to connect to a fixed IP list regardless of the server on which their mail is hosted.

For example: A DNS entry could be made for mx.someisp.com with the IP addresses 195.224.16.148 and 195.224.16.149. Each mail client would then be configured to send and receive via mx.someisp.com, while the actual connections to the back end servers are controlled by the Relay Edition front end servers through the AutoCluster system.

AutoCluster is further enhanced by a unique feature by which it can automatically configure itself for all the users in the network pool. Thus adding a new domain or user to any back end server causes all the relays to be updated with the user lists for each machine. This allows the Relay Edition servers to dynamically reject email for addresses that are not valid on the back end servers and thus protect against network overload caused by dictionary attacks and reduce the amount of spam that is accepted by the whole network.

An additional advantage of the AutoCluster system is that the main process load of virus scanning can be performed on the front end servers, thus adding another layer of protection to the back end servers.
Advantages of AutoCluster

• Distributed Clustering
• Trivial installation
• Dynamic auto configuration
• Load sharing
• Transparent to customer
• Distributed spam reduction
• No single point of failure
• Low cost - 2 Relay Edition servers free with each ISP edition server

Access from the Internet

SMTP

By default SMTP is configured for non relay access from the Internet. External users can connect to FTGate and send to local users but will be unable to send back to the Internet. Thus by default FTGate cannot be used as an open relay by Spammers.

POP3/IMAP/LDAP

In order to allow Internet access to these services, change the service security policy for the service from the Default LAN Security Policy to the Global Security Policy.

WebMail

In order to allow access to WebMail for Internet users there are 3 choices.

1. You can create a new security policy for WebMail with the WAN address range set with only the PA flag. This will allow Internet access to WebMail while restricting access to POP3 and IMAP. This is the recommended option.
2. Change the WebMail security policy to "Global Security Policy". This will allow all machines on the Internet to access WebMail. However, if you have the global policy set to verify addresses using RBL then each page access will have an RBL test performed on it. This can slow down access.
3. You can change the LAN security policy and check the PA checkbox for the WAN range. This will make ALL your services using this policy (POP3 and IMAP) available to all Internet users. This is not recommended if you wish to protect your POP3 and IMAP services.

WebAdmin

Change the WebAdmin security policy so that the PA flag is set in the WAN range.

Note: For each of the above remember that for access to the Web Services to be available you will need the PA flag set, the BL flag clear and the HTTP service to be enabled in the security policy.
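A simplified model of how the flags named in this guide (PA, AA, AS, AR) combine into a relay decision, including the case of a gateway whose LAN-side address falls inside an automatically authenticated range. This is an added example, not FTGate code: the sample entries and client addresses are constructed, and the rule that the most specific matching entry wins is an assumption the guide does not state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyEntry:
    network: ipaddress.IPv4Network
    flags: frozenset


def entry(address, mask, flags):
    """Build an entry from the Address / Mask / Flags columns of a policy."""
    net = ipaddress.IPv4Network(f"{address}/{mask}")
    return PolicyEntry(net, frozenset(flags.split()))


def match(policy, client_ip):
    """Return the matching entry with the longest mask, or None (assumed rule)."""
    ip = ipaddress.IPv4Address(client_ip)
    hits = [e for e in policy if ip in e.network]
    return max(hits, key=lambda e: e.network.prefixlen, default=None)


def may_relay(policy, client_ip, smtp_auth_ok=False):
    """Relay needs access (PA), authentication (AA, or AS plus a successful
    SMTP login) and the right to relay once authenticated (AR)."""
    e = match(policy, client_ip)
    if e is None or "PA" not in e.flags:
        return False
    authenticated = "AA" in e.flags or ("AS" in e.flags and smtp_auth_ok)
    return authenticated and "AR" in e.flags


def auto_relay_sources(policy, candidates):
    """Audit helper: which candidate addresses can relay with no credentials?"""
    return [ip for ip in candidates if may_relay(policy, ip)]


# Constructed sample policy: Internet clients must log in with SMTP
# authentication, private LAN ranges are authenticated automatically.
POLICY = [
    entry("0.0.0.0", "0.0.0.0", "PA AS AR"),
    entry("192.168.0.0", "255.255.0.0", "PA AA AS AR"),
    entry("10.0.0.0", "255.0.0.0", "PA AA AS AR"),
]
# The same policy plus a single-host entry for the gateway carrying only PA.
HARDENED = POLICY + [entry("192.168.1.15", "255.255.255.255", "PA")]

GATEWAY = "192.168.1.15"      # LAN-side address of a NAT router (constructed)
LAN_CLIENT = "192.168.1.20"   # ordinary workstation (constructed)
INTERNET = "203.0.113.7"      # documentation-range address (constructed)

if __name__ == "__main__":
    for name, policy in (("sample", POLICY), ("hardened", HARDENED)):
        exposed = auto_relay_sources(policy, [GATEWAY, LAN_CLIENT, INTERNET])
        print(f"{name}: relay without credentials from {exposed}")
```

In this model a PA-only entry also refuses relay to clients that present SMTP credentials through the gateway, because AS and AR are absent from that entry.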
In order to access any features of FTGate from the Internet you will require open ports in any firewall protecting your network.

See Firewall ports

Firewall ports

To determine the ports you need open in your firewall, review the service list in FTGate. This list shows the ports of all the services currently configured in FTGate. By default the main services are:

Service            Port
SMTP               25
POP3               110
SolSight WebMail   80
WebAdmin           8089
LDAP               389
IMAP               143

See Also: Service failed to start

Host-name configuration

The Outbox or Remote domain host-name is set in either the Outbox/Connection or the Remote Domain/Connection page.

Your host-name should be the name that will be resolved by a reverse lookup for your IP address, or at the very least a valid name used in a DNS which resolves to your IP.

For example:

EHLO mx0.ftgate.com
lookup mx0.ftgate.com = 195.224.16.225
lookup 195.224.16.225 = 225.128-255.16.224.195.in-addr.arpa = mx0.ftgate.com

So it resolves to the same address both ways. This is the correct way to have a host defined when sending out using MX records. If both paths are not there then some servers will reject your mail. To configure this in your DNS server you will have to contact your ISP/DNS hosting company.

Some servers will not allow the host-name to be set to the IP address. In this case, if you have no valid reverse lookup host-name, you should use your domain name.

Network Storage and shared drives

In order to access network storage you will need to edit the FTGate service to run under a user account as follows:

1. Create a new network user account in the name of FTGATE_SERVER
2. On the network machine providing the storage create a network share for the files called FTGATE_SPOOL
3. Go to the Service control panel on the FTGate machine and open the services control
4. Open the FTGate mail server service and change the startup details to specify the account FTGATE_SERVER as specified in 1
5. The service control panel will then modify the account settings to allow appropriate access
6. Start the FTGate Service and open WebAdmin
7. In Configuration, click System
8. In Safe Mode, click Safe Mode
9. In Configuration, click Spooler
10. In Spool Path, enter \\computername\ftgate_spool
11. To move a domain onto the network drive go to the domain's info page and click the change button. Then specify the new storage path. Be sure to maintain the domain name, e.g. change c:\spool\mydomain.com to \\computername\ftgate_spool\mydomain.com
12. Restart FTGate

Stopping and starting FTGate through the FTGate icon will not disrupt the use of the network drive.

In the event of the network drive going off line FTGate will suspend itself to prevent incorrect operation and will require an administrator to restart it.

It is STRONGLY recommended that the spool folder remain on the same machine as FTGate. The spool\inbox, spool\outbox and subfolders are heavily used during mail processing and there will be a significant drop in performance if these folders are stored remotely. Domain storage can be safely moved to a different drive.

Accessing SolSight Web

In order to access SolSight Web you should first make sure that the SolSight Web Mail service is started in the Services page of FTGate. You should then start your Web browser and enter the IP address of your server into the address box. This will take you to SolSight Web.

Accessing SolSight Web from the Internet

If your server does not have a real Internet address but is actually behind a NAT router then you must configure the router to connect incoming connections to the FTGate machine on port 80 and open any firewall ports that are needed. Please see your router user's guide for details on how to do this. You must also alter the security policies to allow access to FTGate from the Internet.
You should then enter the IP address of either your FTGate machine, or Router/Firewall, into the browser in order to connect to SolSight Web.

FTGate behind a NAT router/firewall

When FTGate runs behind a NAT router or firewall that has an IP address that is either 192.168.x.x or 10.x.x.x, the NAT device will appear to FTGate to be part of the local network address space. This will cause it to be granted automatic authentication rights, and hence it will be able to relay through the server.

The solution to this problem is to simply go to the Global Security Policy and add the address of the router with only the PA flag set.

e.g. If the NAT router has a local address of 192.168.1.15 we would enter:

Address        Mask              Flags
192.168.1.15   255.255.255.255   PA

This will prevent relaying through your server.

See Also:
• Security Policies
• Relay Control and Authentication

Migration

In order to make it easier for an administrator to integrate FTGate into their network, FTGate offers two options for creating users without administrator interaction.

Active Directory Migration

The first option allows FTGate to create mailboxes automatically if the user's login details match an entry in an Active Directory (AD) or NT SAM database. If the user's login matches the AD entry then FTGate will create a mailbox and let the user have access to it.

POP3 Migration

This option allows FTGate to create and migrate user mailboxes from an existing POP3 server on your network, while permitting users to continue using mail in their normal way.

See also
• Migrating Mail from an Existing POP3 server

Migrating Mail from an Existing POP3 server

FTGate offers a seamless way to transfer mail from your old mail server to your new FTGate mail server.

How it works

When a user connects to either the POP3 or IMAP port of FTGate, FTGate will connect to the old POP3 server and try to log into the server using the supplied username and password.
If the login is successful then FTGate will create a new mailbox with that username and set the password and other options appropriately. The mailbox will have a Migration message added to it so that the user will see a friendly message telling them that their mail is being transferred. FTGate will then start a separate process which will download the mail from the user's mailbox on their old system to the new mailbox in FTGate.

Mail for non migrated users

Mail arriving at FTGate for mailboxes that have been migrated will be delivered to the local mailbox as normal. However, mail for mailboxes that have not yet been migrated must be sent to the old server. To allow this the administrator must create a remote domain that will send the undeliverable mail to the old server. This domain should be called something like "migrate.domain". The local domain should then be configured such that mail for unknown users is piped to this domain.

During Migration

If the old mail server receives mail for a migrated user the user will not receive their mail. Thus it is recommended that periodically, during the migration period, the "Check Mailboxes" button is clicked. This will pull over any mail that is in the old system.

Finishing Migration

When all the mailboxes have been migrated from the old system, the remote domain that delivers to the old system can be removed, the undeliverable options in the local domain can be set to reject mail and the Migration option can be disabled.

Migration Example:

A company (big-company.com) has an old POP3 mail server on an old PC that they wish to replace. They have purchased a new server PC and a copy of FTGate and wish to migrate their old mail to the new mail system. The following steps should be followed:

Server Configuration
1. Install FTGate on the new machine
2. Create a local domain big-company.com (Creating Domains)
3. Create a remote domain big-company.old, set its delivery mode to deliver immediately and set the delivery host to be the IP address of the old server.
4. In the big-company.com domain set the mail for unknown users to deliver to the following email address: *@big-company.com|big-company.old
5. In the big-company.com domain set the migration options to POP3 migration and enter the IP address of the old server and a Migration message.

Client Configuration
1. Change the users' inbound and outbound mail settings to be the new server address.

Completing Migration

When all the users' mailboxes have been transferred the final stages of Migration can be completed.

1. In the big-company.com domain, undeliverable mail options, set the mail for unknown users to reject mail.
2. In the big-company.com domain, click the "Check mailboxes" button. This will pull over any mail that arrived in the old system between the start of migration and completion of migration
3. In the big-company.com domain turn off migration
4. Delete the big-company.old domain

Migration is now complete and the mailbox and mail have been moved to the new FTGate system.

Moving to a new server

To migrate, or move, FTGate to another machine without losing any mail or needing to re-configure, follow these steps:

Old Machine
1. Go to Configuration/System, note where FTGate stores the backup files. This is where you will find your latest backup file (.fdb)
2. Go to Configuration/Spooler, note where the Spool Path is located. This is where mail messages are stored.
3. Stop FTGate
4. Backup the Spool folder

This information is the Configuration (database) of FTGate as well as the mail, log and archive folders.

New Machine
1. Copy the latest backup database file from the old machine to the new
2. Run the latest installer and select to restore a backup
3. Select the backup from step 1 and finish the wizard
4. After FTGate starts, stop it again
5. Copy the spool folder from the old machine to the new machine. Note that if the drives differ then the spool location will be different.
6. Start FTGate

Log in to Web Admin and check that the settings are OK.

Relay

FTGate as an MX relay

The Internet DNS system allows mail servers to designate which servers will accept mail for a particular domain. Often it is desirable for an administrator to configure additional machines that will accept mail and hold the mail for later delivery to the main server. This permits the administrator to shut down the main server without the loss of incoming mail or, in the event of a network problem, store mail until the problem can be resolved.

FTGate permits two methods for configuring backup MX relays.

Administrator managed MX relay

In this type of relay the administrator manually configures FTGate with the domain names that will be stored and relayed, and the location to which messages will be delivered.

Configuring a manual MX relay
1. Install FTGate onto the relay server
2. Create a Remote Domain in the name of the Domain to be relayed (Creating Domains)
3. Configure the new domain to deliver mail to the primary server (Remote Domains)

Auto-Cluster Managed MX Relay

This relay configuration allows the relay server to download its settings directly from the primary FTGate server. Thus any changes to the primary server are reflected onto the relay server. This is especially useful for hosting companies or ISPs who have many domains to manage and many relay servers to configure.

See Also:
• AutoCluster Overview

FTGate as a DMZ server

Many organizations use a firewall configured with a DMZ to act as a connection point between the LAN and the Internet.
The DMZ allows services that must be available for connection to the Internet to be separated from the LAN portion of the network and thus prevents direct access from the Internet to LAN machines.

The use of the DMZ does raise the issue of how traffic will pass from the Internet to the LAN.

Using FTGate as a DMZ relay

FTGate can be placed in the DMZ and used to relay incoming mail from the Internet to a mail server (FTGate or otherwise) in the LAN. In this configuration the SMTP filters (PTR, SPF, RBL, HELO/EHLO) and Anti-Virus can be used to verify the source of the messages before they are passed to the LAN server.

When used in this way there is no requirement for a direct connection between the Internet and the LAN mail server.

To configure FTGate as a DMZ relay
1. Install FTGate on a machine in the DMZ
2. Configure external mail systems to send to the FTGate machine (either from your ISP or via your MX DNS records)
3. Create a new Remote Domain in the name of your domain (Creating Domains)
4. Configure the new Domain to send to the LAN based server (Remote Domains)
5. Configure the LAN based server to send its outbound mail to FTGate
6. Configure the IP Security for the SMTP server to automatically authenticate the LAN server (Relay Control and Authentication)

Diagram

Upgrade

Upgrading from a previous version

Please select the version you wish to upgrade from
• Upgrading from FTGateOffice or FTGatePro
• Upgrading From FTGate4

Upgrading from older versions

Upgrading from versions older than those listed above is not supported, owing to the differences between them and the current version of FTGate. Your options should be set manually.

Upgrading from FTGateOffice or FTGatePro

This guide will take you through the steps required to upgrade your FTGateOffice/FTGatePro system to FTGate2009. We recommend that in order to make your upgrade experience as easy as possible you read this guide carefully and watch the tutorial videos.
Watch the upgrade video

Pre-Installation Notes

FTGate has a completely new UBEBlock system. Your old training settings and filters WILL NOT be imported. You should refer to the Filter Policies section for details on setting up and training your new system.

FTGate will install a default filter policy. After installation you should check that the policy is suitable and make any required changes.

FTGate has a completely new service security system based on security policies. See Security Policies

FTGate requires that there be at least one local domain with one mailbox. This is used to control login to the server. You may have multiple administrators over different accounts but you MUST have at least one administrator.

The system administrator login is the full email address of a user on the FTGate server. You need to make sure you have a valid username and password AND be a member of the System Administrators group in order to access WebAdmin (see Web Administration).

If you delete all local accounts, or all administrator mailboxes, FTGate will enter safe mode and report the error "Any Admin override active". This allows any user to log in to the admin interface and configure a new administrator for the system.

Robot mailboxes and Autoresponders have been removed and replaced by user mailboxes with mailbox rules (see Mailbox Rules).

User Mailbox features for AutoResponse, Forwarding, Scripts and External Programs have been moved to Mailbox Rules.

If you are installing on a Windows 2000 Server or Windows 2003 Server you should stop the FTGate LDAP service as it will conflict with the Windows LDAP service. See LDAP

If you are installing on Windows 2000 or Windows 2003 Server then you will need to stop the Windows "Simple Mail Transport Protocol" service in the Windows Service Manager.
Review the client sign in change information: Logging Into FTGate

Upgrade Procedure

To perform the upgrade you should run the FTGate installer and, when prompted, select an FTGateOffice or FTGatePro backup database and allow the wizard to complete.

Watch the upgrade video

Post-Installation

The following items should be checked post installation

1. FTGate will reboot after the install and will begin to function. Should you wish to review all the new settings with FTGate disabled you should go to Configuration/System and click the Safe Mode button. FTGate can be restarted by clicking the Restart button, which will return FTGate to a functioning mode.
2. Security Policies: Check that the 3 security policies contain the correct IP address ranges for your network and that the options enabled are correct for your needs.
3. Filter Policies: Check that the settings are acceptable and define UBEBlock training users. Seed the training database with good messages. See UbeBlock Training, UbeBlock Training Notes
4. The root.login domain is only used to configure an administrator for log in purposes; it uses one mailbox and can either be deleted or renamed. If it is to be deleted then a new administrator should be added to the Configuration/Administrators section.
5. User Mail clients: In FTGate all Sign In names are the full email address. Thus your users will have to alter their account settings in their mail clients and add the domain name to the end of their login name. This is required to enforce security privileges.
6. All User Accounts except the administrator will be using the Default User Privileges. You may wish to alter the privilege settings to control various access rights.
7. Check the Outbox configuration.
Specifically check:
• Outbox/Connection/Hostname is set to either your host name or domain name (Hostname configuration)
• Outbox/Delivery/HOST 1 includes your ISP login if required (Outbound SMTP Authentication)

At this stage you should have a functioning server with all the new features of FTGate.

Upgrading From FTGate4

The upgrade from FTGate4 is very simple:

Watch the setup video

After installation you should:

1. Add a new filter rule to your filter policy to trigger on UBEBlock+ spam detection
2. Add a new filter rule to your filter policy to trigger on Stock Spam detection

Using FTGate

Common Tasks

Also see: Troubleshooting

General

• Understanding Domains, Mailboxes and delivering mail
• Mail Flow diagram
• Problems logging into FTGate: See Logging Into FTGate (password errors)

Sending/Receiving via the Internet

• Configuring FTGate to allow access from the Internet. See Access from the Internet
• Configuring FTGate to collect mail from an ISP POP3 mailbox. See SmartPop
• Configuring FTGate to send mail to the Internet. See Sending Mail
• Configuring FTGate to Authenticate with your ISP. See Outbound SMTP Authentication

Managing Mailboxes and Domains

• Creating new mailboxes. See Mailbox Overview
• Adding an alias for a mailbox. See Creating a Mailbox Alias
• Creating a new Domain. See Domain Overview

Managing Filters

• Configuring the FTGate spam filters: See UbeBlock Training
• Bypassing the filter for good addresses: See White List
• Bypassing the filters for known good words: See Safe Words
• Banning addresses: See Black List
• Banning words/Phrases from messages: See Word Filter, Phrase Filter
• Banning attachment types: See Attachment Filter
• Handling spam: See Filter Rules, UbeBlock Rating, UbeBlock Training, UbeBlock Training Notes
• Blocking Viruses: See Anti-Virus Overview

Backup and Restore

• Backup and Restore
• Moving to a new server

Troubleshooting

This page lists some of the common user problems and their resolution.
If the problem is not listed on this page then please check the index for any relevant material. This document also has a search function.

If you have still been unable to find the answer then please visit the support forums or send an email to FTGate Support.

1. UbeBlock is not blocking spam emails
2. I have upgraded from FTGateOffice/Pro and my users cannot login
3. A service will not start and reports "The specified address is already in use"
4. SSL Certificates
5. Unable to send to some domains
6. Messages to Hotmail and other domains are disappearing
7. Server EHLO message rejected with syntax error
8. How do I move FTGate to another machine
9. How do I backup FTGate
10. My users are getting a relaying denied error
11. I can't remember my WebAdmin user name or password, or I have deleted the admin account
12. What firewall ports do I need to open
13. How do I share folders
14. SmartPop delivery issues
15. "Bulk sends not allowed" error
16. "Message size exceeds administrative limit" error

UbeBlock is not blocking the spam emails

At installation the UBEBlock processor is disabled. This is because the basic training of UBEBlock must be performed before it will work correctly and many users were not training it at all. To enable UBEBlock rating of the messages perform the initial UbeBlock Training and then enable the filtering in the filter policy options page.

I have just upgraded from FTGateOffice/Pro and my users cannot login

See: Logging Into FTGate (password errors)

A service will not start and reports "The specified address is already in use."

This is usually seen in the SMTP, LDAP or WebMail service but can be seen occasionally in the other services. It is caused by another program running and using those ports. To resolve the issue the running program must be located and stopped or the service moved to another port.

• SMTP: The usual cause is the Microsoft Simple Mail Transport Service.
To resolve this error open the Windows service control panel, stop the service and set its startup mode to disabled.
• WebMail: This is usually caused by IIS. If you are not using the PC as a web server then you should open the Windows service control panel and then stop and disable the Web Publishing Service. Additional information is available here.
• LDAP: This is usually a problem on Windows 2003 servers because the Active Directory service uses LDAP. In this case you must change the port used by the FTGate LDAP service and alter the mail clients to use the new port.

SSL certificates

See: SSL self signed certificates

I am unable to send to some domains, the mail sits in the outbox.

Many service providers will not accept mail from servers that have an invalid or incorrect hostname configured for the HELO/EHLO SMTP command (Outbox/Connection). Your hostname should be the name that will be resolved by a reverse lookup for your IP address, or at the very least a valid name used in a DNS which resolves to your IP.

For example:

EHLO mx0.ftgate.com
lookup mx0.ftgate.com = 195.224.16.225
lookup 195.224.16.225 = 225.128-255.16.224.195.in-addr.arpa = mx0.ftgate.com

So it resolves to the same address both ways. This is the correct way to have a host defined when sending out using MX records. If both paths are not there then some servers will reject the mail. To configure this you will have to contact your ISP/DNS hosting company.

My messages to Hotmail are disappearing

This is the same cause as 3 above, however, Hotmail simply delete the messages without notification to the server or recipient.

My server is having its EHLO command rejected with a syntax error message

Users of AVG anti-virus and Cisco PIX firewalls may have problems as these two products can be configured to modify the EHLO/HELO message. They replace the EHLO command with XXXX which causes the error. You must reconfigure these devices to allow the command through correctly.
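The two-way hostname lookup described above under "I am unable to send to some domains" can be checked before a name is entered in Outbox/Connection. The following is an added example, not part of FTGate; the function names and the sample resolver tables are assumptions made for illustration, and the live lookups are only used when no resolver is passed in.

```python
import ipaddress
import socket


def resolve_forward(name):
    """Forward lookup: hostname -> set of IPv4 address strings (empty on failure)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except (OSError, UnicodeError):
        return set()


def resolve_reverse(ip):
    """Reverse (PTR) lookup: address -> set of hostnames (empty on failure)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return {primary, *aliases}
    except OSError:
        return set()


def normalise(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.strip().rstrip(".").lower()


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def check_helo_hostname(helo_name, public_ip,
                        forward=resolve_forward, reverse=resolve_reverse):
    """Classify a HELO/EHLO name against the address the mail is sent from.

    match          name -> IP and IP -> name agree (both paths present)
    forward-only   the name resolves to the IP, but the PTR record differs or is missing
    reverse-only   the PTR record gives this name, but the name does not resolve back
    mismatch       neither path links the name to the IP
    not-a-hostname the value is a bare label or an IP literal, not a DNS name
    """
    helo = normalise(helo_name)
    if "." not in helo or is_ip_literal(helo):
        return {"verdict": "not-a-hostname", "forward_ok": False, "reverse_ok": False}
    forward_ok = public_ip in forward(helo)
    reverse_ok = helo in {normalise(n) for n in reverse(public_ip)}
    if forward_ok and reverse_ok:
        verdict = "match"
    elif forward_ok:
        verdict = "forward-only"
    elif reverse_ok:
        verdict = "reverse-only"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "forward_ok": forward_ok, "reverse_ok": reverse_ok}


# Constructed sample data standing in for DNS so the example runs offline.
# The first pair is the example from the text; the second is made up.
SAMPLE_A = {"mx0.ftgate.com": {"195.224.16.225"},
            "mail.example.test": {"203.0.113.10"}}
SAMPLE_PTR = {"195.224.16.225": {"mx0.ftgate.com"},
              "203.0.113.10": {"host-10.isp.example.test"}}


def sample_forward(name):
    return SAMPLE_A.get(name, set())


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, set())


if __name__ == "__main__":
    for name, ip in [("mx0.ftgate.com", "195.224.16.225"),
                     ("mail.example.test", "203.0.113.10"),
                     ("mailserver", "203.0.113.10")]:
        print(name, ip, check_helo_hostname(name, ip, sample_forward, sample_reverse))
```

A "forward-only" result is the "at the very least" case in the text; only "match" satisfies servers that require both paths.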
How do I move FTGate to another machine

See: Moving to a new server

How do I backup FTGate

See: Backup and Restore

My users are getting a relaying denied error

See: Allowing users to relay through your server

I can't remember my WebAdmin user name or password

See: Lost administrator passwords

What firewall ports do I need to open?

See: Firewall ports

How do I share folders and keep the mail on the server.

In order to share mail folders you must reconfigure your client application to connect to FTGate using the IMAP protocol. The IMAP protocol stores the messages on the server with the client being used to read/create messages but not to remove them from the server. The protocol allows for multiple folders and access to shared folders. This also allows Outlook users to stop using PST files on the local PC and allows an administrator to centralise the backup of mail.

SmartPop delivery issues

If you are having problems with SmartPop deliveries please check the following before requesting support:

1. SmartPop overview: SmartPop
2. Reasons why problems may exist: SmartPop limitations
3. Duplicate delivery of messages: SmartPop Duplicate Delivery
4. General delivery problems: SmartPop delivery problems

When I try to send mail to an Outlook list I get a Bulk sends not allowed error

This is caused by the number of addresses in the message header exceeding the limit set by the administrator. You can change this in the SMTP tab of the global security policy together with the settings for the maximum number of recipients for a message.

The bulk sends rejection relates specifically to the number of addresses appearing in the To and CC lines of the message header. If you get this message it is because the email address of everyone you are sending to is in the message header. Thus if you send to 35 people, every person who receives the message gets the email address of the other 34.
If you are in the UK or Europe we would strongly recommend that you do not change this setting. Unless you have permission from each of them to distribute their details you will be breaking the UK/EU data protection act and could face a heavy fine.

We would recommend moving the addresses into an FTGate mailing list, or contact list. These will send the message as a BCC so none of the recipients get the details of any of the others.

My users are getting the message 'Message size exceeds administrative limit'

This limit is set in the security policy being used by the SMTP service in the SMTP tab (Services/SMTP Service/Security, click on the Edit Service Policy Settings link).

General

Logging Into FTGate

In order to protect your valuable data from brute force sign in attacks FTGate requires that all sign in attempts use the full email address of the user. Failure to do this will result in mail clients reporting password errors.

Tip: If you previously signed in using the name "fred" and your domain is "mydomain.com" you will now be required to sign in using "fred@mydomain.com"

Tip: If your email client cannot use the @ character for SMTP and POP3 login then you should use the # character instead.

POP3 Low security option

You can maintain user login with just the username by enabling the "Low Security" option in the POP3 service settings. This option is available if there is only one local domain configured. Thus users with a "root.login" domain must delete that domain before "low security" login can be performed.

With the "low security" option selected users can still use the high security login described in the above paragraph. This allows users to be transferred to the new high security login before the option is disabled.

Tip: If you delete the root.login domain that was created by the installer then you will need to define a new administrator. See Web Administration

Mail Flow

Mail is received by FTGate via either SMTP or SmartPop.
It is then processed through the spooler, virus and spam filters before being passed to either a local domain and mailbox (awaiting user collection), the Outbox (to be sent to the internet), or a Remote Domain (to be sent to a different private server).

This diagram shows how mail flows through FTGate.

Undeliverable Mail

It is common for mail to be sent to a domain that is either incorrectly addressed or deliberately sent to a random user name. Local Domains allow the administrator to determine what action should be taken with incorrectly addressed mail.

Available options

1. Reject the message and send a customised response
2. Send the message to the postmaster
3. Send the message to the postmaster as an attachment
4. Forward the message to the internet
5. Forward the message to another address

Note: Forward the message to the internet (Option 4) will return the message to the internet as if it were being sent from your server. This has the potential to cause a loop as your ISP may deliver the message back to FTGate. This option should be used with caution.

Note: If the Undeliverable Mail action is set to Reject, and mail is delivered to the server using SMTP, then the message will be rejected by the SMTP server and the rejection message will not be sent. The message sent to the originator will depend on the settings of the server sending to FTGate over which you have no control.

Connection Types

There are three ways that FTGate can be connected to the Internet:

1. [LAN] Via a permanent LAN based connection (Broadband, Leased Line, Fibre etc)
2. [Proxy/Router] Via an external Router Modem or Proxy device
3. Profile Via a dial up modem installed in the PC

Each of these options is supported through the selection of the appropriate profile in the Configuration/Network page.
See also:
• Dialling the Internet
• Sending Mail
• Receiving Mail

IMAP Considerations

FTGate has been tested with the following IMAP clients:

Client IDLE Outlook Express X Outlook 2002/XP KMail Ximian Evolution The Bat! Eudora Thunderbird Mulberry X Handles NIL messages (i) Deleted notification Deleted Notification X Error dialog X X X X NOOP Updates N/A XTRASH (ii) N/A X X X X X X X X Error Dialog N/A X X Nil messages

(i) Handling of Nil Messages

The IMAP protocol requires that a server does not delete any message from the server until all connected clients have been notified of its removal. This is to permit clients to request the message contents of deleted messages. There is no facility in IMAP to tell a client that a message has been deleted and thus the request cannot be honoured.

Thus the following is correct using the IMAP protocol:

1. Client A connects to a folder, there are 200 messages
2. Client B and C connect to the same folder. All clients see 200 messages
3. All clients use FETCH and STORE but never do an operation that allows notification of expunged messages, or at least not often enough to count.
4. Client A deletes the first 100 messages
5. Client B deletes the second 100 messages
6. Now client B, after expunging, gets told that the first 100 AND the second 100 are deleted
7. So the three clients now see the following:
   Client C sees 200 messages and can access them all
   Client A sees 100 messages and can access those 100
   Client B sees no messages and cannot access any
8. This can persist for an indefinite period of time

FTGate Technology believe that this is contrary to the whole concept of shared folders, and that there is little point in sharing a folder if all the clients can potentially have different views of it. Thus FTGate will remove messages from the server at the time that the FIRST client EXPUNGEs the message.
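The eight-step scenario above can be replayed with a small model of one shared folder and three sessions. This is an added illustration, not FTGate code; the class and function names are assumptions, and the model only tracks which message numbers each client lists and which of those the server can still return.

```python
class Session:
    """One client connected to the shared folder."""

    def __init__(self, name, folder, idle=False):
        self.name = name
        self.folder = folder
        self.idle = idle                   # client keeps an IDLE command open
        self.view = set(folder.existing)   # message numbers this client lists
        self.pending = set()               # expunges not yet announced to it

    def sync(self):
        """Receive queued expunge notifications (on EXPUNGE, NOOP or IDLE)."""
        self.view -= self.pending
        self.pending.clear()
        self.folder.purge_unreferenced()

    def expunge(self, ids):
        self.folder.expunge(self, set(ids))

    def accessible(self):
        """Listed messages whose content the server can still return."""
        return self.view & self.folder.content


class SharedFolder:
    def __init__(self, count, remove_on_first_expunge):
        self.existing = set(range(1, count + 1))   # not yet expunged by anyone
        self.content = set(self.existing)          # bodies still held on the server
        self.remove_on_first_expunge = remove_on_first_expunge
        self.sessions = []

    def connect(self, name, idle=False):
        session = Session(name, self, idle)
        self.sessions.append(session)
        return session

    def expunge(self, actor, ids):
        ids &= self.existing
        self.existing -= ids
        for session in self.sessions:
            session.pending |= ids & session.view
        if self.remove_on_first_expunge:
            # Behaviour the text describes for FTGate: gone at the first EXPUNGE.
            self.content -= ids
        actor.sync()                       # the expunging client is told at once
        for session in self.sessions:
            if session.idle:
                session.sync()             # IDLE clients are told at once too

    def purge_unreferenced(self):
        """Deferred model: keep content until no session still lists the message."""
        still_listed = set().union(*(s.view for s in self.sessions))
        self.content &= self.existing | still_listed


def run_scenario(remove_on_first_expunge, idle_clients=()):
    """Steps 1-7 of the text; returns {client: (listed, accessible)}."""
    folder = SharedFolder(200, remove_on_first_expunge)
    clients = {n: folder.connect(n, idle=n in idle_clients) for n in "ABC"}
    clients["A"].expunge(range(1, 101))     # step 4
    clients["B"].expunge(range(101, 201))   # step 5
    return {n: (len(c.view), len(c.accessible())) for n, c in clients.items()}


if __name__ == "__main__":
    print("deferred removal       ", run_scenario(False))
    print("removal at first expunge", run_scenario(True))
    print("same, all clients IDLE ", run_scenario(True, idle_clients="ABC"))
```

With removal at the first expunge, clients A and C still list messages they can no longer fetch until they synchronise, which is the blank content or error dialog case; with IDLE every view is empty straight away.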
This may result in clients that do not synchronize frequently showing either blank content or an error message (see table for handling). Clients that support the IDLE command will not suffer from any of these problems and all views of the folder should remain concurrently correct.

(ii) Handling of XTRASH

FTGate supports an XTRASH IMAP extension that is an experimental FTGate only extension. Configuration of this option is only available through WebAdmin, WebMail and SolSight. There is no third party support for this extension expected.

This extension modifies the standard IMAP handling such that rather than "flag as delete and then expunge", FTGate will move messages that are marked as deleted into a specified trash folder. It will then Expunge the folder, removing the messages. All connected clients will be notified of the changes when possible, see (i) above.

Limitations: Mail in shared folders will not be subjected to trash can operation; these messages will default to the IMAP delete/expunge model as there is no shared trash can.

(iia) The XTRASH command

The XTRASH command will be announced by the text XTRASH on the CAPABILITY line of the IMAP server response.

C: CAPABILITY
S: OK CAPABILITY .... XTRASH ...

Obtaining the current trash folder

C: XTRASH
S: * XTRASH "current trash folder"
S: OK XTRASH COMPLETED

Setting/disabling the current trash folder

C: XSETTRASH "new trash folder"
S: * XTRASH "current trash folder"
S: OK XSETTRASH COMPLETED

Setting the new trash folder to a blank string will disable trashcan operation.

Forwarding Messages

When messages arrive in a user's mailbox it is often required that the message is sent or copied to another address. This is performed with mailbox Inbox Rules. The following steps are used to create a forwarding rule.

1. Open the user's mailbox in WebAdmin or WebMail
2. Go to the Inbox Rules page
3. Type the name of the new rule e.g. forwarding to joe
4. Click add
5. Click on the new rule
6. Check the apply to all messages box
7. Change to the Actions tab
8. Check Forward to the following address
9. Enter the required address e.g. joe@soap.com
10. If you want to have the message deleted after forwarding, check the delete message option
11. Check the Rule Enabled option
12. Click Save

This rule will forward all mail arriving in the mailbox to Joe's email address.

Macro Expansion

FTGate includes some expandable macros that can be used to make the message body specific to a particular message condition or mailbox as follows:

Details from the original message:
$SUBJECT$ $FROMADDRESS$ $TOADDRESS$ $FROMNAME$ $TONAME$ $RCPTADDR$ $HEADER$

Virus message:
$FILE$ $VIRUS$

Mailbox:
$MAILBOX$ $NAME$ $ADDRESS$ $COMMONNAME$

Group mailbox tracking message:
$TRACKING$

List mailbox messages when in distribution list mode:
$NAME$ $ADDRESS$

Anti-Spoofing

FTGate implements strong anti-spoofing features. This means that it will not accept mail from any address that it hosts unless the connection is authenticated by SMTP or the Security Policy AA flag.

450 4.7.1 Please authenticate and try again (#3.21)

If a user gets this error then they must enable SMTP authentication in their mail client.

If an automated machine causes this error then add the address of the sending machine to the Global Security Policy with the following options:

Address: whatever
Mask: 255.255.255.255
Flags: PA and AA

If neither of the above is appropriate then you must enable spoofing in the security policy options.

See Also:
• Security Policy Options

Send and Receive

Receiving Mail

Mail is received by FTGate in one of two ways: SMTP or SmartPop.

SMTP

SMTP is used to send mail from your mail client to the mail server and then from the mail server to the ISP or the rest of the internet.
It is a protocol designed for sending messages between two servers and as such, if you can have your mail delivered to your server using SMTP, this will offer the best performance and reliability.

The SMTP service can also be used to filter mail to prevent UBE mail entering your server.

See Also:
• Managing Services and Security Policies
• Outbox
• Remote Domains
• RBL Sites
• SPF

SmartPop

SmartPop is a POP3 client that can connect to a remote ISP POP3 mailbox and then download and deliver mail.

See Also:
• SmartPop

Outbound SMTP Auth

Outbound SMTP authentication is achieved by extending the ISP SMTP host entry in either the Outbox/Delivery page or a Remote Domain/Delivery page. Outbound authentication is not available when using MX delivery options.

The format is:

host address[:host port][; login id;password]

e.g. mail.isp.com:25;fred;mypassword

Bracketed items are optional.

Sending Mail

FTGate sends outbound mail using SMTP/ESMTP. Mail that is intended to be delivered to general recipients on the internet is sent through the Outbox. Mail for specific domains that are not hosted can be sent through a Remote Domain.

See Also:
• Outbox
• Remote Domains
• Outbound SMTP Authentication

SmartPop

FTGate includes SmartPop which is a technology which allows FTGate to collect mail from an ISP's POP3 mailbox and be able to correctly deliver almost any message without the user needing to make any configuration choices beyond turning SmartPop on.

When delivering messages in its automatic mode SmartPop can do the following:

1. Deliver messages for users who have mailboxes directly to them and prevent duplicates from being delivered.
2. Deliver mail for unknown users of a local domain in accordance with the configured domain settings which includes bouncing the email with an undeliverable report.
3. Return incorrectly addressed email as undeliverable or send it to a special recipient.
FTGate also includes the option to bounce mail that is too large, thus preventing FTGate from using up too much bandwidth and telling the original sender why their message was not delivered.

These changes now give SmartPop the same flexibility of delivery as SMTP.

See Also
• Configuring SmartPop
• Delivering SmartPop mail to a single user
• Delivering SmartPop mail to domain users
• SmartPop limitations

Signatures/Disclaimers

A domain wide signature can be added to all outgoing mail. To configure the signature you should go to the Domain/Signature property page, enter a signature and enable the signature.

Signatures will be attached to the first text and first HTML section in a message.

Signatures will only be applied to messages that go through the outbox. Messages to other local domains or remote domains will not have the signatures applied.

See: Domains/General

Remote Domains

A Remote Domain functions as an Outbox but contains mail only for a specific domain. To create a remote domain see Creating Domains.

To configure a Remote Domain for direct delivery to an IP Address

If a dial up profile is to be used see Dialling the Internet

1. In Domain List, click Domains
2. In Hosted Domains, click on the appropriate Domain Name
3. In Connection Options / Network Profile, select the required profile, [LAN] or [Proxy/Router]
4. In Delivery Mode, select Immediately
5. In Host name, enter your Domain Name
6. Click Apply
7. Click Delivery
8. In Delivery Route, select SMTP Hosts
9. In SMTP Hosts / Host1, enter the IP address of the remote host
10. Click Apply

Tip: The host name can consist of several parts, some of which are optional:

host address[:port][; login id;password]

This shows that you must specify the host address and that you can optionally supply a port and login information.

e.g. If you wished to connect to a server called mail.me.com on port 345 you would specify a host name of

mail.me.com:345

To connect to the same server and login as 'bob@mail.me.com' with a password of 'eggs' you would specify

mail.me.com:345;bob@mail.me.com;eggs

To configure Remote Domain for direct delivery via MX Records

MX delivery is not recommended over dial up connections (*). A suitable DNS server will be required for correct delivery of mail (DNS).

1. Select a domain
2. In Connection Options / Network Profile, select [LAN] or [Proxy/Router]
3. In Delivery Mode, select Immediately
4. In Host name, enter your Domain Name (**)
5. Click Apply
6. Click Delivery
7. In Delivery Route, select MX Hosts
8. In If delivery fails, select Hold mail in queue for later delivery
9. Click Apply

NOTES

* MANY ISPS WILL NOT PERMIT MX DELIVERY THROUGH THEIR NETWORK DUE TO MISUSE AS A SOURCE OF SPAM.

** MANY SERVERS WILL NOT ACCEPT MAIL FROM SERVERS WITH AN INCORRECT HOST NAME.

Greylisting Delays

If you have reached this page due to an error return on a message that you have sent then you should contact your hosting server, or network advisor and request that they fix their mail system.

Your message has been bounced in error by your outbound mail server which should have, in accordance with RFC2821, queued your message for retry.

The response code

450-4.7.1 Server busy please try again later

is an instruction to your outbound mail system that there is no error in transmission but the receiving server is currently unable to process the request and it should try again after a short delay, typically around 30 minutes (as recommended by RFC2821). This response is not an error code (which would start with a 5) but a temporary delay caused by Greylisting.

THIS IS NOT AN ERROR OF THE RECEIVING SERVER.
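The difference between the faulty outbound server described above and one that queues correctly comes down to how the first digit of the reply is handled. The following is an added example, not FTGate code; the function names are assumptions, the 30 minute interval is the one given in the text, and the four day queue lifetime is a value chosen for the example.

```python
import re
from datetime import datetime, timedelta

RETRY_INTERVAL = timedelta(minutes=30)   # delay named in the text
GIVE_UP_AFTER = timedelta(days=4)        # assumption: queue lifetime for this example

# Three-digit code, then "-" (more lines follow) or " " (last line), then text.
REPLY_LINE = re.compile(r"^(\d{3})(?:[ -](.*))?$")


def parse_reply(lines):
    """Turn the line(s) of one SMTP reply into (code, text)."""
    code, text = None, []
    for raw in lines:
        match = REPLY_LINE.match(raw.rstrip("\r\n"))
        if match is None:
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        if code is not None and match.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        code = match.group(1)
        text.append(match.group(2) or "")
    if code is None:
        raise ValueError("empty reply")
    return int(code), " ".join(part for part in text if part)


def naive_action(reply_lines):
    """The faulty behaviour: anything that is not a success is bounced."""
    code, _ = parse_reply(reply_lines)
    return "delivered" if 200 <= code < 300 else "bounce"


def next_action(reply_lines, first_attempt, now):
    """Queueing behaviour: 4xx is retried later, only 5xx is a failure.

    Returns (action, retry_at) where retry_at is None unless action is "retry".
    """
    code, _ = parse_reply(reply_lines)
    if 200 <= code < 300:
        return ("delivered", None)
    if 400 <= code < 500:
        if now - first_attempt >= GIVE_UP_AFTER:
            return ("bounce", None)          # queued too long, report failure
        return ("retry", now + RETRY_INTERVAL)
    if 500 <= code < 600:
        return ("bounce", None)
    raise ValueError(f"reply {code} is not a final delivery result")


if __name__ == "__main__":
    start = datetime(2009, 1, 1, 9, 0)       # constructed timestamp
    greylisted = ["450-4.7.1 Server busy please try again later"]
    print("naive  :", naive_action(greylisted))
    print("queued :", next_action(greylisted, start, start))
    print("retried:", next_action(["250 2.0.0 Message accepted"], start,
                                  start + RETRY_INTERVAL))
```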
Additional references:

Greylisting in FTGate

For the original Greylisting whitepaper please see this whitepaper by Evan Harris: http://projects.puremagic.com/greylisting/whitepaper.html

Additional information is available here: http://www.greylisting.org/

Wiki: http://en.wikipedia.org/wiki/Greylisting

Accessing FTGate from the Internet

FTGate is by default configured to allow SMTP access from the internet. There are two ways that FTGate can be connected to the Internet:

FTGate has a fixed valid internet address

In this case you should be able to access FTGate from the internet using either the IP address of FTGate or its name.

e.g. 195.124.124.189 or myserver.mydomain.com

If external servers are unable to access FTGate on port 25 then you should check the following:

1. Your network firewall is open on port 25 for external connections
2. Your Windows firewall is open on port 25 (it is better to add an exclusion for FTGate on all ports).

Note: Each security policy has a dedicated address range for the internet that is listed as WAN. This contains the settings used when FTGate is accessed by any machine whose IP address is not listed in any other range.

FTGate is behind a NAT router

If your FTGate machine is behind a NAT router, and has an IP address that is either 192.168.x.x or 10.x.x.x, then you should check the following:

1. Your NAT router has port forwarding enabled on port 25 from the Internet to the LAN address of FTGate.
2. Your Network Router/firewall is open on port 25 for external connections
3. Your Windows firewall is open on port 25 (it is better to add an exclusion for FTGate on all ports).

If you are behind a NAT firewall then there are additional steps you should take with FTGate to prevent your server becoming an open relay.

You should determine the NAT IP address of your NAT router (which has the port forwarding) and add it to the "Global Security Policy" with only the PA flag set.

e.g. 192.168.1.124/255.255.255.255 with PA flag set

See Also:
• FTGate behind a NAT router/firewall

Accessing other services from the Internet

If you wish to access POP3/IMAP/WebMail from the internet then you must change the security policy used by the appropriate service to be the "Global security Policy"

Getting the mail to FTGate

After you have configured FTGate and your network to allow connections to FTGate you must then arrange for mail to be delivered to FTGate directly from other servers:

1. You must verify with your ISP that they allow delivery of mail from the Internet to your address; some ISPs do not permit mail to be delivered directly to your server.
2. Your ISP will deliver all the mail that is for your domain to your address or
3. You must update your DNS server to include MX records specifying the IP address of FTGate is to handle mail for your domain. You should contact your DNS hosting company or ISP regarding this.

Note: If your ISP is delivering mail from their machines directly to your machine then you cannot use the options for Greylisting, SPF Validation, or PTR validation.

Management

Web Administration

In order to use Web Administration a user must have an account in FTGate and that account must be a member of the system administrators. The system administrators are defined on the Configuration/Administrators page.

Tip: If you enter a group User ID, then all members of that group will also have access to the WebAdmin Interface.

Tip: If you delete an administrator's mailbox they lose all access rights and will no longer be an administrator. Creating a new mailbox in the name of the old administrator will not restore their rights as the mailbox will have a different security id.

See Also: Access Control Lists (ACL)

Activating a Licence Key

NOTE: ACTIVATING A LICENCE KEY ON TWO SERVERS IS A VIOLATION OF THE EULA AND FTGATE TECHNOLOGY RESERVE THE RIGHT TO DISABLE A SERVER SHOULD ITS LICENCE BE ACTIVATED ON A DIFFERENT SERVER.
Activation of FTGate is a requirement of using this software. The procedure is simple using a Wizard. If there are any problems during activation, then please contact support@ftgate.com describing your problem and including a copy of your log file and your registration licence key.

See Also:
• Registering and Activating Licences

Activation FAQ

• When do I need to activate?
You need to activate an FTGate server when you install it for the first time, move FTGate to a different machine or re-install the operating system.

• How do I reactivate after moving the server?
To reactivate your server on the new hardware you should follow the original activation procedure.

• Can I reactivate under a different account/email address?
No, once a licence has been activated it cannot be moved to a different registered user. However, you can alter your registration settings including the email address and password from the members website.

• Do I need to contact FTGate Technology in order to reactivate?
There is no limit to the number of auto activations you can make. However, you can only reactivate manually 3 times without having to contact FTGate Technology. This allows a system admin to create a new server in the event of a severe failure. However, after the third activation you will have to contact us to reset the system for you.

• What can I do if I have lost my members account password?
If you visit the members website there is a link for lost passwords. Following this link will cause the password to be emailed to your account.

• My server has stopped, what can I do?
If you stop and restart FTGate it will run for one hour before stopping; this will allow you to continue while you activate the server.

Lost administrator passwords

When the software was installed one of the email accounts created on the server was set to be the administrator. In order to log into the WebAdmin service you need to use the email address and password of the account that was set as the administrator.
In the event that none of the administrators can remember their passwords it is necessary to override the login protection of WebAdmin. In order to prevent this being a trivial action, and thus rendering the use of the user account and password meaningless, it is necessary to have the user take an action that only a system administrator can perform, thus ensuring that the person making the changes is actually authorised to do so.

Login Security Override

To override the security in FTGate you should:

1. Click Start
2. Click Run
3. Type RegEdit
4. Click Enter
5. Open the tree HKEY_LOCAL_MACHINE/SOFTWARE/FTGate Technology/FTGate
6. Right click in the right hand pane and create a new DWORD entry called "AnyLogin" with the value of 1
7. Exit RegEdit
8. Restart FTGate

FTGate will then start up in suspended mode with the Admin login security disabled; you can click sign in and you will be allowed in. We recommend that the first priority is to go to the Configuration/Administration page and enter the email address of a new administrator into the list. The new administrator will then be able to log into WebAdmin using their normal email address and password.

The new key will be removed at login, so the next time FTGate is restarted the administration override will be removed.

See Also: Web Administration

Emergency Recovery

Suspended mode

You can force FTGate into a suspended mode with the following script placed in the startup.fts file in the scriptlib folder

<%
var s = new server.system
s.suspend()
%>

Safe Mode

When in Safe-Mode FTGate will stop processing all services except for WebAdmin. This can be useful when trying to resolve issues that are preventing FTGate from running correctly.

You can also force FTGate into suspended mode using a startup script or the registry (see Emergency Recovery)

Database support

FTGate supports data storage in either its own database or in an ODBC database.
[currently tested with MySql and MSSql]

To configure FTGate for ODBC database operation you need to do the following:
1. Install the database software on the machine that is to host the database
2. Create a database called FTGate
3. Open the ODBC database configuration tool in the Windows control panel
4. Create a new SYSTEM DSN called FTGate, attach it to the database provider and set it to select the FTGate database (from step 2 above).
5. Remove the contents of the FTGate Config folder.
6. Create a text file called ftgatedb.dat
7. Edit the file to contain the following:

    <dbconfig>
    <provider>DBTYPE</provider>
    <dsn>ftgate</dsn>
    <password>database_password</password>
    <username>database_access_username</username>
    </dbconfig>

8. Set DBTYPE to be either MySql or MsSql depending on the database type you are using.

SQL Based Mailing Lists

FTGate allows administrators to create a mailing list from an external database of addresses held in an SQL database. To use an external SQL list you need to configure a DSN connection and an SQL statement that will retrieve the addresses for the message.

The DSN MUST be a system DSN.

The SQL query results must contain the columns 'Name' and 'Address'. Thus if the database does not contain these columns, the SQL statement should create them in the returned data set.

See: Members

Permissions/Access rights

Various objects in FTGate can be shared among users. These are:
• User Folders
• Address Books
• Calendars
• Tasks

The level of access to these objects can be restricted by giving the users permissions. There are five levels of access:

Access Level: Description

Read
    All: Users can see the contents of the object
Read/Write
    In addition to the above:
    Folder: Users can set message flags.
    Other: modify the details.
Read/Write/Create
    In addition to the above:
    Folder: Users can move messages into the folder
    Other: Users can create contacts/events/tasks in the object
Read/Write/Create/Delete
    In addition to the above:
    All: Users can delete the contents of the object
Read/Write/Create/Delete/Manage
    In addition to the above:
    All: Users can share the object with others.

There are also some administration level access rights for:
• Quarantine folder
• Local domain UbeBlock training folders
• Access to Web Admin (System Administrators)

Customising SolSight Web

FTGate2009 allows for a very simple method of customising the initial welcome screens and logos used in the user interface.

Process
1. Locate the folder Webs5/assets
2. Copy the contents to a new folder (this is to prevent your logos being overwritten if we update our logos)
3. Replace the logo files with your own matching files. Keep the names and dimensions the same.
4. In the Services/WebMail Interface/virtuals add a new entry
   url: /assets
   path: the path to your files (e.g. c:\program files\ftgate2009\myassets)
5. Test your changes

Security Policies

Each service in FTGate is controlled by a security policy. The policy specifies the top level control of the service. In the policy you can specify, by IP address and range, the authentication and relay options available to users of your server.

By default there are three policies; users can create further policies as required:
• LAN security Policy
By default this policy is used by all services that are normally accessed by the LAN users (POP3, IMAP4, LDAP, WebMail, Connector), which can be considered to be trusted connections.
• WebAdmin Policy
By default this is used by the WebAdmin. A separate policy is used for WebAdmin to reduce the possibility that a configuration mistake will lock the administrator out of the WebAdmin interface. Extreme caution should be used when changing this policy.
• Global Security Policy
By default this policy is used by all SMTP services. It contains settings that are suitable for machines that connect from the internet and are not trusted sources.

Each service that uses a policy has the same security settings. Thus an address banned in a specific policy is banned in all services that use that policy. Each service may only use one policy, but a policy can be shared among more than one service.

A policy consists of two parts: an address list, which specifies how different IP addresses should be handled, and a group of settings for each service type.

The addresses are selected in order of priority; the priority is simply the number of bits set in the mask field. Thus if an address matches two entries, the one with the most bits set in the mask will be used.

The following describes the flags used in the Address fields:

Flag (Name): Function

PA (Permit Access)
    If this flag is set an IP address has access, otherwise it is rejected.
AA (Automatic Authentication)
    If this flag is set the connection is assumed to be authenticated. For SMTP it is the equivalent of a successful AUTH command sequence having been completed. It will not affect services that require a login. Note that setting this flag on the WAN address range of the Global security policy will make your server an Open Relay.
AS (Permit SMTP Authentication)
    This flag permits machines in this address range to issue SMTP AUTH commands and authenticate against the server. If the flag is clear NO machines in this range can authenticate.
AM (Permit Authentication by mailbox access)
    This flag checks to see if any valid logins to either POP3/IMAP have occurred in the last 5 minutes; if so, the connection is assumed to be authenticated.
AR (Allow Relaying)
    This flag enables authenticated users to relay mail through the server. If this flag is clear then machines in this address range will NEVER relay.
RBL (Reject connections with RBL entries)
    This flag causes all connections from within the specified address range to be validated against the RBL server list specified elsewhere. If the address is found the connection will be rejected.
BAN (Allow Addresses to be blacklisted)
    If this flag is set, any connections that attempt a detectable DOS attack will be auto banned.
LL (Limit login attempts/SMTP Errors)
    If this flag is set IP addresses will be prevented from trying multiple login attempts (default 5). This protects against attempts at brute force password breaking. Each bad login is counted from each specific address regardless of the service type. So if I make bad logins for 2xPOP3, 2xIMAP and 1xSMTP I get banned. This option also triggers protection against SMTP bad addresses. If this option is enabled the sending client/server will be banned after the specified number of bad recipients. The ban period is defined elsewhere in the policy.
BL (Blacklisted Address)
    If this flag is set the address is considered aggressively blacklisted. This flag is usually only set by the autoban option (above). Connections from blacklisted addresses are automatically denied.
PTR (Reject connection with invalid DNS PTR records)
    This option will check that the IP address of the connected computer has a valid PTR record.
HE (Validate HELO command is valid)
    This option validates the HELO domain and ensures that it is correctly formatted and it is not an IP address.
GL (Use greylist)
    See: Greylisting
SPF (Validate senders address against domains SPF data)
    This option will validate the sender's email address against the SPF records for the domain of the sender. If the address is not in the valid range then the message will be rejected. If a domain does not publish SPF data then the message will be accepted.
Relay Control and Authentication

In order to prevent unauthorized use of your mail server, FTGate has a series of controls that can be used to limit both the amount of access and the relay abilities of those that access your SMTP Server.

Relaying is the condition in which the recipient of the message is not hosted on your server. It usually only occurs if either one of your users sends an outbound message (authorised use) or a spammer is trying to use your server to hide the original source of their unwanted messages (unauthorized use).

Security Policy IP Options

To control access to the SMTP server you need to configure the following flags for the address range you wish to control.

PA (Permit Access)
    Setting this flag will allow an address within the address range to connect to the server.
AA (Auto Authenticate)
    This setting will consider all connections from within the address range to be authenticated; however, access to facilities that require specific mailbox privileges will NOT be granted without further authentication.
AS (Authenticate by SMTP)
    This flag will cause the SMTP server to permit access to the SMTP authentication protocol functions. If this flag is cleared then no mailbox authentication will be possible.
AM (Authenticate by Mailbox)
    This flag will cause the connection to be considered authenticated if a recent mailbox access was made from the connected IP address. This does not give access to facilities that require specific mailbox privileges.
AR (Authenticated Relaying)
    This flag will enable authenticated users to relay through the server.

If the AR flag is cleared, then no relaying is possible. If the AR flag is set but the AA, AS and AM flags are cleared then again no relaying is possible.

NOTE: SETTING THE AR AND AA FLAGS ON AN ADDRESS RANGE WILL GRANT THAT ADDRESS RANGE UNRESTRICTED RELAYING AND SHOULD BE AVOIDED UNLESS THE IP RANGE IS TRUSTED NOT TO ABUSE THE PRIVILEGE.
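The address-priority rule from the Security Policies section and the AR/AA/AS/AM relay rules above can be modelled in a few lines to audit a policy before it goes live. This is an added example, not FTGate code: the entry layout, function names, return labels and sample ranges are assumptions, masks are assumed contiguous, and an address with no matching entry is assumed to be refused.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyEntry:
    """One row of a policy address list: an address range plus its flags."""
    network: ipaddress.IPv4Network
    flags: frozenset


def entry(cidr, *flags):
    """Build a policy row from CIDR notation and flag names (hypothetical helper)."""
    return PolicyEntry(ipaddress.ip_network(cidr), frozenset(flags))


def select_entry(entries, client_ip):
    """Pick the matching entry with the most bits set in its mask."""
    ip = ipaddress.ip_address(client_ip)
    matches = [e for e in entries if ip in e.network]
    # Assumption: masks are contiguous, so "bits set" equals the prefix length.
    return max(matches, key=lambda e: e.network.prefixlen, default=None)


def relay_decision(entries, client_ip, smtp_auth_ok=False, recent_mailbox_login=False):
    """Return 'reject', 'local-only' or 'relay' for an SMTP connection."""
    e = select_entry(entries, client_ip)
    # Assumption: an address that matches no entry is treated as having no access.
    if e is None or "PA" not in e.flags or "BL" in e.flags:
        return "reject"
    if "AR" not in e.flags:
        return "local-only"  # AR clear: this range never relays
    authenticated = (
        "AA" in e.flags                                # connection assumed authenticated
        or ("AS" in e.flags and smtp_auth_ok)          # SMTP AUTH permitted and completed
        or ("AM" in e.flags and recent_mailbox_login)  # recent POP3/IMAP login from this IP
    )
    return "relay" if authenticated else "local-only"


def unrestricted_relay_ranges(entries, trusted):
    """List ranges with both AA and AR set that lie outside the trusted networks."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    risky = []
    for e in entries:
        open_relay = {"AA", "AR"} <= e.flags
        if open_relay and not any(e.network.subnet_of(t) for t in trusted_nets):
            risky.append(str(e.network))
    return risky


# Constructed sample policy (not taken from a real FTGate installation).
SAMPLE_POLICY = [
    entry("0.0.0.0/0", "PA", "AS", "AR", "RBL", "PTR", "HE", "GL", "SPF"),  # WAN range
    entry("192.168.0.0/16", "PA", "AA", "AR"),   # trusted LAN
    entry("192.168.5.0/24", "PA"),               # LAN subnet that must not relay
    entry("203.0.113.0/24", "PA", "AA", "AR"),   # external range granted AA+AR by mistake
]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.5.10", "198.51.100.7", "203.0.113.9"):
        print(ip, relay_decision(SAMPLE_POLICY, ip))
    print("AA+AR outside trusted ranges:",
          unrestricted_relay_ranges(SAMPLE_POLICY, ["192.168.0.0/16"]))
```

The /24 entry wins over the /16 for 192.168.5.10 because it has more mask bits set, so that host cannot relay even though the wider LAN range can.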
Authentication Controls

The security policy has a section specifically for the SMTP server. In the SMTP Authentication section the administrator can specify whether the authentication mechanism should check the attempted authentication against a hosted mailbox or against the explicitly specified entries. If the explicit entries method is used then users will have to match the details entered in the policy. However, while the users will be able to relay, they will not be able to access any facilities that require specific mailbox authentication.

Service access control

Each service has an access control list available. If this list is enabled then the service can only be used by users who authenticate with a specific mailbox and password; other users will be rejected. Thus if the access control list is enabled, and the AS flag is not set, no users will be able to access the system.

Senders MAIL FROM Address control

In most circumstances administrators will desire that the sender's from address of a message matches the authenticated address for the connection. This ensures that an account is not hijacked because of poor password choice.

The domain privileges offer control over the permitted from address of a message and can be set such that:
1. The from address must match the authenticated address
2. The from address must be from the same domain as the authenticated address (note that it does not have to be a valid mailbox name).
3. The from address can be any address and does not have to match any part of the authenticated address.

If the connection is authenticated with either the AM, AS or the explicit authentication options then there are no checks made on the from address.

Note that the from address in the message is not checked, as there are many legitimate reasons why the message header might have a different from address. However, it is desirable for the SMTP session "MAIL FROM" address to match the authenticated address.
Summary

FTGate offers a wide range of flexible options for authentication and relay control. In its default configuration it is not possible for unauthorized users to relay through the server. It is recommended that administrators carefully consider the possible consequences before changing the authentication and relay options.

See:
• Security Policies
• Security Policy Management
• Policy Access Rights
• Configuring LAN access

Access Control Lists

Access to all the resources in FTGate is controlled by Access Control Lists (ACL). An ACL consists of a set of one or more local account IDs (email addresses) and some access rights associated with them. If an email address is a member of an ACL then it may access the resource which is controlled by the ACL. For example, the WebAdmin interface can only be accessed by members of the System Admin ACL, and a shared folder can only be accessed by users who are in the shared folder's ACL.

Some ACL lists do not have any options to limit their access. For example, all members of the System Admin ACL can access WebAdmin with no restrictions, while a folder user may only have read access to a folder, in which case they will be unable to delete or otherwise change the folder's contents.

If a group address is added to an ACL then all members of that group have access with the rights associated to that group. Thus if the sales group has read access to the sales contact list then all members of the sales group also have read access to the contact list.

ACL conflicts

ACL conflicts occur if a user has access to a resource via more than one ACL entry, for example if they are in two groups that are both listed in the ACL. In this case the user is assigned the highest access rights for the resource.

Configuring LAN access

By default FTGate creates a LAN security policy which it assigns to all the services that are usually used by LAN users rather than WAN users.
Thus this policy is by default selected for POP3, IMAP4, LDAP, WebMail, and the Connector.

Should a service require WAN access, it is recommended that the policy for that service be changed to the Global policy rather than modifying the LAN policy. This will prevent confusion over which addresses can access which service.

SSL

SSL Description

SSL is a protocol that permits secure communication between two computers. The servers use certificates to identify themselves and verify that they are who they say they are. This protocol is widely used in web pages to allow secure banking and shopping over the Internet.

TLS is essentially the same as SSL; the only difference is that it is a mechanism by which a connection can be transferred from being insecure to secure at the request of the connected computer. For example, a mail client can be connected in a non-secure mode to port 25 of a server and then start a TLS session, which will then encrypt the rest of the data using SSL.

SSL Support in FTGate

FTGate supports SSL and TLS on the following.

Feature: SMTP Server, SMTP Send, HTML Server, POP3 Server, SmartPop, Connector Server, Replication Client
SSL: X X X X X X X
TLS: X X X X

Services that support TLS have the option of requiring that TLS be selected. If the client does not switch to TLS then the connection is rejected.

Installing a self signed certificate

See: SSL self signed certificates

Configuring SSL

After installing a certificate, configuration of the service or client is simple.
1. Go to the Service or client page
2. Select the encryption type and select the certificate
3. Stop and start the service or client.

Internet Explorer and SSL attachment problems

Some users experience problems when attempting to download attachments from FTGate when using SSL. These problems are due to the security options set in Internet Explorer.
To resolve the problem, open Internet Explorer and in Tools/internet options/advanced, under the security section, clear the check box "Do not save encrypted pages to disk".

SSL self signed certificates

In order to use SSL or TLS for any service you must install a server certificate. This can be done by purchasing a certificate from a trusted certificate vendor or by installing a self signed certificate.

A self signed certificate allows secure communication without the cost of purchasing a certificate. However, the certificate cannot be verified by a user's client or browser, which will display a warning. The user must then select to continue with the certificate despite the trust warning.

Creating a self signed certificate

We have often been asked why we do not supply a certificate that can be installed on your PC to run WebMail etc. There are various reasons, but the main one is that you should use a real certificate that is unique to your installation. It is simple to do this, and to make life easier we have put the required files into a self extracting zip file and included a batch file to run in order to create and install a self signed certificate. You can then use this certificate in FTGate.

Please note that using SSL does slow down all services that use it due to the overhead of encryption. So if you only use a service over the LAN there is no point in using SSL.

You can download the zip from here:

Download the file and run it, and store the files in a known location. Then use the DOS command box to run the batch file with a single argument, the server domain name you wish to use, e.g.

    cert www.myserver.com

This will create and install a certificate called www.myserver.com. You should make this name the hostname of your computer as typed in your browser.

Filtering, Anti-Spam, Anti-Virus

Overview

FTGate has comprehensive filtering tools to help you combat spam, viruses and other malicious messages.
These policies allow each domain to have either its own or a shared policy that will control how mail for the domain is handled. This allows filtering on a variety of options including:
• email address
• message content
• attachments

Filters may be applied to one or more domains. Each domain that shares a filter will share the settings, filtering options and the result of any UBEBlock training that may occur.

A Filter can also be applied to SMTP, in which case the filter options will be used to accept or reject the message:
• Black list
• White list
• Prohibited Words
• Prohibited Phrases

See Also:
• Setting up spam filtering
• Minimising Spam
• Whitelisting
• Greylisting
• Whitehosting
• Blacklisting
• Filter Rules
• Safe Words
• SPF Validation
• SPF
• UBEBlock Rating
• UbeBlock Training
• UbeBlock Training Notes
• Anti-Virus Overview

Setting up junk filtering

[This document is based on V5.1]
[Note: examples use mycompany.com as the domain. Please replace it with your own domain name and do not just copy the examples!]

In order to achieve the best possible filtering of junk, viruses and spam from mail, FTGate has a layered approach to the problem of identifying junk messages.

Layer 1 - SMTP

SMTP is the way that mail should be moved around the internet (it's how your mail client sends mail to FTGate and how FTGate sends mail to the internet). When mail arrives using SMTP there are various pieces of information available to FTGate for it to determine whether the message is from a real sender or is likely to be from a source of junk:
• IP address:
  Are they a known spammer (RBL list)
  Do they have a correct retry policy or are they a trojan infected machine (greylisting)
  Do they have a valid reverse pointer (PTR); all real servers should have this.
• Hostname (HELO):
  Did they sign on using a valid host name which is correct for their IP address
• Senders address:
  Is the IP address listed as a valid address for the domain (SPF Lists)
• Header data:
  Is the header valid

These tests usually give a very definite indicator of junk. While it is simple for a real sender to set these items to be correct, senders of junk mail and trojans find it very hard to get these things correct, and in the case of SPF, if the records are configured correctly it is not possible for them to fake the authenticity of messages being sent.

Layer 2 - Text based filtering

The layer one filtering can eliminate 99% of all junk mail. The remaining mail can be filtered fairly simply using the remaining filter options. At this stage the message has been received and it looks like a valid message, in that there is nothing suspect about the sender, so we now have to perform analysis of the text.

FTGate performs several levels of text analysis on the messages:
• UBEBlock+
  Message URLs - does the message link to any known junk sites
  Is the header suspect
  Does the message have any known pattern that looks like junk
• Stock Filter
  Does the message match a standard stock option advert
• Content Analysis
  Does the message violate any rules that may indicate it is junk

Layer 2 based filtering is never as effective as layer one because it is not difficult to create a junk mail message that looks like a real message to a computer program. Valid mailing lists that users often want to read look very like junk. If it were sent to a user other than the intended recipient it would be classed as junk. Thus filtering at this level will always be less effective than filtering at level 1.

Note: Layer 2 filtering can remove all the junk. However, the more effective it becomes at removing junk, the higher the chance that a valid message will get blocked.
Mail delivery

Many users, when they start using the filtering, are surprised when we ask whether they collect their mail using SmartPop or have it delivered using SMTP. You can see from the above two layers that it is an important question.

If you have your mail sent directly to your server from the internet, then the chances of correctly identifying and blocking junk are very high. However, if you collect your mail using SmartPop from a POP3 mailbox at your ISP, you have effectively given the Layer 1 filtering to your ISP; if they do not perform any filtering then you just have to do the best you can at layer 2.

Setting it up

So you have just set up your server and want to eliminate the junk. What do you have to do?

Level 1

If you get your mail delivered using SMTP directly from the Internet then you need to go to the Global Security Policy so you can set the SMTP filtering.

Go to Services/Global Security Policy/Addresses and in the WAN range set the HDR, SPF, HE, PTR, GL and RBL flags. Then go to the Configuration/DNS page and make sure you have a valid DNS server (see DNS Servers). Then on the Configuration/RBL page make sure you enter at least one RBL site (see RBL Sites).

You're now set for level one filtering. That's 99% of the junk blocked.

Level 2

This is where it gets a little more complicated, as the content analysis part of the filter needs to know what good and bad messages look like for your domain. To do this we go through a process of training, and then we monitor the results, making changes as we go.

Accessing the training folders

To get the best results and make life easier for yourself as an administrator, you should at this stage connect your mail client to FTGate using the IMAP protocol. This is configured in your email client in the same way as POP3, only you select IMAP rather than POP3 as the client.
When connected to FTGate using IMAP you will find that the mail client shows you a list of the folders available in your mailbox and possibly some shared mailboxes from other mailboxes. The shared mailboxes are shown under a folder "shared".

To gain access to the FTGate folders used for setting up the junk filters and performing filtering, you should go to the local domain setting for your domain in WebAdmin (Domains/MyCompany.com) and click the Filters tab. You will then see options for selecting a filter policy (more on that later) and the mailboxes that can perform training.

By default the filter policy should be "Default Domain" and the training should list "system@mycompany.com" and "administrators@mycompany.com". This means that the system mailbox can access the training folders and anyone in the administrators group can access them. If these options are not set, then set them.

Now if you go into your mail client IMAP folder or SolSight Web you will see that the new folders are available. It is now possible to access the training folders.

First time training

To give FTGate an idea of what messages are treated as good in your network, it helps to perform an initial training set by taking a selection of 30 typical messages that are not junk and using your mail client to drag and drop them onto the "UbeTrainingNotSpam" folder. The messages will sit in the folder for a while and then will be deleted as FTGate processes them.

Setting the filter options

In WebAdmin, click on Filters/Default domain. You can now see the options that provide the level 2 filtering.

Now we want to filter the mail, but we probably don't want to filter mail from users in our address books. We also want to use UBEBlock+ as it is very good at filtering advertising junk. Click Options and set the Filter Control to "Do not filter messages from authenticated and whitelisted addresses", and check the UBEBlock+ option.
Then click the UbeBlock tab and set the UbeBlock option to "Generate UbeBlock rating and apply UbeBlock rating adjustments".

Now we want to include our address books in the Whitelist. Click Whitelist and check the "Include addressbooks". Now click the button.

Setting the rules

In order to actually filter the messages and allow control over what happens to a message, the filtering is performed by a set of configurable filter rules. Click Filter Rules to see the default.

The default rules are set to allow messages through that should be let through, delete those that are from blacklisted senders (senders who we can identify as being bad), and tag the rest. We can ignore those that let the mail through by default, as you most likely will never need to change them. What you are most likely to want to change are those being tagged.

The process of tagging causes the subject of the mail to be altered with a text tag, so that when the message arrives in the user's mailbox they can see that it has been tagged and thus identified as being suspect. As an administrator you may want to change this behaviour so that users don't see suspect messages unless they have been approved.

Setting a special recipient

In order to make life easier for the administrator, FTGate has the option of delivering all suspect mail to a specified mailbox where it can be reviewed. This mailbox may be the administrator's own mailbox, or preferably it can be a different mailbox. Let's set this up.

First we need to create the junk handling mailbox. Go to Domains/MyCompany.com/Mailboxes and create a new user mailbox "junk".

Now open, in WebAdmin, the junk mailbox and go to the folders page. Click the share button next to Inbox, and set the Read/Write/Create and Delete options for the "Administrators" mailbox. Then click Update, then close the window.

Now if you go back to your mail client and check the folders you will see that the new junk mailbox has its inbox shared with your mailbox.
So you can now read anything in the junk mailbox and, if training is required, you can copy the messages from the junk inbox to the training folders.

Note: If it's in the junk folder and it is junk, don't copy it to the UbeTraining Spam folder.

Sending the junk to the junk user

So now we want to send the suspect mail to the junk mailbox. Go back to the WebAdmin/Filters/Default domain/Filter rules page. Select the rule that you want to redirect to the junk user and click the rule name to open up the rule properties. Click the action tab and from the action drop down box select SR, then enter the email address of the junk mailbox junk@mydomain.com into the Special recipient box. Save the changes and repeat for any other rules you want to send to the special recipient.

We are now all set up for handling the junk. If you wish to add more administrators for junk handling you can simply add them to the administrators group and they will have access to training and the junk folder.

False positives

The number of false positives you get will be dependent on how harsh and how well trained your system is. See UBEBlock Training and UBEBlock Training Notes. Generally it is better to train false positives than false negatives.

When you have a false positive you need to be able to get it to the original recipient as quickly as possible. Unfortunately most mail clients don't have a facility for redirecting mail without altering it as a forward. Some allow forwarding as an attachment, which the correct recipient can then open and reply.

SolSight Web has the ability to redirect messages without altering the message. This is the best way to redirect incorrectly trapped mail. SolSight Web can also be used to train the system in the same way as IMAP and offers the same views as IMAP.
Reducing the number of false positives can be achieved through the correct training of the system (don't let your general users train junk unless they know what they are doing; see UbeBlock Training Notes).

Minimising Junk/UBE mail

FTGate has a powerful set of features that can be used to eliminate most of the UBE mail before it reaches the user's mailbox. The most effective way to eliminate UBE is to not let it onto your system. If it does reach your system then you need to use the Filtering facilities to filter out the UBE.

Stopping the UBE before it gets into the system

The best solution to filtering UBE is to reject it before it is received by your server. This is best achieved by filtering the messages as they are sent to FTGate.

Recommendations:
1. Have your ISP send your mail to you using an SMTP feed.
   It is much harder to filter spam once your ISP has accepted it for you. If possible bypass your ISP and have your mail delivered directly to your PC.
2. Turn on PTR record checking
   This will verify that the PC sending you mail has published its details on the Internet. Most legitimate machines do this, most UBE sources do not.
3. Turn on HELO checking
   Only mail clients should use a dotted IP address as their HELO; mail servers should use their domain name.
4. Turn on SPF
   This will require that the server sending you mail is authorised to handle mail for the specified domain. UBE rarely comes from the domain it pretends to use, and thus it will usually fail an SPF check. (See SPF)
5. Turn on RBL
   This will stop all servers that are known to be sources of UBE (See RBL)
6. Turn on GL
   This will prevent practically all Spam and Virus messages from being accepted, at the cost of a small delay in mail delivery to your system for unknown senders. See Greylisting

Using Filtering

Once the mail reaches your system, the only way to block UBE is to filter it. FTGate includes a powerful set of filters that can eliminate practically all of the UBE received.
To obtain the best filtering the following should be considered:

Filter Policy/UbeBlock

• Adjustment if recipient's mailbox is in the Subject
  Many UBE sources place the mailbox name in the subject line. For example, if "Great news fred@somedomain" is received the rating could be increased by 25.
• Adjustment if there are three or more consecutive spaces in the Subject
  Adjust the rating for messages that have a sequence of spaces in the subject. For example, if "New offer HKQOF" is received the rating could be increased by 25.
• Acceptable proportion of unknown words against known words (Unknown ratio)
  This detects how many garbage words there are. Often SPAM is padded with garbage to try to confuse Bayesian filtering and hit any safe word detectors. Detecting that a message is padded in this way can simplify filtering. The ratio is calculated as the number of unknown words/known words. Thus if there are 25 unknown words and 5 known words the ratio is 25/5 = 5.
• Adjustment when message exceeds Unknown ratio threshold
  This adjustment is applied when the above ratio is exceeded. Thus if the ratio were 5 and there were 25 junk words and 5 known words the specified adjustment would be made.
• Weighting for images
  This weighting is applied for each image in a message, e.g. if the weighting were 5 and 5 images were in the message, the rating would be increased by 25.
• Weighting for external images
  This weighting is applied for each image in a message that is a link to an external image on the Web. This is often used by Spammers to track emails. Your address is verified by them when you view the message and the image is downloaded from their server. e.g. if the weighting were 5 and 5 images were in the message, the rating would be increased by 25.
• Weighting for web links
  This weighting is applied for links to the internet. UBE often has links, while normal mail usually does not. e.g. if the weighting were 5 and 5 links were in the message, the rating would be increased by 25.
• Weighting for unknown words
  This is a simple weighting applied for the number of words in the message that are unrecognised, e.g. if the weighting were 2 and 50 unrecognised words were in the message, the rating would be increased by 100.

In addition the main UbeBlock filter will obtain a rating which will be modified by the above values.

All of these settings result in an overall UBE rating which can then be used with the Filter rules to filter messages.

It is recommended that all filtered mail be directed to a mailbox which can be examined by an administrator. This will allow the administrator to verify that the filtering is operating as expected and that any false positive messages can be retrieved and delivered to the correct user.

Greylisting

One of the new features in FTGate is the option of SMTP Greylisting. Greylisting is a way of filtering out the large majority of spam and virus sources on the net. In order to understand how it works we need to look at how mail is normally passed around the internet and how we can use this mechanism to help us filter the mail.

Mail is passed between machines on the net using SMTP, and the SMTP protocol is designed to be resilient to failures of both the net and of individual servers. A mail server that complies with the SMTP RFCs will try to send a message to a destination a number of times before giving up and returning a failure. The exception to this is if the destination rejects the message, in which case the sender will bounce it immediately.

Part of the protocol allows a destination to tell a sender that it is currently busy and the sender should try again later. When this occurs the sender should hold the message in its queue and try again after a time delay. This allows the destination to delay mail when its load is too high or there is a server problem.
How does this help us to filter out the spam and viruses?

The main sources of spam and viruses are zombie relays that are not true SMTP mail servers. They are designed to try an address and then move on to the next address. If an address fails then they don't retry. Thus if we reject the connection with a busy signal, they will never retry and we will never get the spam or virus message.

So how does it work?

When a server tries to send a message to FTGate, FTGate makes a note of the sender's IP, the sender's address and the recipient address. If it has never seen these three before, it rejects the connection with a busy message telling the sender to try again later. When the sender retries, FTGate will accept the message.

There are a few modifications to this simple approach to make sure that the sender is really a true mail relay and not just a slightly smarter zombie. A slightly smarter zombie might retry the same connection immediately after a failure, in which case it would get through, so we add a little dead time to the Greylist entry so that any retry within the dead period is also rejected. This means that if a spam or virus zombie author wants to send the mail to us they have to make their software quite a bit more sophisticated.

The other problem that we face is what to do with the thousands of bad connections that we reject. In one 4 day period the FTGate main server rejected 3500 connections with Greylisting. These were connections that never retried. Obviously if we never clean out these connections from the Greylist it will get very large indeed. So FTGate has two timeout periods for Greylist entries. The first is for those connections that never try again; this is a short timeout period that drops the zombies from the list. The second is a longer timeout for connections that did try again and have been passed. This ensures that the list doesn't grow too large and that good connections are saved to prevent delays.
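The decision logic described above (triplet lookup, dead time, and the two timeout periods), sketched as an added example; it is not FTGate's code. The 24 hour zombie timeout is the default this guide states; the dead time, the passed-entry timeout, the reply strings, refreshing a passed entry on use, the IP-only whitelist and every address in the sample are assumptions or constructed data.

```python
"""Greylist decision sketch (added illustration, not FTGate's implementation).
Time is passed in explicitly (seconds) so the behaviour can be replayed offline."""
from dataclasses import dataclass

ACCEPT = "250 accepted"
DEFER = "451 busy, try again later"  # assumed wording; any temporary (4xx) reply fits


@dataclass
class Entry:
    first_seen: float      # when the triplet was first deferred
    last_seen: float       # last accepted delivery (only meaningful once passed)
    passed: bool = False   # True once a retry arrived after the dead time


class Greylist:
    def __init__(self, dead_time=300, zombie_timeout=24 * 3600,
                 passed_timeout=30 * 24 * 3600, whitelist_ips=()):
        self.dead_time = dead_time            # assumed value
        self.zombie_timeout = zombie_timeout  # 24 hrs: the default stated in the guide
        self.passed_timeout = passed_timeout  # assumed value for the longer timeout
        self.whitelist_ips = set(whitelist_ips)
        self.entries = {}                     # (ip, sender, recipient) -> Entry

    def _expired(self, entry, now):
        if entry.passed:
            return now - entry.last_seen > self.passed_timeout
        return now - entry.first_seen > self.zombie_timeout

    def purge(self, now):
        """Drop expired entries so the list cannot grow without bound."""
        stale = [k for k, e in self.entries.items() if self._expired(e, now)]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def check(self, ip, sender, recipient, now):
        if ip in self.whitelist_ips:          # e.g. your own MX relays
            return ACCEPT
        key = (ip, sender, recipient)
        entry = self.entries.get(key)
        if entry is not None and self._expired(entry, now):
            del self.entries[key]             # a retry after the timeout starts over
            entry = None
        if entry is None:                     # never seen: note it and defer
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return DEFER
        if entry.passed:                      # known good sender: no delay
            entry.last_seen = now             # assumption: use refreshes the entry
            return ACCEPT
        if now - entry.first_seen < self.dead_time:
            return DEFER                      # immediate retry, still inside dead time
        entry.passed = True                   # genuine retry after the dead time
        entry.last_seen = now
        return ACCEPT


def replay(attempts, greylist):
    """Run (time, ip, sender, recipient) attempts in order; return the replies."""
    return [greylist.check(ip, s, r, now=t) for (t, ip, s, r) in attempts]


# Constructed sample traffic (documentation address ranges and example domains).
SAMPLE_ATTEMPTS = [
    (0,     "192.0.2.10",   "alice@example.org", "fred@example.com"),  # real server, first try
    (5,     "203.0.113.7",  "x@example.net",     "fred@example.com"),  # zombie, first try
    (10,    "203.0.113.7",  "x@example.net",     "fred@example.com"),  # zombie retries at once
    (900,   "192.0.2.10",   "alice@example.org", "fred@example.com"),  # real server retries
    (1000,  "192.0.2.10",   "alice@example.org", "fred@example.com"),  # later mail, same triplet
    (2000,  "198.51.100.5", "news@example.net",  "fred@example.com"),  # slow sender, first try
    (92000, "198.51.100.5", "news@example.net",  "fred@example.com"),  # retries after 25 hrs
]

if __name__ == "__main__":
    for attempt, reply in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS, Greylist())):
        print(attempt, "->", reply)
```

The last two sample attempts show the "retry is longer than the zombie timeout" case: the entry has already expired when the retry arrives, so the sender is deferred again and is never accepted unless it is whitelisted.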
Any greylist system will require the ability to add whitelist entries. FTGate allows you to add both whitelist and blacklist entries by IP, sender, recipient and HELO address of the sending server. In addition each filter policy has the option of bypassing the greylist if the sender has been SPF Validated.

What are the disadvantages of Greylisting?

As with any system that is so good at wiping out spam there are going to be some problems.

1. The sender doesn't retry!
   There are some mail servers that are simply badly written. They don't care about internet RFCs and assume that any send error is a complete failure and simply bounce the message. These servers are broken and must be explicitly whitelisted.
2. The sender retry is longer than the zombie timeout!
   While not broken, these servers don't put much value on trying to send the message through. The default for the zombie period is 24hrs and any real server that doesn't retry a message within 24hrs is very poorly configured. Again, these servers must be explicitly whitelisted.
3. The sender is part of a server farm!
   Some servers try to send a message and then, when it fails, punt it to another server, which will then retry later. Obviously, if the time taken to go round all the punt servers is longer than the zombie timeout, the message will never be accepted. Thus the timeout must be chosen appropriately or the sender must be whitelisted.
4. I have MX relays!
   If you have MX relays then they should all implement greylisting. While most zombies will not retry after a given time, a large number are designed to automatically try the MX backup for a domain in the event of a failure. Thus if you do not greylist on the relays the spam will simply flow in through them instead. In addition, you don't want mail that comes in through a relay to be delayed so you must also whitelist your own relays.
5. My mail will be delayed!
   The first time someone sends to you there will be a delay, and the period is under control of their mail system administrator. Thus if their administrator sets their mail system to retry every 8 hours there will be an 8 hour delay. Subsequent sends will be instant. This is the price of cutting the spam and viruses: the rate at which you get the first email depends on how important the sender's administrator thinks their mail is. However, in real terms it is irrelevant for most of the time. If you have a contact that you know will send you messages, such as a supplier, you can whitelist them. If it is another source then immediate response is probably not an issue as many things can occur to delay a message, even with no whitelisting, and most users are aware of this. If you really must accept all mail immediately, then you would just turn off greylisting and accept that you will get more spam.

Greylisting is a powerful new tool in fighting spam and viruses but it also has some potential issues that should be considered before using it on your system. You should review the above points and decide if their impact is acceptable to your needs before implementing greylisting on your server.

For the original Greylisting whitepaper please see this whitepaper by Evan Harris: http://projects.puremagic.com/greylisting/whitepaper.html

Additional information is available here: http://www.greylisting.org/

Whitelisting

A whitelist is a list of addresses that are from known contacts. The whitelist is usually used to bypass all content filtering. The addresses to be whitelisted can be entered into the filter policy using Pattern matching characters.

To enable more flexible processing of messages it is possible to either include or exclude whitelisted addresses from filtering.

See: Filter Whitelist, Filter options

Whitehosting

Whitehosting is a method of whitelisting that uses the sending server's hostname to define the messages as being whitelisted.
Any message from a whitehosted server will be treated as if its sender is whitelisted. The hostname applies only to messages received via SMTP and uses the text string sent in the EHLO/HELO command. The string is entered into the filter whitelist using Pattern matching characters.

See: Whitelisting, Filter Whitelist

Blacklisting

Blacklisting is the name given to a list of email addresses from which you specifically do not want to receive messages. Each blacklist entry can be either a complete email address or a partial email address with Pattern matching characters.

The action taken when detecting a blacklisted address depends on whether the filter is being applied at the SMTP or domain level.

• SMTP
  The sender's address and entire message will be rejected. Any bounce operations are handled by the sending server.
• Domain
  The filter policy specifies the action taken using the filter rules. See: Filter Rules

See: Filter Blacklist, Filter Rules

Filter rules provide a mechanism for the administrator to define the handling of messages that meet certain criteria. A filter rule can be configured to trigger on a variety of information including:

• Message sender
• Message recipient
• The message UBE rating
• The message contains a safe word
• The message is from a white listed address
• The message is from a black listed address
• The message is from an SPF validated source
  Note: this option requires that either FTGate or your ISP added an SPF V1 header to the message
• The message contains a prohibited word
• The message contains a prohibited phrase
• The message passed through an RBL listed server
• The message is from an authenticated sender
• The message contains a specific word or words
  By default all non-alpha characters are removed from strings that are entered into this list. In order to enter a string with non-alpha characters you must enclose the string in quotes, i.e. "the-string".
The filter can take one of the following actions depending on the above options:

• Deliver normally
  The message will be delivered normally.
• Deliver normally and send a tagged copy to the Special Recipient
  The message will be delivered normally but a copy will be sent to the Special Recipient with the subject line appropriately tagged.
• Deliver normally and send the Special Recipient an attached copy
  The message will be delivered normally but a copy will also be sent to the Special Recipient as an attachment.
• Deliver normally but tag the subject line
  The message will be delivered but the subject line will have the appropriate tag added.
• Deliver as an attachment in a tagged message
  The message will be delivered but as an attachment to a message with a suitably tagged subject line.
• Deliver to the Special Recipient
  The message will be redirected to the Special Recipient.
• Deliver as an attachment to a tagged message to the Special Recipient
  The message will be sent to the Special Recipient but as an attachment in the message with a suitably tagged subject line.
• Delete the message and send the rejection message
  The message will be deleted and the rejection message will be sent to the original sender.
• Delete message
  The message will be deleted and no further action taken.

Safe Words

Safe words are used to detect messages that have content that should be accepted regardless of other considerations. For example, you may add your product names to the safe word list, so that any messages that refer to your products by name can be intercepted and handled separately.

The safe word list is part of a filter policy and it should be noted that its behaviour is dependent on the filtering level being applied.

• SMTP
  At the SMTP level the detection of a safe word will prevent other content dependent filters from rejecting the message. For example, a message that contains a safe word and also contains a bad phrase or bad word will be accepted.
• Domain
  At the domain level the detection of a safe word will set the safe word flag for subsequent filter rule processing.

See: Overview, Filter Safe Words

SPF Validation

SPF (Sender Policy Framework) is a DNS based system that allows a mail server to check that the IP address of a source of mail is authorised to send mail for a given domain.

When a mail message is received, FTGate retrieves the SPF records for the sender's email address and verifies that they include the IP address of the sending server.

SPF checking is enabled in the Security Policy of an SMTP. The result of the SPF check can also be used in the Filter Policy Rules and used to bypass Greylisting.

SPF checks will not be performed for authenticated users (See Relay Control and Authentication).

External References: http://spf.pobox.com/

Anti-Virus Overview

FTGate offers various levels of support for different anti-virus products.

• Full support
  This level of support is offered where the Anti-Virus vendors have given FTGate Technology access to their anti-virus API. At the time of writing these are AVG, Sophos and Panda.
• Partial support
  This level of support applies to products whose vendors have not supplied an API with which to access their product. In this mode the level of scanning and error reporting will depend on the basic features of the scanner. Scanners supported in this mode include Norton, McAfee et al.

How it works

When a message is received it is parsed to determine if there are any attachments in the message. If there are any attachments then FTGate extracts each attachment into a folder on the hard disk. It then attempts to either scan the file (if there is full support) or open the file to read back its contents. If the file was infected the virus scanner will either report an error or prevent access to the file, delete or quarantine the file, in which case the attempt to read the file would fail and FTGate would know the attachment was infected.
It would then move the whole message to a quarantine folder and notify the postmaster.

Will it work with my Anti-Virus product

There is a simple way to determine if the FTGate scanner interface will work with your anti-virus product. The following steps will determine compatibility:

NOTE: THIS TEST USES THE STANDARD EICAR ANTI-VIRUS TEST SIGNATURE. IT IS NOT A VIRUS. IT IS USED TO TEST THAT ANTI-VIRUS PACKAGES ARE CORRECTLY INSTALLED AND WORKING.

1. Create a new text file on your desktop called eicar.txt (right click the desktop and select "New | Text Document")
2. Cut the following line from this document and paste it into eicar.txt
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
3. Save the file
4. Rename the file eicar.com
5. Make sure that your anti-virus product is enabled
6. Double click on eicar.com to execute the program

If your anti-virus package prevented access to the file by either denying access, deleting or quarantining the file, then your scanning package is compatible with FTGate. If it allowed the program to run then your anti-virus package is not compatible and virus scanning is not an option on your system.

NOTE: YOU SHOULD NOT SET YOUR ANTI-VIRUS SCANNER TO REPAIR INFECTED FILES. IF YOU DO THIS, FTGATE WILL BE ALLOWED TO ACCESS THE FILE AND IT WILL APPEAR THAT THE FILE IS NOT INFECTED. FTGATE WILL THEN PERMIT THE ORIGINAL MESSAGE CONTAINING THE INFECTED ATTACHMENT TO BE DELIVERED. IT WILL NOT REPLACE THE OLD ATTACHMENT WITH THE DISINFECTED VERSION.

NOTE: YOU ARE RESPONSIBLE FOR ENSURING THAT YOUR USE OF AN ANTI-VIRUS PACKAGE WITH THIS MAIL SERVER, AND IN THIS MANNER, DOES NOT VIOLATE ANY LICENCES YOU MAY HAVE WITH YOUR ANTI-VIRUS VENDOR. IF YOU ARE IN ANY WAY UNSURE ABOUT THE LICENSING OF YOUR ANTI-VIRUS PRODUCT AND WHETHER IT MAY BE USED IN THIS MANNER YOU SHOULD CLARIFY THE SITUATION WITH YOUR ANTI-VIRUS VENDOR BEFORE ENABLING ANTI-VIRUS SUPPORT. FTGATE TECHNOLOGY AND ITS AGENTS WILL NOT BE HELD RESPONSIBLE FOR ANY LICENCE VIOLATIONS THAT OCCUR.

ALTERNATIVE SCANNER SUPPORT

FROM TIME TO TIME FTGATE TECHNOLOGY WILL RELEASE ADDITIONAL MODULES THAT WILL ALLOW FTGATE TO ACCESS DIFFERENT ANTI-VIRUS PACKAGES. CHECK OUR WEB SITE FOR ADDITIONAL MODULES THAT MIGHT BE AVAILABLE.

UBEBlock

UbeBlock Rating

UbeBlock normally calculates a spam rating based upon the content of a message. The rating adjustments page provides a set of modifiers that will adjust the UbeBlock rating for certain message features. This can greatly aid the identification of Spam.

See Also
• Minimising Junk/UBE mail

Suggested Settings

The following rating adjustments are used on the FTGate Technology servers. We have found them to be effective.

Setting                                                                        Value
Adjustment if recipient's mailbox is in the Subject                            50
Adjustment if there are three or more consecutive spaces in the Subject       50
Acceptable proportion of unknown words against known words (Unknown ratio)    20
Adjustment when message exceeds Unknown ratio threshold                        40
Weighting for images                                                           30
Weighting for external images                                                  75
Weighting for web links                                                        20
Weighting for unknown words                                                    10

UbeBlock Training

How to configure for first use

By default FTGate creates a Default Domain filter policy. This filter policy has a set of rules preconfigured but it is untrained. We recommend that the following method be used for the initial configuration of the UbeBlock ratings.

1. Connect your mail client to the IMAP port
2. Open the shared folders and find the UbeTrainingNotSpam folder
3. Go into your sent items folder and find 30 messages that cover a broad spectrum of the type of emails that you send and receive.
4. Copy them into the UbeTrainingNotSpam folder

Now UbeBlock is primed with a base set of the language used in your messages. Messages that do not fall into this category will be marked as spam. Messages that get through can be dropped into the UbeTrainingSpam folder to improve detection rates.

How to train

Two training methods:

a) By dropping the message into the appropriate IMAP shared folder. Access to the shared folders can be configured in the Local domain options. This is the recommended training option.

b) By sending a message to the system mailbox, e.g. system@mydomain.com
   1. The message sender must i) be authenticated by IP or AUTH and ii) have access rights to the spam training system
   2. The message must have a subject of "spam" to train as spam
   3. The message must have a subject of "notspam" to train as not spam

UbeBlock Training Notes

Whitelist Bypass

If you use the option to bypass whitelisted addresses from the filtering option then you bypass all of the analysis and reduce the processing required considerably. Normally whitelisted mail is delivered without filtering so the default is correct. Clearing the option may result in mail from whitelisted addresses being bounced or deleted depending on the rules you define. Thus care should be taken when adjusting the whitelist settings.

Automated Self Training

It is inadvisable to use the spam or RBL messages detected by UBEBlock to train UBEBlock. Automated training in general is not advised for the following reasons:

1. RBL lists are not proof of spam. Messages can come through an RBL server that are not spam. If you train just one of these it will ruin your training.
2. Many spam messages are seeded with hundreds of innocent words that would appear as legitimate (they are used to try to fool statistical filtering). Thus you seriously reduce the margin between the good and the bad. In the worst case this makes it practically impossible to get good training because the RBL spam is swamping any attempts to train good messages. Eventually all mail looks the same and you will have to delete the training and start again.
3. Training a good message as spam by accident will undermine the whole training process and may result in your having to start again. So please be careful.

Bounce or Delete

In general it is better to bounce mail rather than delete.
Nearly all spam comes from invalid addresses, and in such cases a bounce will just get deleted. If any real mail is bounced it will reach a real user and will tell them to try again. Bouncing mail, even for legitimate addresses, does not confirm to spammers that the address is real.

Who should train

All training should be done by a person who understands the nature of spam and has been told the issues below.

1. Always make sure that you train in the right way. Mixing the spam and not spam training will result in very poor performance.
2. Don't train all the messages. Take a look at the message first: if it has many real words included in the message, do not train it as spam, you will only make it easier for the next one to come in.
3. Use the unknown word weightings (UBEBlock Rating) to improve spam detection. It is easier to train UBEBlock with real messages and have it reject anything it does not recognise.

Backup and restore

Disaster Planning

No matter how good your server software, sooner or later the worst will happen and a hardware failure will occur. When this happens it is usually considered a major catastrophe as all communication in your organisation will stop. The problem becomes even more pronounced with groupware and IMAP because all of the essential information and company mail is stored on the server, preventing anyone from looking at any mail they have received. This can completely cripple an organisation.

Because of this it is worth considering what steps are appropriate to return mail handling to normal in the shortest time possible. There are a number of measures that can be taken to provide various levels of protection at differing costs. This paper will look at some possible configurations that offer different recovery times at different costs.

All of these considerations will focus only on the single point of failure problem.
This is the scenario in which only one failure occurs, such as the motherboard of the Mail Server failing, rather than the multiple failure scenario, such as a lightning strike that blows up every computer on the network.

Single Point of Failure

The mail server can be considered as three main parts:

1. The mail server software
   FTGate in our case
2. The mail server configuration
   The options in use and mailboxes configured etc.
3. The mail store
   The computer's hard drive

The disaster recovery plan should consider how each part should be recovered or protected.

Basic Protection

In the simplest scenario the administrator will take a backup each day using a tape drive or other system. This protects the server software, the configuration and the mail store. In the event of a server failure the backup will be restored to either another server or the repaired server.

While this approach is low cost it can also result in extensive system down time, which may prove expensive in other ways. It also relies on the backup system not being damaged by the failure and on another PC being available or the original being repaired quickly. In addition, any mail received since the last backup will be lost.

While this is the most common approach it is not considered to be a suitable solution.

Minimal Downtime

Any viable solution for disaster recovery should allow the administrator to recover normal operation in the shortest possible time. Thus it is important that the system in use is protected against the failure of a single server or component of the server. This implies that we should separate those parts onto different machines.

Dual Machines

At this stage it becomes obvious that the minimal downtime can be created by running two servers which are connected. At various times of the day the entire mail store and configuration are copied from the main server to the backup server. This results in a machine being available which can, at short notice, be used to replace the original.
In the event of a failure, the IP address of the backup PC will be changed to match the original and the mail server software will be started. This is required, otherwise the mail client software of the users will not be able to connect to the new server. The physical changes needed will be quite small and can be made in as little as 15 minutes.

However, the issues with this type of system are that any mail received or configuration changes made between the copy intervals will be lost and the IP addresses of the PC will need to be altered. Also, while the time taken to switch between machines can be low, if the failure occurs during unmanned hours, the actual outage could be very long. Thus in addition to the backup machine an MX relay should also be incorporated to hold inbound mail in the event of a failure.

Segmented Cluster

This solution is the most complex and expensive but offers a system that can result in any single failure affecting only a small number of users. In this system the user accounts are separated over different machines and the failure of any one machine only affects the accounts of those on that machine. This also has the advantage that high bandwidth users can be handled by the faster machines.

Full discussion of this will be made in a separate White Paper.

Backup and Restore

All system administrators should take care to perform regular backups of their mail system. The mail system rapidly becomes the heart of any organisation and loss of the system, even for a few hours, can be very costly.

See also
• Disaster Planning

Internal Backup

FTGate makes regular backup files of all its system settings and mailbox configurations (including groupware features). This allows an administrator to recover from human errors such as accidental deletion of accounts or domains. These files are stored in the ConfigBackup folder and can be used to restore FTGate to its configuration for the date of the backup.

Internal Restore

This method is used when an administrator has made an undesirable change to FTGate or the database needs to be restored to an earlier snapshot. This will restore the domains, mailboxes, groupware items and all other options held in the main database.

To perform an Internal restore the administrator should:

1. Stop FTGate using the FTGateIcon utility
2. Rename the FTGate/config folder
3. Restart FTGate
4. When the wizard starts, choose to restore an FTGate backup
5. Browse to the FTGate/ConfigBackup folder and select the appropriate file
6. Complete the restore wizard and allow FTGate to restart

Full Backup

It is recommended that the administrator uses an external backup device to ensure that in the event of a disaster the system can be recovered in the shortest possible time.

The following items should be committed to an external backup device:

• The FTGate/ConfigBackup Folder
• The FTGate/Config Folder (and subfolders)
• The Spool and all subfolders
• All domain folders and mailbox folders (that are not part of the spool folder)

Full Restore

To restore FTGate after the loss of a hard drive or other disaster:

1. Install FTGate
2. Stop FTGate
3. Restore the following from the external backup:
   • The FTGate/ConfigBackup Folder
   • The FTGate/Config Folder (and subfolders)
   • The Spool and all subfolders
   • All domain folders and mailbox folders (that are not part of the spool folder)

Tip: All folder paths should remain the same. Changing the folder paths can result in loss of functionality or data.

Utility Applications

FTGateArchive

The FTGateArchive utility is a Windows application that gives searchable access to all the messages in the archive. In addition the archive tool can be used to search messages that have been moved to offline storage, e.g. a DVD drive.

Starting FTGateArchive

FTGateArchive can either be started by using the Start Menu option in Windows or by locating the FTGateArchive.exe file in the FTGate program folder on the server.
The application can also be run on a desktop machine by copying the executable program to the required machine.

Configuring FTGateArchive

The archive utility is configured by selecting Tools/Options from the FTGateArchive menu and selecting the appropriate paths:

• Location of Archive Files
  This is either the archive folder for FTGate or the backup medium location, e.g. c:\spool\archive or d:\
• Location of Spool/Inbox
  This is the location of the Spool/Inbox folder on the FTGate server. In order to forward messages from the archive you will need to specify this directory and make sure that you have write/create privileges on the server. If using a share to access this folder then ensure that the share has the correct privileges.

Accessing an Archive

After starting and configuring FTGateArchive it is possible to search the archive for specific data or view all the data.

Searching:

To search for a specific message or group of messages enter the data or part of the data you wish to search for. For example:

• To find all messages to/from fred@domain.com you would enter fred@domain.com in both the From and To fields, select Apply Filter, select Match Any, then click Refresh.
• To find all the messages to/from all users at domain.com you would enter domain.com in both the From and To fields, select Apply Filter, select Match Any, then click Refresh.
• To find messages from fred@domain.com to any user at domain.com you would enter fred@domain.com in the From field, domain.com in the To field, select Apply Filter, select Match All, then click Refresh.

Archive Actions

FTGateArchive permits the selection of one or more messages. It is then possible to take the following actions with a right mouse click on the selected items:

• Copy to clipboard
• View the source text of message
• Forward the message to a specific address bypassing all FTGate filters
• Save the message to a .eml file that can be opened by Outlook Express or other applications.

FTGateIcon

The FTGateIcon runs in the tray area of the server PC and supplies the administrator with a rapid method to do the following:

1. See the running state of FTGate
   - FTGate is running normally
   - FTGate is suspended and requires attention
   - FTGate is not running
2. Start and Stop FTGate
   Right click on the Icon (shown above) and select Start FTGate or Stop FTGate
3. Open the Status Window
   The status window shows any warning or critical events that have occurred since FTGateIcon was started. To show the status window right click on the Icon and select Show Status
4. Run the Monitor
   Right click on the Icon and select FTGateMonitor to start the monitor
5. Start WebAdmin
   Right click on the Icon and select WebAdmin to launch a browser window and access WebAdmin

FTGateUpdate

The FTGateUpdate tool is used by FTGate when in auto and manual update mode.

Applying Manual Updates

If an update (.fau) file is supplied by FTGate Technology, the update can be applied by double clicking the update file, in which case FTGateUpdate will automatically run and apply the update.

To perform a manual update, download the .fau file to your server desktop. Make sure that it has not been renamed and still has the .fau extension, then double click on it. FTGate will then apply the update and restart.

FTGateMonitor

The FTGateMonitor allows the administrator to monitor the activity of FTGate from any machine on the network.

Starting FTGateMonitor

To start FTGateMonitor from the server console, right click on the FTGateIcon in the tray area and select FTGateMonitor.

To start FTGateMonitor from a remote machine, copy the FTGateMonitor.exe file from the server to the required machine, then double click on the file.

Connecting to the server

To connect the monitor to the server, click Server/Connect, type in the server IP address or name, an administrator email address and password, then click Connect.

FTGateLog

FTGateLog is a utility for reading the log (.ftlog) files created by FTGate. It allows searching and flagging of entries in the log, together with the ability to copy selected lines to the clipboard for pasting elsewhere.

AutoCluster

Configuring AutoCluster

AutoCluster is a very simple system to configure and manage. The basic components are:

• AutoCluster Client
• AutoCluster POP3 Proxy

AutoCluster Client

The AutoCluster client is responsible for connecting to the Groupware connector of an ISP Edition or Professional Edition FTGate master server. It will then dynamically configure the server with domain and account information from the master server. See AutoCluster Client

A Relay Edition server can support multiple AutoCluster clients for the dynamic configuration of multiple servers. Additional Clients can be configured from the Clients page of the Web Administration interface.

AutoCluster POP3 Proxy

The AutoCluster POP3 Proxy Service is automatically created when the Relay Edition is installed. There is nothing to manually configure as its settings are all set by the AutoCluster Client(s).

Web Admin Interface

Web Admin Login

Type topic text here.

User Interface Guide

The FTGate user interface has been designed to provide the simplest possible way to achieve a given task. In addition to changing values and selecting options, users will also have to perform the following common operations. Where possible the user interface has been designed to use the same sequence of operations to achieve common tasks.

Saving changes

Any changes to page content should be saved by clicking the save button before switching to another page. Failure to do so will result in those changes being lost.

Adding an item

Adding a new item to a list of items is simply a matter of selecting any options for a new item, typing its name and/or any other required details and clicking the Add button.
Deleting an item

Deleting an item from a list is simply a matter of selecting the check box next to the item(s) to be deleted and clicking the Delete button.

Filtering a list

In order to display some lists more efficiently, the filter bar will be displayed. Clicking on a letter in the filter will cause the list to be refreshed showing only the items that match the selected letter.

The filter box may be used to filter more precisely when dealing with large lists. For example, filtering on bo* would display only items that start with bo, and filtering on *bo would show only those items ending in bo.

Selection lists

If the purpose of a list is to select some elements rather than others, then the desired items should be selected by setting the checkbox to the selected or unselected state and clicking the Save button.

Start/Stop Enable/Disable

The start/stop and enable/disable system uses standard stop/go buttons. The dark raised button can be pressed to change the item's state. Thus, in the above example, the first item is currently started and may be stopped, while the second is stopped and may be started.

Paging control

Some lists may be of sufficient length that they cannot be displayed on a single page without an unacceptable delay. In these circumstances a paging control will be visible. This allows navigation to the first page, the last page and any specific page by direct selection in the page list. Previous and next buttons allow for stepping through the pages in sequence.

The Menu Bar

The menu bar is located at the top of the page and allows rapid access to the different sections of the FTGate interface. It is available from all pages of the interface.
The main sections are:

• General
  Contains functions to access the log files, statistics and archiving information
• Domains
  Allows access to the domain and mailbox management functions
• Outbox
  Controls how mail is sent from FTGate to the Internet and allows access to the outbound mail queue
• Services
  Lists and allows configuration of the available services (e.g. SMTP, POP3) and the security policies which control them
• Clients
  Allows management of the collection of POP3 email from a different server using SmartPop or the configuration of the replication client in FTGate Relay Edition servers
• Events
  Manages the triggering of timed server events, for example dial up connections and autoupdate checking
• Filters
  Contains the options for Anti-virus, Greylisting, Spam filtering, Routing and access to quarantined messages
• Configuration
  Allows access to system wide configuration options
• Utility
  Contains general utilities that do not logically belong anywhere else

Navigation Panel

In addition to the menu bar, the individual sections are also presented on the main navigation panel of the home page. In addition to the titles, this offers a handy reminder as to the function of each section.

Access Control

In many places it is required to share items between users in a domain or across the system. In these cases, accessed by clicking the Share button, the Access control list will be displayed.

Altering the access rights of users in the domain is a matter of changing the selected options and clicking Update.

To add a non-domain address to the list, type it in the address box and click the Add button. See User Interface Guide.

To remove access rights for an address, clear all the options and click Update.

General

Information

This page identifies which version of FTGate you are running and any services that are not currently enabled.

Log

This page allows you to view and search a given date's log contents.
Activity

This page shows you the current activities being processed by the server.

In addition to the status of any active connections there are three entries that are always listed:

• Connections
  This displays the current number of connections for each service type
• DNS resolver
  This shows the number of queries currently being serviced
• Spooler
  This shows the number of messages currently awaiting filtering and delivery

Queues

This page displays the number of messages waiting for delivery in the outbox and any remote domains. There are three headings:

1. New
   These are messages awaiting delivery
2. Active
   These are messages that are currently being delivered
3. Queued
   These are messages that have failed delivery and have been queued for later retries

The "Connect Now" button causes all the messages in the Queued column to be moved to the New column for immediate retry. If the connection is over a dial up link, it will also cause the connection to be dialled.

Statistics

This page shows statistical information regarding the performance of FTGate.

Archive

This page gives access to the message archive in FTGate and allows messages from the archive to be forwarded to other addresses. This can be used to locate messages between given time periods for a specific address or with specific entries in the subject. The page also contains a preview page which will display the first 2KB of the message.

There are more features available in the stand alone archive tool FTGate Archive.

Messages in the list may be selected and then redirected to a mailbox. This will cause the message to be delivered without any filtering being applied.

Finding archived messages

To locate a message, select the start and end dates for the search, enter text for the from, to and subject, then click Find.

When searching for a message a partial match system is used. For example, to find messages from bob@ftgate.com you could search with the from line set to:

  bob
  bob@ftgate.com
  ftgate.com

but NOT

  *@ftgate.com

Selecting Messages

There are a number of options to select messages for forwarding or resending.

• Clicking on a message will select the specific message and deselect any other selected messages.
• Clicking on a message, then holding down SHIFT and clicking on another will select both messages and the messages between them.
• Clicking on a message, then holding down CTRL and clicking another message will add the message to the selection.
• Pressing CTRL-A will select all the messages.

Domains

Managing Domains

All mailboxes in FTGate are arranged into domains. There are two types of domain which provide different domain level functions.

Local Domains

A local domain contains mailboxes and all their associated settings. Each mailbox can be individually accessed by a user. The mailbox count for this type of domain is the total count of user and list mailboxes hosted by that domain.

See: Local Domains/Overview

Remote Domains

A remote domain is a mailbox that stores all mail for that domain, to be delivered to a different server, in a single mailbox. This is usually used in a store and forward environment for either a hosting company or in the DMZ section of a firewall. The mail can be collected using POP3 or forwarded via SMTP to another server. The mailbox count for this type of domain is 1 regardless of the number of actual addresses used by this domain.

A remote domain may also include a virtual address list to prevent the server from accepting badly addressed messages. When in virtual address mode FTGate will consume 1 mailbox count per address.

See: RemoteDomains/General

Alias Domains

Alias domains allow all mail for the named domain to be processed by another domain. For example, many companies have multiple domain names in order to protect their corporate identity.
If your company had the domains mydomain.com and mydomain.org you would create a Local Domain or Remote Domain called mydomain.com and then create an alias called mydomain.org. All mail for user@mydomain.org will then be delivered to user@mydomain.com.

Alias domains do not use any mailboxes.

Local Domains

Overview

A local domain contains all of the mailboxes for a domain and the options that are global to the domain.

See Also:
• Mailboxes
• General
• Filters
• Active Directory
• Migration
• Privilege Sets

Mailboxes

The local domain Mailbox tab displays a list of the mailboxes hosted by a domain. Clicking on a mailbox name will open a new window allowing access to the mailbox options. Clicking the Alias button allows the creation of a mailbox alias.

Mailbox Types

There are 7 types of mailbox in FTGate and each has a specific function:

• User Mailboxes
  These mailboxes are accessed using POP3, IMAP or SolSight Web. They can also be used, through the use of the mailbox rules, to provide file Library functions and Robot functions.
• List Mailboxes
  These mailboxes are used to manage mailing lists and to distribute messages between large groups of users on the Internet. They offer various control options and the ability, if required, to take their address list from an external SQL database.
• Group Mailboxes
  These mailboxes hold a collection of local addresses in a group. Messages to the group will be received by each member of the group. In addition, any access rights granted to the group mailbox are inherited by all members of the group.
  (Group mailbox: a list of mailboxes that are part of a domain. Messages to a group mailbox will be delivered to all members of the group. A group can also be used when assigning permissions, causing all of the members of a group to inherit those permissions.)
• Null Mailbox
  This is a system mailbox that deletes all messages sent to it
• System Mailbox
  This mailbox handles internal system messages and UBEBlock training requests
• DSN Mailbox
  This mailbox handles error returns from the internet for all List Mailboxes that are set to auto manage their members
• Alias Mailbox
  This represents another name for one of the other mailboxes. Mail addressed to an alias mailbox will be delivered to the mailbox that the alias represents.

Only User and List Mailboxes count towards the total number of mailboxes used in FTGate.

Default Mailboxes

When a domain is created a default set of mailboxes is created as follows:

• Admin (or the name specified when defining the root.login name in the configuration wizard)
  This is the default administrator for the domain
• Administrators
  This is a group mailbox containing all the administrators of the domain. Members of this group are only granted access to WebAdmin if the mailbox itself is granted administrator access. See Web Administration
• dsn
  A special mailbox for handling list mailbox delivery status notifications
• everyone
  A group mailbox into which FTGate adds all new user mailboxes created. Mailboxes can be removed from the group to hide them from other users.
• null
  A mailbox that deletes all mail sent to it.
• postmaster
  An alias for administrators. Internet RFCs require that a postmaster be defined.
• system
  A mailbox that processes system commands.

See Mailbox Overview

General

The local domain General tab allows for the configuration of the general settings:

Path to outbox
  This specifies the location on the hard disk where the mailbox messages are stored. Each mailbox has a folder in this location named after the mailbox.

Limit number of mailboxes in this domain
  This allows the administrator to limit the number of mailboxes that can be created in this domain. This is used to limit the number of mailboxes that can be created when a domain has a local administrator.
Mail for Unknown Users
  This section states the action that FTGate takes when this domain receives messages that do not have a local mailbox.

  • Reject message and send a notification
  • Send to the Postmaster
  • Send to the Postmaster as an attachment
  • Forward to the Internet
  • Forward to an email address

Signature
  This signature is added to all outbound messages.

  • None
    Do not add the signature to messages
  • Start
    Add the signature to the beginning of the message
  • End
    Add the signature to the end of the message

Signature Message
  If you leave the Plain text box empty, a text version of the HTML entry will be added. If you leave the HTML text box empty, an HTML version of the Plain text entry will be added.

Filters

This page specifies which filter policy is used by this domain and which domain members may train the UBEBlock spam filtering system.

Filter Policy
  This is the filter policy that FTGate uses to filter messages arriving into this domain.

UBEBlock Training
  Only those addresses listed here (or contained within a group listed here) are allowed to train UBEBlock.

Active Directory

This page lists the active directory accounts that are available on the server. To add mailboxes from active directory, simply select the accounts to be added and click the Add button.

Automatic active directory account creation is available from the Migration tab.

Migration

The Migration tab provides configuration options that control the automatic creation of mailboxes in the domain. When Migration is enabled and an unknown user attempts to log into POP3, IMAP or SolSight Web, FTGate will use the migration options to verify the user's details, and if the verification passes a mailbox will be created for the user.

Migration options

No migration
  All mailbox management is controlled directly by the administrator.

Active Directory
  Create account using Active Directory details. FTGate will verify the user's mailbox name and password against the listed active directory domain.
  If the account exists then a mailbox will be created and the password authentication options set to verify with the active directory account.

POP3
  Create account and get mail from a POP3 server, if a successful login occurs. FTGate will attempt a POP3 login on the specified server. If the login is successful then the account will be created and the password stored. Any mail on the other server will then be downloaded to FTGate and placed in the new mailbox.

Migration message
  Insert this temporary migration notification into mailbox during migration process. This places the specified message into the user's mailbox during a POP3 migration operation so that the user knows that the mail is currently being collected.

Privileges

Privilege sets are associated with mailboxes. They restrict the amount of allocated storage, the availability times, and feature access.

Each privilege set supports configuration of the following options:

Quota tab

These settings restrict the amount of data in each mailbox.

Enable quota: Controls how much mail is permitted in a mailbox
Message limit: This is the maximum number of messages permitted in the mailbox
Allocated storage: This is the amount of storage available to this mailbox (MB)
Quota Notification: Controls if a notification is sent when the quota is exceeded
Max message age: Specifies the maximum age of messages permitted in this folder (in days)

Time Tab

These settings restrict the availability times for mailboxes.

Enable availability restriction: Controls the times and dates for which the mailbox is available
Restrict times: Only allow access between the following times
Restrict days: Only allow access on the following days of the week

General Tab

• Passwords must be at least 8 characters long
• Passwords must be a mixture of letters and digits
• Allow access to Web Mail
• Allow access to the connector
• Allow access to POP3
• Allow access to group shared resources

Authentication Tab

After SMTP authentication
  These are the relaying options that the SMTP server accepts after successful authentication of this mailbox's address and password.

  • The sender's address must be the authenticated address
  • The sender's address must be from the same domain as the authenticated address
  • The sender's address can be any valid email address

Access Tab

Options that relate to both WebMail and SolSight:

• Allow modification of personal details
• Allow modification of password
• Allow user to create and delete address books
• Allow access to contact history tracking information
• Allow modification of Out of Office method
• Allow access to Calendaring
• Allow access to message rules
  • Allow creation of forwarding rules
  • Allow creation of auto response rules
• Allow uploading of attachments for auto responses and calendar messages
• Allow access to Local Admin to manage the local domain
• Allow local admin to modify the local domain filters

Mailboxes

General

Name: Name of the mailbox
Folder: Location on the hard disk where messages, folders, attachments and drafts are stored for this mailbox
Status: Enable/disable the mailbox. Disabled mailboxes cannot send or receive messages.
Privilege set: This option selects the privilege set that will be used by this mailbox

Configure this account as a spam trap
  This option configures this mailbox as a spam trap. All messages which include the spam trap mailbox as a recipient are rejected by the SMTP server(s).

User can only send to local addresses
  This option prevents the user from sending a message to an external (internet) address.

Send Copy
  This option creates a hidden BCC on all mail sent from bill@test0.ftgate.com and causes it to be sent to the specified address. This can be used for monitoring of outgoing mail from this mailbox.

Trashcan
  This extends the functionality of IMAP and defines the behaviour of message deletion in SolSight Web. When enabled, deleted files are actually copied to the trashcan folder and then deleted and expunged from the original folder.

Information

This page provides information regarding the mailbox.

• Last Accessed
  The time of the last POP3/IMAP/SolSight Web login
• Messages received
  Number and total size of messages received
• Messages sent
  Number and total size of messages sent
• Peak count
  The maximum number of messages in the mailbox
• Peak size
  The maximum size the mailbox has reached.

Personal Details

This page allows configuration of a mailbox's contact details. These details will be visible to other users in the domain as part of the domain address book.

Password

Controls the method used to validate login requests.

Local
  The password is held (encrypted) in the FTGate database.

Active Directory
  Enter the domain and user ID used to validate the password, or leave this field blank to use the domain setting and mailbox name. WinNT://domain/mailbox. If the domain is to be managed via active directory, and the domain name matches the active directory domain name, then the ID field can be left blank.
SQL Database
  Enter the DSN and SQL command used to validate the password. If this option is selected then FTGate will authenticate users against an external SQL database.

  When using an external ODBC database the SQL statement will be checked to see if any records are returned. If one or more records are returned then the user will be treated as authenticated. There are tokens that can be used in the SQL statement to permit it to be customised to the individual account being tested.

  $NAME$ = the name of the account (e.g. fred)
  $ADDRESS$ = the email address of the account (e.g. fred@mydomain.com)
  $PASSWORD$ = the password being tested by the login

  Thus an example would be

  SELECT * FROM users WHERE name='$NAME$' AND Address='$ADDRESS$' AND password='$PASSWORD$'

Signature

Add this signature to all outgoing Web Mail messages.

Out of Office

Out of Office Status
  These are your Out of Office options.

  • Show as Here
  • Show as Out
  • Show as Out and send the following message

Groups

This page controls the groups of which this mailbox is a member. To join or leave a group, change the checkbox states and click the Save button.

Folders

This page lists the folders that are available in the mailbox. New folders can be added and the folders can be shared by clicking the Share button. In order to see the folder in SolSight Web and IMAP the folder must be subscribed, otherwise the folder will be hidden.

Inbox Rules

This page shows a list of mailbox rules that are available. Each rule can be configured to use a combination of fields from the message header to control whether the rule runs, and each rule has a comprehensive set of actions which range from moving a message to a folder through to sending a reply with an attachment or even running a script or external program. Thus with the FTGate rule system it is possible to create versatile customised message handling systems with practically no effort.
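Returning to the SQL Database password option described under Password above: a login is accepted as soon as the statement returns one or more records, so the WHERE clause is the entire check. The sketch below is an added example, not FTGate code. It assumes a checker that binds the three tokens as query parameters (how FTGate itself substitutes them is not described in this guide), uses a constructed SQLite table in place of the ODBC source, and all function names are hypothetical.

```python
import re
import sqlite3

# The three tokens come from the guide; the checker below is an assumed design.
TOKEN_RE = re.compile(
    r"'(\$(?:NAME|ADDRESS|PASSWORD)\$)'|(\$(?:NAME|ADDRESS|PASSWORD)\$)"
)

# Statement from the guide, and a constructed loose variant for comparison.
GUIDE_TEMPLATE = ("SELECT * FROM users WHERE name='$NAME$' "
                  "AND Address='$ADDRESS$' AND password='$PASSWORD$'")
LOOSE_TEMPLATE = "SELECT * FROM users WHERE name='$NAME$'"


def to_bound_query(template):
    """Replace each token (quoted or bare) with '?' and record the token order."""
    order = []

    def repl(match):
        order.append(match.group(1) or match.group(2))
        return "?"

    return TOKEN_RE.sub(repl, template), order


def lint_template(template):
    """Warn about statements that weaken the 'any record = authenticated' rule."""
    warnings = []
    if "$PASSWORD$" not in template:
        warnings.append("no $PASSWORD$ condition: any password returns a record")
    if "$NAME$" not in template and "$ADDRESS$" not in template:
        warnings.append("no $NAME$ or $ADDRESS$ condition: "
                        "records are not tied to the account logging in")
    return warnings


def authenticate(conn, template, name, address, password):
    """Authenticated if the statement returns one or more records."""
    sql, order = to_bound_query(template)
    values = {"$NAME$": name, "$ADDRESS$": address, "$PASSWORD$": password}
    # Values are bound, so quote characters in a submitted value stay data.
    cur = conn.execute(sql, [values[token] for token in order])
    return cur.fetchone() is not None


def demo_db():
    """Constructed sample data standing in for the external database.

    The password column is compared directly because that is what the
    guide's example statement does.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, Address TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("fred", "fred@mydomain.com", "tr0ub4dor"),
        ("pat", "pat@mydomain.com", "o'neil77"),  # password containing a quote
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for label, template in (("guide", GUIDE_TEMPLATE), ("loose", LOOSE_TEMPLATE)):
        print(label, "warnings:", lint_template(template))
        print(label, "wrong password accepted:",
              authenticate(db, template, "fred", "fred@mydomain.com", "wrong"))
```

With the loose statement a wrong password is accepted because a record for the name still comes back, which is why every statement entered in the SQL box should keep its password condition.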
The introduction of the rules has rendered the Autoresponder and Robot mailboxes of the previous versions obsolete, as it is now trivial to implement a far more powerful set of responses and behaviours directly through the rules than the predefined handling that existed in these old mailbox types.

Each rule can have several actions and more than one rule can trigger on a message. However, if a rule is configured to move or delete the current message, or stop processing, no further rules will be run.

Actions that can be taken by a mailbox rule are:
• Send an Auto-reply
• Forward the message to another address
• Set a flag for the message (used by IMAP)
• Mark the message as seen (used by IMAP)
• Run an FTScript
• Run an external application (use %FILE% to refer to the email message source)
• Copy the message to a folder
• Move the message to a folder (prevents message matching any further rules)
• Delete the message (prevents message matching any further rules)
• Stop processing rules

Forwarding type rules

Mailbox rules allow various message forwarding systems to be implemented that can be dependent on the sender, recipients, subject and other options.

See Also:
• Forwarding Messages

Autoresponder type rules

Creating an Autoresponder mailbox is simply a matter of creating a user mailbox (a mailbox which holds mail that will normally be retrieved by a person using WebMail, POP3 or IMAP) and then creating a rule for each of the files or messages you wish to return. After creating a rule, you set the rule to match a subject line that you wish to respond to and complete the auto-reply action details. This also allows you to configure or upload an attachment that will be sent with the reply.

By further modifying the rules, you can customise the response by setting different actions for different senders of the message.
See Also: Macro Expansion

Robot Mailboxes type rules

To recreate the robot mailbox functionality you simply create a rule that is set to run for all messages and specify an appropriate action to be taken. This can be further customised by creating different rules and specifying different trigger conditions for the rule.

Forwarding Messages

When messages arrive in a user's mailbox it is often required that the message is sent or copied to another address. This is performed with mailbox Inbox Rules.

The following steps are used to create a forwarding rule.

1. Open the user's mailbox in WebAdmin or WebMail
2. Go to the Inbox Rules page
3. Type the name of the new rule e.g. forwarding to joe
4. Click add
5. Click on the new rule
6. Check the apply to all messages box
7. Change to the Actions tab
8. Check Forward to the following address
9. Enter the required address e.g. joe@soap.com
10. If you want to have the message deleted after forwarding, check the delete message option
11. Check the Rule Enabled option
12. Click Save

This rule will forward all mail arriving in the mailbox to joe's email address.

Attachments

These files can be used as attachments to mailbox rules and calendar messages.

Contents

This shows the contents of the user's inbox.

Address Books

This page displays the address books available to the mailbox. New address books can be added and the existing address books shared with other domain members. If the mailbox is a group mailbox then the address books will be visible to all members of the group.

Calendars

This page displays the calendars available to the mailbox. New address books can be added and the existing calendars shared with other domain members. If the mailbox is a group mailbox then the calendars will be visible to all members of the group.

Notes

This page displays the note books available to the mailbox. New address books can be added and the existing note books shared with other domain members.
If the mailbox is a group mailbox then the note books will be visible to all members of the group.

Tasks

This page displays the task lists available to the mailbox. New address books can be added and the existing task lists shared with other domain members. If the mailbox is a group mailbox then the task lists will be visible to all members of the group.

Group Mailboxes

Group Members

This page allows for simple selection of the members of the group.

Tracking

When tracking is enabled, messages arriving in this mailbox have a tracking ID inserted into the subject line and a message is returned to the sender informing them that their message has arrived and telling them what tracking number has been assigned to them.

This option is useful for tracking a message. It is most relevant when it is important to keep track of a sequence of replies, e.g. for a technical support enquiry or sales enquiry.

When the group mailbox receives a message, the Tracking ID is inserted into the subject along with the date and a three digit number (which increments each time a message arrives in the group mailbox that does not have a Tracking ID in its subject).

It is possible to include special macros in the message. See Macro Expansion.

List Mailboxes

List Control

These options control how the list mailbox will handle messages.

General Tab

List owner
  Address of person responsible for list maintenance.

Limit postings size
  Causes messages over this size to be rejected.

Subject identifier
  Text to be added to the start of the subject line for each message distributed by this list. For example, using a Subject identifier of [mylist] would cause all messages from the list to have [mylist] prepended to the subject line.

Options

Allow SUBSCRIBE
  Enabling this will allow new members to join the list by emailing the list with "subscribe" (no quotes) in the subject line.
  Not used in ODBC list sources

Log SUBSCRIBE
  Records in the log who has subscribed/un-subscribed.
  Not used in ODBC list sources

Confirm SUBSCRIBE
  Sends a message to the user who is subscribing for them to confirm they wish to be on the list. This helps prevent other people subscribing addresses "for a laugh". If the user does not reply to the confirmation request, the user is not subscribed.
  Not used in ODBC list sources

Send notification to owner for subscribes and unsubscribes
  The mailbox sends a notification to the list owner after a successful subscribe or un-subscribe.

Maintain archive of postings
  Keeps the messages in the mailbox folder for that mailbox.

Moderated
  The list owner can post to the list when this option is enabled. This forces all messages to the list to be sent to the list owner, who can then decide which messages are suitable for publishing. This is useful when the list is a "Customer list" and you only wish the sales manager to be able to send messages to the customers via the list.

Only allow list members to post
  Users must subscribe before posting to the list; if not, the messages will be rejected.
  Not used in ODBC list sources

Include Sender in postings
  Sends a copy of the message to the sender.

Function as a distribution list
  When this option is not checked, one message is generated addressed to all the list members (via BCC), and the To address in the header is shown as the list mailbox name. With the option checked, a unique message is created for every list member and the To address is set to the address of the list member.

Auto-manage members
  Removes any address from which messages have bounced, after sending a second message and a confirmation request "do you still wish to be on this list?" This keeps the list current, with only valid email addresses on the list. This will have no effect on an SQL based list.
  Not used in ODBC list sources

Reply

Reply Address
  Specifies which return address should be used for messages distributed by this list.

  • Set the reply address to be this list
  • Set the reply address to be the sender
  • Set the reply address to be this address:

List Members

This page configures the data source used to supply the list addresses.

Member Source

You can configure this mailbox to use an SQL query to obtain the members list, or to use the explicitly defined members list.

• This mailbox uses the following members list
  The members are held in the FTGate database and managed through a list display. Members can be imported and exported using the Import/Export options on the list page.
• Use the following ODBC search to obtain the list members
  The members are held in an SQL database

ODBC List

FTGate allows administrators to create a database from an external database of addresses held in an SQL database.

DSN
  A system DSN that can be used to open the connection to the database.

SQL
  The SQL statement used to return the address list from the database. The returned data must include fields named 'name' and 'address'.

To use an external SQL list you need to configure a DSN connection and an SQL statement that will retrieve the addresses for the message.

The DSN must be a System DSN.

The SQL query results must contain the columns 'Name' and 'Address'. Thus if the database does not contain these columns, the SQL statement should create them in the returned data set.

Example:

In the DSN box
  dsn=customers;uid=admin;pwd=kx154

In the SQL box
  SELECT email as address, customername as name FROM customerlist WHERE wantmailing=1

Notifications

These are the messages used by the list mailbox. They include the joining and leaving messages as well as the moderated message and error messages.
Messages can be sent for the following reasons:
• Subscribe Successful
• Subscribe Unsuccessful -- Closed list
• Subscribe Unsuccessful -- Already a member
• Confirm Subscribe
• Unsubscribe Successful
• Reject posting -- Not a member
• Reject posting -- Message too big
• Moderator message

Signature

List messages can have a signature added to all sent messages. The signature is added to either the beginning or the end of the message.

Available options:
• Do not add the signature to messages
• Add the signature to the beginning of the message
• Add the signature to the end of the message

Remote Domains

General

Path to outbox
  Location on the hard drive where messages are stored prior to delivery or collection.

Authentication
  Allow SMTP authentication and POP3 access using the following name and password.

Password

Hold flagged messages
  This option causes messages that have been flagged by the filter system to be held. Flagged messages will not be delivered by either SMTP or POP3.

Virtual address mode
  Only accept mail for addresses in the domain address book. Each address entry will use one mailbox licence.

Filter Policy
  This is the filter policy that FTGate uses to filter messages arriving into this domain.

Host name: Name used to identify this machine on the Internet (EHLO/HELO name)

Fast Expire
  This option prevents outbound messages that are a result of a bounce or a filter from queueing in the outbox. When enabled, delivery of such messages will be tried once, and any failure results in the message being deleted. Thus the domain or outbox will not fill up with undeliverable spam rejections. However, it is possible that a legitimate bounce could be deleted if the target server is down, although this is very unlikely.

Promote 4XX Failures
  This option causes a 4XX level SMTP send error to be treated as a 5XX error, so the message is rejected rather than queued.
  This option is disabled if MX delivery is enabled and is not compatible with sending to servers that have grey-listing enabled. Its primary use is for ISPs who use remote domains which don't reject bad addresses but issue a 4XX try again later message, causing the domains to fill up with undelivered junk.

Debug Logging
  Create debug log. Additional information will be written to the log file showing the SMTP session used to send the messages. Note, this option has no effect if the system logging level is not set to debug. See Logging.

Disable access to this domain before
  Access will be prevented before this time.

Disable access to this domain after
  Access will be prevented after this time.

Throughput Restrictions
  This sets the maximum size of the mailbox. When this size is reached mail will be temporarily rejected.

Connection

Network profile: Select the network profile to connect for message delivery. Users of Broadband or other permanent connection should use the LAN network profile.

Delivery mode: The delivery mode controls when to open a connection for message delivery.

• Never Connect
• Immediately
• ETRN
• Conditional

Conditional
  When in conditional mode these settings will cause delivery to start:

  • Message count
  • Message age
  • Priority message

Encryption
  This setting specifies whether FTGate should send encrypted data.

  • No encryption
  • Encrypt all data using SSL
  • Allow encryption using TLS
  • Require encryption using TLS

Maximum concurrent sends
  Specifies the maximum number of concurrent sends permitted.

SMTP inactivity timeout
  The period after the last data transfer when it is assumed the link has been lost and the connection should be closed.

Delivery

Specifies how FTGate will send mail to its intended recipients.
SMTP Hosts : Deliver mail to SMTP hosts listed in the order shown

MX Hosts : Deliver messages using DNS/MX records
If delivery fails:
• Deliver mail to SMTP hosts
• Hold mail in queue for later delivery

Queue Options : Specifies how long FTGate will hold undelivered mail in the delivery queue.

Delivery Optimisation : Disable delivery optimisation and send each message in a separate SMTP session

Addresses
This page allows the configuration of the virtual addresses that will be used to prevent badly addressed mail being delivered to the domain. When in virtual address mode (See General) each entry will use 1 mailbox licence.

Contents
This page allows access to the remote domains mail queue.

Outbox
The Outbox is the location where outbound mail is stored before it is sent to the Internet. If you send your outbound mail to your ISP for delivery then you will need to configure the Outbox with your ISP's details. If you deliver the mail directly using MX records, then you must also configure a DNS server.
See Also:
• DNS

To configure the Outbox for direct delivery to an ISP
In order to configure delivery to the ISP you will need to know your ISP's SMTP server name or IP address and, if using a dial-up connection, the Profile used to connect to the Internet. If a dial-up profile is to be used see Dialling the Internet
1. In Outbox, click Connection
2. In Connection Options / Network Profile, select the required profile, [LAN] or [Proxy/Router]
3. In Delivery Mode, select Immediately
4. In Host name, enter your Domain Name
5. Click Apply
6. In Outbox, click Delivery
7. In Delivery Route, select SMTP Hosts
8. In SMTP Hosts / Host1, enter the IP address or name of the ISP's SMTP server (see Remote Domains)
9. (Optional) In SMTP Hosts / Host2, enter the IP address or name of the ISP's backup SMTP server
10. (Optional) In SMTP Hosts / Host3, enter the IP address or name of the ISP's backup SMTP server
11. Click Apply

To configure the Outbox for direct delivery via MX Records
MX delivery is not recommended over dial-up connections (*). A suitable DNS server will be required for correct delivery of mail (DNS).
1. In Outbox, click Connection
2. In Connection Options / Network Profile, select [LAN] or [Proxy/Router]
3. In Delivery Mode, select Immediately
4. In Host name, enter your Domain Name (**)
5. Click Apply
6. In Outbox, click Delivery
7. In Delivery Route, select MX Hosts
8. In If delivery fails, select Hold mail in queue for later delivery
9. Click Apply

NOTES
* MANY ISPS WILL NOT PERMIT MX DELIVERY THROUGH THEIR NETWORK DUE TO MISUSE AS A SOURCE OF SPAM.
** MANY SERVERS WILL NOT ACCEPT MAIL FROM SERVERS WITH AN INCORRECT HOST NAME.

Managing the Outbox
The Outbox controls outbound mail to the Internet. For the various setting options please see the remote domain options.
• General
• Connection
• Delivery
• Contents

Services

Managing Services and Security Policies
Service and Security Policies are managed through the Services section with a separate tab for Services and Security Policies.

Services Tab
This tab displays the service list. New services can be added and removed. In the event that a service was not able to start it will be highlighted in red. The cause of the problem can be determined by placing the cursor over the ! character, or opening the service.
See:
• Service Types

Policies Tab
This tab displays the available security policies. The default policies cannot be deleted. However, any new policies added may be deleted.
See:
• Security Policy Management
• Policy Access Rights
• Configuring LAN access

Security Policy Overview
In order to control how a service responds to connections from different IP addresses FTGate implements a system of security policies. A security policy specifies what access rights are granted to connections from various IP addresses.
A server will typically have multiple security policies that specify different types of access. Each service allows the selection of one security policy, and the options selected in that policy will control the access to that service.
See Also:
• Options
• Addresses
• SMTP
• POP3
• HTTP
• LDAP

Options
The security policy tab allows for the configuration of the specific security policy features that will be used by all services using the policy.

Enabled
If the policy is enabled, all services that use the policy may run depending on their specific options. When the policy is disabled ALL services using the policy will be stopped.

Policy Service Control
Services that use this policy will only be available if their service type is enabled
Any service that uses this policy must have its service type enabled in the policy. If the service type is disabled in the policy then that service will not run.
See also:
• Security Policies
• Relay Control and Authentication
• Access Control Lists (ACL)
• Configuring LAN access
• Addresses
• SMTP
• POP3
• HTTP
• LDAP

Login attempts
This option defines how many POP3/IMAP login and SMTP authentication attempts can be made before an IP address gets a temporary or permanent ban. This option is controlled by the LL flags.

Ban Period
This option specifies how FTGate should handle automatic bans. The period of a ban may be 5 minutes or permanent.

Greylist SPF Bypass
This option causes an IP address that has been validated by SPF to bypass the greylisting process.

SPF Softfail Promote
This option causes any SPF check that results in a softfail, indicating that the domain administrators don't care if it's valid or not, to be treated as a fail and rejected.

Permit Spoofing
This option disables the anti-spoofing measures in FTGate. When this option is enabled FTGate will allow any un-authorised connection to send mail using a locally hosted email address.
See Also:
• Anti-Spoofing

Addresses
This tab defines the security features that will be applied to each address in the policy.
See:
• Security Policies

SMTP
The SMTP tab controls options that apply to SMTP servers using this policy.

SMTP Welcome Text
The first line that is sent in response to a connection

SMTP host name : The name used by the SMTP service to identify itself to incoming connections in response to HELO/EHLO

Message Limits
These options restrict the maximum size of a message, the number of recipients for a message and the number of servers a message can pass through. Messages that exceed these limits are rejected.

Maximum message size (authenticated)
This limits the message size for users who are authenticated by IP address or SMTP authentication (KB)

Maximum message size (other)
This limits the message size for non-authenticated users (KB)

Maximum recipients (Authenticated)
This sets the maximum number of recipients that a message can be sent to by authenticated senders

Maximum recipients (Other)
This sets the maximum number of recipients that a message can be sent to by non-authenticated senders

Max Recipients (header)
Specifies the maximum number of recipients in the header.

Maximum hops
Specifies the total number of servers that a message can pass through before it is assumed a loop has occurred and the message is rejected

SMTP authentication
This option specifies what FTGate validates against when authenticating.
• Mailboxes
• Specific settings

Inactivity timeout
The period of time from the last communication until the connection will be closed.

Sender validation
Validate that the sender's domain exists

Hosted senders only
Only allow delivery from hosted email addresses

Allow EXPN and VRFY SMTP commands
Permit the server to respond to EXPN and VRFY commands. This may result in a drop in server security.
Local header addresses
Include local IP address in message headers received lines

POP3
The POP3 tab defines POP3 options that apply to all POP3 services using this policy.

Inactivity timeout
The period of time from the last communication until the connection will be closed.

HTTP
The HTTP tab defines HTTP options that apply to all HTTP services using this policy.

Inactivity timeout
The period of time from the last communication until the connection will be closed.

Script timeout
The period of time after which a running script will be terminated

Session timeout
The period since the last web access before the session is discarded

LDAP
The LDAP tab defines options that apply to all LDAP services using this policy.

Inactivity timeout
The period of time from the last communication until the connection will be closed.

Services

Service Types
FTGate supports the following service types

SMTP
The SMTP protocol is the method used when a mail client (such as Thunderbird or Outlook™) or a mail server sends a message to a server. It is the primary method used to transfer mail around the Internet.

POP3
This is the most common method used by mail clients to retrieve mail from a server. It is a very basic protocol and it is not intended for use as a mail store for more than one email address. However, ISPs often see this as a cheaper alternative than an SMTP feed and thus often use it in this way. See SmartPop

HTTP
This protocol is used to supply web (HTML) pages to Web browsers. This protocol is used to power both the SolSight Web interface and Web Admin.

LDAP
This protocol is used to provide LDAP directory access to mail clients. It is search based and a common confusion is that, when first connecting to an LDAP service, no results are shown until a search is performed.

Proxy
This protocol allows Web browsers to access pages on the Internet through FTGate without their having a direct connection to the Internet.
IMAP
This protocol is a more advanced protocol than POP3 and allows a mail client to access mail stored in a mail store. The mail remains on the server where it can be backed up. This protocol allows sharing of folders with some restrictions on behaviour depending on the mail client used. See IMAP considerations

Monitor
This protocol is used by the FTGateMonitor utility

Groupware Connector
This protocol is used by the FTGate Outlook Connector and the Replicator client.

Service failed to start
When FTGate is first installed it is possible for there to be port conflicts between FTGate and other software. This can prevent FTGate being able to start all of its services. In the event of this problem it is necessary to determine which application is using which port so that the problem application can be disabled or reconfigured.
You can determine which application is using which port by opening a command prompt and typing

  netstat -o

You will then see a series of lines similar to this:

  netstat -o

  Active Connections

    Proto  Local Address  Foreign Address        State        PID
    TCP    THOR:1110      THOR.ftgate.lan:3407   ESTABLISHED  1688

You can then look for the line for the problem port and look at the PID. So we can see that on the local machine (THOR) port 1110 is being used by the application with PID 1688.
You can then open the task manager (right click on the task bar and select task manager) and locate the task with the indicated PID. If the PID column is not being displayed in the task manager, click View/Select Columns and check the PID box.
This will tell you what application is using the port so you can shut it off.
See Also: Firewall ports

POP3

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.
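The port check from "Service failed to start" above, as an added example (not part of FTGate or this guide): it parses `netstat -ano` output, because listening sockets are only listed when the -a switch is given, and returns the PIDs whose listeners overlap each address:port a service needs. The sample output, addresses and ports are constructed.

```python
# Constructed sample of Windows `netstat -ano` output
# (-a lists listening sockets, -n keeps addresses numeric, -o adds the PID).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1688
  TCP    192.168.0.10:110       0.0.0.0:0              LISTENING       2044
  TCP    192.168.0.10:1110      192.168.0.20:3407      ESTABLISHED     1688
  TCP    [::]:143               [::]:0                 LISTENING       912
  UDP    0.0.0.0:53             *:*                                    1200
"""

# Constructed list of services to check: name -> (listen address, port).
WANTED = {
    "SMTP": ("0.0.0.0", 25),
    "POP3": ("192.168.0.10", 110),
    "IMAP": ("0.0.0.0", 143),
    "HTTP": ("0.0.0.0", 8089),
}

WILDCARDS = {"0.0.0.0", "[::]"}


def parse_listeners(text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # A TCP row has exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        address, _, port = fields[1].rpartition(":")
        if port.isdigit() and fields[4].isdigit():
            listeners.append((address, int(port), int(fields[4])))
    return listeners


def is_ipv6(address):
    """netstat prints IPv6 local addresses in square brackets."""
    return address.startswith("[")


def overlapping_pids(listeners, address, port):
    """PIDs listening on the same port and an overlapping address.

    A wildcard listener overlaps every address of its own family. Whether a
    second bind really fails also depends on socket options, so treat the
    result as the list of processes to investigate.
    """
    pids = []
    for l_addr, l_port, pid in listeners:
        if l_port != port or is_ipv6(l_addr) != is_ipv6(address):
            continue
        if l_addr == address or l_addr in WILDCARDS or address in WILDCARDS:
            if pid not in pids:
                pids.append(pid)
    return pids


def check_services(netstat_text, wanted):
    """Map each service name to the PIDs that may be holding its port."""
    listeners = parse_listeners(netstat_text)
    return {name: overlapping_pids(listeners, addr, port)
            for name, (addr, port) in wanted.items()}


if __name__ == "__main__":
    for service, pids in check_services(SAMPLE_NETSTAT, WANTED).items():
        print(service, "free" if not pids else "in use by PID(s) %s" % pids)
```

The ESTABLISHED row on port 1110 is ignored on purpose: an existing connection does not show which process would block a service from listening.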
Options Tab

Low security
Allow low security login (username without domain) for single domain systems

Log access
Create an entry in the log when a user signs in

Create debug log
This option causes additional log information for this particular service to be included in the log file

Encryption Tab

Require encrypted authentication

Encryption
Specifies the level of encryption required when communicating with this service (requires a valid encryption certificate)
• No encryption
• Encrypt all data using SSL
• Allow encryption using TLS
• Require encryption using TLS

Encryption certificate
This encryption certificate will be used when encoding data using SSL and TLS

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy, POP3

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

SMTP

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.

Options Tab

Filter Policy
This is the filter policy that FTGate uses to filter messages arriving into this server.
Create debug log
This option causes additional log information for this particular service to be included in the log file

Encryption Tab

Require encrypted authentication

Encryption
Specifies the level of encryption required when communicating with this service (requires a valid encryption certificate)
• No encryption
• Encrypt all data using SSL
• Allow encryption using TLS
• Require encryption using TLS

Encryption certificate
This encryption certificate will be used when encoding data using SSL and TLS

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy, SMTP

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

HTTP (SolSight Web and WebAdmin)

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.

Options Tab

Location of Files
This is the root path for the files to be served by this server.
Default Language
This defines the initial language that will be used when displaying the web pages (Web Admin and SolSight Web only)

Encryption Tab

Require encrypted authentication

Encryption
Specifies the level of encryption required when communicating with this service (requires a valid encryption certificate)
• No encryption
• Encrypt all data using SSL
• Allow encryption using TLS
• Require encryption using TLS

Encryption certificate
This encryption certificate will be used when encoding data using SSL and TLS

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy, HTTP

Access Tab

Access restriction
Controls who can access the service. This is only appropriate to SolSight Web and WebAdmin
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

Scripts Tab

Script Folders
The server runs these scripts when the associated folder is requested in a URL.

Virtuals Tab

Virtual Folders
The server accesses the files in the folders corresponding to the requested URLs.

LDAP

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.
Note: On Windows 2003 servers you MUST select an address for the LDAP service or it will not start.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.

Options Tab
None.

Encryption Tab
Not applicable

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service.
All other options in this section are shared between POP3 services
See Security Policy, LDAP

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

Proxy

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.

Options Tab

Proxy Type : The proxy can either function as a web browser (i.e. access web pages using the HTTP and HTTPS protocols), or communicate directly to a specific address/port.
• This is a Web proxy
• This is a Point to Point proxy.

Encryption Tab
Not applicable

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

IMAP

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.
Options Tab

Log access
Create an entry in the log when a user signs in

Create debug log
This option causes additional log information for this particular service to be included in the log file

Encryption Tab

Require encrypted authentication

Encryption
Specifies the level of encryption required when communicating with this service (requires a valid encryption certificate)
• No encryption
• Encrypt all data using SSL
• Allow encryption using TLS
• Require encryption using TLS

Encryption certificate
This encryption certificate will be used when encoding data using SSL and TLS

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

Monitor

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.

Options Tab
None

Encryption Tab
Not applicable

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.
Groupware Connector

General Tab

Name
The name of this item

Status
Controls if the service will respond to connections

Address
The address on which the server will listen for incoming connections.

Port
The port on which the service will listen for incoming connections. Only one service can listen on any given address:port combination.

Options Tab
None

Encryption Tab

Require encrypted authentication

Encryption
Specifies the level of encryption required when communicating with this service (requires a valid encryption certificate)
• No encryption
• Encrypt all data using SSL

Encryption certificate
This encryption certificate will be used when encoding data using SSL and TLS

Security Policy Tab

Security Policy
Selects the security policy that is to be used by this service. All other options in this section are shared between POP3 services
See Security Policy

Access Tab

Access restriction
Controls who can access the service
• Allow access to everyone
• Restrict access to the following addresses

Service Access List
Lists the users who are permitted access to this service. These addresses must be for mailboxes hosted on this server.

Clients

Managing Clients
The clients section allows the configuration of either SmartPop accounts (Professional and ISP Editions) or Replicator accounts (Relay Edition).
See
• SmartPop
• AutoCluster

SmartPop
FTGate includes SmartPop, a technology which allows FTGate to collect mail from an ISP's POP3 mailbox and correctly deliver almost any message without the user needing to make any configuration choices beyond turning SmartPop on. When delivering messages in its automatic mode SmartPop can do the following:
1. Deliver messages for users who have mailboxes directly to them and prevent duplicates from being delivered.
2. Deliver mail for unknown users of a local domain in accordance with the configured domain settings, which includes bouncing the email with an undeliverable report.
3. Return incorrectly addressed email as undeliverable or send it to a special recipient.
FTGate also includes the option to bounce mail that is too large, thus preventing FTGate from using up too much bandwidth and telling the original sender why their message was not delivered.
These changes now give SmartPop the same flexibility of delivery as SMTP.
See Also
• Configuring SmartPop
• Delivering SmartPop mail to a single user
• Delivering SmartPop mail to domain users
• SmartPop limitations

SmartPop limitations

SmartPop mail delivery problems
We are often asked "Why do I get the message 'SmartPop Mail Delivery Failure'?". This article will explain why it happens and what can be done about it.

History of SmartPop.
Many ISPs offer multiple mail addresses with their mail accounts, but place all the messages in a single mailbox. So for example you might have the email addresses user1@domain.com, user2@domain.com and user3@domain.com, and all the mail might be placed in a mailbox domain@mail.isp.com. This type of mailbox is commonly known as a domain or multi-drop mailbox.
The problem with a multi-drop mailbox is that the first person to connect to it gets all the mail regardless of who it was sent to. SmartPop solves this problem by retrieving the mail messages and then delivering to the appropriate local mailbox. To deliver the mail from the example above, the administrator would install FTGate, create three mailboxes (user1, user2 and user3) in the domain "domain.com", then create a SmartPop account for domain@mail.isp.com. SmartPop would then collect the mail and deliver it to the appropriate user.

What is a message
An Internet mail message consists of two parts, the header and the body. The header contains information such as who the message is from, who it is to, the subject, when it was sent etc. The body is the text of the message.

How is mail transferred around the Internet.
Most mail is transferred from point to point using a protocol called SMTP (Simple Mail Transfer Protocol). This protocol transfers a message by making a connection to a destination computer, sending the Envelope of the message and then sending the message. The Envelope of the message contains the sender's email address and one or more recipients' addresses.
By the time the message reaches your ISP's machine the envelope will usually consist of the sender and one recipient. It is this recipient address that the ISP uses to determine which mailbox should be used for storing the message. In the above example a message to user1, user2 or user3 would be written to a single mailbox (domain@mail.isp.com).
After the mail is placed in a mailbox it can be retrieved using a protocol called POP3 (Post Office Protocol version 3). This protocol transfers the body of the message. The problem with this protocol is that it was only designed to access mailboxes that had mail for a single user.

What can go wrong to cause delivery failures?

A message is in the ISP mailbox for an address that doesn't have a local mailbox.
If, using the above example, a message was in the ISP mailbox addressed to fred@domain.com, SmartPop would not be able to deliver it as there is no mailbox or alias for that name. This can be fixed by creating the mailbox or alias.

The message was sent to the ISP mailbox by a mailing list that doesn't include the recipient's address (BCC).
Many mailing lists do what is known as blind mailing. This is where the message header has a TO: line to say testlist@listserver.com. Obviously there is no mailbox on the local mail system called that, so this causes an error.
The second problem is harder to fix and will require your ISP's help. I will describe the problem using an analogy with the postal mail system.
A letter is sent inside an envelope (SMTP is the envelope) addressed to Fred Bloggs. The letter inside starts Dear Sir (the message header).
The postman (your ISP server) brings the letter to your office but before delivering it takes the letter out of the envelope and puts only the letter through the postbox at the front door (ISP POP3 mailbox). Now when your secretary (FTGate) collects the mail, there is no indication as to who the "Dear Sir" is, so it cannot be delivered.

The Solution
Many ISPs copy the envelope (SMTP) address into the message header, so that the message's recipient address can always be found. There is no standard for the way that they do this and FTGate has been coded with most of the methods in use. This allows SmartPop to read the message header and deliver to the correct mailbox.
If your messages are being delivered as "SmartPop mail delivery failure", you should check the header of the attached message to see if the correct address exists. If it does not, you need to contact your ISP and arrange for them to either add the additional field for the envelope to the message headers or give you an SMTP feed. If they are not prepared to do this then consider changing to another ISP, as a multi-drop mailbox will not work correctly without the addition of the extra header information.

Example Headers
An example of a message (sent to user1@domain.com) that has not had the ISP include the additional envelope data might be:

  Date: Fri, 26 Jun 1998 08:40:45 -0400
  To: ftgug@ftgate.com
  From: Fred Bloggs <fred@bloggs.com>
  Subject: Version 2.1.0.5 and "Received... for"
  Reply-To: ftgug@ftgate.com
  x-listserver: ftgug@ftgate.com

and an example that has had the additional information included might be:

  X-Recipient: user1@domain.com
  Date: Fri, 26 Jun 1998 08:40:45 -0400
  To: ftgug@ftgate.com
  From: Fred Bloggs <fred@bloggs.com>
  Subject: Version 2.1.0.5 and "Received... for"
  Reply-To: ftgug@ftgate.com
  x-listserver: ftgug@ftgate.com

Note the additional highlighted line (X-Recipient). Without this line the ISP has made it impossible to deliver the message correctly. They have discarded the delivery information.
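An added illustration (not FTGate's code) of the header-based recipient lookup described above, including the prefixed-address and ISP-routing cases this guide covers under SmartPop delivery problems. The header names beyond X-Recipient and X-Delivered-To, the "maildrop" account name and the mailbox set are assumptions; the sample messages are constructed from the guide's example headers.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed local configuration, following the guide's example domain.
LOCAL_DOMAIN = "domain.com"
LOCAL_MAILBOXES = {"user1", "user2", "user3"}
ISP_DROP_ACCOUNT = "maildrop"  # assumed account name held at the ISP
ISP_PREFIX = "xxx-"            # tag an ISP may prepend, as in the guide

# Headers an ISP may use to copy the SMTP envelope recipient into the message.
# X-Recipient and X-Delivered-To appear in this guide; the others are common
# conventions on other mail systems (assumptions, not FTGate's own list).
ENVELOPE_HEADERS = ("X-Recipient", "X-Delivered-To", "Delivered-To",
                    "X-Envelope-To", "Envelope-To", "X-Original-To")


def split_local(addr):
    """Return (mailbox, domain) in lower case with the ISP prefix removed."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if local.startswith(ISP_PREFIX):
        local = local[len(ISP_PREFIX):]
    return local, domain


def resolve_recipients(raw_message):
    """Decide where a message pulled from a multi-drop mailbox should go.

    Returns (outcome, recipients, source); outcome is 'deliver',
    'unknown-user' or 'delivery-failure'.
    """
    msg = message_from_string(raw_message)

    # 1. Prefer a header carrying the envelope recipient: it survives BCC and
    #    mailing lists, where To:/Cc: name somebody else.
    for name in ENVELOPE_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            local, domain = split_local(addr)
            if domain != LOCAL_DOMAIN or local == ISP_DROP_ACCOUNT:
                continue  # ISP routing data, not the original addressee
            outcome = "deliver" if local in LOCAL_MAILBOXES else "unknown-user"
            return outcome, ["%s@%s" % (local, domain)], name

    # 2. Fall back to the visible headers. BCC recipients cannot be recovered
    #    this way, which is the loss the guide warns about.
    found = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        local, domain = split_local(addr)
        full = "%s@%s" % (local, domain)
        if domain == LOCAL_DOMAIN and local in LOCAL_MAILBOXES and full not in found:
            found.append(full)
    if found:
        return "deliver", found, "To/Cc"

    # 3. Nothing identifies a local recipient: the delivery-failure case.
    return "delivery-failure", [], None


# Constructed sample messages based on the guide's example headers.
BASE = """\
Date: Fri, 26 Jun 1998 08:40:45 -0400
To: ftgug@ftgate.com
From: Fred Bloggs <fred@bloggs.com>
Subject: Version 2.1.0.5 and "Received... for"

Message text.
"""
LIST_MAIL_NO_ENVELOPE = BASE
LIST_MAIL_WITH_ENVELOPE = "X-Recipient: user1@domain.com\n" + BASE
PREFIXED_ENVELOPE = "X-Delivered-To: xxx-user2@domain.com\n" + BASE
ISP_ROUTING_ONLY = ("X-Delivered-To: xxx-maildrop@domain.com\n"
                    + BASE.replace("ftgug@ftgate.com", "user3@domain.com"))
NO_SUCH_MAILBOX = "X-Recipient: fred@domain.com\n" + BASE

if __name__ == "__main__":
    for label, raw in [("no envelope header", LIST_MAIL_NO_ENVELOPE),
                       ("X-Recipient present", LIST_MAIL_WITH_ENVELOPE),
                       ("prefixed address", PREFIXED_ENVELOPE),
                       ("ISP routing only", ISP_ROUTING_ONLY),
                       ("unknown mailbox", NO_SUCH_MAILBOX)]:
        print(label, "->", resolve_recipients(raw))
```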
If your ISP does not include this information you should contact them and ask that they add the information or explain to you how you are supposed to know who the message is for.
We hope that this goes some way towards explaining the problem.

SmartPop delivery problems
Users of SmartPop may find that they have delivery issues after first installing the system. This is often due to inappropriate handling of the message headers by the ISP.
Please read the following article to put the rest of this discussion in context: SmartPop limitations
The problems fall into two types.

1. Modified addresses in the header
ISPs that add a delivery line but modify the real address of the message.
For example: The message is addressed to bob@mydomain.com but the ISP adds a tag line of xxx-bob@mydomain.com
In this case the real address is present and a filter can be used to restore the address. In this example a new filter would be added to filter/routes with the entry

  from: *
  to: xxx-*@mydomain.com
  route to: *@mydomain.com

This removes the modification and allows the message to be delivered correctly.

2. ISP using the x-recipient for their own purpose
Some ISPs use the x-recipient (or equivalent) to provide their internal routing and this can result in SmartPop being unable, in automatic mode, to deliver the mail correctly.
Typically, the message header will contain something like

  x-delivered-to: xxx-maildrop@mydomain.com

where maildrop is the account name you have at your ISP.
In this case the ISP has decided to use the special received tag for their own purpose, which means that it does not include the name of the original addressee, just the name of the catch-all mailbox.
The solution to this is to disable the feature in SmartPop and live with the potential loss of BCC mail.
You need to switch SmartPop into Manual mode (SmartPop/Delivery).
Disable all options except:
• Filter Ids
• Scan Message Header (+options 3 and 4, not 1 or 2)
Your mail will now be delivered normally, with the possible exception of BCC mail, which may or may not get bounced depending on your domain settings and what the email actually has in its header.
Please note that any subsequent failure is not the result of FTGate but the result of ISPs using POP3 for a purpose for which it was not designed.

SmartPop Duplicate Delivery
Under some circumstances it is possible to receive duplicate delivery of messages.

Multiple ISP accounts
This usually occurs when a message is sent to two people and arrives at two accounts at the ISP. If you have two SmartPop accounts and they are both set to have FTGate find the recipient from the header, then each message will be delivered twice.
If you have more than one mailbox at your ISP and those mailboxes will receive mail for users at your domain, then you must configure each SmartPop account to deliver all of its mail to the specific user for whom the ISP account is intended.
For example, if the ISP account is for bob@mydomain.com then you must go into the SmartPop account for bob and make the following changes on the Delivery tab:
1. Set Mode to Manual
2. In Manual Delivery Settings clear the Scan Message Header and the Enable SDPS checkbox
3. In Delivery Failure set Default Recipient to bob@mydomain.com and for Unknown Recipient select Default
4. Click Apply
These changes should be made for all SmartPop accounts that are assigned to specific employees and should prevent duplicate delivery.

Delivering SmartPop mail to a single user
To configure a SmartPop account to deliver all mail to a single mailbox
1. Select the client tab
2. Click on the SmartPop name
3. Click on the Delivery tab
4. In Delivery Control, set Mode to manual
5. Click Apply
6. In Associated domain, select All Hosted Domains
7. Clear Enable SDPS
8. Clear Enable CAPA
9. Clear Filter ID's
10. Clear Scan Message Header
11. In Delivery Failure, set Default Recipient to the recipient's mailbox address and select the option
12. Click Apply

Delivering SmartPop mail to domain users
SmartPop can collect mail from a single ISP Multi-drop Mailbox and distribute the mail to all addressees of the message.
It is recommended that SmartPop is placed in its automatic mode when used with a multi-drop mailbox. In the majority of cases automatic mode will be able to correctly deliver all messages. However, some ISPs do not configure their servers in the most appropriate way for handling multi-drop mail. In this case manual configuration of the options may be required, in which case we would recommend contacting support@ftgate.com for further guidance.

To configure SmartPop for automatic mode
1. Select Clients
2. Click on the SmartPop name
3. Click on the Delivery tab
4. In Delivery Control, set Mode to Automatic
5. Click Apply
6. In Associated domain, select the required domain
7. In Unknown recipient, select Reject
8. Click Apply

AutoCluster
The unique FTGate replication service is the ultimate ISP or networked multi server administration tool. It allows a network of FTGate servers to be automatically configured from one or more master servers (either Professional Edition or ISP Edition). Not only will this greatly reduce the time spent configuring servers but it will also lead to greater peace of mind knowing that the management tasks are automated; you only need worry about getting the main server right. This system was developed in close collaboration with a large ISP so that this tool would be perfect for the task. We think that you'll be amazed at how easily you can manage an entire network.

AutoClusterSetup
The following are the steps needed to configure a network of FTGate servers

Choose one server to be the master server
1. Add a groupware connector service to the master server.
2. Enable the service
The master server is now ready.
For each of the slave servers

Create an AutoCluster Client

1. Set the required address of the master server
2. Set the required username and password. This must be the username and password of an administrator on the master server.
3. Set the frequency of checking for updates
4. Enable the client

From now on the AutoCluster will regularly connect to the master, look for any updates and make any configuration changes to itself required to maintain its operating state with respect to the master server.

Job done! From now on the administrator only needs to manage one server.

AutoCluster Modes

The AutoCluster Client has several modes to allow the administrator maximum configuration flexibility

• Remote Mirror Mode
This mode is designed to manage inbound relay servers. The master server has multiple remote domains that are configured to deliver mail to a third party server. The slave servers will all replicate the domains and use the same delivery options. Each domain can have different options and does not need to follow DNS MX host routes.

• MX Relay Mode
The master server is configured to host one or more local domains (a domain with mailboxes). Each slave will configure itself to transfer mail for those domains straight to the master server.

Please note that the AutoCluster will NOT copy mailboxes from one system to another.

AutoCluster Settings

Name
Host name : Address of the master server
Port : The port on which the client will connect to the master server
Login name : Enter the login name for the master server
Password : Enter a password, and repeat it as a check, to use for the mailbox.
Inactivity timeout : The period of time from the last communication until the connection will be closed.
Update interval : The period between connections to the master server.
Encryption : This setting specifies whether the master server is set to encrypted mode
AutoClusterMode : This mode controls how the AutoCluster will create domains based on the master server.
• Remote mirror mode
• MX mode

Events

The Events section controls periodic events that the server will execute.

Event parameters

Trigger Tab

Only trigger this timer once : Controls whether the timer will trigger once or multiple times.
Trigger Times :
• Trigger at this time
• Trigger between these times at the specified interval
• This timer triggers on the following days of the week :
• This timer triggers on the following days of the month :

Action Tab

Shutdown FTGate and restart after given interval
Execute enabled tasks (in sequence) :
• Network profile
• Run the following script
• Backup configuration
• Start AutoUpdate

Filters

Greylist

For full details on Greylisting please see Greylisting

General Tab

Greylist quarantine : The period of time after the first connection during which subsequent connections will be rejected (minutes)
Greylist timeout : The period after which unused but validated connections will be purged from the greylist database (days)
Greylist Zombie timeout : The period after which connections that have never been validated will be purged from the database

Greylist Entries Tab

Greylist entries : This list shows the connections that are currently in the greylist database
Adding entries : It is possible to use the greylist to always allow or permanently block an IP/Sender/Recipient set by adding them to the list manually.

Routing

Administrators may wish to alter the normal delivery pattern of an email message. The message routing table allows them to do this.

Each message will be compared to the route entries and if a message matches a route, the route will be applied and no further tests will be made.

Examples

The following are some examples of routes that can be applied.

From: *
To: joe@domain.com
Route: fred@domain.com
Effect: This filter delivers ALL messages addressed TO joe@domain.com to fred@domain.com

From: joe@domain.com
To: *
Route: fred@domain.com
Effect: This filter delivers ALL messages FROM joe@domain.com to fred@domain.com

From: joe@domain.com
To: *
Route: blank
Effect: This filter deletes all messages FROM joe@domain.com

From: joe@domain.com
To: fred@domain.com
Route: blank
Effect: This filter deletes all messages FROM joe@domain.com TO fred@domain.com

From: *
To: *-domainxxyyzz.com@ispmailbox.com
Route: *@domain.com
Effect: This filter is used to unravel the mailbox mangling used by some ISPs, e.g. the ISP may use the address fred-domainxxyyzz.com@ispmailbox.com. This identifies the mail as being for fred@domain.com. The route extracts the "fred" part of the string and creates a new route of fred@domain.com. The exact form of this route will depend on how an ISP mangles their addresses.

From: *
To: *@domain.com
Route: *@domain2.com
Effect: This filter causes all messages for the domain domain.com to be delivered to the same named user at domain2.com, i.e. messages for fred@domain.com will be delivered to fred@domain2.com

From: *
To: *@domain.com
Route: *@domain.com|domain2.com
Effect: This filter causes all messages for the domain domain.com to be delivered via the remote domain domain2.com. This can be used to route mail for several domains through to another server that is more suited to handling the mail, or for setting up specific routers for specific users. After routing the recipient name is unchanged and will still be for the user in domain.com.

Anti-Virus

Scanner Loaded : Specifies which anti-virus scanner module is loaded.
Scanning Mode : Operating mode of the virus scanner
• Disable Virus Scanning
• Scan files and Quarantine infected messages*
• Scan files and Delete infected messages*

* Requires external Anti-Virus application

See also Anti-Virus Overview

Quarantine

Access Tab

These options control who has access to this object

Contents Tab

This tab contains the messages that have been quarantined. They may be redirected or deleted.
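The route table from the Routing section above, modelled as an added example (not FTGate code): first match wins, a blank route deletes, and a `|` suffix names the remote domain to deliver through. The matching rules (one `*` capture reused in the route, case-insensitive comparison) and all function names are assumptions made for illustration.

```python
import re

# Routes in table order: (from_pattern, to_pattern, route).
# An empty route string stands for the table's "blank" entry (delete).
ROUTES = [
    ("joe@domain.com", "fred@domain.com", ""),
    ("*", "*-domainxxyyzz.com@ispmailbox.com", "*@domain.com"),
    ("*", "joe@domain.com", "fred@domain.com"),
    ("*", "*@domain.com", "*@domain.com|domain2.com"),
]


def _compile(pattern):
    """Turn a route pattern into a regex; each '*' captures any run of characters."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("(.*)".join(literal_parts), re.IGNORECASE)


def apply_routes(routes, sender, recipient):
    """Return (action, recipient, via, route_index) for the first matching route.

    Later routes are never tested once one matches, so table order matters.
    """
    for index, (from_pat, to_pat, route) in enumerate(routes):
        if not _compile(from_pat).fullmatch(sender):
            continue
        to_match = _compile(to_pat).fullmatch(recipient)
        if not to_match:
            continue
        if route == "":
            return ("delete", None, None, index)
        target, _, via = route.partition("|")
        if "*" in target and not to_match.groups():
            # Assumed rule: a '*' in the route needs a '*' in the To pattern.
            raise ValueError(f"route {index}: '*' in route but none in To pattern")
        captured = to_match.group(1) if to_match.groups() else ""
        return ("deliver", target.replace("*", captured, 1), via or None, index)
    # No route matched: normal delivery.
    return ("deliver", recipient, None, None)


def unused_routes(routes, samples):
    """Indexes of routes that no (sender, recipient) sample reached.

    Useful for spotting a route shadowed by a broader one placed above it.
    """
    hit = {apply_routes(routes, s, r)[3] for s, r in samples}
    return [i for i in range(len(routes)) if i not in hit]


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("joe@domain.com", "fred@domain.com"),
        ("a@x.org", "fred-domainxxyyzz.com@ispmailbox.com"),
        ("a@x.org", "joe@domain.com"),
        ("a@x.org", "sue@domain.com"),
    ]
    for s, r in samples:
        print(s, "->", r, ":", apply_routes(ROUTES, s, r))
    # Moving the broad *@domain.com route above the joe route shadows it.
    reordered = [ROUTES[0], ROUTES[1], ROUTES[3], ROUTES[2]]
    print("unused after reorder:", unused_routes(reordered, samples))
```

Running the same samples against a reordered table shows which specific routes a broad wildcard entry has made unreachable.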
Filter Policies

Filter options

These flags govern which filter elements are enabled. The indented options will not run if the parent option is disabled.

Filter Control

Which messages are to be filtered
• No filtering
• Do not filter messages from Whitelisted addresses
• Do not filter messages from Authenticated addresses
• Do not filter messages from Authenticated or Whitelisted addresses
• Filter all messages

When filtering

Options that are applied to messages that are to be filtered

Filter message content : The action to be taken when messages have text or HTML components
• Do not filter message content
• Apply policy rules

Filter attachments : The action to be taken when attachments are included in a message
• Do not filter attachments
• Apply attachment filter to messages
• Apply attachment filter and purge HTML scripts from messages

Check messages against UBEBlock+ database : This option causes the messages to be checked with UBEBlock+ database. This causes a deeper message scan to occur looking for content that is known to be from spam sources.

Filter Attachments

The attachment filter defines the actions that should be taken when encountering a message with a specific attachment type. The available actions are:
• Allow : The message and attachment are unaltered
• Purge : The attachment is removed and a plain text notification inserted in its place
• Quarantine : The message is moved into the quarantine folder
• Delete : The message is deleted.

Filter Blacklist

The blacklist contains a list of addresses that are not permitted to send to this domain. Any message from a blacklisted sender will be either rejected by the SMTP server or have the blacklist (BL) flag set for later Filter Rule processing.

Filter Whitelist

The whitelist is used to identify known sources of messages that you do not want to filter.
If a message has a whitelisted sender then all SMTP filtering will be bypassed for that message and the WL flag will be set for the filter rule processing.

Note: If the SMTP service uses a different filter policy to the domain, then the whitelisted address must appear in both lists.

Include address books : When this option is selected then all the address books and mailing lists stored in the FTGate database (not ODBC databases) are included in the whitelist.

Filter Words

A list of words that if found in a message are used to identify that message as being bad. The presence of one or more of these words in a message will cause it to be rejected at the SMTP filter level or have the illegal word (IW) flag set for later filter rule processing.

Note: An illegal word must occur in the message with no separator characters.

Filter Phrases

A list of phrases that if found in a message are used to identify that message as being bad. The presence of one or more of these phrases in a message will cause it to be rejected at the SMTP filter level or have the illegal word (IP) flag set for later filter rule processing.

Note: The phrase filter performs a string match. If a single word is entered into the phrase list then it will match any string which contains those letters. For example, using the phrase bad will match against badly

Filter Safe Words

The safe word list is a list of words which, when occurring in a message, identify the message as being unsuitable for filtering.

By default all non-alpha characters are removed from strings that are entered into this list. In order to enter a string with non-alpha characters you must enclose the string in quotes, i.e. "the-string".

UbeBlock Rating

UbeBlock normally calculates a spam rating based upon the content of a message. The rating adjustments page provides a set of modifiers that will adjust the UbeBlock rating for certain message features. This can greatly aid the identification of Spam.
See Also
• Minimising Junk/UBE mail

Suggested Settings

The following rating adjustments are used on the FTGate Technology servers. We have found them to be effective.

Adjustment if recipient's mailbox is in the Subject : 50
Adjustment if there are three or more consecutive spaces in the Subject : 50
Acceptable proportion of unknown words against known words (Unknown ratio) : 20
Adjustment when message exceeds Unknown ratio threshold : 40
Weighting for images : 30
Weighting for external images : 75
Weighting for web links : 20
Weighting for unknown words : 10

Filter Rules

Filter Rule Management

Editing Filter Rules

Configuration

Registration

Server serial number : The serial number of the PC generated from the PC's system information
Mailbox Limit : The maximum number of mailboxes supported by the current licence
Mailboxes Used : The number of mailboxes used in this installation
Mailboxes Remaining : The number of mailboxes that can be created
Upgrade Protection and Support Plan (UPSP) expiry date : The date at which the UPSP will expire

The UPSP expiry date is automatically updated when FTGate checks for new versions. However, in the event that after UPSP renewal, FTGate is unable to contact our servers you may have to update the expiry date manually. In this case you should temporarily remove the registration key from FTGate and then add it back in. Then perform a manual activation. Please note that you must create a new activation key in order for the UPSP expiry date to be updated.

Registration Keys : These are the registration keys installed on this server. All of the keys need to be activated in order to be functional.

See also
• Registering and Activating Licences

System

System Folders : Specifies the location of the system folders.
• Configuration folder
• Cache folder
• Script library folder
• Backup folder

Safe Mode : If the system is in safe mode then only Web Admin is available. No servers (SMTP, POP, IMAP, etc.) are running.

System Restart : Clicking this button will restart FTGate. There will be a pause whilst FTGate restarts and you will be required to go through the Web Admin login to continue administering the system.

Administrators

This page contains a list of users who may log into the Web Admin interface.

See Also: Lost administrator passwords

Messages

FTGate offers considerable improvement in the facilities offered when sending any pre-configured message such as a system notification, message bounce, mailbox rule message or list server response.

The administrator can now specify if a message will be sent, the character set used by the message and the message body. This is further enhanced as the message body can be written in HTML and FTGate will detect the <HTML> tag at the start of the message body and format the email appropriately.

Thus a message of

This is a test message

would be sent as plain text while

<HTML><HEAD></HEAD>
<BODY><B>This is a test message</B></BODY>
</HTML>

would be sent as an HTML message.

Macro Expansion

FTGate includes some expandable macros that can be used to make the message body specific to a particular message condition or mailbox as follows:

Message that System Message is in response to:
$SUBJECT$
$FROMADDRESS$
$TOADDRESS$
$FROMNAME$
$TONAME$
$RCPTADDR$
$SUBJECT$
$HEADER$

Virus message:
$FILE$
$VIRUS$

Mailbox that System Message is about:
$MAILBOX$
$NAME$
$ADDRESS$
$COMMONNAME$

Group mailbox tracking message:
$TRACKING$

List mailbox messages when in distribution list mode:
$NAME$
$ADDRESS$

See also
• Customising Messages

Spooler

Spool path : The spool path defines the location under which all mailbox folders are stored.
Move Domains : Clicking this button will cause all of the domains in this server to be moved to the new spool path (above). Note that this action will cause FTGate to be suspended during the move and then restarted.
Script : The spooler runs this script for every message passing through the spooler

Logging

Details to log : Specifies the level of details to include in the event log. Debug includes the most detail while Critical will have the least.

NOTE: IT IS UNADVISABLE TO RUN A BUSY SYSTEM WITH DEBUG LOGGING ENABLED UNLESS YOU ARE TRYING TO DIAGNOSE A PROBLEM. DEBUG LOGGING PRODUCES A LARGE AMOUNT OF LOGGING INFORMATION AND THIS MUST BE WRITTEN TO THE LOG FILE. THIS HAS THE EFFECT OF REDUCING MOST TASKS TO THE EQUIVALENT OF A SINGLE THREAD AS ONLY ONE TASK CAN WRITE TO THE LOG AT ANY GIVEN TIME. THUS BUSY SYSTEMS SHOULD NOT BE RUN IN DEBUG MODE WITHOUT GOOD REASON.

Log path : Specifies the path to be used when creating log files

Billing : Billing logs create a record in a fixed format of all emails sent and received
• Do not create a billing log
• Create new billing log each month
• Create new billing log each day

Notification : Send the administrator a message for events of the following level.

Billing Log Contents

The billing log is a comma separated value file with the following fields:
• Date
• Time
• In/Out
• MessageId
• Sender
• Recipient
• Size

Archiving

Archive Enable : Storage of all messages that have been processed by FTGate. The messages are placed in a pair of files and can be accessed through either the Archive Web Admin page or the FTGateArchive utility
Archive folder : Create archive files in the following folder.
Archive Duration : Period to hold archive for retrieval by Web Admin (days)
Enable compression : This option causes the data in the archive to be compressed, reducing the archive file sizes by approximately 95%

DNS Servers

A DNS server is used to convert a text server name into its numeric IP address and to return other information required for mail handling.
At least one DNS server is required if you intend to use any of the following features:
• RBL lists (SMTP and Filter policy)
• SMTP PTR record checks
• SMTP SPF checks
• MX delivery of outbound mail

DNS Servers : This contains the list of servers that will be checked.
Direct DNS Queries : When this option is selected FTGate will not attempt to contact domain name servers directly but will send all traffic to the DNS servers listed
DNS Timeout : The DNS Timeout will determine how long FTGate will wait for a reply before deciding that the DNS is not going to respond.

RBL Sites

An RBL list is a list of addresses that an RBL list supplier believes are a source of Spam. They can be used with FTGate to prevent machines that are listed in the RBL from sending mail to your server. They can also be used by the Filter section to allow filtering of messages received by SmartPop which passed through an RBL listed site.

Care should be taken when selecting which RBL lists should be included because by using a list you are allowing a third party to determine which servers you will allow to send you mail. Many RBL lists contain machines that are called open relays. These relays may or may not be a source of spam but by their inclusion you would block all mail, both legitimate and spam, from that open relay server.

FTGate Technology recommend only the use of Spamhaus lists as they, sbl.spamhaus.org and sblxpl.spamhaus.org, do not include open relays.

Network Profiles

This list shows the available network profiles that can be used when connecting to the Internet. The list will always contain LAN and Proxy/Router entries.

Network Profile Options

Connection Tab

User name
Password
Connect timeout
Login timeout
Retry connection after
Attempt limit
Start delay

Actions Tab

ETRN : When enabled FTGate sends an ETRN command to the designated address.
POP : When enabled FTGate connects to the POP3 mailbox at the designated address.
This option should be used if your ISP requires you to connect to a mailbox prior to allowing you to relay.

Priority

Priority Strings : FTGate treats messages with header lines starting with any of these strings as priority messages.

Auto Update

FTGate contains an auto update facility that will automatically download any updates that are released. The updates can either be applied automatically or under administrator supervision.

• Automatic Update : FTGate will download the update, shutdown, apply the update and restart
• Manual Update : FTGate will download the update and display a message in WebAdmin informing the Administrator that a patch is available. The Administrator may then apply the update.

Proxy

These settings specify whether, and how, FTGate uses a proxy to connect to the Internet when Activating and running AutoUpdate.

Utility

Utilities
• Mailbox Import : Import mailboxes from an XML file into FTGate.

Mailbox Import

The mailbox import page allows the administrator to create one or more mailboxes by importing their definition from an XML file.
The XML file has the following format:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<mailboxes>
  <mailbox>
    <name>mailbox_name</name>
    <type>7</type>
    <password>password</password>
    <givenname>firstname</givenname>
    <sn>lastname</sn>
    <initials>initials</initials>
    <cn>nick name</cn>
    <o>organisation</o>
    <ou>department</ou>
    <title>title</title>
    <postaladdress />
    <l>town</l>
    <st>street</st>
    <c>country</c>
    <postalcode>post code</postalcode>
    <telephonenumber>tel number</telephonenumber>
    <facsimiletelephonenumber>fax number</facsimiletelephonenumber>
    <otherpager>mobile number</otherpager>
    <url>web url</url>
    <homepostaladdress>home address</homepostaladdress>
    <homephone>home phone</homephone>
    <otherfacsimiletelephonenumber>homefax</otherfacsimiletelephonenumber>
    <mobile>mobile number</mobile>
    <info>notes</info>
  </mailbox>
</mailboxes>

The <mailbox>...</mailbox> can be repeated multiple times with different mailbox data. Any fields that are not required can be omitted. The minimum file for creating a single minimal mailbox would be:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<mailboxes>
  <mailbox>
    <name>mailbox_name</name>
    <type>7</type>
    <password>password</password>
  </mailbox>
</mailboxes>

If in doubt about the format it is possible to export the existing mailboxes and examine the file created.

List All Mailboxes

Mailbox Export

Mailbox Import1

Groupware

Shared Folders

FTGate now offers groupware as standard. An important aspect of groupware is the ability to share folders. Shared folders allow users collective access to mail and an effective way to keep informed and share information.

FTGate uses Access Control Lists to restrict access to shared folders, for example you can allow just one or two users to put messages into a folder, but allow a broader range of people to read what is there.

Why Use Shared Folders?
Put simply, collaboration makes things simpler and more effective. Shared folders allow information to be shared in a controlled way. For example, they allow a group of users access to a common mailbox folder so that they can all read and respond to messages within the folder and be able to see what other people have done with messages in that folder, so everyone sees when a message is read, responded to, flagged, etc.

Shared folders just make life easier, and the more you use them the more potential you will see.

Shared Folder Access

The mechanism for sharing folders is IMAP (Internet Message Access Protocol). To use it you configure mail client accounts to collect mail via IMAP, rather than POP. Alternatively, you can simply use FTGate's Web Mail. In fact, due to the nature of folder sharing, you can use a mail client and Web Mail and see the same message and folder structure. So if you send a message using Web Mail and have it configured to save sent messages into a sent items folder, you will see the sent message in the appropriate folder in the mail client, i.e. the folders are synchronised.

Uses for Shared Folders

Shared folders have many uses beyond simply letting others see what's in your inbox:
• Collaboration
• File Distribution
• Announcements
• Knowledgebase
• Address Books
• Spam Training
• Quarantine Management

Collaboration
Groups of people, e.g. sales or support staff, can share a mailbox to keep all relevant material in one place, rather than each individual having their own sent items folder, for example.

File Distribution
Network Administrators can use them to distribute files to users on the LAN. The administrator posts a message with the relevant files attached, or a link to the files, and all of those with access to the folder can make sure that they have the latest drivers, updates, etc. on their machines.

Announcements
Administrators, managers, etc. can use them to post announcements to one location, rather than sending messages to every relevant individual.

Knowledgebase
A folder can accumulate a wealth of information available to all those with access. Here at FTGate Technology we maintain a copy of every support email that we send in a folder that is available for all of the support team to refer to.

Address Books
FTGate address books can be made available to a mail client so that you can get at contact information easily.

Spam Training
You can use shared folders to effectively train FTGate to identify Unsolicited Bulk Email (UBE) by the message's content.

Quarantine Management
The quarantine folder can be accessed as a shared folder so that those who have access to it can look at and recover messages that have been quarantined.

Address Books

Address books can be shared and accessed through Web Mail, LDAP and SolSight. You can also send an email to an address book to have it distributed to each of the members of the address book.

Each group mailbox also maintains a shared address book that contains and can be accessed by all members of that group. The primary example of this is the everyone group mailbox, that contains all the mailboxes in a domain and has a shared address book called members.

Mailing an address book:
To send an email for distribution through an address book list you will need to configure your mail client to authenticate against the SMTP server. IP based authentication is not sufficient.

Send the message to ABName/mailbox@domain.name

If you have access rights for this address book the message will be distributed.

LDAP address book searches:
You can search all or some of your address books including those shared by other users. You will be required to use LDAP logon in order to use LDAP. In order to search all your address books you should ensure that the search BASE string is blank.
In order to search a specific address book you should specify the address book email address as the BASE.

Calendar Overview

A calendar event can be for a certain time, between specific times, an all day event, or span multiple days. You can designate the type of event, and its priority. You can specify whether the event repeats, and how it repeats. And you can configure FTGate to send a custom notification about the event at a certain time, e.g. as a reminder.

Users can have more than one calendar to help organise their events.

Shared Folder Overview

Shared folders allow users collective access to messages, e.g. when a folder is shared by three users then all three users can see, and respond to, the messages in that folder.

To utilize shared folders the users must have their mail clients configured to collect mail via IMAP, or use Web Mail.

White Papers

The following white papers are available:
• Configuring SSL
• Disaster Planning
• FTGate as a DMZ relay
• FTGate as an MX relay
• Minimising Junk/UBE mail
• Forwarding to remote users in the same domain
• Customising Web Mail
• Shared Folders

SPAM: Change is coming

Why is change needed?

When FTGate Technology started supplying mail servers, over ten years ago, there was no such thing as spam. When you received a message you knew that it was most likely to be a genuine message that you should take time to read. The world was a nice place where everyone was trusted to only send you messages if they thought you wanted to get them. eMail was cheap, quick and efficient. The Internet was designed with this in mind: protocols were open, easy to implement and had no security at all.

Then things began to change. The low cost of sending an email, essentially nil, made it very cost effective to send millions of emails with a marketing message. At first no one really took any notice; one odd email of spam was not a problem. But it didn't stop there, it grew.
Now the problem has escalated to the point where there is more spam on the Internet than real mail, and the open protocols, that assumed trust, offer no means to protect ourselves from the deluge.

The problem is exacerbated by viruses. Many of these viruses are sent from machines whose owners do not know they are infected. They use random from addresses and often random to addresses and can come from anywhere on the Internet. They don't require a mail client or mail server to run.

Organised crime has also joined the game. They use virus infected machines called zombies to source spam to millions of addresses from machines whose users are unaware that this is happening. They use the machines to probe for addresses, phish for bank account details and launch denial of service attacks on companies.

As the problem has grown FTGate Technology have successfully introduced more and more features with which to fight spam: word filters, phrase filters, UbeBlock, blacklists, RBL lists and so on. These are all very effective methods of blocking spam which work on trying to identify which messages contain material that we would rather not receive or identifying sources of messages which are known to be bad.

However, the spammers are an ingenious bunch and at every stage they have found a means to obscure their message (html, word soup, etc.), hide their IP addresses (zombies, open relays, etc.), and this has produced an arms race in trying to identify the messages as being spam. We improve detection, they hide the message more skillfully, and it goes on, and on.

A shift in approach

There is a complete shift in approach going on, and FTGate Technology are part of this, being the first Mail server company to officially sign the SPF Community Position pledge. The shift is from a world where we try to identify spam to one where we identify legitimate messages, and assume everything else is junk.
There are several approaches to this, some of which are already used:

• White lists (current)
Used to identify addresses that we know are good and always want to receive.
• Safe words (current)
Words that have special meaning, such as product names, that are unlikely to be part of a junk email
• SPF (new in FTGate4 and being deployed throughout the Internet in 2004/2005)
This seeks to verify that a machine sending a message is authorised to send mail for that domain.
• Encryption/Signing (being deployed throughout the Internet 2005/2006)
This seeks to verify that the sender is who they say they are.
• Inverse Spam detection.
Determine that a message is good rather than that it is bad.

A combination of these features can result in a world where spam, viruses and other junk are eliminated completely.

Cleaning up the junk

Once we decide to reverse the problem, assume that most of the mail is junk, and try to find the good stuff, we can make some big improvements in the way the mail is handled.

SPF

At the top level we can have our mail servers check that there are valid SPF records for the senders of email. This allows us to reject mail which the sending domain owner says should not be sent, and prevents your domain being used to send mail which is not from you. It works like this:

1. A spammer connects to your server from address a.b.c.d and sends a junk email to you pretending to be from richard@ftgate.com
2. The server calls the ftgate.com DNS server and asks "Is a.b.c.d a valid sender for domain ftgate.com"
3. The ftgate.com DNS says no
4. The spam message is rejected

or

1. FTGate Technology send a message from 195.224.16.245 to your server and says it is from richard@ftgate.com
2. The server calls the ftgate.com DNS server and asks "Is 195.224.16.245 a valid sender for ftgate.com"
3. The FTGate server says yes
4. The message is accepted
5. The message bypasses filtering as it is known to be from a good address

or

1. A customer sends a message to your server from address a.b.c.d saying it's from bob@a.com
2. The server calls the a.com DNS server and says "Is a.b.c.d a valid sender for a.com"
3. The server says "I don't know" (either they do not support SPF or they do not know if the address is good for them)
4. The message is accepted
5. The message is passed to the remaining filters for analysis

This shows that as SPF is rolled out through the Internet community the level of trust for incoming messages will rise. Zombie machines and open relays will be blocked immediately, while spammers will be forced to use traceable domains and addresses which can then be blocked using the RBL systems or blacklists currently in place.

White lists

After the message arrives we can decide if we will filter it or not. A white list tells the server that we trust this address. The server can then deliver the message directly to the users. The problem for an administrator is that they must maintain a white list, which for large numbers of users can be very time consuming. FTGate4 has addressed this by allowing the administrator to include the entire server contact address book in the white list, thus allowing users to add their own white list entries through either WebMail or via SolSight.

UbeBlock spam analysis

The latest version of UbeBlock adds the ability to add a weight to unknown words. This makes training of the system very simple. Rather than trying to find every possible example of spam and train the system to identify it, we simply train it with a good sample of valid messages, which we all have in abundance. From that point on a message that contains words that are not in our normal emails will have a higher rating applied to it. Couple this with rating for HTML content and its overall rating and you can practically eliminate junk mail from your system.

Moving Forward

These features are effective, however, there is a down-side.
If you will only accept messages from addresses that are SPF validated or white listed users, you can expect other administrators to do the same. This means that you will be expected to authenticate your mail clients and vouch that their IP addresses are valid. This is not hard to do.

1. If you have your own domain name, you should publish an SPF record, or have your hosting company do it for you.
   • If you send directly to the Internet, you should list your server addresses.
   • If you use an ISP or hosting company, you should send through their servers and list their server addresses.
2. Have all your mail clients authenticate with SMTP and force them to send using the authenticated address. Do not let them authenticate as bob@a.com and send as fred@b.com unless you are sure that they have the right to do this, in which case they should really authenticate as fred@b.com anyway. (In the security policy set the SA and AR flags, clear the AA flag.)
3. Have all your mail clients send ONLY through your server. This will prevent anyone spoofing your domain, as SPF will then block all spoofed mail.
4. If you forward mail, you must change the envelope sender address to a local address, otherwise you will fail the SPF checking because your server will not be valid for the original domain. FTGate has done this for some time.
5. If you implement MX forwarding (FTGate remote domains) you should ensure that the receiving server WILL NOT perform SPF checking on the MX relay machines, as this would definitely fail SPF checking. (In the appropriate security policy, add the MX machines' IP range and clear the SPF flag.)

SmartPop

SmartPop is the poor relation when it comes to anti-spam handling. Because all the mail has already been accepted by your ISP and the IP address information is most likely lost or obscured, it becomes much harder to validate that the message is good. For this reason SmartPop does not have any SPF facilities.
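The three receiving scenarios from the SPF section of this white paper and the forwarding rule in step 4 of the list above, worked through as an added Python example (not FTGate code and not part of the original guide). Assumptions: DNS is replaced by a constructed record table, only the ip4, ip6 and all mechanisms are evaluated, 203.0.113.7 stands in for a.b.c.d, forwarder.example is a made-up forwarding host, and sending softfail, neutral and malformed results on to the filters is this example's choice.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: these are
# illustrative values, not the records the real domains publish).
SPF_RECORDS = {
    "ftgate.com": "v=spf1 ip4:195.224.16.245 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # a.com is deliberately absent: it publishes no SPF record.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_sender, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all terms of the sender domain's SPF record."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, redirect etc. need live DNS and are skipped here.
    return "neutral"                       # nothing matched and no "all" term


def disposition(client_ip, envelope_sender, records=SPF_RECORDS):
    """Map the SPF result to the three outcomes the white paper describes."""
    result = check_spf(client_ip, envelope_sender, records)
    if result == "fail":
        return "reject"          # the domain owner says this host must not send
    if result == "pass":
        return "accept-bypass"   # validated source, content filters are skipped
    return "accept-filter"       # "I don't know": pass to the remaining filters


def forwarded_disposition(forwarder_ip, original_sender, local_sender, rewrite):
    """What the next hop decides about mail relayed by a forwarding server.

    With rewrite=False the forwarder keeps the original envelope sender, so
    the next hop checks the forwarder's IP against the ORIGINAL domain.
    """
    sender = local_sender if rewrite else original_sender
    return disposition(forwarder_ip, sender)


if __name__ == "__main__":
    cases = [
        ("spoofed sender", "203.0.113.7", "richard@ftgate.com"),
        ("authorised host", "195.224.16.245", "richard@ftgate.com"),
        ("domain without SPF", "203.0.113.7", "bob@a.com"),
    ]
    for label, ip, sender in cases:
        print(f"{label:20} {ip:16} {sender:22} -> {disposition(ip, sender)}")
    for rewrite in (False, True):
        verdict = forwarded_disposition(
            "198.51.100.25", "richard@ftgate.com", "relay@forwarder.example", rewrite
        )
        print(f"forwarded, envelope rewritten={rewrite!s:5} -> {verdict}")
```

The forwarding case is the one that catches administrators out: the same message is rejected when the forwarder keeps the original envelope sender and accepted once it presents a local address.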
However, if your ISP implements SPF filtering and adds the required SPF header to the message, the main filters can be bypassed as if the message had been received and validated directly by FTGate.

The future

Over the course of the next few years a variety of techniques designed to limit junk and authenticate users will be tested by the Internet community. These include Yahoo's DomainKeys, Microsoft's PRA, IIM and others. As the technology stabilises we will continue to integrate their requirements into our systems. You can be sure that, as usual, FTGate mail servers will deliver your mail reliably and limit the junk you see.

Error Messages

Service Error Messages

FTGate categorises all its service error messages by using a reference code at the end of the error line. This code can be used to determine the exact cause of the error message. This section describes those error messages.

Code | Message | Notes | ID
#1.00 | Mailbox Disabled (#1.00) | mailbox is disabled in mailbox or privileges | ERR_MAILBOX_DISABLED
#1.01 | Mailbox Disabled (#1.01) | mailbox is a spamtrap | ERR_MAILBOX_SPAMTRAP
#1.02 | Allocated mailbox storage exceeded (#1.02) | quota error | ERR_MAILBOX_QUOTA
#1.03 | Out of disk space (#1.03) | | ERR_MAILBOX_FREESPACE
#1.04 | Too many connections from your address (#1.04) | | ERR_MAX_CONCURRENT
#1.04 | 451 4.5.1 [%s] Max concurrent sessions (#1.04) | | ERR_SMTP_REJECT_CONCURRENT
#1.04 | -ERR Too many connections from your address (#1.04) | | ERR_POP_CONCURRENT
#2.01 | (#2.01) | address has been temp blacklisted | ERR_SECPOL_NO_ACCESS
#2.02 | (#2.02) | address has either BL or no PA | ERR_SECPOL_BLACK
#2.03 | (#2.03) | RBL hit | ERR_SECPOL_RBL
#3.01 | 220 %s (#3.01) | | ERR_SMTP_SYSTEM_HELLO
#3.02 | 250 2.5.0 Sender <%s> Accepted (#3.02) | | ERR_SMTP_SENDEROK
#3.03 | 235 2.3.5 Auth OK (#3.03) | | ERR_SMTP_AUTHOK
#3.04 | 250 2.5.0 Recipient OK (#3.04) | | ERR_SMTP_RCPTOK
#3.05 | 250 2.5.0 Ok Message queued (#3.05) | | ERR_SMTP_MESSAGEOK
#3.06 | 220 2.2.0 ready for TLS (#3.06) | | ERR_SMTP_TLSOK
#3.07 | 250 2.5.0 Ok (#3.07) | | ERR_SMTP_OK
#3.08 | 221 2.2.1 Service closing transmission channel (#3.08) | | ERR_SMTP_CLOSING
#3.09 | 250 2.5.0 Mail queue started (#3.09) | | ERR_SMTP_QUEUESTARTED
#3.10 | 354 3.5.4 Start mail input; end with <CRLF>.<CRLF> (#3.10) | | ERR_SMTP_DATASTART
#3.11 | 334 | Authentication continue response | ERR_SMTP_334
#3.12 | 451 4.9.9 %s Invalid EHLO (#3.12) | | ERR_SMTP_TARPIT
#3.13 | 451 4.2.1 %s mailbox disabled (#3.13) | | ERR_SMTP_MAILBOX_DISABLED
#3.14 | 451 4.2.2 %s mailbox full (#3.14) | | ERR_SMTP_MAILBOX_FULL
#3.15 | 451 4.2.2 %s mailbox access error (#3.15) | | ERR_SMTP_MAILBOX_TOAST
#3.16 | 451 4.3.1 mail system is full (#3.16) | | ERR_SMTP_SYSTEM_LENGTH
#3.17 | 451 4.3.5 system configuration error (#3.17) | | ERR_SMTP_SYSTEM_CONFIGERR
#3.19 | 450 4.7.1 Server busy please try again later. See http://tinyurl.com/39pwkl (#3.19) | | ERR_SMTP_GLFAILDATA
#3.20 | 450 4.7.1 Server busy please try again later. See http://tinyurl.com/39pwkl (#3.20) | | ERR_SMTP_GLFAILRCP
#3.21 | 450 4.7.1 Please authenticate and try again (#3.21) | See: Managing Services and Security Policies/Options; AntiSpoofing | ERR_SMTP_SPOOF
#3.22 | 450 4.3.5 System error, please try again (#3.22) | | ERR_SMTP_HARDERROR
#4.21 | 500 5.5.1 Syntax Error (#4.21) | | ERR_SMTP_SYNTAX
#4.22 | 500 5.5.1 Syntax Error (%s) (#4.22) | | ERR_SMTP_SYNTAX2
#4.23 | 500 5.5.1 Bad command (#4.23) | | ERR_SMTP_SYNTAX3
#4.24 | 500 5.0.0 Domain Not Found (#4.24) | | ERR_SMTP_DOMAINNOTFOUND
#4.25 | 550 5.1.1 %s bad destination mailbox address (#4.25) | | ERR_SMTP_ADDRESS_BAD
#4.26 | 550 5.1.1 %s invalid mailbox address (#4.26) | | ERR_SMTP_ADDRESS_INVALID
#4.27 | 550 5.1.2 %s invalid domain (#4.27) | | ERR_SMTP_ADDRESS_DOAMIN
#4.28 | 550 5.1.1 %s unknown mailbox (#4.28) | | ERR_SMTP_ADDRESS_UNKNOWN
#4.29 | 550 5.1.1 %s unknown mailbox. You are so booted (#4.29) | | ERR_SMTP_ADDRESS_UNKNOWN2
#4.30 | 550 5.1.3 %s bad address syntax (#4.30) | | ERR_SMTP_ADDRESS_SYNTAX
#4.31 | 550 5.1.4 ambiguous address (#4.31) | | ERR_SMTP_ADDRESS_AMBIGUOUS
#4.32 | 500 5.0.0 sequence error (#4.32) | | ERR_SMTP_ADDRESS_SEQUENCE
#4.33 | 516 2.1.6 %s moved (#4.33) | | ERR_SMTP_ADDRESS_MOVED
#4.34 | 550 5.1.7 %s bad sender's address (#4.34) | | ERR_SMTP_ADDRESS_SENDER
#4.35 | 550 5.0.0 Sorry too many recipients (#4.35) | | ERR_SMTP_ADDRESS_RCPTCOUNT
#4.36 | 550 5.1.8 %s sender's domain does not exist (#4.36) | | ERR_SMTP_ADDRESS_SENDERSPOOF
#4.37 | 502 5.5.2 Syntax Error (#4.37) | | ERR_SMTP_ARGUMANT
#4.38 | 553 5.5.3 too many recipients (#4.38) | | ERR_SMTP_RCPTCOUNT
#4.39 | 550 5.2.3 message size exceeds administrative limit (#4.39) | | ERR_SMTP_MESSAGE_LENGTH
#4.40 | 554 5.6.0 Malformed message header, require FROM:, TO:, DATE:, SUBJECT: (#4.40) | | ERR_SMTP_MESSAGE_HEADER
#4.41 | 560 5.6.0 Prohibited Message Content (#4.41) | | ERR_SMTP_MESSAGE_CONTENT
#4.42 | 560 5.6.0 %s (#4.42) | | ERR_SMTP_MESSAGE_OTHER
#4.43 | 560 5.6.0 Message body not found (#4.43) | | ERR_SMTP_MESSAGE_BODY
#4.44 | 500 5.0.0 [%s] DNS Blackhole Rejection (#4.44) | | ERR_SMTP_REJECT_RBL
#4.45 | 500 5.0.0 [%s] IP rejected (#4.45) | | ERR_SMTP_REJECT_IP
#4.46 | 500 5.0.0 [%s] PTR record is blank - reverse DNS lookup failed (#4.46) | | ERR_SMTP_REJECT_PTR
#4.47 | 500 5.0.0 Sequence Error - zombie terminated (#4.47) | | ERR_SMTP_SYSTEM_ZOMBIE
#4.48 | 530 5.3.0 Must issue STARTTLS first (#4.48) | | ERR_SMTP_TLSREQUIRED
#4.49 | 550 5.1.8 Sender must be hosted on this server (#4.49) | | ERR_SMTP_ONLYHOSTED
#4.50 | 535 5.3.5 Auth Failed (#4.50) | | ERR_SMTP_AUTHFAILED
#4.51 | 503 5.0.3 Already Authorised (#4.51) | | ERR_SMTP_AUTHFAILED2
#4.52 | 535 5.3.5 Unrecognised response (#4.52) | | ERR_SMTP_AUTHWTF
#4.53 | 504 5.0.4 Unrecognised Authentication type (#4.53) | | ERR_SMTP_BADAUTH
#4.54 | 530 5.3.0 Authentication required (#4.54) | | ERR_SMTP_AUTHREQUIRED
#4.55 | 560 5.6.0 Too many addresses in header (#4.55) | | ERR_SMTP_BULKFAILED
#4.56 | 560 5.6.0 Too many hops (#4.56) | | ERR_SMTP_HOPSFAILED
#4.57 | 500 5.0.0 Channel already secure (#4.57) | | ERR_SMTP_SECUREFAILED
#4.58 | 500 5.0.0 Cannot switch to secure channel (#4.58) | | ERR_SMTP_SECUREFAILED2
#4.59 | 560 5.6.0 %s (#4.59) | | ERR_SMTP_SPFFAIL
#4.60 | 550 5.5.0 Sender rejected (#4.60) | | ERR_SMTP_SENDERBLACKLISTED
#4.61 | 550 5.5.0 The address %s does not match your authenticated address (#4.61) | | ERR_SMTP_AUTHMISMATCH
#4.62 | 550 5.5.0 Sender domain could not be confirmed (#4.62) | | ERR_SMTP_SENDERDOMAIN
#4.63 | 550 5.5.0 Relaying Denied <%s> (#4.63) | | ERR_SMTP_RELAYFAIL
#4.64 | 550 5.5.0 Relaying Denied <%s> Again - go away (#4.64) | | ERR_SMTP_RELAYFAIL2
#4.65 | 550 5.5.0 Access Denied <%s> (%s) (#4.65) | | ERR_SMTP_ACCESSDENIED
#4.66 | 550 5.5.0 Access Denied (#4.66) | | ERR_SMTP_ACCESSDENIED2
#4.67 | 550 5.5.0 No Route Found (#4.67) | | ERR_SMTP_GLACCESSDENIED
#4.68 | 550 5.5.0 String does not match anything (#4.68) | | ERR_SMTP_NOMATCH
#4.69 | 550 5.5.0 No Members (#4.69) | | ERR_SMTP_NOMEMBERS
#5.00 | -ERR Mailbox Access Error (#5.00) | mailbox is broken | ERR_POP_ACCESS
#5.01 | -ERR Access Denied (#5.01) | mailbox has no pop3 privileges | ERR_POP_ACCESSDENIED
#5.02 | -ERR Syntax Error (#5.02) | | ERR_POP_SYNTAX
#5.03 | -ERR TLS Required (#5.03) | | ERR_POP_TLS
#5.04 | -ERR Plain text login disabled, use APOP or TLS (#5.04) | | ERR_POP_SECUREAUTH
#5.05 | -ERR <%s> Mailbox Disabled (#5.05) | | ERR_POP_DISABLED
#5.06 | -ERR Login Error (#5.06) | | ERR_POP_LOGIN
#5.07 | -ERR <%s> Mailbox Locked (#5.07) | | ERR_POP_LOCKED
#5.08 | -ERR Login Error (#5.08) | bad password | ERR_POP_LOGIN2
#5.09 | -ERR Login Error (#5.09) | | ERR_POP_LOGIN3
#5.10 | -ERR invalid message number (#5.10) | | ERR_POP_MESSAGENUM
#5.11 | -ERR message deleted (#5.11) | | ERR_POP_DELETED
#5.12 | -ERR message unavailable (#5.12) | | ERR_POP_MESSAGEFAILURE
#5.13 | -ERR no such message, only n message in mailbox (#5.13) | | ERR_POP_MESSAGECOUNT

WebAdmin Login Messages

After logging onto WebAdmin the following error messages may be displayed:

Error Code | Meaning
#6.01 | The FTGate server is currently running in its 30day trial mode. The number of days of trial remaining are indicated. To remove this licence you should install an existing licence key or purchase a licence key.
#6.02 | The FTGate server 30day trial has finished and the server requires that a registration key be installed and activated in order to continue use of the server.
#6.03 | The server has been suspended for the indicated reason.
#6.04 | The FTGate server is licensed but not activated. In order to continue using FTGate it should be restarted and the server activated.
#6.05 | The server has one or more un-activated licence keys and will stop working one hour after it was last restarted.
#6.06 | The server's UPSP is expiring or has expired. You should renew the UPSP as you no longer have support and upgrade protection.
#6.07 | UBEBlock+ is disabled due to UPSP expiry.
#6.08 | There is an update available for installation.
#6.09 | An error occurred while checking for updates.
#6.10 | The FTGate anti-virus start up test failed. Your anti-virus product is either configured incorrectly or not installed.
#6.11 | Your anti-virus product is scanning the spool/inbox. This can cause problems if the anti-virus product blocks access to the file that FTGate is using. It is recommended that this folder be excluded from the on demand/access scanning in your anti-virus product.
#6.12 | The version you have is a beta test version that will cease to operate on the specified day. Beta versions are regularly updated so you should either perform an auto-update or check regularly for manual updates in the support forums.

Update History

FTGate History

FTGate Technology was established in 1994. You can be confident when purchasing FTGate that the product is built on the extensive experience of one of the longest and most respected suppliers in the industry.
Historical time line for FTGate:

• Jan 2009 FTGate6 released
• July 2007 FTGate5 released
• June 2005 Company renamed to FTGate Technology Ltd
• November 2004 FTGate4 and SolSight released
• March 2003 FTGateRelay V1.0 Released (FTGate3.22 engine)
• Feb 2003 FTGateUbeBlock V1.0 released
• Jan 2003 FTGateOffice/FTGatePro V1.2 Released (FTGate3.2 engine)
• Sept 2002 FTGateOffice/FTGatePro V1.1 Released (FTGate3.1 engine)
• Dec 2000 FTGate3 released as FTGateOffice and FTGatePro V1.0
• Sept 1998 FTGate V2.0 released
• April 1997 First Internet sales of FTGate V1.0
• Jan 1997 RBGate renamed FTGate
• June 1995 First sales of RBGate begin
• Nov 1994 Work started on First Mail server (RBGate)

FTGate2009 SR1

Updates in this release

• Archive viewing and handling improved
• Archive SmartPop layout improved
• Added support for '&' character in the phrase lists
• Modified SMTP so that SMTP AUTH overrides PTR, RBL, HELO and SPF failures.
• Customising the sign in has been simplified (see Customising SolSight Web)
• New sign in box created
• Made Anti-Virus self test at startup an optional action
• Added fast expire option to the Outbox and Remote domains (see General)
• Added DNS timeout control so users can now set the DNS timeout (see DNS Servers)
• Added a 4XX promotion option (see General)
• Bug fixes

Update 6.0.002

• Improved spam detection
• Added spam fingerprinting and auto-update of fingerprint files
• Fixed auto-update notification formatting.

Credits

FTGate is the vision and work of one man; practically everything you see was written by Richard Bang. The following tools and components were used in some parts of the program.

DHTMLGoodies - A library of DHTML and AJAX scripts
WYZZ - WYSIWYG editor

Glossary

P
Pattern matching characters: The characters * and ? when used in an address or string, e.g. *@domain.com, bob@domain.*, etc.

U
UPSP: Upgrade Protection and Support Plan
5, 13, 14, 15, 19, 22, 25, 34, 40, 76, 79, 80, 82, 83, 86, 91, 98, 100, 101, 102, 103, 104, 105, 106, 107, 111, 123 POP3 Migration .............................................25 Post Office Protocol V3 ...... 13, 25, 48, 52, 109 Postmaster ....................................................81 Priority Strings .............................................124 Privileges .......................................................83 Product Support ............................................10 Proxy .............................................37, 104, 124 Proxy Type ..................................................104 Proxy/Router ............................ 37, 41, 94, 123 Purge Scripts ................................................... 5 Purge/Quarantine/Delete ................................ 5 Q Quarantine...............................................5, 116 Quarantine Management ............................127 Queue Options ..............................................93 Queue Status .................................................. 5 Queues ..........................................................78 Quota Notification ..........................................83 R RBL ............................ 22, 40, 48, 68, 123, 131 Real time Blackhole Lists ............................123 Recurrent Events ............................................ 8 Registration ...........................................17, 119 Registration Keys ........................................119 Registration Overview ...................................17 Relay Control ................................................50 Relay Edition ...................................20, 74, 108 Remote Domain ............................5, 35, 41, 79 Remote Domain/Connection .........................23 Remote Mirror Mode ...................................113 Remote Monitor ............................................... 5 Remote POP3 mailboxes ..... 
41, 108, 109, 112 Remote Relay Domains .................................. 5 Remote users ................................................14 Forwarding .................................................14 Restart FTGate .............................................70 Rights ................................................1, 67, 127 Robot Mailboxes ...........................................86 Root.login ................................................34, 80 defining ......................................................80 Router Modem ..............................................37 Routing ..................................................76, 115 Rules ............................................................. 86 S Safe Mode .......................................23, 46, 120 Safe Word List ................................................. 5 Safe Words....................................................65 Safe-Mode FTGate .......................................46 Scan Message Header ................................111 Scanning .................................................5, 116 148 Script Folders .............................................. 102 Scripts Tab .................................................. 102 Searchable Archive ......................................... 5 Searchable Log ............................................... 5 Security Policies .48, 65, 95, 96, 100, 101, 102, 103, 104, 105, 106, 107 Security Policy IP Options ............................ 50 Security Policy Tab .... 100, 101, 102, 103, 104, 105, 106, 107 Segmented Cluster ....................................... 68 Send 15, 19, 27, 31, 36, 41, 48, 64, 81, 86, 109 Send Copy .................................................... 84 Send SMTP mail ........................................... 41 Sender Policy Framework .... 27, 48, 60, 64, 65, 122 Sending/Receiving ........................................ 31 Server Statistics .............................................. 
5 Service Access List .... 100, 101, 102, 103, 104, 105, 106, 107 Service Overview .......................................... 40 Service Types ............................................... 98 Services ............................................ 23, 52, 95 Services Tab ................................................. 95 Share button ........................................... 77, 86 Shared ........................................................ 127 Shared Folder Access................................. 127 Shared Folder Overview ............................. 129 Shared Folders ....................................... 8, 127 Shared Folders dialog ................................. 127 Show Status .................................................. 72 Shutdown FTGate ....................................... 114 Sign In .....................25, 40, 41, 44, 45, 48, 128 Signature ................................................. 86, 91 Signatures/Disclaimers ................................. 41 Simple Mail Transfer Protocol .... 27, 36, 40, 41, 48, 50, 52, 60, 94, 108, 109, 122, 128 SmartPop .......5, 14, 15, 19, 31, 35, 40, 41, 76, 108, 109, 111, 112, 123, 131 SmartPop delivery problems ....................... 111 SmartPop Duplicate Delivery ...................... 111 SmartPop/Delivery ...................................... 111 SMTP .5, 14, 15, 19, 22, 25, 27, 31, 34, 35, 36, 40, 41, 48, 50, 54, 61, 63, 65, 76, 79, 83, 84, 91, 92, 93, 94, 97, 98, 101, 109, 117, 118, 120, 122, 131 SMTP Authentication ................................ 5, 50 SMTP Errors ................................................. 48 SMTP Greylisting .......................................... 61 SMTP Hosts ................................ 15, 41, 93, 94 SMTP Send ................................................... 52 SMTP Welcome Text .................................... 97 SOFTWARE LICENCE AGREEMENT ........... 1 SolSight Chat .................................................. 
8 SolSight Web ................ 80, 82, 84, 86, 98, 102 SolSight™ ................................................... 1, 4 SPAM .....20, 27, 31, 35, 41, 48, 54, 60, 61, 64, 66, 67, 68, 76, 84, 94, 117, 118, 122, 123, 131 Spam Training ............................................. 127 Special Recipient .......................................... 64 Index SPF .................................... 48, 60, 65, 97, 131 Spool Path ...............................................23, 26 SQL .................................. 5, 47, 80, 85, 89, 90 SQL Based Mailing Lists ...............................47 SQL Database ...............................................85 SQL list ....................................................47, 90 SSL....... 5, 52, 53, 92, 100, 101, 102, 105, 107 SSL self signed certificates ...........................53 SSL Support ..................................................52 Starter Packs .................................................17 Startup.fts file ................................................46 Statistics ........................................................78 Status Monitor ................................................. 5 Support FAQ .................................................10 Support Forums ............................................10 Support Plan .........................................11, 119 Supported Systems .......................................13 Supported Versions .......................................10 System Administrators ..................................47 System Folders ...........................................120 System Mailbox .................................19, 67, 80 System Message .........................................120 System Requirements ...................................13 System Restart ............................................120 T Task Lists ........................................................ 8 Tasks ............................................................. 
88 Time Tab .......................................................83 TLS ....... 5, 52, 53, 92, 100, 101, 102, 105, 107 Tools/Options ................................................71 TRACKING ............................................39, 120 Tracking ID .................................................... 89 Training ................................................... 31, 82 Trashcan ............................................. 5, 37, 84 U UBE ........................................... 40, 60, 64, 127 UbeBlock ..5, 11, 31, 47, 54, 60, 66, 67, 68, 80, 82, 117, 118, 131 Unsolicited Bulk Email ................................ 127 Upgrade Protection Plan ............................... 11 UPSP .......................................... 5, 10, 11, 119 UPSP Status ................................................. 10 User Folders ................................................. 47 User Interface Guide ..................................... 75 User Mailboxes ......................................... 5, 80 V Virtual Folders ............................................. 102 Virtuals Tab ................................................. 102 Virus .................................... 31, 39, 60, 65, 120 VRFY............................................................. 97 W WAN .................................................. 22, 48, 52 Web Administration ........................... 14, 44, 74 Web Browsers ............................................... 13 Web Mail ...................14, 83, 86, 127, 128, 129 White Paper .......................................... 68, 131 Whitelisting .............................................. 61, 63 X X-listserver .................................................. 109 X-Recipient ................................................. 109 XTRASH IMAP .............................................. 37 149