In NoSpamProxy it is possible to request and revoke certificates via a managed PKI of an external certificate provider. In addition, certificates can be promoted to a domain certificate – also called gateway certificate – for your own domains or for partner domains. With a domain certificate, all emails are encrypted/decrypted or signed, depending on the certificate and direction, if there is no separate certificate for the recipient/sender.


  • The Encryption module is licensed.
  • Certificate provider is set up (for requesting and revoking).
  • Certificate can be used by the entire company (upgrade for certificate).

Request certificates (manually via user)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact.
  3. Click Request cryptographic keys for selected users and follow the instructions in the dialog.


Request certificates (automatically via a user group)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Click Automatic user import.
  3. Highlight the relevant Active Directory import and click Modify.
  4. On the Groups tab, highlight the Active Directory group and klick Add.
  5. In the dialog Automatic key request, select the relevant provider and confirm.

Each time an Active Directory import (scheduled or manual) is performed, the system checks whether a new certificate is required for a user in the group.

Revoking certificates

  1. Go to People and identities > domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be revoked.
  5. Click Revoke.
  6. Follow the indstructions from the dialog.


The following two descriptions lead to one certificate being used for an entire company.

Please note: The other end must always support this and allow the certificate to be used for it. If you have any questions about the certificate, please contact the issuing authority.

Promoting certificates for a partner domain 

  1. Go to People and identities > Partners.
  2. Select the partner domain and click Modify.
  3. On the User entries tab, select the user with the domain certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted and click Promote to domain certificates.
  5. Follow the instructions from the dialog.


Please note: The certificate is no longer available in the user entry, but on the Domain entry tab under End-to-end encryption > Modify on the Certificates tab.

Promoting certificates for owned domains

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email Addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted.
  5. Click Promote to domain certificates.
  6. Follow the instructions from the dialog.


Please note: The certificate is no longer available in the contact, but under Owned domains in the relevant domain on the Certificates tab.


Starting with NoSpamProxy version 13, NoSpamProxy informs about the fill level of the database if a Microsoft SQL Express version (max. 10GB per database) is filled by more than 70 percent.

In the following you will find some hints on how to react to a corresponding message in the console.

Warning Levels

NoSpamProxy warns you about a full database in two stages:

When the database is 70% full
  • a message is added to the event log,
  • a message is displayed under Incidents on the NoSpamProxy console start page, and
  • a notification is sent to the set administrator email address.
When the database is 90% full
  • a message is added to the event log,
  • a warning is displayed on the NoSpamProxy console start page under Incidents, and
  • a notification is sent to the set administrator email address.

What are possible reasons for a full database?

  • The configured period of message tracking and its details (monitoring) is too long.
  • There are problems with communication between two or more NoSpamProxy roles.
  • Expired data has not been properly deleted from the database.

How to analyse the database

To find out why the database has reached the respective size, proceed as follows:

  1. Install Microsoft SQL Management Studio on the system on which the affected database is installed.
    Microsoft SQL Management Studio is available free of charge from the Microsoft website.
  2. Start SQL Management Studio.
  3. Log on to the SQL instance where the database is located.
    These instances are usually called (local)\SQLEXPRESS or (local)\NOSPAMPROXY.
  4. After successfully logging on, execute the following SQL queries (depending on the NoSpamProxy role involved); to do this, you only need to change the first row to the following databases:

Intranet Role:
USE [NoSpamProxyAddressSynchronization]

Gateway Role:
USE [NoSpamProxyDB]

Web Portal:
USE [enQsigPortal]

USE [NoSpamProxyAddressSynchronization]
isnull(t.NAME, 'Total') AS TableName, as SchemaName,
p.rows AS RowCounts,
CAST(ROUND(((SUM(a.used_pages) * 8) / 1024.00), 2) AS NUMERIC(36, 2)) AS SizeInMB
sys.tables t
sys.indexes i ON t.OBJECT_ID = i.object_id
sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id
sys.allocation_units a ON p.partition_id = a.container_id
sys.schemas s ON t.schema_id = s.schema_id
AND t.is_ms_shipped = 0
ROLLUP(t.Name, s.Name, p.Rows)
HAVING p.rows is not null or (p.rows is null and is null)
sum(a.used_pages) desc

How can the results be interpreted and solved?

In the output of the SQL script you can find an overview of all existing tables of the database as well as information about their size.

Output of Tables Sizes

Output of Tables Sizes

There are two specific tables that should be empty in normal operation or whose entries should change constantly each time they are called:

  • DataReplication.Artefact


    Table Size of DataReplication.Artefact table

  • MessageTracking.LegacyMessageTrackEntry

    Table Size of Table MessageTrack. Legacy´MessageTrackEntry

    Table Size of Table MessageTrack. LegacyMessageTrackEntry

If data accumulates in these tables but does not degrade, this indicates that problems exist. These must be clarified and solved by the NoSpamProxy support. In this case, please contact the partner responsible for you or – if you have purchased manufacturer support – the NoSpamProxy support directly.

All other scenarios indicate that the storage period for message tracking is too long, which you can edit and reduce in the NoSpamProxy console under Configuration > Advanced Settings > Monitoring. The reduction usually takes up to 24 hours, so that a result is usually not visible until the next day.


It is common that not only the user who originally performed the installation needs to perform updates, but also other administrator accounts. To do this, it is necessary to set up the appropriate permissions for these additional users. The corresponding steps are described below:

  1. Notes
      • All steps apply to all roles of NoSpamProxy; they differ only in the database names.
        • Database Intranet Role: NoSpamProxyAddressSynchronization
        • Database Gateway Role: NoSpamProxyDB
        • Database Web Portal: enQsigPortal
      • Users and user groups (local or in the domain) can be registered.
    • Log on with the user with which the installation was performed.
  2. Install the SQL Management Studio.
  3. Open SQL Management Studio and log on to the local instance  that contains the NoSpamProxy database(s), using Windows authentication.
  4. Expand the Security folder and the Logins folder.
  5. Right-click on the “Logins” folder and select “New Login” from the context menu.
  6. Under “General”, select the user to be added, but keep the “Windows Authentication” item.
    Database Rights - General
  7. Under “Server Roles” tick the checkbox for “sysadmin”.
    Database Rights - Server Roles
  8. Under “User Mapping”, check the corresponding database and additionally activate the role “db_owner”.
    Database Rights - User Mapping
  9. All other settings are optional.
  10. Save the new login and close SQL Management Studio.

To verify access, log on to the system with the added user, open SQL Management Studio, and check whether you can view the database tables. If this works, access is set up.


PDF conversion as part of Content Disarm and Reconstruction (CDR), converts Microsoft Word, Microsoft Excel and PDF documents into secure PDF files by removing any active content. The PDF file can then be opened without any concerns, with the original file either left attached to the email or removed. CDR is a feature in NoSpamProxy Protection and in conjunction with NoSpamProxy Large Files provides an optimal way to disarm unsafe documents and retain the original files.

CDR is configured in the “Content filter actions” and then applied to the corresponding emails via the “Content filters”. A training video on the content filters can be found at (German only).

This conversion process is very time-consuming and not all documents can be converted. We have built in a protection mechanism so that the unsafe attachments are not delivered, even if the conversion fails.

  • If only Protection, but not Large Files, is licensed, the email for which the conversion did not work is first stored under “Monitoring > Emails on hold” and the configured administrator is informed. The administrator then has the task of checking the email and can then either download it as an EML file and forward it via Outlook or deactivate/change the content filter for this email for a limited time and force delivery again.
  • If Protection and Large Files are licensed, the original file will be uploaded to the Web Portal if the conversion fails (if desired even if the conversion was successful), but it will be locked there, so that it must also be released by the administrator, deviating from the settings for the successful conversion. The prerequisite for this is the setting “Upload the original document to the Web Portal” in the Content Filter action.
    The email itself is delivered to the recipient, with the corresponding information for downloading, but without the converted PDF file, as this was not possible.

This protective mechanism cannot be changed or influenced.


Since the conversion component is provided by a third-party provider, we have only very limited influence on it. If the conversion cannot be performed to your satisfaction, please send us the file to be converted, if possible. Make sure that the file does not contain any personal data. We will then make this file available to the third party provider for analysis. We would like to point out that a feedback on our part is not possible, as the adaptation process can be very lengthy.


The filter “Cyren AntiSpam” is available if NoSpamProxy Protection is licensed. This filter does the main work of checking emails for spam regarding content and structure of the email. It generates a Reference ID, which is sent to Cyren when an email is received and checked against a database. If this check reveals no characteristics of spam emails, the email will be accepted. Otherwise, the filter assigns 4 SCL (Spam Confidence Level) points, which in the default settings already rejects the email.

In order to continuously improve the recognition of emails of this type, we have the option of reporting to Cyren emails that have not been recognised as spam or have been incorrectly recognised as spam as false negatives or false positives. To enable us to do so, please send us the necessary information – as indicated below – to the email address

Please note:

  • Do not keep emails stored and please do not send us ZIP archives.
  • The false positives and false negatives should always be reported promptly so that further delivery attempts are filtered correctly.
  • Reports should not be older than 7 days.
  • Before forwarding, please check whether the unwanted e-mail is really spam or perhaps a newsletter from which you can unsubscribe via a link or possibly comes from a mailing list with which you are registered and from which you can/must be removed

False Negatives

These are unrecognized spam emails that were delivered by NoSpamProxy in spite of all checks.

  • For the analysis of false negatives, please send us the original email as .eml or .msg files, as it arrived at the recipient’s mailbox, as a direct attachment to a newly written email.
  • It must not be an internally forwarded email, since the headers of the email may no longer be complete, or changed.

False Positives

These are desired emails that have been classified as spam and have therefore not been delivered, but rejected.

  • Please send us the exported message track from message tracking. To export it, go to the NoSpamProxy console under “Monitoring > Message Tracking”, double-click on the corresponding entry so that the details of the message open, and then click on “Export message track” in the bottom left corner of the window. This will save a .XML file up to version 11.1 and a .JSON file from version 12.0. Please send us this exported file.
  • If Cyren AntiSpam is the only filter that takes effect and the partner domain has an applicable trust greater than 50, the email will still be delivered because the trust rating is sufficient. As soon as other filters are added, this is no longer possible.
  • Starting with version 13, you also have the option of activating the file directly from the NoSpamProxy console. To do this, go to “Monitoring > Message Tracking” in the console, mark the corresponding entry in the message tracking and then click on the link “Report as ‘False Positive’ to Cyren” below the list.
    The activation can take several hours. If after one day the e-mail is still blocked, please send the exported message track and the original e-mail to

More information


Due to the increasing requirement of the Delivery via queues mode within the incoming send connectors of NoSpamProxy we will discontinue the direct delivery.

What is Delivery via queues?

In this mode, emails are received by NoSpamProxy, checked and then committed directly to the sending server. Only then will emails be forwarded to the downstream systems.
This procedure is particularly important for content filtering and forwarding to Office 365 tenants. It also offers the advantage that of keeping the incoming mails in the queue if the following system is not reachable and forwarding them directly if they can be reached again.

How can it be configured?

Please go to “Configuration > Email routing > Inbound send connectors” and click  “Switch to Delivery via queue”.


This Knowledge Base article describes the integration of the NoSpamProxy Performance Counter in PRTG.

The following performance counters are available on the server with the NoSpamProxy Gateway Role and can be integrated into PRTG.


\NoSpamProxy Queues(_total)\Currently active

\NoSpamProxy Queues(_total)\Delay notifications sent

\NoSpamProxy Queues(_total)\Network failures

\NoSpamProxy Queues(_total)\Non delivery Reports sent

\NoSpamProxy Queues(_total)\Pending mails

\NoSpamProxy Queues(_total)\Relay notifications sent


In PRTG, select the device (Gateway Role Server) and add a “PerfCounter Custom” sensor (right-click).

When searching for the sensor to be created, restrict it via Custom Sensors/Performance Counters.

  • The sensor name can be freely assigned
  • Under “List of Counters” one of the above (cut and paste) must be specified.
  • The interval is inherited from the host by default, but can also be defined (see below).
    Then, click Create.

NoSpamProxy Performance Counter für PRTG


The following list provides only a small selection of apps able to display PDF Mails correctly.


  • Adobe Acrobat Reader (Desktop version, free version available)


  • Foxit (free version available)
  • xodo PDF (free version available)


  • Foxit (free version available)
  • xodo PDF (free version available)