
Below you will find information on using the Sandbox Service in NoSpamProxy. For general information on how a cloud sandbox works, licensing or data protection, see Informationen zum NoSpamProxy Sandbox-Service (German only).

Note

Since 2018 we have strongly recommended that NoSpamProxy customers take a whitelisting approach to content filtering (see our article on email firewalls). This recommendation applies in particular to the use of the NoSpamProxy Sandbox service.

An example: even though an “executable file for Windows” is supported by the sandbox, the question is whether you want to allow this potentially dangerous file type in your company at all. If not, it makes more sense to reject the file type outright, which also avoids the upload to the sandbox.

If a file is classified as unsuspicious by the sandbox service, the respective email will be delivered.


Sandbox hash query

Querying the sandbox database for hash values is not restricted and does not consume purchased licences. To enable it, tick the option Query the sandbox if the attachments of inbound emails are known to be malicious.

[Screenshot: NoSpamProxy Sandbox Service - Hash Check]
This check can be applied to all file types.

Sandbox upload

File uploads are limited to 20 files per user and month.

This value is a total for the whole installation; there is no strict per-user check. With a 50-user licence, for example, the NoSpamProxy installation may upload 1,000 files to the sandbox per month. Costs may be incurred if this limit is exceeded.

To limit the sandbox check to individual file types, create an additional content filter action that is applied only to those file types.
To enable uploads, activate the option Upload unknown files to the sandbox for analysis.
[Screenshot: NoSpamProxy Sandbox Service - Hash Check and Upload]

Supported file types

  • Executable files
    • Executable files for Windows
  • Office – Word
    • <all>
  • Office – Excel
    • <all>
  • Office – PowerPoint
    • <all>
  • Video
    • Adobe Flash (SWF)
    • Adobe Flash Video (FLV)
  • Text
    • Rich Text Format
    • Rich Text Format with OLE objects
    • PDF
    • PDF with URLs
  • Archives and compressed files
    • ZIP-compressed file
    • GZIP-compressed file
    • TAR archive
    • GZIP-compressed TAR archive
    • 7Zip-compressed file
  • Scripts (Configuration via file names)
    • .js
    • .vbs
    • .wsf
    • .ps
    • .py
    • .hta
    • .perl
    • .php
    • .sh

Delivery delay

If a file has to be uploaded to the sandbox (sandbox upload), the email is not accepted straight away but rejected temporarily (an SMTP 4xx response), so that the sending mail server delivers it again.

The temporary rejection is used because the analysis in the sandbox takes some time; it should normally be complete by the time the sending server makes its next delivery attempt, which is typically after about 5 minutes.

This results in a delivery delay for the affected emails, which must be taken into account. We therefore recommend checking carefully which files really need to be sent to the sandbox. Consider the following options if your company has time-critical processes or mailboxes:

  • Is a sandbox hash query sufficient instead of a full analysis (sandbox upload)?
  • A content filter entry can be given different actions for “Trusted emails” and “Untrusted emails”, so that one of them uses a sandbox hash query and the other a sandbox upload.
  • If necessary, Office documents can be converted into a safe PDF document by NoSpamProxy Content Disarming.
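To make the interplay of hash query, upload quota and temporary rejection concrete, here is an added simulation in Python. It is not NoSpamProxy code and does not talk to the real sandbox: the SMTP reply codes, the use of SHA-256 as the lookup hash, the 5-minute analysis time and all sample attachments and verdicts are assumptions constructed for the example. What it shows is the timeline a sending MTA sees (first attempt rejected with 4xx, retry after analysis accepted or rejected for good) and how the pooled monthly quota (20 uploads per licensed user) is consumed only by uploads, never by hash queries.

```python
"""Simulate the sandbox flow: hash query, pooled upload quota, temporary rejection.

Added example, not NoSpamProxy code. Reply codes, hash algorithm, analysis
delay and the sample attachments/verdicts are assumptions for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

UPLOADS_PER_USER_PER_MONTH = 20      # from the article: 20 files per user and month
ANALYSIS_SECONDS = 300               # assumption: verdict ready by the next retry (~5 min)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class SandboxGate:
    licensed_users: int
    known_bad: Set[str] = field(default_factory=set)              # hash database (constructed)
    known_good: Set[str] = field(default_factory=set)
    analysis_outcome: Dict[str, bool] = field(default_factory=dict)  # constructed: hash -> malicious?
    pending: Dict[str, float] = field(default_factory=dict)       # hash -> time analysis completes
    uploads_this_month: int = 0

    @property
    def upload_quota(self) -> int:
        """Pooled quota: 50 users -> 1000 uploads per month."""
        return self.licensed_users * UPLOADS_PER_USER_PER_MONTH

    @property
    def uploads_over_quota(self) -> int:
        """Uploads beyond the quota are not blocked, but may incur costs."""
        return max(0, self.uploads_this_month - self.upload_quota)

    def hash_query(self, data: bytes) -> str:
        """Free and unlimited: 'malicious', 'clean' or 'unknown'."""
        h = sha256_hex(data)
        if h in self.known_bad:
            return "malicious"
        if h in self.known_good:
            return "clean"
        return "unknown"

    def on_delivery_attempt(self, data: bytes, now: float, upload_enabled: bool = True) -> str:
        """SMTP reply for one delivery attempt of a mail carrying this attachment."""
        h = sha256_hex(data)
        verdict = self.hash_query(data)
        if verdict == "malicious":
            return "550 5.7.1 attachment known to be malicious"
        if verdict == "clean" or not upload_enabled:
            return "250 2.0.0 accepted"           # hash query only: no delay, no quota use
        if h not in self.pending:                 # unknown file: upload once, hold the mail off
            self.pending[h] = now + ANALYSIS_SECONDS
            self.uploads_this_month += 1
            return "451 4.7.1 attachment uploaded to sandbox, try again later"
        if now < self.pending[h]:
            return "451 4.7.1 sandbox analysis still in progress, try again later"
        # Analysis finished: store the verdict so later hash queries are free.
        del self.pending[h]
        (self.known_bad if self.analysis_outcome.get(h, False) else self.known_good).add(h)
        return self.on_delivery_attempt(data, now, upload_enabled)


# Constructed sample attachments.
SAMPLE_KNOWN_BAD = b"constructed sample: already in the hash database"
SAMPLE_NEW_BAD = b"constructed sample: unknown, turns out malicious"
SAMPLE_NEW_CLEAN = b"constructed sample: unknown, turns out clean"


def run_timeline() -> List[str]:
    """Delivery attempts as a sending MTA would make them (times in seconds)."""
    gate = SandboxGate(licensed_users=50,
                       known_bad={sha256_hex(SAMPLE_KNOWN_BAD)},
                       analysis_outcome={sha256_hex(SAMPLE_NEW_BAD): True})
    return [
        gate.on_delivery_attempt(SAMPLE_KNOWN_BAD, 0),    # 550: hash hit, nothing uploaded
        gate.on_delivery_attempt(SAMPLE_NEW_BAD, 0),      # 451: uploaded, retry later
        gate.on_delivery_attempt(SAMPLE_NEW_BAD, 120),    # 451: still analysing
        gate.on_delivery_attempt(SAMPLE_NEW_BAD, 300),    # 550: verdict malicious
        gate.on_delivery_attempt(SAMPLE_NEW_CLEAN, 0),    # 451: uploaded
        gate.on_delivery_attempt(SAMPLE_NEW_CLEAN, 300),  # 250: verdict clean, delivered
        f"uploads used: {gate.uploads_this_month} of {gate.upload_quota}",
    ]


if __name__ == "__main__":
    for line in run_timeline():
        print(line)
```

The retry between the first 451 and the final verdict is where the delivery delay of the section above comes from; a mailbox for which that delay is unacceptable can be given a content filter entry whose action stops at the hash query (`upload_enabled=False` in the model), which never returns 451.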

Starting with version 13, NoSpamProxy generates two DKIM keys: one in RSA format and one in EdDSA format (Edwards-Curve Digital Signature Algorithm; Ed25519 as specified for DKIM in RFC 8463, https://tools.ietf.org/html/rfc8463).


In the example, “key2018r” is the RSA key as used before. “key2018e” is the new EdDSA key introduced with version 13 and must also be published in DNS.

Upgrading to NoSpamProxy version 13

After the upgrade to version 13, the EdDSA key is generated automatically in addition to the existing keys. The following incident is then displayed on the start page of the console:

“The DNS entry dkim.teste._domainkey.dkim.test ( Own domain ) is missing. Please create the DNS entry to solve this issue. We’ll check again in a few minutes.”


An email is considered valid as long as at least one of its DKIM signatures validates successfully. It is therefore not a problem if the new EdDSA key is already used for signing but has not yet been published; the DNS record should nevertheless be created as soon as possible.

Please note: if the Intranet Role uses its own internal DNS server that does not perform external queries, all DKIM keys must also be published on that DNS server.

Creating a new key pair

Starting with version 13, the RSA key is generated with a stronger key length (2048 bits). Its public key is therefore longer than the 255 characters permitted for a single string in a DNS TXT record. When you enter the key in DNS it must be wrapped correctly: close the first string with a double quotation mark (") before it reaches 255 characters and continue with a second quoted string. Resolvers concatenate the strings of a TXT record, so the key is read as a whole.

Generated key in NoSpamProxy (unwrapped)

dkimr._domainkey IN TXT ("v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc
a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m
OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu
GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT
/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB")

Key to use in DNS (wrapped)
dkimr._domainkey IN TXT ("v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH"
"6kQ+SEca0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6Fpne
HXCfAY6mOI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEw
sQymCGUuGwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp
4yS2urmT/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92Q
IDAQAB")
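The following Python script is an added example (not part of this article and not NoSpamProxy code) that performs the wrapping above mechanically and, more importantly, checks the result the way a DKIM verifier would: it joins the published strings back together, parses the tag list and confirms that the key survived intact. It uses the 2048-bit key shown above; the record owner name `dkimr._domainkey` is taken from the example, while the DER header check (294 bytes, starting with a SEQUENCE of length 0x0122) is an assumption that holds for 2048-bit RSA keys in SubjectPublicKeyInfo form.

```python
"""Wrap a 2048-bit DKIM public key for publication as a DNS TXT record.

Added example, not NoSpamProxy code. A single character-string inside a TXT
record may hold at most 255 octets (RFC 1035), and a DKIM verifier joins all
strings of the record without separators (RFC 6376, section 3.6.2.2), so a
long key is published as several quoted strings. The key below is the one
shown on this page.
"""
import base64
from typing import Dict, List

# Public key exactly as in the "unwrapped" example above (392 base64 characters).
RSA_2048_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ"
    "EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY"
    "XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw"
    "P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy"
    "J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc"
    "a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m"
    "OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu"
    "GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT"
    "/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB"
)

MAX_CHARACTER_STRING = 255  # octets per <character-string>, RFC 1035 section 3.3


def dkim_txt_value(public_key_b64: str, key_type: str = "rsa") -> str:
    """Full TXT value of a DKIM key record (v=, k= and p= tags)."""
    return f"v=DKIM1; k={key_type}; p={public_key_b64}"


def split_character_strings(value: str, max_len: int = MAX_CHARACTER_STRING) -> List[str]:
    """Chop the value into consecutive strings of at most max_len octets."""
    if not 1 <= max_len <= MAX_CHARACTER_STRING:
        raise ValueError("a TXT character-string holds 1..255 octets")
    data = value.encode("ascii")  # DKIM tag-values are ASCII
    return [data[i:i + max_len].decode("ascii") for i in range(0, len(data), max_len)]


def zone_record(owner: str, value: str, max_len: int = MAX_CHARACTER_STRING) -> str:
    """Render a zone-file TXT record with each string quoted separately."""
    quoted = " ".join(f'"{part}"' for part in split_character_strings(value, max_len))
    return f"{owner} IN TXT ( {quoted} )"


def parse_dkim_tags(strings: List[str]) -> Dict[str, str]:
    """Re-assemble the strings as a verifier does and parse the tag list."""
    value = "".join(strings)
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        name, sep, val = item.strip().partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def check_published_record(strings: List[str], expected_key_b64: str) -> bool:
    """True if the strings are publishable and re-assemble to the expected key."""
    if any(len(s.encode("ascii")) > MAX_CHARACTER_STRING for s in strings):
        return False  # a zone loader or resolver would refuse such a string
    tags = parse_dkim_tags(strings)
    if tags.get("v") != "DKIM1" or tags.get("p") != expected_key_b64:
        return False
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if tags.get("k", "rsa") == "rsa":
        # Assumption for the example: a 2048-bit RSA SubjectPublicKeyInfo is
        # 294 bytes and starts with SEQUENCE (0x30) of length 0x0122.
        return len(der) == 294 and der[:4] == b"\x30\x82\x01\x22"
    return True


if __name__ == "__main__":
    value = dkim_txt_value(RSA_2048_KEY)
    print(zone_record("dkimr._domainkey", value))
    ok = check_published_record(split_character_strings(value), RSA_2048_KEY)
    print("record re-assembles correctly" if ok else "record is BROKEN")
```

After publishing, run the same check against what the resolver actually returns (for example the strings shown by `dig +short TXT dkimr._domainkey.example.org`): a single 410-character string, a string cut at the wrong place or a key with one character missing all fail it, which is exactly the class of mistake that silently breaks DKIM validation at the receiving side.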

Backing up DKIM keys

Before upgrading NoSpamProxy to a new version, and as part of regular backups, export and back up the current DKIM keys. Keys can be exported under “People and Identities > DKIM Keys” and imported again if the system has to be restored.

Note

Some DKIM validation tools do not accept DKIM keys in the new EdDSA format because they only expect RSA keys. Tools such as MXToolBox do accept the EdDSA format: https://mxtoolbox.com/dkim.aspx


Note: as part of changes to our infrastructure, new IP addresses and a new FQDN have come into effect. This article has been updated so that you can continue to use the TCP Proxy for NoSpamProxy. Make sure that you make all the necessary changes.

With some cloud-based systems, for instance in Microsoft Azure, outbound port 25 may be blocked by the provider. Port 25 is, however, required for sending emails, which prevents NoSpamProxy from delivering mail from such a system.

For such systems we offer an alternative in the form of our TCP proxy, which is activated in NoSpamProxy as described below. Once enabled, every outbound SMTP connection to a routable IPv4 address is tunnelled at TCP level through the TCP Proxy for NoSpamProxy: the Gateway Role sends the emails to the TCP proxy via port 443, and the proxy delivers them to the recipient system via port 25.

How to integrate the TCP proxy

  1. Stop the Gateway Role service via the NoSpamProxy Management Console or the Windows services.
  2. On the system on which the Gateway Role is installed, open a text editor as administrator.
  3. Open the configuration file Gateway Role.config from the directory C:\ProgramData\Net at Work Mail Gateway\Configuration\.
  4. In the file, search for <smtpServicePointConfiguration and add or change the attributes isProxyTunnelEnabled="true" proxyTunnelAddress="outboundproxy.nospamproxy.com". If <smtpServicePointConfiguration cannot be found, search for <netatwork.nospamproxy.proxyconfiguration instead and add the following line directly below it: <smtpServicePointConfiguration isProxyTunnelEnabled="true" proxyTunnelAddress="outboundproxy.nospamproxy.com" />
  5. Save the file and close the editor.
  6. Place the Root CA certificate (see Importing the Root CA Certificate below) in the Microsoft certificate store of the computer account under Trusted Root Certification Authorities > Certificates on the server on which the Gateway Role is installed.
  7. In the NoSpamProxy Management Console, under Configuration > NoSpamProxy Components > Gateway Roles, edit the corresponding Gateway Role and set SMTP Server Name to outboundproxy.nospamproxy.com.
  8. Start the Gateway Role service.
  9. Open Gateway Role.config again and check that the values from step 4 have been retained after the service start.
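Steps 3, 4 and 9 can be done by hand, but the "attribute present vs. element missing" distinction in step 4 is easy to get wrong in an editor, so here is an added Python example (not NoSpamProxy code) that applies both branches of step 4 idempotently and reads the values back for step 9. The element nesting (`smtpServicePointConfiguration` inside `netatwork.nospamproxy.proxyconfiguration`) is taken only from the description above, the two sample documents are constructed and far smaller than the real file, and `xml.etree` rewrites the whole document (it drops XML comments), so keep the `.bak` copy it writes. Stop the Gateway Role service before running it against the real file and start the service afterwards (steps 1 and 8).

```python
"""Enable the TCP proxy tunnel in Gateway Role.config (steps 3, 4 and 9 above).

Added example, not NoSpamProxy code. The element layout is assumed from the
article's description; the sample documents below are constructed.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Optional

PROXY_SECTION = "netatwork.nospamproxy.proxyconfiguration"
SERVICE_POINT = "smtpServicePointConfiguration"
PROXY_HOST = "outboundproxy.nospamproxy.com"
CONFIG_PATH = Path(r"C:\ProgramData\Net at Work Mail Gateway\Configuration\Gateway Role.config")


def _proxy_section(root: ET.Element) -> Optional[ET.Element]:
    # iter() matches tag names literally, so the dots in the tag are no problem.
    return next(root.iter(PROXY_SECTION), None)


def enable_proxy_tunnel(xml_text: str, proxy_host: str = PROXY_HOST) -> str:
    """Return the document with the tunnel enabled; safe to run more than once."""
    root = ET.fromstring(xml_text)
    section = _proxy_section(root)
    if section is None:
        raise ValueError(f"<{PROXY_SECTION}> not found; file does not match the assumed layout")
    spc = section.find(SERVICE_POINT)
    if spc is None:                      # second branch of step 4: create the element
        spc = ET.SubElement(section, SERVICE_POINT)
        spc.tail = "\n  "
    spc.set("isProxyTunnelEnabled", "true")   # first branch: add/overwrite the attributes
    spc.set("proxyTunnelAddress", proxy_host)
    return ET.tostring(root, encoding="unicode")


def tunnel_settings(xml_text: str) -> Dict[str, str]:
    """Read the attributes back (step 9: confirm they survived the service start)."""
    section = _proxy_section(ET.fromstring(xml_text))
    spc = section.find(SERVICE_POINT) if section is not None else None
    return dict(spc.attrib) if spc is not None else {}


def patch_config_file(path: Path = CONFIG_PATH, proxy_host: str = PROXY_HOST) -> Dict[str, str]:
    """Patch the file in place, keeping a .bak copy; returns the resulting settings."""
    original = path.read_text(encoding="utf-8")
    shutil.copyfile(path, path.with_suffix(path.suffix + ".bak"))
    # ET.tostring omits the XML declaration; keep the original one if present.
    declaration = ""
    if original.lstrip().startswith("<?xml"):
        declaration = original[:original.index("?>") + 2] + "\n"
    patched = enable_proxy_tunnel(original, proxy_host)
    path.write_text(declaration + patched, encoding="utf-8")
    return tunnel_settings(patched)


# Constructed samples covering both branches of step 4.
CONFIG_WITH_ELEMENT = """<configuration>
  <netatwork.nospamproxy.proxyconfiguration>
    <smtpServicePointConfiguration isProxyTunnelEnabled="false" />
  </netatwork.nospamproxy.proxyconfiguration>
</configuration>"""

CONFIG_WITHOUT_ELEMENT = """<configuration>
  <netatwork.nospamproxy.proxyconfiguration>
  </netatwork.nospamproxy.proxyconfiguration>
</configuration>"""


if __name__ == "__main__":
    for sample in (CONFIG_WITH_ELEMENT, CONFIG_WITHOUT_ELEMENT):
        print(enable_proxy_tunnel(sample))
        print("->", tunnel_settings(enable_proxy_tunnel(sample)))
```

If `tunnel_settings()` returns an empty dictionary after the service has been restarted, the change did not persist and step 4 has to be repeated, which is the case step 9 is meant to catch.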

Adjusting the SPF entry

  • If the TCP proxy is used, it is the system that delivers your emails to the recipients. The TCP proxy must therefore be covered by your SPF record as well. We strongly recommend adding the following to your SPF record:

include:_spf.proxy.nospamproxy.com

Importing the Root CA Certificate

  • Download the certificate provided above and import it on the system running the NoSpamProxy Gateway Role into the certificate store of the computer account under Trusted Root Certification Authorities.

Changing the SMTP server name in the properties of the Gateway Role

  1. In the NoSpamProxy Management Console, go to Configuration > NoSpamProxy Components.
  2. Under Gateway Roles, edit all Gateway Roles that are operated in Microsoft Azure as follows:
    1. Double-click the corresponding entry for the Gateway Role.
    2. Under SMTP Server Name, enter the value outboundproxy.nospamproxy.com.
  3. Click Save and close.

Adjusting the firewall (if necessary)

  • If you specifically block outbound connections, add an exception for the TCP proxy so that connections to the IP network 193.37.132.0/24 (TCP port 443) are allowed.

Configuration option 1

Within a single content filter you can define multiple content filter entries. These entries are OR-linked: they are processed one after the other from top to bottom, and as soon as one entry matches, the following entries are no longer processed.

Example:

A content filter entry of the file type “Office – Word” and a content filter entry of the file name “*.doc”.

[Screenshots: content filter with a file name condition in the content filter entry; content filter with a MIME type condition in the content filter entry]

In this case the file type is checked first. If that entry is skipped because the file type does not match, the next entry rejects all files that carry an Office Word file extension. A renamed file with an Office Word extension therefore cannot be delivered.

Configuration option 2

You can define several conditions within one filter entry. These conditions are AND-linked. Therefore, both conditions must apply to a file for it to be processed by the content filter entry.

Example:

Content filter entry with file type “Office – Word” AND file name “*.doc”

[Screenshot: content filter entry with AND-linked conditions]

In this case the entry only takes effect if the file is of the Office Word file type and its name also ends in “.doc”. Otherwise the entry is skipped and the attachment may not be processed as intended.
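The difference between the two configuration options is easiest to see on a renamed file. The following Python model is an added example (not NoSpamProxy code): it implements "entries are OR-linked, first match wins" and "conditions within an entry are AND-linked", determines the file type from the content and the name from the name alone, and runs both configurations over three constructed attachments. The magic-byte detector is deliberately minimal and treats every OLE container as Word, an assumption made only to keep the example short.

```python
"""Model the OR/AND semantics of NoSpamProxy content filter entries.

Added example, not NoSpamProxy code. The type detector and the sample
attachments are constructed for the example.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, deliberately minimal content sniffing.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy Office container (.doc)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a ZIP file
MZ_MAGIC = b"MZ"                                 # Windows executable


def detect_file_type(data: bytes) -> str:
    """Content-based file type; the file name plays no part here."""
    if data.startswith(MZ_MAGIC):
        return "Executable files for Windows"
    if data.startswith(OLE_MAGIC):
        return "Office – Word"  # assumption: every OLE file counts as Word here
    if data.startswith(ZIP_MAGIC) and b"word/document.xml" in data:
        return "Office – Word"
    return "Unknown"


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class Entry:
    """One content filter entry: every condition that is set must hold (AND)."""
    action: str                          # e.g. "reject", "sandbox-upload"
    file_type: Optional[str] = None      # condition on the detected type
    name_pattern: Optional[str] = None   # condition on the file name (glob)

    def matches(self, att: Attachment) -> bool:
        if self.file_type is not None and detect_file_type(att.data) != self.file_type:
            return False
        if self.name_pattern is not None and not fnmatch.fnmatchcase(
                att.name.lower(), self.name_pattern.lower()):
            return False
        return True


def apply_content_filter(entries: List[Entry], att: Attachment,
                         default: str = "unhandled") -> str:
    """Entries are OR-linked: the first matching entry decides, the rest are skipped."""
    for entry in entries:
        if entry.matches(att):
            return entry.action
    return default


# Configuration option 1: two entries with one condition each (OR).
OPTION_1 = [
    Entry(action="sandbox-upload", file_type="Office – Word"),
    Entry(action="reject", name_pattern="*.doc"),
]

# Configuration option 2: one entry carrying both conditions (AND).
OPTION_2 = [
    Entry(action="sandbox-upload", file_type="Office – Word", name_pattern="*.doc"),
]

# Constructed attachments: a real .doc, an executable renamed to .doc,
# and a real Word file renamed to .txt.
SAMPLES = {
    "genuine_doc": Attachment("report.doc", OLE_MAGIC + b"\x00" * 32),
    "exe_renamed_doc": Attachment("invoice.doc", MZ_MAGIC + b"\x90" * 32),
    "doc_renamed_txt": Attachment("notes.txt", OLE_MAGIC + b"\x00" * 32),
}


def evaluate(entries: List[Entry]) -> Dict[str, str]:
    return {label: apply_content_filter(entries, att) for label, att in SAMPLES.items()}


if __name__ == "__main__":
    print("option 1:", evaluate(OPTION_1))
    print("option 2:", evaluate(OPTION_2))
```

With option 1 the executable renamed to `invoice.doc` is caught by the second entry and the Word file renamed to `notes.txt` is still recognised by content; with option 2 neither matches the single entry, so both fall through unhandled, which is what "the attachment may not be processed as intended" means in practice.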


Because the Delivery via queues mode of the inbound send connectors is increasingly required in NoSpamProxy, we are discontinuing direct delivery.

What is Delivery via queues?

In this mode, emails are received by NoSpamProxy, checked and then acknowledged directly to the sending server. Only afterwards are they forwarded to the downstream systems.
This procedure is particularly important for content filtering and for forwarding to Office 365 tenants. It also has the advantage that incoming emails are kept in the queue if the downstream system is unreachable and are forwarded as soon as it can be reached again.

How can it be configured?

Go to “Configuration > Email routing > Inbound send connectors” and click “Switch to Delivery via queue”.


Below you will find a number of popular key servers operated by established manufacturers, along with the corresponding settings for the integration in NoSpamProxy.

These directories are automatically queried via the Open Keys server.

Provider: A-Trust
Hostname: ldap.a-trust.at:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Arbeitsagentur (for further information about this LDAP server please contact IT-Systemhaus.Vertrauensdienste@arbeitsagentur.de)
Hostname: cert-download.arbeitsagentur.de:389
Login: CN=Username,OU=BA,O=Bundesagentur für Arbeit,C=de
LDAP search: In container OU=BA,O=Bundesagentur für Arbeit,C=de on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Federal Office for Information Security (BSI)
Hostname: x500.bund.de:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: D-TRUST
Hostname: directory.d-trust.net:389
Login: Anonymous
LDAP search: In container c=de on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Datev
Hostname: ldap.crl.esecure.datev.de:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: DFN
Hostname: ldap.pca.dfn.de:389
Login: Anonymous
LDAP search: In container o=DFN-Verein,c=DE on (mail=%e)
LDAP fields: userCertificate;binary

Provider: S-Trust
Hostname: directory.s-trust.de:389
Login: Anonymous
LDAP search: In container dc=s-trust,dc=de on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Siemens PKI
Hostname: cl.siemens.com:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: T-Systems Mailpass
Hostname: ldap.t-mailpass.de:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: DigiCert, Inc
Hostname: directory.pki.digicert.com:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: SwissSign AG
Hostname: directory.swisssign.net:389
Login: Anonymous
LDAP search: In container o=SwissSign,c=CH on (mail=%e)
LDAP fields: userCertificate;binary
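Every entry above follows the same pattern: host and port, an anonymous or named bind, a base DN (or none for an unlimited search) and a filter in which `%e` is replaced by the recipient address. The one detail that matters for security is that substitution: the address comes from the mail being processed, so it has to be escaped as an LDAP assertion value (RFC 4515) before it is put into the filter, otherwise an address like `*)(objectClass=*` turns the lookup into a wildcard query. The following Python code is an added example (not NoSpamProxy code) that models a subset of the table as data, builds the escaped search parameters offline, and, only when run directly, performs the query with the third-party `ldap3` library; the `KeyServer` class, its field names and the `ldap3` usage are assumptions of the example, and the Arbeitsagentur bind DN keeps the `Username` placeholder from the table.

```python
"""Build the LDAP certificate lookup for the key servers listed above.

Added example, not NoSpamProxy code. The server list is transcribed from
the table; the data model and the ldap3 usage are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KeyServer:
    provider: str
    host: str
    port: int = 389
    base_dn: str = ""                     # "" = unlimited search from the root
    bind_dn: Optional[str] = None         # None = anonymous bind
    filter_template: str = "(mail=%e)"
    attributes: Tuple[str, ...] = ("userCertificate;binary",)


KEY_SERVERS: List[KeyServer] = [
    KeyServer("D-TRUST", "directory.d-trust.net", base_dn="c=de"),
    KeyServer("DFN", "ldap.pca.dfn.de", base_dn="o=DFN-Verein,c=DE"),
    KeyServer("S-Trust", "directory.s-trust.de", base_dn="dc=s-trust,dc=de"),
    KeyServer("SwissSign AG", "directory.swisssign.net", base_dn="o=SwissSign,c=CH"),
    KeyServer("Siemens PKI", "cl.siemens.com"),
    KeyServer("DigiCert, Inc", "directory.pki.digicert.com"),
    KeyServer("Arbeitsagentur", "cert-download.arbeitsagentur.de",
              base_dn="OU=BA,O=Bundesagentur für Arbeit,C=de",
              bind_dn="CN=Username,OU=BA,O=Bundesagentur für Arbeit,C=de"),
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL are written as \\XX; non-ASCII characters
    are escaped byte by byte in UTF-8, as the RFC requires.
    """
    out: List[str] = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) > 127:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_search(server: KeyServer, email: str) -> Dict[str, object]:
    """Turn a KeyServer entry plus a recipient address into search parameters."""
    if "%e" not in server.filter_template:
        raise ValueError("filter template has no %e placeholder")
    if "@" not in email or any(c.isspace() for c in email):
        raise ValueError("not a plausible e-mail address")
    return {
        "host": server.host,
        "port": server.port,
        "bind_dn": server.bind_dn,
        "base": server.base_dn,
        "scope": "SUBTREE",
        "filter": server.filter_template.replace("%e", escape_filter_value(email)),
        "attributes": list(server.attributes),
    }


def by_provider(name: str) -> KeyServer:
    return next(s for s in KEY_SERVERS if s.provider == name)


if __name__ == "__main__":
    # Live query, e.g.:  python keyserver_lookup.py "D-TRUST" someone@example.org
    import sys
    from ldap3 import Connection, Server, SUBTREE  # pip install ldap3

    query = build_search(by_provider(sys.argv[1]), sys.argv[2])
    conn = Connection(Server(query["host"], port=query["port"]), auto_bind=True)  # anonymous
    conn.search(query["base"], query["filter"], search_scope=SUBTREE,
                attributes=query["attributes"])
    for entry in conn.response:
        if entry.get("type") == "searchResEntry":
            for der in entry["raw_attributes"].get("userCertificate;binary", []):
                print(entry["dn"], len(der), "bytes of DER")
```

Two caveats apply to every server in the list: port 389 is unencrypted and the bind is anonymous, so the directory answer itself proves nothing; a certificate fetched this way is only usable after its chain has been validated against a trusted issuer, which is what NoSpamProxy's own certificate checks are for.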


Office 365-relevant IP addresses

All IP addresses relevant for Office 365 integration in NoSpamProxy can be found at https://support.office.com/de-de/article/URLs-und-IP-Adressbereiche-von-Office-365-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Learn how to set up Office 365 in NoSpamProxy in our blog post NoSpamProxy integration in Office 365.