Starting with version 13, NoSpamProxy generates two DKIM keys: one in RSA format and one in EdDSA format (Edwards-Curve Digital Signature Algorithm). The corresponding RFC is RFC 8463: https://tools.ietf.org/html/rfc8463

In the example, “key2018r” is the RSA key, as before. “key2018e” is new as of version 13 and must also be published in the DNS.

Upgrading to NoSpamProxy version 13

After upgrading to version 13, the EdDSA key is automatically generated in addition to the existing keys. The following incident is displayed on the console’s start page:

“The DNS entry dkim.teste._domainkey.dkim.test ( Own domain ) is missing. Please create the DNS entry to solve this issue. We’ll check again in a few minutes.”

Emails are considered valid as long as one of the applied DKIM keys has been successfully validated. It is therefore no problem if the new DKIM key is used in EdDSA format but has not yet been published. However, this should be implemented as soon as possible.

Please note: If the intranet role uses its own internal DNS server that does not perform external queries, all DKIM keys on this DNS server must also be published.

Creating a new key pair

Starting with version 13, the RSA key is generated with a stronger key length (2048 bit), which makes the published key longer than the 255 characters a single DNS TXT string may contain. The generated key must therefore be wrapped correctly when it is entered in the DNS: close the first part with a double quotation mark (") so that it contains fewer than 255 characters, and continue the remainder in a second quoted string.

Generated key in NoSpamProxy (unwrapped)

dkimr._domainkey IN TXT ("v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc
a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m
OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu
GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT
/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB")

Key to use in DNS (wrapped)

dkimr._domainkey IN TXT ("v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY
XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw
P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy
J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH"
"6kQ+SEca0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6Fpne
HXCfAY6mOI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEw
sQymCGUuGwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp
4yS2urmT/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92Q
IDAQAB")
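The wrapping rule described above, as an added Python example that is not part of NoSpamProxy or of this article: it splits a DKIM TXT value into quoted strings of at most 255 characters, rejoins them the way a verifying mail server does, and walks the DER SubjectPublicKeyInfo just far enough to confirm the RSA key size. The key material is the example record from this page; the function names and the 255-character split point are my own choice.

```python
import base64

# The 392-character base64 public key from the example record above, as one string.
EXAMPLE_P = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ"
    "EAzvf5N0hu8i4wM5quF3e5otVwN/IhKeoEEbkstlIgGY"
    "XSZQ+Tc7tJmkn/QyD8rvTWhAdmrLPfsDt2GwCkKBlupw"
    "P7mtyQYR8bzw2fPCiUMW+Y7FyfRJSAFhRwykkrG1JbCy"
    "J5Phn8qRYH4Rq1lo8BavEr7+/MeEf/CR1gdXH6kQ+SEc"
    "a0M/2OJjoHOLdmvsyb9qnBa5HB58DQr6FpneHXCfAY6m"
    "OI6vykmkVfb/MAr9CZFKrWY+17dPHDhKJDEwsQymCGUu"
    "GwzLwlPcjLVbMSQGXrtdWy8cJbeOa+iO2Gwp4yS2urmT"
    "/k8aK4256GhSQbBH3HOCxRgNL3Yb4G1mo92QIDAQAB"
)
EXAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + EXAMPLE_P
MAX_STRING = 255  # one TXT <character-string> holds at most 255 octets

def wrap_txt(record, limit=MAX_STRING):
    """Split a TXT value into pieces that each fit into one quoted string."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def zone_line(owner, pieces):  # render in the quoted, parenthesised form used above
    return "%s IN TXT (%s)" % (owner, " ".join('"%s"' % p for p in pieces))

def _tlv(buf, i, tag):
    """Expect DER `tag` at buf[i]; return (content length, index of content)."""
    if buf[i] != tag:
        raise ValueError("unexpected DER tag 0x%02x at offset %d" % (buf[i], i))
    if buf[i + 1] < 0x80:
        return buf[i + 1], i + 2
    n = buf[i + 1] & 0x7F
    return int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n

def rsa_key_bits(spki):
    """Walk a SubjectPublicKeyInfo just far enough to read the RSA modulus size."""
    _, i = _tlv(spki, 0, 0x30)            # SubjectPublicKeyInfo SEQUENCE
    n, i = _tlv(spki, i, 0x30); i += n    # AlgorithmIdentifier (skipped)
    _, i = _tlv(spki, i, 0x03); i += 1    # BIT STRING; skip the unused-bits octet
    _, i = _tlv(spki, i, 0x30)            # RSAPublicKey SEQUENCE
    n, i = _tlv(spki, i, 0x02)            # modulus INTEGER
    return int.from_bytes(spki[i:i + n], "big").bit_length()

def check_dkim_txt(pieces):
    """Rejoin the quoted strings as a verifier does and validate what they carry."""
    if any(len(p) > MAX_STRING for p in pieces):
        raise ValueError("a quoted string is longer than 255 characters")
    joined = "".join(pieces)
    tags = dict(t.strip().split("=", 1) for t in joined.split(";") if t.strip())
    der = base64.b64decode(tags["p"], validate=True)
    return {"k": tags.get("k"), "bits": rsa_key_bits(der), "strings": len(pieces)}
```

Run `check_dkim_txt` against the strings you actually published (for example the output of `dig TXT`) to confirm they rejoin into the 2048-bit key before relying on the new selector.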

Backing up DKIM keys

Before upgrading NoSpamProxy to a new version, or for regular backups, the current DKIM key should be exported and backed up. The key can be exported under “People and Identities > DKIM Keys” and imported again if the system is restored.

Note

Some DKIM validation tools do not accept DKIM keys in the new EdDSA format, because they only expect RSA formats. Tools such as MXToolBox will accept the EdDSA format: https://mxtoolbox.com/dkim.aspx

In cloud-based systems, for example in Microsoft Azure, port 25 may be blocked by the provider. Since port 25 is required to send emails, this prevents the operation of NoSpamProxy on such a system. We offer an alternative that allows such systems to be used anyway: our “TCP Proxy”. It is activated in NoSpamProxy as described below. Emails are then sent from the server via port 443 to the TCP Proxy and from there via port 25 to the recipient system.

General information on using the TCP proxy

  • If the TCP proxy is implemented, it appears as the sending system. Therefore, the TCP proxy must also be included in your SPF record using a:proxy.nospamproxy.de
  • You must download the certificate mentioned below and import it into the Microsoft certificate management system of the computer account on the system with the NoSpamProxy gateway role as a “Trusted Root Certificate”.

Integrating the TCP Proxy

  1. Stop the service of the gateway role via the NoSpamProxy console or the Windows services.
  2. On the system on which the gateway role is installed, open a text editor as administrator.
  3. Open the configuration file “Gateway Role.config” from the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration\”.
  4. Look for <smtpServicePointConfiguration in the file. If it is not present, search for <netatwork.nospamproxy.proxyconfiguration instead and add the following line directly below it: <smtpServicePointConfiguration isProxyTunnelEnabled="true" />
  5. Save the file and close the editor.
  6. Place the root CA certificate in the Microsoft certificate store of the computer account under “Trusted Root Certification Authorities > Certificates” on the server on which the gateway role is located.
  7. Edit the corresponding gateway role in the NoSpamProxy console under “Configuration > NoSpamProxy components > Gateway roles” and change the value for “SMTP server name” to proxy.nospamproxy.de.
  8. Start the gateway role service again.
  9. Open the file “Gateway Role.config” again and check whether the value was retained at startup.

Configuration option 1

You can define multiple content filter entries within a single content filter. These content filter entries are OR-linked: they are processed one after the other from top to bottom, and as soon as the first entry takes effect, the following entries are no longer processed.

Example:

A content filter entry of the file type “Office – Word” and a content filter entry of the file name “*.doc”.

[Figures: content filter with file name conditions in the content filter entry; content filter with MIME type conditions in the content filter entry]

In this case, the file type is checked first. If that entry is skipped because the detected file type does not match, the next entry rejects every file whose name has an Office Word extension. Thus no renamed file with an Office Word extension can be delivered.

Configuration option 2

You can define several conditions within one filter entry. These conditions are AND-linked. Therefore, both conditions must apply to a file for it to be processed by the content filter entry.

Example:

Content filter entry for file type “Office – Word” AND file name “*.doc”

[Figure: content filter with two conditions in the content filter entry]

In this case, this entry will only take effect if the file is of Office Word file type and also ends with “.doc”. Otherwise this entry will be skipped and the attachment may not be processed correctly.
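A small model of the two configuration options, as an added Python example (not NoSpamProxy code): entries are OR-linked and evaluated top to bottom with the first match winning, while conditions inside one entry are AND-linked. The attachment records and the file type labels are constructed for this example; the interesting case is a file of another type that was renamed to “.doc”.

```python
import fnmatch

# Constructed attachments: the file type as detected from the content, and the file name.
WORD_REAL = {"name": "report.doc", "type": "Office - Word"}
RENAMED = {"name": "tool.doc", "type": "unknown"}           # some other file renamed to .doc
WORD_OTHER_EXT = {"name": "notes.rtf", "type": "Office - Word"}

def file_type_is(expected):
    return lambda att: att["type"] == expected

def file_name_matches(pattern):
    return lambda att: fnmatch.fnmatch(att["name"].lower(), pattern.lower())

def entry_applies(att, conditions):
    """Conditions inside one content filter entry are AND-linked."""
    return all(cond(att) for cond in conditions)

def first_matching_entry(att, entries):
    """Entries are OR-linked, checked top to bottom; the first entry that applies wins."""
    for label, conditions in entries:
        if entry_applies(att, conditions):
            return label
    return None  # no entry applied: this filter does not handle the attachment

# Configuration option 1: two entries with one condition each.
OPTION_1 = [
    ("entry 1: file type Office - Word", [file_type_is("Office - Word")]),
    ("entry 2: file name *.doc", [file_name_matches("*.doc")]),
]
# Configuration option 2: one entry with both conditions.
OPTION_2 = [
    ("entry 1: file type Office - Word AND file name *.doc",
     [file_type_is("Office - Word"), file_name_matches("*.doc")]),
]
```

With option 1 the renamed file is caught by the second entry; with option 2 it matches no entry at all, which is the gap the paragraph above warns about.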

Because the Delivery via queues mode of the inbound send connectors in NoSpamProxy is required in more and more scenarios, we will discontinue direct delivery.

What is Delivery via queues?

In this mode, emails are received by NoSpamProxy, checked, and then acknowledged directly to the sending server. Only then are the emails forwarded to the downstream systems.
This procedure is particularly important for content filtering and for forwarding to Office 365 tenants. It also has the advantage that incoming emails are kept in the queue while the downstream system is not reachable and are forwarded as soon as it can be reached again.

How can it be configured?

Please go to “Configuration > Email routing > Inbound send connectors” and click “Switch to Delivery via queue”.


Below you will find a number of popular key servers operated by established manufacturers, along with the corresponding settings for the integration in NoSpamProxy.

These directories are automatically queried via the Open Keys server.

Provider: A-Trust
Hostname: ldap.a-trust.at:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Arbeitsagentur (for further information about this LDAP server, please contact IT-Systemhaus.Zertifizierungsdienst@arbeitsagentur.de)
Hostname: cert-download.arbeitsagentur.de:389
Login: CN=Username,OU=BA,O=Bundesagentur für Arbeit,C=de
LDAP search: In container OU=BA,O=Bundesagentur für Arbeit,C=de on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Federal Office for Information Security (BSI)
Hostname: x500.bund.de:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: D-TRUST
Hostname: directory.d-trust.net:389
Login: Anonymous
LDAP search: In container c=de on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Datev
Hostname: ldap.crl.esecure.datev.de:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: DFN
Hostname: ldap.pca.dfn.de:389
Login: Anonymous
LDAP search: In container with base DN o=DFN-Verein,c=DE on (mail=%e)
LDAP fields: userCertificate;binary

Provider: S-Trust
Hostname: directory.s-trust.de:389
Login: Anonymous
LDAP search: In container dc=s-trust,dc=de on (mail=%e)
LDAP fields: userCertificate;binary

Provider: Siemens PKI
Hostname: cl.siemens.com:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: T-Systems Mailpass
Hostname: ldap.t-mailpass.de:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: DigiCert, Inc
Hostname: ldap://directory.pki.digicert.com:389
Login: Anonymous
LDAP search: Unlimited search on (mail=%e)
LDAP fields: userCertificate;binary

Provider: SwissSign AG
Hostname: directory.swisssign.net:389
Login: Anonymous
LDAP search: In container o=SwissSign,c=CH on (mail=%e)
LDAP fields: userCertificate;binary


Office 365-relevant IP addresses

All IP addresses relevant for Office 365 integration in NoSpamProxy can be found at https://support.office.com/de-de/article/URLs-und-IP-Adressbereiche-von-Office-365-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Learn how to set up Office 365 in NoSpamProxy in our blog post NoSpamProxy integration in Office 365.