Info Icon

It is possible that the Cyren engines used generate error messages that are not traceable to the engines themselves, but to communication problems with Cyren data centers. This article shows you ways to test the communication and function.

Details about the three Cyren engines in NoSpamProxy

NoSpamProxy currently has three Cyren engines that are active, depending on the configuration and licensed modules.

Cyren AntiSpam and Cyren Premium AntiVirus (ctasd)

  • Program folder: C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service
  • Program file: ctasd.exe
  • Configuration folder: C:\ProgramData\Net at Work Mail Gateway\Cyren
  • Configuration file: ctasd.conf
  • Service name: NetatworkMailGatewayCyrenService
  • Service display name: NoSpamProxy – CYREN Service
  • Definitions folder: C:\ProgramData\Net at Work Mail Gateway\Cyren\Definitions
  • Definitions files: aivsecon-v2.def, antivir-v2.def, antivir-v2.ini, antivir-v2-hit.ini
    • these four files should always be in the directory
    • The file “antivir-v2-hit.ini” should never be older than 2 hours
    • To re-update,restart the service
  • External access: resolver1.netat.ctmail.com, resolver [2…5] .netat.ctmail.com
  • Licensed Module: NoSpamProxy Server Protection, NoSpamProxy Server Suite

Cyren IP Reputation (ctipd)

  • Program folder: C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service
  • Program file: ctipd.exe
  • Configuration folder: C:\ProgramData\Net at Work Mail Gateway\Cyren
  • Configuration file: ctipd.conf
  • Service Name: NetatworkMailGatewayCyrenIpReputationService
  • Service Display Name: NoSpamProxy – CYREN IP Reputation Service
  • External access: Iprep1.t.ctmail.com,Iprep[2… 5]. t.ctmail.com
  • Licensed Module: NoSpamProxy Server Protection, NoSpamProxy Server Suite

Cyren URL Categorization (ctwsd)

  • Program folder: C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service
  • Program file: ctwsd.exe
  • Configuration folder: C:\ProgramData\Net at Work Mail Gateway\Cyren
  • Configuration file: ctwsd.conf
  • Service Name: NetatworkMailGatewayCyrenUrlService
  • Service Display Name: NoSpamProxy – CYREN URL Categorization Service
  • External access: webres1.t.ctmail.com,webres[2… 5]. t.ctmail.com
  • Licensed Module: NoSpamProxy Server Protection, NoSpamProxy Server Suite

Note: All paths are the default paths and may differ from your installation.

Troubleshooting

In the following section you will find a small checklist, which you should always check before the first request to the support

  • Is the necessary module licensed in NoSpamProxy? If not, you don’t need the services and can disable them on the system in the Windows services.
  • Has the Knowledge Base article How to configure on-access virus scanners been applied to all systems with the appropriate services?
  • Is a web proxy required for Internet communication in your company and is it registered according to the knowledge base article How to configure CYREN services?
    • This must be checked and re-entered after each NoSpamProxy Update/Upgrade.
    • Always edit the newly created file, never overwrite it with an old version of the file.
  • Is it possible to communicate with and/or without web proxy to all mentioned external systems of Cyren?
  • Are there any exceptions on the firewall to access all sub-domains from ctmail.com? These connections must not be used for virus scanning, content filtering, or other checks!
  • Are there any error messages when the services are running interactively via the command prompt (CMD)? To run interactively, please follow these steps aus and attach a screenshot of the request’s communication to support.
    1. Stop each service from Microsoft Windows services.
    2. Open a prompt with administrator privileges.
    3. Run the command for the service, to be tested. Use the path to the corresponding executable if you do not have NoSpamProxy installed in the default directory
      • Ctasd
        CMD > “C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service\ctasd.exe” -c “C:\ProgramData\Net at Work Mail Gateway\Cyren-ctasd.conf” -i
      • Ctipd
        CMD > “C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service\ctipd.exe” -c “C:\ProgramData\Net at Work Mail Gateway\Cyren-ctipd.conf” -i
      • Ctwsd
        CMD > “C:\Program Files”Net at Work Mail Gateway\Cyren Integration Service\ctwsd.exe” -c “C:\ProgramData\Net at Work Mail Gateway\Cyren-ctwsd.conf” -i
    4. Copy the output or take a screenshot of the output.

If you have checked all these points, please open a support ticket with the information attached so that more logs can be created for analysis.

information thumbnail social media

Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the corresponding port of your proxy server in ” ProxyPort”. Behind the entry “ProxyServerAddress” you configure either the IP address or the FQDN of your proxy server. For “ProxyAuth” leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.

Note

In order for all Cyren services to function properly, unrestricted access to *.ctmail.com must be given. Also a virus scan on these connections must not be done, because the definitions for the Cyren Premium AntiVirus are downloaded there as well!

blank

To set a reverse DNS entry (RDNS entry) in Microsoft Azure, do the following:

  1. Open portal.azure.com.
  2. Go to Dashboard > Resource groups > [YourVirtualComputer] > Configuration.
  3. Enter a name for the public IP address.
    DNS-Namensbezeichnung
  4. Open Azure Shell.
    Oeffnen der Azure Shell
  5. Enter the following command:
    az network public-ip update –[NameOfTheResourceGroupWhereTheComputerIsLocated] –[NameOfTheResourceGroupThatCorrespondsToThePublicIP] –[MXName, for example mail.netatwork.de] –[TheDNSName].

 

blank

In most cases, the support team needs files to analyze a problem. This article describes how to simplify and speed up the analysis of problems.

The following information can be collected in advance and made directly available to support:

  • The NoSpamProxy version installed
    Th version number can be found on the start page of the console on the right side of the screen.
    blank
  • Description of the problem
    Brief description of the problem and how it manifests itself. The following information is useful for analysis (if available):

      • Warnings and/or errors that occurred at the time of the problem and was displayed in the NoSpamProxy console under Monitoring > Event Viewer.
      • Message Tracking Details (Message Track)
        If there are delivery problems, these can be exported as follows:
      1. Go to Monitoring > Message tracking.
      2. Double-click the relevant entry.
      3. On the bottom-left of the new window, click Export message track.
      4. Save the JSON file.
  • Information from Monitoring > Email queues and/or Monitoring > Emails on hold in the NoSpamProxy console.
  • Other information and/or screenshots describing the problem.
  • For unrecognized emails that clearly contain spam or viruses, please refer to the Knowledge Base article Recognition of emails by the Cyren AntiSpam filter

Email delivery issues

In most cases, the above information is sufficient to identify the reason for delivery problems. In individual cases, however, it is necessary to create a log file of the communication. To do this, the problem must be reproducible.

Please note: Logging should not be permanently activated, since log files are only written, but not automatically deleted. This must be monitored by the administrator himself.

To create a log file, proceed as follows:

  1. Go to  Troubleshooting > Log settings.
  2. Select a gateway role and click Modify.
  3. On the tab Log settings, enable logging, specify the location of the log file and activate the following protocols:
    • AntiSpam service
    • Mailvalidation
    • DNS Service
    • Proxy System
      blank
  4. Repeat step 3 for each gateway role if multiple gateway roles are licensed and active.
  5. Replicate the problem.
  6. Wait 5 minutes until you go to step 7.
  7. Undo steps 3 and 4 (disable logging).
  8. Collect the generated log files from the location of the log file from the gateway roles (ideally compress as a ZIP file) and make them available to support at ticket creation or after opening.
blank

In NoSpamProxy it is possible to request and revoke certificates via a managed PKI of an external certificate provider. In addition, certificates can be promoted to a domain certificate – also called gateway certificate – for your own domains or for partner domains. With a domain certificate, all emails are encrypted/decrypted or signed, depending on the certificate and direction, if there is no separate certificate for the recipient/sender.

Requirements:

  • The Encryption module is licensed.
  • Certificate provider is set up (for requesting and revoking).
  • Certificate can be used by the entire company (upgrade for certificate).

Request certificates (manually via user)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact.
  3. Click Request cryptographic keys for selected users and follow the instructions in the dialog.

blank

Request certificates (automatically via a user group)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Click Automatic user import.
  3. Highlight the relevant Active Directory import and click Modify.
    blank
  4. On the Groups tab, highlight the Active Directory group and klick Add.
  5. In the dialog Automatic key request, select the relevant provider and confirm.

Each time an Active Directory import (scheduled or manual) is performed, the system checks whether a new certificate is required for a user in the group.

Revoking certificates

  1. Go to People and identities > domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be revoked.
  5. Click Revoke.
  6. Follow the indstructions from the dialog.

blank

The following two descriptions lead to one certificate being used for an entire company.

Please note: The other end must always support this and allow the certificate to be used for it. If you have any questions about the certificate, please contact the issuing authority.

Promoting certificates for a partner domain 

  1. Go to People and identities > Partners.
  2. Select the partner domain and click Modify.
  3. On the User entries tab, select the user with the domain certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted and click Promote to domain certificates.
  5. Follow the instructions from the dialog.

blank

Please note: The certificate is no longer available in the user entry, but on the Domain entry tab under End-to-end encryption > Modify on the Certificates tab.

Promoting certificates for owned domains

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email Addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted.
  5. Click Promote to domain certificates.
  6. Follow the instructions from the dialog.

blank

Please note: The certificate is no longer available in the contact, but under Owned domains in the relevant domain on the Certificates tab.

blank

It is possible that in cloud-based systems – for example in Microsoft Azure – port 25 is blocked by the provider. However, port 25 is required to send emails, which prevents the operation of NoSpamProxy on such a system. We offer an alternative to use such systems anyway: our “TCP Proxy”. This system can be activated in NoSpamProxy as described below. Then the emails are sent from the server via port 443 to the TCP Proxy and from there via port 25 to the recipient system.

General information on using the TCP proxy

  • If the TCP proxy is implemented, it appears as the sending system. Therefore, the TCP proxy must also be included in your SPF record using a:proxy.nospamproxy.de
  • You must download the certificate mentioned below and import it into the Microsoft certificate management system of the computer account on the system with the NoSpamProxy gateway role as a “Trusted Root Certificate”.

Integrating the TCP Proxy

  1. Stop the service of the gateway role via the NoSpamProxy console or the Windows services.
  2. Open as administrator a text editor on the system on which the gateway role is installed..
  3. Open the configuration file “Gateway Role.config” from the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration\”.
  4. Look for <smtpServicePointConfiguration in the file. If you cannot find <smtpServicePointConfiguration, alternatively search for <netatwork.nospamproxy.proxyconfiguration and add the following line directly below: <smtpServicePointConfiguration isProxyTunnelEnabled="true" />
  5. Save the file and close the editor.
  6. Place the root CA certificate in the Microsoft certificate store in the computer account under “Trusted Root Certification Authorities > Certificates” on the server where the gateway role is located.
  7. Edit the corresponding gateway role in the NoSpamProxy console under “Configuration > NoSpamProxy components > Gateway roles” and change the value for “SMTP server name” to the “proxy.nospamproxy.de”.
  8. Start the gateway role service again.
  9. Open the file “Gateway Role.config” again and check whether the value was retained at startup.
blank

It is common that not only the user who originally performed the installation needs to perform updates, but also other administrator accounts. To do this, it is necessary to set up the appropriate permissions for these additional users. The corresponding steps are described below:

  1. Notes
      • All steps apply to all roles of NoSpamProxy; they differ only in the database names.
        • Database Intranet Role: NoSpamProxyAddressSynchronization
        • Database Gateway Role: NoSpamProxyDB
        • Database Web Portal: enQsigPortal
      • Users and user groups (local or in the domain) can be registered.
    • Log on with the user with which the installation was performed.
  2. Install the SQL Management Studio.
  3. Open SQL Management Studio and log on to the local instance  that contains the NoSpamProxy database(s), using Windows authentication.
  4. Expand the Security folder and the Logins folder.
  5. Right-click on the “Logins” folder and select “New Login” from the context menu.
  6. Under “General”, select the user to be added, but keep the “Windows Authentication” item.
    Database Rights - General
  7. Under “Server Roles” tick the checkbox for “sysadmin”.
    Database Rights - Server Roles
  8. Under “User Mapping”, check the corresponding database and additionally activate the role “db_owner”.
    Database Rights - User Mapping
  9. All other settings are optional.
  10. Save the new login and close SQL Management Studio.

To verify access, log on to the system with the added user, open SQL Management Studio, and check whether you can view the database tables. If this works, access is set up.

blank

Below you will find a number of popular key servers operated by established manufacturers, along with the corresponding settings for the integration in NoSpamProxy.

These directories are automatically queried via the Open Keys server.

Provider: A trust
Hostname: ldap.a-trust.at:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: Arbeitsagentur (For further information about this LDAP server please contact us: IT-Systemhaus.Vertrauensdienste@arbeitsagentur.de)
Hostname: cert-download.arbeitsagentur.de:389
Registration: CN=Username,OU=BA,O=Bundesagentur für Arbeit,C=de
LDAP search: In container OU=BA,O=Bundesagentur für Arbeit,C=de on (mail=%e)
LDAP fields: userCertificate;binary

Supplier: Federal Office for IT Security
Hostname: x500.bund.de:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: D-TRUST
Hostname: directory.d-trust.net:389
Registration: Anonymous
LDAP search: In container c=de on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: Datev
Hostname: ldap.crl.esecure.datev.de:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: DFN
Hostname: ldap.pca.dfn.de:389
Registration: Anonymous
LDAP search: In the container with the base DN: o=DFN-Verein,c=DE search for (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: S Trust
Hostname: directory.s-trust.de:389
Registration: Anonymous
LDAP search: In container dc=s-trust,dc=de on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: Siemens PKI
Hostname: cl.siemens.com:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: T-Systems Mailpass
Hostname: ldap.t-mailpass.de:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: DigiCert, Inc
Hostname: ldap://directory.pki.digicert.com:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: SwissSign AG
Hostname: directory.swisssign.net:389
Registration: Anonymous
LDAP search: In container o=SwissSign,c=CH on (mail=%e)
LDAP Fields: userCertificate;binary