In most cases, the support team needs files to analyze a problem. This article describes how to simplify and speed up the analysis of problems.

The following information can be collected in advance and made directly available to support:

  • The NoSpamProxy version installed
    Th version number can be found on the start page of the console on the right side of the screen.
  • Description of the problem
    Brief description of the problem and how it manifests itself. The following information is useful for analysis (if available):

      • Warnings and/or errors that occurred at the time of the problem and was displayed in the NoSpamProxy console under Monitoring > Event Viewer.
      • Message Tracking Details (Message Track)
        If there are delivery problems, these can be exported as follows:
      1. Go to Monitoring > Message tracking.
      2. Double-click the relevant entry.
      3. On the bottom-left of the new window, click Export message track.
      4. Save the JSON file.
  • Information from Monitoring > Email queues and/or Monitoring > Emails on hold in the NoSpamProxy console.
  • Other information and/or screenshots describing the problem.
  • For unrecognized emails that clearly contain spam or viruses, please refer to the Knowledge Base article Recognition of emails by the Cyren AntiSpam filter

Email delivery issues

In most cases, the above information is sufficient to identify the reason for delivery problems. In individual cases, however, it is necessary to create a log file of the communication. To do this, the problem must be reproducible.

Please note: Logging should not be permanently activated, since log files are only written, but not automatically deleted. This must be monitored by the administrator himself.

To create a log file, proceed as follows:

  1. Go to  Troubleshooting > Log settings.
  2. Select a gateway role and click Modify.
  3. On the tab Log settings, enable logging, specify the location of the log file and activate the following protocols:
    • AntiSpam service
    • Mailvalidation
    • DNS Service
    • Proxy System
  4. Repeat step 3 for each gateway role if multiple gateway roles are licensed and active.
  5. Replicate the problem.
  6. Wait 5 minutes until you go to step 7.
  7. Undo steps 3 and 4 (disable logging).
  8. Collect the generated log files from the location of the log file from the gateway roles (ideally compress as a ZIP file) and make them available to support at ticket creation or after opening.

In NoSpamProxy it is possible to request and revoke certificates via a managed PKI of an external certificate provider. In addition, certificates can be promoted to a domain certificate – also called gateway certificate – for your own domains or for partner domains. With a domain certificate, all emails are encrypted/decrypted or signed, depending on the certificate and direction, if there is no separate certificate for the recipient/sender.

Requirements:

  • The Encryption module is licensed.
  • Certificate provider is set up (for requesting and revoking).
  • Certificate can be used by the entire company (upgrade for certificate).

Request certificates (manually via user)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact.
  3. Click Request cryptographic keys for selected users and follow the instructions in the dialog.

 

Request certificates (automatically via a user group)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Click Automatic user import.
  3. Highlight the relevant Active Directory import and click Modify.
  4. On the Groups tab, highlight the Active Directory group and klick Add.
  5. In the dialog Automatic key request, select the relevant provider and confirm.

Each time an Active Directory import (scheduled or manual) is performed, the system checks whether a new certificate is required for a user in the group.

 

Revoking certificates

  1. Go to People and identities > domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be revoked.
  5. Click Revoke.
  6. Follow the indstructions from the dialog.

The following two descriptions lead to one certificate being used for an entire company.

Please note: The other end must always support this and allow the certificate to be used for it. If you have any questions about the certificate, please contact the issuing authority.

 

Promoting certificates for a partner domain 

  1. Go to People and identities > Partners.
  2. Select the partner domain and click Modify.
  3. On the User entries tab, select the user with the domain certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted and click Promote to domain certificates.
  5. Follow the instructions from the dialog.

Please note: The certificate is no longer available in the user entry, but on the Domain entry tab under End-to-end encryption > Modify on the Certificates tab.

 

Promoting certificates for owned domains

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email Addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted.
  5. Click Promote to domain certificates.
  6. Follow the instructions from the dialog.

Please note: The certificate is no longer available in the contact, but under Owned domains in the relevant domain on the Certificates tab.

It is possible that in cloud-based systems – for example in Microsoft Azure – port 25 is blocked by the provider. However, port 25 is required to send emails, which prevents the operation of NoSpamProxy on such a system. We offer an alternative to use such systems anyway: our “TCP Proxy”. This system can be activated in NoSpamProxy as described below. Then the emails are sent from the server via port 443 to the TCP Proxy and from there via port 25 to the recipient system.

General information on using the TCP proxy

  • If the TCP proxy is implemented, it appears as the sending system. Therefore, the TCP proxy must also be included in your SPF record using a:proxy.nospamproxy.de
  • You must download the certificate mentioned below and import it into the Microsoft certificate management system of the computer account on the system with the NoSpamProxy gateway role as a “Trusted Root Certificate”.

Integrating the TCP Proxy

  1. Stop the service of the gateway role via the NoSpamProxy console or the Windows services.
  2. Open as administrator a text editor on the system on which the gateway role is installed..
  3. Open the configuration file “Gateway Role.config” from the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration\”.
  4. Look for <smtpServicePointConfiguration in the file. If you cannot find <smtpServicePointConfiguration, alternatively search for <netatwork.nospamproxy.proxyconfiguration and add the following line directly below: <smtpServicePointConfiguration isProxyTunnelEnabled="true" />
  5. Save the file and close the editor.
  6. Place the root CA certificate in the Microsoft certificate store in the computer account under “Trusted Root Certification Authorities > Certificates” on the server where the gateway role is located.
  7. Edit the corresponding gateway role in the NoSpamProxy console under “Configuration > NoSpamProxy components > Gateway roles” and change the value for “SMTP server name” to the “proxy.nospamproxy.de”.
  8. Start the gateway role service again.
  9. Open the file “Gateway Role.config” again and check whether the value was retained at startup.

It is common that not only the user who originally performed the installation needs to perform updates, but also other administrator accounts. To do this, it is necessary to set up the appropriate permissions for these additional users. The corresponding steps are described below:

  1. Notes
      • All steps apply to all roles of NoSpamProxy; they differ only in the database names.
        • Database Intranet Role: NoSpamProxyAddressSynchronization
        • Database Gateway Role: NoSpamProxyDB
        • Database Web Portal: enQsigPortal
      • Users and user groups (local or in the domain) can be registered.
    • Log on with the user with which the installation was performed.
  2. Install the SQL Management Studio.
  3. Open SQL Management Studio and log on to the local instance  that contains the NoSpamProxy database(s), using Windows authentication.
  4. Expand the Security folder and the Logins folder.
  5. Right-click on the “Logins” folder and select “New Login” from the context menu.
  6. Under “General”, select the user to be added, but keep the “Windows Authentication” item.
    Database Rights - General
  7. Under “Server Roles” tick the checkbox for “sysadmin”.
    Database Rights - Server Roles
  8. Under “User Mapping”, check the corresponding database and additionally activate the role “db_owner”.
    Database Rights - User Mapping
  9. All other settings are optional.
  10. Save the new login and close SQL Management Studio.

To verify access, log on to the system with the added user, open SQL Management Studio, and check whether you can view the database tables. If this works, access is set up.

To move version 12.x to another computer, proceed as follows:

  1. If necessary, export existing DKIM keys on the source server.
  2. Copy the files Intranet Role.config and license.xml from the directory C:\ProgramData\Net at Work Mail Gateway\Configuration to the new computer.
  3. Create the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration” on the target server and copy Intranet Role.config and license.xml into it.
  4. Customize the Intranet Role.config.
  5. Install the SQL server.
  6. Stop the Intranet Role service.
  7. a) Back up the database files and restore them to the target SQL server.
    OR
    b) Move the database files to the new directory and mount them in the SQL server.
  8. Execute the NoSpamProxy Setup on the target server.
  9. Connect the Intranet role to the Gateway role.
  10. Then check all previously set passwords and certificates and reassign the connectors.
  11. Import the DKIM keys exported in step 1) to the target server.

The steps in detail

  1. If necessary, export existing DKIM keys on the source server.
  2. Copy the Intranet Role.config and license.xml to the new computer.
    First stop all NoSpamProxy services on the source computer and then stop the SQL database instance. This is usually found under the Windows services under the name “SQL Server (NOSPAMPROXY)”.
    Now copy the Intranet Role.config and license.xml from the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration” to the target computer.
    Please copy ONLY the mentioned files from the directories, otherwise problems could occur during installation.
  3. Create the directory “C:\ProgramData\Net at Work Mail Gateway\Configuration” on the target server and copy Intranet Role.config and license.xml into it.
  4. Customize the Intranet Role.config
    Open the file with an editor, such as Notepad, and search for the following entry:<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
    <CipherData>
    <CipherValue>AQAAANCMnd...==</CipherValue>
    </CipherData>
    </EncryptedData>
    </connectionStrings>
    Change it so that it looks like this at the end:

    <connectionStrings>
    </connectionStrings>

    Search the entire file for

    encryptedPassword=

    and change the occurrences that look similar to

    encryptedPassword="AQAAANCM...W9b17"

    in

    encryptedPassword="""

    Go analogously for all occurrences of

    &lt;font color="#ffff00"&gt;-==- proudly presents

    and

    &lt;font color="AQAAANCM...W9b17"

    as well as

    password="AQAAANCM...W9b17"

    in front of you.

    If De-Mail was configured, please search for

    certificatePin="AQKLM....D87W"

    and change the entry in

    certifcatePin="""

    off.

    Finally, search for any DKIM keys that may be available. Search for the following entry:

    <dkimKeys>
    <key domain="example.com" selector="key1" privateKey="AAAAcVARJk3pG0SsnJkmR2FK..." />
    </dkimKeys>

    Change the entry so that it looks like this:

    <dkimKeys>
    </dkimKeys>

    Now save the file.

  5. Install the SQL Server.
    Now install the SQL Server in the version you want starting with SQL Server 2008 R2.
    Do not forget to install the administration tools, in particular SQL Management Studio.
  6. Stop the Intranet Role Service
    Stop the Intranet roles service via the NoSpamProxy console or via the Windows services to exclude access to the database and entries in the database of the Intranet role.
  7. a) Back up the database files and restore them to the target SQL server.
    With the help of SQL Management Studio you first create a backup of the SQL database “NoSpamProxyAddressSynchronization” on the source server.
    Right-click on the database and select “Task / Backup”. A dialog opens. Leave everything there as it is in the standard system and simply add a “disk” and the corresponding path to the backup file in the lower section.
    Then start the backup.
    Copy the resulting backup file to the target server and restore it.
    To do this, right-click on “Databases” in the SQL Management Studio of the target server and select “Restore Database”. A dialog opens.
    First select “Device” and add a new “File” in the dialog that appears. This file is the currently copied backup file.
    Now start the recovery.OR

    b) Move the database files to the new directory and mount them in the SQL server.
    The SQL database files are usually located in the path “C:\Program Files (x86)\Microsoft SQL Server\MSSQL.XXXX\MSSQL\Data” or “C:\Program Files\Microsoft SQL Server\MSSQL.XXXX\MSSQL\Data”. You can recognize them by the name that begins with NoSpamProxy.
    Copy both the NoSpamProxyAddressSynchronization.mdf and NoSpamProxyAddressSynchronization.ldf files to the target computer and move the database files to the desired directory. This does not necessarily have to be the default directory of the SQL server.
    Then open SQL Management Studio. After logging on to the server, right-click Databases and select Add (or Databases and Attach).
    In the following dialog, add the first database file from the desired directory. The associated log file is automatically recognized.

  8. Execute the NoSpamProxy Setup.
    Now start the setup of the NoSpamProxy. Select the Advanced Installation CONDITIONALLY.
    In the query which SQL Server is used, select that a SQL Server is already installed and set the corresponding connection parameters. The setup then recognizes all further configuration files and adapts them.
  9. Connect the Intranet role to the Gateway role.
    As soon as the setup has been completed successfully, reconnect the intranet role under Gateway Components with the gateway role and, if necessary, the web portal.
    To do this, delete the existing connections, then restart the Intranet role and reconnect it.
  10. Then check all previously set passwords and certificates and reassign the connectors.
    With the conversion, the device-dependent encrypted passwords were deleted or can no longer be decrypted. This applies in particular to the password for protecting sensitive data, with which the private keys of S/MIME and PGP are protected.
    In the interface, set the old password again to restore access.
    The same applies to any SSL certificates configured in the receive connector.
    Therefore, check all passwords and SSL certificates that were previously stored and reset them.
    In addition, the send and receive connectors must be reassigned to corresponding gateway roles.
  11. Import the DKIM keys exported in step 1) to the target server.

Tips

  • The gateway role and the web portal get all information from the intranet role. Therefore they are simply reinstalled during an upcoming migration.
  • If template adjustments were made manually, you must copy the changed templates to the target system.
  • If the disclaimer is licensed and configured, please note the following Knowledge Base article http://kb.nospamproxy.de/Wiki-Seiten/DisclaimerSSLCert.aspx and copy the templates for the disclaimer from the directory “C:\ProgramData\Net at Work Mail Gateway\Intranet\Templates” to the target system.

Please follow the instructions in the installation manual and the general update instructions here in the Knowledge Base.

Before updating make sure to install .NET Framework version 4.7.2 and SQL Server version 2008 R2 or later.

Important note for update version 12.2.18253.1152 and later

As of version 12.2.18253.1152 (Fast Channel), a script for cleaning up message tracking is included. This script deletes orphaned entries in the database. It causes an increased disk space requirement on the drive with the database NoSpamProxyAddressSynchronization (Intranet roles database). Please check beforehand if there is at least five times as much storage space available on the drive as the current database.

The database file can be found in the installation folder of the Microsoft SQL Server. The default directory is “C:\Program Files\Microsoft SQL Server\<<<SQL Version.SQL Instance>>MSSQL\DATA\”.

This may also result in the setup not responding for a long time. The setup must not be aborted and must run until it is completed. Please allow a longer update period for this.

Upgrade from version 11.1

When updating from version 11.1 to version 12.2, consider the Knowledge Base article “What to consider when updating to version 12”.

Upgrade NSP

When updating from version 12.x to version 12.2, all settings and user information are retained. Only the proxy settings and content adjustments of the template files must be saved as usual and reinstalled after the update. This procedure is described in the general update notes.

Outlook Add-In

The update of the gateway and the Web Portal also requires an update of the Outlook Add-In; otherwise the communication with the Web Portal is no longer possible.