In NoSpamProxy it is possible to request and revoke certificates via the managed PKI of an external certificate provider. In addition, a certificate can be promoted to a domain certificate – also called a gateway certificate – for your own domains or for partner domains. With a domain certificate, all emails are encrypted, decrypted or signed, depending on the certificate and the direction of the email, whenever no separate certificate exists for the recipient or sender.

Requirements:

  • The Encryption module is licensed.
  • A certificate provider is set up (for requesting and revoking).
  • The certificate may be used for the entire company (for promoting a certificate).

Request certificates (manually via user)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact.
  3. Click Request cryptographic keys for selected users and follow the instructions in the dialog.

Request certificates (automatically via a user group)

  1. Go to People and identities > Domains and users > Corporate users.
  2. Click Automatic user import.
  3. Highlight the relevant Active Directory import and click Modify.
  4. On the Groups tab, highlight the Active Directory group and click Add.
  5. In the dialog Automatic key request, select the relevant provider and confirm.

Each time an Active Directory import (scheduled or manual) is performed, the system checks whether a new certificate is required for a user in the group.

Revoking certificates

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be revoked.
  5. Click Revoke.
  6. Follow the instructions in the dialog.

The following two procedures result in one certificate being used for an entire company.

Please note: The communication partner must support this and allow the certificate to be used in this way. If you have any questions about the certificate, please contact the issuing authority.

Promoting certificates for a partner domain

  1. Go to People and identities > Partners.
  2. Select the partner domain and click Modify.
  3. On the User entries tab, select the user with the domain certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted and click Promote to domain certificates.
  5. Follow the instructions from the dialog.

Please note: The certificate is no longer available in the user entry, but on the Domain entry tab under End-to-end encryption > Modify on the Certificates tab.

Promoting certificates for owned domains

  1. Go to People and identities > Domains and users > Corporate users.
  2. Highlight the contact and click Modify.
  3. On the Email Addresses tab, select the email address with the certificate and click Modify.
  4. On the Certificates tab, select the certificate to be promoted.
  5. Click Promote to domain certificates.
  6. Follow the instructions from the dialog.

Please note: The certificate is no longer available in the contact, but under Owned domains in the relevant domain on the Certificates tab.

Note: As part of changes to the infrastructure, new IP addresses and a new FQDN come into effect. This article has been extended so that you can continue to use the TCP Proxy for NoSpamProxy. Make sure you apply all necessary changes.

On some cloud platforms, Microsoft Azure for instance, outbound port 25 may be blocked by the provider. Because port 25 is needed to send emails, this prevents NoSpamProxy from operating on such a system.

As an alternative for such systems we offer the TCP Proxy for NoSpamProxy. It is activated in NoSpamProxy as described below. Once activated, every outbound connection to a routable IPv4 address is routed at TCP level through the TCP Proxy for NoSpamProxy: the emails are sent from the server to the TCP proxy via port 443 and from there to the recipient system via port 25.

How to integrate the TCP proxy

  1. Stop the Gateway Role service via the NoSpamProxy Management Console or the Windows services.
  2. As administrator, open a text editor on the system on which the Gateway Role is installed.
  3. Open the configuration file Gateway Role.config from the directory C:\ProgramData\Net at Work Mail Gateway\Configuration\.
  4. In the file, search for <smtpServicePointConfiguration and change or add the attributes isProxyTunnelEnabled="true" and proxyTunnelAddress="outboundproxy.nospamproxy.com". If <smtpServicePointConfiguration does not exist, search for <netatwork.nospamproxy.proxyconfiguration instead and add the following line directly below it: <smtpServicePointConfiguration isProxyTunnelEnabled="true" proxyTunnelAddress="outboundproxy.nospamproxy.com" />
  5. Save the file and close the editor.
  6. Place the Root CA certificate in the Microsoft certificate store in the computer account under Trusted Root Certification Authorities > Certificates on the server on which the Gateway Role is installed.
  7. In the NoSpamProxy Management Console, under Configuration > NoSpamProxy Components > Gateway Roles, edit the corresponding Gateway Role and change the value for SMTP Server Name to the value outboundproxy.nospamproxy.com.
  8. Start the Gateway Role service.
  9. Open the Gateway Role.config file and check that the value has been retained.

Adjusting the SPF entry

  • If the TCP proxy is in use, it is the system that delivers your mail, so it must also be covered by your SPF record. We strongly recommend adding the following include to your SPF record:

include:_spf.proxy.nospamproxy.com

Importing the Root CA Certificate

  • Download the above certificate and import it to the system with the NoSpamProxy Gateway Role as “Trusted Root Certificate” in the Microsoft Certificate Management of the computer account.

Changing the SMTP server name in the properties of the Gateway Role

  1. In the NoSpamProxy Management Console, go to Configuration > NoSpamProxy Components.
  2. Under Gateway Roles, edit all Gateway Roles that are operated in Microsoft Azure as follows:
    1. Double-click the corresponding entry for the Gateway Role.
    2. Under SMTP Server Name, enter the value outboundproxy.nospamproxy.com.
  3. Click Save and close.

Adjusting the firewall (if necessary)

  • If you specifically block outbound connections, you should adjust the exception for the TCP proxy so that connections to the IP network 193.37.132.0/24 are allowed.

It is common that not only the user who originally performed the installation needs to perform updates, but also other administrator accounts. To do this, it is necessary to set up the appropriate permissions for these additional users. The corresponding steps are described below:

Notes:

  • All steps apply to all roles of NoSpamProxy; they differ only in the database names:
    • Database of the Intranet Role: NoSpamProxyAddressSynchronization
    • Database of the Gateway Role: NoSpamProxyDB
    • Database of the Web Portal: enQsigPortal
  • Users and user groups (local or in the domain) can be registered.

  1. Log on with the user with which the installation was performed.
  2. Install SQL Management Studio.
  3. Open SQL Management Studio and log on to the local instance that contains the NoSpamProxy database(s), using Windows authentication.
  4. Expand the Security folder and the Logins folder.
  5. Right-click the “Logins” folder and select “New Login” from the context menu.
  6. Under “General”, select the user to be added, but keep the “Windows Authentication” option.
    (Figure: Database Rights - General)
  7. Under “Server Roles”, tick the checkbox for “sysadmin”.
    (Figure: Database Rights - Server Roles)
  8. Under “User Mapping”, check the corresponding database and additionally activate the “db_owner” role.
    (Figure: Database Rights - User Mapping)
  9. All other settings are optional.
  10. Save the new login and close SQL Management Studio.

To verify access, log on to the system with the added user, open SQL Management Studio, and check whether you can view the database tables. If this works, access is set up.
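The same login, server role and database mapping as in the SQL Management Studio steps above, applied with T-SQL from PowerShell. This is an added example, not a NoSpamProxy tool; the Windows account and the local instance name (".", the default instance) are placeholders, and the database list is the one from the notes.

```powershell
# Added example: grant an additional Windows administrator the rights the SSMS
# steps configure by hand. Runs as the installing user on the SQL Server host.
param(
    [Parameter(Mandatory = $true)] [string] $WindowsAccount,   # placeholder, e.g. 'CONTOSO\nsp-admin2'
    [string] $ServerInstance = '.',                            # assumption: default local instance
    # Database names from the notes above; drop the ones for roles not installed on this host.
    [string[]] $Databases = @('NoSpamProxyAddressSynchronization', 'NoSpamProxyDB', 'enQsigPortal')
)

# DDL cannot take identifiers as parameters, so bracket-quote them ourselves.
function ConvertTo-BracketName([string] $Name) { return '[' + ($Name -replace '\]', ']]') + ']' }

$login   = ConvertTo-BracketName $WindowsAccount
$literal = $WindowsAccount -replace "'", "''"      # for use inside N'...' literals
$batches = New-Object System.Collections.Generic.List[string]

# Server level: Windows login plus sysadmin (step 7). sysadmin is full control of the
# instance, so grant it only to the accounts that actually perform NoSpamProxy updates.
$batches.Add(@"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$literal')
    CREATE LOGIN $login FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER $login;
"@)

# Database level: user mapping plus db_owner (step 8), once per NoSpamProxy database.
foreach ($db in $Databases) {
    $batches.Add(@"
IF DB_ID(N'$db') IS NULL
    THROW 50000, N'Database $db does not exist on this instance.', 1;
USE $(ConvertTo-BracketName $db);
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$literal')
    CREATE USER $login FOR LOGIN $login;
ALTER ROLE [db_owner] ADD MEMBER $login;
"@)
}

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$ServerInstance;Integrated Security=SSPI;")
$conn.Open()
try {
    foreach ($sql in $batches) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void] $cmd.ExecuteNonQuery()
    }
    # Verification: ask the server whether the account is now a sysadmin member.
    $check = $conn.CreateCommand()
    $check.CommandText = "SELECT IS_SRVROLEMEMBER(N'sysadmin', @n)"
    [void] $check.Parameters.AddWithValue('@n', $WindowsAccount)
    $isMember = $check.ExecuteScalar()
    if ($isMember -ne 1) { throw "$WindowsAccount is not a sysadmin member after the change." }
    Write-Host "$WindowsAccount is sysadmin and db_owner on: $($Databases -join ', ')"
}
finally { $conn.Close() }
```

The final check corresponds to logging on as the new user and browsing the tables; run the script once per SQL instance if the roles use different instances.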

Below you will find a number of popular key servers operated by established providers, along with the corresponding settings for their integration in NoSpamProxy.

These directories are automatically queried via the Open Keys server.

Provider: A-Trust
Hostname: ldap.a-trust.at:389
Login: Anonymous
LDAP search: Unlimited search for (mail=%e)
LDAP fields: userCertificate;binary

Provider: Arbeitsagentur (for further information about this LDAP server, contact IT-Systemhaus.Vertrauensdienste@arbeitsagentur.de)
Hostname: cert-download.arbeitsagentur.de:389
Login: CN=Username,OU=BA,O=Bundesagentur für Arbeit,C=de
LDAP search: In container OU=BA,O=Bundesagentur für Arbeit,C=de for (mail=%e)
LDAP fields: userCertificate;binary

Provider: Federal Office for IT Security
Hostname: x500.bund.de:389
Login: Anonymous
LDAP search: Unlimited search for (mail=%e)
LDAP fields: userCertificate;binary

Provider: D-TRUST
Hostname: directory.d-trust.net:389
Login: Anonymous
LDAP search: In container c=de for (mail=%e)
LDAP fields: userCertificate;binary

Provider: Datev
Hostname: ldap.crl.esecure.datev.de:389
Login: Anonymous
LDAP search: Unlimited search for (mail=%e)
LDAP fields: userCertificate;binary

Provider: DFN
Hostname: ldap.pca.dfn.de:389
Login: Anonymous
LDAP search: In container o=DFN-Verein,c=DE for (mail=%e)
LDAP fields: userCertificate;binary

Provider: S-Trust
Hostname: directory.s-trust.de:389
Login: Anonymous
LDAP search: In container dc=s-trust,dc=de for (mail=%e)
LDAP fields: userCertificate;binary

Provider: Siemens PKI
Hostname: cl.siemens.com:389
Login: Anonymous
LDAP search: Unlimited search for (mail=%e)
LDAP fields: userCertificate;binary

Provider: T-Systems Mailpass
Hostname: ldap.t-mailpass.de:389
Login: Anonymous
LDAP search: Unlimited search for (mail=%e)
LDAP fields: userCertificate;binary

Provider: DigiCert, Inc
Hostname: ldap://directory.pki.digicert.com:389
Login: Anonymous
LDAP search: Unlimited search for (mail=%e)
LDAP fields: userCertificate;binary

Provider: SwissSign AG
Hostname: directory.swisssign.net:389
Login: Anonymous
LDAP search: In container o=SwissSign,c=CH for (mail=%e)
LDAP fields: userCertificate;binary
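To check one of the directories above before entering it in NoSpamProxy, the lookup can be reproduced directly: anonymous bind, the filter (mail=%e) with the address substituted, and userCertificate;binary read back and parsed. This is an added example using the .NET LDAP client, not NoSpamProxy's own Open Keys code; the email addresses are constructed samples.

```powershell
# Added example: query a key server the way the settings above describe and list
# the certificates it returns for an address.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Find-KeyServerCertificates {
    param(
        [Parameter(Mandatory)] [string] $Server,      # host:port as listed, e.g. 'x500.bund.de:389'
        [Parameter(Mandatory)] [string] $Email,       # value substituted for %e
        [string] $BaseDn = '',                        # '' = unlimited search, otherwise the container DN
        [string] $Attribute = 'userCertificate;binary'
    )
    # Escape the address per RFC 4515 before placing it in the filter, so that
    # special characters in a local part cannot alter the meaning of (mail=%e).
    $escaped = [regex]::Replace($Email, '[\\*()\x00]',
        { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
    $filter = "(mail=$escaped)"

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous   # "Login: Anonymous"
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.Timeout = [TimeSpan]::FromSeconds(15)

    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, @($Attribute))
    $response = $conn.SendRequest($request)

    $results = @()
    foreach ($entry in $response.Entries) {
        $values = $entry.Attributes[$Attribute]
        if ($null -eq $values) { continue }
        foreach ($der in $values.GetValues([byte[]])) {
            # Parse the DER blob so validity can be judged before the key is trusted.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            $results += [pscustomobject]@{
                Dn         = $entry.DistinguishedName
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Thumbprint = $cert.Thumbprint
            }
        }
    }
    $conn.Dispose()
    return $results
}

# Constructed sample addresses; replace them with the recipient you want to check.
Find-KeyServerCertificates -Server 'x500.bund.de:389' -Email 'someone@example.bund.de' |
    Format-Table Subject, NotAfter, Expired, Thumbprint -AutoSize
Find-KeyServerCertificates -Server 'directory.d-trust.net:389' -BaseDn 'c=de' -Email 'someone@example.de' |
    Format-Table Subject, NotAfter, Expired, Thumbprint -AutoSize
```

An empty result for a known address usually means the base DN or port is wrong for that provider; an expired entry explains why NoSpamProxy would not use a key that the directory still returns.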

This article describes how you can use the debugging tools to create log files for the analysis of high processor loads, which can then be evaluated by NoSpamProxy Support.

First install the Windows debugging tools on the server under high processor load. You can download them at https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/

Then, enter the following command into the command line:

cdb.exe -pv -pn NetatWorkMailGatewayGatewayRole.exe -c ".load C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll;!EEStack -ee;qd" > NoSpamProxyStack_%date:~-4,4%%date:~-7,2%%date:~-10,2%_%time:~0,2%%time:~3,2%%time:~6,2%.log

If necessary, replace the NetatWorkMailGatewayGatewayRole.exe process with the process that causes the high processor load. Run the command several times and then send the resulting log files in zipped form to NoSpamProxy Support.
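The same capture run several times from PowerShell, with timestamps that do not depend on the regional date format and the logs zipped for Support. This is an added example, not a NoSpamProxy tool; the cdb.exe path is the default 64-bit install location of the Windows debugging tools and is an assumption.

```powershell
# Added example: take several non-invasive managed stack samples of the process
# under load and package them for NoSpamProxy Support.
param(
    [string] $ProcessName  = 'NetatWorkMailGatewayGatewayRole.exe',   # replace if another process is busy
    [int]    $Samples      = 5,                                       # "run the command several times"
    [int]    $PauseSeconds = 30,
    [string] $CdbPath      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe',  # assumption
    [string] $OutDir       = "$env:TEMP\NoSpamProxyStacks"
)
$sos = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll'
foreach ($p in $CdbPath, $sos) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

for ($i = 1; $i -le $Samples; $i++) {
    # Get-Date -Format replaces the locale-dependent %date%/%time% substrings of the batch command.
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $log   = Join-Path $OutDir "NoSpamProxyStack_$stamp.log"
    # -pv: non-invasive attach, the service keeps running; -pn: attach by process name;
    # -c: load SOS, dump all managed thread stacks, then detach (qd).
    & $CdbPath -pv -pn $ProcessName -c ".load $sos;!EEStack -ee;qd" 2>&1 |
        Out-File -FilePath $log -Encoding utf8
    Write-Host "Sample $i of $Samples written to $log"
    if ($i -lt $Samples) { Start-Sleep -Seconds $PauseSeconds }
}

$zip = Join-Path $OutDir "NoSpamProxyStacks_$(Get-Date -Format 'yyyyMMdd_HHmmss').zip"
Compress-Archive -Path (Join-Path $OutDir 'NoSpamProxyStack_*.log') -DestinationPath $zip -Force
Write-Host "Send $zip to NoSpamProxy Support."
```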

When integrating the WebPortal into the configuration, the following settings must be observed for the various scenarios. These settings are outside NoSpamProxy itself but are mandatory for the integration.

Scenarios

  • NoSpamProxy WebPortal is operated in parallel with the Gateway Role and/or Intranet Role on the same system
    Microsoft KB926642 must be applied. Method 1 (recommended): "Create the Local Security Authority host names that can be referenced in an NTLM authentication request" is the method to use, especially for production environments. Method 2: "Disable the authentication loopback check" should only be applied to test environments!
    Note: The English and German versions of the Microsoft article swap the numbering of the two methods. Always check the exact description!
  • NoSpamProxy WebPortal is operated on a system in the DMZ / on computer(s) outside the domain
    Microsoft KB951016 must be applied.

This article describes how you can customize the templates for the design of the system emails of NoSpamProxy (including the PDF mails), starting with NoSpamProxy 11.x, so that different designs are used depending on the sender domain. NoSpamProxy uses the .NET template engine “Razor” as the basis for the dynamic switch.

The CSHTML files to be edited are located in the directory %Program Files%\Net at Work Mail Gateway\Intranet Role\Templates. After the change, the files are automatically replicated to all connected gateway roles.

IMPORTANT
You need at least rudimentary HTML knowledge in order to make the adjustments.

Adaptation of the template files

You are welcome to request ready-made sample files with different designs from NoSpamProxy Support. These files can only be used with NoSpamProxy 11.0 or later. In this example, two different designs are used for the sender domains netatwork.de and nospamproxy.de. You can extend or reduce the number of domains at any time.

After downloading, unpack the ZIP file into a temporary folder. It contains the following files:

  • CommonMailTemplate.cshtml
  • CommonMailTemplateNaw.cshtml
  • CommonMailTemplateNsp.cshtml
  • ConvertMailContentToPdfAttachmentActionPdfHeader.cshtml
  • ConvertMailContentToPdfAttachmentActionTeaser.cshtml
  • EncryptedMailNotificationTemplate.cshtml

Start with the files that begin with “CommonMailTemplate”. Here you determine the appearance of all emails that are required for the PDF Mail. Make sure that you store the standard design in the CommonMailTemplate.cshtml. Customize the style sheets in the respective files according to your needs. The corresponding logos will also be included in these files. In later live operation, the logo files with the correct name must also be available in the Templates folder.

Then adjust the file “ConvertMailContentToPdfAttachmentActionPdfHeader.cshtml”. This file determines the layout of the PDF file itself. In contrast to the CommonMail template files, you only need this one file to define the exceptions. The adjustments are made in the upper part of the file; an example for three different designs is included. What matters is that you specify the design for each of the different domains. If NoSpamProxy does not find a matching sender domain during live operation, it uses the default design, which you can define with the template editor in the admin GUI.

When all files are adjusted, copy all CSHTML files into the Templates folder of your program version. Make a backup of all contained files beforehand!
Please note that the files will be overwritten when patching or upgrading. After a version upgrade, please do not copy the older, modified files over the newer ones, but modify them again. Otherwise there is a risk that new, necessary information will be missing in the template files.

Overview of available template files

The following list provides an overview of the function of the individual files:

ApplySymmetricEncryptionPasswordNotice.cshtml

If a user sends an email as PDF Mail, he will receive a notification of the password used, or information that the password was sent to the recipient by SMS or that the creation of the PDF Mail failed. The text of the respective notification is in this file. The appearance regarding colors and logo is defined via the CommonMailTemplate.

AttachmentManager.cshtml

If a file is removed from an email using the content filter rules, the recipient receives information about it. The attachment can either be removed and deleted, uploaded to the Web Portal, or uploaded to the Web Portal and assigned an admin share. A separate text is available for each of the three actions, which can be edited in this file. The appearance regarding colors and logo is defined via the CommonMailTemplate.

AttachmentManagerNotificationForBlockedAttachmentsModel.cshtml

If emails with certain file attachments are rejected via the content filter rules, the sender receives information about the rejection. The content of this message can be defined in this file. The appearance regarding colors and logo is defined via the CommonMailTemplate.

AttachmentQuarantine.cshtml

If a file is moved to the Web Portal using the content filter rules and assigned an admin share, the administrator receives an info mail about it. The content of this email is defined in this file. The appearance with regard to colors and logo is determined via the CommonMail template.

AttachmentQuarantineApproval.cshtml

If a file is moved to the Web Portal using the content filter rules, assigned an admin release, and then released by the administrator, the actual recipient of the file receives information about the release. The content of this email is defined in this file. The appearance with regard to colors and logo is determined by the CommonMail template.

CommonMailTemplate.cshtml

This file defines the general appearance of notifications. Here, for example, the colors and the logos to be used are stored as HTML tags. All other files except the “ConvertMailContentToPdfAttachmentActionPdfHeader.cshtml” contain only the text modules.

ConvertMailContentToPdfAttachmentActionPdfHeader.cshtml

The appearance of the PDF file is defined in this file. Colors and logos must be defined here again.

ConvertMailContentToPdfAttachmentActionTeaser.cshtml

This file contains the text for the carrier email of the PDF file. The recipient of a PDF Mail is informed that the actual content of the email is in the attached PDF document. The appearance is defined via the CommonMailTemplate.

ConvertOfficeDocumentToPdfPreface.cshtml

With the “ConvertOfficeDocumentToPDF” action, it is possible to convert Office documents to PDF in order to provide the recipient with a preview without active content. A preface is placed in front of the generated PDF document; its content is defined in this file.

DeliveryNotificationReport.cshtml

This is the content of the send report if a user has requested it in Outlook. The appearance is defined via the CommonMailTemplate.

DeMailConnectorIssueEscalationMail.cshtml

If NoSpamProxy cannot retrieve or send De-Mail repeatedly, an administrator will be notified. The content of this message can be defined here.

EncryptedMailNotificationTemplate.cshtml

If a user marks an email as “Automatically encrypt” and enQsig does not have a cryptographic key, the recipient will be informed. This notification states which options the recipient has. The content of this email is defined in this template. The appearance is defined via the CommonMailTemplate.

EncryptionDelayedNotificationForSender.cshtml

If a user marks an email as “Automatically encrypt” and enQsig does not have a cryptographic key, the sender is informed about the delay. The content of the delay message is defined here. The appearance is defined via the CommonMailTemplate.

EncryptionFailureNotificationForSender.cshtml

If a user marks an email as “Automatically encrypt” and an encryption error occurs, the sender is informed. The content of this message can be found here. The appearance is defined via the CommonMailTemplate.

EncryptionSucceededNotificationForSender.cshtml

If a user marks an email as “Automatically encrypt”, he will receive a notification as soon as the email has been encrypted. The appearance is defined via the CommonMailTemplate.

LargeFileDownloadNotification.cshtml

If the recipient of a file that was previously moved to the Web Portal downloads it, the sender is notified. The content of this information is determined by this file.

MailOnHoldExpired.cshtml

If a user marks an email as “Automatically encrypt”, enQsig has no cryptographic key, and the recipient of the email does not provide a cryptographic key within 5 days, the email is discarded and the sender informed. The content of this message can be found here. The appearance is defined via the CommonMailTemplate.

MailValidationError.cshtml

If a De-Mail cannot be sent via the De-Mail connector, the sender is notified. The content of this message can be found here. The appearance is defined via the CommonMailTemplate.

PolicyFailureNonDeliveryMessage.cshtml

The sender will be notified if an email violates the policy in the rules. The content of this message can be found here. The appearance is defined via the CommonMailTemplate.

QualifiedSignatureIssueEscalationMail.cshtml

If the verification or creation of a qualified signature fails, a notification is sent to a specified address. The content of this message can be found here. The appearance is defined via the CommonMailTemplate.

SampleAutoReply.cshtml

With the “AutoReply” action it is possible to answer emails with an automatically generated email. The content of this reply is defined here.

SymmetricPasswordUpdateNotification.cshtml

If an external recipient has stored a password for the PDF mail on the WebPortal, he will be notified of the change. The content of this message can be found here. The appearance is defined via the CommonMailTemplate.

WordFilterMatchNotification.cshtml

The word filter provides the ability to notify any email address when certain words are found in emails. The content of this notification can be defined here.

How to set the number of concurrent connections manually

This article describes how to change the number of outbound connections of the Gateway role.

The corresponding settings are specified in the file “Gateway Role.config” in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective gateway role. To edit the file, first stop the gateway role.

Below the tag

<netatwork.nospamproxy.proxyconfiguration ... >

find the tag <queueConfiguration> and add the attributes maxConcurrentConnections="xx" and maxConcurrentConnectionsPerDomain="xx" to it. It should look like this:
<queueConfiguration maxConcurrentConnections="100" maxConcurrentConnectionsPerDomain="10" />

This limits the number of concurrent connections to 100, with a maximum of 10 concurrent connections allowed per domain.
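Both edits to “Gateway Role.config” on this page, the TCP proxy attributes on <smtpServicePointConfiguration> and the connection limits on <queueConfiguration>, follow the same pattern: find the element below <netatwork.nospamproxy.proxyconfiguration>, create it if missing, set attributes, and read the file back. This added example scripts that pattern; it is not a NoSpamProxy tool and assumes the configuration file has no XML namespaces. Stop the gateway role before running it and start it afterwards.

```powershell
# Added example: create or update a child element of <netatwork.nospamproxy.proxyconfiguration>
# in Gateway Role.config, keep a backup, and verify what was written.
$configPath = 'C:\ProgramData\Net at Work Mail Gateway\Configuration\Gateway Role.config'

function Set-GatewayConfigElement {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [string]    $ElementName,
        [Parameter(Mandatory)] [hashtable] $Attributes
    )
    [xml] $xml = Get-Content -LiteralPath $Path -Raw
    $section = $xml.SelectSingleNode('//netatwork.nospamproxy.proxyconfiguration')
    if ($null -eq $section) { throw "No <netatwork.nospamproxy.proxyconfiguration> element in $Path" }

    # Reuse the element if it exists ("change the values"); otherwise add it directly
    # below the start of the section, as the articles instruct.
    $element = $section.SelectSingleNode($ElementName)
    if ($null -eq $element) {
        $element = $xml.CreateElement($ElementName)
        [void] $section.PrependChild($element)
    }
    foreach ($name in $Attributes.Keys) {
        $element.SetAttribute($name, [string] $Attributes[$name])
    }

    # Timestamped backup next to the original before anything is written.
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMdd_HHmmss').bak"
    $xml.Save($Path)

    # Read back from disk (the check in the last step of the TCP proxy article) and
    # return the attribute values that are actually stored.
    [xml] $check = Get-Content -LiteralPath $Path -Raw
    $saved  = $check.SelectSingleNode("//netatwork.nospamproxy.proxyconfiguration/$ElementName")
    $result = @{}
    foreach ($name in $Attributes.Keys) {
        $result[$name] = $saved.GetAttribute($name)
        if ($result[$name] -ne [string] $Attributes[$name]) {
            throw "$ElementName/@$name was not retained in $Path"
        }
    }
    return $result
}

# 1. TCP proxy: tunnel outbound SMTP through outboundproxy.nospamproxy.com (port 443).
Set-GatewayConfigElement -Path $configPath -ElementName 'smtpServicePointConfiguration' -Attributes @{
    isProxyTunnelEnabled = 'true'
    proxyTunnelAddress   = 'outboundproxy.nospamproxy.com'
}

# 2. Outbound queue limits: 100 concurrent connections in total, 10 per recipient domain.
Set-GatewayConfigElement -Path $configPath -ElementName 'queueConfiguration' -Attributes @{
    maxConcurrentConnections          = 100
    maxConcurrentConnectionsPerDomain = 10
}
```

Run only the call you need; each one returns the stored attribute values, so a mismatch between what was requested and what the file contains fails immediately instead of surfacing later as mail that is not routed through the proxy.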