
Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the port of your proxy server in “ProxyPort”. In “ProxyServerAddress”, enter either the IP address or the FQDN of your proxy server. For “ProxyAuth”, leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.
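The edit described above can be scripted so that all three files receive identical settings. The following is an added example, not NoSpamProxy code: the function names, the sample host name and the credentials are assumptions, and the sample text is a constructed copy of the section shown above.

```python
import re

# Constructed sample of the proxy section with every parameter still commented out.
SAMPLE_CONF = """\
#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1
"""
LINE = re.compile(r"^(#?)\s*(Proxy\w+)\s*=\s*(.*)$")

def set_proxy(conf_text, address, port, username=None, password=None):
    """Enable the proxy parameters; with credentials, switch ProxyAuth to Basic."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("ProxyPort out of range")
    if (username is None) != (password is None):
        raise ValueError("Basic needs both ProxyUserName and ProxyPassword")
    new = {"ProxyPort": str(port), "ProxyServerAddress": address,
           "ProxyAuth": "NoAuth", "ProxyAccess": None}   # None = keep the file's value
    if username is not None:
        new.update(ProxyAuth="Basic", ProxyUserName=username, ProxyPassword=password)
    if any("\n" in v or "\r" in v for v in new.values() if v):
        raise ValueError("line breaks are not allowed in values")
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) in new:
            key = m.group(2)
            seen.add(key)
            line = f"{key} = {new[key] if new[key] is not None else m.group(3)}"
        out.append(line)
    if seen != set(new):
        raise ValueError(f"missing parameters: {sorted(set(new) - seen)}")
    return "\n".join(out) + "\n"

def active_proxy(conf_text):
    """Return the uncommented Proxy* parameters, e.g. to compare the three files."""
    found = (LINE.match(l) for l in conf_text.splitlines())
    return {m.group(2): m.group(3).strip() for m in found if m and not m.group(1)}
```

ProxyPassword is stored in these files as plain text, so a dedicated proxy account and restrictive file permissions on the CYREN directory are advisable.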


Here you can find all versions that are required to upgrade to the current version. When upgrading, be sure to follow the installation and upgrade instructions for the respective version, as you may need to make manual changes. Also note that changes that you must make when upgrading from version 7.6 to 8.0, for example, are also required for a direct upgrade from 7.6 to 8.5.

The current version is available under Software Download.

12.2 (Fast Channel)

12.1 (Fast Channel)

12.1 (Regular Channel)

12.0

11.1

11.0

10.1

9.2

8.5

Below you will find a number of popular key servers operated by established manufacturers, along with the corresponding settings for the integration in NoSpamProxy.

These directories are automatically queried via the Open Keys server.

Supplier: A-Trust
Hostname: ldap.a-trust.at:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: Arbeitsagentur (For further information about this LDAP server please contact us: IT-Systemhaus.Vertrauensdienste@arbeitsagentur.de)
Hostname: cert-download.arbeitsagentur.de:389
Registration: CN=Username,OU=BA,O=Bundesagentur für Arbeit,C=de
LDAP search: In container OU=BA,O=Bundesagentur für Arbeit,C=de on (mail=%e)
LDAP fields: userCertificate;binary

Supplier: Federal Office for IT Security
Hostname: x500.bund.de:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: D-TRUST
Hostname: directory.d-trust.net:389
Registration: Anonymous
LDAP search: In container c=de on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: Datev
Hostname: ldap.crl.esecure.datev.de:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: DFN
Hostname: ldap.pca.dfn.de:389
Registration: Anonymous
LDAP search: In the container with the base DN: o=DFN-Verein,c=DE search for (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: S Trust
Hostname: directory.s-trust.de:389
Registration: Anonymous
LDAP search: In container dc=s-trust,dc=de on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: Siemens PKI
Hostname: cl.siemens.com:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: T-Systems Mailpass
Hostname: ldap.t-mailpass.de:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: DigiCert, Inc
Hostname: ldap://directory.pki.digicert.com:389
Registration: Anonymous
LDAP Search: Unlimited search on (mail=%e)
LDAP Fields: userCertificate;binary

Supplier: SwissSign AG
Hostname: directory.swisssign.net:389
Registration: Anonymous
LDAP search: In container o=SwissSign,c=CH on (mail=%e)
LDAP Fields: userCertificate;binary


Error:

When receiving and decrypting a 5MB email, the email is rejected and the error “ASN1 not enough memory” is displayed. The same error is also displayed in message tracking.

Status:

This problem occurs because a buffer size is not properly increased by the .NET framework. This problem is known to Microsoft and can be fixed with the hotfix below.

Solution:

To resolve this problem, install the following Microsoft hotfix: http://support.microsoft.com/kb/2480994/de


How to set the number of concurrent connections manually

This article describes how to change the number of outbound connections of the Gateway role.

The corresponding settings are specified in the file “Gateway Role.config” in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective gateway role. To edit the file, first stop the gateway role.

Below the tag

<netatwork.nospamproxy.proxyconfiguration ... >

find the tag <queueConfiguration> and add the attributes maxConcurrentConnections="xx" and maxConcurrentConnectionsPerDomain="xx" to it. It should look like this:
<queueConfiguration maxConcurrentConnections="100" maxConcurrentConnectionsPerDomain="10" />

This limits the number of concurrent connections to 100, with a maximum of 10 concurrent connections allowed per domain.


This article describes how to manually set the number of concurrent connections. Since version 7.0, NoSpamProxy determines this number dynamically by itself. The basis for the decision is the CPU and memory usage. To prevent this behavior, proceed as follows:

First stop the Gateway Role. The corresponding setting is made in the “Gateway Role.config”. This file can be found in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective Gateway Role.

Look for the line beginning with the following characters:

<netatwork.nospamproxy.proxyconfiguration...

Insert the following value directly below:
<connectionLimits hardUpperConnectionLimit="" minimumNumberOfConcurrentSessions="" />

If the values are not specified as in this example, the dynamic limit applies (depending on the CPU utilisation).

The values are both integer values.

The value hardUpperConnectionLimit determines the maximum number of connections.
The value minimumNumberOfConcurrentSessions determines the maximum number of concurrent connections.

Example
<connectionLimits hardUpperConnectionLimit="100" minimumNumberOfConcurrentSessions="50" />

Finally, save the configuration file and restart the Gateway Role.
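Both edits to “Gateway Role.config” described above (the queueConfiguration attributes and the connectionLimits element) can be applied and validated in one step. The following is an added example, not NoSpamProxy code: the function names and the sample document are assumptions, and only the tag and attribute names are taken from the two articles.

```python
import xml.etree.ElementTree as ET

SECTION = "netatwork.nospamproxy.proxyconfiguration"
# Constructed minimal stand-in for "Gateway Role.config"; the wrapper element and
# the absence of other settings are assumptions, the tag names are from the article.
SAMPLE = f"""<configuration>
  <{SECTION}>
    <queueConfiguration />
  </{SECTION}>
</configuration>"""

def _num(name, value):
    # "The values are both integer values": reject strings, floats, zero, negatives.
    if type(value) is not int or value < 1:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return str(value)

def set_limits(xml_text, queue=None, static=None):
    """queue=(total, per_domain) sets <queueConfiguration>;
    static=(hard_upper, minimum_sessions) adds or updates <connectionLimits>."""
    root = ET.fromstring(xml_text)  # note: ElementTree drops XML comments
    section = next(root.iter(SECTION), None)
    if section is None:
        raise ValueError(f"<{SECTION}> not found")
    if queue is not None:
        total, per_domain = queue
        node = section.find("queueConfiguration")
        if node is None:
            raise ValueError("<queueConfiguration> not found")
        node.set("maxConcurrentConnections", _num("total", total))
        node.set("maxConcurrentConnectionsPerDomain", _num("per_domain", per_domain))
        if per_domain > total:  # sanity check added here, not a documented rule
            raise ValueError("per-domain limit exceeds the overall limit")
    if static is not None:
        hard_upper, minimum_sessions = static
        node = section.find("connectionLimits")
        if node is None:
            node = ET.Element("connectionLimits")
            section.insert(0, node)  # directly below the opening section tag
        node.set("hardUpperConnectionLimit", _num("hard_upper", hard_upper))
        node.set("minimumNumberOfConcurrentSessions",
                 _num("minimum_sessions", minimum_sessions))
    return ET.tostring(root, encoding="unicode")
```

Run it against a copy of the file while the Gateway Role is stopped, and keep the original as a backup, since rewriting through ElementTree does not preserve comments.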


Important information on integrating SwissSign as a certificate provider

The following document was created in collaboration with SwissSign. It contains all relevant information on the integration of a Managed PKI from SwissSign into NoSpamProxy.

FAQNetAtWork.pdf

This document will be updated if necessary.

Last updated 03.09.2015.

SwissSign Silver ID products supported by NoSpamProxy

NoSpamProxy currently supports two out of three Silver ID products offered:

  • Silver certificates without state, organisation and country field
    • Name in the order process: Email ID Silver, email address validated (web interface or partner application)
  • Silver certificates without state field
    • Name in the order process: Email ID Silver, email address validated, organization, country (partner application only)

Products not supported

The following Silver ID product is not supported:

  • Silver certificates with state field
    • Name in the order process: Email ID Silver, email address validated, organization, canton/state, country (partner application only)

Please take note of this information when ordering and make sure to only order the supported products!

If you have ordered the wrong product, you will find the form with which you can request the change from SwissSign under the following link:
https://www.swisssign.com/dam/jcr:85abf68a-1990-47f7-9530-9b1cce0397a7/MPKI_ChangeOrder_DE.pdf


From version 9.0

When updating from version 9.0 to version 9.1 or 9.2, all settings and user information are retained during the update.

From version 8.5

When upgrading to version 9.0, the subdivision into the new areas Monitoring, People and Identities and Configuration is immediately noticeable. For each of these areas, users can be explicitly allowed access via security groups. This means that you can assign the rights to a person in your company, e.g. to only use the Monitoring area. This person would then have no access to People and Identities or Configuration. The installation program of the Net at Work Mail Gateway automatically makes the user logged on during the installation a member of all three groups.

The security groups mentioned above are explained in more detail below.

Mail Gateway Monitoring Administrators

Members of this user group may use the Monitoring area. This area displays email statistics, email queues, or key figures about the performance of your server.

Mail Gateway People and Identities Administrators

Members of this user group may use the People and Identities area. This area manages internal and external communication partners and their cryptographic keys.

Mail Gateway Configuration Administrators

Members of this user group may use the Configuration area. This area contains the settings of the Net at Work Mail Gateway and its gateway roles, such as connectors, rules, notifications, and connections to other systems.

The new structure consistently combines previously redundant configuration settings and enables task-oriented administration. This means that the management console of version 9.0 no longer focuses on the roles of the Net at Work Mail Gateway, but on the task you have to perform.

This allowed many areas to be merged and simplified. An example: The address rewriting area of version 8.5 had to be configured to match the local users and their email addresses. The address rewriting entries have now been moved to the email addresses of the local users, so that the assignment between email addresses and address rewriting is made automatically.

Finally, the Commtouch service has been renamed to CYREN. CYREN continues to provide you with a high level of service.

Warning
An upgrade to version 9.0 is currently only supported from version 8.5.

Some changes in version 9.0 strongly affect the installation of the update, namely the replication of all configuration data between the intranet role and the connected gateway roles. In particular, installations with more than one gateway role must be updated to version 9.0 with great care.

Furthermore, the roles “Reporting Role” and “UserManagement Role” have been combined and are now managed as “Intranet Role”. The new Intranet role will continue to work with the previous database of the UserManagement role. The update extends this database with the tables of the previous reporting role.

In previous versions, a separate certificate with the name of the service was created for each service and used for the connection between the individual roles. Since version 9.0, a certificate with the server name in the CN is created.

Please note
If you use a custom MSC file instead of the Management Console (MSC file) shortcut created by Setup, this file may not work after the upgrade and the interface may display errors. In this case, please delete your custom MSC file and recreate it.

From version 8.0

When updating from version 8.0 to version 8.5, all settings and user information are retained during the update.