IceWarp Server Mail Service Reference, Version 10. Printed on 12 August, 2009.
Contents

Chapter 1  Mail Service
  V10 New Features
    SmartAttach
    IMAP Integrated Mail Archive
    IMAP ACL, GroupWare compliant
    Load-Balanced IMAP Server File Locking
    Load-Balancing for XMPP and SIP
    GroupWare Centralized Storage
    SPF SRS - Backscatter Protection
    Domain Clusters
    4 GB RAM on x64
Chapter 3  SMTP Service
  General
  Delivery
  Routing
  Header / Footer
Chapter 4  Security
  General
  DNS
  Intrusion Prevention
  Advanced
Filters
  Content Filters
    Adding a new Filter
    Filter Conditions
    Filter Actions
    Filter Description
    Editing a filter
    Deleting a filter
    Exporting filters
    Importing filters
    Bypassing filters
    Understanding the SMTP protocol and message headers
  Rules
  External Filters
Archive
  New in Version 10
  Mail Archive
ETRN Download
Index
CHAPTER 1
Mail Service

The Mail Service node contains four sub-nodes:

SMTP Service - various settings for the SMTP service.
Security - a comprehensive set of options for stopping unwanted use of your server.
Filters - allows you to define Content Filters, Rules Filters (Black & White lists) and External filters.
ETRN Download - allows you to define ETRN (or ATRN) collection options.

In This Chapter: V10 New Features; SMTP Service; Security; Filters; Archive; ETRN Download.
CHAPTER 2
V10 New Features

SmartAttach
Attachments are replaced with a WebDAV URL and the file is saved to the user's mailbox files folder. This gives the user the power to delete, swap and update attachments after the message has been sent. Customization includes account, folder name, expiration, custom header/footer, and anonymous or authenticated mode. Variables are provided for attachment file size, expiration time, textual expiration date, message index and download URL. Unicode filenames are supported. Supported by WebMail Pro and Content Filters.

IMAP Integrated Mail Archive
The Mail Archive can now be categorized by user account and divided into subfolders by timeline, and depending on administrator settings it can contain the whole history of received and sent messages from all folders, including SMS. The Mail Archive is integrated with IMAP and is accessible in read-only mode from any client or WebMail, and each user can have it subscribed by default. Taking advantage of ACLs and Public folders, the administrator can create an Archivist user role, granting a person access to the whole server archive or to the archive folders of selected domains, groups or users for e-discovery. Supports IMAP flags. 4 new archive modes.

IMAP ACL, GroupWare compliant
Account sharing, folder sharing, extensive bit rights, inherited permissions. The IMAP ACL implementation is RFC 4314 compliant; the obsolete rights of RFC 2086 are supported exactly as specified in that RFC.

Load-Balanced IMAP Server File Locking
A load-balanced environment is detected automatically if ServerID is used.

Load-Balancing for XMPP and SIP
Master host option: slave server requests are processed by the master. Requires proper settings of Master, Master Host and Slave Hosts.

GroupWare Centralized Storage
GroupWare attachments (to contacts, events), the user's File folder and extracted SmartAttach attachments are stored in mailbox/~gw/attachments/ so that the mailbox/domain quota and archiving are enforced along with e-mails. The original storage location calendar/attachments/ is converted automatically when the mailbox attachment storage is accessed for the first time.
SPF SRS - Backscatter Protection
Protects the server from being flooded by bounce-backs with a forged From. If the Use SRS NDR (Non-Delivery Report) Validation option is on and a bounce-back is received that is not addressed to an SRS address, or whose SRS hash is not valid, it is rejected. Only bounces for messages that this server actually forwarded (and therefore rewrote) carry a hash the server can verify.

Domain Clusters
Splits a domain into logical parts with distinct settings and users. A set of domains is grouped into a cluster with one domain defined as the master domain. The master domain then serves as a "dynamic alias" for all the other domains. Ensures that the same account cannot be created twice within the cluster.

4 GB RAM on x64
The server is still a 32-bit application but can take advantage of the whole 4 GB of user address space on 64-bit systems.

DB and FS Health Monitoring
Checks DB health on multiple connections and the availability of the config, mail and temp paths every minute. If either is down, the SMTP, POP3 and IMAP socket servers are paused and no more incoming connections are processed (the client reports a server error instead of a failed user authentication).

Intrusion Prevention - Failed Logins
New option to block an IP address that has exceeded the number of failed login attempts (if Login Policy is enabled).

LDAP/Active Directory Synchronization - SASL
Plain-text authentication for LDAP/AD users updates the local password so that SASL authentication works all the time; the password is also updated automatically after a WebMail login (RSA-protected plain-text authentication to IMAP).

LDAP/Active Directory Synchronization - FROM
New internal XML options (LDAPUSERFROMDN, USERNAMEFROMCN) for the user's mailbox and LDAP authentication.

LDAP/Active Directory Synchronization - Filters
Introduces custom filters for which accounts/groups to synchronize (<objectclass>[":"<filter>]). A SIZELIMIT_EXCEEDED error is logged if the query size limit is exceeded.

LDAP/Active Directory Synchronization - Local Groups
Synchronization always preserves manually created users and groups, even if they are missing on the directory server, using the Personalized bit flag 0x10.
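The SRS NDR validation described under "SPF SRS - Backscatter Protection" (configured later in this manual in Security - DNS via the Enable SRS and SRS secret key fields) depends on the forwarding server embedding a keyed hash in the rewritten envelope sender. The Python below is an added example, not IceWarp's implementation: it rewrites MAIL FROM into an SRS0 address carrying a truncated HMAC over a timestamp, the original domain and local part, and validates a bounce addressed to such an address so that forged or stale bounce-backs are rejected. The secret, the 4-character hash length, the 21-day validity window and the sample addresses are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumed parameters for this example (the secret stands in for the "SRS secret key" field).
SRS_SECRET = b"example-srs-secret-key"
HASH_LENGTH = 4          # characters of base64 HMAC kept in the address, as in the SRS draft
MAX_AGE_DAYS = 21        # bounces older than this are rejected even with a valid hash
TIMESTAMP_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # SRS base32 alphabet


def encode_timestamp(day: int) -> str:
    """Two base32 chars = 10 bits of 'days since epoch' (wraps every 1024 days)."""
    d = day % 1024
    return TIMESTAMP_ALPHABET[d >> 5] + TIMESTAMP_ALPHABET[d & 31]


def decode_timestamp(ts: str) -> int:
    return TIMESTAMP_ALPHABET.index(ts[0].upper()) * 32 + TIMESTAMP_ALPHABET.index(ts[1].upper())


def srs_hash(secret: bytes, ts: str, host: str, local: str) -> str:
    """Truncated base64 HMAC-SHA1 over timestamp, original domain and local part (lower-cased)."""
    data = (ts + host + local).lower().encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest()).decode()[:HASH_LENGTH]


def srs_forward(sender: str, forwarder_domain: str, day: Optional[int] = None) -> str:
    """Rewrite the envelope sender: alice@example.org -> SRS0=HHHH=TT=example.org=alice@forwarder."""
    day = int(time.time() // 86400) if day is None else day
    local, host = sender.rsplit("@", 1)
    ts = encode_timestamp(day)
    return f"SRS0={srs_hash(SRS_SECRET, ts, host, local)}={ts}={host}={local}@{forwarder_domain}"


def srs_reverse(address: str, day: Optional[int] = None) -> str:
    """Validate the recipient of a bounce (an SRS0 address) and recover the original sender.

    Raises ValueError when the address is not SRS0 at all, carries a wrong hash (forged or
    mangled bounce) or is older than MAX_AGE_DAYS. This is the check NDR validation performs.
    """
    day = int(time.time() // 86400) if day is None else day
    local_part = address.rsplit("@", 1)[0]
    parts = local_part.split("=", 4)           # maxsplit keeps any '=' inside the original local part
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address: bounce carries no SRS hash to validate")
    _, given_hash, ts, host, orig_local = parts
    expected = srs_hash(SRS_SECRET, ts, host, orig_local)
    # constant-time and case-insensitive: some MTAs fold the local part to lower case in transit
    if not hmac.compare_digest(given_hash.lower().encode(), expected.lower().encode()):
        raise ValueError("invalid SRS hash: forged or mangled bounce")
    age_days = (day - decode_timestamp(ts)) % 1024
    if age_days > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired: stale bounce")
    return f"{orig_local}@{host}"


if __name__ == "__main__":
    rewritten = srs_forward("alice@example.org", "fwd.example.com")
    print(rewritten)
    print(srs_reverse(rewritten))
    try:
        srs_reverse(rewritten.replace("=alice@", "=mallory@"))
    except ValueError as err:
        print("rejected:", err)
```

The timestamp is what keeps the secret useful: without it, any SRS0 address that ever leaked (in a mailing-list archive, say) would remain a valid bounce target forever. Rotating the SRS secret key invalidates all outstanding rewritten addresses at once, so do it deliberately.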
Remote Client Deployment
The server directory /install is available remotely (option in Setup). A setupinstall.dat package has been added; it contains the client applications and is installed to the /install directory.

Mailing Lists - Message ID
Mailing lists display the original message ID in the client session logs.

Mailing Lists - BATV SRV
Mailing list authentication works correctly with BATV SRV-encoded sender addresses.

Mailing Lists - Dedupe
The SMTP Service - Delivery - Dedupe messages option now also works for mailing lists. If a user is subscribed to a mailing list under multiple aliases, IceWarp Server checks for duplicate messages to the same user and delivers only one of them.

Rules - Move To Folder
Move To Folder support for non-user accounts has been added; this is useful in Groups and for direct delivery to a specific folder (instead of Inbox).

Rules - Date/Time Criteria
The rules engine has been extended with the ability to define user rules based on time conditions, as already available for content filters. Users might want to forward incoming e-mails or SMS messages only at weekends, for instance.

Content Filters - RegEx Rewrite
Lets you create new results using part of the search pattern.

Content Filters - DNSBL
A RegEx is used instead of the previous string match (which was capable of wildcards only); this allows a direct server match. A RegEx field has been added to the Administration GUI.

Content Filters - Edit Message Headers
Support for RegEx and RegEx rewrite, even for the Delete action (which must match the header value).

Content Filters - SmartAttach
Perform the SmartAttach action based on any condition, such as attachment size, sender, domain etc.

Content Filters - Recipient, Cc, To, Attachment Conditions
Besides the previous global string match (which converts multiple addresses to a single string and matches that string), it is now possible to choose whether to match all items or at least one item, i.e. to apply the condition "per item".
Content Filters - Unicode Filenames
Support for Unicode filenames when extracting attachments to directories (for SmartAttach and others; Anti-Virus remains AnsiString because external filters could not handle Unicode).

Content Filters - Apply Before Copy Incoming/Outgoing
Possibility to apply content filters before the copy operation in the Management user Mailbox - Copy incoming mail and Copy outgoing mail actions. The original recipients are saved during the Copy incoming/outgoing mail actions and can be used in the new %%bcc_recipients%% server variable.

Address Extension
E-mail address extensions are supported again; e.g. a message to an address carrying the extension MyFolder is delivered to the folder MyFolder. This only works for e-mails not tagged as spam, or from trusted hosts, whitelisted or otherwise bypassed recipients.

SMTP Traffic Limits
SMTP outgoing queue processing is delayed for low user-count licenses under high traffic; receiving works normally. The server considers the number of incoming and outgoing e-mails to non-local accounts per day in relation to the number of licensed users. If the number of outgoing messages exceeds a threshold, sending out is postponed for some time, until the levels balance or until 12 AM. The limitation never occurs for a 200+ user license, very seldom for a 100+ user license, and mostly for licenses of fewer than 50 users. This prevents low user-count licenses being used as a filtering gateway or for large mailing lists.
CHAPTER 3
SMTP Service

The SMTP (Simple Mail Transfer Protocol) Service is the core of IceWarp Server's functionality, as SMTP is the protocol used for sending messages from one server to another.

In This Chapter: General; Delivery; Routing; Header / Footer.

General

Mailserver hostname
  This specifies the name of the IceWarp Server computer. This field must not be left blank, as it is used when IceWarp Server authenticates or introduces itself (HELO/EHLO) to another mail server. It should be the hostname of your IceWarp Server as registered in DNS. You should also ensure that your IceWarp Server's IP address has a PTR record registered, since some receiving mail servers require a reverse record as an anti-spam check.

Use DNS lookup
  Select this option if your server is going to send messages directly. When sending a message, IceWarp Server queries DNS to locate the receiving server's IP address. DNS servers are specified in the Internet Connection node.

Use relay server
  Select this option if you wish IceWarp Server to send messages through a relay server. This is useful when your domain has no public IP address, or you are on a slow dial-up connection via an ISP that allows you to use its server to send messages. Connections to your ISP's mail server tend to be faster than to other servers on the internet, so your messages may be delivered more quickly, keeping your connection costs down. Enter the hostname or IP address of the relay server. If the relay server requires authentication, this is achieved by using one of the two 'full URL' forms of the hostname, which embed the credentials; the second form should be used if your username is a full e-mail address. You can specify multiple relay servers, separated by semicolons. If IceWarp Server cannot connect to the first relay server it tries the second, and so on.

Deliver messages via relay server when direct delivery fails
  This option only has an effect if Use DNS lookup is selected and a relay server (or servers) is defined in the Use relay server box: IceWarp Server then attempts delivery via the relay server(s) only after all direct delivery attempts have failed. NOTE: this option overrides the SMTP retry interval settings.

Max message size
  Check this box and enter a value to limit the size of messages that can be sent or received via IceWarp Server (10 MB in the screenshot). If a user tries to send a message larger than the specified size it is rejected. NOTE: this limit is overridden by any non-zero Domain-specific or User-specific limits if Override global limits is checked within Global Settings - Domains.

Maximum SMTP hop count
  Sometimes a message can get into a 'relay loop', where it is passed between servers trying to find a delivery point. A hop is one pass of the message through a server (each adds a Received: header). Specifying a value here instructs IceWarp Server to count the number of servers the message has passed through, compare it with this value, and reject the message if the number of hops exceeds it.

Maximum SMTP server recipients
  Specify the maximum number of recipients allowed per message in a server (incoming) session. This can be used to protect your server from overload.

Maximum SMTP client recipients
  Specify the maximum number of recipients allowed per message in a client (outgoing) session. If the number is exceeded the message is split into multiple sessions.

Exceptions
  Here you can override Maximum SMTP client recipients for specific target domains. Press the button to open a dialog in which you enter the target domain and the override value.

Delivery

Undeliverable after
  If IceWarp Server cannot contact a server to deliver a message, it queues the message and retries delivery at regular intervals. If delivery is still not possible after the time specified here, the message is returned as undeliverable. Specify a value and a time unit.

Undeliverable warning after
  If IceWarp Server cannot contact a server for the specified time, the sender is informed. This message is only a warning; IceWarp Server continues trying to deliver the message. Specify a value and a time unit.

Report alias / Report name
  The report alias and name are used to generate the From: header of any system-generated report messages (for example the undeliverable report, the disk space monitor report etc.).

Bad mail
  If the sender of a message cannot be ascertained (e.g. there is no From: header) and an undeliverable message report is generated, it is sent to the recipient(s) listed here. Multiple addresses can be specified, separated by semicolons.

Return truncated message
  Check this option and only the message headers are returned if the message cannot be delivered.
  Check this option and, if the message cannot be delivered, approximately 4 KB of the original message are returned as an attachment. This includes the message headers and in some cases also part of the original message body.

Send information to administrator
  Check this option and all undeliverable messages are copied to the administrator.
Bounce back messages
  Choose a processing option for bounce-back messages:
  All senders - process bounce-back messages for all senders.
  Local senders only - process bounce-backs only for local senders.
  Disabled - do not process bounce-back messages.
  NOTE: In MDA mode a message is accepted and then processed by the other filters at a later time. If the message is then refused, a bounce-back is sent to the sender. If the sender's address is spoofed, an innocent third party receives the bounce-back, which is itself a form of spam (backscatter). Because of this the recommended bounce-back setting in MDA mode is Local senders only.

Retry Intervals
  Press this button to open a dialog in which you specify retry intervals for failed deliveries. Use the Add button to add a new retry time, the Edit and Delete buttons to modify or remove a retry time, and the Up and Down arrows to move a retry time in the list.

Maximum number of simultaneous threads
  Specify the maximum number of threads to use for processing incoming messages. This helps on high-load servers where the sending server times out while IceWarp Server is still processing and delivering the message; the sending server then tries again and a duplicate message is received. If you enter a non-zero value here, incoming messages are stored immediately in an incoming folder for later processing and the session is closed, so there are no timeouts. You should only consider using this option on high-traffic servers or servers with heavy AntiSpam and/or IceWarp Anti Virus processing. See the NOTE under Bounce back messages: in MDA mode the recommended bounce-back setting is Local senders only.

Processing incoming messages in MDA queue
  Check this option to have the MDA queue used.

Use MDA queue for internal message delivery
  Check this option to have all internal messages processed via the MDA queues. Any internal message (bounce-back, server-generated message, Account Forwarder message etc.) is then processed via an MDA queue and all filter, rule, AntiSpam, IceWarp Anti Virus etc. processing is performed on it.

Use TLS/SSL
  Check this box and IceWarp Server connects to remote servers using TLS/SSL if the remote server supports it (opportunistic TLS; delivery to servers that do not offer it remains in plain text).

Hide IP address from Received: header for all messages
  Checking this option tells IceWarp Server not to put the connecting client's IP address in the Received: header it adds to a message. This stops outsiders from working out your local network configuration from message headers. Bear in mind that Received: IP addresses are also what receiving sites and abuse desks use to trace where a message originated.

Add rdns result to Received: header for all messages
  Check this option and a reverse DNS lookup is performed for each incoming message and the result added to the Received: header. NOTE: this option improves security but can severely impact performance on high-load servers.

Add Return-Path header for all messages
  Check this option and IceWarp Server adds a Return-Path header (recording the envelope sender) to the e-mail. This can be useful for debugging and checking where an e-mail came from.

Dedupe messages
  If a user has multiple aliases and a message is sent to more than one of them, the end user would receive multiple copies. Check this option and IceWarp Server checks for duplicate messages to the same end user and delivers only one of them.
Routing

The SMTP Routing feature allows you to redirect messages based on the recipient address. A list of routing rules is displayed:
  The Source column shows the original recipient.
  The Destination column shows where the message will be redirected.
  The Hostname column shows the hostname that messages will be forwarded through.
Press the Delete button to delete a selected routing rule. Pressing the Add or Edit button opens the Route dialog, where you can add or modify a routing rule.

Source
  The address or domain which should be replaced and redirected. You can use the '...' button to select accounts, domains or groups through the Select Account dialog.

Destination
  The address or domain by which the source one is replaced and redirected. You can use the '...' button to select accounts, domains or groups through the Select Account dialog. The value is either an address or a domain. You can use IceWarp Server variables in this field, e.g. %%var_name%%. Authentication with a full e-mail address is also possible.

Hostname
  A hostname, with an optional port, that will be used for extended routing. Example: a rule with relay.isp.com here says that all messages for the source address or domain will be routed to relay.isp.com.

Local recipients only
  Check this box and routing is performed only for local recipients.

Skip rules
  Check this box and rules are not processed for routed messages.

Sender must be authenticated
  Check this box and all senders of messages processed by this routing must be properly authenticated.

Pressing the Edit button opens the simple text file containing the routing rules. You can edit this file directly; examples are given in the editor.

Header / Footer

IceWarp Server can automatically insert a header and/or footer into messages using this option. This affects all domains on your server. If you want different headers and footers for different domains, use the domain-based Header/Footer button in Domain - Options, but you must still enable the facility in this panel. Check the Active option to enable Header/Footer processing.

Pressing the Header / Footer button opens the Header/Footer dialog:

Header text file
  A fully qualified path to a text file which is inserted as a header into text-format messages.

Header HTML file
  A fully qualified path to an HTML file which is inserted as a header into HTML-format messages. NOTE: the extension of this file must be htm or html for this function to work correctly.

Footer text file
  A fully qualified path to a text file which is inserted as a footer into text-format messages.

Footer HTML file
  A fully qualified path to an HTML file which is inserted as a footer into HTML-format messages. NOTE: the extension of this file must be htm or html for this function to work correctly.

Local to local
  The header and footer are inserted if the sender and recipient are both local.

Remote to local
  The header and footer are inserted if the sender is remote and the recipient is local.

Local to remote
  The header and footer are inserted if the sender is local and the recipient is remote.

Remote to remote
  The header and footer are inserted if the sender and recipient are both remote.

NOTE: If you are using HTML headers or footers you should only use HTML that belongs within the <BODY> tag.
CHAPTER 4
Security

One of the more important areas of IceWarp Server, the SMTP Security options are designed to protect your server from unwanted access and use.

In This Chapter: General; DNS; Intrusion Prevention; Advanced.

General

Relay
  Close relay - the recommended option. Users must authenticate to your server before they can relay, unless they connect from a trusted relay IP (see below). Authentication can be done via a username/password combination (SMTP AUTH) or via POP before SMTP (see below).
  Open relay - choose this if you want to allow anyone to use your SMTP server to send messages. This is not recommended, as it leaves your server open to abuse by spammers and hackers, and an abused open relay is quickly blacklisted.

POP before SMTP
  Check this option and IceWarp Server remembers the IP address of any POP or IMAP connection (which are always authenticated) for the number of minutes specified. An SMTP session initiated from one of the cached IP addresses is allowed to relay. Note that this trusts the whole source IP address for that period, so any other host behind the same NAT address is trusted too.

Reject if originator's domain is local and not authorized
  If the sender of a message claims to be a local user (the sender address is in one of your local domains), they must authorize themselves. Authorization can be via SMTP authentication, relaying from a trusted IP address, or the POP before SMTP feature. This option can also reject genuine local users if they authenticate against a different SMTP server, e.g. their ISP's SMTP server, and send to your domain through it.
  NOTE: the whitelist and blacklist are skipped if the remote side tells us the sender is local but the session is neither authenticated nor from a trusted IP. The e-mail is then processed as usual and the other rules are applied. This can be turned off only by editing the SpamSkipBypassLocalUntrusted line in the spam.dat file. Bypass reason code: H.

Trusted IPs
  The Trusted IPs list shows the IP address ranges you consider trustworthy. SMTP connections from these addresses are allowed to relay without authentication. NOTE: this list of trusted IPs & hosts is also used by the AntiSpam engine's Whitelist as a bypass list if the "Whitelist trusted IPs and authenticated sessions" option is checked in AntiSpam - Whitelist - General. Using the Add or Edit buttons opens the IP Address dialog. You can use masks and ranges (examples are shown in the dialog); hostnames are also allowed. Use the Delete button to delete a selected IP range, the arrow buttons to move ranges up and down the list, and the Edit File button to open the simple text file containing the IP ranges (examples are given in the file).
DNS

A DNSBL (DNS-based blocklist) is a DNS zone that lists IP addresses known as sources of spam. If you query an address against a DNSBL and get a positive result, the address is most likely that of a known spammer. This can be used as an AntiSpam technique.

Use DNSBL
  Check this option to use DNSBL checking. Use the B button to specify a list of IP addresses, domains and e-mail addresses for which the DNSBL check is not performed (effectively a list of trusted addresses).

Close connections for DNSBL sessions
  Check this option and any connection from an IP address listed on a blacklist is closed immediately.

Host List
  Define the list of DNSBL server(s) you wish to query. Use the Add and Delete buttons to populate and de-populate the list. You can use as many DNSBLs as you wish, but be aware that each one adds a DNS query, and therefore processing time, to every incoming connection.

Reject if sender's IP has no rdns
  Check this option to enable reverse DNS checking. Any connection from a server whose IP address has no rDNS (PTR) record is rejected.

Reject if originator's domain does not exist
  Check this option to check for the existence of a DNS A record for the domain of an incoming message's sender. If the sender's domain has no A record the message is rejected.
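The three checks on this tab all reduce to DNS queries made during the SMTP session. The Python below is an added example, not IceWarp's code: it builds the reversed-octet DNSBL query name and the in-addr.arpa name for the rDNS check, applies the bypass list, interprets a 127.0.0.0/8 answer as a listing, and checks that the originator's domain exists. It goes one step beyond the page for the last check by also accepting a domain that has only an MX record, since such domains legitimately send mail. The resolver, the zone dnsbl.example and all records are constructed so the example runs offline.

```python
from ipaddress import IPv4Address


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Octets reversed and the DNSBL zone appended: 203.0.113.5 -> 5.113.0.203.<zone>."""
    octets = str(IPv4Address(ip)).split(".")      # IPv4Address() validates the input
    return ".".join(reversed(octets)) + "." + zone


def ptr_query_name(ip: str) -> str:
    """The in-addr.arpa name looked up for the reverse DNS (PTR) check."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


class SmtpDnsChecks:
    """Connection-time and MAIL FROM-time DNS checks with a pluggable resolver."""

    def __init__(self, resolve, dnsbl_zones, bypass=()):
        self.resolve = resolve            # resolve(name, rrtype) -> list of answers; [] = no record
        self.dnsbl_zones = list(dnsbl_zones)
        self.bypass = set(bypass)         # the "B" list: addresses never DNSBL-checked

    def check_connection(self, ip: str):
        """Decide on a connecting IP: ('accept' | 'reject', reason)."""
        if not self.resolve(ptr_query_name(ip), "PTR"):
            return ("reject", "no rDNS (PTR) record")           # Reject if sender's IP has no rdns
        if ip in self.bypass:
            return ("accept", "bypass list")
        for zone in self.dnsbl_zones:
            answers = self.resolve(dnsbl_query_name(ip, zone), "A")
            # a listing is signalled by an A record in 127.0.0.0/8; the exact value encodes the reason
            if any(a.startswith("127.") for a in answers):
                return ("reject", f"listed on {zone}: {','.join(answers)}")
        return ("accept", "ok")

    def check_sender(self, mail_from: str):
        """Reject if originator's domain does not exist (A record per the page, MX accepted too)."""
        domain = mail_from.rsplit("@", 1)[-1].lower()
        if self.resolve(domain, "A") or self.resolve(domain, "MX"):
            return ("accept", "ok")
        return ("reject", f"originator domain {domain} does not exist")


# Constructed stand-in for DNS so the example runs offline; these are not real records.
FAKE_DNS = {
    ("5.113.0.203.in-addr.arpa", "PTR"): ["mail.bad.example."],
    ("5.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],          # listed
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mx.good.example."],
    ("9.100.51.198.in-addr.arpa", "PTR"): ["relay.partner.example."],
    ("9.100.51.198.dnsbl.example", "A"): ["127.0.0.2"],         # listed, but on the bypass list
    ("example.org", "MX"): ["10 mx.example.org."],
    ("example.net", "A"): ["192.0.2.20"],
}


def fake_resolve(name: str, rrtype: str):
    return FAKE_DNS.get((name, rrtype), [])


checks = SmtpDnsChecks(fake_resolve, ["dnsbl.example"], bypass={"198.51.100.9"})

if __name__ == "__main__":
    for client in ("203.0.113.5", "198.51.100.7", "192.0.2.10", "198.51.100.9"):
        print(client, checks.check_connection(client))
    for sender in ("alice@example.org", "bob@nonexistent.example"):
        print(sender, checks.check_sender(sender))
```

In production the resolver should be a caching one with a short timeout: a DNSBL that stops answering must fail open (treated as "not listed") rather than stall every SMTP session, and a DNSBL that starts answering 127.x for every query (some do when shut down) will reject all your mail until it is removed from the Host List.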
Enable SRS (Sender Rewriting Scheme)
  Activates SRS, which fixes the SPF forwarding problem by having the forwarding agent rewrite the envelope "mail from" address to one in its own domain.

SRS secret key
  The secret key is any arbitrary string you make up; it is your own passphrase. It is used as the key for the hash embedded in rewritten addresses, which is what allows bounce-backs to be validated. This field must not be left blank.

The 'B' button
  Use this button to open and edit the SRS bypass file srsbypass.dat. See the example in the bypass file for the correct syntax.

Intrusion Prevention

Intrusion Prevention enables you to block IP addresses performing suspicious activities. When activated, the server monitors all unsuccessful attempts by remote servers to deliver to unknown recipients. If the number of attempts from one server exceeds the threshold setting, that IP address is blocked (denied access) for a specified amount of time. This protects against spammers who target your IceWarp Server accounts with address dictionary attacks. There is an option to create a "bypass list" of IP addresses which will never be blocked.

Active
  Enables the feature.

The 'B' (Bypass) button
  Click here to edit the standard Bypass file. If a session is authenticated or comes from a trusted IP, it is automatically bypassed even if the bypass file is empty. NOTE: most of the conditions are evaluated at an early stage of the SMTP session, when not enough information about the session is available. E.g. the condition Local Sender cannot bypass "Block IP address that establishes number of connections in one minute", because the sender is not known immediately after the connection is made. An IP/Pattern or DNS A condition can be used there instead.

Block IP address that exceeds unknown user delivery count
  Check this option and specify a value. In the screenshot an address is blocked after it attempts to deliver 5 messages to unknown users.

Block IP address that gets denied for relaying
  Check this option to automatically block addresses that attempt to relay through IceWarp Server more than the number of times specified in the unknown user delivery count.

Block IP address that establishes number of connections in one minute
  Check this option and specify a value. In the example an IP address that establishes 100 connections in one minute is automatically blocked.

Block IP address that exceeds RSET session count
  Check this option and specify a value. In the example any connection that issues 5 RSET commands in one session is blocked.

Block IP address that exceeds message spam score
  Check this option and specify a value. In the example any IP address that delivers a message with a spam score higher than 8.5 is automatically blocked.

Block IP address that gets listed on DNSBL
  Check this option and any connection that is refused because it is on a DNSBL is also blocked.

Block IP address that exceeds message size
  Check this option to have the IP address blocked for any connection that attempts to deliver a message greater than the specified size. Specify a value and choose Kilobytes, Megabytes or Gigabytes from the drop-down box. NOTE: this check differs from the standard SMTP Max message size check in that the connection is closed as soon as the size threshold is reached and the IP address is blocked. This is useful for stopping potential bandwidth abusers who send large messages. For example, with the settings shown, someone sends a 1 GB message to one of your users. As soon as the system has received the first 100 MB it closes the connection and blocks the IP address for 4 hours. The sending SMTP server may try to re-send the message but is denied access until the 4 hours are up, at which point the first 100 MB is accepted and the block happens again. Eventually the sending SMTP server gives up trying to send the message. The effect on your server is that instead of high bandwidth usage for the duration of a 1 GB transfer, it has high bandwidth usage every 4 hours for the duration of a 100 MB transfer until the sending server gives up, freeing your bandwidth for other send/receive operations in the meantime.

Block IP address that exceeded number of failed login attempts
  This option can be enabled only if the login policy is enabled (Domains and Accounts - Policies - Login Policy - Block user login for accounts that exceed a number of failed login attempts). The IP address is added to the blocked list after an unsuccessful login attempt that reaches or exceeds the number of failed attempts specified in Policies - Login Policy. Because the failed attempts are counted per account, they need not all come from one IP address: the address that makes the attempt crossing the threshold is the one blocked.

Amount of time for IP address to be blocked
  Specify how many minutes an IP address is blocked for.

Refuse blocked IP address
  Checking this option stores the blocked IP in a database and refuses any further connection attempts. Be aware that this could cause large growth of the database with performance degradation. In the unchecked state the blocking feature still operates but the IP database is not used.

Close blocked connection
  If checked, any IP address that is blocked also has its open connection(s) closed immediately.

Cross session processing
  Check this option to have IceWarp Server accumulate Intrusion Prevention statistics across multiple sessions (connections) from the same server. Stats are accumulated over the time selected in "Amount of time for IP address to be blocked". In the example, connections from HostA would be collected and acted upon for 30 minutes.

Blocked IPs
  Press this button to jump to the Intrusion Prevention queue, where you can manage your blocked IP addresses.

Intrusion Prevention Reason Codes

Code  Explanation
C     Tarpitting invoked via Content Filters
I     IP blocked for exceeding connections in one minute
M     IP blocked for delivering an oversized message
R     IP blocked for exceeding the RSET command count
D     IP blocked for being listed on a DNSBL
A     The account this message was sent to was a "tarpit" account, so the sending IP is tarpitted
P     IP blocked for exceeding the unknown user delivery count
Y     IP blocked for relaying
S     IP blocked for exceeding the spam score in a message
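To make the interaction between the block thresholds, the bypass list, the block time and the Cross session processing option concrete, here is an added example in Python. It is not IceWarp's implementation: it keeps a sliding-window counter per client IP and event type, ignores authenticated and bypassed sources, blocks an IP with the reason code from the table above when a threshold is reached, and lets the block expire. With cross-session processing on, unknown-recipient attempts accumulate across connections for the block time, which is what defeats a dictionary attack spread over many short sessions; with it off, the same attack stays under the threshold. The thresholds, the 30-minute block, the bypass networks and the event log are all constructed for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Thresholds mirror the Intrusion Prevention fields; the values below are assumed for this example.
LIMITS = {
    "unknown_user": 5,   # Block IP address that exceeds unknown user delivery count
    "relay_denied": 5,   # Block IP address that gets denied for relaying (same count as above)
    "connect": 100,      # Block IP address that establishes number of connections in one minute
    "rset": 5,           # Block IP address that exceeds RSET session count (per session)
}
REASON_CODE = {"unknown_user": "P", "relay_denied": "Y", "connect": "I", "rset": "R"}
BLOCK_SECONDS = 30 * 60                                             # Amount of time for IP address to be blocked
BYPASS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]    # assumed bypass file contents


class IntrusionPrevention:
    def __init__(self, cross_session: bool = True):
        self.cross_session = cross_session                       # the "Cross session processing" option
        self.events = defaultdict(lambda: defaultdict(deque))    # ip -> counter key -> event times
        self.blocked = {}                                        # ip -> (expires_at, reason code)

    @staticmethod
    def bypassed(ip: str) -> bool:
        return any(ip_address(ip) in net for net in BYPASS)

    def is_blocked(self, ip: str, now: float) -> bool:
        entry = self.blocked.get(ip)
        if entry and now < entry[0]:
            return True
        self.blocked.pop(ip, None)                               # block expired (or never existed)
        return False

    def record(self, ip: str, kind: str, now: float, session: str, authenticated: bool = False):
        """Feed one SMTP event. Returns the reason code if this event blocks the IP, else None."""
        if authenticated or self.bypassed(ip) or self.is_blocked(ip, now):
            return None
        # RSET is always counted per session; the other counters span sessions only when
        # cross-session processing is on (connections per minute are cross-session by nature).
        per_session = kind == "rset" or (kind != "connect" and not self.cross_session)
        key = (kind, session if per_session else None)
        window = 60 if kind == "connect" else BLOCK_SECONDS       # stats accumulate over the block time
        times = self.events[ip][key]
        times.append(now)
        while now - times[0] > window:                           # drop events outside the sliding window
            times.popleft()
        if len(times) >= LIMITS[kind]:
            self.blocked[ip] = (now + BLOCK_SECONDS, REASON_CODE[kind])
            self.events.pop(ip, None)                            # counters restart after the block
            return REASON_CODE[kind]
        return None


# Constructed event log (seconds, client IP, session id, event); not real server output.
EVENTS = [
    (0, "203.0.113.5", "a1", "connect"), (1, "203.0.113.5", "a1", "unknown_user"),
    (2, "203.0.113.5", "a1", "unknown_user"),
    (600, "203.0.113.5", "a2", "connect"), (601, "203.0.113.5", "a2", "unknown_user"),
    (602, "203.0.113.5", "a2", "unknown_user"),
    (1200, "203.0.113.5", "a3", "connect"), (1201, "203.0.113.5", "a3", "unknown_user"),  # 5th within 30 min
    (1202, "10.0.0.7", "b1", "unknown_user"),                   # bypass network: never blocked
] + [(5, "198.51.100.7", f"c{i}", "connect") for i in range(100)]  # 100 connections in one second


def replay(events, cross_session: bool = True) -> dict:
    """Return {ip: reason code} for every IP the log gets blocked."""
    ips = IntrusionPrevention(cross_session)
    blocks = {}
    for now, ip, session, kind in events:
        code = ips.record(ip, kind, now, session)
        if code:
            blocks[ip] = code
    return blocks


if __name__ == "__main__":
    print(replay(EVENTS))                       # {'203.0.113.5': 'P', '198.51.100.7': 'I'}
    print(replay(EVENTS, cross_session=False))  # {'198.51.100.7': 'I'}: per-session counts stay under 5
```

Note what the bypass check does not do: the trusted-IP and authenticated bypass here matches the page ("automatically bypassed even if the bypass file is empty"), so a compromised account that authenticates and then floods unknown recipients is never blocked by this feature; that case needs the login policy or rate limits on the account instead.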