Administrator's Manual. Version

Transcription

1 Administrator's Manual Version 2030

2 Copyright 2013 by REDDOXX GmbH REDDOXX GmbH Neue Weilheimer Str. 14 D Kirchheim Fon: +49 (0) Fax: +49 (0) Internet: Support: Revision number 2.8 Approved & published This manual was prepared with great care. However, REDDOXX GmbH and the author cannot assume any legal or other liability for possible errors and their consequences. No responsibility is taken for the details contained in this manual. Subject to alternation without notice. REDDOXX GmbH does not enter into any responsibility in this respect. The hardware and software described in this manual is provided on the basis of a license agreement. This manual is protected by copyright law. REDDOXX GmbH reserves all rights, especially for translation into foreign languages. No part of this manual may be reproduced in any way (photocopies, microfilm or other methods) or transformed into machine-readable language without the prior written permission of REDDOXX GmbH. The latter especially applies for data processing systems. REDDOXX GmbH also reserves all communication rights (lectures, radio and television). The hardware and software names mentioned in this manual are most often the registered trademarks of the respective manufacturers and as such are subject to the statutory regulations. Product and brand names are the property of REDDOXX GmbH. This issue replaces all earlier ones and orients itself on the appliance with respect to naming.

3 Table of Contents 1 REDDOXX Manual Symbolism and Highlights General Warning and Safety Notices General Function Scope The REDDOXX Appliance Information about the REDDOXX Appliances Hardware variants Virtual Appliance (VA) Product information REDDOXX general REDDOXX Spamfinder REDDOXX MailDepot REDDOXX MailSealer The REDDOXX Appliance RX The REDDOXX Appliance RX The REDDOXX Appliance RX The REDDOXX Appliance RX The REDDOXX Appliance RX Technical Data Delivery Scope Receipt First Steps General Information Function Description Integration and Commissioning Firewall - Port List Brief Instructions for the Basic Configuration Connection and Network Configuration Login Basic Configuration Options in the Menu Bar File: System Login/Logout Logging in (Connect) Logging off (disconnect) Exiting the Program (exit) View Search Log Status Statistic Starting the Log Viewer iii

4 Table of Contents CISS Manager Configuring CISS - Creating Themes Configuring CISS - Adding Images Configuring CISS - Adding Languages Configuring CISS - Adding Domains Cluster Manager Setup of a cluster operation Takeover operation of a cluster node Release a cluster Release a cluster if one node has a failure Licenses in a cluster operation Diagnostic Center Language Appliance Restarting the REDDOXX Appliance Turning the REDDOXX Appliance off Setting the Time/Date Help License Information Online Help REDDOXX Support Start Remote Support Appliance Configuration Network Settings Network Settings - General Network Settings - Network Network Settings - Routing Network Settings - Time Server Cluster Bridge Policies Settings Settings - General Settings - SMTP Settings - POP Settings - Limits Settings - Queues Settings - Advanced Settings - BATV Settings - Notification Settings - Monitoring SNMP Configuration SNMP Object IDs MIBs and Templates Demo Monitoring System Settings - Log SMTP Configuration Local Internet Domains Creating new Internet Domains Editing Local Internet Domains Copy Local Internet Domain Delete Local Internet Domain Local Networks transport Allowed IP Addresses Blocked IP Addresses Appliance Administration...98 iv

5 Table of Contents Mail Queues Incoming Mails Outgoing Mails User Administration Users Groups Aliases Realm Policies Group Policies Notification Logs Filtering the live log Sessions Services Overview Mail Flow SMTP Server Service SMTP Client Service Control Server Service Message Validation Service Task Scheduler Service Portal Communication Service Remote Support Service Starting, Stopping and Restarting Services REDDOXX Spamfinder Spamfinder Queues Filters White list Filters Blacklist Filters Content Filters Global Filters CISS Filter Settings Common Filter Configuration Realtime Blacklist Filter Configuration Auto White list Adjustment Configuration Virus Scanner Configuration CISS Filter Configuration Bayes Filter Fuzzy-Filter Filter Profiles Blocking and Admitting REDDOXX MailDepot REDDOXX MailSealer Ad hoc encryption with MailSealer Light Permanent encryption with MailSealer Light MailSealer Light Gateways Asymmetric encryption with PGP keys and S/MIME Encryption with PGP keys Encryption with S/MIME certificates Encryption with gateway certificates (S/MIME) Configuration of the MailSealer Configuration Policies Certificates v

6 Table of Contents Private certificates Public certificates Certificate authorities REDDOXX CA The Appliance Manager Logon Home Page The Menu bar File Logout Exit Settings Archive Configuration Change SSL Certificate Help Online Help Appliance Configuration External Storages Local Disc Storage Add a local Disc Storage Format a local Disc Storage Extend a local Disc Storage Remove a local Disc Storage Mount a local Disc Storage Unmount a local Disc Storage iscsi Data Storage Add an external iscsi Data Storage Rename an external iscsi Data Storage Remove an external iscsi Data Storage Mount an external iscsi Data Storage Unmount an external iscsi Data Storage Format an external iscsi Data Storage Extend an external iscsi Data Storage Change the iscsi Initiator Name NFS Storage Add an external NFS Storage Modify a NFS Storage Remove a NFS Storage Mount a NFS Storage Unmount a NFS Storage CIFS Data Storage Add an external CIFS Data Storage Modify a CIFS Data Storage Remove a CIFS Data Storage Mount a CIFS Data Storage Unmount a CIFS Data Storage Data Protection (Backup) Backup Settings Backup Records Delete a Backup Record Archive Container Backup Restore a backup vi

7 Table of Contents Updates Request Updates Install updates Delete Updates Show release notes REDDOXX Diagnostics Center System Health Status (FAQ) Mail Round Trip (FAQ) Process list (FAQ) Consistency Backup Verification (FAQ) Container Consistency (FAQ) Report Certificates (FAQ) Compliance Audit (FAQ) Licenses (FAQ) MailSealer Policies (FAQ) Cluster Tests Cluster Sync Status (FAQ) Cluster time difference (FAQ) Default gateway (FAQ) Heartbeat link (FAQ) Node status (FAQ) Network DNS Lookup (FAQ) DNS Server (FAQ) Fuzzy Filter (FAQ) HTTP (FAQ) LDAP Connectivity (FAQ) LDAP Query (FAQ) Network Time (FAQ) Ping (FAQ) SMTP (FAQ) Tcpdump (FAQ) Traceroute (FAQ) Hardware Disk space (FAQ) Hard disk (FAQ) Memory (FAQ) Raid (FAQ) Virtual SCSI Controller (FAQ) Storage Filesystem (FAQ) Storage Performance (FAQ) Storages (FAQ) Services MailDepot Connector Queue (FAQ) MailDepot Service (Version 2030 SP1 and higher) (FAQ) MailDepot Spooler Queue (FAQ) REDDOXX MailDepot vii

8 Table of Contents Overview Features of MailDepot Licenses and Limitations Migration from Maildepot 1.0 to Offline Reader Administration Archive Container Features and Advantages of an Archive Container Examples of Archive Container Application and Best Practice Archive Container List Create an Archive Container Archive Container Properties Add Container to Inventory Mount Container Unmount Container Remove Container from Inventory Optimize Container Index Backup Container Metadata Move Container to a different storage device Archive Policies Add an Archive Policy Archive Categories Add a Folder Delete a folder Add a category Properties of a Category Access Control Policies Controllers Voting policies Rename a category Delete a category Policies Overview Archive Tasks Archive Task vs. Archive Category Policy Archive Tasklist System Tasks Add an Archive Task Change an Archive Task Copy an Archive Task MailDepot Connectors SMTP Connector SMTP Connector Configuration POP3 Connector Principle Archiving internal mails from the MS Exchange Server POP3 Accounts Troubleshooting Directory Watcher Directory Watcher Settings Additional Access Rights per ACL Files Troubleshooting Audit Sessions Overview Add an Audit Session Archive Spooler viii

9 Table of Contents 6 The Appliance Console Appliance Settings Network Settings Time Server Settings Timezone Backup and Restore Settings IP-Aliases Backup and Restore Backup and Restore Settings Start an Appliance Backup Start an Appliance Restore Restore Settings Reboot Advanced Options Database Maintenance Database Check Database Maintenance Database Repair Rebuild the full text index of the MailDepot Set Appliance Settings to Factory Defaults CleanDatabaseOnly Keep Network Settings Complete Cluster Options Show size of data partition Leave Cluster Start and Stop Services Start REDDOXX Engine Start REDDOXX Remote Support Appliance Reboot Appliance Shutdown Change Admin Password FAQ - Frequently Asked Questions Appendix Contact and Support Deinstallation and Disposal License Agreements Glossary Index ix

10 1 REDDOXX Manual 1.1 Symbolism and Highlights This manual is geared towards the administrator of the REDDOXX Appliance. For better legibility, please note that the term "Administrator" refers to both male and female administrators. Please read the entire manual carefully to ensure professional application of the REDDOXX Appliance. This is the only way we can ease your work with the REDDOXX Appliance. In the glossary, you will find a compilation of the terminology used in this documentation together with its respective explanations The typography used in this manual has the following meaning: DANGER/WARNING All warning and safety notices in this manual are marked this way. Always observe the instructions so there will be no damage to persons and/or objects. NOTICE A notice or tip points out especially important and helpful information about the REDDOXX Appliance. The REDDOXX Appliance can only function correctly and error-free when it is transported, stored, installed, operated and maintained in line with the manufacturer's instructions. HIGHLIGHT EXAMPLE Tab Field name Buttons Selection list List entry in list view "Name of the tab" Name of the field BUTTON List entry 'Entry' Also see: Refers to a chapter. Names Explanation of the respective name 10

11 REDDOXX Manual 1.2 General Warning and Safety Notices This manual contains warning and safety notices, which serve for your own protection but also for the protection of the REDDOXX Appliance. In order not to endanger your safety, you have to observe the following basic conditions for the installation, use and operation of the REDDOXX Appliance. The notices in this manual hare highlighted as follows: DANGER Omitting precautions and safety measures may lead to severe health damage, injury to persons or even death. WARNING Only expert personnel are allowed to operate the appliance or remedy possible errors in the hardware. Expert personnel are qualified persons authorized to commission and maintain the device, program the control, operate the hardware according to the safety instructions pursuant to the valid standards and have a corresponding qualification. NOTICE Observe the settings you perform in the REDDOXX Appliance. All setting you make is saved by the REDDOXX Appliance, not the REDDOXX Console. The Console is only the input mask. You will find these notices exclusively in the content of the manual. Read the warning and safety instructions carefully before commissioning the REDDOXX Appliance. DANGER/WARNING Observe all instructions attached to the REDDOXX Appliance and listed in this manual. Prior to cleaning the REDDOXX Appliance, pull the mains plug. Do not use any liquid cleaning agents or agents containing aerosols. Only use a damp cloth for cleaning. Do not use the REDDOXX Appliance near water. Do not spill any liquid on or into the REDDOXX Appliance. Place the REDDOXX Appliance on a stable surface. There are ventilation openings in the casing. These openings may not be obstructed or covered. Do not place the REDDOXX Appliance next to or on top of a radiator. Only use the power source stated at the mains connection. If you are not sure about the kind of power source you have, contact your local energy supply company. Do not walk on the cable and do not put anything on it. If you are using an extension cord for the REDDOXX Appliance, make sure that the total amperage or all devices connected to this extension cord does not exceed the admissible amperage for the extension cord. Do not insert any objects into the ventilation slots of the REDDOXX Appliance. 11

12 REDDOXX Manual Do not attempt to service your REDDOXX Appliance yourself with the exception of the cases explained in this manual. Only use the controls mentioned in these instructions. If you open covers with the notice "Warranty void if broken", you may expose yourself to high voltage or other risks. Leave the maintenance of these parts up to expert personnel. In the following cases, pull the mains plug of the REDDOXX Appliance out of the outlet and let expert personnel service the REDDOXX Appliance. - The cables or the plug are damaged. - Liquid was poured into the REDDOXX Appliance. Despite following the instructions, the REDDOXX Appliance does not work properly. The REDDOXX Appliance was dropped or the casing is damaged. - The REDDOXX Appliance shows substantial performance changes. Always transport the REDDOXX Appliance carefully. Impact stress or dropping can also damage the inside of the device. Do not operate damaged devices! 12

13 REDDOXX Manual 1.3 General Function Scope Thank you for purchasing the REDDOXX Appliance and the corresponding appliance console. The REDDOXX Appliance is an innovative product for the reliable, active and individual prevention of spam problems and legally conform archiving. In addition, you can also send critical business data and sensitive information in encrypted form to your business partners, so that unauthorized persons cannot read even intercepted mails. With the REDDOXX Appliance, you protect your company from technical and economic damage as well as image damage. The REDDOXX Appliance filters undesired mail out right from the start. You save a lot of time, because viruses, worms and Trojans cannot penetrate your active network. The REDDOXX Appliance is simply switched before the server and geared exactly towards the individual requirements of your company. Our solution is just as unusual as it is successful: Contrary to the standard approach "filtering out what is not desired", the REDDOXX Appliance pursues the proactive way: "pre-define what you want!" The REDDOXX Appliance is an optimally coordinated software and hardware unit, which only selects and forwards desired s immediately. It is installed between the firewall and the server and therefore only requires a minimum interference with your company's IT. The REDDOXX Appliance immediately solves four major problems: 1. What's spam for one is a relevant mail for the other. This is why the REDDOXX Appliance selects the desired mails and determines the relevance of the mail with the authorization of the sender in case of doubt. 2. With pre-definition, additional filters and the interactive authorization of the sender, the REDDOXX Appliance offers the highest chances for success in spam combating and achieves the highest degree of satisfaction for the applicant. 3. Archiving of all s through MailDepot: 1. Organizational transparency and increased productivity. 2. Prevention of accidental or intentional deletion of relevant mails. 3. Increased time resources for administrators and users through user-defined access options to archived s. 4. Encrypted transmission with MailSealer 13

14 The REDDOXX Appliance 2 The REDDOXX Appliance 2.1 Information about the REDDOXX Appliances We offer you the custom-tailored solution for your company. In doing so, we consider your individual requirements ranging from the current number of workplaces up to the further development of your company. The different versions ensure that the REDDOXX Appliance meets all the requirements of small, medium and large-sized companies. The REDDOXX Appliance has a modular structure: It consists of the products REDDOXX Spamfinder REDDOXX MailDepot REDDOXX MailSealer 2.2 Hardware variants The REDDOXX Appliance is available in the following hardware variants: RX-50 RX-100 RX-250 RX-750 RX-2500 NOTICE For the hardware data, refer to the chapter "REDDOXX Appliance - Technical Data" in the documentation of your REDDOXX Appliance. 14

15 The REDDOXX Appliance 2.3 Virtual Appliance (VA) The REDDOXX Appliance also can run in a virtual machine. Further informations you can get from the document Installation Guide for a REDDOXX Virtual Appliance from the Reddoxx Support Center - Manuals under Product information REDDOXX general Simple structure for fast application within minutes; at the same time compatible with all standardized servers. Secure, hardened Linux kernel. Powerful virus protection through open source technology with ClamAV REDDOXX Spamfinder Powerful spam filtering including CISS technology, which provides a spam reduction rate of almost 100%. Innovative Advanced Realtime Blacklist Filter, White list Filter as well as additional statistic filters and further content filters as well as Blacklist Filter technologies. Possibility to generate automated and external backups REDDOXX MailDepot Automatic audit and manipulation-proof archiving of all s Organizational transparency and increased productivity. The REDDOXX Appliance is installed between the firewall and the server and therefore only requires a minimum interference with your company's IT REDDOXX MailSealer Fast encryption and signing of s compatible with all standard programs supports S/MIME automatic PKI linkup 15

16 The REDDOXX Appliance 2.5 The REDDOXX Appliance RX-50 The REDDOXX Appliance RX-50 is suited for the demands of small and medium-sized companies up to 50 User. Illustration: REDDOXX Appliance - RX-50 Illustration: Backside of the REDDOXX RX-50 Appliance COMPONENTS HOW TO CONNECT THE REDDOXX APPLIANCE CORRECTLY 1. REDDOXX Appliance 2. Network cable Connect the REDDOXX Appliance with the power plug. Insert the main plug (1) into a suitable outlet. Connect your network cable into LAN-1 (2). A Power switch Turn the REDDOXX Appliance on. (backside) B Monitor connection Only for maintenance purposes. C USB Only for maintenance purposes. ATTENTION Observe all warning and safety notices as well as all other relevant information about the proper handling of the REDDOXX Appliance. 16

17 The REDDOXX Appliance 2.6 The REDDOXX Appliance RX-100 The REDDOXX Appliance RX-100 is suited for the demands of medium-sized companies up to 100 User. Illustration: REDDOXX Appliance - RX-100 with front cover Illustration: Backside of the REDDOXX RX-100 Appliance COMPONENTS HOW TO CONNECT THE REDDOXX APPLIANCE CORRECTLY 1. REDDOXX Appliance 2. Network cable Connect the REDDOXX Appliance with the main plug. Insert the power plug (1) into a suitable outlet Plug your network cable into LAN-1 (2). A Power switch Turn the REDDOXX Appliance on. (front side behind the shield) B Monitor connection Only for maintenance purposes. C USB Only for maintenance purposes. ATTENTION Observe all warning and safety notices as well as all other relevant information about the proper handling of the REDDOXX Appliance. 17

18 The REDDOXX Appliance 2.7 The REDDOXX Appliance RX-250 The REDDOXX Appliance RX-250 is suited for the demands of large medium-sized companies up to 250 User. Illustration: REDDOXX Appliance - RX-250 with front cover Illustration: Backside of the REDDOXX RX-250 Appliance COMPONENTS HOW TO CONNECT THE REDDOXX APPLIANCE CORRECTLY 1. REDDOXX Appliance 2. Network cable Connect the REDDOXX Appliance with the main plug. Insert the power plug (1) into a suitable outlet Plug your network cable into LAN-1 (2). A Power switch Turn the REDDOXX Appliance on. (front side behind the shield) B Monitor connection Only for maintenance purposes. C USB Only for maintenance purposes. ATTENTION Observe all warning and safety notices as well as all other relevant information about the proper handling of the REDDOXX Appliance. 18

19 The REDDOXX Appliance 2.8 The REDDOXX Appliance RX-750 The REDDOXX Appliance RX-750 is suited for the demands of large-sized companies up to 750 User. Illustration: REDDOXX Appliance - RX-750 with front cover Illustration: Backside of the REDDOXX RX-750 Appliance COMPONENTS HOW TO CONNECT THE REDDOXX APPLIANCE CORRECTLY 1. REDDOXX Appliance 2. Network cable Connect the REDDOXX Appliance with the main plug. Insert the power plug (1) into a suitable outlet Plug your network cable into LAN-1 (2). A Power switch Turn the REDDOXX Appliance on. (front side behind the shield) B Monitor connection Only for maintenance purposes. C USB Only for maintenance purposes. ATTENTION Observe all warning and safety notices as well as all other relevant information about the proper handling of the REDDOXX Appliance. 19

20 The REDDOXX Appliance 2.9 The REDDOXX Appliance RX-2500 The REDDOXX Appliance RX-2500 is suited for the demands of enterprise-sized companies up to 2500 User. Illustration: REDDOXX Appliance - RX-2500 with front cover Illustration: Backside of the REDDOXX RX-2500 Appliance COMPONENTS HOW TO CONNECT THE REDDOXX APPLIANCE CORRECTLY 1. REDDOXX Appliance 2. Network cable Connect the REDDOXX Appliance with the main plug. Insert the power plug (1) into a suitable outlet Plug your network cable into LAN-1 (2). A Power switch Turn the REDDOXX Appliance on. (front side behind the shield) B Monitor connection Only for maintenance purposes. C USB Only for maintenance purposes. ATTENTION Observe all warning and safety notices as well as all other relevant information about the proper handling of the REDDOXX Appliance. 20

21 The REDDOXX Appliance 2.10 Technical Data Hardware Appliance RX-50 RX-100 RX-250 RX-750 RX-2500 Queue capacity Recommended number of users Raid-Level 160 GB 250 GB 150 GB 300 GB 300 GB 50 n.v Intel Atom N GHz 1 GB Desktop 5,5 cm x 27 cm x 16 cm 2,15 kg 100 n.v. 250 RAID RAID RAID 1 Intel Xeon 2.4 GHZ Quad Core 8 GB 19", 1HE 8,7 cm x 45,1 cm x 83,8 cm 33,75 kg 750 W (redundant) V Processor Memory (RAM) Enclosure Measures (W x H x D) Weight Power supply Voltage Input power / frequency Operating temperature Relative humidity Certification Intel Dual Intel Core i3 Intel Core i5 Core 2.8 GHz 3.06 GHz 3.33 GHz 1 GB 2 GB 4 GB 19", 1HE 19", 1HE 19", 1HE 4,3 cm x 43 4,3 cm x 43 cm 4,3 cm x 43 cm x 50,8 cm x 50,8 cm cm x 50,8 cm 14,15 kg 14,15 kg 14,15 kg 30 W (extern) V 350 W V 350 W V 5-3A / Hz 5-3A / Hz 5-3A / Hz % % % CE, TÜV GS, ISO 9001: W V 5-3A / Hz 5-3A / Hz % CE, TÜV GS, CE, TÜV GS, ISO CE, TÜV GS, ISO 9001:2008 ISO 9001: : % CE, TÜV GS, ISO 9001:2008 Virtual Appliance RX-50 RX-100 RX-250 RX-750 RX-2500 Recommended number of users Required memory (RAM) Number of processors MB GB GB GB GB 4 Virtual Appliance RX-5000 RX-7500 Recommended number of users Required memory (RAM) Number of processors GB GB 8 21

22 The REDDOXX Appliance 2.11 Delivery Scope Prior to the installation, check your delivery for completeness. The delivery contains the following products: REDDOXX Appliance Software for the REDDOXX consoles on CD Administrator console User console "Manual for Administrators" and "Manual for Users" as PDF files. NOTICE The latest version of the REDDOXX software as well as the manuals can be downloaded in the support section at Receipt Check the product for damages upon receipt. If you notice any apparent damage upon delivery or when unpacking the merchandise, contact your retailer. WARNING Always transport the device carefully. Impact stress or dropping can also damage the inside of the device. Do not operate damaged devices! 22

23 First Steps 3 First Steps 3.1 General Information This chapter is supposed to help you with putting the REDDOXX Appliance into operation and contains all steps required to ready the REDDOXX Appliance for operation. First we will show you in a diagram where to install the REDDOXX Appliance. The additional chapters then deal with the connection, registration, basic configuration and operation of your REDDOXX Appliance Function Description The REDDOXX Appliance behaves like a server vis-à-vis the sender. The first filters already become active while the connection between the sending server and the REDDOXX Appliance is being established. Depending on the filter settings, the REDDOXX Appliance may already reject s at this stage. Also see: "Filters" The REDDOXX Appliance can manage several domains and forward the respective s to the different servers in your company Integration and Commissioning The standard system consists of one or several servers and the REDDOXX Appliance, which is installed between the servers and your firewall, if available. Illustration: Function diagram of the REDDOXX Appliance 23

24 First Steps You only need a few steps to put the REDDOXX Appliance into operation. Connect the REDDOXX Appliance with the network, assign an IP address and adjust the routing of the traffic in such a way that incoming mails are forwarded to the REDDOXX Appliance as early as possible so that it can then take care of the subsequent forwarding. For more information, refer to the following brief instructions. TIP For efficiently combating spam, we recommend installing the REDDOXX Appliance directly behind your firewall as a so-called first mail hop. Then the sender establishes the connection directly with the REDDOXX Appliance. As the REDDOXX Appliance is capable of learning from your actions, we recommend you also direct the outgoing traffic through the REDDOXX Appliance. 24

25 First Steps Firewall - Port List These ports must be opened for perfect operation of the REDDOXX Appliance: SMTP/25 TCP in/out For incoming / outgoing s DNS/53 UDP/TCP out For domain name service requests to your DNS server. HTTP/80 TCP out For communication with the REDDOXX portal. This is where the license information is checked. For the REMOTE SUPPORT SERVICE. It is possible to activate a remote access for REDDOXX's technical support via the REMOTE SUPPORT SERVICE, port 80 on the REDDOXX switching computer (RDXCALL). For Software- and pattern updates, spam validations. NTP/123 UDP out For time leveling with a time server SMB 137,138 UDP out, 139 TCP out, CIFS 445 TCP out for backup and archiving (mail depot) on a remote Windows/Samba share. LDAP/389 TCP out, LDAP/636 out for SSL For user authentication and recipient check via Active Directory, OpenLDAP, Novell edircetory, Lotus Notes Domino. LDAP/3268 TCP out For higher-performance LDAP queries against a Global Catalog Server. REDDOXX/4010 TCP in For the user and administrator console of the REDDOXX Appliance. REDDOXX/4011 TCP in For communication between admin console and the control service port of the appliance, required for the cluster manager, diagnostic utilities and the remote support service. REDDOXX/55555 TCP out For communication with the fuzzy filter remote service for spam detection. NOTICE You should especially pay attention to these ports when the REDDOXX Appliance is included in another network segment, e.g. a DMZ, and separated from the internal LAN through a firewall. 25

26 First Steps 3.2 Brief Instructions for the Basic Configuration Connection and Network Configuration Connecting the REDDOXX Appliance Proceed as follows to integrate the REDDOXX Appliance into your system. Requirements: Read the warning and safety instructions. 1. Connect the Spamfinder Appliance to the power supply. 2. Connect a monitor and a keyboard. 3. Turn the REDDOXX Appliance on. The IP address is Login as user "admin" with the password "AppAdmin". The administration menu appears. For further details and screenshots, refer to chapter 5 - Appliance Console. 5. Select the item Settings 6. Select the item Network 7. Enter the network data. (host name, domain, IP address, netmask, gateway, 1st DNS, 2nd DNS) 8. Press the TAB key to reach OK and press ENTER. Now the network interface is re-initialized. 9. Select BACK to access the main menu. 10. Select EXIT to exit the console program. 11. Connect a network cable (RJ45) and then connect the appliance with your network. 12. Proceed with the configuration of the admin console as described in the following chapter. NOTICE For function descriptions and the exact connections of the REDDOXX Appliance, refer to the main chapter 2 and there to the different model variants. 26

27 First Steps Login Performing the Login For safety reasons, the REDDOXX Appliance is only accessible via login. Therefore you have to authenticate yourself as follows with your user name and password: Requirements: Purchase of the REDDOXX Appliance with the valid licenses. 1. Copy the content of the REDDOXX CD onto your computer. The files may be copied to any directory of your choice. 2. Double-click on the file rdxadmin.exe. The login window opens. Illustration: Login window 3. Enter the corresponding hostname. 4. Enter your user name. 5. Enter your password. NOTICE The following standard values are set upon delivery of the REDDOXX Appliance: User name: sf-admin and password: admin 6. In realm, select the option "local". A realm is a section similar to a domain where you authenticate yourself. 27

28 First Steps 7. Select the desired language in the selection list, which you want to use to display your program. The selection contains the currently installed languages. 8. Click on the button LOGIN. The welcome window opens. Illustration: Welcome mask 9. Click on the button Setup assistant" to start the assistant for the first configuration of the REDDOXX Appliance. NOTICE Only perform the setup assistant once. 28

29 First Steps Basic Configuration Making the Network Settings To help you with the basic configuration, the setup assistant takes you through all relevant settings. Requirements: The window for the network settings is active. NOTICE If the network settings of the appliance were previously configured via the Appliance Console (chapter 3.2.1), you can simply take over the data listed there. Illustration: Basic configuration network settings Enter the host name. Enter a/your domain. Enter the IP address of the REDDOXX Appliance. Enter the corresponding subnet mask. 29

30 First Steps 5. Enter the standard gateway for the Internet connection. 6. Enter at least one DNS server. NOTICE Ensure that the DNS server is accessible, especially if the REDDOXX Appliance is located in a DMZ. 7. To continue the basic configuration, Click on the button NEXT. CANCEL: Reject changes and exit the basic configuration. Adding Domains Via the domains, you have the possibility to add all domains for which the REDDOXX Appliance is supposed to receive s. Illustration: Basic configuration domains 1. Enter all domains for which you want to receive s. 2. Click on the button ADD. The entered domains are listed in the field domains. NOTICE Observe the correct spelling of the domains. The REDDOXX Appliance cannot receive any s for other domains. 30

31 First Steps 3. To continue the basic configuration, Click on the button NEXT. BACK: Goes back to the previous window. CANCEL: Reject changes and exit the basic configuration. NOTICE In order to delete an added domain again, mark the corresponding entry with a mouse and delete it with the DEL button on your keyboard. This action cannot be undone. Add Local Networks Via the local networks, you can add all local networks for which the REDDOXX Appliance is supposed to function as relay. This way, the REDDOXX Appliance cannot be abused as open relay when s are sent from the inside to the outside via the REDDOXX Appliance. Illustration: Basic configuration local networks 1. Enter the IP network which may send mails to the REDDOXX Appliance. 2. Enter the subnet mask. With the subnet mask , you enter a single host (e.g ). NOTICE Instead of an entire network, you can also state individual IP addresses, e.g. that of your mail server. Individual IP addresses must be masked with

32 First Steps 3. Click on the button ADD. The entered local networks are listed in the field Local Networks. If you have several servers in various IP networks, please also add these networks or hosts. 4. To continue the basic configuration, Click on the button NEXT. BACK: Goes back to the previous window. CANCEL: Reject changes and exit the basic configuration. NOTICE In order to delete an added network again, mark the corresponding entry with a mouse and delete it with the DEL button on your keyboard. This action cannot be undone. Configuring Forwarding Via Forwarding, you can state where the REDDOXX Appliance is supposed to forward the s to. Illustration: Basic configuration forwarding 32

33 First Steps 1. Outgoing s: Enter the FQDN (host name). If necessary, activate the option Forwarding via DNS if the s are supposed to be delivered via DNS. 2. Activate the option Authentication required if the relay server demands authentication. 3. Enter the user name and password if you have activated this option in step Incoming s: If necessary, activate the option Forwarding via DNS if the s are supposed to be delivered via DNS. 5. Enter an internal server at internal server. NOTICE If you have several internal servers, you can configure these later per domain. 7. To continue the basic configuration, Click on the button NEXT. BACK: Goes back to the previous window. CANCEL: Reject changes and exit the basic configuration. Defining Addresses Here is where the address of the administrator and the REDDOXX Appliance are managed, which the REDDOXX Appliance requires for the forwarding of system messages. The REDDOXX Appliance uses the administrator's address to communicate with the administrator. The REDDOXX Appliance's address is used to communicate with the REDDOXX Portal. 33

34 First Steps Illustration: Basic configuration addresses 1. In the field Administrator address enter the administrator's address. The administrator address must exist on one of your servers. At this address, you receive messages concerning innovations (release notes) and updates of the REDDOXX Appliance. 2. In the field REDDOXX address, enter the address of the REDDOXX Appliance. NOTICE The address of the REDDOXX Appliance is required for internal operation and may not be used otherwise. Make sure that this address does not exist on your mail server and that it is forwarded by possible upstream firewalls or relays. 3. To finish the basic configuration, Click on the button FINISH. BACK: Goes back to the previous window. CANCEL: Reject changes and exit the basic configuration. 34

35 4 Information about the Administrator Console This chapter explains the exact handling of the administrator console. The administrator console was developed to ease the handling of the REDDOXX Appliance. You can supplement or change all settings of the REDDOXX Appliance via the console at any time. Before you access the actual application window of the REDDOXX Appliance console, you have to log in. Performing the Login For safety reasons, the REDDOXX Appliance is only accessible via login. Therefore you have to authenticate yourself as follows with your user name and password: 1. Copy the content of the REDDOXX CD onto your computer. The files may be copied to any directory of your choice. 2. Double-click on the file rdxadmin.exe. The login window opens. Illustration: Login window 3. Select the corresponding hostname. 4. Enter your user name. 5. Enter your password. NOTICE The following standard values are set upon delivery of the REDDOXX Appliance: User name: sf-admin and password: admin 35

36 6. In realm, select the option "local". 7. Select the desired language in the selection list, which you want to use to display your program. The selection contains the currently installed languages. 8. Click on the button LOGIN. The application window for the basic configuration is now active. The following application window contains the sections of the administrator console numbered and named: Illustration: Application window after login 36

37 Legend Menu bar Tree view List view Status view Log view 37

38 4.1 Options in the Menu Bar The main menu consists of the sections File, View, Language, Appliance and Help. Illustration: Main menu In the title bar the console software version is showed. Please mind, that you always use the latest software version. Download under File: System Login/Logout For safety reasons, the REDDOXX Appliance is only accessible via login. Therefore you have to authenticate yourself with your user name and password. Illustration: Menu File Logging in (Connect) Requirements: The administrator console (the program sf-admin.exe) must be started. There is no current connection to the system (logged out). 1. In the main menu File, click on Connect. The following dialog is displayed: Illustration: Login window 38

39 2. Host name: Enter the host name to which you want to connect or select it from a list. The list contains the entries you already made so far. 3. User name: Enter sf-admin. 4. Enter the password. NOTICE The following standard values are set upon delivery of the REDDOXX Appliance: User name: sf-admin and password: admin 2. In realm, select the option "local". 7. Select the desired language in the selection list, which you want to use to display your program. The selection contains the currently installed languages. 8. Click on the button LOGIN. The application window for the basic configuration is now active Logging off (disconnect) If you want to login to another REDDOXX Appliance, you first have to disconnect the current connection. 1. In the menu bar, click on Disconnect. 2. Close the application (exit) or login again Exiting the Program (exit) To exit the administrator console, select the menu point Exit. Any connections that are still established are closed as well. 39

40 4.1.2 View Illustration: Menu View Search With the option SEARCH, you show or hide the search field in the top right part of the window. This way, you can search the entries in all queues according to sender or receiver. Requirement: The content of a queue or the archive list is displayed. Illustration: Search entry field 1. Search term: Enter the criterion for which you want to search. NOTICE Per default the view is limited up to 1000 entries. Fill in if you want to see all entries. 2. Search in: Select the desired field type in the selection list. You can select between "Sender" (pre-selection) and "Recipient". 3. Search: Search to start the search. 40

41 Log Via the option Log (also F7 key), you can turn the live log on or off. In deactivated mode, you therefore have more room for the above list view Status Via the option Status (also F8 key), you can turn the appliance status display on the bottom left of the window on and off. In deactivated mode, you therefore have more room for the above navigation tree Statistic Via "Statistic", you can create diagrams about the filter behavior of the REDDOXX Appliance, print and save them. Requirement: Logs must be available. 1. In the menu bar, click on View. 2. In the selection list open the context menu with a right-click The following view appears: Illustration: Statistic context menu 3. ADD Series adds a new graph onto the diagram. 41

42 The following view appears Illustration: Add line 4. Make your desired selections 5. Add the desired statistic by Clicking on OK. Following view appears: Illustration: Statistics chart 6. Right click on a graph to open the context menu. 7. Change Color of the selected graph 8. Remove the selected graph from the chart Starting the Log Viewer The Log Viewer lets you view logs. This corresponds to the same function as described in chapter 4.3.4, but you can also view logs that were already saved locally or logs of other REDDOXX Appliances (e.g. subsidiaries). To do so, open the dialog file and load the desired log file. 42

43 CISS Manager Configuring CISS - Creating Themes Here you define the appearance (layout) of your CISS portal page. If you wish to have different layouts for separate domains, you need to create multiple themes and then assign a domain to your prepared themes. Illustration: CISS manager In the tree, right-click on CISS themes. In the selection list, click on Add theme and assign a name of your choice. Select a desired layout for your CISS page. 5 different layouts are available. Then select the individual areas to define the corresponding layout. In order to integrate a logo, Click on the button LOAD in the Logo preview. The supported image formats are GIF and JPG. NOTICE Image size: 400px width. Larger images are automatically scaled down, smaller images are not enlarged. 43

44 6. In order to integrate a background image, Click on the button LOAD in Background image. The supported image formats are GIF and JPG. NOTICE You can constantly see a preview of your generated CISS page. To do so, Click on the button Preview Configuring CISS - Adding Images Here you can add and configure images for use by CISS. 1. In the tree, click on your created theme and then right-click on Images. Then click on Add image and select the desired image. The following view appears: Illustration: CISS manager - images 2. Select the grid size for generating the interaction fields via the option Grid size. Now define the interaction fields by clicking on the desired image area. NOTICE Interactive fields are shaded. Clicking again on a shaded field cancels the interaction again. 3. To be able to configure instructions, you first have to add languages. 44

45 Configuring CISS - Adding Languages Here you can add and configure different languages for use by CISS. 1. In the CISS navigation tree, click on your created theme and then right-click on Languages. Then click on Add language in the selection list and select the desired language. The following view appears: Illustration: CISS manager languages 2. For each language, you can now define separate text versions for the parameters "error page, thank you page, top text, back button and close window". 3. To define these texts, double-click on the corresponding parameters (e.g. error page). The text editor is displayed: 45

46 Illustration: CISS manager - languages - text editor 4. You can define your own texts in the text editor. NOTICE You can obtain a selection of German and English sample texts from the REDDOXX Support Center at: in the column REDDOXX Spamfinder CISS - Text samples Configuring CISS - Adding Domains Here you can assign a theme to an domain, which is then active for the use of CISS. Requirement: A local Internet domain must already be configured. 1. In the tree, click on your created theme and then right-click on Domains. Then click on Add domain in the selection list and select the desired domain. The following view appears: 46

47 Illustration: CISS manager - domains NOTICE All domains entered in Domains are activated for use by CISS. However, in order for CISS to kick in, the CISS filter must be assigned for the respective filter profile. 2. Click OK to add the domain to the theme. 3. To save the entire CISS configuration, click on Save. With a click on CANCEL, you close the CISS Manager and cancel the configuration. 47

48 Cluster Manager The cluster manager enables the setup of a failover cluster with 2 appliances. Within one failover cluster the active node additionally takes over the IP address on its network interface card. If, due to a malfunction, the active node fails, the secondary node will take over the failover IP address, thereby turning into the active node and staying accessible for the other network components, e.g. firewall and mail server, under the same IP address. Functional Diagram Illustration: Cluster functional diagram INFORMATION The heartbeat network gets installed using the two secondary LAN interfaces (LAN 2) of the appliances and a crossed patch cable. Both appliances are controlling with the help of a regular impulse (heartbeat) whether the other appliance is still working properly. If the primary appliance does not react anymore, the secondary appliance will assume all data resources and start the required services (engine and data base). In case of a failover or an appliance breakdown the administrator will be advised by an . 48

49 Requirements - Two Reddoxx appliances of the same product line. - A subscription license fitting to the product line (maintenance license). One Ethernet cross over cable. A cluster license fitting to the product line (license for the operating of the cluster). Restrictions - During the test period the cluster cannot be installed on virtual appliances. Before operating the cluster, a virtual appliance must get licensed. In bridge mode an operating of the cluster is not possible. Preparation of the Appliances - Both appliances require a complete network setup. - The data partition of the secondary appliance has to be as large or larger as the data partition of the primary appliance. - During the installation of the cluster internet access is required for both appliances. The password for the sf-admin has to be identical at both appliances. The system time must be equal on both appliances. Allow the IP addresses of both appliances on your firewall for outbound mail traffic. 49

50 Setup of a cluster operation 1. Select Cluster Manager from the menu View. Following dialog appears: Illustration: Cluster connect 2. Primary Appliance: The input field Primary Appliance is preset with the hostname or IP address used by the login. 3. Secondary Appliance: Fill in the hostname or the IP address of the secondary appliance you want to build the cluster with. If there is an IP address preset in the field primary appliance, the IP address of that field will be used but without the last octet. 4. Click on Connect. Following dialog appears: Illustration: Cluster Manager 50

51 5. Click on Create cluster. Following dialog appears: Illustration: Create cluster 6. Failover IP-Address: The failover IP address is the common IP address the cluster is connected from the internal network e.g. firewall and mail server. NOTICE After the cluster setup the primary appliance (node) is active. The active node additionally has assigned the failover IP address to its network interface card. If the primary node fails, the secondary node take over the failover IP address and starts all required services (Engine, Database). So the cluster is herby available still under the same common IP address as before, independent of which node currently is active. All data are synchronized permanently during normal operations and are secured on a transaction base. Heartbeat network 7. Node 1 IP: Default: Node 2 IP: Default: NOTICE The heartbeat network is preset on defaults. Change the values if the presets do not fit within your internal network environment. 51

52 9. Click on OK to continue. Following security warning appears: Illustration: Security warning dialog on create cluster 10. Confirm the security warning with Yes to create the cluster now. The cluster creation now starts. Status messages of each single step are shown inside the action log below. This process takes only some minutes. Illustration: Log view during the cluster setup process 52

53 11. At the end of the cluster setup process following message box returns the status of the process. Confirm with OK. Illustration: Status message after creating the cluster 12. Now the synchronizing of both appliances starts. This is indicated by the yellow cluster status. After successful synchronization the cluster status turns into green. NOTICE For the next login at the admin console the hostname or the IP address is replaced by the failover hostname or IP address. Therefore you can login independently from whether which appliance currently is active. 13. Now insert a cluster subscription license. NOTICE If the cluster is not available (e.g. offline) the status Service failure in indicated as red. At the end of the cluster setup the appliance engine is restarted so the status also turns red for a moment. Do not worry about this. If on the cluster nodes is offline or has an operation failure the cluster status is indicated as orange. During the data synchronization after the cluster setup the cluster is already operational, but not protected against appliance failures (*). The cluster status is indicated as yellow. After successful synchronization the cluster is fully operational and prepared against a node failure (*). The cluster status is indicated as green. (*) protected against failures means, that if one appliance fails, the other node take over the control and continue operation. This does cot cover any other kind of failures regarding to e.g. completely power loss inside the operation centre. 53

54 Takeover operation of a cluster node If case you want to put the control of the cluster to the passive cluster node (e.g. hardware maintenance) you can switch the cluster state of the cluster nodes. The current active node turns to passive, the current passive one to the active node. - Select Cluster Manager in the View menu. - Click on the button Takeover to transfer the control to the other appliance cluster node. Following message box appears: Illustration: Message box when initiating a Takeover Release a cluster - Select Cluster Manager in the View menu. Click on Leave cluster. Following message box appears: Illustration: Security warning before releasing a cluster - Confirm the security message with Yes. During the cluster release you can see status messages to the single process steps. - If the cluster release is finished, the following message appears: 54

55 Illustration: Message box after releasing the cluster NOTICE After releasing the cluster both appliances have the same data set. Therefore only one appliance should be used for continuing operation, because otherwise s can get sent twice. That appliance you want to continue with must be rebooted. The other appliance should be powered off. Consider to reset this appliance to default settings before shut down Notice that the network settings of the appliance have to be reset to your network requirements, so that the firewall and the mail server can connect to it Release a cluster if one node has a failure If one node of the cluster failes (Status Node failure),the cluster cannot be released via the admin console in a proper way. To release the cluster and set the active node to a single node, follow the description in chapter Login to the appliance console. 2. Select Cluster, then Leave Cluster 3. Confirm the security message with Yes. 4. Reboot the appliance. 55

56 Licenses in a cluster operation With the setup of the cluster all licenses of the primary appliance are assigned to the cluster. If the cluster gets released later on, all licenses that have been added during cluster operation gets assigned to the primary appliance. NOTICE For running a failover cluster, 1 cluster license is required Diagnostic Center The diagnostic center gives the possibility to check the appliance for current or for upcoming problems. You can choose the full diagnostic check or a single diagnostic check. NOTICE With appliance version 2027 there is a new Diagnostic Center in the Appliance Manager. Please see chapter Language At present, you can select between 2 different languages: English and German. In the menu LANGUAGE, select the desired language. All views are immediately displayed in the new language. Illustration: Menu item "Language" 56

57 4.1.4 Appliance In the Appliance section, you can restart and turn the REDDOXX Appliance off, set the time and date as well as save and restore the configuration. Illustration: Menu Appliance Restarting the REDDOXX Appliance You can comfortably restart the REDDOXX Appliance via the REDDOXX console. Requirement: Login to the REDDOXX Appliance. 1. In the menu bar, click on Appliance. 2. In the selection list, choose the entry Restart. The REDDOXX is ready for operation again in approx. 1 minute Turning the REDDOXX Appliance off You can comfortably turn the REDDOXX Appliance off via the REDDOXX console. Requirement: Login to the REDDOXX Appliance. 1. In the menu bar, click on Appliance. 2. In the selection list, choose the entry Shutdown Setting the Time/Date Here you can match the date and the time of the REDDOXX Appliance with the current settings of the computer. Requirement: Right settings on the computer (BIOS). 1. In the menu bar, click on Appliance. 2. In the selection list, choose the entry Set date / time. 57

58 4.1.5 Help The HELP menu consists of the license information, Online Help, a link to the REDDOXX Support Center and the Start Remote Support. Illustration: Menu Help License Information Adapting the License Information Here you can manage the licenses for the REDDOXX Appliance. Requirement: Purchase of the REDDOXX Appliance. 1. In the menu bar, click on Info. 2. In the selection list, choose the entry License information. The following view appears: Illustration: License Information - license summary 58

59 3. In the selection in the license summary, you obtain information about the licensee, the number of licenses and the expiration of the subscription. By clicking on Update license, the license summary is updated. Customer Address Here you can manage and update your address data. Requirement: Purchase of the REDDOXX Appliance. 1. In the menu bar, click on Info. 2. In the selection list, choose the entry License information. 3. Click on the tab "Customer address" The following fields are displayed: Illustration: License Information - customer address 4. Fill in all fields properly and click on click on Select Reseller. Following dialog appears: Illustration: License information Select reseller 59

60 5. Select your reseller. You have to fill out 4 characters for minimum. 6. Click finally on update address. 7. CLOSE the window License Numbers This is where your REDDOXX licenses and subscriptions are managed. 1. Click on the tab "License numbers" The following fields are displayed: 2. You see an overview of all entered licenses with activation and expiration information. To enter a new license number, enter the number of the purchased license in the field License number. 3. To register the entered license number on the REDDOXX Appliance, click on the button ADD LICENSE Online Help By pressing the online Help (F1) key your browser will be launched and the context sensitive help pages of the manual will be loaded. 60

61 REDDOXX Support If you have questions to the configuration of the appliance or if you have troubles with the appliance, you call open up a support request by selecting REDDOXX Support from the help menu. Then your browser launches and will b redirected to the following page: Illustration: REDDOXX Support Start Remote Support In case of problems you can start the Reddoxx Remote Support Service to enable remote access to a Reddoxx Support agent. The appliance will establish a connection via TCP Port 80 to the Reddoxx Support Server. Over this connection the Reddoxx Support agent can log into your appliance to start further diagnostics. 1. Select from the menu Help the option Start Remote Support. Now the Remote Support service starts and the following dialog appears. Confirm with OK. 2. To Stop the Remote Support Service, select from the menu Help the option Stop Remote Support. The Remote Support Service now will be stopped. Confirm the dialog with OK. 61

62 4.2 Appliance Configuration Network Settings Open network settings Requirements: The REDDOXX Appliance must be connected and in operation. 1. In the navigation tree, double-click on Appliance configuration. 2. In the tree, double-click on the branch Network settings. ATTENTION You should make a backup before each change and archive this. Also see: "Options in the Menu Bar" Network Settings - General Making the Network Configuration Via the General Configuration, you can set up the hostname and the DNS servers. Requirement: Opening the Appliance Configuration 1. Click on the tab "General" The following fields are displayed: Illustration: General configuration of the REDDOXX Appliance 62

63 2. Hostname - Hostname: Enter any name for the REDDOXX Appliance in the network. The standard value can be exchanged for any name. 3. DNS Domain: If applicable, enter the name of the domain belonging to the REDDOXX Appliance. 4. DNS 1st DNS-Server: Enter the corresponding IP address of your network's DNS server. NOTICE This entry is mandatory! At least one DNS server must be stated. Ensure that the DNS server is accessible, also if the REDDOXX Appliance is operated in a DMZ. 5. DNS 2nd DNS-Server: Enter the IP address of another DNS server. 6. For additional configurations, change to the next tab. OK: Saves the settings and closes the network Configuration. CANCEL: Cancels the settings and closes the network Configuration Network Settings - Network Making the Network Configuration You can set up the primary network card via the network configuration. This consists of an IP address and a network mask each. The second network card is currently not yet supported. NOTICE The configuration of the second network interface is currently not supported. Requirement: Opening the network configuration 1. Click on the tab "Network" The following fields are displayed: 63

64 Illustration: Network configuration of the REDDOXX Appliance LAN 1 2. IP address: Enter the IP address of the REDDOXX Appliance. The standard values were taken over from the first settings. 3. Net mask: Enter the respective network mask of the REDDOXX Appliance. The standard values were taken over from the first settings. LAN 2 4. IP address: If you want to use the appliance in a failover cluster, you need to set the 2nd LAN interface s IP address. 5. Net mask: Enter the respective network mask of the REDDOXX Appliance. The standard values were taken over from the first settings. Bridge mode 6. Enable Bridge mode: Activate the checkbox if you want to drive the box in bridge mode. You can find a detailed documentation inside the manual Pop3 and Bridge mode configuration in chapter For additional configurations, change to the next tab. OK: Saves the settings and closes the network configuration. CANCEL: Cancels the settings and closes the network configuration Network Settings - Routing Default Gateway and Routing 64

65 You can set up the default gateway via the routing configuration. Requirement: Opening the network configuration 1. Click on the tab "Routing".The following fields are displayed: Illustration: Routing configuration of the REDDOXX Appliance 2. Default gateway: Enter the IP address of the default gateway here. 3. If you want to add static routes, you can do so via the button ADD. Illustration: Routing configuration of the REDDOXX Appliance 4. Enter a target network, the corresponding subnet mask and a corresponding gateway. Add route by clicking on OK. 5. For additional configurations, change to the next tab. OK: Saves the settings and closes the network configuration. CANCEL: Cancels the settings and closes the network configuration. 65

66 Network Settings - Time Server Making the Timeserver Configuration Via the timeserver configuration, you can enter the timeservers and choose the applicable time zone via the selection list. Requirement: Opening the network configuration 1. Click on the tab "Timeserver" The following fields are displayed: Illustration: Timeserver configuration of the REDDOXX Appliance 2. Timeserver 1st Timeserver: Enter the name of the timeserver to be used. NOTICE This entry is mandatory! We recommend entering at least one timeserver that supports NTP (Network Time Protocol), as the correct time is important for the functioning of the REDDOXX Appliance. Make sure that the port 123 UDP on your firewall is opened. 3. Timeserver 2nd and 3rd Timeserver If necessary, repeat step Timezone - Time zone: Via the selection list, select the corresponding time zone. 66

67 OK: Saves the settings and closes the network configuration. CANCEL: Cancels the settings and closes the network configuration Cluster You can check your cluster settings here but you can t make any changes here. Changes are only via the cluster manager possible. Illustration: Cluster Settings Cluster enabled: Primary node: Primary ip-address: Secondary node: Secondary ip-address: Failover ip-address: shows if the cluster is setup and enabled Hostname of the primary appliance IP address of the primary appliance Hostname of the secondary appliance IP address of the secondary appliance IP address of the cluster. Click on OK or Cancel to close the dialog Bridge Policies In the appliance configuration there is the point bridge policies. Here you can define rules to bypass IP-based stations like PC or servers. That means, the internet traffic of that specific station still goes through the appliance, but leaves untouched. 67

68 . 1. Double-Click on Bridge Policies. Following dialog is displayed: Illustration: Bridge Policies 2. Source: is a client inside the internal network 3. Destination: is the destination IP address 4. Action: Bypass Mails are not collected by the REDDOXX appliance. The POP3 poll request is sent directly to the provider (Destination IP). Proxy Mails are collected by the appliance. NOTICE With the policies you have the possibility to combine various rules. The processing of the rules goes from top to bottom. As far as a rule matches the condition, this rule will be applied. Further rules will be ignored. Modified rule settings gets applied only after pressing the APPLY button bar. in the menu Settings Opening the Settings Requirements: The REDDOXX Appliance must be connected and in operation. 1. In the navigation tree, double-click on Appliance configuration. 2. In the tree, double-click on the branch Settings Settings - General Making General Settings Via the General Settings, you can enter and administer the hostname and the addresses of the REDDOXX Appliance. This way, the REDDOXX Appliance can send system messages to itself or the system administrator at any time. To let the Appliance load current updates for the fuzzy filter and current virus updates, it must be able to 68

69 establish HTTP connections to the Internet. If a proxy server is supposed to be used for this purpose, you can also configure this here. Requirement: Opening the Settings. 1. Click on the tab "General".The following fields are displayed: Illustration: Settings General addresses 2. Appliance address: Enter the address of the REDDOXX Appliance. NOTICE The address of the REDDOXX Appliance must be an address of a valid domain and also received by the REDDOXX Appliance. This address may not be used for other purposes. 3. Administrator Address: Enter the address of the administrator. To this address the administrator receives messages von the appliance, e.g. when the backup was not finished correctly. HTTP-Proxy 69

70 4. Use HTTP proxy: If there is no direct internet connection in your network, you need to use a HTTP proxy. Then activate the checkbox. 5. Proxy address: Enter the name or IP address of your proxy server that enables HTTP communication. 6. Proxy port: Enter the TCP port of your proxy server. 7. For additional configurations, change to the next tab. OK: Saves the settings and closes the Appliance Configuration. CANCEL: Cancels the settings and closes the Appliance Configuration. SOCKS-Proxy 8. Use SOCKS-Proxy: You also can use a SOCKS-proxy, if there is no direct internet connection available. Then activate the checkbox. A SOCKS proxy is protocol independent and so more flexible. 9. Proxy address: Enter the name or IP address of your SOCKS proxy server that enables Internet communication. 10. Proxy port: Enter the TCP port of your SOCKS proxy server. 11. Proxy user: Enter the username to authenticate against your SOCKS proxy server, if authentication is required. 12. Proxy password: Enter the user s password for authentication against your SOCKS proxy server Settings - SMTP Making the Basic SMTP Settings Adjustments for the hostname, the SMTP server and the SMTP client services. Requirement: Opening the Settings. 1. Click on the tab "SMTP" The following fields are displayed: 70

71 Illustration: Settings SMTP Common 2. Hostname: Enter the corresponding hostname which the REDDOXX Appliance uses to identify itself at the beginning of the SMTP dialogue. This hostname consists of the hostname and the domain of the Appliance Configuration. NOTICE Enter the hostname in FQDN format (Fully Qualified Domain Name). We urgently recommend using a host name which can be resolved via a reverse DNS query (PTR entry), if no smart host (mail relay) is used. SMTP Server 3. TCP Port: If required, adapt the TCP port for the SMTP connections of the REDDOXX Appliance. The default standard value is "25". 4. Enable TLS: If activated, the appliance is able to receive encrypted transmissions from other mail servers. On the beginning of a mail transmission the appliance gets the decrypting key automatically from the mail sending host. 71

72 5. Enable SMTP-Auth: If enabled, mails that coming from the internet can be treated as outbound mails if the connection to the appliance was authenticated with a username and password. That means, a home office co-worker can send mails via the company s common mail server (this appliance) but without being inside the company s network, via VPN. 6. SMTP-Auth over TLS only: If enabled, the appliance forces that the SMTP-Auth connection (mentioned above) must be encrypted via TLS for security reasons. 7. Max. invalid Recipients: The appliance disconnects the SMTP transmission if a peer has tried to deliver to unknown repicients, as many times as this value (threshold) is set. A 0 value disables the function. NOTICE You must restart the SMTP-Server service to activate your changed settings. SMTP Client 8. Enable TLS if enabled, the appliance tries to send the mail encrypted with TLS first. If the other side do not understand TLS encryption, the appliances sends unencrypted. 9. Relay host: Enter the relay for sending outbound s, if you have to use one. s then are not delivered directly but via this relay. Prefer direct delivery if you can, but this requires a fixed IP address and a corresponding PTR record in the DNS. 10. User Name: Enter the user name to authenticate against the relay host Password: Enter the corresponding password. NOTICE Username and password must only be entered if authentication is required. Obtain the access data for login from your provider.notice You must restart the SMTP-Client service to activate your changed settings. 12. For additional configurations, change to the next tab. OK: Saves the settings and closes the Appliance Configuration. CANCEL: Cancels the settings and closes the Appliance Configuration Settings - POP3 Activate POP3 services 1. Click on the tab "POP3". Following window appears: 72

73 Illustration POP3 Pop3 Settings Further detailed information to POP3 and Bridge-Mode you can find inside the brief introduction under 1. Enable POP3 Proxy: Enable the POP3 proxy service, if the REDDOXX appliance should answer to POP3- requests from the internal network. The appliance listens on TCP-Port Enable POP3 ProxyS (SSL): Enable the Secure POP3 service, if the REDDOXX Appliance answers to secured POP3 requests from the internal network. The appliance listens on TCP-Port Settings - Limits Making Limit Settings Via the limit settings, you can set the maximum SMTP connections for incoming and outgoing s. Additional options are timeouts for connection and sending as well as the maximum size. You can also set the maximum number of consoles, which may connect to the REDDOXX Appliance at the same time here. Requirement: Opening the Settings. 73

74 3. Click on the tab "Limits" The following fields are displayed: Illustration: Settings Limits NOTICE For the following settings, take over the respective valid settings in the standard value table as these depend on the variant of the REDDOXX Appliance you have purchased. 1. SMTP - Max. Connections (incoming): Set the limit value of simultaneously incoming s. This value defines how many incoming SMTP connections are managed and maintained at the same time. Connections coming from the internal network (trusted network) have no limitations anymore since version Reject new connections if the limit was reached: New connections will be discared without invoking an SMTP Process. 3. SMTP Max. Connections (outgoing): Set the limit value of simultaneously outgoing s. This value defines how many SMTP connections to other servers are managed and maintained at the same time. 4. SMTP Connection Timeout (outgoing): Set the desired connection timeout for outgoing s in seconds. This time 74

75 defines after how many seconds TCP communication without response the connection is closed. SMTP Timeout (outgoing): Set the desired timeout for outgoing s. This time defines after how many seconds outgoing SMTP communication without response the connection is closed. SMTP Timeout (incoming): Set the desired timeout for incoming s in seconds. This time defines after how many seconds incoming SMTP communication without response the connection is closed. SMTP - Max. Size (MB): Set the desired size. Because of that during the data transmission a validation of the mail size cannot be done, the data always gets transferred completely. After that, the size gets limit proofed and then declined if the size limit has reached. Thereby the sender gets a negative acknowledgement during the SMTP dialogue. The was not accepted. Console - Max. Connections: Set the maximum number of consoles that can connect simultaneously to the REDDOXX Appliance. In this process, admin as well as user connections are counted. For additional configurations, change to the next tab. OK: Saves the settings and closes the Appliance Configuration. CANCEL: Cancels the settings and closes the Appliance Configuration. Standard Value (Recommendation): Max. connections (incoming): Max. connections (outgoing): Connection timeout (outgoing): Timeout (outgoing): Timeout (incoming) Max. size Max. console connections RX-50 RX-100 RX-250 RX-750 RX Sec. 30 Sec. 30 Sec. 30 Sec. 30 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 180 Sec. 100 MB 100 MB 100 MB 100 MB 100 MB

76 ATTENTION Standard values are already pre-defined in the REDDOXX Appliance. These standard values should not be changed. Only expert personnel or support may make changes here Settings - Queues Making REDDOXX Appliance Settings via Queues Via the queue settings, you can define the save and forwarding time of the outgoing queues, the CISS queues, the spam queues and the virus queues in days. Requirement: Opening the Settings. 1. Click on the tab "Queues" The following fields are displayed: Illustration: Settings Queues 2. Outgoing Queue - Max. Delivery Time (Days): Enter the maximum delivery time of the s in the outgoing queues in days. During this time, the system attempts to send the mail. If the mail server that is 76

77 supposed to receive the mail is still not available after this defined time, REDDOXX sends the sender a corresponding message with SMTP error code and cancels the send process. CISS - Max. Save Time (Days): Enter the maximum save time of the s in the CISS queues in days. If a CISS prompt is not executed after a defined period, the mail is deleted on the appliance and not delivered. Spam - Max. Save Time (Days): Enter the maximum save time of the s in the spam queues in days. If the mail is not delivered manually until the expiration of the set time, it is deleted. Virus - Max. Save Time (Days): Enter the maximum save time of the s in the virus queues in days. Queue Report: If this field is activated, a queue report is generated each day at the defined reporting time for each user whose spam or CISS queue has increased. In the user console, the user can define whether this function is desired and in which format this message is to be sent (html/text). NOTICE Queue Report changes will be processed after an engine restart or appliance reboot. 7. For additional configurations, change to the next tab. OK: Saves the settings and closes the Appliance Configuration. CANCEL: Cancels the settings and closes the Appliance Configuration. NOTICE The stated standard values are our recommendations, which you may change at any time. Check your entries from time to time and reduce the times if applicable. ATTENTION After expiration of the set times, the s are deleted irrevocably from the respective queues. The parameters set in "Appliance Configuration Timeserver" are decisive here, above all the set time zone. 77

78 Settings - Advanced Making Advanced Settings Via the Advanced Settings, you can configure the Validator, the diplay period and the dynamic blacklist filter.. Requirement: Opening the Settings. 1. Click on the tab "Advanced" The following fields are displayed: Illustration: Settings Advanced Validator 2. Use built-in profile: If this field is activated, the appliance uses the built-in profile, if a filter profile was not (yet) assigned to the alias, or if licenses are not (or no longer) available. For further details, see chapter Filter Profiles Max. Threads: This value indicates how many validations aredo ne at the same time. The value is permanently assigned and cannot be changed. Default display period 4. Spamfinder list: This value determines how many days the initial list of the spam queue goes back 78

79 into the past. The default value is 30 days. That means, all entries of that queue from the last 30 days are shown. Choose a lower value to accelerate the initial listing of a queue. Use the search function to get listed entries behind that limitation. 5. MailDepot list: This value determines how many days the initial list of the maildepot goes back into the past. The default value is 30 days. That means, all entries of that queue from the last 30 days are shown. Choose a lower value to accelerate the initial listing of a queue. Use the search function to get listed entries behind that limitation. Dynamic IP-Blacklist 6. Enable dynamic IP-Blacklist: If enabled, the gets validated already during the SMTP link connection, if the sending IP address is blacklisted. Hereby all black list servers are used, which are referenced in the RBL filter configuration. If the sending IP address is on a black list, the connection will disconnect immediately. The advantage of this function is, that in case of massive spam attacks the appliance is not even more that under heavy load as before. A requirement for this is, that the mails gets delivered directly and not via your relay. The RBL black list queries are cached and viewable under BLOCKED IP ADDRESSES (SMTP SETTINGS). These entries are valid for 7 days. NOTICE For using the dynamic IP-Blacklist-Function a valid Spamfinder license is required. Detected spam is not queued. If this function is disabled, the mails still can be filtered by the RBL filter during the validation process. 7. OK: Saves the settings and closes the Appliance Configuration. CANCEL: Cancels the settings and closes the Appliance Configuration. 79

80 Settings - BATV Bounce Address Tag Validation Another method to send spam is called bounce address spoofing. Hereby an with a spoofed sending address (e.g. your address) is sent to a mail server with an unknown recipient. The mail server first takes over the mail and proofs the deliverability. If the recipient does not exist, the mails server bounces back the . Due to that the sender had used your address you will get this bounce mail which includes beside the error message the original spam. The BATV-Function proofs an incoming , if a corresponding was sent out before. If not, the mail will not be accepted during the SMTP connection and also will not be queued. NOTICE: The BATV filter does not work properbly anymore together with MS Exchange Server since version 2007 because the Exchange Server do not reply anymore a Message Disposition Notification (MDN, e.g. out-of-office) to the envelope sender address (Mail From) but to the Return Path from the Mail Header, which does no contain a BATV signature at all. At the receiving side (original sender) a Reddoxx will catch this MDN with the BATV filter. 1. Click on the tab "BATV". Following window appears: Illustration: Settings BATV 80

81 Bounce Address tag Validation 2. ENABLE BATV: Activate this checkbox if spoofed bounce mails have to be filtered. A valid spamfinder license is required. 3. BATV ADDRESS EXCEPTIONS: If some local recipients do not get s because they have been described as bounce mails accidentally, (e.g. newsletters oder mails from shop systems) exclude them here in the exception list. Enter that address in the field and click on the button ADD. Delete this entry by marking it and then press the DEL-Key. 4. OK: Saves the settings and closes the Appliance Configuration. Changes are effective immediately. CANCEL: Cancels the settings and closes the Appliance Configuration. NOTICE For using the BATV function a valid Spamfinder license is required. Detected mails are not queued inside the spam queue. Important! Iit is required that all outgoing mails are sent via the REDDOXX appliance Settings - Notification In case of problems e.g. a failed backup or detected hardware failure the appliance can send an to the administrator. You can configure here how the appliance should send that notification. 1. Click on the tab "Notification". Following window appears: 81

82 Illustration: SMTP-Notification SMTP Notification 1. SEND NOTIFICATION: Enable this to activate sending notifications in case of problems. This service is enabled by default. 2. SMTP TARGET HOST: The mail server the appliance sends the notification to. If you do not use a remote SMTP server, the appliance will send a notification via its own engine. In case the appliance will have a problem with its own engine, the notification fails. 3. SMTP TARGET PORT: The mail server TCP port the appliance is connecting to the mail server. 4. USERNAME: The user name the appliance authenticates at the mail server, if required. 5. Password: The password for the user name above, if authentication is required. NOTICE: Especially when running a failover cluster you should activate the SMTP Notification service and provide a SMTP target host to get informed if a node fails. 82

83 Settings - Monitoring The REDDOXX appliance supports system network monitoring based on the Simple Network Management Protocol (SNMP). You can use any kind of monitoring tools unless it supports SNMP. For an example, the administrator can monitor the queue length of the incoming mails and if the value reaches a specified limit (say 500) the monitoring system sends an alert to the admin. Then the admin can for e.g. upgrade the hardware performance so that the mails are processed faster. NOTICE: When running a failover cluster, the failoveradress should be used for snmp monitoring. A direct monitoring of active and passive node would produce errors especially on the passive node. 83

84 SNMP Configuration 1. Click on the tab "Monitoring". Following window appears: Illustration: Monitoring with SNMP SNMP 2. Enable SNMP Monitoring: If activated, you can collect SNMP based monitoring data from the appliance. 3. SNMP community: The authentication string to allow access to the appliance for data collection. System information 4. System location: Some informational data for the monitoring software, were this appliance is located. 5. System contact: Some informational data for the monitoring software, who is responsible for this appliance. 84

85 SNMP Object IDs To monitor the REDDOXX appliance and watch for its values the administrator of the network monitoring system needs the Object-IDs. The Root Object-ID for REDDOXX is The single messure point values (Keys) are addressed via the Object-IDs as listed in the following table. Object-ID Key Description Reddoxx SMTP Server Inbound Connections Reddoxx SMTP Client Outbound Connections Reddoxx Amount of inbound messages received Reddoxx Amount of outbound messages received Reddoxx Amount of bytes received inbound Reddoxx Amount of bytes received outbound Reddoxx Number of active SMTP connections Reddoxx Amount of inbound SMTP-Client connections Reddoxx Amount of outbound SMTPClient connections Reddoxx Amount of inbound messages sent Reddoxx Amount of outbound messages sent enterprises rdxsmtpserverconnectionsin enterprises rdxsmtpserverconnectionsout enterprises rdxsmtpservermsgrecvin enterprises rdxsmtpservermsgrecvout enterprises rdxsmtpserverbytesrecvin enterprises rdxsmtpserverbytesrecvout enterprises rdxsmtpserveractivesessions enterprises rdxsmtpclientconnectionsin enterprises rdxsmtpclientconnectionsout enterprises rdxsmtpclientmsgsentin enterprises rdxsmtpclientmsgsentout enterprises rdxsmtpclientbytessentin Reddoxx Amount of bytes sent inbound enterprises rdxsmtpclientbytessentout Reddoxx Amount of bytes sent outbound enterprises rdxsmtpclientsessions Reddoxx Current number of outgoing SMTP connections enterprises rdxsmtpclientqueuelength Reddoxx Messages to be sent enterprises rdxvalidatorsessions Reddoxx Validation Sessions enterprises rdxvalidatorqueuelength Reddoxx Validation Queue Length enterprises rdxarchivemsgcount Reddoxx Archived Messages enterprises rdxspamfinderrecjects Reddoxx Rejected Messages enterprises rdxspamfindertagmessages Reddoxx Tagged Messages enterprises rdxspamfindercissquarantine Reddoxx CISS Quarantined Messages enterprises rdxspamfinderspamquarantine Reddoxx Quarantined Messages enterprises rdxspamfinderspambounced Reddoxx Bounced Messages enterprises rdxspamfindervirusesdetected Reddoxx Viruses Detection 85

86 enterprises rdxspamfinderbatvhits Reddoxx BATV Filter Drops enterprises rdxspamfinderaddedipblacklistentries Reddoxx IP-Blacklist Entries enterprises rdxspamfinderrecipientverificationhits Reddoxx Rejected Recipient Addresses General Linux-Object-IDs Object-ID Key Description Linux_System_Load.1 1 Minute System Load cpuidletimeinpercent CPU idle time % rdxsmtpservermsgrecvin CPU system time % CPU user time % cpuusertimeinpercent FreeDiskSpaceDataPartition Free Disk Space Data Partition FreeDiskSpaceDataPartitionCluster Free Disk Space Data Partition Cluster UsedDiskSpaceDataPartition Used Disk Space Data Partition UsedDiskSpaceDataPartitionCluster Used Disk Space Data Partition Cluster MIBs and Templates Reddoxx provides a MIB file on its Support Center download page. This MIB file can be imported into different kind of monitoring systems. This helps in saving time for configuring every single key. Furthermore we provide a template for the monitoring system called ZABBIX. This template consists beside the declaration of the keys and object ids already some graphical components (graphs). All keys are configured with the community string public Demo Monitoring System REDDOXX provides a demo monitoring system based on ZABBIX, which monitors the REDDOXX Demo-Appliance. The public access goes via the Demo Center, which is linked in the Support Center. Visit the following internet addresses in the table with your browser. REDDOXX Support Center REDDOXX Demo Center REDDOXX System Monitoring x/ Settings - Log The log files are saved for a specific period of time. 86

87 1. Click on the tab "Log". Following window appears: Illustration: Log options Log options 8. LOG FILE RETENTION TIME: Amount of days the log files will reside at the appliance before they will be deleted. 9. BACKUP BEFORE DELETION: With this option you can force that the log files must have been backed up before they will be deleted. The appliance will use the same remote share as used in the common backup 10. Click on OK to save the settings and close the dialog. 87

88 4.2.4 SMTP Configuration Local Internet Domains Creating new Internet Domains Via the Local Internet Domains, you can create new internal domains for which the REDDOXX Appliance is to receive s. Requirements: Login on the administrator console of the REDDOXX Appliance 1. In the tree view at SMTP Configuration select Local Internet domains. 2. Right-click in the list view. 3. In the selection list, choose the entry Add. 4. Click on the tab "Local Internet domain" The following fields are displayed: Illustration: Local Internet Domains 5. Settings - Domain: Enter the desired Domain for that you want to receive s. 6. Settings - Activate anti-spoofing: Here you can activate or deactivate AntiSpoofing for the respective domain. NOTICE 88

89 To activate AntiSpoofing, the AntiSpoofing filter must be additionally allocated to the respective filter profiles. The function principle and how to edit filters is described in the chapter Filter profiles. 7. REDDOXX Mail Depot Deactivating archiving: If this field is set, no s are archived in the MailDepot. 8. For additional configurations, change to the next tab. LDAP OK: Saves the settings and closes the Appliance Configuration. CANCEL: Cancels the settings and closes the Appliance Configuration. LDAP Settings One of the most essential parts of the REDDOXX filter technology is the recipient check (RVC = Recipient Verify Check). Here you can set whether s are only sent to existing recipient addresses or rejected. For the authentication method, you can select between a company-wide directory service and the local database of the REDDOXX Appliance. Requirements: Select local Internet domains and double-click on the domain to be configured. 1. Click on the tab "LDAP" The following fields are displayed: Illustration: Local Internet domains - LDAP LDAP settings 2. LDAP server: Enter the IP address of the LDAP server. 89

90 NOTICE In addition to the IP address, you can also state a port separated by a colon (example: :3268). If the LDAP server also has a GLOBAL CATALOG server (e.g. Microsoft Domain Controller), we recommend stating this as preference because it responds up to 10 x faster. The default for the Global Catalog is TCP port LDAP type: Enter the LDAP type. Available for selection are: Active Directory, Exchange 5.5, Lotus Notes Domino and OpenLDAP. 4. LDAP Basis: Enter the LDAP basis. Example: dc=company, dc=com 5. LDAP user: Enter the user in UPN format for authentication on the LDAP server. 6. LDAP password: Enter the password for authentication on the LDAP server. Recipient Check 7. Activate Recipient Authentication: If this field is activated, the addresses are checked according to the configured LDAP interface or the locally entered addresses. This way, the REDDOXX Appliance only accepts mails that are listed in the respective directory (Active Directory, Lotus Domino, etc.) or locally. NOTICE After the recipient check was activated, the service "SMTP server" must be restarted on the REDDOXX Appliance. The service is located in the directory tree under "Appliance administration". Further information about the LDAP configuration is available at the REDDOXX Support Center at in the section MANUALS. 8. Test method: You can select either LDAP or LOCAL as test method. Autocreate user: 9. Autocreate user: If this field is activated, users are automatically created upon the first receipt of an . Here the system first checks whether a user is available in LDAP for the address of the recipient. If this user exists in the LDAP, it is automatically created on the Appliance with all assigned addresses. Each address automatically receives the default filter profile in this process. 10. Realm: Select the realm to be used for user authentication. You define the realm in the user administration at "Login configuration". 11. Address collect user: Click on the blue field named disabled. 90

91 Following dialogue appears: Illustration: Local Internet domains User address collection 12. Disable address collection: Empty the checkbox and the selection box User will be released. 13. User: Select a user from the selection list to whom you want assign all aliases, which are not assigned to somebody right now. Especially this is helpful for all public folders and distribution list addresses. Now on all incoming s to a public folder address this alias will be assigned to the selected user. After that the filter profile will be assigned to that alias and the will be validated. The selected user has access to his queues and can maintain the filtered mails. 14. OK: Saves the settings and closes the configuration. CANCEL: Cancels the settings and closes the configuration. CISS Signature This optional signature is attached to the automatic , which the REDDOXX Appliance sends for notification. This signature must be entered separately for each domain. Requirements: Select local Internet domains and double-click on the domain to be configured. 1. Click on the tab "CISS" The following fields are displayed: 91

92 Illustration: Local Internet domains CISS 2. Enter any domain-specific signature. This optional signature is attached to the message text which the REDDOXX Appliance sends to the sender in case of a CISS challenge. It can be entered separately for each domain. NOTICE Also see: For further information about automatically generated s, please refer to the chapter "Notifications". 3. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration Editing Local Internet Domains Proceed as follows to edit an existing Internet domain. Requirements: Internet domain is available in the list view. 1. In the tree view at SMTP Configuration select Local Internet domains. 2. Double-click on the domain to be edited. The configuration window opens. 3. Make the desired changes. 4. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. 92

93 Copy Local Internet Domain Copying a lokal Internet domain will result in a new name that is created with the prefix copy + the provided internet domain. You may adjust this later. Exiting and clicking OK will save the settings Delete Local Internet Domain Proceed as follows to delete an existing Internet domain. Requirements: Internet domain is available in the list view In the tree view at SMTP Configuration select Local Internet domains. Right-click on the list entry to be deleted. In the selection list, choose the entry Delete. Confirm the prompting message with YES to delete the Internet domain. No: Realm is not deleted. * NOTICE INFORMATION ABOUT RECIPIENT AUTHENTICATION With the recipient authentication, the REDDOXX Appliance tries to determine whether the recipient of the mail is being serviced by the internal server, already before forwarding the mail. At present, the following systems are supported for this function: Microsoft Exchange 5.5, Microsoft Exchange 2000 and newer, Lotus Notes Domino Server Configuration: BACKEND EXCHANGE 5.5 TYPE Test method LDAP Server LDAP type LDAP basis LDAP user LDAP password EXCHANGE 2000 LOTUS NOTES OPENLDAP AND NEWER LDAP LDAP LDAP LDAP IP/hostname of the exchange server Exchange 5.5 IP/hostname of a domain controller IP/hostname of a domain controller Lotus Domino IP/hostname of a domain controller OpenLDAP dc=company,dc =com (example) Active Directory dc=company, dc=com (Example) UPN of the LDAP user Password of the LDAP user UPN = User Principal Name e.g. ldap-proxy@company.com The user is used for the Active Directory or Lotus Domino query and must be authorized to read the attributes of the address. 93

94 IMPORTANT Exchange 5.5 Neither the basis nor the user are entered here (anonymous login). addresses must be published in the address book Local Networks Creating new Local Networks Via the local networks you define from which host or networks s may be sent via the REDDOXX Appliance. Requirements: Login on the administrator console of the REDDOXX Appliance 13. In the tree view at SMTP Configuration select Local Networks. 2. Right-click in the list view. 3. In the selection list, choose the entry New. The following fields are displayed: Illustration: Local networks local network 4. Enter the local network or a single host. 5. Single hosts, e.g. the internal mail server, require the mask Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. NOTICE If there is a mail relay or a firewall with an SMTP server service or a POP3 collector service before your REDDOXX Appliance, which receives the s first, this may NOT be listed in the local networks. Edit Local Networks Proceed as follows to edit existing networks. Requirements: Entries are available in the list view. 1. In the tree view at SMTP Configuration select Local Networks. 2. Double-click on the network to be edited. The configuration window opens. 3. Make the desired changes. 4. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. 94

95 Deleting local networks Proceed as follows to delete existing networks. Requirements: Networks are available in the list view. 1. In the tree view at SMTP Configuration select Local Networks. 2. Right-click on the list entry to be deleted. 3. In the selection list, choose the entry Delete. 4. Confirm the prompting message with YES to delete the profile. No: Profile is not deleted. NOTICE Changes to the local networks require the restart of the SMPT server service. The restart of a service is described in this document in Appliance Administration/Services transport Creating new Transport Via the transport, you can define to server the s of the registered domain are to be forwarded. Requirements: Login on the administrator console of the REDDOXX Appliance 1. In the tree view at SMTP Configuration select Transport. 2. Right-click in the list view. 3. In the selection list, choose the entry New. The following fields are displayed: Illustration: transport 4. Enter the desired Domain. 5. Enter the corresponding target server. 6. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. NOTICE If the domain of an is not registered here, the target server is determined via a DNS lookup on the DNS server entered in the configuration. Edit Transport Proceed as follows to edit existing transports. Requirements: transport is available in the list view. 1. In the tree view at SMTP Configuration select Transport. 95

96 2. Double- the transport to be edited. The configuration window opens. 3. Make the desired changes. 4. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Delete Transport Proceed as follows to delete existing networks. Requirements: transports are available in the list view In the tree view at SMTP Configuration select Transport. Right-click on the list entry to be deleted. In the selection list, choose the entry Delete. Confirm the prompting message with YES to delete the profile. No: Profile is not deleted Allowed IP Addresses If a sending mail server is on a black list, but you still want to receive mails from that address, you can add its IP address. Add an allowed IP Address 1. Choose from the navigation tree view under SMTP Configuration Allowed IP-Addresses. 2. Click in the list view the right mouse. 3. Choose ADD from the context menu Following dialogue appears: Illustration: Allowed IP address Enter the network address or a single IP address, which you want to white list Enter the corresponding subnet mask. Enter a date until this entry is valid. After that date this entry will be ignored. Enter a describing reason optionally. OK: save the entry and exit. CANCEL: Reject changes and exit the configuration. NOTICE 96

97 If the dynamic IP Blacklist function is enabled, all allowed IP addresses which matches the sending IP address gets deleted. To avoid this, you must disable the dynamic IP Blacklist function, delete the IP address from the Blocked IP Addresses list, add the IP address under Allowed IP Addresses and restart the SMTP server Blocked IP Addresses To explicitly prohibit the establishment of SMTP connections for IP addresses or complete network sections, you can enter add manually entries here. Furthermore, if the dynamic IP Blacklist function is enabled, all blacklisted mail server IP addresses gets listed here. These automatically inserted entries are valid for 7 days. Creating blocked IP Addresses Requirements: Login on the administrator console of the REDDOXX Appliance 1. In the tree view, select SMTP configuration - Blocked IP addresses. 2. Right-click in the list view. 3. In the selection list, choose the entry Add. The following fields are displayed: Illustration: Blocked IP address Enter the network to be blocked. Enter the corresponding subnet mask. Optionally, you can enter the reason for blocking in the field "Description". OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. 97

98 4.3 Appliance Administration Mail Queues Information about Queues In the queues, the s wait for further processing by the REDDOXX Appliance. Mode of Function Also see: "Information about the services in chapter Services 4.3.6". The Incoming and Outgoing Messages are the basic queues of the REDDOXX Appliance Incoming Mails s accepted by the SMTP server of the REDDOXX Appliance sent internally or externally are temporarily saved in the Incoming Messages queue. Here the REDDOXX Appliance checks the s and places them in the queues Spam, CISS, Virus or Outgoing Messages, depending on the result of the check. You can look for s manually in this queue and delete them. The list view shows the ID, the time received, the sender and the recipient, the size of the s, the forwarding time as well as the result of the s. Sorting via attributes is also possible here Outgoing Mails All s sent internally or externally by the SMTP client of the REDDOXX Appliance are placed in the queue Outgoing Messages. For further information, see Incoming queues. Searching for s You can search for s in the respective queues. Restrictions: None, searching for s is possible in all queues Select with a double- in the tree view Mail queues or Spamfinder queues. Select the desired queue. In the menu view, click on the icon with the magnifying glass. The following fields are displayed above the list: 5. In Search term, Sender and Recipient enter the data you know. 98

99 6. Sorting via attributes is also possible here. To do so, click on the column header. Another reverses the direction. 7. Search to start the search. Deleting s You can delete s in the respective queues. Restrictions: None. Deleting s is possible in all queues. 1. In the tree view, select Queues with a double-. 2. Select the desired queue. 3. Right-click on the to be deleted. 4. In the selection list, choose the entry Delete. 5. Confirm the prompting message with YES to delete the profile. No: Profile is not deleted User Administration Information about User Administration In the user administration, you can manage users, local addresses, the login configuration as well as groups and policies Users In the column USER, you can add, edit, delete, search and import users, as well as assign or revoke licenses and change the password. The list view offers the following data at a glance: o List with names of the created users o Primary address o Realm o Spamfinder licenses o MailDepot licenses o MailSealer licenses 99

100 Illustration: User administration - users Adding Users 1. In the selection list, choose the entry Add. The following fields are displayed: Illustration: User Administration User data 2. Enter the desired user name. 3. Enter a password. 4. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Edit Users Proceed as follows to import an existing user. 1. Double-click on the user to be edited. The configuration window opens. 2. Make the desired changes. 3. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. 100

101 Delete Users Proceed as follows to delete an existing user. 1. Right-click on the user to be deleted. 2. In the selection list, choose the entry Delete. 3. Confirm the prompt with Yes to delete the selected user. No: User is not deleted. Adjusting the Password To change the password of a user do the following steps. 1. Right-click on a user from the selection list. 2. Choose the option: Set Password. The following windows appears: Illustration: User administration Adjusting the Password 3. Insert the new password. 4. Confirm the new password. 5. Click on OK. The new password is set and the dialogue is closed. Select cancel if you do not wish to change the password. Assign License To assign a license to a user, do the following: 1. Mark in the selection list one or more user, click right and choose Assign License. The following window appears: Illustration: User administration Assign License 101

102 2. Select from the drop down list the option Spamfinder license or Archive license and click OK. The license is assigned and the window gets closed. This change is immediately effective without a restart. Remove License To remove a license from a user, do the same steps as before, but select in the context menu remove license. You can also use multi user selection. NOTICE Licenses get automatically assigned if the Spamfinder or the MailDepot is used inside the user console. Since version 1021 all licenses gets validated. If licenses have been assigned versions before, it may happen that you run out of valid licenses after a firmware version update. You will get an error message showing Invalid license count or no valid license. (See also the FAQ). Here you can remove already assigned licenses. Import User Proceed as follows to import a user from a list. 4. Right-click in the list view. 5. In the selection list, choose the entry User import. The following window appears: Illustration: User administration user import 6. In the menu Import, select the option Read user from file. 7. Select the import file and click on Open. Then the following list appears. Illustration: User administration user import - Import list NOTICE 102

103 The import file must have the following structure: User name,password,realm, address1, addressn If you do not see any user on the list, check out this constrains: - Fields must be separated by a comma. - All fields must not be empty. (Even not the password!). - User must be unique. 8. In the menu Import, select save user. The following dialog appears: Illustration: User administration user import - filter selection 9. Select the realm and the profile to be used for the users to be imported. 10. Once the users were successfully imported, you can close the window. The users appear in the list view Groups Groups are required to control user policies. One or several users are assigned to a group. In the list view, you see the columns Group name and Description. You can add, edit and delete groups. Illustration: User administration groups Adding Groups 103

104 1. In the selection list, choose the entry Add. The following dialog appears: Illustration: User administration add groups 2. Enter a group name. 3. Enter a description. 4. Click on ADD to assign users to this group.the following dialog appears 104

105 Illustration: User administration add users to groups 5. Select one or several users from the list. 6. Click on OK to apply the user group assignment. 7. Now Click on OK to establish the group. Edit Group 1. Double-click on the group to be edited. 2. Make the desired changes. 3. Click on OK. Delete Group 1. Right-click on the group to be deleted. 2. In the selection list, choose the entry Delete. Confirm the prompt with Yes to delete the selected group. No: The group is not deleted. 105

106 Aliases aliases are assigned to a user. You can add, edit or delete aliases, change the filter profile and deactivate archiving for several aliases at the same time. In the list view, you see the columns address, filter profile, user and disable archiving. Illustration: User administration - aliases Adding Aliases 1. In the selection list, choose the entry Add. The following fields are displayed: Illustration: User administration - add alias Enter the desired address. Select the user allowed to manage this address. Select the desired filter profile. activate the checkbox Disable archiving if you want to avoid archiving those s 6. Now Click on OK to create the alias. Editing Aliases 1. Double- the address to be edited. 106

107 The following dialog appears: Illustration: User Administration - address User: You can assign another user to the alias. Profile: Choose another profile if necessary. Disable archiving: enable this checkbox if all s to this alias are not archived Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Deleting Aliases 1. Right-click on the alias to be deleted. 2. In the selection list, choose the entry Delete. 3. Confirm the prompting message with YES to delete the selected address. No: The alias is not deleted. Changing Filter Profiles 1. Mark all addresses for which you want to change the filter profile simultaneously. 2. Click on the list selection (right). The following dialog opens: Illustration: User administration changing filter profiles 3. Select the desired filter profile. 4. OK: All previously selected aliases receive the newly entered filter profile. 107

108 Create certificates Requirement: The REDDOXX CA Root-Certificate must exist. 1. Mark all aliases for which you want to create a certificate. 2. Right-click on the selection. Following context menu is displayed: 3. Choose Create certificate. You can watch the live log viewer for whom a certificate was created. Already existing certificates gets overwritten Realm The Realm defines, which user database is used to authenticate the users. You can define several realms to enable users to login from different systems. The standard realm "local" uses the local user database of the REDDOXX Appliance. It cannot be changed or deleted. You can add, edit and delete realms. In the list view, you see the columns Name and Authentication type. Illustration: User administration realm 108

109 Creating a new Realm Illustration: User Administration - Realm 1. Enter the realm name. 2. Via the selection list, select the authentication type. The authentication type "local" refers to the local user database of the REDDOXX Appliance. 3. Enter the authentication server. The following are supported: local, Windows2000, Windows2003, Netware5, Netware6 Active Directory, Lotus Domino, and OpenLDAP. 4. Enter the TCP port. The default port for LDAP is 389. You must enter a valid value here. 5. If desired, activate the option Secure transmission SSL. Please note that the default port for LDAP via SSL is Enter the active directory domain. 7. Enter the BaseDN. 8. Importing addresses If necessary, activate the option Import addresses in order to match the addresses for the user with the authentication server at each login. 9. Setting primary addresses If necessary, activate the option Set primary address in order to match the primary addresses for the user with the authentication server at each login. 13. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Edit Realm 109

110 1. Double- Click on the REALM to be edited. The configuration window opens. 2. Make the desired changes. 3. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Delete Realm 1. Right-click on the realm to be deleted. 2. In the selection list, choose the entry Delete. 3. Confirm the prompt with YES to delete the selected realm. No: Realm is not deleted. NOTICE INFORMATION ABOUT REALMS The Realm defines, which user database is used to authenticate the users. 110

111 The following table indicates the supported systems and the respective function scope: LDAP SERVER USER AUTHENTICATION RECIPIENT CHECK USER AUTO CREATION ADDRESS IMPORT Microsoft Active Directory with Exchange Yes yes yes yes Exchange 5.5 No yes no no Lotus Notes Domino 6+ Yes yes² yes yes² Novell edirectory Yes no no no OpenLDAP Yes yes yes yes ² The following restrictions apply for Lotus Notes Domino: Only the following addresses are rated as valid: - Internet address - Shortname/UserID - User name The stated addresses must be clear in Lotus Domino! Double entries lead to the rejection of the mail! With Shortname/UserID, you can skip the Internet domain. Then all Internet domains defined in the Domino server are accepted. When importing during user login, at first only the Internet address is created as alias in the REDDOXX Appliance. The additional addresses are then generated upon receipt. 111

112 Configuration: WINDOWS 2000 Authentication type Authentication server TCP port Secure transmission Active Directory Domain BaseDN Authentication server TCP port Secure transmission Active Directory Domain BaseDN NETWARE 5.X NETWARE 6.X Windows Windows 2003 Netware 5 Netware IP/hostname of a Windows IP/hostname of a Netware server domain controller with LDAP service TCP port of the LDAP service, standard: 389 OR for Secure LDAP: 636 Activate Secure LDAP here if your system supports Secure LDAP. AD domain e.g. company.com Not required dc=company, dc=com LOTUS DOMINO Authentication type WINDOWS OPENLDAP e.g. o=context OPENEXCHANGE Windows Windows 2003 OXAE 2000 IP/hostname of the server with LDAP service 389 / SecureLDAP 636 Activate Secure LDAP here if your system supports Secure LDAP. o=reddoxx,dc=company, dc=com NOTICE For LDAP linkup to Novell Netware, it must be possible to read the following user attributes with an anonymous LDAP bind: dn, cn, objectclass. Further LDAP settings are available at the REDDOXX Support Center at - Manuals 112

113 Policies Group Policies Illustration: User administration policies Function Overview and Terminology The policies help you to create rules that define the function scope of the user console. Rules are always applies on groups. This is why you must have already assigned users to groups (see chapter ). The policies define whether select functions are allowed or prohibited for one or several groups. Examples: - Add/delete white list entries - Delete s from queues A policy contains so-called rule sets, a summary of individual functions to an umbrella term. Rule Sets The following rule sets are available: - General rules - Spamfinder rules - Spamfinder filter list rules - MailDepot rules - MailSealer rules - Deputy groups A rule set can have 3 different statuses: 1. Not configured 2. Deactivated 3. Activated 113

114 To 1.) This set of rules is not evaluated. It is ignored in this policy. The status of the individual functions remain unchanged. To 2.) All functions of this rule set are deactivated. The following policies are no longer considered for this rule set. To 3.) The functions of the rule set are considered individually. The following policies are no longer considered for this rule set. Operation Sequence If there are no policies yet or if all rule sets are not configured, the default of the options applies initially and no deputies are defined. When a user logs on to the user console, all available policies are processed in sequence from top to bottom. If a user is included in the group that was assigned to the policy, the rule set is no longer considered on the following policies, unless the rule set previously had the status not configured. You can set the sequence of the policies via the context menu (higher, lower). Configuration of the Rule Sets 1. Open the window for processing the configuration by right-clicking on a policy in the tree menu. The following window appears: The following window appears: Illustration: Policy configuration 114

115 2. Select the desired rules set and activate it. 3. Select the option you wish to activate. Group Assignment 4. Assign this policy to a group. NOTICE Policies only always apply for the users contained in the user groups stated here. Illustration: Policy configuration 5. The checkbox Apply policy to all users assigns this policy to all users. This omits the configuration and administration of a group containing all users. Input Section Apply Policy to: 6. ADD adds a group from a group selection list (see chapter ). The rule set of this policy is applied to users contained in this group. 7. DELETE removes a marked group from this policy. Input Section Reject Policy to: ADD adds a group to the group exemption list. The rule set of this policy is NOT applied to users contained in this group. 8. Click on OK to save the settings. NOTICE Example: A rule set of a policy applies to all users (Apply policy to all users) with the exception of the group of administrators (reject Policy for). 115

116 116

117 Deputies A peculiarity of the rule sets is the deputy group rule set. Here, the administrator can assign deputies for users on holiday, for example. This gives the deputy access to the s of the user he is supposed to substitute. In the rule set Deputy groups, you define, which addresses can be deputized. NOTICE Deputy groups merely serve for clarity and are not connected to the user groups. In the user group assignment of the policy, you define who may represent this address (deputy groups). Configuration of the Deputy Groups Illustration: Deputy Configuration 1. Right-click on the deputy groups. 2. Select Add deputy group. 3. Assign a name to the new deputy group. With a right mouse click on the new deputy group, you can: 3.1 Delete deputy group again. 3.2 Renaming the deputy group. 3.3 Adding a deputy address. By right-clicking on the address, you can delete it from the group again. NOTICE - EXCEPTION TO OTHER RULE SETS The list of all addresses a user may represent is compiled from ALL policies for the user group the user is assigned to. 117

118 4.3.3 Notification Information about Notifications Via Notifications, you can edit the standard texts of the s sent in the respective situation. The following standard texts can be configured: CISS Address verification Virus warning to the administrator Virus warning to the recipient Virus warning to the sender Edit CISS Notifications With CISS notifications, you can adapt the language, the subject and the content of the . Restrictions: None. 4. Select Messages in the tree view. 5. In the list view, right-click on 'CISS'. 6. In the selection list, choose the entry Edit. The following fields are displayed: Illustration: CISS Message 118

119 4. Via the selection list, select the desired language. The standard setting contains the text in German and English. 5. Activate the option Field to activate the language. 6. Change the at wish. NOTICE The texts with the percent signs are wildcards and may not be changed or deleted. 7. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. CISS Message Wildcards: WILDCARD EXPLANATION %SUBJECT% %CHALLENGE_URL% Subject of the received URL to the REDDOXX portal Edit Messages for Address Verification With address verification messages, you can adapt the subject and the content of the . Restrictions: None. 1. Select Messages in the tree view. 2. In the list view, right-click on 'Address Verification'. 3. In the selection list, choose the entry Edit. The following fields are displayed: Illustration: Message for address verification 4. Change the at wish. NOTICE 119

120 The texts in percent signs are wildcards. 5. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Wildcards for Address Verification Messages: WILDCARD EXPLANATION %VerifyMail% %VerifyID% address to be verified ID (number) that has to be entered for verification of the address. Edit Virus Alarm Messages With virus alarm messages, you can adapt the subject and the content of the . You can send these messages to the administrator, the recipient and the sender. Restrictions: None. 1. Select Messages in the tree view. 2. In the list view, right-click on 'Virus alarm to administrator'. 3. In the selection list, choose the entry Edit. The following fields are displayed: Illustration: Virus alarm message to the administrator 4. Change the at wish. NOTICE 120

121 The texts in percent signs are wildcards. 5. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. NOTICE Proceed the same way with messages to the recipient and the sender. Wildcards for virus alarm messages: WILDCARD EXPLANATION %VIRUSNAME% %SENDER% %RECIPIENTS% %SUBJECT% Name of the detected virus Sender of the Recipient of the subject 121

122 4.3.4 Logs The REDDOXX Appliance generates a log file for each day. These are displayed in the list view Logs in the menu tree. These have the following file name format: Appliance-yyyy-mm-dd_HH:MM.log (yyyy=year, mm=month, dd=day, HH=hour, MM=minute). If the log exceeds a file size of 50 MB, a new log file is generated. The logs can be displayed and analyzed with a special log analysis. There are the following options to analyze logs: Entire log in the viewer Filter acc. to process ID Smart Filter Save log in local system Entire Log To view the log of a specific day with the viewer, click on "Logs" in the tree view and then double-click on the desired log in the list. The following log viewer appears: 122

123 Illustration: Log view Process ID It is possible to filter the log information of a certain process. To do so, you have to select a specific Process ID in the viewer. The Process ID is indicated by square brackets. Smart Filter Due to the fact that it is often desired to filter the progress of an associated action, e.g. the mail flow of an , but this passes through different processes, you can filter the process with the help of the Smart ID. The Smart ID is enclosed in round brackets. Function of the Filtering Process (Process/Smart) 1. In the Log Viewer, right-click on a desired ID (Smart or Process ID). The following menu appears: 123

124 2. Select the desired filter type. 3. Now the Log Viewer only displays the corresponding data. 4. To deactivate filtering, right-click on the option "Delete filters" Filtering the live log With version 1025 now you can filter the live log. Right click in the log window. Following context menu appears: Illustration: Live log filtering Set filter Illustration: Live log filtering settings Process: Enter a filter pattern. The pattern is case insensitive. Available filter items are: ABL-Filter, AWL-Filter, Advanced-RBL-Filter, AntiSpoofing, Archive, AutoWLAdjustment, Backup, Bayes, Bayes-Filter, Bounc , CISS, CleanUp, Cleanup, ControlServer, DBLFilter, DWL-Filter, Fuzzy-Filter, FuzzyStore, RBL-Filter, RVC-Filter, Report, SBL-Filter, 124

125 SMTPClient, SMTPServer, SRC-Filter, SWL-Filter, SendMail, Stats, System, Validator, VirusScanner, permanently Log text: Insert a log text you want to filer for in the column Log. Smart Filter: As in Log Viewer described. Filter process ID: As in Log Viewer described Sessions Information about Sessions Via the sessions, you can view all users logged into the REDDOXX Appliance. Illustration: Sessions Services Overview Via the services administration, you can view and control the individual services. 125

126 Illustration: Services Mail Flow The following diagram shows the mail flow of an Mail reception (SMTP server) - validation (Validator) - delivery (SMTP client): Illustration: Mail flow diagram SMTP Server Service The SMTP server receives s from other servers and saves the s in the queue "Incoming Messages". The phase 1 filters are checked before the mails are accepted SMTP Client Service The SMTP Client Service sends s waiting for forwarding in the queue "Outgoing Messages" Control Server Service The Control Server services the connections of the administrator consoles as well as of the user console and serves to configure and administer the REDDOXX Appliance. 126

127 Message Validation Service The Message Validation Service checks all s in the queue "Incoming Messages". Here the s are checked with the phase 2 filters and for viruses. Depending on the result of the verification, the s are then moved to one of the following queues: viruses, spam or CISS Task Scheduler Service The Task Scheduler Service starts cyclic processes, e.g. the cleanup of the queues and the update of spam and virus patterns Portal Communication Service The Portal Communication Service processes s sent by the REDDOXX portal, e.g. CISS. By encoding or decoding the s, it takes care of safe communication with the REDDOXX portal Remote Support Service The REDDOXX Remote Support Service enables better remote maintenance for the REDDOXX support without you having to change your firewall rules. The REDDOXX Remote Support Service is always deactivated and should only be started after consulting a REDDOXX support member Starting, Stopping and Restarting Services Start Service Via Services, you can start a service that is not running. Requirements: Current status 'false'. 1. Select Services in the tree view. 2. Right-click on the service to be started. 3. In the selection list, choose the entry Start. End Service Via Services, you can stop a running service. Requirements: Current status 'true'. 1. Select Services in the tree view. 2. Right-click on the service to be stopped. 3. In the selection list, choose the entry Stop. 127

128 Restart Service Via Services, you can restart a running service. Requirements: Current status 'true'. 1. Select Services in the tree view. 2. Right-click on the service you want to restart. 3. In the selection list, choose the entry Restart. 128

129 4.4 REDDOXX Spamfinder In the Spamfinder section, you make the presets for managing filter settings and the spam queues Spamfinder Queues You will find s that were not sent yet in one of the following queues. In all queues, you can send or delete one of the mails listed there by right-clicking. To sort the list entries, click on the desired column header. Another reverses the sorting direction. The content of an cannot be viewed due to legal regulations. Also keep in mind that s, which you cannot find here, are already in the outgoing queue. Spam queue s listed in the Spam queue were classified as spam by the REDDOXX Appliance. In the 7th column "Filter", you see which anti-spam filter kicked in. NOTICE The is only listed in the spam queue if the action "QUARANTENE" is set for the filter. CISS Queue s whose senders are still unknown to the Spamfinder (=> not yet entered in the address or domain white list), are set to the CISS queue with activated CISS filter. NOTICE Make sure that OVERSTEERING of the negative filter CISS is activated for the filters AWL and DWL. For more details about the CISS filter technology, refer to the chapter Filter - CISS. Viruses and prohibited File Extensions s with viruses in attachments or attachments with prohibited file extensions are sent to the virus queue. Zipped file extensions are also checked for viruses if they are not encrypted. NOTICE Only the administrator can view and manage the virus queue. The queues can be searched and deleted. Also see: "Appliance Administration - Mail Queues". 129

130 Send You can send s to the recipient in the respective queues. Restrictions: forwarding is only possible in the queues Spam, CISS and Viruses. 1. In the tree view, select Queues with a double-click. 2. Select the desired queue. 3. Right-click on the to be sent. 4. In the selection list, choose the entry Send. Send (White list) In the respective queues, you can send s to the recipient and enter him in the White list at the same time. Restrictions: forwarding is only possible in the queues Spam and CISS. 1. In the tree view, select Queues with a double-click. 2. Select the desired queue. 3. Right-click on the to be sent. 4. In the selection list, choose the entry Send (white list). Sorting s In the respective queues, you can sort s via the column head in the list view. Requirement: s available in the list. 1. In the tree view, select Queues with a double-click. 2. Select the desired queue. 3. Double-click on the column head according to which you wish to sort your s. Sorting takes place alphabetically. 130

131 4.4.2 Filters Information about Filters Contrary to concentrating on what's not desired, the REDDOXX Appliance filters out the s the user wants to receive. Therefore the technology is based on the most modern and innovative filter techniques. The sequence of different filter technologies can be configured individually and also be made available individually to the users via different profiles. How s are filtered Illustration: Filter scheme 131

132 White list Filters Whitelists are so-called friendly lists, and inasmuch as certain criteria are fulfilled, the s are forwarded directly without delay. These lists vary from individual addresses up to general domain addresses. They may contain individual IP addresses or IP address ranges or simply certain subject contents that classify an as "desired". In the REDDOXX Spamfinder, these lists were implemented as follows: AWL: Addresses White list DWL: Domain White list NWL: Network White list SWL: Subject White list These filter lists are available to all users of a system on a general basis but also for individual users in order to perfect the accuracy of the REDDOXX Spamfinder. White list Auto-Add Adjustment The Whitelists are automatically supplemented as soon as a user sends an . This happens so that the answers to these s are classified as "desired" and therefore forwarded. NOTICE To use the auto white list function, the outgoing mail traffic must also be routed via the REDDOXX Appliance Blacklist Filters s from certain domains, IP ranges, addresses or with certain subject content can be filtered out by the integrated Blacklist technologies. The administrator can create these lists company-wide and users can additionally maintain them. However, the Blacklist filters of the REDDOXX Spamfinder are also based on external, public lists. A general problem of these filter techniques is the risk of wrong detection (socalled false positives). The integrated user quarantine function of the REDDOXX Spamfinder reduces the risk of false-positives, because each user has the possibility to access his quarantine section and make sure that it does not contain s, which don't belong there. This also reduces the administrators' efforts to look for important s among the spam. The Blacklist filters integrated in the REDDOXX Spamfinder are: ABL (address blacklist): Checking the sender's address against an address blacklist maintained in the REDDOXX Spamfinder DBL (domain blacklist): Checking the sender's domain against an address blacklist maintained in the REDDOXX Spamfinder NBL (network blacklist): Checking the IP address of a sending server against a network blacklist maintained in the REDDOXX Spamfinder. SBL (subject blacklist): Checking the 's subject line against a subject blacklist maintained in the REDDOXX Spamfinder 132

133 On the basis of external servers, the following filters are also available: RBL (Realtime blacklist): Realtime check of the sending mail server against public blacklist servers. Dynamic IP-Blacklist: While establishing a SMTP Connection for a new mail, the senders IP Address is checked with the RBL Blacklist Server that are provided in RBL Filter. If the senders IP Address is Blacklisted, the Connection is terminated. This results in a performance gain for spam attacks. This Szenario needs the mails to receive directly and not through a relay. Blacklist Addresses are saved for 7 Days under Appliance Configuration->SMTP Settings-> Blocked IP Addresses. ARBL (advanced Realtime blacklist): The advanced Realtime blacklist filter checks the last mail server in the mail flow, meaning the one who sends the to the Spamfinder. If you obtain your s via an own relay, this must be excluded in the configuration. Fuzzy filter: Filter developed by REDDOXX, which compares the content of the with already identified spam mails. Port UDP outgoing is required. The Fuzzy works fine, if the logfile shows a result behind the given tests: Fuzzy-Filter (64B44D65FB1) phase 1 (ex) 3248ms result: Major=clean Minor=normal Fallback=clean Virus= SRC (sender receive check): The sender receive check filter is used to determine whether an is sent from an existing account. This account would then in turn accept a response to the corresponding . If not, the SRC filter kicks in. In order to prevent that s without a valid sender, e.g. some newsletters or order systems, are not delivered by accident, we recommend setting the filter action with the SRC to MARK. In addition, you can maintain your desired newsletters in the Whitelists. Antispoofing: The Filter checks, if sender and recipient mailaddresses are from different networks but belong to the same domain. This would be a spoofing attack with faked senderdomain and is filtered when antispoofing is enabled Content Filters SWL: Subject White list, SBL: Subject Blacklist and Bayes Filter Content filters like the Bayes Filter are adapted to each user and also adapt to changes in spam. In order to detect s as spam, these filters use Bayesian check sums to check the words and sentences of an with respect to their frequency for spam probability. Previous s serve as comparison (spam and desired mails). The architecture of the REDDOXX Spamfinder's content filters refers to the CISS method, which first takes over the information of the content filters into the database when the CISS was passed successfully Global Filters Antivirus Filter 133

134 As a comprehensive security system for s, the REDDOXX Spamfinder Appliance also contains an integrated virus protection for your server. In order to highlight the quality standards of the filters, we use ClamAV which is open source software. RVC: Recipient Verify Check The RVC filter already checks upon acceptance of the (SMTP server dialog), whether the recipient address is known at all on the target system. If not, receipt is already denied during the send attempt. This prevents spam attacks on non-existent mailboxes without impairing the performance of your servers. The acknowledgement is: 550 Recipient not accepted (Unknown recipient: <xxxx@domain.tld>) CISS The Innovation of the REDDOXX Spamfinder Appliance is called CISS CISS (Confirmation Interactive Site Server), is a unique, several stage control process, which ensures the permanent exchange of wanted mails between sender and recipient. Stage 1: receipt, check for viruses through anti-spam filter and temporary saving. Dispatch of a response to the sender with the request for authentication at the stated link. Stage 2: Request to perform a certain action on the Internet page, which can only be performed by a person, not by spam robots. Stage 3: Feedback from the portal to the REDDOXX Spamfinder about the successful authorization and automatic forwarding of the to the recipient. How does CISS work? 134

135 Illustration: CISS diagram Known sender sends 1. A customer or business partner sends you an The REDDOXX Appliance checks this with respect to viruses, worms, Trojans and of course, also whether this is a spam mail. 3. After this check, the is forwarded to you immediately. Unknown sender sends 1. An unknown person writes you an The REDDOXX Appliance checks this with respect to viruses, worms, Trojans and of course, also whether this is a spam mail. Because the sender is unknown, the is saved temporarily. The Spamfinder generates an to the sender with the request for the one-off authentication at the stated link. 3. On this Internet page, the sender is asked to perform a certain action, e.g. click on a certain part of an image. 4. Such actions can only be performed by persons and not automatically. 5. This action generates a reply to the REDDOXX Appliance about the successful authentication of the sender. 6. The saved is directly sent to you and now there is nothing in the way of your new business transaction! Filter Settings You can configure the individual filters via the filter configuration. 135

136 Illustration: Navigation Tree Filter settings Common Filter Configuration In the tree view, double-click on Filters - Filter settings. The following fields are displayed: Illustration: Common filter settings 1. Disable non-delivery report: Usually a NDR report sends back an to inform the sender about that issue. Tricky spammers use this method to transport spam. Disable this option, if you do NOT want to inform a sending mail server that an was classified as Spam. This also prevents floating your outgoing mail queue with undeliverable NDRs. This Option refers exclusively to the filter action Reject. More informations about filter actions are available in chapter

137 Realtime Blacklist Filter Configuration The Realtime Blacklist Filter is a DNS Blacklist Filter. The Advanced Realtime Blacklist Filter is an Extended DNS Blacklist Filter. You can configure the Advanced Realtime Blacklist Filter as follows. Change to the TAB RBL-Filters The following fields are displayed: Illustration: Filter configuration - Realtime Blacklist Filter Enter a blacklist which the corresponding filter is supposed to query. With the button Add, add the blacklist to the list. With the button Add, add the relays you trust within your mail flow. You can obtain the name of the relay e.g. from the header of a mail (e.g. mail.company.net). Illustration: Header of an 4. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration Auto White list Adjustment Configuration 137

138 This filter adds the recipient of the outgoing s to the sender's Address White list. 1. Select the tab Auto white list adjustment. The following fields are displayed: Illustration: Filter configuration Auto white list adjustment 3. If required, activate this filter. 4. Enter the desired validity in days. NOTICE Whitelists should be valid for at least 90 days. 5. To prevent that the sender address of a spam sender is entered in the white list due to an automatic response of your mailbox, you can deny the white listing of any subjects, e.g. holiday, absence (out of office), etc. To do so, enter a part or the entire subject into the subject exclusion field. This setting applies globally for all users. NOTICE The recipient of the outgoing s cannot be configured for AutoResponder; use the exception function for this purpose. 6. With the button ADD, add the exception to the list. With the button DEL, you can delete any exception already entered again. 7. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration Virus Scanner Configuration 138

139 In the configuration of the virus scanner, you can set to whom the notifications are sent. Here you can also state file extensions for attachments that are not allowed to pass. Restrictions: Only the Virus Scanner can be configured the following way. 2. Select the tab Virus scanner. The following fields are displayed: Illustration: Filter configuration Virus Scanner 3. Activate the target person(s) that are supposed to receive a notification (Administrator, Sender, Received). 4. Denied File extension: Enter the file extension to be blocked (e.g..exe ) and click on Add. Please make sure that the entry of the file extension starts with a dot.. 5. Check archives: Enable this option if denied file extensions should be blocked also in archive( e.g. ZIP) files. 6. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration CISS Filter Configuration With the CISS filter configuration, you can set the validity of the white list in days and the maximum challenges per sender. Challenges are the attempts of the sender to 139

140 send an to the recipient for the x-th time (here: 3 times) without receiving a response from the recipient. Restrictions: Only the CISS Filter can be configured the following way. 1. Select the tab CISS filter. The following fields are displayed: Illustration: Filter configuration CISS Filter 3. State the desired validity of the CISS Filter white list in days. The default value is 365 days. 4. Enter the maximum challenges per sender. The default is Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. 140

141 Bayes Filter In the Bayes filter configuration, you can delete the Bayes database and activate/deactivate the automatic training of the filter. NOTE The use of Bayes Filter is not recommended anymore, as the Fuzzy Filter is more efficient and accurate without consuming high cpu load. 1. Select the tab Bayes filter. The following fields are displayed: Illustration: Filter configuration Bayes filter 2. The status contains the number of mails that serve as basis for the Bayes filter. The system distinguishes between spam and undesired mails. The physical size of these mails is additionally displayed in the database. 3. Activate automatic training: Before you apply the Bayes filter, you should train it for approx. 1 week first. In doing so, the filter learns which mails are desired or undesired by using Whitelists and blacklists and constructs its database accordingly using the contents. For details about the functioning of the Bayes filter, see the chapter "Filter settings". 4. Emptying the Bayes database: Due to initial configuration errors of the REDDOXX Appliance or wrong entries in the blacklists and Whitelists, it may happen that the Bayes filter classifies contents as SPAM and takes them over into its database and therefore reports 141

142 desired mails as spam or does not detect undesired s. In this case, you should check the configuration of the REDDOXX and the blacklists/whitelists. Then you can empty the database and re-establish it (= training). NOTICE After one week of training the Bayes filter, both values for the spam s or the number of desired mails should show positive figures. The larger the two values are, the more exact the filter is going to work. Should the database become too large at one point (depends on the hardware equipment of your REDDOXX Appliance), this may impair the processing speed. In such a case, you can empty the database and retrain it. You should first train the filter before you using as an active filter Fuzzy-Filter The Fuzzy Filter mostly works full automatically. Only when sending massively s like newsletters (=bulk), it can results in so called False Positives. 1. Choose the tab Fuzzy Filter. Following fields are displayed: Illustration: Filter configuration - Fuzzy Filter 2. Disable bulk detection: Enable this checkbox if massively s (e.g. newsletters) were detected as spam by accident. 3. Disable dangerous attachment detection: Disable this option, if some attachments are detected as false postives. In some cases we noticed that attached java script code was filtered. 142

143 Filter Profiles The core of the Spamfinder is its filter profiles. Here you can enter filter rules according to your spam frequency. You can also create new profiles, change available profiles, copy and also delete them. Here you define which filters are allocated to a profile and which profiles are to be available to the user for selection. Both the administrator as well as the user (if authorized) can add filter profiles to aliases. Illustration: Filter Profiles Pre-defined Filter Profiles The REDDOXX has 4 pre-defined filter profiles. In the basic configuration, they always contain the positive filters DWL, AWL and SWL. Default Filter Profile Initially, the default profile contains the filters FUZZY, RBL, ARBL, DBL, ABL, SBL, SRC. With automatic user and alias creation, the default profile is always assigned first. Set this profile in such a way that it meets the requirements of most users in your company. The automatic alias generation with automatic assignment to the default filter profile significantly reduces the administration extent. Quarantine Filter Profile Initially, the quarantine profile contains the filters FUZZY, RBL, ARBL, DBL, ABL, SBL, SRC and BAYES. You can adapt this profile in such a way that it corresponds to the requirements deviating from the default profile. The actions of most of these filters are set to quarantine. Bayes and SRC are set to "Mark". Strong Filter Profile The strong filter profile contains the filters FUZZY, RBL, ARBL, DBL, ABL, SBL, SRC and CISS. This profile is intended for users that want an immediate and reliable spam protection. This is ensured by the CISS filter. 143

144 Built-In Profile The built-in profile is used if no filter profile was assigned to the alias yet. Prerequisite is the general activation of the profile (see chapter ). It cannot be changed. It signals the administrator that the REDDOXX is in operation but not sufficiently configured, or that there are generally no licenses or not for this user. The built-in profile only contains the filters RBL, ARBL and FUZZY. Detected SPAM s are marked with the tag [REDDOXX Spamfinder]. A deviating tag is not possible. Creating a new Filter Profile Requirement: None. 1. Select Filter Profiles in the tree view. 2. Right-click in the list view. 3. In the selection list, choose the entry Add. The following fields are displayed: Illustration: Filter profiles Tab "General" NOTICE The profile name is displayed alphabetically in the list view. You can define your own sorting sequence by prefixing numbers or group codes. 4. Enter the name of the profile in the profile options. 144

145 5. Activate the option Available to user, if you also want to make the filter profile available to the users. Then the users can select this filter profile for their addresses in the user console. 6. Import or export filter profiles, if applicable. Export your desired filter profiles to be able to import it to another REDDOXX Appliance (e.g. at a subsidiary). Filters Different filters can be selected and compiled according to priority. Requirement: None. 1. Click on the tab "Filter" The following fields are displayed: Illustration: Filter profiles Tab "Filter" 2. Positive filter -Selected: All active positive filters are listed in the field Selected. You can change the sequence of the filters with the vertical arrows. To do so, mark the desired filter and click on the corresponding button. You can change the sequence of the filters with the vertical arrows. Sequence: from top to bottom, top first. 145

146 3. Positive filter -available: All available positive filters are listed in the field Available. Via the horizontal arrows, you can add the available filters to the list of selected filters and vice versa. To do so, mark the desired filter and click on the corresponding button. You can change the sequence of the filters with the vertical arrows. Sequence: from top to bottom, top first. 4. Negative Filters: The same as for the positive filters (point 2-3) applies for the fields "Selected" and "Available". In addition, you can assign 3 different actions to the individual negative filters. To assign or change an action, double-click on a filter. The following window appears: Illustration: Filter profiles Tab "Filter" action 5. Tag: A tag is a text that is prefixed to an in the subject field if the desired action MARK is selected. Other actions do not change the subject. 6. Action: In this selection list, you can choose between 3 actions: 1. Mark: Marks the in the subject field with the entered tag. The tag is prefixed to the subject and the is sent. 2. Quarantine: The is shifted to the protected quarantine directory and not sent to the recipient. All s in quarantine are located in the Spamfinder queues. 3. Reject: The is rejected and not sent to the recipient. The sender receives a bounce . NOTICE If several negative filters kick in, the action with the strongest weighting is triggered. Weighting sequence: MARK (light) - QUARANTINE (medium) - REJECT (strong). With the anti-spoofing filter, make sure that the marking is not set to REJECT. Otherwise a bounce is generated that may be sent to you because your address was stated as sender. Filter Sequence The filter sequence is defined by the performance relevance and the false positive rate of the filter. The selected negative filters are applied from top to bottom. If the action REJECT is triggered with a filter, no other filters are processed: 146

147 FILTERS ACTION Anti-spoofing Fuzzy RBL Advanced RBL SBL ABL DBL SRC CISS Quarantine Quarantine Quarantine Quarantine Mark Mark Mark Mark Quarantine Illustration: Recommended filter sequence Overriding Filters If expressively desired s (white list entry) are to be forwarded without further checking for SPAM relevance, the negative filters must be override by the respective positive filters (DWL, AWL, SWL). The ANTISPOOFING filter is an exception here. Requirement: None. 1. Select Filter Profiles in the tree view. 2. Right-click on a profile in the list view. 3. Click on the tab "Override" The following fields are displayed: 147

148 Illustration: Filter profiles Tab "Override" 4. Select, which positive filters overrides the negative filters. If a negative filter is overridden by a positive filter, the negative filter no longer has any relevance. NOTICE Especially with the CISS filter, the AWL filter MUST overrides the negative filter CISS, otherwise the CISS challenge is generated each time. 5. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Edit Filter Profile Here you can edit already created filter profiles. Requirement: Created filter profile is available. 1. Select Filter Profiles in the tree view. 2. Right-click on the filter profile to be deleted. 3. In the selection list, choose the entry Edit. 4. Make the desired changes. 5. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Copy Filter Profile Here you can copy already created filter profiles. 148

149 Requirement: Created filter profile is available Select Filter Profiles in the tree view. Right-click on the filter profile to be copied. In the selection list, choose the entry Copy. Double-click on the filter profile with the addition (copy). In the profile options, enter the name of the new filter profile. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Delete Filt er Profile Here you can delete already created filter profiles. Requirement: Created filter profile is available Select Filter Profiles in the tree view. Right-click on the filter profile to be deleted. In the selection list, choose the entry Delete. Confirm the prompting message with YES to delete the profile. No: Profile is not deleted Blocking and Admitting Blocking and Admitting (Blacklists and Whitelists) The following points apply for all lists described below: - Global or user-related: The settings for the black and Whitelists in the administrator console apply globally, meaning for all users. If there are applicable black/white list entries for the user as well, these take precedence over the global settings. Therefore it may be that a global block is on REJECT, but the user has set the block to MARK. Fact is: The user always wins! The following applies for all blacklists: The action selected for a block applies. The setting in the filter profile itself is of no relevance. - Validity date: Make sure to select a valid date in the future, otherwise the entry will not apply. At present, there are no progress reports. The default date is TODAY days. - Large/Small Caps: addresses, domain names and subject lines are not case sensitive. - Umlauts: Umlauts in subject lines are supported since version NOTICE IP-based blacklists are located in "SMTP settings - Blocked IP addresses. These apply system-wide and are profile-neutral. 149

150 Creating a new DWL Domain White list You can create new Domain Whitelists via the filter lists. Requirement: None. 1. In the tree view, select Blocking and admitting - DWL domain white list. 2. Right-click in the list view. 3. In the selection list, choose the entry New. The following fields are displayed: Illustration: Blocking and admitting - DWL domain white list 4. Enter a Domain. 5. State the validity period of the filter. Click on the calendar page if you need a calendar for the date selection. 6. If required, enter a comment to this filter. 7. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Creating a new DBL Domain Blacklist You can create new Domain Blacklists via the filter lists. Requirement: None. 1. In the tree view, select Blocking and admitting - DBL domain blacklist. 2. Right-click in the list view. 150

151 3. In the selection list, choose the entry New. The following fields are displayed: Illustration: Blocking and admitting - DBL domain blacklist 4. Enter a Domain. 5. State the validity period of the filter. Click on the calendar page if you need a calendar for the date selection. 6. Select the action for the filter via the selection list. The possible settings are mark, quarantine and reject. 7. If required, enter a comment to this filter. 8. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Creating a new AWL Address White list You can create new Address Whitelists via the filter lists. Requirement: None. 1. In the tree view, select Blocking and admitting - AWL address white list. 2. Right-click in the list view. 3. In the selection list, choose the entry New. The following fields are displayed: Illustration: Blocking and admitting - AWL address white list 4. Enter the desired address. 5. State the validity period of the filter. Click on the calendar page if you need a calendar for the date selection. 151

152 6. If required, enter a comment to this filter. 7. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Importing AWL Address White list Serves to import addresses to the address white list: 1. In the tree view, select Block and Accept - AWL address white list. 2. Right-click in the list view. 3. In the selection list, choose the entry Import addresses. The following fields are displayed: Illustration: Blocking and admitting - AWL address import 14. Select "Read addresses from file". 15. Select the file to be imported in the dialog field - File selection. Format: one address per line. The address must be valid (@ sign). The line must be terminated with a CR line feed, also the last line. Invalid addresses, e.g. comments, are skipped. The following list is displayed: Illustration: Blocking and admitting - AWL address import list 152

153 16. Select in the menu Import - Save addresses". Now the addresses are imported to the white list. You receive a control message stating how many addresses were imported. Creating a new ABL Address Blacklist You can create new address blacklists via the filter lists. Requirement: None. 10. In the tree view, select Blocking and admitting - ABL address blacklist. 11. Right-click in the list view. 12. In the selection list, choose the entry New. The following fields are displayed: Illustration: Blocking and admitting - ABL address blacklist 13. Enter the desired address. 14. State the validity period of the filter. Click on the calendar page if you need a calendar for the date selection. 15. Select the action for the filter via the selection list. The possible settings are mark, quarantine and reject. 16. If required, enter a comment to this filter. 17. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Create a new SWL Subject White list You can create new Subject Whitelists via the filter lists. Requirement: None. 1. In the tree view, select Blocking and admitting - SWL subject white list. 2. Right-click in the list view. 3. In the selection list, choose the entry New. The following fields are displayed: 153

154 Illustration: Blocking and admitting - SWL subject white list 4. Enter a character string. 5. State the validity period of the filter. The default is: Today days. Click on the selection list Valid until if you require a calendar for selecting the date. 6. If required, enter a comment to this filter. 7. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Creating a new SBL Subject Blacklist You can create new Subject Blacklists via the filter lists. Requirement: None. 1. In the tree view, select Blocking and admitting - SBL subject blacklist. 2. Right-click in the list view. 3. In the selection list, choose the entry New. The following fields are displayed: Illustration: Blocking and admitting - SBL subject blacklist 4. Enter a character string. 5. State the validity period of the filter. The default is: Today days. Click on the selection list Valid until if you require a calendar for selecting the date. 154

155 6. Select the action for the filter via the selection list. The possible settings are mark, quarantine and reject. 7. If required, enter a comment to this filter. 8. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Edit Filters Proceed as follows to edit an existing filter. Requirements: Filter is available in the list view. 1. In the tree view at Block and admit, select the respective filter list. 2. Double-click on the filter to be edited. The configuration window opens. 3. Make the desired changes. 4. Click on OK to save the configuration and exit. CANCEL: Reject changes and exit the configuration. Delete Filter Proceed as follows to delete an existing filter. Requirements: Filter is available in the list view. 1. In the tree view at Block and Accept, select the respective filter list. 2. Right-click on the filter to be deleted. 3. In the selection list, choose the entry Delete. 4. Confirm the prompting message with YES to delete the Internet domain. No: Realm is not deleted. 4.5 REDDOXX MailDepot The Reddoxx MailDepot was removed from this chapter. You will find the new MailDepot 2.0 (starting with appliance version 2027) inside the chapter 5 155

156 4.6 REDDOXX MailSealer Overview With the MailSealer you can sign and encrypt s for sending. Here you can chose between two different methods divided into 2 product groups. The MailSealer Light encrypts on the basis of a passphrase (symmetric). The MailSealer encrypts and signs according to S/MIME or PGP (PGP is not yet supported by the REDDOXX Appliance) on the basis of X509v3 certificates or key pairs (asymmetric) Ad hoc encryption with MailSealer Light This stands for a quick and easy encryption with a passphrase in the subject line without configuration efforts. To send an encrypted once, enter your passphrase in the subject line. The passphrase is delimited by previously defined characters. The default is (*.*). Application example: Illustration: Subject with statement of a passphrase for ad-hoc encryption with MailSealer Light Upon sending, the first reaches the REDDOXX and is encrypted with the passphrase here. The passphrase is removed from the subject line in this process and the text MailSealer: is prefixed to the subject. Then the is sent. The recipient receives the following notice in the message text: 156

157 Illustration: notice of an encrypted mail The encrypted is enclosed as attachment message.rdxmsl. When double-clicking on the attachment, the reader opens and demands the passphrase. Illustration: MailSealer Light Reader: Entering the passphrase After successful entry, the reader displays the encrypted in plain text. 157

158 Illustration: View of a decoded in the MailSealer Light reader NOTICE If the recipient receives an encrypted mail from REDDOXX for the first time, he must download the MailSealer Light READER once from the stated hyperlink and link this program with the file extension.rdxmsl Permanent encryption with MailSealer Light With permanent encryption, the user deposits the passphrase for each address to which he wants to send encrypted s in the user console. The mail is then sent the same way as with the ad hoc method. Illustration: Passphrase setting in the user console 158

159 Illustration: Passphrase setting in the user console MailSealer Light Gateways This stands for an automatic encryption and decoding of s on the basis of passphrases. If the user also has a REDDOXX Appliance, he can deposit the passphrase for decoding the s in the user console. The is automatically decoded when received and placed in the mailbox. This procedure is totally transparent and does not require any user interaction Asymmetric encryption with PGP keys and S/MIME Asymmetric encryption uses the so-called public key method. Each user (sender) has a unique, clearly allocated pair of keys consisting of a private key and a public key. The mails to the recipient are encrypted with the public key of the recipient and can then only be decoded by the recipient with his private key. Prerequisite is that the public keys are exchanged prior to the first encryption. This is usually done by sending a signed . The policies of the REDDOXX Appliance determine when an is signed or encrypted as well Encryption with PGP keys With the PGP method, the sender can generate the PGP key pairs himself or have them assigned by a corporate-wide public key infrastructure (PKI). However, the REDDOXX Appliance does not yet support the PGP method (Pretty Good Privacy). Instead, use the S/MIME method (see below) Encryption with S/MIME certificates A certificate confirms that the sender of an (ender address in the header) is identical with the address of the certificate. S/MIME certificates (X.509v.3) are usually personal and issued by a trustworthy certificate authority, abbrev. CA. Certificates are available from commercial providers (e.g.: VeriSign, Thawte, CaCert, etc.). After receipt of the certificate, this must be imported to the private certificate memory of the REDDOXX Appliance. However, the REDDOXX Appliance can also generate the certificates for its users automatically if you generate your own, self-signed) root CA certificate. Your partner 159

160 accepts this by saving your self-signed root certificate in his certificate memory for authorities (certificate authorities) Encryption with gateway certificates (S/MIME) With S/MIME gateway certificates (also called company or domain certificates), the is encrypted on a gateway (in this case the REDDOXX Appliance) for all users of this domain with one single certificate. The other side (recipient) then only compares the sender domain of the certificate with the actual sender domain of the , which makes the sender trustworthy if both of them match. The advantage is that you only have to obtain and administer one certificate per domain. It may be of disadvantage if the communication partners do not (yet) comprehend the mail gateway certificates technology. Then the signature is displayed as being invalid Configuration of the MailSealer Illustration: Navigation tree REDDOXX MailSealer Configuration General settings 1. Select the tab "General settings". The following dialogue appears: 160

161 Illustration: MailSealer - general settings 2. Activate the check boxes of the encryption method you would like to use. If both of them are active, the MailSealer first checks whether a corresponding policy is in effect. If yes, the MailSealer Light is no longer executed. The only exception is if the policy has no signature and no encryption activated. 3. Terminate the dialogue with OK. All changes are valid immediately. MailSealer 1. Select the tab "MailSealer". The following dialogue opens: 161

162 Illustration: Mail Sealer - configuration of the MailSealer Certificate settings: 2. Standard validity of the certificate: Validity period of an automatically generated certificate in days (see the following section). The standard value 365 corresponds to exactly one year. 3. Automatic certificate generation: If the REDDOXX CA (certificate authority) is set up, each sender address requiring a certificate automatically receives a certificate upon sending. In this case, the certificate authority (issuer) is your REDDOXX Appliance. The communication partner ( recipient) must trust your REDDOXX root certificate in this case. He does this by importing your selfsigned REDDOXX root certificate into his certificate memory for certificate authorities and sets this to TRUSTED. The advantage of the self-issuing authority is that it is not necessary to obtain commercial certificates for all addresses. All you have to ensure is that your communication partner imports your root certificate. You can simplify this procedure by offering him to download the root certificate via your company homepage. You can prove your identity to your partner with an S/MIME certificate of your web server. 4. Collecting certificates: The public keys of all incoming s are saved in the certificate memory for public keys. This avoids the manual importing of public keys. If an partner already has a public key, it is possible to send him encrypted mails. (Prerequisite is that the sender has an own certificate or key pair). 5. Collecting non-trustworthy certificates: With incoming mails, the certificate may be classified as invalid if the issuer of the certificate is not (yet) available in the certificate memory (certificate 162

163 authorities). By retrospectively entering this root certificate, all certificates previously classified as invalid receive the status valid. However, if this checkmark is not set, no invalid public keys are saved. 6. Activating OCSP: Status query for certificates via the Online Certificate Status Protocol. Each time a certificate is used, its validity is checked online. Due to the fact that only very few issuers offer this service reliably so far, we recommend not using this function yet (status: March 2008), as this would lead to substantial time delays (due to the timeouts of the service provider). 7. Activating CRLs: Requesting the validity of certificates. Usually, certificate issuers offer so-called Certificate Revocation Lists. This allows the issuer of a certificate to mark the certificate as invalid prior to its expiration, e.g. in case of detected misuse. The REDDOXX Appliance checks the CRLs once a day. Signature settings: 8. Plain text signature: If this check mark is set, the signature is added as separate MIME part to the . This way, the can be read with any mail client, even if the mail client does not support S/MIME. The disadvantage is that intermediate mail gateways may modify the mail, e.g. with line breaks or additional text signatures. This makes the signature invalid. If the check mark is not set, the entire mail is Base64 encrypted together with the signature. Only S/MIME-capable mail clients can read the . The advantage is that the coded mail can no longer be modified by intermediate gateways. NOTICE If you cannot ascertain that all your communication partners use an S/MIMEcapable mail client, you should use clear text signatures. 9. Signing prior to encryption: If this checkmark is set, the mail is signed prior to encryption. The advantage here is that the signature cannot be detected using so-called man-in-the-middle attacks. If the check mark is not set, the is signed after encryption. Advantage: Even without a key, the recipient can clearly tell who sent the mail by means of the signature and that it has not been modified. He may install his private key retrospectively and then decode the . Encryption settings 10. Insert sender key: Normally, the is encrypted with the public key of the recipient. Upon 163

164 sending, the is saved in the mail depot if this option was activated. If the sender wants to receive this mail once again later on, the Appliance would not be able to decode the once again without this alternative encryption (with the sender's public key). 11. Finalize the dialogue with OK. All entries are valid immediately. MailSealer Light 1. Select the tab "MailSealer Light". The following dialogue appears: Illustration: REDDOXX MailSealer Light configuration Subject tags for encryption sets 2. Opening tag Enter a character string here, which you use to mark the start of a passphrase in the subject line. 3. Closing tag Enter a character string here, which you use to mark the end of a passphrase in the subject line. 164

165 4. Click Ok to finish the configuration All entries are valid immediately. Advanced 1. Select the tab "Advanced". The following dialogue appears: Illustration: REDDOXX MailSealer Light Advanced configuration 2. Signature method: SHA1 (Secure Hash Algorithm) MD5 (Message-Digest Algorithm 5) Encryption settings 3. Encryption algorithm DES (symmetric encryption algorithm Data Encryption Standard) 3DES (Triple Data Encryption Standard) AES (Advanced Encryption Standard in different key lengths) 4. Click Ok to finish the configuration All entries are valid immediately Policies With policies you can define when an is to be encrypted and/or signed. 165

166 1. In the menu bar on top, click on the plus icon dialogue opens: to create a new policy. The following Illustration: REDDOXX MailSealer - Policies outgoing direction General: 2. Direction: You can define policies for incoming and outgoing mails or deactivate an already existing policy. The following points apply for outgoing mails. 3. Comment: Try to assign the new policy a clear comment. This is displayed in the policy list and serves for differentiation from other policies. In the log you can check whether this policy was applied. 166

167 4. Sender addresses: Enter the sender addresses for which this policy is to apply. "*" stands for "all". You can also use the asterisk (*) for part of the address. Example: 5. Recipient addresses: Enter the recipient addresses for which this policy is to apply. Use the asterisk (*) as explained in point 4. Settings Signature: 6. Force signature: The must be signed in all cases. If there is no signature (public key) for the sender, the is not sent but bounced back to the sender. 7. Sign if possible: If a signature (public key) is available, the is sent with signature. Otherwise it is sent without signature. The sender is not informed in this case. 8. Do not sign: The is sent without signature. Gateway certificate: 9. No gateway certificate A gateway certificate is not used. Alternative certificate If the sender does not have an own certificate, the gateway certificate is used. Gateway certificate requested: Only the gateway certificate is used. 10. Address for gateway certificate Enter the address from the gateway certificate here. 167

168 Illustration: Gateway certificate Encryption: 11. Force encryption: The must be encrypted for all recipients. If encryption is not possible for one or more recipients (e.g. no public key available), the is not send at all but bounced back to the sender. 12. Encrypt if possible send partially with notification (bounce): The is supposed to be sent encrypted. If this is not possible for some recipients, the is not send to them and the sender gets notified. Recipients with a successful encryption receives the encrypted. 13. Encrypt if possible otherwise send in plain text without notification The is supposed to be sent encrypted. If this is not possible for some recipients, the is sent unencrypted, in plain text, to them. Recipients with a successful encryption receives the encrypted. The sender is not informed in this case. 14. Do not encrypt: The is send unencrypted. 168

169 The following points apply for incoming mails. Illustration: Navigation tree REDDOXX MailSealer - Policies incoming direction General: 1. Direction: You can define policies for incoming and outgoing mails or deactivate an already existing policy. The following points apply for incoming mails. 2. Force this policy Activate this checkbox if you want to enforce the execution of this policy in case of several applicable policies. All other policies are then no longer considered. 3. Comment: Try to assign the new policy a clear comment. This is displayed in the policy list and serves for differentiation from other policies. In the log you can check whether this policy was applied. 169

170 4. Sender addresses: Enter the sender addresses for which this policy is to apply. "*" stands for "all". You can also use the asterisk (*) for part of the address. Example: 5. Recipient addresses: Enter the recipient addresses for which this policy is to apply. Use the asterisk (*) as explained in point 4. Settings 6. Forward message unchanged: Example: The is not supposed to be encrypted via the REDDOXX gateway, but instead directly at the client. The is therefore forwarded unchanged. 7. Reject if signature is invalid: If the signature was changed in the process, the e-mal is not accepted but bounced back to the sender. NOTICE The following link shows a table about the processing of the MailSealer policies in detail with all possible combinations of the supplied options

171 Certificates Illustration: REDDOXX MailSealer certificates Private certificates Here you can add, delete, edit, export or change the trust status of private certificates. Illustration: REDDOXX MailSealer certificates - private certificates The following context menu appears for selection when right-clicking on a certificate: Add private certificate 171

172 1. In the menu bar on top, click on the plus icon or right-click in the list view to add a new private certificate. The following dialogue opens: Illustration: MailSealer - add private certificate 2. Select the private certificate to be added and click on "Open". After successful adding, the certificate appears in the list. NOTICE Only the two file formats PEM and PFX are currently supported. 3. Enter the password for the private key. Illustration: Entering the password when adding a private certificate. Editing and exporting private certificates 1. The certificate information is displayed in a new dialogue window when selecting "Edit" in the context menu or double-clicking on the private certificate. 172

173 Illustration: Certification information 2. Exporting private key: Set the check mark if you also want to export the private key. If the check mark is not set, only the public key is exported. 3. Exporting: The dialogue for exporting the private certificate opens when clicking on the button "Export". 173

174 Illustration: Exporting a private certificate 4. Select a file name t be used for the export of the certificate and click on "Save". NOTICE If you also want to export the private key, select one of the two file formats PEM or PFX. At present, the format CER is not supported with private keys. 5. Enter the password for the private key. If someone accesses the files, this prevents the unauthorized import of the private key. Illustration: Entering the password when exporting a private certificate. NOTICE You must select a password when exporting a private key. Otherwise you will receive an error message when importing to another REDDOXX Appliance and the import is cancelled. 174

175 Illustration: Entering the password when exporting a private certificate. The following confirmation appears upon successful export. NOTICE All already available certificates files are overwritten without prior notice! Deleting private certificates 1. Mark the certificate you wish to delete. Multiple selections are possible. The following prompt for confirmation appears when selecting "Delete" in the context menu or by pressing DEL. Illustration: Prompt for confirmation when deleting a private certificate. 2. By confirming this prompt with "yes", you delete the certificates. Deletion is effective immediately. Revoking private certificates This function is only active if the certificate was issued by the inherent REDDOXX CA (confirmation authority). This allows you to block (revoke) an already issued certificate. 1. Right-click on the certificate and select "revoke". Illustration: Prompt for confirmation when revoking a private certificate. 2. By confirming this prompt with "yes", you block the certificates. Blocking is effective immediately. Press F5 to update the display. Now the status REVOKED is displayed. 175

176 Illustration: Status display after revoking (blocking) a private certificate. Validating private certificates Upon adding, the private certificate is checked for its validity. In addition, it is checked each time it is used for incoming or outgoing mails. The following subjects are checked: - Validity period of the private certificate (is defined upon issuing). - Is the certificate on the revocation list (CRL)? - Is there a valid issuer's certificate in the certificate authority memory? If the issuer's certificate is missing, obtain this and add it to the certificate authority memory. Then select the private certificate which you would like to have checked again and click on "validate". NOTICE You can usually obtain the certificate of an issuer on their homepage to download. Example: Private certificates - trust status Possible settings are: Normal: The certificate is checked for validity/trustworthiness. Trustworthy: The certificate is not checked. It is trustworthy. Not trustworthy: The certificate is not checked. It is not trustworthy Public certificates Here you can add, delete, edit, export or change the trust status of public certificates. If the function for automatic collection of public certificates is activated (see MailSealer configuration 4.6), you will see the already collected certificates here as well. Illustration: REDDOXX MailSealer public certificates The following context menu appears for selection when right-clicking on a certificate: 176

177 Add public certificates 1. In the menu bar on top, click on the plus icon or right-click in the list view to add a new public certificate. The following dialogue opens: Illustration: MailSealer - add public certificate 2. Select the public certificate to be added and click on "Open". After successful adding, the certificate appears in the list. Editing and exporting public certificates 1. The certificate information is displayed in a new dialogue window when selecting "Edit" in the context menu or double-clicking on the public certificate. 177

178 Illustration: Certification information 2. Export private key: Is not possible with public keys and therefore deactivated. 3. Exporting: The dialogue for exporting the public certificate opens when clicking on the button "Export". 178

179 Illustration: Exporting a public certificate 4. Select a file name t be used for the export of the certificate and click on "Save". NOTICE All already available certificates files are overwritten without prior notice! Deleting public certificates 1. Mark the certificate you wish to delete. Multiple selections are possible. The following prompt for confirmation appears when selecting "Delete" in the context menu or by pressing DEL. Illustration: Prompt for confirmation when deleting a public certificate. 2. By confirming this prompt with "yes", you delete the certificates. Deletion is effective immediately. 179

180 Revoking public certificates This function is only active if the certificate was issued by the inherent REDDOXX CA (confirmation authority). This allows you to block (revoke) an already issued certificate. 1. Right-click on the certificate and select "revoke". Illustration: Prompt for confirmation when revoking a public certificate. 2. By confirming this prompt with "yes", you block the certificates. Blocking is effective immediately. Press F5 to update the display. Now the status REVOKED is displayed. Illustration: Status display after revoking (blocking) a public certificate. Validating public certificates Upon adding, the public certificate is checked for its validity. In addition, it is checked each time it is used for incoming or outgoing mails. The following subjects are checked: - Validity period of the public certificate (is defined upon issuing). - Is the certificate on the issuer's revocation list (CRL)? - Is there a valid issuer's certificate in the certificate authority memory? If the issuer's certificate is missing, obtain this and add it to the certificate authority memory. Then select the public certificate which you would like to have checked again and click on "validate". NOTICE You can usually obtain the certificate of an issuer on their homepage to download. Example: Public certificates - trust status Possible settings are: Normal: The certificate is checked for validity/trustworthiness. Trustworthy: The certificate is not checked. It is trustworthy. Not trustworthy: The certificate is not checked. It is not trustworthy. 180

181 Certificate authorities Certificate authorities, also called issuers, issue certificates. There are commercial and cost-free issuers. Certificate authorities need a so-called root certificate to issue certificates. Certificates always refer to an issuer. When checking the validity of a certificate, all issuers in the issue chain are checked upwards. Reddoxx already has the most common certificate authorities installed. However, you have to set the trust status of the root certificate to "Normal" yourself if you trust this issuer. NOTICE The already installed root certificates are set to "not trustworthy" by default. Change the status to "Normal" if you trust an issuer. Multiple selections are possible. Adding a certificate authority 1. In the menu bar on top, click on the plus icon or right-click in the list view to add a new root certificate. The following dialogue opens: Illustration: Adding a root certificate (certificate authority) 2. Select the desired certificate and click on "Open". The certificate is added and displayed in the list. Editing and exporting certificate authorities 1. The certificate information is displayed in a new dialogue window when selecting "Edit" in the context menu or double-clicking on the root certificate. 181

182 Illustration: Certification information 2. Export private key: Is not possible here and therefore deactivated. 3. Export: The dialogue for exporting the root certificate opens when clicking on the button "Export". 182

183 Illustration: Exporting a root certificate 4. Select a file name t be used for the export of the certificate and click on "Save". NOTICE All already available certificates files are overwritten without prior notice! Deleing root certificates 1. Mark the certificate you wish to delete. Multiple selections are possible. The following prompt for confirmation appears when selecting "Delete" in the context menu or by pressing DEL. Illustration: Prompt for confirmation when deleting a root certificate. 2. By confirming this prompt with "yes", you delete the certificates. Deletion is effective immediately. 183

184 Revoking root certificates This function is only active if the certificate was issued by the inherent REDDOXX CA (confirmation authority). This allows you to block (revoke) an already issued certificate. 3. Right-click on the certificate and select "revoke". Illustration: Prompt for confirmation when revoking a root certificate. 4. By confirming this prompt with "yes", you block the certificates. Blocking is effective immediately. Press F5 to update the display. Now the status REVOKED is displayed. Illustration: Status display after revoking (blocking) a root certificate. Validating root certificates Upon adding, the root certificate is checked for its validity. It is also checked each time a mail is received or sent when used for checking the certificates issued by this certificate authority. The following subjects are checked: - Validity period of the root certificate (is defined upon issuing). NOTICE You can usually obtain the root certificate of an issuer on their homepage for download. Example: Root certificates - trust status Possible settings are: Normal: The certificate is checked for validity/trustworthiness. Trustworthy: The certificate is not checked. It is trustworthy. Not trustworthy: The certificate is not checked. It is not trustworthy REDDOXX CA With the inherent REDDOXX certificate authority (CA), you can issue certificates yourself for your aliases or have them created automatically by the Appliance on demand. The advantage is that you save the costs for purchasing certificates as well as for administration. The disadvantage is that the mail recipient must have imported your root certificate once to recognize the validity of your certificates. 184

185 Illustration: MailSealer REDDOXX CA navigation tree TIP To make it easier for your communication partner to exchange your root certificate, you can provide your root certificate on one of your web servers for download. It would be best if your web server is equipped with an SSL certificate, so that your communication partner can trust the root certificate he wants to download there. Creating a REDDOXX root certificate 1. When clicking on "REDDOXX CA" in the navigation tree of the MailSealer, the Appliance checks whether a root certificate is already available. The root certificate is deposited in the certificate authorities. So please do not mistake this with the REDDOXX CA list. This list contains the personal certificates issued with the root certificate. 2. If no root certificate is available yet, the following dialogue appears: Click on "yes" to proceed with the certificate wizard. Illustration: MailSealer REDDOXX CA root certificate generation dialogue The dialogue for the selection of an inherent REDDOXX root (CA) certificate appears. You can chose between a self-signed certificate and a purchased certificate, which you can upload here. 185

186 Illustration: MailSealer REDDOXX CA root certificate generation dialogue Creating a self-signed root (CA) certificate 3. Select "Generate a self-signed certificate for your REDDOXX CA" and click on "Next". The following dialogue appears: 186

187 Illustration: MailSealer REDDOXX CA wizard for the root certificate step 1 4. Public key algorithm and hash type: MD5 with RSA: Message Digest Algorithm 5 as hash function and key exchange with RSA according to Rivest, Shamir and Adleman. SHA1 with RSA: Secure Hash Algorithm and RSA from key exchange procedure. The default setting is: SHA1 with RSA 5. Public key length (bits): Bit length of the public key. The standard is Select between 1024 and 2048 bit. NOTICE The longer the key, the more computation-intensive (performance) is the cryptographic processing (signing and encryption). The longer the key, the higher is the security level. 6. Click on "NEXT" to access the next input mask. 187

188 Subject parameters: - certificate properties These fields only have a descriptive form and no other function. They serve for information purposes and to verify whether the owner of this certificate can be trusted. Illustration: MailSealer REDDOXX CA wizard for the root certificate step 2 1. Common name: Country: etc.) 4. State or province: 5. Locality: 6. Organization: 7. Organization unit: Name of the certificate General address of the company 2-character country code (DE, US, GB, FR, ES, CH, AT, State, federal state or canton. Examples: BW, Baden Württemberg, California, Uri City, locality Organization, unit, subsidiary Unit, department 8. Click on "NEXT" to access the next input mask or on "BACK" to return to the previous input mask. 188

189 Validity period The fields "from" and "to" state the validity period of the root certificate. This period is checked when processing an in which a personal certificate issued by this root certificate is used. Illustration: MailSealer REDDOXX CA wizard for the root certificate step 3 1. From: Start of the validity period 2. To: End of the validity period 3. Click on "NEXT" to access the next input mask or on "BACK" to return to the previous input mask. 4. Certificate generation. The certificate is generated by clicking on "GENERATE". This takes a moment (usually a few seconds). 189

190 Illustration: MailSealer generation of the root certificate Uploading the root (CA) certificate 3. Uploading own certificate for your REDDOXX CA: If you have purchased a CA (root) certificate, you can upload this on your REDDOXX. To do so, select the corresponding checkbox and click on "LOAD". The following dialogue appears: 190

191 Illustration: MailSealer REDDOXX CA load root certificate - file selection 4. Select the desired root certificate and click on "Open". The following dialogue appears: 5. Enter the password for the private key and click on "OK". The following dialogue appears with the confirmation that the certificate was successfully generated (entered). 191

192 Adding self-signed personal certificates 1. In the menu bar on top, click on the plus icon or right-click in the list view, then select "Add" to add a new certificate. The following dialogue opens: Illustration: MailSealer REDDOXX CA generate certificate step 1 2. Select public key algorithm: You have the following selection options: RSA: DSA: DH : Encryption system according to Rivest, Shamir and Adleman. Digital Signature Algorithm. NSA signature method. Key exchange method according to Diffie-Hellman. The default setting is: RSA 3. Public key length (bits): Bit length of the public key. The standard is Select between 1024, 2048 and 4096 bit. NOTICE The longer the key, the more computation-intensive (performance) is the cryptographic processing (signing and encryption). The longer the key, the higher is the security level. 192

193 4. Click on "NEXT" to access the next input mask. Subject parameters - certificate properties These fields only have a descriptive form and no other function. They serve for information purposes and to verify whether the owner of this certificate can be trusted. Illustration: MailSealer REDDOXX CA generate certificate subject parameter - step 2 1. Common name: Country: AU, etc.) 4. State or province: 5. Locality: 6. Organization: 7. Organization unit: Name of the certificate General address of the company 2-character country code (DE, US, GB, FR, ES, CH, AT, GR, State, federal state or canton. Examples: BW, Baden Württemberg, California, Uri City, locality Organization, unit, subsidiary Unit, department 8. Click on "NEXT" to access the next input mask or on "BACK" to return to the previous input mask. Validity period: The fields "from" and "to" state the validity period of the root certificate. This period is checked when processing an in which a personal certificate issued by this root certificate is used. 193

194 Illustration: MailSealer REDDOXX CA certificate wizard - validity period - step 3 1. From: 2. To: Start of the validity period End of the validity period 3. Click on "NEXT" to access the next input mask or on "BACK" to return to the previous input mask. 194

195 4. Certificate generation. The certificate is generated by clicking on "GENERATE". This takes a moment (usually a few seconds). Illustration: MailSealer Generation of a self-signed certificate After successful generation of the certificate, the certificate appears in the list view. Illustration: MailSealer list view of a self-signed certificate Functions in the context menu The functions of the context menu are the same as those of the private and public certificates as described in chapter The function "Revoke" (block) is now possible for self-created certificates in the REDDOXX CA. 195

196 Illustration: MailSealer context menu of a self-signed certificate Exporting REDDOXX CA certificates In order to enable your communication partners to accept your self-created (self-signed) certificates as valid, you must provide them with your root (CA) certificate. The public key in the certificate is sufficient here. You only export the private key if you want to transfer this root certificate to another Appliance to ensure that the personal certificates previously issued with this root certificate remain valid. 1. In the context menu of the list view, select the item "Export REDDOXX CA certificate" or click on the icon further up in the menu bar. The further procedure is identical to the export of a common root certificate as described in chapter

197 The Appliance Manager 5 The Appliance Manager A new administration console has been developed with the release of firmware version The new console will be referred to as the Appliance Manager and is available for download in our download center on the REDDOXX Support web page. The program runs under the name rdxadmin2.exe. The previous administration console has also been redesigned. Download the newest versions at: The Appliance Manager encompasses the following capabilities: - Administration of the external data storage mediums (Local / USB, NFS-, CIFS-, iscsi Storages) - Configuring the security of the data on the appliance - Management of MailDepot Diagnose Center (System, Consistency, Cluster, Network, Hardware, Performance, Health, Services, System Utility NOTICE The new REDDOXX console communicates with the appliance through TCP Port 80. Make sure the communication to the appliance is open, especially if the appliance is found in a DMZ. Also check for possible limitations on the Firewall. 5.1 Logon Start the Appliance Manager and logon to the appliance using the Administrator credentials. 197

198 The Appliance Manager 1. Appliances found After starting the Appliance Manager, the program searches for REDDOXX appliances connected to the local network and lists them in this field. By double-clicking on the correct appliance, the hostname will now be chosen. 2. Hostname The hostname or the IP Address of the appliance of which you would like to logon. 3. Enable SSL By activating this option, the connection from the Appliance Manager to the appliance will be encoded via SSL (HTTPS Port 443). Otherwise, an unsecure connection will be made through Standard HTTP Port Username The preset username is sf-admin. This name cannot be changed. 5. Password Enter the password for the Application Manager in this field. Default is admin.. 6. Realm Choose the realm Local in this field. 7. Language Choose the language you would like to use on the Appliance Manager. You can choose between German, English, Italian, or Dutch. 8. Save password This option is not available and is deactivated. 9. Now click on Logon to finish the logon process. Next you will see the home page with the navigation tree of the Appliance Manager. 198

199 The Appliance Manager 5.2 Home Page After successfully logging on, you will see the home page of the Appliance Manager. Here you will have an overview of the current status of the REDDOXX appliance. The home page is divided into different fields, detailed in the following screenshot. 1. Title Bar Shows which appliance and with which user you are logged on. 2. Menu Here you find basic functions of the appliance, for example, log on or off, settings and how to find help. 3. Navigation Tree Displays the different configuration possibilities and settings available for the appliance. The different functions will be detailed in later sections of this handbook from top to bottom. 4. List or Contents Display Field Displays the list or contents of the setting which has been chosen from the navigation tree. Home page of the Appliance Manager with Navigation Tree 5.3 The Menu bar 199

200 The Appliance Manager File Logout Logs out of the current session. If necessary, you can now log on to a different appliance without closing the program Exit Ends the current session on the appliance. The program will be closed Settings Archive Configuration Through this setting, you can activate the Archiving function and configure the HTTP certificate. You can find more detailed instructions on configuration and administration setting, as well as an in-depth guide to MailDepot 2.0 in Chapter Open the menu under Settings. 6. Choose Archive Configuration 200

201 The Appliance Manager MailDepot Settings 7. Enable Archiving: Activates or deactivates the archiving function of the program. Whenever this function has been changed, a restart of the appliance is necessary. PLEASE NOTE If archiving is activated, all incoming and outgoing mails will be archived. There are possibilities to prevent the archiving of certain mails: - Domain Basis (see Local Internet Domain configuration) - per Address (see Alias configuration) - per Spam Detection (see Filter Settings MailDepot) - through Archive Policies (see Archive Policies MailDepot) 8. Number of days for subsequent archiving: This number determines the number of days to be accounted for when performing a retroactive archive of old mails. The preset number is 3650 days. In this case, all mails found in the last 10 years of a mailbox would be archived. 9. Spam-Filter: Prevent archiving In this field, you can choose which filter(s) should prevent archiving of a mail. If a mail is determined to be spam by a filter which is selected, the mail will not be archived. 201

202 The Appliance Manager Change SSL Certificate 1. Open the menu below Settings. Image: Appliance Settings 2. Select Appliance Settings. Image: SSL Certificate 3. Add SSL Certificate: Select the created and as pfx exported Certificate (needs to have a password) and continue with OK. It is possible to add a number of Certificates by opening a Zip Archiv containing Certificates. In the browse Dialog, a * must be entered to make.zip files visible. A couple of Certificates may be needed if using the REDDOXX Mobile Device App, in case they are connecting via SSL from external networks. 202

203 The Appliance Manager Image: Browse for Certificates 203

204 The Appliance Manager Help Online Help You always have the ability to find help or further instructions with the REDDOXX Online Handbook, as long as you are connected to the internet. Simply push the F1 button and you will automatically be taken to the section of the handbook in which you currently find yourself in the Application Manager. 5.4 Appliance Configuration The Appliance Configuration is divided into Disk Storage, Backup, Updates and Diagnose External Storages In the Storage Manager, you can configure and manage the external storage devices. A storage device medium is used to provide available space for data storage for the appliance. You will be able to choose from a pool of storage devices which data, archive container or backups, to which type of storage device should be saved. At this time, CIFS and iscsi storage mediums are supported. This provides the following possibilities: Storage on different storage devices of different builds Connection from 1.. n File Shares (SMB/CIFS/NFS/USB/Virtual Discs) Connection from 1.. n iscsi Devices Optimized storage through Hierarchical Storage Management (HSM) NTFS Filesystem is supported for local- and iscsi Devices. Using the gpt partitioning format makes iscsi and Local Devices with more than 4 TB size accessible. 204

205 The Appliance Manager An example of storage organization 205

206 The Appliance Manager Local Disc Storage Image: Local Disc Storoage Virtual devices can be scanned and added Add a local Disc Storage 1. Click on the Add button in the context window and Scan for local devices. NOTE Multiple local Devices will get a number at the end of the name if added simultaniously. Further devices will be shown, after a format of the current device and a new rescan for local devices Format a local Disc Storage After creating a new virtual disc in your host system, a format is required. 1. Right click on the storage and choose Extra Format device Extend a local Disc Storage If the virtual disc size has been extended, the storage in the REDDOXX Appliance need to be extended too. 1. Right click on the data storage and choose Extra - > Extend device Remove a local Disc Storage To remove a data storage, the resource needs to be unmounted. The storage will only be removed from the list, any data found within the storage will not be erased. 2. Right click on the data storage and choose Remove. 3. Confirm the selection. The data storage will no longer be found in the list of available storages. If necessary, you can re-add the storage at a later time Mount a local Disc Storage With this step, you will mount the data storage in the file system of the appliance in order to have a storage resource available for the MailDepot or for the backup files. 206

207 The Appliance Manager 1. Right click on the storage and choose Mount. 2. Confirm the selection. When the storage has been successfully mounted, the size and available space of the storage will be displayed in the storage container list. Here it is possible you receivean error message stating that the chosen storage is not available or that the user does not have the rights for this storage. A disturbance in the network is also a possible motive for these error messages. Read the description in the error message carefully Unmount a local Disc Storage If the data storage is no longer necessary, or if you need to temporarily do maintenance on the storage, it will be necessary to unmount the storage so that it is no longer available for use by the appliance. Removing the container from the storage list when performing maintenance is not necessary. Make sure that no archive containers on the storage are active (mounted) ( Archive Container Inventory) and that the Backup is not configured to the storage. If the connection to the file server is unexpectedly broken, the appliance tries to automatically reconnect once a minute. If the appliance is unable to connect, a restart of the appliance will be necessary. If an error occurs, an error message will appear in the status field of the of the storage. 1. Right click on the storage and choose Unmount. 2. Confirm the selection. When the storage is unmounted successfully, a red symbol will appear in the data storage list. If unsuccessful, the storage will still be available for use. Review the archive container and backup configuration of the storage and make sure that no Archive Task or Archive Policy is running on the storage, or that a Backup is configured to the storage. 207

208 The Appliance Manager iscsi Data Storage An iscsi data storage is a block device, which is made available through an iscsi Portal on the network. It functions like a hard drive, and also needs to be formatted and portioned like a hard drive. An iscsi Portal appropriates one or more IQNs (iscsi Qualified Names) for an application, in this case the REDDOXX appliance. The LUNs (Logical Unit Number) are found within this IQN. Access restriction can be made through the initiator name Add an external iscsi Data Storage 1. Right click on the open field in the context window and choose in the following menu Add. 2. Enter the hostname or IP-Address of your iscsi Portals and click Discover. The appliance now connects to the iscsi Portal and shows the available IQNs. If the respective IQN is not shown, it is possible that the access rights to the iscsi Portal are missing or not correct. Also check to see if the Initiator name is entered correctly and whether the target devices under the IQN are available. In Chapter you can learn more about the initiator name of your appliance. 3. Choose the correct IQN. All available target devices from the choses IQNs will now be added and connected to the data system. The name of the devices will be compiled from the IQN and LUN. You can change the name later if so wished Rename an external iscsi Data Storage 208

209 The Appliance Manager To change the name of a data storage, the resource cannot be in use, it will need to be unmounted first (see below in Section ). Unmount the respective data storage before proceeding. 1. Right click on the data storage and choose Rename. 2. Enter a new name. The name has now been changed. Remount the data storage now Remove an external iscsi Data Storage To remove a data storage, the resource needs to be unmounted. The storage will only be removed from the list, any data found within the storage will not be erased. 4. Right click on the data storage and choose Remove. 5. Confirm the selection. The data storage will no longer be found in the list of available storages. If necessary, you can re-add the storage at a later time Mount an external iscsi Data Storage With this step, you will mount the data storage in the file system of the appliance in order to have a storage resource available for the MailDepot or for the backup files. 3. Right click on the storage and choose Mount. 4. Confirm the selection. When the storage has been successfully mounted, the size and available space of the storage will be displayed in the storage container list. Here it is possible you receive an error message stating that the chosen storage is not available or that the user does not have the rights for this storage ( Check the Initiator Name). A disturbance in the network is also a possible motive for these error messages. Read the description in the error message carefully Unmount an external iscsi Data Storage If the iscsi data storage is no longer necessary, or if you need to temporarily do maintenance on the storage, it will be necessary to unmount the storage so that it is no longer available for use by the appliance. Removing the container from the storage list when performing maintenance is not necessary. Make sure that no archive containers on the storage are active (mounted) ( Archive Container Inventory) and that the Backup is not configured to the storage. If the connection to the iscsi Portal is unexpectedly broken, the appliance tries to automatically reconnect once a minute. If the appliance is unable to connect, a restart of the appliance will be necessary. If an error occurs, an error message will appear in the status field of the of the storage. 209

210 The Appliance Manager 3. Right click on the storage and choose Unmount. 4. Confirm the selection. When the storage is unmounted successfully, a red symbol will appear in the data storage list. If unsuccessful, the storage will still be available for use. Review the archive container and backup configuration of the storage and make sure that no Archive Task or Archive Policy is running on the storage, or that a Backup is configured to the storage Format an external iscsi Data Storage When you initially receive an iscsi Device for your appliance, it has usually not been formatted. For the REDDOXX appliance, a data storage can be formatted in Format EXT3 / EXT4 or NTFS. If the data storage is not so formatted, it will not be possible to mount the storage. The following status message will appear Device is not formatted. You will then be able to format the storage. 1. Right click on the storage and choose Format. 2. Confirm the selection. The formatting process of the storage will now begin in the background. A status report can be seen by pushing the F5 button on your keyboard, and the status itself will be updated every minute in the background. When it has successfully finished, the data storage can be mounted.( Chapter ) Extend an external iscsi Data Storage If the capacity of the storage is getting too full, it is possible for the administrator to extend the size of the of the storage space. It will then be necessary to enlarge the data system of the particular data storage on the appliance. 1. Right click on the storage and choose Extend. 2. Confirm the selection. The extension process of the storage will begin in the background. A status report can be seen by pushing the F5 button on your keyboard, and the status itself will be updated every minute in the background. When it has successfully finished, the data storage can be mounted. ( Chapter ) Change the iscsi Initiator Name Assigning an iscsi data storage is controlled through the Initiator name (IQN). The Initiator name is preset in the REDDOXX appliance, but can be changed if so wished. The preset name is as follows: iqn com.reddoxx:01:76ef99ae Right click on the content field and choose Change Initiator name. 210

211 The Appliance Manager 2. Enter the new name or cancel the transaction, if you would only like to display the name. 211

212 The Appliance Manager NFS Storage NFS Shares are based upon the unix network protocol. They can be implemented as Sercice on Windows Server Editions and work almost the same as CIFS Shares. However, the NFS Protocol itself is much more stable and reliable. Under linux, the option root_squash and on FreeBSD -maproot=<user> is recommended for security reasons Add an external NFS Storage 1. Right click on the open field in the context window and choose in the following menu Add. 2. Name: Enter a name for the nfs share. You will find this name later in the list of available storage devices. 3. Server: Enter the Hostname or IP Address. 4. Path: The path to the share is entered in Unix format. /folder/subfolder 212

213 The Appliance Manager Modify a NFS Storage To modify a NFS storage, the storage may not be mounted. Unmount the NFS storage before proceeding. 2. Right click on the storage and choose Modify. 3. Make the necessary changes to the storage. 4. Now remount the storage Remove a NFS Storage To remove a data storage, the resource needs to be unmounted. The storage will only be removed from the list, any data found within the storage will not be erased. 6. Right click on the data storage and choose Remove. 7. Confirm the selection. The data storage will no longer be found in the list of available storages. If necessary, you can re-add the storage at a later time Mount a NFS Storage With this step, you will mount the data storage in the file system of the appliance in order to have a storage resource available for the MailDepot or for the backup files. 5. Right click on the storage and choose Mount. 6. Confirm the selection. When the storage has been successfully mounted, the size and available space of the storage will be displayed in the storage container list. Here it is possible you receivean error message stating that the chosen storage is not available or that the user does not have the rights for this storage. A disturbance in the network is also a possible motive for these error messages. Read the description in the error message carefully Unmount a NFS Storage If the data storage is no longer necessary, or if you need to temporarily do maintenance on the storage, it will be necessary to unmount the storage so that it is no longer available for use by the appliance. Removing the container from the storage list when performing maintenance is not necessary. Make sure that no archive containers on the storage are active (mounted) ( Archive Container Inventory) and that the Backup is not configured to the storage. If the connection to the file server is unexpectedly broken, the appliance tries to automatically reconnect once a minute. If the appliance is unable to connect, a restart of the appliance will be necessary. If an error occurs, an error message will appear in the status field of the of the storage. 5. Right click on the storage and choose Unmount. 6. Confirm the selection. When the storage is unmounted successfully, a red symbol will appear in the data storage list. If unsuccessful, the storage will still be available for use. Review the archive container and backup configuration of the storage and make sure that no Archive Task or Archive Policy is running on the storage, or that a Backup is configured to the storage. 213

214 The Appliance Manager CIFS Data Storage IMPORTANT It is not recommended using CIFS Protocol anymore, as Storage Types like NFS or iscsi are much more reliable and secure. A CIFS storage is based on a connection to a shared directory on a file server available over the network. If your REDDOXX appliance was updated to MailDepot 2.0 with an earlier firmware version lower than version 2027, then the backup confirgured to the previous CIFS storage will be carried over. This can be found in the list Migrated Backup Share Add an external CIFS Data Storage 5. Right click on the open field in the context window and choose in the following menu Add. 6. Name: Enter a name for the backup share. You will find this name later in the list of available storage devices. 214

215 The Appliance Manager 7. UNC Path: The path to the share is entered in standard UNC (Uniform Naming Convention) format. \\Servername\sharename 8. Username: A username for authorized access to the share is mandatory. 9. Password: Enter a password. (Please note that it may not be longer than 16 characters.) 10. Domain: Enter an already existing domain Modify a CIFS Data Storage To modify a CIFS storage, the storage may not be mounted. Unmount the CIFS storage before proceeding. 5. Right click on the storage and choose Modify. 6. Make the necessary changes to the storage. 7. Now remount the storage Remove a CIFS Data Storage To remove a data storage, the resource needs to be unmounted. The storage will only be removed from the list, any data found within the storage will not be erased. 8. Right click on the data storage and choose Remove. 9. Confirm the selection. The data storage will no longer be found in the list of available storages. If necessary, you can re-add the storage at a later time Mount a CIFS Data Storage With this step, you will mount the data storage in the file system of the appliance in order to have a storage resource available for the MailDepot or for the backup files. 7. Right click on the storage and choose Mount. 8. Confirm the selection. When the storage has been successfully mounted, the size and available space of the storage will be displayed in the storage container list. Here it is possible you receivean error message stating that the chosen storage is not available or that the user does not have the rights for this storage. A disturbance in the network is also a possible motive for these error messages. Read the description in the error message carefully. 215

216 The Appliance Manager Unmount a CIFS Data Storage If the data storage is no longer necessary, or if you need to temporarily do maintenance on the storage, it will be necessary to unmount the storage so that it is no longer available for use by the appliance. Removing the container from the storage list when performing maintenance is not necessary. Make sure that no archive containers on the storage are active (mounted) ( Archive Container Inventory) and that the Backup is not configured to the storage. If the connection to the file server is unexpectedly broken, the appliance tries to automatically reconnect once a minute. If the appliance is unable to connect, a restart of the appliance will be necessary. If an error occurs, an error message will appear in the status field of the of the storage. 7. Right click on the storage and choose Unmount. 8. Confirm the selection. When the storage is unmounted successfully, a red symbol will appear in the data storage list. If unsuccessful, the storage will still be available for use. Review the archive container and backup configuration of the storage and make sure that no Archive Task or Archive Policy is running on the storage, or that a Backup is configured to the storage Data Protection (Backup) The backup offers the possibility to automatically secure the data found locally on the appliance according to a regular schedule. The backup covers all configurations, archive spooler entries, and queues, as well as the entire operating system of the REDDOXX appliance. The backup is saved to a selected data storage. WARNING The backup of the appliance does NOT save the Archive Containers on the external data storage devices! This backup needs to made through your central backup program. ( ) Backup Settings Enter the day and the time at which the backup should start and enter a name for the backup data. A backup will only be saved to the data storage when the Active box next to the day has been checked. 216

217 The Appliance Manager 1. Active Click on the box next to the day to activate the backup for that day. 2. Time Enter the time for which the backup should start. (REDDOXX recommends not during busy office hours.) 3. Name Enter a name for the backup record. The backup record will then be comprised of the following files:.rdxbak, rdxbak.data, rdxbak.log, rdxbak.boot. 4. Storage Choose a storage for the backup from the list of available storages. All currently available devices will be displayed. 5. Do not backup log files Activate this option if you do not wish to save the log files. If activated,.rdxbak.log will not be found in the backup record. 6. Click on Apply Settings when finished. TIP If you like to do an immediate backup, set the time for the next minute of the day on which you would like to perform the backup. To manually perform a Backup, you need to go into the Appliance console and choose Backup from the available menu. You can stop the appliance and obtain the exact state of the data found on the appliance. This is necessary when transferring the data to another appliance. 217

218 The Appliance Manager Backup Records Here you will find a list of the most current backups. Available Backups Delete a Backup Record 1. Right click on the backup record that you would like to delete and choose Delete. 2. Confirm the selection. The backup record and all its associated files will be deleted. Accidentally deleted records can only be retrieved through the main backup of the data storage, if this is available Archive Container Backup A backup of the archive container is NOT included in the REDDOXX Backup program and should be made through the central backup program. In order to access the container, especially when located on an iscsi storage, the REDDOXX appliance provides CIFS shares. Access data for the external storage via CIFS: Host: <hostname or IP address of the appliance> Share name: storages User: admin Password: The password is here the standard password. (AppAdmin) Underneath the share name you will see, such as in Explorer, the individual directories of the container together with the directory of the appliance backups. Connect these shares to your central backup, so that the container and the appliance backup will run simultaneously together with the central backup. 218

219 The Appliance Manager Restore a backup PLEASE NOTE A backup restore can only be performed over the appliance terminal ( Appliance Console, Chapter 6). Reboot the appliance and choose Appliance Recovery in the admin boot menu. 219

220 The Appliance Manager Updates Image: Left Panel view With the option Updates, you can update your appliance to the current software version Request Updates Select Updates in the left panel view and click on Request updates in the right view. Image: Request Updates Install updates If an updates for your appliance is available and downloaded, it can be installed with a click on the install button. Wait until the update is done. Image: downloaded update Delete Updates Click the Delete button to delete a update if a networkfailure took place or if you are not sure that the update was downloaded correctly. 220

221 The Appliance Manager Show release notes Check the release notes by clicking the Button Release Notes to view the changes that take place with installing the update. Image: Release Notes 221

222 The Appliance Manager REDDOXX Diagnostics Center The Diagnostics Center allows you to test the appliance for any existing or potential problems that may or could occur in the system. The tests are divided into different categories. The NETWORK category, for example, offers classic tools to detect problems occurring in the network. 222

223 The Appliance Manager Select Test: Choose a test from the list. The result of the test will be shown in the OUTPUT column on the right. Parameter: According to which test is selected, an entry form will appear in which you can enter certain parameters for the test. Start / Cancel: Click on START to begin the selected test. You can also select different tests to start running simultaneously. Output: The results of the test are displayed in the OUTPUT column on the right side of the screen. Results will individually appear as the test is running, making it possible for longer term actions (ex. Ping) to be diagnosed. The results will be displayed step-by-step. IMPORTANT The activated selftests, that are shown in bold, will run each hour. In case of errors, a message to the administrator can be mailed. Therefor the Administrator address needs to be set in rdxadmin1 Appliance Configuration Settings General and the notifications have to be enabled in rdxadmin1 Appliance Configuration Settings Notification. The mail for failed selftests includes troubleshooting hints at the blue question mark. 223

224 The Appliance Manager System Different categories are available to choose from. A special feature is the NETWORK category, which is not diagnosed in the automatic diagnostic check found in the Admin GUI(1) Health Status (FAQ) This is the overview of all activated hourly tasks. Die background colour depends on the returning state. The colour can be green (OK), yellow (Warning) or red (Error). Image: +Health Status Mail Round Trip (FAQ) This is a runtime and mailflow test to check if mails leave the appliance correctly and reach it again. Further information can be found in the manual Server Eye. 224

225 The Appliance Manager Process list (FAQ) Tests if the following services are running. clamd: Virus scanner fbserver: Firebird data base server fbguard: Data base server watchdog rdxappcontrol: REDDOXX Remote Support rdxengine2: REDDOXX Kernel watchdog: Watchdog for these services. If a service crashes, it will be restarted through this watchdog. heartbeat: Failover-Cluster controller drbd: Synchronization service in the cluster rdxfuzzy: Important spam recognition service rdxcompliancelog: Registry service for the archive Rdxacs: MailDepot service Consistency This test examines the consistency of individual systems or components of the program Backup Verification (FAQ) Diagnoses if the Backup-Set is written correctly and if a backup recovery is suitable. Parameter: Backup Set. Choose which Backup-Set to diagnose from the list. 225

226 The Appliance Manager Container Consistency (FAQ) Diagnoses, if the archive containers are available and consistent Parameter: Archive Container. Choose if all or a special container should be checked for consistency Test Method: Choose if a check or a container repair should be performed. In version 2030 SP1 and higher, it is possible to perform a remove write lock. This removes the write lock on the selected container. A write lock can occur, if a storage or network failure happened or in case of a cluster failover. Make sure that no other REDDOXX tool (like the MailDepot Importer) has opened this container in written mode before starting the write lock removal. Fix wrong parameter errors: This fixes issues with duplicates in the archive Report Reports are useful to collect information about installed certifates and licenses Certificates (FAQ) This Diagnose checks the expiration of certificates that are provided in the MailSealer. The result is shown in either green (OK), yellow (Warning) or red (Expired) color. This is useful to automaticly check certificates for expiration, especially if there is a large number of them. Expired certificates would result in a failure of mail encryption, unless they have not been trusted manually. Parameter: Check Interval: Can be set between now, weekly, or monthly. Forecast in days: Defines the forecast for the specified days.. Include Expired: Shows already expired certicates. 226

227 The Appliance Manager Compliance Audit (FAQ) Diagnose "Compliance Audit" is used to search and show the performed audits for a specified time interval. As interval can be selected between now, daily, weekly or monthly. The "Delivery Type" can be either "Show" for showing the output in the diagnose, or " " in order to send the output as mail to the specified " Recipient". In case of an report, the attachment may be imported to a spreadsheet with the "open with" command. If the Delivery Type is "Show", the interval "now" should be selected. If using as Delivery Type, the interval in "Last Days to Review" needs to be adjusted accordingly (Daily with 1, Weekly 7, Monthly with 31 days). Parameter: Check Interval: Can be set between now, daily, weekly, or monthly. Last Days to Review: Defines the forecast for the specified days.. Delivery Type: Can be selected between Show (to show the Result in the Diagnose) or (to send the Result via mail) Recipient: The recipient, in case the Delivery Type is set to Licenses (FAQ) This Diagnose checks for Licenses that are soon to expire. It can be done weekly, or now MailSealer Policies (FAQ) This Diagnose shows or mails all MailSealer Policies. In case of problems, it is easy to check this list of rules for each mail that should be processed by the MailSealer. The html list, that is sent via mail if checked, can be opened without further editing in Excel or Libre Office Calc. Parameter: Export Interval: Can be set between now, or daily. Delivery Type: Select between show (in the diagnose) or mail. 227

228 The Appliance Manager Cluster Tests The Cluster Diagnosis examines the relevant services and conditions of the cluster (if applicable) Cluster Sync Status (FAQ) Checks if both Nodes are in sync or in syncing state (after a node failure) Cluster time difference (FAQ) In a cluster, the time needs to be identical on all nodes. If the difference is 60 seconds or more, an error message will appear Default gateway (FAQ) In a cluster, a default gateway needs to be reachable via Ping. If a default gateway is not found, then the cluster nodes think the default connection is broken and the cluster services will terminate. An error message will then be sent out Heartbeat link (FAQ) Both Nodes test the availability of the other Nodes IP via the Heartbeat Link Node status (FAQ) Checks if both Nodes are activ and in sync. 228

229 The Appliance Manager Network In the Network diagnosis, there are different tools available to test the status of the components of the network. Make sure there are no Firewall limitations on the network DNS Lookup (FAQ) Test if your DNS server is available and if a logical answer is given upon a query. Also test other DNS servers and compare the results. Parameter: Nameserver. The name of the DNS server to examine. Query Type: Choose the correct type of query. Choices are: MX, A, PTR, NS. Query: The domains (MX,NS), the hostname (A), or the IP addresses (PTR) DNS Server (FAQ) Checks the configured name servers for availability Fuzzy Filter (FAQ) Tests if a TCP connection via Port can be made from the internet to the REDDOXX Fuzzy service. The Fuzzy Filter is responsible for Spam recognition HTTP (FAQ) Tests if a TCP connection can be made to the internet via Port 80. If a problem occurs, check the firewall or proxy server settings. Parameter: URL: A URL (Website), which will be downloaded for test purposes LDAP Connectivity (FAQ) Will examine all LDAP servers configures in the Local Internet Domains on the appliance LDAP Query (FAQ) Here you can specifically test if an LDAP server is able to make a connection with the given parameters and if the desired results are produced. The answer from the LDAP server will be shown in the Output column. An alternative to the REDDOXX LDAP diagnose is to test the connection parameters of your LDAP server with an outside LDAP tool (ex. LDAPBrowser). Make sure the query is made with a separate IP address (==> Firewall limitations). 229

230 The Appliance Manager Further information to LDAP configuration can be found in the instruction guide- LDAP Connectivity of the REDDOXX Appliance on the REDDOXX Support website under Manuals: Parameter: Server type: Available choices are: Active Directory, Novell Netware, Lotus Domino, OpenLDAP, OpenXchange AE. LDAP Server: IP address or hostname of the LDAP server. Port: The TCP port on which the LDAP server listens. The default port is 389, the Global Catalog Server listens on Port Use SSL: Activates an encrypted delivery to the LDAP server. Default port for encrypted queries is 636. Bind user: The username which will be applied for the LDAP bind. Make sure that a complete UPN is used, especially when using Active Directory, in which an anonymous bind is not allowed. Bind Password: The respective password for the username. Base DN: The Base Distinguished Name which should be searched in the LDAP server tree. Username: The username which should be searched. Address: The address which should be searched. Username and address are searched separately. Results will also be shown separately, although one variant may not have been found. 230

231 The Appliance Manager Network Time (FAQ) Tests the availability of the configured Time Server (This doesnt Set a Time). Possible messages are: OK (if all Time Servers are reachable), Warning (if at least one is not available) or Error (if notime Server is available) Ping (FAQ) Ping tests if a host is reachable via ICMP protocol. Makes sure there are no firewall limitations which could hinder the test. Parameter: Target Host: IP addresses or names of the hosts, which should be targeted for the Ping test. Count: Number of Ping packets which should be sent. One packet per second will be sent. After the test has been started, you can check the end result at a later time or see the current results in the output column SMTP (FAQ) Test to see if a mail server is available and send the respective mail server a test mail. 231

232 The Appliance Manager The result will appear in the output column Tcpdump (FAQ) Tcpdump allows to capture the network traffic from an ip address or host and the corresponding port. The test provides a download link for further analyse with tools like wireshark Traceroute (FAQ) A traceroute allows you to follow the path a query on a host takes through the network. By doing this, you can, for example, test with which IP address a file packet leaves the internal network. This is important when there are more public IP addresses present. Your appliance and it s IP address need to contain a PTR record in the DNS of an internet domain so that other mail servers will accept mails from your appliance. Parameter: Target Host: IP address or name of the host which should be queried. Don't resolve: No DNS resolution of the IP addresses for the hostnames. This is advantageous when there are problems with the DNS, or the DNS queries take a long time. 232

233 The Appliance Manager Hardware The Category Hardware is used to check the appliances harddisk, memory and controller Disk space (FAQ) Check the space available on the system and data partitions on the local hard drive. When 75% is reached, a warning will be sent every hour. If the disk space reaches 90%, an error message will be sent every hour Hard disk (FAQ) Tests the efficiency of the local hard drives. The basis being the S.M.A.R.T. technology of the hard drive Memory (FAQ) Checks the assigned memory, especially in virtual machines that have been updated from old versions, the assigned memory might be not enough Raid (FAQ) Checks the controller of the hard drive, if the connected drives of the Raid container are running properly Virtual SCSI Controller (FAQ) Checks if the virtual scsi controller is the correct one. 233

234 The Appliance Manager Storage The category storage checks the filesystem and performance of mounted storages Filesystem (FAQ) Checks or repairs the filesystem if necessary. Parameter: Check Mode: Select check only, force check, repair or force repair. Check and repair cannot be done with a mounted filesystem, a force check/repair maybe required. Storage Device: Select the device that needs to be checked or repaired Storage Performance (FAQ) The Storage performance checks the storage speed by transfering a given amount of data. Parameter: Storage device: Select one or all devices for the test. Amount of data: Select between 1MB, 10MB, 100MB and 1GB files to be transfered. Treshold for warnings in KB/s: Set the treshold for warnings, default is 1500 KB/s. Treshold for errors in KB/s: Set the treshold for errors, default is 1000 KB/s Storages (FAQ) Tests if the remotes storage devices are correctly mounted and re-connects them if the storage server was briefly out of service. Also checks the access rights to the files and directories, in case temporary files were saved and later deleted. As soon as there is less than 1 GB space available, an error message will be sent. 234

235 The Appliance Manager Services Includes MailDepot services and provides an overview whether the service and the queues are running without error MailDepot Connector Queue (FAQ) This test counts the mails in the MailDepot Connector Queue in order to send notifications when the counted mails are more than in the max queue length value MailDepot Service (Version 2030 SP1 and higher) (FAQ) This test checks, if all maildepot related services are running and if for example all containers are successfully opened MailDepot Spooler Queue (FAQ) This test counts the mails in the Archive Spooler Queue in order to send notifications when the counted mails are more than in the max queue length value. 235

236 The Appliance Manager 5.5 REDDOXX MailDepot Overview The REDDOXX MailDepot is an archive system which allows you to manage your saved s from a central point. MailDepot 2.0 was introduced in 2010 with the release of REDDOXX firmware 2027, with capabilities and advantages much greater than those found in the previous MailDepot 1.0. The features of both versions will be compared in a table on the following page Features of MailDepot Multiple Storages (File Share, iscsi) 2. Storage container as self-supporting archive 3. Offline access to the archive, also possible without the appliance 4. Structured archive through automatic categorization 5. transaction history 6. Retention Control 7. Auditing capability through four-eye principle 8. Extensive Im- and Export capabilities 9. Fulfills all individual compliance requirements 10. Audit-proof compliance log Licenses and Limitations For MailDepot 1.0 there was a single license for the service, but for MailDepot 2.0 there are now two types of licenses available, a Basic license and a Premium license. If you already have a license for MailDepot 1.0, then you will automatically be given a Premium license. It is possible to purchase a Basic license which has fewer functions than the Premium license. The difference between the two licenses are shown in the following table. 236

237 The Appliance Manager REDDOXX MailDepot GDPdU, GoBS, Basel II certified (TÜV) Automatic, audit-proof, and non-tamperable Archiving system Ability to redeliver accidentally or deliberately erased s from the archive Full text indexing including all text oriented attachments Single Instancing storage Exclusion of spam possible Virus protection for all incoming and outgoing s Internal archiving via MailDepot connectors Retroactive archiving of all available s (PST/EML/MSG) Microsoft Outlook integration Access to mail archive via web browser or Windows GUI Archiving of s to SMB/CIFS-Share, NAS, iscsi Overlapping mailbox access (Deputy assignment) Double storage encrypted and decrypted s with MailSealer Password encrypted (MailSealer Light) Long-term access due to archiving in standard format Saves previous searches Able to search through all deputies Self-supporting archive helps optimize storage demands Offline availability 4-Eye principle, with flexible application Archived s automatically categorized Outsourcing of archived s in long-term containers Adjustable retention times for categories and containers Able to classify and separate private s, includes a delete function Categorie structures can be created by the administrator Multiple Storage Devices 1 MD 1.0 (v1026) MD 2.0 BASIC MD 2.0 PREMIU M 1 CIFS Only for MS-Office Dokuments.doc,.xls,.ppt and.pdf 237

238 The Appliance Manager Migration from Maildepot 1.0 to 2.0 You will find a separate handbook for instructions on the migration process from MailDepot 1.0 to MailDepot 2.0 available for download in our download center on the REDDOXX Support website: Offline Reader An offline reader is available for MailDepot 2.0 archive container access without use of the appliance. You will find the instructional guide for this in our download center on the REDDOXX Support website: Administration The administration of MailDepot 2.0 now involves the use of a second Administration GUI, the file name as follows: rdxadmin2.exe. With this GUI, you will configure and manage the entire MailDepot, the backup settings, and the data storage devices for the archive. The remaining applications (Application Configuration, Application Administration, Spamfinder, MailSealer) will be, as before, configured and administered with the original Administrator GUI: rdxadmin.exe. It is planned to combine the two GUIs in the near future. 238

239 The Appliance Manager Archive Container An archive container is a data container very similar to a ZIP-archive, which can store and contain a very large amount of individual files (= s). In the REDDOXX appliance, the archive container is not a single file, but rather acts as a directory for your available file storages on your external data storage. Archive Container Structure WARNING The files in an active (mounted) container are permanently open and their behavior can be compared to the behavior of a database. This behavior necessitates an absolutely reliable deployment of external data storage devices. You need to make sure that the network connection is stable and runs without any handicaps, and that the storage containers are readily available. Recommended, at least for the default container, is an independent NAS device. 239

240 The Appliance Manager Features and Advantages of an Archive Container Simple administration in the file manager (copy, delete, move) Parallel access of up to 32 archive containers Offline availability of the container (access without the appliance) Retention Control Long-term archive with offline mediums Password-controlled access A container is exponentially voluminous. It is only limited by the size of the storage device Examples of Archive Container Application and Best Practice REDDOXX would like to offer you some tips on how best to organize the files and the containers and answer some questions you may have regarding the application of MailDepot 2.0. Understand that frequent copying and moving of files (mails) into different containers can compromise the performance of the appliance and the storages. Duplicates will no longer be recognized if the original is not in the Default Container. The more containers that are mounted parallel, the slower the search function will be. A task for each container is necessary in order to further process the mails. If you would like to store the mails on a yearly basis, consider if it is possible to group years together (for example: ). Containers being used only for offline viewing should not be active (containers should be unmounted). An extremely reliable storage (for example, a NAS device) is an absolute must for the Default Container. The Default Container must always be active. The containers which should not be changed or overwritten, should be secured with a write protection. PLEASE NOTE Avoid separating the existing archive into lots of different containers. Only create new containers when there is a definite need. Follow this simple guideline: As much as necessary, but as little as possible! 240

241 The Appliance Manager Archive Container List In the archive container list, you will see an inventory of all registered containers. One container has to be the Default Container. The Default Container will be marked with green OK symbol and be written in thicker script. The arriving mails to be archived flow into this container. Container List (Inventory) with Default Container 1. Name The name which you gave to the container when you created the container. A status symbol is shown in front of the name. We explain the definitions of these symbols: Container has a flaw. Note the error message. ( 5.) Container is not mounted and is not active. Container is mounted and is available for use. Container is mounted and set as Default Container. s to be archived flow into this container. 2. File Storage, path, and file name of the container. 3. Documents Number of archived mails in the container. 4. State AutoMount: Container will be automatically mounted after a new start. Searchable: Container is available for a search. These states can occur in combination. 5. Error Error messages, for example, when a container is unable to be mounted, because the storage is not available Create an Archive Container In a new appliance, there is not a registered container in place. You need to first create an archive container. 1. In the navigation tree, left click on Archive container. Then right click in the context field to the right. Choose Create Container from the following menu. 241

242 The Appliance Manager Properties 2. Name Enter a name for the new container. The name is also a prerequisite for the directory name on your file storage. The name of the container can be changed later. 3. Password A password is optional. Every time you wish to open the container, you will need to enter a password. The password will also be necessary to mount the container in the inventory list, and also to access it with the Offline Reader. Leave this field empty if you do not wish to have a password for the container. 4. Confirm password Enter the same password again, if you have chosen to have a password for the container. PLEASE NOTE Without a password, every user that has access to the container (=Directory), has the possibility to open a copy of the container with the REDDOXX Offline Reader! 5. Location Open the menu and choose the correct file storage for the container. The file storages in the list are those that you previously made available and mounted. 242

243 The Appliance Manager 6. Choose the directory in which you would like to create the container. Typically you choose the root directory of the file storage, provide you have made this file storage available exclusively for the REDDOXX MailDepot. 7. Maximum Chunk Size Maximum size of the individual data files in one container in Megabytes. If the size of a data file is exceeded, a new data file will be created under the next consecutive number. The default amount is 4096 MB. Adjust the number to the specifications of the file system of your file storage system. For example, if you create a container on physical data storage (ex. CD, DVD with Iso9660 format), you would need to lower the size to 2048 MB. 8. Minimum Retention Time Enter the number of days the (s) should be archived before it can be deleted. This will ensure that the mails in this container cannot be tampered with for at least this period of time. By clicking OK, the container is created and will be added to the inventory as well as available for mounting. The container is now operational. Now set the container properties. 243

244 The Appliance Manager PLEASE NOTE Do not forget to set a container as the Default Container ( Right Click Set Default Container). If no container is set as the default container, the mails to be archived will be saved locally on the appliance in the spooler until a default container is set. Mails will not be lost if this occurs Archive Container Properties Here you can set certain properties for the container. Always check the properties of a container after adding it to the inventory. 1. Double click (left) on the container to open the Archive Container Properties menu. 2. Name Change the name of the container if you would like the container to be shown with a different name. The name change is only for the displayed name in the inventory list. 3. Commit Interval The default value in this field is 10. The files, or mails, will be saved to the file storage after every 10th mail that goes into the container. This is similar to a cache of a hard drive and greatly enhance the performance of the appliance. If the storage happens to malfunction (a power outage, for example), there could be a potential loss of the last 9 mails. If this is not acceptable, it is possible to lower the value. In the case of a mass import, ex. the retroactive archiving of mailboxes, a higher value would greatly speed up the process. 4. Mount on service start Mounts the container after every new start of the appliance. This requires that the 244

245 The Appliance Manager storage on which the container is found is also programmed to be automatically mounted upon a new start. Enable searching The container will be included when a search is conducted. The more containers that need to be searched, the slower the search will be. Read-Only Activate this when you would like to ensure that the container cannot be changed. Non-writeable mediums, ex. DVDs, should also have this option activated. This action takes place immediately. Disable body indexing Activate this option when the text of an should not be indexed for a search. Activating, or changing the status of this option only works for new, incoming mails. Disable attachment indexing Activate this option when an attachment in a mail should not be indexed for a search. Activating, or changing the status of this option only works for new, incoming mails. PLEASE NOTE To perform a complete new indexing of a container, all mails in the container need to be copied to a new container through a task or a policy Add Container to Inventory After migrating from MailDepot 1.0 to 2.0, you can add the container to the inventory. Naturally this goes also for containers previously removed or that you have available from other sources (ex. DVD). Required is that the container is reachable over the network. 1. Right click in the context field (under Archive Container in the navigation tree) and choose from the following menu Add Container to inventory. 245

246 The Appliance Manager 2. Choose the storage in which the desired container is found. 3. Open the root directory of the chosen storage and open the container to be added. Select the file reddoxx.rdxacs and click on OK. 4. Enter the password for the container if necessary. If you received the container from another user, you may need to ask them for the password. 246

247 The Appliance Manager Confirm by pressing OK. The container will now be added to the inventory. You can now mount the container. You can also change the container properties Mount Container After you have added the container to the inventory, you can mount the container so that it is active for storage. Only mounted containers are able to receive files and are available for searching and reading. 1. In the Navigation Tree, click on Archive Container. In the context field now appearing to the right, right click on the correct container, and in the following menu, select Mount Container. 2. Confirm the selection. The container is now mounted and is available for MailDepot usage. Check the container properties, especially the automatic mount function and the write-protection settings Unmount Container Unmount a container when the container is no longer necessary and further usage (searches, tasks) of the container should be blocked. When unmounting, the s since the last Commit ( see Container Settings) will be written to the file storage and all access to files and directories will be closed. This is a prerequisite to be able to unmount the underlying file storages. Also check if the container has any tasks or policies assigned to it. If so, these need to be deactivated or deleted. If you only want to ensure that the container cannot be written to, activate the writeprotection ( Container Properties). 1. In the Navigation Tree, click on Archive Container. In the context field now appearing to the right, right click on the correct container, and in the following menu, select Unmount Container. 2. Confirm the selection. The container is now unmounted and no longer available for MailDepot usage. 247

248 The Appliance Manager Remove Container from Inventory If a container is not going to be used for a certain period of time, you should remove it from the inventory. If you plan on storing the container on another file storage, then remove it so that you can add it to the inventory from the new file storage. It is allowed to have containers with the same name, but the containers do need to have a difference. Containers with the same Creation Identification (GUID) are not allowed. The unique ID of a container is obtained at the creation time of the container, but not through copying the data files with a file manager. 1. Right click in the context field (under Archive Container in the navigation tree) and choose from the following menu Remove Container from inventory. 2. Confirm the selection Optimize Container Index When and where files can be altered, it is necessary to optimize the database from time to time, and optimization is also necessary for the container index. Index optimization is programmed to automatically be done every 24 hours. If a bigger change to the files has taken place and the performance of the appliance is somehow slower, then you can optimize the index manually. 1. Right click in the context field (under Archive Container in the navigation tree) and choose from the following menu Optimize container index. 2. Confirm the selection. Depending on the size and contents of the container, the optimization process can take an extended period of time Backup Container Metadata Not applicable Move Container to a different storage device This option is not available in the REDDOXX Appliance Manager. This needs to be accomplished with the help of a file manager. Follow these steps to move a container to a different storage device: Unmount the container. Remove the container from the inventory. Start the file manager (ex. Windows Explorer) and move the complete container directory to the desired file storage. Add the container to the inventory. Choose the new file storage. Mount the container and set the container properties. 248

249 The Appliance Manager Archive Policies Through different archive policies, you can determine which mails should be archived and which mails should not be archived. If the archiving function is activated, all mails will be archived. For different reasons, you may wish that not all mails are archived. With a policy, it is possible to eliminate certain mails from being archived by meeting certain defined criteria, for example, the subject, sender, recipient, etc. Illustration: Archive Policies Overview Add an Archive Policy 1. In the navigation tree, click on Archive Policies, right click in the context field on the right and choose Add from the menu.common 249

250 The Appliance Manager 2. Disabled: Activate this option if you would like to deactivate the policy for a certain period of time. 3. Policy Name: The name of the Archive Policy. The name will appear in the policy overview. Also, in the protocol, the name will be shown in the archiving process. 4. Action: Choose between Archive and Do not archive. You can combine different policies. You may also arrange the policies in a desired chronological order, beginning from top to bottom. You can change the order with the blue arrows. PLEASE NOTE To generally prevent archiving, place a Do not archive policy at the bottom of the Policies list. Policies are processed from top to bottom Therefore, policies defined with archiving exceptions, should be placed above the final policy. As soon as a mail complies with defined conditions found in a policy, the mail will not be tested against further policies. 5. Comment: A comment can help describe the policy. Subject Patterns 6. Subject pattern: Enter the pattern for which the subject should correspond. Add a star (*) to allow for generic comparisons. For example, *Newsletter* would also correspond to 1st Newsletter

251 The Appliance Manager 7. Patterns are case-sensitive If this is activated, capitalized letters will be considered. Sender Patterns 8. Sender address patterns: For example, *newsletter* would correspond to all mails which have the word newsletter in the mail address or in the domain. Recipient Patterns 9. Recipient address patterns: Example: This corresponds to all recipients which have mycompany in the domain name, regardless to which TLD (top level domain) it belongs. 251

252 The Appliance Manager 10. All recipients must match: If this activated, the policy will only be applied when a mail is addressed to all recipients on this list. 11. Compare only local recipient addresses If this is activated, the policy will only be applied when the recipient address ( alias) is valid. If you have no recipient verification (LOCAL or LDAP) in place but you want to preserve those s from beeing archived, you need to deactivate this option. NOTE Operating the appliance without a recipient verification in a productive environment is not recomented if you have set the appliance in front to receive s directly from the internet. Size Limit 12. Message size: Enter the desired size and choose the respective action which should be taken regarding the mail. Choose from: Match if message size is greater than value Match if message size is less than value 13. Click OK to add the policy. PLEASE NOTE The following fields can be combined and linked together with a logical AND conjunction. Only when all conditions are met will the action be carried out (Archive or Do not archive). Subject pattern, Sender pattern, Recipient pattern, Message size 252

253 The Appliance Manager Archive Categories Archive categories offer you the chance to group together archived mails into specific groups by meeting certain criteria defined by the administrator. Through archive categories, you can automatically sort your mails according to a pre-defined Task or manually sort them by a privileged user or a controller, who confirms the proposed categorization. Categories are defined and created by the Administrator and can be made available to certain user groups through specified Access Rights (ACLs) Add a Folder A folder groups categories together and offers a better overview of the categories. You can create as many folders and sub-folders as you wish. 1. Left click on Archive Categories in the navigation tree and in the context field to the right, right click on Archive Categories at the top. In the following menu, choose Add folder. 2. Enter a name for the folder and click OK. The folder is now available. You can add sub-folders to existing folders if you wish Delete a folder If you choose to delete a folder, the elements contained in the folder (subfolders, categories) will be preserved. These will also need to be manually deleted. When a folder is deleted, the contents within will be displayed a level higher. 1. Right click on the folder to be deleted. In the following menu, choose Delete folder. 2. Confirm the selection Add a category 1. Right click on Archive Categories in the context field and choose Add category. 2. Enter a name for the category and click OK. The category is now available. Continue by defining the properties of the category. 253

254 The Appliance Manager Properties of a Category Right click on the category and choose Properties. A new window will be displayed with the following tabs: Access Control, Policies, Controllers and Voting Policy Access Control Access control defines which rights and actions users or groups have to the contents in the category. If no rights are defined, nobody will have access to the category. 1. Right click in the empty field and choose User or Group. Users and Groups are defined in the User Administration (Chap ). You can reduce the number displayed by setting a Filter. 254

255 The Appliance Manager 2. Select the access rights each user should have to the category. Access Rights Read (own): The category will be seen by the user in the User GUI, and the user may read and deliver their own mails found in this category. Read (all): The category will be seen by the user in the User GUI, and the user may read and deliver all mails found in this category. Suggest: The user can propose a mail for this category. The controller will process the proposals made through the User GUI. Assign: The user may assign mails to the category. Delete: The user may remove mails from the category. The mail will not be deleted from the archive Policies Define which types of policies should be applied to the category. You are able to choose when the start time of the policy begins and what type of action should take place. 1. Click on the Policies tab. In the empty field, right click and choose Add Policy. 255

256 The Appliance Manager Category Policy Name: Enter a name for the new policy. Time base: Determines at which point in time the policy should be applied to the archive category. You have two choices for this: Time in source container The point in time at which the mail arrived in the source container. Time in category The point in time at which the mail was assigned to the category. Time to apply policy: The amount of time which must pass before the policy takes the defined action. The policies will be automatically checked once a day. Example in the screen shot: The policy will be applied after 1 year, 2 months, and 3 days after Action: The action determines what should happen with the mails found in the category when the policy is implemented. Move: The mails will be moved from the source container to the target container. Copy: The mails will be copied from the source container to the target container. Delete: Mails will be deleted from the source container. But this is only possible when the retention time of the container is exceeded. Export: The mails will be exported to a targeted directory. Source Container: The container from which the mails should be acted upon. If delete or move is selected, the mail will be deleted from the this container after the policy has been executed. Target Container: This is the container to which the mails will be directed when the policy is executed. Target location: Choose from the available storages, a directory, to which the mails should be exported. The mails will be saved as single files in.eml or.msg format. An.XML file will be saved which contains the Metadata of the mail. PLEASE NOTE When creating new policies, make sure that the policies do not conflict and cancel each other out. For example, if a policy states that the mails should be moved and a new policy is created for the mails to be exported, then there are no mails available to be exported, 256

257 The Appliance Manager because the mails are deleted after they have been moved, depending on the start time of the initial policy Controllers Controllers are users, who process the proposals of other users. Proposals are processed in the controller s user console. It is possible to have one or more controllers control the categorization of a mail. 1. Choose the tab Controllers and right click in the empty field. Choose Add Controller or Add Controller Group from the menu. 2. Select the user whom you would like to add as a controller. These controllers will now be shown in the Administrator GUI as a controller and will oversee the proposals of mails for categorization as suggested by the other users Voting policies The voting policies determine if a proposal is confirmed or denied, if a controller is unable to reach a decision. This may also be the case when there are more controllers assigned, and they are unable to reach a decision regarding the catgorization of mails. These unresolved conflicts can be solved by defining rules found in the voting policies. 257

258 The Appliance Manager 1. Click on the tab Voting policy. Execute on voting timeout Time Limit: The number of days that need to pass until the chosen action is implemented. If a proposal has not been processed after 30 days (from the example in the screenshot), then the selected action will be implemented. Action None No action will be taken. The proposal remains disregarded. Report A message will be sent to the address entered (in the next step), informing the controller that the proposal has reached the time limit. Move to category The mail will be moved to the specified category. Suggest to category The mail will be proposed for the specified category. Accept The proposal will be automatically accepted. Reject The proposal will be rejected. Address The address on which messages regarding the status of the proposals will be sent. Category The target category into which the proposed mail will be moved or re-proposed. 258

259 The Appliance Manager Execute on voting conflict When more controllers are responsible for processing the proposals, it could sometimes result in a deadlocked decision (one accepts the proposal, another rejects it). A majority does not win in such a situation. In this case, the following entries will determine what happens when such a voting conflict occurs. Action None No action will be taken. The proposal remains disregarded. Report A message will be sent to the address entered (in the next step), informing the controller that the proposal has reached the time limit. Move to category The mail will be moved to the specified category. Suggest to category The mail will be proposed for the specified category. Accept The proposal will be automatically accepted. Reject The proposal will be rejected. Address The address on which messages regarding the status of the proposals will be sent. Category The target category into which the proposed mail will be moved or re-proposed. PLEASE NOTE It is important to avoid that the proposal ends up in an endless cycle of indecision. Please make sure that action is ensured to avoid a proposal will not be recycled over and over Rename a category 1. Right click on the intended category and choose Rename category in the following menu. 2. Enter the new name and click OK. 259

260 The Appliance Manager Only the name will changed in the displayed list. Tasks and Policies will still be routed to the category via the unique, internal GUID identification Delete a category Note that when deleting a category, check first to see if any tasks or policies are assigned to the category. Deleting a category does not automatically remove a policy from the category., on the contrary, an error message will appear in the Policies Overview. 1. Right click on the intended category and choose Delete category. PLEASE NOTE Warning! A confirmation question will not appear, the category will be immediately deleted by clicking Delete category Policies Overview In the Policies Overview, you will find all valid policies configured for the above categories. You are able to see if a policy is running, or the last time the policy was successfully completed, or if a policy encountered a problem during the last action. You can find individual settings for a policy under Add Archive Policy Archive Tasks 260

261 The Appliance Manager Archive Tasks are defined actions, regularly scheduled to be performed on archived mails (ex. Task Type Categorize). The defined actions of tasks can overlap those of Category Policies, but the task has priority and will always win against a policy. The following table illustrates the possible actions and the differences between Archive Tasks and Archive Category Policies Archive Task vs. Archive Category Policy Task Category Policy Based on entire containers Based only on a category Flexible Schedule Runs once every 24 hours Actions: Move, Copy, Delete, Export, Categorize Actions: Move, Copy, Delete, Export Constructed and performed with a search Performed only on categorized mails Archive Tasklist The Archive Tasklist provides you a detailed list of all available tasks. Most important is the status of the task, which tells you if a task was successfully run. If, for example, the external data storage connection is broken, the task will no longer be able to read or write to the files, understandably so. After reconnecting the data storage, you can manually restart the unsuccessful task. PLEASE NOTE Do not unmount containers or storages on which tasks are currently running or scheduled to run. Tasks can be momentarily disabled through the context menu. WARNING! If a task has just finished running, the REDDOXX appliance remembers which mails were last included in the search. The next time the task is run, only the newly received mails will be included in the search. Please note this will be the case if you have changed the search parameters during this time. The Tasklist 261

262 The Appliance Manager Filter If the tasklist has grown too large over time, you can filter the listed tasks by way of its type source or container. Clicking on the red X will clear the filter setting. You can also sort the list by clicking on the header of the column. Clicking on the header of the column returns the columns to its original order. Status The current status of the task. Idle: The task is idle until its next scheduled start time. Disabled: The task is deactivated and will not run again until re-activated. Running: The task is currently running. Last duration The time necessary to complete the last run. This value is helpful in optimizing the system performance. Avoid running tasks with a long duration too close together. Last Status The status of the task after its last completion. Succeeded: The last run was successfully completed. Error: An error occurred during the last run. Note the message found in the column Last Error. Progress n/a: Not available at this time. Last error If an error occurred during the last run ( Last Status), a text describing the error will be displayed here. Execution Count Shows how many times the task has been completed. Frequency Shows when or how often the task will be run. 262

263 The Appliance Manager Last Start Date and time at which the task was last started. Last Success Date and time at which the task was last successfully completed. Next Execution Date and time at which the task will next be executed. Further columns will be described in chapter Add an Archive Task System Tasks There are three system tasks listed in the tasklist. These system tasks control tasks performed on the entire system. You are not able to change or delete these tasks, but you can manually start them if necessary. Policies Scheduler The Policy Scheduler starts the Archive Category Policies every 24 hours. If you would like to start an Archive Category Policy immediately, you can right click on the Policies Scheduler and click on Run Task immediately. Please note that by doing this, all other category policies will also be immediately executed. Vote Control This task is run every 24 hours and checks if any category proposals have exceeded their time limits. If a time limit has been exceeded, the defined rules in the Archive Category Voting Policies will be immediately executed. ( Voting Policies). 263

264 The Appliance Manager Optimizer Task When data is constantly being changed, it is necessary to reorganize the database occasionally. This is also true for an archive container. This optimization process is automatically scheduled to run every 24 hours. If massive file changes have taken place (Move/Copy), and the performance of the container is weaker, you have the choice to perform an immediate optimization manually. Individual containers can be optimized in container administration ( Archive Container) Add an Archive Task 1. Click on Archive Tasks in the navigation tree. Right click in the context field on the right and choose Add Task from the following menu. Properties 2. Task name The name of the task as it should appear in the tasklist. The name can be changed. 3. Task type 264

265 The Appliance Manager Categorize mails: The mails of a container will be categorized according to the defined criteria of a search (found below). The category needs to be available for the found mails. Only references to the mails will be categorized, no copies of the mail will be made. Move mails: Mails will be moved from one container into another container. Copy mails: Mails will be copied from one container into another container. Delete mails: Mails will be deleted from a container. This is only possible when the retention time of a container has been exceeded ( Retention time). Export mails: Mails will be exported from a container into a selected registry. A mail will be saved in it s original format (EML or MSG) and also be given an extra XML meta data. The exported mails can then be immediately imported into another mail system. 4. Source container The container from which the mails should be copied, moved, deleted, exported, or categorized. 5. Target container The container to which the mails should be copied or moved. 6. Target category References to mails matching the search parameters will be placed in this category. The category need to be available for the mails matching the search. 7. Add to category as suggestion (only available when Categorizing) The mail to be categorized will be sent as a proposal for the chosen category. The definitive inclusion will be made by the controller. 8. Query Builder Build a search defining the parameters of which mails should be categorized to selected containers. a) Click on Build Query to start creating your search parameters. 265

266 The Appliance Manager b) By clicking on the plus symbol (+), you can add further search criteria. By clicking on the minus symbol (-), you can remove search criteria. Multiple search criteria are linked together through an AND relationship, meaning all criteria needs to be met exactly. An OR relationship can be created through Expert Mode at the bottom, by substituting AND with OR. c) Types of criterion Subject: The subject line of the mail. Message Body: The body of the mail, but only in following formats: Plain Text, Rich-Text and HTML. Attachments are not included in the search. From: Sender of the mail. To: Recipient of the mail. Since a mail might be addressed to more recipients, you can also include addresses other than your own. CC: Same as the To field, but only as a copy. Bcc: Same as the To field, but only as a blind copy. Note that BCC is not always found in a mail, especially in POP3 settings. Date: The date the mail was created. The date is generated by the mail client. Size: The size of the entire mail, in KB or MB (variable). Attachment Name: The file name of the attachment. Attachment Text: The contents of a text attachment will be searched. Attachment size: The size of all the attachments, in KB or MB (variable). Nr. of Attachments: Number of files in the attachment. Store time: Time at which the mail was saved to the container. Archive time: Time at which the mail was archived in the appliance. d) Not Function: By selecting Not, the criteria can not be met in the search. 266

267 The Appliance Manager e) Conditions: Contains: The criterion needs to contain some part of this text. A * symbol is necessary at the end of this entry. Exact phrase:the criterion needs to be exactly so written. An entry can be defined through spaces, and through punctuation marks such as commas, exclamation marks, question marks, colons, and periods. Start with: The criterion needs to coincide with the beginning of a word. Ähnlich wie: The criterion will be compared with similarly written texts. The entry can also be found in the middle of a word. Using a generic symbol (ex. * ) is not necessary. Queries based on numbers or dates do not need to be explained. f) Entry: Enter the criterion for which the search should be conducted. If conducting a contains search, include a * at the end of the entry. g) Show Query If activated, the search proposal will be shown in technical syntax. h) Expert Mode Here you can adjust the search to be a bit more technical. For example, changing the AND function to an OR -related search. Simply replace AND with OR. You can also do an AND/OR search by placing parentheses around the search criteria. i) Test Query Activate this function to see if your search produces the desired results. It is possible to alter the search, but only newly received mails will be checked. You will need to copy the task, and then delete the old task in order to start a fresh search. Task Settings 9. Immediately After configuring the task, the task will begin immediately. 10. First execution date: The date on which the task should be initially executed. Combines together with the time. 11. First execution time: The time at which the task should be initially executed. Combines together with the date. 12. Execution frequency Frequency with which the task should be executed. The fields days, hours, and minutes determine how long after the last execution should the next execution start. All fields will then be added together. For example: 3 / 8 / 10 is calculated as follows3 days = 72 hours + 8 hours = 80 hours + 10 minutes 267

268 The Appliance Manager The task will start 80 hours and 10 minutes after the end of the previous execution. 13. Add Task enabled By adding, or after changing, a task, the task is activated. If immediately has been selected, the task will start immediately after adding or changing it. If the task should not start for a certain period of time, or is only being prepared for later use, do not activate immediately. The option will be set through the Activate or Disable selection in the context menu Change an Archive Task This can be done exactly as you would by Add an Archive Task, but without an ability to change the Task Type. If you need to change the Task Type, you first need to delete the original task, and then re-add the newly configured task Copy an Archive Task Use a previously created task to build a new one. The contents of the original task will be copied. 268

269 The Appliance Manager MailDepot Connectors Principle The MailDepot Connectors are designed to archive mails, without the mails needing to be directed through the standard archiving process. The mails are archived to the selected MailDepot container, but are not delivered to the respective mailbox, due to the fact that only copies of mail files are involved. The MailDepot connectors replace the need for separate internal mail archiving and depending on the type of mail infrastructure, the connectors are suitable for different scenarios. You can choose between SMTP, POP3, or directories as file interface connection. 269

270 The Appliance Manager SMTP Connector Mails with a standard SMTP protocol can be delivered to the archive with the SMTP connector. Different mail servers (ex. Postfix from Linux) can create a copy of an incoming mail and, via SMTP, forward the copy to another mail server. In this instance, the SMTP connector would act as the receiving mail server. Service status 1. Enabled Activate the SMTP connector by checking the box next to Enabled and confirm the selection to start the SMTP server of the MailDepot. The service starts immediately upon confirmation. 2. SMTP Server: The status of the SMTP server is displayed. Possibilities are: [ running ] [ stopped ] You can click the Stop/Start button to change the status of the SMTP server. 3. Spooler: The spooler processes the incoming mails through the SMTP connector and delivers them to the central archive spooler. There, the mails will be indexed and written to the default container. For diagnostic purposes, you can stop the spooler. Possibilities are: [ running ] [ stopped ] You can clicke the Stop/Start button to change the status of the SMTP spooler. 4. Queue length: The incoming mails found in SMTP format will be shown in the waiting list below. The complete number of mails in this list are displayed next to Queue length. 270

271 The Appliance Manager SMTP Connector Configuration Server Settings 1. Server name Enter the hostname of the SMTP server and the name to be used for SMTP dialogue purposes. The name is yours to choose as long as it conforms to standard hostname syntax. This name will be displayed in SMTP dialogue sessions and will be the name found in the file logs. 2. Port The TCP Port on which the SMTP server is found. Port 25 is NOT to be used. Port 25 is already taken by the SMTP server of the REDDOXX appliance. Therefore it is required that you properly configure the TCP port of the server which delivers the outgoing mails. 3. Max. Sessions The allowed maximum number of simultaneous incoming connections. When this number is exceeded, a Connection refused message will be sent to the connecting server. This option limits the possible overload of the REDDOXX appliance, especially when disk space is nominal. 4. Timeout The amount of time upon which the connection will be broken if data is no longer being exchanged. This limits the amount of resources being blocked by non-activity. 271

272 The Appliance Manager Addresses to use for the Access Control List (ACL) 5. SMTP Envelope only The recipient address from the transmission protocol will be used when allocating a mail to the intended user. (RCPT TO:) 6. Mail Header only The recipeint address taken from the header of a mail will be used when allocating a mail to the intended user. (To:) 7. SMTP Envelope and Mail Header The recipient address from both the transmission protocol and the header will used when allocating a mail to the intended user. In the archive, the mails which include either of the two addresses will be displayed. Address Restrictions 8. Enable Address Restriction If this option is activated, only IP addresses listed in the field below will be allowed to connect to the SMTP server. This limits unauthorized access to the server. The addresses need to be entered in IPv4 (x.x.x.x) format and separated with a carriage return. SMTP Authentication 9. Authentication required If activated, the delivery of mails via SMTP is only allowed with the correct authorization from the following user and password. 10. Username 11. Password 12. Static Access Control List (ACL) Additional mail addresses which are allowed access to mails archived through the SMTP connector. Enter only complete, unique mail addresses, symbols or wild cards are not allowed. Advanced 13. Use custom message type tag If this option is activated, every mail archived through the SMTP connector will be given a custom tag, which can be used when doing an advanced search in expert mode in the archive. 14. Custom tag Enter a number to serve as the designated SMTP tag. 272

273 The Appliance Manager POP3 Connector Principle The POP3 Connector can be used to configure mailboxes to be regularly singled out and scanned according to POP3 principles. Mails found matching POP3 format will be delivered to the spooler of the POP3 connector and, at the same time, deleted from the POP3 server. The matching mails will then be delivered to the central archive and archived in the default container. WARNING The mails picked up from a POP3 Server with the POP3 Connector will be deleted! Do not use the Connector for normal user mailboxes! NOTE: The REDDOXX POP3 MailDepot Connector is designed to archive mails passing through a normal infrastructure. The MailDepot Connector was not designed to retroactively archive mass amounts of . The REDDOXX MailDepot Importer should be used for this purpose Archiving internal mails from the MS Exchange Server Archiving internal mails from an MS Exchange server works best using a journaling mailbox which can be singled out via POP3. Instructions on creating a journaling mailbox can be found on the REDDOXX Support website under Manuals: support.reddoxx.net/manuals.php. Service Status Enabled Click the box next to "Enabled" to activate the POP3 connector and confirm the selection. The mailboxes will be scanned when the scheduled time has been reached.. Scheduler The service of the POP3 connector will start depending on when the mails are scanned and picked up from the POP3 mailboxes. The scheduled time is calculated using the time of the last execution plus the delivery time. This time determines the timing of the next start, which is shown in the POP3 Accounts list. Possibilities are: [ running ] [ stopped ] You can click the Stop/Start button to change the status of the POP3 server. Spooler The spooler processes the mails picked up from the POP3 server via the POP3 Connector and delivers them to the central archive spooler. There, the mails will be indexed and written to the default container. For diagnostic purposes, you can stop the spooler. Possibilities are: [ running ] 273

274 The Appliance Manager [ stopped ] You can click the Stop/Start button to change the status of the POP3 spooler. Queue length: The incoming mails picked up from the POP3 server will be shown in the waiting list below. The complete number of mails in this list are displayed next to Queue length POP3 Accounts In the POP3 Accounts window, you can configure different mailboxes to be cyclically scanned, and the mails matching POP3 criteria will be picked up by the POP3 Connector. The Journaling Mailbox of the MS Exchange server should be entered in this field. Note that there are other mail servers which create duplicates and place them in a separate mailbox. The mails taken from these mailboxes will be deleted! 1. Right click in the POP3 Accounts field and select Add. Account 2. Hostname Enter the hostname of the mail server from which the POP3 mails should be picked up. 3. Port The TCP Port which will be used for the POP3 connection. The standard port is 110 for non-encrypted mails, Port 995 for SSL. 4. Transport security Here you can choose if and how the delivery should be encrypted. Choices of encryption are: None, TLS, SSL. 274

275 The Appliance Manager If SSL is selected, the port will change to 995. When selecting an encryption method, make sure that the recipient supports the chosen encryption method. 5. Username The name of the mailbox which should be scanned for POP3 mails. Enter the Journaling mailbox name if the MS Exchange server is the intended target. For example: If you have the REDDOXX MSX-Agent already in operation, you can use it s user information. 6. Password Enter a password if necessary. Advanced 7. Account enabled Check the box to activate the POP3 pick up for this mailbox. If pick up is no longer necessary, uncheck the box. 8. Poll interval The amount of time which should pass between pick ups. The default amount of time is 60 minutes. 9. Use custom message type tag If this option is activated, every mail archived through the POP3 Connector will be given a custom tag, which can be used when doing an advanced search in expert mode in the archive. 10. Custom tag Enter a number to serve as the designated POP3 tag. 11. Static Access Control List (ACL) Additional mail addresses which are allowed access to mails archived through the POP3 connector. Enter only complete, unique mail addresses, symbols or wild cards are not allowed Troubleshooting If an error occurs, a message will appear in the POP3 Account list. At every pick up interval, if an error occurs, a message will be sent to the REDDOXX administrator. Possible errors which can occur: No connection to the POP3 server. The server is not reachable. Invalid user name or invalid password. Corrupt mail format. The file needs to be deleted from the server. A corrupt mail will be skipped, but the valid mails will continue to be processed. The corrupted mail can be identified by the date in mailbox. 275

276 The Appliance Manager Directory Watcher The Directory Watcher allows you to enter a directory which will be scanned for mail files, and the found mail files will be sent directly to the central archive spooler. The mail file will then be deleted from the directory. WARNING The mails found by the Directory Watcher will be deleted from the directory after the Directory Watcher has forwarded the file! PLEASE NOTE The Directory Watcher is not suited for the retroactive archiving of large quantities of files, for example, gigabyte large mailboxes with thousands of files in them. Service status 1. Enabled Check the box next to Enabled and confirm the selection to start the Directory Watcher. The directories will be scanned as soon as the scan interval has passed. 2. Scheduler The service of the Directory Watcher will start depending on when the mails are scanned and picked up from the directories. The scheduled time is calculated using the time of the last execution plus the delivery time. This time determines the timing of the next start, which is shown in the Monitored paths list. Possibilities are: [ running ] [ stopped ] You can click the Stop/Start button to change the status of the Directory Watcher. 276

277 The Appliance Manager Directory Watcher Settings 1. Right click in the Monitored Paths field to Add a directory. Path Settings 2. Path Choose a directory to be watched from the pull-down list. Click on the button at the end of this field to start the selection. PLEASE NOTE Make sure that the chosen directory and the subdirectories are able to be written to and the files are available to deletion. 3. Search mask Here you can enter different file types. Default is *.eml, which is the file type for standard internet mail. 4. Include subdirectories If activated, subdirectories will also be included in the scan. 5. Static ACL Additional mail addresses which are allowed access to mails archived through the Directory Watcher. Enter only complete, unique mail addresses, symbols or wild cards are not allowed. 277

278 The Appliance Manager Advanced 6. Enabled Check the box to activate the Directory Watcher for this directory. 7. Scan interval The amount of time which should pass between pick ups. The default amount of time is 60 minutes. 8. Use custom message type tag If this option is activated, every mail archived through the Directory Watcher will be given a custom tag, which can be used when doing an advanced search in expert mode in the archive. 9. Custom tag Enter a number to serve as the designated Directory Watcher tag Additional Access Rights per ACL Files You can add further access rights based on ACL files, directory level, or also on the basis of an file. Directory Method In the desired subdirectory, create a text file with the following name: rdxmaildepot.rdxacl. Enter the desired mail addresses, those users which should receive additional access rights, individually on a new row. Addresses need to be unique, symbols or wild cards are not allowed. For example: thomas@reddoxx.com administrator@reddoxx.com File Method In the dame directory in which the mail is found, create a file with the same name, but ending with the following file format:.rdxacl. For example: xyz.eml xyz.acl Continue by following the above Directory Method Troubleshooting Errors will be shown in the Monitored Paths list under the 2Message column. If an error occurs, a message will be sent to the REDDOXX administrator after every scan interval. Possible errors include: No authorization for this share, directory, subdirectory, or file. Corrupt Mail Format. A corrupt mail will be skipped and placed in a new directory. 278

279 The Appliance Manager <Supervised-Directory>/_RdxImportErrors Note the underline at the beginning of the of the file format. The error will be detailed in the following log file. <Supervised-Directory>/_RdxImportErrors/RdxImportError.log Audit Sessions Overview An Audit Session (Revision, Examination) allows authorized users access to selected mails. An audit session is coordinated for a limited time by an administrator. The authorized user, or auditor, is able to access the audit session from their user console. An audit is completely detailed, in order to show who, when, and where a mail was accessed and on whose authority the audit session was ordered Add an Audit Session 1. Click on Audit Sessions in the navigation tree. In the context field on the right, right click in the field and choose Add from the following menu. 279

280 The Appliance Manager Properties 2. Title Name of the audit. 3. Enabled Activates or deactivate the audit. Period of validity 4. No Limit No time limit on the audit session. 5. Valid from Enter a start date for the audit if wished. 6. Valid to Enter an end date for the audit if wished. Restrictions Containers 7. Allow all containers All containers found on the appliance will be available for the audit. Deactivate this option if you only wish to include certain containers. Categories 280

281 The Appliance Manager 8. Allow all categories Deactivate this option if you only wish to include certain categories. Filter Query 9. In the filter query, you can limit the audit to certain criteria that the mails must meet in order to be included in the audit. This is built exactly as a filter query is built in Archive Tasks. Access Control 10. Access control defines which users may participate in the audit. You can add one or more users, or an entire group if wished. TIP Participants not found under the local domains in the appliance administration (ex. an outside tax auditor), can be entered in the user administration in the local realm and then added to the ACLs. If there are more outside participants, it might be worth adding an entire user group. Participiants 11. Participants granted access to the audit. At the beginning of the audit, all listed participants need to authenticate themselves on the user console of the auditor in order to proceed with the audit. Description 12. Enter a detailed description of the need for the audit, and the areas which the audit will cover. The description will be included in the compliance log. 281

282 The Appliance Manager Archive Spooler Image: Archive Spooler The Archive Spooler shows a list of mails that are to be processed by the appliance. Image: Archive Spooler Queue The mail that is processed is shown in blue color. In case of Errors, the Last try and Last error field is getting additional information. The view can be refreshed with F5. Image: right-click options The option Reload spooler files can be used after a failure of storage, or a not mounted container. The spooler will then process the mails again. The option Delete will remove Mails from the spooler. These mails will NOT be archived. This function should only be used on corrupted mails with errors like no message loaded or There is not Action with index (1) stored. A Restore of deleted Mails is NOT possible. It is quite useful to enable the Diagnose Archiv Spooler Queue to watch the number of messages in the queue. This can be helpful, if a storage fails an the mails cannot be processed. The Storage problem can then be fixed before the appliance internal storage runs full. 282

283 The Appliance Console 6 The Appliance Console General The appliance (or also terminal-) console is used to make system closed configuration and administration tasks as for e.g. network settings, backup and restore settings and starting and stopping services. How to connect to the appliance console You get an appliance console on a directly plugged terminal, or via ssh protocol (port 22) with the putty-application on a Windows PC. Login as user admin with initial password AppAdmin Overview The Appliance console contains the following functions: Initial network settings for immediate accessibility in the network; System and data backup (backup and restore); Resetting the appliance to the original (factory) settings; Cluster administration; Clear the MailDepot and rebuild the full text index of the mail archive; Starting and stopping the remote support services and the appliance; Adapting the admin password for this appliance console. 6.1 Appliance Settings Here you adjust the network and the time server settings and the backup for a Restore. 283

284 The Appliance Console Network Settings Adjust the appliance with hostname, Domain, IP-Address, Netmask, Gateway and two DNS-Servers. First you will be asked to enable the bridge mode or not. Then setup the network parameters for hostname, domain name, IP address, net mask and 2 name servers. Choose OK. The network will be restarted and is ready with the new settings. 284

285 The Appliance Console Time Server Settings Setup the time servers. Note, that you have opened UDP Port 123 on the firewall. 285

286 The Appliance Console Timezone Select the timezone that matches the location of your Appliance Backup and Restore Settings Please refer to chapter IP-Aliases Some services can be bound with a seperate IP address. Enter here an IP address to enable the MailDepot SMTP Connector service to receive s on this seperated IP address. Finally all Reddoxx services gets restarted. 286

287 The Appliance Console 6.2 Backup and Restore Backups can be started in the backup menu. A reboot to the recovery mode or restore of an appliance is also possible Backup and Restore Settings Please refer to chapter Start an Appliance Backup If you want to migrate the appliance to another hardware, you need a constant state. Stop the REDDOXX engine with YES to ensure this. The operation of the REDDOXX is stopped. NO: The operation of the REDDOXX is not interrupted. The backup runs in the background Start an Appliance Restore To restore an appliance you have to reboot it and on the boot menu select the second item called Appliance recovery. 287

288 The Appliance Console After rebooting in recovery mode a login is prompted. Login as admin. The password is AppAdmin. You will see the main menu Select the option Restore. 288

289 The Appliance Console Restore Settings Select the Storage where your Backup is stored (CIFS or iscsi). CIFS If your Backup is saved on a CIFS Share, select CIFS in the menu and provide your credentials. ISCSI If your Backup is saved on an iscsi Device, select isci in the menu and provide your iscsi settings. Initiatorname is used to authorize the connection to your ISCSI-Target. Default is: iqn com.reddoxx.appliance. Enter IP-Address and Port (default is 3260) of your iscsi Portal. 289

290 The Appliance Console All available iscsi targets are shown, select the one where your backup-set is stored. Select the LUN that has your Backup Sets. You will get a list of current available backups. With the cursor buttons, select the desired backup and activate it for restore with the SPACE bar. Then the marking shows an asterisk (*). 290

291 The Appliance Console Confirm the prompt with YES. The RESTORE starts. 291

292 The Appliance Console The restore is starting and shows the state. Check for errors after a restore in the log and run a new restore from another Backup, if errors are shown. Reboot the Appliance in normal Mode if everything went fine. IMPORTANT! A Database Restore is required after rebooting in normal mode. Login to the Appliance Console and confirm the Question with OK. Confirm the Database restore. The engine is started and the appliance is working again after a short time. 292

293 The Appliance Console Reboot You may reboot the Appliance to get into the recovery mode where you can restore an appliance. 6.3 Advanced Options In the ADVANCED OPTIONS you can reset the appliance to factory default settings. Further more you can delete the whole MailDepot or rebuild the full text search index. WARNING Resetting the appliance to factory default settings will destroy all data. You are not able to restore the data until you have a successfully done BACKUP Database Maintenance 293

294 The Appliance Console After selecting one of the options in the menu, the REDDOXX Engine needs to be stopped, remember to start the Engine later on Database Check The Database will be checked for consistency and data error. 294

295 The Appliance Console Database Maintenance Select Yes to start the database maintenance if you think that the appliance is running slowly. Finnish the maintenance with EXIT. 295

296 The Appliance Console Database Repair Start a Database Repair, if the database check found errors, following screen is shown: Rebuild the full text index of the MailDepot Choose YES to start the rebuild of the full text search index. On the screen appears as follows: At this point the indexer is waiting until the next incoming which is to be archived. This is necessary to mark the endpoint for the full text indexer and the starting point fort he daily incremental indexer. 296

297 The Appliance Console Please note that the option full text indexing in the MailDepot configuration is activated. If not set, the indexer is waiting until infinitely. If the option was not already enabled, you can enable now without interrupting the indexer. The indexer will recognize immediately after enabling this option. After receiving the next mail into the archive the indexer starts and counts the amount of mails to be indexed and shows an estimated time how long it will take. At the end the dialogue goes back to the main menu. The full text indexer needs for ~ s on a MEDIUM appliance up to 24 hours. We recommend starting the full text indexing over the weekend Set Appliance Settings to Factory Defaults You may set the Appliance to factory default, by selecting one of three possible modes. Before resetting, you will be asked once again whether you really want to do this. Cancel with NO if you do not want to reset the appliance after all CleanDatabaseOnly This option deletes all s, filter lists and user data. Before resetting, you will be asked once again whether you really want to do this. Cancel with NO if you do not want to reset the database after all. 297

298 The Appliance Console Keep Network Settings Here you can delete all data inside the MailDepot. The internal database will be cleaned and the local files will be deleted. The network settings will remain Complete This mode includes both above options. The Appliance needs to be restarted after completion. 298

299 The Appliance Console 6.4 Cluster Options Show size of data partition Check the size of the data partition. Compare the value with the one of the otter appliance you want to setup a cluster. The value of the secondary appliance must not be higher that the primary appliance Leave Cluster Select Yes if you want to release the cluster. After rebooting this appliance it will work in single mode. 299

300 The Appliance Console 6.5 Start and Stop Services Start REDDOXX Engine Serves to stop and restart the REDDOXX Engine Start REDDOXX Remote Support By starting the remote support services, you enable the support staff of REDDOXX to access your REDDOXX Appliance. Stop this service after checking with the REDDOXX support Appliance Reboot Serves to restart the appliance. A prompt appears beforehand Appliance Shutdown Serves to shut down the appliance. A prompt appears beforehand. 300

301 The Appliance Console 6.6 Change Admin Password Here you can change the password for the user admin for access to the appliance console. If you want to cancel the dialog, press CTRL-C. 301