The Mail Security Gateway
CryptoFilter Email Security Gateway for Microsoft Exchange

CryptoFilter is a pass-through S/MIME gateway for Exchange and other SMTP servers

CryptoFilter provides S/MIME decryption, encryption, signing and signature verification at the edge

Works with:
  • Every version of Exchange server including 
    Small Business Server and Exchange 2000/2003/2007/2010 
  • Any SMTP server like IMail, Lotus Notes and Novell GroupWise
S/MIME:
  • Decrypts messages to enable spam and virus scanning
  • Validates the signature and can optionally reject messages that fail validation
  • Encrypts and signs outgoing messages using a single certificate
Benefits:
  • Encrypt all messages between two servers using a single certificate
  • Server-based policy handling rather than confused end-users
Optional Features:
  • Encryption of Exchange TNEF/RTF messages
  • Acts as an eBilling / eInvoice signature server
  • Automatically extracts the certificate from incoming messages
     
  • Keep a copy of every encrypted message 
     
  • Run as a service on Windows® 2000/2003/2008 
  • Compatible with various Asian, Western and Eastern European languages
  • Available in English, German, French, Italian, Spanish
     

How CryptoFilter works

For incoming messages, CryptoFilter must receive the message before your Exchange server does, so that it can perform its checks before handing the message over to Exchange. Depending on whether you run CryptoFilter on the same machine as Exchange or on a different machine, CryptoFilter either takes over port 25 (and Exchange moves to another port) or acts as the relay host that your MX record points to.

For outgoing messages, the Exchange server passes the message to CryptoFilter, which performs its checks and then sends the message out to the Internet. From the Exchange server's viewpoint, CryptoFilter is a normal relay host (smart host).

So the message flow for incoming messages is Internet -> CryptoFilter -> Exchange server,
and for outgoing messages it is Exchange server -> CryptoFilter -> Internet.


System Requirements

  • Windows® 2000/2003/2008 with TCP/IP installed
  • Microsoft Exchange, Lotus Notes or any other SMTP server

Installation

Decide if CryptoFilter should be installed on the Exchange server or on a different machine:

  • Single Exchange server

    If you have only one Exchange server and fewer than 10,000 messages each day,
    then run CryptoFilter on the Exchange server.
     
  • More than one Exchange server in the organization

    If you have more than one Exchange server in your organization, run CryptoFilter on a different machine, or at least on a different IP address, because the Exchange servers exchange internal state using Microsoft proprietary SMTP verbs on port 25, and a third-party gateway such as CryptoFilter must not be inserted into the traffic flow between internal Exchange servers.
     
  • Cluster

    If you have a cluster then you must run CryptoFilter on a different machine, because CryptoFilter doesn't support a cluster.
     

Once you decided on which machine you are installing CryptoFilter, perform the following steps:

  • Run Setup.exe or create a directory on your machine and copy all the files into this directory
  • Start CryptoFilter Admin (MBAdmin.exe) to configure CryptoFilter
  • The first time you run CryptoFilter you will be prompted for the following information:
     

    Postmaster's address
    The address of the person who is responsible for maintaining CryptoFilter. CryptoFilter will send all error messages to this address.

    The name or IP address of the Exchange server.
    If CryptoFilter is running on the same machine as the Exchange server, then you can (and should) use localhost as the name.

    The port Exchange listens
    If CryptoFilter is running on the same machine as the Exchange server, then use port 24, otherwise use port 25.

    Screenshot: CryptoFilter on the same machine as Exchange , CryptoFilter on a different machine

    The e-mail domain that your Exchange is responsible for
    CryptoFilter needs to know for which e-mail domain your Exchange is responsible, so that it can forward messages for this domain to your Exchange.

    Screenshot: e-mail domain that your Exchange is responsible for

  • Running CryptoFilter on the same machine as Exchange server

    Incoming Messages

    If you run CryptoFilter on the same machine as the Exchange, then you must tell Exchange to listen on a separate port; i.e. not port 25, because only one application can listen to a specific port at one time and CryptoFilter needs to be the first application that gets SMTP messages.

    • Exchange 5.x

      To do this open the file services, usually located in C:\WINNT\system32\drivers\etc\SERVICES
      with Notepad or any other text editor. Locate the line smtp 25/tcp mail and change 25 to the port
      of your choice (use 24 if you are not sure which one you should use) and save the file.

      Restart the IMS (Internet Mail Service) of the Exchange server to bring the new settings into effect.

      Screenshot: Notepad with SERVICES
       

    • Exchange 2000/2003

      Start System Manager (Exchange Admin) and select 
      Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties.
      In this dialog select the tab labeled General and then Advanced and here you can set
      the port on which this virtual server listens.

      Screenshot: Exchange port

      Also make sure Anonymous access is allowed, or else CryptoFilter is not able to connect to Exchange. Keep in mind that anonymous access lets any host that can reach this port hand mail to Exchange without passing through CryptoFilter, so make sure the port is not reachable from the Internet; otherwise the gateway can be bypassed.

      In System Manager ( Exchange Admin) select
      Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties.

      In this dialog select the tab labeled Access and then Authentication and enable Anonymous access.

      Screenshot: Exchange access

      Restart the SMTP service of Exchange to bring the new setting into effect.
       
    • Exchange 2007/2010/SBS 2008

      Start Exchange Management Console and select 
      Server Configuration->Hub Transport->Receive Connectors

      Exchange 2007/2010 has two receive connectors, Client SRV and Default SRV.

      SBS 2008 has three receive connectors, Client SRV and Default SRV and Windows SBS Fax SharePoint Receive SRV.

      Default SRV and Windows SBS Fax SharePoint Receive SRV are the connectors that are bound to port 25 and you either need to change them to  port 24 or disable them and create a new connector.

      In the first case select the properties of the
      Default SRV connector and in this dialog select the tab labeled Network and set the port to 24.

      In the second case create a new receive connector, type
      Internet and bind it to port 24.

      Screenshot: Exchange inbound connector list, Exchange port

      Also make sure Anonymous access is allowed or else CryptoFilter is not able to connect to Exchange. In the properties of the connector select the tab labeled Permission Groups and make sure Anonymous users is enabled. Because anonymous submission on this connector would let any host that can reach port 24 bypass CryptoFilter, also restrict the connector to CryptoFilter's address: on the tab labeled Network, limit the remote server IP addresses the connector receives mail from to 127.0.0.1 (or the IP address of the CryptoFilter machine).

      Alternatively, give CryptoFilter a user and password so that it can perform SMTP authentication. Start MBAdmin, select Options->General->Exchange->Exchange needs authentication and type in the user and password.

      Note: The user that you use for authentication MUST NOT have a mailbox and MUST be an administrator. DO NOT use Administrator, because there is a mailbox associated with that account and therefore it can't be used for SMTP authentication.

      Note: On Windows 2008 and SBS 2008 you need to open port 25 on the firewall. The firewall has only exceptions for Exchange, but not for CryptoFilter. So unless you open port 25, no mail will come in.
       

    Then start MBAdmin, select Options->General->Exchange->Exchange listens on port and type in the same port that you used in Exchange ( e.g. 24 ) .


    Outgoing Messages
    (this step is optional: it is only needed if CryptoFilter should sign or encrypt outgoing messages; inbound decryption and signature verification work without it)
     

    • Exchange 5.x

      Start Exchange Administrator, select the IMS (Internet Mail Service) and click on the tab labeled Connections.

      Enable Forward all messages to host and type in localhost.

      Close the dialog and restart the IMS.

      From then on the Exchange server will forward all messages to localhost,
      which means it sends them to CryptoFilter.
       

    • Exchange 2000/2003

      If you have no SMTP connector then start System Manager (Exchange Admin) and select
      Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties.

      In this dialog select the tab labeled Delivery and then Advanced and in Smart host type in localhost.

      Screenshot: Exchange forward

      Close the dialog and restart the SMTP service of Exchange. From then on the Exchange server will forward all messages to localhost, which means it sends them to CryptoFilter.

      If you have a SMTP connector then start System Manager (Exchange Admin) and select Routing Groups->Exchange->Connectors->Your SMTP Connector->Properties->Forward all mail through this connector to the following smart host and type in the name or IP address of the machine where CryptoFilter is running.

      Close the dialog and restart Exchange. From then on the Exchange server will forward all messages to that name or IP address, which means it sends them to CryptoFilter.
       

    • Exchange 2007/2010/SBS 2008

      Start Exchange Management Console and select
      Organization Configuration->Hub Transport->Send Connectors

      If there is no connector in the list, then create one, else select the properties of the correct outbound connector.

      In this dialog select the tab labeled Network and then select Route all mail through the following smart host. Press the Add button and add localhost as the smart host.

      Screenshot: Exchange outbound connector list, Exchange smart host

      Close the dialog and restart Exchange. From then on the Exchange server will forward all messages to localhost, which means it sends them to CryptoFilter.
       
  • Running CryptoFilter on a different machine than the Exchange server

    Incoming Messages

    Start MBAdmin, select Options->General->Exchange->Name or IP address of the Exchange server
    and type in the name or IP address of the Exchange server.

    Screenshot: CryptoFilter on a different machine

    Depending on your DNS configuration you will need to change the MX record so that it points to the machine where CryptoFilter is running, or else CryptoFilter will not get the messages before Exchange. Keep in mind that Exchange still accepts SMTP on port 25 in this setup, so make sure only CryptoFilter can reach that port (firewall rule or connector IP restriction); otherwise anyone who learns the Exchange server's address can deliver mail directly and bypass CryptoFilter.

    Note: On Windows 2003/2008 you need to open port 25 on the firewall. So unless you open port 25, no mail will come in.

    Outgoing Messages
    (this step is optional: it is only needed if CryptoFilter should sign or encrypt outgoing messages; inbound decryption and signature verification work without it)
     

    • Exchange 5.x

      Start Exchange Administrator, select the IMS (Internet Mail Service) and click on the tab labeled Connections
      Enable Forward all messages to host and type in the name or IP address of the machine where CryptoFilter is running. Close the dialog and restart the IMS. From then on the Exchange server will forward all messages to CryptoFilter.
       
    • Exchange 2000/2003

      If you have no SMTP connector start System Manager ( Exchange Admin) and select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. In this dialog select the tab labeled Delivery and then Advanced.

      In Smart host type in the name or IP address of the machine where CryptoFilter is running.
       
      Close the dialog and restart Exchange. From then on the Exchange server will forward all messages to CryptoFilter.

      If you have a SMTP connector then start System Manager (Exchange Admin) and select Connectors->Your SMTP Connector->Properties->Forward all mail through this connector to the following smart host and type in the name or IP address of the machine where CryptoFilter is running. 

      Close the dialog and restart Exchange. From then on the Exchange server will forward all messages to that name or IP address, which means it sends them to CryptoFilter.
       

    • Exchange 2007/2010/SBS 2008

      Start Exchange Management Console and select
      Organization Configuration->Hub Transport->Send Connectors

      If there is no connector in the list, then create one, else select the properties of the correct outbound connector.

      In this dialog select the tab labeled Network and then select Route all mail through the following smart host. Press the Add button and type in the name or IP address of the machine where CryptoFilter is running as the smart host.

      Screenshot: Exchange outbound connector list, Exchange smart host

      Close the dialog and restart Exchange. From then on the Exchange server will forward all messages to that name or IP address, which means it sends them to CryptoFilter.
       

Once you have done this you can start MBServer and check if all messages are properly routed.
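The same inbound and outbound wiring as an Exchange Management Shell script, added here as an example; it is not part of CryptoFilter or of DataEnter's documentation. It covers both placements described above (CryptoFilter on the Exchange server, where Exchange moves to port 24, and CryptoFilter on a separate host, where Exchange stays on port 25) and adds the restriction a practitioner wants: Exchange's receive connector only accepts mail from CryptoFilter's address, so the gateway cannot be bypassed by connecting to Exchange directly. The server name SRV, the connector names "Default SRV" and "Internet", the mail domain example.com, IPv4-only bindings and a single Hub Transport server are assumptions; the extra SBS 2008 Fax/SharePoint connector is not handled. Run it in the Exchange Management Shell on the Exchange 2007/2010 server.

```powershell
# Added example, not DataEnter's code. Assumptions (adjust to your environment):
# single Hub Transport server "SRV", receive connector "Default SRV",
# send connector "Internet", IPv4 only.
param(
    [string]$ExchangeServer = 'SRV',          # assumed server name
    [string]$CryptoFilterIP = '127.0.0.1',    # 127.0.0.1 when CryptoFilter runs on SRV, else its LAN IP
    [string]$SendConnector  = 'Internet',     # assumed send connector name
    [string]$MailDomain     = 'example.com'   # assumed domain whose MX should point at CryptoFilter
)

$sameMachine  = ($CryptoFilterIP -eq '127.0.0.1')
$exchangePort = if ($sameMachine) { 24 } else { 25 }   # Exchange moves to 24 only when co-located
$receiveId    = "$ExchangeServer\Default $ExchangeServer"

# 1. Inbound. Exchange listens on $exchangePort and allows anonymous submission, because
#    that is how CryptoFilter hands mail over. Limiting RemoteIPRanges to CryptoFilter's
#    address is what stops any other host from delivering straight into Exchange.
Set-ReceiveConnector -Identity $receiveId `
    -Bindings "0.0.0.0:$exchangePort" `
    -RemoteIPRanges $CryptoFilterIP `
    -PermissionGroups 'AnonymousUsers'

# 2. Outbound. Everything leaves via CryptoFilter as smart host; DNS routing is switched
#    off, otherwise Exchange could deliver directly and skip signing/encryption.
Set-SendConnector -Identity $SendConnector `
    -DNSRoutingEnabled $false `
    -SmartHosts $CryptoFilterIP

# 3. Firewall. The built-in exceptions cover Exchange only; port 25 must be opened on the
#    machine where CryptoFilter listens (this netsh call only applies when that is SRV).
if ($sameMachine) {
    netsh advfirewall firewall add rule name="CryptoFilter SMTP" dir=in action=allow protocol=TCP localport=25
} else {
    "Open TCP 25 on $CryptoFilterIP, and check that the MX record points there:"
    nslookup -type=MX $MailDomain
}

# 4. Verification: read the 220 greeting from each hop so you can see who answers where.
function Get-SmtpBanner {
    param([string]$Hostname, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Hostname, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $banner = $reader.ReadLine()          # first line of the SMTP greeting
        $writer.WriteLine('QUIT'); $writer.Flush()
        return $banner
    } catch {
        return "no answer from ${Hostname}:$Port ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

Get-ReceiveConnector -Server $ExchangeServer | Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
Get-SendConnector -Identity $SendConnector | Format-List Name, SmartHosts, DNSRoutingEnabled
"Port 25 on $CryptoFilterIP (expect CryptoFilter): " + (Get-SmtpBanner -Hostname $CryptoFilterIP -Port 25)
"Port $exchangePort on $ExchangeServer (expect Exchange): " + (Get-SmtpBanner -Hostname $ExchangeServer -Port $exchangePort)
```

Run it with the default parameters for the co-located case, or with -CryptoFilterIP <gateway address> when CryptoFilter sits on its own machine. If the greeting on port 25 comes from Exchange rather than CryptoFilter, the port change did not take effect; if a connection from any address other than CryptoFilter's is accepted on the Exchange port, the RemoteIPRanges restriction is missing and the gateway can be bypassed.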


Run CryptoFilter as a service

Once you run CryptoFilter as a service, errors will only be visible in the logfile or in the main window of MBAdmin. Consequently, before running it as a service you must first ensure that CryptoFilter is running properly with no errors by launching it in Console Mode (i.e. starting it from an icon).

In general, installing CryptoFilter as a service should be your last task and not your first.

Note: Keep in mind that CryptoFilter needs to reside on a local disk or the service controller will not be able to start it. Also make sure MBAdmin.exe and MBServer.exe are in the same directory.
 

  • From MBAdmin
Start MBAdmin, select View->Service and here you can install, remove, start and stop the service. By default it is an AutoStart service and any time your computer is started, CryptoFilter will start.

Note: After you have started CryptoFilter as a service, verify that CryptoFilter has no errors. You need to take a look into the logfile to do this, or start MBAdmin and view the logfile in the main window.
  • From the command line

For the examples below, we assume CryptoFilter is in C:\CryptoFilter

  • Installing CryptoFilter as a service

Start MBServer.exe with the argument of install, by typing MBServer install at the command prompt and CryptoFilter will create the service.

By default it is an AutoStart service and any time your computer is started, CryptoFilter will start. You can start and stop CryptoFilter at any time via Control Panel

Note: After you have started CryptoFilter as a service, verify that CryptoFilter has no errors. You need to take a look into the logfile to do this, or start MBAdmin and view the logfile in the main window.

  • Removing CryptoFilter as a service

Start MBServer.exe with the argument of remove, by typing MBServer remove at the command prompt and CryptoFilter will delete the service.


How to stop CryptoFilter

  • CryptoFilter runs as a console application:
      • Press ESCAPE
      • Select Close from the system menu (works only on Windows NT®)
      • Press Alt-F4 (works only on Windows NT®)
  • CryptoFilter runs as a service on Windows NT®:
      • Open Control Panel, select Services, locate CryptoFilter and
        press the button labeled Stop
      • Type Net Stop CryptoFilter at the command prompt

Upgrade to the latest Version

You will find the latest version of CryptoFilter in the Download Area

setup_cryptofilter_??.exe searches for a previously installed CryptoFilter and updates only the executable files. The settings, which are stored in cryptofilter.ini and *.dat, are not touched.

If the CryptoFilter service is running, it is stopped and restarted after the update. In the unlikely event that an executable is locked, the setup program asks for a reboot to replace the file. If you refuse the reboot, you need to reboot manually later to bring the new executable into effect.
 

Note: If you are upgrading from a very old version then you must reapply your registration number.


Helper Programs

  • Signal

    Signal is a command line program that allows you to perform the same commands as from the Signal menu of MBAdmin. You can force the download of POP3 messages by simply clicking on a link rather than starting MBAdmin.

  • LogView

    LogView allows you to view the logfile in real time from any machine on your network.
    This is especially useful if MBServer runs as a service.
     
  • TestMX

    TestMX is a command line program to resolve the MX record for a given domain and then connect to the mail server. The main purpose is to troubleshoot MX related problems or to check if a domain can accept messages.
     
  • CSVToEnv

    CSVToEnv is a command line program to recreate the envelope from the statistic file. CSVToEnv is needed to resend messages from the history folder.
     
  • TLS/SSL Toolkit

    The TLS/SSL Toolkit contains a generic certificate that you may use for a quick start.
    Download TLS/SSL Toolkit and extract cert.pem and cacert.pem into the CryptoFilter directory and then turn on TLS/SSL.
    Note that the generic certificate is shared by everyone who downloads the toolkit, so it gives you transport encryption but no authentication of your server; use it only for a quick test and replace cert.pem with a certificate issued for your own host before relying on TLS in production.
     
  • SerializeLog by Softec Integrations AG

    SerializeLog is a command line program to serialize the CryptoFilter logfile to facilitate troubleshooting.
     
  • UniqueLog (beta)

    UniqueLog.vbs extracts the parts of a logfile that belong to a unique id.

Troubleshooting

See the troubleshooting section.


Licensing Agreement

CryptoFilter ® is copyrighted 1993-2009 by DataEnter GmbH

This product and its documentation may not, in whole or in part, be copied, rented, leased, loaned, resold, assigned, sublicensed, modified, reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any other natural or computer language, in any form or by any means whatsoever, be it electronic, mechanical, magnetic, optical, manual or otherwise, without the prior written consent of DataEnter.

DataEnter makes no warranty or representation, either expressed or implied, with respect to the product CryptoFilter and its documentation, their quality, performance, merchantability, or fitness for a particular purpose. DataEnter reserves the right to revise the user's guide and make changes to the content without obligation to notify any person or organization of such change. In no event will DataEnter be liable for any direct, indirect, special, incidental or consequential damages, real or imagined, resulting from the use or purchase of this software. Under no circumstances shall DataEnter's liability for damages exceed the price paid for the software license. Should any remedy hereunder be determined to have failed, all limitations of liability and exclusion of damages set forth above shall remain in full force and effect. The extent of the DataEnter's warranty for the software and its documentation is limited to physical defects of the distribution media containing the software. Contact DataEnter to obtain return authorization for the replacement diskette within 30 days of the original date of purchase. Any further statement made by agents, employees, distributors or dealers of DataEnter do not constitute warranties and are not binding. No employee of DataEnter has the authority to modify any portion of this warranty.

All brand and product names we refer to in the documentation are used solely for identification purposes and may be trademarks of other companies.

CryptoFilter Standard Edition: DataEnter, (the licensor) grants the buyer (the licensee) the right to use this copy of CryptoFilter Standard Edition (the program) on a single computer at a single location running a single instance and servicing a single Exchange server as long as the licensee complies with the terms of this license.

CryptoFilter Enterprise Edition: DataEnter, (the licensor) grants the buyer (the licensee) the right to use this copy of CryptoFilter Enterprise Edition (the program) on a single computer at a single location running a single instance as long as the licensee complies with the terms of this license.

The licensor reserves the right to terminate this license if the licensee violates any part of the agreement. The licensee agrees to make copies of the program only for backup purposes. The licensee agrees not to copy the documentation and to take all necessary precautions to ensure that the backup copies of the software are not distributed to or acquired by other parties.

Support: Support is by e-mail

Upgrades, Updates: Updates are free, as long as the major version number does not change.
( at present the major version number is v3.x ) 

Trademarks, OpenSSL Credit


History

v3.01 2010-01-20

  • New: View->Statistic
  • New: Disable TLS/SSL weak cipher ( TLSServOmitWeakCipher=True, TLSClientOmitWeakCipher=True )
  • New: Support for RFC 2319 - Ukrainian Character Set KOI8-U
  • Chg: If TLS is enforced and the recipient's server returns a temporary error, the message is rescheduled rather than sending a non-delivery report ( happens with Bank of America )
  • Chg: Default codepage from UTF-7 to UTF-8 because some free mailers don't support UTF-7
  • Chg: Outbound messages scheduler performs better when there are a lot of messages in the queue
  • Chg: Timeout for DATA set to the values of RFC 5321
  • Chg: Using Microsoft VCC rather than Watcom for 32bit application
  • Chg: In 64bit XWall, MBAdmin is a native 64bit application
  • Fix: SSLv2 security flaw ( SSLv2 is still in place or else SSLv3/SSLv2 clients can't auto-negotiate )
  • Fix: Faster shutdown when a lot of SSL connections are open
  • Fix: parenthesis in Received: header line

v3.02 2010-08-17

  • New: SMIME verbose output for certificate rule (VerboseSMIMECert=True)
  • Chg: Updated e-mail address parser for RFC 3696, RFC 5321 and RFC 5322
  • Fix: SMIME removing of non-detached signature with different header lines
  • Fix: SMIME sign validates private key and prints an error into the logfile
  • Fix: SMIME ignores lonesome smime.p7m attachment

See the complete History.