The Mail Security Gateway

Administer CryptoFilter for Microsoft Exchange

Introduction

CryptoFilter accepts the message, performs all selected checks on it and, in the case of a policy violation, triggers the action that is associated with the policy.

You can select one of the following actions:

  • Discard message

    The message is discarded. This means the message goes into a virtual wastebasket
    and no notification is sent to the sender or the recipient.
     
  • Encapsulate and forward to Postmaster

    A new message is sent to Postmaster stating which method caused the blocking.
    The original message is added as an attachment.
     
  • Forward to Postmaster

    The original message is forwarded unchanged to Postmaster.
     
  • Forward to recipient

    The original message is delivered unchanged to the recipient.
    In effect, this action does nothing.
     
  • Encapsulate and send to recipient

    A new message is sent to the recipient stating which method caused the blocking.
    The original message is added as an attachment.
     
  • Encapsulate and send to recipient without attachments

    A new message is sent to the recipient stating which method caused the blocking. The original message is added as an attachment, but the attachments of the original message are removed.
     
  • Send a non-delivery report to the sender

    A non-delivery report is sent to the sender stating which method caused the blocking.

    Note: Sender addresses of spam and malware are usually forged. For such messages this action generates backscatter, a non-delivery report to an innocent third party, so prefer it only for policies that catch legitimate senders.
     
  • Mark subject

    The subject is tagged with a short string identifying the method that caused the blocking.

    Here is a sample of the new subject line:

    Drive yourself wild with a motor home... [smime]
     

General syntax

  • IP Address

    CryptoFilter expects IP addresses in CIDR notation.

    A single address is written as either 10.0.0.1 or 10.0.0.1/32.
    For the range 10.10.10.0 to 10.10.10.255 use 10.10.10.0/24.

     
  • Wildcards

    CryptoFilter supports the following wildcards:
  • ? matches one character
  • * matches one or more characters
  • # matches one or more digits
     

Note: Make sure the star (*) wildcard does not match more than you intend. For example, s*x matches sex, but it also matches the phrase "See how exciting this is".

 


Exchange

Postmaster's e-mail address
 

E-mail address of the person who is responsible for maintaining CryptoFilter. 
CryptoFilter will send error messages to this address.

  • Notify postmaster when a new program version is available

    If checked, CryptoFilter periodically performs an online check for a program update and sends a notification to Postmaster when a new program version is available.
     
  • Name or IP address of the Exchange server

    Host name or IP address of the Exchange server. The default is localhost, which means that the Exchange server is on the same machine as CryptoFilter.

  • Exchange listens on port

    The port that CryptoFilter uses when connecting to the Exchange server. If CryptoFilter and Exchange run on the same machine, both cannot listen on port 25, so you may need to adjust the port you have selected for the IMC. For Exchange 5.x you do this by changing the services file.

  • Refuse inbound connections on problems with outbound connections

    If checked and CryptoFilter is unable to establish a connection with the Exchange server, CryptoFilter does not accept incoming messages until it can communicate with Exchange again. Sending servers then queue and retry, rather than CryptoFilter accepting mail it cannot deliver.

  • Exchange needs authentication

    Allows you to enter the user name and password if your Exchange server requires authentication before it accepts mail.

  • Specify by e-mail-domain
    ( Enterprise Edition only )

    Allows you to define inbound e-mail domains that are hosted on a different Exchange server.


Logfiles

Write Logfile
 

If checked, CryptoFilter will write a logfile called MBYYMMDD.LOG, where YY is the year, MM is the month and DD is the day.

  • Directory

    The directory where CryptoFilter writes the logfile.
     
    If the Directory is empty, CryptoFilter writes the logfile into the directory where MBServer.EXE resides.

    Note: This is a directory, not a filename. The filename is always MBYYMMDD.LOG.

  • Purge logfiles after x days

    Purges the logfiles after the set number of days.

Diagnostic Logging

  • Verbose Logging

    If checked, CryptoFilter displays and logs everything; if unchecked, only a minimal amount of information is logged.

  • Log Message Transfer

    If checked, CryptoFilter displays and logs the SMTP dialogue of the message transfer.

  • Log Message Header

    If checked, CryptoFilter displays the header of the message.


History

Keep a copy of every message
 

If checked, CryptoFilter keeps a copy of every message in the HIST-IN and HIST-OUT folders.
Make sure you have enough free disk space if you enable this option, and restrict access to the directory: it holds a complete copy of all mail traffic that passed through the gateway.

The message files are plain text files and contain exactly what was sent over the wire.

This means you can read the message files in Notepad. If you want to extract an attachment from a message, either rename the file to .eml and open it with Outlook Express, or rename the file to .uue and use WinZip to extract the attachment.

If you want to resend a message, use SMTPSend with the -g option, or open the message in Outlook Express and resend it from there.

If you want to resend more than one message, use either CSVToEnv or ESATInformer.
 

  • Directory

    The directory in which CryptoFilter creates the HIST-IN and HIST-OUT folders.
     
    If the Directory is empty, CryptoFilter creates the folders in the directory where MBServer.EXE resides.

  • Purge message files after x days

    Purges the message files after the set number of days.


Statistic

General

  • Write Statistics File

    If checked, CryptoFilter writes a statistics file called SRYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all inbound and outbound messages that CryptoFilter handled.

    You can use Excel or any other program that imports delimited text files to run your statistics.

  • Directory

    The directory where CryptoFilter writes the statistics file.

    If the directory is empty, CryptoFilter writes the statistics file into the directory where MBServer.EXE resides.
     
  • Purge statistics files after x days

    Purges the statistics files after the set number of days.

  • Write SMTP blocking statistics file

    If checked, CryptoFilter writes a statistics file called SPYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all messages that CryptoFilter rejected at the SMTP level.

    Note:
    Because the message is rejected before the sending server has told CryptoFilter whom the message is addressed to, the CSV file does not show the e-mail address of the final recipient.
     
  • Write send statistics file

    If checked, CryptoFilter writes a statistics file called SSYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all messages that CryptoFilter sent.
     
  • Write virus statistics file

    If checked, CryptoFilter writes a statistics file called SVYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all messages in which a virus was found.

Options

  • Use long date in statistic file (yyyy-mm-dd vs. yy-mm-dd)

    If checked, CryptoFilter uses the long date format in the statistics file.
    If Excel has trouble showing the correct date, enable this option.

Connections

Outbound Message Routing

  • Use DNS to send all messages directly to the recipient's mail server

    In this mode CryptoFilter queries the DNS server for the MX record of the recipient's domain, connects to the recipient's mail server and sends the message.
     
  • Relay all messages through the smart host

    In this mode CryptoFilter relays all messages to the smart host. Usually the smart host is the SMTP server of your ISP or a relay server in your DMZ.
     
  • Use smart host only if direct connection fails

    This is a combination of the two modes above. If CryptoFilter cannot send directly, it relays to the smart host.
     
  • Smart host:

    The name or IP address of the smart host to which CryptoFilter should relay.

  • DNS server

    The IP address of the name server (DNS) that CryptoFilter should use to get the MX record(s) for the recipient domain.

    Do not use a host name here: CryptoFilter cannot resolve it, because it has no name server yet (a chicken-and-egg problem).

    Note: If you enter the word AutoDetect rather than an IP address, the name server is read from the registry.

  • Refuse inbound connections on problems with outbound connections

    If checked and CryptoFilter is unable to establish a connection with the Exchange server, CryptoFilter does not accept incoming messages until it can communicate with Exchange again. Sending servers then queue and retry, rather than CryptoFilter accepting mail it cannot deliver.

  • Specify by e-mail-domain

    Allows you to define e-mail domains that need special routing, for example when the target server is behind a firewall or in a private LAN.

Connection Limits

  • Max concurrent inbound

    Defines how many concurrent inbound connections CryptoFilter accepts. Zero means unlimited, which leaves the gateway open to connection flooding; set a limit that fits your bandwidth.

  • Max concurrent outbound

    Defines how many concurrent outbound connections CryptoFilter opens. Zero means unlimited.

  • Concurrent outbound connections to a single host

    Defines how many concurrent connections CryptoFilter opens to a single host.

    As a general rule you should not allow more than 8 connections per 64 kbit/s of bandwidth, or you may see timeouts. If you have a 64K ISDN line, set inbound and outbound to 4.
     
  • Max recipients for an inbound message

    Defines the maximum number of recipients in a single inbound message.

    If the sending server presents more recipients, the remaining recipients are refused with

    452 4.5.3 Too many recipients

    Note: 452 is a temporary error. A standards-compliant sender delivers the refused recipients in a later transaction, so this limit slows down bulk deliveries but does not block them.

Relay

Allow Relay of SMTP Messages

    If checked, CryptoFilter relays messages for recipients not defined on your Exchange server to the next SMTP host. This is either the relay host of your ISP or the final host, depending on your settings in Connections.

    Relaying is only needed if you have POP3 clients in your LAN and you want to use CryptoFilter as the relay host for them. Do not allow unrestricted relaying from the Internet: an open relay is found and abused for spam within hours and gets your mail server listed on blocklists. Restrict relaying with the options below.

  • Allow relay of SMTP message from reserved IP addresses
    (127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 224.0.0.0/8)

    If checked, CryptoFilter allows relaying for clients from your local LAN.

  • Allow relay only from host
  • Allow relay only from IP address

    If you disable general relaying, you can define from which hosts (machines) or IP addresses relaying is allowed.

    CryptoFilter compares host names from right to left. IP addresses are in CIDR notation.

    If you want all machines in the domain dataenter.com to be allowed, add dataenter.com to the list. To allow all IP addresses from 10.10.10.0 to 10.10.10.255, add 10.10.10.0/24 to the list of IP addresses.

  • Allow relay for authenticated users

    If checked, CryptoFilter allows relaying for authenticated users, regardless of their IP address.

    Note: You need to define which authentication method CryptoFilter should use in Authentication.
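
The relay decision described above, as an added example that is not part of this page or of CryptoFilter itself. It models the options of the Relay dialog in Python: CIDR matching for the IP lists, right-to-left host comparison on label boundaries, the reserved-address list exactly as printed above, and a small audit that flags settings amounting to an open relay. Reading the master switch as unrestricted relaying is this example's interpretation of the dialog, and the RelayPolicy field names are its own, not CryptoFilter settings.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Tuple

# The "reserved IP addresses" list exactly as the page prints it.
RESERVED_NETWORKS = ("127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16",
                     "172.16.0.0/12", "169.254.0.0/16", "224.0.0.0/8")


def ip_in_list(client_ip: str, cidrs: Iterable[str]) -> bool:
    """True when client_ip lies in any CIDR entry; a bare address counts as a /32."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def host_in_list(client_host: Optional[str], domains: Iterable[str]) -> bool:
    """Right-to-left comparison on label boundaries: 'dataenter.com' admits
    'dataenter.com' and 'mail.dataenter.com' but not 'evildataenter.com'."""
    if not client_host:
        return False
    host = client_host.lower().rstrip(".")
    for entry in domains:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


class RelayPolicy(NamedTuple):
    """One field per option of the Relay dialog (field names are this example's own)."""
    allow_general_relay: bool = False       # master switch with no restriction: open relay
    allow_reserved: bool = False            # relay from reserved IP addresses
    allowed_hosts: Tuple[str, ...] = ()     # allow relay only from host
    allowed_ips: Tuple[str, ...] = ()       # allow relay only from IP address (CIDR)
    allow_authenticated: bool = False       # allow relay for authenticated users


def may_relay(policy: RelayPolicy, client_ip: str,
              client_host: Optional[str] = None, authenticated: bool = False) -> bool:
    """Whether a client may submit mail for a recipient that is not on your Exchange.
    Reading the master switch as unrestricted relaying is this example's interpretation."""
    if policy.allow_general_relay:
        return True
    if authenticated and policy.allow_authenticated:
        return True
    if policy.allow_reserved and ip_in_list(client_ip, RESERVED_NETWORKS):
        return True
    if ip_in_list(client_ip, policy.allowed_ips):
        return True
    return host_in_list(client_host, policy.allowed_hosts)


def open_relay_warnings(policy: RelayPolicy) -> List[str]:
    """Flag settings that turn the gateway into an open relay, before you deploy them."""
    warnings = []
    if policy.allow_general_relay:
        warnings.append("general relaying is enabled: any host on the Internet can relay")
    for entry in policy.allowed_ips:
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            warnings.append(f"{entry} covers the whole Internet")
    return warnings
```

Host-based entries depend on the name the gateway derives for the connecting client, normally from reverse DNS, which the owner of the client's address space controls. Rely only on host names that are forward-confirmed (the name resolves back to the connecting address); for everything else use IP ranges or authentication.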


Authentication

Enable inbound SMTP authentication using pass-through NTLM logon
(Windows NT® and Windows® 2000/2003/2008 only)

 

If checked, CryptoFilter performs a network logon using the user name and password that the SMTP client provided.

The user name needs to be in the format Domain\User or User. If User alone is given, the validation goes against the local machine. If the local machine is a domain controller, Domain\User and User are equivalent.

Note: If CryptoFilter is running as a service using the LocalSystem account (this is the default), then Domain\User needs to be used, even when running on a domain controller. Using User alone will result in a logon error. As a workaround use either Domain\User or start the service using the Administrator account. Prefer the Domain\User form: running the service under an administrative account gives the gateway more privilege than it needs.

Note: Make sure the Guest account is disabled, or the logon of every user with every password will succeed. See KB 251149 Guest Account Allows Relaying Regardless of Routing Restrictions.

Note: The SMTP client sends the domain credentials in the SMTP dialogue, so only offer this on sessions protected with TLS/SSL. Failed logons count against the account lockout policy of the domain, so an attacker guessing passwords against port 25 can lock out real users.

Enable inbound SMTP Authentication using

  • User
  • Password

If checked, validates the SMTP client's user and password against the given user and password.

Enable outbound SMTP authentication using

  • User
  • Password

If your ISP's SMTP server needs authentication before accepting an SMTP message, you can define the user name and password here.

Note: Do not use this unless your ISP requires it!


TLS/SSL

Enable TLS/SSL for inbound messages

If checked, CryptoFilter announces TLS/SSL so that a connecting client can establish a TLS/SSL connection and thereby encrypt the data sent over the wire. By default this is disabled, because a valid certificate for the host is required; otherwise the sending host cannot verify your machine.

Server certificate file

The file that holds the certificate, in PEM format.

Server private key file

The file that holds the private key of the certificate, in PEM format.

In most cases both the certificate and the private key are in one file, and the name of the file is cert.pem. Because this file contains the private key, restrict read access to it to the account CryptoFilter runs under.

Note:
Type in the file name and not the full path name ( e.g. cert.pem and not c:\cryptofilter\cert.pem ).

Enable TLS/SSL for outbound messages

If checked, CryptoFilter uses TLS/SSL whenever the target server announces it and encrypts the data sent over the wire.

Certificate authority certificate file

The name of the file with the certificate authority certificates, in PEM format.

CryptoFilter uses this list of authority certificates to validate the target server.
However, CryptoFilter will always try to establish a TLS/SSL connection,
even when the certificate or the CN name cannot be verified.

Note: This is opportunistic TLS. It protects the transfer against passive eavesdropping, but an attacker who can intercept the connection can present any certificate, or suppress the TLS announcement, without the delivery failing. Do not treat a successful outbound TLS session as proof of the peer's identity.

TLS/SSL Toolkit:

You will find a generic certificate in the TLS/SSL Toolkit that you may use for a quick start.
Download the TLS/SSL Toolkit and extract cert.pem and cacert.pem into the CryptoFilter directory.

Set the fields as follows:

Certificate authority certificate file: CACert.pem
Server certificate file: Cert.pem
Server private key file: Cert.pem

Note: The generic certificate and its private key are distributed with every copy of the toolkit, so anyone can impersonate a server that uses them. Use it only to test the setup, then replace it with a certificate issued for your host name.

Note: If you have your own certificate in Windows® 2000/2003/2008, you can export it and use PKCS12_to_PEM.bat from the TLS/SSL Toolkit to convert it into the PEM format that CryptoFilter is able to read.


See also TLS/SSL Quick Installation


Advanced

Outbound SMTP options

  • Retry failed connection every xx Seconds

    Defines how long CryptoFilter waits before it retries a failed outbound SMTP connection.
    The default is 1800 seconds, which is 30 minutes.

  • Retry for xx Seconds

    Defines how long CryptoFilter keeps retrying a failed outbound SMTP connection.
    The default is 432000 seconds, which is 5 days.

    Note: Set this to something between 4 and 24 hours, which makes more sense than the default of 5 days.
     
  • Retry non-delivery reports for xx Seconds

    Defines how long CryptoFilter keeps retrying a failed non-delivery report.
    The default is 14400 seconds, which is 4 hours.

Outbound Exchange options

  • Retry failed connection every xx Seconds

    Defines how long CryptoFilter waits before it retries a failed outbound Exchange connection. The default is 300 seconds, which is 5 minutes.

  • Retry for xx Seconds

    Defines how long CryptoFilter keeps retrying a failed outbound Exchange connection.
    The default is 604800 seconds, which is 7 days.

Check

  • Check for an Exchange server before sending a message

    If checked, CryptoFilter checks whether the SMTP server announces the XEXCH50 ESMTP verb.
    This prevents CryptoFilter from accidentally sending a message to the wrong server.

    In Exchange 5.5 / 2000 / 2003 the virtual SMTP server always announces the XEXCH50 ESMTP verb.

    In Exchange 2007 / 2010 the receive connector on the Hub Transport server announces the XEXCH50 ESMTP verb only if Exchange Server authentication is enabled.

    Notes, GroupWise and any other non-Exchange SMTP server do not announce the XEXCH50 ESMTP verb.

  • Check for on-access virus scanner at startup

If checked, CryptoFilter checks for an on-access virus scanner at startup.

CryptoFilter does this by writing out the EICAR anti-virus test file ( http://www.eicar.org ), which is a harmless text file, and watching whether some other program deletes or locks the file. If so, an on-access scanner is running and the CryptoFilter directory is not excluded from scanning.

CryptoFilter then shows a warning and continues working, but the CryptoFilter directory should be excluded from scanning.

If you do not exclude the CryptoFilter directory, the scanner will prevent CryptoFilter from accessing its own files. Even worse, if you have enabled some kind of "cleaning", the results are unpredictable and certainly not what you expect.

More technically speaking, the scanner cannot clean a message, because it is a file scanner and has no idea how to handle an SMTP message. Even if it could clean the message, it locks the file to do so, and CryptoFilter does not fight with the scanner for the file.

When a message comes in, CryptoFilter saves it in the MSG-IN directory under a unique file name with a .TMP extension ( MSG0117x.TMP, for example ).
Once the message download is finished, CryptoFilter renames the file from MSG0117x.TMP to MSG0117x.TXT. If a scanner is scanning this file at that moment, the operating system does not allow the renaming; CryptoFilter treats this as a failure and reports it to the sending SMTP server.

If the renaming succeeds, the message is placed in the decoding queue and waits until the decoder handles it. If the scanner scans the file at that point, the decoder cannot open it and the message is lost. Worse still, if the scanner deletes the file, the message is gone silently: CryptoFilter has no way of knowing that a file was removed behind its back.

None of this means that you should not use a virus scanner at all. It only means that you should scan your messages the right way: either enable the virus scanner in CryptoFilter, so that CryptoFilter has full control over the scanner, or use an SMTP-based virus scanner.
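
The startup check described above, reproduced as an added Python example that is not part of this page or of CryptoFilter itself. The probe drops an EICAR file into a directory, waits, and then performs the same .TMP to .TXT rename the gateway performs, classifying what happens. It is useful for confirming that the scanner exclusion is still in place after a scanner update; the verdict names and the helper that runs the probe in a temporary directory are this example's own.

```python
import os
import tempfile
import time
import uuid
from pathlib import Path
from typing import Tuple

# The EICAR test string as published at http://www.eicar.org. It is plain text, not
# malware; scanners detect it by agreement, which is what makes it a safe probe.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def probe_on_access_scanner(directory: Path, settle_seconds: float = 2.0) -> str:
    """Drop the EICAR file into `directory` and repeat the gateway's own
    .TMP -> .TXT rename. Verdicts (names are this example's own):
      'blocked'  the write itself was refused
      'deleted'  the file vanished: a scanner with "cleaning" acts in this directory
      'locked'   the rename failed: a scanner holds the file open
      'clear'    nothing interfered, so the directory looks excluded from scanning
    """
    tmp = directory / f"EICAR{uuid.uuid4().hex[:8]}.TMP"
    final = tmp.with_suffix(".TXT")
    try:
        try:
            tmp.write_text(EICAR)
        except OSError:
            return "blocked"
        time.sleep(settle_seconds)          # give an on-access scanner time to react
        if not tmp.exists():
            return "deleted"
        try:
            os.replace(tmp, final)          # the rename CryptoFilter does after download
        except OSError:
            return "locked"
        return "clear" if final.exists() else "deleted"
    finally:
        for leftover in (tmp, final):       # never leave test files behind
            try:
                leftover.unlink()
            except OSError:
                pass


def probe_in_temp_dir(settle_seconds: float = 0.2) -> Tuple[str, int]:
    """Run the probe in a fresh temporary directory, for trying it out without
    touching the gateway. Returns the verdict and how many files were left behind."""
    directory = Path(tempfile.mkdtemp(prefix="cf-av-probe-"))
    verdict = probe_on_access_scanner(directory, settle_seconds)
    leftovers = len(list(directory.iterdir()))
    try:
        directory.rmdir()
    except OSError:
        pass
    return verdict, leftovers


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(probe_on_access_scanner(target) if target else probe_in_temp_dir())
```

On Windows a scanner that holds the file open makes the rename fail, which is the 'locked' verdict. On POSIX systems a concurrent read does not block a rename, so there 'deleted' is the only reliable signal. A short settle time gives false 'clear' results with slow scanners; two seconds is a reasonable default on a production host.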

Size Limit

  • Enable outbound message size limit
  • Enable inbound message size limit

    Enables the inbound and/or outbound message size limit.


S/MIME Verify

Verifies the S/MIME signature of an inbound message based on the following rules.

Each rule consists of a From address, a To address and one or more methods. Wildcards are allowed for all fields.
 

  • Verify the S/MIME signature

    If checked, CryptoFilter verifies the S/MIME signature on an inbound message.

    The result of the verification is written to the X-CryptoFilter-SMIME-Verify-Status: header line.

    Note: Any external sender can put a header line with the same name into a message. Downstream rules that act on this header should trust it only for mail that has actually passed through CryptoFilter.
     
  • Remove the S/MIME signature

    If checked, CryptoFilter removes the S/MIME signature from an inbound message.  

S/MIME Sign

Signs outbound messages based on the following rules.

Each rule consists of a From address, a To address and a certificate. Wildcards are allowed for all fields.

The wildcard for the certificate is a * (star). It means that CryptoFilter searches for a certificate file with the same name as the sender's e-mail address plus a .pem extension ( e.g. user@domain.com.pem ).

Examples:

  • Sign all outbound messages from your domain with your company certificate
     
    From: *@yourdomain.com
    To: *
    Certificate: company_certificate.pem

     

  • Sign all outbound messages from your domain with a user certificate ( e.g. user@domain.com.pem )
     
    From: *@yourdomain.com
    To: *
    Certificate: *

     

  • Sign all outbound messages from a user to a recipient with a user certificate
     
    From: user@yourdomain.com
    To: recipient@other.com
    Certificate: some_certificate_file.pem

     

  • Don't sign outbound messages to a fax gateway
    ( use the !!void-certificate!! for do-nothing rules )
     
    From: *
    To: *@freefax.com
    Certificate: !!void-certificate!!

     

Some guidelines for the certificate:

  • The certificate must be in PEM format
  • The certificate file with the private key, required for signing, must be in the CERT\PRIV directory
  • The entire content of your message, including all attachments,
    will be signed with your private key and your certificate will be added to the message signature
  • The header of the message, including the subject of the message, will not be signed;
    the subject and the addresses can therefore be altered in transit without invalidating the signature
  • Recipients of your signed message will be able to verify that the content has not been altered,
    and they will be able to store your certificate and later send you encrypted messages

     

S/MIME Encrypt

Encrypts outbound messages based on the following rules.

Each rule consists of a From address, a To address and a certificate. Wildcards are allowed for all fields.

The wildcard for the certificate is a * (star). It means that CryptoFilter searches for a certificate file with the same name as the recipient's e-mail address plus a .pem extension ( e.g. user@domain.com.pem ).

If there is no such certificate, CryptoFilter searches for a certificate file with db- in front ( e.g. db-user@domain.com.pem ). These are the certificates that CryptoFilter optionally extracted from signed messages.
 

Examples:

  • Encrypt all outbound messages where a public certificate for the recipient is available
     
    From: *
    To: *
    Certificate: *

     

  • Encrypt all outbound messages from a user to a recipient with the recipient's public certificate
     
    From: user@yourdomain.com
    To: recipient@other.com
    Certificate: some_certificate_file.pem

Some guidelines for the certificate:

  • The certificate must be in PEM format
  • The certificate file with the public key, required for encryption, must be in the CERT\PUB directory
  • The entire content of your message, including all attachments,
    will be encrypted with the public key of the recipient
  • The header of the message, including the subject of the message, will not be encrypted;
    do not put confidential information into the subject line

S/MIME Decrypt

Decrypts inbound messages based on the following rules.

Each rule consists of a From address, a To address and a certificate. Wildcards are allowed for all fields.

The wildcard for the certificate is a * (star). It means that CryptoFilter searches for a certificate file with the same name as the recipient's e-mail address plus a .pem extension ( e.g. user@domain.com.pem ).

CryptoFilter also searches for alternate certificate files in the CERT\PRIV\ALT directory. It uses all certificate files there that start with the same name as the original certificate file ( e.g. if the original certificate name is peter@mydomain.pem, CryptoFilter will also find peter@mydomain-2007.pem ). This allows you to move outdated certificate files into the ALT directory, so that CryptoFilter can still decrypt old messages with them.

Examples:

  • Decrypt all inbound messages where a private certificate for the recipient is available
     
    From: *
    To: *
    Certificate: *

     

  • Decrypt all inbound messages from a sender to a recipient with the recipient's private certificate
     
    From: user@yourdomain.com
    To: recipient@other.com
    Certificate: some_certificate_file.pem

Some guidelines for the certificate:

  • The certificate must be in PEM format
  • The certificate file with the private key, required for decryption, must be in the CERT\PRIV directory
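
The rule matching and certificate lookup described in the S/MIME Sign, Encrypt and Decrypt sections above, together with the wildcard syntax from General syntax, as one added Python example that is not part of this page or of CryptoFilter itself. It translates ?, * and # into a regular expression, picks the rule whose From and To patterns match, and resolves the Certificate field along the search order the page gives: the sender's .pem in CERT\PRIV for signing, the recipient's .pem and then the db- copy in CERT\PUB for encryption, and the recipient's .pem plus every matching file in CERT\PRIV\ALT for decryption. First-match rule order, case-insensitive matching and the sample CERT tree (placeholder files in a temporary directory) are this example's assumptions; the rule tables are built from the page's own examples.

```python
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional

VOID_CERT = "!!void-certificate!!"   # the page's name for a do-nothing rule


def wildcard_to_regex(pattern: str) -> str:
    """? = one character, * = one or more characters, # = one or more digits;
    everything else is literal, so '.' in 'yourdomain.com' is not a metacharacter."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".+")
        elif ch == "#":
            parts.append("[0-9]+")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def wildcard_match(pattern: str, text: str, anchored: bool = True) -> bool:
    """Case-insensitive match (an assumption). anchored=True requires the whole text
    to match, as an address field needs; anchored=False searches inside the text,
    which is why 's*x' also hits 'See how exciting this is'."""
    regex, flags = wildcard_to_regex(pattern), re.IGNORECASE | re.DOTALL
    if anchored:
        return re.fullmatch(regex, text, flags) is not None
    return re.search(regex, text, flags) is not None


class Rule(NamedTuple):
    sender: str        # From pattern
    recipient: str     # To pattern
    certificate: str   # file name, "*" or VOID_CERT


def find_rule(rules: List[Rule], sender: str, recipient: str) -> Optional[Rule]:
    """First rule whose From and To patterns both match. First-match order is an
    assumption of this example; the page does not say how overlapping rules rank."""
    for rule in rules:
        if wildcard_match(rule.sender, sender) and wildcard_match(rule.recipient, recipient):
            return rule
    return None


def resolve_certificates(rule: Rule, sender: str, recipient: str,
                         cert_root: Path, mode: str) -> List[Path]:
    """Certificate files for a matched rule, in the page's search order:
      sign     CERT/PRIV/<sender>.pem
      encrypt  CERT/PUB/<recipient>.pem, then CERT/PUB/db-<recipient>.pem
      decrypt  CERT/PRIV/<recipient>.pem, then every CERT/PRIV/ALT/<stem>*.pem
    An explicit file name replaces the '*' lookup; a void rule yields nothing.
    Sign and encrypt return the first file that exists, decrypt all of them."""
    if mode not in ("sign", "encrypt", "decrypt"):
        raise ValueError(f"unknown mode {mode!r}")
    if rule.certificate == VOID_CERT:
        return []
    folder = cert_root / ("PUB" if mode == "encrypt" else "PRIV")
    if rule.certificate != "*":
        names = [rule.certificate]
    elif mode == "sign":
        names = [f"{sender}.pem"]
    elif mode == "encrypt":
        names = [f"{recipient}.pem", f"db-{recipient}.pem"]
    else:
        names = [f"{recipient}.pem"]
    found = [folder / n for n in names if (folder / n).is_file()]
    if mode != "decrypt":
        return found[:1]
    # Outdated keys moved to ALT are still tried: peter@mydomain.pem also finds
    # peter@mydomain-2007.pem. Path.stem strips only the final .pem.
    stem = Path(names[0]).stem
    return found + sorted((folder / "ALT").glob(f"{stem}*.pem"))


def certificates_for(rules: List[Rule], sender: str, recipient: str,
                     cert_root: Path, mode: str) -> List[Path]:
    """Rule lookup followed by certificate resolution."""
    rule = find_rule(rules, sender, recipient)
    return [] if rule is None else resolve_certificates(rule, sender, recipient, cert_root, mode)


# Rule tables built from the page's examples; the void rule comes first so that
# mail to the fax gateway is never signed under first-match evaluation.
SIGN_RULES = [
    Rule("*", "*@freefax.com", VOID_CERT),
    Rule("alice@yourdomain.com", "*", "*"),
    Rule("*@yourdomain.com", "*", "company_certificate.pem"),
]
ENCRYPT_RULES = [Rule("*", "*", "*")]
DECRYPT_RULES = [Rule("*", "*", "*")]


def make_demo_cert_store() -> Path:
    """Constructed sample CERT tree in a temporary directory. The .pem files are
    placeholders so the lookup runs offline; they are not real certificates."""
    root = Path(tempfile.mkdtemp(prefix="cryptofilter-cert-"))
    for rel in ("PRIV/alice@yourdomain.com.pem", "PRIV/company_certificate.pem",
                "PRIV/ALT/alice@yourdomain.com-2007.pem",
                "PUB/carol@other.com.pem", "PUB/db-bob@other.com.pem"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    return root
```

The sample rule table puts the !!void-certificate!! rule for the fax gateway before the catch-all rules; under first-match evaluation a catch-all placed first would sign fax traffic regardless of the void rule, so check the order in which your rule table is evaluated before relying on a do-nothing rule. The anchored=False mode reproduces the s*x pitfall from General syntax.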

S/MIME inbound Policy

Defines the S/MIME policy for an inbound message based on the following rules.

Each rule consists of a From address, a To address and one or more methods. If at least one checked method is fulfilled, CryptoFilter triggers the selected action. Wildcards are allowed for all fields.
 

  • Action

Select what should happen with the message when at least one of the methods is fulfilled:

  • Discard message
  • Encapsulate and forward to Postmaster
  • Encapsulate and send to recipient
  • Encapsulate and send to recipient without attachments
  • Send a non-delivery report to the sender
  • Mark subject
  • Mark subject and move to Junk-E-Mail folder
    Note: This option requires XWALLFilter installed
  • Forward to Postmaster
  • Forward to recipient

S/MIME outbound Policy

Defines the S/MIME policy for an outbound message based on the following rules.

Each rule consists of a From address, a To address and one or more methods. If at least one checked method is fulfilled, CryptoFilter triggers the selected action. Wildcards are allowed for all fields.
 

  • Action

Select what should happen with the message when at least one of the methods is fulfilled:

  • Discard message
  • Encapsulate and forward to Postmaster
  • Send a non-delivery report to the sender

S/MIME Options

Options for S/MIME message processing.
 

  • Certificate authority certificate file
     

    The name of the file with the certificate authority certificates, in PEM format.

    CryptoFilter uses this list of authority certificates to validate the signature certificate.

    CryptoFilter searches the file in the CERT folder, unless a full file name is given.

  • Collect the public certificate of the sender

    If checked, CryptoFilter writes the certificate of the sender into the CERT\PUB directory.

    The file name consists of the string db-, the e-mail address of the sender and the .pem extension.

    This certificate can then be used to automatically encrypt all outgoing messages to the sender.

    Note: A collected certificate is only as trustworthy as the signature check it came with. Before relying on a db- file, make sure it came from a message whose signature verified against your certificate authority list; otherwise a message with a forged sender address could plant a certificate, and later mail to that address would be encrypted to the wrong key.
     
  • Log detailed S/MIME description

    If this is enabled CryptoFilter shows a detailed description about the status of the S/MIME handling.
     

IP Address

Bind to address
 
  • SMTP outbound port

    By default CryptoFilter uses port 25 for outgoing connections, and there is usually no need to change this.

  • SMTP inbound port

    By default CryptoFilter accepts incoming connections on port 25, and there is usually no need to change this.

    Note: Do not change the port from the default ( port 25 ) unless you know what you are doing. A different port usually means that CryptoFilter can no longer send out, or that you create a message loop.

  • Bind to IP address

    In general you should leave the fields blank and let CryptoFilter detect the IP address automatically.

    Note: If your machine has more than one IP address, CryptoFilter binds to every address of the machine, and in general this is fine.

    Note: Do not bind to an IP address unless you know what you are doing. Binding to an IP address usually means that your Exchange server cannot send, or that CryptoFilter cannot detect Exchange.