CryptoFilter · The S/MIME Gateway
Exchange

Postmaster's e-mail address

E-mail address of the person who is responsible for maintaining CryptoFilter. CryptoFilter will send error messages to this address.

Notify postmaster when a new program version is available

CryptoFilter will periodically perform an online check for a program update and will send a notification to postmaster in the case a new program version is available.

Name or IP address of the Exchange server

Host name or IP address of the Exchange server. The default is localhost, which means that the Exchange server is on the same machine as CryptoFilter.

Exchange listens on port

This is the port that CryptoFilter uses when connecting to the Exchange server. If CryptoFilter and Exchange server are running on the same machine you may need to adjust the port that you have selected for the IMC. For Exchange 5.x you do this by changing the services file.

Refuse inbound connections on problems with outbound connections

If checked and if CryptoFilter is unable to establish a connection with the Exchange server, CryptoFilter will not accept incoming messages until it can communicate with the Exchange server.

Exchange needs authentication

Allows you to enter the user and password if your Exchange needs authentication before accepting an input.

Specify by e-mail-domain (ISP Edition only)

Allows you to define inbound e-mail domains that are on a different Exchange server.

Logfiles
Write Logfile

If checked, CryptoFilter will write a logfile called MBYYMMDD.LOG, where YY is the year, MM is the month and DD is the day.

Directory

The directory where CryptoFilter will write the logfile.

If the Directory is empty, CryptoFilter writes the logfile into the directory 'where MBServer.EXE resides.

Note: This is a directory and not a filename. The filename will always be MBYYMMDD.LOG

Purge logfiles after x days

Purges the logfiles after the set number of days.

Verbose Logging

If checked, CryptoFilter displays and logs everything, whereas if unchecked only a minimal amount of information is logged.

Log Message Transfer

If checked, CryptoFilter displays and logs the communication of the message transfer.

Log Message Header

If checked, CryptoFilter displays the SMTP header of the message.

History

Keep a copy of every message

If checked, CryptoFilter keeps a copy of every message in the HIST-IN and HIST-OUT folder.

Make sure you have enough free disk space if you enable this option.

The message files are plain text files and contain exactly what was sent over the wire.

This means you can read the messages files in Notepad. If you want to extract an attachment from the messages then you can either rename the file to .eml and use Outlook Express or your rename the file to .uue and use WinZip to extract the attachment.

If you want to resend the messages then you can use SMTPSend with the -g option or you open them in Outlook Express and resent them from here.

If you want to resend more than one message, then either use CSVToEnv

Directory

The directory where CryptoFilter will write the HIST-IN and HIST-OUT folder.

If the Directory is empty, CryptoFilter writes the logfile into the directory where MBServer.EXE resides.

Purge message files after x days

Purges the message files after the set number of days.

Statistic

General

Write Statistics File

If checked, CryptoFilter will write a statistics file called SRYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The files lists all inbound and outbound messages that CryptoFilter handled.

You can use Excel or any other program which imports delimited text files to run your statistics.

Directory

The directory where CryptoFilter will write the statistics file.

If the directory is empty, CryptoFilter writes the statistics file into the directory where MBServer.EXE resides.

Purge logfiles file after x days

Purges the statistics files after the set number of days.

Write SMTP blocking statistics file

If checked, CryptoFilter will write a statistics file called SPYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all messages that CryptoFilter rejected at the SMTP level.

Note: Due that the message are rejected before the sending server tells CryptoFilter to whom the messages is addressed, the CSV file does not show the e-mail address of the final recipient.

Write send statistics file

If checked, CryptoFilter will write a send file called SSYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all messages that are sent by CryptoFilter.

Write virus statistics file

If checked, CryptoFilter will write a statistics file called SVYYMMDD.CSV, where YY is the year, MM is the month and DD is the day. The file lists all messages that had a virus.

Options

Use long date in statistic file (yyyy-mm-dd vs. yy-mm-dd)

If checked, CryptoFilter will use a long date format in the statistic file.

If Excel has troubles showing the correct date, then enable this option.

Connections

Outbound Message Routing

Use DNS to send all messages direct to the recipients mail server

In this mode CryptoFilter queries the DNS server for the MX record of the recipient, connect to the recipient mail server and sends the message

Relay all messages through the smart host

In this mode CryptoFilter relays all messages to the smart host. Usually the smart host is the SMTP server of your ISP or some relay server in your DMZ

Use smart host only if direct connection fails

This is a combination of the two modes above. If CryptoFilter can not send direct, it relays to the smart host.

Smart host

The name or IP address of the smart host where CryptoFilter should relay to

DNS server

The IP address of the name server (DNS) which CryptoFilter should use to get the MX record(s) for the recipient domain.

Do not use a host name, because CryptoFilter can not resolve it to an IP address, because it does not have a name server (chicken-and-egg problem).

Note: If you use the word AutoDetect rather than an IP address, then the name server is read from the registry.

Refuse inbound connections on problems with outbound connections

If checked and if CryptoFilter is unable to establish a connection with the Exchange server, CryptoFilter will not accept incoming messages until it can communicate with the Exchange server

Specify by e-mail-domain

Allows you to define e-mail domain that need special routing, for example when a target server is behind a firewall or in a private LAN.

Enable outbound SMTP authentication against the Smart Host

User

Password

If your ISPs SMTP server needs an authentication before accepting an SMTP message, then you can define the user and password here.

Note: Do not use this unless your ISP requires it!

Connection Limits

Max concurrent inbound

Defines how many concurrent inbound connections CryptoFilter accepts. Setting this to zero allows unlimited connections.

Max concurrent outbound

Defines how many concurrent outbound connections CryptoFilter opens. Setting it to zero allows unlimited connections.

Concurrent outbound connections to a single host

Defines how many concurrent connections to a single host CryptoFilter opens

As a general rule you should not allow more than 8 connections for a 64kBit bandwidth or else you may have timeouts. If you have a 64K ISDN line, set inbound and outbound to 4.

Max recipients for an inbound message

Define the max amount of recipients in a single inbound message.

If the sending server sends more recipients, then remaining recipients are blocked using a
452 4.5.3 Too many recipients error

Relay

Allow Relay of SMTP Messages

If checked, CryptoFilter relays messages for recipients not defined on your Exchange, to the next SMTP host. This is either the relay host of your ISP or the final host, depending on your settings in Connections.

Relaying is only needed if you have POP3 clients in your LAN and you want to use CryptoFilter as the relay host for them.

Allow relay of SMTP message from reserved IP addresses
(10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 224.0.0.0/8)

If checked, CryptoFilter allows s relaying for client from your local LAN.

Relaying is only needed if you have POP3 clients in your LAN and you want to use CryptoFilter as the relay host for them.

Allow relay only from host

Allow relay only from IP address

If you disable general relaying, then you can define which host (machine) or IP address relaying is allowed.

CryptoFilter compares host names from right to left. IP addresses are in CIDR notation.

If you want all the machines in the domain dataenter.com to be allowed, you need to add dataenter.com to the list. To allow all IP addresses from 10.10.10.0 to 10.10.10.255, you need to add 10.10.10.0/24 to the list of IP addresses.

Allow relay for authenticated users

If checked, CryptoFilter allows relaying for authenticated users, regardless of their IP address.

Note: You need to define which authentication method CryptoFilter should use in Authentication

Authentication

Enable inbound SMTP authentication using User/Pass

If selected, CryptoFilter validates the SMTP client's user and password against the given user and password.

Enable inbound SMTP authentication using pass-through NTLM logon

If selected, CryptoFilter performs a network logon using the user and password that the SMTP client provided.

The user need to be in the format Domain\Useror User. If User is selected, then the validation goes against the local machine. If the local machine is a domain controller, Domain\User and User is equal.

Note: If CryptoFilter is running as a service using the LocalSystem account (this is the default), then Domain\User needs to be used, even when running on a domain controller. Using User alone will result in a logon error. As a workaround use either Domain\User or start the service using the Administrator account.

Note: Make sure the Guest account is locked or the logon of every user with every password will succeed.
See KB 251149 Guest Account Allows Relaying Regardless of Routing Restrictions

Enable inbound SMTP authentication using a SMTP query to Exchange

If selected, CryptoFilter queries Exchange with the user and password.

Enable inbound SMTP authentication using an external program

If selected, CryptoFilter calls the external program and passes the user and password as arguments. If the external program returns errorlevel zero, the user is valid.

Advanced

Outbound SMTP options

Retry failed connection every xx Seconds

Defines how long CryptoFilter should wait until it retries a failed outbound SMTP connection.

The default is 1800 seconds, which is 30 minutes.

Retry for xx Seconds

Defines how long CryptoFilter should continue trying a failed outbound SMTP connection.

The default is 432000 seconds, which is 5 days.

Note: Set this to something between 4 - 24 hours, which makes more sense than the default of 5 days.

Retry non-delivery reports for xx Seconds

Defines how long CryptoFilter should continue trying a failed non-delivery report.

The default is 14400 seconds, which is 4 hours.

Outbound Exchange options

Retry failed connection every xx Seconds

Defines how long CryptoFilter should wait until it retries a failed outbound Exchange connection.

The default is 300 seconds, which is 5 minutes.

Retry for xx Seconds

Defines how long CryptoFilter should try a failed outbound Exchange connection.

The default is 604800 seconds, which is 7 days.

Check

Check for an Exchange server before sending a message

If checked, CryptoFilter checks if the SMTP server announces the XEXCH50 ESMTP verb.

This will prevent CryptoFilter from accidentally sending a message to the wrong server.

In Exchange 5.5 / 2000 / 2003 the virtual SMTP server always announces the XEXCH50 ESMTP verb.

In Exchange 2007/2010 the Hub connector announces the XEXCH50 ESMTP verb only if Exchange Server authentication is enabled. Notes or GroupWise or any other SMTP server do not announce the XEXCH50 ESMTP verb.

Check for on-access virus scanner at startup

If checked, CryptoFilter checks for an on-access virus scanner at startup. CryptoFilter does this by writing out the Eicar Antivirus testfile (http://www.eicar.org), which is a harmless text file, and watches if some other program deletes or locks the file. If so, then an on-access scanner is running and the CryptoFilter directory is not excluded from scanning.

CryptoFilter then shows a warning and continues working, but the CryptoFilter directory should be excluded from scanning. When you don't exclude the CryptoFilter directory, the scanner will prevent CryptoFilter from accessing it's own files. Even worse, when you have enabled some kind of "cleaning" then you get absolute unpredictable results, but not what you might expect. More technically speaking the scanner can not clean a message, because it is a file scanner and has no idea how to handle a SMTP messages.

Even if it could clean the messages, then it locks the file to do so and CryptoFilter does not fight with the scanner for the file.

When a message comes in CryptoFilter saves the message in the MSG-IN directory and gives it an unique file name with a .tmp extension (MSG0117x.TMP for example).

Once the message download is finished, CryptoFilter renames the file from MSG0117x.TMP to MSG0117x.TXT. In the case a scanner is now scanning this file, the operating system does not allow the renaming and CryptoFilter considers this as a failure and tells the sending SMTP server about this.

If the renaming could be done the message will be place in the decoding queue and wait until the decoder handles it. If the scanner now scans the file, the decoder can not open it and so the message is lost. More worst, when the scanner deletes the file, then CryptoFilter is really happy about that fact, because it always really like it when someone deletes files behind it's back.

This all does not mean that you should not use a virus scanner at all. It only means that you should use the right way to scan your messages. Either enable the virus scanner in CryptoFilter, because then CryptoFilter has fill control over the scanner or use a SMTP based virus scanner.

Size Limit

Enable outbound message size limit

Enable inbound message size limit

Enables the inbound and/or outbound message size limit.

TLS/SSL

Enable TLS/SSL for inbound connections

If checked, CryptoFilter announces TLS/SSL so that a connecting client can establish a TLS/SSL connection and thereby encrypt the data that is sent over the wire. By default this is disabled, because a valid certificate for the host is required or else the sending host can not verify your machine.

Server certificate file

The file that holds the certificate, in PEM format

Server private key file

The file that holds the privat key of the certificate, in PEM format

In most cases both the certificate and the private key are in one file and the name of the file is certt.pem

Note:Type in the filename and not the full path name (e.g. cert.pem and not c:\CryptoFilter\cart.pem)

Enable TLS/SSL for outbound messages

If checked, CryptoFilter uses TLS/SSL and encrypts the data sent over the wire.

Certificate authority certificate file

The name of the file with the certificate authority certificates, in PEM format

CryptoFilter uses this list of authority certificates to validate the target server.

However, CryptoFilter will always try to establish a TLS/SSL connection, even when the certificate or the CN name can not be verified.

TLS/SSL Toolkit:

You will find a generic certificate in the TLS/SSL Toolkit that you may use for a quick start.

Download TLS/SSL Toolkit and extract tlscert.pem and cacert.pem into the CryptoFilter directory.

Set the fields as follows:

Certificate authority certificate file: CACert.pem
Server certificate file: TLSCert.pem
Server private key file: TLSCert.pem

Note: If you have your own certificate in Windows 2000/2003/2008 then you can export it and use PKCS12_to_PEM.bat from the TLS/SSL Toolkit to convert it into PEM format which CryptoFilter is able to read.

See also TLS/SSL Quick Installation

TLS Outbound Policy

Verifies outbound TLS/SSL connections based on the following rules.

Each rule consists of a From e-mail address, a To e-mail address, a optional string in the subject and a type. Wildcards are allowed for the e-mail fields.

Examples:

Use mandatory TLS on all outbound messages from your domain to @secure.com

From: *
To: *@secure.com
Type: Mandatory

Use opportunistic TLS for all not covered by a rule

From: *
To: *
Type: Opportunistic

Don't use TLS with freefax.com

From: *
To: *@freefax.com
Type: Disabled

Reject the message during the SMTP session on

CryptoFilter terminates the connection if any checked condition is not fulfilled.

certificate not trusted

Either the certificate is verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA). Or the certificate is verified using DANE (DNS-based Authentication of Named Entities).

Note: Trusting a well know CA (Certificate Authority) that must follow the US PATRIOT Act (e.g. Verisign or Thawte) is not a feature.

self-signed certificate

Note: Trusting a self-signed certificate together with a fingerprint is secure.

expired certificate

An expired certificate means that the certification authority is no longer reporting on the integrity of the certificate. But for a self-signed certificate or trust by DANE, the exipiration date is not an issue.

revoked certificate

CryptoFilter obtains the revocation status of the certificate using CRL (certificate revocation list) or OCSP (Online Certificate Status Protocol)

CN mismatch

FQDN (fully qualified domain name) doesn't match the CN (Common Name) or SAN (Subject Alternative Name) in the certificate.

fingerprint with TOFU (Trust On First Use) mismatch

A fingerprint is a hash of the public key, usually SHA1. TOFU (Trust On First Use) is a security model whereby CryptoFilter, upon connecting to a new server, stores the fingerprint. From then on CryptoFilter uses the fingerprint to identify the server.

Note: Verify the fingerprint of a certificate prevents against man-in-the-middle attacks and using TOFU (Trust On First Use) mimizes administration.

weak key (less than 2048 bit)

Industry standards set by CA/B (Certification Authority/Browser) and NIST (National Institute of Standards and Technology) requires that certificates issued after January 1, 2014 must be at least 2048-bit key length.

Because as computer power increases, anything less than 2048-bit is at risk of being compromised by hackers or any agency with sophisticated processing capabilities.

weak cipher

Basically AES with 128 bit and all algorithms with 256 bits are strong ciphers, everything else is weak.

Note: A strong key and a strong cipher makes it harder, if not impossible, for the NSA (National Security Agency) to crack the communication.

missing PFS (Perfect Forward Secrecy) using Diffie-Hellman Key Exchange

PFS (Perfect Forward Secrecy) is a defense against an attacker who records encrypted conversations where the session keys are only encrypted with the communicating parties long-term keys. Should the attacker be able to obtain these long-term keys at some point later in the future, he will be able to decrypt the session keys and thus the entire conversation.

Diffie-Hellman Key Exchange is a specific method of exchanging cryptographic keys. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher like AES.

Diffie-Hellman is used in SSL/TLS, as ephemeral Diffie-Hellman, the cipher suites with DHE in their name. What is very rarely encountered is static Diffie-Hellman, cipher suites with DH in their name, but neither DHE or DH_Anon. These cipher suites require that the server owns a certificate with a DH public key in it, which is rarely supported for different reasons.

Note: DHKE prevents against an attack, where the government obtained a secret order from a judge, demanding to hand over the private key of the recipients server, like is was done with Lavabit.

TLS Inbound Policy

Verifies inbound connections based on the following rules.

Each rule consists of a From address, a To address and a type. Wildcards are allowed for the e-mail fields.

Note: At present the To address is not honored and must be a *

Examples:

Use mandatory TLS on all inbound messages from @secure.com

From: *
To: *@secure.com
Type: Mandatory

Use opportunistic TLS for all not covered by a rule

From: *
To: *
Type: Opportunistic

Reject the message during the SMTP session on

CryptoFilter terminates the connection if any checked condition is not fulfilled.

weak cipher

Basically AES with 128 bit and all algorithms with 256 bits are strong ciphers, everything else is weak.

Note: A strong key and a strong cipher makes it harder, if not impossible, for the NSA (National Security Agency) to crack the communication.

missing PFS (Perfect Forward Secrecy) using Diffie-Hellman Key Exchange

PFS (Perfect Forward Secrecy) is a defense against an attacker who records encrypted conversations where the session keys are only encrypted with the communicating parties long-term keys. Should the attacker be able to obtain these long-term keys at some point later in the future, he will be able to decrypt the session keys and thus the entire conversation.

Diffie-Hellman Key Exchange is a specific method of exchanging cryptographic keys. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher like AES.

Diffie-Hellman is used in SSL/TLS, as ephemeral Diffie-Hellman, the cipher suites with DHE in their name. What is very rarely encountered is static Diffie-Hellman, cipher suites with DH in their name, but neither DHE or DH_Anon. These cipher suites require that the server owns a certificate with a DH public key in it, which is rarely supported for different reasons.

Note: DHKE prevents against an attack, where the government obtained a secret order from a judge, demanding to hand over the private key of the recipients server, like is was done with Lavabit.

S/MIME Verify

Verifys the S/MIME signature of an inbound message based on the following rules.

Each rule consists of a From address, a To address and one or more methods. Wildcards are allowed for all fields.

Verify the S/MIME signature

If checked, CryptoFilter verifies the S/MIME signature on an inbound message.

The result of the verification is written to the X-CryptoFilter-SMIME-Verify-Status: header line.

Remove the S/MIME signature

If checked, CryptoFilter removes the S/MIME signature from an inbound message.

S/MIME Sign

Signs outbound message based on the following rules.

Each rule consists of a From address, a To address and a certificate. Wildcards are allowed for all fields.

The wildcard for the certificate is a * (star) and this means that CryptoFilter searches for a certificate file with the same name as the senders e-mail address, but with a .pem extension (e.g. user@domain.com.pem)

Examples:

Sign all outbound messages from your domain with your company certificate

From: *@yourdomain.com
To: *
Certificate: company_certificate.pem

Sign all outbound messages from your domain with a user certificate (e.g. user@domain.com.pem)

From: *@yourdomain.com
To: *@freefax.com
Certificate: *

Sign all outbound messages from a user to a recipient with a user certificate

From: user@yourdomain.com
To: recipient@other.com
Certificate: some_certificate_file.pem

Don't sign outbound messages to a fax gateway

(use the !!void-certificate!! for do-nothing rules)

From: *
To: *@freefax.com
Certificate: !!void-certificate!!

Some guidelines for the certificate:

  • The certificate must be in PEM format
  • The certificate file with the private key of the sender, required for signing, must be in the CERT \ PRIV directory

The entire content of your message, including all attachments, will be signed with your private key and the certificate will added to the message signature

The header of the message, including the subject of the message, will not be signed

Recipients of your signed message will be able to verify that the content has not been altered, and they will be able to store your certificate and later send you encrypted messages.

See also S/MIME Quick Start

S/MIME Encrypt

Encrypts outbound message based on the following rules.

Each rule consists of a From address, a To address and a certificate. Wildcards are allowed for all fields.

The wildcard for the certificate is a * (star) and this means that CryptoFilter searches for a certificate file with the same name as the recipients e-mail address, but with a .pem extension (e.g. user@domain.com.pem).

If there is no such certificate, CryptoFilter searches for a certificate file with the db- in front (e.g. db-user@domain.com.pem). This are the certificates that CryptoFilter optionally extracted from signed messages.

Examples:

Encrypt all outbound messages where a public certificate for the recipient is available

From: *
To: *
Certificate: *

Encrypt all outbound messages from a user to a recipient with a recipient public certificate

From: *
To: recipient@other.com
Certificate: some_certificate_file.pem

Some guidelines for the certificate:

  • The certificate must be in PEM format
  • The certificate file with the public key of the recipient, required for encrypting, must be in the CERT \ PUB directory

The entire content of your message, including all attachments, will be encrypted with the public key of the recipient.

The header of the message, including the subject of the message, will not be encrypted.

S/MIME Decrypt

Decrypts inbound message based on the following rules.

Each rule consists of a From address, a To address and a certificate. Wildcards are allowed for all fields.

The wildcard for the certificate is a * (star) and this means that CryptoFilter searches for a certificate file with the same name as the recipients e-mail address, but with a .pem extension (e.g. user@domain.com.pem)

CryptoFilter searches for alternate certificate files in the CERT\PRIV\ALT directory. CryptoFilter uses for all certificate files that start with the same name as the original certificate file (e.g. if the original certificate name is peter@mydomain.pem, CryptoFilter will find peter@mydomain-2007.pem). This allows you to move outdated certificate files into the ALT directory, so that CryptoFilter can use them in the case it needs to decrypt an old message.

Examples:

Encrypt all inbound messages where a privat certificate for the recipient is available

From: *
To: *
Certificate: *

Encrypt all inbound messages from a user to a recipient with a recipient private certificate

From: user@yourdomain.com
To: recipient@other.com
Certificate: some_certificate_file.pem

Some guidelines for the certificate:

  • The certificate must be in PEM format
  • The certificate file with the private key of the recipient, required for decrypting, must be in the CERT \ PRIV directory
S/MIME Inbound Policy

Defines the S/MIME policy for an inbound message based on the following rules.

Each rule consists of a From address, a To address and one or more methods. If at least one checked method is fulfilled, CryptoFilter triggers the selected action. Wildcards are allowed for all fields.

Action

List of Actions

S/MIME Outbound Policy

Defines the S/MIME policy for an outbound message based on the following rules.

Each rule consists of a From address, a To address and one or more methods. If at least one checked method is fulfilled, CryptoFilter triggers the selected action. Wildcards are allowed for all fields.

Action

List of Actions

S/MIME Options

Certificate authority certificate file

The name of the file with the certificate authority certificates, in PEM format.

CryptoFilter uses this list of authority certificates to validate the signature certificate.

CryptoFilter searches the file in the CERT folder, unless a full file name is given.

Collect the public certificate of the sender

If checked, CryptoFilter writes the certificate of the sender into the CERT\PUB directory.

The file name consist of the string db- and the e-mail address of the sender and the .pem extension.

This certificate can then be use to automatically encrypt all outgoing messages to the sender.

Log detailed S/MIME description

If this is enabled CryptoFilter shows a detailed description about the status of the S/MIME handling.

© 1996-2017 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
support@dataenter.co.at
2017-01-04 / Phone
2017-01-04 / Tablet
Changed: 2017-01-04
Server
Desktop
Copyright © 1996-2017 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
Fax: +43 (1) 2020770
support@dataenter.co.at