Mail Assure Admin Guide

Mail Assure

User Guide - Admin, Domain and Email Level

Getting Started 1

Useful Links 1

Accessing Mail Assure 1

User Permissions 3

Timeout Settings 4

Supported Web Browsers 4

Multi-admin control panel access and audit trail 4

Retrieve Log-in Link 6

Existing Account - Forgotten Password 7

Create New Email Account via the Retrieve Log-in Link 7

Send User Customized Link to Reset Password 7

Admin Level Control Panel 7

What do you want to do? 7

Domain Level Control Panel 8

Accessing the Domain Level Control Panel 8

Email Level Control Panel 8

Accessing the Email Level Control Panel 9

What do you want to do? 9

Using the 'Login as' Feature 9

Finish Login as Session 11

Start a Free 30-day Trial with Mail Assure 11

Application Overview 12

Navigating Mail Assure 12

Customize Dashboard 12 Mail Assure

Edit Dashboard Panel Group 13

Add a Widget 13

Reset to Default Dashboard Setting 13

Features Preview 14

List of features in Preview mode 14

API Logs (Preview) 14

Archive Usage (Preview) 15

Email Scout Report Templates (Preview) 16

Create Email Scout Report Template 17

View Incoming/Outgoing Reports from a Particular Template 25

On-demand Archive Index 26

What's New 27

New Navigation/Dashboard Feature Mapping 36

Admin Level Mappings 36

Domain Level Mappings 41

Email Level Mappings 45

FAQs 47

Troubleshooting Tips 49

Incoming mail is wrongly blocked 49

Incoming spam is getting through 49

Outgoing mail is wrongly blocked 50

Report Security Related Issues 51

What is Spam and who Sends it? 51

Why do Spammers Spam? 51

Who is Behind Spam? 51

How do I Restrict Direct Delivery of Spam? 52

Delivery Restriction Examples 52

Why was my Message Blocked as Spam? 52 How can I Protect Against Bounce Spam? 54

What Causes Bounce Spam? 54

Catchall Domains 55

SPF / DKIM 55

BATV Signing 55

I get a lot of Unwanted Newsletters - Should I Report These as Spam? 56

How can I Block Dangerous Attachments? 56

Access the Attachment Restrictions page 56

Block Attachments Containing Hidden Executables at Domain Level 56

Block Specific Extension Types 56

Block Password Protected Archives 57

Enable Scanned Link Extensions 57

What Local Issues may Cause Non-delivery of Mail? 57

Intrusion Detection Issues 57

ASA 5505 ESMTP Inspection Problems 57

Outdated Firmware Issues 57

Exchange (On Premise or Online) and Missing Mail Assure Headers 58

Lotus Domino Notes Outbound SSL Issue 58

DNS and HTTP proxy with Custom Host Names 58

DNS Issues 58

How to Count Users/Domains? 58

Incoming 58

Domain count 58

Valid recipient (mailbox) count 59

Outgoing 59

Outbound License usage 59

How to get outbound sender counts 60 Mail Assure

Can I Change the Name of a Domain? 60

How do I Request an Export of my Domain? 60

Common questions 60

Why can't I Find a Message in the Quarantine? 61

How can I View Email Headers in Different Email Applications? 61

Gmail 61

Juno Version 4+ 62

Lotus Notes / IBM Notes 62

Microsoft Outlook for Office 365, Outlook 2019, Outlook 2016, Outlook 2013, Outlook 2010, Outlook 2007 62

Microsoft Live Mail / Hotmail 62

Mozilla Thunderbird 62

Newswatcher 62

Opera Mail 62

Pine/Alpine 62

What are Recipient Callouts? 62

5xx destination server rejects 63

Existing recipients 63

Technical details 63

Enable recipient callouts 63

How can I Test the Mail Server is Working Properly? 64

Incoming Mail 64

Outgoing Mail 64

cPanel 64

Can I Blacklist/Whitelist Messages Based on Character Set? 65

Blacklist Messages Based on MIME Language 65

How do I Blacklist/Whitelist Messages by Country/Continent? 66

Blacklist Messages Based on Country 66 Does Mail Assure Use Greylisting? 67

How can an SPF Issue Block a Message? 68

Incoming messages blocked by the filtering server 69

Incoming messages blocked by the destination mail server 69

Webinterface telnet & LDAP sync IPs 69

Mail Assure SMTP delivery IPs 69

Outgoing messages blocked by the destination mail server 69

What is my SMTP Hostname? 69

EU/US/UK/AU/CA-only 70

Branded SPF hostname 70

Why Can't I Upload my Certificate or get an Error when Trying? 70

How do I Enforce TLS? 71

Incoming Filtering 71

Outgoing Filtering - the outgoing user that handled filtering needs to be provided as well 71

Why do my Released Messages not seem to be Getting Trained by the System? 71

How to Enable Exchange Protocol Logging? 72

Can I Query an Office 365 Account with LDAP to Pull in Users to Mail Assure? 72

What Details Should I Include when Opening a Support Ticket? 72

Domain Management 73

What do you want to do? 73

View Domain Overview 73

Add a Domain 74

Check your New Domain can Communicate with the Mail Server 75

Find Destination Server Hostname 76

Office 365 Destination Server Address 76

G Suite Destination Server Address 77

Local Mail Server Address 78 Mail Assure

Transfer Domain Between Admin Accounts 78

Domain Transfer 78

Forced Migration 79

Mailboxes Overview 79

What do you want to do? 80

Configuration Tab 80

Outgoing 80

Date/Time options 81

General 81

Incoming 81

Archiving 82

Mailboxes Tab 83

View mailboxes 83

Add mailbox 84

Edit one or multiple mailboxes 84

Switch off Filtering for Specific Mailbox (whitelist recipients) 84

Mailbox Aliases Tab 85

Add a mailbox alias 85

Catch all mail and direct to a single address 85

MX Records 85

Update Your MX Records in Your Domain Provider's DNS Settings 86

MX Verification Tool 87

LDAP Authentication and Synchronization 88

LDAP Authentication 88

LDAP Mailbox Sync 88

Set up LDAP Authentication 88

Configuring LDAP Mailbox Sync 91

Prerequisites for Using LDAP Synchronization 92 Set up LDAP Mailbox Sync Details 92

Set up Custom LDAP Mapping Rules 93

Export List of LDAP Mappings for Your Domains 94

Manage General Settings 95

Available Products 95

Server Settings 95

Default MX Hostnames 95

Incoming Filtering 96

What do you want to do? 96

Filtering Technology 97

SMTP Level Filtering 97

DATA Level Filtering 98

Virus Scanning 98

Pre-virusscan blocks 98

Attachment Filtering 98

Antivirus Engine 98

Sandboxing 99

View Incoming Bandwidth Overview 99

Incoming Log Search 99

Run Custom Log Search 100

Query Rules Panel 100

Actions Available on Log Search Results 103

Regenerate Index 104

Add Customized Action Using Log Search 105

Export Log Search Results 106

Create Email Scout Report 107

Email content 108 Mail Assure

Email Scout Report Templates (Preview) 110

View/Edit Email Scout Reports 119

Spam Quarantine 121

Enable the Quarantine 121

Access the Quarantine 122

View Domain Level Incoming Spam Quarantine 122

View Email Level Spam Quarantine 123

View Quarantined Message Content 124

Release Quarantined Messages 126

Release and Train Quarantined Messages 126

Release and Whitelist Quarantined Messages 128

Remove Messages from Quarantine 128

Remove and Blacklist Quarantined Messages 128

Manage Quarantine Filter Settings 129

Manage Domains and IPs with Disabled SPF, DKIM and DMARC Checks 131

Incoming Rejection Classifications 134

Temporarily Rejected (4xx SMTP response) 134

Rejected (5xx SMTP response) 136

Messages that are rejected without being quarantined 140

Accepted (2xx SMTP response) 141

Manage Domain Aliases 142

To add a domain alias: 142

Configure Domain Settings 142

Rejected Local Part Characters 143

Manage Destinations 143

Add Destination 144

Perform Network Checks on Destination Server 145

View Domain Statistics (Incoming) 145 Report Spam 147

Train Spam 147

Train Not Spam 147

Report Spam Using the Thunderbird Add-on 148

To install the Thunderbird add-on 148

Report a Spam Message using Thunderbird 148

Report Spam Using MailApp for Apple OSX 148

Install the SpamReporter tool 149

Report Spam using the Mail App 149

Remove SpamReporter app from OSX Device 149

Report Spam - Forward Email as Attachment 149

Report Spam via IMAP 149

Report Spam via Browser-based Email Client 149

Install Add-on and Script 150

Reporting from Browser-based Email Client 150

Clear Callout Cache - Incoming 150

Customize Actions 150

Add Customized Action 151

Delivery Details 151

Email Restrictions 152

Manage Attachment Restrictions 152

Manage Email Size Restriction 155

Outgoing Filtering 157

What do you want to do? 157

View Outgoing Bandwidth Overview 157

Outbound Spam Monitoring 158

Best Practise for Smarthost Users 158 Mail Assure

Managing Outgoing Spam 158

Outgoing Log Search 158

Manually Lock Identity from Outgoing Log Search 159

Outgoing Reports page 160

Manually Lock Identity from the Outgoing Reports Page: 160

Automatic Locking 160

ARF reports 161

ARF parser 161

Manage Identities 161

Manage Lock Templates 162

Manually Add Lock Template 162

Manage Outgoing Users 163

Add an Outgoing User 164

Edit an Outgoing User 167

Outgoing Identity Setup 168

Configure Identity Header Identification Method in Mail Assure and Your MTA 168

Set up Outgoing User Authentication for Multiple Domains Sending from the Same IP Address 171

Generate Outgoing Report 171

Outgoing Blacklist Filtering Rules 172

View Outgoing Blacklist Filtering Rules 172

Add Outgoing Blacklist Filtering Rule 173

Outgoing Log Search 177

DKIM Certificate Generation 177

Why should I use DKIM? 177

How does it work? 177

What do you sign by default? 178

Generate a DKIM certificate in the Mail Assure Control Panel 178

How can I set DKIM up via command line? 178 Prerequisites 178

Create keys 179

Create a DNS record 179

Configure the keys 179

Email Scout Report

This is the email scout report for {{ destination }}, sent at {{ format_time( now ) }}.

{% for label,column,column_format in column_order if column in columns %} {% endfor %}

{% for object in objects %}

- 22 - {% for label,column,column_format in column_order if column in columns %}

{% endfor %} {% endfor %}

{{ label }}	View message
{% if not object[column] %} {{ "" }} {% elif column_format == "date_format" %} {{ format_date(object[column]) }} {{ format_ time(object[column]) }} {% elif column_format == "escaped" %} {{ object.get(column, "")\|replace(".", "."\|safe) }} {% elif column_format == "decoded" %} {{ decode_idna(object.get(column, ""))\|replace(".", "."\|safe) }} {% elif column_format == "size" %} {{ object.get(column)\|filesizeformat }} {% elif column_format == "status" %} {{ object[column]\|replace("-", " ")\|title }} {% else %} {{ object.get(column) }} {% endif %}	{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %} - 23 -

View message

{% if not object[column] %} {{ "" }} {% elif column_format == "date_format" %} {{ format_date(object[column]) }} {{ format_ time(object[column]) }} {% elif column_format == "escaped" %} {{ object.get(column, "")|replace(".", "."|safe) }} {% elif column_format == "decoded" %} {{ decode_idna(object.get(column, ""))|replace(".", "."|safe) }} {% elif column_format == "size" %} {{ object.get(column)|filesizeformat }} {% elif column_format == "status" %} {{ object[column]|replace("-", " ")|title }} {% else %} {{ object.get(column) }} {% endif %}

{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %}

- 23 -

8. Click Save. The new template is placed in the Templates tab irrespective of the tab from which it was copied. The following shows the Email Scout Report email using the example content shown above:

- 24 - If you are familiar with the Jinja templating language, you can create a completely new template by clicking on the + Add template link at the top of the page and adding your own content.

View Incoming/Outgoing Reports from a Particular Template You can find out what Email Scout Reports are using any of your templates:

1. At the Admin Level, select Reporting > Email Scout Report templates (Preview). 2. In the Templates or Recommended Templates tab, click on Show Results to display all existing templates. 3. From the dropdown to the left of a template, select Incoming reports using this template or Outgoing reports using this template:

- 25 - The Email Scout Reports page is displayed showing search results for the Template equals query. On-demand Archive Index

To be able to search within message text and attachment content using the message content filter in the Log Search page, you need to generate an archive index.

This feature is only available with Features Preview enabled.

1. At the Domain or Email Level, select Archiving > On-demand Archive Indexes (Preview). 2. Click on the Create an on-demand archive index button. 3. In the pop-up, enter the start and end date of the time range that you want to index and click Generate.

- 26 - What's New

11th February 2019

n Improved OAuth2/OpenID Connect (SSO) support for Email Level users - The OAuth2/OpenID Connect feature which provides a Single Sign-on (SSO) service for email users has been significantly improved and now works with common identity providers such as Office 365. The feature is only available to Admin accounts with a custom branded hostname. See: n Configure OAuth/OpenID Connect Settings n Configure SSO/OAuth with Office 365 n Configure SSO/OAuth with Google

28th January 2019

n LDAP mailbox sync mapping with LDAP username - Where LDAP username authentication is required, the new LDAP username mapping feature allows users, who may be unaware of their username, to sign in to the system using their email address. The feature maps the username to the email address to allow this to happen. See Set up Custom LDAP Mapping Rules.

14th January 2019

n Improvements to the LDAP Mailbox Sync page - The page now shows consistency in text alignment. See Configuring LDAP Mailbox Sync.

17th December 2018

n Restructure of the Navigation panel and Dashboard - The groupings have been re- arranged in a more logical and user-friendly way. Some less commonly used features which existed in the old Dashboard no longer appear in the new Dashboard, but these can still be accessed in the Navigation panel. Groupings and content vary between the Admin, Domain and Email Level Control Panels to better reflect the tasks carried out at each of these levels. The following topic describes the new structure and the corresponding previous grouping in the old Navigation/Dashboard - New Navigation/Dashboard Feature Mapping. n Archived Mailboxes management moved to Mailboxes Overview - The enabling and disabling of email archiving for mailboxes is fully supported via the Mailboxes Overview pages. As it is no longer needed, the legacy, Archived Mailboxes page has been removed. 3rd December 2018

n Internal API logging exposed at admin level (Preview) - With Features Preview enabled, Admin users can now view internal activity logs at admin level, in the Server > Logs (Preview). See API Logs (Preview).

19th November 2018

n Control Panel login available with domain or email alias - You can now log in to the Control Panel using a domain or email alias. The system automatically looks for and authenticates as the related main mailbox or domain.

- 27 - n Mail Delivery Queue extension from 4 to 14 days - Mail Assure will queue legitimate emails and retry delivery if the destination mailserver environment is unavailable. The queue time has been extended from 4 to 14 days, which applies to mailboxes listed in the Mailboxes tab (see Mailboxes Overview) for domains that are configured to accept mail only for listed mailboxes (when the destination mailserver is unreachable, automatic validation is not possible). See Message Queueing. n Email Scout Report Edit feature now available - You can now edit existing Email Scout Reports. See View/Edit Email Scout Reports.

12th November 2018

n Recipient Whitelist changes: n At the Domain Level, whitelisted recipients have been moved to the Mailboxes Overview page - In order to have a single place to manage mailboxes whose incoming mail should not be filtered, all whitelisted recipients now show as mailboxes in the General > Mailboxes Overview > Mailboxes tab with incoming filtering switched off. See Switch off Filtering for Specific Mailbox (whitelist recipients). The Recipient Whitelist at the domain level now only displays recipients whitelisted at the Admin Level. n At the Admin Level, the Recipient whitelist remains for whitelisting recipients (see Whitelist Recipient for All Domains) but you can also use the Mailbox Overview pages to switch filtering off for specific mailboxes at Admin Level as well as Domain Level. n Email Scout Report improvements: n A new feature that allows you to view incoming / outgoing Email Scout Reports which use a specific template is now available from the Email Scout Reports Templates (Preview) page. See View Incoming/Outgoing Reports from a Particular Template. n The Email Scout Reports page offers a new Edit template action which opens the template a report uses. n Rejection change from permanent to temporary for 'unknown domains' - Emails sent to domains that have not been added (yet) to the platform, are now temporarily rejected with a 451 SMTP response 'relay not permitted!'. This has changed from the previous 550 permanent rejection.

To see all pages in Preview mode, ensure you have Features Preview enabled.

29th October 2018

n Email Scout Report (ESR) improvements n When creating an ESR at the Admin Level, you can now specify which domains you want to include in your Email Scout Report. The report will include mail filtered for all mailboxes in the listed domain(s). See Create Email Scout Report. n New Automatic Email Scout Reports tab in the Email Scout Reports page - This new tab contains a list of all ESRs configured in the Incoming > Domain Settings page. See View/Edit Email Scout Reports.

- 28 - n The Email Scout Reports Templates (Preview) page has a new tab - Automatic Email Scout Report Activation Messages - This tab lists all existing ESR templates that are set up for the ESR activation messages. You can copy existing ones, create new ones and edit and remove any custom templates. See Email Scout Report Templates (Preview). n Expansion of custom whitelist/blacklist filtering rules - You can now create custom filtering rules for your whitelist or blacklist based on whether messages are from a known social media provider (e.g. Twitter, Facebook), or messages are newsletters/mailing list/bulk messages. 8th October 2018

n Improved Email Scout Report button name - The Save button in the Setup Email Scout Report dialog has been renamed to Schedule to better reflect the action when creating an Email Scout Report. See Create Email Scout Report.

1st October 2018

n Expansion of region choice for newly added domains - The Australia (AU) and Canada (CA) regions are now available when adding a new domain in Mail Assure. These two additions expand on the existing (default) Global region and the EU, UK and US regions. See Add a Domain. n OAuth 2/OpenID Connect is now available to Email Level users - OAuth SSO authentication is now not only available to Admin Level users but also to Email Level users. This means that both sets of users can use OAuth settings to set up authentication with another set of credentials e.g. Google authentication. See Configure OAuth/OpenID Connect Settings.

24th September 2018

n Improved User Profile page for OAuth users - If OAuth is set up on your system, the Users Profile page now separates your local Mail Assure log in credentials from your OAuth Single Sign On (SSO) change password option. See Manage Your Admin User Profile.

17th September 2018

n Email Scout Reports improved configuration options - When creating Email Scout Reports, a new Delivery Options panel provides more flexibility in defining the frequency and timing of your reports. See Create Email Scout Report.

10th September 2018

n LDAP authentication now can use local credentials - When using LDAP authentication, if the LDAP server cannot be reached, or an error (other than authentication failing) occurs, the provided username/password will be checked against the local control panel credentials as well. n View delivery queue earliest delivery attempt time - You can now see the earliest time that an automatic delivery attempt will be made for messages in the Incoming Delivery Queue. To do this, add the Earliest next delivery attempt column in the log search page. This calculation impacts performance, so you need to click the button in the rows that you are interested in to see the corresponding value. See View Earliest Time an Automatic Delivery Attempt Will be Made.

- 29 - This is only the earliest possible time. The actual delivery attempt may be later, depending on factors like server load for example.

3rd September 2018

n The following pages are moving out of Features Preview into General Release bringing improved user-friendly navigation and new functionality: n Incoming / Outgoing Log Search - Improved filtering and more tasks available on log search results. See Incoming Log Search and Outgoing Log Search. n Spam Quarantine - Opens the new Incoming Log Search page filtered to show all messages with the 'Quarantined status' selected. See Spam Quarantine. n Incoming Delivery Queue - Opens the new Incoming Log Search page filtered to show all messages with the 'Queued' and 'Delivery failed' status. Use this page to view messages queued when the delivery attempt to the destination server returns a temporary failure. See View Incoming Delivery Queue. n Email Scout Reports - A new page and a new direct link from the Navigation Panel and Dashboard - See View/Edit Email Scout Reports. n Delivery Details - Troubleshoot message delivery problems. See Delivery Details. n Customise Actions - Customize actions for specific types of message. For example, for messages that are failing the SPF check, you can add rules to ensure that these messages are rejected immediately instead of being placed in the quarantine. See Customize Actions. n A new Log search feature allows you to train messages as spam - This is only available if the Archiving product is enabled. See Incoming Log Search and Outgoing Log Search.

27th August 2018

n Domain Aliases page out of Preview mode - The new Domain Aliases page is now available to all users and boasts improved searching functionality. See Manage Domain Aliases.

13th August 2018

n The Log Search (Preview) now allows you to generate a search index for archived messages - At Domain level you can now search message content of archived messages and attachments. This function is similar to the Create index feature on the old Archive Status page. See Regenerate Index.

6th August 2018

n Internally generated messages now visible in the log and archive searches - Previously, messages that were generated internally, such as Email Scout Reports, were not visible in either the log search or the archive search (if relevant). The handling of these messages has been adjusted to make them visible from both searches. 23rd July 2018

n Email Scout Report 100 result limit - Email Scout Reports are now limited to 1000 results to avoid sending excessively large emails. n The Outgoing Log Search (Preview) now includes 'Blacklist sender' as an action. You can now choose to blacklist a sender from the outgoing log search results listed after running a search.

- 30 - 16th July 2018

n Region choice for newly added domains - When adding a domain to Mail Assure, you now have the option to restrict processing of the domain's messages to the data centers for a specific geographic region. See Add a Domain.

9th July 2018

n Destinations page replaces old Edit Route(s) page - The Destinations page is now out of Features Preview mode and replaces the old Edit Route(s) page - In this page you can add and manage your destination mail server(s) and check if there are any network issues. See Manage Destinations. n Region-specific MX Records for the UK - The inclusion of the UK to our list of region- specific MX records, alongside US and EU. These region-specific MX records are used where there is a requirement to route data through a specific geographic territory. See MX Records, What is my SMTP Hostname? and Setting up Your SMTP Hostname.

2nd July 2018

n Email Scout Report Templates (Preview) - You can now add and edit your own custom ESR templates. See Email Scout Report Templates (Preview).

25th June 2018

n New Email Scout Reports link in Navigation panel and Dashboard - With Features Preview enabled, a direct link to the Email Scout Reports is now available from the Navigation panel and Dashboard. 11th June

n New option to manually configure the 'catch-all' status of a domain - A domain's catch- all status (whether it is configured to accept mail from unknown mailboxes) is automatically detected by the system. This new option allows you to manually configure this status if, for example, the status has changed or has been wrongly detected. See Mailboxes Overview.

4th June 2018

n Improved Email Scout Reports UI - The Email Scout Reports page has been improved to be consistent with other new pages. When you click on a report, it opens in the Log Search page with the correct filters applied and the Show results button activated to display all matching results. n Improved automatic Email Scout Report unsubscribing - Unsubscribing from an Email Scout Report now only unsubscribes from that report and not from all automatic ESRs. n An improved Destinations page replaces the Edit Routes page with Features Preview enabled. See Manage Destinations.

21st May 2018

n Edit Multiple Mailboxes Simultaneously - You can now manage the mailbox settings for more than one mailbox simultaneously. See Edit one or multiple mailboxes.

14th May 2018

- 31 - n Last login now displayed when using the Retrieve log-in link feature - The Last login field is now updated when logging in via the Retrieve Log-in Link. n The Email Scout Report message action page now uses domain's timezone - The message's date and time is now displayed in the domain's timezone in the Message actions page of the Email Scout Report. See Log Search Report - Email content. n New 'View all delivery attempts' action available in the Log Search (Preview) page - Allows you to view all delivery attempts for a specific message. 30th April 2018

n Mailboxes Overview out of 'Preview' mode - This page allows you to enable/disable default filtering for mailboxes, and to overrule the default setting per mailbox, if required. This feature is now available from the Admin and Domain Level Control Panels to all users and not just those with Features Preview enabled. See Mailboxes Overview. n LDAP authentication custom BindDN formatter - When allowing email users to authenticate via LDAP, the BindDN can now be customized to allow for Active Directory setups using a different domain for the user logic. 16th April 2018

n Manual LDAP Sync and Preview Page now available - A new preview page allows you to preview LDAP sync changes (e.g. mailbox/aliases added, removed and updated) and perform a manual LDAP sync. See LDAP Sync Preview.

9th April 2018

n The LDAP Mailbox sync is now available to all users and not just those with Feature Preview enabled. See Configuring LDAP Mailbox Sync. n Updated Archive Usage page for users with Feature Preview enabled. This new page allows you to search your domains for archive usage information. n The Lock Notification Templates feature is now available to all users. This feature allows you to manage and customize the email notification that is sent when outgoing users / identities are automatically locked. See Manage Lock Templates.

26th March 2018

n Daily Email Scout Reports cannot be auto-enabled for domains with catch-all on their destination server. This is to avoid generating reports for invalid email addresses. See Domain Settings for more information. n New Delivery Details page - If you have Features Preview enabled, you can see this new page in the Incoming and Outgoing sections. Each attempt the filter makes to deliver a message, a log entry is created with details about the delivery attempt. This allows you to diagnose message delivery problems.

12th March 2018

New 'Filter by default' option in the 'Mailbox overview (preview)' page - If the Features preview option is enabled in your user profile, you have access to the new Mailbox overview (preview) page at the domain level. By default, any detected mailbox is filtered. You can now choose to prevent this by disabling the Filter by default option.

- 32 - If the Filter by default box is unchecked, all mailboxes set to the default will not be secured unless filtering is explicitly enabled.

5th March 2018

n Global Journal Address - This is a custom address available for each domain which you must add if you want to set up Journaling without using our Filtering system. You can set this up in the Archive > Status page at the Admin level. n Auto-enable Daily Email Scout Reports - This option automatically enables Email Scout Reports for all recipients in a domain. You can choose to have the reports delivered to recipients up to three times a day. You can do this from the Domain level in the Incoming > Domain Settings page.

26th February 2018

New Mailbox Overview page - With Features Preview enabled, you can see the new Mailbox Overview pages. These pages replace the existing Local Recipients page with the Mailbox tab, and the existing Email Address Aliases page with the Mailbox Aliases tab.

In the Configuration tab, you can choose automatic discovery or manual management of mailboxes or automatic synchronization with LDAP. You can also specify a maximum number of mailboxes for the domain. This tab is only available at Domain level to Admin and Domain users. You can also add, import and export mailboxes and mailbox aliases at the Admin Level and the Domain Level.

19th February 2018

n The archive expiry maximum has increased from 1000 to 10000 days - see Manage Archive Settings n Archived recipients configuration now only applies to messages archived by the incoming filter, not the outgoing filter - see Restrict Archiving to Specific Mailboxes n LDAP mailbox sync - Now in Feature's preview mode.

12th February 2018

- 33 - Synchronize local recipient list and email aliases via LDAP - Instead of using the incoming filter's automatic detection of destination mailboxes (local recipients) or manually managing the destination mailboxes, this feature allows you to synchronize your mailbox list (local recipients) with the mailboxes and aliases configured on your LDAP server.

Enable this in the new LDAP Mailbox Sync feature at the domain level.

In order for this to work, you must ensure that Use Local Recipients is enabled in Incoming > Local recipients.

5th February 2018

New Admin tab added to Sender/Recipient Whitelist and Blacklist. Anything applied on this tab applies to all domains underneath this Admin account. See .

29th January 2018

Reset Branding to Defaults - A new Reset button allows you to reset any branding changes you have made back to the original defaults. See Branding Management.

22/01/2018

Combining domain and email aliases - It’s now possible to use both an email and a domain alias in the same address. For example, if the domain example.org is an alias for the primary domain example.com, and example.com has an email alias example_alias@ for the primary mailbox example@, then: n [email protected] is an alias for [email protected] n [email protected] is an alias for [email protected] n [email protected] is an alias for [email protected]

15/01/2018 New features

n Improved Domain Alias Page - The Domain Aliases page now allows you to set up filters in the Query Rules panel to allow searching for aliases easier. See Manage Domain Aliases. n Outgoing Sender Blacklist - You can now manage the Sender blacklist for outgoing mail from the Admin and Domain Level Control Panels. See Manage Outgoing Sender Blacklist.

08/01/2018

New features:

n Automatic Creation and Management of HTTPS Certificates - A new HTTPS SSL certificate section added to the Branding page has the new option 'Generate and manage a TLS certificate for me via Let's Encrypt'. Choosing this option means that you will not need to go through the lengthy manual set up process which involves generating a CSR, requesting a certificate (and any intermediate certificates) from a Certificate Authority (CA) and uploading to the system. The system will do this automatically for you including

- 34 - renewing certificates when they expire. See Branding Management - System Generation and Management of TLS Certificate. n Temporary Log Search - The new Temporary Log Search feature allows you to view logs for outgoing mail which has not completed processing but may already have been delivered. These files do not show up in the standard Log Search because this would slow down the search significantly. Access this from the Admin or Domain Level Control Panels from Outgoing > Temporary log (preview). See Log Search (Preview).

This is currently only available in Preview mode and can only be accessed by Admin users with 'Features preview' enabled in the User's profile page.

25/12/2107 New features:

Location and Language added as Match Types for Custom Filtering Rules - You can now create Custom Filtering Rules based on specific languages and locations. This allows you to block / allow messages by sender location and by the language of the content. You can use these in the Simple and Advanced versions of the pages. See:

n Incoming Whitelist Filtering Rules n Incoming Blacklist Filtering Rules n Outgoing Blacklist Filtering Rules

18/12/2017 Here are this week's new features:

n New Sender/Recipient Whitelist/Blacklist pages - The new sender and recipient whitelist and blacklist pages have moved out of 'preview' this week. The new pages offer more flexibility when searching for addresses that are whitelisted or blacklisted, load faster, and are more consistent with the rest of the new pages in the control panel. See . n Customizable Dashboard - Users at Admin and Domain level are now able to customize the links that appear in the dashboard. You can move groups of links around, add or remove links from a group (including links to external pages e.g. your knowledge base or your own support system), and add or remove groups. The customizations that you make are saved for you personally, and do not impact any other users. See Customize Dashboard. n Improved Quarantine Link - Users who have ‘Features preview’ enabled have a new quarantine page (both incoming and outgoing). Rather than a completely separate system, the quarantine link takes you to a customized Log Search page, with all filters and columns selected for viewing the quarantine. Users already familiar with the Log search will find this much easier to use. The new quarantine page is also much more customizable than the old, and more compact when viewing results. All the actions available in the old quarantine pages are also available via the preview Quarantine Log Search pages. 04/12/2017 Here are this week's new features:

n Custom Filtering Rules out of Preview and on general release - New custom Whitelist/Blacklist Filtering Rules allow you to allow or block domain-specific incoming or

- 35 - outgoing mail. See last week's release details below for more information. n Unsubscribe action now available in Email Scout reports - Report recipients can choose to unsubscribe from Email Scout Reports. 27/11/2017 Here are the new features in this latest version of Mail Assure:

n New Whitelist/Blacklist Filtering Rules for Incoming/Outgoing Mail - Set up custom rules to allow or block domain-specific incoming or outgoing mail (this is currently in Preview mode and can only be accessed by Admin users with 'Features preview' enabled in the User's profile page): n Incoming Whitelist Filtering Rules n Incoming Blacklist Filtering Rules n Outgoing Blacklist Filtering Rules You can also choose to use the 'advanced' Add Rule dialog (instead of the default 'simple' dialog), by activating/inactivating the advanced dialog in the Admin or Domain User Profile pages: n Manage Your Admin User Profile n Manage Your Domain User Profile New Navigation/Dashboard Feature Mapping

This 17th December release of Mail Assure brings a restructure to the Navigation panel and Dashboard. The groupings have been re-arranged in a more logical and user-friendly way. Some less commonly used features which existed in the old Dashboard no longer appear in the new Dashboard, but these can still be accessed in the Navigation panel. Groupings and content vary between the Admin, Domain and Email Level Control Panels to better reflect the tasks carried out at each of these levels. The following mappings describe the new structure and the corresponding, previous grouping in the old Navigation Panel/Dashboard. They also show whether each feature is available from the new default Dashboard (Remember - if not available in the Default Dashboard, all features can be found from the new Navigation panel):

n Admin Level Mappings n Domain Level Mappings n Email Level Mappings Admin Level Mappings

In Default New Group- Item New Dash- Old Groupings ings board

General Domains Y Domains > overview Overview

- 36 - In Default New Group- Item New Dash- Old Groupings ings board

Add domain N Domains > Add Domain

Mailboxes Y Domains > overview Mailboxes Overview

LDAP mailbox N Incoming > LDAP sync Mailbox Sync

Domain aliases Y Incoming > Domain Aliases

Settings Y Server > Settings

MX verification N Domains > MX tool verification tool

Reporting Email Scout N Incoming > Email Reports - Scout Reports incoming (incoming mail)

Email Scout N Outgoing > Email Reports - Scout Reports outgoing (Outgoing mail)

Email Scout Y Others > Email Report templates Scout Report Templates (Preview)

Lock notification Y Outgoing > Lock templates Templates

Outgoing reports N Outgoing > Outgoing Reports

Incoming Logs Y Incoming > Log Search

Delivery details Y Incoming > Delivery details

Spam Y Incoming > Spam quarantine quarantine

Destinations Y Incoming > Destinations

- 37 - In Default New Group- Item New Dash- Old Groupings ings board

Bandwidth N Incoming > overview Bandwidth overview

Global statistics N Incoming > Global statistics

Incoming - Recipient Y Whitelist/Blacklist Protection whitelist > Recipient Settings Whitelist

Recipient blacklist Y Whitelist/Blacklist > Recipient Blacklist

Sender whitelist Y Whitelist/Whitelist > Sender Whitelist

Sender blacklist Y Whitelist/Blacklist > Sender Blacklist

Whitelist N Incoming > filtering rules Whitelist Filtering Rules

Blacklist filtering N Incoming > Blacklist rules Filtering Rules

Customise N Incoming > actions Customise Actions

Outgoing Manage users Y Outgoing > Manage Users

Manage Y Outgoing > identities Manage

Logs Y Outgoing > Log Search

Unrecognised Y Outgoing > domains log Temporary Log

Delivery details Y Outgoing > Delivery Details

Spam Y Was accessed quarantine from the Outgoing

- 38 - In Default New Group- Item New Dash- Old Groupings ings board

Log Search with the 'Quarantined' filter applied.

Bandwidth N overview

Outgoing - Sender blacklist Y Whitelist/Blacklist Protection > Sender Blacklist Settings

Blacklist filtering N Outgoing > Blacklist rules Filtering Rules

Customise N Was only available actions from Incoming

Archiving Usage Y Archive > Usage

Search - N Archive > Search - incoming Incoming

Search - outgoing N Archive > Search - Outgoing

Settings N Was only available at Domain Level

Continuity Delivery queue - N Incoming > Delivery incoming Queue

Delivery queue - N Was only available outgoing as Incoming > delivery queue

Compose email N Others > Compose Email

Network tools Y Others Network Tools

Users & OAuth settings Y Private Label > Permissions OAuth Settings

Manage admins Y Webinterface Users > Manage admins

Manage domain Y Webinterface Users

- 39 - In Default New Group- Item New Dash- Old Groupings ings board

users > Manage domain users

Manage email N Webinterface users Users > Manage email users

Manage Y Webinterface users permissions > Manage permissions

User settings Y Webinterface users > User settings

Branding Branding Y Private Label > management Branding Management

Protection Y Private Label > Report Protection Report templates Templates

Email Y Server > Email notifications Notifications templates Templates

Certificates N Part of the Private Label > Branding Management page

Development Control panel API N Server > Control calls Panel API Calls

API calls history N Server > API Calls history

API (preview) N API Logs page accessible from Server > Logs (Preview)

My Settings User Profile N Others > User's profile

- 40 - Domain Level Mappings

In Default New Group- Item New Dash- Old Groupings ings board

General Mailboxes Y Domains > overview Mailboxes Overview

LDAP mailbox Y Incoming > LDAP sync Mailbox Sync

Domain aliases Y Incoming > Domain Aliases

Train Spam N Incoming > Train Spam

Train Not Spam N Incoming > Train Not Spam

Reporting Email Scout Y Incoming > Email Reports - Scout Reports incoming (incoming mail)

Email Scout Y Outgoing > Email Reports - Scout Reports outgoing (Outgoing mail)

Protection Report N Was Protection - send now reports > On- demand domain report

Protection N Was Protection Report - domain reports > Periodic domain report

Protection N Was Protection Reports - mailbox reports > Periodic User Report

Domain report N Was Protection actions reports > Domain Report Actions

Incoming Logs Y Incoming > Log Search

Delivery details Y Incoming > Delivery details

- 41 - In Default New Group- Item New Dash- Old Groupings ings board

Spam quarantine Y Incoming > Spam quarantine

Domain Settings Y Incoming > Domain Settings

Destinations Y Incoming > Destinations

Domain N Incoming > statistics Domain statistics

Incoming - Recipient whitelist Y Whitelist/Blacklist > Protection Recipient Whitelist Settings

Recipient Y Whitelist/Blacklist blacklist > Recipient Blacklist

Sender whitelist Y Whitelist/Whitelist > Sender Whitelist

Sender blacklist Y Whitelist/Blacklist > Sender Blacklist

Whitelist filtering Y Incoming > rules Whitelist Filtering Rules

Blacklist filtering Y Incoming > rules Blacklist Filtering Rules

Customise Y Incoming > actions Customise Actions

Filter Settings Y Was Incoming > Filter Settings

Attachment Y Was Email Restrictions Restrictions > Attachment Restrictions

Email Size N Was Email Restrictions Restrictions >

- 42 - In Default New Group- Item New Dash- Old Groupings ings board

Email Size Restriction

Outgoing Manage users Y Outgoing > Manage Users

Manage Y Outgoing > identities Manage

Logs Y Outgoing > Log Search

Unrecognised Y Outgoing > domains log Temporary Log

Delivery details Y Outgoing > Delivery Details

Spam quarantine Y Was accessed from the Outgoing Log Search with the 'Quarantined' filter applied.

Settings Y Outgoing > Settings

DKIM N Was accessed from a link in the Incoming > Filter Settings page

SPF N Was accessed from a link in the Incoming > Filter Settings page

Domain N Outgoing > Statistics Domain Statistics

Outgoing - Sender blacklist Y Whitelist/Blacklist > Protection Sender Blacklist Settings

Blacklist filtering N Outgoing > rules Blacklist Filtering Rules

Customise N Was only available

- 43 - In Default New Group- Item New Dash- Old Groupings ings board

actions from Incoming > Customise Actions

Archiving Settings Y Archive > Settings

Search - incoming Y Archive > Search - Incoming

Search - Y Archive > Search - outgoing Outgoing

Status N Archive > Status

Export N Archive > Export

Continuity Delivery queue - Y Incoming > Delivery incoming Queue

Delivery queue - Y Was only outgoing available as Incoming > delivery queue

Compose email N Others > Compose Email

Network tools Y Others Network Tools

Clear callout Y Was Incoming > cache - incoming Clear callout cache

Clear callout Y Was Outgoing > cache - outgoing Clear callout cache

Users & Manage email Y Webinterface Users Permissions users > Manage email users

Manage Y Webinterface permissions users > Manage permissions

Development API calls history N Server > API Calls history

My Settings User Profile N Others > User's profile

- 44 - Email Level Mappings

In Default New Group- Item New Dash- Old Groupings ings board

General Train Spam Y Was Incoming > Train Spam

Train Not Spam Y Was Incoming > Train Not Spam

Reporting Email Scout Y Incoming > Email Reports - Scout Reports incoming (incoming mail)

Email Scout Y Outgoing > Email Reports - Scout Reports incoming (outgoing mail)

Protection N Was Protection reports Report > Periodic User Report

Protection Logs - Incoming Y Incoming > Log Search

Logs - Outgoing Was Outgoing > Log Search

Delivery details - Y Incoming > Delivery Incoming details

Delivery details N - Outgoing

Spam N Incoming > Spam quarantine quarantine

Sender Y Was whitelist - Whitelist/Whitelist Incoming > Sender Whitelist

Sender blacklist - Y Was Incoming Whitelist/Whitelist > Sender Blacklist

Archiving Search - Y Archive > Search - incoming Incoming

Search - Y Archive > Search - outgoing Outgoing

- 45 - In Default New Group- Item New Dash- Old Groupings ings board

Export Archive > Export

Continuity Delivery queue - N Incoming > Delivery incoming Queue

Delivery queue - Y Was only available outgoing as Incoming > delivery queue

Compose email Y Others > Compose Email

Network tools N Others Network Tools

My Settings User Profile N Others > User's profile

- 46 - FAQs

Troubleshooting Tips 49

Incoming mail is wrongly blocked 49

Incoming spam is getting through 49

Outgoing mail is wrongly blocked 50

Report Security Related Issues 51

What is Spam and who Sends it? 51

Why do Spammers Spam? 51

Who is Behind Spam? 51

How do I Restrict Direct Delivery of Spam? 52

Delivery Restriction Examples 52

Why was my Message Blocked as Spam? 52

How can I Protect Against Bounce Spam? 54

What Causes Bounce Spam? 54

Catchall Domains 55

SPF / DKIM 55

BATV Signing 55

I get a lot of Unwanted Newsletters - Should I Report These as Spam? 56

How can I Block Dangerous Attachments? 56

Access the Attachment Restrictions page 56

Block Attachments Containing Hidden Executables at Domain Level 56

Block Specific Extension Types 56

Block Password Protected Archives 57

Enable Scanned Link Extensions 57

What Local Issues may Cause Non-delivery of Mail? 57

Intrusion Detection Issues 57

ASA 5505 ESMTP Inspection Problems 57

Outdated Firmware Issues 57

Exchange (On Premise or Online) and Missing Mail Assure Headers 58

Lotus Domino Notes Outbound SSL Issue 58

- 47 - DNS and HTTP proxy with Custom Host Names 58

DNS Issues 58

How to Count Users/Domains? 58

Incoming 58

Outgoing 59

Can I Change the Name of a Domain? 60

How do I Request an Export of my Domain? 60

Why can't I Find a Message in the Quarantine? 61

How can I View Email Headers in Different Email Applications? 61

Gmail 61

Juno Version 4+ 62

Lotus Notes / IBM Notes 62

Microsoft Outlook for Office 365, Outlook 2019, Outlook 2016, Outlook 2013, Outlook 2010, Outlook 2007 62

Microsoft Live Mail / Hotmail 62

Mozilla Thunderbird 62

Newswatcher 62

Opera Mail 62

Pine/Alpine 62

What are Recipient Callouts? 62

5xx destination server rejects 63

Existing recipients 63

Technical details 63

Enable recipient callouts 63

How can I Test the Mail Server is Working Properly? 64

Can I Blacklist/Whitelist Messages Based on Character Set? 65

Blacklist Messages Based on MIME Language 65

How do I Blacklist/Whitelist Messages by Country/Continent? 66

Blacklist Messages Based on Country 66

Does Mail Assure Use Greylisting? 67

How can an SPF Issue Block a Message? 68

- 48 - Incoming messages blocked by the filtering server 69

Incoming messages blocked by the destination mail server 69

Outgoing messages blocked by the destination mail server 69

What is my SMTP Hostname? 69

EU/US/UK/AU/CA-only 70

Branded SPF hostname 70

Why Can't I Upload my Certificate or get an Error when Trying? 70

How do I Enforce TLS? 71

Why do my Released Messages not seem to be Getting Trained by the System? 71

How to Enable Exchange Protocol Logging? 72

Can I Query an Office 365 Account with LDAP to Pull in Users to Mail Assure? 72

What Details Should I Include when Opening a Support Ticket? 72 Troubleshooting Tips

If you are having problems with incorrectly blocked messages or spam that has passed through the filters, there are some things you can check yourself to resolve any issues:

n Incoming mail is wrongly blocked n Incoming spam is getting through n Outgoing mail is wrongly blocked Incoming mail is wrongly blocked

1. Check the "Evidence" header in the spam quarantine: a. In the Domain Level Control Panel, select Incoming - Spam Quarantine . b. Locate the message and click on the Subject link to open the Mail Preview dialog. c. Open the Raw tab and check the 'Evidence' header for information about why it was blocked. Use the Incoming Rejection Classifications page for more details on message rejection. 2. Ensure you release and train any wrongly blocked messages from the quarantine so the system learns that this is a classification mistake and the messages are delivered. See Release and Train Quarantined Messages. 3. If messages continue to get wrongly blocked, open a support ticket with us providing the domain name so we can analyze the released messages for more details. Incoming spam is getting through

1. Ensure that the domain's Filter Settings are correctly set up. We recommend the default values, however, please ensure that these are set correctly for your domain.

- 49 - a. In the Domain Level Control Panel, select Incoming - Protection Settings > Filter Settings. The system defaults are: n Quarantine enabled = yes

n Quarantine threshold = 0.9

n Beneficial to train threshold = 0.1

n Quarantine response = Rejected b. If you want to reset to the default values, click on the Reset to defaults button at the bottom of the page. 2. Ensure that the sender/recipient whitelists do not contain your own domain, or any domains or addresses from which you do not want to receive unfiltered mail. See Manage Incoming Sender Whitelist and Manage Recipient Whitelist. 3. Ensure that the outgoing sender blacklist does not contain your own domain, or any domains or addresses from which you want mail to be sent. See Manage Incoming Sender Whitelist and Manage Recipient Whitelist. 4. Verify that the spam was not sent directly to a domain filtered by Mail Assure by checking the message headers. If antispamcloud.com is not shown in the headers, the message has not been filtered by Mail Assure. 5. If your settings appear correct, you can report the message as spam, see Report Spam. 6. If spam continues to get through, open a support ticket with us providing a sample sender/recipient/date of a spam mail (ideally a few) so we can analyze the reported spam and logs. Outgoing mail is wrongly blocked

1. Ensure that the domain's Filter Settings are correctly set up. We recommend the default values, however, please ensure that these are set correctly for your domain. a. In the Domain Level Control Panel, select Incoming > Filter Settings. The system defaults are: n Quarantine enabled = yes

n Quarantine threshold = 0.9

n Beneficial to train threshold = 0.1 b. If you want to reset to the default values, click on the Reset to defaults button at the bottom of the page. 2. Check the "Evidence" header in the Outgoing Log Search: a. In the Domain Level Control Panel, select Outgoing - Log Search . b. Use the Query Rules panel to locate the quarantined message and click on the Subject link to open the Mail Preview dialog. c. Open the Raw tab and check the 'Evidence' header for information about why it was blocked. 3. Ensure your Administrator releases and trains any wrongly blocked messages from the quarantine so that the system learns that this is a classification mistake and the messages are delivered. See Release and Train Quarantined Messages. 4. If messages continue to get wrongly blocked, open a support ticket with us providing the domain name, and a sample of the message (ideally from the recipient's inbox), so we can analyze the released messages for more details.

- 50 - 5. Ensure that the outgoing sender blacklist does not contain your own domain, or any domains or addresses from which you want mail to be sent. See Manage Outgoing Sender Blacklist. 6. Analyze the ARF report sent to [email protected] to view details why it was blocked, see ARF reports. 7. As an Admin user you can release and train any wrongly blocked messages from the quarantine so the system learns that this is a classification mistake and the messages are delivered. See Release and Train Quarantined Messages. 8. If messages continue to get wrongly blocked, open a support ticket providing the sender/recipient/date. We can release the message from quarantine and have it delivered and reported to our systems as a classification mistake. Report Security Related Issues

Security is of the utmost importance to us, and we always prioritize any potential vulnerability discovered in our software. If you discover a security issue, please contact our Product Security Incident Response Team (PSIRT) at Vulnerability Report">[email protected].

For more information, see https://www.solarwindsmsp.com/security. What is Spam and who Sends it?

Spam is the use of media to send bulk unsolicited messages. Although most spam comes in the form of emails, it also can be found in instant messaging, forum posting, blog posting, SMS, social media (e.g Facebook, Myspace & Twitter) and even still the old fashion way of postal and fax spam. Any way you can be contacted, you can be spammed. Why do Spammers Spam?

For next to no cost, spammers can send out messages to hundreds of millions of people. Their efforts are rewarded even if just one or two people click on their link, buy their product or more frighteningly, give out their private details. With improved technology and widespread internet access, spam is now a widely used medium for committing crimes including financial institution fraud, credit card fraud, and identity theft, among others. Spam can also act as a stepping stone to accessing computers and servers without authorization, and sending out maliciuos links that direct to a website usually hosted by the spammer with the sole purpose of downloading malicious material onto the user's computer without their consent. Usually the malware & viruses are used to create the infamous 'Botnet', giving the sender control of a large group of computers, using them to send out further spam and malicious material. Who is Behind Spam?

Spammers can come in many shapes and forms, starting with the single person who buys an email list from a third party, to the top end full-time illicit spammers, who have groups of people in countries worldwide, sending unsolicited email to hundreds of millions of people 24 hours a day.

- 51 - ROKSO - The Register of Known Spam Operations is a register of spam services and senders that have been removed from ISPs more than three times for connections with spam.

Spamhaus - This non-profit organization tracks internet spam operations and believes that the persons on the list are responsible for approximatley 80% of spam on the internet. For more information, see http://www.spamhaus.org/rokso/index.lasso How do I Restrict Direct Delivery of Spam?

To prevent spammers from delivering spam directly to your mail servers without filtering, you must make sure your mail server only accepts emails originating from the Mail Assure filtering system. To only accept messages from your filtering nodes you need to allow emails based on your delivery server IP(s): Allow inbound delivery from the IP range 185.201.16.0/22 and master.antispamcloud.com. Delivery Restriction Examples

The following describe how to configure your MTA to restrict filtering to the Mail Assure servers:

n Configure Inbound Filtering with Exchange Online (Office 365) n Configuring Outbound Filtering with Exchange Online (Office 365) n Configure Inbound and Outbound Filtering With G Suite n cPanel and WHM Configuration for Mail Assure n Configure Inbound Filtering with Postfix

For any other MTA configuration details, please consult the relevant MTA documentation. Allow inbound delivery from the IP range 185.201.16.0/22 and master.antispamcloud.com.

Why was my Message Blocked as Spam?

To investigate why a message is blocked as spam, use one of the following methods:

n In the Log Search pages, look at the information shown in the Classification column once you have run your search.

- 52 - n In the Spam Quarantine, look at the '-Evidence:' line in the Raw view of the message. See View Quarantined Message Content. n If you have Features preview enabled, you can find additional details in the Log search (preview): Before running your search, use the Customise Columns to be displayed dropdown to ensure the Main class, Sub class and Extra class columns are selected:

- 53 - You can then compare the information you have gathered with the system's Incoming Rejection Classifications.

Usually, Releasing and Training the messages (available in the Log Search and the Quarantine) makes the appropriate adjustments to the various databases and resolves the issue. This applies for both Incoming and Outgoing products, however access to outgoing quarantined messages is not permitted from the Mail Assure Control Panel. For assistance with releasing and training outgoing messages, please contact Support. How can I Protect Against Bounce Spam? What Causes Bounce Spam?

Bounce spam happens when a spammer tries to deliver a spam message with your email address in the From field to an unknown address. The mail server accepts the message for delivery but then finds out that the recipient does not exist and sends a bounce email to your email address because it wrongly believes you are the originating sender. Because these bounces do not come from spamming servers, but from legitimate servers, they are very hard to block by any spam filters.

- 54 - This can be an annoying problem if your mail servers are not properly set up. The SMTP protocol is a very simple protocol that was defined in 1982. Spam was not yet a problem and to keep things as simple as possible, no security measures were implemented in the protocol itself. One result of this is that there is no verification that the "From:" address in an email message actually belongs to the sender. To try to avoid spamfilters, spammers typically use random email addresses as fake senders. This way they can avoid any simple spamfilter that blacklists based on the sender email address. It is important however that the email address they use as a sender does exist, since spamfilters can apply a "sender verification check" to ensure that the sending address itself exists. SpamExperts applies advanced methods to identify and block "bounce-spam". Properly set up mail servers will not cause bounce spam and directly reject the message with a 5xx error code when the spammer tries to deliver it. Unfortunately there are many legitimate mail servers that are incorrectly set up. Catchall Domains

If you have configured your email system to accept all email sent to any address @example.com, this is called a "catchall domain". The main advantage for you is that you won't have to create a separate mailbox for each address that should work. Be Advised: The problem however is that if spammers detect that your mail server claims to accept email for any address, they can easily generate random email address and end with @example.com (your domain name) to generate millions of different "valid" email addresses! It's therefore highly recommended to disable the email catchall to avoid spammers from abusing your domain and also generate fake senders for their spam messages. SPF / DKIM

By setting a Sender Policy Framework (SPF) record for your domain, you reduce the attraction for spammers to use your domain for sending out email. Also signing your emails with a DKIM certificate should further reduce the attractiveness to spoof your domain name for outgoing spam. BATV Signing

A special "trick" to avoid bounce spam is to sign every outgoing email with a special Bounce Address Tag Validation (BATV). This adds a cryptographic token to the address used for receiving any bounce, which means that it's possible to know for sure whether a bounce is in response to a message that you sent. To effectively use BATV, you need to be using both the Incoming and Outgoing email filtering, and you must send all your outgoing mail using the outgoing filter. When you send messages, the bounce address is signed, and when you receive bounces, any message that does not have a correct signature is rejected.

If you enforce BATV for incoming messages, and you are not using the outgoing filter to sign your bounce address, then all incoming bounces will be rejected, including legitimate ones. If you enable BATV for outgoing messages, and you are not using the incoming filter to enforce BATV, then you will gain no advantage, and may have trouble receiving legitimate bounces at the destination server that handles your incoming mail.

- 55 - I get a lot of Unwanted Newsletters - Should I Report These as Spam?

Newsletters offer the option to unsubscribe. This is preferable to treating them as spam, as if they are legitimate newsletters, they may continue to appear in your mailbox even after you have trained them as spam. How can I Block Dangerous Attachments?

Mail Assure allows you to block a large amount of malware, however new malware campaigns can emerge that are able to evade all Antivirus and Anti-Spam filters. Because of this, we advise that you ensure that the "Block attachments that contain hidden executables" option is enabled for all your domains by default (the system default option is 'enabled'). This prevention is highly effective against so called 0-day malware. Once this is enabled, messages that are sent with executables within a compressed archive (e,g. .zip, .rar etc.) are rejected and quarantined.

The Block attachments that contain hidden executables option only affects messages that contain an executable within a compressed archive. The check is executed 3 layers deep into archived messages.

For information on the range of attachment blocking functions, see Manage Attachment Restrictions. Access the Attachment Restrictions page

In the Domain Level Control Panel, select Email Restrictions > Attachment Restrictions.

In this page you can perform the following tasks:

n Block Attachments Containing Hidden Executables at Domain Level n Block Specific Extension Types n Block Password Protected Archives n Enable Scanned Link Extensions Block Attachments Containing Hidden Executables at Domain Level

To block dangerous attachments for a specific domain only:

1. In the Restriction Options panel, place a tick in the Block attachments that contain hidden executables checkbox. 2. Click Save. Block Specific Extension Types

You can also block messages based on their attachment type. You can add more attachment types to the list of default ones already set up in the system.

1. In the Blocked extensions panel, place a tick in the checkbox alongside the extension type you want to block.

- 56 - 2. To add more extension types, use the Add new extensions field. 3. Click Save. Block Password Protected Archives

Spammers often use the trick of sending password encrypted archives in the hope to bypass some filters, and saying the “password” in the body of the spam message. These messages can be blocked by enabling the “Block Password Protected Attachments” feature.

1. In the Restriction Options panel, place a tick in the Block password-protected archive attachments checkbox. 2. Click Save. Enable Scanned Link Extensions

This option (which is disabled by default) allows you to configure your domain(s) to allow the download of files of a specific extension type from links within an email. The system scans the files for any viruses or malware.

1. In the Additional Restrictions panel, enter 2000000 in the Message link size limit (in bytes) field. 2. In the Scanned Link Extensions panel, add the following extension types to the existing list using the Add new extensions field: zip, rar, jar, js, java, aspx, doc, docm, xls, xlsm. 3. Click Save.

For redirect links (commonly seen in invoice related spam), an extra link-follow option is needed. This currently needs to be enabled by our Support team. If required, contact Support so that they can set this up for you.

What Local Issues may Cause Non-delivery of Mail? Intrusion Detection Issues

Messages may be queued because of a connection timeout:

Connection timed out: SMTP timeout while connected to destinationserver.example [1.1.1.1] after sending data block (49135 bytes written)

This may occur if the message is over a certain size and your firewall has Intrusion Detection enabled. Solution: Disable Intrusion Detection on your Firewall. ASA 5505 ESMTP Inspection Problems

The ASA 5505 has an ESMTP inspection rule that may wrongly block certain emails from being delivered. Please ensure to disable this rule and/or to update the firmware. Outdated Firmware Issues

You may be having issues with Inbound delivery.

- 57 - Solution: Make sure all routers and firewalls are running up-to-date firmware. Telnet from a Windows machine to the destination server to test. Exchange (On Premise or Online) and Missing Mail Assure Headers

If, when looking at the source of your message, you do not see our 'X-Headers', this could be an issue with the default HeaderPromotionModeSetting settings that Microsoft Exchange has in place. By default Microsoft Exchange sets these to 'NoCreate'. If you want to see the Mail Assure X-Headers when using IMAP and POP, you should change this to 'MayCreate'. This can be achieved from the Microsoft Exchange Shell by typing:

set-transportconfig -HeaderPromotionModeSetting MayCreate

Lotus Domino Notes Outbound SSL Issue

Older versions of Lotus Notes maybe be wrongly configured to send outbound mail by default to port 465 instead of port 25. This is a severe security issue since port 465 is not defined as an official port for incoming email delivery. Instead, email uses STARTTLS to handle encryption. To avoid email getting rejected from Lotus Notes servers, it's important to configure Lotus Notes to correctly deliver outbound mail to port 25 directly instead.

For more information, refer to the IBM Knowledge Center. DNS and HTTP proxy with Custom Host Names

Avoid using DNS/HTTP proxy services (e.g. Cloudflare, Akamai) for custom host names for the control panel, quarantine or SMTP destinations. This can result in intermittent non-delivery issues or loss of functionality in the control panel. Use the 'direct' option instead. DNS Issues

For inbound mail, verify that the DNS settings for the destination host are correct. Specifically, if you are using a FQDN rather than an IP address for the destination host (e.g. mail.myserver.com), ensure that the A or CNAME record (and any AAAA record) is correctly set.

You can test your DNS settings to ensure that your zone is correctly configured: Zonemaster DNS check.

For outbound mail, ensure that your DNS provider correctly resolves the FQDNs for Mail Assure (e.g. mx1.mtaroutes.com). Some customers experience issues where their DNS returns IPv6 addresses but there is no IPv6 route to the host. If in doubt, try using a public DNS provider or configure your server to use a local DNS server. How to Count Users/Domains? Incoming

Domain count To check the amount of domains existing on your license:

In the Admin Level Control panel, select General > Domains Overview. The Overview lists all domains on your Mail Assure system. The exact number of domains is shown at the top of the page:

- 58 - Valid recipient (mailbox) count To check the amount of mailboxes/ valid recipients for a domain for which we processed email in the last 7 days you can either use the Mail Assure API or the Control Panel. The API command you need is the following:

https://api.antispamcloud.com/api/domain/getvalidrecipientcou nt/domain/example.com/

To use the above call, you need a valid Mail Assure API username and password. Please replace example.com with the inbound domain you wish to check.

Using the Mail Assure Control Panel

1. In the Admin Level Control panel, select General > Domains Overview. The Overview lists all domains on your Mail Assure system. 2. From the drop down menu on the left of the domain you are looking for, choose Filtered recipient count.

The system displays a dialog showing the number of filtered recipients with a successful delivery in the past 7 days. Outgoing

Outbound License usage

Our outbound license checks are done based on your sending domains (the 'From:' header). We analyze the traffic of those users combined, our license will check the number of unique from domains sending legitimate email via your network. You need to ensure your license covers the number of clients/hosting accounts that are making use of your outbound services. If, for example, a smarthost user protects a server with 100 clients then it is required for your license to cover 100 domains.To check the number of domains that your users are sending from you can use the outgoing log search in the Admin Level Control Panel to get a full overview of all traffic passing the system.

- 59 - How to get outbound sender counts

Sender "From:" count

If you want to count the number of "From:" domains that your outgoing user is sending from, you will need to use the outgoing log search and any spreadsheet based program. (For example Excel).

1. In the Admin level Control Panel, click on General > Domains Overview. 2. Click on the outgoing authenticating domain to open the Domain Level Control Panel. 3. Select Outgoing > Log Search. 4. In the Query Rules panel use the filters to specify a time frame from the Timestamp rule. 5. Create a new rule (by clicking on +New rule below the Query Rules panel and apply the Quick select: Accepted filter. 6. From the Columns to be displayed: dropdown, select From as the only column to be displayed. 7. Click Show Results to list all matching results. 8. When the results are returned, export these reports to a file by clicking on the Export entries as CSV link at the top of the page. 9. Open the file in any spreadsheet based program and remove the duplicate lines. This list now displays how many unique senders the system has accepted email for during the set time frame.

The log search can also be used to show other columns, for example, if you wish to show the "Envelope-from" instead of the from.

Note: For the license match, "From domains" related to email forwarders are not included in the count.

You need to ensure your license matches the total number of domains that are being filtered (a forwarding domain would count as 1).

Can I Change the Name of a Domain?

It is not possible to rename a domain in Mail Assure.

Alternatively, you can create a new domain - see Add a Domain. How do I Request an Export of my Domain?

Generally we do not perform mailbox exports but we can provide a manual archive export.

For us to do this for you, you need to raise a Support case.

Common questions Is there a limit on the amount (storage) of data that can be exported?

We currently recommend that accounts with less than 3TB of data use this feature. What is the format of the export?

- 60 - The export will consist of a single .ZIP file containing one RFC 5322 compliant .EML file per message. How long will it take for the export to complete?

Depending on the number of messages, the export may take a few hours to several days to complete. If you have not received an update on your case after three days, please contact support. Can I request for all subdomains or specify a particular subdomain?

You can request an export for all of your domains or a single subdomain Can I request just for particular users or services? Can I request an export from a certain point in time or only the changes from a particular time period?

No. You can only export the entire content for a domain. Why can't I Find a Message in the Quarantine?

There are several reasons why a message cannot be found in the quarantine:

n Quarantine days expired - Normally Mail Assure stores quarantined spam for a maximum of 14 days. After that, older messages are automatically removed so that new messages may be stored. n Quarantine is disabled - If the quarantine is disabled (in the Incoming - Filter Settings page), all messages are delivered to the recipient mailbox, including those that would normally be quarantined. Even though those messages have not been quarantined, they still appear as 'Rejected' in the log. n Message is already released - if a message has already been released from the quarantine, it will no longer be available. The Classification column in the Log Search should provide information about this. n Not all blocked messages are quarantined - whether or not blocked messages are quarantined depends on the reason they are blocked. For more info, see Incoming Rejection Classifications.

In order to perform any actions on these messages in the Log Search, they would have to be resent by the sender, assuming the issue that blocked the message in the first place has been resolved. How can I View Email Headers in Different Email Applications?

An email header provides technical details about an email message which allow you to troubleshoot delivery problems. Information contained in the email header includes who sent the message, the software used to compose it and the email servers that it passed through on its way to the recipient. The following describes how to find email headers in various email clients. Gmail https://support.google.com/mail/answer/29436?hl=en

- 61 - Juno Version 4+

Select Options > Email Options (Ctrl-E). Under Show Message Headers, select the full option and click OK to save the setting. Juno version 4+ can display MIME and HTML email, but does not provide a way of Viewing the HTML Source for the message within Juno. To get the full source, including HTML codes: In the Juno mail client, click File > Save Message as Text File (Ctrl-T). Lotus Notes / IBM Notes https://www.ibm.com/support/knowledgecenter/en/SSWU4L/Email/imc_Email/Email_q_a_ watson_assistant/How_do_I_view_the_Email_Header_informati374.html Microsoft Outlook for Office 365, Outlook 2019, Outlook 2016, Outlook 2013, Outlook 2010, Outlook 2007 https://support.office.com/en-us/article/view-internet-message-headers-cd039382-dc6e- 4264-ac74- Microsoft Live Mail / Hotmail

Go to Options > Preferences. Scroll down to Headers and click on Advanced Headers. Mozilla Thunderbird

Open the message. Select View > Headers and select All. Newswatcher

Select File > Preferences, and check the Show Article Headers box. Opera Mail

Select Options and enable Show Message Headers in Body of Message. Pine/Alpine http://alpine.x10host.com/alpine/alpine-info/misc/headers.html#reading What are Recipient Callouts?

If a message is addressed to a recipient that is not known on your destination mail server there is no reason to accept it. For this reason, the servers first check the destination server to check if the recipient email address is an existing email account for which the destination server accepts mail. The filtering systems internally keep track of existing / non-existing email accounts at the destination server to minimize the number of recipient callouts. These callouts are all done using SMTP directly, and are compatible with any type of email destination server, therefore, it is not necessary to query for valid users externally using LDAP - the SMTP server on the destination server will handle the look-ups locally.

- 62 - 5xx destination server rejects

Whenever the destination server permanently rejects the email for a certain recipient with a 5xx error code, the destination address is considered invalid and all messages for this recipient address are rejected. This information is cached locally on each filtering server separately for up to 2 hours. You can clear the callout cache using the web interface. See Clear Callout Cache - Incoming. Existing recipients

Existing recipients are cached for up to 96 hours. Technical details

The filtering servers do a 'null sender' callout as soon as a message is to be delivered. This means that the filtering server connects to your destination server, using an empty sender field i.e. "<>" (just as a bounce message does), and the real recipient address. After checking the recipient, the connection is closed (i.e. no message is actually sent). You need to ensure that your destination servers correctly verify addresses in this way. Before verifying the actual address, the filtering server checks to see if the domain accepts all email addresses (if a "catch all" address is setup), using a randomly generated address at the domain. If this is successful, there is no need to check individual addresses as they will always be accepted (either valid addresses or not valid but directed to the "catch all" address). These checks are cached just like regular checks, but if the domain does have a "catch all" address there will be fewer callouts. Enable recipient callouts

If you want the system to only accept mail confirmed as valid by the destination mail server:

1. In the Domain Level Control Panel, select General > Mailboxes Overview. 2. In the Configuration tab, in the Incoming section ensure Accept mail for any mailbox confirmed as valid by the destination mail server option is selected.

3. Click Save settings.

See Mailboxes Overview for more information on your mailboxes and how these can be configured.

- 63 - How can I Test the Mail Server is Working Properly?

Incoming Mail Using the Network Tools feature you can manually test if your destination mail server is accepting mail using Telnet.

1. First you need to find the destination route set up for your domain,: Select Incoming > Destinations and copy the IP or hostname of the server destination route. 2. Next, you need to open the Network Tools page: Select Others > Network Tools and click to open the SMTP tab. 3. Paste the copied destination IP or hostname into the Hostname field. 4. In the Envelope recipient field enter an email address from the same domain (for testing connectivity, it can be any existing email address). 5. Click Run. The Telnet test should show the successful connection to the destination host.

Outgoing Mail Test if a destination domain is correctly accepting email using Telnet in the Network Tools feature. 1. To do this you first need to look up the destination MX record of the domain. 2. Once you have this, select Others > Network Tools and click to open the SMTP tab. 3. Enter the MX record into the Hostname field and enter a valid recipient at the domain you are testing to in the Envelope recipient field. 4. Click Run. cPanel Please make sure that when manually changing your domain MX records, the cPanel Email Routing settings are always set to "Local Mail Exchanger instead of "Automatically Detect Configuration", otherwise the cPanel server will reject all email to this domain. This will show in the log search as "Recipient Rejected by destination server". Since it is a permanent reject at the destination server, the mail will be permanently rejected. Permanent failures, including failed Recipient Callouts, are being cached up to two hours.

- 64 - Can I Blacklist/Whitelist Messages Based on Character Set?

It is not possible to block/allow messages based on character set, but you can block/allow messages based on MIME language using the Blacklist Filtering Rules and Whitelist Filtering Rules pages at Admin or Domain Level. Blacklist Messages Based on MIME Language

1. In the Domain Level Control Panel, select Incoming > Blacklist Filtering Rules. 2. Click on + Add rule to create a new rule:

3. If the Use advanced custom filtering rules option is activated in your User's Profile page, the Add a new advanced blacklist filtering rule dialog is displayed. If not activated, the Add a new simple blacklist filtering rule dialog is displayed. 4. Give the rule a name in the Rule name field. 5. In the Match dropdown, select Language. 6. Ensure is is selected from the 2nd dropdown. 7. In the text field enter the desired ISO 639-1 code. For example:

- 65 - 8. Click Save to add the rule. In the example above, all incoming messages in the language depicted by the code zh will be blocked.

You can also choose to whitelist all incoming messages in a particular language:

Select Incoming > Whitelist Filtering Rules and add a new rule in the same way as described above. How do I Blacklist/Whitelist Messages by Country/Continent?

To do this you need to set up a Blacklist or Whitelist Filtering Rule. Blacklist Messages Based on Country

1. In the Domain Level Control Panel, select Incoming > Blacklist Filtering Rules. 2. Click on + Add rule to create a new rule:

3. If the Use advanced custom filtering rules option is activated in your User's Profile page, the Add a new advanced blacklist filtering rule dialog is displayed. If not activated, the Add a new simple blacklist filtering rule dialog is displayed. 4. Give the rule a name in the Rule name field. 5. In the Match dropdown, select Country or Continent. 6. Ensure is or is not is selected from the 2nd dropdown, as needed. 7. In the text field enter the desired ISO 3166-2 country code or continent code. n Country Codes: https://datahub.io/core/country-list

n Continent Codes: https://datahub.io/core/continent-codes For example:

- 66 - 8. Click Save to add the rule. In the example above, all incoming messages from the country depicted by the code CN will be blocked.

You can also choose to whitelist all incoming messages from a particular lcountry/continent:

Select Incoming > Whitelist Filtering Rules and add a new rule in the same way as described above. Does Mail Assure Use Greylisting?

Yes - Mail Assure applies an advanced form of greylisting to help stop a significant amount of spam with minimal resource usage. Although greylisting is a controversial technology, it is still highly effective when applied properly. First of all it's important to mention that all nodes within the cluster are synchronized, and aware of the connections made to each other. Therefore, for greylisting technology, it does not matter to what node a connection is made. Mail Assure also keeps track centrally of "reputable hosts" to avoid any greylisting delays from known legitimate servers. Greylisting works based on the 'triplet' information consisting of:

n sending server IP /24 subnet n sender email address n recipient email address

- 67 - Whenthe system receives a connection from an unknown 'triplet', we will temporarily reject (SMTP code 4xx) the connection for 10 minutes after seeing the first attempt. A temporary reject in this case means that the sending server is requested to temporarily queue the email, and automatically retry later. Any legitimate SMTP server is required by the RFC to support this, and it is a fully automatic process of which the original sender will not receive any notification. It does not matter how often the server retries within the 10 minute interval or to which node. Mail Assure will only accept the email after the 10 minutes. This results in a short delivery delay, which is minimized by an advanced automatic system. After accepting the email from a previously unknown 'triplet', the 'triplet' becomes 'white' to avoid temporarily rejecting connections from such triplets in the future. Furthermore, whenever we have seen (at least) 5 different successful (white) triplets from the same IP /24 subnet or (at least) 2 different successful (white) triplets from the same subnet and sender email address, the subnet or subnet+address is added to an internal "greylisting whitelist" system to avoid greylisting connections from that IP. All active mail servers delivering email to the servers are therefore not influenced by the greylisting technology as they are on the internal "greylist whitelist". The greylisting technology is only applied to new unknown servers. Servers that have been blacklisted for sending out spam, lose their whitelisted entry again so may shortly be greylisted for new connections. Key points:

n Greylisted triplets become white after 10 minutes. n IP subnets are added to the "greylisting whitelist" after 5 white triplets. n IP subnet + sender address pairs are added to the "greylisting whitelist" after 2 white subnet+address pairs. n Greylist grey entries are expired after 8 hours. n Greylist white entries are expired after 60 days (if they have not been seen again). n Greylist triplets only apply to individual recipient domains, but the "greylisting whitelist" is shared across all domains for a cluster. The "sending server IP /24 subnet" is basically the first part of the sending server's IP address. For example, if the server's IP was 222.153.243.117, then the string used in the 'triplet' would be '222.153.243'. This includes up to 256 (.0 to .255) servers, almost always within the same organisation. This means that if an organisation has several sending servers (typically within the same subnet), it does not matter which sending server makes the second attempt.

Be Advised: Most support questions regarding temporarily rejected connections are because customers see the temporary reject log entries, and are not aware that the message was NOT blocked/identified as spam. The message was only shortly delayed to verify that the sending server is behaving correctly (in accordance with the requirement for SMTP servers). It should also be noted that delays due to greylisting are on the sender's side: the 451 temporary fail message just means 'Try again later'. The system will accept the message after 10 minutes but we have NO control over how long the sending server takes to retry. Most sending servers retry after a few minutes but some may wait hours.

More information on the RFC and greylisting can be found in RFC1123 - Section 5.3.1.1 How can an SPF Issue Block a Message?

SPF (Sender Policy Framework) problems can lead to a message being blocked by the filtering server or by the destination mail server.

- 68 - Incoming messages blocked by the filtering server

If the message was blocked by the filtering server, the message is shown as 'Rejected' in the Log Search. This occurs when the sender's SPF does not include the IP address from which the message originated. To resolve this issue, the sender must add all the relevant IPs in the SPF record. If this is not possible, you can add the sending domain to the list of domains and IP addresses with disabled SPF, DKIM and DMARC checks - see Manage Domains and IPs with Disabled SPF, DKIM and DMARC Checks. Incoming messages blocked by the destination mail server

If the message was blocked by the destination mail server, it will appear as 'Accepted' in the Log Search. Normally this happens because the SPF check is enabled on the destination mail server. As the final hop in delivery is the filtering server, this means that the message will appear to be coming from an IP (the one of the filtering server) which is not included in the sender’s SPF - this is the correct behaviour. To resolve this, the SPF check should be disabled on the destination mail server, as this is already being performed during filtering. Alternatively, you should ensure that nothing on the destination mail server is blocking the connection from the filtering server IPs listed below. Webinterface telnet & LDAP sync IPs 95.211.160.147, 2001:1af8:4500:a034:101::2 Mail Assure SMTP delivery IPs IP range: 185.201.16.0/22 IP sub-ranges: 185.201.16.0/24, 185.201.17.0/24, 185.201.18.0/24, 185.201.19.0/24 Current active IPs:

n 185.201.16.200 n 185.201.17.200 n 185.201.18.200 n 185.201.19.200

This applies automatically to all Mail Assure accounts. If you wish to use the telnet test from the webinterface or use the LDAP sync/authentication, you need to authorize the webinterface IP 95.211.160.147 / 2001:1af8:4500:a034:101::2. This is not required for deliveries.

Outgoing messages blocked by the destination mail server

When outgoing filtering is enabled and you see a bounce related to the SPF failing, this will always be rejected by the destination mail server and not by the outgoing filter. This is usually because the SPF of the sending domain does not include the IPs of the filtering server. For more details on how to adjust the SPF when the outgoing filter is used, see Setting up SPF. What is my SMTP Hostname?

SMTP hostname: smtpout.mtaroutes.com (port 587/465) SPF record: v=spf1 include:spf.mtaroutes.com -all

- 69 - EU/US/UK/AU/CA-only

For redundancy reasons we recommend using our generic hostname. Our up-time and service level guarantees do not apply to the EU/US/UK/AU/CA-only records.

n EU-only: smtpout-eu.mtaroutes.com (port 465/587) n US-only: smtpout-us.mtaroutes.com (port 465/587) n UK-only: smtpout-uk.mtaroutes.com (port 465/587) n AU-only: smtpout-au.mtaroutes.com (port 465/587) n CA-only: smtpout-ca.mtaroutes.com (port 465/587) Using the above records forces usage of our EU/US/UK/AU/CA server infrastructure, however deliveries may still be routed via our international platform. Please contact Support to force-set your customer ID to EU/US/UK/AU/CA-only delivery servers to ensure messages are not re-routed internationally. Branded SPF hostname

If you want to use your own domain in your clients' SPF records, use the "include" option:

1. Create a subdomain for the domain you wish to add to your clients SPF spf.example.com (spf.example.com). 2. Create a TXT record for spf.example.com (spf.example.com) with the following details: v=spf1 include:spf.mtaroutes.com -all 3. Add the following TXT record to your clients' domain DNS:

v=spf1 include:spf.example.com -all

Why Can't I Upload my Certificate or get an Error when Trying?

You will only be able to upload a certificate if you have the Branding product.

In the Branding Management section, once you have added a custom Hostname, you can choose from the following options:

n Generate and manage a TLS certificate for me via Let's Encrypt - the system will automatically generate a certificate n have a Let's Encrypt certificate generated by us. This will apply to the Hostname that you used. n Upload your own certificate bundle - Upload your own custom certificate(s) in a PEM file

If uploading your own certificates, make sure you upload all the necessary files with the correct components in the specified order. If you want to make sure all the components are in the correct order, you can send the file to Support to check it.

- 70 - How do I Enforce TLS?

Mail Assure fully supports incoming connections protected using TLS (Transport Layer Security). Deliveries are always made over TLS when supported by the destination mailserver (opportunistic TLS). This way email is securely transmitted when possible. If you want to enforce TLS, you need to contact support to set this up for you. While on the call you will be asked to provide Yes/No answers to the following questions: Incoming Filtering 1. Should TLS be enforced before filtering by Mail Assure? Yes/No n For all senders? Yes/No

n For all senders of a specific domain? Yes/No

n For a single sender address? Yes/No 2. Should TLS be enforced after filtering by Mail Assure? Yes/No n For all recipients of a specific domain? Yes/No

n For one recipient of a specific domain? Yes/No

Outgoing Filtering - the outgoing user that handled filtering needs to be provided as well 1. Should TLS be enforced before filtering by Mail Assure? Yes/No n For all senders? Yes/No

n For all senders of a specific domain? Yes/No

n For a single sender address? Yes/No 2. Should TLS be enforced after filtering by Mail Assure? Yes/No n For all recipients? Yes/No

n For all recipients of a specific domain? Yes/No

n For a single recipient of a specific domain? Yes/No Why do my Released Messages not seem to be Getting Trained by the System?

If you are using the Release and Train feature on some messages and this doesn't seem to have taken effect, first contact Support to find out if the messages actually have been trained. If they haven't, the Support team may be able to do this manually to make sure they are properly processed. You can make things work more efficiently by making sure messages aren't being blocked due to:

n a regex / custom filtering rule - see Incoming Blacklist Filtering Rules n a blacklisted from address - see Manage Sender Blacklist n a blocked extension - see Email Restrictions

Rather than regularly releasing messages that have been blocked for the above reasons, tackle the problem at its source and check your regex/custom filtering rules, sender blacklist and blocked extensions. Being more proactive with the system will save you time in the long term.

- 71 - Remember you can check why a message is blocked via the log search - see Incoming Log Search.

How to Enable Exchange Protocol Logging?

When troubleshooting mail flow problems between Exchange server and Mail Assure servers, you may need to enable Exchange Protocol Logging. Protocol logging records the Simple Mail Transfer Protocol (SMTP) conversations that occur between e-mail servers as part of message delivery.

n Microsoft Exchange 2000 or 2003: How to enable SMTP protocol logging in Exchange 2000 Server and in Exchange Server 2003 n Microsoft Exchange 2007: How to Configure Protocol Logging n Microsoft Exchange 2010: Configure Protocol Logging n Microsoft Exchange 2013 or 2016: Configure Protocol Logging Can I Query an Office 365 Account with LDAP to Pull in Users to Mail Assure?

This is not possible, but you can sync the Office 365 account details to a local Active Directory server using Microsoft Azure and use LDAP to query that. What Details Should I Include when Opening a Support Ticket?

Provide all of the necessary information relevant to the issue you are having, including:

n Detailed description of the issue. n Example logs / headers / messages / print screens of the log search showing any messages. n Steps taken to reproduce the issue so that we can duplicate on our test systems.

- 72 - Domain Management

Set up and manage your domain settings. What do you want to do?

n View Domain Overview n Add a Domain n Transfer Domain Between Admin Accounts n Mailboxes Overview - Manage the mailbox settings for your domain(s) n MX Records - Find out what MX records are and how to make sure you are using the correct ones. n LDAP Authentication and Synchronization - The difference between LDAP authentication and synchronization; Set up LDAP configuration details and custom mapping rules; preview LDAP sync details and run a sync immediately or at a scheduled time. View Domain Overview

In the General panel, click on Domains Overview.

The domain Overview contains a table which lists all of your domains. It displays the following columns:

n Domain column - Displays the domain name. The green boxes represent the products that are enabled for the domain (mouseover a box to see the product it represents). n Aliases - Displays all of the aliases set up for this domain. All emails sent to any of your domain aliases are sent to the same user on your main domain. Set up your aliases from the Incoming panel > Domain aliases in the Domain's Control Panel. See Manage Domain Aliases.

Click on the dropdown to the right of each domain to see the following menu:

n Configure - Opens the domain's Control Panel. See Domain Level Control Panel. You can also click on the domain itself to do this.

- 73 - n Manage products - Choose which products you want available to this domain: Incoming Mail, Outgoing Mail and Archiving. Deselecting a product removes the panel from the Domain Control Panel and the options relating to that product will no longer appear. n Protection status - Check the domain's protection status for the following: n Destination routes n MX routes check n Check routes for open relays n Catch-all status n Valid recipient count - Displays the number of valid recipients/mailboxes in the domain for which the system processed emails in the last seven days. n Transfer to an admin - Transfer the domain to another admin user. n Telnet - Use Telnet to test the connection between the filtering server and the destination route set for this domain. Add a Domain

1. In the Admin Level Control Panel, click on Domains > Add Domain 2. In the Add domain page, enter your domain name and click Continue. 3. After verifying that the domain name you have entered is correct, in the Destination routes field, add the mail server address (IP or FQDN) that incoming mail is being routed through after filtering. For more information on how to find your Destination server address, see Find Destination Server Hostname. If you do not have a specific destination server route to add from the start, the Control Panel will automatically fill in a suggested destination route for you (this route is detected from the domain's existing MX records), with a default destination port 25.

Add multiple routes here for load balancing purposes or if an alternative route is needed in case of failover.

Once you have set your destination route(s) here, they will be displayed in the Incoming > Destinations page - see Manage Destinations. 4. To restrict processing of the domain's messages to the data centers for a specific geographic region, choose the territory from the following available Regions: n Global (recommended)

n United States

n European Union

n United Kingdom

n Australia

n Canada

We recommend using the default Global region to make optimal use of our globally distributed cloud and infrastructure redundancy. When selected, our Global data

- 74 - centers are used for email filtering, logging and quarantine.

Now that you have set up your domain with the correct destination host, you need to test that Mail Assure is communicating with the server: Check your New Domain can Communicate with the Mail Server

To ensure Mail Assure can communicate with the mail server, carry out a Protection status check:

1. In the Admin Level Control Panel, select General > Domains Overview to display all of your domains. 2. Click on the dropdown alongside the new domain, and select Protection status to check the routes you have set:

The Protection status dialog should display connection details. If connection failed, a series of 'Connection timed out' responses are displayed.

- 75 - Use the Protection Status dialog to check the catch-all status of your mail server. If catch-all is enabled, the protection status check will show as failed. In this situation, (and to AVOID BEING BILLED for non-existent mailboxes) you should either disable catch-all on your server or ensure that the Accept mail only for mailboxes listed in the Mailbox tab option is ticked in the Domains > Mailboxes Overview > Configuration tab page at the Domain Level. See Mailboxes Overview.

Now that your new domain is set up you need to modify your MX Records in your domain provider's DNS Settings, in order to point to the correct Mail Assure routes - see MX Records. Find Destination Server Hostname

When setting up your domain(s) in Mail Assure you need to specify the address of the destination mail server that mail should be delivered to.

n Office 365 Destination Server Address n G Suite Destination Server Address n Local Mail Server Address

Office 365 Destination Server Address If you are using Office 365 you can find the destination server address by following these steps:

1. In the Office 365 Admin center, select Setup > Domains. 2. Locate and copy the address in the MX line.

3. Paste the server address into the Destination Routes field when adding your domain. See

- 76 - Add a Domain.

G Suite Destination Server Address If you are using G Suite, you can find the destination server address by following these steps:

1. Navigate to: https://support.google.com/a/answer/140034?visit_ id=636776301070607062-543728404&rd=1. 2. In the G Suite MX setup (Generic steps) section, copy each MX record line you require.

3. In Mail Assure, paste into the Destination Routes field when adding your domain. See Add a Domain.

- 77 - For more information about G Suite, see Configure Inbound and Outbound Filtering With G Suite.

Local Mail Server Address If you are using your local mail server, you need to enter the public IP address/FQDN of your mail server in the Destination Routes field when adding your domain. See Add a Domain. Transfer Domain Between Admin Accounts

There are two ways in which domains can be transferred from one administrator account to another:

n Domain Transfer - The admin with existing control of the domain transfers the domain(s) to another admin. n Forced Migration - A forced migration is performed when the domain cannot be transferred by the existing admin. Domain Transfer

1. As the Admin user with ownership of the domain, log into Mail Assure. 2. The Admin Level Control Panel is displayed. 3. Select General > Domains Overview. 4. Select the checkbox(es) alongside the domain(s) you want to transfer. n If you have selected more than one domain, the Apply to selected dropdown appears at the bottom of the page. Select Transfer to an admin and click Apply.

n If you only want to transfer one domain, select the checkbox alongside the domain and from the dropdown alongside the domain, select Transfer to an admin. 5. In the Move domains to dialog, enter the destination administrator's username and click Transfer.

- 78 - The new administrator will then see the incoming transfer in their own domain Domains Overview page, where the transfer should be accepted. Once this is done, the domain will be transferred. All logging, quarantine and settings will remain in place, and any custom branding will be removed.

Alternatively, the current administrator can remove the domain from their account, so that the new administrator can add the domain(s) to their own account.

Please be aware that if the domain is removed, the systems will start rejecting email for it.

If the domain has been part of a suspended trial, please ensure you request cancellation of the trial account with your account manager, so the product is purged from the system.

Forced Migration

A forced migration of a domain from one Admin user to another may be necessary if the existing Admin user is unable to transfer the domain manually.

No domains can be reserved in the system. If there is a transfer request/dispute, the domain will only be transferred to the administrator that can demonstrate control of the DNS.

1. Add an @ TXT record to the DNS of the domain to transfer, with the value yyyy-mm-dd- transfer-to-adminusername. Where: n yyyy-mm-dd should be replaced with the current date

n adminusername should be replaced with the unique number at the end of the admin username that the domain should be transferred to. For example, if the admin username is 'main-school-admin_123456789', replace adminusername with '123456789'.

Please ensure that you use the primary Admin login for the account. 2. Contact Mail Assure support from an authorized support contact address that belongs to the destination administrator. 3. Our support team will reply to the requestor to confirm the transfer and verify the email address. 4. When confirmation has been received, our support team will: a. Ensure that the TXT record matches the request b. Reach out to the existing administrator, requesting to transfer or delete the domain c. If the existing administrator does not respond or execute the request, force- transfer the domain to the new administrator. Mailboxes Overview

The Mailbox Overview pages allow you to auto-discover addresses via recipient callout verification, control whether newly discovered mailboxes are filtered, and manage mailbox filtering, archiving, and aliases in a central location. It replaces the old Local Recipients page.

- 79 - What do you want to do?

n Auto-discover local mailbox addresses via recipient callout verification - Set this up at the Domain Level from General > Mailbox overview - Configuration and select Automatically populate Mailboxes tab based on destination server response in the Incoming section. n Control whether newly discovered mailboxes are filtered - Set this up at the Domain Level from General > Mailbox overview - Configuration and select Filter mailboxes by default in the Incomingsection. n Change the 'catch-all' status of a domain - Do this at Domain Level by selecting General > Mailbox overview - Configuration, using the Destination server has a ‘catch-all’ mailbox setting in the Incomingsection. n Manage mailbox filtering (with the option to overrule the default setting per mailbox) - Set this up in the Mailboxes tab. See Edit one or multiple mailboxes. n Whitelist a recipient by turning off filtering on their mailbox - See Switch off Filtering for Specific Mailbox (whitelist recipients). n Enable Archiving for specific mailboxes - Set this up in the Mailboxes tab, in the Edit mailbox or Edit multiple mailboxes dialog in the Archiving enabled section. See Edit one or multiple mailboxes. See Restrict Archiving to Specific Mailboxes. n Manage email aliases - Perform alias management tasks in the Mailbox aliases tab. See Add a mailbox alias and Catch all mail and direct to a single address. n Switch off Filtering for Specific Mailbox (whitelist recipients).

For your business continuity feature to work (i.e. you can still send and receive mail when your mail server is down), you must ensure that your mailbox list is up-to-date and the Automatically discover mailboxes option is enabled in the Configuration tab at the Admin Level. If you don't do this, the lookup that checks if the recipient exists, fails, and the system will temporarily reject the message. The message will not be queued and will be sent back to the sender's server with a temporary failure status.

The Mailbox Overview pages combine the features in the Local recipients and the Email Alias pages and provide the preferred means to manage your mailboxes.

In the Admin Level or Domain Level Control Panel, select General > Mailbox Overview.

There are three tabs:

n Configuration Tab n Mailboxes Tab n Mailbox Aliases Tab Configuration Tab

At the Admin Level, the following options can be enabled/disabled for outgoing mail from your domain(s): Outgoing

n Rewrite Sender Addresses - If enabled, mailbox aliasing is applied to the envelope sender address of outgoing messages

- 80 - n Enforce Sender Domain - If enabled, outgoing messages where the envelope sender address is not in any of the domain(s) will not be sent. n Enforce Sender Mailbox - If enabled, outgoing messages, where the envelope sender address is not in the list of mailboxes in the Mailboxes tab, will not be sent. n Filter Outgoing Messages by Default - If enabled, messages from mailboxes that are not listed in the Mailbox tab or are set to 'Recommended' outgoing filtering, will be filtered before being delivered. If disabled, messages from all mailboxes (and not just those listed in the Mailbox tab) will be delivered without filtering. n Automatically discover senders - If enabled, envelope sender addresses are added to those listed in the Mailbox tab.

The settings configured in the Configuration tab are the recommended settings for mailboxes. Where you see Use recommended alongside a setting in the Mailboxes tab, these are the recommended settings that are referred to. To apply all recommended settings to all mailboxes, click on the Use recommended for all button at the bottom of the Configuration tab.

At the Domain Level, the following options can be enabled/disabled. Date/Time options

n Select the Timezone , Date format and Time format. General

n Maximum mailboxes - Specify haw many mailboxes can be added to the list, either automatically by discovery, automatically by Configuring LDAP Mailbox Sync or manually. Incoming

n Accept mail for any mailbox confirmed as valid by the destination mail server - If enabled, the destination mail server will be queried (with a 'Recipient Callouts'), to check whether the mailbox exists.

If the Automatically populate "Mailboxes" tab option is enabled, then the mailboxes, up to the specified limit, will be added to that list via 'recipient callout' discovery.

n Accept mail only for mailboxes listed in the "Mailboxes" tab - If enabled, only mail sent to mailboxes specified in the Mailboxes tab is accepted. If disabled, a query is sent out to the destination mail server (with a 'recipient callout') to check whether the mailbox exists. n Automatically populate “Mailboxes” tab based on destination server response - If enabled, the "Mailboxes" tab will be populated with addresses when they are confirmed as valid by the destination mail server (via a 'recipient callout'). This should not be activated for destination domains that will validate any recipient as valid (e.g. have a 'catch-all' mailbox). n Filter mailboxes by default - Controls whether messages to mailboxes that are not in the "Mailboxes" tab, or are set to "Recommended" incoming filtering, will be filtered or delivered without filtering. If enabled, mail to mailboxes not listed in the Mailbox tab will be filtered before delivery. If disabled, messages will be delivered without filtering. n Log mail to invalid recipients - If enabled mail sent to invalid recipients is logged by the system.

- 81 - n Destination server has a ‘catch-all’ mailbox - A domain's catch-all status (whether it is configured to accept mail from unknown mailboxes) is automatically detected by the system. If a domain is detected as catch-all, some functionality ( e.g. automatically detected Email Scout Reports) is not available.This option allows you to manually configure this status if, for example, the status has changed or has been wrongly detected. Archiving

n Archive by default - If enabled, messages sent to mailboxes listed in the Mailboxes tab that are set to 'Use recommended' archiving and messages sent to users not listed in the Mailboxes tab will be archived.

- 82 - In the Mailboxes tab (described below) when the Archiving enabled mailbox setting is set to Use recommended, it uses the setting specified here.

If, for example, the Archive by default setting is enabled here, all users with mailboxes set to 'Use recommended' will have archiving switched on. Alternatively, if the Archive by default setting is disabled, all users with mailboxes set to 'Use recommended' will have archiving switched off.

Mailboxes Tab

In the Mailboxes tab at Admin level you can view all mailboxes set up in the system. At Domain level you can view all mailboxes in the domain. View mailboxes

In the Mailboxes tab, click on Show Results to view all mailboxes. To search for specific mailboxes, use the Query Rules panel to refine your search and click on Show Results to display matching results.

- 83 - Add mailbox Generally, mailboxes will be detected and configured automatically but you may want to add and customize the behaviour of specific mailboxes.

Click on + Add mailbox.

Edit one or multiple mailboxes 1. For a single mailbox - Alongside the mailbox you want to edit, click on the dropdown menu and select Edit. For multiple mailboxes - Place a tick in the checkbox alongside the mailboxes you want to edit and from the Apply to selected dropdown at the bottom of the page, select Edit and Apply. The Edit mailbox or Edit multiple mailboxes dialog is displayed. If editing a single mailbox, the mailbox address is displayed. 2. Alongside the following settings:

n Filtered (incoming) - If you disable this, filtering on the selected mailboxes is switched off. Effectively the recipients are whitelisted. See Switch off Filtering for Specific Mailbox (whitelist recipients).

You can also whitelist a recipient for all domains using the Recipient Whitelist at the Admin Level, see Whitelist Recipient for All Domains.

n Archiving enabled - Yes=Archiving is active; no=Archiving is inactive.

n Automatic Email Scout Report Activation -Yes=ESRs are activated automatically; No=Automatic ESRs are inactive.

n Distribution list - Yes=the address is a distribution list; No=the address is not a distribution list.

n Discard all email without rejection response - Yes=all emails for that mailbox will be rejected without a bounce being generated; No=emails will be received for that mailbox. Choose from the following values: n Yes

n No

n Use recommended - If selected the default recommended setting specified in the Configuration tab is applied. Options with no value retain their existing values. 3. Click Apply. Switch off Filtering for Specific Mailbox (whitelist recipients)

You can choose to whitelist a recipient by switching off incoming filtering on that mailbox.

1. At Domain Level, select General > Mailboxes Overview. 2. Click to open the Mailboxes tab and use the Query Rules panel to search for the relevant mailbox. Click Show Results to see all matching results. 3. Click on the dropdown to the left of the mailbox and select Edit to open the Edit mailbox dialog.

- 84 - 4. Expand the Filtered (Incoming) panel and select No. 5. Click Save. Mailbox Aliases Tab

A mailbox alias rewrites email from one address at a domain to another address at the same domain. For example, if you have example.org as a domain alias for example.com, and alias@ as a mailbox alias for user@, then any mail directed to [email protected] or [email protected] will use logging, quarantine, and filtering settings of the primary mailbox, [email protected].

If Direct delivery for email and domain aliases is enabled in Incoming > Domain Settings, then the final delivery of the message will be made to the original version of the address. Otherwise, the delivery will be to the primary mailbox.

In the Mailbox alias tab, you can do the following:

n Add, edit and remove aliases n Catch all mail to a domain and direct it to a single address Add a mailbox alias

1. In the Admin or Domain Level Control Panel, select General - Mailbox overview. 2. Open the Mailbox aliases tab. 3. Click on + Add alias to open the Add alias dialog. 4. At Admin Level the Domain field is displayed. Start typing to find the domain to wgich you want to add the alias. 5. In the Mailbox field, enter the email address without the domain part e.g. if the mailbox address is [email protected], enter 'john.smith'. 6. In the Alias field enter the alias email address without the domain part e.g. for [email protected], enter 'j.smith'. 7. Click Save.

Catch all mail and direct to a single address

1. In the Mailbox field enter the address to which you want all mail sent. 2. In the Alias field enter *.

The only wildcard you can enter in the Alias field is a single '*'. For example if you enter 'user*', this applies to the address [email protected] and NOT all addresses starting with 'user'.

3. Click Save.

Only a single rewrite is possible. For example [email protected] cannot be rewritten to [email protected]

MX Records

Mail Exchange (MX) records are DNS records that are necessary for delivering email to your address.

- 85 - An MX record is used to tell the world which mail servers accept incoming mail for your domain and where emails sent to your domain should be routed. Assigning multiple MX records, is a fail- safe measure you can use in the event your default mail server is down. If your MX records do not point to the correct location you will not receive email. To route incoming email for your domain through the Mail Assure filter you need to update the MX records in your domain provider's DNS settings. See Update Your MX Records in Your Domain Provider's DNS Settings (below).

Prior to changing the MX records, you should check your records' TTL value. We recommend a maximum value of '3600' in order to propagate any DNS changes faster. Higher TTLs can lead to spam not being filtered by our nodes, until the previous record expires, when the TTL is reached.

The default MX records are listed in the Default MX host names section in the Server - Settings page accessible from the Admin Level Control Panel, see Manage General Settings.

You can check whether your domains have the correct MX Records configured using the MX Verification Tool.

Update Your MX Records in Your Domain Provider's DNS Settings

1. In your domain provider's DNS control panel add the following records:

MX records consist of two parts: the domain name and the priority. The lowest number is the highest priority and is the first one attempted for delivery.

Global MX Records (Recommended)

n mx1.mtaroutes.com (priority 10)

n mx2.mtaroutes.com (priority 20)

n mx3.mtaroutes.com (priority 30)

n mx4.mtaroutes.com (priority 40) We recommend configuring your domain to use the above global MX records. However, where there is a requirement to route data through a specific geographic territory, the below region-specific MX records may be used: EU Region

n mx1-eu.mtaroutes.com (priority 10)

n mx2-eu.mtaroutes.com (priority 20)

n mx3-eu.mtaroutes.com (priority 30)

n mx4-eu.mtaroutes.com (priority 40) Americas Region

n mx1-us.mtaroutes.com (priority 10)

n mx2-us.mtaroutes.com (priority 20)

n mx3-us.mtaroutes.com (priority 30)

n mx4-us.mtaroutes.com (priority 40) UK Region

- 86 - n mx1-uk.mtaroutes.com (priority 10)

n mx2-uk.mtaroutes.com (priority 20)

n mx3-uk.mtaroutes.com (priority 30)

n mx4-uk.mtaroutes.com (priority 40) AU Region

n mx1-au.mtaroutes.com (priority 10)

n mx2-au.mtaroutes.com (priority 20)

n mx3-au.mtaroutes.com (priority 30)

n mx4-au.mtaroutes.com (priority 40) CA Region

n mx1-ca.mtaroutes.com (priority 10)

n mx2-ca.mtaroutes.com (priority 20)

n mx3-ca.mtaroutes.com (priority 30)

n mx4-ca.mtaroutes.com (priority 40)

Some DNS control panels require you to use a trailing dot (.) after the hostname. Please check with your DNS provider if this is the case for you. 2. Remove the original MX records.

You must make sure you remove old MX records so that all emails are filtered through the Mail Assure cloud. Spammers actively try different MX records (such as the highest numbered priority) to bypass spam filters.

DNS changes may take some time before they are picked up by the DNS resolvers world-wide, so email may continue to deliver directly to the original MX records without filtering for some time depending on the TTL value set on the DNS server.

You can check using the Log Search if the message has passed through the Mail Assure filtering nodes. MX Verification Tool

Use the MX Verification Tool to check that your system is using the correct MX records.

1. In the Admin Level Control Panel, select General > MX verification tool. 2. The default MX hostnames are listed - the system takes these from the General> Settings page (see Manage General Settings). 3. Click on Start verification. The system then checks all domains' MX records and displays any whose MX records do not match. All incoming and outgoing mail from domains that do not have the matching MX records will not be filtered by Mail Assure.

You can also download a .CSV file listing all domains that were checked and of those, which are non-matching. Do this using the Download report button.

- 87 - LDAP Authentication and Synchronization

In Mail Assure both LDAP Authentication and LDAP Mailbox Sync use LDAP to query your company user directory. LDAP Authentication

LDAP Authentication allows users to access their personal Mail Assure control panel using their company credentials. This is useful so that your users can access their mail in a business continuity scenario (if your directory is maintained on a separate server to your mailboxes). See Set up LDAP Authentication. LDAP Mailbox Sync

LDAP Mailbox Sync keeps the Local Recipients list in sync with the users listed in the company directory. This allows you to enable local recipient only delivery without having to maintain the list manually. See Configuring LDAP Mailbox Sync. Set up LDAP Authentication

Mail Assure provides full integration with LDAP in order to allow all your email users to log in to the Mail Assure Control Panel with their existing email credentials (this is currently only available to Active Directory (Microsoft), OpenLDAP and Zimbra). This means that your users will no longer have two sets of credentials, but only one. When LDAP authentication is enabled, 2FA is still functional, but password changes and recovery are managed on your LDAP server and not by Mail Assure. Generally, there is no point in adding or removing email users to Mail Assure as they will be added automatically when LDAP is activated. However, one reason to add one or more email users is so that you can prevent them from logging into the Mail Assure Control Panel by setting the user status to inactive. LDAP support is only available at Email User Level - and not at the Admin, Sub-Admin or Domain User Levels. Because of this, and in order for the LDAP server to integrate with the Mail Assure Control Panel, the username must be an email address e.g. [email protected] (and NOT a username in the format 'fred'). Set up LDAP Authentication for Email Level users from the Domain Level Control panel:

1. In the Domain Level Control Panel, select Users & Permissions > Manage Email Users.

The Manage email users page is displayed:

- 88 - 2. Click on LDAP authentication at the top of the page, to expand the LDAP section:

- 89 - The following settings are available:

- 90 - Setting Description

Authenticatio n AD - Windows Active Directory (e.g. n mode Exchange)

n LDAP - Select this for simple LDAP authentication (e.g. Zimbra, OpenLDAP)

Domain This is the server hostname and optionally the port controller 'server:port'. For example, if your LDAP domain controller is ldap.example.com and connects on port 389 (insecure) or port 636 (secure - over TLS), you can add 'ldap.example.com:636' (this must be open in the firewall to accept connections).

Security The type of security used on the connection - protocol usually None or TLS.

BaseDN This should be the starting point of the DNs that contains all the users for this domain For example, if the users DN is "CN=test,CN=Users,DC=exchange,DC=example,DC= com" the value for this field should be “CN=Users,DC=exchange,DC=example,DC=com” BindDN This can be used to override the bind username Format that's passed to your server. For example, if your userPrincipalName format is [email protected] enter %(user)[email protected]

Search base This is the LDAP/AD value which the service will look for at login time and uniquely identifies your users. For example, if the user is [email protected], and there is an LDAP attribute like sAMAccountName: test. The correct value for the “Search base” is sAMAccountName If there is no such attribute but there is one that has the domain as well, for example: “userPrincipalName: [email protected]”, you can use userPrincipalName=%n to append the domain name Other possible values include, but not limited to: sAMAccountName, CN, uid

3. Click on Save to apply the settings.

Once LDAP is set up and the email user attempts to log in for the first time, the system automatically checks the credentials via LDAP.

If, for any reason, Mail Assure is unable to contact the LDAP server, it will check cached local credentials.

Configuring LDAP Mailbox Sync

The following tasks allow you to set up Mail Assure to synchronize with your domain's mailboxes and email aliases on LDAP:

- 91 - n Set up LDAP Mailbox Sync Details n LDAP Sync Preview n Set up Custom LDAP Mapping Rules

If needed, you can export a list of all existing LDAP mappings you have set up for your domains in the Admin Level Control Panel, see Export List of LDAP Mappings for Your Domains.

Once you have set this up, the mailboxes are listed in the Mailboxes Overview page (see Mailboxes Overview).

Prerequisites for Using LDAP Synchronization

n All information must be correctly entered when setting up the LDAP Mailbox Sync details, see Set up LDAP Mailbox Sync Details n The LDAP server must allow logging in with a username in the format [email protected].

n There must be an LDAP attribute that uniquely identifies the user either with or without the domain. For example: sAMAccountName: test n userPrincipalName: [email protected] n When users have multiple email addresses they must always use the email address stored on LDAP to access the system. Using any other email address will not allow access to Mail Assure. n Users must have the mail LDAP attribute.

Set up LDAP Mailbox Sync Details In order to synchronize a domain's mailboxes and email aliases with LDAP, you need to add your LDAP server connection details at the Domain Level for each domain.

1. At the Domain Level, select General - LDAP mailbox sync to display the Configuration tab. 2. In the Connection settings section: n Enter the Host - the hostname or IP address that points to your LDAP server e.g. exchange.domain1.com

n Enter the Port (the default ports are LDAP (389), LDAPS (636)).

n If you want to use TLS to connect, tick the checkbox. 3. In the Login settings section n Enter the Username / bind DN

n Password of the username that can access the LDAP server. 4. Enter the Base DN - the search base for the LDAP query e.g. dc=domain1, dc=com

- 92 - 5. Choose how often you want the filtering server to check the LDAP server for changes, from the Sync every dropdown: n None

n 4 hours

n 12 hours

n Day

n 2 days

n 5 Days 6. Optionally, click on Show advanced settings. and add the following: n Use the Filter field to narrow the list of directory entries that should be synchronized with the LDAP server. For example, (&(!(mail=health*)) (objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) to exclude Health Mailboxes and disabled accounts.

n Allow updates - If you want to allow the LDAP sync to update users that have already been synchronised

n Allow deactivations - If you want accounts to be removed from the Mail Assure Control Panel when they no longer exist on the LDAP server. 7. If you use non-standard attributes in your AD you might need to add a custom mapping, see Set up Custom LDAP Mapping Rules. 8. Click Save. 9. If you want to view what changes will be made in the next sync, click on the Save and Test button.

If you want to clear the configuration so LDAP Mailbox Sync is no longer used, click on the Clear button and then on Save.

LDAP Sync Preview

The LDAP Sync Preview page allows you to preview LDAP sync changes (e.g. mailbox/aliases added, removed and updated) and perform a manual LDAP sync immediately or at a scheduled time.

1. In the Domain Level Control Panel select General - LDAP Mailbox Sync. 2. In the Configuration tab, click on the Save & Test button at the bottom of the page to open the LDAP Sync Preview dialog. A summary table shows the number of mailboxes and aliases that will be added, removed or updated when the sync is performed.

n If you want to run the sync manually, click on the Save & sync now button at the bottom of the page. n If you want to schedule the sync at a later time, click Save & sync later to save the sync settings in the previous LDAP mailbox sync page and run the sync at the scheduled time.

Set up Custom LDAP Mapping Rules

The Default Mapping tab in the General - LDAP Mailbox Sync page includes the most common methods of linking LDAP attributes to Control Panel mailboxes or email aliases.

- 93 - To view the Default Mappings already set up for your system, click on Show Results.

You can also define your own set of custom mapping rules to link LDAP attributes to your mailboxes or aliases.

1. In the Admin or Domain Level Control Panel, select General - LDAP Mailbox Sync. Click on the Mapping tab. 2. Click Add mapping to open the Add a new mapping dialog. 3. Choose the Type of mapping - either Mailbox, Alias or Username.

In some environments, where the LDAP username is required to sign in to the system, some users are unaware of their username and expect to use their email address. The Username mapping allows the users to sign in with their email address while the system authenticates using the LDAP username.

4. Select the Domain you want to map. 5. In the Attribute field enter the LDAP Attribute that contains the email address/alias - e.g. userPrincipalName 6. Enter the Regular expression you want to use to find matches for the attribute you entered e.g. ^(.*)@mydomain.com 7. In the Formatter field, a string that will transform the matched value into an email address - e.g. {}. 8. Click Save.

Export List of LDAP Mappings for Your Domains

You can export a list of all LDAP mappings set up for your domains.

1. In the Admin Level Control Panel, select General > LDAP Mailbox Sync. 2. Click on Export mappings as CSV above the Query Rules panel.

The file is downloaded to your machine.

- 94 - Manage General Settings

The settings page contains a number of configurable settings including: the default settings for your purchased products; the administrator's contact details; the date and time format and timezone; chosen languages etc.

In the Admin Level Control Panel, click on General > Settings.

The following options/settings are displayed: Available Products

Displays which products are available. You can choose to auto-enable each product for new domains that are created by ticking the box alongside the product. Server Settings

n 1-click Log In Script - Download a sample script which shows how to integrate the one-click log in feature into your own systems (e.g. custom control panel), allowing users to log in without the need for them to enter their password. n Administrator’s contact - Administrator's Email address n Support URL n Accepted method by Support URL - GET/POST n Parameter name to send username value to Support URL n Parameter name to send email value to Support URL n Logout URL n Timezone n Date and time format n Default language - The language used in the application n Available languages - Languages that will be available to users from the Default languages dropdown n Force secure (HTTPS) connections n Default Items per page - The number of items in search results tables per page. n Email notifications From address n Email notifications Reply-To address n APS to Control Panel access message Default MX Hostnames

The default MX hostnames listed here are used by the MX Verification Tool to verify whether all of your domains have the correct MX records configured. See Update Your MX Records in Your Domain Provider's DNS Settings for instruction on how to enter the correct ones in your domain provider's DNS control panel.

- 95 - Incoming Filtering

From the Incoming Filtering area you can carry out a variety of tasks related to the filtering of your incoming mail. What do you want to do?

n Filtering Technology - Discover how Mail Assure 's filtering technology works. n View Incoming Bandwidth Overview - View graphical representation of bandwidth usage as a total and per domain. n View Incoming Delivery Queue - View emails that are being queued when not accepted by the destination server. n View Global statistics - View incoming statistics over a specified time-frame for all the domains you manage, in graphical and tabular format. Includes General Accuracy percentage and Spam ratio of Spam emails to all filtered emails. It also shows the following Metrics: Not Spam messages; Unsure messages; Spam messages blocked; Viruses blocked; Whitelisted and Blacklisted - and shows the Bandwidth required for each metric and the number of messages in each category. Access this from the Admin level Control Panel. n Incoming Whitelist Filtering Rules - View existing and create new rules to always allow specific mail at the domain level. n Incoming Blacklist Filtering Rules - View existing and create new rules to always block specific mail at the domain level. n View Incoming Log Search - Filter on incoming mail and report on the data available. n Create Email Scout Report - Create and email scheduled or one-off report based on your filtered log search results. n View Spam Quarantine - View inbound mail that has been blocked and quarantined and take action where necessary. n Message Queueing - View your incoming messages that have been temporarily rejected before reaching the destination server and placed in the Incoming Delivery Queue. You can reply to emails in the queue if required. n Manage Domain Aliases - Set up and manage your domain aliases. n Configure Domain Settings - Configure various settings including: the primary contact email address; email notification From address; logging for invalid recipients and Rejected local part characters. n Manage Destinations - Add and check your destination mailserver route(s) n View Domain Statistics (Incoming) - Check domain statistics including spam ratio, spam messages blocked, viruses blocked, whitelistings/blacklistings etc. n Manage Quarantine Filter Settings - Enable/disable the Quarantine and manage Quarantine filter settings for incoming mail. n Train Spam - Upload messages you want the system to treat as spam. n Train Not Spam - Upload messages you want the system to NOT treat as spam. n Report Spam n Clear Callout Cache - Incoming - Clear the domain's incoming callout cache. n Incoming Whitelist Filtering Rules - Domain Level - Set up Whitelist filtering rules for your domain.

- 96 - n Incoming Blacklist Filtering Rules - Domain Level - Set up Blacklist filtering rules for your domain. Filtering Technology

Mail Assure's filtering systems are specifically designed to avoid false positives. For example, many different checks are performed to avoid making mistakes based on only one classifier. There are two levels of filtering:

n SMTP Level Filtering n DATA Level Filtering

Thanks to the combination of the many advanced filters and compliance with IETF RFC standards on how connections should be handled, our systems ensure email messages never disappear. The sender is always informed by their sending server when a message is rejected and messages blocked at the DATA level are usually available in the Quarantine. SMTP Level Filtering

Incoming email connections are not blocked until after the "rcpt to:" SMTP command, as much as is possible. In doing so the system ensures that the connection belonging to the recipient domain in the logging server is properly logged. As a result, logs showing all connections made to a certain recipient are easy to access. If a connection appears to be coming from an unknown source or it has not yet been ranked with a good reputation in Mail Assure, it may be temporarily rejected with a 4xx code. In this scenario, the sending server queues the email in the Outbound Delivery Queue and automatically retries delivery (at a time controlled by the sending server administrator). After ten minutes, the connection is accepted by the cluster on any of the filtering nodes, and the internal IP whitelists are adjusted to avoid this delivery delay occurring the next time. This concept is also known as greylisting, however the Mail Assure implementation is a lot more advanced than traditional greylisting systems since all nodes are fully synchronized, and only connections from servers that are unknown to the Mail Assure network are temporarily delayed. Therefore email delays due to greylisting on active filtering clusters are rare and generally do not cause any problems for the recipients. If the connection appears to originate from a spamming source, it may also be temporarily rejected with a 4xx series code. This way, even if the server is wrongly listed (for example on an external blacklist) as a spamming source, or if the spamming problem has been resolved on the sending server's domain configuration, the email still does not get rejected and will be delivered to the final recipient after a delay. Only if the connection is from a known, spam-only source, or if the behavior is in direct conflict with the IETF RFC standards, a connection may be permanently rejected with a 5xx error code. If that ever happens for a legitimate sender, the sender will always receive a bounce notification from their sending server. This issue only occurs when there are serious problems with the sending server that can only be resolved at the sender's side. 5xx series rejections will only occur at SMTP level, when the receiving users have rules to do this, or if the source has been verified as sending only spam messages.

- 97 - DATA Level Filtering

After the "DATA level" is reached, the system scans the email content of the message based on a combination of advanced statistical filtering technologies, spam fingerprint databases, malware, phishing detection and spyware. An email that is detected as spam, can be configured to be:

n Quarantined n Dropped silently n Delivered anyway Email which is permanently rejected (5xx series status reply to the sending server) at this level as spam is quarantined, and will be available for release (except for viruses). If a legitimate email has been permanently blocked, the sending server is responsible for informing the sender that the email did not reach the destination recipient. Virus Scanning

Viruses, malware and other online threats often spread via email, therefore it is essential that emails are scanned for viruses before they reach users' mailboxes. Mail Assure actively blocks both spam AND its malicious attachments such as viruses, malware, ransomware, spyware and so on. Pre-virusscan blocks

Due to the fact that viruses generally try to spread as spam emails, the majority of email viruses are already blocked as spam before they reach our antivirus technologies. Thanks to this setup, even viruses not yet known to virus scanners are safely quarantined or rejected outright. Attachment Filtering

Email viruses typically try to spread as executable attachments. In the Email Restrictions > Attachment Restrictions page, accessed from the Domain Level Control Panel, you can control what attachments should be blocked by default. In this page you can also choose to:

n Block password-protected archive attachments n Block potentially unwanted attachments n Block attachments that contain hidden executables. With these options enabled, potentially dangerous email attachments are not accepted. See Manage Attachment Restrictions. Antivirus Engine

Our additional antivirus measures include running a combination of different technologies to protect you against malware. This includes the open-source ClamAV antivirus framework, which is enhanced with additional datasets specialized in detecting zero-day email viruses provided by several external partners. We combine this external data with our internal data, which is generated both automatically and provided by our analyst team. By combining various different technologies, we can ensure real-time, optimal protection against the latest virus outbreaks. All our internal spam reputation systems (including fuzzy fingerprinting) also contribute to virus scanning to ensure optimal protection against not only spam, but also malware, phishing, and viruses.

- 98 - It is just as important to run antivirus on the endpoint as well, as the delay between the actual email processing and the user opening the message allows other antivirus vendors more time to update their signatures. Based on any false negative virus reports received, our systems re-adjust automatically and our analysis team can run in-depth analysis where needed. Most of the reports come in the form of messages that have bypassed filtering due to explicit whitelisting of senders/recipients matching the virus email. Sandboxing

We actively analyze virus emails to catch zero-day viruses and continuously improve our detection systems. Sandboxing is utilized in our central environments for analyses, however we do not integrate real-time sandboxing in our scanning processes. We have not found any significant statistical evidence proving the effectiveness of sandboxing as Mail Assure has built-in technology to quarantine or drop ANY email that includes an attachment with executable content (including non-malicious executables), since email should not be used to distribute executables. View Incoming Bandwidth Overview

From the Admin Level you can view the incoming bandwidth usage per domain:

1. In the Admin Level Control Panel, select Incoming > Bandwidth overview. 2. Specify the Date range in the fields provided and click on Show. 3. The total bandwidth usage amount for all domains is shown along with the individual usage per domain - in the form of a pie chart and a table. Incoming Log Search

The Incoming Log Search is a comprehensive search tool which allows you to filter on all incoming messages over the past 28 days. In this page you can also access Quarantined messages, those that are in the Incoming Delivery Queue as well as those that are Archived. To access the Incoming Log Search, in the Admin, Domain or Email level Control Panel, select Incoming > Logs.

- 99 - Using the Log Search you can:

n Perform powerful filtering to find the results you need including: n Filtering on message size and the From, To and CC headers n Filtering on the outgoing IP used for delivering or attempting to deliver the message and the location of the sending server (based on the IP address) - See Run Custom Log Search n Perform various action on single or multiple messages - See Actions Available on Log Search Results n Customize available actions on specific messages - Add Customized Action Using Log Search n Regenerate the index to search all archived message content - Regenerate Index n Export archived messages - Export Archived Messages. n Create and email a report of your log search results (and schedule at a specified frequency) - Create Email Scout Report. Run Custom Log Search

In the Admin or Domain Level Control Panel, search incoming or outgoing logs by selecting Incoming > Logs or Outgoing > Logs

Query Rules Panel

The Query Rules panel allows you to customize your search filters. The default query rule for the incoming Log Search is the Timestamp rule.

- 100 - Use the shortcuts beneath the Timestamp filter to quickly select results from Yesterday, the Last week and Last month.

To Match all rules specified ensure that All is selected. Alternatively to allow partial matching select Any:

1. Click on + New rule and select from the filter options available:

The Query Rules are constructed of three parts: n The part of the message/metadata you are looking for e.g. sender, subject, To, From, CC, Sender location, message size etc. - Select from the first dropdown in the Query Rules panel

n The type of match e.g. contains, does not start with etc. - Select from the 2nd dropdown in the Query Rules panel

n The content you are trying to match - Select The Status of a message tells you what stage the message has reached in the filtering process e.g. rejected, queued for delivery, quarantined etc. To search for messages with a specific status, use the Status rule and tick the checkboxes of the statuses you wish to include.

- 101 - 2. If you wish, you can use the Quick select shortcuts provided e.g.Accepted; Not accepted. 3. Once you have added the rules, use the Customise dropdown to select the fields you want displayed in the search results.

There are many options available, with the most popular choices outside of the defaults being: n Main Class - How the message was classified which determines what happens to the message (e.g. temporarily or permanently rejected, for example, Spam).

n Sub Class - Why the message was given the Main Class that it was given. For example, if the message was classed as Spam, the Sub Class may be DNSBL (DNS Blacklisted).

n Delivery Data - Shows the destination mail server's most recent response to the filtering server's attempt to deliver. For example, if a message is accepted by the filter but can't be found in the recipient's Inbox, this field will show if the message was delivered to the destination mail server or not. To see all delivery attempts that have been made for a message, see the Delivery Details page.

- 102 - n Status - Shows the current status of the message. For example, Delivered, Rejected, Quarantined, Queued etc. Note that Rejected includes both temporary rejections (where the sender will most likely automatically retry delivery later) and permanent rejections (where the sender will not automatically retry).

Click on the classification link in the page description at the top of the log search to display the Classifications side-bar which shows more information on the classifications available:

4. Use the Group results by: dropdown and select from the list if you want to group the results by category. For example, to group the results by sender, select Sender. 5. Once you have specified your filters, click on Show Results to run the search and display the results at the bottom of the page. Actions Available on Log Search Results

In the Search Results listed you can carry out a variety of actions including:

n Telnet SMTP test n Sender callout n Recipient callout n Whitelist/Blacklist Sender/Recipient

- 103 - n View Delivery History n Change action for specific messages - See Add Customized Action Using Log Search n Export Log Search Results - Download the report in Excel CSV format - using the Export button.

The Outgoing Log Search provides the same functionality described in this topic for outgoing messages.

Regenerate Index

If you want to be able to search all archived message content in your domain, click on the Regenerate Index button at the top of the Domain Level Log Search page.

- 104 - The index is regenerated and any messages archived since the last time the index was generated are added to the index - allowing you to search all archived message content for that domain. Add Customized Action Using Log Search

1. Once you have run your log search and the search results are listed, select the dropdown to the left of the message and select Change action for messages like this.

2. The Add a new custom action for emails dialog is displayed with the fields pre-populated according to the message.

- 105 - 3. Click Save. The new custom action is listed in the Customize actions page accessible from the Admin and Domain Level Control Panels.

You can now use the dropdown to the left of the new action and select Find similar messages to redirect you to the Log Search where the query based on your rule is automatically run and matching results are listed.

Alternatively, you can set up custom actions manually on the Customize Actions page. However, using the log search, as described here, is quicker, easier and more versatile.

Export Log Search Results

To download log search results in CSV format to a zip file:

1. In the Incoming or Outgoing Log Search, run your search using the steps described in Run Custom Log Search. 2. At the top of the page, select Export entries as CSV.

- 106 - The zipped CSV file is downloaded to your machine. Create Email Scout Report

Once you have run your incoming or outgoing log search, you can choose to set up an Email Scout Report (ESR) which contains the results of the log search and can be scheduled to be sent to a specific recipient or to all mailboxes in the domain. An ESR can be set up to run straight away, at a scheduled date and time or periodically, at a scheduled date and time.

1. In the Domain Level Control Panel, click on Incoming > Logs or Outgoing > Logs. 2. Using the filters in the Query Rules panel, choose what log search data you want to display in the results. 3. Click on Show Results to display the results. 4. Click on Email me this report. above the Query Rules panel. The Set up Email Scout Report dialog is displayed.

5. In the Subject field enter the Email subject you want displayed. 6. From the Delivery dropdown, choose from the following options whether you want to create and send the report immediately or on a given date and time - or create a scheduled report:

- 107 - n Right away - Send the report to the specified recipient immediately.

n At given time - Displays the Delivery options panel allowing you to specify a date and time to the specified recipient.

n Weekdays at 09:00

n Every day at 09:00, 12:00 and 16:00

n Repeat - Displays the Delivery Options panel in which you can schedule the report using a variety of frequency options.

n Advanced - Displays the Delivery Options panel allowing you to further specify your repeat schedule (in a 'crontab' style format). 7. Enter the sender you want to be displayed in the Sender field of the email. 8. Enter the report recipient in the Recipient field. 9. In the Choose the domain(s) to generate a report for field choose one or more domains. The report will include mail filtered for all mailboxes in the listed domain(s). 10. Select the template you want to apply in the Template name field.

You can create your own Email Scout Report templates to define your report format - see Email Scout Report Templates (Preview).

11. Click on Schedule. The newly created report will be emailed to the recipient on the date and time specified.

You can automatically enable Email Scout Reports so that they will be sent to each recipient in your domain, up to three times a day. Do this in Incoming - Domain Settings.

Email content The Email Scout Reports email contains a list of emails that match the report filters you specified in your log search.

- 108 - The subject line may contain a link. When clicked this will open a web page in your browser containing the message content.

In this page you can:

- 109 - n View the message as Plain text or Raw (which displays the message headers) n Use the Available Actions dropdown to perform the following: n Blacklist Sender n Release n Whitelist Sender n Remove n Release and Train n Unsubscribe

Once you have created your Email Scout report, it is listed in the Reporting > Email Scout Reports page: See View/Edit Email Scout Reports.

Email Scout Report Templates (Preview) Use the Email Scout Report templates feature to customize the format of your reports.

Please ensure you have Features Preview enabled to use this feature.

At the Admin Level, select Reporting > Email Scout Report templates (Preview).

This page contains the following tabs:

n Templates tab - Lists all custom templates (and any copies made from the Recommended Templates tab). Using the menu to the left of each template listed, you can create, edit, remove and copy templates. You can also view all incoming and outgoing Email Scout Reports that use each template. n Recommended Templates tab - Contains the default templates available to all users: n Column based - suitable for reports containing a small number of results n Row based - suitable for reports with a large number of results Use these templates to base your own custom ones on. For information on default template content, see Email Scout Report (ESR) Template Defaults and Variables. Using the menu to the left of each template listed here, you can copy each template and view all incoming and outgoing Email Scout Reports that use each template. Copying a template in this tab pastes a copy into the Templates tab. n Automatic Email Scout Report Activation Messages - Contains all templates created for the Email Scout Report activation messages (sent when an ESR is scheduled to be sent to a recipient). You can add a new activation message template in this tab (by clicking the + Add activation message template link at the top of the page). In this tab, you can also copy an existing template - the copy is listed here too.

Create Email Scout Report Template

- 110 - 3. The Copy Email Scout Report template dialog opens. 4. Replace the copied template name with a new name in the Template name field. 5. In the Admin field enter the Admin user for which this template applies. 6. Use the HTML and Plain tabs to add your template format. n HTML tab - content here will be displayed in the text/html version of the report which is the default for most email clients

- 111 -

- 112 - ("Destination port", "destination_port", None), ("Status", "status", "status"), ("Classification", "main_class", None), ] %}

- 113 -

- 114 - cQAQEAAgEDBAICAwEAAAAAAAERACExQVFhQHGBkaGxMMEQIFDw/9oACAEBA AE/EP8AuoEFBWG+fWoxAbVeMRMPRQP/AJ0uOjt37TT8ZzYgMz7Djxjo8k/6zHag hoTkDi8D2vrQBDyI9hN4+PMSQP2+PrBICpkm8eFer/bbfgxgfUBV7nfz9YzNOpP4f QbqSJjHYm/5C8qBqo4nBy+v8PGOI0mbrtFp+svgx2z7y/o3j922l77HAeR7Yc4MGB 8H8hA+jBpQTjcXzj4wQgUKAFXDAMiFNW7Intpnle0iHQgZbHhgXukm7lPEKoLvIm HFDWcTeFrGJLw3cnO5g8zDmFQ6CwXt34xsjBwKIBpJnllNSYVlbuauwbbf1aIXwf bE2/BRqoew/GV4uKiRjkCBgzoPa6O3ghi6AnroL7B4osLjUo0dnB1uvitXHCU11VAu sEPYMbisVI0Mhqqy27riulkVA0GnTXvgEAR0jguNEoYIo6R308Ya65c2/wCjx/KNjFx 6PeNB84G6phhFGlMHnbxu5xlkg3R2afbYUpjcLnEBId2aOVnTebc2OfeBD5wbZrRq 6dGnZppjtDjhaUVjZK73iXDSuOg8Ls1hlgIjwmKkJoFaURq8ykupVBA4EXwY3FEAE YTogh8ZvJmAYkRWusRY9mVUo743lA9ZgMNJHnpnbkJq8bN0vzGTYLqrjAAhBFvI +MTSTJAUFog8074muAK0hDs2KefOTxiygevAQLgyQwdg16mO595TuZTviHIPnKS 0mU7n+vHp+b2x0sEEVBV5vJiwOuRdCvbZndwxJnbW5+EfBgU8Q2DWpOD8YFiDo ZHCdMYIEhpBBPYL85sEZtUQRfO58erNAdsSEUQKcn4cuIcSBvT7PvAUxJ2OAfh+s 1U6kjdGzWcvabbLI/v5wrSBGwaQGkvjjJACSG0gB9B+fXyYxgdGmgdwe2K0hVRQ 6ZN317Mn+Nf83//Z/>

Email Scout Report

This is the email scout report for {{ destination }}, sent at {{ format_time( now ) }}.

{% for label,column,column_format in column_order if column in columns %} {% endfor %}

{% for object in objects %}

- 115 - {% for label,column,column_format in column_order if column in columns %}

{% endfor %} {% endfor %}

{{ label }}	View message
{% if not object[column] %} {{ "" }} {% elif column_format == "date_format" %} {{ format_date(object[column]) }} {{ format_ time(object[column]) }} {% elif column_format == "escaped" %} {{ object.get(column, "")\|replace(".", "."\|safe) }} {% elif column_format == "decoded" %} {{ decode_idna(object.get(column, ""))\|replace(".", "."\|safe) }} {% elif column_format == "size" %} {{ object.get(column)\|filesizeformat }} {% elif column_format == "status" %} {{ object[column]\|replace("-", " ")\|title }} {% else %} {{ object.get(column) }} {% endif %}	{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %} - 116 -

View message

{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %}

- 116 -

- 117 - If you are familiar with the Jinja templating language, you can create a completely new template by clicking on the + Add template link at the top of the page and adding your own content.

View Incoming/Outgoing Reports from a Particular Template

You can find out what Email Scout Reports are using any of your templates:

- 118 - The Email Scout Reports page is displayed showing search results for the Template equals query. View/Edit Email Scout Reports

The Email Scout Reports (ESR) page lists all Email Scout Reports existing in the system and all those that have been set up automatically. ESRs are created from the Log search page, see Create Email Scout Report.

1. In the Admin or Domain Level Control Panel, click on Reporting > Email Scout Reports - Incoming. 2. The reports are split over the following two tabs:

n Email Scout Reports tab - This tab lists all ESRs created in the Incoming > Logs.

n Automatic Email Scout Reports tab - Lists all automatic ESRs that have been configured in the Incoming > Domain Settings page (see Automatically Enable Daily Email Scout Reports). 3. To search for a particular report. select your filters from the Query Rules panel e.g. you can specify a particular domain when accessing this page at the Admin Level. 4. Click on Show Results to display all matching Email Scout Reports in the table at the

- 119 - bottom of the page.

In this page you can perform various actions on the listed reports, using the dropdown to the left of each report:

n Remove - Removes the report. n Edit - Allows you to edit the report details including: n Name and subject of the report n Sender and recipient n Schedule and delivery details n Template used n Execute search - Run the log search based on the original search filters when creating the report. n Send now - Send the ESR straight away to the recipient specified in the report. n Export as .CSV - Export report configuration as CSV file.

You can automatically enable Email Scout Reports so that they will be sent to each recipient in your domain, up to three times a day. Do this in Incoming - Domain Settings.

- 120 - You can add and edit your own custom ESR templates. See Email Scout Report Templates (Preview). This feature is only available when you have Features Preview enabled.

Spam Quarantine

The incoming Spam quarantine holds incoming messages that the filtering system rejects with a 5xx SMTP rejection code at SMTP level. Legitimate sending servers inform the sender about the rejection. By default, the quarantined spam is stored for 14 days. Spam messages that were temporarily rejected at SMTP level are not listed in the quarantine, and will be automatically retried by legitimate sending servers. What do you want to do?

n Enable the Quarantine n Access the Quarantine n View Domain Level Incoming Spam Quarantine n View Email Level Spam Quarantine n Manage Quarantine Filter Settings n View Quarantined Message Content n Release Quarantined Messages n Release and Train Quarantined Messages n Release and Whitelist Quarantined Messages n Remove Messages from Quarantine n Remove and Blacklist Quarantined Messages n View Incoming Rejection Classifications Enable the Quarantine

Enabling the quarantine is optional, but you must enable it for it to start rejecting messages and for you to view those messages:

In the Domain Level Control Panel, select Incoming - Protection Settings > Filter Settings and ensure the Quarantine enabled box is ticked:

- 121 - Access the Quarantine

You can access the Quarantine from the Domain Level and Email Level Control Panels.

Tip - You set up how the system deals with spam in the Incoming - Protection Settings > Filter Settings page. See Manage Quarantine Filter Settings.

n View Domain Level Incoming Spam Quarantine n View Email Level Spam Quarantine View Domain Level Incoming Spam Quarantine

In the Domain Level Control Panel, select Incoming > Spam Quarantine:

The Incoming Log search page is displayed, and filtered to show all messages with the 'Quarantined' status. You can further filter your listed results by adding new rules using the + New rule link.

In this page you can:

- 122 - n Search for a quarantined message - Using the Query rules panel - and remove all rules to see unfiltered results n Preview quarantined message content - By clicking on the message link in the Subject column. See View Quarantined Message Content. n Empty spam quarantine - Click on the Empty spam quarantine button at the top right of the page. n Release quarantined messages - Allow messages to be delivered to the recipient. See Release Quarantined Messages. n Release and train messages - Allow messages to be delivered and train the system to recognize future messages from this sender as not spam. See Release and Train Quarantined Messages. n Release and whitelist messages - Allow messages to be delivered and whitelist the sender. See Release and Whitelist Quarantined Messages. n Remove messages - See Remove Messages from Quarantine. n Remove and Blacklist Messages - Remove the message and blacklist the sender. See Remove and Blacklist Quarantined Messages.

Important - You can view outgoing messages held in the outbound Quarantine via the Out- going Log Search. From here you can choose to release or release and train messages.

View Email Level Spam Quarantine

Access the Spam quarantine to view incoming messages that have been blocked as spam.

Select Incoming - Spam quarantine.

The Spam quarantine page is displayed, listing all messages that have been quarantined.

In this page you can:

n Search for a quarantined message - Using the Search fields at the top of the page. n Preview quarantined message content - By clicking on the message link in the Subject column. See View Quarantined Message Content. n Empty spam quarantine - Click on the Empty spam quarantine button at the top right of the page. n Release quarantined messages - Allow messages to be delivered to the recipient. See Release Quarantined Messages. n Release and train messages - Allow messages to be delivered and train the system to recognize future messages from this sender as not spam. See Release and Train Quarantined Messages. n Remove messages - See Remove Messages from Quarantine.

See also:

n Release and Train Quarantined Messages n Release and Whitelist Quarantined Messages n Incoming Rejection Classifications Release and Train Quarantined Messages

Allow messages to be delivered and train the system to recognize future messages from this sender as not spam (report the message as a false positive). You can do this from the Domain and Email Level Control Panels. You can Release and Train a single message by using the dropdown to the left of the message and selecting Release and train from quarantine.

- 126 - To Release and Train multiple messages, place a tick in the box to the left of all messages that apply, and from the dropdown at the bottom of the page select Release and train from quarantine - then click Apply.

- 127 - Important - Releasing a message from quarantine may also result in it being reported as a classification mistake to correct our systems - this is dependent on the classification type. For example, a rejected phishing attempt, when released will report a classification mistake and correct the system. Conversely, releasing a message that has been quarantined because the date header is more than 7 days in the past or in the future will only deliver the message to the recipient. For more information on the classifications used to describe why a message was rejected or temporarily rejected, see Incoming Rejection Clas- sifications.

Tip - You can also release or release and train messages from the Mail preview page. See View Quarantined Message Content.

Release and Whitelist Quarantined Messages

This facility is only available at Domain Level.

1. Select Incoming - Spam quarantine. 2. From the dropdown alongside the message, select Release and whitelist. 3. To release and whitelist multiple messages at once, place a tick in the box alongside each message, and from the --select action-- dropdown at the bottom of the page, select Release and whitelist. 4. All selected messages will be delivered to the intended recipient(s) and the sender will be whitelisted so that future messages from this sender will bypass filtering and be delivered automatically.

Remove Messages from Quarantine

1. Select Incoming - Spam quarantine. 2. To remove a single message, select Remove from the dropdown to the left of the message. 3. To remove multiple messages, place a tick in the box alongside each message you want to remove and select, Remove from the --select action-- dropdown at the bottom of the page - and click Apply. The message(s) will be removed from the system completely. Remove and Blacklist Quarantined Messages

This facility is only available from the Domain Level Spam Quarantine.

1. From the Domain Level Control Panel, select Incoming - Spam quarantine. The Spam quarantine page is displayed, showing all quarantined messages for this domain. 2. Click on the dropdown to the left of the message and select Remove and blacklist.

- 128 - 3. To remove and blacklist multiple messages, place a tick in the box alongside each message and, from the --select action-- dropdown at the bottom of the page, select Remove and blacklist.

The message(s) will be removed from the system completely and the sender will be blacklisted so that future messages from this sender will be rejected. Manage Quarantine Filter Settings

In this page you can enable/disable your quarantine and manage your quarantine filter settings for incoming emails.

Important - If you choose to disable your quarantine, all emails detected as Spam will be delivered to your email server unfiltered.

In the Domain Level Control Panel, select Incoming - Protection Settings > Filter settings.

The Filter settings page for your domain is displayed:

The following settings are available:

Setting Description

Manage list of domains and IP This link opens a page which addresses with disabled SPF, DKIM, allows you to disable SPF, and DMARC checks DKIM and DMARC checks for specific domains, IPs or subnets - so that if, for example, an SPF check fails for any of the specified domains or sender IPs, the system will continue to process the message.

Quarantine enabled Enables/disables the quarantine.

- 129 - Setting Description

Important - If you choose to disable your quarantine, all emails detected as Spam will be delivered to your email server unfiltered.

Quarantine threshold Every message that has a combined score above this setting will be classed as spam and will be quarantined.

Beneficial to train threshold Every message which breaches this combined scoring threshold will be considered unsure. Messages with a score below this threshold will be delivered.

Sender checks SPF (Sender Policy Framework) - This is a common check that allows the sender to indicate which IPs are allowed to deliver email for the sender domain. We advise keeping this enabled to block Spam. DKIM (DomainKeys Identified Mail) - Lets an organization take responsibility for a message that is in transit. The organization is a handler of the messages, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. DMARC (Domain-based Message Authentication, Reporting & Conformance) - An email authentication protocol that builds on SPF and DKIM by adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

- 130 - Setting Description

Skip maximum line length check There are strict regulations on allowed line length in emails which are automatically enforced by the email software. Some applications or badly developed scripts do not adhere to the official specifications thereby exceeding the maximum allowed line length. This check can be disabled by ticking this box but we advise keeping it enabled to block Spam.

Beneficial to train notation Text added here is prepended to the subject line of all messages classed as unsure.

Quarantine response When an inbound message is detected as spam and quarantined, the response you send to the recipient can be Rejected or Accepted. The default and advised setting for incoming mail is 'Rejected'.

Manage Domains and IPs with Disabled SPF, DKIM and DMARC Checks

The Manage list of domains and IP addresses with disabled SPF, DKIM, and DMARC checks page allows you to disable SPF, DKIM and DMARC checks for specific domains, IPs or subnets - so that if, for example, an SPF check fails for any of the specified domains or sender IPs, the system will continue to process the message.

In the Domain Level Control Panel, select Incoming - Protection Settings > Filter settings and click on the Manage list of domains and IP addresses with disabled SPF, DKIM, and DMARC checks link at the top of the page.

The following page is opened allowing you to add domains according to check type:

- 131 - DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email protocol designed to help prevent email spoofing when used in conjunction with SPF and/or DKIM, and gives the administrator of the receiving server the ability to act on messages when the criteria is not met. DMARC also provides the tools for senders to monitor the abuse of their domains. We highly recommend configuring DMARC DNS records on managed domains especially if your domain is the target of spoofed emails and enabling the functionality within Mail Assure where possible. If you are unclear on how to setup DNS records please consult your DNS administrator.

n Does Mail Assure Support DMARC? n How Does DMARC Work? n How to Set up a DMARC Record? n Configuring DMARC Checks in Mail Assure n Skip Specific Domains from DMARC Checks

Does Mail Assure Support DMARC?

Yes, Mail Assure fully supports DMARC on all incoming mail. Outbound DMARC conformity is handled by the domain DNS administrator. No DMARC checks are enforced on outbound email by the outbound filter (the inbound recipient may still DMARC filter the message).

- 132 - How Does DMARC Work?

DMARC works by allowing the domain administrator to specify the actions that should be taken when a spoofing message is received. It also allows for reporting of spoofing attempts. More information on how DMARC works can be found here:

n https://dmarc.org/wiki/FAQ n RFC 7489 - Full technical specifications of the DMARC internet standards.

How to Set up a DMARC Record?

DMARC records are set up in the domain's DNS (Domain Name Server). When you set up your DMARC record you choose the policy type (reject, quarantine, none). This record tells the server what should happen to messages that fail SPF/DKIM checks. The following online tools may help you:

n https://kitterman.com/dmarc/assistant.html - allows you to build your DMARC record which you can then add to your DNS. n https://dmarc.org/resources/deployment-tools/

Configuring DMARC Checks in Mail Assure

To enable the DMARC check within the Mail Assure dashboard:

1. In the Domain Level Control Panel, select Incoming - Protection Settings > Filter Settings. 2. In the Sender checks panel, ensure the DMARC option is ticked:

3. Click Save.

- 133 - Skip Specific Domains from DMARC Checks

At times you may need to skip this check for a specific sending domain so that any messages originating from that domain will skip the DMARC check.This can be done very much like the current SPF and DKIM skips.

1. In the Domain Level Control Panel, select Incoming - Protection Settings > Filter Settings. 2. Click the Manage list of domains and IP addresses with disabled SPF, DKIM, and DMARC checks link at the top of the page.

3. Navigate to the Disabled DMARC Domains tab. 4. In the Add a Domain panel, enter the domain name in the Domain field and click Add. Any messages originating from that particular domain, will now skip the DMARC check. Incoming Rejection Classifications

In Mail Assure we use different classifications to describe why a message was rejected or temporarily rejected. Temporarily Rejected (4xx SMTP response) Messages which have been temporarily rejected, stay stored on the sending mail server. Legitimate mail servers always automatically retry delivery of such messages. Depending on the reason of the temporary reject, the message could get accepted at a subsequent delivery attempt. It's always possible to whitelist the sender to disable any checks and to ensure that the message will get accepted as soon as it's retried by the sending server.

Greylisted

Temporary rejection due to greylisting. This technology is only applied to new IP addresses which do not have a (good) reputation yet in our global systems. We do not apply "classical greylisting" so this should not cause any delays on your legitimate traffic.

You have been denied authentication

This means that you have used incorrect outgoing authentication details too often in a short period of time. To resolve this, use the correct authentication details and wait a few moments and try again. This is to protect against brute-force attacks on your SMTP credentials.

- 134 - Unable to verify destination address

This means the destination server is unreachable or temporarily rejecting the email traffic. You'll have to check the destination route set to ensure delivery is attempted to the correct server. The logs on the destination server should show why it is not accepting the delivery attempts.

Unable to verify sender address

This means the system was unable to verify the sender using a sender callout. You'll have to check the sender mail-server to verify why such callouts count not be done. When the sender verification option is used in the outgoing user settings, then each specific sender address must be verifiable like this.

Internal error

An internal error occurred, this should automatically resolve. If not, please contact support.

Per-minute connection limit exceeded

The sender has exceeded his/her per-minute limit.

Too Many Connections

Too many connections from the sending server. Ratelimited.

Too Many Concurrent SMTP Connections

There is a hard-coded limit of 10 concurrent SMTP connections per IP to protect the systems against attack. Please ensure that the sending mail server only opens up a maximum of 10 concurrent connections to avoid hitting this limit.

Too many messages. Please wait for a while and try again.

This indicates that the outgoing user has exceeded the maximum amount of messages configured for that outgoing user to be sent. In case the limits should be changed, they can be modified via Mail Assure for the outgoing user. These limits can be entirely disabled there as well.

Mail for this domain cannot be accepted right now; please retry (Unable to handle in active connection.)

Within a single SMTP connection, it is possible to deliver a message to different recipients. The SMTP protocol only allows you to either "accept" OR "reject" the email, without distinguishing between the different recipients. In case one of the recipients has different filtering settings, we cannot "accept" or "reject" the message as the classification may differ per-recipient. In such case we return a temporary rejection, so the sending server will retry delivery individually for the recipients allowing to classify each message separately. Most SMTP servers retry immediately, and hence there will be no delivery delay. If all recipients are sharing the same filtering settings, the message will be immediately accepted for all recipients (or rejected) without this temporary reject. In case a delay is experienced, the sender can instead configure their server to either immediately retry (to prevent such delay), or to open a separate delivery connection for each recipient.

- 135 - Rejected (5xx SMTP response) Messages which have been rejected are blocked by the system. Generally these messages can be reviewed in the "Spam quarantine", from where they can be released. It's always possible to whitelist the sender to disable any checks and to ensure that the message will get accepted as soon as it's retried by the sender.

Lines in message were longer than user maximum

This means that line within the email is longer than the set maximum. The RFC 5322 (SMTP 5321) specifies a maximum line length of 998. Normal email clients always enforce this limit to avoid delivery problems. The problem should be resolved at the sender side, or the check can be disabled.

Message had more parts than the user maximum (Too many MIME parts)

This refers to the amount of MIME parts that a message contains. The default limit is set to 100. This can be de-passed and triggered with excessive amounts of attachments or other MIME parts.

Sending server used an invalid greeting

The sender has used an invalid HELO/EHLO. This could be either because an IP address is used for the HELO, or because the HELO contains an invalid character, for example : underscore (_). The RFC states that a FDQN (Fully Qualified Domain Name) MUST be used.

Considered spam

Our systems considered this message as SPAM and quarantined the message. Releasing the message from quarantine will report it as a classification mistake to correct our systems.

SPF failure

This means that the SPF (Sender Policy Framework) has been broken. If this is legitimate mail, then this could be due to a forwarding construction. Please see our SPF knowledgebase article for more information. Please note, releasing and training large amounts failed SPF messages, can result in the sending domain being skipped from further SPF checks.

Pyzor

Pyzor is a content related classifier based on collected/reported data from our datasets. Releasing the message from quarantine will report it as a classification mistake to correct our systems directly.

Sending server is missing DNS records

The sending server is missing MX records or A records. Please note that any DNS changes only take effect after the initially set TTL has expired.

Destination address does not exist

The destination server is rejecting the connection with a 5xx permanent failure. The logs on the destination server will show why the message was rejected. You'll have to resolve the problem on the destination server to ensure it accepts the email.

- 136 - Recipient address rejected by destination

The destination server is rejecting the recipient callout with a 5xx permanent failure. The logs on the destination server will show why the message was rejected. You'll have to resolve the problem on the destination server to ensure that recipient callouts can be used.

Phishing attempt detected

Our systems detected a phishing attempt. Releasing the message from quarantine will report it as a classification mistake to correct our systems.

Date header far in the past or future

This classification means that the date header of the email is more than the default 7 days in the past or future. Releasing this will only deliver the message to the recipient. This is something the sender will need to resolve.

Bad header count (Message incorrectly formed)

Emails should never contain duplicate headers such as "Subject" or "To". In case such duplicate headers are found, the message will be rejected until the underlying bug is fixed in the email sending software.

Blacklisted sending server

The sending server has been blacklisted on the IP blacklist.

Sending server listed on multiple DNSBL

The sending server has been found on multiple blacklists. Releasing the message from quarantine will report it as a classification mistake to correct our systems. For a temporary override please see http://www.spamrl.com Sending server attempted too many invalid addresses The email sending server has attempted to deliver email to too many invalid email addresses in a certain time period. Please retry again later.

Blacklisted sender

The sender was added to the custom sender blacklist.

URLBL

A URL within the email has been listed on several blacklists. Releasing the message from quarantine will report it as a classification mistake to correct our systems. The rejection message contains more information about the responsible list.

UCEPP

A token was detected in the message that has been seen in recent spam (e.g. URL, IP, phone number, or other specific details). Releasing the message from quarantine will report it as a classification mistake to correct our systems.

- 137 - External Pattern Match

The layout & format of the email matches known spam emails already listed. Releasing the message from quarantine will report it as a classification mistake to correct our systems. The rejection message contains more information about the responsible list.

User-specified blackhole address

A user specified /dev/null Address. This email will not get delivered anywhere.

Combined Score

The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured "quarantine threshold", the message will be rejected as spam or accepted. A quarantine threshold score of 0.9 is recommended. To be more tolerable for senders using a wrong HELO/PTR/IP configuration, a score of 0.91 can be set. The lower the quarantine threshold, the more messages will be quarantined as spam. The SMTP message returned for this classification is "High probability of spam" to the sender. Please ensure to release the message from quarantine if it's legitimate, this will adjust the scoring in our various databases.

CRM114

CRM114 is a statistical content check. When a message gets blocked by this classifier on our systems, then this mean there has been a close match within the email that corresponds to an already seen spam message. Releasing the message from quarantine will report it as a classification mistake to correct our systems.

Subject contains invalid characters

When a message is rejected with "550 Subject contains invalid characters" the email subject will have non-ASCII characters, which is not allowed by the RFC. To include non-ASCII characters in subjects, the subject is required to be properly encoded, for example with UTF-8. Any normal mail client will automatically handle that for you, so it's likely a bug in a custom written script that generated the invalid subject. The evidence header for this classification will show "Badly formed Subject header". Tokens

Global Tokens

These are statistical content checks that are built based on data collected from all our clusters and clients worldwide. Releasing the message from quarantine will report it as a classification mistake to correct our systems..

Sanesecurity

We make use of certain datasets from Sanesecurity. To decode Sanesecurity signatures please check here.

Heuristics.Safebrowsing

In case your message has been rejected with "safebrowsing" in the rejection message, it means it has been (recently) listed by Google as hosting malicious files.

- 138 - Header is too long

Mail Assure by default will reject emails with excessive large header values, as this is a common indicator for non-legit emails.

Restricted characters in address

In case your message has been rejected with "550 restricted characters in address" in the rejection message, it means that the recipient address contains a character that is not accepted by the system, for example: "&". You can control which characters are allowed for a domain on the "Domain settings" page.

Relay not permitted

In case your message has been rejected with "550 Relay not permitted!" in the rejection message, it means that delivery was attempted to the incoming filtering service on port 25 to a domain which has not (yet) been added to the filtering solution. To resolve this, please add the domain to the incoming filtering service. If you're trying to use the outgoing filtering service, please ensure to use the outgoing filtering service port 587 instead.

Message submission is for authorised users only!

This indicates you're attempting delivery via our outgoing email filter on port 465/587 (default). If you're receiving this response to an incoming email delivery attempt, your mail server is wrongly set up (and likely a misconfigured version of Lotus Domino). If you're trying to send outgoing email, please ensure to provide a valid username/password to authenticate.

Legitimate bounces are never sent to more than one recipient

In case your message has been rejected with "Legitimate bounces are never sent to more than one recipient" in the rejection message, it means that the mail server was trying to deliver an email to multiple recipients with an empty "MAIL FROM:<>" (return-path). The SMTP RFC 5.3.2.1 indicates that null sender emails (bounces) can never be sent to multiple recipients, so there may be be a misconfiguration on the mailserver.

Destination address is not configured

This usually means that the filtered domain is using 'Local Recipients' and that specific email address in not in their list of approved recipients.

The content of this message looked like spam

This indicates the message has been blocked based on our content scanners, as similar messages have been reported as spam. In case the message is legitimate, please ensure to release it from quarantine. This will update the statistical filters to prevent such issues in the future.

This message contains a known spam email address

This indicates that a known spam email address has been seen in the body or "Reply-To" field. These are commonly used in 419 type spam.

- 139 - Unrouteable address

This error occurs if there is a (permanent) network error delivering to the destination mail server. This issue is unrelated to the Mail Assure software and indicates a network problem. Possibly the DNS servers of the domain are broken, or they cannot be reached from the filtering server. Alternatively it's possible the destination hostname or IP does not exist, or is unreachable because of a permanent issue. You can check for DNS errors on the following page: http://dnscheck.sidn.nl/. Please contact your network administrator to investigate any networking issues.

We do not accept mail from this address

This error occurs if the sender has been manually added to the "Sender blacklist" for the receiving domain.

We do not accept message/partial messages here

Before people had a permanent internet connection, sending larger emails was time-consuming and often failed. Therefore older email clients sometimes still break up large emails into separate parts for delivery. This old email feature is not used anymore nowadays, and imposes a severe risk as it makes detection of viruses impossible (as viruses would be split over separate emails before being assembled again by the destination email client). Please ensure to resolve your email client settings to to split up larger emails.

DMARC - REJECT

This error occurs if the sender's domain has a strict DMARC policy in place. If the sender's DMARC record is set to "REJECT" and the messages come from IP addresses that are not in the sender's SPF, then these are rejected and not quarantined.

DMARC - Quarantine

This error occurs if the sender's domain has a strict DMARC policy in place. If the sender's DMARC record is set to "QUARANTINE" and the messages come from IP addresses that are not in the sender's SPF, or have a failed DKIM, then these messages are quarantined. Whitelisting will not bypass this. Messages that are rejected without being quarantined Some messages are rejected immediately without being quarantined. This happens at SMTP level and the rejection is permanent. For example this will happen for Incoming messages in the following scenarios:

n Have an invalid recipient or domain n Do not use TLS (if enforced on the incoming domain) n Do not follow RFC specifications about sending, publishing records (invalid helo) n Unsigned Bounce messages (if BATV is enforced) n Messages containing malware/viruses, n Restricted characters in the address local-part, n Dmarc compliance fail with reject policy n Blacklisted sender IP (Blacklisted by super-admin) n Blacklisted sender IP on internal lists, while pre_data_dnsbl feature active (feature not exposed in Spam panel)

- 140 - n Blacklisted envelope sender n Maximum local parts reached (feature not exposed in Spam panel) n Invalid HELO/EHLO greeting n Maximum hourly bounces exceeded n SPF indicates that the domain never sends email (spf1 -all) n Headers contain illegal BOM n Bounce message sent to more than one recipient n Too many failed recipients n Oversized messages n Too many unrecognized commands

Outgoing messages are rejected in this way in the following scenarios:

n Messages do not provide authentication n Too many failed authentication attempts (brute force protection) n Do not use TLS (if enforced on the outgoing domain) n Have the sender’s IP blacklisted n Have the sender blacklisted (matching the envelope from) n Have invalid senders n Recipient could not be verified (check only ran for bounce messages) n Ratelimit (when excessive messages per connection behaviour is set to drop) n Bounce message sent to more than one recipient n Headers contain illegal BOM n Messages containing malware/viruses n Restricted characters in the address local-part n Oversized messages n Too many unrecognized commands Accepted (2xx SMTP response) Messages that display the 'Accepted' response have been accepted for delivery but have not necessarily been delivered. If immediate delivery fails, the message will be retried automatically. If the destination server rejects the email, a bounce is sent to the sender.

Message looked like non-spam

This message was accepted for delivery based on our content checks. Reporting the message as spam will correct our systems.

Accepted, DNSWL

The sending server is listed on several DNS-Whitelists. This means that no spam has been seen recently from this sending server. Reporting the message as spam will correct our systems.

Accepted, whitelist

The sender has been placed on a manual whitelist by the recipient. Removing the sender/recipient from the whitelist will prevent spam getting through.

- 141 - Manage Domain Aliases

If you have multiple domains, you can make use of the domain aliasing option. Any email sent to any of your domain aliases will be delivered to the same user on the main domain.

In the Domain aliases page you can add and delete aliases for this domain.

When you add a domain alias and switch the MX records to activate the filtering for this alias domain, mail directed to [email protected] will be filtered and delivered to [email protected]. If, however, in the Domain Settings page, the Direct delivery for email and domain aliases option is selected, the system attempts direct delivery to the alias. To add a domain alias:

1. In the Domain Level Control Panel, go to General > Domain aliases. The Domain aliases page is displayed. 2. To search for a specific alias, use the Query Rules panel to set up your search filters. 3. Click on Show Results to show all matching aliases. 4. Using the dropdown to the left of each alias, you can choose to edit or remove the alias. 5. To add an alias, click on Add domain alias to open the Add a New Domain Alias dialog 6. Enter the domain alias in the Alias field and click on Add.

Domain aliases do not have separate access to the Domain Level Control Panel. Since all SMTP traffic to the domain alias is rewritten to the main domain, any changes/lookups on the main domain will simply include the alias domain traffic as if it was sent directly to the main domain. If you are searching for a specific email sent to a domain alias using the Log Search, the recipient will therefore show as user@maindomain.

Configure Domain Settings

In the Domain Level Control Panel, select Incoming > Domain settings.

The Domain settings page is displayed with the following settings:

n Primary Contact Email for that domain n Email notifications From address n Enable logging of invalid recipients n Direct delivery for email and domain aliases - When selected, this means that when aliasing is in use, emails will be delivered to the alias address, instead of the original one. This applies to both email and domain aliasing.

The Log Search still shows the message for the original address.

n Rejected Local Part Characters - When the system detects any of these characters in the local part of a recipient's email address in an incoming email, the email will be rejected. n Timezone n Automatically Enable Daily Email Scout Reports

- 142 - If enabled, an Email Scout Report is automatically sent to every mailbox in the domain at the times specified (up to three times daily). The report lists all quarantined messages of which the filter was least certain and has an option to release any wrongly classified messages. Reports will not be sent if there are no such messages. You can schedule the report to arrive up to three times daily at specified times. Users who receive the report can choose to unsubscribe from the reports from within the message.

If the domain has a catch-all set up on the mail server, the auto-enable option is unavailable - to prevent invalid reports being sent to invalid email addresses.

Rejected Local Part Characters

The Rejected local-part characters page allows you to list the characters that will not be accepted in the local part of an email address (the text before the @ symbol e.g. @domain.xyz). If any of the listed characters is detected, the message will be rejected and not quarantined. In this page you can also test the settings you have configured:

Manage Destinations

After incoming messages are processed, they are delivered to the destinations configured here - this is typically the final mail server for the recipient. Delivery is attempted to each of the destinations, from the lowest priority to the highest (as with MX records). Destinations with identical property values are attempted in random order and do NOT have deliveries spread across them. The Destination Routes you set up when adding a domain are listed here automatically but you can also add any manually. In this page you can:

- 143 - n Add, edit and delete destinations n Perform a connection check n Perform a catch-all check - Discover whether the destination mail server is a 'catch-all' for a specified domain (accepting mail for any address at that domain) n Check Routes for Open Relays

n Carry out a Telnet test for a route by clicking on alongside the route.

To access this page, go to Incoming > destinations in the Domain Level Control Panel. Add Destination

1. In the Admin or Domain Level Control Panel, select Incoming > Destinations. All existing destination servers are listed.

2. Click on + Add a destination at the top of the page. 3. In the Add a destination dialog enter: n Priority - delivery is attempted from lowest priority to higher

n Host - destination server address

n Port - destination port 4. Click Save.

- 144 - Perform Network Checks on Destination Server

You can perform a Connection check, Catch all check or Open relay check on a destination server.

1. In the Admin or Domain Level Control Panel, select Incoming > Destinations. 2. In the list of destinations displayed, locate the destination to check. 3. Click on the dropdown to the left of the destination and select from the following: n Connection check

n Catch all check

n Open relay check The SMTP tab in the Network Tools page is displayed with the check running. For more information, see Network Tools. View Domain Statistics (Incoming)

This page displays incoming statistics of your domain's email traffic over a specified time-frame.

In the Domain Level Control Panel, select Incoming > Domain statistics.

Statistics displayed include: Spam ratio of spam emails to all filtered emails and the following metrics: Not Spam messages; Unsure messages; Spam messages blocked; Viruses blocked; Whitelisted and Blacklisted etc.

- 145 - You can also view the same domain statistics for outgoing traffic - from Outgoing > Domain statistics, see View Domain Statistics - Outgoing.

- 146 - Report Spam

If you find some spam is not being blocked by the filters, you can upload the emails to the Mail Assure training system. This allows the system to gather valuable information on the nature of the emails and helps to reduce future spam from reaching your mailbox. Emails that bypass our filters are automatically excluded from the training system, e.g. if a sender/recipient is whitelisted. You can report spam in the following ways:

n In Mail Assure using the Train Spam feature n Using the Thunderbird add-on n In MailApp Apple OSX using the SpamReporter tool n Forward Email as attachment n Via IMAP n Via Browser-based Email Client

To report email as NOT spam in Mail Assure use the Train Not Spam feature.

Train Spam

1. In the Domain Level or Email Level Control Panel, select General > Train spam. 2. In the Train spam page, drag and drop or browse for and upload messages you want the system to treat as spam. Messages can be in .eml or .msg format.

Important - The emails should be in .eml or .msg format and must contain the full headers.

Train Not Spam

Use the Train not spam page to train the filter to recognize specific messages as NOT spam.

1. In the Domain Level Control Panel, select General > Train not spam. 2. In the Train spam page, drag and drop or browse for and upload messages you want the system to treat as NOT spam in the future.

- 147 - Important - The emails should be in .eml or .msg format and must contain the full headers.

Report Spam Using the Thunderbird Add-on

Mail Assure provides email client add-ons to report spam which is not blocked by Mail Assure.

If you are using Thunderbird you can also use the free Mozilla Thunderbird client add-on to report spam. This version is currently supported by Mozilla Thunderbird versions 3.0 and above. To install the Thunderbird add-on 1. Save the download to your local machine. 2. Open Thunderbird. 3. Click Tools > Addons. 4. Click the dropdown box in the top left corner, and click on Install addon from file. 5. Navigate to your downloaded Thunderbird add-on. 6. Click Ok. 7. Once the add-on has been installed, restart Thunderbird.

If you are upgrading your installation, please remove the old installation before installing the new one.

Report a Spam Message using Thunderbird 1. Select the message from the overview. 2. Right click and choose Report Spam.

The message will be reported to us, and moved directly to your trash folder.

For this to work, the emails must contain our headers as well as the standard email headers. If you are unsure, then you can see the headers by clicking "Ctrl + U" to view the source. The following is needed to report the message correctly:

n X-Filter-ID: n X-BRANDNAME-Class: n X-BRANDNAME-Evidence: n X-Recommended-Action:

Report Spam Using MailApp for Apple OSX

To report spam to the Mail Assure systems and databases from Apple OSX use the SpamReporter tool:

Make sure your Mail.app is closed before installing the application.

- 148 - Install the SpamReporter tool 1. Download the .DMG file to your system. 2. Double-click on the SpamReporterV3.1.dmg to mount the disk. 3. Start the installation by double clicking on the .app file. 4. Once the installer has finished, restart your mail client (Mail.app).

Report Spam using the Mail App 1. Select the message(s) you wish to submit. 2. Click on the Mail menu at the top left of the screen. 3. Select Services from the list and choose SpamReporter_v3. 4. Follow the on-screen instructions to complete the submission.

Remove SpamReporter app from OSX Device 1. Close the Mail.app program 2. Remove the folder '~/Library/Services/SpamReporter.workflow' Report Spam - Forward Email as Attachment

If your email client is not supported, you can report spam by forwarding the spam email(s) as an attachment to [email protected] . All messages attached in .eml, .msg, or winmail.dat format will be processed by the system.

You can also report non spam via the same method using [email protected]. Report Spam via IMAP

You can report spam via our special IMAP system using your own third-party email client. IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server, and allows email clients to access those messages remotely. In order to access your messages stored in the Mail Assure Quarantine, from an email client (such as Outlook or Thunderbird), using IMAP, you need to set up your email clients with the following Mail Assure credentials:

n IMAP hostname: quarantine.antispamcloud.com n IMAP Port: 993 n IMAP username: Either domain username or email username (these need to exist in Mail Assure first) n IMAP Password: The password for the above username. Report Spam via Browser-based Email Client

Using a browser-based email client, you can report spam to Mail Assure. If you can view the whole source of the email, you can report spam this way using a simple script that pushes the message to our systems. The following Browsers are compatible (Windows/Linux/OSX):

n Firefox - the Greasemonkey add-on is required n Chrome

- 149 - Currently the script will only work for:

n Google Mail (Google Apps) n Horde n RoundCube n OWA (Exchange Online) If you have other browser-based email clients you would like to include, please contact your Account Manager. Install Add-on and Script

1. Install and enable the Greasemonkey add-on. 2. Download the script. This link should automatically download and install the script. If the script does not download and install: a. Open the file, select all, and copy to your clipboard. b. Click on the Greasemonkey icon in Firefox and select New User Script > Use script from Clipboard. 3. Once the script is installed, please verify that the Greasemonkey icon is enabled in Firefox.

Reporting from Browser-based Email Client 1. Log in to your mail client with your preferred browser. 2. Select the message you wish to report. 3. View the source of the message. 4. A Report Spam button should appear on the page on the right. (If using OWA - this will show in the pop-up box when viewing the source). 5. Click Report Spam. 6. If successful, a pop-up will appear confirming that the message was sent. 7. Close window.

The script will not move, delete or change the message in any way. It will simply send the headers and body content to the Mail Assure training servers.

Clear Callout Cache - Incoming

In the Clear callout cache page you can manually clear the domain’s incoming callout cache and the outgoing callout cache. This tool is especially useful after changing the domain routes, DNS records and for removing the good/bad responses from the destination mail server.

1. In the Domain Level Control Panel, select Continuity > Clear Callout Cache - Incoming. 2. To clear the callout cache for the domain, click on Clear.

To clear the outgoing Callout cache see Clear Callout Cache - Outgoing. Customize Actions

Use this feature to customize actions for specific types of message. For example, for messages that are failing the SPF check, you can add rules to ensure that these messages are rejected immediately instead of being placed in the quarantine.

- 150 - Add rules manually or use the Incoming Log Search to apply an action change to messages.

1. In the Admin or Domain Level Control Panel select Incoming - Protection Settings > Customise actions. 2. Use the Query Rules panel to filter existing customized actions and click Show Results to display matches. Add Customized Action

1. Click + Add at the top of the page to open the Add a new custom action for emails dialog. 2. Fill in the following fields: n Domain (only displayed at the Admin Level) - Select the domain to apply custom action to

n Order - the rule order number

n Main class (optional) - The log search results show the main class e.g. phish

n Sub class (optional) - Further restrict the rule e.g. spf

n Extra class (optional)- Further restrict the rule if required

The main, sub, and extra classes are regular expressions which allow you to match more than one class with a single custom action.

n Action:

n Accept - message will be accepted by the filter

n Reject- message will be rejected and will not be quarantined

n Fake Accept - message will be quarantined but the sender will not be informed (250 SMTP response code)

n Quarantine - message will be quarantined (550 SMTP response code)

n Quarantine (hidden) - message will be quarantined but cannot be released (550 SMTP response code)

n Accept and notate - message will be accepted and delivered to the recipient, with the subject being notated

n Blackhole - message will be dropped without informing the sender 3. Click Save.

It is much quicker and easier to add these new rules using the Log Search (preview). See Add Customized Action Using Log Search (preview).

Delivery Details

Diagnose message delivery problems for incoming and outgoing mail over the previous 28 days. Each attempt the filtering server makes to deliver a message results in the creation of a log entry detailing that message delivery attempt. The Log Search results already reveal the destination mailserver's most recent delivery attempt (by selecting Delivery date from the Customise dropdown), however the new Delivery Details page reveals information about all delivery attempts over the previous four weeks.

- 151 - 1. In the Admin, Domain or Email Level Control Panel select Incoming or Outgoing > Delivery Details. 2. The Query rules panel already displays the Delivery date filter - you can change this if you need to. 3. You can also filter further by adding more rules - click on + New rule to do this. 4. Click Show Results to list all matching messages. The following actions are available from the dropdown to the left of each individual message: n Show details - Opens the Log Search result for that message id and recipient.

n Retry delivery - Forces the email to retry delivery.

n Telnet test - Redirects you to the Network Tools page to run a Telnet test.

n Recipient callout - Redirects you to the Network Tools page to run a Recipient Callout.

n Ping destination - Redirects you to the Network Tools page to ping the destination mail server.

n Trace route to destination - Redirects you to the Network Tools page to run a Traceroute.

n Export as .CSV - Save the entry locally in CSV format. Email Restrictions

Restrict which emails are allowed based on attachment type and file size.

n Manage Attachment Restrictions n Manage Email Size Restriction Manage Attachment Restrictions

The Attachment restrictions page allows you to configure which email attachments to allow and which to block.

In the Domain Level Control Panel, select Email restrictions - Attachment restrictions the Attachment restrictions page is displayed:

- 152 - The following restrictions can be configured:

- 153 - Restriction Description

Blocked Extensions Messages that have an attachment with any of the selected extensions will be rejected. You can add new extensions to those listed using the Add new extension feature.

Disallowed release extensions Email users will not be allowed to release messages that contain attachments with the selected extensions. You can add extensions to this list using the Add new extension feature.

Restriction options n Block password-protected archive attachments - If enabled, blocks messages with password protected attachments like zip files. n Block potentially unwanted attachments - If enabled, rejects attachments that are considered dangerous or unwanted. For example, compressed executable files (e.g. UPX packers), password tools, network tools, peer-to-peer clients, remote access applications, system tools, spying tools and documents containing scripts. n Block attachments that contain hidden executables - If enabled, ZIP, TAR, GZIP, BZIP2 and 7Z archives (other than those compressed with deflate64) are checked and the message will be rejected if the archive appears to contain an executable.

- 154 - Restriction Description

Additional restrictions Message link size limit (in bytes) - This option restricts the amount of data that is downloaded per message. Links in messages to executable files that would be blocked as attachments are followed and the content is checked against an anti-virus database.

Maximum MIME defects - Messages that are sent with standard email clients have no defects, whereas spam messages are often generated with poorly developed software and have many defects. Normally we reject messages with defects but if you have a need to receive defective messages, you may set a limit or disable this check. If the defective messages come from a single sender, it would generally be better to either convince the sender to fix their software or whitelist that sender.

Scanned link extensions If the Message link size limit is set (above), then links in messages to files with the selected extensions will be scanned for viruses and other malware. You can add extensions to this list using the Add new extension feature.

Manage Email Size Restriction

In the Email size restriction page you can set the maximum accepted size for incoming and outgoing emails.

1. In the Domain Level Control Panel, select Incoming - Protection Settings > Email size restriction:

- 155 - 2. Enter the email size limit (under 2048 MB) or select No limit if you do not want to limit the size of emails. 3. If you have set a limit, select the preferred Action for oversized messages - either quarantine or reject. 4. Click Update to save your changes.

- 156 - Outgoing Filtering

Mail Assure's Outgoing Filtering facility is used to relay your organization's outgoing mail securely and efficiently. The Outgoing Filtering service works independently of the Incoming Filtering facility also available with Mail Assure - see Incoming Filtering. What do you want to do?

From the Outgoing Filtering area you can carry out a variety of tasks related to the filtering of your outgoing mail.

n Getting Started with Outgoing Filtering - See the Quick Start Guide on how you need to get started with outbound filtering. n Outbound Spam Monitoring - The different means by which you can monitor and act on your outgoing spam. n View Outgoing Bandwidth Overview - View graphical representation of outgoing bandwidth usage as a total and per domain. Displays data in the same way as the Incoming Bandwidth overview (see View Incoming Bandwidth Overview. n Manage Identities - Manage the identities that you have previously set up in the Manage outgoing users page. For example, if you see an identity is sending a lot of Spam, you can lock it from here while you investigate the issue. n Manage Outgoing Users - Set up the authenticating users that will allow the outgoing Mail Transfer Agent (MTA) to authenticate mail through the Mail Assure outbound filter. n Generate Outgoing Report - Report on outgoing mail sent from your domains in the last hour, 6 hours, 12 hours, 24 hours or 7 days. n Outgoing Blacklist Filtering Rules - View existing and create new rules to always block specific outgoing mail from your domains. n Outgoing Log Search - Filter on outgoing mail and report on the data available. n Create Email Scout Report - Create and email scheduled or one-off report based on your filtered log search results. n DKIM Certificate Generation - Add special DKIM signature to your email headers. n Manage Outgoing Settings - Add the domain administrator's contact email and the address to which abuse reports are sent. n Clear Callout Cache - Outgoing n View Domain Statistics - Outgoing View Outgoing Bandwidth Overview

To view the outgoing bandwidth usage per domain:

1. In the Admin Level Control Panel, select Outgoing > Bandwidth overview. 2. Specify the Date range in the fields provided and click on Show. 3. The total bandwidth usage amount for all domains is shown along with the individual usage per domain - in the form of a pie chart and a table.

- 157 - Outbound Spam Monitoring

The Mail Assure filters are extremely effective at blocking a large percentage of outbound spam/viruses, to prevent issues with your network reputation. However, it is essential that you are proactive in stopping the abuse at its source by suspending any spamming customers/accounts. If such accounts are not suspended/blocked, there may eventually be a spam run which is missed by our engines. You can prevent any such spam escalations (or other type of attacks from abusive customer accounts), by ensuring the account is locked down before it starts to cause real issues. Our systems allow you to quickly and easily identify such abusive accounts, before any third-party issues occur. There are a number of ways that spammers can be monitored via our systems. Best Practise for Smarthost Users

Ensure all your smarthost authentication users are grouped as part of a single administrative domain (e.g. out.yourcompany.tld) Configure your sending MTA to always include an end-user identification header Set your outgoing Mail Assure user account to use this identity header Manually/automatically locate abusive identities and shutdown the main spam source (and temporarily lock down the identity via our identity management as an immediate measure). Managing Outgoing Spam

Outgoing Log Search You can view outbound blocked messages from the Admin, Domain or Email Level Control Panel using the outgoing log search:

1. Select Outgoing > Logs. 2. In the Query Rules panel, filter using Status > is one of > Quarantined.

- 158 - 3. Click Show Results to list all matches.

Manually Lock Identity from Outgoing Log Search You can choose to lock a sender based on their identity header from this page:

1. Locate the relevant message and select Lock Identity from the dropdown:

2. In the prompt, enter a reason for locking this sender and click Confirm.

You can also lock the Outgoing user from here (by selecting Lock user in the dropdown). This would prevent any outbound mail being sent from that outgoing user (IP or domain).

- 159 - Outgoing Reports page

You can view senders/Identities in grouped format using the Outgoing Reports feature from the Admin or Domain Level or Control Panel.

1. Select Reporting > Outgoing Reports. 2. Select the relevant domain if accessing from the Admin Level. 3. Enter the Period. 4. In Classification, select Rejected (or Accepted if you wish to see accepted emails and not quarantined ones). 5. In the Group by dropdown, select identity. 6. Click Show. to display all results.

Manually Lock Identity from the Outgoing Reports Page: 1. Click the lock icon next to the identity. 2. To unlock the identity, click the lock icon again.

Automatic Locking You can choose to auto-lock senders based on their Identity header. For this to work, there must first be a configured Identity. To start autolocking senders based on this you need to make sure the option Lock Identities Automatically:" is set to "Yes" in the outgoing user settings page:

1. Select Outgoing > Manage users. 2. Locate the outgoing user you want to configure, and from the dropdown, select Edit. The Outgoing user settings page is displayed. 3. Ensure the Lock identities automatically option is set to Yes:

Identities will be locked when a certain amount of spam, phishing or virsues is seen in a short time frame.

The locked identities can continue to be seen via the log search and outgoing reports page.

- 160 - ARF reports An ARF report is sent each time an outgoing spam message is blocked, and will contain a copy of the original message including headers. For information on how to set this up, see Configure the Abuse Report Address.

Many larger companies already process ARF reports originating from external sources such as AOL. You can simply set your administrator address to point to your existing ARF parsing infrastructure, so your existing abuse handling systems automatically receive and process our datafeeds. ARF parser If you do not have an ARF parser yet, we recommend that you set up a system to handle your incoming ARF reports. We can recommend the free opensource software Abuse.IO for this. Alternatively you can e.g. use a simple python file that can parse the contents of the ARF reports. Your sysadmins will know how best they can utilize this and parse the data that they need. Using ARF automation also allows you to accept ARF feed from third-parties, to further improve your abuse handling and to deal with abuse that does not (yet) use our outgoing filter. Manage Identities

In the Manage identities page, you can manage the identities that you have previously set up in the Manage Outgoing Users page. For example, if you see an identity is sending a lot of Spam, you can lock it here while you investigate the issue. You can manage identities from the Admin level or the Domain Level. From the Domain Level you manage identities specific to the logged in domwin.

1. In the Admin or Domain Level Control Panel, select Outgoing > Manage identities. 2. Use the Query Rules panel to set up and save search filters for the identities you have set up in your domains. 3. Use the Customise dropdown to choose which columns you want to show in your results. You must select at least one column from the following: n Domain

n User

n Identity

n Lock time

n Reason

n Locked

n Automatic unlocks 4. Click on Show results to display the matching results. 5. The identities are listed. Click on the dropdown to the left of an identity to choose from the following tasks: n Lock - If you select this, the identity will not be able to relay any emails until it is unlocked manually.

n Unlock - Select this to unlock the identity.

- 161 - Tip - You can enable automatic locking of identities. This means that if an identity sends approximately 5 spam messages in 10 minutes, it will be locked automatically. You can configure this in the Outgoing User Settings page: Go to Outgoing > Manage Users and select Edit from the dropdown alongside the user. The Outgoing User Settings page is displayed. Select Yes in the Lock identities automatically dropdown. See Manage Outgoing Users for more information on locking.

n Reset the count of automatic locks - Resets the automatic lock counter back to 0. Manage Lock Templates

When an outgoing user or identity is automatically locked, an email notification is sent to the Admin.

In the Lock templates page, as the Admin user, you can assign a specific lock template that will be applied to the email notification that is sent to you (or your Sub-admin(s)) when an outgoing user/identity is automatically locked. You can add a new template manually or you can import templates from a CSV file. Manually Add Lock Template

1. In the Admin Level Control Panel, select Reporting > Lock Notification Templates. 2. There are two tabs available: n Admin - As an admin user, you can create your own custom template that will be sent to you when an identity/outgoing user is automatically locked.

n Defaults - Displays all existing default templates 3. In the Admin tab, click on + Add lock template to open the Add a new lock template dialog. 4. Select the Admin user you want to apply the template to (the logged in Admin is displayed by default but any sub-admins that you have created under you are listed here too). 5. In the Name field, enter the name of the template. 6. Enter the Subject of the email lock notification. 7. In the Body box, enter the plain text body of the email. 8. In the HTML body box, add the HTML version of the email to be sent out.

In the Body and HTML body fields, you can use the variables listed on the right. These variables will be replaced with the relevant content when the email is sent.

9. Click Save.

To make things easier when creating a new template, copy an existing template and tweak as required.

- 162 - Manage Outgoing Users

Authentication for outgoing mail is set up in the Manage users page. In this page you choose how the outgoing Mail Transfer Agent (MTA) will authenticate to send mail through the Mail Assure outbound filter. There are three types of user:

n Authenticating IP or range (e.g. a smarthost) - Any connections from the IP or IP range are considered authenticated and do not require SMTP AUTH. n Authenticating user - Uses the username@domain and selected password for SMTP AUTH. n Authenticating domain - Uses the domain name and selected password for SMTP AUTH. You can manage Outgoing Users from the Admin Level and Domain Level Control Panels. When accessed from the Domain Level the outgoing users are specific to the logged in domain.

In the Admin Level or Domain Level Control Panel, go to Outgoing > Manage Users. The Manage Users page is displayed.

We recommend using the Authenticating domain option, entering the username and password you have, then all mail to that domain is going to route through the connector regardless of what IP address it comes from.

- 163 - All users set up for all your domains are listed here. Use the search field at the top of the page to find a specific user. You can perform the following tasks:

n Add an Outgoing User n Edit an Outgoing User n Outgoing Identity Setup n Set up Outgoing User Authentication for Multiple Domains Sending from the Same IP Address Add an Outgoing User

1. Click on Outgoing > Manage users. 2. In the Add a user panel, choose which type of user you want to add by selecting the relevant tab (Authenticating IP or range, Authenticating user or Authenticating domain (see Manage Outgoing Users for a description of each)). 3. Enter the user details and click on Add & Configure. The Outgoing User Settings page is displayed:

- 164 - 4. Configure the following user settings:

- 165 - n Password - Set the password for the username authenticated outgoing user (not applicable for IP outgoing users).

n Identification Method - Choose from: “envelope sender”, “authentication user” or “Header” as the identification method:

Envelope Use this if your system enforces the “envelope sender” (or Sender MAIL FROM value). This is typically used by Mail Assure users.

Authentication The outgoing user’s authentication details. This is the best User choice when you are providing unique usernames and passwords for each outgoing user, rather than using a smarthost system. Header If you choose this option, you are able to add any number of identification headers that we should search for in the message. For example, you might have a system that adds an “X-Client- ID” header, which uniquely identifies each of your end users. For each header, you may choose to either use the entire header value as the identity, or you can provide a regular expression that extracts out a part of the value to use. You may also choose to have our software remove the header after we have found the identity, if you don’t want this to be available to the recipient of the message. We strongly recommend that an identity Header is set for all outgoing traffic. This makes monitoring and taking action against spammers much easier.

n Automatic lock - When enabled, and when the system detects that the user has sent approx 5 spam messages in 10 minutes, the user will be locked automatically. The user cannot send mail until they are unlocked (the administrator can do this from the alert sent or from the Manage Outgoing Users page.

We recommend that you do not enable the Automatic lock if you are using IP authentication within a smarthost.

n Lock Identities Automatically - This spam prevention, when enabled and the system detects that the identity has sent approx 5 spam messages in 10 minutes, the identity will be locked automatically. The identity cannot send mail until they have been unlocked. The identity can be unlocked from the Manage Identities page.

n User and Identity Lock timeout - The amount of time an outgoing user or identity will be unable to send messages. This only applies to if you are using the Automatic User Lock or the Automatic Identity Lock.

n Maximum unlocks by timeout - The maximum number of times the user will be automatically unlocked after the time-out value has passed. After this has been depleted, the user will have to be manually unlocked.

n Enable outgoing connection limits - Enable or disable limits on outgoing connections whether spam or not, to prevent bulk mailing.

- 166 - n Limit per month - The amount of outgoing connections that can be opened per month.

n Limit per week - The amount of outgoing connections that can be opened per week.

n Limit per hour - The amount of outgoing connections that can be opened per hour.

n Limit per minute - The amount of outgoing connections that can be opened per minute.

n DKIM Selector- Choose the selector you wish to use at domain level. Use the default or add one that has been generated using the DKIM Certificate Generation tool. Once you have created the certificate you need to add the TXT to your DNS.

n Maximum number of recipients per day - The maximum number of recipients the user can send emails to daily.

n Invalid Recipient limit - The limit for sending emails to invalid recipients (not applicable at Domain Level).

n Maximum days to retry - The maximum number of days the message will be retried for delivery (this applies to messages stuck in the delivery queue) (not applicable at Domain Level).

n Quarantine Response – When an outbound message is detected as spam and it goes into the outbound quarantine the response you send back to the sender can be Rejected or Accepted. If 'Rejected', legitimate senders will receive a bounce message when their mail gets blocked and quarantined even though the message is stored in the quarantine. If 'Accepted' the SMTP response would be ‘Accept’ and the message would still be blocked and shown in the quarantine but the sender will not receive a bounce message and will not know that the message is in the outbound quarantine.

The administrator will be notified that there are messages in the outbound quarantine in the Abuse Report by entering the Adminstrator's contact email address in the Outgoing > Settings page in the Domain Level Control Panel (see Configure the Abuse Report Address). Alternatively, use the Email Scout Reports to create a schedule report with details of outbound quarantine content.

Tip - Administrators may use this option to prevent the sender receiving notifications when messages are quarantined. For example, they may want to review a rejected message before releasing it.

n Message archiving for senders - Enabled/Disabled – If enabled, all outgoing messages from the outgoing user will be archived. If this is disabled, no outgoing messages will be archived. See Ensure Archiving Option is Selected for Outgoing Mail. Edit an Outgoing User

1. Go to Outgoing > Manage users. 2. Click on the dropdown alongside the user you want to edit and select Edit.

- 167 - The Outgoing User Settings page is displayed. 3. Edit the user settings as necessary. For details of each setting see Add an Outgoing User. 4. Click Save when finished. Outgoing Identity Setup

When configuring your servers to use Mail Assure outbound filtering, you need to choose the method by which the system should identify users sending mail. There are three identification methods that can be used:

n Envelope sender - This uses the SMTP MAIL FROM address. n Authentication User - This uses the same identity for all messages n Identity Header - This uses a custom header, see Configure Identity Header Identification Method in Mail Assure and Your MTA

Unless you know that you specifically need to use the Authentication User or Identity Header method, we recommend using the Envelope Sender method since it requires no additional configuration.

In Mail Assure you set up the identification method in the Outgoing > Manage Users page, see Add an Outgoing User.

Configure Identity Header Identification Method in Mail Assure and Your MTA Using an identity header allows the system to track and prevent spammers without affecting other senders for the domain. 1. Step 1 - Configuring the Identity Header Identity Method via the Mail Assure Control Panel 2. Step 2 - Identity Header Setup in the MTA

Step 1 - Configuring the Identity Header Identity Method via the Mail Assure Control Panel

Configure Mail Assure to log and monitor identity headers. 1. Navigate to the outgoing authenticating domain. 2. Select Outgoing > Manage Users. 3. Select Edit from the dropdown alongside the 'Authenticating Domain' outgoing user:

- 168 - The Outgoing User Settings page is displayed. 4. From the Identification Method dropdown, select Header. 5. Click on + Add a new identification header. 6. In the Header name field, add the header name that you are configuring, (for example X- AuthUser for Exim/cPanel). 7. From the Header value dropdown select from: n Simple - The entire header value will be used to identify unique users that share this identification method

n Custom - Specify a custom regular expression that will be used to extract the identity from the header value in order to identify unique users that share this authentication method.

The custom regular expression you enter MUST contain a group that represents the identity.

8. If you want to keep this header after processing, ensure the Remove after processing option is ticked. Alternatively, to keep the header after processing remove the tick.

Depending on how the header is created, it may contain information that you do not want to release. For example, if the identification is based on the user's login id, you probably want to ensure Release after processing is ticked.

9. Click Add.

If you have configured more that one identity, each will be processed in order. If multiple headers are in the same outgoing email, the first header in the message will be the one that is processed first. 10. Once you have set this up, verify that all is working correctly by checking your outgoing messages in the Outgoing Log Search and look for new messages using the Identity column. If you see data which is using the new identity, it is working correctly. It is important to set up a good identifier for your different mail streams in order to make effective use of this feature.

- 169 - The other Identification Method options available are Envelope-Sender and Authenticating User. For more info, see Outgoing User - Identification Method.

If you are not able to add a specific outgoing Header, we recommend you set the Identification Method to the "Envelope-Sender, so that you can continue to use the lock senders option (either via API or the Outgoing Log Search).

Example Identities

There are many different headers and identities that can be set. Here are some examples:

n cPanel: n Header name: X-AuthUser n Header value: Simple n cPanel: n Header name: X-PHP-Originating-Script n Header value: ^(.*?)$.*$ n Postfix: n Header name: Received n Header value: .*\(Authenticated sender: (.*?)$.*

Step 2 - Identity Header Setup in the MTA

As well as configuring Mail Assure to log and monitor identity headers you must ensure that this is also set up in your sending MTA. Here are some example configurations:

Microsoft Exchange Identification headers

Currently on Microsoft Exchange, to be able to add custom outgoing headers a XHeader transport agent must be built. For more information, see the Microsoft KB cPanel/Exim

headers_add = X-AuthUser: $authenticated_id

headers_add = X-AuthUser: ${if match {$authenticated_id}{.*@.*}\ {$authenticated_id} {${if match {$authenticated_id}{.+}\ {$authenticated_id@$primary_hostname}{$authenticated_id}}}}

headers_add = ${if !eq{$original_domain}{$domain}{X-Forwarded-For: $original_domain}}

Postfix Identification headers

To do this in Postfix, you need to add the following line to your main.cf if not already there:

smtpd_sasl_authenticated_header = yes

This will add an "Authenticated Sender" part to the received header

- 170 - Set up Outgoing User Authentication for Multiple Domains Sending from the Same IP Address

When you have several domains sending from the same IP address, follow the steps below to configure the outbound user settings. For the first domain added:

1. In the Domain Level Control Panel, click on Outgoing > Manage users. 2. In the Add a user section add all sending IPs to the IP address field (for details, see Add an Outgoing User). The Outgoing user is added to the list. 3. Click on the dropdown to the left of the new outgoing user and select Edit to open the Outgoing user settings page. 4. At the bottom of the page, set Re-authenticate as to Sender domain:

5. Click Save.

For any subsequent domains added:

1. In the Domain Level Control Panel, click on Outgoing > Manage users. 2. In the Add a user section, click on the Authenticating Domain tab and enter a Password for the domain (the password should be entered here but is not used in this specific scenario) - see Add an Outgoing User for setting details. The outgoing user is added to the list. 3. Click on the dropdown to the left of the new outgoing user and select Edit to open the Outgoing user settings page. 4. At the bottom of the page, place a tick in the Re-authentication permitted box:

5. Click Save. Generate Outgoing Report

Report on outgoing mail sent in the last hour, 6 hours, 12 hours, 24 hours or 7 days. This report displays the total number of outgoing messages per domain - and also the number of messages grouped by either identity, envelope sender or from header.

- 171 - You can access this facility from the Admin and the Domain level Control Panels. When accessed from the Domain Level, the settings are specific to the logged in domain:

1. Go to Reporting > Outgoing reports. The Outgoing reports page is displayed. 2. Enter the domain name of the domain you want to report on. Add more domains by using the Add another domain button. If you are accessing this page from the Domain Level, the logged in domain is already displayed in the Domain field. 3. From the Period dropdown, choose from: n 6 hours

n 12 hours

n 24 hours

n 7 days 4. Alongside Classification, select which mail you want to include - either Accepted, Rejected or All. 5. In the Group by dropdown, select how you want your mail grouped in the report output: By identity, envelope sender or from header. 6. Click on Show to generate your report. The report details are displayed at the bottom of the page.

Tip - You can also access the Outgoing reports facility from the Domain Level Control Panel - where you can report on the domain you are logged into. See Generate Outgoing Report - Domain Level.

Outgoing Blacklist Filtering Rules

In the Outgoing Blacklist Filtering Rules page you can view all blacklist filtering rules that have been set up for your domains' outgoing mail and you can also add new ones. Outgoing mail that matches any of the rules will always be blocked. The rules are based on Python's regular expression (regex) syntax. (For more information on regular expressions, see regex101.com).

You can access this page at the Admin Level and the Domain Level.

n View Outgoing Blacklist Filtering Rules n Add an Outgoing Blacklist Filtering Rule View Outgoing Blacklist Filtering Rules

View all the Blacklist Filtering Rules that, when applied to a domain, will always block matching outgoing mail.

1. In the Admin Level or Domain Level Control Panel, select Outgoing - Protection Settings > Blacklist filtering rules. The Outgoing blacklist filtering rules page is displayed. There are three tabs:

- 172 - n Domain Rules - Rules that apply to a specific domain. You can add new rules in this tab - see Add Outgoing Blacklist Filtering Rule.

n Default Rules - Displays the default rules that apply to all domains using default settings (where no changes have been made at Domain level to filtering settings, Whitelist, Blacklist, Quarantine Threshold etc.).

n Global Rules - Displays all rules that apply to all domains regardless of default settings. All existing rules are displayed in the table. 2. Use the Query Rules panel to filter existing rules and click on Show Results to display all matching results.

In this page you can:

n Add rule - Using the Add rule link - for details see Add Outgoing Blacklist Filtering Rule. n Import rules from CSV - Using the Import rules from CSV link above the Query Rules panel. n Export rules as CSV - Using the Export rules as CSV link above the Query Rules panel. Add Outgoing Blacklist Filtering Rule

1. In the Admin Level or Domain Level Control Panel, select Outgoing - Protection Settings > Blacklist filtering rules. The Domain Rules tab is displayed in the Outgoing blacklist filtering rules page. 2. Click on Add rule:

The dialog that is displayed here depends on whether you have enabled or disabled the 'Use advanced custom filtering rules' option in the User profile page. For more information, see Manage Your Admin User Profile or Manage Your Domain User Profile. If the option is Inactive you will see the 'Add a new simple blacklist filtering rule' dialog:

- 173 - If this is Active, you will see the 'Add a new advanced blacklist filtering rule' dialog:

- 174 - 3. Choose from the following filters:

- 175 - Field/Option Description Simple page

Rule name Add the name of this rule Match Use the Match fields to structure your rule Advanced page

Domain If you are accessing this page at the Admin Level you need to choose the domain you want to apply the rule to from those available in the Domain dropdown. (When you are accessing this page at the Domain Level, the system applies the rule to the logged in domain). Rule name Enter the name you want to give this rule in the Rule name field.

Priority In the Priority field enter a number to represent the priority given to the rule. Rules are evaluated by Priority from the lowest number to the highest number, until one matches or all rules have been checked. All Whitelist rules are checked before Blacklist rules.

Header name If you want to restrict the check to a particular header, enter the Header name. You may enter a regular expression here, if required. Regular expression Enter the regular expression for the rule in the Regular expression field.

Tip - Use the Cheatsheet panel on the right of the page for examples of how to build your regex.

Match Choose what you want the rule to match. The following options are available: Flags The following flags are available:

- 176 - Field/Option Description

n i (ignore case)

n m (^ and $ match start and end of line),

n s (. matches newline)

n x (allow spaces and comments)

4. Click Save when finished. Outgoing Log Search

The Outgoing Log Search works in the same way as the Incoming Log Search but logs all outgoing messages over the past 30 days. Available from the Admin Level, Domain level and Email level Control Panels, from Outgoing - Logs.

Tip - Using the Outgoing Log Search you can filter outgoing messages that have been rejected and quarantined and then go on to release or release and train these as required.

For more information about the filters and actions available, see Incoming Log Search.

For information on how to create Email Scout Reports for outgoing messages, see Create Email Scout Report. DKIM Certificate Generation Why should I use DKIM?

There are several advantages to using DKIM to sign your outgoing emails:

n The recipient is able to verify that the message originated from the specified sender. n The recipient is able to verify that the message content (and important headers e.g. the subject) has not been altered. n It lowers the chance of the email being identified as spam, although this is not the primary reason to sign. If a spammer is trying to abuse your domain or email address, using DKIM reduces the chances of spam getting through. Many email servers check for a valid DKIM signature on incoming email. How does it work?

DKIM adds a special DKIM Signature to the email headers. This signature contains a hashed value of the content (both important headers and the body). When a server that is checking for DKIM receives an email, it does the following: 1. Retrieves the public key from the DNS of the sending domain. 2. Uses the key to decrypt the signature. 3. Verifies the content.

- 177 - The exact actions a mail server takes when it discovers an invalid signature depend on the configuration of that server.

What do you sign by default?

Besides the body, the following headers are by default included in the signing:

n from n date n subject n reply-to n sender n to n cc n bcc n message-id n in-reply-to n references n content-type n mime-version n content-transfer-encoding Generate a DKIM certificate in the Mail Assure Control Panel

1. In the Domain Level Control Panel, select Outgoing > DKIM . 2. Choose the DKIM key length (we advise 2048, if your DNS can accept that). 3. Enter the DKIM selector and click on Generate and save new private/public pair.

Once the key has been generated, you will need to add it to the DNS on the sub domain: ------For example with:

test._domainkey.example.com

Save this in your DNS as a TXT record and then, in the Outgoing User Settings page for your outgoing user ( see Manage Outgoing Users), you need to enter 'test' in the DKIM Selector field.

Any domain that sends using outgoing authentication that has this selector, should sign with this (assuming they do not have their own DKIM). ------How can I set DKIM up via command line?

Setting up DKIM involves a few steps. Prerequisites

n Python n OpenSSL

- 178 - n Access to your DNS n Mail Assure Outgoing Filtering enabled on your cluster. Create keys DKIM uses a pair of public and private keys - the private key is known only to you (and Mail Assure, since we are signing the mail on your behalf) and is used to create the signature. The public key is available to anyone, and can be used to verify that the correct private key was used.

Generate a private key

openssl genrsa -out domainname.com.key 2048

Generate a public key

openssl rsa -in domainname.com.key -out rsa.public -pubout -outform PEM

Create a DNS record In order for the receiving mail server to obtain your public key, you must create a DNS record for the specified domain.

selector._dkim TXT "k=rsa; p=[public key in one line];"

The name "selector" can be anything and you can use it to have different keys with the same domain. Make sure you use the same name in the next steps. Configure the keys In order to use the keys for all outgoing mails for a certain user, there are a few steps to take to implement this in your Mail Assure Filtering Cluster. Create a file "makepriv.py" and enter the following content:

s = """ -----BEGIN RSA PRIVATE KEY----- YOUR KEY HERE -----END RSA PRIVATE KEY----- """ import urllib print urllib.quote(s)

Replace the YOUR KEY HERE part with the contents of your private key. Execute this:

python makepriv.py

It will return a your key in a single line. Input the name of the selector into the api. To do so, you should replace a few values in the URL:

- 179 - https://SERVERNAME/cgi-bin/api?call=api_set_dkim_ certificate&domain=DOMAINNAME&certificate=VALUE&selector=SELE CTOR

1. Replace SERVERNAME with the hostname of your primary server or the used CNAME 2. Replace DOMAINNAME with the domainname you want to be using DKIM 3. Replace VALUE with the value the Python script earlier produced. 4. Replace SELECTOR with the desired selector you've chosen earlier.

To finish things up, the desired outgoing user should be DKIM enabled:

https://SERVERNAME/cgi-bin/api?call=api_set_dkim_ selector&domain=DOMAINNAME&selector=SELECTOR&username=USERNAM E

1. Replace SERVERNAME with the hostname of your primary server or the used CNAME 2. Replace DOMAINNAME with the domainname you want to be using DKIM 3. Replace SELECTOR with the desired selector you've chosen earlier. 4. Replace USERNAME with the username of the outgoing user.

Your outgoing emails which are being sent through the Outgoing Filter will now be signed with your DKIM key. Further reading

The following sites provide more information on DKIM: RFC4870 RFC4871 RFC5322 Wikipedia Manage Outgoing Settings

In the outgoing Settings page you can set the administrator's contact email for your domain.

In the Domain Level Control panel, select Outgoing > Settings.

- 180 - The address configured here is the one to which abuse reports are sent when outbound messages are blocked, see Configure the Abuse Report Address. Configure the Abuse Report Address

An ARF (Abuse Reporting Format) report is an email format abuse report which is generated every time an outgoing sender's message is rejected. The report is sent to the Admin contact entered in the Domain Level, Outgoing > Settings page.

Use this report to target spammers in your network, alerting you each time a spam message is sent. Each report contains:

n An attachment containing the blocked message n Information about the outbound sender account that was used n Timestamp When using the Outbound filter, it is highly recommended that you set this up to identify spammers in your network.

1. In the Domain Level Control Panel, select Outgoing > Settings. 2. In the Administrator's contact field, enter the email address to send the abuse reports. 3. Click Save.

The address that is configured should be an address that has no inbound filtering, and not a "freemail" address as these can often cause problems in receiving the reports.

We recommend also adding the email address to the recipient whitelist - the ARF report contains a copy of the blocked message which may be blocked by the incoming filter. Alternatively you can use an email address that is not filtered specifically for this purpose.

It is also possible to use other methods of monitoring the outbound spam, if using ARF reports is not possible. For example you may use using API's, CSV reports and/or IMAP. See Outbound Spam Monitoring.

Important - When spammers are reported in your network, either via ARF reports or other means, ensure that these problem sources (senders, scripts, etc) are dealt with promptly.

- 181 - Clear Callout Cache - Outgoing

1. In the Domain Level Control Panel, select Continuity > Clear callout cache - Outgoing. 2. To clear the callout cache for the domain, click on Clear.

To clear the incoming Callout cache see Clear Callout Cache - Incoming. View Domain Statistics - Outgoing

This page displays statistics of your domain's outgoing email traffic over a specified time-frame.

In the Domain Level Control Panel, go to Outgoing > Domain statistics:

Statistics displayed are described in View Domain Statistics (Incoming). Setting up Your SMTP Hostname

Use the following settings to configure your outbound mail flow:

n Global server: smtpout.mtaroutes.com n EU-only server: smtpout-eu.mtaroutes.com n US-only server: smtpout-us.mtaroutes.com n UK-only server: smtpout-uk.mtaroutes.com n AU-only server: smtpout-au.mtaroutes.com n CA-only server: smtpout-ca.mtaroutes.com n Available Ports: 587 n Security: TLS

- 182 - Setting up SPF

SPF (Sender Policy Framework) is used to restrict which mail servers are allowed to send email for your domain name. This framework is designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records in the form of an SPF record which is a specially formatted TEXT record. An example of an SPF would be : example.com. TXT "v=spf1 -all"

Forwarding emails can sometimes break the SPF. If this is the case we recommend using SRS (Sender Rewriting Scheme - http://www.openspf.org/SRS).

To Set up SPF for a Domain

Existing SPF record If you have an existing SPF record, you should add "include:spf.mtaroutes.com". Create new SPF record 1. If you do not have an existing SPF record, you need to create one using the following: "v=spf1 include:spf.mtaroutes.com -all" ... where: n v=spf1 is the version of spf

n include:spf.mtaroutes.com uses the SPF record on mtaroutes.com (the Mail Assure server)

n -all means EXCLUDE everything else another example you can use is: "v=spf1 ip4:1.2.3.4 include:spf.mtaroutes.com include:yourdomain.com -all" ... where you need to replace the ip4 entry with your mail server address. 2. If you have multiple sending addresses, the following external links can be used for additional formatting and guidance: Open SPF - http://www.openspf.org/ SPF wizard - https://www.spfwizard.net/ 3. Next you need to publish the TXT record to the authoritative DNS server for your domain. This step will differ from each domain provider. If assistance is required contact your provider.

Depending on your domain's current Time to Live (TTL), this may take up to 24 hours to propagate.

- 183 - If SPF checking is turned on in a domain's Filtering Settings, this causes a hard fail of SPF records that don't match - and the message is quarantined. You can control whether SPF/DKIM/DMARC are enabled in the Filtering Settings for a domain. You can also manage a list of domains and IP addresses with disabled SPF, DKIM and DMARC (see Manage Domains and IPs with Disabled SPF, DKIM and DMARC Checks). SPF checking will prevent any targeted spoofs. If required, you will need to add any inten- tional spoofing to your SPF records or whitelist the sender (whitelisting the sender is a last resort as this can also be spoofed).

If you are using other sources for outbound filtering, you need to make sure you modify the SPF record appropriately. The above is only suitable if all outbound filtering is handled by Mail Assure.

Temporary Log

The Temporary Log feature allows you to view logs for outgoing mail which has not completed processing but may already have been delivered. These files do not show up in the standard Log Search because this would slow down the search significantly.

1. You can access this from the Admin or Domain Level Control Panels by selecting Outgoing > Unrecognized Domains Log. 2. Click on Show Results to show all temporary logs or use the Query Rules panel to filter your search. Delivery Details

1. In the Admin, Domain or Email Level Control Panel select Incoming or Outgoing > Delivery Details. 2. The Query rules panel already displays the Delivery date filter - you can change this if you need to. 3. You can also filter further by adding more rules - click on + New rule to do this. 4. Click Show Results to list all matching messages. The following actions are available from the dropdown to the left of each individual message: n Show details - Opens the Log Search result for that message id and recipient.

n Retry delivery - Forces the email to retry delivery.

n Telnet test - Redirects you to the Network Tools page to run a Telnet test.

n Recipient callout - Redirects you to the Network Tools page to run a Recipient Callout.

- 184 - n Ping destination - Redirects you to the Network Tools page to ping the destination mail server. n Trace route to destination - Redirects you to the Network Tools page to run a Traceroute. n Export as .CSV - Save the entry locally in CSV format.

- 185 - Integrations and Add-ons

Exchange Online (Office 365) Configuration and Setup 186

Configure Inbound Filtering with Exchange Online (Office 365) 186

Configuring Outbound Filtering with Exchange Online (Office 365) 188

Configure Mail Archive / Journaling with Exchange Online (Office 365) 189

Enable Recipient Filtering, for Recipient Verification in Exchange Online (Office 365) 190

Enable Recipient Filtering, for Recipient Verification in Exchange Server 2013/2016 190

Configure Inbound and Outbound Filtering With G Suite 191

------192

Step 1: Configuring Mail Assure 192

Step 2: G Suite Configuration 195

Step 3 : Configuring Mail Assure (MX Records) 198

Configure Inbound Filtering with Postfix 198

Per domain setup 199

cPanel and WHM Configuration for Mail Assure 200

Inbound 200

Outbound 200 Exchange Online (Office 365) Configuration and Setup

To set up Mail Assure to work with Microsoft Exchange Online (Office 365), follow the instructions covered in these three tasks:

n Configure Inbound Filtering with Exchange Online (Office 365) n Configuring Outbound Filtering with Exchange Online (Office 365) n Configure Mail Archive / Journaling with Exchange Online (Office 365)

Configure Inbound Filtering with Exchange Online (Office 365)

In order to configure inbound filtering for Exchange Online / Office 365 follow these steps:

n Add the domain in the Mail Assure web interface n Create a partner connector and rule in Exchange Online to accept filtered mail n Change the MX record to point to the Mail Assure inbound servers

- 186 - Add the domain in the web interface 1. Log in to the Mail Assure control panel as an administrator. 2. Click on General > Add Domain. 3. Enter the domain name and click Continue. 4. Use the auto-detected route if it is correct, otherwise enter the correct Destination route(s) for the domain. 5. Click Add.

Create a partner connector and rule in Exchange Online to accept filtered mail 1. Log in to the Exchange Admin Center. 2. Click on Mail Flow > Connectors and click on + button. 3. Choose Partner organization as the From and Office 365 as the To, then click Next. 4. Give the connector a name and click Next. 5. Choose Use the sender's IP address then click Next. 6. Add the following Mail Assure delivery IP ranges: n 185.201.16.0/24

n 185.201.17.0/24

n 185.201.18.0/24

n 185.201.19.0/24 7. Ensure that Reject email messages if they aren't sent over TLS is ticked and click Next. 8. Verify the settings and click Save. 9. Click on Mail Flow > Rules. 10. Under Rules, click on the + button and choose Bypass spam filtering.... 11. Enter a rule name (e.g. Disable filtering for Mail Assure). 12. Choose Apply this rule if... > Senders IP Address is in any of these ranges or exactly matches. 13. In the specify IP address ranges dialog, add the following Mail Assure delivery IP ranges: n 185.201.16.0/24

n 185.201.17.0/24

n 185.201.18.0/24

n 185.201.19.0/24 14. Ensure that Do the following... is set to: Modify the message properties > Set the spam confidence level (SCL) > Bypass spam filtering. 15. Click OK. 16. Click Save.

Change MX record for the domain to point to inbound servers The default records are:

Hostname Value Priority @ mx1.mtaroutes.com 10

- 187 - Hostname Value Priority @ mx2.mtaroutes.com 20

@ mx3.mtaroutes.com 30

@ mx4.mtaroutes.com 40

To use US only routing, replace mxn with mxn-us; for EU routing use mxn-eu; for UK routing use mxn-uk; for CA routing use mxn-ca; for AU routing use mxn-au.

Configuring Outbound Filtering with Exchange Online (Office 365)

Follow these two steps:

n Create Outbound User in Mail Assure n Set up a Transport Rule in Exchange Online

Create Outbound User in Mail Assure 1. Log in to the Mail Assure control panel as an administrator. 2. Select General > Domains Overview then click on the relevant domain to open the Domain Level Control Panel. 3. Select Outgoing > Manage Users. 4. Select the Authenticating Domain tab and ensure that the domain you are using with Exchange Online is shown. Enter a secure password and click Add. 5. Once the domain is added, click on the downward-facing arrow and select Edit. 6. Ensure that Re-authentication permitted is ticked. 7. Click Save.

Set up a Transport Rule in Exchange Online 1. Log in to the Exchange Admin Center. 2. Click Mail Flow > Connectors. 3. Click on + and add a connector From > Office 365 to Partner Organization. 4. Select Only when I have a transport rule set up that redirects messages to this connector. 5. Select Route messages through these smart hosts and enter smtpout25.mtaroutes.com. 6. Ensure that Always use Transport Layer Security (TLS) to secure the connection (recommended) and Issued by a trusted certificate authority (CA) are selected. 7. Validate the connector (e.g. by using [email protected] as the recipient) and Save. 8. Click on Mail Flow > Rules. 9. Click on the + (plus button) and choose Create a new rule.. 10. Enter a name for your rule (e.g. Route outbound via Mail Assure). 11. Click More Options. 12. Set Apply this rule if... to The sender's domain is.... 13. Specify the domain entered in the previous step.

- 188 - 14. Set Do the following... to Redirect the message to > The following connector and select the connector created earlier. 15. Click Add exception. 16. Select The recipient > is external/internal. 17. Choose Inside the organisation. 18. Save the rule. Configure Mail Archive / Journaling with Exchange Online (Office 365)

n Enable Archiving of Inbound/Outbound Mail n Enable Journaling of Internal Messages

Enable Archiving of Inbound/Outbound Mail 1. Log in to Mail Assure as an Admin or Domain user:

If you log in as the domain user, the Domain Level Control panel is displayed on login.

If you log in as an admin user, go to General > Domains Overview and click on the domain you want to enable archiving for. The Domain Level Control Panel is now displayed.

2. Click on Archiving > Status > Enable to enable inbound and outbound archiving for all users on the domain. 3. If required, navigate to Archive > Archived recipients to restrict the users whose mail will be archived. 4. Make a note of the global journaling address if you want to enable journaling. If the address ends with '@MX-record-hostname' please use @mx1.mtaroutes.com.

Enable Journaling of Internal Messages 1. Log in to the Exchange Admin Center. 2. Navigate to Compliance management > Journal rules. 3. Enter a valid email address to receive journal failure alerts. 4. Click on the + (plus sign) and create the journal rule as follows: n Send journal reports to: Enter the global journal address noted in Enable Archiving of Inbound/Outbound Mail (above).

n Name: Give the rule a meaningful name

n If the message is sent to or received from: Choose [Apply to all messages]

n Journal the following messages: - Select Internal messages only if the domain uses inbound/outbound filtering - Select All messages if the domain is archive-only.

- 189 - Enable Recipient Filtering, for Recipient Verification in Exchange Online (Office 365)

To enable recipient filtering in Exchange Online, you need to have Exchange Online Protection enabled on the server, as well as a Global Admin or an Exchange Company Administrator account:

1. Ensure the domain is set to Internal Relay, by going to Exchange Admin Center > Mail Flow > Accepted Domains > Select your domain and click Edit. 2. Ensure the domain type is set to Internal relayand click Save. 3. Ensure that all desired mailboxes are configured in Exchange Online as the next step will block mail delivery to any addresses that are not listed. 4. Set your domain to Authoritative by going to Mail Flow > Accepted Domains, select your domain and set it to Authoritative. After you click Save, please confirm that you wish to enable Directory Based Edge Blocking. For on-premise Exchange, see: How to enable recipient filtering on an Exchange 2013 and 2016 server Enable Recipient Filtering, for Recipient Verification in Exchange Server 2013/2016

1. Open the Exchange Management Shell on the Mail Server. 2. Enter the command:

Get-TransportAgent 3. Check for 'Recipient Filter Agent' to see if it is enabled: a. To install this feature, enter: & $env:ExchangeInstallPath\Scripts\Install- AntiSpamAgents.ps1

b. To enable the feature, run: Enable-TransportAgent “Recipient Filter Agent”

c. Restart the "Microsoft Exchange Transport" service, using command: Restart-Service MSExchangeTransport

4. Ensure your accepted domains are using Address Book to check for valid recipients. By default, this should be enabled when Exchange is an authoritative Mailbox Server for the domain. 5. Enable the recipient filter:

Set-RecipientFilterConfig -RecipientValidationEnabled $true 6. Restart the "Microsoft Exchange Transport" service, using command:

Restart-Service MSExchangeTransport

- 190 - 7. To set the Hub Transport receive connector to receive filtered email, and correctly validate users addresses: a. Issue the command: Get-ReceiveConnector | fl name,bindings

b. Note the name of the connector with binding ending :2525 (listening on connections from port 2525) c. Set the receive connector to accept unauthenticated SMTP connections using command: Set-ReceiveConnector -identity '' - PermissionGroups 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers'

8. Restart the "Microsoft Exchange Transport" service, using command:

Restart-Service MSExchangeTransport 9. Run the following command:

Set-RecipientFilterConfig -RecipientValidationEnabled $true 10. Open port 2525 on the firewall on the MTA's public connection. 11. Edit the route in Mail Assure (Domain Level Control Panel > Incoming > Destinations) to use port 2525 rather than port 25. See Manage Destinations. Configure Inbound and Outbound Filtering With G Suite

In order to configure inbound filtering for G Suite follow these steps: Step 1. Mail Assure Configuration:

n Add the Domain in Mail Assure n Check your Domain can Communicate with the G Suite Mail Servers n Set the Outgoing User n Automatically Populate Mailboxes Tab Based on Destination Server Response

Step 2. G Suite Configuration:

n Configuring G Suite

Step 3. Mail Assure (MX Record) Configuration After you have configured everything else you must now ensure that your MX records are pointing to Mail Assure (if they aren't already).

n Change the MX record to point to the Mail Assure inbound servers

- 191 ------Step 1: Configuring Mail Assure

Add the Domain in Mail Assure 1. Log in to the Mail Assure control panel as an administrator. 2. Click on General > Add Domain. 3. Enter the domain name and click Continue.

4. Enter the correct Destination route(s) for G Suite - see G Suite Destination Server Address to find out the G Suite destination server addresses you can use. 5. Click Add.

Check your Domain can Communicate with the G Suite Mail Servers

To ensure Mail Assure can talk to the G Suite servers you have just added, carry out a Protection status check in Mail Assure:

1. In the Admin Level Control Panel, select General > Domains Overview to display all of your domains. 2. Click on the dropdown alongside the domain you want to check, and select Protection status to check the routes you have set:

- 192 - Set the Outgoing User

1. Click on the newly added domain in the General > Domains Overview page to open the Domain Level Control Panel for that domain. 2. Select Outgoing > Manage users and click on the Authenticating Domain tab in the Add a user section. 3. The domain name is already entered in the Domain field. 4. Enter any password in the Password field (the password is not important in the G Suite setup as it is not used).

5. Click and hold the Add button and select Add and configure.

6. The Outgoing User Settings page is displayed.

- 193 - 7. Ensure the Re-authentication permitted option is ticked.

8. Click Save.

Automatically Populate Mailboxes Tab Based on Destination Server Response You may want to configure the system to make sure all the mailboxes are filtered (you may want to do this as catch-all is disabled).

1. In the Domain Level Control Panel, select General > Mailboxes overview. 2. In the Configuration tab, in the Incoming panel, ensure Automatically populate 'Mailboxes' tab based on destination server response is ticked.

3. Click Save settings.

- 194 - Step 2: G Suite Configuration

Configuring G Suite

1. Sign in to the G Suite control panel and click on G Suite Core Services.

2. Click on Gmail.

3. Scroll down to the bottom of the page and click on Advanced Settings. 4. Scroll down to the Spam section and locate Inbound gateway. Click the CONFIGURE button to the right of the page.

5. In the first field, enter a name for this configuration e.g. 'Mail Assure Inbound'.

- 195 - 6. In the 1. Gateway IPs section, click Add and enter Mail Assure's delivery IP addresses range ( 185.201.16.0/22) in the IP addesses / ranges box. 7. The option to Reject all mail not from gateway IPs (from Mail Assure) is available but it may be best to leave this option unticked just now as existing servers might still have the old MX records. We advise waiting a few days before selecting this option.

8. Click ADD SETTING. to take you back to the previous page. 9. Scroll down to the Routing section and enter smtpout25.mtaroutes.com in the Outbound gateway field.

10. Click to open the Hosts tab and click ADD ROUTE. 11. Give the route a name e.g. Mail Assure Outbound. 12. Enter smtpout.mtaroutes.com and 587 in the hostname and port fields.

- 196 - 13. Click SAVE. 14. Click to open the Default routing tab and Click ADD SETTING. 15. From the Specify envelope recipients to match dropdown, select Single recipient.

16. Tick the Change route box and select the host added in step 10 above..

- 197 - 17. Click SAVE.

Although we strive to provide the most up-to-date information, the instructions covered in this G Suite configuration may change. To ensure you have the correct up-to-date information, please refer to the G Suite website.

Step 3 : Configuring Mail Assure (MX Records)

Change the MX record to point to the Mail Assure inbound servers The default records are:

Hostname Value Priority @ mx1.mtaroutes.com 10

@ mx2.mtaroutes.com 20

@ mx3.mtaroutes.com 30

@ mx4.mtaroutes.com 40

To use US only routing, replace mxn with mxn-us; for EU routing use mxn-eu; for UK routing use mxn-uk; for CA routing use mxn-ca; for AU routing use mxn-au.

Configure Inbound Filtering with Postfix

1. Create a file /etc/postfix/access with the content:

185.201.16.0 OK 185.201.17.0 OK

- 198 - 185.201.18.0 OK 185.201.19.0 OK 2. Execute:

postmap /etc/postfix/access 3. Add the following to /etc/postfix/main.cf

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, reject 4. Or, if you already have smtpd_client_restrictions defined, insert :

"check_client_access hash:/etc/postfix/access"

... at the beginning of your definition, and replace permit with reject and the end of definition. 5. Restart Postfix:

/etc/init.d/postfix restart

Per domain setup

It's also possible with Postfix to configure the MTA to only allow connections from the Mail Assure servers for specific protected domains: 1. Add this to the main.cf

smtpd_restriction_classes = mailassure mailassure = check_client_access hash:/etc/postfix/mailassure, reject smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination 2. Create the following file:

/etc/postfix/mailassure 3. with the following content:

185.201.16.0 OK 185.201.17.0 OK 185.201.18.0 OK 185.201.19.0 OK 4. Create the following file:

/etc/postfix/protected_destinations 5. Add the domains that you want to configure:

example.com mailassure 6. Postmap both files. 7. Restart Postfix.

- 199 - cPanel and WHM Configuration for Mail Assure

The following instructions describe how to:

n Restrict inbound delivery to Mail Assure only n Disable catchall behaviour n Route outbound mail through Mail Assure Inbound

In WHM As the root user:

1. Set the Service configuration > Exim Configuration Manager > Access lists to Only- verify-recipient to contain: n 185.201.16.0/22

n master.antispamcloud.com 2. In the Service configuration > Exim Configuration Manager > ACL options set: n Ratelimit suspicious SMTP servers > False

n Ratelimit incoming connections with only failed recipients > False 3. In Server configuration > Tweak settings > Mail set: n Email delivery retry time > 5 minutes

n Initial default/catch-all forwarder destination > Fail

n Enable BoxTrapper spam trap > Off

n Enable Apache SpamAssassin™ spam filter > On 4. In Email > Spamd startup configuration > Allowed IPs set: n 185.201.16.0/22,95.211.160.147

This will restrict the server from receiving mail for all domains to only accepting mail from Mail Assure.

In cPanel As the admin for the domain, or higher:

Select Email > Default Address > > Discard the email while your server processes it by SMTP time with an error message. Outbound

In WHM

In Service configuration > Exim Configuration Manager > Mail set:

n Smarthost support > * smtpout.mtaroutes.com::587

This should be .

- 200 - Email Archiving

Our Email Archiving facility allows you to back up and store all of your organization's mail and access it easily if needed. In doing so it helps maintain legal compliance. Archiving v's Journaling

When Archiving is enabled in Mail Assure, a copy of all messages to and from external addresses (outside your domain), is stored on the Mail Assure server. Internal messages, sent between addresses in the same domain, are processed by the local mail server and are sent directly to the users' mailboxes. They are not stored in Mail Assure. In order to store internal messages on the Mail Assure server you need to ensure Archiving is enabled and set up journaling on your MTA. The Mail Assure Archiving facility, when enabled, generates a global journaling address. It is this address that you need to record in your MTA (e.g. Exchange, Exim, etc.) to allow the storage of internal messages on the Mail Assure server. To use the system's Archiving / Journaling features you must first ensure that your domain has been added to the system and the Archive product has been enabled for your domain. What do you want to do?

n Enable Archiving on a Domain n Ensure Archiving Option is Selected for Outgoing Mail n Search Incoming/Outgoing Archive n View Archive Usage per Domain n Export Archived Messages n Manage Archive Settings n View Archive Status n Restrict Archiving to Specific Mailboxes n Export Archived Messages n Import Historical Data into Archive n Configure Journaling in Mail Assure/Exchange n Configure Journaling in Mail Assure/Exim on Linux n Configure Journaling in Mail Assure/Postfix on Linux Enable Archiving on a Domain

When you enable archiving on a domain, incoming mail is archived and stored in your Mail Assure system. To use the Archiving feature you must ensure that your domain has been added to the system (see Add a Domain) and the Archiving product is enabled for your domain:

- 201 - 1. From the Admin Control Panel, click on Overview in the General panel. 2. Click on the domain for which you want to enable archiving. The Domain Control Panel is now displayed. 3. Alternatively, you can access the Domain Level Control Panel directly by logging in to Mail Assure with your domain login - see Domain Level Control Panel. 4. Select Archiving > Status. 5. Click Enable.

The Archive is now enabled and a list of parameters and values is displayed. Ensure Archiving Option is Selected for Outgoing Mail

If you want outgoing mail to be archived too, you must ensure that the Message archiving for senders option is ticked in the Outgoing user settings page which is displayed when you add or edit the Outgoing user (see Add an Outgoing User). Search Incoming/Outgoing Archive

At the Admin, Domain and Email level, you can search for incoming and outgoing archived message logs. You can search your own message archive when logged in to the Email Level Control Panel as an Email user or you can search your domains' archived messages from the Admin and Domain Level Control Panels. Before you can search your Archive, you need to:

n Add all the necessary domains to the system, see Add a Domain. n Enable the Archive product on all domains, see Enable Archiving on a Domain.

To search your archived messages:

1. Select Archiving > Search - Incoming for incoming logs or Archiving > Search - Outgoing for outgoing logs. This opens the Incoming or Outgoing Log Search with the In archive filter enabled and the search results displayed. 2. To regenerate the index to include all recent archived messages, click on Regenerate Index at the top of the page. This allows you to search archived message content at Domain level. This means that you can search within archived messages and attachments.

- 202 - In Archiving > Settings, at the Domain Level, you can choose the archive indexing options. If you select everything, the index creation will take longer due to the amount of data to parse. If you limit your selection e.g. headers, html and text, then it will take a lot less time to index your messages. For more information, see Manage Archive Settings.

3. If you want to filter further, use the Query Rules panel to add more rules using the + New rule link. 4. Use the Customise dropdown to choose what information is displayed for each message e.g. Timestamp, Auth domain, sender, recipient.

5. Click on Show Results. The search results are displayed at the bottom of the page:

If you are logged in as the domain user for the domain, or as an admin user whose access to view/export Archive messages is restricted (in Users & Permissions - Manage admins by activating Protection for archived messages), you will not be able to view message content. If you click on a message in the Archive search results you will be prompted to go through an authentication process in which you can authenticate as an Email user by logging in with your credentials. Only then will you be able to see your own message content - and not that of any other user.

- 203 - View Archive Usage per Domain

In the Admin Control Panel, select Archiving > Usage.

In the Usage page, your domains are listed, showing the status of the Archive product:

n Available - The Archive is available for this account. n Enabled - The Archive is activated for the domain, however this does not imply that there has been any activity. See Enable Archiving on a Domain. n Active - If active, the domain is actively using the Archive product.

In the Storage used column, you can see how much storage is being used by the Archive for each domain. Click on the refresh icon to see the up-to-date storage used. Manage Archive Settings

In the Archive Settings page you can manage archive settings for your domain including how many days to store emails and what parts of the message you want to index.

1. In the Domain Level Control Panel, select Archiving > Settings. 2. If you want to remove stored emails after a set amount of days, select Expire messages and enter the number of days in the Number of days to store email field.

The maximum number of days you can set is 10,000. If you disable the expire feature, messages are stored without limit.

3. In the Indexing options panel, select which contents you want to index from those available: n Message headers - Searches for text in the header name or value of the message. For example, searching for messages that have a X-Campaign header, or that have a particular name in the CC header.

n HTML - Searches the HTML version of the message. Most messages will include both HTML and plain text versions of the message text. Because some messages do not have both HTML and plain text versions it is recommended to keep this option enabled.

n Text - Searches the plain text version of the message. Because some messages do not have an HTML version, or the text cannot be extracted from the HTML you should nearly always leave this option enabled.

n Images (via OCR) - Searches text contained within an image. When messages containing images are received, the images will be processed via OCR and any text found will be added to the index.

n Attachments/Documents (.doc) - Searches for text in a Microsoft Word document (Office 2003 and earlier) .doc attachment.

n Attachments/Documents (.docx) - Searches for text in a Microsoft Word document (Office 2007 and later) .docx attachment.

- 204 - n Attachments/Documents (.pdf) - Searches for text in an unencrypted PDF document attachment. The text content of the pdf as well as some meta-data (e.g. author and subject) will be added to the index, but images are not processed with OCR. 4. Click on Update. View Archive Status

In your Domain Level Control Panel, click on Archiving > Status. The following Archive information may be displayed:

n Status - Enabled or disabled for the domain n Space used - n Archive mail n Number of days emails are stored n Soft quota n Hard quota n Global journal address Global Journal Address

This is a custom address available for each domain which allows you to set up Journaling without the MX records pointing to the filtering server. You can use this in your Journaling setup directly, without having to configure anything in the Archived Recipients.

If you are using Mail Assure Filtering, the address will be automatically populated with the MX record.

Restrict Archiving to Specific Mailboxes

1. In the Domain Level Control Panel, select General > Mailboxes Overview. 2. In the Mailboxes tab search for the specific mailbox(es) using the Query Rules panel. 3. Click on the dropdown to the left of the mailbox and select Edit. 4. In the Edit mailbox dialog, expand the Archiving enabled panel and choose from: n Yes

n No

n Use recommended - uses the configured setting for archiving set in the Configuration tab. 5. Click Save. Export Archived Messages

There are two ways to export archived messages:

n Using the Archiving > Export facility - Available to Domain Level users only. n Using the Log Search - Available to Admin, Domain and Email Level users.

- 205 - Export archived messages using the Archive - Export facility

This page is only available at the Domain Level, where you can choose to export archived messages in your domain.

1. At the Domain Level, go to Archiving > Export. 2. Enter the Date range.

3. Click on Export. 4. Next you need to authenticate that you are the user to whom the archived messages belong. Click on Proceed to authentication and enter your password in the log in panel. Click Submit. 5. The Export page reappears. Click on Export. All the archived emails from that period are downloaded in a zip archive. Export archived messages using the Log Search

Use the Log Search to download your archived emails at Admin, Domain or Email level.

You must have Features Preview active in your User's profile page to access the Log Search.

1. Select Incoming > Logs. 2. In the Query Rules panel, select In archive and make sure the Yes button is selected alongside to include this in your search:

- 206 - 3. Click on Show Results to display all matching messages. 4. Select the messages you want to download by ticking the checkbox to the left of the message or use the Select all / Deselect all buttons at the top of the search results. 5. At the bottom of the search results, select Download archived message and click Apply. A zip folder containing the individual messages in .eml text format is downloaded.

.pst or.msg files cannot be exported as these are propriety formats.

Import Historical Data into Archive

To import existing archived emails into Mail Assure.

1. Export the emails that you wish to import into Mail Assure to .eml format (plain text message).

.msg or .mbox binary formats are not suitable for import but there are tools available that allow you to convert from.eml. 2. Create a separate archive (.zip or .gzip format) for each domain you wish to import.

If you want to import inbound and outbound messages separately then create separate archives for each. 3. Contact support, specifying how to access the archive files and detailing exactly what each file contains. We will process the message data for you and add the messages to the Mail Assure archive. Configure Journaling in Mail Assure/Exchange

To set up journaling in Mail Assure/ Exchange you need to:

- 207 - n Ensure Archiving is enabled in Mail Assure - see Enable Archiving on a Domain. n Add the global journal address to your mail server. Find Global Journal Address

You can find the global journal address at the Domain Level, in the Archiving > Status page.

If the address ends with '@MX-record-hostname' please use @mx1.mtaroutes.com.

Configure Journaling in Microsoft Exchange 2010

1. Open EMC - Organization Configuration - Hub Transport - Journal Rules. 2. Right click and select New Journal Rule. 3. Enter the global journal address in Send Journal reports to e-mail address. 4. Select Internal Scope. 5. Select Journal messages for recipient and select the Dynamic Distribution Group for this domain. Configure Journaling in Exchange 2013/2016/Online (Office 365)

1. Log into the Exchange Admin Center (EMC). 2. Go to Compliance Management > Journal rules. 3. Enter a valid email address to receive journal failure alerts. 4. Click on the + (plus sign) and create the journal rule as follows: n Send journal reports to: Enter the global journal address noted from the Archive > Status page (above).

n Name: Give the rule a meaningful name.

n If the message is sent to or received from: Choose [Apply to all messages].

- 208 - n Journal the following messages:

n Select Internal messages only if the domain uses inbound/outbound filtering.

n Select All messages if the domain is archive-only. Configure Journaling in Mail Assure/Exim on Linux

This topic describes how to set up journaling using Mail Assure and the Exim MTA on Linux. To set this up you need to:

n Ensure Archiving is enabled in Mail Assure - see Enable Archiving on a Domain. n Find the Mail Assure global journal address - see Find the Mail Assure Global Journal Address n Add the global journal address to your Exim MTA on Linux - see Configure Journaling in Exim on Linux Find the Mail Assure Global Journal Address

You can find the global journal address at the Domain Level, in the Archiving > Status page.

If the address ends with '@MX-record-hostname' please use @mx1.mtaroutes.com.

Configure Journaling in Exim on Linux

This can be achieved by editing the local user router to redirect mail to a modified smart host router:

The following configuration has been tested on Ubuntu 14.04.5 LTS, other distributions may use different file locations.

- 209 - 1. Edit the local recipient router: /etc/exim4/conf.d/router/900_exim4-config_local_user 2. Add a new router at the top of the file:

journal: debug_print = "R: journaling for $local_part@$domain" driver = redirect domains = +local_domains redirect_router = journal_send data = daba7d5d-19a3-4a62-b796-37d1f71a2953- [email protected] 3. Add the following to the local_user router:

local_user: debug_print = "R: local_user for $local_part@$domain" driver = accept domains = +local_domains check_local_user local_parts = ! root transport = LOCAL_DELIVERY cannot_route_message = Unknown user 4. Add a new router at the bottom of the file:

journal_send: driver = manualroute domains = +local_domains transport = remote_smtp route_list = * smtpout.mtaroutes.com

Configure Journaling in Mail Assure/Postfix on Linux

There are two ways to configure journaling with Postfix:

n Using a local journaling address - Here you create a journaling address that is local to your main domain configured in Mail Assure e.g. your domain name is mydomain.com, and you choose to use [email protected]. See Set up Journaling Using a Local Journaling Address in Postfix on Linux n Using the global journaling address - Here you use the global journaling address that uses the Mail Assure domain e.g. 27d88847-3ec2-4f80-bc71-3b7c11b692dc- [email protected]. See Set up Journaling Using the Global Journaling Address in Postfix on Linux

Before you set up your journaling using either the global or a local journaling address you must first ensure Archiving is enabled in Mail Assure - see Enable Archiving on a Domain. Set up Journaling Using a Local Journaling Address in Postfix on Linux

There are three steps to setting this up:

- 210 - n Create a transport rule for each of the two journaling addresses - an SMTP transport rule to the journaling address generated in Mail Assure and pipe to an internal address on your mail system used to route mail to the journaling script - see Create a Transport Rule for Each of the Two Journaling Addresses. n Edit the Postfix master config file and add an external pipe transport to the journaling script - see Edit the Postfix Master Config File and Add an External Pipe Transport to the Journaling Script. n Create a script which will determine if the mail is internal and needs to be journaled - see Create a Script to Determine if the Mail is Internal and Should be Journaled.

The following configuration has been tested on Ubuntu 14.04.5 LTS, other distributions may use different file locations.

Make sure your Postfix configuration files are stored in /etc/postfix/.

Create a Transport Rule for Each of the Two Journaling Addresses 1. Add the following lines to the postfix transport table e.g. /etc/postfix/transport replacing the placeholder values with appropriate values for your setup (do not include the angle brackets): smtp::587 external-pipe 2. Run the following command as root to create the transport database:

postmap /etc/posfix/transport 3. Ensure that the transport_map line in /etc/postfix/main.cf is set to use the transport map database: transport_maps = hash:/etc/postfix/transport

Edit the Postfix Master Config File and Add an External Pipe Transport to the Journaling Script Add the following lines to /etc/postfix/master.cf (the second line must be indented):

external-pipe unix - n n - - pipe flags=DRhu user=dovecot:dovecot argv=/etc/postfix/journal.sh {-f $sender} {-j } {-d }

The script must be run as a non-root user (dovecot in this example) and not as postfix. This is to avoid potential script injection hazards.

Create a Script to Determine if the Mail is Internal and Should be Journaled The following script can be used as a basis for your own script. Customize it to suit your own environment. Save it as etc/postfix/journal.sh (if you save it elsewhere you must change master.cf to reflect the change).

#!/bin/bash

- 211 - ################ # # Takes three parameters: -f -j -d # ############### while getopts f:d:j: option do case "${option}" in f) FROM_ADDRESS=${OPTARG# };; j) JOURNAL_ADDRESS=${OPTARG# };; d) LOCAL_DOMAIN=${OPTARG# };; esac done TO_ADDRESS="unset" TO_DOMAIN= FROM_DOMAIN= #Create a temp file OUTFILE="$(mktemp)" #Cleanup on errors trap "rm -f $OUTFILE; exit 1" 0 1 2 3 13 15 # Exit, HUP, INT, QUIT, PIPE, TERM #Write the email to temp file and also read it to find the to and from addresses tee $OUTFILE | { while read -r LINE do if [[ "$TO_ADDRESS" == "unset" ]] ; then #Read this line and see if it is the To: line, if it is then strip out the email address THIS_LINE=`echo $LINE | grep -E "^(To:)" | grep - E -o "(\S)*@(\S)*" | sed 's///'`

- 212 - #If the address hasn't already been captured, store it into TO_ADDRESS if [[ $THIS_LINE ]] ; then TO_ADDRESS=$THIS_LINE break fi fi done #Strip the domain from the to and from email addresses TO_DOMAIN=$(echo $TO_ADDRESS | sed 's/.*@//') FROM_DOMAIN=$(echo $FROM_ADDRESS | sed 's/.*@//') #If the domains match then go ahead and send it to the journaling address if [[ "$TO_DOMAIN" == "$LOCAL_DOMAIN" && "$LOCAL_DOMAIN" == "$FROM_ DOMAIN" ]]; then cat $OUTFILE | /usr/sbin/sendmail -f $FROM_ADDRESS -t $JOURNAL_ ADDRESS fi } #Cleanup rm -f $OUTFILE trap 0 exit $exit_status

Ensure the script is executable by the user uid set in master.cf Once you have completed all three steps, restart Postfix. Set up Journaling Using the Global Journaling Address in Postfix on Linux

To set this up you need to:

n Find the Mail Assure Global Journaling Address n Set up the Global Journaling Address in Postfix on Linux

Find the Mail Assure Global Journaling Address

You can find the global journal address at the Domain Level, in the Archive > Status page.

If the address ends with '@MX-record-hostname' please use @mx1.mtaroutes.com.

- 213 - Set up the Global Journaling Address in Postfix on Linux The following instructions assume that you are NOT already using Procmail. If you are already using Procmail, skip to step 3. 1. Install Procmail using your distribution’s package management solution – e.g. sudo apt install procmail on Ubuntu or sudo yum install procmail on Centos. 2. Edit /etc/postfix/main.cf and add the following line:

mailbox_command = /usr/bin/procmail -a "$EXTENSION" 3. Edit /etc/procmailrc and add the following:

:0c: To:\W?.*@(?.*)(?=(?:From: ?.*@(\k))) ! $DEFAULT 4. Restart Postfix – sudo postfix reload

The setup described on this page have been confirmed working in our test environment but should be verified in your own configuration.

- 214 - Branding

From the Branding panel you can customize the branding of your system using our branding management, OAuth configuration and Protection Report template features: What do you want to do?

n Manage the branding of your system. See Branding Management. n View and manage SSL certificates. See SSL Certificates. n Set up your private brand login / Oath Settings. See Configure OAuth/OpenID Connect Settings. n Manage your Protection Report templates. See Manage Protection Report Templates. Branding Management

You can fully customize your system with your own branding requirements. Branding options include logos, custom email headers, web interface, customized protection reports & copyright notices.

In Admin Level Control Panel, select Branding > Branding Management. The Edit brand page is displayed:

The following settings can be managed:

n Hostname - Add your own hostname here. If you wish to change this and have your own custom URL, you must create a CNAME for this on your DNS server pointing to the master hostname to ensure your users access the correct login page. See Create a Custom

- 215 - Control Panel URL. This hostname shows up in the Protection reports. You can redirect clients to login via your own links and any system messages e.g. password reset messages, will show this custom hostname.

n Brandname - Customise the brandname. This is displayed in the bottom left of all Mail Assure application pages, in the title of the emailed report and in the headers of scanned emails. n Branding Logo - Customise the logo that is displayed in the Login screen, the Protection reports and the top left corner of the Dashboard/Control Panel. n Favicon - Customise the icon displayed in the browser address bar alongside your custom URL. n HTTPS SSL certificate - In this section you can choose from the following options: n Generate and manage a TLS certificate for me via Let's Encrypt - The system will automatically generate a TLS certificate and renew when required. See Use the Mail Assure Default TLS Certificate. n Upload your own certificate bundle - Manually upload the PEM file containing all necessary Certificate Authority (CA) certificates and private key. See Upload Certificate Bundle Manually. n Not using a certificate. n Colour schemes for Admin, Domain and Email Level Control Panels. n Hide Header - Select this if, for privacy reasons, you do not want to show the raw header transactions from the filtering servers. n Custom CSS for login screen - You can use this if, for example, you want to centre a logo: #top_logo_container { text-align: center; }

n Working with transparent logos: #top_logo_container { background-color: #39b0da; margin: -20px -20px 25px -20px; }

n Centre and transparent logo: #top_logo_container { background-color: #39b0da; text-align: center; margin: -20px -20px 25px -20px; }

n Reset - Reset branding back to the system defaults.

- 216 - Create a Custom Control Panel URL

This topic describes how to customize the URL that is displayed in the Protection Reports and is used to access the Mail Assure Control Panel. 1. First you need to add your custom hostname in Mail Assure: a. At the Admin Level, select Branding > Branding Management. b. In the Hostname field, enter the custom hostname your users will use to access Mail Assure e.g. login.yourdomain.com 2. Next you need to create a CNAME for this custom hostname in your DNS and point it to the master hostname e.g. login.yourdomain.com. CNAME login.antispamcloud.com.

Once you have made these changes, in the above example, anyone going to login.yourdomain.com will in fact go to login.antispamcloud.com. To avoid any potential warnings, you can also upload a certificate for your host. See SSL Certificates.

Manage Protection Report Templates

Protection Report Templates are set up by language. When you choose to generate a Protection report, the template used depends on the language selected in that particular report. For example, if you generate an On-demand Domain Report in English, the English version template is used. In this page you can edit existing Protection Report Templates and create new ones in a different language. To access the protection report templates:

Click on Branding > Protection Report Templates.

The Protection report templates page is displayed and lists all the reports in the languages available. You can perform the following tasks:

n Edit a template - Click on the Edit icon to make changes to a template. n Copy an existing template to create a new template in a new language - Click on the Copy

icon alongside the template you want to copy. n Create a new template for another language - Click on the Create new report template link at the top of the page to create a new template. Tip - Use the Protection Report Template Notes at the bottom of the page for guidance.

You can add a new logo to your Protection Reports in the Branding Management page.

- 217 - SSL Certificates

By default, Mail Assure automatically generates and manages the installation of a publicly signed TLS certificate on your server for HTTP, SMTP and IMAP. The certificate is automatically renewed when it is due to expire. This option fits most scenarios and means you don't have to go through the lengthy certificate request and upload process. In some situations, however, you may want to manage your own certificates. For example, if your Mail Assure system is embedded within another system that has its own certificates, you may need to use the same certificates used by the host system - to avoid complications, or if you prefer to use a certificate from another or specific certification authority. You can replace these certificates with a signed certificate manually, see Upload Certificate Bundle Manually.

You can also choose to manage the entire SSL certificate process manually, see Manage your own SSL Certificates. What do you want to do?

n View HTTPS Certificate Info n Use the Mail Assure Default TLS Certificate n Upload Certificate Bundle Manually n Manage your own SSL Certificates View HTTPS Certificate Info

To view any current HTTPS signed certificate information: 1. Click on the padlock icon to the left of the Mail Assure Control Panel URL:

2. The following link describes how to check the certificate details in the various browsers. https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details/ Use the Mail Assure Default TLS Certificate

Choose this option to allow the system to automatically generate and manage the necessary TLS certificate - and renew when it is due to expire.

1. In the Admin Level Control Panel, select Branding > Branding Management. The Edit Brand page is displayed. 2. In the HTTPS SSL Certificate section, select the Generate and manage a TLS certificate for me via Let's Encrypt option. Upload Certificate Bundle Manually

This feature is only really needed if you want to re-use an existing certificate rather than the automatically generated Let's Encrypt certificate (Use the Mail Assure Default TLS Certificate).

- 218 - First, you need your certificate chain saved as a bundle file. This is a single file containing the private key, any intermediate certificates and the Certification Authority (CA) certificate in a single file: 1. Export the required key and certificate(s) to text files. 2. Create a file locally with a .pem extension, containing the following data (replace text in italic with your personal data) and save in a temporary location:

- - - - - BEGIN PRIVATE KEY - - - - - - - - - - END PRIVATE KEY ------BEGIN CERTIFICATE - - - - - - - - - - END CERTIFICATE ------BEGIN CERTIFICATE - - - - - - - - - - END CERTIFICATE ------BEGIN CERTIFICATE - - - - - - - - - - END CERTIFICATE - - - - -

Next you need to upload your bundle:

1. In the Admin Level Control Panel, select Branding > Branding Management. 2. In the Edit brand page, in the HTTPS SSL certificate section, choose the option Upload your own certificate bundle. 3. Browse and select the .pem file or drag and drop into the dialog box. 4. Click Import. 5. Click Save. Manage your own SSL Certificates

As an Admin user, instead of using the default system generated certificate, you can manage your own SSL certificates.

n Step 1 - Generate a Certificate Signing Request and RSA key from Mail Assure n Step 2 - Send the generated CSR to your Certificate Authority (CA) n Step 3 - Create PEM file containing certificates and RSA key n Step 4 - Upload SSL Certificates and RSA Key

Step 1 - Generate a Certificate Signing Request and RSA key from Mail Assure This step requires that you generate the CSR to send to the Certificate Authority (CA) when applying for a signed certificate. It is vital that you copy and store this information somewhere safe for use in the next steps, otherwise you will have to start this process all over again.

- 219 - If you already have a Certificate (CRT), and the certificate key (KEY), the certificate signing request (CSR) and the Certificate Bundle (Root Intermediary Certificate) you can skip this step and go directly to step 4 - Step 4 - Upload SSL Certificates and RSA Key.

Before generating an SSL Certificate, ensure the following:

n Web interface SSL matches the full hostname used to access the Mail Assure Control Panel n Incoming certificate matches the MX records n Outgoing certificate matches the SMTP hostname used

1. In the Admin Level Control Panel, select Server > Certificates. 2. In the Generate Certificate Signing Request (CSR) and RSA Key panel, click on the Generate CSR & RSA Key button. The Generate Certificate Signing Request (CSR) and RSA Key dialog is displayed. 3. Enter the details (the Country, Organisation, Email and Server name fields are mandatory) and click Generate. The next dialog displays the CSR tab containing the Certificate Signing Request and the RSA key tab containing the RSA key. 4. Copy the contents of the CSR and RSA key tabs - and paste them somewhere safe. You will need the CSR when applying for a signed certificate to the Certificate Authority (CA), and the RSA key will be used later on when uploading the certificate to Mail Assure. See Step 4 - Upload SSL Certificates and RSA Key.

Alternatively, you can Generate a KEY and CSR via a Terminal: Generate a KEY and CSR via a Terminal

Generate a KEY via a Terminal

1. Ensure you have OpenSSL installed on your machine. 2. Create a key and sign the certificate with it using the following command:

openssl genrsa -out example.com.key 2048

Replace example.com with the hostname the certificate is intended for.

The output should be similar to: Generating RSA private key, 2048 bit long modulus ...... +++ ...... +++ e is 65537 (0x10001)

The process takes a few seconds before you can go on to the next step.

Keep the key safe - without it you can’t generate the certificate signing request (CSR). You also need the key later when uploading the certificate.

Generate the CSR via a Terminal

1. After generating the private key, create the CSR using the following command:

openssl req -new -key example.com.key -out example.com.csr

- 220 - Replace example.com with the hostname the certificate is intended for. 2. You are asked to enter some information. Enter the details but do not set a challenge password - press Enter when asked. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: NL State or Province Name (full name) [Some-State]: State Locality Name (eg, city) []: Cityname Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name Organizational Unit Name (eg, section) []: Department Common Name (eg, YOUR name/FQDN) []:example.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

The Common Name is important and should match your server CNAME/ Control Panel Hostname settings. If, for example, your Control Panel is hosted at server1.example.com, you should enter this as the Common Name. DO NOT enter HTTP:// or HTTPS://

Step 2 - Send the generated CSR to your Certificate Authority (CA) The CA, on receipt of the CSR, will send you the signed certificate you need. You will also need to download any intermediate certificate(s) and root certificates from the certificate provider's website. (Make sure that you get both intermediate and root certificates and not just the root one as this will not be accepted by the system).

- 221 - Step 3 - Create PEM file containing certificates and RSA key Once you have all the information you need from the Certificate Authority, you need to create a PEM file containing (and in the following order):

n RSA key - This is the key generated along with the CSR that you saved earlier on - See Step 1 - Generate a Certificate Signing Request and RSA key from Mail Assure. n Issued Certificate - This is the certificate issued by the Certificate Authority (CA). n Intermediate Certificate(s) (if any) - Downloaded from the CA website. n Root Certificate(s) - Downloaded from the CA website.

Next, you need to upload the PEM file to Mail Assure - See Step 4 - Upload SSL Certificates and RSA Key.

Step 4 - Upload SSL Certificates and RSA Key Once you receive the certificates from the Certificate Authority (CA) and create the PEM file containing these certificates and the RSA Key, you can then upload the PEM file to Mail Assure.

If you already have a wildcard certificate for your domain, you can upload it, but you must ensure the certificate matches your Fully Qualified Domain Name (FQDN) or the browser will display an error stating that the certificate is invalid.

1. In the Branding > Certificates page, in the Certificate for HTTPS Connections panel, click on Browse and locate the PEM file containing the certificates and RSA key. A message will be displayed at the top of the page indicating if the upload was successful or not. 2. Click Save.

You can also upload the certificates from the Admin Level Control Panel in the Branding Management page - see Upload Certificate Bundle Manually.

- 222 - Development

From the Development panel you can perform a variety of tasks. What do you want to do?

n View Control Panel API Calls - View detailed descriptions of the API calls used in your system. n View API Calls History - View the API call history for your domain(s). n API Logs (Preview) - View all API request logs. View Control Panel API Calls

1. In the Admin Level Control panel, select Development > Control Panel API Calls to open a web page describing all the API calls used by the system. 2. Click to expand groups to see API Calls in that group. 3. Click on an API call to see details.

- 223 - Manage Email Notifications Templates

This page lists all available email notifications templates for email notifications sent out from the Control Panel. If required you can edit any of these - and restore them to their defaults if necessary.

In the Admin level Control Panel, go to Server > Email notifications templates to open the Email notifications template page:

Edit an Email Notification Template

Click on the dropdown alongside the template you want to edit and select Edit.

The generic template settings are displayed at the top of the page followed by the email subject and body for each language available:

- 224 - - 225 - In the generic settings at the top of the page, you can choose to customize the 'From' address of the notification. You can also make any changes to any of the different language notifications where required.

Once you've made your changes, click on Save at the bottom of the page. View API Calls History

You can view your API calls history at the Admin Level and the Domain Level. At the Admin Level you can see all API calls for all your domains. At Domain Level you can see the call history for the logged in domain.

1. In the Admin Level or Domain Level Control Panel, click on Development > API calls history. 2. Input the Date range of the logs you want to see. 3. From the API method dropdown, select the method you want to view. 4. Enter the relevant Domain (if you are accessing the page from the Domain Level, your domain will be displayed here and cannot be changed). 5. Optionally enter the Client username to show specific results. 6. Click on Start search to display matching results:

- 226 - Reporting

Mail Assure provides the following reports:

n Email Scout Reports - These reports are email digests created from Log Search results and emailed to users on a specified date and time, see View/Edit Email Scout Reports. Make sure these reports are enabled in the Incoming > Domain Settings page, see Configure Domain Settings.

For information on Email Scout Report templates, see Email Scout Report Templates (Preview).

n Protection Reports - These reports are email digests listing incoming Spam messages that have been quarantined, see Protection Reports.

You cannot specify the protection reports to run and send on a particular date and time - to do this use Email Scout Reports (above).

n Outgoing Reports - Report on outgoing mail sent in the last 6h, 12h, 24h or 7 days. Access from the Admin or Domain Level Control Panels. See Generate Outgoing Report. Protection Reports

Mail Assure's Protection Reports list the incoming spam messages that have been quarantined. These reports are available to Domain and Admin users from the Domain Level Control Panel. One of the reports, the Periodic user report, is also available to Email users from the Email Level Control panel.

You cannot specify the protection reports to run and send on a particular date and time. If you want to configure a report to do this (like a daily digest), the Email Scout Reports feature provides this functionality. For more information, see View/Edit Email Scout Reports. You can automatically enable Email Scout Reports to run up to three times daily at specified times from the Domain Settings page at Domain Level - see Automatically Enable Daily Email Scout Reports.

The following Protection Reports are available:

n On-demand Domain Report - Allows you to send a report for the specified day or week to the address you specify. n Periodic Domain Report - Sends a daily digest of all the previous day's blocked messages for all the domain's users. n Periodic User Report - Sends each individual domain user an overview of the previous day's messages that were quarantined for that user. You can manually add users, import a CSV file of multiple users or enable it for all recipients.

Access the Protection reports from the Reporting panel. What do you want to do?

n Set up the Protection Report - Send now n Set up the Protection Report - Domain n Set up the Protection Report - Mailbox at Domain Level or Email Level

- 227 - n Manage Domain Report Actions including enabling actions that can be performed on emails listed in Protection reports. Protection Report - Send now

Reports on spam and virus messages blocked in the specified timeframe. Allows you to send a report for the specified day or week to a particular email address.

1. In the Domain Level Control Panel, click on Reporting > Protection Report - send now.

2. Enter the date you want the report to start being sent and the frequency of the report. 3. Enter the email address of the report recipient. 4. If you want to include a table of messages that were rejected but not quarantined, enable the Include extra spam table option. 5. Click on Send.

You cannot specify the protection reports to run and send on a particular date and time. If you want to configure a report to do this, the Email Scout Reports feature provides this functionality. For more information, see View/Edit Email Scout Reports.

Protection Report - Domain

The Periodic Domain Report sends a daily digest of all the previous day's blocked messages for all the domain's users.

1. In the Domain Level Control Panel, click on Reporting > Protection report - domain. 2. The report page is displayed. 3. To enable the report tick the Report enabled box. 4. In the Recipient address field, enter the report recipient(s) email address - separate multiple recipients with a comma. 5. From the Report Frequency dropdown, select Daily or Weekly.

- 228 - 6. Select the Language you want the report to be in. 7. For the report Format select either HTML or PDF. 8. Select the Include extra spam table option if you want to add a table of messages that were rejected but not quarantined to the report. 9. If you want the report to be sent even when no messages have been quarantined in the set period, select Send report with no quarantined messages. 10. Once you've made your changes, click on Update.

Protection Report - Mailbox

Sends recipient(s) an overview of the previous day's messages that were quarantined. You can set this up at the Domain level where you can manually add users, import a CSV file of multiple users and enable the report for all recipients. You can also set this up at the Email Level for the logged in recipient.

Access this report from the Domain Level or Email Level Control panel by selecting Reporting > Protection Report - Mailbox.

What do you want to do?

n Add Report Recipient Manually at the Domain Level n Enable Periodic User Report at the Email Level

Add Report Recipient Manually at the Domain Level

1. In the Domain Level Control Panel, select Protection report - Periodic user report. All existing report recipients are listed in the Periodic user report page.

- 229 - 2. Click on Add a recipient to open the Enable for recipient page:

3. In the For address field, enter the local part of the user you want to report on. Because you are logged into a domain, the domain part of the email address is already there.

- 230 - 4. In the Send to field, enter the email address you want to send the report to. 5. From the Report Frequency dropdown, select Daily or Weekly. If you would prefer to report on this data more frequently, you can use the Incoming/Outgoing Log Searches to create an Email Scout Report. This report can be set up to report on the same data more frequently - at your own specified times. See Create Email Scout Report.

6. Select the Language you want the report to be in. 7. For the report Format select either HTML or PDF. 8. Select the Include extra spam table option if you want to add a table of messages that were rejected but not quarantined to the report. 9. When finished, click on Enable to activate your report. Once a user is added to the list they receive a welcome email with a confirmation that their quarantine is enabled. They start receiving reports containing blocked messages daily or weekly (depending on the Report Frequency chosen) and they also have a link they can use to create a Mail Assure web interface account if needed.

Tip - Email users logged into the Email Level Control Panel can set up the Periodic user report for their own quarantined messages.

Enable Periodic User Report at the Email Level Set up and send yourself a report containing an overview of your previous day's quarantined messages.

1. In the Email Level Control Panel, select Protection report - Periodic user report. 2. If the table is blank, you have not already set this up. To set this up, select Add recipient. 3. The Enable for recipient page is displayed.

- 231 - 4. In the Send to field, enter where you want your report to be sent. 5. From the Report Frequency dropdown, select Daily or Weekly. 6. Select the Language you want the report to be in. 7. For the report Format select either HTML or PDF. 8. Select the Include extra spam table option if you want to add a table of messages that were rejected but not quarantined to the report. 9. Click on Enable to activate the report and close the dialog. The report is added to the table:

Using the dropdown to the left of the report, you can choose to Edit, Disable or Remove the report. Manage Domain Report Actions

1. In the Domain Level Control Panel, go to Reporting > Domain report actions. 2. Select from the following which options you wish to be available to users in the Protection report. Settings will apply to the Domain Level report and any Email user reports that do not have custom settings: n Release - Release the message from the quarantine

n Release and train - Release the message from the quarantine and train the system to recognize as not spam

n Whitelist and release - Whitelist sender and release from quarantine for delivery to the recipient.

n Blacklist and remove - Blacklist sender and remove the email from the system. 3. Click Update to save your changes. Email Scout Report Templates (Preview)

Use the Email Scout Report templates feature to customize the format of your reports.

- 232 - Please ensure you have Features Preview enabled to use this feature.

At the Admin Level, select Reporting > Email Scout Report templates (Preview).

This page contains the following tabs:

- 233 - 3. The Copy Email Scout Report template dialog opens. 4. Replace the copied template name with a new name in the Template name field. 5. In the Admin field enter the Admin user for which this template applies. 6. Use the HTML and Plain tabs to add your template format. n HTML tab - content here will be displayed in the text/html version of the report which is the default for most email clients

- 234 -

- 235 - ("Destination port", "destination_port", None), ("Status", "status", "status"), ("Classification", "main_class", None), ] %}

- 236 -

- 237 - cQAQEAAgEDBAICAwEAAAAAAAERACExQVFhQHGBkaGxMMEQIFDw/9oACAEBA AE/EP8AuoEFBWG+fWoxAbVeMRMPRQP/AJ0uOjt37TT8ZzYgMz7Djxjo8k/6zHag hoTkDi8D2vrQBDyI9hN4+PMSQP2+PrBICpkm8eFer/bbfgxgfUBV7nfz9YzNOpP4f QbqSJjHYm/5C8qBqo4nBy+v8PGOI0mbrtFp+svgx2z7y/o3j922l77HAeR7Yc4MGB 8H8hA+jBpQTjcXzj4wQgUKAFXDAMiFNW7Intpnle0iHQgZbHhgXukm7lPEKoLvIm HFDWcTeFrGJLw3cnO5g8zDmFQ6CwXt34xsjBwKIBpJnllNSYVlbuauwbbf1aIXwf bE2/BRqoew/GV4uKiRjkCBgzoPa6O3ghi6AnroL7B4osLjUo0dnB1uvitXHCU11VAu sEPYMbisVI0Mhqqy27riulkVA0GnTXvgEAR0jguNEoYIo6R308Ya65c2/wCjx/KNjFx 6PeNB84G6phhFGlMHnbxu5xlkg3R2afbYUpjcLnEBId2aOVnTebc2OfeBD5wbZrRq 6dGnZppjtDjhaUVjZK73iXDSuOg8Ls1hlgIjwmKkJoFaURq8ykupVBA4EXwY3FEAE YTogh8ZvJmAYkRWusRY9mVUo743lA9ZgMNJHnpnbkJq8bN0vzGTYLqrjAAhBFvI +MTSTJAUFog8074muAK0hDs2KefOTxiygevAQLgyQwdg16mO595TuZTviHIPnKS 0mU7n+vHp+b2x0sEEVBV5vJiwOuRdCvbZndwxJnbW5+EfBgU8Q2DWpOD8YFiDo ZHCdMYIEhpBBPYL85sEZtUQRfO58erNAdsSEUQKcn4cuIcSBvT7PvAUxJ2OAfh+s 1U6kjdGzWcvabbLI/v5wrSBGwaQGkvjjJACSG0gB9B+fXyYxgdGmgdwe2K0hVRQ 6ZN317Mn+Nf83//Z/>

Email Scout Report

This is the email scout report for {{ destination }}, sent at {{ format_time( now ) }}.

{% for label,column,column_format in column_order if column in columns %} {% endfor %}

{% for object in objects %}

- 238 - {% for label,column,column_format in column_order if column in columns %}

{% endfor %} {% endfor %}

{{ label }}	View message
{% if not object[column] %} {{ "" }} {% elif column_format == "date_format" %} {{ format_date(object[column]) }} {{ format_ time(object[column]) }} {% elif column_format == "escaped" %} {{ object.get(column, "")\|replace(".", "."\|safe) }} {% elif column_format == "decoded" %} {{ decode_idna(object.get(column, ""))\|replace(".", "."\|safe) }} {% elif column_format == "size" %} {{ object.get(column)\|filesizeformat }} {% elif column_format == "status" %} {{ object[column]\|replace("-", " ")\|title }} {% else %} {{ object.get(column) }} {% endif %}	{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %} - 239 -

View message

{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %}

- 239 -

- 240 - If you are familiar with the Jinja templating language, you can create a completely new template by clicking on the + Add template link at the top of the page and adding your own content.

View Incoming/Outgoing Reports from a Particular Template

You can find out what Email Scout Reports are using any of your templates:

- 241 - The Email Scout Reports page is displayed showing search results for the Template equals query.

- 242 - Whitelist / Blacklist

You can use Mail Assure's Whitelist to list email addresses from which incoming mail (which would usually be identified as spam) will always be allowed. Conversely, use the Blacklist to block incoming mail from known spammers. You can do this from the Admin Level, Domain Level and Email Level Control Panels:

n At Admin Level you can manage sender and recipient whitelisting and blacklisting for all your domains. n At Domain Level you manage sender and recipient whitelisting and blacklisting for the logged domain. n At Email Level you can manage your own sender whitelisting and blacklisting. You can perform the following tasks:

n Manage Incoming Sender Whitelist - Whitelist incoming mail from specific email senders. n Manage Recipient Whitelist - Whitelist incoming mail to specific email recipients. n Manage Sender Blacklist - Blacklist incoming mail from specific email senders. n Manage Recipient Blacklist - Blacklist incoming mail to specific email recipients.

Admin and Domain users can also access the Sender Blacklist for outgoing mail. See Manage Outgoing Sender Blacklist. Whitelist/ Blacklist Filtering Rules

You can also set up incoming whitelist/blacklist filtering rules:

n Incoming whitelist filtering rules - Incoming mail that matches any of the rules will always be allowed. See Incoming Whitelist Filtering Rules n Incoming blacklist filtering rules - Incoming mail that matches any of the rules will always be blocked. See Incoming Blacklist Filtering Rules

In the Incoming Whitelist/Blacklist Filtering Rules page you can view all whitelist and blacklist filtering rules that have been set up for your domain(s) and you can also add new ones. Manage Recipient Whitelist

Incoming mail sent to recipients listed in the Recipient Whitelist will always be allowed.

Be careful which recipients you whitelist. This is generally not intended for normal mail recipients as this will allow ALL mail to reach the recipient's mailbox unfiltered. This is primarily used for abuse@ addresses, Postmaster@ addresses or any address that should not have filtering (for example, an address used to send outbound abuse reports to).

At the Admin Level you can choose to whitelist a recipient for all domains and at the Domain Level you can only view the list of recipients who have been whitelisted at Admin Level. If you want to whitelist specific recipients at a particular domain you can turn off filtering for a specific mailbox. See Switch off Filtering for Specific Mailbox (whitelist recipients). Admin Level

- 243 - In the Admin Level Control Panel, select Incoming - Protection Settings > Recipient whitelist.

The Recipient Whitelist page is displayed:

The following options/fields are available:

Option/Field Description

Add whitelist recipient Click to add a recipient to the whitelist.

Import recipients from CSV Drag and drop or select .csv file for upload to the recipient whitelist

Export recipients as CSV Export all your listed recipients as .csv file

Query Rules The Query Rules panel allows you to search for existing whitelisted recipients. Once you have set up your query rules, click on Show Results to display all matching recipients. If you do not use any of the Query Rules, clicking on Show Results will display a list of all whitelisted recipients. Add new query rules as required using the + New rule link.

Group results by Choose if you want to group results by Domain, Local-part, or leave the default No grouping.

Columns to be displayed Customise which columns you want to be displayed.

Show results Displays matching results

When you click on Show results to display matches you can perform the following actions on individual or multiple existing whitelisted recipients:

n Edit n Remove

- 244 - n Export as .csv Whitelist Recipient for All Domains

You can do this from the Admin Level Control Panel.

1. Select Whitelist/Blacklist > Recipient whitelist and click on Add whitelist recipient to open the dialog. 2. Enter the Admin user in the Admin field. All mailboxes at all domains linked to this Admin recipient will be whitelisted. 3. Enter the local-part of the admin recipient's email address.

To whitelist all recipients (ie. filter no mail) enter * in the Local-part field.

4. Click Save. The recipient is added to the whitelist. Manage Incoming Sender Whitelist

Incoming mail received from senders listed in the whitelist will always be allowed.

In the Admin Level, Domain Level or Email Level Control panel, select Incoming - Protection Settings > Sender whitelist.

The Sender Whitelist page is displayed.

The following tabs are available:

n Sender Whitelist - Domain - Available at the Admin and Domain Levels. At the Admin Level, this tab allows you to manage the sender whitelist for mailboxes at a specific domain. At the Domain Level, this whitelist is specific to mailboxes at the logged in Domain. You can add, import and export. n Sender Whitelist - Admin - Only available at the Admin level, anything applied on this tab applies to all domains linked to the specified Admin. You can add, import and export. n Sender Whitelist - Recommended/Inherited - Available at the Admin and Domain Levels. Anything shown here was set up at the cluster level.

At the Email level there are no tabs - just the main page (see Manage Sender Whitelist - Email Level).

In the Domain and Admin tabs, the following options/fields are available:

Option/Field Description

+ Add whitelist sender Click to add a sender to the whitelist. See Add Sender to Whitelist.

Import senders from CSV Drag and drop or select .csv file for upload to the Sender Whitelist

Export senders as CSV Export all your listed senders as .csv file

- 245 - Option/Field Description

Query Rules The Query Rules panel allows you to search for existing whitelisted senders. Once you have set up your query rules, click on Show Results to display all matching senders. If you do not use any of the Query Rules, clicking on Show Results will display a list of all whitelisted senders. Add new query rules as required using the + New rule link.

Group results by Choose if you want to group results by Domain, Local-part, Sender flag , Address or leave the default No grouping.

Columns to be displayed Customize which columns you want to be displayed.

Show results Displays matching results

When you click on Show results to display matches, you can perform the following actions on individual or multiple existing whitelisted senders:

n Edit n Remove n Export as .csv

- 246 - Add Sender to Whitelist

1. Click on Add whitelist sender to open the dialog:

2. If you are accessing this from the Admin Level, the Domain dropdown is displayed. Select the relevant domain. 3. If accessing from the Domain Level the Local-part field is displayed. Specify the local-part of a particular recipient here, or leave blank to apply to the whole domain. 4. Choose which address you want to apply by selecting from the following Sender Flags: n Apply to Envelope Sender - The SMTP Envelope from address

n Apply to From: Address - The MIME message address

n Apply to both 5. In the Address field, enter the email address of the sender you want to whitelist. 6. Click on Save to add the sender to the whitelist. Manage Sender Whitelist - Email Level

Incoming mail received from senders listed in the Sender Whitelist will always be accepted into the mailbox of the logged in Email user.

1. In the Email Level Control Panel, click on Whitelist/Blacklist - Sender whitelist. 2. Click on Add whitelist sender. 3. The Add whitelist sender dialog is displayed: 4. Choose which address you want to apply by selecting from the following Sender Flags: 5. n Apply to Envelope Sender - The SMTP Envelope from address

n Apply to From: Address - The MIME message address

n Apply to both 6. In the Address field, enter the email address or domain you want to whitelist. 7. Click Save.

- 247 - Any messages sent from this whitelisted sender will now be accepted into the logged in Email user's mailbox. Manage Recipient Blacklist

Incoming mail sent to recipients in the Recipient Blacklist will always be blocked.

In the Admin Level or Domain Level Control panel, select Incoming - Protection Settings > Recipient blacklist.

The Blacklist recipients page is displayed.

There are three tabs available:

n Recipient Blacklist - Domain - This tab allows you to manage the recipient blacklist for your domain. You can add, import and export. n Recipient Blacklist - Admin - Anything applied on this tab applies to all domains underneath this one. You can add, import and export. This tab is only available at the Admin Level. n Recipient Blacklist - Default - In this tab you can view/export any default blacklisted recipients. From the Admin Level Control Panel you will see all three tabs. From the Domain level you will only see the Domain and Default tabs.

In the Admin and Domain tabs, the following options/fields are available:

Option/Field Description

Add blacklist recipient Click to add a recipient to the blacklist. See Add Recipient to the Blacklist.

Import recipients from CSV Drag and drop or select .csv file for upload to the recipient blacklist

Export recipients as CSV Export all your listed recipients as .csv file

Query Rules The Query Rules panel allows you to search for existing blacklisted recipients. Once you have set up your query rules, click on Show Results to display all matching recipients. If you do not use any of the Query Rules, clicking on Show Results will display a list of all blacklisted recipients. Add new query rules as required using the + New rule link.

Group results by Choose if you want to group results by Domain, Local-part, or leave the

- 248 - Option/Field Description

default No grouping.

Columns to be displayed Customise which columns you want to be displayed.

Show results Displays matching results.

When you click on Show results to display matches you can perform the following actions on individual or multiple existing blacklisted recipients:

n Edit n Remove n Export as .csv Add Recipient to the Blacklist

You can do this from the Admin and Domain Level Control Panels.

1. Select Incoming - Protection Settings > Recipient blacklist and click on Add blacklist recipient to open the dialog.

2. If accessing from the Admin Level, select the domain that the recipient belongs to. 3. Enter the local-part of the recipient's email address. 4. Click Save. The recipient is added to the blacklist. Manage Sender Blacklist

Incoming mail received from senders listed in the Sender Blacklist will always be blocked.

In the Admin Level, Domain Level or Email Level Control panel, select Incoming - Protection Settings > Sender blacklist.

The Sender Blacklist page is displayed.

There are three tabs available:

n Sender Blacklist - Domain - This tab allows you to manage the sender blacklist for your domain. You can add, import and export.

- 249 - n Sender Blacklist - Admin - Anything applied on this tab applies to all domains underneath this one. You can add, import and export. This tab is only displayed at the Admin level. n Sender Blacklist - Default - In this tab you can view/export any default blacklisted senders set up. If you are accessing as an Email user there are no tabs - just the main page.

In the Domain and Admin tabs, the following options/fields are available:

Option/Field Description

Add blacklist sender Click to add a sender to the blacklist. See Add Sender to Blacklist

Import senders from CSV Drag and drop or select .csv file for upload to the Sender Blacklist.

Export senders as CSV Export all your listed senders as .csv file

Query Rules The Query Rules panel allows you to search for existing blacklisted senders. Once you've set up your query rules, click on Show Results to display all matching senders. If you don't use any of the Query Rules, clicking on Show Results will display a list of all blacklisted senders. Add new query rules as required using the + New rule link.

Group results by Choose if you want to group results by Domain, Local-part, Sender flag , Address or leave the default No grouping.

Columns to be displayed Customise which columns you want to be displayed.

Show results Displays matching results

When you click on Show results to display matches you can perform the following actions on individual or multiple existing blacklisted senders:

n Edit n Remove n Export as .csv

- 250 - Add Sender to Blacklist

1. Click on Add blacklist sender to open the dialog:

2. If you are accessing this from the Admin Level, the Domain dropdown is displayed. Select the relevant domain. 3. In the Local-part field, you can specify the local-part of a particular recipient here, or leave blank to apply to the whole domain. 4. Choose which address you want to apply by selecting from the following Sender Flags: n Apply to Envelope Sender - The SMTP Envelope from address

n Apply to From: Address - The MIME message address

n Apply to both 5. In the Address field, enter the email address of the sender you want to blacklist. 6. Click on Save to add the sender to the blacklist. Manage Sender Blacklist - Email Level

Incoming mail received from senders listed in the Sender Blacklist will always be rejected.

In the Email Level Control Panel, click on Incoming - Protection Settings > Sender blacklist.

The Sender Blacklist page is displayed.

Add Sender to Blacklist

You can add multiple senders to the blacklist by uploading a CSV file or you can add senders manually. To add a sender manually:

Enter the Sender email address or domain in the Sender field and click on Add. Manage Outgoing Sender Blacklist

Outgoing mail sent from senders listed in the Sender Blacklist will always be blocked.

- 251 - In the Admin Level and Domain Level Control Panel, select Outgoing - Protection Settings > Outgoing sender blacklist.

The Outgoing Sender Blacklist page is displayed.

There are two tabs available.

n The Domain senders tab allows you to manage the blacklist senders for your domain(s). n The Default senders tab allows you to view/export any default blacklist senders set up at the super admin level.

In the Domain senders tab, the following options/fields are available:

Option/Field Description

Add blacklist sender Click to add a sender to the blacklist. See Add Outgoing Sender to Blacklist

Import senders from CSV Drag and drop or select .csv file for upload to the Sender Blacklist.

Export senders as CSV Export all your listed senders as .csv file

Group results by Choose if you want to group results by Domain, Local-part, Sender flag , Address or leave the default No grouping.

Columns to be displayed Customise which columns you want to be displayed.

Show results Displays matching results

When you click on Show results to display matches you can perform the following actions on individual or multiple existing blacklisted senders:

n Edit n Remove n Export as .csv

- 252 - Add Outgoing Sender to Blacklist

1. Click on Add blacklist sender to open the dialog:

n Apply to From: Address - The MIME message address

n Apply to both 5. In the Address field, enter the email address of the sender you want to blacklist. 6. Click on Save to add the sender to the blacklist. Incoming Whitelist Filtering Rules

In the Whitelist Filtering Rules page you can view all whitelist filtering rules that have been set up for your domain(s) and you can also add new ones. Incoming mail that matches any of the rules will always be delivered. The rules are based on Python's regular expression (regex) syntax. (For more information on regular expressions, see regex101.com).

This page can be accessed from the Admin Level and the Domain Level.

n View Incoming Whitelist Filtering Rules n Add an Incoming Whitelist Filtering Rule

- 253 - View Incoming Whitelist Filtering Rules

1. In the Admin Level or Domain Level Control Panel, select Incoming - Protection Settings > Whitelist filtering rules. The Incoming whitelist filtering rules page is displayed. There are three tabs: n Domain Rules - Rules that apply to a specific domain. You can add new rules in this tab - see Add an Incoming Whitelist Filtering Rule.

In this page you can also:

n Add rule - Using the Add rule link - see Add an Incoming Whitelist Filtering Rule. n Import rules from CSV - Using the Import rules from CSV link above the Query Rules panel. n Export rules as CSV - Using the Export rules as CSV link above the Query Rules panel. Add an Incoming Whitelist Filtering Rule

1. In the Admin Level or Domain Level Control Panel, select Incoming - Protection Settings > Whitelist filtering rules. The Domain Rules tab is displayed in the Incoming whitelist filtering rules page. 2. Click on Add rule:

- 254 - The dialog that is displayed here depends on whether you have enabled or disabled the 'Use advanced custom filtering rules' option in the User profile page. For more information, see Manage Your Admin User Profile or Manage Your Domain User Profile. If the option is Inactive you will see the 'Add a new simple whitelist filtering rule' dialog:

If this is Active, you will see the 'Add a new advanced whitelist filtering rule' dialog:

- 255 - 3. Choose from the following filters:

- 256 - Field/Option Description Simple page

Rule name Add the name of this rule Match Use the Match fields to structure your rule Advanced page

Tip - Use the Cheatsheet panel on the right of the page for examples of how to build your regex.

Match Choose what you want the rule to match. The following options are available: Flags The following flags are available:

- 257 - Field/Option Description

n i (ignore case)

n m (^ and $ match start and end of line),

n s (. matches newline)

n x (allow spaces and comments)

4. Click Save when finished. Incoming Blacklist Filtering Rules

In the Incoming Blacklist Filtering Rules page you can view all blacklist filtering rules that have been set up for your domain(s) and you can also add new ones. Incoming mail that matches any of the rules will always be blocked. The rules are based on Python's regular expression (regex) syntax. (For more information on regular expressions, see regex101.com).

You can access this page at the Admin Level and the Domain Level.

n View Incoming Blacklist Filtering Rules n Add an Incoming Blacklist Filtering Rule

You can also set up Blacklist filtering rules for outbound mail - see Outgoing Blacklist Filtering Rules.

View Incoming Blacklist Filtering Rules

View all the Blacklist Filtering Rules that, when applied to a domain, will always block matching incoming mail.

1. In the Admin Level or Domain Level Control Panel, select Incoming - Protection Settings > Blacklist filtering rules. The Incoming blacklist filtering rules page is displayed. There are three tabs: n Domain Rules - Rules that apply to a specific domain. You can add new rules in this tab - see Add an Incoming Blacklist Filtering Rule.

In this page you can:

- 258 - n Add rule - Using the Add rule link - for details see Add an Incoming Blacklist Filtering Rule. n Import rules from CSV - Using the Import rules from CSV link above the Query Rules panel. n Export rules as CSV - Using the Export rules as CSV link above the Query Rules panel. Add an Incoming Blacklist Filtering Rule

1. In the Admin Level or Domain Level Control Panel, select Incoming - Protection Settings > Blacklist filtering rules. The Domain Rules tab is displayed in the Incoming blacklist filtering rules page. 2. Click on Add rule:

- 259 - If this is Active, you will see the 'Add a new advanced blacklist filtering rule' dialog:

- 260 - 3. Choose from the following filters:

- 261 - Field/Option Description Simple page

Rule name Add the name of this rule Match Use the Match fields to structure your rule Advanced page

Use the Cheatsheet panel on the right of the page for examples of how to build your regex.

Match Choose what you want the rule to match. The following options are available: Flags The following flags are available:

- 262 - Field/Option Description

n i (ignore case)

n m (^ and $ match start and end of line),

n s (. matches newline)

n x (allow spaces and comments)

4. Click Save when finished.

- 263 - Users & Permissions

The system's Users & Permissions pages, allow you to manage users who have been set up with login credentials to access Mail Assure. There are three different types of users:

n Admin - Admin users can access the Admin Level Control Panel and from here can also access the Domain and Email Level Control Panels. The Admin user can manage other Admin users as well as Domain and Email users. n Domain - The Domain user for a domain can access the Domain Level Control Panel. The Domain user can manage Email users. n Email - Email users can access their Email Level Control Panel. They cannot manage any users. This page also allows you to set credentials for enabling OAuth on your Control panel. What do you want to do?

n Manage Admin Users n Manage Domain Users n Manage Email Users n Manage Permissions n Configure OAuth/OpenID Connect Settings Configure OAuth/OpenID Connect Settings

We support OAuth 2/OpenID Connect as a method for Admin and Email Level users to use Single Sign On (SSO) authentication when accessing Mail Assure. This means that you can use an alternative set of credentials to authenticate when accessing the system e.g. Office365, Google OAuth 2.0 etc. For specific details, see Configure SSO/OAuth with Office 365 and Configure SSO/OAuth with Google.

With OAuth set up, the web-based login to the Control Panel remains available. If two-factor authentication (2FA) is active, this step is still required when using the Mail Assure login link. Admins are able to (re)set their password to access the control panel - this will not affect the OAuth setup. In order to be able to connect with OAuth, the following tasks must be carried out:

1. In the OAuth Provider app, add the Mail Assure login URL. The provider generates: n a Client ID and Secret

n Authentication/User/Token endpoints

- 264 - 2. In Mail Assure: a. In the Branding Management page, add a custom hostname to the Hostname field - this will be used to generate the OAuth login link. b. To ensure OAuth is enabled for Email Level users, tick Enable in the SSO/OAuth login for email users panel and enter the button label. c. In the OAuth Settings page, enter the details generated by the provider in step 1 (above). See Configure OAuth Settings in Mail Assure below. 3. Any end-user who wants to access Mail Assure using authentication via the OAuth provider must create an account with the provider. Configure OAuth Settings in Mail Assure

Using the information provided by the chosen authentication provider, configure the necessary OAuth settings in Mail Assure:

1. in the Admin Level Control Panel, select Users & Permissions > OAuth Settings. 2. The Private brand login / OAuth page is displayed. 3. To enable OAuth login, activate the OAuth login toggle button at the top of the page.

The Login link is the URL generated by the system for the OAuth login. The URL should contain the customer's domain. 4. Your service provider should be able to provide the following information to enter in either tab: n Provider URL

n Client ID - Generated by the provider after registering Mail Assure details with the provider.

n Client Secret - Generated by the provider after registering Mail Assure details with the provider.

n Token Endpoint - Generated by the provider after registering Mail Assure details with the provider.

n Authorization Endpoint - Generated by the provider after registering Mail Assure details with the provider.

n User info endpoint - Generated by the provider after registering Mail Assure details with the provider

n Jwks Uri - URL for the OAuth Client's JWK Set (JWK) document. If the OAuth Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the OAuth Client.

n Change password URL (optional) - URL where SSO users can change their passwords. It can contain an optional "redirect_to" token which will be replaced with the actual link to redirect the user after a successful password change.

n Logout URL (optional) - URL where SSO users will be redirected upon logging out. It will get the following parameters: "post_logout_redirect_uri" and "id_ token_hint".

n Use Nonce validation - Select Yes

n Login button text e.g. 'Login with {{ brand_name}}'

- 265 - n User identification method: n Subject - External ID: Will match the OAuth subject with the local "External ID" field - use this when the local username and the remote directory system are not the same, and email is not a suitable choice e.g. telephone number.

n Subject - Username: Will match the OAuth "subject" with the local username - use this when the local username and the one in the remote directory system are identical.

n Verified email: Will match the OAuth email address with the local email address (this is the most common option).

n Invitation flow (optional) n Invitation URL - the URL to use to sign up if the user has no account

n Redeem invitation URL - the link to use in the sign-up email 5. Click Save settings.

Configure SSO/OAuth with Office 365 Configure SSO/OAuth with Google

For any other providers, please refer to the relevant provider's website.

Configure SSO/OAuth with Office 365

For general information on OAuth and how you can get your Single Sign On (SSO) with working with Mail Assure, see Configure OAuth/OpenID Connect Settings.

n Step 1 - Mail Assure Configuration n Step 2 - Configure Azure Active Directory Settings n Step 3 - Retrieve Onmicrosoft Account Details for Addition to Mail Assure Control Panel n Step 4 - Configure Microsoft Details in Mail Assure

Step 1 - Mail Assure Configuration 1. Log into your Mail Assure Control Panel using your branded URL (this is set up in the Hostname field in the Branding Management page. See Create a Custom Control Panel URL). 2. In the Admin Level Control Panel, select Branding > Branding Management. 3. Ensure that SSO/OAuth login for email users is enabled. 4. Add the label text that will be displayed on the login button.

- 266 - 5. Click Save. 6. Navigate to the domain, by selecting General > Domains Overview and click on the relevant domain. 7. Select Users & Permissions > OAuth Settings and make sure that OAuth login is toggled on. 8. Copy the url in the Login link field and keep a note of this for using in Step 2 - Configure Azure Active Directory Settings.

9. Click Save settings.

- 267 - Step 2 - Configure Azure Active Directory Settings

1. Navigate to the Azure Control Panel and click on Azure Active Directory:

2. From the Manage list select App registrations and click on New application registration:

3. Add a name in the Name field e.g. Spam Filter. 4. Ensure Web app / API is selected from the Application type dropdown.

- 268 - 5. In the Sign-on URL field, enter the URL for the branded Mail Assure Control Panel (this is the URL entered in the Hostname field in the Branding Management page in Mail Assure.

6. Click Create. 7. Click on Settings:

8. In the Settings panel, click on Reply URLs and, in the field displayed, add the Login Link URL that you noted in Step 1 - Mail Assure Configuration.

9. Next, you need to add a key: In the Settings panel, click on Keys and in the Keys panel, enter a Description e.g. Mail Assure and an expiry option e.g. Never expires.

- 269 - 10. Click Save to display the key.

11. Copy the key and save it somewhere safe.

It is important that you do save the key as you will not be able to retrieve it again after leaving the Keys panel. 12. Keep your Azure Active Directory Control Panel open as you will need to return to this screen in Step 4 - Configure Microsoft Details in Mail Assure.

Step 3 - Retrieve Onmicrosoft Account Details for Addition to Mail Assure Control Panel

1. In your browser, enter your onmicrosoft URL e.g. https://login.microsoftonline.com//.well-known/openid-configuration. For example: https://login.microsoftonline.com/myid.onmicrosoft.com/.well-known/openid- configuration

- 270 - 2. Copy the page content and format in Notepad in preparation for finalizing the Mail Assure setup in Step 4 - Configure Microsoft Details in Mail Assure:

Step 4 - Configure Microsoft Details in Mail Assure

1. In the Mail Assure Control Panel, return to the OAuth Settings page for the domain by selecting Users & Permissions > OAuth Settings. 2. In the Provider URL field, enter the onmicrosoft URL without /well-known/openid- configuration at the end. In the example shown in Step 3 - Retrieve Onmicrosoft Account Details for Addition to Mail Assure Control Panel above, this URL would look like: https://login.microsoftonline.com/myid.onmicrosoft.com/ 3. In the Client ID field enter the Application ID from the Settings page shown in the Azure setup in Step 2 - Configure Azure Active Directory Settings:

- 271 - 4. In the Client Secret field enter the key you retrieved and saved in Step 2 - Configure Azure Active Directory Settings. 5. In the Token Endpoint, Authorization endpoint, User Info endpoint and Jwks URL fields, enter the respective URLs defined in the text retrieved from the Onmicrosoft URL in Step 3 - Retrieve Onmicrosoft Account Details for Addition to Mail Assure Control Panel.

6. Optionally, enter a link where users can change their password in the Change password URL field, or add a specific logout URL in the Logout URL field. 7. Ensure Use Nonce validation is ticked. 8. In the User Identification section, ensure Unique name is selected as the Identification method.

- 272 - 9. Click Save settings. The login page for users on that domain will now display the new login button allowing authorization with O365.

Although we strive to provide the most up-to-date information, the instructions covered in the Microsoft configuration may change without our knowledge. To ensure you have the correct up-to-date information, please refer to Microsoft's website.

- 273 - Configure SSO/OAuth with Google

For general information on OAuth and how you can get your Single Sign On (SSO) with working with Mail Assure, see Configure OAuth/OpenID Connect Settings.

n Step 1 - Configure Google API Console n Step 2 - Configure Google Details in Mail Assure

Step 1 - Configure Google API Console 1. Login to Google API Console 2. Add a project: a. Create OAuth consent. Enter: i. Email address: Your email address ii. Product name: Project name iii. Homepage URL: https://master.example.com iv. Product Logo (optional) v. Privacy policy URL (optional): Link to your Privacy policy. vi. Terms of services URL (opional): Link to your Terms of Service. vii. Click Save. Setup OAuth credentials: i. Click OAuth client ID. ii. Select WEB application. iii. Add a name e.g.test. iv. Authorized JavaScript origins. n This should contain the hostname of your cluster and the branded / custom hostname that you’ve chosen to use in your branding

n This should contain both https:// and http:// links e.g. o https://mycustom.domain.com (branded hostname) o http://mycustom.domain.com (branded hostname) v. Authorized redirect URIs - needs to point to the authorized redirect endpoint setup on your cluster. n This should contain the branded / custom hostname that you’ve chosen to use in your branding.

n This should contain both https:// and http:// links e.g. o http://mycustom.domain.com/rest/auth/openid/authorize/mailbox o https://mycustom.domain.com/rest/auth/openid/authorize/mailbo x vi. Click create. This returns: n Client ID number

n Client Secret

The above are required for the interface setup.

- 274 - Step 2 - Configure Google Details in Mail Assure 1. Log into your Mail Assure Control Panel using your branded URL (this is set up in the Hostname field in the Branding Management page. See Create a Custom Control Panel URL). 2. In the Admin Level Control Panel, select Branding > Branding Management. 3. Ensure that SSO/OAuth login for email users is enabled. 4. Add the label text that will be displayed on the login button. 5. Click Save. 6. Navigate to the domain, by selecting General > Domains Overview and click on the relevant domain. 7. Select Users & Permissions > OAuth Settings and make sure that OAuth login is toggled on. 8. Complete the following details: n Provider URL - For Google setup this will always be: https://accounts.google.com

n Client ID - This was provided in Step 1 - Configure Google API Console (above)

n Client Secret - This was provided in Step 1 - Configure Google API Console (above)

n Token Endpoint - for Google this will always be: https://www.googleapis.com/oauth2/v4/token

n Authorization Endpoint - For Google this will always be: https://accounts.google.com/o/oauth2/v2/auth

n User info endpoint - For Google this will always be: https://openidconnect.googleapis.com/v1/userinfo

n User Identification Method - select Verified Email

n Jwks Url - For Google this will always be: https://www.googleapis.com/oauth2/v3/certs

n Use Nonce Validation - Select Yes 9. Click Save.

The login page for users on that domain will now display the new login button allowing authorization with Google OAuth2.0.

Although we strive to provide the most up-to-date information, the instructions covered in the Google configuration may change without our knowledge. To ensure you have the correct up-to-date information, please refer to Google's website. For Google's OAuth 2.0 authentication details see https://developers.google.com/identity/protocols/OpenIDConnect.

Manage Admin Users

Only Admin users with the appropriate access rights can add and manage other Admins.

In the Admin Level Control Panel, click on Users & Permissions > Manage Admins to display the Manage Admins page.

In this page you can carry out the following tasks:

- 275 - n Add - Add an Admin or add multiple Admins by uploading a CSV file. See Add an Admin User. n View overview of bandwidth usage per Admin. The dropdown alongside each Admin user provides the following options:

n Edit - Edit the Admin n Delete - Delete the Admin n Login as user - Log into the system as this Admin n Enforce 2FA - Enforce 2FA for this Admin. n Move admin - Move this Admin to another domain n Show sub-admins for this user - Show all Admins that this user has created (Admins created by an Admin or Sub-Admin become Sub-Admins of the user who created them). Add an Admin User

To create an Admin user you must be an Admin user and have the permission to add other Admin users. A Sub-Admin is an Admin user created by another Admin user. The Admin user has control over the access given to a Sub-Admin that they create. Effectively, they are the same - a Sub-Admin user can have the same rights as the Admin user. 1. Log into Mail Assure. 2. In the Admin Level Control Panel, click on Users & Permissions > Manage admins. You can add multiple users using the Upload CSV file link or add each user individually. 3. To add users individually, click on Add to open the New admin creation page. The following Fields/Options are available:

Field/Option Description

Username The user's username.

Password/Confirm password The user's password.

Email The user's email address.

Status Active - Activates the user so they can access the system. Inactive - Inactivates the user so that they cannot access the system.

Allow sub-admins Allow - The user can create sub-admins. Deny - The user cannot create sub-admins. Default - The user inherits the properties of the parent Admin user.

- 276 - Field/Option Description

Allow actions on outgoing spam Allows the user to act on messages outgoing spam messages found in the Outgoing Log Search e.g. Release, Train spam, Train not spam.

Allow control panel API usage Allows the user to execute any of the API calls listed in the Control Panel API Calls page - see View Control Panel API Calls.

Available products Choose which products the user can access (Incoming mail, Outgoing mail, Archiving) and whether they have access to the Private label area of the application in which branding can be customized.

Protection for archived messages Active - The user will not be able to view/export archived message content unless they authenticate at Email level and are viewing their own messages. When Active, sub- admins cannot over-ride this. Inactive - The user will be able to view/export all other user's archived message content.

Domain's Limit How many domains this admin can add. If you want to limit the number to two domains, then you can set the limit to 2, otherwise use 0 for unlimited domains.

- 277 - Field/Option Description

The limit is shared with your own limit. For example, if your license is of 20 domains, you cannot set the limit to 0 for a Sub-admin. You can set it to 20, however this means that you will be unable to add domains on your Admin account and all new added domains will be attributed to the Sub-admin account.

4. Enter the user details and click Save. Manage Domain Users

Currently, only one user can be created per domain and only Admin users can manage Domain users

In the Admin Level Control Panel, select Users & Permissions > Manage Domain Users to display the Manage domain users page.

If you already have a domain user per domain, you cannot add any others.

If there are no domain users for a domain, click Add to add one or Upload CSV file - see Add a Domain User. Add a Domain User

To create a user who can access their own Domain Level Control Panel, manage their own domain specific settings and use the system to view their domain's spam and access their emails in the event their server is offline or unavailable: 1. Log into Mail Assure. 2. In the Admin Level Control Panel, click on Users & Permissions > Manage domain users. You can add multiple users using the Upload CSV file link or add each user individually. 3. To add users individually, click on Add to open the New domain user creation page. 4. Select the domain you want the user to access/manage. 5. Enter the user's Password and Email address. 6. Ensure the Status is set to Active. 7. Click Save.

- 278 - Tip - To access the system, the Domain user must use their domain name in the Username field and the Password entered here when logging in.

You can only create one Domain user per domain.

Manage Email Users

In the Admin Level or Domain Level Control Panel, click on Users & Permissions > Manage email users.

The Manage Email users page is displayed.

In this page you can carry out the following tasks:

n Set up LDAP authentication - See Set up LDAP Authentication. n Add - Add an email user or add multiple users by uploading a CSV file. n View overview of bandwidth usage per email user. The dropdown alongside each Admin user provides the following options:

- 279 - n Edit - Edit the user. n Delete - Delete the user. n Login as user - Log into the system as this user. n Enforce 2FA - Enforce 2FA (Two-Factor Authentication) for this user. Add an Email User

To create a user who can access their own Email Level Control Panel, perform a log search, view their incoming delivery queue and Quarantine settings and access their emails in the event the mail server is offline or unavailable: 1. Log into Mail Assure. 2. In the Admin Level or Domain Level Control Panel, click on Users & Permissions > Manage email users. You can add multiple users using the Upload CSV file link or add each user individually. 3. To add users individually, click on Add to open the New email user creation page. 4. Select the domain you want the user to access/manage. 5. Enter the local part of the Username. (The domain is already entered). 6. Enter and confirm the Password. 7. Ensure the Status is set to Active if you want the new user's login credentials to work. 8. Click Save. Manage Permissions

The Manage Permissions page allows you to manage Mail Assure access permissions for Domain and Email Users. If you are accessing the page from the Admin Level Control Panel, you can manage permissions for both Domain and Email Users. Alternatively, if you are accessing the Manage Permissions page from the Domain Level Control Panel you can only manage permissions for Email users. You can decide which features they can access from each of the panels in the Dashboard (e.g. Incoming, Outgoing, Archive, Server etc.) by enabling/disabling the GET, POST, PUT and DELETE actions alongside each feature as required, where:

n GET - View data n POST - Create new entries n PUT - Edit existing entries n DELETE - Delete entries

To access the Manage permissions page: In the Admin Level or Domain Level Control Panel, select Users & Permissions > Manage permissions. Manage User Settings

In the User Settings page you can manage the system's global user settings.

In the Admin Level Control Panel, click on Users & Permissions > User settings:

- 280 - Password Policies

Configure your password policies for Users & Permissions. The following settings will be enforced when passwords for new users are first set or when users' passwords are updated:

n Minimum number of characters n Minimum number of digits n Minimum number of lowercase characters n Minimum number of uppercase characters n Minimum number of punctuation characters n Allow spaces: Yes/No n Allow common passwords: Yes/No n Allow dictionary words: Yes/No

Click on Save to save your changes.

- 281 - Continuity

The Continuity panel gives you access to the Incoming and outgoing delivery queues, the compose email page and the Network tools page, used for troubleshooting any network problems. What do you want to do?

n View your queued messages - See Message Queueing. n Compose Email n Network Tools Compose Email

Use this facility to send email if your mail server is down or offline.

1. Access this page from the Admin, Domain and Email Level Control Panels in Other > Compose email.

2. Once you have entered your recipient, subject and message content, click on Send Message. Network Tools

The Network tools page allows you to test mail transfer using various tools:

n Ping - tests the reachability of hosts n SMTP Tab

- 282 - n Traceroute - Displays the route and transit time for connections between servers in the cluster and a specified destination n Dig - Used to query Domain Name System (DNS) servers. You can query a specific name server or leave blank to use the Control Panel's default name server. You can access this page from the Admin, Domain and Email Level Control Panels from Continuity > Network Tools. SMTP Tab

Use the SMTP tab to test mail transfer using the SMTP protocol with the following checks:

n Sender callout - If you are seeing problems with sender verification, you can see exactly what the sender's mail server responds with when the address is checked. n Recipient callout - If you are seeing delivery problems, you can see exactly what the destination's mail server responds with when the recipient is specified. n Open relay check - You can see whether a mail server appears to be an "open relay", accepting mail for any destination. n Catch-all check - You can see whether a mail server appears to be a "catch-all" for a specified domain, accepting mail for any address at that domain. n Telnet test - You can check the full SMTP delivery process to a destination, to see exactly how the destination responds in answer to each of the SMTP commands, and the final message content. The tool will go as far as the information provided. If a recipient is not provided, then the connection will end after "MAIL FROM", and if a message is not provided, then the connection will end after "RCPT TO". If you have a message in the DATA section, this will send an email to the specified recipient. To test deliverability issues from a specific server in the cluster, or IP assigned to a server, select the relevant IP. If left blank, then one of the control panel IPs will be used. You can access this page from the Admin, Domain and Email Level Control Panels from Continuity > Network Tools.

The following fields/options are available:

Field/Option Description

Hostname You must either enter a server hostname here or enter the Envelope sender for any checks to run.

EHLO Name of the EHLO/HELO that you want to use in the SMTP transaction.

Envelope Sender Enter the envelope sender to initiate a sender callout.

Envelope Recipient Enter the envelope recipient to initiate a recipient callout.

- 283 - Field/Option Description

Using the Catch all option you can see whether a mail server appears to be a 'catch-all' for a specified domain, accepting mail for any address at that domain.

Data If you want to send data to the envelope-recipient e.g. the content of the SMTP transaction and not just a callout.

Timeout, per SMTP command How long you want the SMTP commands to last (e.g. for slower mta's there may be a need to set this higher before it times out)

Interface Choose what IP you do the verification from. For example, if you want to do a sender verification check from a certain IP, choose the IP address from those available. If it is the default , then it uses the interfaces server IP/hostname (master.antispamcloud.com).

Prefer TLS Try to use STARTTLS to perform the test over a secure connection.

Data only for Exchange servers Some versions of Microsoft Exchange do not support doing a sender or recipient callout in the usual manner. If you select this option and the server appears to be a Microsoft Exchange Server, the tool will send a suitable test message in DATA. You should generally use this when doing a 'callout' check, but be aware that if the recipient is valid they will receive the test email message.

If Data only for Exchange servers is unchecked, Default message is unchecked and there is nothing in the data part then no DATA is sent.

- 284 - Message Queueing

Generally emails are delivered directly to the destination server. However, if the delivery attempt to the destination server returns a temporary failure, all email messages sent to known, valid recipients are queued locally on the filtering servers for delivery retry - see View Incoming Delivery Queue.

Emails which have been permanently rejected by the destination server with a 5xx error code, will NOT be queued and are rejected by the system - you can see these messages in the Spam Quarantine. Automatic Retry Schedule

Messages queued for known valid recipients because of temporary problems with the destination route (e.g network problems) are automatically retried for delivery at the following approximate intervals:

n During the first 2 hours, delivery is retried at a fixed interval of 15 minutes. n During the next 14 hours, delivery is retried at a variable interval, starting at 15 minutes and multiplying by 1.5 with each attempt (e.g. after 15 minutes, then 22.5 minutes, then 34 minutes, and so on). n From 16 hours since the initial failure, until 14 days have passed, delivery is retried at a fixed interval of every 6 hours. n After 14 days we generate a bounce to the sender. If the bounce cannot be delivered immediately (i.e. if the 'message could not be delivered' message (Non-Delivery Report) fails to send), it will be frozen automatically. After this time, delivery of the message will have permanently failed. When a message is frozen (it cannot be delivered to the recipient or returned to the sender), no more automatic delivery attempts are made. An Admin user can “thaw” ( force retry) such messages when the problem has been corrected. Mail Assure caches valid recipients up to 14 days. After this time, Mail Assure will not queue email for those recipients and instead temporarily rejects the message so it is queued on the sending server. The sending server in this case will automatically retry delivery. When using the 'Local Recipients' feature (described above), no caching is involved and Mail Assure continues to accept and queue the emails for all specified recipients. Messages Queued

The SMTP RFC 5321 specifies a sending server must queue messages which cannot be directly delivered because of a temporary failure at the receiving end. Therefore in the case of temporary issues with the email infrastructure, emails will not be bounced immediately but are instead queued on the sending server(s) and automatically retried for delivery. In case of downtime of the destination mailserver, messages are only accepted for delivery by the filtercluster if the recipient is known to be valid. Valid destination recipients are cached (when “Accept mail for any mailbox confirmed as valid by the destination mail server” is enabled”) up to 96 hours, per filtering server.

- 285 - To make use of message continuity in Mail Assure, the recipient callouts must be disabled. To do this, ensure that in the Mailboxes Overview pages, the Mailboxes and Aliases lists are complete (do this manually, by CSV import or LDAP sync), and select Accept mail only for mailboxes listed in the "Mailboxes" tab in the Configuration tab of the Mailboxes Overview page. This will accept mail for all recipients listed in the filter, and queue this for up to 14 days, until the message can be successfully delivered to the recipient, or when a destination server cannot be reached for 14 days,all messages will be bounced after 14 days and no new email will be accepted/queued until the destination server is back online. The reason that it is not longer than 14 days, is because it is important for the sender to be aware that delivery of their message has been failing for 14 days so they can try and contact the recipient in another way. Your own Fallback Server(s)

Please note that when you specify multiple destination routes, Mail Assure assumes you run your own fallback system. If the specified fallback server is not responding to recipient callouts, there will be no database built up of valid recipients internally. We recommend not to specify any fallback server(s) unless you've specifically designed your infrastructure to handle outages of the main destination server. See also:

n View Incoming Delivery Queue n View Earliest Time an Automatic Delivery Attempt Will be Made n Troubleshoot Messages in the Delivery Queue n Reply to Email in the Delivery Queue View Incoming Delivery Queue

The Incoming Delivery Queue stores emails that are not being accepted by the destination server (your mail server administrator should be able to check why these emails are not being accepted - see ). The system attempts to re-deliver queued messages automatically for 14 days. If, after 14 days, a message still cannot be delivered to the recipient, the system will try to bounce it to the sender. If it cannot be bounced, the message is placed in a frozen state - it cannot be delivered to the recipient or bounced back to the server. If required, you can manually force delivery of a queued message after resolving the destination mail server issues. Access the Incoming Delivery Queue You can view the Incoming Delivery Queue at the Admin Level, Domain Level and Email Level.

n At the Admin Level you can see the queue for all recipients for all domains (and can filter). n At the Domain Level you can see the queue for all recipients in the domain you are logged into. n At the Email Level, you can see the queue for your own mailbox.

1. Click on Continuity > Delivery queue - incoming to open the Incoming Log Search page filtered to show all messages with the 'Queued' and 'Delivery failed' status. You can further filter your listed results by adding new rules using the + New rule link.

- 286 - 2. After adding more rules, click Show Results to run the search and list the results. All queued emails which match the filters are listed in the table at the bottom of the page. The dropdown to the left of each email allows you to carry out a variety of actions including various troubleshooting tools: n Retry delivery from queue

n Remove from queue

n Remove from queue and notify sender

n Remove from queue and train as spam

n Redeliver archived message

n Download archived message

n Telnet SMTP test - Opens the Network Tools page and runs a check on the full SMTP delivery process to the destination server.

n Sender callout - Opens the Network Tools page and runs a check on what the sender's mail server responds with when the address is checked.

n Recipient callout - Opens the Network Tools page and runs a check on what the destination mail server responds with when the recipient is verified.

n Whitelist sender

n Blacklist sender

n Whitelist recipient

- 287 - n Blacklist recipient

n Delivery history

n Compose reply - See Reply to Email in the Delivery Queue.

n View email - view email content

n Export as .CSV 3. To customise what columns are displayed, choose from the columns available in the Customise dropdown:

View Earliest Time an Automatic Delivery Attempt Will be Made 1. Follow the steps described above to list all matching messages. 2. From the Customise dropdown, select Earliest next delivery attempt and click on Show Results.

3. To lessen the impact on performance, you can only select one message at a time to see this value:

- 288 - The earliest delivery time is then displayed in the column:

View Outgoing Delivery Queue

The Outgoing Delivery Queue stores emails that are not being accepted by the destination server. Access the Outgoing Delivery Queue You can view the Outgoing Delivery Queue at the Admin Level, Domain Level and Email Level.

1. Click on Continuity > Delivery queue - outgoing to open the Outgoing Log Search page filtered to show all messages with the 'Queued' and 'Delivery failed' status. You can further filter your listed results by adding new rules using the + New rule link.

- 289 - 2. After adding more rules, click Show Results to run the search and list the results. All queued emails which match the filters are listed in the table at the bottom of the page. The dropdown to the left of each email allows you to carry out a variety of actions including various troubleshooting tools: n Train as spam

n Redeliver archived message

n Download archived message

n Lock user

n Telnet SMTP test - Opens the Network Tools page and runs a check on the full SMTP delivery process to the destination server.

n Sender callout - Opens the Network Tools page and runs a check on what the sender's mail server responds with when the address is checked.

n Recipient callout - Opens the Network Tools page and runs a check on what the destination mail server responds with when the recipient is verified.

n Blacklist sender

n Add whitelist filtering rule

n Add blacklist filtering rule

n View email - view email content

n Export as .CSV

- 290 - 3. To customize what columns are displayed, choose from the columns available in the Customise dropdown:

Troubleshoot Messages in the Delivery Queue

If there are messages stored in the queue there will always be a (temporary) error when delivering to the destination server. To investigate the issue: 1. Verify you have set the correct destination route (also ensure there are not multiple destination routes specified, normally there should just be one route). See Manage Destinations. 2. Check the logs on your destination server to investigate why delivery attempts are not being accepted. 3. Run a telnet test to check the response of your destination mailserver. There are two ways you can do this: a. From the Message Queue by selecting Telnet SMTP Test from the dropdown alongside any of the queued messages. This takes you to the Network Tools page. b. Directly from the Continuity > Network Tools page and selecting the SMTP tab (see the Telnet tips in the right panel). 4. If after following these steps you still have an issue, please contact Support providing a sample sender/recipient/date for investigation. Reply to Email in the Delivery Queue

Whilst a message is queued you can reply to it directly using the "Reply" option from the message options:

1. Go to Continuity > Delivery queue - incoming. 2. Enter your filters then click on Start search. 3. Locate the message you want to reply to, click on the dropdown to the left of the message and select Compose Reply:

The Compose reply page is displayed, allowing you to reply to the message.

- 291 - My Settings

Manage Your Admin User Profile 292

SSO Settings 292

Local credentials 292

Two Step Authentication 292

Notification 292

Manage Your Domain User Profile 293

Manage your Email User Profile 293 Manage Your Admin User Profile

The User's Profile page allows you to manage your user account settings.

In the Admin Level Control Panel, select My Settings > User Profile.

The following features are available:: SSO Settings

If Oath/SSO is set up, you can change your password. Local credentials

n Change your Username n Change your password - You need your old password in order to do this. n Change your email address. n Activate/inactivate the feature preview option - When activated you can see any new features which are in preview mode (not yet released). n Activate/inactivate the advanced whitelist/blacklist custom filtering rules. By activating the 'Use advanced custom filtering rules' option you access the advanced page when creating a new custom whitelist or blacklist filtering rule. If this setting is Inactive the simple page is displayed. For more information, see Add an Incoming Whitelist Filtering Rule, Add an Incoming Blacklist Filtering Rule or Add Outgoing Blacklist Filtering Rule. Two Step Authentication

Configure two step authentication. Notification

Enable email notifications when your account is accessed from a new location or IP address.

From the Admin Level Control Panel, select My Settings > User profile. and choose from:

n Don't notify me n Notify me when my account is accessed from a new location n Notify me when my account is accessed from a new IP address

- 292 - Manage Your Domain User Profile

When you are logged in as a Domain user, the User profile page allows you to perform the following:

n Change your password - You need your old password in order to do this. n Change the Domain user email address n Activate/inactivate the feature preview option which shows upcoming system features n Activate/inactivate the advanced whitelist/blacklist custom filtering rules. By activating the 'Use advanced custom filtering rules' option you access the advanced page when creating a new custom whitelist or blacklist filtering rule. If this setting is Inactive the simple page is displayed. For more information, see Add an Incoming Whitelist Filtering Rule, Add an Incoming Blacklist Filtering Rule or Add Outgoing Blacklist Filtering Rule. n Configure two step authentication n Enable notification when your account is accessed from a new location or IP address.

From the Domain Level Control Panel, select My Settings > User profile.

Manage your Email User Profile

The User Profile page allows you to manage your profile settings.

From the Email Level Control Panel, select My Settings > User profile.

The User's profile page is displayed:

- 293 - From this page you can perform the following tasks:

n Change your password - You need your old password in order to do this.

If LDAP authentication is configured, this option will not be available.

n Enable/disable the feature preview option which shows upcoming system features. n Configure two step authentication - This enables a two step login process which entails entering a code as well as your username and password. Download the necessary app on your phone to generate the code you need: n Download Google Authenticator (Android/iPhone/Blackberry) n Download Authenticator (Windows Phone) n Enable email notification when your account is accessed from a new location or IP address.

After making any changes, click Save.

- 294 - Appendix cPanel and WHM Configuration for Mail Assure Encryption TLS

Mail Assure fully supports incoming connections protected using TLS. Deliveries are always made over TLS when supported by the destination mail server (opportunistic TLS). As a result, email is securely transmitted where possible. If you want to enforce TLS it needs to be set up explicitly by our Support team. When you contact Support, please provide the Yes / No answer to the following questions: Incoming Filtering

n Should TLS be enforced between the sender and the Mail Assure servers? n For all senders n For all senders of a specific domain n For a single sender address n Should TLS be enforced between the Mail Assure servers and the destination server(s)? n For all recipients of a specific domain n For one recipient of a specific domain

Outgoing Filtering - the outgoing user that handles filtering needs to be provided as well.

n Should TLS be enforced between the sending server and the Mail Assure servers? n For all senders n For all senders of a specific domain n For a single sender address n Should TLS be enforced between the Mail Assure servers and the final destination? n For all recipients n For all recipients of a specific domain n For a single recipient of a specific domain Once we have the answers to the above, we can assist you to get this set up. Email Scout Report (ESR) Template Defaults and Variables

The Email Scout Report templates are written using the Jinja templating language. If you are unfamiliar with this, we recommend that you begin by copying and editing an existing template - see Email Scout Report Templates (Preview). Default/Recommended ESR Templates

The following default templates are available from Reporting > Email Scout Report templates (Preview) (with Features Preview enabled), in the Recommended Templates tab:

- 295 - n column n row Column template

- 296 - Row template

Template Variables

The following variables can be added to the Email Scout Report templates. When the template is applied to a report, the variable content is added.

n {{ columns }} - Use this variable to choose from the following columns:

Column Variable name Message ID exim_id

Domain domain

Filtering host host

Timestamp date

Sender sender

Recipient recipient

- 297 - Column Variable name Sender hostname sender_host

Sender IP sender_ip

Sender location sender_location

Bytes received incoming_size

Bytes sent: outgoing_size

Main class main_class

Sub class sub_class

Extra class extra_class

Error class error_class

From fromh

To toh

CC cch

Subject subjecth

Original Message ID message_id_header

Status status

Delivery date delivery_date

Delivery IP delivery_ip

Delivery hostname delivery_fqdn

Delivery port delivery_port

Delivery data delivery_data

Delivery interface delivery_interface

In archive archive_id

n {{ objects }} - Log search results list n {{ brand }} - Brand name for the domain n {{ now }} - Current date and time n {{ name }} - Name of the report n {{ destination }} - Email address of the report recipient n {{ view }} - Generates a link to view message and optionally perform specific actions n {{ decode_idna() }} - Converts an IDNA encoded domain to a Unicode representation. n {{ country_name() }} - Converts a two-character country code to the country name n {{ unsubscribe_link() }} - Generates a link to unsubscribe from the Email Scout Report

- 298 - n {{ format_date(datetime or date[, format]) }} - Converts a date or datetime (timestamp) to a user-readable string n {{ format_time(datetime[, format]) }} - Converts a datetime (timestamp) to a user-readable string n {{ format_timedelta(timediff) }} - Converts a date/time difference to a user-readable string n {{ brand_color }} - Adds the brand colour to the report n {{ logo_url }} - Adds the Branding logo specified in the Branding Management page to the report.

Look at the existing templates (above) to see how the variables have been applied using Jinja.

Example Email Scout Report (ESR) Template Content

- 299 - {% set column_order = [ ("Datetime", "datetime", "date_format"), ("Filtering server", "filtering_host", "decoded"), ("Message ID", "message_id", None), ("Sender IP", "sender_ip", None), ("Sender hostname", "sender_host", "decoded"), ("Sender", "sender", "decoded"), ("Recipient", "recipient", "escaped"), ("From", "from_header", "escaped"), ("To", "to_header", "escaped"), ("CC", "cc_header", "escaped"), ("Subject", "subject_header", None), ("Incoming size", "incoming_size", "size"), ("Outgoing size", "outgoing_size", "size"), ("Delivery date", "delivery_date", "date_format"), ("Destination IP", "destination_ip", None), ("Destination host", "destination_host", "decoded"), ("Destination port", "destination_port", None), ("Status", "status", "status"), ("Classification", "main_class", None), ] %}

- 300 -

- 301 - MUEhQFFxMGGRgf/aAAgBAgEBPxDeJNTJu/KIKJjWPlqBT0tIvyhp1sFApI5HHU5ovpTi8e ly+RQqSpKkasiaCCDyQ4mEuMRNAA6ous3EdQFAIXDBE9K39dUEiMiJLpF7s8bCy0iP7RB aCNv/AP/EACcQAQEAAgEDBAICAwEAAAAAAAERACExQVFhQHGBkaGxMMEQIFDw/9o ACAEBAAE/EP8AuoEFBWG+fWoxAbVeMRMPRQP/AJ0uOjt37TT8ZzYgMz7Djxjo8k/6zH aghoTkDi8D2vrQBDyI9hN4+PMSQP2+PrBICpkm8eFer/bbfgxgfUBV7nfz9YzNOpP4fQbq SJjHYm/5C8qBqo4nBy+v8PGOI0mbrtFp+svgx2z7y/o3j922l77HAeR7Yc4MGB8H8hA+jB pQTjcXzj4wQgUKAFXDAMiFNW7Intpnle0iHQgZbHhgXukm7lPEKoLvImHFDWcTeFrGJLw 3cnO5g8zDmFQ6CwXt34xsjBwKIBpJnllNSYVlbuauwbbf1aIXwfbE2/BRqoew/GV4uKiRjk CBgzoPa6O3ghi6AnroL7B4osLjUo0dnB1uvitXHCU11VAusEPYMbisVI0Mhqqy27riulkVA0 GnTXvgEAR0jguNEoYIo6R308Ya65c2/wCjx/KNjFx6PeNB84G6phhFGlMHnbxu5xlkg3R2 afbYUpjcLnEBId2aOVnTebc2OfeBD5wbZrRq6dGnZppjtDjhaUVjZK73iXDSuOg8Ls1hlgIjw mKkJoFaURq8ykupVBA4EXwY3FEAEYTogh8ZvJmAYkRWusRY9mVUo743lA9ZgMNJHn pnbkJq8bN0vzGTYLqrjAAhBFvI+MTSTJAUFog8074muAK0hDs2KefOTxiygevAQLgyQwd g16mO595TuZTviHIPnKS0mU7n+vHp+b2x0sEEVBV5vJiwOuRdCvbZndwxJnbW5+EfBg U8Q2DWpOD8YFiDoZHCdMYIEhpBBPYL85sEZtUQRfO58erNAdsSEUQKcn4cuIcSBvT7Pv AUxJ2OAfh+s1U6kjdGzWcvabbLI/v5wrSBGwaQGkvjjJACSG0gB9B+fXyYxgdGmgdwe2K 0hVRQ6ZN317Mn+Nf83//Z/>

Email Scout Report

This is the email scout report for {{ destination }}, sent at {{ format_time( now ) }}.

{% for label,column,column_format in column_order if column in columns %}

{% endfor %}

- 302 -

{% for object in objects %} {% for label,column,column_format in column_order if column in columns %}

- 303 - {% endfor %}

{% endfor %}

{{ label }}	View message
{% if not object[column] %} {{ "" }} {% elif column_format == "date_format" %} {{ format_date(object[column]) }} {{ format_time (object[column]) }} {% elif column_format == "escaped" %} {{ object.get(column, "")\|replace(".", "."\|safe) }} {% elif column_format == "decoded" %} {{ decode_idna(object.get(column, ""))\|replace(".", "."\|safe) }} {% elif column_format == "size" %} {{ object.get(column)\|filesizeformat }} {% elif column_format == "status" %} {{ object[column]\|replace("-", " ")\|title }} {% else %} {{ object.get(column) }} {% endif %}	{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %}

View message

{% if not object[column] %} {{ "" }} {% elif column_format == "date_format" %} {{ format_date(object[column]) }} {{ format_time (object[column]) }} {% elif column_format == "escaped" %} {{ object.get(column, "")|replace(".", "."|safe) }} {% elif column_format == "decoded" %} {{ decode_idna(object.get(column, ""))|replace(".", "."|safe) }} {% elif column_format == "size" %} {{ object.get(column)|filesizeformat }} {% elif column_format == "status" %}

{{ object[column]|replace("-", " ")|title }} {% else %} {{ object.get(column) }} {% endif %}

{% if object.get("status", "") == "quarantined" %} View quarantined message {% elif object.get("status", "") == "queued" %} View queued message {% endif %}

- 304 - Example ESR Email Sent

- 305 -