
SWITCH TO BETTER EMAIL-TECHNOLOGY
TUXGUARD GmbH © 2020

Table of Contents

Installation
• Installation
• System Requirements
• OS
• Hardware
• Network
• Preparing the installation
• Webmaster Installation
• Worker Installation (on web host)
• Worker Installation (remote)
• Web/Database master setup
• Worker

Domains
• Domains
• Add new domain
• Next Hop
• Recipient Verification

Mail Rules
• Mail Rules
• Adding Mail Rules
• Lookup Order
• Connect
• Host connected over IPv6
• Host connected over IPv4
• IP address has a rDNS entry that can be forward confirmed (FCrDNS)
• HELO
• From
• To
• Body
• Subkeys
• ACL
• Pattern Lists
• TLS
• Concurrent Connection Limits
• Connection Rate Limits
• Greylist TTL
• Null Sender Rate Limits
• Message Rate Limits
• Message Size Limits
• Relay
• Blind Carbon Copy
• No List Traffic

Reporting
• Reporting
• Logs
• Log Search
• Cluster
• License

Administration
• Administration
• Resellers
• Hierarchies
• Domain Aliases
• Add a new Reseller
• Companies
• Add a new Company
• Users
• Add a new User

Configuration

Mail Core
• Mail Core Configuration
• Listen on ports
• Other ports
• Administrative Contacts
• Maximum Message Size
• SMTP Greeting
• Inactivity Timeout
• HAProxy Hosts
• TLS Private Key
• TLS Public Key

Pre-Data
• Pre-DATA Checks
• Early Talkers
• Delay
• DNS Lists
• Use FSL DNS Lists
• DNS Blacklists
• DNS Whitelists
• Domain Blacklists
• URI Blacklists
• rDNS
• Require rDNS
• Reject generic rDNS
• Reject invalid rDNS domains
• EHLO/HELO
• Require valid hostname
• Reject hosts that send mismatched HELO
• Reject bare IP addresses
• Reject mismatched IP literals
• Reject dynamic
• Bounce Messages
• Single recipient only
• Enable backscatterer DNSBL list
• Reject all
• Sender Policy Framework (SPF)
• Enabled
• Sender Authentication
• Skip rDNS/HELO rejections
• Greylisting
• Time
• Fail TTL
• Pass TTL
• Miscellaneous
• Single domain per session

Clickwhitelisting
• Click Whitelisting
• Enabled
• Secret
• Private Key
• Public Key
• Initial TTL
• Whitelist TTL

Outbound/Relaying
• Address Book
• Enabled

Post-Data
• Post-DATA Checks
• Watermarking
• Enabled
• Secret
• Expiry Time
• Reject Bounces without watermark
• Bounce Messages
• Check each received hop with SPF
• DSPAM
• Training
• Enabled
• Host
• Server Password
• Training Level
• Reject Level
• Enable Auto Training
• Auto Training Level
• SpamAssassin
• Enabled
• Host
• Reject Score
• Relay Reject Score
• MessageSniffer
• Enabled
• License ID
• Authentication
• Miscellaneous/Experimental
• Reject unreplyable messages
• Non-Latin character limit

Antivirus
• Anti-Virus
• ClamAV
• Enabled
• Hosts
• Reject Broken Executables
• Reject Encrypted Archives
• Enable PUA Signatures
• Packed
• PwTool
• NetTool
• P2P
• IRC
• RAT
• Tool
• Spy
• Server
• Script
• Enable DLP Signatures
• Reject OLE2 Macros
• Enable Google SafeBrowsing Signatures
• Enable Phishing Signatures
• Enable UNOFFICIAL Signatures
• Exclude List
• AVG AntiVirus
• Enabled
• ESET Mail Security
• Enabled

Attachments
• Filename Rules
• Archive Filename Rules
• Archive File Extensions
• Maximum Archive Depth
• MIME-Type Rules

Alerts
• Alerts From
• Alerts To

HAProxy
• Example HAProxy Configuration

Shared Cache
• Secret
• Port
• Unicast Hosts
• Multicast IP
• Multicast TTL

Mail Server
• Mail Server Configuration
• Microsoft Exchange 2003
• Microsoft Exchange 2007
• Microsoft Exchange 2010
• Microsoft Exchange 2013/2016
• Office 365
• Google Apps
• Zimbra

Reports
• User Reports
• Admin Reports

Miscellaneous

Hostname
• Changing Hostnames/IP addresses
• Change IP Address
• Standalone TUXMAIL Server
• Master node
• Worker/Slave node
• Changing the Hostname

Data Import
• Backup File Import

DMX Migration
• Migrating from DefenderMX
• Exporting DMX Data
• Import DMX Data during Installation

Installation

System Requirements

TUXMAIL can be installed on a single server, but it is highly recommended to have at least two systems for redundancy and a dedicated server that runs the web interface (and databases) for best performance.

If you send a lot of outbound or relay traffic for many domains and other SMTP servers (e.g. using TUXMAIL for SMTP AUTH or as a smart host), it is highly recommended that you dedicate one or more servers to outbound traffic only and do not mix it with the inbound service. This prevents the inbound and outbound services from adversely affecting each other should there be abnormal traffic levels.

OS

A minimal installation of Red Hat Enterprise Linux 7 (https://access.redhat.com/products/red-hat-enterprise-linux) or CentOS 7 (https://www.centos.org) with all updates applied is required.

Hardware

The recommended system specification is:
• Intel Xeon CPU with a minimum of 2 cores, or better
• min. 8GB RAM for the Web/Database master (due to the ElasticSearch (https://www.elastic.co/elasticsearch/) requirements)
• 2GB RAM per core for additional Workers
• min. 32 GB HDD

If both the Web master and a Worker instance run on the same host, 16GB RAM is recommended.

A minimal Red Hat Enterprise Linux or CentOS installation with TUXMAIL uses around 3GB of disk space, but a minimum of 32GB, all on one large partition, is recommended for a small system, since the system uses space for logging, temporary files, etc.
The database role will take approximately 5GB of disk space per million SMTP transactions logged.

Network

We recommend ensuring the following:
• installation on machines at the network edge within the DMZ, without any ‘helpers’ or ALGs (Application Level Gateways) enabled on the firewall (such as Cisco SMTP/ESMTP inspection, the PIX fixup protocol or any other form of SMTP proxy)
• the application must speak directly to the host originating the message and see its external IP (the only exception being when HAProxy is used for SMTP traffic)

Preparing the installation

Before starting the installation, verify that:
• firewalld is enabled and running
• the system hostname is set up correctly (if not, run the command: hostnamectl set-hostname <hostname>)
• a static IP address is set
• at least 2GB of swap space is available
• all ports are open between the Web/Database master host and each worker host (the installer will correctly re-configure and secure firewalld during its final step)
• the root user on each worker host is able to ssh to the Web/Database master host using a userid that can sudo to root
• all hosts have an active internet connection

Webmaster Installation

1) download the TUXMAIL YUM repository file
2) copy the .repo file into the /etc/yum.repos.d/ directory on the webmaster host
3) run yum clean all and yum install tuxmail-web

Worker Installation (on web host)

In order to install a worker on the same host as the webmaster, simply run yum install tuxmail-worker tuxmail-worker-sync on the webmaster host.
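A pre-flight script for the host-local items of the checklist under Preparing the installation above; this is an added example, not part of the TUXMAIL manual or product. It assumes a RHEL 7/CentOS 7 host (BOOTPROTO in the ifcfg files decides static vs. DHCP), treats a correct hostname as a fully qualified name that is not localhost, and leaves the cross-host port and ssh checks to be done by hand.

```shell
#!/bin/sh
# Pre-installation checks for a TUXMAIL host (added example, not TUXGUARD code).
# The check_* functions take their input as arguments so they can be exercised
# with constructed data; preflight_report feeds them live values from this host.
# Assumptions not taken from the manual: a "correct" hostname is a fully
# qualified name that is not localhost, and a "static IP" means no ifcfg file
# under /etc/sysconfig/network-scripts uses BOOTPROTO=dhcp (RHEL 7 / CentOS 7).

# firewalld must be running: $1 is the output of `systemctl is-active firewalld`.
check_firewalld() { [ "$1" = "active" ]; }

# Hostname must be fully qualified (contain a dot) and not a localhost variant.
check_hostname() {
    case "$1" in
        localhost|*.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# At least 2GB of swap: sums the Size column (KiB) of /proc/swaps, skipping the header.
check_swap() {
    total=$(printf '%s\n' "$1" | awk 'NR > 1 { s += $3 } END { print s + 0 }')
    [ "$total" -ge 2097152 ]
}

# Static addressing: $1 holds the BOOTPROTO lines of all ifcfg files; none may be dhcp.
check_static_ip() {
    ! printf '%s\n' "$1" | grep -qi '^BOOTPROTO=.*dhcp'
}

# Gather live values, run every check and print one PASS/FAIL line per item.
preflight_report() {
    fw=$(systemctl is-active firewalld 2>/dev/null) || fw="${fw:-unknown}"
    hn=$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown)
    sw=$(cat /proc/swaps 2>/dev/null || true)
    bp=$(cat /etc/sysconfig/network-scripts/ifcfg-* 2>/dev/null | grep -i '^BOOTPROTO' || true)
    rc=0
    check_firewalld "$fw" && echo "PASS firewalld is active" || { echo "FAIL firewalld: $fw"; rc=1; }
    check_hostname "$hn" && echo "PASS hostname $hn" || { echo "FAIL hostname '$hn': set it with hostnamectl set-hostname <fqdn>"; rc=1; }
    check_swap "$sw" && echo "PASS swap >= 2GB" || { echo "FAIL less than 2GB swap configured"; rc=1; }
    check_static_ip "$bp" && echo "PASS static IP configuration" || { echo "FAIL an interface uses DHCP"; rc=1; }
    return $rc
}

# Run the live report only when invoked with --run, e.g.: sh preflight.sh --run
case "${1:-}" in --run) preflight_report ;; esac
```

The script exits non-zero when any item fails, so it can be run on each worker and on the master before the yum steps that follow.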
Worker Installation (remote)

In order to install a worker on a remote host:
1) ensure a working ssh connection to your web host
2) run ssh root@<your-web-host> "tux_add_cluster_node `hostname` "|bash

Web/Database master setup

After the Web/Database master has been installed successfully, the following steps are needed to complete the setup:
1) Navigate to https://your-web-master-host-ip (or the appropriate DNS entry) using a browser (we recommend using the latest version of Firefox or Chrome)
2) Accept the SSL exception
3) Optional step: import a backup file (more information here (/misc/data_import.md))
4) Import your license file by either uploading the .json or copy-pasting its contents into the appropriate text field
5) Create an initial Superadmin user by filling out the form

You can now log in using the initial credentials you created.

Once you are done with your TUXMAIL setup, you should remove any hosts from your MX records that do not run TUXMAIL (e.g. backup MXs), as they will adversely affect filtering performance. Alternatively, you can stop the SMTP services on any of these hosts and only start them in a DR scenario.

Worker

During worker installation, the following steps are performed automatically:
• the SSH key is copied from the master Web/Database host, which enables passwordless access to any of the cluster nodes
• access through the firewall to the host is allowed
• the tuxmail.repo file is copied to the host
• the installation of ‘tuxmail-worker’ is started automatically, which creates a replica of the master node

Installation may take a few minutes to complete, as virus and spam definitions are downloaded for the first time to ensure everything is completely up to date. Once the installation is complete, your system is ready to scan emails.

Domains

Here you configure the domains that you want to handle inbound mail for. Any inbound mail to recipients not in the domains listed here will be rejected by TUXMAIL. The domains are displayed in alphabetical order and show the next hop, the disabled checkbox, the creation date, the last update, and the options to edit or delete the domain.

Add new domain

Enter the domain name in the input box provided. The disabled checkbox allows the administrator to temporarily disable reception of mail for a domain. This will defer (temporarily reject) all recipients in the domain, which means that any mail will be queued on the sending system; the senders will likely get a warning that their message is queued after 4 hours, and the mail will eventually be bounced back to them as undeliverable after 5 days (these are the RFC defaults).