
This menu contains functions for managing the system.

 

Sections on this page:

Licence and registration

Update

Maintenance

Backup

Bulk Import

Bulk export

 

 

Section Licence and registration

 

If a valid licence exists, the notification "Valid License detected" is issued in this section.

Otherwise the appliance must be registered. Usually, this is done via the Register this device... button which opens the submenu REGISTER THIS DEVICE.

If access to the SEPPmail licence server (update.seppmail.ch and/or support.seppmail.ch) via TCP Port 22 (see Setting Up The Firewall/Router, as well as section System - Proxy settings) is impossible because it is, for example, a PCI-hardened or a DMZ-isolated system, the registration can be realised via Import license file....

 

 

Section Update

 

View release notes displays the submenu REVISION INFORMATION, which includes the complete version history as well as contents of available and planned updates of the SEPPmail Secure E-Mail Gateway. For each version there is a link to the respective Extended Release Notes (ERN).

Additionally, by clicking this button, a comparison with the SEPPmail licence server can be enforced, through which, for example, licence changes requested at short notice are immediately adopted.

 

Attention:

Since the REVISION INFORMATION also contains information which is to be mandatorily observed by the administrator (see red lettering), we urgently recommend reading this information before every update.

 

Perform update (reboot automatically) starts the download of the firmware from the SEPPmail update server if a download is available and subsequently starts the system with the new firmware. After clicking this button, the display changes to the menu Home. Here, the progress of the download can be viewed under Firmware version of the section Home - System. After the download and the reboot have been completed, the login automatically reappears.

 

Note:

If access to the administration interface is impossible in the event of an error, an update may also be realised via the console (see Rudimentary System Commands).

 

Prefetch update (reboot manually) starts the download of the firmware from the SEPPmail update server if an update is available. After clicking this button, the display changes to the menu Home. Here, the progress of the download can be viewed under Firmware version of the section System. After completion of the download, the new firmware is adopted with the next (manual) reboot.

 

If access to the SEPPmail licence server (update.seppmail.ch and/or support.seppmail.ch) via TCP Port 22 (see Setting Up The Firewall/Router, as well as section System - Proxy settings) is impossible because it is, for example, a PCI-hardened or a DMZ-isolated system, an update file can be requested from the support team. This file is uploaded via Upload button. When the SEPPmail Secure E-Mail Gateway is restarted, the new firmware is activated.

 

Note:

(new in 13.0.0)

All firmware files are signed to prevent the import of a possibly manipulated firmware.

 

Note:
As a rule, the latest firmware is always installed (cumulative). In rare cases, however, the update needs to take place in several steps, for example if there are dependencies in the configuration files. In such cases, the appliance must be updated multiple times until it is up-to-date (message You already have the latest version installed).

 
Please note the following when updating in the cluster:

All machines should be updated at about the same time to avoid long runtimes with different versions.

If an update in several stages is necessary (see above), the same version must always be installed on all cluster partners before the next higher version is updated.
An example for the above mentioned situation would be the update from version 7.0.4 to 7.2. At first only version 7.1 is offered for update. Once all machines are updated to this status, an update to the then offered version 7.2 may be implemented.

If, after an update, a new generation of the ruleset is required (displayed by clicking on View release notes), initially, all machines must be updated to the same version. The ruleset must then be updated on any machine (see section Mail Processing - Ruleset generator - Save and create ruleset).

If it is a Frontend/Backend Cluster, first update the frontend and only then the backend machines so that access within the cluster is not endangered, for example, in the case of security enhancements.

 

Attention:

If the appliance is operated with a ruleset of a previous version after updating to a major version, the following message appears under Home System status, as well as in the Daily Report (see Groups admin and/or statisticsadmin): The current ruleset was created for another version. Please generate a new ruleset or update your special ruleset.

This means that, after updating to a major version, the ruleset must always be generated again (see Mail Processing - Ruleset generator - Save and create ruleset and/or SMTP Ruleset - Generate ruleset).

If in the Custom Rulesets (see also Custom commands) commands are still in use that are no longer supported, a corresponding error is output when generating the ruleset.

 

As generating a new ruleset without prior adjustments in the Ruleset generator has no influence on the way an email is processed, it is generally recommended to regenerate the ruleset after each update.

 

 

Section Maintenance

 

Attention:

Please note that all actions listed here are maintenance operations and may therefore be associated with a restart of the appliance.

 

 

 

Parameters

Description

Support connection

Should unexpected errors occur on the SEPPmail Secure E-Mail Gateway, a support connection to the manufacturer can be established in the framework of a fault message by means of Connect. This establishes an SSH connection (TCP port 22) with the SEPPmail support server.

For establishing a support connection, the input of the ticket number provided when opening the fault message via the corresponding support channels is required.

 

Note:

As long as the support connection is established, the following text is displayed in the header bar of the administration interface - regardless of the menu you are currently in:

Support connection is established: Please disconnect under 'Administration' if not needed anymore

 

Note:

If access to the administration interface is no longer possible, the support connection may also be started via the console (please also refer to Rudimentary System Commands).

Mail Processing

By clicking on Preempt the email traffic on the appliance is stopped. Incoming emails are temporarily rejected.
(new in 14.0.0) The desired SMTP return code for this can be entered.

 

While Preempt is active, the following message Mail processing is preempted. Please restore it under 'Administration' if not needed anymore. is displayed in the status bar. The setting is retained even after restarting the SEPPmail Secure E-Mail Gateway.

Via the button Restore, the normal function of the SEPPmail Secure E-Mail Gateway is restored.

 

Note:

With this function, the email queue is stopped, e.g. during an update in the Cluster - even if that is not required.

If the Cluster makes use of virtual IP addresses (please also refer to System IP ALIAS Addresses), the email traffic can already be diverted on the network level before an update, if applicable. For this purpose, the "Priority" can be temporarily set to "Backup".

Clone device

Creates a clone of another SEPPmail Secure E-Mail Gateway.

For this purpose, the cluster ID (see Cluster Prepare For Cluster - Download cluster identifier) of the SEPPmail Secure E-Mail Gateway to be cloned – that is the source machine – is to be downloaded and provided for the target machine via the "Select file button" under Cluster ID of original device:. Under IP address, enter the IP address of the source machine. The cloning process is then started by clicking on Start cloning.....

 

Note:

Ideally, the source and target machines should have the same firmware version installed before cloning. If different firmware versions cannot be avoided, for example because the update on the source machine is refused due to insufficient partition sizes, cloning from a lower version to a higher one is permitted. However, the delta of the version statuses should be kept as low as possible. This means that the source machine must be brought up to the highest possible firmware level. For the target machine, the image available under https://downloads.seppmail.com/index.php/images/ can always be used.

Cloning a source machine with a higher version to a target with a lower version is never permitted!

 

Attention:

If the source machine is hardware, the Device ID cannot be taken over! For this reason, a ticket is to be sent to support@seppmail.ch stating the existing License ID. The support team then transfers the licence data to a new licence ID and communicates it in the ticket. After the virtual appliance has been set up, it must be registered (Administration - Licence and registration - Register this device) and the new License ID must be entered under Activation Code.

 

Since changing the License ID has an effect especially in a Cluster, the source machine in a cluster configuration MUST be removed from the Cluster before the cloning (see Remove from cluster remove this device from cluster)!

After completion of the process, the clone can be added to the Cluster again (see Add this device to existing cluster).

 

Attention:
If Large File Transfer (LFT) is active on the source machine, it is to be ensured before cloning that the target machine also has LFT memory of at least the same size as the source machine (at least, however, the size stipulated under Sizing).

 

Attention:

During cloning

all data on the SEPPmail Secure E-Mail Gateway on which the process is started (target machine) is deleted.

all data of the source machine, including IP addresses, Device ID (exception: hardware, see above), SSL Certificates, licence data, etc., are transferred to the target machine.

the source machine is automatically shut down after the cloning process has been completed, among other things to avoid duplicate IP addresses in the network.

Reboot

Reboot... restarts the system. A dialogue box for entering a security code appears, which prevents an accidental reboot.

 

Note:

If access to the administration interface is impossible, a restart may also be realised via the console (please also refer to Rudimentary System Commands).

Shutdown

Shut down... shuts down the system. A dialogue box for entering a security code appears, preventing accidental shutdown.

Resize large file storage

The Resize... function initiates a change of the LFT partition size. In the following menu, a dialogue box appears in which a security code is requested. After entering the code, the appliance shuts down.

In the case of virtual systems, the virtual hard disk must now be expanded and the system restarted in order to complete the process.

In the case of hardware, the individual raid disks would have to be gradually replaced by larger ones and restored before resizing could be carried out. Once all disks have been replaced, the actual process can be implemented.

 

Attention:

In general, a backup should be created before this action.

Factory reset

Perform factory reset... resets the system to the factory settings. A dialogue box for entering the security code in reverse order appears to prevent an unintentional reset.

 

Note:

Access to the GUI should no longer be possible immediately after starting the reset. If this option has been selected, the login prompt in the console window of the appliance is retained during ten overwrites. Upon completion of the reset, the appliance shuts down.

If the machine is restarted afterwards, the message as indicated in the chapter Console Login appears again in the console window.

 

LDAP

(new in 12.1.18)

Migrate LDAP to MDB Backend migrates the LDAP backend to MDB (if applicable, see also https://openldap.org/pub/hyc/mdb-paper.pdf).

After successful migration, this section is no longer visible.

 

Attention:

In general, a Backup should be created before this action.

 

Note:

The MDB Backend is mandatory for the later update to version 13.x!

 

 

 

Section Backup

 

Note:

The backup is machine-related and therefore contains the complete configuration.

 

Note:

Backups do not contain logs. In order to store them permanently and securely, it is recommended to export the logs to an external system, see the description under Syslog settings.

 

Parameters

Description

Backup

Download starts the download, while Send Backup starts the email delivery (see Groups - backup (Backup Operator)) of the backup file. The file only contains the configuration and key material of the SEPPmail Secure E-Mail Gateway. One precondition for a backup is a set backup password, which can be set and/or changed via Change password.

Restore

Restoring is initiated via Import backup file....

 

(new in 14.0.0) If a system has an LFT partition and a database, a snapshot of this database is created every night: a full snapshot on Sundays and incremental snapshots during the week. All snapshots are stored for 14 days. (No restore is offered for clusters, so the snapshots are not displayed. Nevertheless, the snapshots are taken in the background and would be available.)

 

Note:
In a Cluster, the restore function may not be performed on only a single cluster partner in this way. If necessary, a failed machine is first to be removed from the Cluster on the remaining, intact machine, as described under Cluster Cluster members Device ID. A new virtual machine can then be set up and added to the Cluster again (see Add this device to existing cluster).

Backup using scp

If the backup is to be retrieved via SCP, a corresponding public key can be entered via the input field (this begins with "ssh-rsa " and ends with "= <description>") which is imported via the Save public key button. This ensures access to the system via the operating system's proprietary user "backup" for retrieving the backup provided daily at midnight (backup.tgz).

By entering another key, the existing key will be deleted. This means that if Save public key is clicked without entering a key, the key will be deleted.
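
Because saving a new value replaces the stored key, it is worth checking the line before pasting it into the input field. The following is an added example, not part of the original documentation or of SEPPmail's code: it parses an OpenSSH "ssh-rsa" public key line and reports the modulus size and description. The function names and the constructed sample key are assumptions of this example.

```python
import base64
import struct


def read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_rsa_pubkey(line):
    """Parse an 'ssh-rsa <base64> <description>' line; return (bits, description)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("line must start with 'ssh-rsa '")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    key_type, pos = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("embedded key type does not match 'ssh-rsa'")
    _exponent, pos = read_string(blob, pos)
    modulus, pos = read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    bits = int.from_bytes(modulus, "big").bit_length()
    return bits, parts[2] if len(parts) == 3 else ""


def constructed_key_line(bits=2048, description="backup-pull@admin-host"):
    """Build a well-formed sample line (constructed, not a usable key)."""
    n = (1 << (bits - 1)) | 1  # placeholder modulus with the top bit set
    fields = [b"ssh-rsa", (65537).to_bytes(3, "big"),
              b"\x00" + n.to_bytes(bits // 8, "big")]  # mpint keeps a leading zero
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + description


if __name__ == "__main__":
    print(inspect_rsa_pubkey(constructed_key_line()))
```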

 

Note:
Members of the backup group (see Groups) receive the backup file daily at midnight by email. One precondition is a set backup password.

Please note that backups of the previous firmware version can be imported into the current firmware version. The ruleset should be generated again afterwards (see Mail Processing - Ruleset generator - Save and create ruleset).

Backups of newer firmware versions must never be installed on machines with older firmware versions.

 

 

Section Bulk Import

 

This section provides numerous (bulk) import functions.

 

On client-capable systems, the imported users or private keys can be assigned either automatically on the basis of the email domains or manually.

GINA users must always be assigned manually.

 

Parameters

Description

Import users (CSV)

Clicking the Import button imports encryption/signature users from a CSV file with the structure "USERID;NAME;EMAIL;PASSWORD". Assigning a password is optional here (see Users).

With users who have been created automatically by the SEPPmail Secure E-Mail Gateway, both the USER ID and EMAIL correspond to the email address of the user, which guarantees uniqueness.

Import GINA users (CSV)

Clicking the Import button imports GINA users from a CSV file with the structure "EMAIL;PASSWORD;NAME;MOBILE". Specifying a mobile phone number is optional.

For example, a customer list in which the customer's postal code serves as the initial password could be entered.
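
A pre-import check for both CSV layouts described above, as an added example that is not part of the original documentation or of SEPPmail's code. It assumes no header row, that optional fields are left empty rather than omitted, and that identifiers are compared case-insensitively; the sample rows are constructed.

```python
import csv
import io
import re

# Column layouts quoted on this page. Columns the page does not call optional
# are treated as required here (an assumption of this example).
LAYOUTS = {
    "users": (("USERID", "NAME", "EMAIL", "PASSWORD"), {"PASSWORD"}),
    "gina": (("EMAIL", "PASSWORD", "NAME", "MOBILE"), {"MOBILE"}),
}
# Deliberately loose shape check: one "@", no spaces, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s;]+@[^@\s;]+\.[^@\s;]+$")


def check_import_csv(text, kind):
    """Return [(line_number, problem), ...] for a bulk-import file's text."""
    columns, optional = LAYOUTS[kind]
    key = columns[0]  # USERID for users, EMAIL for GINA users
    problems, first_seen = [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if not row:
            continue  # blank line
        if len(row) != len(columns):
            problems.append((lineno, f"expected {len(columns)} fields, got {len(row)}"))
            continue
        rec = dict(zip(columns, (field.strip() for field in row)))
        for col in columns:
            if not rec[col] and col not in optional:
                problems.append((lineno, f"{col} is empty"))
        if rec["EMAIL"] and not EMAIL_RE.match(rec["EMAIL"]):
            problems.append((lineno, "EMAIL is not a plausible address"))
        ident = rec[key].lower()  # case-insensitive comparison is an assumption
        if ident and ident in first_seen:
            problems.append((lineno, f"duplicate {key}, first on line {first_seen[ident]}"))
        first_seen.setdefault(ident, lineno)
    return problems

# Constructed sample rows (no header row assumed), not real accounts.
SAMPLE_USERS = (
    "alice@example.com;Alice Example;alice@example.com;\n"
    "bob;Bob Example;bob@example.com;constructed-Pw-1\n"
    "bob;Robert Example;robert@example.com;\n"
    "carol;Carol Example;carol-at-example.com;\n"
    "dave;Dave Example\n"
)
SAMPLE_GINA = (
    "kunde@example.org;constructed-Pw-2;Kunde Eins;+41000000000\n"
    "partner@example.org;;Partner Zwei;\n"
)

if __name__ == "__main__":
    for kind, text in (("users", SAMPLE_USERS), ("gina", SAMPLE_GINA)):
        for lineno, problem in check_import_csv(text, kind):
            print(f"{kind} line {lineno}: {problem}")
```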

Import OpenPGP key pairs

Clicking the Import button imports OpenPGP key pairs. If no user yet exists on the SEPPmail Secure E-Mail Gateway for the email address contained in the key, one is created automatically by this action.

The import is possible via a file as well as by inserting it as text, in each case specifying the appropriate passphrase.

By stringing together key pairs - whether as file or as text - a bulk import is also possible. Individual key files can also be imported from an unencrypted ZIP file without a folder structure. When performing a bulk import, it is to be ensured that all keys have the same passphrase!

Import X.509 keys and certificates

The Import button opens the BULK IMPORT PKCS#12 CERTIFICATE STRUCTURE submenu via which the bulk import of PKCS#12 files is possible.

 

 

Section Bulk export

 

Used to export public keys of internal users (Users).

Thus, if required, these can be passed on collectively to a communication partner, for example.

 

Parameters

Description

Export OpenPGP public keys

Via the button Export all valid "OpenPGP public keys" of the internal users (Users) are downloaded to a file named public_openpgp_keys.zip.

Export X.509 certificates

Via the button Export all valid S/MIME certificates of internal users (Users) are downloaded to a file called public_smime_cert.zip.

  
