In the menu item Mail System, the basic settings of the SEPPmail Secure E-Mail Gateway email system are configured.
The email disclaimers and/or email templates needed in the following section, if applicable, can be created in advance or edited via the buttons Edit mail disclaimer... (if the Central Disclaimer Management (CDM) is not licensed, this button is greyed out) and/or Edit mail templates....
If footers are to be used, always make sure that they are added on the groupware system or by the SEPPmail Secure E-Mail Gateway. If a downstream system appends footers to outgoing emails, an already existing email signature is destroyed, because the signed content is changed after signing. |
Defines the email domains to be managed.
The Filter... provides a search function in the column Domain name of the following table. The search term is entered as a character string.
Column |
Description |
---|---|
List of all email domains created on the SEPPmail Secure E-Mail Gateway. For these domains, emails are accepted and processed accordingly. |
|
Displays the IP address, host name or MX record of the internal groupware system and the port to which incoming emails are routed for the corresponding Domain name indicated above. |
|
Indicates which type of TLS transport encryption is used for the groupware server (Server IP Address). |
|
Shows the smarthost to which emails of the respective Managed domain are to be sent to the Internet (Sender Based Routing). |
|
Displays the GINA domain which has been defined for the respective email domain (please also refer to ). |
|
Displays which disclaimer should be attached to outgoing emails in the respective email domain (see also Mail System Edit mail disclaimer... and/or ). |
|
Displays the postmaster address valid for this domain (see also Settings Postmaster address). If no entry exists, the default entry from SMTP Settings is used. |
|
Displays whether the Managed domain participates in the Managed Domain Service (status managed / unmanaged; see also Settings S/MIME domain keys Automatically create and publish S/MIME domain keys for this domain) and whether the key released on the SEPPmail licence and/or key server deviates from the local key (status mismatch; see also S/MIME domain encryption). If the automatic generation and transfer of domain keys for the participation in the Managed Domain Service has been deactivated globally in this section via Create S/MIME domain keys for managed domain encryption and send public key to vendor pool: (see below), the warning Autopublish globally switched off is displayed in addition. |
This column is only displayed if the MPKI interface is configured. It then displays whether the Managed domain has been set up for the automatic obtainment of user certificates via MPKI (see also Connectors MPKI managed domains). Possible statuses: On, Off. |
This column is only displayed with an active Multitenancy licence.
Name of the client to whom this email domain has been assigned (see also Customers). |
By clicking the Add managed domain... button, additional email domains are added. These email domains must correspond to the email addresses of your company. For more information on managing email domains, please refer to .
If, when creating a domain, the Server IP Address (Forwarding server IP or MX name) "DISCARD" (without quotation marks) is entered for it, all emails addressed to this domain will be discarded. This can, for example, help prevent the sending of bounce emails from internal systems to unknown addresses. |
Parameters |
Description |
||||
---|---|---|---|---|---|
|
With this setting, the participation in the Managed Domain Service is globally defined. |
||||
|
Default setting. Generally active for all Managed Domains (see also Settings S/MIME domain keys). |
||||
Generally not active for all Managed Domains. If this setting has been selected, in the column SEPPmail Managed Domain Encryption of the table above, for each Managed domain the warning Autopublish globally switched off is displayed in addition.
|
|||||
With this setting, it can be decided for each Managed domain (see Settings S/MIME domain keys) whether such participation is desired or not.
|
|||||
By default, this option is inactive. Emails by users with set-up POP3/IMAP access data (see Users Remote POP3) will be collected by the SEPPmail Secure E-Mail Gateway at the set time interval. The emails collected in this manner are subsequently processed by the SEPPmail Secure E-Mail Gateway and forwarded to the corresponding Forwarding server (see table under Mail System Managed Domains Column Server IP Address).
|
|||||
By default, this option is active. Emails for a Managed domain are only accepted if the email address - including the name part - of the recipient is also known on the Forwarding server (see table under Mail System Managed Domains Column Server IP Address). This implies that the Forwarding server also checks the name part of an email and not just the domain part before accepting it. The Flush recipient cache now button is used to clear the cache in which the already successfully found recipients’ addresses are stored.
|
|||||
(new in 13.0.4) |
This configuration option defines the internal mail routing behaviour. It only applies to mails between ExO hosted managed domains if the X-OriginatorOrg header is set.
MSP customers with ExO connected Managed Domains can enable the new routing globally or per managed domain.
See also Extended Release Notes for this entry. |
||||
|
Default setting. Generally active for all Managed Domains. |
||||
Generally not active for all Managed Domains.
|
|||||
If selected, the settings for the domain apply as defined under Internal mail handling. |
Section Managed service status
Contains a description for the meanings of the statuses from Managed domain SEPPmail Managed Domain Encryption.
Defines the type of routing for outgoing emails.
The outgoing routing set here may be overridden by the TLS settings, if applicable (see the following Section TLS Settings)! |
Parameters |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
Default setting. Outgoing emails to the Internet are directly addressed to the target email server of the email recipient by the SEPPmail Secure E-Mail Gateway. The appliance must be accessible directly from the Internet for this setting.
|
|||||||||
If outgoing emails are not to be sent directly to the Internet, we recommend using an email relay server (smarthost). All outgoing emails are transferred to this email relay server, which then forwards the emails to the recipient. The email relay server can be an internal server but also a server at your email provider. |
|||||||||
|
The following is accepted as input:
When specifying an IP address, a host name or an MX name, there is the option to additionally enter an individual port. The port is entered directly afterwards, separated by a colon ":", i.e. "[IP address]:port", "[hostname]:port" or "MX name:port". If no port is specified, the standard SMTP port TCP25 is used. |
||||||||
By default, this option is inactive. Email relay servers at a provider usually require a login before emails can be sent. The provider provides the login data. |
|||||||||
|
User name for registration at the Server name indicated under SMTP server. |
||||||||
Password belonging to the User ID. |
|||||||||
If individual Managed Domains require dedicated Smarthosts (see also Send ALL outgoing mails from this domain to the following SMTP server) that require a login, the access data required can be configured here accordingly. |
|||||||||
Via Add smarthost the required access data are entered. After an entry has been saved, it appears in a new line as a smarthost. |
|||||||||
Already entered Smarthost access data. |
|||||||||
|
Enter the Smarthost (see Server name of the section Use the following SMTP server) |
||||||||
User name for registration at the hostname: indicated under Smarthost. |
|||||||||
Password belonging to the username. |
|||||||||
The selection field lists all Managed Domains. By selecting the Managed Domains (multiple selection is possible by clicking while pressing and holding the "CTRL" key), the access data is restricted to these. This is usually necessary when several clients in a Managed Service Provider (MSP) environment use the same Smarthost with different credentials. |
Section TLS Settings (optional)
Here, TLS connections to the outside, i.e. to the Internet, are listed and/or set up.
If, in the Section Outgoing server, the option Use the following SMTP server has been selected, the TLS encryption for the server entered under Server name can be fixed here.
If the option Use built-in mail transport agent has been selected, the route and the type of the TLS encryption can be defined here as required for specific email servers on the Internet.
For the TLS encryption, the certificate integrated under SSL will be used. |
The Filter... provides a search function in the column Domain name of the following table. The search term is entered as a character string.
New TLS connections are set up via the Add TLS Domain button.
Parameters |
Description |
||
---|---|---|---|
List of all email domains created on the SEPPmail Secure E-Mail Gateway for which a TLS connection has been configured.
|
|||
Displays the IP address, host name or MX record for the respective above-mentioned Domain name.
|
|||
Displays the port used for the TLS encrypted connection to the above-mentioned Server IP Address. By default, this is port 25. |
|||
Indicates which type of TLS transport encryption is to be used by the SEPPmail Secure E-Mail Gateway to the indicated email server for the corresponding email domain. |
|||
If the TLS level fingerprint has been selected, the entered fingerprints of the certificates are displayed here. |
To manage existing TLS connections, click on the respective "Domain name" button.
For more information about managing TLS email domains, see the chapter regarding the submenu .
(new in 13.0.8)
Parameter |
Description |
||
---|---|---|---|
By default, this option is inactive.
|
|||
Enter the domain of the key pair. |
|||
By default, this option is set to "default". |
Defines specific settings for the SMTP protocol.
All settings in this section with the exception of the Postmaster address are machine-related and are thus not synchronized in a Cluster. If required, these settings are to be implemented individually on each Cluster partner. |
Parameters |
Description |
|||
---|---|---|---|---|
In this field, the maximum size of an email which may be transmitted by the SEPPmail Secure E-Mail Gateway via SMTP is defined in kilobytes. Emails exceeding this size will be rejected. If a restriction is defined here, care must be taken that it matches the limits of the groupware server and of any upstream system facing the Internet. If the SEPPmail Secure E-Mail Gateway is to be accessed directly from the Internet via the MX record, the entry of a limit is mandatory. This must not exceed the displayed size (see Note: cannot exceed xxxxx KB). The indicated value also applies to the display of the maximum size of attachments with GINA (not LFT!) replies and/or initial emails. Consequently, nothing is displayed there if this value has not been defined. LFT emails which are delivered via the GINA portal are not affected by this restriction.
|
||||
Input of the email address of the local administrator of the SEPPmail Secure E-Mail Gateway. All status entries created by SEPPmail Secure E-Mail Gateway such as watchdog messages, but also the Daily Reports (see also Groups admin and statisticsadmin) are sent to this email address if they have the status "IMPORTANT"; this means that an administrative action on the appliance is needed.
|
||||
(optional) |
Definition of the name with which the SEPPmail Secure E-Mail Gateway registers when an SMTP connection is established from the outside. If no entry is made, the name entered under System Name is used. |
|||
(optional) |
Definition of the name with which the SEPPmail Secure E-Mail Gateway identifies itself to the remote SMTP server when sending emails (HELO/EHLO command). The appliance normally identifies itself with the name entered under System Name. If this is, for example, a name that cannot be reached from the Internet (for example domain ".local"), it may be necessary to enter the name (FQDN) accessible from the Internet. This ensures that email servers with the setting "Require fully qualified domain name in HELO command" will accept mails from the SEPPmail Secure E-Mail Gateway. The setting is therefore usually only relevant when, in the Section Outgoing server, the setting Use built-in mail transport agent is active. |
|||
(use with care!) (optional) |
Setting of the IP address of a network interface via which all emails are received (usually not necessary). The SEPPmail Secure E-Mail Gateway usually binds all existing network interfaces. If several interfaces are active, but only one of them is to be available for SMTP connections, its IP address can be entered here.
|
|||
|
By default, this option is inactive. By activating this option, only TLS-secured connections are accepted.
|
|||
(new in 12.1) |
By default, this option is inactive. By activating this option, the name of the destination server is sent in the TLS ClientHello message (Server Name Indication, SNI) for every TLS-encrypted outgoing SMTP connection. This allows the accepting target server to select the appropriate certificate if it manages multiple domains and uses different certificates. |
|||
Extended postfix MTA settings opens the subsequent menu , via which the Postfix parameters and thus the SMTP mail flow can be influenced if required.
Changes in only become active after the additional saving by means of Save in Mail System.
|
(new in 13.0.0)
Definition of the ciphers available for the Dovecot IMAP Server.
Note: The Dovecot IMAP Server is only active in a GINA satellite constellation (see also This is a remote GINA server)! |
Parameters |
Description |
||
---|---|---|---|
Selection of the available ciphers
|
Definition of the systems authorised to send emails to the Internet.
Parameters |
Description |
||
---|---|---|---|
At this point, the IP address(es) or subnet(s) can be entered from which the SEPPmail Secure E-Mail Gateway is to accept emails to external recipients. Optionally, in the field Comment: a custom comment can be added for each entry. After saving, a further input field is displayed.
|
|||
This field is used to enter additional relay addresses or subnets. After saving, additional input fields are displayed. |
Section Managed domain relaying
(new in 13.0.0)
Parameters |
Description |
---|---|
Available for selection are all Managed Domains that have one or more entries under Allowed sending servers for this domain. By selecting a Managed Domain, the IP addresses under Allowed sending servers for this domain are globally available for relaying. |
Section Exchange Online Relaying
Parameters |
Description |
|||
---|---|---|---|---|
|
|
By default, this option is inactive. By activating this option, all Microsoft Office Outlook 365 servers are entitled to relay via the SEPPmail Secure E-Mail Gateway.
|
||
Lists the current IPv4 and IPv6 networks that are used by Microsoft Office Outlook 365 servers (see also O365 Endpoints and O365 Endpoints of the German Cloud for the IPs of the German Cloud). |
||||
(new in 13.0.0) |
The input field of this section allows the manual input of further "Exchange Online servers". |
(new in 12.1.1)
Parameters |
Description |
---|---|
By default, this option is inactive. Activating this option activates the "Submission-Port" 587 and thus the STARTTLS protocol. This means that emails can also be processed by internal Users who do not send from any of the Relaying addresses (see also Settings Password and certificate authentication). |
(new in 13.0.0)
Parameters |
Description |
---|---|
By default, this option is inactive. Activating this option activates the "Postscreen". |
If the SEPPmail Secure E-Mail Gateway has another upstream relay, e.g. a spam filter, the antispam functions should not be activated. The antivirus functions should be used in any case. |
Parameters |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
|
By default, this option is inactive. With this feature, incoming external emails - that is, emails which are not received from any IP or subnet registered under Relaying - are no longer directly accepted but only at the second delivery attempt. This is to ensure that methods used by SPAM senders for the direct transmission of emails remain unsuccessful. The reception of desired emails is not prevented by this function, but - in the case of unknown senders - only temporarily delayed. The email server of the sender will make a new delivery attempt after a short time. The email is then accepted.
Explanation of greylisting: Greylisting is a method to combat SPAM emails. This function assumes that email servers and email clients adhere to the RFC standard for SMTP. SPAM senders often do not adhere to the RFC standard. Thus, they do not always evaluate the temporary rejection, which prevents a further delivery attempt. To prevent possible restrictions due to an excessive one-time rejection of desired emails, it is recommended to activate the option Greylist learning only (no e-mail rejection) from the optional settings for two to four weeks after commissioning. By doing so, the SEPPmail Secure E-Mail Gateway is put into a learning mode with respect to the greylisting and does not reject any emails temporarily.
|
||||||||
By default, this option is inactive. Activates the SPAM filter on the SEPPmail Secure E-Mail Gateway. The configuration of the SPAM filter is done in Protection Pack of Section Ruleset generator of the menu Mail Processing.
|
|||||||||
|
By default, this option is inactive. Activates the virus scanner on the SEPPmail Secure E-Mail Gateway. The configuration of the virus scanner is done under Protection Pack of Section Ruleset generator of the menu Mail Processing.
|
||||||||
Enable unofficial signatures for ClamAV |
By default, this option is active. This option allows additional, third-party signatures to the standard antivirus signatures of ClamAV.
|
||||||||
By default, this option is inactive. Activates the verification of a HELO command sent by the sending email server. If the command is not sent, the receipt of the emails is denied (bounced). |
|||||||||
By default, this option is inactive. Emails from servers with IP addresses for which no valid DNS entry exists will be rejected. SPAM senders often use email servers without a valid DNS entry. |
|||||||||
By default, this option is inactive. Verification of the resolvability of the domain part of an email address via DNS. If the resolution fails, the email is rejected (bounced).
|
|||||||||
By default, this option is inactive. Emails are accepted exclusively from servers which identify themselves in the HELO command with a valid hostname, i.e. a hostname which can be resolved in DNS. This could also be a NetBIOS name. |
|||||||||
By default, this option is inactive. Emails are accepted exclusively from servers which identify themselves in the HELO command with their complete FQDN (fully qualified domain name) which can be resolved in the DNS. The FQDN requires at least one full stop ".", for instance "SEPPmail.tld". |
|||||||||
By default, this option is inactive. Limits the number of parallel connections to ten per IP address. This helps prevent an overload of the SEPPmail Secure E-Mail Gateway through individual servers. |
|||||||||
By default, this option is inactive. Activates the Sender Policy Framework function. The optional SPF record entered in the DNS is checked. If the sending server for the corresponding email domain is not stored there, the email is rejected (bounced). |
|||||||||
|
By default, this option is inactive. Greylisting learning mode. The database is set up with the information required for the greylisting operation. For new installations, it is recommended to use this option for two to four weeks to avoid bottlenecks during the start-up phase due to the greylisting. |
||||||||
By default, this option is inactive. It activates a double DNS check. First, it is checked whether a valid DNS entry exists for the IP address; subsequently, it is checked whether the DNS query for that entry returns the original IP.
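The greylisting behaviour described above, including the Greylist learning only mode and the exemption for sources registered under Relaying, modelled as an added Python example (not SEPPmail code). The triplet key, the 300-second retry delay and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RETRY_DELAY = 300  # assumption: seconds a sender must wait before the retry counts


@dataclass
class Greylist:
    relay_networks: list                 # sources registered under Relaying
    learning_only: bool = False          # "Greylist learning only (no e-mail rejection)"
    seen: dict = field(default_factory=dict)  # triplet -> time of first attempt

    def check(self, client_ip, sender, recipient, now):
        """Return an SMTP-style verdict for one delivery attempt at time now (seconds)."""
        ip = ip_address(client_ip)
        if any(ip in ip_network(net) for net in self.relay_networks):
            return "250 relay source, greylisting not applied"
        # Assumed key: the classic (client IP, sender, recipient) triplet.
        triplet = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.seen.setdefault(triplet, now)
        if self.learning_only:
            return "250 learning only, triplet recorded"
        if now - first_seen >= RETRY_DELAY:
            return "250 known triplet"
        return "450 try again later"


def demo():
    """Replay constructed delivery attempts; return the three-digit reply codes."""
    gl = Greylist(relay_networks=["10.0.0.0/8"], learning_only=True)
    partner = ("192.0.2.10", "alice@partner.example", "bob@corp.example")
    unknown = ("198.51.100.7", "news@shop.example", "bob@corp.example")
    replies = [gl.check(*partner, now=0)]            # learning phase: accepted, recorded
    gl.learning_only = False                         # enforcement starts two weeks later
    t = 14 * 86400
    replies.append(gl.check(*partner, now=t))        # learned during warm-up: no delay
    replies.append(gl.check(*unknown, now=t))        # first attempt: temporary rejection
    replies.append(gl.check(*unknown, now=t + 60))   # retry too early: still deferred
    replies.append(gl.check(*unknown, now=t + 600))  # compliant retry: accepted
    replies.append(gl.check("10.1.2.3", "app@corp.example", "x@ext.example", now=t))
    return [r[:3] for r in replies]


if __name__ == "__main__":
    print(demo())
```

The second reply shows why the learning phase matters: a partner recorded during warm-up is accepted without any delay once rejection is switched on.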
Parameters |
Description |
---|---|
Email servers are included in blocklists due to SPAM activities. These lists are maintained by various providers on the Internet. To reject emails from servers listed in these lists, the URLs of the desired real-time blackhole lists (RBL) must be entered. After saving, a further input field is displayed. |
Section Manual blocklisting / welcomelisting
In this menu item, the receipt of external emails from specific IP addresses and/or networks can be blocked (blocklisted) or explicitly allowed (welcomelisted). Welcomelist entries are also excluded from the spam check.
Parameters |
Description |
|||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
For blocking or allowing, the IP network, the action and a comment are entered into the corresponding input fields. (new in 14.0.0) In addition, the validity can be limited (not before / not after).
Example:
|
External addresses to which emails are sent from an internal source (except non-delivery reports (NDR)), are automatically welcomelisted for six months as of the last delivery and thus marked as real communication partners. |
All antispam functions (see Antispam, as well as Mail Processing Ruleset generator Protection Pack) are deactivated for emails from welcomelisted IP addresses. The virus scan remains unaffected. |
The changes made are saved via the Save button.
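A review pass over manual blocklist / welcomelist entries, as an added example (not SEPPmail code and not the appliance's storage format): because welcomelisted sources skip all antispam functions, it flags welcome entries that never expire, are broad, or overlap an active block entry, and it reports expired entries. The Entry fields, the 64-address threshold and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network
from typing import Optional


@dataclass
class Entry:  # constructed record; the field names are assumptions
    network: str
    action: str                              # "block" or "welcome"
    comment: str = ""
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None

    def active(self, now):
        return ((self.not_before is None or now >= self.not_before)
                and (self.not_after is None or now <= self.not_after))


def audit(entries, now, max_welcome_addresses=64):
    """Return (network, finding) pairs that deserve a second look."""
    findings = []
    for e in entries:
        if e.not_after is not None and now > e.not_after:
            findings.append((e.network, "expired, can be removed"))
            continue
        if e.action != "welcome":
            continue
        net = ip_network(e.network)
        # Welcomelisted sources skip every antispam function, so scope matters.
        if e.not_after is None:
            findings.append((e.network, "no 'not after': antispam bypass never ends"))
        if net.num_addresses > max_welcome_addresses:
            findings.append((e.network, "covers %d addresses" % net.num_addresses))
        for other in entries:
            if (other.action == "block" and other.active(now)
                    and net.overlaps(ip_network(other.network))):
                findings.append((e.network, "overlaps block entry " + other.network))
    return findings


NOW = datetime(2025, 6, 1)  # constructed review date
SAMPLE = [  # constructed entries using documentation address ranges
    Entry("192.0.2.16/28", "welcome", "partner MTAs", not_after=datetime(2025, 12, 31)),
    Entry("198.51.100.0/24", "welcome", "migration"),
    Entry("203.0.113.5/32", "block", "spam run", not_after=datetime(2025, 1, 31)),
    Entry("198.51.100.64/26", "block", "compromised hosts"),
]

if __name__ == "__main__":
    for network, finding in audit(SAMPLE, NOW):
        print(network, "-", finding)
```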