How CryptoFilter works
For incoming messages, CryptoFilter needs to get the message before your
Exchange server will get it so that it can perform it checks before passing
the message over to Exchange. Depending on whether you run CryptoFilter on
the same machine as Exchange or on a different machine, CryptoFilter either
needs to hook up to port 25 or to act as a relay host (respectively).
For outgoing messages, Exchange server passes the message to CryptoFilter,
which performs its checks and then sends the message out in the Internet.
From Exchange Servers viewpoint, CryptoFilter is a normal relay host.
So the message flow for incoming messages would be
Internet -> CryptoFilter -> Exchange server
and for outgoing messages it would be Exchange
server -> CryptoFilter -> Internet
System Requirements
- Windows 2000/2003/2008/2012 with TCP/IP installed
- Microsoft Exchange, Lotus Notes or any other SMTP server
Installation
Decide if CryptoFilter should be installed on the Exchange server or on
a different machine:
- Single Exchange server
If you have only one Exchange
server and you have less than 10.000 messages each day,
then run CryptoFilter
on the Exchange server.
- More than one Exchange server in the organization
If
you have more than one Exchange server in your organization then you should
run CryptoFilter on a different machine or at least at a different ip address,
because the Exchange servers communicate internal states using Microsoft
propriety SMTP verbs on port 25 and third party gateways like XWALL
should not be inserted between internal Exchange servers traffic flow.
- Cluster
If you have a cluster then you must run CryptoFilter
on a different machine, because CryptoFilter doesn't support a cluster.
Once you decided on which machine you are installing CryptoFilter, perform
the following steps:
- Run Setup.exe or create a directory on your machine and copy all
the files into this directory
- Start CryptoFilter Admin (MBAdmin.exe) to configure CryptoFilter
- The first time you run CryptoFilter you will be prompted for the following
information:
- Postmaster's address
The address of the
person who is responsible for maintaining CryptoFilter. CryptoFilter
will send all error messages to this address.
- The name or IP address of the Exchange server
If CryptoFilter is running on the same machine as the Exchange server
than you can ( and should ) use localhost as the name.
- The port Exchange listens
If CryptoFilter is running
on the same machine as the Exchange server than use port 24, else
use port 25.
Screenshot:
CryptoFilter
on the same machine as Exchange ,
CryptoFilter
on a different machine
- The e-mail domain that your Exchange is responsible
CryptoFilter
needs to know for which e-mail domain your Exchange is responsible,
so that if can forward messages for this domain to your Exchange.
Screenshot:
e-mail domain that your Exchange is responsible
- Running CryptoFilter on the same machine as Exchange
server
Incoming Messages
If you run CryptoFilter on the same machine as the Exchange, then you
must tell Exchange to listen on a separate port; i.e. not port 25, because
only one application can listen to a specific port at one time and CryptoFilter
needs to be the first application that gets SMTP messages.
Then start MBAdmin, select Options->General->Exchange->Exchange
listens on port and type in the same port that you used in Exchange
( e.g. 24 ) .
Outgoing Messages
(this step is optional and is not needed
for inbound spam blocking)
- Exchange 5.x
Start Exchange Administrator, select the IMS (Internet Mail Service)
and click on the tab labeled Connections.
Enable Forward all messages to host
and type in localhost.
Close the dialog and restart the
IMS.
From then on the Exchange server will forward all messages
to the localhost,
which basically means it sends them to CryptoFilter.
- Exchange 2000/2003
If you have no SMTP connector then start System Manager (Exchange Admin)
and select
Servers->Your Server->Protocol->SMTP->Default
SMTP Virtual Server->Properties.
In this dialog
select the tab labeled Delivery and then
Advanced and in Smart host type in localhost.
Screenshot:
Exchange
forward
Close the dialog and restart the SMTP service of Exchange. From then
on the Exchange server will forward all messages to the localhost, which
basically means it sends them to CryptoFilter.
If you have a SMTP connector then start System Manager (Exchange
Admin) and select Routing Groups->Exchange->Connectors->Your
SMTP Connector->Properties->Forward all mail through this connector
to the following smart host and type in the name or IP address
of the machine where CryptoFilter is running.
Close the dialog and restart Exchange. From then on the Exchange
server will forward all messages to the name or IP address , which basically
means it sends them to CryptoFilter.
- Exchange 2007/2010 and SBS 2008/2011
Start Exchange
Management Console and select Organization Configuration->Hub
Transport->Send Connectors
If there is no connector in
the list, then create one, else select the properties of the correct
outbound connector.
In this dialog select the labeled
Network and then select Route all mail though the following
smart host. Press the Add button and add localhost
as the smart host.
Screenshot:
Exchange outbound connector list,
Exchange smart host
Close the dialog and restart Exchange.
From then on the Exchange server will forward all messages to the name
or IP address , which basically means it sends them to CryptoFilter.
- Running CryptoFilter on a different machine than the Exchange server
Incoming Messages
Start MBAdmin, select Options->General->Exchange->Name
or IP address of the Exchange server
and type in the name or
IP address of the Exchange server.
Screenshot:
CryptoFilter
on a different machine
Depending on your DNS configuration
you will need to change the MX record so that it points to the machine
where CryptoFilter is running or else CryptoFilter will not get the messages
before Exchange.
Note: On Windows 2003/2008
you need to open port 25 on the firewall. So unless you open port 25, no
mail will come in.
Outgoing Messages
(this step is optional
and is not needed for inbound spam blocking)
- Exchange 5.x
Start Exchange Administrator, select
the IMS (Internet Mail Service) and click on the tab labeled
Connections. Enable
Forward all messages to host and type
in the name or IP address of the machine where CryptoFilter is running. Close
the dialog and restart the IMS. From then on the Exchange server will
forward all messages to CryptoFilter.
- Exchange 2000/2003
If you have no SMTP connector
start System Manager ( Exchange Admin) and select Servers->Your
Server->Protocol->SMTP->Default SMTP Virtual Server->Properties.
In this dialog select the tab labeled
Delivery and then Advanced.
In Smart host type in the name
or IP address of the machine where CryptoFilter is running.
Close the dialog and restart Exchange. From then on the Exchange
server will forward all messages to CryptoFilter.
If you have a SMTP connector then start System Manager (Exchange
Admin) and select Connectors->Your SMTP Connector->Properties->Forward
all mail through this connector to the following smart host and
type in the name or IP address of the machine where CryptoFilter is
running.
Close the dialog and restart Exchange. From then
on the Exchange server will forward all messages to the name or IP address
, which basically means it sends them to CryptoFilter.
- Exchange 2007/2010 and SBS 2008/2011
Start Exchange
Management Console and select Organization Configuration->Hub
Transport->Send Connectors
If there is no connector in
the list, then create one, else select the properties of the correct
outbound connector.
In this dialog select the labeled
Network and then select Route all mail though the following
smart host. Press the Add button and add type in the name
or IP address of the machine where CryptoFilter is running as the smart
host.
Screenshot:
Exchange outbound connector list,
Exchange smart host
Close the dialog and restart Exchange.
From then on the Exchange server will forward all messages to the name
or IP address , which basically means it sends them to CryptoFilter.
Once you have done this you can start MBServer and check if all messages
are properly routed.
Run CryptoFilter as a service
Once you run CryptoFilter as a service, errors will only be visible
in the logfile or in the main window of MBAdmin. Consequently, before running
it as a service you must first ensure that CryptoFilter is running properly with
no errors by launching it in Console Mode (i.e. starting it from an icon).
In general, installing CryptoFilter as a service should be your last task
and not your first.
Note: Keep in mind that CryptoFilter needs to reside on a local disk
or the service controller will not be able to start it. Also make sure MBAdmin.exe
and MBServer.exe are in the same directory.
- Install the service using the GUI
Start MBAdmin,
select View->Service and here you can install, remove, start and stop
the service. By default it is an AutoStart service and any time your computer
is started, CryptoFilter will start.
Note:After you
have started CryptoFilter as a service, verify that CryptoFilter has no errors. You
need to take a look into the logfile to do this or start MBAdmin and in
the main window you see the logfile.
- Install the service from the command line
Open a DOS
box and change to the directory where CryptoFilter is installed ( usually
C:\Program Files\CryptoFilter )
- Installing CryptoFilter as a service
Start MBServer.exe with the argument of install, by typing
MBServer install at the command prompt and CryptoFilter will create
the service.
By default it is an AutoStart service and any time your computer
is started, CryptoFilter will start. You can start and stop CryptoFilter at
any time via Control Panel
Note: After you have started CryptoFilter
as a service, verify that CryptoFilter has no errors. You need to
take a look into the logfile to do this or start MBAdmin and in the
and in the main window you see the logfile.
- Removing CryptoFilter as a service
Start MBServer.exe
with the argument of remove, by typing MBServer remove
at the command prompt and CryptoFilter will delete the service.
How to Stop CryptoFilter
- CryptoFilter runs as a console application
- Press ESCAPE
- Select Close from the system menu (works only on Windows
NT®)
- Press Alt-F4 (works only on Windows NT)
- CryptoFilter runs as a service
- Open Control Panel, select Services, locate CryptoFilter
and press the button labeled Stop
- Type Net Stop CryptoFilter at the command prompt
Upgrade to the latest Version
You will find the latest version of CryptoFilter in the
Download Area
setup_cryptofilter_??.exe searches for a previously installed CryptoFilter
and updates only the executable files. The settings, which are stored in cryptofilter.ini
and *.dat, are not touched.
If the CryptoFilter service is running,
it is stopped and restarted after the update. In the unlikely event that a
executable is locked, the setup program asks for a reboot to change the file.
If you refuse the reboot, you need to manually reboot later to bring the new
executable into affect.
Note: If you are upgrading from a very old version then you must
reapply your registration number.
Helper Programs
- Signal
is a command line program
that allows you to perform the same commands as from the Signal menu of
MBAdmin. You can force the download of POP3 messages by simply clicking
on a link rather than starting MBAdmin.
- LogView
allows you to view
the logfile in real time from any machine on your network. This is
especially useful if MBServer runs as a service.
- TestMX is a command line program to
resolve the MX record for a give domain and then connect to the mail server.
The main purpose is to troubleshoot MX related problems or to check if
a domain can accept messages.
- CSVToEnv is a command line program
to recreate the envelope from the statistic file. CSVToEnv is needed to
resend messages from the history folder.
- TLS/SSL Toolkit contains a generic
certificate that you may use for a quick start. Download
TLS/SSL Toolkit and extract cert.pem
and cacert.pem into the XWall directory and then turn on TLS/SSL.
- SerializeLog by Softec Integrations
AG is a command line program to serialize the
XWall logfile to facilitate troubleshooting.
- UniqueLog
extracts the part from a logfile that belong to an unique id
Troubleshooting
Click here to view the troubleshooting section
Licensing Agreement
CryptoFilter ® is copyrighted 1993-2012 by DataEnter GmbH
This product and its documentation may not, in whole or in part, be copied,
rent, leased, loaned, resold, assigned, sublicensed, modified, reproduced,
transmitted, transcribed, stored in a retrieval system, or translated into
any other natural or computer language, in any form or by any means whatsoever,
be it electronic, mechanical, magnetic, optical, manual or otherwise, without
the prior written consent of DataEnter.
DataEnter makes no warranty or representation, either expressed or implied,
with respect to the product CryptoFilter and its documentation, their quality,
performance, merchantability, or fitness for a particular purpose. DataEnter
reserves the right to revise the user's guide and make changes to the content
without obligation to notify any person or organization of such change. In
no event will DataEnter be liable for any direct, indirect, special, incidental
or consequential damages, real or imagined, resulting from the use or purchase
of this software. Under no circumstances shall DataEnter's liability for damages
exceed the price paid for the software license. Should any remedy hereunder
be determined to have failed, all limitations of liability and exclusion of
damages set forth above shall remain in full force and effect. The extent
of the DataEnter's warranty for the software and its documentation is limited
to physical defects of the distribution media containing the software. Contact
DataEnter to obtain return authorization for the replacement diskette within
30 days of the original date of purchase. Any further statement made by agents,
employees, distributors or dealers of DataEnter do not constitute warranties
and are not binding. No employee of DataEnter has the authority to modify
any portion of this warranty.
All brand and product names we refer to in the documentation are used solely
for identification purposes and may be trademarks of other companies.
CryptoFilter Standard Edition: DataEnter, (the licensor) grants
the buyer (the licensee) the right to use this copy of CryptoFilter Standard
Edition (the program) on a single computer at a single location running a
single instance and servicing a single Exchange server as long as the licensee
complies with the terms of this license.
CryptoFilter Enterprise Edition: DataEnter, (the licensor) grants
the buyer (the licensee) the right to use this copy of CryptoFilter Enterprise
Edition (the program) on a single computer at a single location running a
single instance as long as the licensee complies with the terms of this license.
The licensor reserves the right to terminate this license if the licensee
violates any part of the agreement. The licensee agrees to make copies of
the program only for backup purposes. The licensee agrees not to copy the
documentation and to take all necessary precautions to ensure that the backup
copies of the software are not distributed to or acquired by other parties.
Support: Support is by e-mail
Upgrades, Updates: Updates are free, as long as the major version
number does not change.
( at present the major version number is v3.x
)
Trademarks,
OpenSSL Credit
History
v3.04 2021-08-06
- New: Compiled with ASLR (address space randomization) and NX (no execution)
- New: Support status query using Nagios
- New: Verify a certificate using the CommonName and the subjectAltName
- New: Global exclusion for TLS required sender (InboundExclTLSRequired=True)
- New: Enhanced TLS peer certificate verification (OutboundSMTPTLSVerify=True)
- New: Support for Online Certificate Status Protocol (OCSP)
- New: The Format column in the statistic file indicates a IPv6 connection
- Chg: Outbound TLS connection use TLSv1, omit SSLv2, and reconnect with
SSLv3 when TLSv1 fails
- Chg: IPv6 DNS query using ALL and fall back to A/AAAA for server that
don't support it
- Fix: Binding to a IPv6 address erroneously enabled inbound IPv6
- Fix: Message-id was not unique when created within one tick
- Fix: SMIME certificates with an e-mail only in subjectAltName
- Fix: Unnecessary restart when timezone changes
- Fix: FQDN on a machine with more than one IP address
- Fix: SMIME encryption with missing cert file failed with wrong error
v3.05 2013-01-15
- New: SMIME sign and encryption of pre-signed and/or pre-encrypted
messages
- New: Reassemble of SMIME signed, detach signed and encrypted
messages
- New: Support for DANE TLSA certificate verification
(OutboundSMTPTLSVerifyDANE=True)
- New: Support for DomainKeys Identified Mail Signatures (DKIM)
- New: DKIM verification using Author Domain Signing Practices (ADSP)
- New: Added additional DKIM error messages
- New: Terminate connection after a client tried two messages without
any valid sender or recipient address
- Chg: Accept an E-Mail address with a user part longer than 64 bytes
- Chg: Removed support for Domain-Based Email Authentication Using
Public Keys Advertised in the DNS (DomainKeys)
- Fix: SMIME remove signature for outgoing messages
- Fix: Disable TLS/SSL cipher DES-CBC-SHA
- Fix: TLS with more than one intermediate certificate shows wrong
status
Click here to view the complete History
|
