1. modusGate Only
1.1. How-to: Perform a Backup/Restore on a modusGate Appliance
 
 
The attached document outlines the backup and restore procedures for the modusGate™ Appliance. 
 
The information found in this document is only for the NEI appliance platform.
 
 
1.2. How-to: Integrate modusGate with a PGP Gateway
  

Product: modusGate™
Version & Build: 4.4 and above

Attached is a document detailing the instructions for integrating modusGate™ with the PGP Universal server (for message encryption).  The document was provided by PGP Corporation, a developer of email and data encryption software.

For more information, go to www.pgp.com

 

1.3. How-to: Reset a ModusGate Appliance to its Original State
 

Product: ModusGate Appliance

Version & Build: All

The following will reset a ModusGate Appliance and return it to its original out-of-box settings:

 

  • Power the Appliance off and on
  • There will be a short beep, followed by a long beep
  • Immediately after hearing the long beep, spin the knob counter-clockwise
    • If you wait too long to turn the knob counter-clockwise, the Appliance will begin to load Windows
  • The LCD will display:

System Installer version X.X

Restore Image

Reboot <Cancel>

  • Turn the knob to select Restore Image & press the knob to confirm
  • If you attach a monitor to the Appliance, you will see that it is reformatting the 70 GB partition
  • Upon completion of the format, a ghosted image will install Windows Server 2003 (base) and the ModusGate version originally installed on the appliance
  • Configure the Appliance as you did when you first received it (all settings are lost when the image is restored)

  

Note:  The system will reboot when the restore process is complete.  Do not turn the unit off during this process.

 

1.4. How-to: Encrypt ModusGate User List Population and Authentication Requests
 

Product: ModusGate

Version & Build: All

Before you begin:

 

If you have not obtained a certificate from the Certificate Authority (CA) server, please consult the Microsoft knowledge base article How to enable LDAP over SSL with a third-party certificate authority.  After enabling LDAP over SSL, reboot the LDAP server and use the ldp.exe utility to test whether port 636 or 3269 responds.



1)  Export the Root Certificate Authority:

 

Before making any changes on the ModusGate server, proceed with the following:

 

  • On the LDAP server, create an MMC for the certificates on the Local Computer
  • Once created, under Console Root, go to Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates
  • Double-click on the Root certificate that was Issued To: CertificateServer_CA and Issued By: CertificateServer_CA
  • Click on Details
  • Click on Copy to File
  • At the Welcome window, click on Next
  • Select DER encoded binary X.509 (.CER), click on Next and enter a file name for the certificate
  • Click on Next and then Finish
  • A message advising that the export was successful should appear

2)  Import the Root Certificate Authority:

 

The certificate must be imported to the ModusGate server and installed under Certificates (Local Computer)\Trusted Root Certification Authorities:

  • Double-click on the certificate file exported from the LDAP server
  • Click on Install Certificate
  • At the Welcome to the certificate import wizard window, click on Next
  • Select Place all certificates in the following store and click on Browse
  • Check the Show physical stores option
  • Locate and expand Trusted Root Certification Authorities, select Local Computer and click on OK
  • Click on Next and then on Finish
  • A message advising that the import was successful should appear

3)  Populating the User Lists:

  • In the ModusGate Console, click on Connection
  • Click on the route to be configured
  • For Automatically populate user list and Authentication request, enable Use SSL/TLS
  • For both, enter the FQDN as specified in the subject of your certificate (e.g. hostname.domain.com)
  • Ensure that the ports are changed to either 636 (LDAPS) or 3269 (Global Catalog)
    • When using SSL/TLS, the port must be set to 636 or 3269
  • Click on Apply
  • Stop/start the SMTPRS service

Troubleshooting:

 

If, after completing the above steps, you get Error 450 <username@domain.com> is temporarily unavailable, try later, ensure that the following were properly configured:

 

  • In the ModusGate Console, the FQDN (not the IP of the LDAP server) was entered
  • Ping your LDAP server (e.g. ping hostname.domain.com)
  • Verify step #2:  Make sure that the certificate you imported from the LDAP server is installed under Trusted Root Certification Authorities\Local Computer
  • Double-click on the imported certificate and make sure it is installed
  • Telnet into your LDAP server on port 636 or 3269 from your ModusGate server
    • If you do not receive a blank banner, there is a problem with your firewall or the certificate is not installed correctly on the LDAP server
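Before relying on the telnet test above, the following added script (not part of modusGate; the host name, port and certificate file name are assumptions) performs the same connection with a real TLS handshake validated against the root CA exported in step 1, names the likely cause of each failure, and checks the FQDN you would type into the console against the names in the certificate.

```python
import socket
import ssl
from pathlib import Path
from typing import Dict, Union

LDAPS_PORTS = (636, 3269)  # LDAPS and Global Catalog over SSL, the ports step 3 requires


def load_root_ca(path: str) -> Union[bytes, str]:
    """Read the root CA exported in step 1 in whichever form load_verify_locations(cadata=...)
    accepts: the wizard's 'DER encoded binary' file as bytes, or a PEM file as text."""
    raw = Path(path).read_bytes()
    return raw.decode("ascii") if raw.lstrip().startswith(b"-----BEGIN") else raw


def dns_name_matches(fqdn: str, pattern: str) -> bool:
    """Match one certificate DNS name against the FQDN typed into the console.
    Case-insensitive; a wildcard covers exactly one left-most label (RFC 6125)."""
    fqdn, pattern = fqdn.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return fqdn == pattern
    host_labels, pat_labels = fqdn.split("."), pattern.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_covers_fqdn(cert: Dict, fqdn: str) -> bool:
    """True if the FQDN is in the certificate's subjectAltName DNS entries or, when
    the certificate has no SAN at all, in its subject commonName."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(fqdn, s) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(fqdn, cn) for cn in cns)


def diagnose(exc: BaseException) -> str:
    """Map a failed connection onto the article's troubleshooting list."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate rejected: root CA not imported on this host, or its name differs from the FQDN you entered"
    if isinstance(exc, ssl.SSLError):
        return "port answered but not with TLS: LDAP over SSL is not enabled on the LDAP server"
    if isinstance(exc, OSError):  # refused, timed out, unreachable
        return "no TCP connection: firewall, wrong port, or LDAP server down"
    return f"unexpected error: {exc!r}"


def check_ldaps(fqdn: str, port: int, root_ca_path: str, timeout: float = 5.0) -> Dict:
    """The article's 'telnet to 636/3269' test, but with a real TLS handshake
    validated against the exported root CA, so each failure has a named cause."""
    if port not in LDAPS_PORTS:
        return {"ok": False, "reason": "with SSL/TLS enabled the port must be 636 or 3269"}
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.load_verify_locations(cadata=load_root_ca(root_ca_path))
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except Exception as exc:
        return {"ok": False, "reason": diagnose(exc)}
    return {"ok": True, "subject": cert.get("subject"), "name_ok": cert_covers_fqdn(cert, fqdn)}


if __name__ == "__main__":
    # Assumed names: replace with your LDAP server FQDN and the exported root CA file.
    print(check_ldaps("hostname.domain.com", 636, "CertificateServer_CA.cer"))
```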

 

1.5. How-to: Install ModusGate v4.4 on Small Business Server 2003
 

Product: ModusGate

Version & Build: 4.4

This document outlines the procedures for installing ModusGate v4.4 on a Microsoft Small Business Server 2003.
 
 
Background:

The default Active Directory permissions are restricted on SBS 2003 (unlike on a standard Windows server).  This prevents ModusGate from populating its user lists, including aliases, in SBS 2003.  Aliases are populated not as aliases but as users.  This causes problems with quarantine reports, WebQuarantine and the license count.
 
1.6. Info: Appliance Cannot Access the ModusGate Console or System Health Panel

Product:
ModusGate Appliance

Version & Build:  4.35.480 and below

Problem:

ModusGate appliance and Vista 7.0 cannot access the ModusGate administration console or system health panel.  This affects all appliances that were initially imaged with ModusGate builds prior to 4.35.480.

 

If you are experiencing problems accessing the Console or the system health panel from the appliance’s web-based menu, there could be a problem with ActiveX.  The ActiveX control used to permit the web-based console session does not have the proper digital signature.  The current ActiveX control has a valid signature through to mid-2008.  Note that this occurs in older appliances.

 

To download the latest ActiveX control for your appliance, go to: 

http://sus.celestix.com/files/clxsalts.cab
 
Save the file in the C:\Windows\System32\ServerAppliance\Web\Admin\CLX\salts directory of your appliance.

1.7. Info: ModusGate Appliance Cannot be Reached after Hooking up to the Network

 

Product: ModusGate Appliance

Version & Build: All

Problem:

 

If you use the Knob to change the IP address of the NIC, the machine is no longer reachable. 

Reason:

 

The knob only lets you control the IP address and netmask of the NIC, not the gateway.  Assuming your appliance is in your DMZ and you are using Remote Desktop or https to connect to it, chances are it cannot reply because it does not know the gateway.

 

The knob is available as a quick-fix when you need to hook up to the machine and you are on the same subnet talking to the same switch or if you want to connect to the box using a cross-cable and need to set an IP address.

Solution:

 

Change the IP address so that it uses DHCP again and then use Remote Desktop to get to the box and change the IP and Gateway of the NIC from within Windows.  You will be able to see what IP address was assigned to the machine by rotating the Knob.  If you cannot get to the machine, attach a keyboard and monitor to the box and make the necessary changes by logging in from the Windows console.

 

  • Login to Windows
  • Go to Control Panel > Network Connections
  • Right-click on LanX (where X = port you are using) and select Properties
  • Select TCP/IP > Properties
  • Change the IP, Netmask, Gateway and DNS Server addresses

1.8. How-To: Configure ModusGate with Specific OpenLDAP Server Attributes

 

Product: ModusGate

Version & Build: All

LDAP Routes with Customized Attributes

 

In a ModusGate route configured with OpenLDAP, by default, the mailbox attribute is ‘mail’ and the mail alias attribute is ‘uid’.

You can create OpenLDAP mailbox validation schemes in ModusGate for any OpenLDAP server.

 

Information regarding the LDAP server mail attributes:

  • LDAP attribute used to identify a main mailbox
    • The default attribute is ‘mail’
      • ModusGate always issues mailbox validation requests as a whole email address, including the domain name
  • LDAP attribute used to identify a mailbox alias
    • The default attribute is ‘uid’
      • By default, ModusGate issues alias validation requests without the domain name (this can be modified, as explained later)
  • If the LDAP server supplier does not document these attributes, they can easily be read with a standard LDAP browser or tested with the default ModusGate attributes
    • Simply verify whether a test message to a mailbox or alias is accepted by ModusGate using the default OpenLDAP settings found in the Console at Connection – Properties – General

ModusGate with a Single OpenLDAP Route Scheme

 

  • In the Console, go to Connection – Properties – General
  • Create a domain route with both Automatically populate user list and Authentication request set to OpenLDAP and pointing to the OpenLDAP server IP address
  • Click on Apply and exit the Console
  • Open the Registry Editor (regedit or regedt32)
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers
    • The Registry branch is as follows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\1]
    @=""
    "Alias_AttributeName"="uid"
    "AliasedObject_AttributeName"="aliasedObjectName"
    "AliasedObject_UIDTag"="uid"
    "Mailbox_AttributeName"="mail"
    "Name"="OpenLDAP"
    "StripDomainFromAliasQuery"=dword:00000001

 

  • Modify Alias_AttributeName to match your OpenLDAP server alias attribute
  • Modify Mailbox_AttributeName to match your OpenLDAP server mailbox attribute
  • Modify StripDomainFromAliasQuery to:
    • Hexadecimal 1 to exclude the domain name from alias validation
    • Hexadecimal 0 to include the domain name in alias validation requests
  • Exit the Registry Editor (changes are saved automatically)
  • Go to System – Properties – Services and stop and start the following:
    • SMTPRS
    • MODUSCAN
    • MODUSADM
  • Send a test message to a mailbox and an alias on the OpenLDAP-validated server

ModusGate with Multiple OpenLDAP Route Schemes

 

  • In the Console, go to Connection – Properties – General
  • Create a domain route with both Automatically populate user list and Authentication request set to OpenLDAP and pointing to the OpenLDAP server IP address
  • Click on Apply and exit the Console
  • Open the Registry Editor (regedit or regedt32)
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers
    • The Registry branch is as follows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\1]
    @=""
    "Alias_AttributeName"="uid"
    "AliasedObject_AttributeName"="aliasedObjectName"
    "AliasedObject_UIDTag"="uid"
    "Mailbox_AttributeName"="mail"
    "Name"="OpenLDAP"
    "StripDomainFromAliasQuery"=dword:00000001

 

  • Click on HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\1 to select the branch
  • Click on File > Export, select the file location and save the file with a .reg extension
  • Exit the Registry Editor
  • Copy the file using different filenames to create new OpenLDAP schemes (e.g. QmailLDAP, PostfixLDAP, etc.)
  • Use a text editor to modify each file’s attributes according to your OpenLDAP server’s requirements:
    • At the end of the first line, modify the number to assign a unique sequence number to your scheme
      • 1 is the default OpenLDAP entry and Vircom uses 2 for Sun One Directory servers (see How-To: Configure ModusGate with Sun One Open Directory for Sun Email Servers)
      • Do not assign the same number twice
    • Modify Alias_AttributeName to match your OpenLDAP server alias attribute
    • Modify Mailbox_AttributeName to match your OpenLDAP server mailbox attribute
    • Assign a unique and clear name to Name
      • This name is propagated to the Console in Connection – Properties – General (e.g. QmailLDAP, PostfixLDAP, etc.)
    • Modify StripDomainFromAliasQuery to:
      • Hexadecimal 1 to exclude the domain name from alias validation
      • Hexadecimal 0 to include the domain name in alias validation requests
  • Save the .reg file after modifying it
  • Repeat the above steps for each OpenLDAP scheme, using a new sequence number and file name
  • Import the newly created .reg files by double-clicking on each of them
  • Go to the Registry Editor to ensure that the new registry branches have been imported properly
  • In the Console, go to Connection – Properties – General and assign your newly created OpenLDAP schemes to the appropriate domains
  • Go to System – Properties – Services and stop and start the following:
    • SMTPRS
    • MODUSCAN
    • MODUSADM
  • Send test messages to mailboxes and aliases on the OpenLDAP validated servers

 

Consult How-To: Configure ModusGate with Sun One Open Directory for Sun Email Servers for complementary information.
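The .reg files in the procedure above are edited by hand; this added Python script (not a Vircom tool) parses an exported LDAPServers branch, enforces the unique-number and unique-Name rules, and emits an importable file for a new scheme. The QmailLDAP attribute values are constructed placeholders, and a file exported by regedit must be read with encoding utf-16 before being handed to parse_reg.

```python
import re
from dataclasses import dataclass
from typing import Dict

BRANCH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers"
KEY_RE = re.compile(r"^\[" + re.escape(BRANCH) + r"\\(\d+)\]$")
STR_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


@dataclass
class LdapScheme:
    """One LDAPServers branch, holding the values the article has you edit."""
    number: int          # sequence number at the end of the key name, unique
    name: str            # Name shown in Connection - Properties - General
    mailbox_attr: str    # Mailbox_AttributeName
    alias_attr: str      # Alias_AttributeName
    strip_domain: bool   # StripDomainFromAliasQuery: True = exclude domain

    def to_reg(self) -> str:
        """Render the branch in the layout the article shows."""
        return "\n".join([
            f"[{BRANCH}\\{self.number}]",
            '@=""',
            f'"Alias_AttributeName"="{self.alias_attr}"',
            '"AliasedObject_AttributeName"="aliasedObjectName"',
            '"AliasedObject_UIDTag"="uid"',
            f'"Mailbox_AttributeName"="{self.mailbox_attr}"',
            f'"Name"="{self.name}"',
            f'"StripDomainFromAliasQuery"=dword:{int(self.strip_domain):08x}',
        ]) + "\n"


def parse_reg(text: str) -> Dict[int, LdapScheme]:
    """Parse every LDAPServers branch found in .reg text."""
    schemes: Dict[int, LdapScheme] = {}
    current, values = None, {}

    def flush() -> None:
        if current is not None:
            schemes[current] = LdapScheme(
                number=current,
                name=values.get("Name", ""),
                mailbox_attr=values.get("Mailbox_AttributeName", "mail"),
                alias_attr=values.get("Alias_AttributeName", "uid"),
                strip_domain=values.get("StripDomainFromAliasQuery", 1) == 1)
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            flush()
            current, values = int(m.group(1)), {}
        elif m := STR_RE.match(line):
            values[m.group(1)] = m.group(2)
        elif m := DWORD_RE.match(line):
            values[m.group(1)] = int(m.group(2), 16)
    flush()
    return schemes


def add_scheme(existing: Dict[int, LdapScheme], new: LdapScheme) -> str:
    """Importable .reg text for a new scheme; refuses a reused number or Name."""
    if new.number in existing:
        raise ValueError(f"number {new.number} already used by {existing[new.number].name!r}")
    if any(s.name.lower() == new.name.lower() for s in existing.values()):
        raise ValueError(f"scheme name {new.name!r} already in use")
    return "Windows Registry Editor Version 5.00\n\n" + new.to_reg()


# Constructed sample: an export holding the OpenLDAP (1) and SunOneLDAP (2) branches.
EXISTING_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\1]
@=""
"Alias_AttributeName"="uid"
"AliasedObject_AttributeName"="aliasedObjectName"
"AliasedObject_UIDTag"="uid"
"Mailbox_AttributeName"="mail"
"Name"="OpenLDAP"
"StripDomainFromAliasQuery"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\2]
@=""
"Alias_AttributeName"="mailalternateaddress"
"AliasedObject_AttributeName"="aliasedObjectName"
"AliasedObject_UIDTag"="uid"
"Mailbox_AttributeName"="mail"
"Name"="SunOneLDAP"
"StripDomainFromAliasQuery"=dword:00000000
"""


def build_qmail_scheme() -> str:
    """Worked case: a third scheme with hypothetical attribute names for a qmail-style directory."""
    existing = parse_reg(EXISTING_REG)
    new = LdapScheme(number=max(existing) + 1, name="QmailLDAP", mailbox_attr="mail",
                     alias_attr="mailAlternateAddress", strip_domain=False)
    return add_scheme(existing, new)
```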

1.9. How-To: Configure ModusGate with Sun One Open Directory for Sun Email Servers

 

Product: ModusGate

Version & Build: All

Available in ModusGate is the option to use OpenLDAP for mailbox validation and authentication.  OpenLDAP servers can use different attributes for mailbox and alias identification.  As such, ModusGate needs to know which attributes to query to validate mailboxes and aliases.  ModusGate supports all attributes of OpenLDAP.

 

You can create several OpenLDAP routes in ModusGate using different LDAP mail and alias attribute types.  To facilitate the process, Vircom has created this ready-made route type for Sun One (formerly iPlanet) LDAP servers by using "mailalternateaddress" for aliases (instead of the default “uid” attribute) and by including the domain name in the alias request.  Other OpenLDAP attributes can easily be configured for different flavors of OpenLDAP servers.

Sun One (formerly iPlanet)

 

Attached to this article are two Windows Registry branches that you can import for Sun One Open Directory.  The contents are as follows:

 

OpenLDAP.reg

  • Creates the standard OpenLDAP type found in the original ModusGate installation (Connections – Properties – General)
  • The content of this Registry file is:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\1]
    @=""
    "Alias_AttributeName"="uid"
    "AliasedObject_AttributeName"="aliasedObjectName"
    "AliasedObject_UIDTag"="uid"
    "Mailbox_AttributeName"="mail"
    "Name"="OpenLDAP"
    "StripDomainFromAliasQuery"=dword:00000001

SunOne.reg

  • Adds a second OpenLDAP type to the list of validation/authentication processes in ModusGate (Connections – Properties – General)
  • The content of this Registry file is:

 

    [HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\LDAPServers\2]
    @=""
    "Alias_AttributeName"="mailalternateaddress"
    "AliasedObject_AttributeName"="aliasedObjectName"
    "AliasedObject_UIDTag"="uid"
    "Mailbox_AttributeName"="mail"
    "Name"="SunOneLDAP"
    "StripDomainFromAliasQuery"=dword:00000000

Installation Procedures:

  • You must have Administrator rights to the ModusGate server to proceed
  • Make sure that the ModusGate Console is closed
  • Double-click on each of the two Registry files to import the keys
  • Open the Console and go to Connections – Properties – General
  • At Authentication Requests, use the pull-down menu to select SunOneLDAP
  • Go to System – Properties – Services and stop and start the following:
    • SMTPRS
    • MODUSCAN
    • MODUSADM
  • Send a test message to a mailbox alias on the Sun One OpenLDAP server

 

This solution is easy to install and manage and provides the option to add extra OpenLDAP types when necessary.

 

Consult How-To: Configure ModusGate with Specific OpenLDAP Server Attributes for complementary information.

 

1.10. Info: Mailbox Verification vs. Mailbox Authentication

 

Product: modusGate

Version & Build: All

This article will explain the differences between the User Population and Quarantine Login Authentication functions of modusGate.  One checks if the mailbox exists, while the other verifies the password.

 

The following are types of mailbox verifications:

  • SMTP
  • SMTP_VRFY
  • Exchange 2000+
  • Exchange 5.5
  • Lotus Domino
  • Open LDAP
  • Disabled
  • Tertiary MTA-Based Authentication


 
The following are for user authentication:

  • SMTP_AUTH
  • Exchange 2000+
  • Exchange 5.5
  • Open LDAP
  • POP3
  • Tertiary MTA-Based Authentication
 


Purpose of Mailbox Verification [Populate User Mailboxes]:

  • To verify the existence of a mailbox on the primary server, to avoid sending messages to non-existent mailboxes
  • modusGate can reject messages immediately during dictionary attacks, as opposed to passing the messages through to the primary server

Purpose of Mailbox Authentication:

  • Used to permit the WebQuarantine login
  • As modusGate does not store user passwords, a method to authenticate user passwords is required

Mailbox Verification

 

SMTP:

  • All mail servers other than Microsoft™ Exchange & Lotus Domino support this method
  • Before delivering a message to a user on the primary server, ModusGate does the following:
     
    ehlo modusgate.yourdomain.com
    mail from: originator@domain.com
    rcpt to: address@yourlocaldomain.com


  • If the primary server replies 550 no such user here, modusGate blocks the message
  • SMTP is the most widely supported method because most servers reject messages destined to a bad mailbox
  • This method does not detect aliases – aliases, therefore, count as mailboxes
     
SMTP_VRFY:

 

  • This method is similar to SMTP, except it makes use of the VRFY function that exists on most mail servers
  • Also supported by Exchange 5.5 (but not subsequent versions)
  • On many servers, it can help to detect aliases
    • modusGate connects to the main mail server to verify the existence of a mailbox:
       
      ehlo modusgate.yourdomain.com
      vrfy user@yourlocaldomain.com
       
    • If your server returns the following, the feature is supported:

550 no such user here - for invalid users, and
250 user@yourlocaldomain.com - for valid users

    • ModusGate can detect aliases if the following is successful:

      VRFY alias@yourlocaldomain.com
      250 realusername@yourlocaldomain.com
 

  • If the target server supports the above, then aliases are detected
     
Exchange 2000+ / Exchange 2003: 

  • modusGate performs an Active Directory lookup to see if the user exists or not via an LDAP Query
  • For more information about this configuration, please see the following article:  How-To: Deploy modusGate with Exchange/LDAP Servers

  • modusGate looks for the user in the AD tree, specifically for these four attributes:
     
    mail:  xyz@yourdomain.com [the email address of the user]

    proxyAddress:  SMTP:jim@yourdomain.com [his alias for xyz@yourdomain.com is jim@yourdomain.com]

    mailnickname: could be anything - the property must exist but the content is not important

    displayname:  could be anything - the property must exist but the content is not important 

  • Aliases are detected with Active Directory lookups
  • Distribution lists do count as mailboxes
     
Exchange 5.5:

  • This is a special LDAP connector that requires the use of custom attributes for the feature to work properly (see the Exchange Deployment Guide, How-To: Deploy ModusGate with Exchange/LDAP Servers).  Vircom does not usually recommend using Exchange 5.5 LDAP verification because of the requirement for custom attributes via the X400 connectors.
  • We strongly encourage Exchange 5.5 users to use SMTP_VRFY instead
  • To Enable SMTP_VRFY on Exchange 5.5:
    • On the Exchange 5.5 server, open the Registry Editor
    • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange\Parameters
    • Right-click and select New > DWORD value
    • Name the new value EnableVRFY
    • Double-click the EnableVRFY and, at Value data, enter 0x1 (to enable)
  • NOTE:  Administrators consider SMTP_VRFY a security risk because it can generate a list of valid accounts on the domain, which, for example, could give spammers legitimate email accounts to target on your domain.  However, if your main mail server is kept off the public Internet (i.e. only ModusGate is visible to the outside world), this will not be an issue.
  • Once you have Exchange 5.5 SMTP_VRFY enabled, you can configure the panel to use SMTP_VRFY on Port 25
  • Aliases and distribution lists are not detected and will count as mailboxes

Lotus Domino:

  • Please consult the Lotus deployment document attached to the following article:
     
    How-To: Deploy ModusGate with Lotus Domino 5 & 6

  • Domino supports SMTP_VRFY so you should use this before trying to implement an LDAP-based solution
  • Aliases may not be detected in this situation and may count as mailboxes


OpenLDAP:

  • OpenLDAP is a generic LDAP authentication mechanism that works with many mail servers, assuming an LDAP server is being used
  • However, you should use another method (SMTP or SMTP_VRFY) before trying OpenLDAP (because of the complexity of an LDAP setup)
  • Aliases may not be detected in this situation and may count as mailboxes
     

References:


How-To: Deploy ModusGate with QMAIL 


How-To: Deploy ModusGate with Sendmail


How-To: Deploy ModusGate with PostFix


How-To: Deploy ModusGate with Groupwise 
 

 

Disabled:
 

  • As there is no verification, you need to populate the users in advance in modusGate
  • This option exists in the event that there is no way to verify the existence of a mailbox
  • Example: the target mail server is an Exchange Server behind layered firewalls and the Administrator does not want to expose the LDAP / Active Directory port
  • In those cases, the only option is to pre-populate the server and set the Do not delete flag for these mailboxes to true
  • You can mass-create mailboxes using the mailbox.exe command-line tool:
     
    mailbox -create jim@yourlocaldomain.com 0
    mailbox -create joe@yourlocaldomain.com 0
    mailbox -create bill@yourlocaldomain.com 0


  • To set the Do not delete flag
     
    mailbox -set jim@yourlocaldomain.com GateManualNotSync 1
    mailbox -set joe@yourlocaldomain.com GateManualNotSync 1
    mailbox -set bill@yourlocaldomain.com GateManualNotSync 1


  • Note that this method does not fix the problem with mailbox authentication for the WebQuarantine login
  • Users may not be able to log into WebQuarantine but may be able to use the Quarantine reports (because Modus does not keep passwords locally)
     
     

Tertiary MTA-Based Authentication:

 

  • Because passwords are not kept locally with disabled mailboxes, WebQuarantine login is impossible unless you can use POP3 or SMTP_AUTH
  • If this is not possible, you can use ModusMail-L, a lightweight version of ModusMail
  • ModusMail-L, with no spam scanning, is used solely to store users and passwords
  • Install the software on an older PC (Pentium, 400 MHz, 192 MB RAM, minimum) and populate the mail server using mailbox.exe
  • You can also set passwords which would be independent from the password system you use internally
  • This keeps the WebQuarantine login independent of your internal credentials
     
    maildomain -create yourlocaldomain.com
    mailbox -create jim@yourlocaldomain.com 0
    mailbox -pass jim@yourlocaldomain.com thepassword
    mailbox -create joe@yourlocaldomain.com 0
    mailbox -pass joe@yourlocaldomain.com thepassword

     
  • Point mail flow to the primary server and mailbox population/authentication to the ModusMail-L PC (SMTP or SMTP_VRFY)
  • If IIS is installed on the ModusMail-L PC, users who want to change their passwords can do so by going to http://<ip-of-modusL>/webadmin
     
Mailbox Authentication


SMTP_AUTH:

  • The preferred authentication method in most cases
  • Most mail servers support some form of SMTP authentication for relaying purposes
  • In this case, modusGate can proxy the request
  • The only complication is that modusGate usually passes the full username@domain.com during the SMTP Authentication transaction
    • If your primary mail server does not support this, enable the option  Strip Domain name from authentication requests which leaves the username during the authentication attempt
    • To enable this, go to Connections – Properties – General
  • This method can also be used for Exchange 2000/2003, but for those servers you can use Active Directory lookups instead (see Exchange 2000+ below)


 
Exchange 2000+:

  • modusGate performs an Active Directory lookup to see if it can bind to the user via an LDAP Query
  • A failed bind usually occurs when the password does not match
  • For more information about this configuration, please see the following article:
     
    How-To: Deploy ModusGate with Exchange/LDAP Servers
     
     


Exchange 5.5:

  • This is a special LDAP connector that requires the use of custom attributes for the feature to work properly
  • Vircom does not usually recommend using Exchange 5.5 LDAP verification because of the requirement for custom attributes via the X400 connectors
  • We strongly encourage Exchange 5.5 users to use SMTP_AUTH instead
     
     

OpenLDAP:

  • OpenLDAP is a generic LDAP authentication mechanism that works with many mail servers, assuming an LDAP server is being used
  • However, you should use another method (SMTP_AUTH) before trying OpenLDAP (because of the complexity of an LDAP setup)

 

References:


How-To: Deploy ModusGate with QMAIL 


How-To: Deploy ModusGate with Sendmail


How-To: Deploy ModusGate with PostFix


How-To: Deploy ModusGate with Groupwise 

POP3:

  • An alternative to using SMTP_AUTH
  • You need to be running a POP3 server
  • You may need to enable the Strip Domain name from authentication requests for this to work properly
    • To enable this, go to Connections – Properties – General
       


 
Tertiary MTA-Based Authentication:

  • Please refer to the Mailbox Verification section for complete details
  • After implementing this solution, use SMTP_AUTH

 

1.11. How-To: Deactivate the Mimicking of Active Directory’s "Disabled Accounts" in ModusGate

Product: ModusGate

Version & Build: 4.35.480

In service pack 4.35.480, we added a new behavior to ModusGate for Active Directory lookups when doing pre-authentication with Exchange 2000+.

 

If a user is disabled in AD, he/she also appears as disabled in ModusGate.  This way, when an account is temporarily disabled, Modus does not lose the Trusted Senders, Blocked Senders and custom settings.  Disabled accounts (Users ¦ General: Disable Account) do not count against the total user license count.

 

To deactivate this feature:

 

  • Open the Registry (Start > Run, regedit)
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Vircom\VopMail\RelayAuthServers
  • Right-click on the key
  • Click Find
  • Search for the domain that is performing the Exchange 2000+ lookup (e.g.: domain.com)
  • Once you have found the proper sub-key, create a new DWORD value named CheckUserAccountControl
  • Set the value to 0 (zero)
  • Exit the Registry
  • Stop & Start SMTPRS & SMTPDS in Services

 

1.12. Info: Forward Lookup / Pre-auth Options in ModusGate

 

Product: ModusGate

Version & Build: All

 

ModusGate can be configured to work with most Unix-based and Windows MTA servers.  This is achieved by using the forward lookup option (Automatically populate user list) found in the Console, under Connection - Properties - General.  This setting establishes the type of communication that will be used between ModusGate and the mail and/or authentication server to determine if the recipient address exists on the local system or not:

  • If the response from the mail/authentication server is an invalid mailbox type error, Modus rejects the message and bounces it back to the sending server with a delivery failure report, thus providing security for your mail server and reducing its load at the same time.
  • If the address does exist, Modus accepts the message for processing and sends it to the mail server for local delivery (assuming it's not quarantined or deleted because of content, based on ModusGate's settings)
  • If there is no specific invalid mailbox response from the mail server, the address is assumed to be good and is accepted and processed by Modus

This latter behavior often occurs when using a simple SMTP connection for the forward lookup, and it depends entirely on how the mail server itself handles invalid addresses.  The downside to this behavior is that mailboxes for invalid names are automatically created on the ModusGate server and counted towards your licensed user limit.

To prevent this from happening, it is recommended that you use one of the other selections such as SMTP_VRFY or OpenLDAP, if your server and/or network configuration supports the use of these options.  For example, most mail servers do not natively support SMTP_VRFY but some can be tweaked to accept it (e.g. by making a change in the Registry).  To find out if your mail server can use this option, please consult your product manual and/or website for configuration details.  NOTE: For information about Exim server configuration, go to http://www.exim.org/

The following is a list of available forward lookup or authentication options.  The one you should use depends on what your mail server is able to support:

SMTP:  This provides no authentication (see above).  It simply allows a straight SMTP connection between ModusGate and the mail server and relies on the mail server itself to reject messages sent to invalid addresses.  Use this setting only if the mail server does not support one of the other authentication options.  Otherwise, consider using Disabled (see below).

SMTP_VRFY:  Use this setting only if the mail server supports it (possibly by making a change in the Registry - consult your mail server documentation for configuration details)

Exchange 2000+:  Can only be used with Exchange 2000, 2003 servers

Exchange 5.5:  Can only be used with Exchange 5.5 servers

Lotus Domino:  Can only be used with Lotus servers

Open LDAP:  This is the recommended method for most mail servers that support LDAP (excluding Exchange and Lotus)

Disabled:  This can be used if one of the above settings is not a viable option and if the SMTP connection does not provide enough security for your system.  This setting turns off the automatic mailbox creation and requires that you manually enter the valid user names in the Users panel of the ModusGate Console.  While it requires more work to set up, it offers protection from abuse for both the ModusGate and the mail server by limiting the permitted mail to only the addresses specified.
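To see which of the three outcomes your own primary server produces for the forward lookup, and what the "assumed good" case does to the user count, here is an added Python script (not modusGate code) that models the lookup described above and the SMTP / SMTP_VRFY replies described in the Mailbox Verification article; host names and addresses are assumptions, and the reply tables are constructed samples.

```python
import re
import smtplib
from typing import Dict, List, Set, Tuple

# Wording the articles cite for an invalid mailbox: "550 no such user here"
# and Exchange's "550 5.5.1 User unknown"; 5.1.1 is the usual enhanced code.
INVALID_MAILBOX_RE = re.compile(r"no such user|user unknown|5\.1\.1|5\.5\.1", re.I)


def classify_rcpt_reply(code: int, text: str) -> str:
    """Map one RCPT TO reply onto the three outcomes the article lists.
    This models the documented behaviour; it is not modusGate's own parser."""
    if 500 <= code < 600 and INVALID_MAILBOX_RE.search(text):
        return "rejected"       # Modus bounces it; no mailbox is created
    if 200 <= code < 300:
        return "accepted"       # mailbox exists, or the server accepts everything
    return "assumed-good"       # no specific invalid-mailbox answer: accepted anyway


def parse_vrfy_reply(queried: str, code: int, text: str) -> Dict[str, object]:
    """Read a VRFY answer as the Mailbox Verification article describes it:
    250 with an address is valid (a different address means 'queried' is an
    alias of it), 550 no such user is invalid, anything else (e.g. 252) means
    the server does not really implement VRFY."""
    if code == 250:
        m = re.search(r"[\w.+-]+@[\w.-]+", text)
        mailbox = m.group(0).lower() if m else queried.lower()
        return {"status": "valid", "mailbox": mailbox, "is_alias": mailbox != queried.lower()}
    if 500 <= code < 600 and INVALID_MAILBOX_RE.search(text):
        return {"status": "invalid", "mailbox": None, "is_alias": None}
    return {"status": "unsupported", "mailbox": None, "is_alias": None}


def probe_forward_lookup(primary_host: str, probe_rcpt: str, port: int = 25,
                         helo_name: str = "modusgate.yourdomain.com") -> str:
    """Run the EHLO / MAIL FROM / RCPT TO sequence from the article against your
    own primary server with a recipient you know does not exist, then RSET so
    nothing is sent. Returns how modusGate would treat that recipient."""
    with smtplib.SMTP(primary_host, port, timeout=10) as smtp:
        smtp.ehlo(helo_name)
        smtp.mail("originator@domain.com")
        code, msg = smtp.rcpt(probe_rcpt)
        smtp.rset()
    return classify_rcpt_reply(code, msg.decode("ascii", errors="replace"))


def licence_impact(outcomes: Dict[str, str], real_mailboxes: Set[str]) -> Dict[str, List[str]]:
    """Which recipients would be created as mailboxes, and which of those are
    bogus names that only consume licensed seats."""
    created = [a for a, outcome in outcomes.items() if outcome != "rejected"]
    return {"created": created, "bogus": [a for a in created if a.lower() not in real_mailboxes]}


# Constructed sample: three recipients (one real, one typo, one from a dictionary
# run) against a server that rejects unknown users and against a default
# Exchange 2003 that accepts every RCPT TO.
REAL_MAILBOXES = {"jim@yourlocaldomain.com"}
STRICT_SERVER: Dict[str, Tuple[int, str]] = {
    "jim@yourlocaldomain.com": (250, "2.1.5 Recipient OK"),
    "jmi@yourlocaldomain.com": (550, "5.1.1 no such user here"),
    "aaron@yourlocaldomain.com": (550, "5.1.1 no such user here"),
}
ACCEPT_ALL_SERVER = {addr: (250, "2.1.5 Recipient OK") for addr in STRICT_SERVER}


def compare_servers() -> Dict[str, Dict[str, List[str]]]:
    """Run the sample recipients through both servers' reply tables."""
    return {
        name: licence_impact({a: classify_rcpt_reply(*reply) for a, reply in table.items()},
                             REAL_MAILBOXES)
        for name, table in (("strict", STRICT_SERVER), ("accept-all", ACCEPT_ALL_SERVER))
    }


if __name__ == "__main__":
    print(compare_servers())
```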

 

1.13. How-To: Change the IIS Port on the ModusGate Appliance

 

Product: ModusGate

Version & Build: All



The ModusGate Appliance is equipped with a built-in firewall.  For security reasons, some customers change the listening port of the IIS Server.  This article provides instructions to do this:

The firewall is turned on with Windows 2003.  To change the ports:
  • Right-click My Network Places
  • Right-click the active NIC and Properties
  • Click on Advanced and change the HTTP port allowed from 80 to 82
  • Open the TCP/IP Properties
  • Go to Advanced > Options > TCP/IP Filtering and add port 82 to the ports that are opened

 

1.14. How-To: Configure ModusGate with an Exchange/Outlook Junk Email Folder

 

Product: ModusGate

Version & Build: All

The attached PDF document provides the steps required to use ModusGate in conjunction with an Outlook Junk Email folder.  Microsoft Exchange Server 2003 with Service Pack 2 is required for Intelligent Message Filtering (IMF), which is required for this configuration.

The attached MSExchange.UCEContentFilter.xml file can only be used if you are using the default [SPAM] tag in ModusGate's tag and pass configuration.  If you are using a custom tag, please refer to the information contained in the PDF file.

 

1.15. How-To: Deploy ModusGate with Exchange/LDAP Servers

 

Product: ModusGate

Version & Build: 4.7 and up

 

ModusGate - Exchange Deployment Guide

There are several ways to deploy ModusGate with Exchange.  Please download and review the attached document before contacting Support.  The document contains useful information that will help you configure and troubleshoot your setup.
 
Exchange 2003 Info
 

By default, Exchange accepts every recipient during the SMTP session and only discovers invalid addresses afterwards.  This causes problems for ModusGate customers who select the SMTP option for Automatically populate user list instead of the LDAP or Exchange 2000+ options: Exchange appears to accept invalid addresses, so they are added to the user list on ModusGate (thus causing licensing problems).

 

However, Exchange 2003 can be configured to reject invalid recipients during the SMTP session with a 550 5.1.1 User unknown reply.  ModusGate, in turn, bounces these messages and your user count will reflect only valid addresses on your system.  Use the following instructions to configure this on the Exchange server:

 

NOTE: These instructions apply to Exchange 2003 only. 

 

Enable directory lookup for recipients in the recipient filter:

  • Go to the Exchange System Manager 
  • Open Global Settings and right-click Message Delivery
  • Select Properties and click on Recipient Filtering
  • Put a checkmark at Filter recipients who are not in the Directory
  • Click OK

Enable the recipient filter on the SMTP protocol binding that accepts mail from the Internet:

  • Navigate to the SMTP Virtual Server that listens on the Internet (repeat these steps if you have more than one)
  • Right-click on the SMTP Virtual Server, choose Properties
  • From General, click on Advanced 
  • Select the IP/port binding that corresponds to the one that listens on the Internet and click on Edit
  • Put a checkmark at Apply Recipient Filter
  • Click OK and exit

When someone sends RCPT TO:<invaliduser@localdomain>, the server answers with a 550 5.1.1 User unknown error.  Because that reply also tells an outsider which addresses do not exist, make sure only ModusGate can reach the Internet-facing SMTP virtual server; otherwise the filter becomes a directory-harvesting oracle.

 
Exchange 2007 Info

Microsoft® Exchange Server 2007, by default, accepts up to 5,000 total connections, with only 2% permitted from the same source (i.e. a maximum of 100 connections).  The server receives mail from countless addresses throughout the world.  However, with modusGate™ (or any SMTP gateway) in front of the Exchange Server, mail is received from only one IP address – that of modusGate™.

If modusGate™ is handling a heavy mail load, relaying legitimate mail to Exchange, it could be choked by Exchange's per-source limit.  Therefore, Vircom suggests that you increase the percentage from 2 to 20.  Raise the limits only on the Receive connector that accepts mail from modusGate™, and keep that connector's RemoteIPRanges restricted to the modusGate™ address so that the higher per-source allowance is not available to other hosts.

Please consult the following Microsoft TechNet article for complete details: http://technet.microsoft.com/en-us/library/bb232205(EXCHG.80).aspx



The following Exchange 2007 settings, mentioned in the article, are relevant to modusGate:


Set-ReceiveConnector > MaxInboundConnection

This parameter specifies the maximum number of inbound SMTP connections that this Receive connector allows at the same time. The default value is 5,000.


Set-ReceiveConnector > MaxInboundConnectionPercentagePerSource

This parameter specifies the maximum number of SMTP connections that a Receive connector allows at the same time from a single source messaging server. The value is expressed as the percentage of available remaining connections on a Receive connector. The maximum number of connections that are permitted by the Receive connector is defined by the MaxInboundConnection parameter. The default value of the MaxInboundConnectionPercentagePerSource parameter is 2%. Change this parameter to 20%.


Set-ReceiveConnector > MaxInboundConnectionPerSource

This parameter specifies the maximum number of SMTP connections that a Receive connector allows at the same time from a single source messaging server. The default value is 100.  Change this value to 1,000.
 
 
Exchange 2010 Info 
 
It is not required to configure an Edge Transport server for Exchange 2010, since modusGate and the Edge server perform similar functions. If you wish, however, an Edge server can be used in addition to modusGate for redundancy or dual protection purposes. 

Whatever your chosen setup, the modusGate server must communicate directly with the Active Directory Global Catalog server over LDAP port 3268 (or 3269 with SSL) to validate email addresses.  Therefore, when configuring the routes in modusGate, enter the IP address of the Global Catalog server for Automatically populate user list and Authentication.
 
If you wish to use a Hub Transport server and need help with configuration, please contact Microsoft directly for advice. 
 
 
1.16. How-To: Deploy ModusGate with Groupwise

 

Product: ModusGate

Version & Build: 4.1.361+

 

ModusGate - Groupwise Deployment Guide

 
Groupwise 6.x Configuration:
 
The recommended configuration for ModusGate/Groupwise is to use SMTP Authentication for the auto-create mailbox mechanism and to accept logins in the form of username@domain.name.  Groupwise v6.x supports SMTP Auth by default and does not require special configuration.
 
 
 
SMTP Authentication:
 
This method provides support for ModusGate's forward lookup feature: all incoming messages are verified against the GWIA to ensure that the email addresses exist on your mail server.  In the Console, go to Connections - Properties - General to configure this feature.
 
Please consult the attached Exchange Deployment Guide, specifically the sections ModusGate Connection Creation and Other ways to configure mailbox lookup and authentication for configuration details:
  • Select SMTP_VRFY for Automatically populate user list 
  • Select SMTP_AUTH for Authentication requests
If the GWIA cannot support username@domain.name logins, enable Strip domain name for Authentication requests for the WebQuarantine logins.
 
 
 
LDAP Authentication Method:
 
If you are using Novell's LDAP, ModusGate can be configured to connect to it for mailbox authentication.  However, the LDAP server must be manually configured to accept simple binds without TLS (plain text logins) and, if required, nicknames.  Note that a simple bind without TLS sends the user's password across the network in clear text, so ModusGate and the LDAP server should share a trusted network segment:
 
Groupwise Server Configuration:
  • Open the LDAP Group tab in the ConsoleOne User Management Snapin
  • Remove the checkmark for Require TLS for simple binds
  • Unload and Reload the NLDAP module on the Novell Server
  • In LDAP, manually add Groupwise Nicknames as a mail attribute for users in order for them to receive mail at their Groupwise nicknames
    • On your ModusGate server, you are pointing to your GroupWise GWIA server for LDAP authentication.  Find that GroupWise server in ConsoleOne and, in that OU, find the object LDAP Group - servername
    • Open the object and go to Attribute Mappings, then click on Add
    • From the NDS Attribute drop-down, select nickName
    • In the Primary LDAP attribute field, type nickName (case sensitive) and click on OK (you may enter a description)
    • Click on OK on the LDAP Group page.  There is no need to reboot the server
    • Once the nicknames are set up, you can send email to them with the format of nickname@domain.xxx.
Please see the attached Groupwise Screen Capture document for more details.
 
 
ModusGate server configuration:
  • Select OpenLDAP for Automatically populate user list
  • Select SMTP_AUTH for Authentication requests
Note that the recommended configuration for Auto-create mailboxes has changed: select OpenLDAP from the drop-down menu, enter the required LDAP connection information (using the attached Guide as an example) and stop/restart the SMTPRS service.  (Version 4.0 suggested the Exchange 2000+ setting, but that connection type can now ONLY be used with an Exchange server.)
 
 
SMTP Method (No Authentication):
 
If end users have nicknames or aliases and you do not use LDAP or are unable to manually configure the LDAP server for nicknames, you must use a simple SMTP connection for Automatically populate user list. 
 
WARNING: This option does not provide a forward lookup verification: messages to both valid and invalid addresses will be sent through to Groupwise and invalid mail will have to be handled internally by the GWIA. 
 

Configuration with Older Groupwise Versions (pre-6.x)
 
Older Groupwise versions do not support SMTP Auth.  If you use an LDAP server, please use the instructions above.  Otherwise, you must select SMTP for the Automatically populate user list section.  If the GWIA supports POP3 access, you may select POP3 in the Authentication requests section.
 
 
Acknowledgement:  Thanks to Jon Clemons for his help and advice in putting this article together and to Paul Caron for his information about setting up Groupwise nicknames.
 
 
1.17. How-To: Deploy ModusGate with Lotus Domino 5 & 6

 

Product: ModusGate

Version & Build: 4.0.340 and up

 

ModusGate - Lotus Deployment Guide

There are several ways to deploy ModusGate with Lotus Domino.  Please download and review the attached document before contacting Support.  The document contains useful information that will help you configure and troubleshoot your setup.

NOTE:  Lotus Notes is the email client software and Lotus Domino is the email server software.  ModusGate filters messages for the Lotus Domino server which, in turn, makes them available to Lotus Notes users.

 

1.18. How-To: Deploy ModusGate with Postfix

 

Product: ModusGate

Version & Build: All

 

 
The purpose of this how-to is to outline the recommended configuration to enable ModusGate to communicate properly with your Postfix server.
 
DISCLAIMER:  Vircom has limited knowledge of Postfix systems and, therefore, makes the following recommendations based on our knowledge of ModusGate and how it functions best.  We are not able to provide support for the Postfix server itself.  If you require more information about Postfix, please consult your product manual or search online.
 
 
Step 1- Configure a domain and define its route(s)
 

Once the ModusGate program has been installed and the services have started, you must enter each domain for which ModusGate will filter mail and configure the route(s).  This is done, manually or by using the wizard, in the ModusGate Console in Connections - Properties - General.  For connection options and examples, please consult the ModusGate Administration Guide.

 

If there is more than one email server for a domain (such as a backup server), then several routes can be created per domain with different priorities.  Any additional routes will be used, in order, if the first email server does not respond.

 

Several domains can be routed to the same email server: enter each domain name, and create the same route configuration for each.

 
 
Step 2- Configure the Automatically update user list settings
 

Whenever ModusGate receives a message reception request, it must check whether or not the recipient mailbox is valid in order to either accept and filter the message or to reject it with a notification for the sending mail server.  This process is done through a forward lookup using the Automatically update user list configuration.  These settings also ensure that valid mailbox addresses and aliases are automatically created on the ModusGate server as the messages are received and processed.

 

After entering the domain name, click on Add Route to access the following configuration settings:

 

NOTE: The recommendation is to use either OpenLDAP or SMTP_VRFY, but only if you can make the changes to the Postfix configuration outlined below.  If you are unable to make these changes, you may have to use a standard SMTP connection.
 
 

1. SMTP on Port 25

 

This is the default communication method between ModusGate and all types of mail servers.  Aliases are not resolved, so note the following:

  • Each valid email address and each alias is counted as a separate mailbox
  • Users can have different user settings (one per address)
  • Users will have several WebQuarantines (one per address)
  • Users will receive several Quarantine reports (one per address)

 

2. SMTP_VRFY on Port 25

By default, Postfix does not allow this SMTP command, but it can be enabled by adding or modifying the line "disable_vrfy_command = no" in the Postfix file /etc/postfix/main.cf and reloading Postfix.  Postfix then answers VRFY with a 252 reply for an address it would accept and with a 550 reply for an unknown user.  Because VRFY lets anyone who can reach port 25 enumerate valid addresses, restrict SMTP access on the Postfix server to the ModusGate address (see the firewall note at the end of this article).

 

3. Exchange 5.5 & 2000+:  For use with Microsoft Exchange only

 

4.  OpenLDAP on Port 389:  This is the preferred option if Postfix is configured with an OpenLDAP server.  See details below.

 

5. Lotus Domino:  Similar to SMTP_VRFY

 

 

6. Disabled (for manual, not automatic mailbox creation) 

 

User mailboxes and aliases must be entered and maintained manually in the ModusGate Console or WebAdmin interface.  This option involves little or no configuration changes and is intended for domains with small mailbox counts and few changes.

 
 
Configure OpenLDAP Settings on port 389:
 

1. Make sure that the Route mail to host or IP address setting points to the valid email server IP address for that domain

 

2. Enter the IP address of the LDAP server for the domain (ideally the root server) in the field next to Automatically update user list 

 

3. ModusGate must access the LDAP database with an account that has Read access to all domains hosted on the LDAP server.  The rootdn works, but it has unrestricted write access to the whole directory; prefer a dedicated account (created on the LDAP server) that has only Read access, so that the credentials stored in the ModusGate Console cannot be used to modify the directory.

 

Configuration under LDAP Identification:

  • On the LDAP server, open the slapd.conf file (usually located in /usr/local/etc/openldap/slapd.conf; distribution packages often use /etc/openldap/slapd.conf or /etc/ldap/slapd.conf)

A minimal slapd.conf looks like this.  The rootpw line should contain a hash generated with slappasswd rather than a clear-text password, and the file must not be readable by other users:

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data

 

In the Console (under Connections), at the LDAP Identification > Base DN field, enter the search base (the suffix from slapd.conf) in the format: dc=example,dc=com

 

 

4. In the Console (under Connections), at the LDAP Identification > User DN field, enter the full DN of the account ModusGate binds with (the rootdn, or the dedicated read-only account from the previous step) in the format: cn=username,dc=example,dc=com

 

Example of a typical object representing a user account (note that this entry carries only posixAccount attributes; an entry that must be found by email address also needs an object class that provides a mail attribute, such as inetOrgPerson):

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
uid: john
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount

 

5. In the Console (under Connections), at the LDAP Identification > Password field, enter the password of the configured LDAP user account.

 

Without a valid LDAP user login, ModusGate rejects all WebQuarantine and WebAdmin login attempts with a temporary error.

 

If you experience problems with the configuration, we recommend using a Windows freeware LDAP browser program to test the connection.  Go to http://www.ldapadministrator.com and download the lightweight LDAP Browser 2.6.  It can be run on the ModusGate server to check credentials.  If the LDAP browser login is successful, it displays the LDAP directory contents; check that the user entries are visible below the Base DN you entered.

 

 

 

Step 3 - Configure the Authentication request settings:

 

This setting is used to authenticate WebQuarantine and WebAdmin access.  Users must enter their full email address and password to log in.  ModusGate does not store any passwords, so it queries the mail or authentication server for validation.  Because the user's password is forwarded to that server, choose a method and network path that do not expose it in clear text.

 

The recommended setting to use with Postfix is either OpenLDAP, SMTP Auth or POP3.

 

 

Alternative methods:

 

1.  SMTP_Auth on Port 25 (the AUTH LOGIN and PLAIN mechanisms only base64-encode the credentials; they are not encrypted unless TLS is used on the connection)

 
Please consult the following URL for information about enabling SMTP AUTHENTICATION on a PostFix server: http://www.tcbug.org/postfix_smtpauth.html
 
 
2.  Exchange 5.5 & 2000+:  To be used with Microsoft only
     
 
3.  POP3 on Port 110
 

This is the preferred option as most users are configured to use the POP3 protocol.  POP3 sends the user name and password in clear text, so this traffic should stay on the internal network.  Test this with the option Strip domain name* disabled and enable it only if necessary.  Do not forget to click on Apply and Stop and Start all services in the Console.

 

* When using this setting, users are still required to enter their full email address to log into the Web applications but ModusGate will send only the username portion of the address for authentication.

 
 
4. OpenLDAP on Port 389
 

This is the preferred option if Postfix is configured with an OpenLDAP server and if mailbox validation already uses this setting.

 

 

IMPORTANT:  If there are any firewalls installed between the ModusGate and Postfix servers, you must allow communication on all ports configured above for the ModusGate server's IP address (and only for that address).

 
 
For further details about configuring PostFix in various configurations, see: http://www.linux-magazine.com/issue/47/Postfix_Mailserver_Scenarios.pdf
 
1.19. How-To: Deploy ModusGate with Qmail

 

Product: ModusGate

Version & Build: All

 

 
The purpose of this how-to is to outline the recommended configuration to enable ModusGate to communicate properly with your Qmail server.
 
DISCLAIMER:  Vircom has limited knowledge of Qmail systems and, therefore, makes the following recommendations based on our knowledge of ModusGate and how it functions best.  We are not able to provide support for the Qmail server itself.  If you require more detailed information about Qmail, please consult your product manual or search online.
 
 

Step 1 - Configure a domain and define its route(s)

 

Once the ModusGate program has been installed and the services have started, you must enter each domain for which ModusGate will filter mail and configure the route(s).  This is done, manually or by using the wizard, in the ModusGate Console in Connections - Properties - General.  For connection options and examples, please consult the ModusGate Administration Guide.

 

If there is more than one email server for a domain (such as a backup server), then several routes can be created per domain with different priorities.  Any additional routes will be used, in order, if the first email server does not respond.

 

Several domains can be routed to the same email server: enter each domain name, and create the same route configuration for each.

 

 

 

Step 2 - Configure the Automatically update user list settings

 

Whenever ModusGate receives a message reception request, it must check whether or not the recipient mailbox is valid in order to either accept and filter the message or to reject it with a notification for the sending mail server.  This process is done through a forward lookup using the Automatically update user list configuration.  These settings also ensure that valid mailbox addresses and aliases are automatically created on the ModusGate server as the messages are received and processed.

 

After entering the domain name, click on Add Route to access the following configuration settings:

 

NOTE: The recommendation is to use either OpenLDAP or SMTP_VRFY but only if you can make changes to the configuration as outlined below.  If you are unable to make these changes, you may have to use a standard SMTP connection.

 

 

1. SMTP on Port 25

 

This is the default communication method between ModusGate and all types of mail servers.  Aliases are not resolved, so note the following:

  • Each valid email address and each alias is counted as a separate mailbox
  • Users can have different user settings (one per address)
  • Users will have several WebQuarantines (one per address)
  • Users will receive several Quarantine reports (one per address)

2. SMTP_VRFY on Port 25

Stock qmail-smtpd answers every VRFY command with a non-committal 252 reply without checking the address, so this option cannot verify recipients on an unmodified Qmail server.  Use it only if your Qmail installation has been modified to answer VRFY with 250 or 550 per address; otherwise choose OpenLDAP.

 

 

3.  Exchange 5.5 & 2000+:  To be used with Microsoft Exchange only

 

 

4.  OpenLDAP on Port 389:  This is the preferred option if Qmail is configured with an OpenLDAP server.  See details below.

 

 

5. Lotus Domino:  Similar to SMTP_VRFY

 

 

6. Disabled (for manual, not automatic mailbox creation) 

 

User mailboxes and aliases must be entered and maintained manually in the ModusGate Console or WebAdmin interface.  This option involves little or no configuration changes and is intended for domains with small mailbox counts and few changes.

 
 

Configure OpenLDAP Settings on Port 389:

 

1. Make sure that the Route mail to host or IP address setting points to the valid email server IP address for that domain

 

2. Enter the IP address of the LDAP server for the domain (ideally the root server) in the field next to Automatically update user list 

 

3. ModusGate must access the LDAP database with an account that has Read access to all domains hosted on the LDAP server.  The rootdn works, but it has unrestricted write access to the whole directory; prefer a dedicated account (created on the LDAP server) that has only Read access, so that the credentials stored in the ModusGate Console cannot be used to modify the directory.

 

Configuration under LDAP Identification:

  • On the LDAP server, open the slapd.conf file (usually located in /usr/local/etc/openldap/slapd.conf; distribution packages often use /etc/openldap/slapd.conf or /etc/ldap/slapd.conf)

A minimal slapd.conf looks like this.  The rootpw line should contain a hash generated with slappasswd rather than a clear-text password, and the file must not be readable by other users:

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data

 

In the Console (under Connections), at the LDAP Identification > Base DN field, enter the search base (the suffix from slapd.conf) in the format: dc=example,dc=com

 

 

4. In the Console (under Connections), at the LDAP Identification > User DN field, enter the full DN of the account ModusGate binds with (the rootdn, or the dedicated read-only account from the previous step) in the format: cn=username,dc=example,dc=com

 

Example of a typical object representing a user account (note that this entry carries only posixAccount attributes; an entry that must be found by email address also needs an object class that provides a mail attribute, such as inetOrgPerson):

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
uid: john
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount

 

5. In the Console (under Connections), at the LDAP Identification > Password field, enter the password of the configured LDAP user account.

 

Without a valid LDAP user login, ModusGate rejects all WebQuarantine and WebAdmin login attempts with a temporary error.

 

If you experience problems with the configuration, we recommend using a Windows freeware LDAP browser program to test the connection.  Go to http://www.ldapadministrator.com and download the lightweight LDAP Browser 2.6.  It can be run on the ModusGate server to check credentials.  If the LDAP browser login is successful, it displays the LDAP directory contents; check that the user entries are visible below the Base DN you entered.

 
 
Step 3 - Configure the Authentication request settings:
 

This setting is used to authenticate WebQuarantine and WebAdmin access.  Users must enter their full email address and password to log in.  ModusGate does not store any passwords, so it queries the mail or authentication server for validation.  Because the user's password is forwarded to that server, choose a method and network path that do not expose it in clear text.

 
The recommended setting to use with Qmail is either OpenLDAP or POP3
 
Alternative methods:
 
1. SMTP_Auth on port 25 (the AUTH LOGIN and PLAIN mechanisms only base64-encode the credentials; they are not encrypted unless TLS is used on the connection)
 
Stock Qmail does not support SMTP AUTH; a third-party patch is required.  If you choose not to install one, select POP3 or OpenLDAP.
 
 
 

2.  Exchange 5.5 & 2000+:  To be used with Microsoft only

 
 
 

3. POP3 on Port 110

 

This is the preferred option as most users are configured to use the POP3 protocol.  POP3 sends the user name and password in clear text, so this traffic should stay on the internal network.  Test this with the option Strip domain name* disabled and enable it only if necessary.  Do not forget to click on Apply and Stop and Start all services in the Console.

 

* When using this setting, users are still required to enter their full email address to log into the Web applications but ModusGate will send only the username portion of the address for authentication. 

 
 

4. OpenLDAP on Port 389

 

This is the preferred option if Qmail is configured with an OpenLDAP server and if mailbox validation already uses this setting.

  

IMPORTANT:  If there are any firewalls installed between the ModusGate and Qmail servers, you must allow communication on all ports configured above for the ModusGate server's IP address (and only for that address).

 
 
 
 
1.20. How-To: Deploy ModusGate with Sendmail

 

Product: ModusGate

Version & Build: All

 
 

The purpose of this how-to is to outline the recommended configuration to enable ModusGate to communicate properly with your Sendmail server.

 

DISCLAIMER:  Vircom has limited knowledge of Sendmail systems and, therefore, makes the following recommendations based on our knowledge of ModusGate and how it functions best.  We are not able to provide support for the Sendmail server itself.  If you require more information about Sendmail, please consult your product manual or visit their Website at www.sendmail.com.

 

 

Step 1 - Configure a domain and define its route(s)

 

Once the ModusGate program has been installed and the services have started, you must enter each domain for which ModusGate will filter mail and configure the route(s).  This is done, manually or by using the wizard, in the ModusGate Console in Connections - Properties - General.  For connection options and examples, please consult the ModusGate Administration Guide.

 

If there is more than one email server for a domain (such as a backup server), then several routes can be created per domain with different priorities.  Any additional routes will be used, in order, if the first email server does not respond.

 

Several domains can be routed to the same email server: enter each domain name and create the same route configuration for each.

 

 

 

Step 2 - Configure the Automatically update user list settings

 

Whenever ModusGate receives a message reception request, it must check whether or not the recipient mailbox is valid in order to either accept and filter the message or to reject it with a notification for the sending mail server.  This process is done through a forward lookup using the Automatically update user list configuration.  These settings also ensure that valid mailbox addresses and aliases are automatically created on the ModusGate server as the messages are received and processed.

 

After entering the domain name, click the Add Route button to access the following configuration settings:

 

NOTE: The recommendation is to use either OpenLDAP or SMTP_VRFY but only if you can make changes to the configuration as outlined below.  If you are unable to make these changes, you may have to use a standard SMTP connection.

 

 

1. SMTP on Port 25

 

This is the default communication method between ModusGate and all types of mail servers.  Aliases are not resolved, so note the following:

  • Each valid email address and each alias is counted as a separate mailbox
  • Users can have different user settings (one per address)
  • Users will have several WebQuarantines (one per address)
  • Users will receive several Quarantine reports (one per address)

2. SMTP_VRFY on Port 25

 

Most Sendmail installations ship with VRFY disabled through PrivacyOptions (the novrfy flag; the goaway flag implies it as well).  To enable it, set the line "PrivacyOptions=authwarnings,noexpn,restrictqrun,nobodyreturn,needmailhelo,restrictmailq" in the Sendmail file '/etc/sendmail.cf' (on many systems '/etc/mail/sendmail.cf') so that neither novrfy nor goaway appears, and restart Sendmail.  If sendmail.cf is generated from sendmail.mc, change confPRIVACY_FLAGS in sendmail.mc instead, or the edit will be lost the next time the file is rebuilt.  Because VRFY lets anyone who can reach port 25 enumerate valid addresses, restrict SMTP access on the Sendmail host to the ModusGate address (see the firewall note at the end of this article).

 

 

3.  Exchange 5.5 & 2000+:  To be used with Microsoft Exchange only

 

 

4.  OpenLDAP on Port 389:  This is the preferred option if Sendmail is configured with an OpenLDAP server.  See details below.

 

 

5. Lotus Domino:  Similar to SMTP_VRFY

 

 

6. Disabled (for manual, not automatic mailbox creation) 

 

User mailboxes and aliases must be entered and maintained manually in the ModusGate Console or WebAdmin interface.  This option involves little or no configuration changes and is intended for domains with small mailbox counts and few changes.
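The SMTP and SMTP_VRFY options above (and the same options in the Postfix and Qmail guides), together with the Exchange 2003 recipient-filtering note in 1.15, all hinge on what the mail server actually answers to VRFY and RCPT TO.  The following is an added example, not ModusGate or Vircom code: it probes one recipient the way a gateway would and then decides whether the reply verified anything, because a 252 to VRFY or a 250 to RCPT TO from a server that accepts every recipient is not a verification.  FakeMTA is a constructed stand-in for the customer's mail server so the script runs offline; mail.example.com, gateway.example and the addresses are made up.

```python
"""Forward-lookup probe for the SMTP and SMTP_VRFY options (added example,
not ModusGate code).  It asks the mail server about one recipient the way a
gateway would and then decides whether the answer verified anything at all.
FakeMTA is a constructed stand-in for the customer's mail server so that the
script runs offline; mail.example.com and the addresses are made up."""
import secrets
import socket
import socketserver
import threading

def _reply(f):
    """Read one SMTP reply (continuation lines look like '250-'); return (code, text)."""
    while True:
        line = f.readline().decode("latin-1").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), line[4:]

def probe(host, port, address, timeout=5.0):
    """One SMTP session: VRFY the address, then RCPT TO it with a null sender.
    Returns (vrfy_code, rcpt_code).  Nothing is delivered: RSET, then QUIT."""
    with socket.create_connection((host, port), timeout) as sock, \
            sock.makefile("rwb") as f:
        def cmd(text):
            f.write(text.encode("latin-1") + b"\r\n")
            f.flush()
            return _reply(f)
        _reply(f)                                    # 220 banner
        cmd("EHLO gateway.example")
        vrfy, _ = cmd(f"VRFY {address}")
        cmd("MAIL FROM:<>")
        rcpt, _ = cmd(f"RCPT TO:<{address}>")
        cmd("RSET")
        cmd("QUIT")
    return vrfy, rcpt

def forward_lookup(host, port, address):
    """Classify a recipient as 'valid', 'invalid' or 'unverifiable'.
    A 252 to VRFY (Postfix for any address it accepts, qmail and Exchange for
    everything) and a 250 to RCPT TO prove nothing on their own: a server that
    accepts every recipient returns them for addresses that do not exist.  So a
    random canary in the same domain is probed too, and the 250 counts only if
    the canary is rejected."""
    vrfy, rcpt = probe(host, port, address)
    if vrfy in (250, 251):
        return "valid"                               # server confirmed the mailbox
    if 550 <= vrfy <= 553 or 550 <= rcpt <= 553:
        return "invalid"                             # e.g. 550 5.1.1 User unknown
    if rcpt != 250:
        return "unverifiable"                        # 4xx or an odd reply
    canary = f"nx-{secrets.token_hex(6)}@{address.rsplit('@', 1)[-1]}"
    _, canary_rcpt = probe(host, port, canary)
    return "valid" if 550 <= canary_rcpt <= 553 else "unverifiable"

class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        srv = self.server
        self.wfile.write(b"220 mail.example.com ESMTP\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            addr = arg.split(":")[-1].strip("<> ").lower()   # 'TO:<x>' or 'x' -> x
            known = addr in srv.users
            if verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            if verb == "VRFY" and srv.vrfy_confirms and known:
                reply = b"250 " + addr.encode("latin-1")
            elif verb in ("VRFY", "RCPT") and srv.rejects_unknown and not known:
                reply = b"550 5.1.1 User unknown"
            elif verb == "VRFY":
                reply = b"252 2.1.5 Cannot VRFY user, but will take message"
            else:
                reply = b"250 OK"
            self.wfile.write(reply + b"\r\n")

class FakeMTA(socketserver.ThreadingTCPServer):
    """Constructed stand-in for the mail server on 127.0.0.1, ephemeral port.
    rejects_unknown=True: refuses unknown recipients at RCPT TO (Sendmail,
      Postfix, Exchange 2003 with recipient filtering); False: accepts all
      (Exchange 2003 default, qmail).
    vrfy_confirms=True: VRFY answers 250 for a real user (Sendmail);
      False: always the non-committal 252 (Postfix, qmail, Exchange)."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, users, rejects_unknown, vrfy_confirms):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.users = {u.lower() for u in users}
        self.rejects_unknown, self.vrfy_confirms = rejects_unknown, vrfy_confirms
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def stop(self):
        self.shutdown()
        self.server_close()

if __name__ == "__main__":
    for label, rejects, confirms in (("sendmail-like", True, True),
                                     ("postfix-like", True, False),
                                     ("accept-all (qmail, unfiltered Exchange)", False, False)):
        mta = FakeMTA(["john@example.com"], rejects, confirms)
        port = mta.server_address[1]
        print(label, forward_lookup("127.0.0.1", port, "john@example.com"),
              forward_lookup("127.0.0.1", port, "nobody@example.com"))
        mta.stop()
```

Pointed at a real server instead of FakeMTA, an "unverifiable" result for a known-good address means that server will not reject unknown recipients, which is exactly the situation in which the plain SMTP option fills the ModusGate user list with invalid names; "invalid" for an address you know exists usually means VRFY or recipient filtering is answering for the wrong domain.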

 

 

Configure OpenLDAP Settings on Port 389:

 

1. Make sure that the Route mail to host or IP address setting points to the valid email server IP address for that domain

 

2. Enter the IP address of the LDAP server for the domain (ideally the root server) in the field next to Automatically update user list 

 

3. ModusGate must access the LDAP database with an account that has Read access to all domains hosted on the LDAP server.  The rootdn works, but it has unrestricted write access to the whole directory; prefer a dedicated account (created on the LDAP server) that has only Read access, so that the credentials stored in the ModusGate Console cannot be used to modify the directory.

 

Configuration under LDAP Identification:

  • On the LDAP server, open the slapd.conf file (usually located in /usr/local/etc/openldap/slapd.conf; distribution packages often use /etc/openldap/slapd.conf or /etc/ldap/slapd.conf)

A minimal slapd.conf looks like this.  The rootpw line should contain a hash generated with slappasswd rather than a clear-text password, and the file must not be readable by other users:

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data

 

In the Console (under Connections), at the LDAP Identification > Base DN field, enter the search base (the suffix from slapd.conf) in the format: dc=example,dc=com

 

 

4. In the Console (under Connections), at the LDAP Identification > User DN field, enter the full DN of the account ModusGate binds with (the rootdn, or the dedicated read-only account from the previous step) in the format: cn=username,dc=example,dc=com

 

Example of a typical object representing a user account (note that this entry carries only posixAccount attributes; an entry that must be found by email address also needs an object class that provides a mail attribute, such as inetOrgPerson):

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
uid: john
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount

 

5. In the Console (under Connections), at the LDAP Identification > Password field, enter the password of the configured LDAP user account.

 

Without a valid LDAP user login, ModusGate rejects all WebQuarantine and WebAdmin login attempts with a temporary error.

 

If you experience problems with the configuration, we recommend using a Windows freeware LDAP browser program to test the connection.  Go to http://www.ldapadministrator.com and download the lightweight LDAP Browser 2.6.  It can be run on the ModusGate server to check credentials.  If the LDAP browser login is successful, it displays the LDAP directory contents; check that the user entries are visible below the Base DN you entered.

 

 

Step 3 - Configure the Authentication request settings:

 

This setting is used to authenticate WebQuarantine and WebAdmin access.  Users must enter their full email address and password to log in.  ModusGate does not store any passwords, so it queries the mail or authentication server for validation.  Because the user's password is forwarded to that server, choose a method and network path that do not expose it in clear text.

 

The recommended setting to use with Sendmail is either OpenLDAP, SMTP Auth or POP3.

 

 

Alternative methods:

 

1.  SMTP_Auth on Port 25 (the AUTH LOGIN and PLAIN mechanisms only base64-encode the credentials; they are not encrypted unless TLS is used on the connection)

 

Please consult the following URL for information about enabling SMTP AUTHENTICATION on a SendMail server: http://www.joreybump.com/code/howto/smtpauth.html

 

 

2.  Exchange 5.5 & 2000+:  To be used with Microsoft only

 

 

3. POP3 on Port 110

 

This is the preferred option as most users are configured to use the POP3 protocol.  POP3 sends the user name and password in clear text, so this traffic should stay on the internal network.  Test this with the option Strip domain name* disabled and enable it only if necessary.  Do not forget to click on Apply and Stop and Start all services in the Console.

 

* When using this setting, users are still required to enter their full email address to log into the Web applications but ModusGate will send only the username portion of the address for authentication.

 

 

4. OpenLDAP on Port 389

 

This is the preferred option if Sendmail is configured with an OpenLDAP server and if mailbox validation already uses this setting.

 

  

IMPORTANT:  If there are any firewalls installed between the ModusGate and Sendmail servers, you must allow communication on all ports configured above for the ModusGate server's IP address (and only for that address).

 

 

LDAP-related Internet pages: 

 

http://www.metaconsultancy.com/whitepapers/ldap.htm

http://www.openldap.org/doc/admin22/quickstart.html

http://www.openldap.org/doc/admin22/slapdconfig.html

1.21. How-To: Prevent the Accumulation of Invalid User Names with Remote Exchange Server

Product: ModusGate

Version & Build: 4.0 and up

Background:

Some customers use ModusGate to filter mail for an Exchange 2000/2003 server that is outside their own network.  Because these clients have no control over the security of the external Exchange server, they use a simple SMTP connection, which does not validate (forward lookup) the recipients' names.  As a result, invalid user names accumulate in the Console, which in turn can cause licensing errors if the mailbox limit is reached.

Solutions:

The best solution is to use one of the forward lookup options by connecting to an LDAP or Active Directory server, as outlined in the ModusGate manual.

However, some customers have security concerns, such as not wanting to open Port 389 to outside traffic.  We offer the following alternatives:

1. Install an Active Directory DC SSL security certificate on the Exchange server.  On the ModusGate server, go to Connections - Properties - General and configure the following:

  • For Automatically populate user list and Authentication Requests, select Exchange 2000+
  • For both settings, enable Use SSL/TLS
    • If using an LDAP or standard Active Directory connection, use Port 636
    • If connecting to the Global Catalog on the AD server, use Port 3269
  • Click Apply 
  • Stop and Start the SMTPRS service

The following links provide information about installing the Domain Controller certificate and enabling LDAP over SSL:

http://support.microsoft.com/?kbid=321051
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx#ELAA

2.  Use VPN for a secure connection between the ModusGate and Exchange servers.  Afterwards, configure an LDAP connection on Port 389 to authenticate the users.
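Before pointing ModusGate at Port 636 or 3269 in alternative 1, it is worth confirming from the ModusGate server that the port answers with a certificate that the server actually trusts, since an untrusted Domain Controller certificate fails in the same way as a blocked port.  The following Python function is an added example, not Vircom's code or part of this article; it opens a TLS session to the LDAP-over-SSL port, verifies the server certificate against the local trust store the way any SSL/TLS client does, and reports the certificate subject and expiry.  The host name exchange.example.com in the usage line is a placeholder.

```python
import socket
import ssl


def check_ldaps(host, port=636, timeout=5.0, verify=True):
    """Open a TLS session to an LDAP-over-SSL port and report the outcome.

    Port 636 is the domain controller / standard AD connection and 3269 the
    Global Catalog, the two ports named in this article.  With verify=True the
    server certificate must chain to a CA trusted on this machine; an untrusted
    or expired Domain Controller certificate is reported rather than ignored.
    """
    ctx = ssl.create_default_context()
    if not verify:  # diagnostic mode only: shows whether TLS works at all
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # {} when verification is disabled
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": subject,
                    "not_after": cert.get("notAfter"),
                    "error": None,
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": f"certificate not trusted: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:  # refused, timed out, handshake failure
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def check_both_ports(host, timeout=5.0):
    """Check 636 (DC / standard AD) and 3269 (Global Catalog) in one call."""
    return {port: check_ldaps(host, port, timeout=timeout) for port in (636, 3269)}


if __name__ == "__main__":
    # Placeholder host name; replace with the Exchange / domain controller address.
    for port, result in check_both_ports("exchange.example.com").items():
        print(port, result)
```

Run it on the ModusGate server itself, because that machine's trust store and network path are the ones that matter.  A result with ok set to False and a certificate error means the issuing CA of the Domain Controller certificate is not yet trusted there; a refused or timed-out connection points at the firewall between the two servers or at LDAP over SSL not yet being enabled on the Exchange side.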

 

1.22. How-To: Test POP3 Authentication with ModusGate

Product: ModusGate

Version & Build: All

Background:
 
With ModusGate's web interface, users are able to access their personal quarantine and scan settings, and domain administrators are able to manage and configure server, domain and user settings.  Users and administrators log into the web interface with their email address and password.
 
If POP3 is selected as the authentication option, ModusGate immediately queries the mail server to validate the email address and password combination and instantly grants or denies access.
 
NOTE: The Web Quarantine program does not allow end users to send or receive mail.  It provides access and control of the quarantine contents, as well as access to the scan settings configured on the mailbox.  Users can change their scan settings only if the administrator grants them permission to do so.
 
 
Testing the POP3 communication between ModusGate and the Email server
 
Configure POP3 authentication:
  • In the Console, go to Connection - Properties - General
  • Click on one of the routes (e.g. an incoming route for yourdomain.com)
  • Click the route for yourdomain.com (not the domain name itself); the connection and authentication information is displayed in the upper portion of the panel
  • At Authentication requests, use the pull-down menu to select POP3
  • Enter the IP address of your mail server and the POP3 port (110)
 
Example:
Assumption: The POP3 connection to yourdomain.com is configured for IP address: 10.0.0.9, Port: 110

Goal: Successfully open a POP3 session on the server and authenticate a valid email address

  • On the ModusGate server, open a Command Prompt
  • Use the telnet command to open a connection to the destination mail server (e.g. type: telnet 10.0.0.9 110 <enter>)
    • If using Windows 2000, go to a DOS prompt and use the following so that you can see what you are typing:

Type telnet <enter>

Type set local_echo <enter>

Type open 10.0.0.9 110 <enter>

    • Remember that telnet does not allow backspaces, so if you make a typo you must start over
  • In the telnet session screen, the mail server's banner will appear with a message similar to: 

OK MailServer POP3 Server 4.1.361.0 Ready 10381880.1122284320.656@yourdomain.com

  • If you don't get a banner, check the IP address and firewall configuration and start the test again
  • Type user followed by a valid email address
    • e.g. user mailboxname@yourdomain.com <enter>
  • The mail server should reply OK...
  • Type pass followed by the mailbox password
    • e.g. pass mailboxpassword <enter> 
  • The following is this transaction as it appears in the telnet session:

>Telnet 10.0.0.9 110

+OK ModusMail POP3 Server 4.1.370.0 Ready 10381880.1122284320.656@yourdomain.com

>user mailboxname@yourdomain.com
+OK mailboxname is welcome here
>pass mailboxpassword
+OK mailboxname's mailbox has 1 message(s) (541 octets)
>quit
+OK yourdomain.com POP3 server signing off (1 messages left)

  • If the mail server replies OK, you have successfully logged into the mail server from the ModusGate server using the POP3 protocol
    • Web access via the WebQuarantine or WebAdmin screens should also be successful using the email address / password combination
  • If the mail server replies Invalid mailbox or password, the server likely does not accept the full email address as a login
  • Without closing the telnet session, proceed with the following:
    • Type user followed by the mailbox name only (without the domain name)
      • e.g. user mailboxname <enter>
    • Type pass followed by the mailbox password
      • e.g. pass mailboxpassword <enter>
  • If the mail server replies OK, you have successfully logged in using only the username and password
    • * See below for the required configuration change
  • Type quit <enter> to end the telnet session to the POP3 connection
    • No email will be collected

* IMPORTANT: If the mail server requires only the mailbox name for login, you must make the following change in the Console:

  • Go to Connection - Properties - General
  • At Authentication requests, enable the option Strip domain name for authentication requests
  • Users and Administrators will still be required to enter their full email address when logging into WebQuarantine and/or WebAdmin (e.g. mailboxname@domain.com)
    • ModusGate will strip the domain name and forward just the 'mailboxname' and password to the mail server for authentication
  • Once mailbox validation is configured properly, WebAdmin and WebQuarantine logins will be successful
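The telnet walkthrough above can be scripted so that the full-address login and the stripped-name login are tried in one go, and the result tells you directly whether Strip domain name needs to be enabled.  The Python script below is an added example, not Vircom's code or part of this article; it uses the standard-library poplib client for the USER/PASS exchange and, so that it runs without a real mail server, includes a constructed mock POP3 server that accepts only the bare mailbox name (the case that requires the configuration change).  The mailboxname / mailboxpassword credentials are the placeholders used in this article.

```python
import poplib
import socketserver
import threading


def pop3_login(host, port, login, password, timeout=5.0):
    """Run the USER/PASS exchange from the telnet walkthrough; return (success, last_reply)."""
    try:
        conn = poplib.POP3(host, port, timeout=timeout)  # connects and reads the +OK banner
    except (poplib.error_proto, OSError) as exc:
        return False, f"no usable banner: {exc}"
    try:
        conn.user(login)
        reply = conn.pass_(password)  # raises error_proto on a -ERR reply
        return True, reply.decode("ascii", "replace")
    except poplib.error_proto as exc:
        return False, str(exc)
    finally:
        try:
            conn.quit()  # no mail is retrieved; the session is closed cleanly
        except (poplib.error_proto, OSError):
            pass


def probe_strip_domain(host, port, email, password):
    """Try the full address first, then the bare mailbox name.

    Returns "full" if the server accepts the full address (Strip domain name can
    stay off), "stripped" if only the mailbox name works (enable Strip domain
    name), or None if neither form authenticates.
    """
    if pop3_login(host, port, email, password)[0]:
        return "full"
    if pop3_login(host, port, email.split("@", 1)[0], password)[0]:
        return "stripped"
    return None


class MockPop3Handler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server that accepts only the bare mailbox name."""

    ACCOUNTS = {"mailboxname": "mailboxpassword"}  # placeholder credentials

    def handle(self):
        self.wfile.write(b"+OK Mock POP3 Server Ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg  # a real server often answers +OK here even for unknown names
                self.wfile.write(b"+OK\r\n")
            elif cmd == "PASS":
                if self.ACCOUNTS.get(user) == arg:
                    self.wfile.write(b"+OK mailbox has 1 message(s)\r\n")
                else:
                    self.wfile.write(b"-ERR Invalid mailbox or password\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"+OK signing off\r\n")
                return
            else:
                self.wfile.write(b"-ERR unknown command\r\n")


def start_mock_server():
    """Start the mock on 127.0.0.1 on a free port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockPop3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_mock_server()
    try:
        # Against a real server use the route's IP address and port, e.g. 10.0.0.9, 110.
        print(probe_strip_domain("127.0.0.1", port, "mailboxname@yourdomain.com", "mailboxpassword"))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real server, replace the mock address with the IP address and port configured on the route (10.0.0.9 and 110 in the example above).  If probe_strip_domain returns "stripped", enable Strip domain name for authentication requests as described in the IMPORTANT note; if it returns None, neither form is accepted and the mailbox credentials, IP address and firewall configuration should be checked first.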
 
1.23. Info: Modusadm will not start when installed on Exchange 2013

Product: ModusGate

Version & Build: 5.42+

Problem:

When ModusGate is installed on the same physical or virtual server as Exchange 2013, there might be a conflict between Modusadm and the Exchange Health Manager over the RPC Client Access Service.

Reason:

Modusadm makes very intensive use of RPC Client Access, and the same can be said of the Exchange Health Manager.  This is also explained in the following link: http://msexchangeguru.com/2013/05/22/rpc-client-access-restart/

Solution:

The workaround for the time being can be applied during or after the installation of ModusGate.  Stop the Microsoft Exchange Health Manager service; once it is stopped, the Modusadm service can be started.  After that, both services can run simultaneously.

1.24. How-To: Upgrade NEP to modusGate \ modusCloud

Product: All

Version & Build: All

Situation:

Clients running Norman Email Protection (NEP) have now been informed that AVG will no longer support NEP products, and they have the option to install modusGate \ modusCloud as a replacement solution.  Anyone running NEP products who is interested in switching solutions must first contact Vircom's sales department in order to acquire a valid license key and provide client information.  You can contact Vircom's sales department at sales@vircom.com or call our sales line at 514-845-1666.

Once this has been completed, the steps below can begin the upgrade from NEP to modusGate \ modusCloud.


Scenario 1: NEP to modusGate

If you would simply like to upgrade your existing NEP installation to the on-premise modusGate solution, the following steps must be completed.

   1-   Close all applications on your NEP server.

   2-   Open a browser to my.vircom.com and paste in the modusGate license key obtained from our sales department.

   3-   Locate the latest version of modusGate and click the DOWNLOAD button.

   4-   Once the download is complete, simply run the modusGate installer over the existing NEP installation and follow the steps on the screen.

   5-   Select the I AGREE option and click NEXT.

   6-   Paste the license key into the required field, click the VALIDATE button and then click NEXT to continue the installation.

   7-   Select STANDARD and click NEXT.

   8-   Check the option YES, MY DATABASES ARE BACKED UP and click NEXT.

   9-   Click NEXT to accept the default installation paths.

 10-   Click NEXT to create the BACKUP MAIL SERVER CONFIGURATION.

 11-   Check the option HELP IMPROVE MODUSGATE and click NEXT.

 12-   Click FINISH to complete the installation.

 13-   Reboot the server once the installation is complete; this is required.


Scenario 1: Post modusGate Install 

   1-   Locate the old Norman Email Protection icon on the server's desktop and delete it.  Only the orange modusGate icon will remain on the desktop.

   2-   Open up the modusGate console and click on the QUARANTINE tab to ensure all spam messages are still present.

   3-   Ensure that the users' trusted and blocked lists are present.

   4-   Click the VIRUS and SPAM tabs to ensure there are no error messages for these updates.

Scenario 2: NEP to modusCloud

If you would prefer our modusCloud solution, we recommend contacting the Vircom support team, either by email at support@vircom.com or through our support line at 514-845-8474.  Third-party software is required to extract your existing configuration and import it into our modusCloud solution.  This service does NOT come with any additional cost.

1.25. How-To: Deploy ModusGate with Azure

Product: ModusGate

Version & Build: 6.5+

modusGate - Azure Deployment Guide:

This section provides information on configuring modusGate as a managed app in your Microsoft Azure AD tenant.

(1) Log into your Azure Portal
(2) Click Azure Active Directory in the far left blade.
(3) Click App registrations in the Manage section.
(4) Click New registration
(5) Enter modusGateApp in the required Name field
(6) Select Accounts in this organizational directory only (usually the default setting).
(7) Click Register
(8) Copy the Application (client) ID, as it will need to be entered into the Native App ID and Web App ID fields when configuring a route on modusGate
(9) Next we need to add 2 permissions in the API permissions section.  Click API permissions in the Manage section on the left, then add a permission alongside the existing default delegated User.Read permission.
(10) Click Microsoft Graph, then Application Permissions
(11) Add the Group.Read.All and Directory.Read.All application permissions.  Once done, click Grant Admin Consent and confirm by clicking Yes.  When the permissions are in place, there should be 3 permissions visible: the default User.Read delegated permission as well as the 2 application permissions, Group.Read.All and Directory.Read.All.
(12) Next we need to add a secret key.  Click Certificates and Secrets in the Manage section, then click New Client Secret.
(13) Enter modusGateSecret in the Description field and select Never in the expiry section.
(14) Upon clicking Add, copy the value of the newly created secret key.  This needs to be entered in the Web App Key section of the modusGate route configuration.  Note that if you navigate away from this screen without copying the value, you will have to create a new secret.
(15) Finally we need to set up Authentication.  Click Authentication in the Manage section.  In the Advanced settings area, check ID tokens and, in the Default client type section, select Yes to treat the application as a public client.
Once all steps above are completed and you have entered the three fields on modusGate, test the route to see that a mailbox is created via population and that a user can also authenticate using the modus web components.
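Once admin consent has been granted, the two application permissions from step 11 appear in the roles claim of an app-only token issued to the registration, and checking that claim is the quickest way to confirm the Azure side before testing the route.  The Python code below is an added example, not Vircom's code or part of this article.  The token endpoint and the https://graph.microsoft.com/.default scope are the Microsoft identity platform's own values; the tenant, application ID and secret values are placeholders, and the sample token is constructed and unsigned.  The payload decoder deliberately does not verify the signature, which is acceptable only for inspecting a token you just received from the token endpoint over TLS, never for trusting a token presented to you.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# The two application permissions added in step 11 of the guide.
REQUIRED_APP_ROLES = ("Group.Read.All", "Directory.Read.All")


def client_credentials_request(tenant, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant that exchanges the
    Application (client) ID and the client secret for an app-only Graph token."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant), body


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Only use this on a token you just received directly from the token endpoint
    over TLS; it must never be used to decide whether a presented token is valid.
    """
    return json.loads(_b64url_decode(token.split(".")[1]))


def missing_app_roles(access_token, required=REQUIRED_APP_ROLES):
    """Application permissions that received admin consent show up in the token's
    'roles' claim.  Anything returned here was not added or not consented in step 11."""
    granted = set(jwt_claims(access_token).get("roles", []))
    return [role for role in required if role not in granted]


def constructed_token(roles):
    """Build an unsigned sample token (constructed for this example; the signature
    segment is a placeholder, so this token would never pass real validation)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "appid": "APP-ID-PLACEHOLDER",
        "roles": list(roles),
    }
    return ".".join([enc(header), enc(payload), "signature-placeholder"])


if __name__ == "__main__":
    url, body = client_credentials_request("TENANT-ID-PLACEHOLDER", "APP-ID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print("POST", url)
    print("missing roles:", missing_app_roles(constructed_token(["Group.Read.All"])))
```

Post the body from client_credentials_request to the returned URL (with the real tenant, the Application (client) ID from step 8 and the secret value from step 14), then pass the access_token from the JSON response to missing_app_roles.  A non-empty list means Grant Admin Consent in step 11 did not take effect for those permissions; redo that step and request a fresh token, since only tokens issued after consent carry the new roles.  Treat the secret and the token as credentials: keep them out of logs and shell history.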