FAQs
Is there an installation guide I can follow?
Answer:
Yes, just follow the guides at:
Windows Installation Instructions
Linux Installation Instructions
I've installed MWES, but it does not filter inbound email
Answer:
There are some possible reasons for this.
1. Old conduit version not properly uninstalled
If the old conduit version has not been properly uninstalled, it may cause conflicts and prevent mail being delivered through the MWES proxy.
Follow these instructions to remove the conduit version
- Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
- Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
- Uninstall MWES from the Control Panel->Add/Remove Programs
2. The MTA has not been moved to port 26
Change the listening SMTP port from 25 to 26 for your MTA
3. No domains defined
You will need to add any domains used at settings>>Domains, to prevent your network appearing as an open relay.

4. Router configured to present an internal IP address
When an external router or connection to the internet does not translate the external address properly, any incoming mail seems to be presented from an internal LAN address.
This will prevent any spam checks from being performed, as the incoming mail is deemed to be from an internal source; i.e. services like RBLs and greylisting won't work because they rely on checking external IP addresses.
Please reconfigure your router so it translates the external IP addresses.
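The effect described in item 4, as an added example (not MWES code): an ip4r RBL lookup is a DNS query on the reversed octets of the connecting address, so an internal address gives the RBL nothing to match. The function names, the zone rbl.example and the sample addresses are assumptions made for illustration, and only IPv4 is handled.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges plus loopback: addresses no public RBL can list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)

def rbl_query_name(client_ip, zone):
    """DNS name an ip4r RBL check would look up, or None for an internal address."""
    if is_internal(client_ip):
        return None
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def nat_report(client_ips, zone="rbl.example"):
    """Summarise the connecting addresses seen by the proxy for a batch of sessions."""
    internal = Counter(ip for ip in client_ips if is_internal(ip))
    queries = [rbl_query_name(ip, zone) for ip in client_ips if not is_internal(ip)]
    return {
        "sessions": len(client_ips),
        "internal": sum(internal.values()),
        "top_internal": internal.most_common(1)[0][0] if internal else None,
        "rbl_queries": queries,
        # Every session looking internal is the symptom described in item 4.
        "router_suspected": bool(client_ips) and not queries,
    }

# Constructed samples (documentation-range addresses stand in for real senders).
BROKEN = ["192.168.1.1"] * 4                             # router hides the real source
HEALTHY = ["192.0.2.10", "198.51.100.7", "192.168.1.20"]

if __name__ == "__main__":
    print(nat_report(BROKEN))
    print(nat_report(HEALTHY))
```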
Error: Cannot connect to CFS
Answer:
This error means that there is a connectivity issue and MWES cannot talk to FirstAlert! (aka Content Filtration System or CFS). It may be exactly what it says, with a routing problem somewhere, or it could be caused by DNS or firewalling issues. We use port 4051 to talk between MWES and the FirstAlert gateways. A quick test is as follows:
The command
telnet native.first-alert.net 4051
should result in the following response ( IP address may vary depending on which gateway you connect to )
Trying 209.213.221.138...
Connected to native.first-alert.net.
Escape character is '^]'.
200 CFS service ready
In one step, this has proved that DNS is working and that there's no firewalling in the way. Press Ctrl-] to return to the telnet> prompt, then type quit to exit.
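The same test split into its three stages, as an added example (not part of MWES or FirstAlert!), so a failure can be attributed to DNS, to routing or firewalling, or to the service greeting. The host, port and "200" greeting come from the transcript above; the function name and stage labels are assumptions.

```python
import socket

def check_cfs(host="native.first-alert.net", port=4051, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'connect', 'banner' or 'ok'."""
    # Stage 1: name resolution (what telnet's "Trying ..." line proves).
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"cannot resolve {host}: {exc}")

    last_error = "no usable address"
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            # Stage 2: TCP connect ("Connected to ..."). A firewall drop shows
            # up here as a timeout, a reject as a refused connection.
            try:
                sock.connect(addr)
            except OSError as exc:
                last_error = f"{addr[0]} port {port}: {exc}"
                continue
            # Stage 3: the greeting; the transcript on the page shows "200 ...".
            try:
                banner = sock.recv(256).decode("ascii", "replace").strip()
            except OSError:
                banner = ""
        if banner.startswith("200"):
            return ("ok", banner)
        return ("banner", f"unexpected greeting from {addr[0]}: {banner!r}")
    return ("connect", last_error)

if __name__ == "__main__":
    print(check_cfs())
```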
Which Mail Servers are supported?
Answer: MWES works with all mail servers because it runs as a proxy, meaning that it sits in front of your mail server, filtering the email first.
For example, on Windows you can use Microsoft Exchange (all versions), IMail, SmarterMail etc. On Linux you can use Sendmail, Postfix, Exim, QMail etc.
How does MailWasher Enterprise Server (MWES) work?
Answer:
MWES sits in front of an existing mail server to process all incoming messages before entering the user’s mailbox.
Using a multi-layered approach to identify spam, MWES provides a combination of algorithm, connection filtering and content filtering to provide a robust approach to solving an organization’s spam problem. This approach substantially reduces the number of unwanted emails which are passed on to the email accounts serviced. MWES filters email before the mail server, thereby reducing the load on the mail server, then scans all incoming email to see whether each email matches a known unwanted email or has the characteristics of an unwanted email.
Combining content identification and sender identification, MWES blocks a very high proportion of unwanted email while maintaining an extremely low false positive rate.
In addition, MWES uses a centrally controlled database of known unwanted e-mail messages. If the incoming message matches a known unwanted e-mail message, it is deleted and quarantined. For messages not found in the database, origin checking is performed to see whether the message has come from known spam senders. Finally, unknown incoming email is temporarily failed (greylisted) to remove spoofed email.
The MWES system is a combination of software products and managed services for reducing spam.
The following diagram shows how MailWasher Server is integrated and works.

What filtering mechanisms does MWES use?
Answer:
Message Signatures:
FirstAlert! Global Spam Database. Adding to MWES’s comprehensive, multi-layered approach, MWES uses the FirstAlert! global spam database – a 24/7 operation which makes use of a global network of users reporting unsolicited email.
Real-time blackhole list servers:
RBLs can be used to block the origin of known spam by IP address or the URL in the message body.
Greylisting:
Greylisting is an effective tool to stop spam by sending a temporary fail back to the sender of the message. If the message is sent via a valid MTA, it is re-sent and MWES will let it through. If the message is not sent from a valid MTA, it is not delivered and is left in the MWES greylisting quarantine area.
Blacklists and Whitelists:
IT administrators have the ability to set and control blacklists and whitelists, through the MWES online web control panel. Email addresses of legitimate senders added to the white list will automatically bypass the antispam filters.
Custom filters:
Custom filters can be added using text or regular expressions to block unwanted email based on words and other characteristics of an email.
Can you provide a summary of each filtering mechanism?
Answer:
The following provides a summary of MWES's filtering features.
Whitelist
The whitelist includes email addresses from which all emails are accepted, regardless of their content. None of MWES's junk mail filters are applied to messages from addresses on the whitelist, therefore care must be taken when adding addresses. It is possible to avoid false negatives by ensuring that you do not add entire domain names to your whitelist, for example, *@aol.com.
Blacklist
MWES filters all messages from addresses that appear on the Address blacklist. All users are affected by the Address blacklist, therefore it is recommended that entire domains are not added to the blacklist as this prevents all end users from receiving possible legitimate messages from any address at that domain.
IP-based RBLs
Real-time blackhole lists (RBLs) are used to list the servers and domains of organisations that have been identified as senders of junk emails. IP-based RBLs (ip4r RBLs) are lists of IP addresses of servers that have been identified as sending or relaying junk mail. Firetrust recommends that you carefully investigate each RBL service for accuracy, before you begin using them. Inaccurate RBLs can result in a high false positive rate.
URI-based RBLs
A URI RBL is an RBL that lists the domain names and IP addresses which are found in the "clickable" links contained in the body of spam messages, but generally not found inside legitimate messages.
FirstAlert!
FirstAlert! is a database of reported and known junk mail messages that is used to eliminate future circulation of junk mail. FirstAlert! provides real-time spam signature updates.
Greylisting
Greylisting is an effective tool to stop spam by sending a temporary fail back to the sender of the message. If the message is sent via a valid MTA, it is re-sent and MWES will let it through. If the message is not sent from a valid MTA, it is not delivered and is left in the MWES greylisting quarantine area.
NOTE: Valid messages can be delayed by up to 15 minutes using this method since the sending MTA has to re-send the message. You can always check the quarantine>>greylisting area to see which messages are due to be re-sent, and rescue them, in which case they will be added to the whitelist. See below, the three light grey messages at the top are within the 15 minute time period to be re-sent. Once an email sender has been let through, they are let through instantly the next time they send something.
Custom filters
Custom filters can be added using text or regular expressions to block unwanted email based on words and other characteristics of an email.
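The greylisting behaviour summarised above, as an added sketch (not MWES's implementation): the first delivery attempt is temporarily failed, a retry is accepted, and a sender that has been let through is accepted instantly afterwards. Keying pending messages on (connecting IP, sender, recipient), the 60-second minimum retry delay and the reply strings are assumptions based on common greylisting practice.

```python
import time

TEMPFAIL = "451 temporary failure, please retry"   # SMTP transient failure code
ACCEPT = "250 ok"

class Greylist:
    def __init__(self, min_delay=60, clock=time.time):
        self.min_delay = min_delay   # assumed: a retry sooner than this is refused
        self.clock = clock           # injectable so the behaviour can be tested
        self.pending = {}            # (ip, sender, recipient) -> time first seen
        self.passed = set()          # senders already let through once

    def check(self, client_ip, mail_from, rcpt_to):
        sender = mail_from.lower()
        if sender in self.passed:
            return ACCEPT            # let through instantly the next time
        key = (client_ip, sender, rcpt_to.lower())
        now = self.clock()
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now  # first attempt: remember it and fail it
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            return TEMPFAIL          # retried too quickly to count as a real retry
        del self.pending[key]        # a valid MTA came back: deliver
        self.passed.add(sender)
        return ACCEPT

    def quarantine(self):
        """Messages still waiting for a retry (the greylisting quarantine view)."""
        return sorted(self.pending)

if __name__ == "__main__":
    # Constructed session: a sender that retries after five minutes.
    now = [0.0]
    gl = Greylist(clock=lambda: now[0])
    print(gl.check("192.0.2.10", "alice@example.org", "user@example.com"))
    now[0] = 300
    print(gl.check("192.0.2.10", "alice@example.org", "user@example.com"))
```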
In what order are messages filtered?
Answer:
Email is filtered in the following order.
1. Whitelist
2. Blacklist
3. FirstAlert
4. RBLs
5. Custom filters
6. Greylisting
How can we filter incoming and outgoing mail?
Answer:
You'll need to add the configuration entry use_is_routable=0
Windows
Go to the Windows Registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Firetrust Limited\mwes"
After you have added use_is_routable=0, restart the MailWasher Enterprise Server Service (Go to Start>>Run>>Type 'services.msc' and locate MailWasher Enterprise Server, and restart).
Linux
Add use_is_routable=0 to the mwes.conf file at /etc/mwes.conf
When changed, restart service/daemon.
What is the url for accessing the quarantine or admin tool?
Answer:
The login screen is located at http://[company.site]:4044
How do I retrieve my admin username and password?
Answer:
The default username/password is admin/password, so try this first.
The username and password are stored in an SQLite database. Probably the easiest way to retrieve them from the database is by installing the Firefox SQLite browser: https://addons.mozilla.org/en-US/firefox/addon/5817
Navigate to the installed program directory and locate mwes.db, then navigate to the configure table >> name, and locate the username and password fields.
How many days are messages kept in quarantine?
Answer:
7 days at present. This is not currently able to be changed.
What do all the registry/file configuration entries mean?
Answer:
Database location
database_location C:\Program Files\MailWasher Enterprise Server\data
Default page after login
default_page Quarantined.srv
Location of installed files
home C:\Program Files\MailWasher Enterprise Server
Web server details
root_document C:\Program Files\MailWasher Enterprise Server\site
web_port=4044
web_hostname=localhost
Change the logging level
Use this entry to change the logging level. The default is 2 (normal).
0 = Full
1 = Partial
2 = Normal
3 = Warnings
4 = Errors
log_level=2
Location of logs
logging C:\Program Files\MailWasher Enterprise Server\logs
Proxy configuration
Details show the port and location of MWES proxy
use_mta_proxy=1
proxy_port=25
proxy_hostname=
Change the location and port where MWES sees the MTA
MTA Relay is used to show the location and port of your MTA. Defaults are shown below.
mta_hostname=localhost
mta_port=26
FirstAlert cache size information.
This is used to cache already checked spam to reduce the number of external checks.
cfs_max_cache_size=20000
RBL cache size information.
This is used to cache already checked spam to reduce the number of external checks.
rbl_max_cache_size=20000
Use working domains to stop open relay
use_check_domains=1
# If set = 1 this stops your MTA appearing as an open relay by checking the list of your working domains.
# If set = 0 will let all email through without checking your working domains. (ie. it will filter everything instead of distinguishing between internal and external email). You'll just need to make sure your MTA is configured to not appear as an open relay.
Ignore MTA Authentication
use_mta_authentication=1
# If set =1 then all emails authenticated by MTA are safe and will not be filtered.
# If set =0 then MTA Authentication is ignored and all emails pass through filters.
Don't check local email
use_is_routable=1
# If set = 1, your local outgoing mail is not checked.
# If set = 0, your local outgoing mail is checked.
Discard empty emails
Emails without a body are discarded.
discard_empty_emails=1
# If set = 1, emails with empty bodies are discarded
# If set = 0, emails with empty bodies are passed through for filtering
Preview body of blocked emails
Displays the number of characters used in the email preview when the mouse is moved over the subject
view_body_max=200
# 200 characters is the default but feel free to adjust this to a higher value.
SPF lite
A lite version of SPF is able to be turned on. This means emails will be delivered more quickly as many of them won't need to be greylisted, but you may receive slightly more spam.
use_spf=0
# If set = 1, spf lite is turned on
# If set = 0, spf lite is turned off
I can't rescue email
Answer:
There are two options to fix this.
1. Go to Exchange System Manager and locate SMTP properties like below.
You will likely have an IP address specified. If you change this to 'All Unassigned' then rescue will work. Stop and start the service (wait a minute for it to work). If you want to keep the IP address specified then go to option 2.

2. Make sure you're using version 2.68 or later and go to the Windows Registry setting (Start>>Run>>regedit) - "HKEY_LOCAL_MACHINE\SOFTWARE\Firetrust Limited\mwes"
Locate the key 'mta_hostname' and enter the IP address you're using above.
Restart MailWasher Enterprise Server in the services (go to Start>>Run>> type 'services.msc' and locate MailWasher Enterprise Server)
How do I upgrade my version?
Answer:
Windows
Download and run the latest mwes.x.x.x.exe. MWES will automatically upgrade itself.
If you're upgrading from the old conduit version, you'll need to first follow these steps.
- Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
- Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
- Uninstall MWES from the Control Panel->Add/Remove Programs
Follow the installation instructions to install the proxy version
Linux
Sendmail Milter:
1. You need to completely uninstall version 2.4.3 or older before installing later releases.
2. Later versions can be uninstalled using "Uninstall" script.
3. Download and Install new version (For installation refer to Installation Section).
Proxy:
1. Download and untar the current release
2. Stop the mwes service
3. cd mwes.xxx
4. Run the ./install script; it will automatically upgrade related files.
5. Start mwes
Note: No need to restart MTA
How do I uninstall my version?
Answer:
Windows
Uninstall MWES from the Control Panel->Add/Remove Programs
If uninstalling an old conduit version of MWES, follow these steps.
- Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
- Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
- Uninstall MWES from the Control Panel->Add/Remove Programs
Linux
Users running version 2.4.3 or older should follow the uninstall instructions.
Later versions can be uninstalled using "Uninstall" script.
1. cd mwes-xxxx
2. Run script ./uninstall as "root"