Firetrust
MailWasher Enterprise Server

Is there an installation guide I can follow?

Answer:

Yes, just follow the guides at:

Windows Installation Instructions
Linux Installation Instructions

I've installed MWES, but it does not filter inbound email

Answer:

There are some possible reasons for this.

1. Old conduit version not properly uninstalled

If the old conduit version has not been properly uninstalled, it may cause conflicts and prevent mail being delivered through the MWES proxy.

Follow these instructions to remove the conduit version

  1. Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
  2. Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
  3. Uninstall MWES from the Control Panel->Add/Remove Programs



2. The MTA has not been moved to port 26

Change the listening SMTP port from 25 to 26 for your MTA



3. No domains defined

You will need to add any domains used at settings>>Domains, to prevent your network appearing as an open relay.




4. Router configured to present an internal IP address

When an external router or connection to the internet does not translate the external address properly, any incoming mail seems to be presented from an internal LAN address.

This prevents any spam checks from being performed, as the incoming mail is deemed to be from an internal source; i.e. services like RBLs and greylisting won't work because they rely on checking the external IP address.

Please reconfigure your router so it translates the external IP addresses.

Error: Cannot connect to CFS

Answer:

This is telling you that there is a connectivity issue, and MWES cannot talk to FirstAlert! (aka the Content Filtration System or CFS). Besides it being exactly what it says, i.e. there is a routing problem somewhere, this can also be caused by DNS or firewall issues. We use port 4051 to talk between MWES and the FirstAlert gateways. A quick test is as follows:

The command

telnet native.first-alert.net 4051

should result in the following response ( IP address may vary depending on which gateway you connect to )

Trying 209.213.221.138...
Connected to native.first-alert.net.
Escape character is '^]'.
200 CFS service ready

In one step, this has proved that DNS is working and there's no firewall in the way. Press Ctrl-] to return to the telnet> prompt, then type quit to exit.
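The telnet test above, as an added Python script (not Firetrust's code) that separates the three things the test proves: name resolution, a TCP connection on port 4051, and the "200 CFS service ready" banner. The resolve/connect parameters exist only so the logic can be exercised without network access.

```python
import socket

CFS_HOST = "native.first-alert.net"   # gateway name from the FAQ
CFS_PORT = 4051                        # port MWES uses to reach FirstAlert!
EXPECTED_BANNER = "200 CFS service ready"


def check_banner(line):
    """True when the first line the gateway sends is the CFS ready banner."""
    return line.strip().startswith(EXPECTED_BANNER)


def diagnose_cfs(host=CFS_HOST, port=CFS_PORT, timeout=5.0,
                 resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Walk the same steps the telnet test exercises and name the first one
    that fails: dns -> tcp -> banner. Returns (stage, detail)."""
    try:
        addrs = resolve(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except OSError as e:  # socket.gaierror is an OSError
        return ("dns", "cannot resolve %s: %s" % (host, e))
    if not addrs:
        return ("dns", "no address records for %s" % host)
    ip = addrs[0][4][0]
    try:
        sock = connect((ip, port), timeout)
    except OSError as e:
        return ("tcp", "cannot connect to %s:%d (%s); check routing and firewall"
                % (ip, port, e))
    try:
        sock.settimeout(timeout)
        banner = sock.recv(256).decode("ascii", "replace")
    except OSError as e:
        return ("banner", "connected but no greeting received: %s" % e)
    finally:
        sock.close()
    if not check_banner(banner):
        return ("banner", "unexpected greeting: %r" % banner)
    return ("ok", "%s (%s:%d) answered: %s" % (host, ip, port, banner.strip()))


if __name__ == "__main__":
    stage, detail = diagnose_cfs()
    print(stage, "-", detail)
```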

Which Mail Servers are supported?

Answer: MWES works with all mail servers because it runs as a proxy, meaning that it sits in front of your mail server, filtering the email first.

E.g. for Windows you can use Microsoft Exchange (all versions), IMail, SmarterMail etc. For Linux you can use Sendmail, Postfix, Exim, QMail etc.

How does MailWasher Enterprise Server (MWES) work?

Answer:

MWES sits in front of an existing mail server to process all incoming messages before entering the user’s mailbox.

MWES uses a multi-layered approach to identify spam: a combination of algorithms, connection filtering and content filtering that provides a robust solution to an organization's spam problem. This approach substantially reduces the number of unwanted emails passed on to the email accounts serviced. MWES filters email before it reaches the mail server, thereby reducing the load on the mail server, and scans all incoming email to see whether each message matches a known unwanted email or has the characteristics of one.

Combining content identification and sender identification, MWES blocks a very high proportion of unwanted email while maintaining an extremely low false positive rate.

In addition, MWES uses a centrally controlled database of known unwanted e-mail messages. If the incoming message matches a known unwanted e-mail message, it is deleted and quarantined. For messages not found in the database, origin checking is performed to see whether the message has come from known spam senders and finally, unknown incoming email is temporarily failed (greylisted) to remove spoofed email.

The MWES system is a combination of software products and managed services for reducing spam.

The following diagram shows how MailWasher Server is integrated and works.

What filtering mechanisms does MWES use?

Answer:

Message Signatures:

FirstAlert! Global Spam Database. Adding to MWES’s comprehensive, multi-layered approach, MWES uses the FirstAlert! global spam database – a 24/7 operation which makes use of a global network of users reporting unsolicited email.

Real-time blackhole list servers:

RBL's can be used to block the origin of known spam by IP address or the URL in the message body.

Greylisting:

Greylisting is an effective tool to stop spam by sending a temporary fail back to the sender of the message. If the message is sent via a valid MTA, the message is re-sent and MWES will let it through. If the message is not sent from a valid MTA it is not delivered and is left in the MWES greylisting quarantine area.

Blacklists and Whitelists:

IT administrators have the ability to set and control blacklists and whitelists, through the MWES online web control panel. Email addresses of legitimate senders added to the white list will automatically bypass the antispam filters.

Custom filters:

Custom filters can be added using text or regular expressions to block unwanted email based on words and other characteristics of an email.

Can you provide a summary of each filtering mechanism?

Answer:

The following provides a summary of MWES's filtering features.

Whitelist

The whitelist includes email addresses from which all emails are accepted, regardless of their content. None of MWES's junk mail filters are applied to messages from addresses on the whitelist, therefore care must be taken when adding addresses. It is possible to avoid false negatives by ensuring that you do not add entire domain names to your whitelist, for example, *@aol.com.



Blacklist

MWES filters all messages from addresses that appear on the Address blacklist. All users are affected by the Address blacklist, therefore it is recommended that entire domains are not added to the blacklist as this prevents all end users from receiving possible legitimate messages from any address at that domain.



IP-based RBLs

Real-time blackhole lists (RBLs) are used to list the servers and domains of organisations that have been identified as senders of junk emails. IP-based RBLs (ip4r RBLs) are lists of IP addresses of servers that have been identified as sending or relaying junk mail. Firetrust recommends that you carefully investigate each RBL service for accuracy, before you begin using them. Inaccurate RBLs can result in a high false positive rate.



URI-based RBLs

A URI RBL is an RBL that lists the domain names and IP addresses which are found in the "clickable" links contained in the body of spams, but generally not found inside legitimate messages.



FirstAlert!

FirstAlert! is a database of reported and known junk mail messages that is used to eliminate future circulation of junk mail. FirstAlert! provides real-time spam signature updates.


Greylisting

Greylisting is an effective tool to stop spam by sending a temporary fail back to the sender of the message. If the message is sent via a valid MTA, the message is re-sent and MWES will let it through. If the message is not sent from a valid MTA it is not delivered and is left in the MWES greylisting quarantine area.

NOTE: Valid messages can be delayed by up to 15 minutes using this method, since the sending MTA has to re-send the message. You can always check the quarantine>>greylisting area to see which messages are due to be re-sent, and rescue them, in which case the sender will be added to the whitelist. See below: the three light grey messages at the top are within the 15 minute period to be re-sent. Once an email sender has been let through, they are let through instantly the next time they send something.
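The greylisting behaviour described here and under "What filtering mechanisms does MWES use?", as an added Python model (not MWES code): the triplet of sender IP, envelope sender and recipient is temp-failed on first contact, accepted when retried, and the sender then becomes a friend who is let through instantly. The 15-minute pending window and the 35-day friend lifetime (taken from housekeeping_gray_listing_friends=35 in the configuration section) are my assumptions about how those numbers apply.

```python
from datetime import datetime, timedelta

# Assumed values: 15 minutes is the retry period quoted in the NOTE above;
# 35 days mirrors housekeeping_gray_listing_friends=35 from the configuration
# section (my reading of that setting, not documented MWES semantics).
PENDING_WINDOW = timedelta(minutes=15)
FRIEND_TTL = timedelta(days=35)


class Greylist:
    """Greylisting state: pending triplets awaiting a retry, plus friends."""

    def __init__(self):
        self.pending = {}   # (ip, mail_from, rcpt_to) -> time first seen
        self.friends = {}   # mail_from -> time last accepted

    def _housekeep(self, now):
        # Pending entries nobody retried inside the window are dropped, so a
        # later attempt is treated as a brand-new first contact (spambots
        # that never retry therefore never get through).
        for key, seen in list(self.pending.items()):
            if now - seen > PENDING_WINDOW:
                del self.pending[key]
        for addr, last in list(self.friends.items()):
            if now - last > FRIEND_TTL:
                del self.friends[addr]

    def check(self, ip, mail_from, rcpt_to, now):
        """Return (verdict, reason) for one RCPT TO in the SMTP dialogue."""
        self._housekeep(now)
        if mail_from in self.friends:
            self.friends[mail_from] = now
            return ("accept", "known friend, no delay")
        key = (ip, mail_from, rcpt_to)
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now
            return ("tempfail", "451 4.7.1 greylisted, retry later")
        # A retry of the identical triplet means a real MTA with a queue.
        del self.pending[key]
        self.friends[mail_from] = now
        delay = int((now - first).total_seconds())
        return ("accept", "retried after %d seconds" % delay)

    def rescue(self, ip, mail_from, rcpt_to, now):
        """Administrator rescue from quarantine>>greylisting: the sender is
        let through from now on without waiting for the retry."""
        self.pending.pop((ip, mail_from, rcpt_to), None)
        self.friends[mail_from] = now


if __name__ == "__main__":
    g = Greylist()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    # constructed sample: one sender, first contact then a retry 5 minutes later
    print(g.check("198.51.100.7", "alice@example.net", "bob@company.com", t0))
    print(g.check("198.51.100.7", "alice@example.net", "bob@company.com",
                  t0 + timedelta(minutes=5)))
```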



Custom filters

Custom filters can be added using text or regular expressions to block unwanted email based on words and other characteristics of an email.

In what order are messages filtered?

Answer:

Email is filtered in the following order.

White filters section
---------------------
Trusted IP
Authenticated
Routable
White Listed (email address)
(Optional) Custom white filter (by default this sits in front of grey listing)

Black Filters section
---------------------
First Alert (cache)
First Alert (internet)
RBL's (cache)
RBL's (internet)
Custom black filter
Black listed (email address)
Black listed (IP)

Grey listing section
--------------------
Custom white filter
White Listed (IP)
White Listed friend (email address)
Grey listing process
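An added Python model of the order above (not MWES code): each section is walked top to bottom and the first filter that matches decides, with cache and internet lookups merged into one check each. First-match semantics, the reading of "Routable" as local mail going out, and custom filters as regular expressions over the body are assumptions. Note that a sender who authenticates to the MTA passes the white section and is never checked against the black filters, which is why compromised mailbox credentials can relay spam through the proxy.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    peer_ip: str
    mail_from: str            # envelope sender from the SMTP dialogue
    rcpt_to: str
    authenticated: bool = False
    signature: str = ""       # FirstAlert message signature (constructed)
    body: str = ""


@dataclass
class Policy:
    domains: set = field(default_factory=set)         # settings>>Domains
    trusted_ips: set = field(default_factory=set)
    white_addrs: set = field(default_factory=set)
    white_ips: set = field(default_factory=set)
    friends: set = field(default_factory=set)         # senders greylisting already let through
    black_addrs: set = field(default_factory=set)
    black_ips: set = field(default_factory=set)
    firstalert_sigs: set = field(default_factory=set) # known-spam signatures
    rbl_ips: set = field(default_factory=set)
    custom_black: list = field(default_factory=list)  # compiled regexes run on the body
    custom_white: list = field(default_factory=list)
    custom_white_first: bool = False  # move the custom white filter into the white section


def is_local_outbound(msg, p):
    # "Routable" read as: the sender is one of our own domains, i.e. local
    # mail going out, which use_is_routable=1 leaves unchecked (assumption).
    return msg.mail_from.rsplit("@", 1)[-1].lower() in p.domains


def filter_message(msg, p):
    """Run the three sections in the FAQ's order; the first hit decides."""
    white = [
        ("trusted ip", msg.peer_ip in p.trusted_ips),
        ("authenticated", msg.authenticated),
        ("routable", is_local_outbound(msg, p)),
        ("whitelisted address", msg.mail_from in p.white_addrs),
        ("custom white filter", p.custom_white_first
         and any(r.search(msg.body) for r in p.custom_white)),
    ]
    black = [
        ("firstalert", msg.signature in p.firstalert_sigs),
        ("rbl", msg.peer_ip in p.rbl_ips),
        ("custom black filter", any(r.search(msg.body) for r in p.custom_black)),
        ("blacklisted address", msg.mail_from in p.black_addrs),
        ("blacklisted ip", msg.peer_ip in p.black_ips),
    ]
    grey = [
        ("custom white filter", any(r.search(msg.body) for r in p.custom_white)),
        ("whitelisted ip", msg.peer_ip in p.white_ips),
        ("friend", msg.mail_from in p.friends),
    ]
    for section, verdict in ((white, "accept"), (black, "reject"), (grey, "accept")):
        for name, hit in section:
            if hit:
                return (verdict, name)
    return ("tempfail", "greylisting process")
```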

How can we filter incoming and outgoing mail?

Answer:

You'll need to add the configuration entry use_is_routable=0

Windows
Go to the Windows Registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Firetrust Limited\mwes"

After you have added use_is_routable=0, restart the MailWasher Enterprise Server Service (Go to Start>>Run>>Type 'services.msc' and locate MailWasher Enterprise Server, and restart).

Linux
Add use_is_routable=0 in the mwes.conf file

At: /etc/mwes.conf

When changed, restart service/daemon.

How can I access the admin panel from outside the office?

Answer: The control panel is accessed by navigating to your machine's domain/IP on port 4044, just as when accessing the panel locally.

Example: if the mail server has an external address of mail.company.com, then you would navigate to: http://mail.company.com:4044.
You can also use an IP address, e.g. http://123.456.789.123:4044 (obviously you would use the real IP address).

The only caveat is that any firewall in place must allow TCP access through port 4044 to the mail server.

How do I retrieve my admin username and password?

Answer:

The default username/password is admin/password, so try this first.

The username and password are stored in an SQLite database. Probably the easiest way to retrieve them from the database is by installing the Firefox SQLite browser add-on: https://addons.mozilla.org/en-US/firefox/addon/5817

Navigate to the installed program directory and locate mwes.db (you might need to 'Show all Files' when browsing), then navigate to the configure table >> name, and locate the username and password fields.

How many days are messages kept in quarantine?

Answer:

7 days at present. Changing this can affect performance, but go to the config file (Unix) or Registry (Windows) and add these manually.
housekeeping_quarantine=7
housekeeping_gray_listing=7
housekeeping_gray_listing_friends=35
housekeeping_delivered=7
housekeeping_track=7

Can I install MWES in an Exchange Cluster?

Answer: MWES is fully compatible with an Exchange 2007/2010 cluster (Front end with Mail stores behind)

There are a couple of caveats however:
* Version 2.80 of MWES or later needs to be installed (it has specifics to handle Exchange clustering)
* SMTP Replay needs to be switched off (registry key 'use_replay' with a value of 0, or create this key if it doesn't exist) - Microsoft use an extended proprietary SMTP command set between the FE and MS servers which is not handled by Replay.
* MWES needs to be installed on the front end server and communicate with the front end Exchange server, not with the mail stores.
* All domains accepted by the front end server need to be added into the MWES Domains list (otherwise they will be immediately rejected)

What do all the registry/file configuration entries mean?

Answer:

Windows users can add/change these options in the registry

Windows Registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Firetrust Limited\mwes"
or "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Firetrust Limited\mwes" (64 bit OS)

If changed, restart the MailWasher Enterprise Server Service (Go to Start>>Run>>Type 'services.msc' and locate MailWasher Enterprise Server, and restart).



Linux users can add/change these options in the mwes.conf file

Linux: /etc/mwes.conf

If changed, restart service/daemon.



Database location

database_location C:\Program Files\MailWasher Enterprise Server\data



Default page after login

default_page Quarantined.srv



Location of installed files

home C:\Program Files\MailWasher Enterprise Server



Web server details

root_document C:\Program Files\MailWasher Enterprise Server\site
web_port=4044
web_hostname=localhost



Change the logging level

Use this if you want to change the logging level. The default is 2 (normal).

0 = Full
1 = Partial
2 = Normal
3 = Warnings
4 = Errors

log_level=2



Location of logs

logging C:\Program Files\MailWasher Enterprise Server\logs



Proxy configuration

These entries set the port and address on which the MWES proxy listens.
use_mta_proxy=1
proxy_port=25
proxy_hostname=



Change the location and port where MWES sees the MTA

MTA Relay is used to show the location and port of your MTA. Defaults are shown below.
mta_hostname=localhost
mta_port=26



FirstAlert cache size information.

This is used to cache already checked spam to reduce the number of external checks.
cfs_max_cache_size=20000



RBL cache size information.

This is used to cache already checked spam to reduce the number of external checks.
rbl_max_cache_size=20000



Use working domains to stop open relay

use_check_domains=1
# If set = 1, this stops your MTA appearing as an open relay by checking the list of your working domains.
# If set = 0, all email is let through without checking your working domains (i.e. everything is filtered instead of distinguishing between internal and external email). You'll just need to make sure your MTA is configured not to appear as an open relay.



Ignore MTA Authentication

use_mta_authentication=1

# If set = 1, all emails authenticated by the MTA are considered safe and will not be filtered.
# If set = 0, MTA authentication is ignored and all emails pass through the filters.



Don't check local email

use_is_routable=1

# If set = 1, your local mail going out is not checked.
# If set = 0, your local mail going out is checked.



Discard empty emails.

Emails without a body are discarded.
discard_empty_emails=1
# If set = 1, emails with empty bodies are discarded
# If set = 0, emails with empty bodies are passed through for filtering



Preview body of blocked emails

Sets the number of characters shown in the email preview when the mouse is moved over the subject.
view_body_max=200
# 200 characters is the default but feel free to adjust this to a higher value.



SPF lite

A lite version of SPF is able to be turned on. This means emails will be delivered more quickly as many of them won't need to be greylisted, but you may receive slightly more spam.
use_spf=0
# If set = 1, spf lite is turned on
# If set = 0, spf lite is turned off



Stop rejected email notifications (554) from being sent.

use_rejected=0



Days to hold email in quarantine.

(You'll need to add these in)

housekeeping_quarantine=7
housekeeping_gray_listing=7
housekeeping_gray_listing_friends=35
housekeeping_track=7



Login expire

The login session expires, so you must log in again.
use_expire_login=1
# If set = 1, login will expire
# If set = 0, login will not expire

What is the url for accessing the quarantine or admin tool?

Answer:

The login screen is located at http://[company.site]:4044

Is it possible to configure MWES with multiple NICs?

Answer: MWES doesn't bind to a NIC per se; it binds to an IP address.
The difference is that a NIC can have multiple addresses, but MWES can only listen on one address per service.

The address that MWES binds/listens on is set in the configuration.

I've installed MailWasher Server but it does not filter the inbound email

Answer:

There are some possible reasons for this.

First, perform a couple of quick tests.

Perform these ON the machine MWES is installed on:
1) telnet to the MWES proxy port: telnet [external IP address] [port] - should result in a HELO string with (MP) on the end.
2) telnet to the MTA port: telnet [IP address] [port] - should result in the above, minus the (MP)

Perform the same test from a PC outside the network.

Make sure all firewalls have allowances for MWES. This is rather important, as Windows auto-provisions firewall rules and removes them when you disable an MTA service such as Exchange.



1. The MTA has not been moved to port 26

Change the listening SMTP port from 25 to 26 for your MTA



2. Old conduit version not properly uninstalled

If the old conduit version has not been properly uninstalled, it may cause conflicts and prevent mail being delivered through the MWES proxy.

Follow these instructions to remove the conduit version

  1. Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
  2. Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
  3. Uninstall MWES from the Control Panel->Add/Remove Programs

I can't rescue email

Answer:

There are two options to fix this.



1. Go to Exchange System Manager and locate SMTP properties like below.

You will likely have an IP address specified. If you change this to 'All Unassigned' then rescue will work. Stop and start the service (wait a minute for it to work). If you want to keep the IP address specified then go to option 2.

2. Make sure you're using version 2.68 or later and go to the Windows Registry setting (Start>>Run>>regedit) - "HKEY_LOCAL_MACHINE\SOFTWARE\Firetrust Limited\mwes"

Locate the key 'mta_hostname' and enter the IP address you're using above.

Restart MailWasher Enterprise Server in the services (go to Start>>Run>> type 'services.msc' and locate MailWasher Enterprise Server)

Why do messages in the tracker not appear in the quarantine screen?

Answer: The reason for this is that MWES doesn't store duplicates of quarantined messages, because there's no point in storing the same spam email twice (this only applies to emails blocked by FirstAlert), but you will still see them in the tracking screen.

The quarantine only holds email for 7 days, but each blocked message is actually cached in the background as a signature (until the cache reaches 20,000 emails, after which the oldest blocked emails are dropped).

You can change these parameters if you wish as below.

Windows users can add/change these options in the registry
Windows Registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Firetrust Limited\mwes"
or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Firetrust Limited\mwes (64 bit OS)
If changed, restart the MailWasher Enterprise Server Service (Go to Start>>Run>>Type 'services.msc' and locate MailWasher Enterprise Server, and restart).

Linux users can add/change these options in the mwes.conf file
Linux: /etc/mwes.conf
If changed, restart service/daemon.
------------------------------------
FirstAlert Cache:
cfs_max_cache_size=20000

RBL cache
rbl_max_cache_size=20000

Quarantine days: (You’ll need to add these in)
housekeeping_quarantine=7
housekeeping_gray_listing=7
housekeeping_gray_listing_friends=35
housekeeping_track=7

Email addresses in the blacklist are not being blocked

Answer: MWES uses the email address it receives via the SMTP conversation, which is not necessarily the same as the one in the header (since the header can be forged). If you look at the header of an email which has passed in via MWES, it will have a header item X-MWES which shows the actual email address used for the whitelist/blacklist etc.

How do I upgrade my version?

Answer:

Windows

Download and run the latest mwes.x.x.x.exe. MWES will automatically upgrade itself.

If you're upgrading from the old conduit version, you'll need to first follow these steps.

  1. Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
  2. Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
  3. Uninstall MWES from the Control Panel->Add/Remove Programs

Follow the installation instructions to install the proxy version



Linux

Sendmail Milter:

1. You need to completely uninstall version 2.4.3 or older before installing later releases.
2. Later versions can be uninstalled using "Uninstall" script.
3. Download and Install new version (For installation refer to Installation Section).



Proxy:

1. Download and Untar current release
2. Stop mwes service
3. cd mwes.xxx
4. Run the ./install script; it will automatically upgrade the related files.
5. Start mwes

Note: No need to restart MTA

How do I uninstall my version?

Answer:

Windows

Uninstall MWES from the Control Panel->Add/Remove Programs

If uninstalling an old conduit version of MWES, follow these steps.

  1. Uninstall conduit Start->Program->Mailwasher Enterprise server->Uninstall conduit.
  2. Using Task Manager, kill process inetinfo.exe to make MS Exchange release and remove the existing conduit (inetinfo.exe will restart automatically)
  3. Uninstall MWES from the Control Panel->Add/Remove Programs



Linux

Users running version 2.4.3 or older should follow the uninstall instructions for that release.

Later versions can be uninstalled using "Uninstall" script.

1. cd mwes-xxxx
2. Run script ./uninstall as "root"