We will be implementing a number of enhancements to the Mail services, including extensions to the quarantine duration, continuity period, and message delivery logs; addition of diagnostics and basic encryption controls to the control panel; and inclusion of TLS data within message headers. The new capabilities will be available in conjunction with a planned control panel deployment on the afternoon (Pacific time) of Friday, December 27. Details regarding these enhancements are below.
Extended Continuity
The inbound queue period will now be configurable, from the existing 4 days (which remains the default) up to a maximum of 14 days. The additional continuity is designed to aid customers that anticipate or are in the midst of an extended outage of their mail infrastructure. The available intervals are 4 days, 7 days, 10 days, and 14 days. For the duration of the selected interval, inbound messages will be queued and no NDR (bounce) notifications will be generated.
The applicable queue period is dynamically determined each time a message delivery attempt occurs, which enables policy changes to be applied retroactively to messages already received. For example, a message which was originally queued under a 4 day policy can be extended to 10 days, if the change is made at any point before an NDR is issued for that message. Conversely, a message which has been in the queue for 8 days under a 14 day policy would, if the policy were reduced to 4 days, generate an NDR on the next delivery attempt.
The settings to control the duration of the inbound queue will be located in the control panel under Management -> Inbound Filtering -> Advanced Options -> Queue Duration.
Extended Quarantine Duration
The inbound quarantine period has been extended from 10 days to a maximum of 21 days. Administrators can configure the default settings at the domain level through the distributor level for a 10 day, 14 day or 21 day quarantine period. Note that the configuration affects visibility of messages within the quarantine, not the actual message storage, which has been extended to the full 21 days. As a result, customers will be able to release any message in the quarantine for up to 21 days via their digest, regardless of any changes to the policy governing how long messages are displayed in the control panel.
The settings to control the duration of the quarantine will be located in the control panel under: Management -> Inbound Filtering -> Advanced Options -> Quarantine Duration.
Extended Message Delivery Logs
The time period encompassed by the message delivery logs has been extended from 10 days to 30 days, to allow customers to search for older messages.
TLS Management
All administrators will now be able to directly configure TLS encryption settings for inbound delivery to the customer mail server, and/or for outbound delivery to third party receiving servers. (Our inbound filters and outbound smart hosts always accept TLS traffic for messages sent to them, and no customer intervention is needed.)
The configurable options for TLS delivery to customer servers and to third-party receiving servers are as follows:
1) no use of TLS;
2) best effort TLS (if the receiving mail server supports TLS, the message will be delivered encrypted, and if the receiving mail server does not support TLS, the message will be delivered unencrypted); and
3) required TLS (if the receiving mail server supports TLS, the message will be delivered encrypted, and if the receiving mail server does not support TLS, the message will NOT be delivered and an NDR will be generated).
Note that not all mail servers support TLS, as this requires a certificate to be installed on the customer mail server, similar to https for web traffic.
As a result, we strongly advise that customers use either no TLS or best effort TLS for the default delivery options. For customers using TLS, we also recommend that they choose to trust all certificates, regardless of the certificate authority. A configuration of mandatory TLS and/or acceptance of only CA-issued certificates should only be made by system administrators who fully understand the consequences of these settings, since some mail will NOT be delivered with that configuration.
The TLS settings will be located in the control panel under Management -> Inbound Filtering -> Mail Delivery -> Encryption for inbound deliveries to customer servers, and under Management -> Outbound Filtering -> Handling Settings -> Encryption for outbound message delivery.
TLS Information in Received Header
Messages that have been received using STARTTLS now include diagnostic information in the Received headers, indicating the version of TLS and the negotiated cipher suite. For instance:
Received: from na01-bn1-obe.outbound.protection.outlook.com
([207.46.163.183]) by ams1-mh582.smtproutes.com [(5.10.67.96)] with
ESMTP via TCP (TLSv1/TLS_RSA_WITH_AES_128_CBC_SHA); 24 Dec 2013 03:29:39 +0000
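As an added example (not code from this service), the following Python sketch reads the TLS token out of each Received header and flags hops with no recorded TLS, a deprecated protocol version, or a weak cipher suite. It assumes other protocol versions are written in the same "(version/cipher)" form as the sample above; every header in the sample message other than the one shown above is constructed.

```python
import re
from email import message_from_string

# Token format as in the page's sample header: "(TLSv1/TLS_RSA_WITH_AES_128_CBC_SHA)".
# Assumption: other protocol versions are written the same way ("TLSv1.2/...").
TLS_TOKEN = re.compile(r"\(((?:TLS|SSL)v[\d.]+)/([A-Za-z0-9_-]+)\)")
BY_HOST = re.compile(r"\bby\s+(\S+)")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}  # RFC 7568, RFC 8996
WEAK_CIPHER_PARTS = ("_NULL_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_anon_")

# Constructed message: the first hop is the page's sample, the other hops are made up.
SAMPLE = """\
Received: from na01-bn1-obe.outbound.protection.outlook.com
 ([207.46.163.183]) by ams1-mh582.smtproutes.com [(5.10.67.96)] with
 ESMTP via TCP (TLSv1/TLS_RSA_WITH_AES_128_CBC_SHA); 24 Dec 2013 03:29:39 +0000
Received: from a.example.net ([192.0.2.10]) by b.example.net with
 ESMTP via TCP (TLSv1.2/TLS_RSA_WITH_RC4_128_SHA); 24 Dec 2013 03:29:38 +0000
Received: from c.example.net ([192.0.2.11]) by a.example.net with
 ESMTP via TCP; 24 Dec 2013 03:29:37 +0000
Subject: constructed sample

body
"""

def audit_received(raw_message):
    """Return one finding dict per Received header, newest hop first."""
    results = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        by = BY_HOST.search(flat)
        tls = TLS_TOKEN.search(flat)
        issues = []
        if tls is None:
            # No token: the hop was cleartext, or the receiving server does not log TLS.
            protocol = cipher = None
            issues.append("no TLS recorded")
        else:
            protocol, cipher = tls.groups()
            if protocol in LEGACY_PROTOCOLS:
                issues.append("legacy protocol " + protocol)
            if any(part in cipher for part in WEAK_CIPHER_PARTS):
                issues.append("weak cipher " + cipher)
        results.append({"by": by.group(1) if by else None, "protocol": protocol,
                        "cipher": cipher, "issues": issues})
    return results

if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(hop["by"], hop["protocol"], hop["cipher"], hop["issues"] or "ok")
```

Only Received headers stamped by servers you or your provider operate are reliable; anything below that boundary is supplied by the sending side and can be forged.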
Diagnostics
The following diagnostic tools have been expanded for use by distributors, partners, organization and domain administrators:
- Inbound Mail Delivery test
- Mail Exchange (MX)
- Authoritative Nameserver
- SPF Check
- Open Relay Test
- Reverse DNS Test
- DNS Blacklist Check
The diagnostics will be located in the control panel under Support -> Diagnostics.
Thank you for your attention.