Mail Storage

Introduction

About this Document

This document serves as a reference for technical personnel and system administrators, detailing the concepts and configuration of AXS Guard email storage (POP, IMAP, Webmail).

Examples used in this Guide

All configuration examples in this guide are performed by an advanced administrator. Certain options are unavailable to full administrators or users with lower access privileges.

Due to ongoing software development and documentation updates, the screenshots in this guide may differ slightly from the current user interface.

E-mail Server Concepts

Introduction

E-mails travel across the Internet between their source and destination via servers, in the same way that traditional paper mail travels the world via post offices (as illustrated below). On the Internet, the role of post offices or sorting offices is assumed by Mail Transfer Agents or MTAs.

The concept of email differs from traditional postal service in that a mail server stores emails for an email client, which then retrieves and delivers them. Traditional mail, in contrast, is typically delivered directly, rather than retrieved. Mail servers are sometimes referred to as Mail Delivery Agents, and mail clients as Mail User Agents (MUAs), such as Microsoft Outlook.

Analogy between E-mail and Paper MTA

  • Similar to the infrastructure of traditional post offices, the MTA network links servers, such as the AXS Guard, across the world.

  • E-mails are sent directly from a sender MTA to the receiver MTA, based on the MX records which are looked up via a DNS request, unless configured otherwise on the sender MTA. For more information about DNS and MX records, see the AXS Guard Public DNS How To, which is available by clicking on the permanently available Documentation button in the Administrator tool.

  • The Mail Client is a program for viewing, replying, forwarding, sorting, creating and deleting e-mails. Common mail clients are Outlook, Outlook Express and Thunderbird.

See the AXS Guard MTA documentation for additional information.

E-mail Domains

A domain identifies company web sites, e-mail servers, but also other devices such as gateways and routers via a common name. For example, microsoft.com is the domain name of Microsoft’s web sites and update servers. A single web server can serve web sites for multiple domain names, but a single FQDN can only point to one machine. For example, Apple Computer has the following web sites: www.apple.com, www.info.apple.com and store.apple.com. Each of these sites could be hosted on different machines.

The AXS Guard MTA allows you to handle mail for one or multiple domains. All e-mails for a configured domain can either be handled and stored locally, forwarded to a specific computer or relayed out to a specific SMTP server. Users only have one physical mailbox, even if they are a member of multiple local domains on AXS Guard. All messages destined to a member of one of these domains are delivered to the same physical mailbox.

For detailed information about e-mail domains and their configuration, see the AXS Guard MTA documentation.

E-mail Domains

Message Components

The Envelope

The envelope encapsulates the message. It contains all the information needed for transporting the message, such as the destination address, the message priority, etc. This information stands on its own and is distinct from the message itself. The Message Transport Agents (MTAs) use the envelope for routing, just as the post office does. A new envelope is created per recipient.

The Header and Body

The message inside the envelope consists of two parts: the header and the body. The header contains control information for the user agents. The body is intended for the human recipient. The body is the message itself, which can be formatted in plain text or HTML. The difference between paper mail (a) and e-mail (b) is illustrated below.

Each message has exactly one header, which has separate fields. Each field has a name and a value. RFC 5322 specifies the syntax to be used. The most important header fields are listed below:

Field Description

From

The e-mail address, and optionally the name of the sender. Forms the envelope with the To field.

To

The e-mail address(es), and optionally name. Forms the envelope with the From field.

Subject

A brief summary of the contents of the message.

Date

The local time and date when the message was written.

BCC

Blind Carbon Copy. The e-mail address(es) in this field are not visible to other addressees.

CC

Carbon copy. The e-mail address(es) in this field are visible to other addressees.

Content-Type

Information about how the message has to be displayed, usually a MIME type.

In-Reply-To

Message-ID of the message that this is a reply to.

Received

Tracking information generated by mail servers that have previously handled the message.

References

Message-ID of the message that this is a reply to, and the message-id of this message, etc.

Reply-To

E-mail address that should be used to reply to the sender.

AXS Guard uses a special header to avoid e-mail loops when the auto-response option (e.g. vacation message) is enabled. See Auto-Response Settings for more information.

Supported Protocols

POP3

The Post Office Protocol (POP) is an application-layer Internet protocol used by local email clients to retrieve email from a remote server over a TCP/IP connection. Emails are typically downloaded from the server, unless the client is configured to leave a copy on the server. Earlier versions of POP (POP1 and POP2) are obsolete.

IMAP

The Internet Message Access Protocol (IMAP) is one of the two most prevalent Internet standard protocols for email retrieval, the other being the Post Office Protocol. Virtually all modern email clients and mail servers support both protocols for retrieving email messages from a server.

POP vs. IMAP

TLS

AXS Guard supports secure IMAP and POP, enabling secure email access from the Internet or the LAN. For detailed information about TLS, see the MTA documentation. Refer to the PKI documentation for an explanation of certificate usage.

E-mail Aliases

An e-mail alias is a forwarding mechanism which allows system administrators to create and link one or more alternate e-mail addresses to a single mailbox.

Some aliases are required, such as the postmaster@domain.com e-mail address. This e-mail address is used to report MTA problems. Other e-mail aliases are automatically created on AXS Guard, e.g. sysdeamon@domain.com, spam@domain.com, etc. The postmaster e-mail alias is linked to the AXS Guard sysadmin user, unless specified otherwise. More information about the AXS Guard sysadmin user is available in the AXS Guard System Administration How To, which is accessible via the Documentation button in the Administrator Tool.

As of AXS Guard version 8.2.0, virtual domains have been implemented. A virtual domain is either a local or forwarded domain for which a directory service (LDAP) profile has been configured. This implementation directly affects the way e-mail aliases are handled by the AXS Guard mail server.

E-mail aliases have 2 functions:

  • They are used to find and apply the matching AXS Guard mail policy (applies to local and forwarded domains).

  • Messages sent to a user’s alias are stored in that user’s AXS Guard mailbox (applies to local domains only). The behavior of the AXS Guard mail server varies, depending on how an alias is added to an AXS Guard user profile.

Aliases can be added to a user profile as a name, e.g. alias or as an e-mail address, e.g. alias@domain.com. In the first case, messages sent to the alias will be delivered to all the user’s AXS Guard mailboxes in non-virtual domains. In the second case, mail sent to the alias will only be delivered to the associated mailbox.

In the following examples, we assume the following:

  • 3 local mail domains have been configured on the AXS Guard appliance, i.e. foo.com, bar.net and foobar.org.

  • A Directory Services (LDAP) profile has been configured for the foobar.org domain, which is a virtual domain.

Example 1

Given an AXS Guard user with a username user1 and an e-mail alias abuse.

The user will be able to receive e-mail sent to the following addresses: user1@foo.com, user1@bar.net, abuse@foo.com and abuse@bar.net.

Mail sent to user1@foobar.org and abuse@foobar.org will not be delivered.

Example 2

Given an AXS Guard user with a username user2 and an e-mail alias info@foo.com.

The user will be able to receive e-mail sent to the following addresses: user2@foo.com, user2@bar.net and info@foo.com.

Mail sent to user2@foobar.org, info@foobar.org and info@bar.net will not be delivered.

Example 3

Given an AXS Guard user with a username user3 and an e-mail alias info@foobar.org.

The user will be able to receive e-mail sent to the following addresses: user3@foo.com, user3@bar.net and info@foobar.org.

Mail sent to user3@foobar.org, info@foo.com and info@bar.net will not be delivered.

Example 4

Given an AXS Guard user with a username user4@foobar.org and no e-mail alias.

The user will be able to receive e-mail sent to the following addresses: user4@foobar.org.

Mail sent to user4@foo.com and user4@bar.net will not be delivered.

Example 5

Given an AXS Guard user with a username user1 and an e-mail alias abuse.

The user will be able to receive e-mail sent to the following addresses: user1@foo.com, user1@bar.net, abuse@foo.com and abuse@bar.net.

Adding the e-mail alias abuse@bar.net to another user, e.g. user2, will generate a validation error, because abuse@bar.net was already added to user1.
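The alias rules and Examples 1 to 5 can be checked with a small model. The following is an added example, not AXS Guard code: the class and function names are hypothetical, and treating any overlap between two users' deliverable addresses as a validation error is an assumption generalized from Example 5.

```python
from dataclasses import dataclass, field

# Constructed configuration, taken from the assumptions listed in the text.
LOCAL_DOMAINS = {"foo.com", "bar.net", "foobar.org"}
VIRTUAL_DOMAINS = {"foobar.org"}  # local domain with an LDAP profile


class AliasConflict(ValueError):
    """An address would become deliverable to two different users."""


@dataclass
class User:
    username: str
    aliases: list = field(default_factory=list)


def expand(entry):
    """Addresses that one username or alias entry resolves to."""
    entry = entry.strip().lower()
    if "@" in entry:
        local_part, domain = entry.rsplit("@", 1)
        # A full address is bound to that single address only.
        return {entry} if local_part and domain in LOCAL_DOMAINS else set()
    # A bare name applies to every local domain that is not virtual.
    return {f"{entry}@{d}" for d in LOCAL_DOMAINS - VIRTUAL_DOMAINS}


def deliverable(user):
    """Every address for which mail lands in this user's mailbox."""
    addresses = expand(user.username)
    for alias in user.aliases:
        addresses |= expand(alias)
    return addresses


class Directory:
    def __init__(self):
        self.users = {}

    def _check(self, username, new_addresses):
        # Reject an entry that overlaps with another user's addresses.
        for other in self.users.values():
            clash = new_addresses & deliverable(other)
            if other.username != username and clash:
                raise AliasConflict(f"{sorted(clash)} already belongs to {other.username}")

    def add_user(self, username, aliases=()):
        self._check(username, expand(username))
        self.users[username] = User(username)
        for alias in aliases:
            self.add_alias(username, alias)

    def add_alias(self, username, alias):
        self._check(username, expand(alias))
        self.users[username].aliases.append(alias)

    def owner_of(self, address):
        """Mailbox owner for an address, or None when mail is not delivered."""
        for user in self.users.values():
            if address.lower() in deliverable(user):
                return user.username
        return None


def build_examples():
    """Load the users of Examples 1 to 4 into one directory."""
    directory = Directory()
    directory.add_user("user1", ["abuse"])
    directory.add_user("user2", ["info@foo.com"])
    directory.add_user("user3", ["info@foobar.org"])
    directory.add_user("user4@foobar.org")
    return directory


if __name__ == "__main__":
    d = build_examples()
    for probe in ("abuse@bar.net", "info@bar.net", "user3@foobar.org", "user4@foobar.org"):
        print(probe, "->", d.owner_of(probe))
    try:
        d.add_alias("user2", "abuse@bar.net")  # Example 5
    except AliasConflict as err:
        print("validation error:", err)
```

Running the same model against a planned alias list before entering it in the user profile shows which addresses a bare alias will expose in every non-virtual domain.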

E-mail Forwarding

Messages sent to a mailbox on the AXS Guard (i.e. a local mailbox) can be forwarded to one or more e-mail addresses. E-mail forwarding redirects e-mail going to one address and sends it to one or several other addresses. Vice versa, e-mails going to several different addresses can be converged via forwarding to end up in a single address mailbox.

If the e-mail address to which e-mails are forwarded is local, the message is forwarded to the user’s AXS Guard mailbox. If the address is not local, the AXS Guard forwards the message to the authoritative MTA, e.g. hotmail, gmail, etc.

The AXS Guard allows you to keep local copies of forwarded e-mails. The forwarding options can be configured by the user, if allowed by the AXS Guard system administrator (under Users & Groups > General).

Important

E-mails are always checked by the AXS Guard mail content filtering system before they are forwarded.

E-mail Forwarding Concept

Distribution Lists

A distribution list is an easy method to send an e-mail to multiple recipients through a single e-mail address, which is in fact an alias for member recipients. Mail sent to the alias is automatically delivered to the mailbox of each recipient who is included in the distribution list.

Important

You can only create distribution lists for your own (internal) network, not for forwarded domains. However, it is possible to use external e-mail addresses as recipients, e.g. hotmail or gmail addresses. The external addresses have to be added under E-mail > Filters > External Addresses, otherwise senders will receive an "undeliverable" message.

E-mail Quotas

A mail quota is the amount of space reserved on a mail server to house a user’s e-mail messages. Quotas are necessary to preserve the AXS Guard’s storage capacity.

  • Soft quotas: The soft quota is a warning limit. Once it is reached, the AXS Guard automatically sends a notification to the user and the system administrator, requesting the user to remove and / or archive his / her messages. If no action is taken within 7 days after the notification, the system will treat the mailbox as if the hard quota has been exceeded. The frequency of notifications can be configured. Administrators can also verify the status of the quota, to see how much space is available in a user’s mailbox.

  • Hard quotas: Hard quotas determine the maximum allowed size of disk storage to be used for a user’s mailbox. As soon as it is exceeded, no new e-mails can be sent or received by the user. Messages first have to be deleted from the mailbox or archived by the user.

Important

  • The POP3 protocol can be configured to leave a copy of e-mails on the server, in which case quotas become a factor, similar to IMAP.
  • It is not possible to delete e-mail if the hard quota has been exceeded and the mail client is configured to move the e-mail to a trash folder on the mail server. To solve this problem, configure the client to delete messages permanently or use the Webmail feature.

Automated Responses

The auto-response function enables the AXS Guard to send an automatic response to e-mails received while a user is unavailable, e.g. when a user is on vacation. Senders are automatically notified that the addressee is unable to read his / her e-mails, allowing them to use an alternate e-mail address or another method of communication. The auto-response function can only be used for users in a local domain, i.e. a domain for which e-mail messages are stored locally (on the AXS Guard). It does not apply to forwarded domains.

The auto-response function can also be configured at the system level. If enabled, the system will automatically send an automated response on behalf of all users.

Example: Holiday season

Assume your company employs 100 people and is closed for business every year between 12/23 and 2/2 for the holidays. You can have each employee configure his / her out of office message individually, but this means 100 configurations on your appliance, with the risk of someone forgetting to do so. Configuring the auto-response at the system level makes more sense in this case, as it only requires a single configuration by the system administrator.

Info

You can also configure an automatic response for distribution lists. When a user configures an auto-reply message and that user’s e-mail address is also included in a distribution list, no auto-reply will be sent on behalf of the user when a message is sent to the distribution e-mail address. This is expected behavior.

Automatic Deletion

It is possible to automatically delete incoming messages for a given user. This is very useful for old accounts that are no longer active and that are still receiving e-mail. You can combine this option with the auto-response functionality to provide senders with an alternate e-mail address or to let them know that the account is no longer monitored.

E-mail Server Configuration

Feature Activation

  1. Log on to the AXS Guard appliance.

  2. Navigate to System > Feature Activation.

  3. Select the E-mail menu.

  4. Enable the options as shown in the image below.

    MTA and E-mail Feature Activation

Adding E-mail Domains

Mail is only accepted and processed for registered domains.

  1. Navigate to E-mail > Domains.

  2. Click on the + button (add new).

  3. Enter a domain, e.g. mydomain.com.

  4. Enter a description for the domain (optional).

  5. Set the type to local.

  6. Enable or disable masquerading for the domain.

  7. Save your configuration.

    Adding E-mail Domains

Parameter

Description

Domain

The domain for which e-mail should be handled by the AXS Guard MTA.

Disabled

Disables the domain, e.g. for maintenance.

Local

Select this option if e-mails are stored locally on the AXS Guard appliance. The e-mail server feature must be enabled under System > Feature Activation > E-mail.

Forwarded

Forwards e-mail traffic to the specified computer. The computer can be listed or unlisted. Listed means that the computer has been added to the AXS Guard computer list (under Computers). In case of an unlisted computer, enter the computer’s IP address or FQDN, e.g. computer.mydomain.com.

Forward port

The SMTP port of the computer to which e-mails are forwarded. The default SMTP port is 25.

Verify Recipient Address

If enabled, the recipient addresses are verified by initiating an SMTP connection to the server. If the server refuses delivery to the recipient, AXS Guard will too. If the server is unreachable, the delivery of the e-mail will be postponed.

Relay Out

Relays outgoing e-mail traffic to a non-listed computer. Enter the computer’s IP address or FQDN, port number (default is 25) and authentication credentials (if required).

Masquerade

See Masquerading for details.

POP & IMAP Server Settings

  1. Navigate to E-mail > POP3 & IMAP.

  2. Configure the options as explained in the table below.

  3. Update your configuration.

    POP3 and IMAP Server Settings

Parameter

Description

Security Level

  • No TLS: TLS is not used.

  • Opportunistic TLS: If the client attempts to encrypt the communications channel, TLS is used. If not, the appliance falls back to unencrypted communications. This method requires no pre-arrangement between clients and the appliance.

  • Mandatory TLS: POP and IMAP clients must always use TLS.

Server Certificate

Select the server certificate to be used by the POP / IMAP server. Go to PKI > Certificates for an overview of certificates or to generate a new certificate.

Enable compression

The option is enabled by default and should be disabled for troubleshooting, e.g. when using a traffic analyzer such as tcpdump or Wireshark.

Remove message duplicates on delivery

The mail server has the possibility to detect message duplicates by checking the message ID of e-mails. E-mails with identical message IDs are deleted if the option is enabled. Per RFC, a message ID should be unique.

Enable alternate namespace

The namespace determines how the IMAP folder structure is presented on the client. If the option is unchecked, all folders are presented as subfolders of the inbox folder. If the option is checked, all folders are shown at the same level as the inbox folder. This parameter should be disabled if you are using the Konsec Workgroup connector. Do not modify this configuration if you are using the Konsec Workgroup connector, as Outlook profiles will be corrupted without the possibility to recover.

Enable storage of ephemeral data in memory

To enhance performance on high I/O systems, enable in-memory database caching. This stores caching data in memory, bypassing disk I/O. Prior to enabling, please confirm your system has at least 2GB of free memory.

Firewall Configuration

System-wide Policy

CAUTION

It is recommended to disable IMAP and POP services at the system level. Grant firewall access for these services only at the group or user level. Either use a VPN or TLS to access POP or IMAP services over the internet.

To assign system-wide IMAP and POP firewall policies (not recommended):

  1. Log in to the AXS Guard appliance.

  2. Go to Firewall > Policies > Static.

  3. Add the POP and IMAP mail policies to the appropriate static policy.

  4. Update your configuration.

Example of System-wide Firewall Policy Assignment

Computer-level Policy

Important

Disable mail services at the computer level, unless a server requires sending automated emails over the Internet. Require user authentication whenever possible.

  1. Go to Computers.

  2. Select the desired computer from the list.

  3. Select the firewall access control tab.

  4. Add the appropriate POP and IMAP firewall policies.

  5. Update your configuration.

    Firewall Access Control at the Computer Level

Button Description

Add Firewall Policy

Select the desired firewall policy from the drop-down list. Go to Firewall > Policies > Dynamic for an overview of assignable firewall policies.

Group-level Policy

  1. Go to Users & Groups > Groups.

  2. Select the desired group.

  3. Select the firewall tab.

  4. Assign the sys-email firewall policy to the group.

  5. Update your configuration.

    Firewall Access to AXS Guard Mail Services

Parameters Description

Firewall Policies

Select the firewall policy for the members of this group. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies.

VPN & RAS Policies

Select specific firewall policies for group members who connect to the corporate network with a VPN client, such as a PPTP client. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies.

User-level Policy

  1. Go to Users & Groups > Users.

  2. Select the desired user from the list.

  3. Select the firewall tab.

  4. Select the appropriate firewall configuration from the drop-down list (make sure the user is assigned the sys-email policy).

  5. Update your configuration.

    Firewall Access to Mail Services at the User Level

Field

Description

Firewall Policy Mode

Select the desired firewall policy mode from the drop-down list.

  • Use group firewall policies: Uses the firewall policies as configured for the user’s group, under Users & Groups > Groups. If firewall policies are configured for the user’s computer (based on the user’s IP), they are applied as well, in combination with the system-wide policies.

  • Add to group firewall policies: Uses the firewall policies as configured for the user’s group, under Users & Groups > Groups and the specific firewall policies defined here. Note that user-specific policies can either be more restrictive or more permissive than the user’s group firewall policies. The user-specific firewall policies are applied first. If firewall policies are configured for the user’s computer (based on the user’s IP), they are applied as well, in combination with the system-wide policies.

  • Overrule group firewall policies: The user’s group firewall policies are overruled and do not apply. Only the user-specific firewall policies apply. If firewall policies are configured for the user’s computer (based on the user’s IP), they are applied as well, in combination with the system-wide policies.

VPN - RAS Policy Mode

Select user-specific firewall policies for users who connect to the corporate network with a VPN client, such as a PPTP client. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies.

  • User group VPN - RAS policies: Uses the VPN firewall policies as configured for the user’s group, under Users & Groups > Groups. If firewall policies are configured for the user’s computer (based on the IP address of the VPN client), they are applied as well, in combination with the system-wide policies.

  • Add to group VPN - RAS policies: Uses the VPN firewall policies as configured for the user’s group, under Users & Groups > Groups and the specific firewall policies defined here. Note that user-specific policies can either be more restrictive or more permissive than the user’s group VPN firewall policies. The user-specific VPN firewall policies are applied first. If firewall policies are configured for the user’s computer (based on the IP address of the VPN client), they are applied as well, in combination with the system-wide policies.

  • Overrule VPN - RAS policies: The user’s group VPN firewall policies are overruled and do not apply. Only the user-specific VPN firewall policies apply. If firewall policies are configured for the user’s computer (based on the IP address of the VPN client), they are applied as well, in combination with the system-wide policies.

Adding Aliases

  1. Navigate to Users & Groups > Users.

  2. Select the appropriate user name.

  3. Add the desired user alias(es).

  4. Update the user profile.

    Adding an Alias

Field

Description

E-mail alias list

An e-mail alias allows system administrators to link one or more alternate e-mail addresses to a single mailbox. Aliases can be added as a name, e.g. alias or as an e-mail address, e.g. alias@domain.com. In the first case, messages sent to the alias will be delivered to all the user’s AXS GUARD mailboxes in non-virtual domains. In the second case, mail sent to the alias will only be delivered to the associated mailbox.

Overrule Group Mail Policy

Check this option to overrule the user’s group policy. The group policy is configured under Users & Groups > Groups. Go to E-mail > Filters > Policies for an overview of defined e-mail policies on your system.

Delete incoming mail immediately

Check to delete incoming messages for the user. Use this option for inactive accounts to preserve disk space, e.g. when a user no longer works for your company. You can combine this option with the auto-response option to notify senders that the account is no longer in use.

Forwarding Enabled

Check this option to specify a forwarding address.

Store copy on AXS GUARD

Check to preserve a copy of forwarded e-mails on the appliance.

Auto-response active

Check to enable automated responses.

Start: Enter a start date for the automated response in the DD/MM/YYYY HH:MM format.

End: Enter an end date for the automated response in the DD/MM/YYYY HH:MM format.

Notify sender: Select a frequency for automated responses. For example, one time means that only the first message from a given sender will trigger an automated response. Subsequent messages from the same sender will not trigger an automated response.

Auto-response subject: The subject of the automated reply.

Auto-response message: The body of the automated reply. For example, an out of office message. The following variables can be used in your message:

  • $SUBJECT: The subject of the e-mail being replied to.

  • $START: When the out of office period starts.

  • $END: When the out of office period ends.

The substitutions for the $START and $END variables include the time if they are less than 32 hours apart (a full day + a working day).

Mailbox Quota Warning

Once this limit is reached, the appliance automatically sends a warning to the user and the system administrator, requesting the user to remove or archive messages.

Mailbox Quota Limit

The maximum amount of disk space that may be used by the user’s mailbox. When exceeded, no new e-mails can be sent or received by the user. The user first needs to remove or archive excess messages.

Allow access to Webmail

Allow or deny access to the appliance’s webmail server.

  • Use group configuration: Apply the user’s group settings. Go to Users & Groups > Groups and select the user’s group to view the webmail configuration.

  • On: Webmail access is granted, even if not allowed in the user’s group configuration.

  • Off: Webmail access is denied, even if allowed in the user’s group configuration.

Creating Distribution Lists

  1. Navigate to E-mail > Distribution List.

  2. Click on Add new.

  3. Enter the settings as explained in the table below.

  4. Save your configuration.

Field

Description

Name

A name for the distribution list. Invalid characters are not accepted.

Description

Provide a description for the distribution list (not required).

Distribution e-mail address

Enter the address without the domain name; rather than entering all@mydomain.com, just enter all.

Domain

Select the domain of the distribution address, e.g. mydomain.com. Go to E-mail > Domains to view all configured domains.

Overrule System Mail Policy

Check this option to overrule the system mail policy as configured under E-mail > General. Go to E-mail > Filters > Policies for an overview of available policies or to configure a new policy.

Recipients

  • Local Users: Add recipients as listed under Users & Groups > Users. Added recipients will receive a copy of mails sent to the distribution address.

  • Local Groups: Add groups as listed under Users & Groups > Groups. Members of added groups will receive a copy of mails sent to the distribution address.

  • External users or list names: Enter the e-mail address(es) of the external recipient.

Auto-response active

Sends an automated response according to the configured settings.

Accessibility

Allow access from anywhere: Select this option to allow anybody to send messages to the distribution e-mail address. If enabled, messages coming from the Internet will be accepted and relayed.

Restrict access to internal use: If selected, the broadcast mailbox will not accept messages originating from the Internet. Messaging will be restricted to users in your secure network.

Auto-Response Settings

Auto-responses are automatically deactivated upon reaching their end date.

Avoiding E-mail Loops

Between AXS Guard MTAs

To prevent two or more AXS Guard users from generating auto-response messages to each other in a never-ending loop, an additional header field is automatically added to auto-response messages.

Between AXS Guard and 3rd party MTA

The same principle applies to auto-responses sent from the AXS Guard appliance to mailboxes of a 3rd party MTA. AXS Guard has an option so that only a single auto-response message is sent per external address. This prevents message looping. While the auto-response function is enabled, AXS Guard maintains a list of e-mail addresses to which an auto-response message has already been sent.

Important

The auto-response function only answers messages if a user has been contacted via his user name or alias(es). Distribution list addressees and BCC addressees do not receive automatic responses. This is to avoid unnecessary or indiscreet message traffic.

Priorities

Automatic responses are configurable at three hierarchical levels: user, distribution list, and system. In cases where multiple configurations exist, the system resolves conflicts by sending only the most specific response.

Example: Automatic responses at the user and system level

Assume that userX configured an automatic response and that an auto-response has also been activated at the system level. When a message is sent to userX, the appliance will only send one automatic response, i.e. the one that was configured by the user.
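The auto-response rules described on this page (loop header, one response per sender, no reply to BCC or distribution-list deliveries, start and end dates, most specific level wins, and the $SUBJECT, $START and $END variables with the 32-hour rule) combine into one decision per delivered message. The sketch below is an added example, not AXS Guard code: the function and class names are hypothetical, replying to the From address is a simplification, and because the page does not name the appliance's loop header, the RFC 3834 Auto-Submitted field stands in for it.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Assumption: the page does not name the appliance's loop-prevention header,
# so the RFC 3834 "Auto-Submitted" field stands in for it here.
LOOP_HEADER = "Auto-Submitted"
SPECIFICITY = {"user": 0, "list": 1, "system": 2}  # lower is more specific


@dataclass
class AutoResponse:
    level: str
    start: datetime
    end: datetime
    subject: str
    body: str
    once_per_sender: bool = True  # the "one time" notify frequency


def render(template, cfg, original_subject):
    """Substitute $SUBJECT, $START and $END in a single pass."""
    short = cfg.end - cfg.start < timedelta(hours=32)
    pattern = "%d/%m/%Y %H:%M" if short else "%d/%m/%Y"
    values = {
        "SUBJECT": original_subject,
        "START": cfg.start.strftime(pattern),
        "END": cfg.end.strftime(pattern),
    }
    # One pass, so a "$END" inside the sender's subject is not expanded again.
    return re.sub(r"\$(SUBJECT|START|END)", lambda m: values[m.group(1)], template)


def decide(raw, mailbox_addresses, configs, now, answered):
    """Return the auto-reply for one delivered message, or None.

    mailbox_addresses: user name and alias addresses of the recipient.
    configs: AutoResponse settings that apply to this recipient.
    answered: senders already answered; updated when a reply is produced.
    """
    msg = message_from_string(raw)
    if str(msg.get(LOOP_HEADER, "no")).strip().lower() != "no":
        return None  # written by another auto-responder: never answer
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    named = {addr.lower() for _, addr in getaddresses(visible)}
    if not sender or not named & {a.lower() for a in mailbox_addresses}:
        return None  # reached the mailbox via BCC or a distribution list
    active = [c for c in configs if c.start <= now <= c.end]
    if not active:
        return None  # outside every configured start/end window
    cfg = min(active, key=lambda c: SPECIFICITY[c.level])
    if cfg.once_per_sender and sender in answered:
        return None  # this sender has already been notified
    answered.add(sender)
    # Collapse folding and newlines so the subject cannot inject headers.
    subject = " ".join(str(msg.get("Subject", "")).split())
    reply = EmailMessage()
    reply["To"] = sender
    reply["Subject"] = render(cfg.subject, cfg, subject)
    reply[LOOP_HEADER] = "auto-replied"
    reply.set_content(render(cfg.body, cfg, subject))
    return reply


SAMPLE = (  # constructed message
    "From: Alice <alice@example.org>\n"
    "To: user1@foo.com\n"
    "Subject: Invoice $END\n"
    "\n"
    "Please find the invoice attached.\n"
)

if __name__ == "__main__":
    user_cfg = AutoResponse(
        "user", datetime(2024, 12, 23, 18, 0), datetime(2024, 12, 24, 20, 0),
        "Out of office: $SUBJECT", "I am away from $START until $END.",
    )
    print(decide(SAMPLE, ["user1@foo.com"], [user_cfg], datetime(2024, 12, 24, 10, 0), set()))
```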

Auto-Response Access

Users cannot change their auto-response settings, unless authorized by an AXS Guard system administrator. Tool access is required at the user level. Navigate to Users & Groups > Preferences to allow users to update their auto-response configuration.

Auto-Response Configuration

User-level Configuration

  1. Navigate to Users & Groups > Users.

  2. Click on the appropriate username.

  3. Select the e-mail tab.

  4. Activate the auto-response option.

  5. Enter the required information as explained in the context-sensitive help.

  6. Update your configuration.

    User-level Auto-Response Configuration

System-level Configuration

  1. Navigate to E-mail > Server.

  2. Check auto-response active.

  3. Select the auto response tab.

  4. Enter the required information as explained in the context-sensitive help.

  5. Update your configuration.

    Automatic Response at the System Level

Distribution Lists

  1. Navigate to E-mail > Distribution Lists.

  2. Select the list for which you want to configure an automated response.

  3. Check auto-response active.

  4. Enter the required information as explained in the context-sensitive help.

  5. Update your configuration.

Field Description

Auto-response Active

Check to enable. Uncheck to disable.

Start

Enter the Start time in the DD/MM/YYYY hh:mm format.

End

Enter the End time in the DD/MM/YYYY hh:mm format.

Notify sender

Select the desired frequency.

Auto-response Subject

The subject of the auto-response message.

Auto-response message

The message you wish to convey.

Auto-deleting E-mail

  1. Navigate to Users & Groups > Users.

  2. Select the account whose messages should be automatically deleted.

  3. In the e-mail tab, select delete incoming mail immediately.

  4. To notify senders, configure the auto-response functionality.

  5. Update your configuration.

    Automatic Deletion of E-mail

E-mail Forwarding Options

  1. Navigate to Users & Groups > Users.

  2. Select the appropriate user in the list.

  3. Under the e-mail tab, select Forwarding enabled.

  4. Enter the settings as explained in the table below.

  5. Update your configuration.

    Configuring E-mail Forwarding

Field Description

Forwarding Enabled

Check to enable forwarding.

Forwarding Address

Specify the e-mail address(es) to which your messages must be forwarded.

Store copy on AXS Guard

Check to keep a copy of the forwarded messages on the AXS Guard mail server.

Quota Configuration

  1. Navigate to Users & Groups.

  2. Click on the appropriate username.

  3. Enter the quota settings under the e-mail tab as explained in the table below.

  4. Update the user profile.

    Quota Configuration

Field Description

Mailbox Quota Warning

Enter the size of the soft quota. Once the specified limit is reached, the appliance automatically warns the user and the system administrator(s). The user will be requested to remove or archive messages to free up disk space on the appliance. If no action is taken by the user within 7 days following the warning, the appliance will act as if the hard quota has been exceeded.

Mailbox Quota Limit

Enter the size of the hard quota. Hard quotas determine the maximum size of disk storage that can be used by a user’s mailbox. As soon as this limit is exceeded, the user will no longer be able to send or receive messages until excess messages are deleted or archived.
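The soft and hard quota rules from the table above, as an added example that is not AXS Guard code. It assumes sizes in MB, that "no action" means the mailbox is still at or above the soft quota when the 7 days are over, and it uses constructed mailbox records.

```python
from datetime import datetime, timedelta
from enum import Enum

GRACE = timedelta(days=7)  # page: 7 days after the soft-quota warning


class QuotaState(Enum):
    OK = "below the soft quota"
    WARNING = "soft quota reached: user and administrators are warned"
    BLOCKED = "handled as hard quota exceeded: no sending or receiving"


def quota_state(used_mb, soft_mb, hard_mb, warned_at, now):
    """Classify one mailbox; warned_at is when the soft-quota warning went out (or None)."""
    if soft_mb > hard_mb:
        raise ValueError("soft quota is larger than the hard quota")  # sanity check of this example
    if used_mb > hard_mb:
        return QuotaState.BLOCKED
    if used_mb >= soft_mb:
        # Still at or above the soft quota once the grace period is over:
        # same effect as exceeding the hard quota.
        if warned_at is not None and now - warned_at >= GRACE:
            return QuotaState.BLOCKED
        return QuotaState.WARNING
    return QuotaState.OK


def review(mailboxes, now):
    """Return (user, state, days_left) for every mailbox that needs attention."""
    findings = []
    for box in mailboxes:
        warned_at = box.get("warned_at")
        state = quota_state(box["used_mb"], box["soft_mb"], box["hard_mb"], warned_at, now)
        if state is QuotaState.OK:
            continue
        days_left = None
        if state is QuotaState.WARNING and warned_at is not None:
            days_left = (warned_at + GRACE - now).days  # whole days until the mailbox is blocked
        findings.append((box["user"], state, days_left))
    return findings


# Constructed sample data; user names, sizes and dates are not from a real appliance.
NOW = datetime(2024, 3, 15, 9, 0)
MAILBOXES = [
    {"user": "alice", "used_mb": 400, "soft_mb": 800, "hard_mb": 1000},
    {"user": "bob", "used_mb": 850, "soft_mb": 800, "hard_mb": 1000,
     "warned_at": datetime(2024, 3, 12, 9, 0)},
    {"user": "carol", "used_mb": 820, "soft_mb": 800, "hard_mb": 1000,
     "warned_at": datetime(2024, 3, 5, 9, 0)},
    {"user": "dave", "used_mb": 1001, "soft_mb": 800, "hard_mb": 1000},
]

if __name__ == "__main__":
    for user, state, days_left in review(MAILBOXES, NOW):
        print(user, state.name, days_left)
```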

Quota Notifications

  1. Navigate to E-mail > Notifications.

  2. Click on the Quota Notifications Tab.

  3. Select the desired options, as explained in the table below.

  4. Update your configuration.

    Quota Notification Settings

Parameter Description

Send quota notification to Administrator

Notifies the system administrator as specified under System > General about the storage that remains available for each mailbox (the soft and hard limits).

Send quota notification to User

Notifies the user about the remaining size of his / her mailbox (the soft and hard limits).

Specify other e-mail address to sent quota notification

Sends quota notifications to the specified e-mail address(es).

Check the size of the user mailboxes

Select the desired frequency from the drop-down list.

Allow user to request quota status by sending an e-mail to quota-status@domain

Users can send an empty message to quota-status@<systemdomain> to receive a summary of their current mailbox quota. This only works if the message is sent from a secure or whitelisted network. quota-status is a reserved system name and cannot be modified.

Info

Users can send an empty message to quota-status@<systemdomain> to receive a summary of their current quota. This only works if the message is sent from a secure or whitelisted network. quota-status is a reserved system name and cannot be modified. See the troubleshooting section for specifics.

Exporting Mail Quota

  1. Navigate to E-mail > Status > Mail Quota.

  2. Click on the export button to export the data to a CSV file.

    Viewing and Exporting Mail Quota

User Authentication Settings

  1. Navigate to Authentication > Services and select IMAP / Webmail.

  2. Select the desired authentication policy.

  3. Update your configuration.

    Webmail Policy Selection

Client Configuration

Introduction

Numerous POP3 and IMAP mail clients are available, though their configuration processes share notable similarities. While the specific user interfaces and menu options may differ, the core settings for server addresses, ports, and authentication remain consistent.

Frequently used mail clients include Microsoft Outlook, Mozilla Thunderbird, Apple Mail, and mobile applications like Outlook for iOS and Android.

Useful References

Client | Description | Source
Mozilla Thunderbird | Manual account configuration. | Mozilla
Outlook for Windows | Email account settings in Outlook for Windows. | Microsoft
Apple Mail | Change settings in Mail on Mac. | Apple

LDAP Address Book

Introduction

In this chapter, we explain how to configure and use the AXS Guard Address Book. The Address Book contains contact information, such as e-mail addresses, telephone numbers and other data. The information in the Address Book can be shared and is accessed by clients using the Lightweight Directory Access Protocol (LDAP).

The Lightweight Directory Access Protocol (LDAP) is an application protocol of the TCP/IP protocol suite and uses port 389. It allows the sharing of directory information. A directory is a database which is optimized for read operations, i.e. powerful search and browsing capabilities.

The structure of the Address Book and its use is similar to a phone book; a username leads to an e-mail address.

Server-side Configuration

Feature Activation

  1. Log in to your AXS Guard appliance.

  2. Navigate to System > Feature Activation.

  3. Under E-mail, enable the AXS Guard Central Address Book option.

  4. Update your configuration.

    MTA and E-mail Feature Activation

Address Book Options

  1. Navigate to E-mail > Address Book > General.

  2. Configure the Address Book options as explained in the table below.

  3. Update your configuration.

    Address Book Configuration

Field Description

Always add users to the Central Address Book?

If enabled, AXS Guard users under Users & Groups > Users are automatically added to the central address book.

AXS Guard user lookup type

This option determines by which property address book entries are retrievable by a mail client. Possible lookup parameters are the username or the full name as entered in the AXS Guard user list.

Adding Address Book Entries

  1. Navigate to E-mail > Address Book > Addresses.

  2. Click on Add New.

  3. Enter the Address Book data and save your configuration.

    Address Book Entry Screen

Field Description

Full Name

Enter the full name of the contact to be added to the address book.

E-mail Address

Enter the contact’s e-mail address.

Organization

Enter the name of the contact’s organization.

Phone Number

Enter the contact’s phone number.

Country

Select the country of the contact from the drop-down list.

Important

  • Only basic administrators or above are authorized to add entries or modify the AXS Guard address book.
  • You cannot add entries to the AXS Guard address book with e-mail clients, e.g. Microsoft Outlook.

Client Configuration

Important

  • The user must be authenticated on the client, e.g. by means of the SSO Authentication Utility.
  • The user should have the appropriate AXS Guard firewall rights assigned, e.g. the sys-email firewall policy.

Client | Description | Source
Apple | Configure access to an LDAP directory on Mac. | Apple
Outlook for Windows | Open and use the address book in Outlook. | Microsoft

Webmail

Introduction

This chapter explains how to configure and access the AXS Guard Webmail server.

Unlike traditional email clients such as MS Outlook, which rely on dedicated software, Webmail allows users to access their email through a standard web browser.

The AXS Guard Webmail server secures connections by listening for incoming traffic on TCP port 443 via the Internet Interface, ensuring encrypted access to email from any location.

Mail Storage Options

The AXS Guard webmail server supports:

  • Local webmail (default configuration): AXS Guard stores the e-mails locally, in which case a backup to a network share is highly recommended.

  • Back-end webmail: e-mails are stored on a back-end server, e.g. an OWA server.

Server Configuration

Feature Activation

  1. Log on to the AXS Guard appliance.

  2. Navigate to System > Feature Activation.

  3. Expand the E-mail menu and enable Webmail.

  4. Update your configuration.

    Webmail Feature Activation

Server Certificate & Port

  1. Go to Web Servers.

  2. Enter the desired port number and hostname.

  3. Select the appropriate server certificate.

  4. Update your configuration.

    Webmail Server Port and Certificate Configuration

Webmail Settings

  1. Navigate to E-mail > Webmail.

  2. Enter the settings as explained in the table below.

  3. Update your configuration.

    Webmail General Settings

Field Description

Use AXS Guard services for Webmail

Enable this option if your mail is stored on the AXS Guard appliance. Disable this option if your mail is stored on a dedicated mail server in your network. If the option is disabled, you will be required to configure the folder and service settings for Webmail.

Default E-mail Domain

Enter the name of your default e-mail domain. If left empty, the system domain will be used.

Create Special Folders ?

Check to automatically create special folders for users who log in.

Webmail Logo

Select the image to be used as your webmail portal’s logo. The following formats are supported: JPG, GIF or PNG.

Max. upload size

The maximum allowed size of attachments in outgoing messages. Make sure to also check the e-mail size limit under E-Mail > General. The specified size may not be exceeded by Webmail.

AXS Guard services for Webmail

The following options only appear if AXS Guard services for Webmail are disabled. See the context-sensitive help for additional information.

Webmail Service Settings

Group-level Access

  1. Navigate to Users & Groups > Groups.

  2. Select the group which needs Webmail access.

  3. Enable Allow access to Webmail under the e-mail tab.

  4. Update your configuration.

    Access to Webmail at the Group Level

User-level Access

  1. Navigate to Users & Groups > Users.

  2. Select the user who needs access to webmail.

  3. Select the policy for webmail access under the e-mail tab.

  4. Update the user profile.

    Allowing Webmail Access at the User Level

Field Description

E-mail alias list

An e-mail alias allows system administrators to link one or more alternate e-mail addresses to a single mailbox. Aliases can be added as a name, e.g. alias or as an e-mail address, e.g. alias@domain.com. In the first case, messages sent to the alias will be delivered to all the user’s AXS GUARD mailboxes in non-virtual domains. In the second case, mail sent to the alias will only be delivered to the associated mailbox.

Overrule Group Mail Policy

Check this option to overrule the user’s group policy. The group policy is configured under Users & Groups > Groups. Go to E-mail > Filters > Policies for an overview of defined e-mail policies on your system.

Delete incoming mail immediately

Check to delete incoming messages for the user. Use this option for inactive accounts to preserve disk space, e.g. when a user no longer works for your company. You can combine this option with the auto-response option to notify senders that the account is no longer in use.

Forwarding Enabled

Check this option to specify a forwarding address.

Store copy on AXS GUARD

Check to preserve a copy of forwarded e-mails on the appliance.

Auto-response active

Check to enable automated responses.

Start: Enter a start date for the automated response in the DD/MM/YYYY HH:MM format.

End: Enter an end date for the automated response in the DD/MM/YYYY HH:MM format.

Notify sender: Select a frequency for automated responses. For example, one time means that only the first message from a given sender will trigger an automated response. Subsequent messages from the same sender will not trigger an automated response.

Auto-response subject: The subject of the automated reply.

Auto-response message: The body of the automated reply. For example, an out of office message. The following variables can be used in your message:

  • $SUBJECT: The subject of the e-mail being replied to.

  • $START: When the out of office period starts.

  • $END: When the out of office period ends.

The substitutions for the $START and $END variables include the time if they are less than 32 hours apart (a full day + a working day).

Mailbox Quota Warning

Once this limit is reached, the appliance automatically sends a warning to the user and the system administrator, requesting the user to remove or archive messages.

Mailbox Quota Limit

The maximum amount of disk space that may be used by the user’s mailbox. When exceeded, no new e-mails can be sent or received by the user. The user first needs to remove or archive excess messages.

Allow access to Webmail

Allow or deny access to the appliance’s webmail server.

  • Use group configuration: Apply the user’s group settings. Go to Users & Groups > Groups and select the user’s group to view the webmail configuration.

  • On: Webmail access is granted, even if not allowed in the user’s group configuration.

  • Off: Webmail access is denied, even if allowed in the user’s group configuration.
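The auto-response fields in the table above (Start, End, Notify sender set to one time, and the $SUBJECT, $START and $END variables), modelled as an added example that is not AXS Guard code. The output date format, the case-insensitive sender matching and the replacement of control characters in the sender-controlled subject are assumptions of this example.

```python
from datetime import datetime, timedelta
from string import Template

FIELD_FORMAT = "%d/%m/%Y %H:%M"        # DD/MM/YYYY HH:MM, as typed into Start and End
SHOW_TIME_BELOW = timedelta(hours=32)  # page: times appear when Start and End are < 32 h apart


class AutoResponder:
    """Model of one mailbox's auto-response settings (not the appliance's code)."""

    def __init__(self, start, end, body, notify_once=True):
        self.start = datetime.strptime(start, FIELD_FORMAT)
        self.end = datetime.strptime(end, FIELD_FORMAT)
        if self.end <= self.start:
            raise ValueError("End must be later than Start")
        self.body = body
        self.notify_once = notify_once
        self._notified = set()  # senders that already received a reply

    def _fmt(self, moment):
        # Assumed output format: the input format, with the time dropped for long absences.
        short_window = self.end - self.start < SHOW_TIME_BELOW
        return moment.strftime(FIELD_FORMAT if short_window else "%d/%m/%Y")

    def reply_for(self, sender, subject, received_at):
        """Return the reply body for one incoming message, or None if no reply is due."""
        if not self.start <= received_at <= self.end:
            return None
        key = sender.strip().lower()
        if self.notify_once and key in self._notified:
            return None  # "one time": only the first message from a sender is answered
        self._notified.add(key)
        # The subject is sender-controlled: replace control characters such as CR/LF.
        clean = "".join(c if c.isprintable() else " " for c in subject).strip()
        # safe_substitute fills each variable once; a variable name that appears
        # inside the incoming subject is not expanded again.
        return Template(self.body).safe_substitute(
            SUBJECT=clean, START=self._fmt(self.start), END=self._fmt(self.end))


if __name__ == "__main__":
    # Constructed sample values.
    body = 'Re "$SUBJECT": I am out of office from $START until $END.'
    responder = AutoResponder("01/07/2024 09:00", "02/07/2024 16:59", body)
    print(responder.reply_for("bob@example.com", "Invoice 42", datetime(2024, 7, 1, 10, 0)))
```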

Firewall Configuration

  1. Navigate to Firewall > Policies > Static.

  2. Verify if the int-webmail firewall rule is added to the stat-int policy.

    Webmail Firewall Settings

Important

You can also enable Webmail access from the secure LAN or the DMZ. Access to port 443 should be allowed for each zone. More information is available in the AXS Guard Firewall How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

Webmail Logo Settings

  1. Navigate to E-mail > Webmail.

  2. Upload the desired logo (JPG, GIF or PNG).

  3. Update your configuration.

    Webmail Logo Settings

User Authentication

Using Webmail with an external IMAP service requires the Webmail service to be configured with the appropriate authentication policy:

  • Password if the user’s AXS Guard password is the same as on the back-end server.

  • DirectoryServices if the back-end is a MS Exchange server and users are synchronized from there.

In all cases, users must exist on AXS Guard to allow Webmail access.

  1. Navigate to Authentication > Services and select IMAP / Webmail.

  2. Select the desired authentication policy.

  3. Update your configuration.

    Webmail Policy Selection

Accessing Webmail

  1. Open an Internet browser.

  2. In the URL field, enter https://, followed by the FQDN or external IP address of the AXS Guard appliance, followed by a forward slash and webmail, e.g. https://axsguard.mydomain.com/webmail

  3. Enter your webmail credentials.

  4. Click on the Login button.

    Roundcube Webmail Login Page

POP3, IMAP & Webmail Logs

Overview

The POP3, IMAP and webmail logs contain the access records of the AXS Guard mail server. These logs allow system administrators to check:

  • When a given user logged in or logged out.

  • When a given user removed e-mails.

Internally, webmail uses the IMAP protocol. All activity is therefore logged in the IMAP logs.

Accessing POP3 & IMAP Logs

  1. Log in to the AXS Guard appliance.

  2. Navigate to E-mail > Logs > POP3/IMAP.

  3. Click on the appropriate log date.

    POP3 and IMAP Logging

Accessing the Webmail Logs

  1. Navigate to E-mail > Logs > Webmail.

  2. Click on the appropriate log date.

Troubleshooting

My client cannot log on to the AXS GUARD POP3 server.

  1. Make sure the user is authenticated on the client (SSO).

  2. Verify the user name and password. Passwords are case sensitive.

  3. Verify if the user has e-mail access (sys-email Firewall Policy).

  4. Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).

My client cannot log on to the AXS GUARD IMAP server.

  1. Make sure the user is authenticated on the client (SSO).

  2. Verify the user name and password. Passwords are case sensitive.

  3. Verify if the user has e-mail access (sys-email Firewall Policy).

  4. Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).

  5. Verify if the user exists.

I cannot access the Address Book.

  1. Make sure the user is authenticated on the client (SSO).

  2. Verify if the user has e-mail (LDAP) access (sys-email Firewall Policy).

  3. Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).

I cannot modify the Address Book

Only Basic Administrators or above are authorized to modify the AXS Guard Address Book. You cannot modify the AXS Guard Address Book via the mail client, e.g. Outlook 2007.

  1. Make sure the user is authorized to access the Webmail service.

  2. Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).

  3. Make sure Firewall access is granted to port 443 for the authorized network zone (Internet, Secure LAN or DMZ).

The users cannot change their auto-response settings.

Make sure the users are authorized to change their auto-response settings:

  1. Log on to the AXS Guard as explained in the AXS Guard System Administration How To, which is accessible via the Documentation button.

  2. Navigate to Users & Groups > Preferences.

  3. Verify if the correct options are checked.

  4. Click on Update when finished.

    User Settings

The user cannot change his / her e-mail forwarding settings.

Verify if the option is enabled.

Recipient address is rejected when sending a message to <quota-status@systemdomain>

The network from where the message is sent must be part of the AXS Guard secure network zone or an alias thereof. An alternative is to whitelist the sender’s IP address or network range.

Example: Unknown range

Assume that your AXS Guard’s secure device has the following IP address: 10.132.30.192/19

A client is connecting to the AXS Guard, but from a network range that is different from the AXS Guard’s secure range, e.g. 10.32.64.0/24. Since the sender’s range is unknown, any attempt to send a message to the SMTP server will result in an error:

554 5.7.1 <quota-status@systemdomain>: Recipient address rejected: Access denied (Net::SMTPFatalError)

Possible solutions:

  • NAT the 10.32.64.0 range to 10.132.30.0

  • Whitelist 10.32.64.0/24 under Email > Filters > Whitelist

  • Add the range as an IP alias in the secure device’s network configuration (beware of routing issues)
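The range check behind this example, as an added diagnostic sketch that is not AXS Guard code: it derives the secure network from the device address given above and tests whether a sender falls inside the secure range, an IP alias or a whitelisted range. The function names and the individual sender addresses are constructed for illustration.

```python
import ipaddress

# Values taken from the troubleshooting example on this page.
SECURE_DEVICE = "10.132.30.192/19"  # address/prefix of the secure device
CLIENT_RANGE = "10.32.64.0/24"      # range the rejected client sends from


def trusted_networks(secure_interfaces, ip_aliases=(), whitelist=()):
    """Collect the networks from which a quota-status request is accepted."""
    nets = []
    for iface in list(secure_interfaces) + list(ip_aliases):
        # An interface is written as host/prefix; .network clears the host bits.
        nets.append(ipaddress.ip_interface(iface).network)
    for entry in whitelist:
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def check_sender(sender_ip, networks):
    """Return the first network that contains sender_ip, or None."""
    addr = ipaddress.ip_address(sender_ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def explain(sender_ip, networks):
    """One-line verdict for an administrator reading the SMTP error."""
    match = check_sender(sender_ip, networks)
    if match is None:
        return f"{sender_ip}: outside all trusted ranges, expect 554 5.7.1"
    return f"{sender_ip}: inside {match}, quota-status request accepted"


if __name__ == "__main__":
    secure_only = trusted_networks([SECURE_DEVICE])
    with_whitelist = trusted_networks([SECURE_DEVICE], whitelist=[CLIENT_RANGE])
    # Constructed sender addresses inside the ranges named on this page.
    print(explain("10.32.64.17", secure_only))     # unknown range, rejected
    print(explain("10.132.30.10", secure_only))    # NAT target, inside the /19
    print(explain("10.32.64.17", with_whitelist))  # accepted once whitelisted
```

The /19 prefix makes the secure network 10.132.0.0/19, so the NAT target 10.132.30.0 lies inside it while 10.32.64.0/24 does not.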

Support

If you encounter a problem

If you encounter a problem with AXS Guard, follow the steps below:

  1. Check the troubleshooting section of the feature-specific manual.

  2. Check the knowledge base on this site for information about special configurations.

  3. If no solution is available in any of the above sources, contact your AXS Guard vendor.

Contact Information

(+32) 15-504-400
support@axsguard.com