Mail Storage
Introduction
About this Document
The AXS Guard E-mail Storage How To serves as a reference source for technical personnel or system administrators. It explains the concepts and configuration of e-mail storage (POP, IMAP) on AXS Guard.
Examples used in this Guide
All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log in as a full administrator or a user with lower access privileges.
As software development and documentation are ongoing processes, the screenshots shown in this guide may slightly deviate from the current user interface.
E-mail Server Concepts
Overview
In this section, we provide a basic explanation of e-mail, the e-mail storage capabilities of the AXS Guard and its configuration. Topics covered in this section include:
- E-mail basics: The Mail Transfer Agent (MTA), e-mail domains, the e-mail envelope, headers and body.
- E-mail aliases: Alternative e-mail addresses for a mailbox.
- Distribution Lists: A compilation of multiple addressees in a single e-mail address.
- Automatic response capabilities: Automatic replies to the sender, e.g. vacation messages.
- E-mail forwarding: How to forward e-mails to another mailbox (e-mail address).
- E-mail quotas: The amount of authorized e-mail storage space reserved for a user.
- E-mail retrieval: Available protocols and methods to retrieve e-mails, such as IMAP, POP, Webmail and the related configuration settings.
Introduction
E-mails travel across the Internet between their source and destination via servers, in the same way that traditional paper mail travels the world via post offices (as illustrated below). On the Internet, the role of post offices or sorting offices is assumed by Mail Transfer Agents (MTAs). E-mail differs slightly from a traditional post office in that a Mail Server stores e-mails for an e-mail client, and the e-mail client retrieves and delivers them. Traditional mail is usually delivered, not retrieved. Mail Servers are sometimes called Delivery Agents and Mail Clients are sometimes referred to as Mail User Agents (MUAs), e.g. MS Outlook.
- Similar to the infrastructure of traditional post offices, the MTA network links servers, such as the AXS Guard, across the world.
- E-mails are sent directly from a sender MTA to the receiver MTA, based on the MX records which are looked up via a DNS request, unless configured otherwise on the sender MTA. For more information about DNS and MX records, see the AXS Guard Public DNS How To, which is available by clicking on the permanently available Documentation button in the Administrator tool.
- The Mail Client is a program for viewing, replying, forwarding, sorting, creating and deleting e-mails. Common mail clients are Outlook, Outlook Express and Thunderbird.
See the AXS Guard E-mail Relay How To for additional information about MTA concepts and options.
E-mail Domains
A domain identifies company web sites, e-mail servers, but also other devices such as gateways and routers via a common name. For example, microsoft.com is the domain name of Microsoft’s web sites and update servers. A single web server can serve web sites for multiple domain names, but a single FQDN can only point to one machine. For example, Apple Computer has the following web sites: www.apple.com, www.info.apple.com and store.apple.com. Each of these sites could be hosted on different machines.
The AXS Guard MTA allows you to handle mail for one or multiple domains. All e-mails for a configured domain can either be handled and stored locally, forwarded to a specific computer or relayed out to a specific SMTP server. Users only have one physical mailbox, even if they are a member of multiple local domains on the AXS Guard. All messages destined to a member of one of these domains are delivered to the same physical mailbox.
For detailed information about e-mail domains and their configuration, see the AXS Guard E-mail Relay How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.
Message Components
The Envelope
The envelope encapsulates the message. It contains all the information needed for transporting the message, such as the destination address, the message priority, etc. This information stands on its own and is distinct from the message itself. The Message Transport Agents (MTAs) use the envelope for routing, just as the post office does. A new envelope is created per recipient.
The Header and Body
The message inside the envelope consists of two parts: the header and the body. The header contains control information for the user agents. The body is intended for the human recipient. The body is the message itself, which can be formatted in plain text or HTML. The difference between paper mail (a) and e-mail (b) is illustrated below.
Each message has exactly one header, which has separate fields. Each field has a name and a value. RFC 5322 specifies the syntax to be used. The most important header fields are listed below:
Field | Description |
---|---|
From | The e-mail address, and optionally the name of the sender. Forms the envelope with the |
To | The e-mail address(es), and optionally name. Forms the envelope with the |
Subject | A brief summary of the contents of the message. |
Date | The local time and date when the message was written. |
BCC | Blind Carbon Copy. The e-mail address(es) in this field are not visible to other addressees. |
CC | Carbon copy. The e-mail address(es) in this field are visible to other addressees. |
Content-Type | Information about how the message has to be displayed, usually a MIME type. |
In-Reply-To | Message-ID of the message that this is a reply to. |
Received | Tracking information generated by mail servers that have previously handled the message. |
References | Message-ID of the message that this is a reply to, and the message-id of this message, etc. |
Reply-To | E-mail address that should be used to reply to the sender. |
AXS Guard uses a special header to avoid e-mail loops when the auto-response option (e.g. vacation message) is enabled. See Auto-Response Settings for more information.
Supported Protocols
POP3
The Post Office Protocol (POP) is an application-layer Internet protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. The e-mails are downloaded from the server, unless you configure the client to keep a copy of the messages on the server. Former versions of POP exist (POP1 and POP2), but are obsolete.
IMAP
The Internet Message Access Protocol (IMAP) is one of the two most prevalent Internet standard protocols for e-mail retrieval, the other being the Post Office Protocol. Virtually all modern e-mail clients and mail servers support both protocols to transfer e-mail messages from a server.
POP3 vs. IMAP
POP3 has the advantage that you can access your messages while the e-mail server is down. However, if no copies are kept on the server, it’s difficult to access the same mailbox from multiple clients. Once the e-mails are retrieved by one client, they cannot be accessed by another client, since the messages are downloaded from the server and stored locally on the client. Even if the client is configured to keep copies on the server, the status of the messages (read / unread) is not managed centrally; a message may have been read by one mail client, while being unread by another.
With IMAP, the messages remain on the mail server instead of being downloaded. When the mail client is started, it connects to the AXS Guard mail server on TCP port 143. E-mail clients that use the IMAP protocol generally leave messages on the server, unless the user explicitly deletes them. This property makes backups easier. IMAP is also a better alternative in case of a client failure. Since the messages are kept on the server, you simply need to resynchronize the e-mail client.
Transport Layer Security (TLS)
AXS Guard supports secure IMAP and POP. This way you can access your e-mails securely from the Internet. For in-depth information about TLS, see the E-mail Relay How To, which can be downloaded by clicking on the Documentation button in the administrator tool.
The use of certificates is explained in the PKI How To.
E-mail Aliases
An e-mail alias is a forwarding mechanism which allows system administrators to create and link one or more alternate e-mail addresses to a single mailbox.
Some aliases are required on all MTAs, such as the postmaster@domain.com e-mail address. This e-mail address is used to report MTA problems. Other e-mail aliases are automatically created on the AXS Guard, e.g. sysdeamon@domain.com, spam@domain.com, etc. The postmaster e-mail alias is linked to the AXS Guard sysadmin user, unless specified otherwise. More information about the AXS Guard sysadmin user is available in the AXS Guard System Administration How To, which is accessible via the Documentation button in the Administrator Tool.
As of AXS Guard version 8.2.0, virtual domains have been implemented. A virtual domain is either a local or forwarded domain for which a directory service (LDAP) profile has been configured. This implementation directly affects the way e-mail aliases are handled by the AXS Guard mail server.
E-mail aliases have 2 functions:
- They are used to find and apply the matching AXS Guard mail policy (applies to local and forwarded domains).
- Messages sent to a user’s alias are stored in that user’s AXS Guard mailbox (applies to local domains only). The behavior of the AXS Guard mail server varies, depending on how an alias is added to an AXS Guard user profile.
Aliases can be added to a user profile as a name, e.g. alias, or as an e-mail address, e.g. alias@domain.com. In the first case, messages sent to the alias will be delivered to all the user’s AXS Guard mailboxes in non-virtual domains. In the second case, mail sent to the alias will only be delivered to the associated mailbox.
In the following examples, we assume the following:
- 3 local mail domains have been configured on the AXS Guard appliance, i.e. foo.com, bar.net and foobar.org.
- A Directory Services (LDAP) profile has been configured for the foobar.org domain, which is a virtual domain.
Example 1
Given an AXS Guard user with a username user1 and an e-mail alias abuse.
The user will be able to receive e-mail sent to the following addresses: user1@foo.com, user1@bar.net, abuse@foo.com and abuse@bar.net.
Mail sent to user1@foobar.org and abuse@foobar.org will not be delivered.
Example 2
Given an AXS Guard user with a username user2 and an e-mail alias info@foo.com.
The user will be able to receive e-mail sent to the following addresses: user2@foo.com, user2@bar.net and info@foo.com.
Mail sent to user2@foobar.org, info@foobar.org and info@bar.net will not be delivered.
Example 3
Given an AXS Guard user with a username user3 and an e-mail alias info@foobar.org.
The user will be able to receive e-mail sent to the following addresses: user3@foo.com, user3@bar.net and info@foobar.org.
Mail sent to user3@foobar.org, info@foo.com and info@bar.net will not be delivered.
Example 4
Given an AXS Guard user with a username: user4@foobar.org and no e-mail alias.
The user will be able to receive e-mail sent to the following addresses: user4@foobar.org.
Mail sent to user4@foo.com and user4@bar.net will not be delivered.
Example 5
Given an AXS Guard user with a username user1 and an e-mail alias abuse.
The user will be able to receive e-mail sent to the following addresses: user1@foo.com, user1@bar.net, abuse@foo.com and abuse@bar.net.
Adding the e-mail alias abuse@bar.net to another user, e.g. user2, will generate a validation error, because abuse@bar.net was already added to user1.
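The rules behind Examples 1 to 5 can be checked with a small model, which is useful when auditing which addresses actually end up in which mailbox. This is an added example, not AXS Guard code; the class and function names are hypothetical, and it assumes that an entry containing `@` is taken verbatim while a bare name is expanded over every non-virtual local domain.

```python
"""Model of the alias rules in Examples 1-5 (added illustration, not AXS Guard code)."""

# Local mail domains from the examples: name -> True when the domain is virtual
# (a directory service profile is configured for it).
LOCAL_DOMAINS = {"foo.com": False, "bar.net": False, "foobar.org": True}


def expand(entry):
    """Return the set of addresses implied by one user name or alias entry."""
    entry = entry.strip().lower()
    if "@" in entry:
        # Address form: only that exact address is implied.
        return {entry}
    # Name form: one address per local, non-virtual domain.
    return {f"{entry}@{d}" for d, virtual in LOCAL_DOMAINS.items() if not virtual}


class AliasTable:
    """Hypothetical in-memory view of user names and their alias entries."""

    def __init__(self):
        self._entries = {}  # user name -> list of alias entries

    def addresses(self, username):
        """All addresses whose mail is stored in this user's mailbox."""
        result = set(expand(username))
        for alias in self._entries[username]:
            result |= expand(alias)
        return result

    def owner_of(self, address):
        """User whose mailbox receives mail for address, or None if undeliverable."""
        address = address.lower()
        for username in self._entries:
            if address in self.addresses(username):
                return username
        return None

    def add_user(self, username, aliases=()):
        self._check_free(expand(username), username)
        self._entries[username] = []
        for alias in aliases:
            self.add_alias(username, alias)

    def add_alias(self, username, alias):
        # Example 5: an address already implied by another user's entry is rejected.
        self._check_free(expand(alias), username)
        self._entries[username].append(alias)

    def _check_free(self, wanted, username):
        for address in sorted(wanted):
            owner = self.owner_of(address)
            if owner is not None and owner != username:
                raise ValueError(f"{address} is already assigned to {owner}")


def build_examples():
    """Users from Examples 1-4 of the page."""
    table = AliasTable()
    table.add_user("user1", ["abuse"])
    table.add_user("user2", ["info@foo.com"])
    table.add_user("user3", ["info@foobar.org"])
    table.add_user("user4@foobar.org")
    return table


if __name__ == "__main__":
    table = build_examples()
    for user in ("user1", "user2", "user3", "user4@foobar.org"):
        print(user, "->", sorted(table.addresses(user)))
    try:
        table.add_alias("user2", "abuse@bar.net")
    except ValueError as err:
        print("validation error:", err)
```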
E-mail Forwarding
Forwarding
Messages sent to a mailbox on the AXS Guard (i.e. a local mailbox) can be forwarded to one or more e-mail addresses. E-mail forwarding redirects e-mail going to one address and sends it to one or several other addresses. Vice versa, e-mails going to several different addresses can be converged via forwarding to end up in a single address mailbox.
If the e-mail address to which e-mails are forwarded is local, the message is forwarded to the user’s AXS Guard mailbox. If the address is not local, the AXS Guard forwards the message to the authoritative MTA, e.g. hotmail, gmail, etc.
The AXS Guard allows you to keep local copies of forwarded e-mails. The forwarding options can be configured by the user, if allowed by the AXS Guard system administrator (under Users & Groups > General).
Important
E-mails are always checked by the AXS Guard mail content filtering system before they are forwarded.
Distribution Lists
A distribution list is an easy method to send an e-mail to multiple recipients through a single e-mail address, which is in fact an alias for member recipients. Mail sent to the alias is automatically delivered to the mailbox of each recipient who is included in the distribution list.
Important
You can only create distribution lists for your own (internal) network, not for forwarded domains. However, it is possible to use external e-mail addresses as recipients, e.g. hotmail or gmail addresses. The external addresses have to be added under E-mail > Filters > External Addresses, otherwise senders will receive an "undeliverable" message.
E-mail Quotas
A mail quota is the amount of space reserved on a mail server to house a user’s e-mail messages. Quotas are necessary to preserve the AXS Guard’s storage capacity.
- Soft quotas: The soft quota is a warning limit. Once it is reached, the AXS Guard automatically sends a notification to the user and the system administrator, requesting the user to remove and / or archive his / her messages. If no action is taken within 7 days after the notification, the system will treat the mailbox as if the hard quota has been exceeded. The frequency of notifications can be configured. Administrators can also verify the status of the quota, to see how much space is available in a user’s mailbox.
- Hard quotas: Hard quotas determine the maximum allowed size of disk storage to be used for a user’s mailbox. As soon as it is exceeded, no new e-mails can be sent or received by the user. Messages first have to be deleted from the mailbox or archived by the user.
Important
- The POP3 protocol can be configured to leave a copy of e-mails on the server, in which case quotas become a factor, similar to IMAP.
- It is not possible to delete e-mail if the hard quota has been exceeded and the mail client is configured to move the e-mail to a trash folder on the mail server. To solve this problem, configure the client to delete messages permanently or use the Webmail feature.
Automated Responses
The auto-response function enables the AXS Guard to send an automatic response to e-mails received while a user is unavailable, e.g. when a user is on vacation. Senders are automatically notified that the addressee is unable to read his / her e-mails, allowing them to use an alternate e-mail address or another method of communication. The auto-response function can only be used for users in a local domain, i.e. a domain for which e-mail messages are stored locally (on the AXS Guard). It does not apply to forwarded domains.
The auto-response function can also be configured at the system level. If enabled, the system will automatically send an automated response on behalf of all users.
Example: Holiday season
Assume your company employs 100 people and that you are closed for business every year between 12/23 and 2/2 for the holidays. You can have each employee configure his / her out of office message individually. This means 100 configurations on your appliance, with the risk of someone forgetting to do so. Doing this at the system level makes more sense in this case and only requires a single configuration by the system administrator.
Info
You can also configure an automatic response for distribution lists. When a user configures an auto-reply message and that user’s e-mail address is also included in a distribution list, no auto-reply will be sent on behalf of the user when a message is sent to the distribution e-mail address. This is expected behavior.
Automatic Deletion
It is possible to automatically delete incoming messages for a given user. This is very useful for old accounts that are no longer active and that are still receiving e-mail. You can combine this option with the auto-response functionality to provide senders with an alternate e-mail address or to let them know that the account is no longer monitored.
E-mail Server Configuration
Feature Activation
- Log on to the AXS Guard appliance.
- Navigate to System > Feature Activation.
- Expand the E-mail menu.
- Check the options as shown in the image below.
POP and IMAP Server Settings
- Navigate to E-mail > POP3 / IMAP.
- Select the appropriate option for TLS.
- Update your configuration.
Parameter | Description |
---|---|
Security Level | |
Server Certificate | Select the server certificate to be used by the POP / IMAP server. Go to PKI > Certificates for an overview of certificates or to generate a new certificate. |
Enable compression | The option is enabled by default and should be disabled for troubleshooting, e.g. when using a traffic analyzer such as tcpdump or Wireshark. |
Remove message duplicates on delivery | The mail server can detect message duplicates by checking the message ID of e-mails. E-mails with identical message IDs are deleted if the option is enabled. Per RFC, a message ID should be unique. |
Enable alternate namespace | The namespace determines how the IMAP folder structure is presented on the client. If the option is unchecked, all folders are presented as subfolders of the inbox folder. If the option is checked, all folders are shown at the same level as the inbox folder. This parameter should be disabled if you are using the Konsec Workgroup connector. Do not modify this configuration if you are using the Konsec Workgroup connector, as Outlook profiles will be corrupted without the possibility to recover. |
E-mail Firewall Policy Settings
System-wide Policy
Important
Do not allow IMAP or POP services at the system level. Assign these firewall rights only at the group or user level. It is also recommended to use a VPN solution or TLS when accessing POP or IMAP services from the Internet.
To assign system-wide IMAP and POP firewall policies (not recommended):
- Log in to the AXS Guard appliance.
- Go to Firewall > Policies > Static.
- Add the desired mail policies to the appropriate static policy.
- Update your configuration.
Computer-level Policy
Important
Do not allow any mail services at the computer level, except if you are running a server which needs to send automated e-mails over the Internet. Enforce user authentication where possible.
- Go to Computers.
- Select the desired computer from the computer list.
- Select the firewall access control tab.
- Add the appropriate mail firewall policies.
- Update your configuration.
Button | Description |
---|---|
Add Firewall Policy | Select the desired firewall policy from the drop-down list. Go to Firewall > Policies > Dynamic for an overview of assignable firewall policies. |
Group-level Policy
- Go to Users & Groups > Groups.
- Select the desired group.
- Select the firewall tab.
- Assign the sys-email firewall policy to the group.
- Update your configuration.
Parameters | Description |
---|---|
Firewall Policies | Select the firewall policy for the members of this group. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies. |
VPN & RAS Policies | Select specific firewall policies for group members who connect to the corporate network with a VPN client, such as a PPTP client. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies. |
User-level Policy
- Go to Users & Groups > Users.
- Select the desired user from the list.
- Select the firewall tab.
- Select the appropriate firewall configuration from the drop-down list (make sure the user is assigned the sys-email policy).
- Update your configuration.
Field | Description |
---|---|
Firewall Policy Mode | Select the desired firewall policy mode from the drop-down list. |
Use group firewall policies: Uses the firewall policies as configured for the user’s group, under Users & Groups > Groups. If firewall policies are configured for the user’s computer (based on the user’s IP), they are applied as well, in combination with the system-wide policies. | |
Add to group firewall policies: Uses the firewall policies as configured for the user’s group, under Users & Groups > Groups and the specific firewall policies defined here. Note that user-specific policies can either be more restrictive or more permissive than the user’s group firewall policies. The user-specific firewall policies are applied first. If firewall policies are configured for the user’s computer (based on the user’s IP), they are applied as well, in combination with the system-wide policies. | |
Overrule group firewall policies: The user’s group firewall policies are overruled and do not apply. Only the user-specific firewall policies apply. If firewall policies are configured for the user’s computer (based on the user’s IP), they are applied as well, in combination with the system-wide policies. | |
VPN - RAS Policy Mode | Select user-specific firewall policies for users who connect to the corporate network with a VPN client, such as a PPTP client. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies. |
User group VPN - RAS policies: Uses the VPN firewall policies as configured for the user’s group, under Users & Groups > Groups. If firewall policies are configured for the user’s computer (based on the IP address of the VPN client), they are applied as well, in combination with the system-wide policies. | |
Add to group VPN - RAS policies: Uses the VPN firewall policies as configured for the user’s group, under Users & Groups > Groups and the specific firewall policies defined here. Note that user-specific policies can either be more restrictive or more permissive than the user’s group VPN firewall policies. The user-specific VPN firewall policies are applied first. If firewall policies are configured for the user’s computer (based on the IP address of the VPN client), they are applied as well, in combination with the system-wide policies. | |
Overrule VPN - RAS policies: The user’s group VPN firewall policies are overruled and do not apply. Only the user-specific VPN firewall policies apply. If firewall policies are configured for the user’s computer (based on the IP address of the VPN client), they are applied as well, in combination with the system-wide policies. |
Adding Aliases
- Navigate to Users & Groups > Users.
- Select the appropriate user name.
- Add the desired user alias(es).
- Update the user profile.
Field | Description |
---|---|
E-mail alias list | An e-mail alias allows system administrators to link one or more alternate e-mail addresses to a single mailbox. Aliases can be added as a name, e.g. |
Overrule Group Mail Policy | Check this option to overrule the user’s group policy. The group policy is configured under Users & Groups > Groups. Go to E-mail > Filters > Policies for an overview of defined e-mail policies on your system. |
Delete incoming mail immediately | Check to delete incoming messages for the user. Use this option for inactive accounts to preserve disk space, e.g. when a user no longer works for your company. You can combine this option with the auto-response option to notify senders that the account is no longer in use. |
Forwarding Enabled | Check this option to specify a forwarding address. |
Store copy on AXS GUARD | Check to preserve a copy of forwarded e-mails on the appliance. |
Auto-response active | Check to enable automated responses. |
Start | Enter a start date for the automated response in the DD/MM/YYYY HH:MM format. |
End | Enter an end date for the automated response in the DD/MM/YYYY HH:MM format. |
Notify sender | Select a frequency for automated responses. For example, |
Auto-response subject | The subject of the automated reply. |
Auto-response message | The body of the automated reply. For example, an out of office message. The following variables can be used in your message: The substitutions for the |
Mailbox Quota Warning | Once this limit is reached, the appliance automatically sends a warning to the user and the system administrator, requesting the user to remove or archive messages. |
Mailbox Quota Limit | The maximum amount of disk space that may be used by the user’s mailbox. When exceeded, no new e-mails can be sent or received by the user. The user first needs to remove or archive excess messages. |
Allow access to Webmail | Allow or deny access to the appliance’s webmail server. |
Creating Distribution Lists
- Navigate to E-mail > Distribution List.
- Click on Add new.
- Enter the settings as explained in the table below.
- Save your configuration.
Field | Description |
---|---|
Name | A name for the distribution list. Invalid characters are not accepted. |
Description | Provide a description for the distribution list (not required). |
Distribution e-mail address | Enter the address without the domain name; rather than entering |
Domain | Select the domain of the distribution address, e.g. |
Overrule System Mail Policy | Check this option to overrule the system mail policy as configured under E-mail > General. Go to E-mail > Filters > Policies for an overview of available policies or to configure a new policy. |
Recipients | |
Auto-response active | Sends an automated response according to the configured settings. |
Accessibility | Allow access from anywhere: Select this option to allow anybody to send messages to the distribution e-mail address. If enabled, messages coming from the Internet will be accepted and relayed. Restrict access to internal use: If selected, the broadcast mailbox will not accept messages originating from the Internet. Messaging will be restricted to users in your secure network. |
Auto-Response Settings
Auto-responses are automatically disabled when their end date has been reached.
Avoiding E-mail Loops
Between AXS Guard MTAs
To prevent two or more AXS Guard users from generating auto-response messages to each other in a never-ending loop, an additional header field is automatically added to auto-response messages.
Between AXS Guard and 3rd party MTA
The same principle applies to auto-responses sent from the AXS Guard to mailboxes of a 3rd party MTA. The AXS Guard has an option so that only a single auto-response message is sent per external address. This prevents message looping. While the auto-response function is enabled, the AXS Guard maintains a list of e-mail addresses to which an auto-response message has already been sent.
Important
The auto-response function only answers messages if a user has been contacted via his user name or alias(es). Distribution list addressees and BCC addressees do not receive automatic responses. This is to avoid unnecessary or indiscreet message traffic.
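The three safeguards described in this section (a marker header on auto-responses, one reply per sender address, and replies only when the user name or an alias is a visible recipient) can be sketched as follows. This is an added example, not AXS Guard code: the page does not name the header, so `X-Example-Auto-Response` is a placeholder, and the class name, addresses and sample messages are constructed for illustration.

```python
"""Auto-response loop guard (added illustration, not AXS Guard code)."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Placeholder name: the page does not say which header AXS Guard adds.
LOOP_HEADER = "X-Example-Auto-Response"

# Constructed sample messages.
DIRECT = "From: Carol <carol@example.net>\nTo: sales@foo.com\nSubject: quote\n\nHi\n"
VIA_LIST = "From: dave@example.net\nTo: all-staff@foo.com\nSubject: news\n\nHi\n"


class AutoResponder:
    """Hypothetical per-mailbox auto-responder."""

    def __init__(self, mailbox, aliases, subject, body):
        self.mailbox = mailbox.lower()
        # Addresses that count as "contacted via user name or alias".
        self.addresses = {a.lower() for a in aliases} | {self.mailbox}
        self.subject = subject
        self.body = body
        self.notified = set()  # senders that already received a reply

    def decide(self, raw):
        """Return (reply or None, reason) for one incoming message."""
        msg = message_from_string(raw)
        # 1. Never answer a message that is itself an auto-response.
        if msg.get(LOOP_HEADER) is not None:
            return None, "incoming message is itself an auto-response"
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return None, "no usable sender address"
        # 2. Only To/Cc are visible; a BCC or distribution-list delivery
        #    does not list the mailbox's own addresses there.
        visible = msg.get_all("To", []) + msg.get_all("Cc", [])
        recipients = {addr.lower() for _, addr in getaddresses(visible)}
        if not recipients & self.addresses:
            return None, "not addressed by user name or alias"
        # 3. A single reply per sender address while the function is enabled.
        if sender in self.notified:
            return None, "sender already notified"
        self.notified.add(sender)
        reply = EmailMessage()
        reply["From"] = self.mailbox
        reply["To"] = sender
        reply["Subject"] = self.subject
        reply[LOOP_HEADER] = "yes"
        reply.set_content(self.body)
        return reply, "auto-response sent"


def simulate_pair():
    """Two users with auto-response enabled: the second must stay silent."""
    alice = AutoResponder("alice@foo.com", ["sales@foo.com"], "Out of office", "Back on Monday.")
    bob = AutoResponder("bob@bar.net", [], "Away", "Travelling.")
    first = "From: bob@bar.net\nTo: alice@foo.com\nSubject: hi\n\nhello\n"
    reply, _ = alice.decide(first)
    # Bob's responder now receives Alice's auto-response.
    return bob.decide(reply.as_string())


if __name__ == "__main__":
    responder = AutoResponder("alice@foo.com", ["sales@foo.com"], "Out of office", "Back on Monday.")
    for label, raw in (("direct", DIRECT), ("repeat", DIRECT), ("via list", VIA_LIST)):
        print(label, "->", responder.decide(raw)[1])
    print("pair ->", simulate_pair()[1])
```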
Priorities
Automatic responses can be configured on three levels, i.e. the user level, the distribution list level and the system level. The system will only send an automatic response for the most specific match.
Example: Automatic responses at the user and system level
Assume that userX configured an automatic response and that an auto-response has also been activated at the system level. When a message is sent to userX, the appliance will only send one automatic response, i.e. the one that was configured by the user.
Users cannot change their auto-response settings, unless authorized by the AXS Guard system administrator. To allow users to configure their auto-response settings, navigate to Users & Groups > General and check the May users change their auto-response settings? option.
User-level Configuration
- Navigate to Users & Groups > Users.
- Click on the appropriate user name.
- Enter the settings as explained in the context-sensitive help.
- Update your configuration.
System-level Configuration
- Navigate to E-mail > Server.
- Check auto-response active.
- Select the System-wide vacation tab.
- A new tab will appear. Complete the settings as explained in the context-sensitive help.
- Update your configuration.
Auto-response for Distribution Lists
- Navigate to E-mail > Distribution List.
- Select the list for which you want to configure an automated response.
- Configure the auto-response settings as explained in the context-sensitive help.
- Update your configuration.
Field | Description |
---|---|
Auto-response Active | Check to enable. Uncheck to disable. |
Start | Enter the Start time in the |
End | Enter the End time in the |
Notify sender | Select the desired frequency. |
Auto-response Subject | The subject of the auto-response message. |
Auto-response message | The message you wish to convey. |
Auto-deleting E-mail
- Navigate to Users & Groups > Users.
- Select the account whose messages should be automatically deleted.
- In the e-mail tab, select delete incoming mail immediately.
- To notify senders, configure the auto-response functionality.
- Update your configuration.
E-mail Forwarding Options
- Navigate to Users & Groups > Users.
- Select the appropriate user in the list.
- Under the e-mail tab, select Forwarding enabled.
- Enter the settings as explained in the table below.
- Update your configuration.
Field | Description |
---|---|
Forwarding Enabled | Check to enable forwarding. |
Forwarding Address | Specify the e-mail address(es) to which your messages must be forwarded. |
Store copy on AXS Guard | Check to keep a copy of the forwarded messages on the AXS Guard mail server. |
Quota Configuration
- Navigate to Users & Groups.
- Click on the appropriate username.
- Enter the quota settings under the e-mail tab as explained in the table below.
- Update the user profile.
Field | Description |
---|---|
Mailbox Quota Warning | Enter the size of the soft quota. Once the specified limit is reached, the appliance automatically warns the user and the system administrator(s). The user will be requested to remove or archive messages to free up disk space on the appliance. If no action is taken by the user within 7 days following the warning, the appliance will act as if the hard quota has been exceeded. |
Mailbox Quota Limit | Enter the size of the hard quota. Hard quotas determine the maximum size of disk storage that can be used by a user’s mailbox. As soon as this limit is exceeded, the user will no longer be able to send or receive messages until excess messages are deleted or archived. |
Quota Notifications
- Navigate to E-mail > Notifications.
- Click on the Quota Notifications Tab.
- Select the desired options, as explained in the table below.
- Update your configuration.
Parameter | Description |
---|---|
Send quota notification to Administrator | Notifies the system administrator as specified under System > General about the storage that remains available for each mailbox (the soft and hard limits). |
Send quota notification to User | Notifies the user about the remaining size of his / her mailbox (the soft and hard limits). |
Specify other e-mail address to sent quota notification | Sends quota notifications to the specified e-mail address(es). |
Check the size of the user mailboxes | Select the desired frequency from the drop-down list. |
Allow user to request quota status by sending an e-mail to | Users can send an empty message to |
Info
Users can send an empty message to quota-status@<systemdomain> to receive a summary of their current quota. This only works if the message is sent from a secure or whitelisted network. quota-status is a reserved system name and cannot be modified. See the troubleshooting section for specifics.
Viewing and Exporting Mail Quota
-
Navigate to E-mail > Status > Mail Quota.
-
Click on export to export the data to a CSV file.
Mail Client Configuration Examples
Overview
In this section we explain how to configure your mail clients to access:
-
E-mail on the AXS Guard POP3 server.
-
E-mail on the AXS Guard IMAP server.
For practical reasons, explanations are limited to Microsoft Outlook 2007.
POP3
To configure Outlook 2007:
-
Open Outlook 2007.
-
In the menu, go to Tools > Account Settings.
-
Click on New.
-
Choose Microsoft Exchange, POP3, IMAP or HTTP.
-
Click on Next.
-
Check Manually configure server settings or additional server types.
-
Click on Next.
-
Check Internet E-mail.
-
Click on Next.
-
Enter the following settings:
-
Your name
-
Your AXS Guard e-mail address.
-
Set the Account Type to POP3.
-
Incoming mail server: Enter the LAN IP address or internal FQDN of the AXS Guard.
-
Outgoing mail server: Enter the LAN IP address or internal FQDN of the AXS Guard. If you are using an external (ISP) SMTP server, enter its address or FQDN here.
-
Your AXS Guard user name (use lowercase).
-
The password of your AXS Guard e-mail account (case sensitive).
-
Check Remember password.
-
Click on Test Account Settings.
-
Close the Test Account Settings window.
-
Click on Next if the account test completed successfully.
Info
- Make sure that the entered user settings (user name and password) are identical to the ones entered on the AXS Guard.
- Make sure the user is authenticated on the client (SSO Tool).
- Verify the user’s Firewall settings on the AXS Guard (sys-email).
-
Click on Finish.
IMAP
To configure Outlook 2007:
-
Open Outlook 2007.
-
In the menu, go to Tools > Account Settings.
-
Click on New.
-
Choose Microsoft Exchange, POP3, IMAP or HTTP.
-
Click on Next.
-
Check Manually configure server settings or additional server types.
-
Click on Next.
-
Check Internet E-mail.
-
Click on Next.
-
Enter the following settings:
-
Your name
-
Your AXS Guard e-mail address.
-
Set the Account Type to IMAP.
-
Incoming mail server: Enter the LAN IP address or internal FQDN of the AXS Guard.
-
Outgoing mail server: Enter the LAN IP address or internal FQDN of the AXS Guard. If you are using an external (ISP) SMTP server, enter its address or FQDN here.
-
Your AXS Guard user name (use lowercase).
-
The password of your AXS Guard e-mail account (case sensitive).
-
Check Remember password.
-
Click on Test Account Settings.
-
Close the Test Account Settings window.
-
Click on Next if the account test completed successfully.
Info
- Make sure that the entered user settings (user name and password) are identical to the ones entered on the AXS Guard.
- Make sure the user is authenticated on the client (SSO tool).
- Verify the user’s Firewall settings on the AXS Guard (sys-email).
-
Click on Finish.
LDAP Address Book
Introduction
In this chapter, we explain how to configure and use the AXS Guard Address Book. The Address Book contains contact information, such as e-mail addresses, telephone numbers and other data. The information in the Address Book can be shared and is accessed by clients using the Lightweight Directory Access Protocol (LDAP).
The Lightweight Directory Access Protocol (LDAP) is an application protocol of the TCP/IP protocol suite and uses port 389. It allows the sharing of directory information. A directory is a database which is optimized for read operations, i.e. powerful search and browsing capabilities.
The structure of the Address Book and its use are similar to a phone book; a user name leads to an e-mail address.
Server-side Configuration
Feature Activation
-
Log in to the appliance.
-
Navigate to System > Feature Activation.
-
Expand the E-mail menu.
-
Enable the Do you use the AXS Guard Central Address Book option.
-
Update your configuration.
Address Book Options
-
Navigate to E-mail > Address Book > General.
-
Configure the Address Book options as explained in the table below.
-
Update your configuration.
Field | Description |
---|---|
Always add users to the Central Address Book? | If enabled, AXS Guard users under Users & Groups > Users are automatically added to the central address book. |
AXS Guard user lookup type | This option determines by which property address book entries are retrievable by a mail client. Possible lookup parameters are the username or the full name as entered in the AXS Guard user list. |
Adding Address Book Entries
-
Navigate to E-mail > Address Book > Addresses.
-
Click on Add New.
-
Enter the Address Book data and save your configuration.
Field | Description |
---|---|
Full Name | Enter the full name of the contact to be added to the address book. |
E-mail Address | Enter the contact’s e-mail address. |
Organization | Enter the name of the contact’s organization. |
Phone Number | Enter the contact’s phone number. |
Country | Select the country of the contact from the drop-down list. |
Important
- Only basic administrators or above are authorized to add entries or modify the AXS Guard address book.
- You cannot add entries to the AXS Guard address book with e-mail clients, e.g. Outlook 2007.
Client Configuration Example
Important
- The user must be authenticated on the client, e.g. by means of the SSO Authentication Utility.
- The user should have the appropriate AXS Guard firewall rights assigned, e.g. the sys-email firewall policy.
-
Open Outlook 2007.
-
Go to Tools > Account Settings.
-
Click on the Address Books Tab.
-
Click on New.
-
Select Internet Directory Service (LDAP).
-
Click on Next.
-
Enter the Internal FQDN or LAN IP address of the AXS Guard (see below).
-
Click on Next.
-
Click on Finish.
-
Restart Outlook 2007.
-
Click on the Address Book Icon.
-
Select the Address Book you have just created, e.g. 192.168.250.254.
-
Enter a search string in the Search field and press enter.
Important
In the search field, press the space bar to view all address book entries.
Webmail
Overview
In this chapter, we explain how to configure and access the AXS Guard Webmail server.
The Webmail feature is comparable to a mail client that uses the IMAP protocol. The difference is that an Internet browser is used to access and read your e-mails, instead of a classic e-mail client, such as MS Outlook.
The AXS Guard Webmail server listens for incoming connections on the Internet Interface and uses TCP port 443 by default. The connection is encrypted, allowing users to securely access their e-mail from virtually anywhere.
Mail Storage
The AXS Guard webmail server supports:
-
Local webmail: AXS Guard stores the e-mails locally, in which case a backup to a network share is highly recommended.
-
Back-end webmail: the e-mails are stored on a back-end server, e.g. an OWA server.
Server Configuration
Feature Activation
-
Log on to the AXS Guard appliance.
-
Navigate to System > Feature Activation.
-
Expand the E-mail menu.
-
Enable the Do you use the AXS Guard Webmail Service? option.
-
Update your configuration.
Server Certificate and Port Configuration
-
Go to Web Servers.
-
Enter the desired port number and hostname.
-
Select the appropriate server certificate.
-
Update your configuration.
Webmail Settings
-
Navigate to E-mail > Webmail.
-
Enter the settings as explained in the table below.
-
Update your configuration.
Field | Description |
---|---|
Use AXS Guard services for Webmail | Enable this option if your mail is stored on the AXS Guard appliance. Disable this option if your mail is stored on a dedicated mail server in your network. If the option is disabled, you will be required to configure the folder and service settings for Webmail. |
Default E-mail Domain | Enter the name of your default e-mail domain. If left empty, the system domain will be used. |
Create Special Folders? | Check to automatically create special folders for users who log in. |
Webmail Logo | Select the image to be used as your webmail portal’s logo. The following formats are supported: JPG, GIF or PNG. |
Max. upload size | The maximum allowed size of attachments in outgoing messages. Make sure to also check the e-mail size limit under E-Mail > General. The specified size may not be exceeded by Webmail. |
Info
The following options are only visible if "Use AXS Guard services for Webmail" is disabled. See the context-sensitive help on the appliance for additional information.
Group-level Access Settings
-
Navigate to Users & Groups > Groups.
-
Select the group which needs Webmail access.
-
Enable Allow access to Webmail under the e-mail tab.
-
Update your configuration.
User-specific Access Settings
-
Navigate to Users & Groups > Users.
-
Select the user who needs access to webmail.
-
Select the policy for webmail access under the e-mail tab.
-
Update the user profile.
Field | Description |
---|---|
E-mail alias list | An e-mail alias allows system administrators to link one or more alternate e-mail addresses to a single mailbox. Aliases can be added as a name, e.g. |
Overrule Group Mail Policy | Check this option to overrule the user’s group policy. The group policy is configured under Users & Groups > Groups. Go to E-mail > Filters > Policies for an overview of defined e-mail policies on your system. |
Delete incoming mail immediately | Check to delete incoming messages for the user. Use this option for inactive accounts to preserve disk space, e.g. when a user no longer works for your company. You can combine this option with the auto-response option to notify senders that the account is no longer in use. |
Forwarding Enabled | Check this option to specify a forwarding address. |
Store copy on AXS GUARD | Check to preserve a copy of forwarded e-mails on the appliance. |
Auto-response active | Check to enable automated responses. |
 | Start: Enter a start date for the automated response in the DD/MM/YYYY HH:MM format. |
 | End: Enter an end date for the automated response in the DD/MM/YYYY HH:MM format. |
 | Notify sender: Select a frequency for automated responses. For example, |
 | Auto-response subject: The subject of the automated reply. |
 | Auto-response message: The body of the automated reply. For example, an out of office message. The following variables can be used in your message: The substitutions for the |
Mailbox Quota Warning | Once this limit is reached, the appliance automatically sends a warning to the user and the system administrator, requesting the user to remove or archive messages. |
Mailbox Quota Limit | The maximum amount of disk space that may be used by the user’s mailbox. When exceeded, no new e-mails can be sent or received by the user. The user first needs to remove or archive excess messages. |
Allow access to Webmail | Allow or deny access to the appliance’s webmail server. |
Firewall Configuration
-
Navigate to Firewall > Policies > Static.
-
Verify if the int-webmail firewall rule is added to the stat-int policy.
Important
You can also enable Webmail access from the secure LAN or the DMZ. Access to port 443 should be allowed for each zone. More information is available in the AXS Guard Firewall How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.
Authentication Settings
If you use Webmail with an external IMAP service, the IMAP / Webmail authentication service must be set to the appropriate authentication policy:
-
Password if the user’s password on the AXS Guard is the same as on the back-end server.
-
DirectoryServices if the back-end is an Exchange server and the users are synchronized from there.
In all cases, the user must exist on the AXS Guard to allow Webmail access.
-
Navigate to Authentication > Services and select IMAP / Webmail.
-
Select the desired authentication policy.
-
Update your configuration.
Webmail Logo Settings
-
Navigate to E-mail > Webmail.
-
Upload the desired logo (JPG, GIF or PNG).
-
Update your configuration.
Accessing Webmail
-
Open an Internet browser, e.g. Internet Explorer.
-
In the URL field, enter https://, followed by the FQDN or external IP address of the AXS Guard appliance, followed by a forward slash and webmail, e.g. https://axsguard.mydomain.com/webmail
-
Enter your username and password.
-
Click on Login.
POP3, IMAP and Webmail Logs
Overview
The POP3, IMAP and webmail logs contain the access records of the AXS Guard mail server. These logs allow system administrators to check:
-
When a given user logged in or logged out.
-
When a given user removed e-mails. Internally, webmail uses the IMAP protocol. All activity is therefore logged in the IMAP logs.
Accessing the POP3 and IMAP Logs
-
Log in to the AXS Guard appliance.
-
Navigate to E-mail > Logs > POP3/IMAP.
-
Click on the appropriate log date.
Accessing the Webmail Logs
-
Navigate to E-mail > Logs > Webmail.
-
Click on the appropriate log date.
Troubleshooting
My client cannot log on to the AXS GUARD POP3 server.
-
Make sure the user is authenticated on the client (SSO).
-
Verify the user name and password. Passwords are case sensitive.
-
Verify if the user has e-mail access (sys-email Firewall Policy).
-
Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).
My client cannot log on to the AXS GUARD IMAP server.
-
Make sure the user is authenticated on the client (SSO).
-
Verify the user name and password. Passwords are case sensitive.
-
Verify if the user has e-mail access (sys-email Firewall Policy).
-
Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).
-
Verify if the user exists.
I cannot access the Address Book.
-
Make sure the user is authenticated on the client (SSO).
-
Verify if the user has e-mail (LDAP) access (sys-email Firewall Policy).
-
Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).
I cannot modify the Address Book
Only Basic Administrators or above are authorized to modify the AXS Guard Address Book. You cannot modify the AXS Guard Address Book via the mail client, e.g. Outlook 2007.
-
Make sure the user is authorized to access the Webmail service.
-
Verify if the user has not been locked. (Authentication > Status > Blocked Users and Hosts).
-
Make sure Firewall access is granted to port 443 for the authorized network zone (Internet, Secure LAN or DMZ).
The users cannot change their auto-response settings.
Make sure the users are authorized to change their auto-response settings:
-
Log on to the AXS Guard as explained in the AXS Guard System Administration How To, which is accessible via the Documentation button.
-
Navigate to Users & Groups > Preferences.
-
Verify if the correct options are checked.
-
Click on Update when finished.
The user cannot change his / her e-mail forwarding settings.
Verify if the option is enabled.
Recipient address is rejected when sending a message to <quota-status@systemdomain>
The network from where the message is sent must be part of the AXS Guard secure network zone or an alias thereof. An alternative is to whitelist the sender’s IP address or network range.
Example: Unknown range
Assume that your AXS Guard’s secure device has the following IP address: 10.132.30.192/19
A client is connecting to the AXS Guard, but from a network range that is different from the AXS Guard’s secure range, e.g. 10.32.64.0/24. Since the sender’s range is unknown, any attempt to send a message to the SMTP server will result in an error:
554 5.7.1 <quota-status@systemdomain>: Recipient address rejected: Access denied (Net::SMTPFatalError)
Possible solutions:
-
NAT the 10.32.64.0 range to 10.132.30.0
-
Whitelist 10.32.64.0/24 under Email > Filters > Whitelist
-
Add the range as an IP alias in the secure device’s network configuration (beware of routing issues)
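The range check behind this example and its three solutions, as an added Python example (not AXS Guard code). The function names and the sample host 10.32.64.17 are constructed for illustration, and the NAT is assumed to be a 1:1 mapping between two /24 ranges.

```python
import ipaddress

# Address of the secure device, taken from the example above.
SECURE_DEVICE = ipaddress.ip_interface("10.132.30.192/19")


def sender_allowed(sender, secure_if=SECURE_DEVICE, aliases=(), whitelist=()):
    """Return (allowed, reason) for a quota-status request from `sender`.

    Models only the rule stated in this section: the sender must be in the
    secure network zone, in an alias of it, or in a whitelisted range.
    """
    ip = ipaddress.ip_address(sender)
    if ip in secure_if.network:
        return True, f"secure zone {secure_if.network}"
    for net in map(ipaddress.ip_network, aliases):
        if ip in net:
            return True, f"alias {net}"
    for net in map(ipaddress.ip_network, whitelist):
        if ip in net:
            return True, f"whitelist {net}"
    return False, "unknown range (554 5.7.1 Access denied)"


def nat_1to1(sender, src_net, dst_net):
    """Translate `sender` from src_net to dst_net, keeping the host part.

    Assumption: 1:1 NAT between ranges of equal size.
    """
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    ip = ipaddress.ip_address(sender)
    if ip not in src or src.prefixlen != dst.prefixlen:
        raise ValueError("sender outside source range or range sizes differ")
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)


if __name__ == "__main__":
    client = "10.32.64.17"  # constructed host in the unknown range
    # 10.132.30.192/19 belongs to 10.132.0.0/19 (10.132.0.0 - 10.132.31.255)
    print("secure network:", SECURE_DEVICE.network)
    print("as is:    ", sender_allowed(client))
    translated = nat_1to1(client, "10.32.64.0/24", "10.132.30.0/24")
    print("NAT:      ", translated, sender_allowed(translated))
    print("whitelist:", sender_allowed(client, whitelist=["10.32.64.0/24"]))
    print("alias:    ", sender_allowed(client, aliases=["10.32.64.0/24"]))
```

Note that 10.32.64.0/24 and 10.132.0.0/19 differ in the second octet (32 versus 132), which is easy to misread when comparing the client address with the secure range.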
Support
If you encounter a problem
If you encounter a problem with AXS Guard, follow the steps below:
-
Check the troubleshooting section of the feature-specific manual.
-
Check the knowledge base on this site for information about special configurations.
-
If no solution is available in any of the above sources, contact your AXS Guard vendor.
Contact Information
(+32) 15-504-400
support@axsguard.com