- 1 Anti-spam and anti-virus
- 2 License
- 3 Mail delivery problems
- 4 Halon's Security Team
Anti-spam and anti-virus
What anti-spam engines are included?
We license CYREN's (previously known as Commtouch) IP reputation and RPD, which efficiently block spam based on volume (outbreak signatures) rather than text patterns. More importantly, it produces near-zero false positives. CYREN's RPD is weighted against SpamAssassin, and a message is rejected (blocked with a notification) if both CYREN and SpamAssassin agree that the message is likely spam, or if one of them is absolutely sure. Finally, we have developed our own signature-based methods, which have emerged from the demands of the many large hosting providers that use our product (blocking outbreaks that reach only a few servers, but in very high quantities).
In other words;
What action should be taken on detected spam?
The only viable action is rejection; blocking the message in transit with a helpful message (500 error) so that the sender is informed, and may contact the recipient using other means. The reject message could even include a link, for example to a self-service spam release page.
Traditional spam filters have high false-positive rates (they detect many legitimate messages as spam) and have therefore relied on quarantines or spam folders to remedy the harm of false positives. Other filters used quarantines because they operated behind e-mail server software with no possibility of rejecting the message (it had already been accepted by the server).
Modern technologies such as CYREN's RPD, and the use of in-line scanning with the ability to reject messages, make quarantines unnecessary.
Many even argue that quarantines are harmful, because they
- Give the sender the impression that the message was delivered (no error is presented to the sender when the message is quarantined)
- Give the recipient the responsibility of frequently skimming through the quarantine, most likely filled with spam, watching for legitimate messages
What anti-virus engines are included?
Our product, and license, includes;
Sophos is an award-winning commercial anti-virus, which catches most viruses. ClamAV is an open source anti-virus, which is surprisingly good for being free, and a good complement to Sophos. CYREN's anti-virus uses the RPD technology mentioned before to block viruses, not based on their content (like signature-based engines) but rather on the volume in which a certain file was distributed. It's very efficient for new viruses (virus outbreaks), for which the other two modules don't have any signatures yet.
What counts as a user?
The product is licensed "per user". The definition of a user varies. For most of our customers, it's the number of employees. For hosting providers, it could be the number of mailboxes, or end-user customers.
Technically however, the product counts the number of e-mail addresses. In other words, if you purchase a 25 user license online, without specifying any further information, you will be limited to 25 e-mail addresses. On the other hand, if you provide us with documentation about the number of employees (sometimes called warm seats) we can create a license with a "soft limit" (what you pay for) and a "hard limit" (the number of e-mail addresses scanned) estimated based on your number of aliases.
What happens if exceeding the license?
When the number of licensed e-mail addresses is exceeded (which may or may not equal the number of users you're paying for), additional addresses that appear to the product after the address count was exceeded will be unscanned (they will pass through, even if spam).
How to buy
Please see the pricing page.
Mail delivery problems
Max line length
The current max line length is 8192, and that is in line with most other e-mail servers. It's not configurable.
Max message size limit exceeded
If your users send email with very large attachments, some of these might fail with an error message saying that the max message size limit has been exceeded. This limit is set per listener on the Halon and can be increased or decreased by going to the Configuration > Email engine > Settings page and clicking on the listener that you wish to change the limit for.
Cisco SMTP fixup problems
The Cisco ASA and PIX are known to contain a feature called "SMTP fixup" that is supposed to prevent attackers from hacking the SMTP server. There are two problems with that:
- It's highly questionable if that provides any security benefit at all (historically, such inspection engines have contained security issues, making the firewall itself vulnerable)
- It contains bugs and limitations that interfere with the e-mail traffic
Actually, the first Google hit on "smtp fixup" is http://blogs.oucs.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/ and the second one http://support.microsoft.com/kb/320027 is an article from Microsoft explaining how and why it should be disabled.
One can easily see if Cisco's SMTP fixup is enabled by connecting with Telnet to the mail server, and see if the banner is replaced by asterisks:
    host:~$ telnet mail.example.org 25
    Escape character is '^]'.
    220 ****************************************************************************
It is disabled by logging into the PIX or ASA and running
    enable
    configure terminal
    no fixup protocol smtp 25
    write memory
and then restart or reload the firewall.
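The banner check above can be scripted so it is repeatable across several mail servers. This is an added example, not part of Halon's product or documentation; the function names, the sample banners and the 0.8 threshold are assumptions made for illustration.

```python
import re
import socket
import sys

# First reply from an SMTP server: "220 text", or "220-text" when more lines follow.
GREETING = re.compile(r"^220[ -](.*)$")

# Constructed sample banners (not captured from a real server).
MASKED = "220 " + "*" * 76
PARTLY_MASKED = "220 ****2***0****"
CLEAR = "220 mail.example.org ESMTP"


def banner_masked(banner, threshold=0.8):
    """Return True when the 220 greeting text consists mostly of asterisks.

    threshold is an assumption of this example: the share of non-space
    characters that must be '*', so a few unmasked characters are tolerated.
    """
    text = ""
    for line in banner.splitlines():
        match = GREETING.match(line.strip())
        if match:
            text += match.group(1)
    chars = [c for c in text if not c.isspace()]
    return bool(chars) and chars.count("*") / len(chars) >= threshold


def read_banner(host, port=25, timeout=10.0):
    """Connect to host:port, read the complete greeting, then QUIT politely."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as conn:
        reader = conn.makefile("rb")
        for raw in reader:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # last line of the reply
                break
        conn.sendall(b"QUIT\r\n")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_fixup.py mail.example.org [more hosts ...]
    for host in sys.argv[1:]:
        banner = read_banner(host)
        state = "masked, SMTP fixup likely enabled" if banner_masked(banner) else "not masked"
        print(f"{host}: {state}: {banner!r}")
```

Run it from outside the firewall, since the banner is only rewritten on connections that pass through the PIX or ASA.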
Postfix and IPv6
Starting from version 2.8, Postfix has enabled IPv6 by default. This has resulted in a large number of mail servers which are unable to send messages to recipients that have enabled IPv6 on their domain's e-mail (MX), failing with errors such as
...101::2]:25: No route to host
The problem is that the sending server tries to use IPv6, even if IPv6 is unavailable. We've seen it affect upgraded systems, fresh installations, and various commercial anti-spam appliances based on Postfix. The new settings are
- inet_protocols supports both IPv4 and IPv6 by default (all)
- smtp_address_preference is now "ipv6", choosing IPv6 only for dual-stack recipients
and the quick solution for senders with this problem is to set
inet_protocols = ipv4
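To confirm that a sending server is affected before changing its configuration, the mail log can be scanned for connection failures to IPv6 MX addresses. This is an added example, not code from Postfix or Halon; the function name and the log lines are constructed for illustration, and it also counts "Network is unreachable", which is an assumption beyond the error shown above.

```python
import ipaddress
import re
import sys
from collections import Counter

# Postfix's SMTP client logs a failed connection as:
#   connect to HOST[ADDRESS]:PORT: REASON
CONNECT_FAIL = re.compile(r"connect to (\S+?)\[([0-9A-Fa-f:.]+)\]:(\d+): (.+)$")

# Errors meaning the sender itself has no usable path to the address.
NO_PATH = {"No route to host", "Network is unreachable"}

# Constructed log lines using documentation addresses (not from a real system).
SAMPLE_LOG = [
    "Nov 26 10:01:02 mx1 postfix/smtp[2101]: connect to mail.example.org[2001:db8::25]:25: No route to host",
    "Nov 26 10:01:02 mx1 postfix/smtp[2101]: connect to mail.example.org[192.0.2.25]:25: Connection timed out",
    "Nov 26 10:01:09 mx1 postfix/smtp[2102]: connect to mx.example.net[2001:db8:1::2]:25: Network is unreachable",
    "Nov 26 10:01:11 mx1 postfix/smtp[2103]: connect to mail.example.org[2001:db8::25]:25: No route to host",
    "Nov 26 10:02:00 mx1 postfix/smtp[2104]: connect to mx.example.com[2001:db8:2::9]:25: Connection refused",
]


def ipv6_route_failures(lines):
    """Count, per MX host, connection failures to IPv6 addresses that are
    caused by a missing route on the sending server."""
    hits = Counter()
    for line in lines:
        match = CONNECT_FAIL.search(line)
        if not match:
            continue
        host, address, _port, reason = match.groups()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # not a valid IP literal, ignore the line
        if ip.version == 6 and reason.strip() in NO_PATH:
            hits[host] += 1
    return hits


if __name__ == "__main__":
    # Pipe a mail log on stdin, or run without input to use the sample lines.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for host, count in ipv6_route_failures(source).most_common():
        print(f"{count:5d}  {host}")
```

Hosts listed here while their IPv4 deliveries succeed point to a sender without working IPv6, which is the case the inet_protocols setting above addresses.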
Halon's Security Team
If you want to get in touch with Halon's security team about matters which may be of a sensitive nature, please contact us at [email protected]