MailStore Gateway Help - User contributions [en]

Using Let's Encrypt Certificates

2022-02-28T08:36:11Z

Rrommelrath:

== About Let's Encrypt ==
Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Many large, well known sponsors from the IT industry support Let's Encrypt's effort to help making the internet a safer place.

A fully automated certificate approval process eliminates email or phone verification of traditional certificate authorities that often take days.

Let's Encrypt certificates are only valid for 90 days and thus need to be renewed regularly. The MailStore Server service handles the automatic renewals once the initial configuration is done.

== Prerequisites ==
For the MailStore Gateway computer, a public DNS record (A or CNAME) must exist and point to a public IP address.
The MailStore Gateway computer must be accessible from the Internet on TCP port 80 (HTTP) for Let's Encrypt's automatic domain approval process. A port forwarding on your firewall or gateway might be necessary. Since Let's Encrypt validates from different IP addresses, such a firewall rule cannot be limited to certain source IP addresses.

== Scenario 1: MailStore Gateway on Local Area Network (LAN) ==
The most common scenario for a MailStore Gateway installation is on a local network inside the organization's premises. Typically, the MailStore Gateway computer has a private IP address (e.g. 192.168.0.10) and the Internet connection is established through a router which masks all internal IP addresses with its own external IP address assigned by the ISP. This is known as Network Address Translation (NAT).

For this scenario, we assume that MailStore Gateway is running on a new, dedicated computer.

# Ask your Internet access provider to assign a static, public IP address to the router.
# Assign an available static IP Address from your local network to the MailStore Gateway computer.
# Create a port forwarding rule on the router, that forwards all connections to TCP port 80 on the public IP address, which was assigned in step 1, to the internal IP address of your MailStore Gateway computer assigned in step 2. '''Note:''' In the MailStore Gateway Configuration, you can change the Let's Encrypt HTTP-01 Challenge Port on which the MailStore Gateway service listens on the internal IP address assigned in step 2. However, on the public IP address assigned to the router in step 1, TCP port 80 must be used because Let's Encrypt's certificate approval process only supports this HTTP standard TCP port. If you change Let's Encrypt HTTP-01 Challenge Port, you must update the port forwarding rule created in step 3 accordingly.
# Add an A or CNAME record to the DNS zone of your public domain, e.g. mailstore.example.com pointing to the public IP address that was assigned in step 1.
# Depending on how DNS resolution is handled in your local network, you need to add a corresponding DNS record on your internal DNS server or router as well. This record should point to the internal IP address of the MailStore Gateway computer.

== Scenario 2: MailStore Gateway on External Network ==
If the MailStore Gateway computer is already on a network that used public IP address, e.g. in a data center, or a DMZ it is much easier to fulfill the prerequisites.

For this scenario, we assume that MailStore Gateway is running on a new, dedicated computer.

# Assign an available public IP Address from your public network to the MailStore Gateway computer.
# If there is a firewall in place, create a firewall rule, that allows all connections to TCP port 80 on the public IP address to pass through. '''Note:''' In the MailStore Gateway Configuration, you can change the Let's Encrypt HTTP-01 Challenge Port on which the MailStore Gateway service listens on the public IP address assigned in step 1. However, in the scenario described here, TCP port 80 must be used because Let's Encrypt's certificate approval process only supports this HTTP standard TCP port.
# Add an A or CNAME record to the DNS zone of your public domain, e.g. mailstore.example.com pointing to the public IP address that was assigned in step 1.

== Obtaining the Certificate ==
The MailStore Gateway tests the settings against Let's Encrypt's staging environment. If an issue occurs, the Gateway will show a warning. Please review the log output, resolve the issue and try again.
If the test was successful, the MailStore Gateway will automatically request a certificate from Let's Encrypt's production system and confirm that setup was successful.
The automatic renewal of Let's Encrypt certificates every 60 days is active as long as no other certificate is selected manually.

[[de:Verwendung von Let's Encrypt Zertifikaten]]
[[en:Using Let's Encrypt Certificates]]

Using Let's Encrypt Certificates

2022-02-28T08:31:08Z

Rrommelrath: Created page with "== About Let's Encrypt == Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Many large, well known s..."

Configuration Tool

2022-02-28T08:07:17Z

Rrommelrath:

__NOTOC__
[[File:MailStore_Gateway_Configuration_LE_EN.png|right|300px]]

With the MailStore Gateway Configuration tool administrators can configure basic settings of the MailStore Gateway service.

The tool is started automatically during the initial installation process; it can be started manually through the corresponding desktop icon or start menu link.

{{clear}}

== E-Mail Domain ==
This value specifies the domain part of each MailStore Gateway mailbox email address (i.e. ''<mailbox-id>@'''<e-mail domain>'' ''').

If MailStore Gateway should receive emails from other email servers (e.g. Microsoft Office 365, Google G Suite, etc.), the configured e-mail domain must be resolvable through DNS.

'''Example: ''' If the primary domain is ''example.com'' and MailStore Gateway should receive emails, a DNS record like ''msgw.example.com'' needs to be created in the DNS zone ''example.com''. The record must point to a public IP address on which MailStore Gateway is reachable. In MailStore Gateway the value of ''E-Mail Domain'' would be set to <tt>msgw.example.com</tt>.
If MailStore Gateway is located behind a NAT router or firewall, additional configuration may be needed. Refer to [[Firewall Configuration]] for further details.

== Certificate ==
MailStore Gateway uses TLS certificates to establish encrypted communication channels with clients and other servers.

Administrators can choose from the following options which certificate MailStore Gateway should use:

* '''Select from Certificate Store''' A certificate can be selected from the Windows certificate store. Please note that the ''Personal'' certificate store of the computer account is used, not the store of the current Windows user.
* '''Create Self-Signed Certificate''' A new self-signed certificate can be created and is automatically selected afterwards. Please note that self-signed certificates are neither trusted by other clients, which may lead to warnings on client computers, nor other servers. Therefore, self-signed certificates are suitable for testing purposes only and should be replaced once a system is used in a productions environment.
* '''Import from File''' With this option certificates can be imported from ''Private Information Exchange (*.p12;*.pfx)'' files. The configuration tool will automatically import the certificates into the correct Windows certificate store. Since Private Information Exchange files are password protected, a password must be entered to start the import process.
* '''Obtain from Let's Encrypt''' Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Please refer to [[Using Let's Encrypt Certificates]] for more details.

== Management Console Port ==
Defines the TCP ports on which MailStore Gateway's Management Console is available. If no other web server is running on the same server, it can safely be changed to the standard HTTPS port 443.

== Let's Encrypt Port ==
This port is used temporarily when requesting or renewing certificates from Let's Encrypt.

== Log Level ==
The ''Log Level'' defines how much information MailStore Gateway logs into its log files. The default settings is ''Information'' which should not be changed unless troubleshooting is required.

== Apply Configuration Changes ==
After the configuration of MailStore Gateway has been changed, the changes must be written to the configuration file by clicking on ''Apply''. Otherwise the changed settings will not be used when starting the MailStore Gateway service.

== Starting the MailStore Gateway Service ==
By clicking the ''Start Service'' button, the MailStore Gateway service will be started. Changes to the configuration must be applied first, otherwise a warning is issued. This button is only available if the service is currently stopped.

== Stopping the MailStore Gateway Service ==
By clicking the ''Stop Service'' button, the MailStore Gateway service will be stopped. Changes to the configuration can only be made while the service is stopped. This button is only available if the service is currently running.

[[de:Konfigurationswerkzeug]]
[[en:Configuration Tool]]

Firewall Configuration

2022-02-25T14:42:07Z

Rrommelrath:

__NOTOC__
It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules.

'''Please note: '''On Windows, the installation process automatically creates an appropriate firewall rule. Therefore the below information is only applicable if other firewall solutions are used.

If MailStore Gateway computer is on a private network, refer to the manual of the router or firewall that connects the private network to the Internet to find out how to set up appropriate port forwarding rules in addition to the firewall rules described in this document.

The table below lists all TCP ports that need to be opened in the firewall when using MailStore Gateway. The following abbreviations are used in the source and target columns of that table:

* ANY = Any computer from private or public networks
* ADM = Computer or network used for administration
* GTW = Computer that hosts MailStore Gateway

{| class="wikitable sortable"
! width="80px" | Port
! width="80px" | Source
! width="80px" | Target
! class="unsortable"| Description
|-
| align="center" | 25
| align="center" | GTW
| align="center" | ANY
| Access to email servers via SMTP needed by the SMTP proxy functionality.
|-
| align="center" | 25
| align="center" | ANY
| align="center" | GTW
| Access from email servers to send emails to MailStore Gateway mailboxes. Access from email clients via SMTP needed by the SMTP proxy functionality.
|-
| align="center" | 80
| align="center" | ANY
| align="center" | GTW
| Access from Let's Encrypt for challenge requests.Required for the Let's Encrypt functionality.
|-
| align="center" | 110
| align="center" | GTW
| align="center" | ANY
| Access to email servers via POP3 needed by the POP3 proxy functionality.
|-
| align="center" | 110
| align="center" | ANY
| align="center" | GTW
| Access from email clients via POP3 needed by the POP3 proxy functionality.
|-
| align="center" | 8450
| align="center" | ADM
| align="center" | GTW
| Access to the Management Console by administrators.
|-
| align="center" | 465
| align="center" | GTW
| align="center" | ANY
| Access to email servers via SMTPS needed by the SMTP proxy functionality.
|-
| align="center" | 465
| align="center" | ANY
| align="center" | GTW
| Access from email clients via SMTPS needed by the SMTP proxy functionality.
|-
| align="center" | 587
| align="center" | GTW
| align="center" | ANY
| Access to email servers via SMTP needed by the SMTP proxy functionality.
|-
| align="center" | 587
| align="center" | ANY
| align="center" | GTW
| Access from email clients via SMTP needed by the SMTP proxy functionality.
|-
| align="center" | 995
| align="center" | GTW
| align="center" | ANY
|Access to email servers via POP3S needed by the POP3 proxy functionality.
|-
| align="center" | 995
| align="center" | ANY
| align="center" | GTW
|Access from email clients via POP3S needed by the POP3 proxy functionality.
|-
| align="center" | 995
| align="center" | MailStore
| align="center" | GTW
|Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.
|}

[[de:Firewall-Konfiguration]]
[[en:Firewall Configuration]]

Configuration Tool

2022-02-25T14:36:48Z

Rrommelrath:

__NOTOC__
[[File:MailStore_Gateway_Configuration_LE_EN.png|right|300px]]

With the MailStore Gateway Configuration tool administrators can configure basic settings of the MailStore Gateway service.

The tool is started automatically during the initial installation process; it can be started manually through the corresponding desktop icon or start menu link.

{{clear}}

== E-Mail Domain ==
This value specifies the domain part of each MailStore Gateway mailbox email address (i.e. ''<mailbox-id>@'''<e-mail domain>'' ''').

If MailStore Gateway should receive emails from other email servers (e.g. Microsoft Office 365, Google G Suite, etc.), the configured e-mail domain must be resolvable through DNS.

'''Example: ''' If the primary domain is ''example.com'' and MailStore Gateway should receive emails, a DNS record like ''msgw.example.com'' needs to be created in the DNS zone ''example.com''. The record must point to a public IP address on which MailStore Gateway is reachable. In MailStore Gateway the value of ''E-Mail Domain'' would be set to <tt>msgw.example.com</tt>.
If MailStore Gateway is located behind a NAT router or firewall, additional configuration may be needed. Refer to [[Firewall Configuration]] for further details.

== Certificate ==
MailStore Gateway uses TLS certificates to establish encrypted communication channels with clients and other servers.

Administrators can choose from the following options which certificate MailStore Gateway should use:

* '''Select from Certificate Store''' A certificate can be selected from the Windows certificate store. Please note that the ''Personal'' certificate store of the computer account is used, not the store of the current Windows user.
* '''Create Self-Signed Certificate''' A new self-signed certificate can be created and is automatically selected afterwards. Please note that self-signed certificates are neither trusted by other clients, which may lead to warnings on client computers, nor other servers. Therefore, self-signed certificates are suitable for testing purposes only and should be replaced once a system is used in a productions environment.
* '''Import from File''' With this option certificates can be imported from ''Private Information Exchange (*.p12;*.pfx)'' files. The configuration tool will automatically import the certificates into the correct Windows certificate store. Since Private Information Exchange files are password protected, a password must be entered to start the import process.
* '''Obtain from Let's Encrypt''' Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Many large, well known sponsors from the IT industry support Let's Encrypt's effort to help making the internet a safer place. A fully automated certificate approval process eliminates email or phone verification of traditional certificate authorities that often take days. Let's Encrypt certificates are only valid for 90 days and thus need to be renewed regularly. The MailStore Gateway service handles the automatic renewals once the initial configuration is done.

== Management Console Port ==
Defines the TCP ports on which MailStore Gateway's Management Console is available. If no other web server is running on the same server, it can safely be changed to the standard HTTPS port 443.

== Let's Encrypt Port ==
This port is used temporarily when requesting or renewing certificates from Let's Encrypt.

== Log Level ==
The ''Log Level'' defines how much information MailStore Gateway logs into its log files. The default settings is ''Information'' which should not be changed unless troubleshooting is required.

== Apply Configuration Changes ==
After the configuration of MailStore Gateway has been changed, the changes must be written to the configuration file by clicking on ''Apply''. Otherwise the changed settings will not be used when starting the MailStore Gateway service.

== Starting the MailStore Gateway Service ==
By clicking the ''Start Service'' button, the MailStore Gateway service will be started. Changes to the configuration must be applied first, otherwise a warning is issued. This button is only available if the service is currently stopped.

== Stopping the MailStore Gateway Service ==
By clicking the ''Stop Service'' button, the MailStore Gateway service will be stopped. Changes to the configuration can only be made while the service is stopped. This button is only available if the service is currently running.

[[de:Konfigurationswerkzeug]]
[[en:Configuration Tool]]

File:MailStore Gateway Configuration LE EN.png

2022-02-25T14:35:55Z

Rrommelrath: