Long-term roadmap suggestions?
Re: Long-term roadmap suggestions?
The ability to download from external email accounts via IMAP. This would hopefully have the added benefit of instant download if IMAP IDLE was implemented.
Re: Long-term roadmap suggestions?
Hi,
here are my long-term suggestions:
Replacement of the internal MSSQL Database with SQLite.
...less licence restrictions...
Adding of iCAL Calendar Server.
...with iCAL it would be a perfect replacement for me. I am using exchange only because it has a calendar function. If Hmailserver would have a calendar and a user account, which could be used as shared calendar, I could switch our main server back to Hmailserver...
Archiving - Well there are a lot of archive solutions available. Using Imap on the mirror email account can also do a lot of search. Maybe a second mirror account would be better. Sending a mirror message internal to the "Archive Account" and external to a second location or email server
Re: Long-term roadmap suggestions?
johndow wrote:
> Replacement of the internal MSSQL Database with SQLite.
Just making sure that you realise (Not picking on your post at all) that the built in MS SQL CE that is included, was included because for a few versions hMailserver was closed source, AND that the MS SQL CE database is not to be used in a commercial environment as per its EULA. i.e. that users are expected to NOT use the MS SQL CE in a real world environment.
hMailserver already works with other editions of MS SQL including the zero cost Express, and other databases like MySQL (and therefore MariaDB) and PostgreSQL.
MySQL (Community Edition) and PostgreSQL both have fairly open licences, but can't be included in (what was) a closed source product. Prior to ver 5, hMailserver shipped with a MySQL database.
FWIW, I'd rather that we went back to that as the default, rather than re-write a heap of code for yet another database. In saying that, the single file and easy install of the MS SQL CE does make it attractive to those testing hMailserver.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Long-term roadmap suggestions?
mattg wrote:
> Just making sure that you realise (Not picking on your post at all) that the built in MS SQL CE that is included, was included because for a few versions hMailserver was closed source, AND that the MS SQL CE database is not to be used in a commercial environment as per its EULA. i.e. that users are expected to NOT use the MS SQL CE in a real world environment.
I know and realise.
But I also know what some business partners have done in the past and may currently be doing.
Database included = use it commercial.
Their opinion is that the included database must also be available for commercial usage, and before they install additional software, they try to sue somebody.
I do not know if there is currently a warning message in the installer not to use the embedded MS SQL CE for commercial purposes.
It was just an idea to prevent some people from suing Martin and making trouble for him. Not to prefer another database. Maybe a clear warning message in the installer, which must be confirmed to continue, would be enough to protect Martin...
Re: Long-term roadmap suggestions?
Any commercial entity considering suing an open source and cost free product that they have just downloaded from the internet is not from our planet. The EULA of hMailserver is pretty clear, and very short.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Long-term roadmap suggestions?
Well, the EULA for hMailServer includes the EULA for SQL Compact. This EULA is shown during the installation program. There's also a link to the web page detailing which database is recommended where this limitation is also mentioned.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve
Re: Long-term roadmap suggestions?
LesD wrote:
> I have a NO vote for the first suggestion - to remove the built-in hMS Admin interface.
> I run all my hMS installations as basic VMs without a web server. So, unless there was some built in web server, for me at least, having a web-only admin interface is a non starter.
> For local administration I do not see any advantage in being web based. On the contrary, I always find web based interfaces much inferior to what can be done using classical methods.
> For remote admin, I would not want to trust the security of my server to a web browser. I would much rather log in via something like Remote Desktop and use the traditional interface.
> So by all means enhance the web interface but please do not remove or downgrade the built-in one.
Agree 100%...hate web-based UI for complex functionality...too slow and awkward.
Re: Long-term roadmap suggestions?
Would be nice if hmailserver could attempt to send direct like MS Exchange does and, if the connection is rejected, then send through the SMTP relay that can be specified. At the moment it's one or the other, when I'd like to send direct as most business servers do encryption, but the big ISPs don't do email encryption, helping govts to spy on people around the world, removing any chance of people ever getting private counsel via email for example.
Re: Long-term roadmap suggestions?
LesD wrote:
> I have a NO vote for the first suggestion - to remove the built-in hMS Admin interface.
> I run all my hMS installations as basic VMs without a web server. So, unless there was some built in web server, for me at least, having a web-only admin interface is a non starter.
> For local administration I do not see any advantage in being web based. On the contrary, I always find web based interfaces much inferior to what can be done using classical methods.
> For remote admin, I would not want to trust the security of my server to a web browser. I would much rather log in via something like Remote Desktop and use the traditional interface.
> So by all means enhance the web interface but please do not remove or downgrade the built-in one.
I think all versions of Windows come with IIS built in, even the console versions of XP, so you may already have it in your accessories, unless hmailserver runs on wine?
http://en.wikipedia.org/wiki/Internet_I ... es#History
I prefer the admin interface, and like you have not set up a web interface. Like you, security is an issue, so I have software logging the desktop activity which I can then correlate with the hmailserver logs to check for anomalies.
Re: Long-term roadmap suggestions?
mailserveruser wrote:
> Would be nice if hmailserver could attempt to send direct like MS Exchange does and, if the connection is rejected, then send through the SMTP relay that can be specified. At the moment it's one or the other, when I'd like to send direct as most business servers do encryption, but the big ISPs don't do email encryption, helping govts to spy on people around the world, removing any chance of people ever getting private counsel via email for example.
There is a global rule criteria 'Delivery attempts', and a global rule action 'send using route'.
I have tried that, but have abandoned the idea, but I can't recall why I dropped it.
Also, I've said this before and I'll say it again (and again) if you want to protect your message content, use message level encryption. PGP isn't that hard for people that know each other - you JUST need to share the keys first.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Long-term roadmap suggestions?
I voted cluster and other.
my 'other' vote: separate and more readable logging
current log system problems:
1. everything is logged in 1 file, hard to audit/open. file will be very large.
(we use IMAP, to show who is logged in and what ip he/she uses, what he/she did, for security audit reasons. the log file size increases very fast, making it difficult to find the info needed; if i disable imap logging, then i can't find who is logging in and his/her operations at all)
2. hard to understand
for example hmail will log what ip deleted a message, but it is hard to find which user the ip is / which mail it deleted
we used kerio connect before (migrating to hmailserver, for license/price, we have a lot of new users this year), and i think kerio's log system is perfect.
below is a line of the 'operation log of kerio', very useful for enterprise management.
[26/Dec/2014 09:43:09] {DELETE} Protocol: POP3, User: xx@xx.com, IP: 172.16.7.40, Folder: ~xx@xx.com/INBOX, From: <gxx@xxlm.com>, Subject: "JOB XX Done", Delivered: 11/Dec/2014 23:32:00, Size: 1816
'mail' log:
[26/Dec/2014 11:22:57] Sent: Queue-ID: 549cd48f-0000406e, Recipient: <kxx@oxx.xn>, Result: delivered, Status: 2.0.0
[26/Dec/2014 11:23:03] Recv: Queue-ID: 549cd496-0000406f, Service: SMTP, From: <dxo@quxx.hk>, To: <tixg@obxx.cn>, Size: 12659, Sender-Host: 111.111.111.111, SSL: yes
'config' log
[25/Dec/2014 17:30:19] admin@dxx.com - session expired for host 11.11.11.11 from Web Administration.
[26/Dec/2014 10:53:12] admin@dxx.com - Session opened for host 111.11.11.11 from Web Administration. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0.
[26/Dec/2014 11:47:23] admin@dxx.com - Update Group {Name="xx-support", DomainName="xx.cn", emailAddresses={xx-support}}
'debug' log
[04/Dec/2014 14:27:30][2952] Service HTTP started on port 8800, listens on all interfaces
[04/Dec/2014 14:27:30][3412] Loaded queue message id 547ee22a-00001e03
[04/Dec/2014 14:27:30][2952] Service HTTPS started on port 443, listens on all interfaces
[04/Dec/2014 14:27:30][2952] Service HTTPS started on port 8843, listens on all interfaces
[04/Dec/2014 14:27:30][3412] Mail queue running
[04/Dec/2014 14:27:30][2952] Service ADMIN started on port 4040, listens on all interfaces
[04/Dec/2014 14:27:30][2952] Engine was initialized.
'security' log
[07/Dec/2014 14:21:02] SMTP: User master@dxx.com doesn't exist. Attempt from IP address 125.88.253.43.
[07/Dec/2014 14:21:08] Failed SMTP login from 125.88.253.43
[07/Dec/2014 14:21:08] SMTP: User master@dxxl.com doesn't exist. Attempt from IP address 125.88.253.43.
[07/Dec/2014 14:21:14] Failed SMTP login from 125.88.253.43
[07/Dec/2014 14:21:14] SMTP server connection from 125.88.253.43 closed after 10 bad commands
thanks.
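Added example (not part of the post above, and not code from hMailServer or Kerio): a small Python audit pass over a 'security' log in the layout quoted in that post, summarising failed SMTP logins per source address and flagging bursts and probing of nonexistent users. The sample lines, addresses, threshold and window are constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the 'security' log layout quoted in the post.
# Addresses come from documentation ranges; user names are made up.
SAMPLE_LOG = """\
[07/Dec/2014 14:21:02] SMTP: User master@example.com doesn't exist. Attempt from IP address 203.0.113.43.
[07/Dec/2014 14:21:08] Failed SMTP login from 203.0.113.43
[07/Dec/2014 14:21:08] SMTP: User admin@example.com doesn't exist. Attempt from IP address 203.0.113.43.
[07/Dec/2014 14:21:14] Failed SMTP login from 203.0.113.43
[07/Dec/2014 14:21:20] Failed SMTP login from 203.0.113.43
[07/Dec/2014 14:21:20] SMTP server connection from 203.0.113.43 closed after 10 bad commands
[07/Dec/2014 15:02:11] Failed SMTP login from 198.51.100.7
[07/Dec/2014 18:40:00] Failed SMTP login from 198.51.100.7
this line is not in the expected layout
"""

# Month names are mapped by hand so parsing does not depend on the OS locale.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
TS = (r"\[(?P<day>\d{2})/(?P<mon>[A-Z][a-z]{2})/(?P<year>\d{4}) "
      r"(?P<clock>\d{2}:\d{2}:\d{2})\] ")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    ("unknown_user", re.compile(
        TS + r"(?P<proto>\w+): User (?P<user>\S+) doesn't exist\. "
        r"Attempt from IP address " + IP + r"\.?$")),
    ("failed_login", re.compile(
        TS + r"Failed (?P<proto>\w+) login from " + IP + r"$")),
    ("bad_commands", re.compile(
        TS + r"(?P<proto>\w+) server connection from " + IP +
        r" closed after (?P<count>\d+) bad commands$")),
]


def parse_line(line):
    """Return one event dict, or None when the line is not in a known layout."""
    for kind, pattern in PATTERNS:
        m = pattern.match(line.strip())
        if not m:
            continue
        try:
            h, mi, s = (int(x) for x in m["clock"].split(":"))
            ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]), h, mi, s)
        except (KeyError, ValueError):
            return None  # looks like a log line but carries an impossible date
        event = m.groupdict()
        event.update(kind=kind, ts=ts)
        return event
    return None


def summarize(log_text, threshold=3, window=timedelta(minutes=5)):
    """Per source IP: failure count, unknown users tried, burst and drop flags.

    A burst is `threshold` or more failed logins inside one sliding `window`.
    Returns (stats, skipped), where skipped counts lines that did not parse.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    stats, skipped = {}, 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        s = stats.setdefault(ev["ip"], {"failures": 0, "users": set(),
                                        "burst": False, "dropped": False})
        if ev["kind"] == "unknown_user":
            s["users"].add(ev["user"])
        elif ev["kind"] == "bad_commands":
            s["dropped"] = True
        else:
            s["failures"] += 1
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                s["burst"] = True
    return stats, skipped


def flagged(stats, min_users=2):
    """Addresses worth a closer look: a login burst or several unknown users."""
    return sorted(ip for ip, s in stats.items()
                  if s["burst"] or len(s["users"]) >= min_users)


if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE_LOG)
    for ip in flagged(stats):
        print(ip, stats[ip])
    print("unparsed lines:", skipped)
```

Counting the unparsed lines matters for an audit: a silent parser that drops unknown layouts hides exactly the entries nobody anticipated.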
Re: Long-term roadmap suggestions?
if i disable 'imap' in logging, i will not be able to find who is deleting.
"DEBUG" 880 "2014-12-26 12:08:25.730" "Copying mail contents"
"DEBUG" 880 "2014-12-26 12:08:25.730" "Saving message: {37498523-6F9E-46C4-AFEB-FA467D0B69CB}.eml"
"DEBUG" 3856 "2014-12-26 12:08:25.948" "Deleting message"
"DEBUG" 3856 "2014-12-26 12:08:25.948" "Deleting message file."
"DEBUG" 3352 "2014-12-26 12:08:26.448" "Reading messages from database."
"DEBUG" 3352 "2014-12-26 12:08:28.257" "Copying mail contents"
"DEBUG" 3352 "2014-12-26 12:08:28.257" "Saving message: {DCDEE17C-3553-4F3C-AABA-F32240AE2382}.eml"
"DEBUG" 3752 "2014-12-26 12:08:28.460" "Deleting message"
"DEBUG" 3752 "2014-12-26 12:08:28.476" "Deleting message file."
"DEBUG" 3752 "2014-12-26 12:08:30.160" "Reading messages from database."
Re: Long-term roadmap suggestions?
would be lovely if you can add the tagging system
user-defined tags would really help us that use multiple user per mailbox for work sorting
viewtopic.php?f=2&t=15794&e=1&view=unread#unread
Re: Long-term roadmap suggestions?
I would like to see support added for the sieve protocol. Dovecot supports this and it is very handy. Allows you to define (at the client level) how to handle various messages. They are stored on the server, and when the MTA goes to deliver message X to user Y, it iterates through any defined sieve scripts and does whatever is needed. I am not so concerned with HA, since people can already run their own HA clustering servers. For example: I run two vsphere hosts in HA mode. I have a windows server 2008 r2 VM that runs HMS. If that host goes down, vsphere will restart any VMs on the other host. Good enough for me, and it doesn't require anything special for things like HMS.
Re: Long-term roadmap suggestions?
I vote for other because I need a webmail integration to change passwords and some other minor things but Roundcube in Windows/IIS has very bad performance and I can't integrate Linux/Apache Roundcube with Windows hMailserver (https://myroundcube.com/myroundcube-plu ... ord-plugin).
Re: Long-term roadmap suggestions?
perizia wrote:
> I vote for other because I need a webmail integration to change passwords and some other minor things but Roundcube in Windows/IIS has very bad performance and I can't integrate Linux/Apache Roundcube with Windows hMailserver (https://myroundcube.com/myroundcube-plu ... ord-plugin).
Just an idea, not tested, no perfect solution, but possibly it helps:
Shouldn't it be possible to have a frontend/backend/reverse proxy solution?
* IIS/roundcube and Apache/roundcube use the same database.
* Frontend Apache does a conditional for(back)warding to IIS/roundcube on URL contains "/?_task=settings". Or on whatever URL string is used by the plugin.
The only drawback I see is: The users have to log in a second time to change their settings. But since they don't change their passwords and settings three times a day this would be acceptable, wouldn't it?
This would lead to most people using the fast frontend. Possibly there is no need for a second login and possibly there is also a way back from backend to frontend. E.g. when you're able to share the sessions between the servers:
http://stackoverflow.com/questions/1624 ... nt-domains
Just an idea.
Re: Long-term roadmap suggestions?
prisma wrote:
> perizia wrote:
> > I vote for other because I need a webmail integration to change passwords and some other minor things but Roundcube in Windows/IIS has very bad performance and I can't integrate Linux/Apache Roundcube with Windows hMailserver (https://myroundcube.com/myroundcube-plu ... ord-plugin).
> Just an idea, not tested, no perfect solution, but possibly it helps:
> Shouldn't it be possible to have a frontend/backend/reverse proxy solution?
> * IIS/roundcube and Apache/roundcube use the same database.
> * Frontend Apache does a conditional for(back)warding to IIS/roundcube on URL contains "/?_task=settings". Or on whatever URL string is used by the plugin.
> The only drawback I see is: The users have to log in a second time to change their settings. But since they don't change their passwords and settings three times a day this would be acceptable, wouldn't it?
> This would lead to most people using the fast frontend. Possibly there is no need for a second login and possibly there is also a way back from backend to frontend. E.g. when you're able to share the sessions between the servers:
> http://stackoverflow.com/questions/1624 ... nt-domains
> Just an idea.
I have downloaded the code for this: http://www.j-interop.org/ but never got around to unpack it and test it - Java skills still a bit rusty... It may just be the best FREE solution available.
SørenR.
“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
Re: Long-term roadmap suggestions?
SorenR wrote:
> I have downloaded the code for this: http://www.j-interop.org/ but never got around to unpack it and test it - Java skills still a bit rusty... It may just be the best FREE solution available.
What's the plan? Writing a java servlet using DCOM to configure hmailserver remotely? And writing a roundcube plugin forwarding to a tomcat serving this servlet? Or how to wire Roundcube(PHP) and Java?
Re: Long-term roadmap suggestions?
prisma wrote:
> SorenR wrote:
> > I have downloaded the code for this: http://www.j-interop.org/ but never got around to unpack it and test it - Java skills still a bit rusty... It may just be the best FREE solution available.
> What's the plan? Writing a java servlet using DCOM to configure hmailserver remotely? And writing a roundcube plugin forwarding to a tomcat serving this servlet? Or how to wire Roundcube(PHP) and Java?
Well... I have not gotten to that part yet
SørenR.
“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
Re: Long-term roadmap suggestions?
Ok, now it's my turn
I think many areas could play together.
1) Performance
2) Crossplatform
3) Clustering
4) Security
5) Interop
This can be done in a single refactoring project.
Part 1)
Adding CMake as central build and configure system and dependency management.
If this is up and running we can create builds for Microsoft Visual C/C++ and GNU C/C++ compilers from one CMakefile.
Part 2)
Beginning refactoring of the codebase

Re: Long-term roadmap suggestions?
New Management protocol:
Now we are relying heavily on OLE/ActiveX/COM/DCOM/COM+/WDNA and .NET and the Windows Registry.
As Martin already mentioned in one of his earlier posts:
> PHPWebAdmin is included, but i agree that the lack of a REST/similar API is a bit crappy. COM ain't fun...
viewtopic.php?f=10&t=28228&p=175755&hil ... un#p175755
As a programmer myself i agree with Martin.
The small benefits we get from COM aren't worth that much of the trouble we are experiencing, and COM (ActiveX also has a bad rep when it comes to security). I don't say we should cancel the existing COM support but we should consider adding a new, switchable configuration to the hMailserver Visual Studio Solution called "Universal" with build targets for (Debug/Release) => Win32/x64:
#A typical Universal/Classic-Server Installation would look like this:#
*Win32*
=> "C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe" (classic server, as usual, no change)
=> "C:\Program Files (x86)\hMailServer\Bin\hmsd.exe" (additional, new universal server side by side)
*x64*
=> "C:\Program Files\hMailServer\Bin\hMailServer.exe" (classic server, as usual, no change)
=> "C:\Program Files\hMailServer\Bin\hmsd.exe" (additional, new universal server side by side)
According to Microsoft design guidelines and best practices for system service programming (native 32/64-bit and 32-bit system services on 64-bit versions of Windows, SysWOW64) the system service config files should always be placed in the special folders for (NT AUTHORITY\SYSTEM) (LocalSystem), which is:
psexec -sid cmd.exe (sysinternals)
From an elevated cmd (e.g as Administrator) use sysinternals:
psexec -sid cmd.exe
C:\Windows\system32>echo %appdata%
C:\Windows\system32\config\systemprofile\AppData\Roaming
C:\Windows\system32>whoami
"nt authority\system" (highest possible system account on any NT based Windows System)
For any usermode programs (even if you are logged in as Windows "Administrator") this is a different talk:
Usermode:
CMD+ENTER (non elevated)
C:\>echo %appdata%
C:\Users\dravion\AppData\Roaming
C:\>whoami
camelot\dravion
I think this is the most inversive way without breaking any existing functionality while on the other hand we have the freedom adding new Universal features to hMailserver.
#Back to COM/DCOM#
Some people are saying "a REST API" should be implemented side by side with COM but i don't believe this is a good idea. REST needs in the first place an HTTP server stack, HTTP/1.0 (RFC 1945) and HTTP/1.1 (RFC 2616), with its numerous extensions like MIME, and if you want SSL you need to implement HTTP Over TLS (HTTPS). Anyway, with HTTP(S) you get a large load of security pitfalls like "Session Fixation", "Cross-Site Scripting" (CRSS), "Cross-Site Request Forgery (CSRF)" etc. At least (if you don't want to implement all these RFCs and CERT security best practices) you have to set up/configure and maintain a full-blown, existing webserver like Apache2+Modules and/or NGINX+FastCGI+PHP5 and its various extensions and encoding settings ISO/UTF-8/PHP.INI [MBSTRING] charset etc.
I don't know, i like it small and compact and recommend WebSocket + TLS (WSS).
It is scalable, can multiplex channels, needs no polling, can react in realtime, has server-side notifications, and you can inform thousands of logged-in users on a server event and/or forward a message, and it uses 90% less protocol overhead and processing than HTTP 1.0/1.1 https://tools.ietf.org/html/rfc6455
Re: Long-term roadmap suggestions?
I'd like to see something simpler:
Lots of events exposed to external code, so hMailServer can be easily customized. In particular, OnEmailSend, OnEmailReceived.
With that and a few wrapper libraries (like one for .Net, one for PHP), you'd open up a lot of what I think an open source Email Server's real potential is, and that's custom coding for each implementer's own special email needs, or even just new ideas about email.
For example, it's unfortunate the Distribution List and Groups both fail to do some basic things, like restrict send to a list of users (without a 2-DList hack). But with exposed events in popular Windows server platform languages, people could write short libraries that do any number of things, including replace this functionality.
It seems like the road to get to a basic version would be a lot shorter than the other things suggested here, and then refining it so you could share the libraries like plugins would take some long-term thought and care.
Re: Long-term roadmap suggestions?
1. I, too, am opposed to removing hMailAdmin from usage. One of the things I tout to people when I tell them of the advantages I have with hMailServer is that the Administration of hMailServer is done on my Local PC and not with a Web based Administration utility. By having the Administration utility running locally on my PC (computer), I can make changes such as setting up email accounts (email ids) very quickly as I do not have to wait on response time from the Administration program over the internet. With hMailAdmin the maintenance transactions happen virtually instantly compared to the response time if the maintenance transactions were done with a web browser. Currently I also have email with GoDaddy which uses web based maintenance and the response time while not terrible slows down the process. I frequently set up my email addresses while on the phone with various businesses, etc. as I set up a separate email address for each business I deal with. The faster response time I get from using hMailAdmin aids greatly when doing this 'on the fly' while on the phone with the business. I do not oppose having a web based Administration utility as it would allow remote administration of hMailServer but I do oppose removal of hMailAdmin.
2. Unless I have not discovered the way to do this with hMailAdmin, I tried once to change the 'Host name' in hMailAdmin to see if I could remotely control a separate installation of hMailServer which I have on a second computer in my Local Network and found I couldn't do this even though hMailAdmin allows you to change this 'Host name'. If there isn't another way to accomplish this or even if there is, I would like to see hMailAdmin include this capability without having to specify any other libraries, etc. somewhere else. I maintain two hMailServer servers on separate computers in my Local Network. Currently I use the second server when I may have to bring the first server out of service for a significant period of time. It would be nice to be able to apply the same maintenance to the first server at the same time to the second server so the two would always be in sync.
3. Refer back to number 2 above. It would be nice to be able to do the same dual maintenance I refer to with one change on hMailAdmin. That is have the capability for one maintenance change done in hMailAdmin to affect more than one hMailServer server running on separate PCs (computers).
4. I would like to see more Microsoft Exchange Server type abilities such as having a Global Address Book (Contacts). Right now one of the problems with using hMailServer is that one POP3 user doesn't have access to the same Contact another POP3 user uses. In other words there isn't a convenient way for one say Outlook Email User to sync his/her Contacts or Calendar with another Email User. I know in Microsoft Exchange Server by having the Global Address Book all Email Users have access to the same Contact (Global Address) information. Being able to do this would be a nice feature.
Re: Long-term roadmap suggestions?
#2 What database do you use? Have you looked at MySQL Replication??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Long-term roadmap suggestions?
mattg,
"#2 What database do you use? Have you looked at MySQL Replication??"
I use MySQL but use them separately on both of my two computers. I do not share the one MySQL database between the two computers each running their own copy of hMailServer. Both computers also have their own hMailAdmin. I do not use MySQL Replication.
Re: Long-term roadmap suggestions?
Replication keeps two copies of the database exactly the same on two different computers. As a change is made to one database, the other database is updated automatically.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Long-term roadmap suggestions?
Mattg,
Thanks for the information. But one thing puzzles me about what goes into the MySQL Database for hMailServer. In addition to the actual email message itself, does all the information regarding the Domains, Email Accounts, and settings go into the MySQL hMailServer database as well such that, for instance, I add an email account (email id) to my hMailServer through hMailAdmin then does that email account (email id) get stored in the MySQL Database for hMailServer too such that Replication would then duplicate the email id in the second computer's MySQL Database for hMailServer? I ask this because I see the Domains and Email Accounts stored elsewhere with what appears to be possibly pointers into the MySQL database.
Also I assume MySQL Replication is a function of MySQL itself that needs to be set up. If not can you direct me to where the information on MySQL Replication is so I can research how to implement it.
Also the problem I described when attempting to access the hMailServer on a remote computer in my Local Network generates this error. Where on the hMailAdmin connect screen I added a hostname of Sally with hMailServer username of Administrator. I selected the Sally entry and got the following error:
'Retrieving the COM Class Factory for remote component with CLSID {some Hex string} from machine Sally failed due to the following error 80070005'.
Re: Long-term roadmap suggestions?
jim.bus wrote: But one thing puzzles me about what goes into the MySQL Database for hMailServer. In addition to the actual email message itself...
No, the messages are NOT stored in the database, only metadata about the messages.
jim.bus wrote: ...does all the information regarding the Domains, Email Accounts, and settings go into the MySQL hMailServer database as well such that, for instance, I add an email account (email id) to my hMailServer through hMailAdmin then does that email account (email id) get stored in the MySQL Database for hMailServer too such that Replication would then duplicate the email id in the second computers MySQL Database for hMailServer. I ask this because I see the Domains and Email Accounts stored elsewhere with what appears to be possibly pointers into the MySQL database.
Yes
jim.bus wrote: Also I assume MySQL Replication is a function of MySQL itself that needs to be set up. If not can you direct me to where the information on MySQL Replication is so I can research how to implement it.
http://dev.mysql.com/doc/refman/5.7/en/ ... howto.html
jim.bus wrote: Also the problem I described when attempting to access the hMailServer on a remote computer in my Local Network generates this error. Where on the hMailAdmin connect screen I added a hostname of Sally with hMailServer username of Administrator. I selected the Sally entry and got the following error:
'Retrieving the COM Class Factory for remote component with CLSID {some Hex string} from machine Sally failed due to the following error 80070005'.
I've NEVER gotten that to work, and given up trying. 800XXXXXX errors are windows permissions errors
https://www.hmailserver.com/documentati ... ter_remote
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
- jimimaseye
- Moderator
- Posts: 8173
- Joined: 2011-09-08 17:48
Re: Long-term roadmap suggestions?
jim.bus wrote: 'Retrieving the COM Class Factory for remote component with CLSID {some Hex string} from machine Sally failed due to the following error 80070005'.
In case you haven't seen: https://www.hmailserver.com/documentati ... management ("Common Problems")
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: Long-term roadmap suggestions?
Greylisting definitely needs some work
SorenR wrote: Perhaps some work on GreyListing is needed...
1) Mailing lists most often use a one-time email address as sender. Is sender a requirement?
2) Support for DNS based Whitelists like dnswl.org
3) Lingertime in minutes (unused records), not days.
4) Whitelist on HELO (with wildcard)
5) Whitelist on domain (with wildcard)
6) Update triplet if mail is accepted via incoming relay (fx. Backup-MX) in second attempt from sender.
Whitelist on SPF, but only for some (customisable) domains.
I'd like to NOT greylist where the sending server for 'google.com', 'Outlook365.com' is contained in their SPF record, but I still want to run all other AntiSPAM tests on these messages. The SPF record contains different servers than their MX record. There are 200 000+ IP addresses that are covered by these two senders (hosters of commercial domains); entering them individually or even using a script and COM API takes ~30 minutes on my system. I'm sure that checks against that list also take a long time. My attempt at a workaround hasn't worked very effectively >> viewtopic.php?f=21&t=29238 and misses far more than it allows through.
What I'd like to see is the potential to Greylist >> SPF Check >> whitelist for specific FQDN, like the Google 'spf.google.com'.
ALSO
We seem to be doing some AntiSPAM tests before we greylist, and I'm not sure why.
If we are going to greylist, let's do that first and save some bandwidth, OR because only some of the AntiSPAM tests are done before greylisting, perhaps we could have a different outcome based on the prelim AntiSPAM Scoring.
Example.
I normally score spam at 6 and delete at 25.
If a prelim spam score (ie before greylisting, and therefore before spamAssassin, DKIM checks, SURBL, but after DNSBL, HELO check, MX check and SPF check) is above my score mark, say 12, and the message would normally get given a '451 please try again later', I'd rather just like to reject that mail then and there.
If the prelim score is 4, I'd like to greylist block for 30 minutes rather than my usual 10 minutes, so that the SURBL and DNSBL lists have a few minutes longer to get updated, to make the final Spam Scoring more reliable.
Some other enhancements that I'd like
1. Event that is triggered every 'user defined' number of minutes. There is obviously a fair bit of stuff that is done on a schedule within hMailserver (indexing, greylist cleanup etc), it would be nice to be able to trigger an event within the eventhandlers.vbs to utilise this.
2. Global rules that can add (or subtract) from the total SPAM score for a message
3. The ability to set an SPF record in certain circumstances. SPF records that end in a '+all' or even a '~all' are useless. We should be able to set a default SPF record to test if there is no SPF record, and also in circumstances where the domain owner has specifically removed SPF as a valid tool by setting a '+all' SPF record, we should be able to rewrite the locally held SPF record before tests are run, and fail accordingly.
4. On the SpamAssassin connection timeout causing error out, a default score should be allocated
5. All spam scores should be to one decimal place (like SpamAssassin), and should allow negative scores (again consistent with SpamAssassin)
6. Logging needs an overhaul. I'm trying to troubleshoot some SSL connection issues, and I'm just not getting enough detail to do this. For example, I've worked out that a CDO Mail Message will send via SSL (port 465) connections but not StartTLS connections, and that .NET MAIL (System.Net.Mail) is the opposite way around. System.Net.Mail uses StartTLS (port 587) and not SSL. It would be nice to see issues that arise when removing / adding certain ciphers, i.e. if a connection is dropped due to the use of an unlisted cipher, or when a connection is dropped because say SSL v3.0 is deselected and the remote client doesn't support TLS.
7. An event that is triggered on a SSL connection fail, with some error handling detail would be awesome to help with #6 above
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
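The pre-greylisting flow proposed in the post above (skip greylisting for SPF-covered senders, reject instead of deferring at a high preliminary score, defer longer at a middling one), modelled as an added example; it is not hMailServer code and hMailServer exposes no such hook. The class, function and constant names are hypothetical, the exempt network is a constructed documentation range, and treating the scores 12 and 4 as inclusive lower bounds is an assumption.

```python
import ipaddress

# Thresholds from the post; treating them as inclusive lower bounds is an assumption.
REJECT_SCORE = 12          # preliminary score at which a would-be 451 becomes a reject
EXTENDED_SCORE = 4         # preliminary score that earns the longer delay
NORMAL_DELAY = 10 * 60     # usual greylist delay, in seconds
EXTENDED_DELAY = 30 * 60   # longer delay so DNSBL/SURBL lists can catch up

# Constructed stand-in for the networks an SPF include would expand to.
# Documentation range only; a real deployment would resolve the SPF record.
EXEMPT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


class Greylist:
    """Hypothetical model of the proposed flow; returns (action, seconds_to_wait)."""

    def __init__(self, exempt_networks):
        self.exempt_networks = list(exempt_networks)
        self.triplets = {}  # (ip, sender, recipient) -> (first_seen, delay)

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt_networks)

    def decide(self, ip, sender, recipient, prelim_score, now):
        # SPF-covered senders skip greylisting only; later spam tests still run.
        if self.is_exempt(ip):
            return ("continue", 0)

        key = (ip, sender.lower(), recipient.lower())
        seen = self.triplets.get(key)
        remaining = None
        if seen is not None:
            first_seen, delay = seen
            remaining = delay - (now - first_seen)
            if remaining <= 0:
                return ("continue", 0)  # retry arrived after the delay expired

        # From here the message would get a 451; a high score rejects instead.
        if prelim_score >= REJECT_SCORE:
            return ("reject", 0)
        if remaining is None:
            # First sighting: pick the delay tier once and remember it.
            delay = EXTENDED_DELAY if prelim_score >= EXTENDED_SCORE else NORMAL_DELAY
            self.triplets[key] = (now, delay)
            remaining = delay
        return ("defer", remaining)
```

The delay tier is fixed at the first sighting of a triplet, so a retry that scores differently still waits out the original window unless it crosses the reject threshold.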
-
- Normal user
- Posts: 38
- Joined: 2016-01-27 19:42
Re: Long-term roadmap suggestions?
http://www.pcworld.com/article/3046484/ ... ndard.html
SMTP Strict Transport Security is a new mechanism that allows email providers to define policies and rules for establishing encrypted email communications.
The new mechanism is defined in a draft that was published late last week for consideration as an Internet Engineering Task Force (IETF) standard....
The newly proposed SMTP Strict Transport Security (SMTP STS) addresses both of those issues. It gives email providers the means to inform connecting clients that TLS is available and should be used. It also tells them how the presented certificate should be validated and what should happen if a TLS connection cannot be safely negotiated.
These SMTP STS policies are defined through special DNS records added to the email server’s domain name. The protocol provides mechanisms for clients to automatically validate these policies and to report back on any failures.
Servers can also tell clients to cache their SMTP STS policies for a specific amount of time, in order to prevent man-in-the-middle attackers from serving fraudulent policies when they attempt to connect.
The proposed protocol is similar to the HTTP Strict Transport Security (HSTS), which is meant to prevent HTTPS downgrade attacks by caching a domain’s HTTPS policy locally in the browser. It does, however, assume that the first connection from a particular client to the server was performed without being intercepted; otherwise, a fraudulent policy might have been cached.
Hmail 5.6
Windows Server 2008 R2 - 64Bit
SpamAssassin
Re: Long-term roadmap suggestions?
rastaginger wrote: http://www.pcworld.com/article/3046484/ ... ndard.html
SMTP Strict Transport Security is a new mechanism that allows email providers to define policies and rules for establishing encrypted email communications.
The new mechanism is defined in a draft that was published late last week for consideration as an Internet Engineering Task Force (IETF) standard....
The newly proposed SMTP Strict Transport Security (SMTP STS) addresses both of those issues. It gives email providers the means to inform connecting clients that TLS is available and should be used. It also tells them how the presented certificate should be validated and what should happen if a TLS connection cannot be safely negotiated.
These SMTP STS policies are defined through special DNS records added to the email server’s domain name. The protocol provides mechanisms for clients to automatically validate these policies and to report back on any failures.
Servers can also tell clients to cache their SMTP STS policies for a specific amount of time, in order to prevent man-in-the-middle attackers from serving fraudulent policies when they attempt to connect.
The proposed protocol is similar to the HTTP Strict Transport Security (HSTS), which is meant to prevent HTTPS downgrade attacks by caching a domain’s HTTPS policy locally in the browser. It does, however, assume that the first connection from a particular client to the server was performed without being intercepted; otherwise, a fraudulent policy might have been cached.
This is not a completely new system from Google, Yahoo and Microsoft. At this time we start a connection with STARTTLS unsecured, and none of the providers checks the certificate for the session. hMail has implemented the function to verify the certificate via the certificate manager of Windows (correct me if I am wrong). I think the best method to check the certificate is the method of D.A.N.E. With this method the DNS is secured by DNSSEC. But none of the big providers uses it! Why, I have no idea. STS is the same: it checks the certificate via the DNS server, and if that fails, it denies the message!
See the following mail provider: https://mail.de/unternehmen/presse/2014 ... -dane-tlsa
o
L_
OL
This is Schäuble. Copy Schäuble into your signature to help him on his way to Überwachungsstaat.