Help Center


Knowledge Base


[Netmail Documentation]

This documentation is for Netmail 5.4. Documentation for [Netmail Archive 5.3] and [earlier versions of Netmail] is also available.

Skip to end of metadata
Go to start of metadata


Removing attachments at the gateway is a proactive approach for managing attachments, as it prevents attachments from ever making it into the live mail system. In this scenario, Netmail Detach makes use of Netmail Secure and Netmail Store (Netmail Store Emulator). Netmail Secure is responsible for removing attachments from incoming messages (from the Internet) at the gateway, sending them to Netmail Store, and replacing them with HTTP links. It is also responsible for re-attaching attachments to outbound messages at the gateway. Netmail Store, of course, stores the stripped attachments.

Removing attachments at the gateway

In order to remove attachments at the gateway, you must do the following:

1. Enable the Attachment Management Agent

In Netmail Secure, ensure that the Attachment Management Agent is Enabled.

2. Create an Attachment Management Policy in Netmail Secure to remove and store attachments

In Netmail Secure, create an Attachment Management Policy that uses any or all of the available Message Action options. For configuration information, expand the link below.

 Attachment Management Policy Configuration and Management

Attachment Management Policy Configuration and Management

The Attachment Management feature allows system administrators to strip attachments from email messages at the gateway and store them in Netmail Store (or a Netmail Store emulator; see note below), helping reduce storage bloat on the Exchange server. Each stripped attachment is replaced with an HTTP link that points to the original attachment in the storage repository. As such, it is possible to manage email mailbox sizes by removing storage-intensive attachments before they ever enter Exchange, all the while keeping the attachments accessible to end users.

The Attachment Management Policy was designed to streamline the configuration of Netmail Detach, in that the configuration parameters are the same as those found in the Netmail Archive Attachment Management Agent. Previously, the stripping of attachments was performed through Attachment Blocking policies. However, Attachment Blocking polices relied on long, cumbersome lists of forbidden file extensions that may not have necessarily been complete. With the Attachment Management policy, all attachments are stripped, regardless of their file type. This means that no attachments are left behind.

This page provides step-by-step instructions on how to create an Attachment Management policy. If you have already created your Attachment Management policy or are using a custom policy, then see Configuring Domains, Groups and Users to learn how to apply policies and overrides to different levels: per domain, per group or per user.

To create your Attachment Management policy, choose Secure > Policies > Attachment Management. On the Details tab, click Create Attachment Management Policy. Enter a name for your new Attachment Management policy, and then click Create. Your new policy now appears in the tree menu on the left-hand side of the Netmail Administration Console. Click the name of the Attachment Management policy you have just created to configure it. By default, the Actions tab is displayed.

Note: Netmail does not strip embedded attachments.

Important: Netmail Store is required to implement Attachment Management. If, however, an existing storage system (e.g., NAS or SAN) is already in place and has a significant amount of free storage available, Netmail Store Emulator can be configured. Netmail Store Emulator behaves like Netmail Store but runs on the file system and provides Netmail with HTTP access to your storage device.

On this page:

Setting Attachment Management Policy Criteria

Strip attachments only if message size exceeds [x] bytes/KB/MB/GB

Select this option if you want to strip attachments according to the overall message size. Enter the maximum allowed message size in bytes, KB, MB, or GB. Only those messages that reach or exceed this size limit will have all of their attachments stripped.

Automatically expire attachments after [x] days

This option allows you to set the number of days for which attachments can be viewed after they have been stripped from a message. Once the expiration date is reached, the attachments are deleted. If the number of days is not specified, attachments will be kept forever.

Place links to stripped attachments in the body of the message

If you select this option, links pointing to the stripped attachments in your storage location will appear in a table (in either HTML or plain text format, depending on the format of the message body) within the body of the email message they were stripped from. The following information will appear in the table:

  • Name of file(s)
  • Expiry date of the item(s)
  • Size of item(s)

The following screenshots show how a message looks like in a user's mailbox before attachment stripping has been implemented.

Outlook before:

OWA before:

The screenshots below show the same message after attachments have been stripped (with HTTP links placed in the body of the message). Stripped attachments can also be accessed through a small Attachments.htm file attached to the message.

Outlook after:

OWA after:

Choose language for replacement text

When you strip attachments from a message, it is possible to set the language of the headings in the table in which links to stripped attachments are displayed. You can choose from German, English, Spanish, French (France), and French (Canada). Note that this language setting is independent of browser settings.

Implementing Action Confirmation

The Action Confirmation feature allows administrators to give users Moderator privileges. A Moderator can review email messages caught by the Attachment Management policy filter before the messages are sent, which allows the Moderator to essentially override the default actions of the policy. After having reviewed the message, the Moderator can decide to send the message as is, encrypt the message, return the message to sender, etc. The Action Confirmation feature is configured in the Confirmation section. For more information on configuring this feature, refer to Action Confirmation.

Sample Attachment Management Policy

The following Attachment Management policy can be created to strip attachments from incoming messages (at the gateway) that are larger than 1 MB in overall size, delete stripped attachments from Netmail Store after 2 years, and place links in the message body for accessing stripped attachments:

1. Choose Policies > Attachment Management > Create Attachment Management Policy.

2. Enter a name for your policy, and then click Create.

3. Select your new policy from the list of policies that appear on the left-hand side of the Netmail Administration Console.

4. Select Strip attachments only if message size exceeds 1 MB.

5. Select Automatically expire attachments after 730 Days.

6. Select Place links to stripped attachments in the body of the message.

7. Click Save Changes to save your policy.

8. Select Domains. Highlight the name of your domain. The Policies tab is displayed by default.

9. Under Policies in Effect, click Assign Policy.

10. In the window that appears, select Attachment as the policy Type, select either Incoming for the Direction, and select the name of the Policy you have just created.

11. To apply the policy to all users in the organization, do not select Allow this policy to be overridden.

12. Click Assign to assign your Attachment Management policy.

Implementing Attachment Management Policies with the Attachment Management Agent

The Netmail Attachment Management Agent allows system administrators to use the attachment management capabilities of Netmail Secure to control incoming attachments into the mail system. To enable the Attachment Management Agent, choose Secure > Clusters > <Cluster Name> > Agents > Attachment Management. The agent should be Enabled in order to implement attachment management policies.

3. Assign the Attachment Management Policy to users or groups in your organization

In Netmail Secure, apply the Attachment Management Policy that you just created to individual users and/or groups of users. For information on managing user/group details and policies, expand the link below.

 Managing Users and Groups

Managing Users and Groups

Netmail Secure automatically creates users and populates your user list when mail traffic first begins moving through your SMTP mail server. This is true for every domain you create. The user list can be found by selecting Domains > <domain name> (the name of the domain you are administering) and then clicking the Users tab. You can search this list for a specific user by typing in the first few letters of the user’s name in the search textbox and then pressing Enter.

It is also possible to manually create users, groups, and distribution lists. Existing users can be edited, assigned to a group, moved to another domain, or deleted.

On this page:

Creating Users

To create a new user, click Create A User on the Users tab. Complete the following in the window that appears:

  • Create A User: Enter a user name for the new user.
  • Identity: Enter the new user’s first and last name.
  • Authentication: Enter and confirm a password for the new user.

Creating Groups

To create a user group within the domain, click Create a Group on the <domain name> > Users tab. Enter a name for the group, and then click Create Group. The new group you have just created appears in the tree menu on the left-hand side of the screen, under the name of the domain in which the group was created.

Creating Distribution Lists

To create a distribution list, click Create a Distribution List on the Users tab. In the window that appears, complete the following:

  • Create a Distribution List: Enter a name for your new distribution list.
  • Details: Enter an external or internal email address you want to add to the distribution list, and click Add. To edit an existing email address, highlight the email address in the list, and click Advanced Edit. Make your edits, and then click Confirm. You can also click Advanced Edit to add multiple addresses at one time (one address per line). To delete an existing email address from the list, highlight the email address and click Remove.

When you are done, click Create List.

 

Managing User Details and Policies

It is possible edit existing user details and policies. To do so, on the <domain name> > Users tab, select a user you want to modify, and then click Edit. The following modification options are available:

Modifying User Details

The Identification tab allows you to edit the following user information:

  • Details: This section allows you to modify the user’s first name, last name, full name, preferred name, group, and aliases.
  • Security: This section allows you to edit the user’s password and user rights.
  • Contact: This section allows you to edit the user’s contact information, such as their title, department, company, photo URL, birthday, and description.
  • Work Address: This section allows you to edit the user’s work address and contact details.
  • Home Address: This section allows you to edit the user’s home address and contact details.

The User Enabled option allows you to either enable or disable the user. When you are done, click Save changes.

Managing User-Assigned Policies

The Policies tab allows you to view and manage policies that are currently in effect for the selected user, as well as assign new policies. The following actions can be taken:

  • Disable: Click Disable if you want to cancel the policy that is in effect.
  • Override: Click Override if you want to override the policy with another policy of the same type.

If no policies have been assigned or if you want to assign additional policies, click Assign Policy. In the window that appears, select the Type of policy you want to apply, the Direction of mail flow to which you want to apply the policy (if applicable), and the name of the Policy you want to apply. If you have not created any policies, only the default policies will be available. For more information about creating a policy, see Policy Planning, Configuration and Management.

Note: User-level policies apply only to the selected user. If you create a user-level policy, it will override all other (domain- and system-level) policies.

The Quarantine Reports option allows you to send quarantine reports to the selected user. Click Send Quarantine Report to send a quarantine report of only new items in quarantine. Click Send Full Quarantine Report to send a quarantine report of all items in quarantine.

Important: After specifying your options, make sure you click Save Changes to save your work.

Managing User Allow/Block Lists

The Allow/Block Lists tab allows you to add, edit, or remove the selected user’s allow and block lists. These lists can contain email addresses, domain names, or IP addresses.

It is also possible to select multiple users at once for editing. This will allow you to make modifications to the policies that are applied to the selected users. You will not, however, be able to edit personal user information, send quarantine reports, or edit allow/block lists.

To edit the policies of multiple users, select the users you want to edit, and then click Edit. In the window that appears, you can choose to edit General policies (such as Delivery Route policy), Sender Policies, Recipient Policies, and User-Selectable policies. The dropdown lists allow you to select different policies, and you can choose to add or cancel policies. When you are done, click Save to save your changes.

Managing Group Details and Policies

Just as for users themselves, it is also possible edit existing user group details and policies. To do so, click <domain name> > <user group name>. The Rights tab is displayed by default.  The following group modification options are available:

Managing Group Rights

The Rights tab allows you to set the modification rights that users in the group have. You can choose from the following options:

  • These users may modify any domain and any policy
  • These users may modify their entire domain
  • These users may modify their group
  • These users may only modify their own settings

Be sure click Save changes after having made any changes.

Managing Users in Groups

The Users tab allows you to view and manage users that belong to the selected group. You can add new users to the group, edit individual users' details, assign users to another group (if other groups exist), or delete users from the group.

Managing Group Policies

The Policies tab allows you to view and manage policies that are currently in effect for the selected group, as well as assign new policies. The following actions can be taken:

The following actions can be taken:

  • Disable: Click Disable if you want to cancel the policy that is in effect.
  • Override: Click Override if you want to override the policy with another policy of the same type.

If no policies have been assigned or if you want to assign additional policies, click Assign Policy. In the window that appears, select the Type of policy you want to apply, the Direction of mail flow to which you want to apply the policy (if applicable), and the name of the Policy you want to apply. If you have not created any policies, only the default policies will be available. For more information about creating a policy, see Policy Planning, Configuration and Management.

The Quarantine Reports option allows you to send quarantine reports to the selected user group. Click Send Quarantine Report to send a quarantine report of only new items in quarantine. Click Send Full Quarantine Report to send a quarantine report of all items in quarantine.

Important: After specifying your options, make sure you click Save Changes to save your work.

Modifying Group Allow/Block Lists

The Allow/Block Lists tab allows you to add, edit, or remove the selected group’s allow and block lists. These lists can contain email addresses, domain names, or IP addresses.

4. Specify the storage location for attachments

Along with the Attachment Management Policy, you also need to specify the storage location for stripped attachments. To do so, expand the link below for information on specifying an IP address for your storage cluster.

 System Configuration

System Configuration

The Secure object in the navigation tree allows system administrators to apply advanced configuration setting changes to Netmail Secure at any time. During the Netmail Secure configuration procedure, you provided configuration settings for your system. These settings are automatically applied and updated to the Netmail Administration Console. However, you can still make changes to these settings at any time by choosing Secure on the left-hand side of the Netmail Administration Console and then selecting the System tab.

On this page:

Specifying a System-wide Postmaster Email Address

During the configuration procedure, you were prompted to specify a System-wide Postmaster Email Address and the name of your Netmail Secure Host Cluster. To change the System-wide Postmaster Address, enter the new address in the available textbox.

Specifying SMTP Log Retention Duration

The SMTP Log Retention option allows you to specify the number of days for which the SMTP log should be kept. The longer the retention period, the slower the log will be. A retention period of no longer than 5 days is recommended.

Specifying a Netmail Store URI

The Netmail Store URI option allows you to enter the URI of your Netmail Store cluster.

Specifying an End-User Access URI

The End-user Access URI option allows you to specify an alternative URI for end users when they access stripped attachments in email messages. This feature works in conjunction with Attachment Management and must be entered in the following format: http(s)://hostname/path.

Specifying an SNMP Community String

The SNMP Community option allows you to specify an SNMP community string. SNMP community strings function as embedded SNMP passwords. Netmail Secure supports Read-only SNMP communities. Read-only gives read access to all objects in the MIB, but does not allow write access.

Adding an SNMP Trap Receiver

This option allows you to add a Trap Receiver. SNMP Trap Receivers are used to notify a network management system which communicates with agents to get statistics and alerts from managed devices that a significant event has occurred. When a trap condition occurs, the SNMP Agent sends an SNMP trap message to any network management systems specified as the trap receiver.

To add a SNMP Trap Receiver, use the dropdown box next to Version to select a trap object. Then, enter the SNMP Community, the Host name or IP address of the remote SNMP trap receiver and the Port number. Click Add.

The list box displays a list of currently configured SNMP Trap Receivers that were added using the Add option. To modify an existing Trap Receiver, select the Trap Receiver in the list, and click Advanced Edit. To remove an existing Trap Receiver from the list, highlight the Trap Receiver in the list, and then click Remove.

Important: Click Save Changes to save your changes.

Re-attaching attachments at the gateway (for outbound mail to external recipients)

To re-attach attachments to outbound messages, ensure that the Netmail Secure Attachment Management Agent is Enabled.

1 Comment

  1. Create DNS Records for the Storage Servers or Storage Locations

    As Best Practice, it is recommended to create DNS records to reach the server where the attachments are stored.  You may use resource records type A  or CNAME (alias).

    Specifying a Netmail Store URI

    The Netmail Store URI option allows you to enter the URI of your Netmail Store cluster.  This URI is accessed by Netmail Secure to fetch the attachments and re-attach them.

    NOTE: Be careful in choosing the host name or FQDN, This setting provides access  to the internal network host name or FQDN where the attachments are stored. You may choose to use a DNS CNAME record to resolve the Netmail URI.

    Depending on the Storage Service selected (Netmail Store, Netmail Store Emulator) you may need to enter a TCP Port at the end of this string (http://store.somedomain.com:PORT).

    Netmail Store Emulator by default uses either ports 3237 over HTTP, or 3238 over HTTPS.

    Netmail Store uses default HTTP port 80.

    Specifying an End-User Access URI

    The End-user Access URI option allows you to specify an alternative URI for end users when they access stripped attachments in email messages. This feature works in conjunction with Attachment Management and must be entered in the following format: http(s)://hostname/path.

    NOTE: This is the "external" FQDN that authenticated users outside the network (Internet) will use to fetch the attachments from the Storage Location. The recommended configuration would be https://, for example https://detach.somedomain.com.

    If available, the use of publicly signed certificates is recommended to avoid browser error prompts.

    Netmail Proxy

    This configuration will provide authentication to users from outside (Internet) whenever they try to download a detached item. The settings are:

    Source Path: External URI resolvable from the Internet, i.e. https://detach.somedomain.com

    Destination URI: Internal URI to the Storage Service, i.e. http://hoststore.somedomaincom:PORT

    Authentication Route:  This uses the existing Mail Route Policies as the authentication mechanism and adds it in the form of " x-nm-route: xxxxxxx ".