Last adaption: 03.2024
This article refers to a Resellerpreview

General

  • Can the UMA be used without a mail server?

  • Answer

    If there are only individual mailboxes/accounts hosted by an email service provider such as GMX, WEB, GMAIL, 1&1 or similar, which are accessed by individual internal clients, the UMA cannot normally be used.
    Explanation

    The UMA only retrieves mail from mailboxes/accounts that have an "UNSEEN" tag (unread emails).

    After a retrieval, the corresponding emails are either marked as read or deleted. A direct retrieval from user mailboxes would therefore result in only incoming mails being retrieved. Outgoing mails always have a "SEEN" tag and are therefore not archived. In addition, once the UMA has retrieved the emails, the client no longer sees any "New" emails; conversely, the UMA does not retrieve emails that have already been opened in the client, because clicking on them gives them a "SEEN" tag (marks them as read). The only way the UMA can archive mails in HUB mode is to fetch them from a central, user-independent mailbox/account. For the mails to reach this newly created mailbox/account, forwarding must be available for each mailbox/account. This forwarding must apply to incoming as well as outgoing emails!

    With most of the mentioned mail providers NO outgoing forwarding for emails can be set up, which is why the UMA cannot be used here!
    Solution

    Please consult your email provider in advance regarding the possibility of complete forwarding per mailbox/account! If this option is available, there is nothing to prevent the use of a UMA.

    When using Office365 as well as hosted mail server solutions, journaling or full forwarding is possible in most cases.
    It is also possible, in this context, to use the Terra Cloud solution or a free internal mail server such as H-Mail.

    A guide to setting up MS Office 365 is available on the Securepoint Wiki under Configuration - Office 365.


  • Is it possible to connect the UMA to multiple user environments?

  • Answer

    This functionality is not supported by us. Only the use of one environment (AD, OpenLDAP or local users) is supported. So-called forest root domains or the splitting of domain controllers is not supported, since the users and their email addresses cannot be queried across servers via LDAP. The LDAP request is always directed exclusively to the domain controller connected to the UMA.


  • Can the transparent mode be configured?

  • Answer

    The transparent mode is no longer configurable since version 2.5.8 and will be removed completely starting with UMA version 3.


  • What happens if the UMA's license becomes invalid?

  • Answer

    • The retrieval of emails from the collective mailbox is discontinued.
    • There is now only read-only system access to the previously archived emails.


  • Do public folders need to be licensed?

    Is it necessary to license public folders (distribution lists, shared mailboxes, public folders)?
  • Answer

    No, the public mailboxes are recognized when connected to the Active Directory and do not need to be licensed. The use of public mailboxes is only possible when using an Active Directory.


  • Is it possible to map the folder structures of the UMA?

  • Answer

    This functionality is not supported by us and there are no plans to implement it in the future. Folder structures are constantly changing and this would have to be tracked on the UMA, thus removing the read-only feature of the UMA.


    Licensing

  • Why can't the license be imported?

    Why can't the license be imported? (e.g.: There was an error uploading the files.)
  • Answer

    This may be because the UMA is full. If the free memory is shown as 0b in the overview, it is not possible to import a license.

    Solution

    The memory must be expanded. Detailed instructions on this topic can be found in the Securepoint Wiki under Replacing and Expanding the Archive Memory of the UMA.
    Another cause can be the internal time of the UMA. If this deviates too far from the license period, the license cannot be uploaded or is invalid after uploading.

    1. Connect to the UMA via the console or with an SSH client. Before connecting via SSH, the SSH service of the UMA must be started under "Administration -> Maintenance":
    ssh -l admin 192.168.175.254
    2. Set the time of the UMA to the current date and time:
    date -s "06 Oct 2019 10:50:00"

    3. Reload the admin interface in the browser by pressing [CTRL]+[R].


    Archive / Archiving

  • Can certain email addresses be excluded from archiving?

  • Answer

    Yes. Email addresses can be excluded from archiving under System settings, tab Email accounts.
    Attention: Only complete email addresses can be defined. Wildcards cannot be used.


  • How are spam emails excluded from archiving?

  • Answer

    Emails should already be identified as SPAM and filtered at the email gateway (e.g. Securepoint NextGen UTM). Thus, SPAM does not even reach the journal mailbox of the mail system.


  • Are encrypted emails archived?

  • Answer

    Encrypted emails are archived as they are. The header of an email is not encrypted, so that the assignment to the user can be made. A private key cannot be stored in the UMA. Therefore, these emails must be downloaded from the UMA for viewing, so that they can then be opened by internal means.


  • Why are mails not picked up from the Exchange mail server?

  • Answer

    There can be several reasons why the emails from the journal mailbox of the Exchange mail server cannot be fetched by the UMA. Below we have listed the most common ones.
    Solution

    Possibility 1: The UMA license has expired

    The retrieval of emails from the collective mailbox is discontinued.
    Solution: A new valid license must be registered in the UMA.

    Possibility 2: The archive space of the UMA is full
    If no memory is available, the UMA cannot archive any more data. Taking into account the system requirements/project planning, the existing memory can be replaced by new memory with a higher capacity.
    Detailed instructions on this topic can be found in the Securepoint Wiki under Replacing and Expanding the Archive Memory of the UMA.

    Possibility 3: Journal mailbox too full
    Above a certain number of emails, the IMAP service of an email system can react sluggishly.
    Solution: In this case, on the mail server you need to check the inbox of the journal mailbox and delete unnecessary emails.
    The "Leave emails on server" function can be deactivated via the UMA web interface. The UMA then deletes the emails from the journal mailbox after it has picked them up.

    Attention: Deleting via this function only applies to emails that are picked up after deactivation.



    Possibility 4: The IMAP service on the mail system is not running
    Solution: Check the status of the service on the mail server and restart the service if necessary.
    Then perform a connection test with a telnet client to the mail server. How to do this is described in possibility 5.

    Possibility 5: Fundamental problem with the IMAP service of the mail system
    Solution: Debugging the IMAP service via telnet.

    1. Connect to the mail system using a computer with Telnet client installed.
    telnet 192.168.1.50 143
    Welcome to the server.
    OK The Microsoft Exchange IMAP4 service is ready.
    2. Log in with the journal account that is also configured in the UMA. In this example, the username is "journal" and the password is "insecure".
    a1 LOGIN journal insecure
    The IMAP service of the mail system accepts the login.
    a1 OK LOGIN completed.
    3. Show the available IMAP folders.
    a2 LIST "" "*"
    The mail system lists all folders.
    * LIST (\HasNoChildren) "/" Tasks
    * LIST (\HasNoChildren) "/" Entw&APw-rfe
    * LIST (\HasNoChildren) "/" "Gel&APY-schte Items"
    * LIST (\HasNoChildren) "/" "Sent items"
    * LIST (\HasNoChildren) "/" Journal
    * LIST (\HasNoChildren) "/" Junk-E-Mail
    * LIST (\HasNoChildren) "/" Calender
    * LIST (\HasChildren) "/" Contacts
    * LIST (\HasNoChildren) "/" Notes
    * LIST (\HasNoChildren) "/" Outgoing mail
    * LIST (\Marked \HasNoChildren) "/" INBOX
    a2 OK LIST completed.
    


    4. Select the INBOX (Inbox) folder.
    a3 SELECT INBOX
    The server outputs an overview of the folder.
    * 0 EXISTS

    * 0 RECENT
    * FLAGS (\Seen \Answered \Flagged \Deleted \Draft $MDNSent)
    * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $MDNSent)] Permanent flags
    * OK [UIDVALIDITY 14] UIDVALIDITY value
    * OK [UIDNEXT 40] The next unique identifier value
    a3 OK [READ-WRITE] SELECT completed.
    


    If the mail system has not reported an error up to this point, the IMAP service appears to be running normally and without errors.
    Common error: The IMAP proxy component (ImapProxy) on the Exchange server is inactive.
    The status of the component can be retrieved using the following command via the Exchange shell on Exchange 2013 and 2016:
    Get-ServerComponentState -identity <ServerName>
    If the ComponentState is "inactive", then it can be reactivated with the following command:
    Set-ServerComponentState -identity <ServerName> -Component ImapProxy -Requester HealthAPI -State Active
    After enabling ComponentState, the IMAPv4 and IMAPv4 BackEnd services must be restarted.
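
The telnet steps from possibility 5 can be scripted so the check is repeatable. The following is an added example, not Securepoint code: `probe_journal`, `parse_list_line` and `decode_mutf7` are hypothetical names, and the script assumes the mail server offers STARTTLS with a certificate the client trusts. It opens the INBOX read-only so the diagnostic does not change the flags the UMA relies on, and it decodes folder names such as `Entw&APw-rfe` from the LIST output.

```python
import base64
import imaplib
import re
import ssl

LIST_RE = re.compile(r'^(?:\* LIST )?\((?P<flags>[^)]*)\) (?:"[^"]*"|NIL) (?P<name>.+)$')


def decode_mutf7(name):
    """Decode IMAP modified UTF-7 folder names such as 'Entw&APw-rfe'."""
    def shifted(match):
        if not match.group(1):              # "&-" encodes a literal ampersand
            return "&"
        b64 = match.group(1).replace(",", "/")
        b64 += "=" * (-len(b64) % 4)        # restore the padding IMAP omits
        return base64.b64decode(b64).decode("utf-16-be")
    return re.sub(r"&([^-]*)-", shifted, name)


def parse_list_line(line):
    """Return (flags, decoded folder name) for one LIST response line, else None."""
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    if not isinstance(line, str):
        return None
    match = LIST_RE.match(line.strip())
    if not match:
        return None
    name = match.group("name").strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return match.group("flags").split(), decode_mutf7(name)


def probe_journal(host, user, password, port=143):
    """Run steps 1-4 of the telnet session; raises on connection, TLS or login failure."""
    conn = imaplib.IMAP4(host, port)                      # step 1: connect, read greeting
    try:
        conn.starttls(ssl.create_default_context())       # assumption: server offers STARTTLS
        conn.login(user, password)                        # step 2: LOGIN
        _, lines = conn.list()                            # step 3: LIST "" "*"
        folders = [p[1] for p in map(parse_list_line, lines) if p]
        typ, data = conn.select("INBOX", readonly=True)   # step 4, read-only (EXAMINE)
        if typ != "OK":
            raise imaplib.IMAP4.error(f"SELECT INBOX failed: {data!r}")
        _, hits = conn.search(None, "UNSEEN")             # what the UMA would still fetch
        unseen = len(hits[0].split()) if hits and hits[0] else 0
        return {"folders": folders, "exists": int(data[0]), "unseen": unseen}
    finally:
        conn.logout()
```
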



    Possibility 6: Bug in the mail server software
    It is no longer possible to retrieve emails from the collective mailbox.
    Until CU6 (Cumulative Update 6) in the Exchange servers 2013 and 2016 there is a bug which affects the IMAP and POP service. After some time no login can take place, although the services are running and the component state is active.
    Solution: Install the latest updates on the mail server. Starting with CU7 on both server variants this error is fixed.

    Possibility 7: In Exchange, the trash of the mailbox is full
    Pickup from an Exchange is no longer possible.
    If the message NO Expunch failed appears in the log, then the recycle bin for the mailbox is full in the Exchange. Mail header errors also appear in the log, but these are not real errors: the first mail retrieved is fetched but then cannot be deleted, and every further mail cannot be fetched and generates this message.

    Solution: Empty the recycle bin of the journal.


  • Does the UMA archive encrypted emails?

  • Answer

    The UMA archives encrypted as well as unencrypted emails, since the header is always freely readable and thus a user mapping can take place. However, there is no possibility to store certificates for the encrypted emails. The search in the user interface can therefore only be carried out on the basis of the information in the header.
    Solution

    One way of making emails available to the user without encryption is to store the certificate in the user's email client and to connect the email client directly to the UMA via IMAP.


  • What happens if there is no more archive space available?

  • Answer

    Detailed instructions on this topic can be found in the Securepoint Wiki under Replacing and Expanding the Archive Memory of the UMA.


  • How do I set up encrypted retrieval from Hetzner mail servers?

  • Answer

    Instead of the usual mail server address "mail.your-server.de", the address of the Managed Root Server must be entered.
    Mail retrieval via IMAP with STARTTLS/TLS (port 143 recommended by Hetzner) or SSL (port 993) then also works via this server.


    Import

  • Why is the bulk import not available?

  • Answer

    The mass import is not being displayed.
    Mass import can only be used in conjunction with an AD environment and Microsoft Exchange.

    Monitoring

  • Enable SNMP in the UMA

  • Answer

    The following steps must be performed in the admin interface:

    Under System settings / Network, in the SNMP settings section:

    • Set SNMP Service to Activated.
    • Depending on the type of SNMP query, the necessary settings for SNMPv3 or SNMPv2c/v1 can then be selected.


  • Read out occupied memory of the UMA via SNMP

  • Answer

    The occupied memory can be calculated with the following OIDs:

    hrStorageUsed.45 → .1.3.6.1.2.1.25.2.3.1.5 New OID
    hrStorageAllocationUnits.45 → .1.3.6.1.2.1.25.2.3.1.5 New OID

    The two values must be multiplied:
    hrStorageUsed.45 * hrStorageAllocationUnits.45 = Occupied memory in bytes


  • Read out the total memory of the UMA via SNMP

  • Answer

    The total memory can be calculated from the following OIDs:

    hrStorageSize.45 → .1.3.6.1.2.1.25.2.3.1.5 New OID
    hrStorageAllocationUnits.45 → .1.3.6.1.2.1.25.2.3.1.5 New OID

    The two values must be multiplied:
    hrStorageSize.45 * hrStorageAllocationUnits.45 = Total memory in bytes

    Attention: The calculation should take into account that about 14% of the memory in the UMA is reserved for databases and snapshots.
    A warning message via the monitoring system should therefore be issued at the latest when the system is 80% full, in the best case 70%.
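
The two multiplications and the alert thresholds above, combined into one monitoring check. This is an added example, not part of the UMA or the original article: the function names are hypothetical, the input is assumed to be net-snmp style `snmpget` text output using symbolic object names, and the sample values are constructed.

```python
import re

RESERVED_PERCENT = 14            # "about 14%" reserved for databases and snapshots
WARN_AT, CRIT_AT = 70.0, 80.0    # alert thresholds recommended above, in percent
REQUIRED = {"hrStorageUsed", "hrStorageSize", "hrStorageAllocationUnits"}

# Matches lines such as: HOST-RESOURCES-MIB::hrStorageUsed.45 = INTEGER: 1234
VALUE_RE = re.compile(r"::(hrStorage\w+)\.(\d+) = INTEGER: (\d+)")


def parse_snmp(output, index=45):
    """Collect the hrStorage* values for one storage index from snmpget output."""
    values = {}
    for name, idx, number in VALUE_RE.findall(output):
        if int(idx) == index:
            values[name] = int(number)
    missing = REQUIRED - values.keys()
    if missing:
        raise ValueError(f"missing values for index {index}: {sorted(missing)}")
    return values


def storage_status(output, index=45):
    """Return byte counts, fill level and alert level for the archive storage."""
    v = parse_snmp(output, index)
    unit = v["hrStorageAllocationUnits"]
    used = v["hrStorageUsed"] * unit        # occupied memory in bytes
    total = v["hrStorageSize"] * unit       # total memory in bytes
    if total == 0:
        raise ValueError("hrStorageSize is 0")
    reserved = total * RESERVED_PERCENT // 100
    percent = 100.0 * used / total
    level = "critical" if percent >= CRIT_AT else "warning" if percent >= WARN_AT else "ok"
    return {
        "used_bytes": used,
        "total_bytes": total,
        "headroom_bytes": total - reserved - used,   # space left before the reserve is touched
        "percent_full": round(percent, 1),
        "level": level,
    }


# Constructed sample output for storage index 45.
SAMPLE = """\
HOST-RESOURCES-MIB::hrStorageAllocationUnits.45 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageSize.45 = INTEGER: 1000000
HOST-RESOURCES-MIB::hrStorageUsed.45 = INTEGER: 750000
"""

if __name__ == "__main__":
    print(storage_status(SAMPLE))
```
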


    Error messages

  • Mails are not archived and remain in the journal

  • Error message

    err auth: Error: ldap(testuser@securepoint.de): LDAP search returned multiple entries

    err lmtp(testuser@securepoint.de): Error: auth-master: userdb lookup(testuser@securepoint.de): Auth USER lookup failed
    err lmtp(6584): Error: lmtp-server: conn unix:pid=6596,uid=1 [1]: rcpt testuser@securepoint.de: Failed to lookup user testuser@securepoint.de: Internal error occurred. Refer to server log for more information.
    err temp error on testuser@securepoint.de. will skip this run (8)

    debug error fetching mail: msg_uid=1608625960-18520, errormsg: no error - authenticated (1)


    Cause

    The specified email address in the user repository (Azure AD, AD, openLDAP, or local user) is associated with more than one object.


    Solution

    For email archiving, there must always be a unique assignment.
    The email address must be removed from the multiple objects (user or public folder) so that it is assigned exclusively to one object.
    • In Azure AD, the same mail addresses can exist in different objects only under the item "otherMails"
    • In a local AD, multiple entries are also possible for primary mail addresses (attribute "mail"), even if Microsoft does not support it
    • Alternatively, duplicate entries can also exist under the attribute "proxyAddresses"
    Once the issue is resolved and the mail address is assigned to only one object in the user repository, the emails that were not retrieved in the meantime will be retrieved and archived by fetchmail the next time the journal is run.
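
To find the objects that share an address, an export of the user repository can be checked across the three attributes named above. This is an added example, not Securepoint code: the function names are hypothetical, the entries are assumed to be already exported as dictionaries (for instance from an LDAP search), and the sample entries and DNs are constructed.

```python
from collections import defaultdict

# Attributes named above as places where one address can end up on several objects.
MAIL_ATTRS = ("mail", "proxyAddresses", "otherMails")


def normalise(value):
    """Lower-case an address and strip a proxyAddresses prefix such as 'SMTP:'."""
    value = value.strip()
    prefix, sep, rest = value.partition(":")
    if sep:
        if prefix.lower() != "smtp":
            return None                     # X500:, SIP:, ... are not mail addresses
        value = rest
    return value.lower() if "@" in value else None


def find_ambiguous_addresses(entries):
    """Map every address that belongs to more than one object to those objects' DNs."""
    owners = defaultdict(set)
    for entry in entries:
        for attr in MAIL_ATTRS:
            values = entry.get(attr) or []
            if isinstance(values, str):
                values = [values]
            for raw in values:
                address = normalise(raw)
                if address:
                    owners[address].add(entry["dn"])
    # One object listing the same address in "mail" and "proxyAddresses" is fine;
    # only addresses owned by two or more different objects break the lookup.
    return {addr: sorted(dns) for addr, dns in owners.items() if len(dns) > 1}


# Constructed sample: a public folder carries the user's address as a secondary alias.
SAMPLE_ENTRIES = [
    {"dn": "CN=Test User,OU=Staff,DC=example,DC=local",
     "mail": "testuser@securepoint.de",
     "proxyAddresses": ["SMTP:testuser@securepoint.de", "smtp:t.user@securepoint.de"]},
    {"dn": "CN=Support,OU=Public Folders,DC=example,DC=local",
     "mail": "support@securepoint.de",
     "proxyAddresses": ["SMTP:support@securepoint.de", "smtp:TestUser@securepoint.de",
                        "X500:/o=Org/cn=support"]},
    {"dn": "CN=Other,OU=Staff,DC=example,DC=local", "mail": "other@securepoint.de"},
]

if __name__ == "__main__":
    for address, dns in find_ambiguous_addresses(SAMPLE_ENTRIES).items():
        print(address, "->", dns)
```
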


  • Mails of a specific domain are not archived

  • Error message

    fetchmail info recipient tMTMNyBrh3jf@gmail.com not in our domainlist


    Cause

    The mail domain is not stored in the list of email domains to be archived under System settings, tab Email server, section Remote Email server settings.


    Solution

    This is not necessarily an error, but can also simply serve as a hint.
    The domain named in the mail header must be entered in the list of domains to be archived.


  • Mails of a certain email address are not archived

  • Error message

    fetchmail info recipient 1.lok-leipzig@arcor.de not available, or denied by license


    Cause

    The email address is not associated with any known user or public folder.


    Solution

    Verify that this email address is assigned to a user or public folder under System settings, tab Email server, section Remote email server settings.


    The log message "info" also indicates that this is not necessarily an error, but simply serves as an indication that this very email address is not currently archived.

    Since the UMA checks all mail addresses of the header (from, to, cc or the envelope header), this message may appear more frequently for unknown "recipients".
    If the same email contains another header entry with an address that matches a user known to the UMA, the mail is archived despite this log message.


  • Backup target cannot be mounted

  • Error message

    Kernel warning No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.


    Cause

    No specific SMB variant is selected on the target (in the backup device settings under the "Maintenance" item), so the most secure available one is selected automatically.


    Solution

    This message is not an error; it only points out the circumstance described above.
    On a successful backup with a Windows share and automatic SMB selection, the following log output is generated:
    2021-05-11 13:46:25 +02:00 Backup info starting to backup files

    2021-05-11 13:46:25 +02:00 Kernel info EXT4-fs (dm-5): mounted filesystem with ordered data mode. Opts: (null)
    2021-05-11 13:46:26 +02:00 Backup info syncing disks
    2021-05-11 13:46:26 +02:00 Backup info unmounting snapshot
    2021-05-11 13:46:26 +02:00 Backup info removing snapshot
    2021-05-11 13:46:26 +02:00 Kernel warning No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
    2021-05-11 13:46:26 +02:00 Backup info checking for old lingering backup snapshots
    2021-05-11 13:46:26 +02:00 Backup info unmounting snapshot
    2021-05-11 13:46:26 +02:00 Backup info removing snapshot
    2021-05-11 13:46:26 +02:00 Backup info The data backup was completed (job: backup)
    2021-05-11 13:46:26 +02:00 Backup info done

    2021-05-11 13:46:35 +02:00 Kernel warning No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.



  • Backup has failed

  • Error message

    2021-05-11 14:03:20 +02:00 Backup err The data backup was terminated due to an error (job: backup)

    2021-05-11 14:03:20 +02:00 Backup info done
    2021-05-11 14:03:20 +02:00 Kernel err CIFS VFS: Server 192.168.175.56 has not responded in 180 seconds. Reconnecting...
    2021-05-11 14:03:20 +02:00 Kernel err CIFS VFS: Send error in SessSetup = -11

    2021-05-11 14:03:20 +02:00 Kernel err CIFS VFS: cifs_mount failed w/return code = -11


    Cause

    Backup aborts due to an error.


    Solution

    Check the log messages from "Backup" as well as "Kernel". The messages are displayed together under the log item "System".
    The cause can then be seen in the kernel log entries that follow. In this example, the backup target is no longer accessible.