General Domain Settings
This settings page is only available to domain administrators and system administrators with the proper permissions.
Below are the Domain Settings available for managing and configuring a domain as a domain administrator. The following options will be available:
Jump To:
- Domain Aliases - Add an alternate domain name for users on the domain
- User Options - Adjust settings that apply to users on the domain
- Authentication Providers - Select Active Directory or LDAP as the authentication provider for users. If no authentication method is set, username/password authentication will be used.
- Folder Auto-Clean - Add settings that affect the auto-clean rules set for users' default folders.
- Calendar Auto-Clean - Add settings that affect the auto-clean rules set for users' calendar entries.
- Online Meeting Video / WebRTC - Set up alternate STUN/TURN server(s) for online meetings
- Custom Help - Add a custom Help link to the Logout menu
- Webmail Login - Customize the login page for your domain
- Footer - Add a message footer that appends all outgoing messages
- Email Signing - Protect users from phishing schemes and spam attacks
- Attachments - Set exclusions and inclusions for particular file types that can be attached to messages.
- External Senders - Enables or disables additional text to be added to messages when received from external domains.
- Mailing Lists - Set the Bounces Before Removal threshold for mailing lists
- Block Authentication by Country - Select the country(-ies) you want to block or allow authentication attempts from.
Domain Aliases
A domain alias is basically an alternate domain name for one that already exists in SmarterMail. Domain aliases are useful, as they allow companies with multiple domain name extensions to receive any email sent to any one of their domains. For example, imagine you have a domain, 'example.com' with a user configured under 'user@example.com'. By adding a domain alias for 'example.net', any email sent to 'user@example.net' will be delivered to 'user@example.com'.
Note: You must own the domain name in order to create a domain alias. In addition, messages cannot be retrieved with a domain alias email address unless the domain is properly registered at a domain registrar and its DNS configured.
Creating a Domain Alias
To create a new domain alias, click New Domain Alias. Then enter the name of the alternate domain. The name will be used to create the domain alias email address. For example, if the name of the alias is "example2.com", the domain alias email address will be user@example2.com.
Note: By default, before a domain administrator can save a domain alias, SmarterMail will check that the mail exchange record for the domain is pointing to the server. This prevents domain Admins from "hijacking" mail from valid domains. For example, if this check were not in place, a domain admin could add a domain alias of example.com. Then, any mail sent from the server to "anything@example.com" would go to the domain with the example.com domain alias, rather than to the actual domain. Alternatively, system administrators who impersonate a domain will see an option when adding a domain alias on whether to verify the MX record before saving.
User Options
This feature is only available when using SmarterMail Enterprise.
- Force two-step authentication - Two-Step Authentication is a method of providing a second way to verify account ownership before a user can log in or connect to third-party clients and/or devices. For example, when a user has set up Two-Step Authentication, the SmarterMail login page will require their primary password and a secondary verification of ownership before they can log into webmail. The second method of verification will be provided to the user through popular authentication apps, like Google or Microsoft Authenticator, or through a recovery email address. When this feature is enabled for a domain, the domain administrator can choose whether to Enable or Force Two-Step Authentication for their users - With Enable, users can choose whether to implement Two-Step Authentication whereas with Force, users MUST use Two-Step Authentication.
- Show calendar availability for all users in domain - This setting is enabled by default and allows SmarterMail to alert users of any scheduling conflicts when adding a member of the Global Address List as an attendee on a calendar appointment. In addition, this allows users to view an Availability window to review the times that their attendee is free/busy. When disabled, domain users' scheduling information will not be displayed in the appointment window.
- Allow users to edit their profile - When enabled, this allows users to manually edit their profile information. (I.e., modify their Display Name, contact information, etc.) It also makes the "Allow users to opt out of Global Address List" setting visible. NOTE: For Active Directory administrators, or companies who use Active Directory for user administration, this setting can be disabled for all users in Domain Defaults, which means any profile information is "read only" for users and, instead, managed by Active Directory.
- Allow users to opt out of Global Address List - The Global Address List (GAL) is basically a listing of all users who have accounts for your particular email domain. However, not all accounts would necessarily need to be listed in the GAL. For example, generic addresses like info@ or support@ may not need to be listed as they're used for specific purposes (e.g., support@ being imported into a ticketing system.) NOTE: MAPI requires use of the Global Address List (GAL) in order to work properly. Therefore, regardless of whether the domain's Global Address List feature is disabled, or a user/alias has Show in GAL disabled, Outlook MAPI will always show the GAL directory and be available via autocomplete when typing in a recipient's email address.
- Allow users to bypass spam filtering for unverified trusted senders - NOTE: Enabling this setting is NOT recommended. This will allow users to add in email addresses they want to bypass DKIM, SPF, and DMARC checks. DKIM, SPF, and DMARC form the backbone of the email verification checks SmarterMail performs. If a domain fails one of these checks, SmarterMail will mark it as potentially unverified. However, users can be confused if a "Trusted Sender" still shows as unverified, or if a message from a "Trusted Sender" ends up in their Junk folder. By bypassing the core spam checks for a sender added to this list, emails from these senders will always reach the user's inbox.
Authentication Providers
By default, SmarterMail uses an internal username/password authentication type for new users. However, SmarterMail can also interact with Microsoft's Active Directory (as a one-way sync: Active Directory -> SmarterMail, not vice versa), as well as LDAP. If a domain administrator wanted to enable AD authentication or LDAP, they'd want to add a New Authentication Provider and fill in the following information:
- Type - The type of authentication provider being set up: Active Directory or LDAP.
- Name - Enter or adjust the username to authenticate against.
- Server Address - The Active Directory or LDAP server to be used.
- Port - The port to use for the connection to the server. This defaults to port 389.
- Encryption - Select the encryption method to use for connecting to the server. This can be None (plain text), SSL/TLS, or StartTLS. When selecting an encryption type, the proper port to use will automatically populate.
- Domain Name - (Active Directory) The domain name used for AD authentication.
- Organizational Unit - (Active Directory) The name of the Organizational Unit of the users. (Not required.)
- Base DN - (LDAP) The string used to connect to the server being authenticated against.
- Username - (LDAP) The username of an account with administrative privileges for the authenticating server.
- Password - (LDAP) The password associated to the username entered.
- Save Credentials - (LDAP) Toggle this to save the credentials entered above.
Folder / Calendar Auto-Clean
Setting up auto-clean rules for email folders and for calendars is a simple, yet effective, way to limit how much of the domain's disk space is taken up by users' default folders and their calendar appointments. By placing limits on these areas, or by automatically deleting mail and/or appointments older than X number of days, you can help ensure that your domain disk space does not fill up unnecessarily. In addition, if you want to set a size limit on a folder for users, their messages are deleted in the order that they were received so that older messages get deleted first. The same holds true for calendar appointments.
- Allow users to override auto-clean settings - Enable this setting to allow users to override the domain policy and create their own auto-clean rules.
- Override auto-clean settings - Enable this setting to override the settings established by the system administrator, allowing you to create your own rules. Any changes you make will not be affected if the system administrator changes their policy, unless they disable domain overrides.
If "Override auto-clean settings" is off, the auto-clean rules created by the system administrator will be displayed at the bottom of this card. (If no rules were created by the system administrator, a note saying such will be displayed.)
However, if "Override auto-clean settings" is turned on, you're presented with a New rule button that will allow you to create your own rule(s) for domain users. Auto-clean rules can be created for any default mail folder, and can be created based on a message's age, the length of time a message has been in a folder, or a particular folder's size.
Size of Folder vs. Age Rules for Folder Auto-Clean
It's possible to set an auto-clean rule either based on the size of a folder, or the age of a message (or messages) within a folder. Size-based auto-clean rules are run whenever an action is performed on a particular folder. For example, moving a message into the folder. Once that action occurs, the auto-clean rule is run, and it runs each time an action is performed. Age-based rules, however, run once per day, on the FIRST folder action for that day. For example, deleting an email first thing in the morning. When you delete an email, it's moved to the Deleted Items folder, which is a folder action. At that point, if there's an age-based auto-clean rule for the Deleted Items folder, the rule is run and then is silent until an action is performed on the next day. If no action is performed on a folder with an age-based rule, the rule still runs automatically shortly after midnight, server time.
When using a folder's size, it's possible to set upper and lower limits for the space used for the folder. For example, you can create an auto-clean rule so that when a folder gets larger than 50MB in size, the rule automatically deletes messages to reduce the folder's size to 5MB. When freeing up space, the total size of each message is used, which includes any message attachments.
When using Age as a guideline, there are two types of age: Message Age and Age in the Folder.
- Message Date: This is based on the initial receipt date of the message. So if you received a message on January 1st, and the number of days is set to 14, on January 15 the message is automatically deleted.
- Time in Folder: This is based on when a message is actually moved to the folder that has the auto-clean rule configured. The age of the message itself is not used. That means, if the Age in Folder is set to 14 days, it doesn't matter when the message was received. Instead, the message is deleted 14 days after it's been moved into the folder.
Online Meeting Video / WebRTC
This feature is only available when using SmarterMail Enterprise.
SmarterMail's online meetings use Web RealTime Communication (WebRTC) for peer-to-peer audio and video chat. WebRTC is an open standard that uses plugin-free APIs to connect web browsers (WebRTC compatible web browsers, that is) for the transfer of voice, video and general data.
For most people, using online meetings, without making any changes, is perfectly fine. This is because online meetings use a default STUN service to assist with the transfer of the data from user-to-user. However, larger or more complex networks may have restrictions that limit, if not fully deny, WebRTC requests. For example, the use of firewalls or the use of Network Address Translation (NAT) on routers. In these cases, using a standalone STUN or TURN server may be necessary.
There is an additional benefit to using a secondary STUN/TURN server: when using SmarterMail's STUN/TURN, the maximum number of video participants is 9 (8 + the organizer). With an external STUN/TURN server, that number jumps to 16 participants (15 + the organizer).
To add a separate STUN/TURN server for a domain, simply click the New STUN/TURN Server button. Once you do so, you'll be presented with the following:
- Type - Whether you're adding a STUN or TURN server.
- URI Paths - These are the paths to the STUN or TURN server you're setting up.
- Username - When setting up a TURN server, this is the username used to connect to that server.
- Credential - When setting up a TURN server, this is the "password" for connecting to that server.
While STUN servers are very inexpensive for a company to operate (they're basically a glorified “What's My IP” service), TURN servers can consume a significant amount of bandwidth. Therefore, a TURN server may require you to use a paid service to host it for you. Companies like Twilio or Xirsys offer such services. If you want to host your own TURN server, one of the most popular options is Coturn, a Linux-based TURN server. Note: These are simply examples, and are NOT endorsements of any product or service mentioned.
Custom Help
Note: This section will only be visible if the system administrator has enabled Login Display Customization for the domain.
- Custom Help URL - Entering a full URL in this field will add a custom button to the Help menu that users can access in the SmarterMail interface. Administrators can link to a variety of things, including server-specific instructions for syncing, help resources, contact information, etc.
- Custom Help Text - The hyperlink text for the custom URL in the Help menu. Note: If no text is entered in this field, the hyperlink text in the Help menu will default to "External Help".
Webmail Login
Domain administrators can customize the SmarterMail login page for their domain to add a company logo, provide additional branding text, or simply adjust the default “Login to SmarterMail” text to be more in line with an overall brand message.
Note: This section will only be visible if the system administrator has enabled Login Display Customization for the domain. Furthermore, if the system administrator allows a domain to override the custom login display and the domain administrator does not enable customization for their domain, users will see the default SmarterMail login screen, regardless of whether the system administrator has enabled a custom login display for the server.
- Logo Image - Upload an image, like a company logo, by dragging and dropping a file in the highlighted area or clicking to browse for a file (max file size of 3 MB). Uploading an image using this upload control will host the image publicly on the server and enter the <img src="URL" /> tag in the HTML section. Note: Uploading an image here alone will NOT display the image on the login screen. The HTML must remain in the Login Page HTML section. This upload control can be used by those who don't have their logo publicly hosted or who wish the image source to point back to their mail server. Furthermore, regardless of the image uploaded, the image's source URL will remain the same; only one image may be hosted at a time.
- Custom Login Text - Use this setting to customize the login page header to something more in line with an overall brand message. If Custom Login Text is left blank, SmarterMail's login page will show the default text "Welcome to SmarterMail".
- Custom Title Text - Use this setting to customize the title of the login page to something more in line with an overall brand message. If Custom Title Text is left blank, SmarterMail's login page will show the default text of "SmarterMail" in the browser tab title. Note: Users will see this text on the login page only, with their email address displayed as the browser title for all other pages.
- Enable custom login page HTML - Enable this setting to use HTML to further modify the login screen to add additional text or adjust the layout.
- Login Page HTML - Enter the custom HTML that will be used to further modify the login screen (in-line custom CSS can be used as well). Note: To include white space around the Image for Login Screen, the div id "companyinfo" must be included. In addition, domain administrators cannot enter scripts as this is considered to be unsafe code; however, system administrators do not have this limitation.
- Preview Login - This button will open a small preview in a pop-up window of the login customizations you've made without you having to save your changes and test it yourself.
Footer
If the system administrator has enabled footer customization for the domain, domain administrators can configure server-wide message footers that SmarterMail will append on all outgoing messages, forwards that do not already have a footer, replies to messages and emails sent to a mailing list from SmarterMail, if enabled. Although similar to signatures, message footers are typically used to convey disclaimers or provide additional information. For example, a domain administrator may want every message to include a notice that the message was scanned for viruses or the text "Sent by SmarterMail." NOTE: If the system administrator has a footer configured and enabled for all messages, incoming messages will use that footer. If the domain footer is the only one being used, it is only appended to outgoing messages.
The following options will be available:
- Override footer settings for this domain - Enable this setting to customize the footer for your domain.
- Enable footer for all messages - When enabled, all messages -- new messages as well as replies and forwards -- will have the footer appended. When disabled, only outgoing messages will have the footer appended.
- Apply to mailing lists - By default, footers are not applied to emails posted to mailing lists. To add the footer to mailing list emails, enable the setting. Note: Mailing lists have their own configurable footers. If a custom mailing list footer is already configured, enabling this option will append a second footer at the end of each message posted to the mailing list subscribers. Because this may be confusing for mailing list moderators and recipients, most administrators will choose to keep this option disabled.
- Footer - Use this section to create the message footer text. Clicking the edit icon will open a modal that includes an HTML-based editor, allowing admins to create footers that seamlessly fit into any email message. Note: The message footer does not support the use of variables.
Email Signing
Email signing protocols, such as DKIM (DomainKeys Identified Mail), can help protect users from phishing schemes or spam attacks by using cryptography to verify the authenticity of an email. This ensures the message came from your server and was not altered in transit.
To enable DKIM Signing in SmarterMail:
- Click the Enable button. SmarterMail will display a unique Text Record Name and Text Record Value.
- Contact your DNS provider to add the TXT record to your DNS server. If you are using a subdomain, you may need to modify the TXT record name to point specifically to that subdomain, especially if your DNS control panel does not automatically handle this for you.
- After the TXT record has been added, click the Enable button again. SmarterMail will attempt to verify the DNS settings, and if successful, DKIM Signing will be enabled.
To view the Text Record Name and Value, click on View Record. To adjust the mail signing settings, click the Settings button. Note: In most cases, these settings do not need to be altered. However, in the event that you would like to specify how closely you want the system to monitor messages in transit, please refer to the DKIM documentation linked below.
- Key Size - The length of the signing key to use. 2048 is recommended. NOTE: Changing the Key Size will require a new DNS entry. This is the only email signing change that requires a new DNS entry.
- Max message size to sign (MB) - This is the largest message size you want to sign using DKIM. DKIM generates a "hash" on the email up to the size limit. Generating the "hash" could be an expensive operation, especially if the domain sends large messages all the time. Limiting it means not having to process the whole message -- It would only grab the bytes up to the size limit and sign that.
- Body Canonicalization - The method used to monitor in-transit changes to the body of a message. Two canonicalization algorithms are defined for the body: a "simple" algorithm that tolerates almost no modification and a "relaxed" algorithm that tolerates common modifications such as whitespace replacement and header field line rewrapping. For more information, please visit https://dkim.org/specs/rfc4871-dkimbase.html#canonicalization.
- Header Canonicalization - The method used to monitor in-transit changes to the header of a message. Two canonicalization algorithms are defined for the header: a "simple" algorithm that tolerates almost no modification and a "relaxed" algorithm that tolerates common modifications such as whitespace replacement and header field line rewrapping. For more information, please visit https://dkim.org/specs/rfc4871-dkimbase.html#canonicalization.
- Header Field to Use - The header fields included in the hash algorithm. This is further defined by header fields. For assistance in determining the header fields to sign, please visit this Wikipedia page.
- Header Fields - The header fields included in the hash algorithm. Note: List only one header field per line break.
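To make the Body Canonicalization and Header Canonicalization settings concrete, the following added example (not SmarterMail's code) implements the "simple" and "relaxed" rules from the canonicalization section linked above and compares the resulting SHA-256 hashes for a message before and after a relay touches it. The message content and function names are constructed for illustration.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"


def body_simple(body):
    """'simple' body rule: only empty lines at the end of the body are ignored."""
    while body.endswith(CRLF):
        body = body[:-2]
    return body + CRLF  # an empty body becomes a single CRLF


def body_relaxed(body):
    """'relaxed' body rule: also collapse space/tab runs and drop them at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)  # an empty body stays empty


def header_simple(field):
    """'simple' header rule: the field is hashed exactly as it appears."""
    return field


def header_relaxed(field):
    """'relaxed' header rule: lowercase the name, unfold, collapse whitespace."""
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)  # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")
    return name.strip(b" \t").lower() + b":" + value + CRLF


def digest(data):
    """Base64 SHA-256, the form a DKIM body hash is carried in."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def survives(signed, received, canon):
    """True if the received text hashes to the same value as the signed text."""
    return digest(canon(signed)) == digest(canon(received))


# Constructed sample message parts (not taken from any real mail flow).
SIGNED_BODY = b"Invoice attached.\r\nTotal:  100 USD\r\n"
RELAYED_BODY = b"Invoice attached.  \r\nTotal:\t100 USD\r\n\r\n\r\n"  # whitespace only
ALTERED_BODY = b"Invoice attached.\r\nTotal:  900 USD\r\n"           # content changed
SIGNED_SUBJECT = b"Subject: Quarterly report for the finance team\r\n"
REWRAPPED_SUBJECT = b"Subject: Quarterly report\r\n for the   finance team\r\n"


def compare():
    """Which in-transit changes each setting tolerates, as a dict of booleans."""
    return {
        "body/simple, whitespace change": survives(SIGNED_BODY, RELAYED_BODY, body_simple),
        "body/relaxed, whitespace change": survives(SIGNED_BODY, RELAYED_BODY, body_relaxed),
        "body/relaxed, content change": survives(SIGNED_BODY, ALTERED_BODY, body_relaxed),
        "header/simple, rewrapped": survives(SIGNED_SUBJECT, REWRAPPED_SUBJECT, header_simple),
        "header/relaxed, rewrapped": survives(SIGNED_SUBJECT, REWRAPPED_SUBJECT, header_relaxed),
    }


if __name__ == "__main__":
    for case, ok in compare().items():
        print(f"{case}: {'hash still matches' if ok else 'hash mismatch'}")
```

Under either setting a change to the message content breaks the hash; the setting only decides whether cosmetic rewrapping by intermediate servers does too.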
Setting Up Email Signing
Setting up email signing and creating the fields necessary to add DKIM to a domain's DNS record is simple within SmarterMail.
- Click on the Settings button
- A modal window opens, like the one below. Here, all the DKIM settings are displayed. SmarterMail defaults all of these to a set of general recommendations, but they can be adjusted as needed.
- Make any changes you want and save them. If no changes are made, simply click the Cancel button.
- Next, click the Enable button on the Email Signing card. A modal window will open, and it will contain the text necessary for adding the DNS record. This window contains two important pieces of information: the “Text Record Name” and the “Text Record Value”. The Text Record Name contains the “DKIM selector”, which is the value that precedes “._domainkey”. For example, “2B8U4DAB93D58YR”. The selector can be used to verify that your DKIM record is set up correctly. (When the Text Record Name is added to DNS, the ".domain" should automatically be appended by DNS.) The Text Record Value contains the public key that's created by the SmarterMail server. It's the encoded public key that pairs with the private key that's stored on the mail server, which is why it looks like a random series of characters.
- Now that you have the Name and Value for the TXT record, you will want to log in to your DNS provider and create the actual DNS record. How you do this depends on who your provider is. In general, the DNS TXT record format will be as follows:
- NAME = Text Record Name, which will be something like 2B8U4DAB93D58YR._DomainKey
- TYPE = TXT
- VALUE = Text Record Value, which contains the public key created by SmarterMail
NOTE: As this is a change to DNS, it may take a few hours for the record to propagate for the domain. Generally that propagation is pretty fast, but it could take 24 hours or more.
Adding a Rollover Record
A Rollover Record is a secondary DKIM record that can be created, and used, as the needs of a business change. Some suggest periodically changing DKIM as a good security practice because DKIM keys are public. In this case, a rollover DKIM record can be created and published to DNS as needed. After the rollover key is created and added to DNS, both keys will be used for a period of time. Once DNS verification occurs on the rollover key, it becomes the "Active" key in SmarterMail and the old key is removed automatically. Administrators can then remove the old TXT record from DNS.
Validating Your DKIM Record
Once you've made the changes to your domain's DNS, it can take a few hours for those changes to take effect. To test whether you've set it up properly, you can do a search for "DKIM record validation" or use a site such as MXToolbox. MXToolbox makes DKIM validation simple; you just need your domain name and the selector. (The "selector" is what comes before the "." in your Text Record Name. So if your Text Record Name was 2B8U4DAB93D58YR._domainKey, the selector is 2B8U4DAB93D58YR). Enter those into their form, and they'll let you know a) if the record can be found, and b) if it's valid.
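The same validation can be done offline once you have the Text Record Name and Value in hand. The following added example (not SmarterMail's or MXToolbox's code) extracts the selector, parses the record's tags, and reads the RSA key length out of the published key so it can be compared with the recommended 2048. It assumes the key is published as a DER SubjectPublicKeyInfo or bare RSAPublicKey; the sample records are constructed and their moduli are not real keys.

```python
import base64
import binascii

# DER content of the AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1 + NULL)
RSA_ALGID = bytes.fromhex("06092a864886f70d0101010500")


def _read_tlv(buf, pos):
    """Read one DER element at pos and return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def rsa_bits(der):
    """Modulus size in bits of a DER RSA public key (SPKI or bare RSAPublicKey)."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, first, pos = _read_tlv(outer, 0)
    if tag == 0x30:  # SubjectPublicKeyInfo: AlgorithmIdentifier, then BIT STRING
        if first != RSA_ALGID:
            raise ValueError("not an rsaEncryption key")
        tag, bitstr, _ = _read_tlv(outer, pos)
        if tag != 0x03:
            raise ValueError("missing BIT STRING")
        _, rsakey, _ = _read_tlv(bitstr, 1)  # skip the unused-bits byte
        tag, first, _ = _read_tlv(rsakey, 0)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(first, "big").bit_length()


def check_dkim_record(name, value, min_bits=2048):
    """Return {'selector', 'bits', 'findings'} for one DKIM TXT record."""
    findings, bits = [], None
    marker = name.lower().find("._domainkey")
    selector = name[:marker] if marker > 0 else None
    if selector is None:
        findings.append("record name has no <selector>._domainkey label")
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        findings.append("key type is not rsa; size check skipped")
    elif not tags.get("p"):
        findings.append("p= is empty or missing: key is revoked or record is incomplete")
    else:
        try:
            bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
            if bits < min_bits:
                findings.append(f"RSA key is {bits} bits, below {min_bits}")
        except (binascii.Error, ValueError, IndexError) as exc:
            findings.append(f"p= is not a valid DER public key: {exc}")
    return {"selector": selector, "bits": bits, "findings": findings}


# --- Constructed sample data: the modulus is just a number of the right length ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        hdr = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + hdr + content


def _der_int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def sample_record_value(bits):
    """Build a Text Record Value carrying a placeholder key of the given size."""
    modulus = (1 << (bits - 1)) | 1
    rsakey = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    spki = _tlv(0x30, _tlv(0x30, RSA_ALGID) + _tlv(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for size in (2048, 1024):
        print(check_dkim_record("2B8U4DAB93D58YR._domainkey", sample_record_value(size)))
```

To check a live record, pass in the name and value exactly as shown by View Record or as returned by a TXT lookup for the record name.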
Attachments
Inbound Extension Blacklist - This list allows you to limit the file types that can be attached to emails sent to users on your domain. For example, many email administrators won't allow executable files (EXE) as they can cause issues on the mail server, and possibly across an entire network. To add a blacklisted file type, simply type in the file extension, one per line. (E.g., .exe or EXE)
Outbound Extension Blacklist - This list allows you to limit the file types that users on your domain are allowed to send out of the mail server. For example, many email administrators won't allow batch files (BAT) as they can cause issues on the recipients' mail server, and possibly across their entire network. To add a blacklisted file type, simply type in the file extension, one per line. (E.g., .bat or BAT)
External Senders
Some organizations, for example those in banking or finance, want to ensure their users are aware when they receive emails that are from an outside source: external domains, external companies, free email services, etc. They like these extra precautions so that users are wary of clicking links or opening attachments that come from outside their own company as there's no guarantee the links or attachments aren't phishing attempts or items that may compromise the user's account, much less the organization itself. That's where "external sender" notifications come in handy. These notifications make it very clear that messages DO NOT originate from within the company.
- Add text to body - When enabled, this will add a text box to the body of the message that cautions the recipient that the email originated outside their own domain, and to take caution when clicking links or opening attachments.
- Add text to subject - When enabled, this adds the text "[EXTERNAL SENDER]" to the subject line of the message.
- Known External Domains - If there are trusted domains -- that is, domains that an organization knows and is comfortable with -- they can be exempted from any External Sender text. For example, emails from trusted vendors can bypass the external sender text if their domain is entered as a "Known External Domain". Domains should be entered one per line, and they should include their domain extension (e.g., .com, .net, etc.).
Mailing Lists
Mailing Lists are a great way to allow users to communicate with a number of different individuals via a single email address. Unlike an Alias, a mailing list allows people to subscribe to, or unsubscribe from, email communications. In addition, mailing lists can be public or private, be replied to by all users or managed by a single list moderator and more. Use this card to specify the following mailing list setting:
- Mailing List Command Address - This is, essentially, the "To" address for your listserv. If someone wants to subscribe to a list, for example, they'd email listserv@your-domain.com with the listname and the word "subscribe" in the body of their message. They'd then be subscribed to that mailing list.
- Bounces Before Removal - The number of times a message to a specific subscriber can bounce before the subscriber is automatically removed from the mailing list. By default, this number is 2.
- Enable threshold for bounce removal - When enabled, domain administrators can add a timeframe that corresponds to when a bounce is added to the number of "Bounces Before Removal" total. For example, if the setting is set to 14 (days), and "Bounces Before Removal" is set to "2", any 2 bounces within those 14 days will remove the subscriber. If a bounce comes in at day 20, it's not counted towards the "Bounces Before Removal" total.
- Command help email - This is the email that's sent when a subscriber emails the list requesting 'Help'. Domain administrators can edit this message as they see fit.
NOTE: This card will only be displayed if Mailing Lists are enabled for the domain.
Block Authentication by Country
Part of a domain administrator's job is making sure bad actors can't access their domain or attempt to brute force logins to user accounts. Much of this prevention occurs at the system level, but domain administrators also have the ability to add an extra layer of security by blocking authentication attempts from specific countries, or ONLY ALLOW authentication from specific countries. Adding a country to the setting will only block authentication attempts; it won't impact sending or receiving messages from the country. It will simply prevent anyone from the country(-ies) from logging into the server, regardless of protocol. In addition, domain administrators won't be able to add their “home” country, which will prevent them from accidentally locking out users. Use this card to specify the following:
NOTE: If one or more countries are blocked at the system level, a notification will appear for domain administrators letting them know that "one or more of these settings is controlled by [the] administrator."
- Countries to Block - Use this dropdown to select "Specified Countries" or "All But Specified Countries". When selecting "Specified Countries", authentications attempted from the country(-ies) that are selected will be blocked. When selecting "All But Specified Countries", only authentication attempts from the selected country(-ies) will be allowed. Attempts from any other country will be blocked.
- Country - Use this dropdown to select one or more countries, based on the block type selected.