I have renewed my F-Secure Messaging Security Gateway (MSG) license but the appliance still states the license is expired, how can I fix this issue?
Despite renewing your F-Secure Messaging Security Gateway (MSG) license, there is a possibility the license expiry date is not updated in our system. Proceed to contact your F-Secure reseller or sales contact. If you are unable to reach your point of contact in F-Secure, proceed to report the issue by contacting F-Secure Support.
Article no: 000019186
Recipients of encrypted mails are receiving warnings about untrusted pages and/or certificates when attempting to view messages. Looking up the MSG address using an SSL checker gives the following type of reply: "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."
The result from the SSL checker points to a missing intermediate certificate. This can be acquired from the Certificate Authority (CA) and added to the MSG server certificate using the instructions below:
1. Download the required intermediate certificate in PEM-format from your Certificate Authority.
2. Download the MSG server-certificate in PEM-format from the appliance web UI: System -> Certificates -> Certificates, use the Download...-button to the right of the certificate.
3. Open the PEM-file downloaded from the MSG-appliance in your text editor of choice.
4. To the end of this file, add the content of the intermediate certificate PEM-file and save it as a new PEM-file.
5. Import the new certificate file into the MSG-appliance: System -> Certificates -> Certificates, use the Import-button above the certificate list.
6. Take the new combined certificate in use by distributing it to the master and agent(s): System -> Certificates -> Services.
Article no: 000013333
Recipients receive spam messages, why did F-Secure Messaging Security Gateway (MSG) not block these spam messages?
If recipients receive spam messages, it could be because of the following potential root causes:
1. Low spam score (False Negative)
Check spam scores from message headers. Look for "X-Proofpoint" headers and check the scores. Example:
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-03-08_12:,, signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=39 malwarescore=0 phishscore=0 bulkscore=12 spamscore=0 mlxscore=0 mlxlogscore=518 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803080233
If you encounter messages that should've been classified as spam you can report them through a support ticket. You can either save the message and send the eml or msg file to the ticket, or if the message has been caught in, for example, an audit quarantine in MSG, you can report it from the relevant quarantine folder. After reporting the False Positive or False Negative spam from F-Secure Messaging Security Gateway (MSG) management portal, at the very top of the main MSG screen, you'll see a message with the reference ID that you need to provide to the support ticket.
2. Safe listed
This needs to be investigated closer through the MSG Web UI.
1. Get the Session ID, or SID, for the message by looking it up in Smart Search (System->Smart Search->Search, expand message details by clicking the +-sign left of the timestamp).
2. Search the filter log using the particular message SID to find out more about the filtering done on the message (Logs and Reports->Log Viewer; if you don't find any results, make sure the Log File Type is set to Filter. Note: You might also need to switch between servers using the Server-dropdown menu, or check the box labelled Include Old Log Files).
In the example below, the spam score is modified (set to zero) because the sender address is in the organizational or personal safe list of the recipient.
Filter log:
[2018-03-06 18:43:55.695094 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=access cmd=run rule=spamsafe duration=0.000
[2018-03-06 18:43:55.695113 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=judge module=access rule=spamsafe
[2018-03-06 18:43:55.695348 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=dispose module=access rule=spamsafe action=execute value="svar('SpamScore', 0)"
To check organizational safe lists, navigate to Email Protection->Spam Detection->Settings->Organizational Safe List in the MSG Web UI.
To check the personal safe list of the recipient, navigate to System->User Management->Users, locate the recipient and click on them to open details. You find the personal safe list under the Filtering-tab in the popup window.
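Both checks from this article (reading the X-Proofpoint-Spam-Details scores and looking for a safe-list override in the filter log) can be scripted over exported headers and log lines. This is an added example, not F-Secure or Proofpoint code; it assumes the s= field carries the SID, and the fourth log line is constructed.

```python
import re
import shlex

# Constructed sample input: the header value and the first three log lines are
# those quoted in the article; the fourth line is made up to add a second session.
SPAM_DETAILS = (
    "rule=notspam policy=default score=0 suspectscore=39 malwarescore=0 "
    "phishscore=0 bulkscore=12 spamscore=0 mlxscore=0 mlxlogscore=518 "
    "adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 "
    "engine=8.0.1-1711220000 definitions=main-1803080233"
)
FILTER_LOG = """\
[2018-03-06 18:43:55.695094 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=access cmd=run rule=spamsafe duration=0.000
[2018-03-06 18:43:55.695113 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=judge module=access rule=spamsafe
[2018-03-06 18:43:55.695348 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=dispose module=access rule=spamsafe action=execute value="svar('SpamScore', 0)"
[2018-03-06 18:44:10.100000 +0100] rprt s=2gfjcgns0r m=1 x=2gfjcgns0r-1 mod=session cmd=dispose module=spam rule=notspam action=continue
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.+)$")
SCORE_SET_RE = re.compile(r"svar\('SpamScore',\s*(-?\d+)\)")
SPAM_THRESHOLD = 50  # per this page, messages scored below 50 are delivered

def parse_spam_details(value):
    """Split an X-Proofpoint-Spam-Details value into a dict; *score fields become ints."""
    fields = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if sep:
            numeric = key.endswith("score") and val.lstrip("-").isdigit()
            fields[key] = int(val) if numeric else val
    return fields

def parse_filter_line(line):
    """Parse one filter-log line into a dict, honouring quoted values with spaces."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = {"ts": match.group("ts")}
    for token in shlex.split(match.group("rest")):
        key, sep, val = token.partition("=")
        if sep:
            record[key] = val
    return record

def score_overrides(log_text):
    """Return {SID: details} for sessions where a rule's disposition set SpamScore."""
    hits = {}
    for line in log_text.splitlines():
        record = parse_filter_line(line)
        if not record or record.get("cmd") != "dispose":
            continue
        match = SCORE_SET_RE.search(record.get("value", ""))
        if match and "s" in record:
            hits[record["s"]] = {"rule": record.get("rule"), "forced_score": int(match.group(1))}
    return hits

def explain_delivery(sid, details, overrides):
    """Name the root cause from the article that matches one delivered message."""
    if sid in overrides:
        hit = overrides[sid]
        return f"safe listed: rule {hit['rule']} set SpamScore to {hit['forced_score']}"
    if details.get("spamscore", 0) < SPAM_THRESHOLD:
        return "low spam score: report as false negative"
    return "scored as spam: check the disposition of the matching spam rule"
```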
Article no: 000003889
The user repository in the MSG-appliance contains a large number of users that have been imported from Active Directory, but are no longer part of it. Can the MSG-appliance automatically remove users from its user repository as they are removed from Active Directory?
The import profile can be set to remove user profiles that are not present in the imported data:
1. Log in to the MSG Web UI.
2. Select the System-tab at the top of the page.
3. Navigate to User Management->Import/Auth Profiles using the left-hand menu.
4. Click on the LDAP import profile you want to modify.
5. From the window that appears, click on Advanced in the top right corner.
6. Under Import Settings, set Remove User Profiles Not Imported to On.
7. If you have multiple import profiles, set Add to Group/Sub-org With Profile Name () to On and set Type to the preferred option, between Group and Sub-Org. This is to prevent an import profile from removing users belonging to another profile.
8. Click Save Changes.
Next time the import profile is run, any user that isn't present in the AD will be removed from the MSG user repository. This will be either when the next LDAP import is scheduled, or when the task is run manually (by marking the import profile on the User Management->Import/Auth Profiles-page using the left-hand side checkbox and clicking Import).
Article no: 000018910
The MSG appliance has stopped sending emails out to external domain addresses. Sending emails to internal domain addresses works without issue. Receiving emails from any sender works normally. The outgoing connector is showing errors about invalid certificates.
The problem might be caused by an invalid or expired certificate on the MSG-appliance. To verify the active certificate:
1. Log in to the MSG web UI.
2. Select the System-tab on the top of the page.
3. Navigate to System->Certificates->Services using the menu on the left-hand side.
4. Note which certificate is in use for the different services.
5. Navigate to System->Certificates->Certificates.
6. Verify the validity of the certificate(s) that is in use.
If the wrong certificate is in use, it can be changed on the Services-page from step 3. Use the dropdown menus to change the certificate for all services and click Save changes. If the certificate in use has expired, use the Generate Certificate Request-button on the Certificates-page from step 5 to start the process of adding a new certificate to the MSG-appliance. Use the created certificate request with an acquired certificate from a certificate vendor to make a new certificate for the MSG, then import the new certificate into the appliance using the Import-button, also on the Certificates-page from step 5. After this, use the instructions mentioned above to change the active certificate for all services, and save the changes.
Article no: 000018374
Trying to send emails through MSG results in the following Non-Delivery Report (NDR) message:
SMTP Protocol Returned a Permanent Error 550 5.7.0 Blocked - see https://ipcheck.proofpoint.com/?ip=<ip.address.goes.here>
The sending IP-address has been blocked by Proofpoint Dynamic Reputation (PDR). This can be double-checked by visiting the page https://ipcheck.proofpoint.com. The section About Proofpoint® Dynamic Reputation (PDR) contains more information about the function as well as a link to an FAQ-page with common questions and answers, for example what to do to prevent this from happening. To get the situation investigated quicker, open a support ticket with F-Secure. Include the IP that is blocked and information about how long the situation has been ongoing.
Article no: 000005857
A mail targeted to multiple recipients returns with the message saying that "the following addresses had permanent fatal errors", followed by a list of all recipients. However, when sending the same message to individual users it seems to work. It seems that if one recipient is invalid, all recipients get the same label. Why is this happening? When checking the message in Smart Search in the MSG Web UI, the MTA logs contain the following error:
relay=, dsn=5.0.0, reply=550 5.1.1 User unknown, stat=Service unavailable
The entry from the MTA logs lists a reply from a server relaying the mail to the final recipient, so the problem is not within MSG but coming from the relay server of the recipient. This is something that the recipient needs to verify on their end. If the recipient causing these errors is a legitimate user, they might be missing from a user verification database on the receiving end and their relay server might be set up to reject messages where any of the recipients are unknown.
Article no: 000009919
How to configure DKIM and DMARC in Messaging Security Gateway?
To configure DKIM:
1. Navigate to Email Protection > Email Authentication > DKIM > General.
2. For Enable, select On. A Policy Routes section appears.
3. Enable Restrict processing to selected policy routes...
4. Confirm that the policy route default_inbound is present in the Require Any Of-list.
5. Add any other required inbound policy routes to the Require Any Of-list.
6. Click Save Changes.
To enable DKIM signing:
DKIM signing is not required for authenticating incoming email, but needs to be set up if you want others to be able to authenticate emails coming from your organization.
1. Navigate to Email Protection > Email Authentication > DKIM Signing > General.
2. For Enable, select On.
3. Set the DKIM Signing Error to Reject the message temporarily.
4. Click Edit Rule...
5. Make sure Delivery Method is set to Retry.
6. Click Save Changes.
7. Navigate to Email Protection > Email Authentication > DKIM Signing > Keys.
8. Click Generate Key.
9. Set Domain to the domain that the key should be signing.
10. Set Selector to any alphanumeric string, at your discretion. The important thing is to NOT leave the field empty.
11. Set Scope to either Any, Domain Including Sub-Domains or Exact Domain.
12. Tick the Disable processing for selected policy routes...-checkbox.
13. Add all inbound policy routes to the Disable For Any Of-list.
Once the key is generated, a DNS text record is also generated which will need to be published to your DNS servers. Click View in the DNS Text Record column to see the record for a specific key.
To enable DMARC:
If SPF is not enabled:
1. Navigate to Email Protection > Email Authentication > SPF > General.
2. For Enable, select On. A Policy Routes section appears.
3. Enable Restrict processing to selected policy routes...
4. Confirm that the policy route default_inbound is present in the Require Any Of-list.
5. Add any other required inbound policy routes to the Require Any Of-list.
6. Click Save Changes.
If DKIM is not enabled:
Refer back to the instructions above, "To configure DKIM", regarding how to set up DKIM
Before you enable DMARC, ensure that you have also enabled the SPF and DKIM modules.
1. Navigate to Email Protection > Email Authentication > DMARC > General.
2. For Enable, select On. A Policy Routes section appears.
3. Enable Restrict processing to selected policy routes...
4. Confirm that the policy route default_inbound is present in the Require Any Of-list.
5. Add any other required inbound policy routes to the Require Any Of-list.
Important: Ensure that the same inbound policy routes that you selected for the SPF and DKIM modules are also on the Require Any Of-list.
6. Click Save Changes.
Article no: 000003216
Email messages are delivered but the sender gets an empty permerror email notification from MSG.
The PermError condition means the sender's published SPF record could not be verified. PermErrors are usually caused by incorrect SPF syntax or a format error in the SPF record. You may advise the sender to ensure their SPF record is set up correctly and does not have any extra spaces or unrecognizable characters in the DNS TXT record. To prevent the sender from getting the same message, please follow these instructions:
1. Log on to your MSG admin web user interface.
2. Click the Email Protection tab.
3. Expand Email Authentication > SPF > Rules.
4. Click on the Edit Rule option of SPF Permanent Error.
5. Under Dispositions, untick the "Reply to sender based on detected language" check box.
By disabling the option, senders should not receive the e-mail notification. If you want to use that option, leave the check box ticked and write a message in the Subject and Message fields.
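A pre-check a sender can run on the TXT records they publish, covering the PermError causes named above (stray characters, spaces inside a term) and, going beyond the article, the related RFC 7208 conditions: multiple records, unknown mechanisms and more than 10 DNS-querying terms. This is an added example, not part of MSG; the sample records are constructed, and only the top-level record is inspected (lookups inside included records are not followed).

```python
import ipaddress
import re

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query
MECHANISMS = LOOKUP_MECHS | {"all", "ip4", "ip6"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

def lint_spf(txt_records):
    """Return the problems that make SPF evaluation of these TXT records fail."""
    spf = [r for r in txt_records if r.split(" ")[0].lower() == "v=spf1"]
    if not spf:
        return ["no SPF record found (result is None, not PermError)"]
    problems = []
    if len(spf) > 1:
        problems.append("multiple v=spf1 records published")
    record, lookups = spf[0], 0
    for ch in sorted(set(record)):
        if not 0x20 <= ord(ch) <= 0x7E:
            problems.append(f"non-ASCII or control character U+{ord(ch):04X}")
    for term in record.split(" ")[1:]:
        if not term:  # repeated spaces between terms are legal
            continue
        body = term[1:] if term[0] in "+-~?" else term
        name, sep, arg = re.match(r"([^:=/]*)([:=/]?)(.*)", body, re.S).groups()
        name = name.lower()
        if sep == "=":  # modifier; receivers ignore unknown modifiers
            lookups += name == "redirect"
            continue
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism '{term}'")
            continue
        lookups += name in LOOKUP_MECHS
        if name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(arg, strict=False).version != int(name[2]):
                    raise ValueError("address family mismatch")
            except ValueError:
                problems.append(f"invalid {name} network '{arg}'")
        elif name in ("include", "exists") and (sep != ":" or not arg):
            problems.append(f"'{name}' needs a domain argument")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS}")
    return problems

# Constructed sample records (documentation addresses and example.com names).
SAMPLES = {
    "clean": ["v=spf1 ip4:192.0.2.0/24 a:mail.example.com/28 include:_spf.example.com ~all"],
    "space inside a term": ["v=spf1 ip4: 192.0.2.10 -all"],
    "zero-width space": ["v=spf1 include:_spf.example.com\u200b -all"],
    "two records": ["v=spf1 -all", "v=spf1 mx -all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records) or "no problems found")
```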
Article no: 000016530
A software application in our environment sends out regular emails to internal and external recipients. A tag is added to the subject line to have these messages encrypted by MSG. Only the messages intended for internal recipients are being encrypted; all messages from the software to external recipients arrive unencrypted.
Start by verifying that these messages are being routed through the MSG-appliance. It is possible that the software has different routing rules based on domains and that the external traffic isn't routed to the MSG-appliance at all. In MSG, you can check the details of a message using Smart Search:
1. Log in to the MSG Web UI.
2. Make sure the System-tab is selected at the top.
3. On the left-hand menu, navigate down to Smart Search->Search.
4. Use the sender and/or recipient information to search for the message. Do note that the Time-field usually is set to Last 24 Hours, which might be too restrictive, so expanding it to for example Last 7 Days is recommended.
5. If you find messages, you can verify their encryption status by checking the envelope symbol at the left of the message row. If it has a small lock on it, the message is encrypted.
6. Expand the message info by clicking the small + next to the envelope symbol to see more details. Here the Encryption-field should also be set to Proofpoint Encryption/Secure Reader Encrypted if the message is encrypted.
If you find messages that should be encrypted but aren't, open a support ticket so that it can be investigated. Provide the appliance-ID and information about the messages so that we can identify them (sender/recipient info, time when it was sent, subject field text). A sample message saved as .eml or .msg is also useful. To ensure that we can help you efficiently, please make sure that the following IP-addresses can access the MSG-appliance on ports 22 and 10000:
22.214.171.124 F-Secure Support / Kuala Lumpur
126.96.36.199 F-Secure Support / HTC Helsinki
188.8.131.52 Proofpoint
184.108.40.206 Proofpoint
220.127.116.11 Proofpoint
Article no: 000018154
Does MSG message encryption work normally when sending emails from a distribution list?
Yes, sending from a distribution list has no effect on the MSG message encryption functionality.
Article no: 000018149
After creating or modifying a Branding template, when adding the Title-information and clicking Save, the saving request keeps hanging (Saving... Please wait) and the Title-information is not being saved.
This happens if you are using empty spaces in the Title and also possibly when using different special characters, which are not supported. To resolve the issue, you will need to remove the spaces and the special characters.
Article no: 000006820
How to allow users to be able to see and manage the encrypted messages they have sent through Messaging Security Gateway using the end user web service?
To enable management of sent encrypted messages in the end user web service (euweb):
1. Log into the Messaging Security Gateway Web UI.
2. Click on the System tab.
3. From the left-side menu, navigate to End User Services > Web Application.
4. Under Settings, change Show Encryption Key Management to On.
5. Click Save Changes at the top left corner.
Article no: 000015840
Submitting a False positive or False negative for MSG
This article explains how you can send false spam positives and false spam negatives to Proofpoint for further analysis.
Both administrators and end users can report false positives and false negatives. For end users, the administrator must first enable end user digests. End users can then report false positives and false negatives from the digest. Reporting false negatives requires the use of the Audit folder in the Quarantine.
It also requires setting up a Spam Reporting Group.
False negatives are messages that are considered spam by the end user, but since they were scored below 50 by the MLX engine, they were delivered to the end user. By reporting these messages to the Proofpoint Attack Response Center (PARC), you can help improve spam effectiveness against that specific type of message.
In order to fully examine the reported message, PARC requires the entire original/unaltered message. Since the best way to capture the original message is in the quarantine (before it arrives at your mail server), we use the "Audit Messages" feature to store Not Spam messages in the Audit folder.
There are two steps required to enable the reporting of false negatives:
1. Enable Auditing in all Spam Policies
2. Enable Audit Messages for users
Enable Auditing in all Spam Policies
This option will quarantine (into the Audit folder) any message (<200K) marked as Not Spam that is also not being quarantined by any other rule.
1. Click Spam Detection > Policies.
2. Edit the Default policy.
3. Edit the Not Spam rule.
4. Select the Include in Audit folder box.
5. Click Save Changes.
6. Repeat these steps for all other spam policies.
Note: The "Not Spam" messages will not be copied into the Audit folder until the "Audit Message" feature is actually enabled for one or more users (next step).
Enable Audit Messages for users
1. Navigate to Groups and Users / Users and select the checkbox next to each user who will use this feature.
2. Click the Groups button.
3. Under the "Available Groups" column, click Spam Reporting, then click >> to move it under the "Add" column.
4. Click Save Changes.
Once these steps have been completed, mail marked as "Not Spam" will begin appearing in the Audit folder in the quarantine.
For performance reasons, we do not recommend that you enable Audit Messages for all users. If you do decide to enable it for all users, do so on Groups and Users / Global.
False positives are messages that are scored as spam but are considered valid e-mail by the end user. False positives are very rare and are treated with the highest priority by Proofpoint. Digests allow for the reporting of false positives in the default configuration. Users click the Not Spam link next to an individual message and that e-mail is then delivered directly from the Quarantine to the Proofpoint Attack Response Center.
If this link does not appear in your digest, check the following:
1. Click Digest / Commands / Display Spam False-Positive Link (on).
2. Click Digest / Filters / Modules. Click Spam, Options and then Digest Commands. "Report False Positive Spam" should be on the right-hand side.
3. Digest / Content / Labels. Verify the name assigned to "Report False Positive Spam".
Reporting directly from the Quarantine
An administrator can perform the same reporting function, but directly from the Quarantine:
1. Navigate to Quarantine / Messages.
2. Search for the message by Subject, Sender, Recipient, etc.
3. Select the checkbox next to the message and click Options / Report.
If you do not want your users to be able to report messages directly from their digest, and wish to only have administrators report directly from the quarantine, change the following options:
1. Digest > Commands. Disable "Report False Positive Spam".
2. Digest > Commands. Disable "Report False Negative Spam".
3. Groups and Users > Groups. Select the checkbox next to Spam Reporting and click Attributes. Set "Include Audit Messages in Digest" to "Default" and save.
These changes will still store both spam and not spam in the quarantine, but the end users will no longer see the Audit section in their digest and they will no longer see the "Not Spam" option in the Quarantine section.
Article no: 000001938
A user has forgotten their password to Secure Reader and there is no direct way to reset it.
For internal users, the password can be reset through the appliance webGUI:
1. Log in to the appliance webGUI.
2. Go to the System-tab.
3. Navigate to User Management->Users on the right.
4. Search for the user's email address.
5. Click the email address to bring up the user details.
6. Go to the Authentication-tab.
7. Click the Reset-button next to the password.
The user will get a welcome email with a temporary password and a link to the end user services that is valid for 30 minutes.
For external users, the recommendation from Proofpoint is to remove the user and have them re-register:
1. Log in to the appliance webGUI.
2. Go to the System-tab.
3. Navigate to User Management->Users on the right.
4. Search for the user's email address.
5. Check the box to the left of the account that needs to be removed.
6. Click the Delete-button on top of the user list.
The next time the user tries to access the Secure Reader, they will be prompted to create a new account.
Removing a user has no impact on how the user can access mails in the future. After the re-registering they will be able to access all their secure mails as before, as long as they are still stored on the appliance. Although the temporary password sent by the welcome-email will work for an external user to access the Secure Reader, the link in the mail to the end user services will not. As this might cause unwanted confusion the better solution is to remove the current user completely.
Article no: 000007798
Is it possible to schedule monthly reporting in MSG?
No, it's not possible. You can have reporting scheduled for selected days, so the longest interval is one week.
Article no: 000005286