Regigate appliance tech

From regify WIKI
Jump to navigation Jump to search

Report a regigate issue

If you think you encountered a bug or some issue with regigate, please note that the regify support needs detailed information about what happened. If you consider to report such to regify support, please make sure that the following information is contained:

  1. A detailed description about the issue. For example, what happened and what did you expect?
  2. If the issue is related to routing or rules, we need the used rule set.
  3. For encryption or decryption issues, or conversation issues, we mostly need the original messages in MIME format.
    • We need the message in a form that reproduces the issue.
    • Meaning that we need the message in a form as it arrives at regigate (before conversion or encryption/decryption).
    • For this, send us such a message without using regigate to support(at) in a second step after you sent information of step 1.
  4. If encryption or decryption does not even happen, we need a debug log from the affected regigate. This will tell us why the message has passed.
    • See below information about debugging on this page.
    • Make sure that the issue happens while debugging is activated.
  5. Please add any additional information that might affect the issue:
    • Do you use Outlook/Thunderbird/Lotus Notes or other? How about Exchange server?
    • Are there other Gateways in the flow that might affect the issue?

Please always use support(at) for communication. If you are not a direct regify customer, please send all this information to your regify re-seller. They will verify and forward to regify if first level support is not able to fix your issues.

Debugging regigate

Set regigate debug level in HA mode

$ vim /d1/etc/rfmilter/route-1/conf.json

Change "logLevel" to be "verb" instead of "info" and save. Now restart rfmilter using

$ svc -t /service/rfmilter1-1/

or for strange PuTTY sessions

$ /usr/local/bin/svc -t /service/rfmilter1-1/

You can inspect the log now using:

$ tail -f /d1/log/rfmilter/debug-1.log

Please, don't forget to reset log level to "info" after you fixed your issues.

Set regigate debug level in normal mode

Please note that below examples affect route 1 (route-1, rfmilter-1 etc). Please adapt this number for debugging other routes.

$ vim /etc/rfmilter/route-1/conf.json

Change "logLevel" to be "verb" instead of "info" and save. Now restart rfmilter using

$ svc -t /service/rfmilter-1/

You can inspect the log now using:

$ tail -f /var/log/rfmilter/debug-1.log

Please, don't forget to reset log level to "info" after you fixed your issues.

Test valid provider connection

At first, identify the correct URL and ports from existing routes:

$ grep 'providerUrl' /etc/rfmilter/route-*/conf.json

There are several tests available for you to be executed on regigate:

 $ curl -k
 curl: (7) Failed connect to; No route to host

The above result means, firewall not setup correctly or wrong regigate IP entered at provider, which equals firewall not set up.

 $ curl -k
 url: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Above you can see an SSL handshake error because of certificate issue. But this is valid and means good as curl is not using the self signed certificates we use for our regigate routes. But it also tells us, that the connection is technically available and the routing should work. To test for real, you can execute the below test for full functionality (for HA mode, you have to replace /etc with /d1/etc):

$ curl --key /etc/rfmilter/route-1/client.key -E /etc/rfmilter/route-1/client.crt

The return of a valid JSON encoded string (even if it says invalid) points you to a working regigate connection.

Save messages for diagnosing

Beginning with regigate version 5.3.3, there is the option to save messages of routes just before they get processed. This is useful for debugging message related issues like handling MIME headers and invalid attachment processing. It must not be activated for a longer period (best only a few hours). If you are not sure, please check with regify support!

IMPORTANT: Do not activate this option permanently! Disable it as soon as you finished! There is a serious risk that the entire application storage will become full and regigate will no longer work!

Please note that below examples affect route 1 (route-1). Please adapt this number for editing other routes.

$ vim /etc/rfmilter/route-1/conf.json

Add one or both of the options:

  • dumpFrom -> Either @domain or full email address which needs to match the SMTP sender address
  • dumpTo -> Either @domain or full email address which needs to match any of the SMTP recipient addresses

You can combine both, where the two rules are OR connected. Example:

 "dumpFrom": "",
 "dumpTo": ""

Above example will dump all messages either sent by or sent to someone at

Now restart rfmilter using

$ svc -t /service/rfmilter-1/

The dumped files will be stored in folder /tmp/ and filename starts with msg_. You should delete them immediately after you did your inspection!

Create SRS handling rules

regigate does not support SRS address schema if you plan to encrypt outgoing emails. The reason is, that the SRS address encoding schema does not create a reliable sender account. It just generates a sender using original sender name and current domain. Thus, it is not reliable to find a matching user in the connected regify provider.

One way around the problem of stuck outgoing messages with SRS address schema in regigate is the following:

  1. Login to your regigate with root account.
  2. Open regigate appliance menu (run regigateConfig).
  3. Identify the route for outgoing emails (check your regigate routes menu). Note the number in front of the route name!
  4. Leave regigate appliance menu.
  5. Create a file /etc/postfix/sender_canonical
  6. Insert a RegEx to replace your SRS sender addresses with a generic email address (eg Example:
    Hint: Note that the domain dots in RegEx have to be escaped!
    See postfix regexp_table documentation for more details on this.
  7. Edit /etc/postfix-milter-<no>/ (replace <no> with the number gathered in step 3 above).
  8. Add the following line:
    sender_canonical_maps = regexp:/etc/postfix/sender_canonical
  9. Now restart postfix with the following two calls:
    postmap /etc/postfix/sender_canonical
    systemctl restart postfix
  10. Make sure your regify provider has a regify account on (see step 6).
  11. Make a note about your settings (especially your RegEx). There is a chance that you have to repeat this after a major regigate upgrade.

Explanation: This postfix rule is executed before the milter is processing the regigate rules. The RegEx is looking for a SRS encoded sender that matches the domain, or and replaces this sender with the address By this, regigate can use a regify account with to encrypt the message.

Updating Rule-Lists automatically

If you created rules that are using lists (eg user-list or domain-list), you may feel the need to write such lists (eg by some LDAP synchronization) and update the regigate lists automatically. It is important that the initial list is generated using the appliance menu (even if empty). Upon this you can update the lists automatically if needed.

The lists are located in the filesystem:


or, if using HA mode:


A list is ending with the extension .txt. Please do not touch the automatically generated .cdb files. If you updated such a list file in these folders, the list needs to be compiled (compilation is for better speed and creates the .cdb file).
This is done by restarting the rfmilter service as root:

svc -t /service/rfmilter-n

or, if using HA mode:

svc -t /service/rfmilter[12]-n

If you updated several lists, you may want to restart all rfmilter instances at once by calling:

svc -t /service/rfmilter*

Hint: If an e-mail is sent to regigate in exactly the moment where the rfmilter is not available because of the restart, the sending MTA will get a 4.x.x error (temporary problem). Normally, an MTA then will try it again in a minute and the e-mail(s) will only be a little late.