Regigate faq

From regify WIKI
Revision as of 14:08, 7 March 2023 by Regify (talk | contribs) (→‎How do I renew the regigate certificate?)

What ports and domains do I need to whitelist?

Please note that we recommend NOT restricting outgoing internet access for regify appliances. If regify moves parts of the infrastructure to new IP addresses or changes the SSL certificate vendor, you will very likely run into hard-to-find issues.

Anyway, the following connectivity is needed:

  1. Port 443 TCP to the connected regify provider.
  2. Ports 9000 to 9100 TCP to the connected regify provider.
  3. Ports 443 and 80 to regify infrastructure (e.g. for updates).
    • You can find all domains by entering your (sub)provider domain into this tool.
  4. NTP (Port 123 TCP+UDP).
  5. All SMTP ports and gateways that you configured in your regigate routes (in- and outgoing).

I can't paste the signed certificate / the rules / user lists?

Please note the following hints in order to paste:

  • If you paste the cert/rules/list and ctrl+d does not work, try pressing the enter key first and then ctrl+d.
  • Be sure to copy directly from PuTTY to the browser window and back.
  • No intermediate software may add extra line breaks. If you need to use an external editor in between, please make sure it does not add or change any line breaks.

How to see the current mail-queues

Enter the regigate shell (ssh or PuTTY), either by logging in directly as root or by using "Appliance..." -> "Other Settings..." -> "Drop into shell".

Now, simply type

regimailq

This script will show you all messages currently stuck in the queues. The number suffixes match the route ids shown in the appliance menu.

regigate appliance diagnostics

If you want regify support to help you with a specific appliance issue (e.g. routes and rule configuration), please go to your SSH appliance menu and visit Appliance -> Other Settings -> Support Diagnostics. Enter an e-mail address as the destination. This will send the regigate appliance configuration to the given address. Passwords and sensitive information are not part of this report.

How do I renew the regigate certificate?

Please follow these steps:

  1. Go to your regigate SSH appliance menu (SSL login, regigateConfig)
  2. Enter regigate... -> Routes... -> Select your route -> Show Certificate Request and copy the certificate request.
  3. Enter your (sub)provider administration (https://yourdomain/ADMINISTRATION) and log in with your administration-enabled regify account.
  4. Enter Manage regigates (bottom right)
  5. Identify your regigate and click the Sign Certificate icon right below Action.
  6. Paste your request from the appliance and click Sign certificate
  7. Copy the resulting certificate including header and footer lines (-----BEGIN/END.... -----).
  8. Go back to your regigate appliance SSH menu and select Import Signed Certificate.
  9. Paste the signed certificate and confirm using CTRL+d
  10. Repeat steps 2-9 for all other routes (usually you have at least 2).
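A structural check for a copied certificate request or signed certificate, covering the line-break problems and the header/footer requirement described above. This is an added example, not part of regigate or of the regify documentation; the function names and the sample data are assumptions made for illustration, and it checks structure only, not the signature.

```python
import base64
import re

# One PEM block; the label (e.g. CERTIFICATE) must match in header and footer.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def check_pem(text):
    """Return a list of problems in pasted PEM text (empty list = looks intact)."""
    problems = []
    if "\r" in text:
        problems.append("carriage returns present (CRLF line endings)")
        text = text.replace("\r\n", "\n").replace("\r", "\n")
    m = PEM_RE.search(text.strip())
    if not m:
        return problems + ["missing or mismatched BEGIN/END lines"]
    lines = m.group(2).split("\n")
    for n, line in enumerate(lines, 1):
        if not line or line != line.strip():
            problems.append(f"body line {n}: blank line or stray whitespace")
        elif len(line) > 64:
            problems.append(f"body line {n}: longer than 64 characters")
    try:
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
    except ValueError:
        return problems + ["body is not valid base64 (characters lost or added)"]
    # DER sanity check: the content is one SEQUENCE whose encoded length
    # must equal the number of bytes that follow the length field.
    if len(der) < 2 or der[0] != 0x30:
        problems.append("decoded data does not start with a DER SEQUENCE")
    else:
        if der[1] < 0x80:
            hdr, length = 2, der[1]
        else:
            k = der[1] & 0x7F
            hdr, length = 2 + k, int.from_bytes(der[2:2 + k], "big")
        if hdr + length != len(der):
            problems.append("DER length mismatch (data truncated or extended)")
    return problems

def sample_pem():
    """Constructed sample: a 260-byte dummy DER SEQUENCE, not a real certificate."""
    der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run `check_pem()` on the text as it sits in the clipboard or editor before pasting it into the appliance menu or the provider administration; any reported problem points to an intermediate tool having altered the block.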

How do I prevent messages from being stuck in regigate?

Messages can become stuck for various reasons. If you run a route with "Recipient Based" process rules, the message is first split for every recipient (see regigate manual). In this mode, the message is initially received and the sending MTA gets a success result. Then, the message is split internally and the single messages are processed in a second step. Unfortunately, direct feedback to the sending MTA is no longer possible in this mode. Because of this, faulty messages can become stuck in the regigate appliance.

In order to fix this, set all your routes to "Message Based". With this setting, messages causing problems are bounced immediately instead of becoming stuck.

BACKGROUND: In general, message based processing is the better solution. Especially while sending, there is no reason to encrypt for only some of the recipients. If the content must be encrypted, it must be encrypted for all of them. Recipient based processing is only needed in rare cases for routes used for incoming messages.