RSS Feed
Latest Updates
VPOP3 v7.9 Released
Posted by Paul Smith on 11 December 2018 04:14 PM

We have released VPOP3 v7.9 which you can download from

This is a free upgrade for all users who have active software maintenance or priority support on 10th December 2018. Other users can purchase the upgrade and 1 year of software maintenance on our website.

The full list of changes is in our issue tracker change log, a summary is below:

  • New: With attachment filtering renaming, support changing the MIME type as well
  • New: Have option to encrypt daily backups
  • New: Put encryption type in SMTP Transcript logs and Received header
  • New: Have setting to disable use of ‘Pause/Resume Schedule’ in Status Monitor
  • New: Allow Lua script to trigger Status Monitor “popup” or send messages
  • Fix: If a Connection uses a backup Connection, and that backup connection is deleted, VPOP3 will still try to use it
  • Fix: Try to prevent DMARC Aggregate Report loops
  • Fix: Upgrade OpenSSL version for 32 bit VPOP3 to support TLS v1.2 (already supported in 64 bit VPOP3)
  • Fix: Stop VPOP3 crashing when generating DMARC aggregate reports if the RUA email address has blank domain
  • Fix: Attachment filter error messages don’t always decode non-ASCII filenames correctly
  • Fix: Attachment filter ‘skip filtering’ filters don’t work sometimes
  • Fix: Recovering messages from Archive show messages with incorrect file size

Also, there is a very early version of a new Admin interface included. This can be accessed by going to http://<vpop3>:5108/admin2/index.html

It’s very rough around the edges, and incomplete, but is being worked on. (In the menus, if an item is in red, it doesn’t exist yet, or if it’s in purple, it’s only partially implemented). Feel free to use it and report problems with what is there, as what is there should be functional, but please don’t report a bug just because a feature isn’t there yet.

The new Admin interface should handle being used from mobile devices better than the current interface, and should be quicker at switching between pages, but it may take a bit longer to load initially on slow connections.

Read more »

Two Factor Authentication
Posted by Paul Smith on 08 November 2018 12:16 PM

VPOP3 v7.8 supports Two Factor Authentication (2FA or TFA) for Webmail/admin access.

What is Two Factor Authentication

Two Factor Authentication requires the logging in user to enter their password as well as a one-time-password generated by an app or program which uses a special algorithm and a ‘secret’ to calculate the one-time-password. This means that unless you have access to that app/program with your personal ‘secret’, then you will not be able to log in. An observer cannot determine what your ‘secret’ is by looking at the one-time-password you enter, so they will not be able to calculate future one-time-passwords.

VPOP3 uses a ‘Time-based One-time password’ (TOTP) algorithm such as that supported by Google Authenticator. This means that the one-time password changes every 30 seconds using a standard algorithm, and an individual key (secret) which both the VPOP3 server and Google Authenticator know.

Enabling Two Factor Authentication

To enable Two Factor Authentication in VPOP3, go to Services -> Webmail -> Advanced and turn on ‘Support 2 Factor Authentication for Webmail/Admin‘.

Do NOT turn on Require 2 Factor Authentication for Admin area! If you do this, then you will instantly be logged out, because you are not using 2FA, and you will not be able to log back in, because you have not yet set up Google Authenticator with your individual ‘secret’.

Once you have everything set up and working, you can turn on the ‘Require 2 Factor Authentication for Admin area‘ option later.

Using Two Factor Authentication

First you need to get a TOTP program or app. I’d recommend getting Google Authenticator on your phone because that is probably always with you, and is usually separate from the PC where you are accessing VPOP3 from.

(Note that having your web browser remember your password and Google Authenticator on the same PC as the web browser is no more secure than single-factor authentication, because someone who gains access to your account on your PC has access to both your password and your 2FA secret)

Now, go to the Users list and edit the user you wish to use 2FA. Select the ‘Passwords‘ tab.

At the bottom, you will now see a QR code and ‘Google Auth Key’

If you have the Google Authenticator phone app, you can scan this QR code into the app, or you can type/copy the Google Auth Key into the software. (Note that some software may require you to trim off any trailing ‘=’ characters when entering it)

Now, if you try to log in as that user again, you will see a ‘2FA Password’ box. Type in the relevant 2FA password for the Google Authenticator app/program as well as your normal login details, and you’ll be able to log in.

If there’s a problem using the 2FA password, then if you leave the 2FA Password empty, you will be able to log in without it, as VPOP3 will, at the moment, allow you to log in either using the correct 2FA password, or no 2FA password at all.

Once you can log in using the 2FA password, you can tick the box in the user’s Password settings which says ‘Require Google 2FA (Webmail/admin only)‘. Once you have done that, then that user will no longer be able to log in without using their correct 2FA password (the option of not using a 2FA password at all will no longer work for this user).


Read more »

Posted by Paul Smith on 12 October 2018 04:31 PM

VPOP3 v7.8 adds DMARC checking support, so this post is to give you more information about DMARC.

Note that to have VPOP3 check incoming messages using DMARC, it must receive messages using direct incoming SMTP (not via a third party’s SMTP server, and not from a POP3 mailbox) and you must have either VPOP3 Enterprise or an active VPOP3 Spamfilter subscription.

Email message authentication is an important issue, because a lot of email attacks are performed by sending messages pretending to be from someone else. For instance, it is not uncommon for a fraudster to send a message claiming to be from a supplier asking to transfer money to the fraudster’s bank account, or claiming to be a bank asking to verify bank login details.

The subject of message authentication is not a trivial one, and it needs a degree of understanding of what is going on behind the scenes. Doing it badly can lead to messages going missing for no apparent reason. So, this article will try to explain, in basic terms, what is happening and what needs to be done.

Message Authentication

Two main methods of email message authentication have been developed over the years. These are SPF and DKIM.


SPF works by looking at the domain of the ‘return path’ of the message, and seeing which IP addresses are authorised to send messages from that domain. This is done via DNS records, because only the owner of the sending domain can set those.

For instance, the owner of the domain, could create an SPF DNS record saying that messages from can only come from the IP address Then, when a mail server receives a message from that domain, it can check the DNS record and the sending IP address, and reject (or otherwise filter) the message if the sending IP address is not

This would be done by the owners of the domain, creating a TXT DNS record for with these contents:

v=spf1 ip4: -all

This indicates that it is an SPF rule (v=spf1) that IPv4 address is allowed (ip4:, and mail from all other IP addresses should be rejected (-all)


One problem with this is that people are still using email forwarding nowadays, so if that message from is sent to and‘s mail server forwards the message on to gmail, then gmail will see the message as coming from the mail server, not from So, gmail may then reject the message, and, worse, may mark the mail server as being a spamming mail server, causing other messages from that server to be rejected as well.

Another problem is that often people don’t know all the places that their mail may come from, for instance, while people at a company may send mail through a particular mail server, their website may send mail through a different mail server, and they may use third party accounts or payroll software that sends mail on their behalf, but through other mail servers, or they may use a mail service provide (eg MailChimp or SparkPost) which sends mail from their domain as well.

A third problem is that SPF validates the Return Path of the message, but that is often invisible to the recipient. There is no need for the Return Path to match the From header (which is what the recipient usually sees), and, in fact, there are may good reasons for it not to match.

To set up SPF authentication for your outgoing messages, you just need to create a TXT DNS record for your domain. The sending mail server does nothing special.


DKIM works in a totally different way from SPF. In this case, rather than authenticating where a message comes from, it authenticates the message itself. Again, this uses DNS because that is only configurable by the sending domain’s administrators.

A public key/private key pair is generated by the administrators. The private key is configured into the mail server and the public key is stored in a DNS record for the domain. You choose a name called the ‘selector’, eg ‘s1’ and then create a DNS TXT record as and put the public key into that TXT record.

Now, the sending mail server will extract key parts of the sent message – the subject, sender, recipients, message content and create a digital signature of that data using the private key. This digital signature is inserted into the message header, eg:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=xzr7cjj46bvb5ib4fyyv5hcqwj7o5lx2;; t=1539000354;

(This is an example of a message from, with the selector ‘xzr7…’. The bh= and b= fields are the digital signatures of the headers and data respectively, and it is signing the From, To, Message-ID, Subject, MIME-Version, Content-Type and Date headers, as well as the message content.)

If you look for a DNS TXT record at you will find the public key which is used to verify the digital signatures: 900 IN CNAME 718 IN TXT "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoXXbwsbFrOLoiYLjkxW2VqIHN5XtlimenJYBMryjIcBBoyEFoyjD6LfThjlmmlLYB8PzKsWaCukDWKQv0jBxalFxfHJblvFkE

So, the receiving mail server can verify that the From, To, Subject and message content is exactly the same as it was when the sender sent it. That sounds great because the recipient will know that what they received was exactly what was sent through a valid mail server.

One problem with this is that the digital signature breaks if something changes the message. So, if something adds ‘Virus scanned by ….’ to the bottom of your message, that will break the DKIM signature, or if your message goes to a mailing list which adds a signature or alters the subject line, that will break the DKIM signature, etc.

Another problem is that there is no ‘policy’ associated with the message. If a message arrives without a digital signature, the receiving mail server will accept it as normal, because it won’t know that it should contain a signature, and if the signature doesn’t work, the receiving mail software doesn’t know what to do, so it may warn about it, but probably not, because there are many legitimate ways that the digital signature can be broken.

So, what is DMARC?

DMARC is not a new method of method authentication. In fact, it builds on both the SPF and DKIM methods and adds policy and feedback mechanisms to it.

Like SPF and DKIM, a DMARC policy is created by publishing a DNS record for the sending domain – but this time it is the domain of the FROM header field, not  the domain of the Return Path, so it validates what the recipient can see.

So, the sending domain owner will create a TXT DNS record like with content like

v=DMARC1; p=quarantine;

This sets a policy where if a message fails authentication it should be quarantined, and the domain owner wants ‘aggregate feedback reports’ to be sent to the email address

When a message is received using SMTP by a mail server which supports DMARC, that server will do both SPF and DKIM checks on the incoming message using the mechanisms based above. Then, if it can find a valid SPF or DKIM result using the same domain as the FROM header field, the message will be deemed to have passed the DMARC check. So, that means that either the Return-Path or the DKIM header need to match the FROM header domain, and need to have passed the SPF or DKIM validation.

If the message doesn’t pass the DMARC validation, then the policy of the DMARC record indicates what should happen. This can either be none – the message is processed as normal, quarantine – the message should be quarantined, or reject – the message should be rejected. (These policies can be overridden by the receiving mail server, they’re just ‘recommendations’).

Also, if an rua record is present in the DMARC record, then a DMARC aggregate report will be sent to the specified email address(es) showing how many messages passed or failed DMARC verification and which IP addresses they came from. These aggregate reports are in a structured XML format, so aren’t easily human-readable, but there are tools such as DMARCIAN which can be used to process the aggregate reports to make something more user-friendly. Note that if the email address(es) specified are not in the same domain as the DMARC policy, then you need to perform extra steps (to avoid people publishing DMARC records asking for reports to be sent to someone else’s email address without their permission).

You can set up DMARC with a ‘p=none’ policy just to get the aggregate reports which can be used to evaluate whether a stricter policy can be used, by checking to see where legitimate mail from you is coming from. It may also show which mail systems need reconfiguring, for instance, to sign messages using DMARC, or need to be added to an SPF record.

Checking DMARC in VPOP3

In VPOP3, to enable DMARC checking, you do this in Services -> SMTP Server -> Spam Reduction and turn on Check DMARC policies. To use this you must have either VPOP3 Enterprise or a VPOP3 Spamfilter subscription. Turning on DMARC checking will automatically enable SPF and DKIM checking as well, as those are required.

Sending DMARC compliant mail using VPOP3

You need to enable DKIM signing in VPOP3 and create your SPF and DMARC DNS records, and then VPOP3 will be sending messages which should pass DMARC checks


To use DMARC for your outgoing emails, you need to set up SPF and DKIM and create a DMARC DNS record. Most of this is done outside of VPOP3, but DKIM signing is enabled inside VPOP3.

If you need help setting up DMARC, then we can help, but as it is not a VPOP3 issue, it will be charged at £40 + VAT per hour (1 hr minimum).

Further reading



Read more »

VPOP3 v7.8 released
Posted by Paul Smith on 12 October 2018 02:48 PM

We have released VPOP3 v7.8 which you can download from

This is a free upgrade for all users who have active software maintenance or priority support on 11th October 2018. Other users can purchase the upgrade and 1 year of software maintenance on our website.

The biggest change in this version that will affect many people is the addition of DMARC checking support for direct incoming SMTP mail. We will be writing a full blog article on this soon, but if you know what DMARC is all about, you can enable VPOP3’s DMARC policy checking in Services -> SMTP -> Spam Reduction. The latest VPOP3 Spamfilter will use the DMARC check results to quarantine messages

The full list of changes is in our issue tracker change log, a summary is below:

  • New: Add DMARC checking support to the SMTP service for incoming mail
  • New: Allow Lua script to translate login usernames for IMAP4, POP3, SMTP (eg if you have to use email addresses instead of usernames)
  • New: When releasing spam without logging in, user’s ‘release actions’ settings are now honoured
  • New: Add spam score to Message Trace message info
  • Fix: Problem with extracting archived messages to ZIP file
  • Fix: DKIM signing crashing VPOP3
  • Fix: 2FA isn’t working – user can enter any 2FA code
  • Fix: When customising Text Strings in VPOP3, blank spaces are trimmed and shouldn’t be
  • Fix: Bulk Delete from Spam filter Blacklist not working with date rules
  • Fix: MIME decode text for ‘Text Strings’ replacements
  • Fix: MIME decode headers for Attachment processing ‘skip filtering’/’do filtering’
  • Fix: If archive.lua is returning the ‘block’ string (see 0001829) then the message will be stuck in the archive queue
  • Fix: ‘Includes Headers’ option not working when exporting Mappings to file

Also, there has been a lot of work going on behind the scenes adding support for a totally rewritten admin web interface. This new interface will use modern Javascript methods (it’s using the VueJS framework), and is responsive so should work on mobile devices better than the current system, and it will also be faster once loaded as it’s a ‘single page application’. There is a lot of work involved in this as there are about 400 pages/tabs in the current system and they all need rewriting. They aren’t all boilerplate code either as many pages have complex custom behaviour.

Read more »

VPOP3 v7.7 Released
Posted by Paul Smith on 04 June 2018 12:31 PM

We have released VPOP3 v7.7 which you can download from

This is a free upgrade for all users who have active software maintenance or priority support on 4th June 2018. Other users can purchase the upgrade and 1 year of software maintenance on our website.

The full list of changes is in our issue tracker change log, a summary is below:

  • New:  Support 2FA (Google Authenticator) in Webmail/Admin (Services -> Webmail -> Advanced)
  • New: Store parsed message header data for quicker IMAP4 searches (VPOP3 Enterprise)
  • New Add more info about assistant decision making to Message Trace info
  • Fix: Reduce Performance monitor CPU load
  • Fix: When deciding which signature to use, a single & nbsp ; in a HTML signature is making VPOP3 think that signature was defined
  • Fix: Show whether 32 or 64 bit version is installed
  • Fix: Add User wizard only allows up-to 16 character passwords

Changes in V7.6

  • Fix: VPOP3 reports misleading error if there’s an error retrieving a message using IMAP4
  • Fix: Can’t delete a user with personal address book entries
  • Fix: Can’t delete a user with multiple message rules
  • Fix: Assistants aren’t always being processed if assistants are also recipients
  • New: Allow user to search quarantine for all dates
  • New: Have an archive manager “role” who receives notifications of archive actions
  • Fix: Message action auditing isn’t logging message copy actions
  • New When logging archive searches, record which user requested it
  • New Detect busiest IP address and show in admin status bar
  • Fix: If Webmail Login MD5 encryption is used, then disabled accounts can still be accessed
  • New: Have facility for Lua script to rewrite MIME sections of incoming messages
  • Fix: Autoresponder expansions not working in reply-to & From fields
  • Fix: If autoresponder expansions are only used in subject, copyto etc then the custom fields are not shown
  • New: Handle NULL MX records – RFC 7505
  • New: For attachment filtering have option to tell intended recipient(s) if message was redirected or deleted
  • Fix: If you edit a user, their comment disappears from the user list
  • New: Allow paging of quarantine search results
  • New: Have option to zip up & download archive search results
  • New: Add feature to be able to view & clear MX sending DNS cache
  • Fix: Exporting ‘Received’ report when a date range is selected only exports the first day’s messages, not the whole range


Read more »