Overview
MailEssentials creates several Windows services during the installation process that need to be running optimally for the product to function as expected. It is important for support agents to understand these services, as their state is often a strong indicator of the cause when support requests are raised.
This article describes the various services that are installed by MailEssentials and the functionality they provide to the overall product.
Introduction
MailEssentials creates the following services during the installation process:
- GFI List Server
- GFI MailEssentials Attendant
- GFI MailEssentials AS Scan Engine
- GFI MailEssentials Autoupdater
- GFI MailEssentials AV Scan Engine
- GFI MailEssentials Backend
- GFI MailEssentials Legacy Attendant
- GFI POP2Exchange
- GFI MailEssentials Quarantine Action Services
The Windows Services Manager (Services.msc) is a useful utility for monitoring the status of these services that must be running for MailEssentials to function properly.
The next section describes the role played by each of these services, as well as any dependencies on other MailEssentials or Windows services. The first step in the troubleshooting process is often to confirm that all services, together with the services they depend on, are running properly.
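A scripted version of that first troubleshooting step, as an added example that is not part of the original article or of GFI's tooling: it queries the service names listed in this article, walks each service's dependency tree, and flags required services that are not running. The function names and the Optional flag are assumptions made for illustration; port 9091 is the Attendant Remoting port given in the Attendant section of this article.

```powershell
# Added example. Service names are the ones listed in this article; Optional
# marks the two services the article says can be disabled when unused.
$MesServices = @(
    @{ Name = 'listserv';        Optional = $true  }   # GFI List Server
    @{ Name = 'gfimesattendant'; Optional = $false }   # Attendant
    @{ Name = 'GFIScanS';        Optional = $false }   # AS Scan Engine (sinks/agents start it on demand)
    @{ Name = 'msecavupdate';    Optional = $false }   # Autoupdater
    @{ Name = 'GFIScanM';        Optional = $false }   # AV Scan Engine (sinks/agents start it on demand)
    @{ Name = 'gfimesbackend';   Optional = $false }   # Backend
    @{ Name = 'gfiasmsecatt';    Optional = $false }   # Legacy Attendant
    @{ Name = 'gfipop2exch';     Optional = $true  }   # POP2Exchange
    @{ Name = 'gfimesqashost';   Optional = $false }   # Quarantine Action Services
)

function Get-MesServiceHealth {          # hypothetical helper name
    param([object[]]$Services = $MesServices)
    foreach ($entry in $Services) {
        $svc = Get-Service -Name $entry.Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{
                Service = $entry.Name; Status = 'NotInstalled'
                StoppedDependencies = ''; NeedsAttention = -not $entry.Optional
            }
            continue
        }
        # Walk the whole dependency tree so an indirect dependency (for example
        # Message Queuing behind the Attendant) is reported for every service
        # that ultimately needs it.
        $seen  = @{}
        $queue = New-Object System.Collections.Queue
        $svc.ServicesDependedOn | ForEach-Object { $queue.Enqueue($_) }
        while ($queue.Count -gt 0) {
            $dep = $queue.Dequeue()
            if ($seen.ContainsKey($dep.Name)) { continue }
            $seen[$dep.Name] = $dep.Status
            $dep.ServicesDependedOn | ForEach-Object { $queue.Enqueue($_) }
        }
        $stopped = @($seen.GetEnumerator() |
                     Where-Object { $_.Value -ne 'Running' } |
                     ForEach-Object { $_.Key })
        $running = $svc.Status -eq 'Running'
        [pscustomobject]@{
            Service             = $svc.Name
            Status              = $svc.Status
            StoppedDependencies = $stopped -join ', '   # likely cause when Status is Stopped
            NeedsAttention      = (-not $running) -and (-not $entry.Optional)
        }
    }
}

function Get-MesRemotingListener {       # hypothetical helper name
    # Shows whether anything is listening on the Attendant Remoting port and
    # on which local address, so unexpected exposure is visible at a glance.
    Get-NetTCPConnection -LocalPort 9091 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

Get-MesServiceHealth | Format-Table -AutoSize
Get-MesRemotingListener
```

On a machine without MailEssentials every service is reported as NotInstalled, and the listener check returns nothing.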
Description
GFI List Server
The GFI List Server service is the service that takes care of the processing done when a message is sent to a newsletter or list. This service is not a dependent service for any other MailEssentials service and can be stopped and disabled if its functionality is not required.
When the MailRoute module, which is the first module that processes a message in the MailEssentials anti-spam process, detects an email destined for a newsletter or list, the message is not processed any further by the MailEssentials MTA. The message is saved to the ..GFI\MailEssentials\Antispam\ListServ\Incoming directory. The List Server will process all the messages that are found in this directory.
The above representation shows the different ways that emails can arrive at the MailEssentials List Server when MES is installed on the same machine as IIS. The main module that is shown above is the MailRoute module which is checking for emails that are destined to the List Server and will save them to the List Server’s incoming folder.
Executable name: "..\MailEssentials\Antispam\listserv.exe"
Service name: "listserv"
Display name: "GFI List Server"
Install: Via command line using the syntax: Listserv -install
Removal: Via command line using the syntax: Listserv -remove
Default Log On Account: Local System
Dependencies: Event Log, GFI MailEssentials Legacy Attendant, Message Queuing
Programming language: C++
The following diagram shows the components which make up the List Server.
The List Server Components:
ListServ Pickup: This module will check the <ListServ\Incoming> directory for new emails saved to this location. It will also check that the emails that are found in the Incoming directory are valid emails with valid x-sender:<email address> and x-receiver: <email address> fields. If these fields are invalid, the email will be moved to <ListServ\BadMail>. This module will also try to pass the emails to the List Server sub-system. If this fails, the emails are moved to the <ListServ\Retries> directory. It will try to pass the emails from the Retries directory to the List Server sub-system every 10 seconds.
ListServ MTA: This module loads the rest of the List server modules and plug-ins. It will also check the Licensing properties to check that the installation is properly licensed and that the Evaluation is not expired.
ListServ Queue: This module provides a standard interface for the plug-ins to retrieve information from the MSMQ queues. It stores any new emails received by the List server in the MSMQ queues.
The List Server service loads various Plug-ins. These are Preprocessor, Scrubber, Subscriber, Footer, and Exploder. More information on these plug-ins is provided below:
Plug-ins:
PreProcessor: This module checks the email in the Queue and creates a property bag that will be used by the rest of the modules. It will also perform other initialization functions on the emails.
Scrubber: This module performs the cleaning of the emails. It will remove any attachments from the emails if the list is a Discussion list. It will also drop NDRs, and take care of un-subscribing email addresses that are returning NDRs.
Subscriber: This module will pick up subscription or un-subscription emails and remove them from the database (or mark them as unsubscribed). In the case of a discussion list, this module will also check if the sender of the email is subscribed to the discussion list (and can, therefore, send to the discussion list).
Footer: This module inserts the footer, configured in the list configuration, at the end of each email. By default, this will list the List’s email addresses used to send emails to the list, subscribe and unsubscribe from the list.
Exploder: This module creates the emails that are to be sent to all the email addresses on the list. The Exploder module makes use of the PickupSM module to place the emails in the IIS/Exchange pickup directory so that the emails are delivered to the destination by IIS. In the case of a Newsletter, it will first check that the sender of the email is allowed to send to the newsletter list.
Notes:
- All the list server plug-ins have at least one Private Queue in MSMQ. These can be checked from Administrative Tools > Computer Management > Services and Applications > Message Queuing > Private Queues. The ListServ Queue module will check the MSMQ queues and will load the modules as required.
- If a large number of emails is being processed by the list server, multiple MSMQ queues are created and multiple instances of the list server plug-ins are started to keep up with the email load. The queues can be told apart by the number at the end of the queue name.
- SMTP email addresses are used to check recipients.
GFI MailEssentials Attendant Service
The GFI MailEssentials Attendant Service hosts all components related to configuration.
It is installed under the installation folder in the Attendant subfolder and makes use of the HKLM\Software\GFI\MailEssentials\Attendant registry root.
It requires the installation of the MSMQ component in Windows.
This service cannot be stopped.
Executable name: "..\MailEssentials\Attendant\bin\MailEssentials.Attendant.Service.exe"
Service name: "gfimesattendant"
Display name: "GFI MailEssentials Attendant"
Default Log On Account: Local System
Dependencies: Message Queuing (MSMQ)
Other services depending on it: Web UI, GFI ME Autoupdater, GFI ME Backend, GFI ME Quarantine Action Services
Programming language: C#
The GFI MailEssentials Attendant service is written in .NET, and is used to host modules (plug-ins) which are also written in .NET.
Plug-ins which are run by the Attendant remoting plug-in:
..\GFI\MailEssentials\Attendant\Data\asettings.xml
Plug-ins which are running under the remoting functionality can be found in:
..\GFI\MailEssentials\Antispam\Data\rsettings.xml
The following components are hosted by the Attendant service and will therefore not function if the service is stopped:
- Remoting Helper
- Patch Checker
- Configuration Service
- CS
- Remoting Monitor
- Public Folder Training EWS
- Public Folder Training
- Notifications
- Ticket Manager
- Remoting
- Reg Count
- Monitoring Activity
- License Service
- Unicorn License Service
- Failed Mails Notifier
- Disk Space Notifier
- Centralization
- Centralized Configuration
- Centralized Quarantine
- Centralized Reporting
All the functionality provided by the above-mentioned modules is exposed through .NET Remoting so that other modules in MailEssentials can utilize it.
GFI MES Attendant hosts a Remoting server on port 9091.
Configuration Services (CS)
CS is used by the different modules in MailEssentials to read settings from the MES configuration when they request information or a setting.
WebDav Public Folder Scanning
WebDav is another protocol that can be used to access Exchange Public Folders. The WebDav Public Folder Scanning functionality is implemented in the GFI MailEssentials AntiSpam Attendant service and is also exposed through Remoting.
Note: The MAPI Public Folder scanning and IMAP Public Folder scanning functionality are implemented in the GFI MailEssentials Legacy Attendant service.
EWS Public Folder Scanning
EWS is another protocol that can be used to access Exchange Public Folders. The EWS Public Folder Scanning functionality is implemented in the GFI MailEssentials AntiSpam Attendant service and is also exposed through Remoting.
Ticket Manager
When an email is processed by ME, the email is tagged with a ticket, which will be added in the header of the message. These tickets will be used to ensure that the message is not processed again by the same installation of ME. Examples of modules using the Ticket Manager indirectly are:
- MailMonitorIn
- MailMonitorOut
- Auto-Replies
- Forward to email address action in the Anti-Spam modules
The modules that are directly making use of the Ticket Manager are:
- Sinks and Agents
- Quarantine Store
- PickupSM/Notification Service
On an Exchange 2010 and 2013 machine, the two new header fields which are added to the email are called X-GFI-METKID and X-GFI-METKTKEY. The email will be submitted to the Exchange Pickup Directory using the Pickup Submission Module (PickupSM).
On a non-Exchange 2010/2013/2016/2019 system, the Ticket Management functionality is not used. The email generated by MES will still be submitted to Pickup using the SM module. When this is done, the name of the email created by MES will include an ID called the ALK. When installed on an Exchange 2010/2013/2016/2019 machine, the name of the email stored in Pickup is not made available to the Transport Agents, therefore MES would not be able to perform any actions based on this.
Starting with MailEssentials 2014 R2 and currently used in MailEssentials 21, the Ticket Manager module has been redesigned in order to better accommodate Multi-Server synchronization environments.
Until ME 2014 R2 the Ticket Manager would create tickets, store them in an Access database, and add them as X-headers to the corresponding emails. These X-headers would be verified at a later stage before the second scanning of the email starts. In a ME multi-server environment, keeping those databases synchronized would have proven unreliable and inefficient.
Instead of synchronizing large databases of tickets, the new architecture synchronizes only the RSA certificates used to encrypt the time/date string signature of emails. Each synchronized server has a copy of the certificates of all the other ME servers, enabling it to decrypt and verify emails ticketed by any server in the multi-install environment, including emails it signed itself.
The tickets are valid for 10 minutes.
The certificates are stored in the Attendant\Data\Tickets folder. A certificate is made up of 2 files: a bin and a prp file. The bin file contains the RSA parameters and the prp file contains a set of properties like the Server (name), CreationDate, and information on whether it HasPassiveCertificate or not.
Below is an example certificate properties file, with the filename 1f5572b7-c41c-12a0-9d6b-5f837263847a.prp:
<?xml version="1.0" encoding="utf-8"?>
<TMCertificateProps xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CreationDate>2014-11-23T21:00:00Z</CreationDate>
<Server>MEServer1</Server>
<HasPassiveCertificate>false</HasPassiveCertificate>
</TMCertificateProps>
Further settings are stored under Attendant\Data\product.config. The Ticket manager settings will be the entries starting with TM. It is not recommended to change those settings.
Sample of X-Headers as saved in the email:
X-GFI-METKTSID: 1f6352b7-c81c-42a0-9b6b-5a180149618a
X-GFI-METKTSIG: GDWz2ApwMIBW3Vnqp2qXu0BwvepptDI3fjOzwUwh/oJoemFbYe3wJmL7/pzoqtPpsBpU/B/4cBwBt3
OaOnNXl4t87fJQAAFfshlFUkMcg3vV2dzCL5puT5+zdkjXxtqooX1TujcQSxFB93rfPA/JgSKIp5YcMo15qAE2QJkHtXw=
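When a ticketed message is not recognised in a multi-server setup, a useful check is whether the local Tickets folder holds a complete certificate (.prp plus .bin) for the server that ticketed it. The script below is an added example, not GFI code: it inventories the .prp files described above and matches a message's X-GFI-METKTSID header against them. It assumes that the header value equals the certificate file name without its extension, which this article does not state; the function names, the temporary folder and the sample messages are constructed for illustration.

```powershell
# Added example; sample files and messages are constructed. Assumption: the
# X-GFI-METKTSID value equals the certificate file name without its extension.

function Get-TicketCertificate {
    param([Parameter(Mandatory)][string]$TicketsPath)
    foreach ($prp in Get-ChildItem -Path $TicketsPath -Filter '*.prp') {
        $props = ([xml](Get-Content -Path $prp.FullName -Raw)).TMCertificateProps
        [pscustomobject]@{
            Id           = $prp.BaseName
            Server       = $props.Server
            CreationDate = [System.Xml.XmlConvert]::ToDateTime(
                               $props.CreationDate,
                               [System.Xml.XmlDateTimeSerializationMode]::Utc)
            HasPassive   = [System.Xml.XmlConvert]::ToBoolean($props.HasPassiveCertificate)
            # A certificate is a .prp/.bin pair; without the .bin there are no RSA parameters.
            HasBinFile   = Test-Path (Join-Path $TicketsPath "$($prp.BaseName).bin")
        }
    }
}

function Get-TicketHeader {
    param([Parameter(Mandatory)][string]$RawMessage)
    # Headers end at the first blank line; folded lines continue with leading whitespace.
    $headerBlock = ($RawMessage -split "\r?\n\r?\n", 2)[0]
    $unfolded    = $headerBlock -replace "\r?\n(?=[ \t])", ''
    $found = @{}
    foreach ($line in ($unfolded -split "\r?\n")) {
        if ($line -match '^(X-GFI-METKTSID|X-GFI-METKTSIG):\s*(.*)$') {
            $found[$Matches[1]] = $Matches[2] -replace '\s', ''
        }
    }
    $found
}

function Test-MessageTicket {
    param([Parameter(Mandatory)][string]$RawMessage,
          [Parameter(Mandatory)][string]$TicketsPath)
    $header = Get-TicketHeader -RawMessage $RawMessage
    $sid    = $header['X-GFI-METKTSID']
    $cert   = Get-TicketCertificate -TicketsPath $TicketsPath | Where-Object { $_.Id -eq $sid }
    $sigLen = $null
    try   { $sigLen = [Convert]::FromBase64String([string]$header['X-GFI-METKTSIG']).Length }
    catch { }   # not valid base64: the header was truncated or altered in transit
    [pscustomobject]@{
        TicketSid        = $sid
        SignatureBytes   = $sigLen          # $null or 0 means no usable signature
        CertificateKnown = [bool]$cert      # $false: that server's certificate has not synced here
        TicketingServer  = $cert.Server
        CertComplete     = [bool]($cert -and $cert.HasBinFile)
    }
}

# --- Constructed demo data: a throwaway Tickets folder and two messages ---
$tickets = Join-Path ([IO.Path]::GetTempPath()) 'mes-tickets-demo'
New-Item -ItemType Directory -Path $tickets -Force | Out-Null
$knownId = '00000000-0000-0000-0000-000000000001'
@'
<?xml version="1.0" encoding="utf-8"?>
<TMCertificateProps>
  <CreationDate>2014-11-23T21:00:00Z</CreationDate>
  <Server>MEServer1</Server>
  <HasPassiveCertificate>false</HasPassiveCertificate>
</TMCertificateProps>
'@ | Set-Content -Path (Join-Path $tickets "$knownId.prp")
Set-Content -Path (Join-Path $tickets "$knownId.bin") -Value 'placeholder'

# 128 constructed bytes, base64-encoded and folded across two header lines.
$sig = [Convert]::ToBase64String([byte[]](1..128)).Insert(76, "`r`n ")
foreach ($sid in $knownId, '00000000-0000-0000-0000-000000000002') {
    $msg = "X-GFI-METKTSID: $sid`r`nX-GFI-METKTSIG: $sig`r`nSubject: demo`r`n`r`nbody"
    Test-MessageTicket -RawMessage $msg -TicketsPath $tickets
}
Remove-Item -Path $tickets -Recurse -Force
```

The first message resolves to MEServer1 with a complete certificate; the second carries a ticket ID with no local certificate, which is the state to look for when synchronization between servers has not completed.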
Dashboard Statistics
The Dashboard Statistics is another Remoting plug-in that is used exclusively by the Dashboard. It provides information on the Status of the MES services, information from mtastrdb.log and popstr.log, and retrieves information from the reporting database. All this information is used to provide Status updates and Statistical information in the Dashboard.
The dashboard is what shows:
- The GFI MailEssentials services status
- Quarantined store statistics which includes:
- Number of emails in the quarantine store
- Quarantine Store Sizes
- Free Disk Space
- Charts
- Line graph, which can be filtered by the past hours or days. This will include the number of processed emails, the number of quarantined emails, and the number of failed emails.
- Pie chart, which is based on the total emails in the line graph
- Logs
- Updates
- Events
- POP2Exchange
More information on the Dashboard module can be found in MailEssentials Dashboard (WebUI).
Notification Services (NS)
NS is a Remoting plugin that is used by all the .NET modules which need to send a notification. The emails are stored in the IIS / Exchange pickup folder.
GFI MailEssentials AS Scan Engine
The GFI MailEssentials AntiSpam Scan Engine service is the service used to process the emails through the AntiSpam and Email Management features. The AntiSpam Scan Service starts the MTA, which in turn will start all the scanning plugins.
Executable name: "..\MailEssentials\Antispam\gfiscans.exe"
Service name: "GFIScanS"
Display name: "GFI MailEssentials AS Scan Engine"
Default Log On Account: Local System
Dependencies: Remote Procedure Call (RPC), Message Queuing
Programming language: C++
The MES AS Scan Engine is an out of proc COM object which loads the MTA. The MES AS Scan Engine receives emails for scanning from the IIS Event Sinks and the MES Exchange Agents, and passes the emails to the MTA for scanning. The results of the scan are received by the MES AS scanning engine from the MTA. These are passed back to the IIS SMTP Sink or the Exchange Transport Agent which provided the email for scanning.
If this service is stopped, the SMTP Sinks and the Exchange Transport Agents will try to start the service when the first email is processed.
GFI MailEssentials Autoupdater
The GFI MailEssentials Autoupdater service is used to update the virus definition files for the virus scanning engines, and the EED (Email Exploit Engine) and SED (Trojan and Executable Scanner) databases, from the GFI updates site. (Note that the EED and SED databases are static on the GFI update servers and updates for them are no longer provided.) The connection to the update server is initiated over HTTPS (https://meupdate.gfi.com/license/gfi.key); after authentication, the Autoupdater is redirected to an HTTP download location. The service supports connecting through a proxy server, which the administrator can configure from the MailEssentials WebUI.
Executable name: "..\GFI\MailEssentials\MEC.AutoUpdate.ausvc.exe"
Service name: "msecavupdate"
Display name: "GFI MailEssentials Autoupdater"
Default Log On Account: Local System
Dependencies: GFI MailEssentials EmailSecurity Attendant, GFI MailEssentials AV Scan Engine
Programming language: C#
GFI MailEssentials AV Scan Engine
The GFI MailEssentials AV Scan Engine loads a set of plug-ins that are used to scan emails with the EmailSecurity and ContentSecurity modules. When emails are passed through IIS or Exchange, the MailEssentials sinks or the MailEssentials Exchange Agents will provide a copy of the emails to the MailEssentials AV Scan engine for scanning. This service starts the Scanning Core (SCore) which is the module that loads the EmailSecurity and ContentSecurity scanning plug-ins.
If this service is stopped, IIS or the Exchange Transport agents will start it when the first email is processed. If the service cannot be started, the emails will not be processed and a copy of the emails will be placed in the EmailSecurity FailedMail folder.
Executable name: "..\GFI\MailEssentials\EmailSecurity\GFIScanM.exe"
Service name: "GFIScanM"
Display name: "GFI MailEssentials AV Scan Engine"
Default Log On Account: Local System
Dependencies: Message Queuing, Remote Procedure Call (RPC)
Programming language: C++
GFI MailEssentials Backend Service
The GFI MailEssentials Backend Service takes care of the Reporting and Quarantine components, scheduling, and generation of reports as well as generation of Spam and Quarantine digests.
The GFI MailEssentials Backend Service is a .NET application, which is also used to load a set of modules and plug-ins, which in turn may load their own set of plug-ins.
Executable name: "..\GFI\MailEssentials\Backend\bin\MailEssentials.Backend.Service.exe"
Service name: "gfimesbackend"
Display name: "GFI MailEssentials Backend"
Default Log On Account: Local System
Dependencies: GFI ME Attendant
Other services depending on it: GFI ME Quarantine Action Services
Programming language: C#
The GFI MailEssentials Backend service hosts the following components:
- Quarantine Digest
- Reporting Auto Purging (ML.DB.Maint.dll)
- Spam Digest
- Reporting Collection
- Malware Quarantine Storage
- Antispam Quarantine Storage
- Reporting UI Backend
- RSS Backend
Plug-ins run by the Attendant remoting plug-in:
..\GFI\MailEssentials\Backend\Data\asettings.xml
Plug-ins running under the remoting functionality:
..\GFI\MailEssentials\Backend\Data\rsettings.xml
Quarantine Digest
The Quarantine Digest is used to send a summary of the spam emails that have been quarantined in the Quarantine Database.
Quarantine Database
This module handles the Quarantine Database access, writing as well as database maintenance.
GFI MailEssentials Legacy Attendant Service
The GFI MailEssentials Legacy Attendant service loads various modules that are required by MailEssentials to operate.
The service should be running at all times.
Executable name: "..\GFI\MailEssentials\Antispam\msecatt.exe"
Service name: "gfiasmsecatt"
Display name: "GFI MailEssentials Legacy Attendant"
Install: Via command line using the syntax: msecatt -install
Removal: Via command line using the syntax: msecatt -remove
Dependencies: No Dependencies
Programming language: C#
The MailEssentials Legacy Attendant service loads all the modules that are found in [HKEY_LOCAL_MACHINE\SOFTWARE\GFI\MailEssentials\AntiSpam\Attendant] which include:
AuAntiPhish2 module
The AuAntiPhish2 module checks for a new PURBL URL database on the GFI servers. If a new PURBL URI database is found, it is automatically downloaded and installed. This module also makes use of the audldownload module, which is used to download the PURBL URI database from the GFI servers.
AuSpamScore module
The AuSpamScore module checks for new SpamRazer updates from the MailShell site. If a new update is available, the AuSpamScore module automatically downloads and installs the database. Before checking for the latest updates, this module checks the user's license key to verify that the user is eligible for the update. This module also makes use of the audldownload module.
Autospamsvc module
The Autospamsvc module checks for a new Bayesian spam database on the GFI servers. If a new Bayesian spam database is found, it is automatically downloaded and installed. Before checking for the latest Bayesian database, this module checks the user's license key to verify that the user is eligible for the update. This module also makes use of the audldownload module, which is used to download the Bayesian database from the GFI servers.
Note: Updates to the Bayesian spam database are no longer supported. Update servers contain a static version of the database that is already downloaded.
MailMerge module
MailMerge is used to update the Bayesian filter database (weights.bsp). The MailMerge module will check the spam_tmp.tok and ham_tmp.tok files once every 75 minutes. If the tok files have more than 1000 tokens, the MailMerge module will update the information in the database from the tok files.
PFolders module
The PFolders module scans the Public Folders (as configured in the MailEssentials configuration > Anti-spam properties). The scanning interval can be configured from the MailEssentials configuration. This module is only used when MES is installed on the same machine as Microsoft Exchange.
RpFolders module
The RpFolders module scans the IMAP folders (as configured in the MailEssentials configuration > Anti-spam properties). The scanning interval can be configured from the MailEssentials configuration.
UserTimeCount module
The UserTimeCount module is responsible for counting the users retrieved by MailEssentials and counting how many days have passed since MailEssentials (Evaluation) was installed.
GFI POP2Exchange Service
The POP2Exchange service checks for new messages in the POP3 accounts, downloads them, and sends them to the SMTP server by submitting them to the Pickup or Replay folder (in Exchange 2010 and above) via the Pickup Submission Module (PickupSM).
If the connection with the POP3 server is through dial-up, the service checks the scheduler that contains the hours of the week when dial-up is allowed. The service is configured to dial up and download mail after a successful connection, and to disconnect when it has finished downloading. Remote access must be installed with a pre-configured ISP profile in order to use the dial-up features.
When a message is downloaded, it checks if that particular POP3 mailbox is set to send emails to an alternate address or else to send to the local address stored in the ‘To:’ field. If it does not manage to extract the correct information from the ‘To:’ field, it sends the mail to the email address configured in the alternate address. The POP2Exchange service does not send emails using the internet connection established. It uses the internet connection only for receiving emails via POP3.
Executable name: "..\GFI\MailEssentials\Antispam\pop2exch.exe"
Service name: "gfipop2exch"
Display name: "GFI POP2Exchange"
Install: Via command line using the syntax: pop2exch -service
Removal: Via command line using the syntax: pop2exch -unregserver
Default Log On Account: Local System
Dependencies: GFI MailEssentials Legacy Attendant
Programming language: C++
If the POP2Exchange functionality is not being used, the POP2Exchange service can be disabled.
GFI MailEssentials Quarantine Action Services
The GFI MailEssentials Quarantine Action Services processes emails that were detected as spam or containing malware and actioned by the scanning engines.
The components hosted by the service are:
- Malware Actioning Services (MEC.QAS.Coordinator)
- Antispam Actioning Services (ASCoordinator)
Executable name: "..\GFI\MailEssentials\ActionServices\bin\MailEssentials.Action.Service.exe"
Service name: "gfimesqashost"
Display name: "GFI MailEssentials Quarantine Action Services"
Default Log On Account: Local System
Dependencies: GFI ME Attendant, GFI ME Backend, Message Queuing
Other services depending on it: none
Programming language: C#
Quarantine Action Services Coordinator (QASC)
The QASC is one of the important modules which are loaded by the MailEssentials Quarantine Action Services service. The QASC loads its own set of plug-ins, which can be found in <..\MailEssentials\ActionServices\Data\QASC.xml>.
Currently, 7 plugins are loaded by the QASC:
- ForwardMail (FM)
- MovetoExchange (MTEF)
- Save to Disk (SD)
- WriteCSV (LOG)
- Quarantine (QUAR)
- Tagging
- Move to Inbox
The QASC checks the MES MSMQ queues and retrieves information on detected spam emails. The information on the spam emails is passed through all the plug-ins that are loaded by the QASC for actioning.