The 4.4 release “lofty” is all about fixing bugs, boosting existing features, and improving performance and memory management in the Halon script engine. And like macOS “High Sierra”, it’s fully baked.
The unusually long changelog contains many small improvements. We’ve given the pre/post-delivery script a slight overhaul. It’s now possible to tailor the bounce behaviour via the SetDNS() function. Additionally, we’ve added $action and $context, as well as functions to set MAIL/RCPT parameters. Finally, SetSourceIP() enables you to choose an IPv4 and IPv6 address pair, which is great when you want to provide customers with a private IPv4 and IPv6 address or if you want to use diverse address pools.
The improved “Listen on” directive on the Server > SMTP listener page enables more fine-grained control over listen ports and IPs, such as listening on different ports for different IPs.
Quirks and fun trivia
We recently revised our LDAP implementation, and realised that our own syntax and mechanism for failover between hosts is rather superfluous, since OpenLDAP supports that natively. Consequently, we adopted the standard LDAP URIs in our configuration, and existing configurations will be automatically migrated.
While we support the PROXY protocol (v1) that passes client source IP information from load balancers, we thought it was mostly a HAProxy thing. Apparently, it’s used by many other load balancers such as Amazon ELB, Citrix Netscaler, and F5 BIG-IP. Most of them implement version 1 (which is human readable), but there is a second version of the protocol that’s binary-packed and has a quite smart feature: its magic string (protocol identification) is \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A which translates into literal "\r\n\r\nQUIT\r\n", a string chosen specifically to cause an error and disconnect against servers not supporting this protocol. Clever!
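To make the two header formats concrete, here is a small parser for both PROXY protocol versions, added as an illustration and not taken from Halon's code. The sample headers and addresses are constructed; a listener should accept such a header only from its own load balancers, since the header replaces the peer address it sees.

```python
import ipaddress
import struct

# The 12-byte PROXY v2 signature quoted in the paragraph above.
V2_SIG = b"\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"

def parse_proxy_header(data: bytes):
    """Return (version, source_ip, source_port, header_length).

    source_ip is None when the header carries no client address
    (v1 UNKNOWN, v2 LOCAL). Malformed input raises ValueError.
    """
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        body = data[16:16 + length]
        if ver_cmd >> 4 != 2 or len(body) < length:
            raise ValueError("bad v2 version or truncated address block")
        if ver_cmd & 0x0F == 0:  # LOCAL: e.g. a health check by the balancer
            return 2, None, None, 16 + length
        if ver_cmd & 0x0F != 1:
            raise ValueError("unknown v2 command")
        if fam_proto == 0x11 and length >= 12:    # TCP over IPv4
            src, sport = struct.unpack("!4s4xH2x", body[:12])
        elif fam_proto == 0x21 and length >= 36:  # TCP over IPv6
            src, sport = struct.unpack("!16s16xH2x", body[:36])
        else:
            raise ValueError("unsupported v2 address family")
        return 2, ipaddress.ip_address(src), sport, 16 + length
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes
        if end < 0:
            raise ValueError("unterminated v1 header")
        fields = data[6:end].decode("ascii").split(" ")
        if fields[0] == "UNKNOWN":
            return 1, None, None, end + 2
        if fields[0] not in ("TCP4", "TCP6") or len(fields) != 5:
            raise ValueError("malformed v1 header")
        return 1, ipaddress.ip_address(fields[1]), int(fields[3]), end + 2
    raise ValueError("no PROXY header")

# Constructed samples using documentation addresses, not captured traffic.
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.5 56324 25\r\nEHLO a.example\r\n"
SAMPLE_V2 = (V2_SIG + b"\x21\x11" + struct.pack("!H", 12)
             + bytes([192, 0, 2, 10, 198, 51, 100, 5])
             + struct.pack("!HH", 56324, 25) + b"EHLO a.example\r\n")
```

The returned header length tells the caller where the SMTP conversation starts in the buffer.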
If you have an IPv6-only datacenter, but still want to process IPv4 clients, you can do so with a SIIT-DC gateway which uses IPv4-mapped-IPv6 addresses. In Halon, you can use SIIT-DC while still performing IPv4 reputation (such as DNSBL), by extracting and setting the IPv4 address in the CONNECT script. If that doesn’t make the point that we’re very scriptable, then what does?
If you ever had problems signing in to a Halon using Firefox, it may be because of a recent change in how “secure cookies” are handled. When signing in over HTTPS, we set the secure cookie flag, which forbids the cookie from being sent over an unencrypted HTTP connection to the same host. That is all great, but if you then try to sign in over HTTP (for whatever reason), Firefox will not be able to log in, because there is already a cookie for that domain with the secure flag, and it can be neither replaced nor accessed. We addressed this by using different cookie names for HTTP and HTTPS. Regardless of this fix, you should not use HTTP when administering your Halon hosts.
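One way to do the extraction described above, sketched in Python rather than Halon script (an added example, not Halon's CONNECT script). The prefix list and the zone name dnsbl.example are assumptions; a real deployment would list only the translation prefix that is routed to its own gateway.

```python
import ipaddress

# Assumed /96 prefixes whose low 32 bits carry the client's IPv4 address:
# the IPv4-mapped range the text mentions and the RFC 6052 well-known prefix.
TRANSLATION_PREFIXES = [
    ipaddress.ip_network("::ffff:0:0/96"),
    ipaddress.ip_network("64:ff9b::/96"),
]

def embedded_ipv4(client: str):
    """Return the IPv4Address behind a translated IPv6 address, else None."""
    addr = ipaddress.ip_address(client)
    if addr.version == 4:
        return addr
    for prefix in TRANSLATION_PREFIXES:
        if addr in prefix:
            # The IPv4 address occupies the last 32 bits of the /96.
            return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None  # native IPv6 client: IPv4 reputation does not apply

def dnsbl_query_name(client: str, zone: str):
    """Build the DNSBL lookup name (reversed octets + zone) for a client."""
    ipv4 = embedded_ipv4(client)
    if ipv4 is None:
        return None
    return ".".join(reversed(str(ipv4).split("."))) + "." + zone

# Constructed inputs using documentation addresses.
SAMPLES = ["::ffff:192.0.2.10", "64:ff9b::c000:20a", "2001:db8::1"]

def sample_queries(zone: str = "dnsbl.example"):
    return [dnsbl_query_name(s, zone) for s in SAMPLES]
```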
Mölndals Stad (Mölndal municipality) has approximately 5000 employees and 10 000 students. In 2010 the IT department decided that 15 000 inboxes needed new spam protection.
Anders Westerberg, now Head of IT Security in Mölndal, had built an open-source based solution that worked well. But for Annika Samuelsson, Head of IT development and maintenance, it was clear that they could not go on using a solution that only one person knew how to operate. Together with Anders she investigated possible replacements that could fulfill their wishes, and Halon caught their eye. The Halon software was then newly introduced to the market, and they saw an advantage in the company being open to a dialogue around how the product could be tailored to fit their needs.
The focus was of course on abiding by laws and regulations. Email sent to Mölndal municipality becomes public record and must be archived, even if it’s just spam. Stopping the email before it enters their system saves them that burden, and it’s also the procedure recommended by the organisation SKL (Municipalities and County Councils of Sweden). Before implementing Halon, Annika and her team handled all spam quarantine, something that is now in the past. With the “bulk” feature, an email manager will get a report on all blocked unsolicited email.
– The result is very satisfying, says Annika Samuelsson.
Introducing Halon was a quick process, and even though most of the work was done in-house they received some help from Halon support staff to do the fine tuning. Since becoming a customer, they have reached out a few times to address spam issues.
– There have been incidents where we get spam that passes through the filter. But it’s always been very easy to get in touch with Halon and resolve the issues. Once it was actually as easy as a misunderstanding about which users could report spam.
Mölndal municipality is subject to public procurement, and regularly has to compare its system to market competitors. But they have yet to find a product that solves their problems as effectively and smoothly as Halon.
– We feel very comfortable with what Halon provides us, and we would definitely recommend it to other governmental businesses.
Nordic Domain Days will be part of the long-running and very popular Internet Days (Internetdagarna) organised by IIS, the registry for .se and .nu, smack in the middle of beautiful Stockholm, Sweden. Join more than 2500 people all passionate about the internet, sharing their knowledge and expanding their network.
Meet and network with your peers in the domain name industry, with a focus on the interaction between registries, registrars, resellers and service providers. Representatives from both local country code and international registries will be present. Add to that some of the largest registrars in northern Europe (and the world) and you have the Nordic domain industry event!
Hang out with some of the brightest minds from around the domain and hosting industry including registries, registrars, resellers and service providers. Enjoy a fantastic social event at a great location with a perfect opportunity to build and renew your network. Halon is one of the sponsors for the social event, so come and party with us!
Each year the ETIS Community Gathering brings together European telecommunication professionals to share knowledge and best practices in a trusted environment. The theme of the ETIS Community Gathering 2017 is ‘Shaping the Digital Ecosystem of the Future’.
Halon co-founder Jonas Falck will be speaking about DANE, SMTP STS and more, together with senior software engineer Erik Lax.
This year the meeting is held on October 5-6 in Tallinn, Estonia. ETIS believes that Estonia, the first country to allow online voting in a general election, is a perfect place for a debate on the ‘Digital Ecosystem of the Future’, and we agree. It has the world’s fastest broadband speeds and holds the record for start-ups per person.
Its 1.3 million citizens pay with their mobile phones, have their health records stored in the digital cloud, and file their annual tax return online in 5 min. Moreover, Estonia will be holding the presidency of the EU council in the second half of 2017. Therefore ETIS invites relevant parties and start-ups to discuss lessons learned in e-Estonia.
Last week brought Per Stenman and Anders Berggren of Halon to San Francisco and Palo Alto, as a part of the Scale Global program. Sunny California offered meetings with VCs, entrepreneurs, coaches, and even a celebrity that we cannot disclose.
Hello San Francisco, we’ve missed you!
Sharon Chang, Partner at Andreessen Horowitz
Food is necessary, so is instagramming.
Huggy Rao, Atholl McBean Professor of Organizational Behavior at Stanford Graduate School of Business.
SC Moatti, Managing Partner at Mighty Capital.
Tristan Kromer, Lean Startup Coach.
Cindy Alvarez, Principal design researcher at Microsoft.
Halon co-founder Anders Berggren visiting 500 Startups.
No trip to the US without getting a decent steak.
Maxime Prades, VP of Product Management at Algolia and Gustaf Alströmer, Partner at Y Combinator.
We are glad to welcome Mexico into the circle of countries that have been visited by TES, and if you work in the email industry/cloud/telco in Mexico, please join us on September 28th.
Trusted Email Services, TES, was launched as an industry effort to raise awareness around email security threats and promote the deployment of innovative technologies to address them, including encryption and DNS-based mechanisms such as DNSSEC, DANE and DNS filtering.
The discussion will deliver an insight into how internet service providers and software companies adopting TES guidelines and best practices can secure and qualify their services, comply with recent legal requirements (GDPR) and establish enduring customer relationships.
Thanks to the sponsorship of Open-Xchange and to the efforts of the local partner CITI, this will be the first TES event ever in Central America, trying to build awareness among Mexican telcos and ISPs on email transport issues, current attacks and possible solutions based on open standards.
International speakers will address the audience, prompting the usual discussion and exchange of experiences, which will be followed by a friendly networking event with drinks and food. To allow for a meaningful and useful discussion, seating for this event will be limited to 20 participants. Want to join? Please send an email to [email protected] as soon as possible.
Halon has been chosen to participate in the growth acceleration program Scale Global. During the period of September 2017 to January 2018, Halon and seven other companies will get help with the transition from nailing the product to scaling their business. The program rests on three pillars: workshops, coaches and Silicon Valley.
The companies will be working together on a number of workshops, one of them being a one-week stay in Silicon Valley, having meetings with partners at Andreessen Horowitz and True Ventures, Gustaf Alströmer (partner at Y Combinator), Cindy Alvarez from Microsoft and Maxime Prades of Algolia, to mention a few.
Time-of-click protection adds an extra layer of security to protect email users from accessing malicious content. Attacks including malware, ransomware and phishing are becoming more common and more sophisticated every day, while users keep more sensitive information.
With additional time-of-click protection, Halon will classify a link in an email every time it’s clicked, before allowing or denying the user’s visit. This means that whether the scammer waits two minutes or two months before infecting the site, the user will still be protected when he or she chooses to click the link. It’s the extra layer of security that won’t allow you to visit infected websites by way of a link in an email protected by Halon.
On-premise or hosted cloud
Front/backend architecture for high availability
Multi-tenant with companies and users
Multiple detection engines
Google Safe Browsing
Optional click history
Time-of-click protection is an add-on to Halon SMTP software, and we recommend that you extend your license to include it. Pricing is set per user, with volume-based discount. If you are already a Halon customer, contact your sales representative, or send us an email for your quote.
We have done two new releases of Halon since last time we updated the blog with release matters. In Halon 4.1 “teamy”, released just before this summer, we introduced modules. A month later we followed up with 4.2 “classy” that added proper object orientation to the language (which works great in combination with modules). It spawned a few rewrites of our script examples (modules) to reflect this awesomeness. We initially added instance and class methods and variables (static), and in 4.3 “cody” we added the private keyword to functions and variables as well.
private $name = "Dr Who?";
$this->name = $name;
return "Hello ".$this->name;
static function ...()
We’ve created a lot of modules and script examples. Some of those, such as the PostgreSQL and MongoDB modules, rely heavily on byte packed data structures. In order to better support those, we’ve added built-in functions such as pack() and unpack(). Upcoming modules and rewrites will also benefit from the new TLSSocket() class.
Here are some new additions to our module collection:
Other notable features from the changelog include
FreeBSD 11.1 and new quarterly packages
sha2 hash functions
Added status and NDR codes to Reject, Defer and Deliver functions
SetTLS supports CA name verification
DLP engine now supports file hashes of SHA2-256 and SHA2-512
Added $sourceip variable to post-delivery script to easily determine which IP address was used to send the mail
Geek out corner
One major change that only we can see and fully appreciate is the (both automated and manual) code migration to C++11 (and forward), using the truly awesome clang-tidy tool.
On another note, while we researched pack and unpack implementations by looking at other languages’ documentation (such as PHP, Perl and Python), we found a bug in PHP, which was fixed in 7.2, and backported to 7.1.9. The overall consensus of syntax and conventions amongst languages regarding how pack and unpack should work seems to reflect and mimic Perl.
“In a language with an automatic garbage collection mechanism, it would be difficult to deterministically ensure the invocation of a destructor, and hence these languages are generally considered unsuitable for RAII [Resource Acquisition Is Initialization]” – Wikipedia on destructors
Unlike many other databases, MongoDB uses little endian rather than big endian (network byte order) in its wire protocol. This will let you send and receive data structures in native machine endian (for most people) since both x86 and amd64 use this convention. I highly recommend reading up on the fun historic trivia about endianness.
Want more in-depth info on the new releases? Get in touch with the support team.
Ensuring high deliverability in email is no walk in the park. As a high-volume sender of email, there are many things to take into consideration, especially with cybercriminals keeping a fast pace in innovation.
Make no mistake, deliverability is of the highest importance to anyone sending email, let alone the high-volume senders. When your servers tell you that a certain percentage of sent emails were accepted by the receiving servers, you still have no idea what happened after that. With no confirmation that emails actually reached the inbox, they might just as well be lying in the spam folder. The SMTP transaction is logged as “250 OK” as long as the server didn’t reject the email. To make matters even worse, different ISPs may treat email differently, putting more responsibility on the sender to do their homework as neatly as possible.
Pay attention to encryption, as it is no longer a security measure only for the select few, but is becoming the standard. TLS/SSL and DANE are your friends and will keep your information private.
Be protective of your IP addresses’ reputation; it can make or break your deliverability. ISPs act as proxies for recipients, meaning they will take reputation very seriously. Take into consideration that sending unsolicited email may harm your IP reputation, and that authenticating your email with SPF, DKIM, and DMARC will help keep out scammers, who are most often ahead of ISPs’ and senders’ technology.
Halon is a flexible security and operations platform for in-transit email. It enables companies that build and operate large-scale email services to offer competitive features by rapid implementation, and to lower costs of maintenance through reliable deployment and reduced complexity.