Customizing SmartActions E-mail Security on the K2 Server
In 2016, Microsoft stopped producing spam definition updates for SmartScreen spam filtering in Outlook and Exchange Server, so the Exchange Spam Confidence Level (SCL) header has become obsolete. Microsoft says most customers using Exchange Server (on-premises) have either added Exchange Online Protection (EOP) or use a third-party filtering service or appliance to sanitize their mail flow. For more information see the following Microsoft articles:
Nintex recommends customers set spamSecurity="off" and follow Microsoft's recommendations. Setting the spamSecurity attribute to anything else in a hybrid Exchange environment, or when using only Exchange Online, will cause email issues when using SmartActions.
Use this topic to customize your email security. You can configure these settings in the "%ProgramFiles%\K2\Host Server\Bin\K2HostServer.exe.config" XML file.
Email communication usually happens between authenticated Exchange Servers. When unauthenticated servers are used, any time K2 and the user are not communicating with the same Exchange Server, you must set up email security when configuring SmartActions. Find the settings in the configuration > messageBus > system element of the K2HostServer.exe.config file as in this example.
Example code:
<messageBus>
  <system self="K2:DENALLIX\K2Service" enableListeners="True" allowAmbiguity="true">
    <security spamSecurity="InternalMail">
      <authorizedDomains>
        <add domain="*.denallix.com" />
        <add domain="*.google.com" />
        <add domain="*.gmail.com" />
        <add domain="*.live.com" />
      </authorizedDomains>
    </security>
  </system>
. . .
Description of the XML elements
The system element has three attributes and contains the security sub-element.
System element attributes | Description | Notes |
---|---|---|
self | Holds the fully qualified name (FQN) for the account that the K2 server uses to send SmartAction emails. In most cases the K2 service account is in the same domain as the server. Format: system self="[security label]:[FQN]\[Service Account Name]" | |
enableListeners | Enabled by default if Exchange Autodiscover is present on the domain and SmartActions is configured. Changing this Boolean value requires a server restart. | The default value is True |
allowAmbiguity | When true, enables support for environments where there are two different labels that contain the same user email address. | The default value is false |
Ambiguity Configuration
You can configure the K2 environment to allow for multiple labels to use the same provider or have the same email address across multiple labels.
The following logic applies to this scenario:
- Get all the users under all the labels which match the incoming email address.
- Alphabetically sort the returned list of users according to their label.
- Place the default label first in the list.
- Attempt to action the worklist item using the ordered list of FQNs (fully qualified names).
The result is that the user receives an email notification for each of their email addresses that the K2 server finds across multiple labels. When they action an email for any label, no further actions are available for that task.
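The ordering described above, written out as an added example (not K2 code). The directory contents, the label names other than K2, the case-insensitive address match and the stop-at-first-success behaviour are assumptions made for illustration.

```python
def order_candidates(users_by_label, email, default_label):
    """Return FQNs for `email`: default label first, then labels alphabetically."""
    wanted = email.strip().lower()  # assumption: addresses compare case-insensitively
    matches = [
        (label, name)
        for label, users in users_by_label.items()
        for name, address in users
        if address.lower() == wanted
    ]
    # The first key element is False only for the default label, so it sorts ahead.
    matches.sort(key=lambda m: (m[0] != default_label, m[0].lower()))
    return [f"{label}:{name}" for label, name in matches]


def action_worklist_item(candidates, try_action):
    """Try each FQN in order; return the first that succeeds (assumed), else None."""
    for fqn in candidates:
        if try_action(fqn):
            return fqn
    return None


# Constructed directory: label -> [(user name, email address)].
DIRECTORY = {
    "SQL": [("bob", "bob@denallix.com")],
    "K2": [("DENALLIX\\Bob", "bob@denallix.com"),
           ("DENALLIX\\Anthony", "anthony@denallix.com")],
    "AAD": [("bob@denallix.com", "Bob@denallix.com")],
}

if __name__ == "__main__":
    ordered = order_candidates(DIRECTORY, "bob@denallix.com", "K2")
    print(ordered)
    # Constructed outcome: only the AAD identity owns the worklist item.
    print(action_worklist_item(ordered, lambda fqn: fqn.startswith("AAD:")))
```

Listing the ordered FQNs for an address shows which identity the server would try first when the same mailbox exists under several labels.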
Shown below is the ambiguity configuration setting which is set to true by default. When true, the logic above applies. To disable, set the flag to false.
Example code:
. . .
<system self="K2:DENALLIX\K2Service" enableListeners="True" allowAmbiguity="true">
</system>
. . .
The security element has one attribute, spamSecurity, and contains the authorizedDomains sub-element.
The spamSecurity attribute settings
The spamSecurity attribute leverages the Exchange Spam Confidence Level (SCL) header to reject messages from unauthenticated users. The value of the spamSecurity attribute can be either one of the constants listed here or an integer.
Setting | Description |
---|---|
InternalMail (SCL -1) | Only mail sent to the Exchange Server by an authenticated account controlled by the Exchange Server receives this SCL rating |
Low | SCL 0 |
High | SCL 1 |
Custom value | An integer greater than -1 |
Off | Disables the SCL Header rejection feature. No messages will be rejected as the SCL header is being completely ignored. |
Security considerations
An incoming e-mail has no effect if the K2 server cannot authenticate it and associate its serial number with a valid process instance.
These two examples show the opposite extremes of security settings.
High level SPAM security example
. . .
<security spamSecurity="InternalMail">
  <authorizedDomains>
    <add domain="*.denallix.com" />
  </authorizedDomains>
</security>
. . .
The low level security disables mail security and exposes the network to attack.
The authorizedDomains sub-element
SmartAction security uses the Received header of incoming email to confirm that it passed through trusted domains and blocks messages that did not. You can add to the list of trusted domains using the authorizedDomains sub-element of SmartActions security as in this example.
Example code:
<messageBus>
  <system self="K2:DENALLIX\K2Service" enableListeners="True" allowAmbiguity="true">
    <security spamSecurity="InternalMail">
      <authorizedDomains>
        <add domain="*.denallix.com" />
        <add domain="*.google.com" />
        <add domain="*.gmail.com" />
        <add domain="*.live.com" />
      </authorizedDomains>
    </security>
  </system>
. . .
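The spamSecurity settings table and the authorizedDomains list can be reviewed together before a change to K2HostServer.exe.config goes live. The script below is an added example, not K2 or Nintex code; the sample configuration, the case-insensitive handling of constant names and the list of public mailbox providers are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constants from the spamSecurity table; None means the SCL header is ignored.
SCL_BY_NAME = {"internalmail": -1, "low": 0, "high": 1, "off": None}
# Constructed review list: providers where anyone can register a mailbox.
PUBLIC_PROVIDERS = ("gmail.com", "google.com", "live.com")

# Constructed sample that follows the layout of the page's example.
SAMPLE_CONFIG = """<configuration><messageBus>
  <system self="K2:DENALLIX\\K2Service" enableListeners="True" allowAmbiguity="true">
    <security spamSecurity="InternalMail">
      <authorizedDomains>
        <add domain="*.denallix.com" />
        <add domain="*.gmail.com" />
      </authorizedDomains>
    </security>
  </system>
</messageBus></configuration>"""

def scl_threshold(value):
    """Map a spamSecurity value to its SCL number; None means Off."""
    key = value.strip().lower()  # assumption: names compare case-insensitively
    if key in SCL_BY_NAME:
        return SCL_BY_NAME[key]
    number = int(key)  # custom value; ValueError for anything else
    if number <= -1:
        raise ValueError("custom value must be an integer greater than -1")
    return number

def audit(config_xml):
    """Return (scl_threshold, findings) for messageBus > system > security."""
    security = ET.fromstring(config_xml).find("./messageBus/system/security")
    if security is None:
        return None, ["no security element under messageBus/system"]
    findings, threshold = [], None
    raw = security.get("spamSecurity")
    if raw is None:
        findings.append("spamSecurity attribute is missing")
    else:
        threshold = scl_threshold(raw)
        if threshold is None:
            findings.append("spamSecurity is Off: SCL ignored, filter mail upstream")
        else:
            findings.append(f"spamSecurity={raw} rejects mail on the Exchange SCL header")
    for add in security.findall("./authorizedDomains/add"):
        domain = add.get("domain", "").strip().lower()
        bare = domain[2:] if domain.startswith("*.") else domain
        if bare in ("", "*") or any(bare == p or bare.endswith("." + p) for p in PUBLIC_PROVIDERS):
            findings.append(f"authorizedDomains entry {domain!r} is not limited to one organisation")
    return threshold, findings
```

Call `audit()` with the text of the configuration file; each finding is a review item, not a rejection rule applied by the server.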