GreenArrow Engine
Change Log
- Historic (Pre-4.200.0) Change Log
Getting Started
- GreenArrow Concepts
- Hardware Requirements
- Supported Linux Distributions
- SSH Access
- Co-Existing With Other Software
- Firewall Configuration
- Installation Guide
- Email Concepts and Terminology
- Docker
FAQs
- Know Before You Buy
- - Administration and Configuration
  - Authentication
  - Bounce Management
  - Clustering, HA, and Containerization
  - Encryption
  - Complaint FBLs
  - Installation
  - IP Warming
  - Message Submission
  - Mail Routing and Traffic Shaping
  - Pricing, Account Relationship, and Support
  - Proxy Servers
  - Queue Management
  - Reporting, Monitoring and Logging
  - Security & Access Control
  - Software Updates
  - System Requirements
  - Throughput
- Chrome Mixed Content Compatability Guide
- GreenArrow Engine and AWS
- Common Error Messages
- Message Delivery
- Modifications and Customizations
- Pausing and Dumping Queues
- Direct Database Access
- Getting Started with Email Injection
- Creating a Drop Route
- Time Zones
- First Steps After Installing
- GreenArrow Components
- Getting Started with Event Notification
- Logging SMTP Sessions in GreenArrow
- Find Message Delivery Attempt Information
- Time Synchronization Services
- Ticket Portal Guide
- Internally Created Messages
Configuration
- Configuration File
- General Settings
- Performance Tuning
- Adding a New Domain
- Adding a New IP Address
- Adding A New Whitelabeled Cloud Domain
- IPs Authorized to Relay
- License Key
- URL Domains
- Secret Constants
- Processing Events on Dedicated Servers
- Managing GreenArrow Monitor SeedList
- Proxy Protocol
- Replace Content Domain
- Link Replacements
User Management
- Two-Factor Authentication
- Users for Email Injection
Email Authentication
- DKIM
- SPF and Sender ID
- Configuring a New From Address Domain
- Email Authentication for ESPs
Injecting Mail
- SimpleMH Injection
- Raw Injection
- - Raw Injection Headers
  - PHPMailer Raw Injection Example
- Injecting Mail with HTTP Submission API
- Local Injection Options
- Message Archive
- QMQP
- QMQP Streaming Protocol
- Speed Considerations
- Obscured Email Addresses
Delivering Mail
- VirtualMTAs
- Throttling
- - Updating Throttle Settings on the Command Line
  - Updating Throttle Settings in SQL
- Dynamic Delivery
- Retry Schedule
- Internal DNS Cache
- Recipient MX Selection
- Pausing Domains
Incoming Email
- Incoming Email Domains
- Aliased Incoming Email Domains
- Bounce Mailboxes
- Spam Complaint Mailboxes
- Email Forwarders
- SMTP AUTH and POP3 Email Users
- DNSBLs and RBLs
Bounces and Spam Complaints
- Bounce Processor Concepts
- Bounce Processor Configuration
- Spam Complaint Processor
- Feedback Loops
- - Yahoo's transition from ReturnPath
- Lite Bounce Processor
Reporting
- Send Statistics Overview Page
- Send Statistics Pages
- Send Statistics Integration
- Dynamic Delivery Statistics
- Disk Queue Summary
- Stats API
- Local Delivery Attempt Status Messages
- Remote Delivery Attempt Error Messages
- hvmail_report Command
- Delivery Attempt Log (Deprecated)
- Delivery Attempt Message Formats
- Delivery Event Processed Logfile Format
- Remote Delivery Status Log
- hvmail_generate_email_report Command
- hvmail_get_possible_spamtrap_hits Command
- Service Logs
- GreenArrow Status Command
- Remote Connections
- Disk Queue Messages
Event Notification System
- Types of Events
- Events Table Maintenance
- Event Processor
- Testing The Event Notification System
- Legacy Event Notification
GreenArrow Cluster
- GreenArrow Proxy
- GreenArrow Configuration
- Cooperative Throttling
- SMTP Connection Proxying
- Instance Drain
- Kubernetes Reference Architecture
- Sync Config
- Troubleshooting
GreenArrow Cloud
- Routes API
Network Services
- HTTP Server
- PostgreSQL
- POP3 Server
- SMTP Services
- Disabling SMTP-AUTH Username Logging
- TLS Certificate Configuration
- TLS Encryption for SMTP
- Legacy Services
- - Legacy Recursive DNS Server
Server Management and Backups
- Administering GreenArrow Without root Access
- GreenArrow Updates
- GreenArrow Downgrades
- Convert CentOS to Alma Linux
- Debian Updates
- PostgreSQL 16 Update
- Server Management
- System Administration
- Persistence Path Mode
- Managed Backups
- Unmanaged Backups
- Restoring Backups
- - Recover from Database Corruption
- Server Migrations
- Server Monitoring
- Metrics Server Integration
- fail2ban Integration
- Stopping and Starting GreenArrow Engine
- greenarrow Command
- Bounce Recovery
- - December 2020 Gmail Outages
- Disk Usage
- - Delete SimpleMH Clicks and Opens
- Troubleshooting Disk Space Issues
- Moving GreenArrow to a New Partition
- Email Address Retention
- High Availability Cluster
- - High Availability Cluster Administration
  - Self Managed High Availability Clusters
- Legacy Maintenance Commands
APIs
- Stats API
- - Send Status API
  - Disk Queue Summary API
- HTTP Submission API
- Configuration API
- Running Custom Code During Delivery Attempts
Third Party Integrations
- Amazon SES Integration
- Interspire Email Marketer Integration
- Ongage Integration
- Oracle Cloud Infrastructure Email Delivery Integration
- SendGrid Integration
- SMTP Relay Service Integration
Support Contact Info

Security & Access Control

Table of Contents
What access restrictions are available for the GreenArrow platform?
What access does GreenArrow require for support/maintenance?

What access restrictions are available for the GreenArrow platform?

Access restrictions can be applied at several different levels.

Users

User accounts can be restricted in what they can do on the platform, both in the configuration file and through the Engine UI

Two-Factor Authentication

GreenArrow supports two-factor authentication with the Time-based one-time password algorithm.

Source IP

Access to the UI and API can be limited by IP address, using the allow_ui_api_access configuration directive.

Firewall

GreenArrow can be placed behind a firewall.

Some of GreenArrow’s features require incoming access from the public internet, such as HTTP access for click/open tracking (if you are using that) and incoming SMTP access to accept incoming asynchronous bounce email messages.

We provide documentation regarding what firewall ports need to be open for access to given services.

Some customers setup a separate GreenArrow cluster to process incoming asynchronous bounces and handle click/open redirection, apart from a cluster of outgoing MTAs. This allows the outgoing MTAs to be completely isolated behind a firewall.

HTTP/HTTPS Filtering

If you are using GreenArrow for click/open tracking, you can use a reverse HTTP/HTTPS proxy to isolate GreenArrow from the Internet.

This document describes what URIs need to be exposed for engagement tracking to work (if you’re using that feature in GreenArrow).

What access does GreenArrow require for support/maintenance?

If you are an on-premises customer, we do not require any access to your systems; however, it can make it easier for our support team to assist you with troubleshooting complex issues if we have access to your server.

We have a few options for opening access, including direct SSH access, hopping through a reverse SSH tunnel, or using VPN access you provide to us. It also can be helpful for us to have login access to your Engine and Studio UIs, if appropriate. That said, we have supported major customers without any direct access to their systems.

Reporting, Monitoring and Logging

Software Updates

Copyright © 2012–2026 GreenArrow Email