Axigen is the mail server platform underpinning SmartXHosting's email services, and a widely used UK business mail platform in its own right. This article documents the security policies, hardening defaults, and UK-specific configurations applicable to Axigen deployments, both self-hosted and managed.
Axigen is a Romania-based mail server platform developed by Axigen Messaging (now part of GFI Software). It is deployed globally and is popular among European hosters, including in SmartXHosting's UK email infrastructure. It is comparable to Microsoft Exchange but has a different architecture, pricing model, and operational characteristics.
Key technical characteristics:
For UK businesses: Axigen provides mail-platform functionality comparable to Microsoft 365 but with UK/EU data residency options and different pricing.
Axigen ships with secure-by-default configurations:
For UK SMEs deploying Axigen, the defaults meet a reasonable baseline. Apply additional hardening for specific threats or regulations.
Axigen transport security configuration:
Configuration is done via the web admin or the configuration file. For UK compliance audits, document the TLS configuration and ciphers for inclusion in security posture evidence.
Axigen authentication options:
Default policies for UK deployments:
Granular access controls within Axigen:
Axigen integrates multiple anti-spam layers:
Tuning ranges from conservative (favour delivery; less aggressive filtering) to aggressive (stricter filtering, occasional false positives). UK SMEs typically start conservative and tighten based on observed spam volumes.
Axigen's encryption posture:
For UK businesses needing stronger encryption (healthcare, legal), supplement with S/MIME or a secure portal for sensitive content.
Axigen supports:
UK GDPR retention: configure retention periods aligned with organisational policy; 6-7 years is typical for UK business records. Test restore procedures regularly.
Audit logs in Axigen:
Retention: configurable. UK compliance minimum 12 months typically; regulated sectors 7+ years.
Log export: syslog, JSON, custom formats. Integration with SIEM systems (Splunk, Elastic, etc.) supported.
Axigen security update cadence:
Testing: major upgrades are typically tested in staging before production, with a documented rollback plan for failed upgrades.
For UK businesses using Axigen (directly or via SmartXHosting):
Axigen signs outbound messages per configured domain with an RSA-2048 or Ed25519 key. Selectors can be rotated via the admin interface. The platform generates the DNS records for the customer to publish.
Inbound messages are evaluated against the sender's DMARC record. Configurable actions: deliver, mark, quarantine, reject. Logs support downstream DMARC analysis.
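The inbound DMARC decision described above, as an added Python sketch (not Axigen's code or configuration). It assumes SPF and DKIM verification have already run, uses a small constructed suffix set in place of the Public Suffix List, ignores the `sp` and `pct` tags, and assumes a one-to-one mapping from the published policy to the local action.

```python
# Added example: simplified DMARC check for one inbound message.
# PUBLIC_SUFFIXES is a constructed stand-in for the full Public Suffix List.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "gov.uk", "com"}
# Assumed local mapping from published policy to delivery action.
ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

def org_domain(domain):
    """Organisational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ACTIONS:
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, record_txt, spf_domain=None, dkim_domains=()):
    """spf_domain / dkim_domains: domains that already PASSED SPF / DKIM.
    Returns (dmarc_result, action)."""
    rec = parse_dmarc(record_txt)
    if rec is None:
        return ("none", "deliver")          # no usable policy published
    spf_ok = spf_domain is not None and aligned(
        spf_domain, from_domain, rec.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, rec.get("adkim", "r"))
                  for d in dkim_domains)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", ACTIONS[rec["p"].lower()])
```

The suffix handling matters for UK domains: taking only the last two labels would treat `co.uk` as the organisational domain and align any two unrelated `.co.uk` senders under relaxed mode.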
Internal reputation scoring complements external RBLs. Persistent abusive sources auto-blocked.
Behavioural analysis detects:
Alerts to admin; automated temporary lockout for high-confidence events.
Basic outbound filtering:
For comprehensive DLP, integrate an external tool.
Beyond technical controls, operational security for UK Axigen deployments:
A production Axigen deployment for UK businesses typically follows a tiered architecture. Edge MX hosts handle inbound SMTP on port 25 with connection-time filtering (SPF, RBL, greylisting, rate limits). Internal relay nodes process authenticated submissions on port 587 after identity verification and apply outbound DKIM signing. Mailbox storage nodes hold IMAP/POP3 data on encrypted volumes (LUKS or cloud-provider equivalent). A front-door HTTPS layer serves webmail and the admin console, typically behind a WAF that terminates TLS with a certificate rotating every 90 days via ACME.
For SmartXHosting's Axigen estate, all four tiers sit in UK data centres with an EU failover region for disaster recovery. MX records resolve to a small pool of edge IPs with forward-confirmed reverse DNS (FCrDNS) and IPv6 parity — both increasingly checked by Microsoft and Google as part of their 2024-2025 sender reforms. The submission layer runs Axigen's native rate limiter on top of fail2ban-style IP throttles, so a compromised user account triggers a sub-second cap well before abuse propagates.
High-availability pairing uses Axigen's cluster mode in active/active configuration with shared storage. Failover happens in under 10 seconds for a clean host loss and without manual intervention. The admin plane is accessible only from a management VLAN reachable over a bastion with MFA — UK support staff authenticate with WebAuthn hardware keys. No admin credentials traverse the public internet unencrypted.
When reviewing an Axigen deployment (internal audit, due diligence, ICO enquiry response), these are the configuration items that matter most:
ruf addresses pointed at a monitoring mailbox.
testssl.sh or the Mail Hardener TLS check.
Document these values in your security posture evidence pack. The ICO's guidance on appropriate organisational and technical measures under UK GDPR Article 32 looks at exactly this kind of configuration discipline when it assesses a data controller's maturity after a breach.
Legal services. Solicitors and barristers' chambers in London, Manchester, and Edinburgh typically pair Axigen with S/MIME for client-privileged correspondence, Mail Hardener reporting for audit trails, and external archiving for the seven-year retention requirement under SRA record-keeping rules. Auto-forwarding to external addresses is disabled by default; partners requiring remote access use Axigen's webmail or ActiveSync with MFA instead of POP-to-Gmail workarounds that used to be common.
Healthcare. UK private healthcare providers (dental chains, physiotherapy groups, private GPs) operating alongside NHS.net require Axigen configurations that honour the Data Security and Protection Toolkit (DSPT). Configuration items: DKIM on every outbound, DMARC at quarantine minimum, TLS enforced for all NHS-bound traffic (MTA-STS enforce mode with nhs.net exemption carved for mixed-estate interim periods), audit logs retained seven years, and a documented incident-response runbook naming a Caldicott Guardian as escalation contact.
Public administration. Parish councils, housing associations, and small local authorities using Axigen via SmartXHosting's public-administration-email offering get a hardened baseline: G-Cloud-aligned data residency, UK-only support access, anti-phishing rules tuned for gov.uk impersonation attempts, and integration with the NCSC Mail Check service for periodic external validation.
Retail and e-commerce. Axigen deployments behind a Shopify or Magento storefront mainly need transactional-mail hygiene: dedicated sending subdomain (e.g. mail.example.co.uk) separated from the human mailbox domain, strict DMARC on both, and warm-up schedules when migrating from a different ESP. PCI DSS 4.0 obligations around cardholder data limit what retail staff can include in email — Axigen's DLP patterns for PAN detection cover the minimum obligation.
Financial services. FCA-regulated firms (IFAs, wealth managers, specialist lenders) must satisfy SYSC 9 record-keeping and, for SMCR-certified staff, must retain all business communications. Axigen journals every message to a WORM-backed archive, typically a third-party service such as Mimecast Archive or Smarsh, reached via SMTP relay. Platform-side controls disable client-side delete-from-sent-items manipulation and retain server-side copies regardless.
UK businesses moving to Axigen from Microsoft 365 or Google Workspace typically face a 2-4 week migration window. The technical path is straightforward — IMAP sync via tools such as imapsync or Axigen's own migration wizard moves historical mail, calendars, and contacts. What trips projects is the authentication-stack cutover.
Recommended sequence:
mail-new.example.co.uk). Publish DKIM DNS entries alongside the legacy provider's records — the selectors will differ so they coexist without conflict.
p=quarantine within two weeks, then to p=reject after 30 days of clean aggregate reports.
A common UK-specific hazard: HMRC online services still occasionally send notifications from legacy sending infrastructure that fails modern authentication checks. Whitelisting HMRC's sending ranges at the anti-spam layer avoids genuine correspondence landing in quarantine during Self Assessment season.
When a compromised mailbox is detected — whether by Axigen's behavioural detection or by an external alert from a recipient — the operational playbook has a narrow critical window, typically the first 30 minutes.
Axigen's log retention supports this flow provided the logs-retention setting is at least 90 days. Shorter retention windows (30 days or less) are a false economy — a breach discovered in week five is effectively invisible to forensics.
| Aspect | Axigen (via SmartXHosting) | Microsoft 365 | Google Workspace |
|---|---|---|---|
| Data residency | UK/EU | Configurable; EU available | Configurable; EU available |
| CLOUD Act exposure | None (non-US ownership) | Yes | Yes |
| Cost per user | Competitive | Higher | Higher |
| Integration ecosystem | Smaller | Vast | Vast |
| Admin complexity | Moderate | High | High |
| UK support | Yes, direct from provider | Partner-dependent | Partner-dependent |
| Regulatory alignment | UK GDPR native | Compliant with effort | Compliant with effort |
Q: Is Axigen as mature and stable as Microsoft Exchange?
A: Yes, for mainstream features. Exchange has a more extensive extensibility ecosystem; Axigen is typically simpler and easier to manage. Both are production-proven.
Q: Does Axigen support modern authentication (OAuth, SAML)?
A: Yes. It integrates with identity providers for SSO and has native OAuth support for compatible clients.
Q: Can UK businesses self-host Axigen?
A: Yes — licensed directly from Axigen. Alternatively, managed via UK partners (SmartXHosting and others). Self-hosting requires in-house infrastructure expertise.
Q: How does Axigen handle high availability?
A: Cluster support with active/active or active/passive configurations. Failover within seconds for most scenarios. Multi-region deployment possible.
Q: Is Axigen certified for UK public sector?
A: SmartXHosting's Axigen deployment meets G-Cloud eligibility criteria. Specific sector certifications (e.g. NHS DSPT) may require additional configuration and audit.
Q: How often are Axigen security patches released?
A: Regular releases are typically monthly. Critical security updates are released as emergency patches. Managed deployments (SmartXHosting) apply patches transparently.
Q: Does Axigen support UK-specific anti-spam lists?
A: Supports any DNS-based RBL globally. UK-specific RBLs integrated if available. Mail Hardener and similar UK-focused services integrated via standard interfaces.
Q: Can Axigen integrate with UK government mail standards?
A: Yes — supports NCSC-required authentication (SPF, DKIM, DMARC, MTA-STS, DANE). Configurable to meet specific sector requirements.
Q: Is there UK-specific documentation for Axigen?
A: SmartXHosting provides UK-customer documentation via their knowledge base. Axigen's own documentation is international but applicable to UK deployments.
Q: What is the typical UK Axigen customer profile?
A: Small-to-mid UK businesses valuing UK data residency, EU GDPR alignment, and predictable pricing. Non-US-owned infrastructure preference. UK public sector bodies meeting G-Cloud criteria.