Setting SMTP Security Options
You can set who has access to your mail server and control SMTP security in several ways. This section describes how to use the SMTP security options to prevent unwanted access and unwanted mail. See "Security Strategies" in this chapter for information about when to use different security options.
To set any of the options for the SMTP server:
- Select any of the options (described in the following sections) you want to use to set security for the SMTP server.
- Click Apply to save your changes. You must stop and restart the service in order for your changes to take effect.
Setting Mail Relay Options
You can use the Mail Relay Options to prevent unauthorized mailings, such as mass promotional mailings (known as spam) from passing through the IMail Server as a relay or gateway. The Relay mail for Addresses option lets you configure IMail Server to only accept mail that originates from local users or that is destined for local users. You can define the systems or range of IP addresses that you want to consider local.
Consider the following issues when using the "Relay for" options.
- When one of your users sends a mail message, it is relayed through the IMail Server. So, you must enter the IP addresses or IP address range of all of your mail users' systems.
- If a user needs to send mail from an unknown IP address, have the user select "user authorization" in their mail client. When this option is selected, the IMail Server uses the SMTP AUTH command to validate the user's logon user ID and password.
- If you have IMail Server set up to be a backup server for a remote mail server and you want to restrict relay access to your server, use the Relay mail for Addresses option and specify the address of the host for which IMail Server is a backup server. See "Configuration" and "Backups" for more information about setting up a backup server.
Mail Relay Options
Relay mail for anyone. Allows the SMTP server to accept mail from any host that is destined for any other host and re-deliver the mail to the proper host (i.e., relay the mail).
This option is the least secure. It leaves your mail server open to any other SMTP server to use as a mail relay. Some bulk mailers may take advantage of this capability to not only relay mail through your server, but to make it appear as if mail is originating from your server.
Note: If you select this option, your server may be blacklisted for running an open relay. To prevent this, choose Relay mail for addresses. See "Background on SMTP Protocol Security" for more information. If you are concerned about bulk mailers using the relay function to send mail through your server, you can restrict the addresses for which IMail Server relays mail by using the following options.
Relay mail for Addresses. You can specify the IP address or range of hosts and subnets that you want to relay mail for. IMail Server will consider these addresses to be local. If mail is received from any of the specified addresses, IMail Server will accept the mail that is destined for other hosts. Likewise, IMail Server will accept mail from other hosts that is destined for the specified addresses. If you select Skip AntiSpam Filters, the addresses listed on this dialog will not undergo any spam tests.
To add IP addresses, click Addresses. The Relay Mail for Addresses dialog box appears.
- Do one of the following:
  - Select Single Computer and, in the IP Address box, enter the IP address of the computer to be considered local to the IMail Server. You need to include the IP addresses of all of your users, because when they send a mail message, the message is relayed through the SMTP server to its destination.
  - Select Group of Computers and enter the IP Address and Subnet Mask for the group to be considered local. For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This allows those 254 systems to be considered the same as the local system, so they can use the mail server to send mail to the outside world.
- IMail Server will relay mail for all the computers listed.
- Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.
A "non-local" system that attempts to send mail through the IMail Server system receives the following message:
550 unknown local host %s, not a gateway
No Mail Relay. The SMTP server refuses to accept mail destined for other hosts (any host not on the IMail server), unless the user authenticates. If all of your users send and receive mail from the same host that IMail Server is on, or if they use web messaging to access mail, you can select this option. You will still receive mail for local users because a message destined for or originating from the IMail Server host does not use the relay function.
To force users to authenticate, go to the SMTP Security tab and select No Mail Relay. Also, under the Advanced tab, clear Disable SMTP "AUTH" reporting. No Mail Relay is the best option if you cannot use Relay mail for addresses because your users dial up using dynamic IP addresses.
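As an added example (not IMail Server code), the following Python models the relay decision the options above describe: the Relay mail for Addresses list of single computers and address/mask groups, the SMTP AUTH override, and No Mail Relay. The configuration values and the example.com host names are constructed for the example.

```python
import ipaddress

# Constructed configuration for the example (not a real IMail Server setup).
# Hosts served by this IMail Server: mail to them never uses the relay function.
LOCAL_HOSTS = {"mail.example.com", "widget.example.com"}
# Relay Mail for Addresses entries as (IP address, subnet mask), as in the dialog:
RELAY_FOR_ADDRESSES = [
    ("10.1.2.3", "255.255.255.255"),   # Single Computer
    ("156.21.50.0", "255.255.255.0"),  # Group of Computers: the class C from the text
]

def _networks(entries):
    """Turn (address, mask) pairs into networks; strict=False tolerates host bits."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False) for addr, mask in entries]

_LOCAL_NETS = _networks(RELAY_FOR_ADDRESSES)

def is_local_address(client_ip):
    """True when the connecting client falls inside a listed computer or group."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in _LOCAL_NETS)

def relay_decision(client_ip, rcpt_domain, authenticated=False, mode="addresses"):
    """Reply a RCPT TO for rcpt_domain gets from a client connecting from client_ip.

    mode is one of "anyone" (Relay mail for anyone, an open relay),
    "addresses" (Relay mail for Addresses) or "none" (No Mail Relay).
    """
    if rcpt_domain.lower() in LOCAL_HOSTS:
        return "250 OK"                     # local delivery, no relay involved
    if authenticated:
        return "250 OK"                     # SMTP AUTH validated the user ID and password
    if mode == "anyone":
        return "250 OK"                     # open relay: accepts from any host
    if mode == "addresses" and is_local_address(client_ip):
        return "250 OK"                     # listed addresses are treated as local
    # Reply quoted in the text; the client IP stands in for the %s host placeholder.
    return f"550 unknown local host {client_ip}, not a gateway"
```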
Relay mail for local hosts. This option limits relay access to mail hosts on your IMail Server by checking the "From" address of incoming mail to ensure that it contains a valid IMail Server host name. This must be the name of a host or virtual host, or a valid alias for a host on the IMail Server system. If it is not, the server does not relay the mail. If a host has an alias, you must enter the alias in the accept.txt file located in the IMail top directory.
You can use the accept.txt file in conjunction with this option to make the IMail Server accept the named remote hosts as "local" hosts.
Relay mail for local users. Checks the "From" address of incoming mail and verifies that it contains a valid IMail Server host name, then checks the host for the user ID. It does not check user aliases. If a user needs to use an alias for their e-mail address, the alias must be in accept.txt. If the host name or User ID is not valid, the server does not relay mail.
You can use the accept.txt file in conjunction with this option to name remote hosts and users that you want IMail Server to accept as local.
You cannot use this option if you use a "store and forward" setup to relay mail for another server.
Note: Any changes made to the mail relay options will not take effect until the SMTP service is stopped and restarted. When you use one of the "Relay for" options, you may have users who need to send mail from an IP address not listed. You can do this with IMail Server's support for the SMTP AUTH command. Make sure the remote user selects the "user authorization" option in their mail client. (Note that this feature will be named differently on different clients.) SMTP AUTH authenticates the user ID and password of a user sending mail. This is handled transparently by the mail server and client.
Note: If you are using a client such as Outlook or Eudora, you must select "my server requires authentication". The wording of this option may vary depending on the client used.
Using the accept.txt file
The accept.txt file lets you name remote hosts and users that you want the IMail Server to accept as "local" hosts and users. This file can be used with the Relay for Local Hosts Only and Relay for Local Users Only options.
To create an accept.txt file, do the following:
- Using Windows Notepad or another editor, create a file and name it accept.txt.
- Enter one IP address or host name per line. Do not use spaces or punctuation.
- For example, to enter hosts:
    mail1.widget.com
    mail5.foo.com
- For example, to enter users:
    fred@mail1.widget.com
    bob@mail5.foo.com
- The accept.txt file must have an exact match for the respective host or e-mail address. It does not accept wild cards or partial matches.
Setting Access to Local Mail Groups
You can use the following options to set access to local mail groups (aliases of type Group) on your mail server. (These options do not affect list-server mailing lists, standard aliases, or program aliases.)
Allow remote mail to local groups. When selected, the SMTP server accepts mail addressed to a group that has been defined using IMail Administrator. The SMTP server re-sends the message to users in the group.
Allow remote view of local groups.
- When this option is selected, the SMTP server allows a remote host to execute an SMTP "EXPN" command to show all users in a group that has been defined using IMail Client.
- When this option is cleared, the SMTP server allows a remote host to execute an SMTP "EXPN" command; however, the server returns a "550 lists are confidential" error.
Note: The settings described above do not affect mail to list-server mailing lists. Group aliases are affected: you must have Allow remote mail to local groups enabled for a group alias to work.
Validating Incoming Mail
You can use the following options to check that incoming mail was sent from a valid user mail account or to deny access to specified mail addresses. IMail Server will always include the IP address of the source of a message in the message header.
Check valid sender. If enabled, IMail Server requires that the user's mail address (user@host) is specified in the MAIL FROM or REPLY-TO line of an incoming mail message.
Auto-deny possible hack attempts. If more than 512 characters are sent during anything but the SMTP DATA command, the remote IP address is temporarily put in the "deny access" (Control Access) file until you stop and restart the service. Sending more than 512 characters in anything but the SMTP DATA command looks like an attempt to "hack" into your server. You will not see the address in the "deny access" list, but it is reported in the log file.
Disable SMTP "VRFY" command. The SMTP VRFY command is used to verify a user ID on a host; as such, it can be used from a remote host to test for valid user IDs. If you select this option, when IMail Server receives an SMTP VRFY request, it returns the message:
502 Command not implemented
Note: Do not select the Disable SMTP VRFY command option when using "peer" IMail Servers. A peer server needs to use this command to verify a user that is on the other peer. See "Setting Up Peering" for more information.
Edit kill file. The SMTP kill file lets you specify a mail address or a particular mail host that you do not want to accept mail from. To specify a mail address or host in the kill file, click Edit kill file.
The file kill.lst appears in Windows Notepad. In the kill.lst file, enter one entry per line in any of the following formats:
- To deny access to the user fred, enter: fred@widget.com
- To deny access to all users from the mail host widget.com, enter: @widget.com
- To deny mail from any host ending in widget.com, enter: @*widget.com (this rejects all mail from widget.com, bluewidget.com, nifty.widget.com, etc.)
IMail Server checks the incoming message's MAIL FROM: <user@host> line. When it receives mail from an address listed in the SMTP kill file, IMail Server returns the message:
501 unacceptable mail address
The kill.lst file resides in the IMail top directory and applies to the primary host and all virtual hosts.
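As an added example (not code from IMail Server), the following Python matches the address in a MAIL FROM line against the three kill.lst entry forms described above and returns the 501 reply on a hit. The kill.lst contents and the sender addresses are constructed for the example.

```python
# Constructed kill.lst contents for the example (not a real deployment's file).
# One entry per line, in the three forms the text describes.
KILL_LST = """\
fred@widget.com
@bigspam.example
@*widget.com
"""

def parse_kill_list(text):
    """Return the non-empty kill.lst entries, lower-cased for case-insensitive matching."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]

def parse_mail_from(line):
    """Extract user@host from 'MAIL FROM:<user@host>'; None if the line is not MAIL FROM."""
    head, sep, rest = line.partition(":")
    if not sep or head.strip().upper() != "MAIL FROM":
        return None
    return rest.strip().strip("<>").lower()

def entry_matches(entry, address):
    """Apply one kill.lst entry to a sender address."""
    if not entry.startswith("@"):
        return address == entry                  # fred@widget.com: exact user and host
    host = address.rsplit("@", 1)[-1]
    pattern = entry[1:]
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])        # @*widget.com: widget.com, bluewidget.com, ...
    return host == pattern                       # @widget.com: every user at that host

def check_mail_from(line, entries):
    """Reply the server gives to a MAIL FROM line, given the parsed kill.lst entries."""
    address = parse_mail_from(line)
    if address is None:
        raise ValueError("not a MAIL FROM line")
    if any(entry_matches(e, address) for e in entries):
        return "501 unacceptable mail address"   # reply quoted in the text
    return "250 OK"
```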
Ipswitch, Inc. http://www.ipswitch.com
© Ipswitch 2004