The 20 Minute E-Mail Solution!

Setting SMTP Security Options


You can set who has access to your mail server and control SMTP security in several ways. This section describes how to use the SMTP Security options to prevent unwanted access and unwanted mail. See "Security Strategies" in this chapter for information about when to use different security options.

To set any of the options for the SMTP server:

  1. Click the SMTP Security tab. The SMTP Security properties appear.
  2. Select any of the options (described in the following sections) you want to use to set security for the SMTP server.
  3. Click Apply to save your changes. Click OK to save your changes and exit the dialog box.

Note: If you make changes to the IP addresses that can use the SMTP server, you must stop and restart the SMTP service for the changes to take effect.

Setting Mail Relay Options

You can use the Mail Relay Options to prevent unauthorized mailings, such as mass promotional mailings (known on the Internet as spam mail) from passing through the IMail Server as a relay or gateway. The Relay mail for option lets you configure IMail Server to only accept mail that originates from local users or that is destined for local users. You can define the systems or address blocks that you want to consider local.

Some Considerations When Setting Relay Options

Consider the following issues when using the "Relay for" options.

Relay mail for anyone. Allows the SMTP server to accept mail destined for other hosts and re-deliver that mail to the proper host (i.e., relay the mail). This is the default setting.

This setting leaves your mail server open to any other SMTP server to use as a mail relay. Some bulk mailers may take advantage of this capability to not only relay mail through your server, but to make it appear as if mail is originating from your server. See "Background on SMTP Protocol Security" for more information.

Relay mail for. Allows the SMTP server to accept mail destined for other hosts only if the mail is received from the specified IP addresses (which the mail server will consider to be local addresses).

To specify the valid IP addresses, click the addresses button. The "Access Control" dialog box appears.

  1. Click the Add button. The "Accept as Local" dialog box appears.
  2. In the IP Address box, enter the IP address of the computer to be considered local to the IMail Server.

    To add a group of computers, select the Group of Computers option. In the IP Address and Subnet Mask boxes, enter the IP address and subnet mask for the group to be considered local.

    For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This will allow those 254 systems to be considered the same as the local system and they can use the mail server to send mail to the outside world.

  3. Click OK to add the IP address(es) to the list.

    IMail Server will relay mail for all the computers listed.

  4. Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.

A "non-local" system that attempts to send mail through the IMail Server system will receive the following message:

550 unknown local host %s, not a gateway 

No Mail Relay. The SMTP server will refuse to accept mail destined for other hosts, unless the user authenticates. If you use this setting, make sure that "Disable SMTP Auth Reporting" is not selected. This will force users to authenticate.

Note: If you are using a client such as Outlook or Eudora, you must select "my server requires authentication". The wording of this option may vary depending on the client used.

Relay mail for local hosts. Checks the "From" address of incoming mail and determines that it contains a valid IMail Server host name. This must be the name of a host or virtual host, or a valid alias for a host on the IMail Server system. If it is not, the server does not relay the mail. If a host has an alias, you must enter the alias in the accept.txt file.

You can use the accept.txt file in conjunction with this option to make the IMail Server accept the named remote hosts as "local" hosts.

You cannot use this option if you are using a "store and forward" setup to relay mail for another server.

Relay mail for local users. Checks the "From" address of incoming mail and first determines that it contains a valid IMail Server host name, then checks that host for the user ID. It does not check user aliases; thus, if a user needs to use an alias for their e-mail address, the alias needs to be in accept.txt. If the host name or User ID is not valid, the server does not relay mail.

You can use the accept.txt file in conjunction with this option to make the IMail Server accept the named remote hosts and users as "local" hosts and users.

You cannot use this option if you are using a "store and forward" setup to relay mail for another server.

Using the accept.txt file. The accept.txt file lets you name remote hosts and users that you want the IMail Server to accept as "local" hosts and users. This file can be used with the Relay for Local Hosts Only and Relay for Local Users Only options.

To create an accept.txt file:

  1. Using Windows Notepad or another editor, create a file and name it accept.txt.
  2. Enter one IP address or host name per line. Do not use spaces or punctuation.

    For example, to enter hosts:

    mail1.widget.com
    mail5.foo.com

    For example, to enter users:

    fred@mail1.widget.com
    bob@mail5.foo.com

    The accept.txt file must have an exact match for the respective host or e-mail address. It does not accept wild cards or partial matches.

  3. Save the accept.txt file in the location: [IMail Top Directory]\accept.txt
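The format rules above (one entry per line, no spaces, exact matches only) are easy to get wrong by hand, so the following lints a candidate accept.txt before it is deployed. This is an added example, not code from Ipswitch or the original page; the function names and the sample file contents are constructed for illustration.

```python
import re

# Added illustration, not Ipswitch code: lints accept.txt against the rules
# above (one entry per line, no spaces or separators, exact matches only).
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def classify(entry):
    """Return 'ip', 'user', 'host', or None if the entry is malformed."""
    m = IPV4_RE.match(entry)
    if m:
        return "ip" if all(int(o) <= 255 for o in m.groups()) else None
    if entry.count("@") == 1:
        user, host = entry.split("@")
        return "user" if user and HOST_RE.match(host) else None
    return "host" if HOST_RE.match(entry) else None


def lint_accept(text):
    """Return (entries, problems) for the contents of an accept.txt file."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                      # blank lines carry no entry
        if any(c.isspace() for c in line):
            problems.append((n, "whitespace: one entry per line, no spaces"))
        elif "*" in line or "?" in line:
            problems.append((n, "wildcard: only exact matches are honoured"))
        elif classify(line) is None:
            problems.append((n, "not a host name, IP address or user@host"))
        else:
            entries.append((classify(line), line))
    return entries, problems


# Constructed sample: three valid entries followed by three mistakes.
SAMPLE = """mail1.widget.com
mail5.foo.com
fred@mail1.widget.com
fred@mail1.widget.com bob@mail5.foo.com
*.widget.com
mail5.foo.com,
"""

if __name__ == "__main__":
    good, bad = lint_accept(SAMPLE)
    print(good)
    print(bad)
```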

Setting Access to Local Mail Groups

You can use the following options to set access to local mail groups (aliases of type Group) on your mail server. (These options do not affect list-server mailing lists, standard aliases, or program aliases.)

Allow remote mail to local groups. When selected, the SMTP server accepts mail addressed to a group that has been defined using the IMail Client application. The SMTP server re-sends the message to users in the group.

Allow remote view of local groups. When selected, the SMTP server allows a remote host to execute an SMTP "EXPN" command to show all users in a group that has been defined using IMail Client.

Note: The settings described above do not affect mail to list-server mailing lists. Aliases of type Group are affected. You must have the "Allow remote mail to local groups" option enabled for a Group alias to work.

Validating Incoming Mail

You can use the following options to check that incoming mail was sent from a valid user mail account or to deny access to specified mail addresses. IMail Server will always include the IP address of the source of a message in the message header.

Refuse NULL <> Senders. If enabled, IMail Server refuses to accept mail if there is no address specified in the MAIL FROM line of an incoming message (that is, the null address <> is used). Allowing no address in the MAIL FROM line makes it easier for spam mailers to send bulk mail to your users. However, note that RFC 822 requires that mail servers accept mail that has no address in the FROM line.

Note that Microsoft Exchange uses the null address for messages from the postmaster, so selecting this option disables the ability of IMail Server users to receive mail from Exchange postmasters.

Check valid sender. If enabled, IMail Server requires that the user mail address (user@host) is specified in the MAIL FROM or REPLY-TO line of an incoming mail message. Note that a null address (< >) in the MAIL FROM line is handled separately by enabling or disabling the Refuse NULL < > Senders option.

Auto-deny possible hack attempts. If more than 512 characters are sent during anything but the SMTP DATA command, IMail Server temporarily puts the remote IP address in the "deny access" (Control Access) file, where it remains until you stop and restart the service, and then disconnects the remote host. Sending more than 512 characters in anything but the SMTP DATA command looks like an attempt to "hack" into your server. You will not see the address in the "deny access" list, but it is reported in the log file.

Disable SMTP VRFY command. The SMTP VRFY command is used to verify a user ID on a host; as such, it can be used from a remote host to test for valid user IDs. If you select this option, when IMail Server receives an SMTP VRFY request, it returns the message:

252 Cannot VRFY user

Note: Do not select the Disable SMTP VRFY command when using "peer" IMail Servers. A peer server needs to use this command to verify a user that is on the other peer. See "Setting Up "Peer" IMail Servers" for more information.

Edit kill file. The kill file lets you specify a mail address or a particular mail host that you do not want to accept mail from. To specify a mail address or host in the kill file, click the Edit kill file button.

The file kill.lst appears in the Windows Notepad. In the kill.lst file, enter one entry per line in either of the following formats:

userid@host 
@host 

For example, to deny access from a user mail account, you could enter: fred@widget.com. To deny access to all users from the mail host widget.com, you can enter: @widget.com.

IMail Server checks the incoming message's MAIL FROM: <user@host> line. When it receives mail from an address listed in the kill file, IMail Server returns the message:

501 unacceptable mail address 

The kill.lst resides in the IMail directory and applies to the primary host and all virtual hosts.
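To see how the validation options in this section interact, the following walks the client side of one SMTP session and reports which of the checks described above would fire: the 512-character limit outside DATA, VRFY/EXPN requests, the null sender, and kill.lst matches. This is an added example that models the documented behaviour; it is not IMail Server code, the session lines are constructed, and case-insensitive matching of kill.lst entries is an assumption.

```python
# Added illustration, not IMail Server code: audits the client side of one
# SMTP session against the checks above. Case-insensitive matching of
# kill.lst entries is an assumption.
MAX_CMD = 512  # limit the page gives for anything outside SMTP DATA


def load_kill(text):
    """Parse kill.lst text: one 'userid@host' or '@host' entry per line."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}


def killed(addr, kill):
    """True if addr matches a full-address entry or an '@host' entry."""
    addr = addr.lower()
    return addr in kill or "@" + addr.rpartition("@")[2] in kill


def audit_session(lines, kill, refuse_null=True):
    """Return [(line_no, finding)] for a list of client command lines."""
    findings, in_data = [], False
    for n, line in enumerate(lines, 1):
        if in_data:                      # message body: no length limit
            in_data = line != "."        # a lone dot ends the DATA phase
            continue
        verb = line.split(" ", 1)[0].upper()
        if len(line) > MAX_CMD:
            findings.append((n, "oversize command, auto-deny candidate"))
        elif verb in ("VRFY", "EXPN"):
            findings.append((n, verb + " probe"))
        elif line.upper().startswith("MAIL FROM:"):
            addr = line[10:].strip().split(" ")[0].strip("<>")
            if not addr and refuse_null:
                findings.append((n, "null sender refused"))
            elif addr and killed(addr, kill):
                findings.append((n, "501 unacceptable mail address"))
        elif verb == "DATA":
            in_data = True
    return findings


# Constructed session and kill list (entries taken from the page's examples).
KILL = load_kill("fred@widget.com\n@widget.com\n")
SESSION = ["HELO probe.example", "VRFY fred", "MAIL FROM:<>",
           "MAIL FROM:<bob@widget.com>", "RCPT TO:<user@local.example>",
           "DATA", "X" * 600, ".", "HELO " + "A" * 600]

if __name__ == "__main__":
    for finding in audit_session(SESSION, KILL):
        print(finding)
```

Note that the 600-character body line inside DATA is not flagged, while the same length in a HELO command is.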

Setting Access to the SMTP Server

You can specify an IP address or set of IP addresses that are either granted access to the SMTP server or denied access. Systems that do not have access to the SMTP server system will not be allowed to connect. This is useful when you know the IP address(es) of a mail sender that is unauthorized to use your mail server.

Note that, in most cases, you would not use this option to specify the addresses that you want to grant access, because you don't know every host on the Internet that wants to send mail to your users.

To deny access to a specific computer or group of computers:

  1. Click Control access. The Access Control dialog box appears.
  2. Select the Granted Access option.
  3. Click the Add button. The Deny Access On dialog box is displayed.
  4. In the IP Address box, enter the IP address of the computer to be denied access to the SMTP server.

    To deny access to a group of computers, select the Group of Computers option. In the IP Address and Subnet Mask boxes, enter the IP address and subnet mask for the group to be denied. For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This denies access to those 254 systems.

  5. Click OK to add the IP address(es) to the list.

    Access will be granted to all computers except those listed.

  6. Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.

To grant access to a specific computer or group of computers:

  1. Click Control access. The Access Control dialog box appears.
  2. Select the Denied Access option.
  3. Click the Add button. The Grant Access On dialog box appears.
  4. In the IP Address box, enter the IP address of the computer to be granted access to the SMTP server.

    To grant access to a group of computers, select the Group of Computers option. In the IP Address and Subnet Mask boxes, enter the IP address and subnet mask for the group. For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This grants access to those 254 systems.

  5. Click OK to add the IP address(es) to the list. Access is denied to all computers except those listed.
  6. Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.
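The two Access Control list modes above, and the "Accept as Local" list used by the Relay mail for addresses option earlier on this page, all reduce to matching a client IP against address and subnet mask entries. The following added example (not Ipswitch code; function names are hypothetical and 198.51.100.4 is a constructed outside address) models both decisions so a planned list can be checked before the service is restarted.

```python
import ipaddress

# Added illustration, not IMail Server code: models the two Access Control
# list modes and the "Accept as Local" relay list described on this page.


def cidr(ip, mask="255.255.255.255"):
    """Build a network from an IP address and a dotted subnet mask.

    strict=False tolerates host bits in the address (156.21.50.7 with a
    255.255.255.0 mask); a non-contiguous mask raises ValueError.
    """
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def listed(client, entries):
    """True if the client IP falls inside any listed address or group."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in entries)


def may_connect(client, entries, default_granted=True):
    """default_granted=True: everyone connects except listed addresses.
    default_granted=False: only listed addresses connect."""
    hit = listed(client, entries)
    return not hit if default_granted else hit


def may_relay(client, local_entries, rcpt_is_local):
    """Relay mail for addresses: mail to other hosts only from local IPs."""
    return rcpt_is_local or listed(client, local_entries)


# The page's example group: 156.21.50.0 with mask 255.255.255.0.
CLASS_C = [cidr("156.21.50.0", "255.255.255.0")]

if __name__ == "__main__":
    print(sum(1 for _ in CLASS_C[0].hosts()))          # usable hosts in group
    print(may_connect("156.21.50.9", CLASS_C))          # listed, default grant
    print(may_connect("156.21.50.9", CLASS_C, False))   # listed, default deny
    print(may_relay("198.51.100.4", CLASS_C, False))    # outsider, remote rcpt
```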

Copying Inbound and Outbound Mail

On the SMTP Security tab, you can set an option to send a copy of every inbound and outbound message to a specified mailbox.

  1. In the Copy All Mail options, in the Mail address box, enter the full e-mail address to send a copy of each message to.
  2. Turn on the Enable option to enable copying of all mail.

    If you want to turn off the Copy All Mail feature, make sure the Enable option is turned off.

  3. Click Apply to save your changes.


Ipswitch, Inc.
http://www.ipswitch.com
©Ipswitch 2001
