The 20 Minute E-Mail Solution!

Setting SMTP Security Options


You can set who has access to your mail server and control SMTP security in several ways. This section describes how to use the SMTP security options to prevent unwanted access and unwanted mail. See "Security Strategies" in this chapter for information about when to use different security options.

To set any of the options for the SMTP server:

  1. Click the SMTP Security tab. The SMTP Security properties appear as shown below.
  2. Select any of the options (described in the following sections) you want to use to set security for the SMTP server.
  3. Click Apply to save your changes. You must stop and restart the service in order for your changes to take effect.

Setting Mail Relay Options

You can use the Mail Relay Options to prevent unauthorized mailings, such as mass promotional mailings (known as spam) from passing through the IMail Server as a relay or gateway. The Relay mail for Addresses option lets you configure IMail Server to only accept mail that originates from local users or that is destined for local users. You can define the systems or range of IP addresses that you want to consider local.

Some Considerations When Setting Relay Options

Consider the following issues when using the "Relay for" options.

Mail Relay Options

Relay mail for anyone. Allows the SMTP server to accept mail from any host that is destined for any other host and re-deliver the mail to the proper host (i.e., relay the mail).

This option is the least secure. It leaves your mail server open to any other SMTP server to use as a mail relay. Some bulk mailers may take advantage of this capability to not only relay mail through your server, but to make it appear as if mail is originating from your server.

Note: If you select this option, your server may be blacklisted for running an open relay. To prevent this, choose Relay mail for addresses. See "Background on SMTP Protocol Security" for more information.

If you are concerned about bulk mailers using the relay function to send mail through your server, you can restrict the addresses for which IMail Server relays mail by using the following options.

Relay mail for Addresses. You can specify the IP address or range of hosts and subnets that you want to relay mail for. IMail Server will consider these addresses to be local. If mail is received from any of the specified addresses, IMail Server will accept the mail that is destined for other hosts. Likewise, IMail Server will accept mail from other hosts that is destined for the specified addresses. To specify the valid IP addresses, click the Addresses button. The Access Control dialog box appears.

  1. Click Add. The Accept as Local dialog box appears.
  2. In the IP Address box, enter the IP address of the computer to be considered local to the IMail Server.

    You need to include the IP addresses of all of your users, because when they send a mail message, the message is relayed through the SMTP server to its destination.

    To add a group of computers, select the Group of Computers option. In the IP Address and Subnet Mask boxes, enter the IP address and subnet mask for the group to be considered local.

    For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This will allow those 254 systems to be considered the same as the local system and they can use the mail server to send mail to the outside world.

  3. Click OK to add the IP address(es) to the list.

    IMail Server will relay mail for all the computers listed.

  4. Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.

A "non-local" system that attempts to send mail through the IMail Server system will receive the following message:

550 unknown local host %s, not a gateway 
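The address-and-mask matching described above can be checked before entries go into the Accept as Local list. The following is an added example, not IMail Server code: it models which client addresses a set of entries would treat as local and flags entries that are wider than intended. The entry list, the function names and the max_hosts threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed "Accept as Local" entries as (IP address, subnet mask) pairs.
# The first is the group example from the text; the others are made up.
ENTRIES = [
    ("156.21.50.0", "255.255.255.0"),
    ("10.1.2.3", "255.255.255.255"),   # a single computer, modelled as a /32
    ("156.0.0.0", "255.0.0.0"),        # deliberately too broad, for the audit
]

def to_network(ip, mask):
    """Combine an address and dotted mask; host bits in ip are ignored."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def usable_hosts(net):
    """Addresses in the range, minus network and broadcast where they exist."""
    return net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses

def would_relay(client_ip, entries):
    """True if client_ip falls inside any entry, i.e. is treated as local.
    False corresponds to the 550 "not a gateway" refusal quoted above."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in to_network(ip, mask) for ip, mask in entries)

def audit(entries, max_hosts=1024):
    """Return (entry, host_count) for entries wider than max_hosts.
    max_hosts is an arbitrary review threshold, not an IMail setting."""
    findings = []
    for ip, mask in entries:
        count = usable_hosts(to_network(ip, mask))
        if count > max_hosts:
            findings.append(((ip, mask), count))
    return findings

if __name__ == "__main__":
    for ip, mask in ENTRIES:
        print(ip, mask, usable_hosts(to_network(ip, mask)), "hosts")
    print("too broad:", audit(ENTRIES))
```

An entry with a short mask relays for every address it covers, so a single mistyped mask can have nearly the same effect as Relay mail for anyone.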

No Mail Relay. The SMTP server will refuse to accept mail destined for other hosts (any host not on the IMail server), unless the user authenticates. If all of your users send and receive mail from the same host that IMail Server is on, or if they use web messaging to access mail, you can select this option. You will still receive mail for local users because a message destined for or originating from the IMail Server host does not use the relay function.

To force users to authenticate with this option, go to the SMTP Security tab, select the No Mail Relay option, and clear the Disable SMTP Auth Reporting option. No Mail Relay is the best option if you cannot use Relay mail for addresses because your users dial up using dynamic IP addresses.

Relay mail for local hosts. This option limits relay access to mail hosts on your IMail Server, by checking the "From" address of incoming mail to assure that it contains a valid IMail Server host name. This must be the name of a host or virtual host, or a valid alias for a host on the IMail Server system. If it is not, the server does not relay the mail. If a host has an alias, you must enter the alias in the accept.txt file located in the IMail top directory.

You can use the accept.txt file in conjunction with this option to make the IMail Server accept the named remote hosts as "local" hosts.

Relay mail for local users. Checks the "From" address of incoming mail and determines that it contains a valid IMail Server host name, then checks that host for the user ID. It does not check user aliases; thus, if a user needs to use an alias for their e-mail address, the alias needs to be in accept.txt. If the host name or User ID is not valid, the server does not relay mail.

You can use the accept.txt file in conjunction with this option to name remote hosts and users that you want IMail Server to accept as local.

You cannot use this option if you are using a "store and forward" setup to relay mail for another server.

Note: Any changes made to the mail relay options will not take effect until the SMTP service is stopped and restarted.

When you use one of the "Relay for" options, you may have users who need to send mail from an IP address not listed. You can do this with IMail Server's support for the SMTP AUTH command. Make sure the remote user selects the "user authorization" option in their mail client. (Note that this feature will be named differently on different clients.) SMTP AUTH authenticates the user ID and password of a user sending mail. This is handled transparently by the mail server and client.

Note: If you are using a client such as Outlook or Eudora, you must select "my server requires authentication". The wording of this option may vary depending on the client used.

Using the accept.txt file. The accept.txt file lets you name remote hosts and users that you want the IMail Server to accept as "local" hosts and users. This file can be used with the Relay for Local Hosts Only and Relay for Local Users Only options.

To create an accept.txt file, do the following:

  1. Using Windows Notepad or another editor, create a file and name it accept.txt.
  2. Enter one IP address or host name per line. Do not use spaces or punctuation.

    For example, to enter hosts:

    mail1.widget.com
    mail5.foo.com

    For example, to enter users:

    fred@mail1.widget.com
    bob@mail5.foo.com

    The accept.txt file must have an exact match for the respective host or e-mail address. It does not accept wild cards or partial matches.

  3. Save the accept.txt file in the following location: [IMail Top Directory]\accept.txt
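Because accept.txt needs one exact entry per line, a malformed line silently fails to match instead of producing an error. The following check is an added example, not part of IMail Server: it flags lines that break the rules above and shows the effect of exact matching. The sample file content and function names are constructed, and the case-sensitive comparison and the handling of blank lines are assumptions.

```python
import re

# Constructed accept.txt content: two valid entries and three common mistakes.
SAMPLE = (
    "mail1.widget.com\n"
    "fred@mail1.widget.com bob@mail5.foo.com\n"
    "*.foo.com\n"
    "mail5.foo.com,\n"
    "bob@mail5.foo.com\n"
)

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
# Optional "user@" followed by a dotted host name or IPv4 address.
ENTRY = re.compile(rf"(?:[A-Za-z0-9._+-]+@)?{LABEL}(?:\.{LABEL})*")

def lint(text):
    """Return (line_number, problem) for every line that breaks the rules."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue  # blank lines are ignored here (assumption)
        if any(ch.isspace() for ch in line):
            problems.append((number, "contains a space; use one entry per line"))
        elif "*" in line or "?" in line:
            problems.append((number, "wildcard; only exact matches are accepted"))
        elif not ENTRY.fullmatch(line):
            problems.append((number, "unexpected punctuation"))
    return problems

def is_accepted(name, text):
    """Exact, whole-line comparison (case-sensitive here, an assumption)."""
    return name in text.splitlines()

if __name__ == "__main__":
    for number, problem in lint(SAMPLE):
        print(f"line {number}: {problem}")
    print("fred accepted:", is_accepted("fred@mail1.widget.com", SAMPLE))
```

In the sample, fred@mail1.widget.com is not accepted because it shares a line with a second address, and www.foo.com is not accepted because the wildcard line is never expanded.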

Setting Access to Local Mail Groups

You can use the following options to set access to local mail groups (aliases of type Group) on your mail server. (These options do not affect list-server mailing lists, standard aliases, or program aliases.)

Allow remote mail to local groups. When selected, the SMTP server accepts mail addressed to a group that has been defined using IMail Administrator. The SMTP server re-sends the message to users in the group.

Allow remote view of local groups. When selected, the SMTP server allows a remote host to execute an SMTP "EXPN" command to show all users in a group that has been defined using IMail Client.

Note: The settings described above do not affect mail to list-server mailing lists. Group aliases are affected. You must have the Allow remote mail to local groups enabled for a group alias to work.

Validating Incoming Mail

You can use the following options to check that incoming mail was sent from a valid user mail account or to deny access to specified mail addresses. IMail Server will always include the IP address of the source of a message in the message header.

Check valid sender. If enabled, IMail Server requires that the user's mail address (user@host) is specified in the MAIL FROM or REPLY-TO line of an incoming mail message. Note that a null address (< >) in the MAIL FROM line is handled separately by enabling or disabling the Refuse NULL < > Senders option.

Auto-deny possible hack attempts. If more than 512 characters are sent during anything but the SMTP DATA command, the remote IP address is temporarily put in the "deny access" (Control Access) file until you stop and restart the service. Sending more than 512 characters in anything but the SMTP DATA command will look like an attempt to "hack" into your server. You will not see the address in the "deny access" list, but it is reported in the log file.
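The same rule can be applied when reviewing captured SMTP sessions from other sources. The following is an added example, not IMail Server code: it walks the client side of a session, skips message content sent after DATA, and reports any command line longer than 512 characters. The session lines are constructed, and counting characters without the line ending is an assumption.

```python
LIMIT = 512  # threshold stated in the text

def overlong_commands(client_lines, limit=LIMIT):
    """Return (index, verb, length) for client lines over limit outside DATA."""
    findings, in_data = [], False
    for index, line in enumerate(client_lines):
        if in_data:
            # Message content ends with a line holding a single dot.
            if line == ".":
                in_data = False
            continue
        if len(line) > limit:
            verb = line.split(" ", 1)[0][:16]
            findings.append((index, verb, len(line)))
        if line.strip().upper() == "DATA":
            in_data = True
    return findings

# Constructed client side of one session: an oversized RCPT TO argument
# and a long body line that must not be reported.
SESSION = [
    "HELO client.example",
    "MAIL FROM:<a@client.example>",
    "RCPT TO:<" + "A" * 600 + "@mail1.widget.com>",
    "DATA",
    "Subject: long body line",
    "x" * 2000,
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for index, verb, length in overlong_commands(SESSION):
        print(f"line {index}: {verb} command of {length} characters")
```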

Disable SMTP "VRFY" command. The SMTP VRFY command is used to verify a user ID on a host - as such it can be used from a remote host to test for valid user IDs. If you select this option, when IMail Server receives an SMTP VRFY request, it returns the message: 252 Cannot VRFY user

Note: Do not select the Disable SMTP VRFY command when using "peer" IMail Servers. A peer server needs to use this command to verify a user that is on the other peer. See "Setting Up "Peer" IMail Servers" for more information.

Edit kill file. The SMTP kill file lets you specify a mail address or a particular mail host that you do not want to accept mail from. To specify a mail address or host in the kill file, click the Edit kill file button.

The file kill.lst appears in Windows Notepad. In the kill.lst file, enter one entry per line in either of the following formats:

IMail Server checks the incoming message's MAIL FROM: <user@host> line. When it receives mail from an address listed in the SMTP kill file, IMail Server returns the message:

501 unacceptable mail address 

The kill.lst resides in the IMail top directory and applies to the primary host and all virtual hosts.

Setting Access to the SMTP Server

You can specify an IP address or set of IP addresses that are either granted access to the SMTP server or denied access. Systems that do not have access to the SMTP server system will not be allowed to connect. This is useful when you know the IP address(es) of a mail sender that is unauthorized to use your mail server.

Note that, in most cases, you would not use this option to specify the addresses that you want to grant access, because you don't know every host on the Internet that wants to send mail to your users.

To deny access to a specific computer or group of computers:

  1. Click Control access. The Access Control dialog box appears.
  2. Select Granted Access.
  3. Click Add. The Deny Access On dialog box is displayed.
  4. In the IP Address box, enter the IP address of the computer to be denied access to the SMTP server.

    To deny access to a group of computers, select Group of Computers. In the IP Address and Subnet Mask boxes, enter the IP address and subnet mask for the group to be denied. For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This denies access to those 254 systems.

  5. Click OK to add the IP address(es) to the list.

    Access will be granted to all computers except those listed.

  6. Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.

To grant access to a specific computer or group of computers:

  1. Click Control access. The Access Control dialog box appears.
  2. Select Denied Access.
  3. Click Add. The Grant Access On dialog box appears.
  4. In the IP Address box, enter the IP address of the computer to be granted access to the SMTP server.

    To grant access to a group of computers, select the Group of Computers option. In the IP Address and Subnet Mask boxes, enter the IP address and subnet mask for the group. For example, if you have a class C address space of 156.21.50.0, enter a group address of 156.21.50.0 and a subnet mask of 255.255.255.0. This grants access to those 254 systems.

  5. Click OK to add the IP address(es) to the list. Access is denied to all computers except those listed.
  6. Click OK to save the changes. Note that you must stop and restart the service for the changes to take effect.

Copying Inbound and Outbound Mail

On the SMTP Security tab, you can set an option to send a copy of every inbound and outbound message to a specified mailbox.

  1. In the Copy All Mail options, in the Mail address box, enter the full e-mail address to send a copy of each message to.
  2. Turn on the Enable option to enable copying of all mail.

    If you want to turn off the Copy All Mail feature, make sure the Enable option is turned off.

  3. Click Apply to save your changes.


Ipswitch, Inc.
http://www.ipswitch.com
©Ipswitch 2001