Mail Gateway
This document is about the Web Administration's Mail Gateway sections. The mail gateway sections are available in both the SPG and VSP, since they are by definition mail gateways.
Block chart overview
The SPG/VSP are specialized mail (SMTP) gateway products, which focus on the problem of ensuring that every genuine e-mail is delivered while preventing attacks, spam and viruses. Below is a chart that outlines which part of the H/OS 2 operating system is involved during each stage of an SMTP session.
| SMTP | Flow | Configured per | HSL script | Process | Description |
|---|---|---|---|---|---|
| connect | Flows > IP Policy | Domains > Incoming | IP Policy | ippolicyd | Handling IP packets, like a scripted firewall. Used mainly to block spam on connection level. |
| AUTH LOGIN | Flows > Authentication | Domains > Incoming | Mail Authentication | mailpolicyd | Used if client tries to authenticate (SASL). Used mainly to provide transparent authentication for outgoing mail filtering. |
| RCPT TO | Flows > Recipient | Domains | Mail Recipient | mailpolicyd | Filtering accounts (MAIL FROM/RCPT TO combinations) in order to control relaying, prevent backscattering, check SPF, etc. A flow is configured (chosen) per recipient domain. |
| DATA | Flows > Content | Domains | Mail Content | mailscand | Processing the actual mail message, doing spam and virus detection, adding headers such as DKIM, etc. A flow is configured (chosen) per recipient domain. |
| N/A | Domains > Transport | Domains | Mail Transport | mailqueued | Delivering queued messages. The script is used to determine what is to be done if a delivery fails. The transport is chosen per recipient domain, or overridden by the content flow. |
Sections of the Mail Gateway administration
The following sections describe each of the mail gateway sections, found in the Web Administration.
Incoming SMTP Listeners
The Incoming section allows users to configure mail listeners (receivers) and displays the incoming queue. The incoming queue lists messages that are awaiting processing by the mailscanner process. A mail listener is essentially a mail server listening on a port (usually 25).
An incoming SMTP listener is a server object bound to listen (accept connections) on either all addresses configured on an appliance or just a few addresses. Listeners are pre-configured to listen on port 25, since that is the mail delivery (SMTP) port by definition. A listener only accepts a message if its recipient address's domain is configured on the appliance and assigned to that specific listener.
Direct processing
Normally, a message is scanned "inline", so that you can reject it during the SMTP session (with an error response such as "550 We think this is spam"). However, by disabling direct processing, messages are instead placed in the incoming queue, available on the Mail Gateway → Activity → Incoming tab. The incoming queue is continuously processed by the mailscanner, according to the assigned mail content flow.
Connection-level protection
If an IP Policy is used, a connection must be allowed by the IP Policy flow before it is accepted, providing connection-level filtering. IP Policies are configured under Security → IP Policy and provide features such as rate control, black and white lists, DNSBL and GlobalView.
GlobalView is a subscription service that typically stops more than 80% of spam at connection level. This means that the spammer never gets to talk to the appliance; the connection is blocked instantly. GlobalView also protects against botnets and other threats.
SSL/TLS Support
To activate TLS, go to Mail Gateway → Incoming and enable the advanced option "Support TLS" for your incoming listener. Read more about the use of TLS and PKI.
You may also use TLS for outgoing traffic; see the TLS Certificates section.
SASL Authentication
Mail Gateway SASL documentation.
Domains
In order for an incoming SMTP listener to know which domains to relay for, domain objects need to be defined and associated with a listener. Even when using LDAP or a text file as the recipient database for the incoming listener, domains are still required, since the mailscanner (which applies the process flows) needs to know which flow to use. A so-called "any" domain is available if no domain-specific associations are to be made.
Domains Tab
A domain is the core of the mail configuration: it connects all parts (incoming listener, flow, transport) together in a unique combination of incoming listener and domain. This means that the same domain can be defined multiple times on different incoming listeners. The lookup of the domain to use is narrowed down by first searching for the most specific listener and then the most specific domain: a defined IP address is matched before "any", and likewise a defined domain is matched before "any" (just like an IP routing table).
Recipient Flows
In the recipient flow, you may at an early stage check the SPF record, look up users in LDAP, etc. If no "Recipient Flow" has been configured for a listener, it accepts mail messages for all users on the domains assigned to it. The appliance can, however, look up specific users on a domain by using LDAP, a text file, or a Mail Recipient flow. Recipient flows are chosen per domain, but the default "SPF and Recipient" flow is very good and can usually be chosen for all domains.
Domain Alias Tab
The relationship between a domain alias and its parent domain is that the domain alias inherits all settings from the parent domain. Also, quarantine users with equal names are automatically joined between the alias and the parent domain.
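The listener-then-domain lookup described in the Domains Tab, together with alias inheritance from the Domain Alias Tab, modelled as an added Python example (not product code; the class names, the flow names and the constructed listener table are illustrative). It assumes that once a specific listener has matched, a recipient domain not assigned to it is rejected rather than falling back to the "any" listener, which follows from a listener only accepting domains assigned to it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "any"  # the page's "any" listener address and "any" domain


@dataclass
class Listener:
    """Hypothetical model of an incoming SMTP listener and its assigned domains."""
    name: str
    addresses: List[str]                                  # bound IPs, or [ANY]
    domains: Dict[str, str] = field(default_factory=dict)  # domain -> content flow
    aliases: Dict[str, str] = field(default_factory=dict)  # alias domain -> parent


def match_listener(listeners: List[Listener], local_ip: str) -> Optional[Listener]:
    """Most specific listener first: a listener bound to local_ip beats one bound to ANY."""
    for listener in listeners:
        if local_ip in listener.addresses:
            return listener
    for listener in listeners:
        if ANY in listener.addresses:
            return listener
    return None


def resolve_flow(listeners: List[Listener], local_ip: str,
                 recipient: str) -> Optional[Tuple[str, str, str]]:
    """Return (listener name, matched domain entry, content flow), or None to reject."""
    listener = match_listener(listeners, local_ip)
    if listener is None:
        return None
    domain = recipient.rsplit("@", 1)[-1].lower()
    domain = listener.aliases.get(domain, domain)   # alias inherits the parent's settings
    for candidate in (domain, ANY):                 # defined domain matched before "any"
        if candidate in listener.domains:
            return (listener.name, candidate, listener.domains[candidate])
    return None                                     # domain not assigned to this listener


# Constructed sample configuration (illustrative IPs from the 192.0.2.0/24 documentation range).
LISTENERS = [
    Listener("customer-a", ["192.0.2.10"], {"example.com": "strict-content"},
             aliases={"example.org": "example.com"}),
    Listener("default", [ANY], {"example.net": "default-content", ANY: "relay-any"}),
]

if __name__ == "__main__":
    print(resolve_flow(LISTENERS, "192.0.2.10", "bob@EXAMPLE.ORG"))  # via alias
    print(resolve_flow(LISTENERS, "192.0.2.20", "bob@other.test"))   # "any" domain
```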
Mail Content Flows
Mail Content Flows are selected per domain, in the "Domains" section. They process the mail once the mail data (the SMTP "DATA" command) is available. Hence, mail content flows have more parameters available than, for example, IP Policy Flows, which only have an IP packet object to operate on.
Objects (modules) in a mail content flow can be added, removed or re-ordered. If the pre-defined objects prove insufficient, you can use the "Script" module to write your own HSL code, using the commands available in the Core and Mail Content extensions.
Custom Icon on Script Blocks
In the first comment of the script block, specify an icon using --webui-icon=http://url, for example:
```
// My first block --webui-icon=http://example.org/images/internet-mail.png
echo "Hello World";
```
Quarantine
The quarantine temporarily stores messages so that end-users can release them.
LDAP
LDAP documentation.
Logging and History
Mail Gateway logging documentation.