Mail Gateway
From Halon Security
For the SPG to handle a domain, the domain must be known to it: it has to be defined on the incoming listener that the sender connects to. If something does not work as intended, see the section on Mail Troubleshooting.
Incoming
The Incoming section lets you configure mail listeners (receivers) and displays the incoming queue. The incoming queue lists messages that are awaiting processing by the mailscanner process.
Incoming SMTP Listeners Tab
An incoming SMTP listener is a server object bound to listen (accept connections) on either all addresses configured on an appliance or a subset of them. Listeners are pre-configured for TCP port 25, the standard SMTP mail delivery port. A listener only accepts a message if the domain of its recipient address is configured on the appliance and assigned to that specific listener.
Once a listener has accepted a message, it is placed in the incoming queue, visible under Mail Gateway → Incoming Queue in the Web Administration. The incoming queue is continuously processed by the mail scanner according to the assigned process flow.
IP Filtering / Access Control
If an Access Control is used, a connection must be allowed by the Access Control flow before it is accepted. The Access Control flow allows IP-based filtering of SMTP connections. Access Controls are configured under Security → Access Control and provide features such as rate control, black and white lists, DNSBL and GlobalView.
SASL Authentication
You may require users to authenticate before they are able to send mail outbound (or inbound), just as an SMTP server would. Since the SPG/VSP has no user database of its own, users are authenticated externally using SMTP Forwarding Authentication, LDAP, FTP/FILE or HTTP. The PLAIN and LOGIN mechanisms are supported; both carry the password in clear text (only base64-encoded), so they should only be used over a TLS-protected session.
This is a two-step process. In the AUTH flow the user tries to authenticate; if that succeeds, you may treat their mail differently in the RCPT flow. Below is an example using SMTP Forwarding Authentication, shown only to illustrate the process; you are normally not required to use scripting to achieve this, since it can be done with other modules.
AUTH Flow:
```
// SMTP Forwarding Authentication
if (smtp_lookup_auth("mailtransport:1", $saslusername, $saslpassword) == 1)
{
    echo "$saslusername successfully SMTP authenticated";
    Accept();
}
Reject("You failed ($saslusername)");
```
RCPT Flow:
```
// Only allow if the user is authenticated
if ($saslauthed)
    Accept();
else
    Reject("This server requires authentication");
```
SMTP Forwarding Authentication
SMTP Forwarding Authentication uses an existing mail transport (lookup-mx is not supported) and tries to authenticate against it with the username and password the client provided.
Example
Script:
```
if (smtp_lookup_auth("mailtransport:1", $saslusername, $saslpassword) == 1)
{
    echo "$saslusername successfully SMTP authenticated";
    Accept();
}
```
LDAP Authentication
LDAP Authentication tries to bind to the directory using the username and password the client provided.
Example
Script:
```
if (in_ldap("ldap:4", $saslusername, array("username"=>"$saslusername@halon.se","password"=>$saslpassword))==100)
{
    echo "$saslusername successfully LDAP authenticated";
    Accept();
}
```
FILE Authentication
File Authentication looks up the username and password in a text file. The file holds passwords in clear text, so restrict who can read it on the FTP account.
Example
Upload a file called accounts.txt to the FTP with the following content, one account per line:
```
username1:password1
username2:password2
username3:password3
```
Script:
```
if (count($info=in_file($saslusername,"file://accounts.txt", ":")) == 2 and $info[1] == $saslpassword)
{
    echo "$saslusername successfully FILE authenticated";
    Accept();
}
```
HTTP Authentication
HTTP Authentication looks up the username and password against a web service. In the example below the credentials travel in the URL query string, so the web service should be reachable over HTTPS only, and you should expect them to show up in that web server's access logs unless you configure it otherwise.
Example
```
if (http("http://test.example.org/smtp_authentication.php?username=$1&password=$2", 10, $saslusername, $saslpassword) == "OK")
{
    Accept();
}
```
Recipient Flows
In the recipient flow you may, at an early stage, check the SPF record, look up users in LDAP, and so on. If no Recipient Flow has been configured for a listener, it accepts mail to all users on the domains assigned to it. The appliance can however look up specific users on a domain, using LDAP, a text file or a Mail Listener flow. The Recipient Flow field is available under the Advanced Options of the Incoming SMTP Listener tab.
Recipient Flow
If you need more fine-grained user control, use a Mail Listener flow, which gives you full access to the HSL language, including functions such as SPF and smtp_lookup_rcpt.
LDAP (Deprecated: Use Recipient Flows)
If one or more matches are returned from the LDAP query, the recipient is accepted. LDAP profiles can be tested with the LDAP Look Up tool on the Diagnostics page of the Web Interface. To use LDAP as a recipient database you must first configure an LDAP profile; profiles are found under Mail Gateway → LDAP. For help with the various parameters, see the LDAP Howto.
Text File (Deprecated: Use Recipient Flows)
If you cannot use LDAP for recipient lookup, a text file can be used instead. The file lives on the SPG's FTP server at mail/mail_server__1_recipient_access.txt, where "1" is the ID of the mail listener it applies to. Each recipient goes on a line of its own. The syntax is:
| Address | Action (optional) | Explanation |
|---|---|---|
| Address | empty same as OK | Accept the recipient |
| Address | OK | Accept the recipient |
| Address | REJECT | Reject the recipient |
| Address | DEFER | Fail the recipient (may trigger a retry later) |
An example file may look like this:
```
test@example.org
test2@example.org OK
test3@example.org DEFER
```
There is no need to restart anything, as soon as the file is changed (new file uploaded) it will be used by the system.
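As an added example (not Halon's own code), the following Python parses a recipient access file of the shape described above and applies it to incoming recipients. The file format is taken from the page; the choices marked as assumptions in the comments (case-insensitive address matching, rejecting addresses that are not listed, raising on malformed lines) are not stated on the page.

```python
# Added example (not Halon's code): a parser for the per-listener recipient
# access file described above, plus a lookup that applies it. Assumptions are
# marked in comments; the file format itself is taken from the page.
import re
from typing import Dict

ACTIONS = {"OK", "REJECT", "DEFER"}
# Loose address check: one '@', no whitespace. Assumption, not from the page.
_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+$")


def parse_recipient_access(text: str) -> Dict[str, str]:
    """Parse 'address [action]' lines into {address: action}.

    An empty action means OK, as the page states. Blank lines are skipped and
    malformed lines raise, so a typo cannot silently turn into 'accept'."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) > 2:
            raise ValueError(f"line {lineno}: expected 'address [action]', got {raw!r}")
        address = parts[0].lower()  # assumption: addresses compared case-insensitively
        if not _ADDRESS.match(address):
            raise ValueError(f"line {lineno}: {parts[0]!r} is not an address")
        action = parts[1].upper() if len(parts) == 2 else "OK"
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {parts[1]!r}")
        table[address] = action
    return table


def is_valid_recipient_file(text: str) -> bool:
    """True if every line parses; run this before uploading a new file."""
    try:
        parse_recipient_access(text)
    except ValueError:
        return False
    return True


def recipient_action(table: Dict[str, str], recipient: str) -> str:
    """Return OK, REJECT or DEFER for a recipient.

    The page does not say what happens to addresses missing from the file;
    treating them as REJECT is the assumption here, because the file is meant
    to act as the recipient database for the listener."""
    return table.get(recipient.strip().lower(), "REJECT")


# Constructed sample, same shape as the file shown on the page.
SAMPLE_FILE = """\
test@example.org
test2@example.org OK
test3@example.org DEFER
test4@example.org reject
"""

if __name__ == "__main__":
    table = parse_recipient_access(SAMPLE_FILE)
    for rcpt in ("test@example.org", "TEST3@example.org", "nobody@example.org"):
        print(rcpt, "->", recipient_action(table, rcpt))
```

Validating the file before upload matters because, per the page, a newly uploaded file takes effect immediately, with no restart in between.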
Domains
For an incoming SMTP listener to know which domains to relay for, domain objects need to be defined and associated with the listener. Even when LDAP or a text file is used as the recipient database for the listener, domains are still required, since the mailscanner (which runs the process flows) needs to know which one to use. A so-called "any" domain is available when no domain-specific associations are needed.
Domains Tab
A domain is the core of the mail configuration: it connects all parts together (incoming listener, flow, transport) in a unique combination of listener and domain. This means the same domain can be defined multiple times on different incoming listeners. The lookup proceeds from the most specific listener to the most specific domain: a listener bound to a defined IP is matched before one bound to "any", and likewise a defined domain is matched before the "any" domain.
Domain Alias Tab
A domain alias inherits all settings from its parent domain. Quarantine users with the same name on the alias and the parent domain are automatically joined.
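As an added example (not Halon's own code), the following Python models the lookup described in the Domains and Domain Alias tabs: the most specific listener first (an explicit IP before "any"), then the most specific domain on that listener (an explicit domain before "any"), with aliases resolved to their parent domain. The listener and alias configuration is constructed for the demo, and the assumption that "any" listeners are only consulted when no listener is bound to the connection's IP is mine, not the page's.

```python
# Added example (not Halon's code): pick the (listener, domain) pair that
# handles a recipient, following the precedence described above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"


@dataclass
class Listener:
    id: int
    address: str                                    # bound IP address, or ANY
    domains: Set[str] = field(default_factory=set)  # lower-case names, may include ANY


def resolve(listeners: List[Listener], aliases: Dict[str, str],
            local_ip: str, recipient: str) -> Optional[Tuple[int, str]]:
    """Return (listener id, domain used) or None if no listener/domain matches.

    Assumption: a connection arriving on an IP that has its own listener is
    handled only by listeners bound to that IP; "any" listeners are considered
    only when no listener is bound to the address."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    domain = aliases.get(domain, domain)          # alias inherits the parent's settings
    bound = [lst for lst in listeners if lst.address == local_ip] or \
            [lst for lst in listeners if lst.address == ANY]
    for candidate in (domain, ANY):               # explicit domain before "any"
        for listener in bound:
            if candidate in listener.domains:
                return listener.id, candidate
    return None


# Constructed configuration for the demo.
LISTENERS = [
    Listener(1, ANY, {ANY}),                     # catch-all on every address
    Listener(2, "10.0.0.5", {"example.org"}),    # inbound for one domain
    Listener(3, "10.0.0.5", {ANY}),              # everything else arriving on that IP
]
ALIASES = {"example.com": "example.org"}        # alias -> parent domain

if __name__ == "__main__":
    for ip, rcpt in (("10.0.0.5", "a@example.org"), ("10.0.0.5", "a@example.com"),
                     ("10.0.0.5", "a@other.net"), ("10.0.0.6", "a@example.org")):
        print(ip, rcpt, "->", resolve(LISTENERS, ALIASES, ip, rcpt))
```

A None result is the case the page describes as the listener not accepting the message: the recipient's domain is neither assigned to the listener nor covered by an "any" domain on it.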
Process Flows
Process Flows Tab
Quarantine
Instead of delivering a suspected spam message to the user, it can be placed in quarantine. The quarantine is a web-based mail system where the user can log in and recover genuine messages before they are permanently deleted.
Branding
For information about how to apply branding on the quarantine read [this document].
Quarantine Tab
Retention Policy
Since mail cannot and should not be stored in the quarantine forever, you may want to apply a retention policy. A retention policy states when a message should be deleted from the quarantine and when a user should be deferred (that is, denied further mail until they have cleaned up their quarantine, or the age parameter has done it for them). The syntax for a policy is:
| Parameter | Value | Default | Action | Explanation |
|---|---|---|---|---|
| age | seconds | no default | Delete Message | If a quarantined message is older than "age" |
| size | bytes | no default | Defer User | If the total size of the user's quarantine exceeds "size", defer all new mail |
| count | number | no default | Defer User | If the total number of messages in the user's quarantine exceeds "count", defer all new mail |
| warnlevel | number | 90 | Warn User | If the quarantine has reached this percentage of a configured limit (size or count), warn the user to empty the quarantine |
All these parameters may be combined, like the example below;
age=604800,count=1000,size=10485760
It is always recommended to set an age parameter so the system cleans up for you. A deferred user who cleans up their quarantine is accepted again within 15 minutes.
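As an added example (not Halon's own code), the following Python parses a retention policy string of the form shown above and evaluates it against one user's quarantine, applying the four parameters as the table defines them. The message data is constructed; "exceeds" is read as strictly greater than the limit, which is my reading of the table rather than something the page spells out.

```python
# Added example (not Halon's code): parse "age=...,count=...,size=..." and
# evaluate it against a user's quarantine as the retention table describes.
from dataclasses import dataclass
from typing import Dict, List, Tuple

POLICY_KEYS = ("age", "size", "count", "warnlevel")


@dataclass
class Message:
    id: str
    size: int       # bytes
    received: int   # Unix timestamp


def parse_policy(policy: str) -> Dict[str, int]:
    """Parse the comma-separated key=value policy; warnlevel defaults to 90."""
    parsed: Dict[str, int] = {"warnlevel": 90}
    for item in policy.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or key not in POLICY_KEYS or not value.isdigit():
            raise ValueError(f"bad policy item {item!r}")
        parsed[key] = int(value)
    return parsed


def is_valid_policy(policy: str) -> bool:
    try:
        parse_policy(policy)
    except ValueError:
        return False
    return True


def apply_policy(policy: Dict[str, int], messages: List[Message],
                 now: int) -> Tuple[List[Message], bool, bool]:
    """Return (messages kept after age expiry, defer_new_mail, warn_user).

    age: messages older than the limit are deleted.
    size / count: if the remaining quarantine exceeds the limit, new mail is deferred.
    warnlevel: if usage reaches this percentage of either limit, the user is warned."""
    kept = [m for m in messages
            if "age" not in policy or now - m.received <= policy["age"]]
    usage = {"size": sum(m.size for m in kept), "count": len(kept)}
    defer = warn = False
    for key, used in usage.items():
        if key not in policy:
            continue
        limit = policy[key]
        if used > limit:
            defer = True
        if used * 100 >= limit * policy["warnlevel"]:
            warn = True
    return kept, defer, warn


# Constructed quarantine: one message is a week and more old, the rest recent.
NOW = 1_000_000
QUARANTINE = [
    Message("a", 100, NOW - 10),
    Message("b", 500, NOW - 700_000),   # older than age=604800, gets deleted
    Message("c", 300, NOW - 100),
    Message("d", 200, NOW - 50),
]

if __name__ == "__main__":
    pol = parse_policy("age=604800,count=3,size=1000")
    kept, defer, warn = apply_policy(pol, QUARANTINE, NOW)
    print([m.id for m in kept], "defer:", defer, "warn:", warn)
```

In the constructed run three messages survive the age check, which is exactly the count limit: not yet exceeded, so no deferral, but at 100% of the limit the warnlevel of 90 fires and the user is told to clean up.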
Outgoing
The outgoing section contains SMTP transport configuration and monitoring. An SMTP transport is handled by the queueprocessord service, which delivers mail on behalf of the Deliver() script function, i.e. mail that was neither deleted nor quarantined.
Outgoing SMTP Transport Tab
The final step in processing mail is delivery. If you use the SPG for inbound delivery you should give the IP address of your receiving mail server: the MX record most likely points to the SPG, and delivering by MX would create a mail loop. If you use the SPG for outbound delivery you probably want the "Use MX Record" feature.
Retry and Give Up
If the SPG fails to deliver a message, it is queued for delivery at a later time, governed by the "Retry Delay" and "Retry Count" settings. Once the Retry Count is exceeded the SPG can either generate a DSN (see the "Generate DSN" feature) or simply discard the message and take no further action. The SMTP RFC recommends long delays and many retries; SMTP is an old protocol, and in the days of dial-up mail servers were not always online, so large values kept mail from being lost or having to be resent all the time.
We think it is a good idea to lower these values so that the SPG gives up after at most 1-2 days. If you know your mail server will be down for longer, you can pause the delivery process in the SPG and resume it once the server is back online, as if nothing happened.
Values are given in minutes.
Outbound Delivery
If you use the SPG for outbound delivery, use a very small "Retry Delay" (e.g. 1,3,5) and "Retry Count" (e.g. 3) together with the "Generate DSN" feature, so the sending client is notified within minutes when delivery fails.
TLS Certificates
When delivering mail you may choose to use TLS. For TLS to prevent a man-in-the-middle attack you should use "Require and Verify"; this verification requires the remote server's certificate to be installed on your system. Go to Security -> Certificates and install a new "Remote Certificate" containing the public certificate. You can fetch the certificate with OpenSSL as shown below, but this is not a secure way to obtain it if you are already subject to a man-in-the-middle attack: a certificate fetched over the network should be checked against a copy or fingerprint obtained from the remote server's administrator, or taken directly from the certificate installed on that server (not covered in this documentation).
```
openssl s_client -starttls smtp -connect smtp.google.com:25 -showcerts
```
Use the first "-----BEGIN CERTIFICATE-----" section; that is the server's own certificate, and the sections after it are the chain.
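As an added example (not Halon's own code), the following Python extracts the first certificate from `openssl s_client -showcerts` output and computes its SHA-256 fingerprint in the same format `openssl x509 -fingerprint -sha256` prints, so the certificate you are about to install as a Remote Certificate can be compared with a fingerprint obtained out of band. The s_client output is constructed for the demo and its base64 bodies are not real certificates; fingerprinting only needs the DER bytes, so nothing is parsed.

```python
# Added example (not Halon's code): pick the first PEM block out of s_client
# output and fingerprint it for out-of-band comparison.
import base64
import hashlib
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_blocks(text: str) -> List[str]:
    """Return every PEM certificate block in s_client output, in order
    (server certificate first, then the chain as s_client prints it)."""
    blocks: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def first_certificate(text: str) -> str:
    """The block to paste into the Remote Certificate field."""
    blocks = pem_blocks(text)
    if not blocks:
        raise ValueError("no certificate found in s_client output")
    return blocks[0]


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted AA:BB:... like openssl does."""
    body = "".join(l for l in pem.splitlines() if l not in (BEGIN, END))
    der = base64.b64decode(body, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed s_client transcript; the certificate bodies are placeholders.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.org
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
""" + base64.b64encode(b"constructed server cert, not real DER").decode() + """
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
""" + base64.b64encode(b"constructed intermediate, not real DER").decode() + """
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    cert = first_certificate(SAMPLE_S_CLIENT_OUTPUT)
    print(cert)
    print("SHA256 fingerprint:", sha256_fingerprint(cert))
```

Feed it the real output with `openssl s_client -starttls smtp -connect host:25 -showcerts < /dev/null | python3 this_script.py` (adapting the `__main__` block to read stdin) and compare the printed fingerprint with the one the remote administrator gives you before installing the certificate.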
Outgoing Queue Tab
The outgoing queue consists of mail that has been scanned by the mail scanning process and is ready for delivery. This queue is what the queue processing processes handle: once the "next retry" time is reached, delivery is attempted again. If a message is stuck in this queue it might be because:
* The mail server is down
* The mail server has virus/spam protection that denies the delivery
* The mail server has a stricter policy (for example "sender domain must exist")
If your queue fills up with mail that cannot be delivered to the mail server, consider lowering the "Retry Count", since it is unlikely the mail will be accepted in the near future.
SASL Authentication
Some servers and relays require SASL authentication before accepting outbound mail. CRAM-MD5, LOGIN and PLAIN are supported. Username and password are specified per outgoing transport.
LDAP
If you are using Microsoft Exchange or IceWarp/Merak, an LDAP profile may look like this.
| Parameter | Value | Exchange (IAS) Example | IceWarp/Merak/OpenLDAP |
|---|---|---|---|
| Name | User defined name | My LDAP | My LDAP |
| Server Address | Address of LDAP Server | 10.0.0.5 | 10.0.0.5 |
| Username (DN) | Distinguished Name | cn=username, ou=company, dc=example, dc=org | cn=admin, dc=root |
| Password | Password | mysecretpassword | mysecretpassword |
| Search Base (DN) | Distinguished Name | dc=example, dc=org | dc=root |
| Query Filter | Query Filter | (proxyAddresses=smtp:%s) | (mail=%s) |
Logging and History
Activity
Incoming Queue
The Incoming Queue consists of mail that has not yet been scanned by the mail scanning process. This queue can receive mail much faster than the mail scanning process can process it, which helps the SPG absorb large bursts of mail. As storage fills up, the SPG starts to defer messages until it has delivered and removed enough of them.
Outgoing Queue
The Outgoing Queue consists of mail that has been scanned by the mail scanning process but not yet delivered. Once a message has been delivered it is moved to the History. If a message cannot be delivered, the reason is shown by pressing the exclamation mark button.
History
This page shows messages that have been delivered, together with information such as the spam score. The "Show in log" button locates the message in the log.
Logging
This shows the log for a message, spanning both the mailscanner and the queueprocessor. The search syntax is messageid, messageid:queueid or just queueid:
| Syntax | Example | Description |
|---|---|---|
| messageid | 43de929d-cc22-11dd-90ef-0048546ae42b | Searches for a message id |
| messageid:queueid | 43de929d-cc22-11dd-90ef-0048546ae42b:432360 | Searches for a message and a specific queue id |
| queueid | 432360 | Searches for a queue id |
| /<regexp>/ | /127\.0\.0\.1/ | Searches using a Regular Expression |
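As an added example (not Halon's own code), the following Python classifies a log-search query into the four forms in the table above, so a wrapper script can validate user input before passing it to the appliance and can report a bad regular expression up front. The message id shape (five groups of hex digits, 8-4-4-4-12) is inferred from the page's example and is an assumption.

```python
# Added example (not Halon's code): parse the four log-search query forms
# listed above. The UUID-like message id format is an assumption.
import re
from typing import Any, Dict

_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_MESSAGE_ID = re.compile(rf"^{_UUID}$", re.IGNORECASE)
_MESSAGE_AND_QUEUE = re.compile(rf"^({_UUID}):(\d+)$", re.IGNORECASE)
_QUEUE_ID = re.compile(r"^\d+$")
_REGEXP = re.compile(r"^/(.*)/$", re.DOTALL)


def parse_log_query(query: str) -> Dict[str, Any]:
    """Return a dict with 'kind' and the extracted fields, or raise ValueError."""
    q = query.strip()
    m = _MESSAGE_AND_QUEUE.match(q)
    if m:
        return {"kind": "messageid:queueid",
                "messageid": m.group(1).lower(), "queueid": int(m.group(2))}
    if _MESSAGE_ID.match(q):
        return {"kind": "messageid", "messageid": q.lower()}
    if _QUEUE_ID.match(q):
        return {"kind": "queueid", "queueid": int(q)}
    m = _REGEXP.match(q)
    if m:
        # Compile here so a broken pattern is reported before it reaches the appliance.
        try:
            pattern = re.compile(m.group(1))
        except re.error as exc:
            raise ValueError(f"bad regular expression {m.group(1)!r}: {exc}") from exc
        return {"kind": "regexp", "pattern": pattern}
    raise ValueError(f"not a valid log query: {query!r}")


def is_valid_log_query(query: str) -> bool:
    try:
        parse_log_query(query)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for q in ("43de929d-cc22-11dd-90ef-0048546ae42b:432360", "432360",
              r"/127\.0\.0\.1/", "hello"):
        print(q, "->", parse_log_query(q) if is_valid_log_query(q) else "invalid")
```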
