
Using GroupWise and BorderManager to Prevent Mail Relay

Novell Cool Solutions: Trench
By Keith Branson


Posted: 18 Oct 2002
 

Using other mail hosts as a relay for illegal e-mail is on the increase in the Netherlands, and this problem can affect GroupWise sites just as badly as Exchange sites.

If mail relaying is allowed it can delay valid e-mail traffic and cause irritation at the site receiving the spam.

If your customer is open to mail relay and relaying is taking place, it is highly likely that they will be blacklisted.

This is an example of a GWIA log entry showing e-mail rejected because of a blacklist entry for the site:

Analyzing result file: rd0748fe.071
06-13-02 08:05:15 0      Command:  mailasia.com
06-13-02 08:05:15 0      Response: 250 ok
06-13-02 08:05:15 0      Command:  HELO mail.customer.nl
06-13-02 08:05:15 0      Response: 250 spf1.hk.outblaze.com Hello mail.customer.nl [195.86.35.XXX], pleased to meet you
06-13-02 08:05:15 0      Detected error on SMTP command
06-13-02 08:05:15 0      Command:  MAIL FROM:
06-13-02 08:05:15 0      Response: 553 5.3.0 EMail from mailserver at 195.86.35.XXX is refused. The above mailserver is blocked by postmaster@outblaze.com.
06-13-02 08:05:15 0      Building undeliverable message
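A small log check for this situation, added here as an example and not part of the original article or of any Novell tool: it walks GWIA send-log lines like the ones above, collects every permanent (5xx) rejection together with the remote host that issued it, and flags the ones that read like a blacklist block. The sample log is constructed from the entry above plus one normal delivery; the keyword list used to spot a block is a heuristic chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log, modelled on the GWIA entry quoted above (not a real capture).
# The second HELO/MAIL FROM exchange was added to show a normal, accepted delivery.
SAMPLE_LOG = """\
Analyzing result file: rd0748fe.071
06-13-02 08:05:15 0      Command:  HELO mail.customer.nl
06-13-02 08:05:15 0      Response: 250 spf1.hk.outblaze.com Hello mail.customer.nl [195.86.35.XXX], pleased to meet you
06-13-02 08:05:15 0      Detected error on SMTP command
06-13-02 08:05:15 0      Command:  MAIL FROM:
06-13-02 08:05:15 0      Response: 553 5.3.0 EMail from mailserver at 195.86.35.XXX is refused. The above mailserver is blocked by postmaster@outblaze.com.
06-13-02 08:05:15 0      Building undeliverable message
06-13-02 08:06:02 0      Command:  HELO mail.customer.nl
06-13-02 08:06:02 0      Response: 250 mx.example.org Hello mail.customer.nl
06-13-02 08:06:02 0      Command:  MAIL FROM:
06-13-02 08:06:02 0      Response: 250 ok
"""

# Timestamp, a thread/process number, then the text of the log line.
LINE_RE = re.compile(r"^(?P<ts>\d\d-\d\d-\d\d \d\d:\d\d:\d\d) \d+\s+(?P<rest>.*)$")

# Words that, in a permanent reply, usually mean a reputation or blacklist block.
# Heuristic chosen for this example, not a GWIA classification.
BLACKLIST_HINTS = ("blocked", "refused", "blacklist", "rbl", "dnsbl")


@dataclass
class Rejection:
    timestamp: str
    remote_host: str   # server named in its "250 <host> Hello ..." greeting to our HELO
    command: str       # SMTP command that drew the error, e.g. "MAIL FROM:"
    code: str          # three-digit SMTP reply code
    text: str          # remainder of the reply


def parse_rejections(log_text: str) -> List[Rejection]:
    """Walk GWIA send-log lines and collect every permanent (5xx) rejection."""
    rejections: List[Rejection] = []
    remote_host = "?"
    last_command = ""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Analyzing result file" and other non-timestamped lines
        ts, rest = m.group("ts"), m.group("rest")
        if rest.startswith("Command:"):
            last_command = rest[len("Command:"):].strip()
        elif rest.startswith("Response:"):
            reply = rest[len("Response:"):].strip()
            code = reply[:3]
            if last_command.upper().startswith("HELO") and code == "250":
                # The greeting identifies the remote MX we are talking to.
                parts = reply.split()
                remote_host = parts[1] if len(parts) > 1 else "?"
            elif code.startswith("5"):
                rejections.append(Rejection(ts, remote_host, last_command, code, reply[3:].strip()))
    return rejections


def looks_like_blacklisting(rej: Rejection) -> bool:
    """True when a permanent rejection reads like a block on our sending address."""
    text = rej.text.lower()
    return any(hint in text for hint in BLACKLIST_HINTS)


def blacklisting_hosts(log_text: str) -> List[str]:
    """Distinct remote hosts that appear to have blacklisted our mail server."""
    seen: List[str] = []
    for rej in parse_rejections(log_text):
        if looks_like_blacklisting(rej) and rej.remote_host not in seen:
            seen.append(rej.remote_host)
    return seen


if __name__ == "__main__":
    for rej in parse_rejections(SAMPLE_LOG):
        flag = "BLACKLIST?" if looks_like_blacklisting(rej) else "other"
        print(f"{rej.timestamp} {rej.remote_host} {rej.command} -> {rej.code} [{flag}]")
    print("hosts to check with Sam Spade:", blacklisting_hosts(SAMPLE_LOG))
```

Run it over a day's worth of GWIA send logs and the host list at the end tells you which receiving sites are refusing your MX, which is the prompt to look the address up in the blacklist engines described next.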

Blacklists are maintained by several companies and organisations, but a general website with an engine that checks all the common lists is Sam Spade.

Browse down the homepage to the Blackhole window and enter the customer's MX record -- this must be an IP address and not the DNS domain name.

Click on the Blackhole button; the following screen gives a summary of the blacklists searched and of the lists in which the IP address appears.

Solution

In this document I will cover these GroupWise and BorderManager versions:

GroupWise 4.1
GroupWise 5.x
GroupWise 5.5
GroupWise 6
BorderManager 2.1
BorderManager 3.x

GroupWise 4.1

This is a very old GroupWise version and makes use of the SMTP 4.1 gateway. It is still found at many smaller housing corporations, and it cannot be configured to prevent mail relay.

My only recommendation with this version is to upgrade it to GroupWise 5.5 or 6, or, if the customer has only one mail domain name, to protect it with a BorderManager 3.x server running mail proxy.

GroupWise 5.x (Other than 5.5)

These are also older GroupWise versions that offer only limited mail relay protection, and again I recommend upgrading to a newer version of GroupWise.

In the case of GroupWise 5.2, make sure that the following has been done:

1. The GroupWise system NLMs, EXEs, NWADMIN snap-ins and client are all upgraded to Support Pack 6.

2. In the sys:system\gwia.cfg file located on the server where the Internet agent is loaded, the following entry is present: /NOROUTING

3. In nwadmn95.exe - GWIA (located in the GroupWise domain container/object) - Details - Access Control - SMTP Relay, "Prevent message relaying" is checked.

4. In nwadmn95.exe - GWIA - Access Control - Default Class of Service - Edit, configure the four pages as follows:

SMTP incoming - Prevent incoming messages
SMTP outgoing - Prevent outgoing messages
SMTP outgoing - Uncheck - Allow rule generated messages
POP3 and IMAP4 - Prevent access

5. Create a new control rule - I usually use the customer's DNS name (like getronics.com) - and configure it as follows:

SMTP incoming - Allow incoming messages
SMTP outgoing - Allow outgoing messages
SMTP outgoing - check - Allow rule generated messages (only check this option if automatic forwarding of e-mails to an external mail account is allowed by the customer)
POP3 and IMAP4 - Prevent access

6. Click on OK, then select the Post Offices button at the lower right and associate the rule with all GroupWise post offices displayed in the main view. This association means that only e-mail to or from a valid GroupWise post office member is accepted by the GroupWise Internet gateway.

Don't forget that these changes only take effect after unloading and reloading the GWIA. Note that the GroupWise 5.x Internet agent accepts all e-mails regardless of the mail relay policy; with these changes implemented and active, relayed e-mails are still accepted but are not forwarded to the addressee.

GroupWise 5.5 (including Enhancement pack)

In the case of GroupWise 5.5, you can take the following actions:

1. The GroupWise system NLMs, EXEs, NWADMIN snap-ins and client are upgraded to GroupWise 5.5 Support Pack 5, or the GWIA is updated to the version in patch fgwia55g.exe or Enhancement Pack Support Pack GWEPSP4E.EXE. These are obtainable at the time of writing from support.novell.com.

2. In the sys:system\gwia.cfg file located on the server where the Internet agent is loaded, the following entry is present: /NOROUTING

3. In nwadmn32.exe - GWIA (located in the GroupWise domain container/object) - Details - Access Control - SMTP Relay, "Prevent message relaying" is checked.

4. In nwadmn32.exe - GWIA - Access Control - Default Class of Service - Edit, configure the four pages as follows:

SMTP incoming - Prevent incoming messages
SMTP outgoing - Prevent outgoing messages
SMTP outgoing - Uncheck - Allow rule generated messages
POP3 and IMAP4 - Prevent access

5. Create a new control rule - I usually use the customer's DNS name (like getronics.com) - and configure it as follows:

SMTP incoming - Allow incoming messages
SMTP outgoing - Allow outgoing messages
SMTP outgoing - check - Allow rule generated messages (only check this option if automatic forwarding of e-mails to an external mail account is allowed by the customer)
POP3 and IMAP4 - Prevent access

6. Click on OK, then associate the rule with all GroupWise post offices. This association means that only e-mail to or from a valid GroupWise post office member is accepted by the GroupWise Internet gateway.

Don't forget that these changes only take effect after unloading and reloading the GWIA. Note that the GroupWise 5.x Internet agent accepts all e-mails regardless of the mail relay policy; with these changes implemented and active, relayed e-mails are still accepted but are not forwarded to the addressee.

GroupWise 6

In the case of GroupWise 6, the default mail relay setting in ConsoleOne - GWIA - Details - Access Control - SMTP Relay - Prevent message relaying works perfectly and no further action is required. The difference here is that no e-mail destined for another mail system and sent from an external source is accepted at all: it is rejected on the RCPT TO:<email address> SMTP command.

I can only recommend installing GroupWise 6 Support Pack 1, as this fixes many other problems and bugs.
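The policy the class-of-service steps above set up (default class prevents everything, the customer's class allows mail to or from post office members) and the GroupWise 6 behaviour just described can be written down as a small decision model. This is an added example, not GroupWise code: the mail domains and the internal network are hypothetical, and it simplifies "from a post office member" to "from the internal network" (outgoing GroupWise mail actually reaches the GWIA from the MTA rather than over inbound SMTP). The `reject_at_rcpt` switch contrasts the GroupWise 6 refusal at RCPT TO with the 5.x accept-then-drop behaviour.

```python
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Hypothetical values for this example: the customer's own mail domains and the
# network the GroupWise post offices (and their users) sit on.
LOCAL_DOMAINS = {"getronics.com", "getronics.nl"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(peer_ip: str) -> bool:
    """True when the SMTP client is on the customer's own network."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in INTERNAL_NETS)


def domain_of(address: str) -> str:
    """Mail domain of an address written as <user@domain> or user@domain."""
    return address.strip("<>").rsplit("@", 1)[-1].lower()


def rcpt_decision(peer_ip: str, recipient: str) -> Tuple[str, str]:
    """Policy answer for one RCPT TO, matching the class-of-service set-up:
    mail is accepted only if it is for a local post office member (incoming) or
    from one (outgoing); anything else is a relay attempt."""
    if domain_of(recipient) in LOCAL_DOMAINS:
        return ("250", "OK")            # incoming mail for our own users
    if is_internal(peer_ip):
        return ("250", "OK")            # outgoing mail from our own users
    return ("550", "Relaying denied")   # external sender, external recipient


def run_session(peer_ip: str, mail_from: str, recipients: List[str],
                reject_at_rcpt: bool = True) -> Tuple[List[str], List[str]]:
    """Simulate the envelope part of an SMTP session and return
    (transcript, recipients actually queued for delivery).

    reject_at_rcpt=True  mirrors GroupWise 6: the relay attempt is refused on RCPT TO.
    reject_at_rcpt=False mirrors the 5.x behaviour: the gateway answers 250 but
    never forwards the message to the addressee."""
    transcript = [f"C: MAIL FROM:{mail_from}", "S: 250 OK"]
    delivered: List[str] = []
    for rcpt in recipients:
        transcript.append(f"C: RCPT TO:{rcpt}")
        code, text = rcpt_decision(peer_ip, rcpt)
        if code == "250":
            delivered.append(rcpt)
            transcript.append("S: 250 OK")
        elif reject_at_rcpt:
            transcript.append(f"S: {code} {text}")
        else:
            transcript.append("S: 250 OK")   # accepted on the wire, silently dropped later
    return transcript, delivered


if __name__ == "__main__":
    # Constructed: an outside host trying to relay through us to a third party.
    lines, queued = run_session("203.0.113.9", "<spammer@example.net>", ["<victim@example.org>"])
    print("\n".join(lines))
    print("queued:", queued)
```

The practical difference matters for blacklisting: with the 5.x behaviour a relay tester sees 250 on every command and may still list the site as an open relay even though nothing is forwarded, whereas the GroupWise 6 refusal is visible on the wire.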

BorderManager 2.1

BorderManager 2.1 has no Mail proxy option and therefore anti-mail relay configuration must occur at the GroupWise Internet Agent level.

BorderManager 3.x

For BorderManager versions 3.0, 3.5, 3.6 and 3.7 I recommend the following, if mail proxy is being used.

1. Install the latest BorderManager Support Pack and proxy patch. Be warned! The BorderManager 3.5 and 3.6 mail proxy can only support one DNS domain, so for sites with more than one domain (like Getronics.com and Getronics.nl) I recommend not using the BorderManager mail proxy and instead either installing the Internet gateway on the BorderManager server or using Network Address Translation on the BorderManager server to route all e-mail traffic between the Internet gateway and the Internet.

BorderManager 3.0

Install Support Pack 3 for BM 3.0 (BM30SP3.EXE), available from support.novell.com. The only anti-mail relay measure possible for this BorderManager version is in the access control rules.

Create the following three access control rules in NWADMN32.EXE - BorderManager server object - Access Control Rules:

(I'm using Getronics.com as the customer's DNS domain:)

(1) Action: Allow
Access Type: Port
Origin Server Port: 25
Source: Internal IP GWIA Host Address or Range
Destination: Any

This rule blocks all spam or relay requests, but allows outgoing traffic from the Internet agent (GWIA) through the Mail proxy.

(2) Action: Allow 
Access Type: Application Proxy
Service: Mail Proxy
Source: Any 
Destination: Getronics.com 

This rule allows forwarding of mail through the proxy addressed to any user @getronics.com. If more domains are configured for this mail system, create a further rule of type 2 for each domain name, and ensure that these rules are placed in the rule list above rule type 3.

(3) Action: Deny
Access Type: Application Proxy
Service: Mail Proxy
Source: Any
Access: SMTP
Destination: Any

This rule blocks all other SMTP traffic.

Note: Don't forget that for this to work, the access control rules must be activated via the "BorderManager Setup" button.
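Because BorderManager access control rules are evaluated top down and the first match wins, the order of rules 2 and 3 decides whether a second home domain is ever reached. The following simulation, added as an example and not BorderManager code, encodes the three rules above and evaluates sample requests against them; the GWIA host address is hypothetical, and the default of denying an unmatched request is an assumption made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical internal address of the GWIA host used in rule 1.
GWIA_HOST = "10.0.0.25/32"


@dataclass(frozen=True)
class Rule:
    action: str                    # "Allow" or "Deny"
    access_type: str               # "Port" or "Application Proxy"
    source: str                    # "Any" or a CIDR/host
    destination: str               # "Any" or a mail domain
    port: Optional[int] = None     # for Port rules
    service: Optional[str] = None  # for Application Proxy rules


@dataclass(frozen=True)
class Request:
    source_ip: str
    access_type: str
    destination: str               # recipient mail domain (proxy) or remote host (port)
    port: Optional[int] = None
    service: Optional[str] = None


# The three rules from the text, in the order the text gives them.
RULES_FROM_TEXT: List[Rule] = [
    Rule("Allow", "Port", GWIA_HOST, "Any", port=25),
    Rule("Allow", "Application Proxy", "Any", "getronics.com", service="Mail Proxy"),
    Rule("Deny", "Application Proxy", "Any", "Any", service="Mail Proxy"),
]


def _source_matches(rule_source: str, ip: str) -> bool:
    return rule_source == "Any" or ip_address(ip) in ip_network(rule_source, strict=False)


def _dest_matches(rule_dest: str, dest: str) -> bool:
    return rule_dest == "Any" or rule_dest.lower() == dest.lower()


def matches(rule: Rule, req: Request) -> bool:
    """Does this rule apply to the request? Type, port/service, source and destination must all fit."""
    if rule.access_type != req.access_type:
        return False
    if rule.access_type == "Port" and rule.port != req.port:
        return False
    if rule.access_type == "Application Proxy" and rule.service != req.service:
        return False
    return _source_matches(rule.source, req.source_ip) and _dest_matches(rule.destination, req.destination)


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, Optional[int]]:
    """First matching rule wins; with no match the request is denied (assumed default)."""
    for index, rule in enumerate(rules, start=1):
        if matches(rule, req):
            return rule.action, index
    return "Deny", None


def inbound(source_ip: str, domain: str) -> Request:
    """An external host delivering to a recipient domain via the mail proxy."""
    return Request(source_ip, "Application Proxy", domain, service="Mail Proxy")


def rules_with_domain(domain: str, above_deny: bool) -> List[Rule]:
    """The rule list with an extra type-2 rule for another home domain, placed
    either above the final deny (correct) or after it (never reached)."""
    extra = Rule("Allow", "Application Proxy", "Any", domain, service="Mail Proxy")
    if above_deny:
        return RULES_FROM_TEXT[:2] + [extra, RULES_FROM_TEXT[2]]
    return RULES_FROM_TEXT + [extra]


if __name__ == "__main__":
    print("GWIA outbound:", evaluate(RULES_FROM_TEXT, Request("10.0.0.25", "Port", "mx.example.org", port=25)))
    print("inbound for us:", evaluate(RULES_FROM_TEXT, inbound("203.0.113.9", "getronics.com")))
    print("relay attempt:", evaluate(RULES_FROM_TEXT, inbound("203.0.113.9", "example.org")))
    print("getronics.nl below deny:", evaluate(rules_with_domain("getronics.nl", False), inbound("203.0.113.9", "getronics.nl")))
    print("getronics.nl above deny:", evaluate(rules_with_domain("getronics.nl", True), inbound("203.0.113.9", "getronics.nl")))
```

The last two calls show the ordering point from the text: a rule for getronics.nl placed after the catch-all deny never matches, so mail for that domain is refused until the rule is moved above rule 3.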

BorderManager 3.5 and 3.6:

Install the latest patches.

The readme files of both the 3.5 and 3.6 Support Packs contain important information about mail proxy.

After installing the Support Pack for your version of BorderManager, edit the sys:etc\proxy.cfg file and add the following information underneath the existing settings:

(Again I will use Getronics.com as the home DNS domain.)

[BM Mail Proxy]
BM_Domain=getronics.com
BM_Incoming_Relay=0
BM_Proxy_Domain=mail-proxy.getronics.com

These settings have the following meaning:

BM_Domain

This is self-explanatory: it's the DNS domain name of the customer (i.e. Getronics.com). This setting is normally only necessary if the domain name is not configured in the mail proxy settings in NWADMN32.exe; I recommend including it in the proxy.cfg file regardless.

BM_Incoming_Relay=0

This setting determines whether mail relay is allowed: 0 = no, 1 = yes. It's a piece of cake!

BM_Proxy_Domain

This is the name sent by the BorderManager mail proxy in response to an SMTP "HELO" command, i.e. mail.getronics.com.
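A check for these three settings, added as an example and not part of the article or of BorderManager: it reads a proxy.cfg, reports when the [BM Mail Proxy] section is missing, when BM_Incoming_Relay is anything other than 0, or when BM_Domain or BM_Proxy_Domain is absent, and can write the recommended values back. The two configuration fragments are constructed for the example; the only assumption about the file format is that proxy.cfg uses the INI-style sections and key=value lines shown above.

```python
import configparser
import io
from typing import List

SECTION = "BM Mail Proxy"

# Constructed fragments of a sys:etc\proxy.cfg, not taken from any real server.
WEAK_CFG = """\
[BM Mail Proxy]
BM_Incoming_Relay=1
BM_Proxy_Domain=mail-proxy.getronics.com
"""

GOOD_CFG = """\
[BM Mail Proxy]
BM_Domain=getronics.com
BM_Incoming_Relay=0
BM_Proxy_Domain=mail-proxy.getronics.com
"""


def _load(cfg_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the BM_* key names exactly as written
    parser.read_string(cfg_text)
    return parser


def audit_mail_proxy(cfg_text: str) -> List[str]:
    """Return a list of findings; an empty list means the relay settings are as recommended."""
    parser = _load(cfg_text)
    if not parser.has_section(SECTION):
        return [f"[{SECTION}] section missing: add it with BM_Incoming_Relay=0"]
    section = parser[SECTION]
    findings: List[str] = []
    relay = section.get("BM_Incoming_Relay")
    if relay is None:
        findings.append("BM_Incoming_Relay not set: add BM_Incoming_Relay=0")
    elif relay.strip() != "0":
        findings.append(f"BM_Incoming_Relay={relay.strip()}: incoming relay is allowed, set it to 0")
    if not section.get("BM_Domain"):
        findings.append("BM_Domain not set: add the customer's home DNS domain")
    if not section.get("BM_Proxy_Domain"):
        findings.append("BM_Proxy_Domain not set: add the name the proxy should give in its HELO reply")
    return findings


def harden_mail_proxy(cfg_text: str, domain: str, proxy_domain: str) -> str:
    """Return cfg_text with the [BM Mail Proxy] section set to the recommended values."""
    parser = _load(cfg_text)
    if not parser.has_section(SECTION):
        parser.add_section(SECTION)
    parser[SECTION]["BM_Domain"] = domain
    parser[SECTION]["BM_Incoming_Relay"] = "0"
    parser[SECTION]["BM_Proxy_Domain"] = proxy_domain
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)  # keep key=value, as in the file
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit_mail_proxy(WEAK_CFG):
        print("FINDING:", finding)
    print(harden_mail_proxy(WEAK_CFG, "getronics.com", "mail-proxy.getronics.com"))
```

Run the audit against a copy of proxy.cfg after every Support Pack or proxy patch, since a reinstall can leave the section out again.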

Handy mail relay sites:

Keith Branson
Senior Technical Support Specialist
Back Office Support
Getronics Infrastructure Solutions BV.

If you have any questions you may contact Keith at Keith.Branson@Getronics.com


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell