After you have configured the Internet services that you want the GWIA to provide in your GroupWise system, you need to take control of the information that flows in and out between your GroupWise system and the Internet.
You can use the GroupWise GWIA’s Access Control feature to configure a user’s ability to send and receive SMTP/MIME messages to and from Internet recipients and to access his or her mailbox from POP3 or IMAP4 email clients. In addition to enabling or disabling a user’s access to features, you can configure specific settings for the features. For example, for outgoing SMTP/MIME messages, you can limit the size of the messages or the sites to which they can be sent. By default, there are no limitations.
Access Control can be implemented at a user, group, post office, or domain level.
Choose from the following information to learn how to set up and use Access Control.
A class of service is a specifically defined configuration of GWIA privileges. A class of service controls the following types of access activities:
Whether SMTP/MIME messages are allowed to transfer to and from the Internet
Whether SMTP/MIME messages are allowed to transfer to and from specific domains on the Internet
The maximum size of SMTP/MIME messages that can transfer to and from the Internet
Whether SMTP/MIME messages generated by GroupWise rules are allowed to transfer to the Internet
Whether IMAP4 clients are allowed to access the GroupWise system
Whether POP3 clients are allowed to access the GroupWise system, and if allowed, how messages to and from POP3 clients are managed by the GroupWise system
The default class of service, which all users belong to, allows incoming and outgoing SMTP/MIME messages, and allows POP3 and IMAP4 access. You can control user access, at an individual, group, post office, or domain level, by creating different classes of service and adding the appropriate members to the classes. For example, you could create a class of service that limits the size of SMTP/MIME messages for a selected individual, group, post office, or domain.
Because you can assign membership at the user, group, post office, and domain level, it is possible that a single user can be a member of multiple classes of service. This conflict is resolved hierarchically, as shown in the following table:
| Membership assigned to a user through a... | Overrides membership assigned to the user through the... |
|---|---|
| domain |  |
| post office | domain |
| group | post office, domain |
| user | group, post office, domain |
If a user’s membership in two classes of service is based upon the same level of membership (for example, both through individual user membership), the class that applies is the one that allows the most privileges.
IMPORTANT: The GWIA uses the message size limit set for the default class of service as the maximum incoming message size for your GroupWise system. Therefore, you should set the message size for the default class of service to accommodate the largest message that you want to allow into your GroupWise system. As needed, you can then create other classes of service with smaller message size limits to restrict the size of incoming messages for selected users, groups, post offices, or domains. Methods for restricting message size within your GroupWise system are described in Section 13.3.5, Restricting the Size of Messages That Users Can Send.
Attachments to incoming SMTP messages are included in the mime.822 file, in addition to being attached to the message. Therefore, attachments count twice toward the size of the overall message. Take this into account when determining the maximum incoming message size for your GroupWise system.
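As an added example (not GroupWise code) of the precedence rules above: a small resolver that, given constructed class definitions and memberships, reports the settings that apply to each user, the way the Test button does. Treating Inherit Access as falling through to the next lower level, and all class names, users and memberships, are this example's assumptions.

```python
"""Resolve the class of service that actually applies to a GroupWise user.

Added example, not GroupWise code. It encodes the precedence described above:
user membership overrides group, group overrides post office, post office
overrides domain, and at the same level the class granting the most
privileges wins. "inherit" at one level falls through to the next lower
level, ending at the default class; that reading of Inherit Access, and all
class names, users and memberships below, are this example's assumptions.
"""

LEVELS = ("user", "group", "post_office", "domain")   # highest precedence first

# Class of service -> per-feature setting. Access features take
# "allow" / "prevent" / "inherit"; max_in_kb is a size limit in KB or None.
CLASSES = {
    "default":     {"smtp_in": "allow", "smtp_out": "allow", "pop3": "allow",
                    "imap4": "allow", "max_in_kb": None},
    "no-internet": {"smtp_in": "inherit", "smtp_out": "prevent", "pop3": "prevent",
                    "imap4": "prevent", "max_in_kb": 2048},
    "small-mail":  {"smtp_in": "allow", "smtp_out": "allow", "pop3": "inherit",
                    "imap4": "inherit", "max_in_kb": 512},
    "execs":       {"smtp_in": "allow", "smtp_out": "allow", "pop3": "allow",
                    "imap4": "allow", "max_in_kb": None},
}

# Class membership as (class name, level, member object); constructed data.
MEMBERS = [
    ("no-internet", "domain", "Provo"),
    ("small-mail", "post_office", "Research"),
    ("execs", "group", "Managers"),
    ("small-mail", "group", "Everyone"),
    ("no-internet", "user", "tbrown"),
]

# Constructed users: where they live and which groups they belong to.
USERS = {
    "jsmith": {"domain": "Provo", "post_office": "Research", "groups": {"Managers", "Everyone"}},
    "hjones": {"domain": "Provo", "post_office": "Research", "groups": {"Everyone"}},
    "tbrown": {"domain": "Provo", "post_office": "Research", "groups": {"Managers"}},
    "rlee":   {"domain": "Provo", "post_office": "Sales", "groups": set()},
}


def classes_at_level(user_name: str, level: str) -> list:
    """Classes the user belongs to through objects of one membership level."""
    user = USERS[user_name]
    objects = {
        "user": {user_name},
        "group": set(user["groups"]),
        "post_office": {user["post_office"]},
        "domain": {user["domain"]},
    }[level]
    return [cos for cos, lvl, obj in MEMBERS if lvl == level and obj in objects]


def effective_setting(user_name: str, feature: str):
    """Walk the levels from most to least specific; the first explicit value wins."""
    is_size = feature == "max_in_kb"
    for level in LEVELS:
        values = []
        for name in classes_at_level(user_name, level):
            cos = CLASSES[name]
            if is_size:
                # A size limit only counts when the class sets SMTP Incoming explicitly.
                if cos["smtp_in"] != "inherit":
                    values.append(cos[feature])
            elif cos[feature] != "inherit":
                values.append(cos[feature])
        if values:
            if is_size:                  # most privileges: no limit beats any limit
                return None if None in values else max(values)
            return "allow" if "allow" in values else "prevent"
    return CLASSES["default"][feature]


def resolve(user_name: str) -> dict:
    """Effective settings for a user, feature by feature."""
    return {feature: effective_setting(user_name, feature) for feature in CLASSES["default"]}


if __name__ == "__main__":
    for name in USERS:
        print(name, resolve(name))
```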
In the GroupWise Admin console, connect to the domain of the GWIA.
Browse to and click the GWIA.
Click the Access Control tab, then click Settings.
Click New to display the Create New Class of Service dialog box.
Type a name for the class, then click OK to display the Edit Class of Service dialog box.
On the SMTP Incoming tab, choose from the following options:
Inherit Access: Members of this class of service inherit their SMTP Incoming access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Incoming Messages: Enable members of the class of service to receive email messages through the GWIA. You can use the Exceptions option to prevent messages from specific Internet sites.
Prevent Incoming Messages: Prevent email messages coming from the Internet. You can use the Exceptions option to allow messages from specific Internet sites.
NOTE: If a member of the class of service whose messages you are allowing or preventing has an alias, you must also add the member’s alias to the class of service. Ongoing use of aliases is not recommended.
Prevent Messages Larger Than: This option is available only if you chose Allow Incoming Messages or Prevent Incoming Messages. In the case of Prevent Incoming Messages, this option only applies to messages received from Internet sites listed in the Allow Messages From list.
If you want to set a size limit on incoming messages, select the limit.
Internet messages that exceed the limit are not delivered. The sender receives an email message indicating that the message is undeliverable and including the following explanation:
Message exceeds maximum allowed size
IMPORTANT: If you have also set a message size limit for your MTAs, ensure that the MTA message size limit is equal to or greater than the GWIA message size limit. For more information, see Section 22.2.2, Restricting Message Size between Domains.
Exceptions: This option is available only if you chose Allow Incoming Messages or Prevent Incoming Messages.
Prevent Messages From: If you chose to allow incoming messages but you want to prevent messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the Prevent Messages From list.
Allow Messages From: Conversely, if you chose to prevent incoming messages but you want to allow messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the Allow Messages From list.
If you want to allow messages where the user name is blank, add Blank-Sender-User-ID to the Allow Messages From list.
Click SMTP Outgoing, then choose from the following options:
Inherit Access: Members of this class of service inherit their SMTP Outgoing access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Outgoing Messages: Allow members of the class of service to send email messages over the Internet. You can use the Exceptions option to prevent messages from being sent to specific Internet sites.
Prevent Outgoing Messages: Prevent members of the class of service from sending email messages over the Internet. You can use the Exceptions option to allow messages to be sent to specific Internet sites.
Prevent Messages Larger Than: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.
If you want to set a size limit on outgoing messages, specify the limit.
Exceptions: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.
If you chose to allow outgoing messages but you want to prevent messages from being sent to specific Internet sites (IP addresses or DNS hostnames), add the sites to the Prevent Messages To list.
Conversely, if you chose to prevent outgoing messages but you want to allow messages to be sent to specific Internet sites (IP addresses or DNS hostnames), add the sites to the Allow Messages To list.
Allow Replies: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.
This option enables the GWIA to send rule-generated replies to messages (such as vacation rule messages).
In addition, you can use the /blockrulegenmsg startup switch to allow some types of rule-generated messages while blocking others.
Exceptions: Click Exceptions to create a list of specific Internet addresses that are handled opposite to the Allow Replies setting.
Allow Forwards: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.
This option configures the GWIA to forward rule-generated messages (which can be a security issue).
In addition, you can use the /blockrulegenmsg startup switch to allow some types of rule-generated messages while blocking others.
Exceptions: Click Exceptions to create a list of specific Internet addresses that are handled opposite to the Allow Forwards setting.
Click the IMAP4 tab, then choose from the following options:
Inherit Access: Members of this class of service inherit their IMAP4 access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Access: Allow members of the class to send and receive messages with an IMAP4 client.
Prevent Access: Prevent members of the class from sending and receiving messages with an IMAP4 client.
Click the POP3 tab, then choose from the following options:
Inherit Access: Members of this class of service inherit their POP3 access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.
Allow Access: Allow members of the class to download their GroupWise messages to a POP3 client.
Prevent Access: Prevent downloading GroupWise messages to a POP3 client.
Delete Messages from GroupWise Mailbox after Download: This option applies only if you selected Allow Access.
When you use this option, messages downloaded from a GroupWise Mailbox to a POP3 client are moved to the Trash folder in the GroupWise Mailbox.
POP3 client users can enable this option by using the user_name:d login option when initiating their POP session. For more information, see User Name Login Options.
Purge Messages from GroupWise Mailbox after Download: This option applies only if you selected Allow Access.
When you use this option, messages downloaded from a GroupWise Mailbox are moved to the Mailbox’s Trash folder and then emptied, completely removing the messages from the Mailbox.
POP3 client users can enable this option by using the user_name:p login option when initiating their POP session. For more information, see User Name Login Options.
Convert Messages to MIME Format When Downloading: This option applies only if you selected Allow Access.
When you use this option, messages downloaded to a POP3 client are converted to the MIME format.
POP3 client users can enable this option by using the user_name:m login option when initiating their POP session. They can disable it by using the user_name:n login option; this converts messages to RFC-822 format. For more information, see User Name Login Options.
High Performance on File Size Calculations: This option applies only if you selected Allow Access.
POP3 clients calculate the size of each message file before downloading it. Enable this option if you want to assign a size of 1 KB to each message file. This eliminates the time associated with calculating a file’s actual size.
POP3 client users can enable this option by using the user_name:s login option when initiating their POP session. For more information, see User Name Login Options.
Number of Days Prior to Today to Get Messages From: This option applies only if you selected Allow Access.
Select the number of days to go back to look for GroupWise Mailbox messages to download to the POP3 client. The default is 30 days.
POP3 client users can override this option by using the user_name:t=x login option when initiating their POP session. For more information, see User Name Login Options.
Maximum Number of Messages to Download: This option applies only if you selected Allow Access.
Select the maximum number of messages a user can download at one time from a GroupWise Mailbox to a POP3 client. The default is 100 messages.
POP3 client users can override this option by using the user_name:l=x login option when initiating their POP session. For more information, see User Name Login Options.
Click OK to display the Select GroupWise Object dialog box.
Select Domains, Post Offices, Groups, or Users to display the list you want.
In the list, select the domain, post office, group, or user that you want, then click OK to add the object as a member in the class.
You can Control+click or Shift+click to select multiple objects.
To add additional domains, post offices, groups, or users as members of the class of service, select the class of service, then click Add to display the Select GroupWise Object dialog box.
Click OK to add the new class of service to the list.
Click Save, then click Close to return to the main Admin console window.
In the GroupWise Admin console, browse to and click the GWIA.
Click the Access Control tab, then click Settings to display the Class of Service list.
To edit a class of service, click the name of a class of service.
To view the membership of a class of service, highlight the class of service.
Click Save, then click Close to return to the main Admin console window.
If you created multiple classes of service, you might not know exactly which settings are being applied to a specific object (domain, post office, group, or user) and which class of service the setting is coming from. To discover an object’s settings, you can test the object’s access.
In the GroupWise Admin console, browse to and click the GWIA.
Click the Access Control tab, then click Settings.
Click Test to display the Select GroupWise Object dialog box.
Select Domains, Post Offices, Groups, or Users to display the list you want. For example, if you want to see what access an individual user has, select Users.
In the list, select the object you want to view, then click View Access.
The tabs show the access control settings for SMTP Incoming, SMTP Outgoing, IMAP4, and POP3 as they are applied to that user, group, post office, or domain.
To view the source for a specific setting, select the setting in the Setting box.
When you are finished, click OK.
The Access Control database stores the information for the various classes of service you have created. If any problems occur with a class of service, you can validate the database to check for errors with the records and indexes contained in the database. If errors are found, you can recover the database.
The Access database, gwac.db, is located in the domain\wpgate\gwia folder.
In the GroupWise Admin console, connect to the domain of the GWIA.
Browse to and click the GWIA.
Click the Access Control tab, then click Database Management.
Click Validate Now.
After the database has been validated, click OK.
If errors were found, see Recovering the Database below.
If you encountered errors when validating the database, you must recover the database. During the recovery process a new database is created and all intact records are copied to the new database. Some records might not be intact, so you should check the classes of service to see if any information was lost.
In the GroupWise Admin console, connect to the domain of the GWIA.
Browse to and click the GWIA.
Click the Access Control tab, then click Database Management.
Click Recover Now.
Click OK.
Check your class of service list to ensure that it is complete.
The GWIA includes the following features to help you protect your GroupWise system and users from unwanted email:
Organizations such as SpamCop provide lists of IP addresses that are known to be open relay hosts or spam hosts. If you want to use free blacklist services such as these, or if you subscribe to fee-based services, you must define the blacklist addresses for these services. The GWIA then uses the defined services to ensure that no messages are received from blacklisted hosts. The following sections provide information to help you define blacklist addresses and, if necessary, override a host address included in a blacklist.
NOTE: If you want to configure the GWIA to block a specific IP address or DNS hostname, add the address or hostname to a class of service. For more information, see Section 29.5.1, Controlling User Access to the Internet. The Blacklist feature configures the GWIA to use blacklist services that provide real-time lists of many sites that are known to be bad.
In the GroupWise Admin console, browse to and click the GWIA.
Click the Access Control tab, then click Blacklists.
The Blacklist Addresses list displays the addresses of all blacklists that the GWIA checks when it receives a message from another SMTP host. The GWIA checks the first blacklist and continues checking lists until the sending SMTP host’s IP address is found or all lists have been checked. If the sending SMTP host’s IP address is included on any of the blacklists, the message is rejected. If you have the GWIA’s logging level set to Verbose, the log file includes information about the rejected message and the referring blacklist.
This list corresponds with the GWIA’s /rbl switch.
Click Add to display the New Blacklist Address dialog box.
For example, for SpamCop, you would use the following address:
bl.spamcop.net
Type the blacklist address in the Address box, then click OK to add the address to the Blacklist Addresses list.
If you have multiple blacklists in the Blacklist Addresses list, use the up-arrow and down-arrow to position the blacklists in the order you want them checked. The GWIA checks the blacklists in the order they are listed, from top to bottom.
Click Save, then click Close to return to the main Admin console window.
In some cases, a blacklist might contain a host from which you still want to receive messages. For example, goodhost.com has been accidentally added to a blacklist but you still want to receive messages from that host.
You can use the SMTP Incoming Exceptions list on a class of service to override a blacklist. For information about editing or creating a class of service, see Creating a Class of Service.
If you want to block specific hosts yourself rather than use a blacklist (in other words, create your own blacklist), you can configure a class of service that prevents messages from those hosts. You do this on the GWIA object’s Access Control Settings tab by editing the desired class of service to add the hosts to the Prevent Messages From exception list on the SMTP Incoming tab. For example, if you wanted to block all messages from badhost.com, you could edit the default class of service to add badhost.com to the list of prevented hosts.
You can also create a list of hosts from which you always want to allow messages, in effect creating your own white list.
For information about editing or creating a class of service, see Creating a Class of Service.
The GroupWise Admin console creates a blocked.txt file in the domain/wpgate/gwia folder that includes all the hosts that have been added to the Prevent Messages From exceptions list for the default class of service (see Section 29.5.1, Controlling User Access to the Internet).
You can manually edit the blocked.txt file to add or remove hosts. To maintain consistency for your system, you can also copy the list to other GWIA installations.
To manually edit the blocked.txt file:
Open the blocked.txt file in a text editor.
Add the host addresses.
The entry format is:
address1 address2 address3
where address is either a hostname or an IP address. You can block on any octet. For example:
| IP Address | Blocks |
|---|---|
| `*.*.*.34` | Any IP address ending with 34 |
| `172.16.*.34` | Any IP address starting with 172.16 and ending with 34 |
| `172.16.10-34.*` | Any IP address starting with 172.16 and any octet from 10 to 34 |
You can block on any segment of the hostname. For example:
| Hostname | Blocks |
|---|---|
| `provo*.novell.com` | provo.novell.com, provo1.novell.com, provo2.novell.com |
| `*.novell.com` | gw.novell.com (but not novell.com itself) |
There is no limit to the number of IP addresses and hostnames that you can block in the blocked.txt file.
Save the file as blocked.txt.
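An added example, not GroupWise code, that checks sending hosts against blocked.txt entries in the format described above, so a candidate list can be tested against known senders before it is copied to the GWIA folder. Treating `*` as matching within one dotted segment is this example's reading of the tables; the file contents and addresses are constructed.

```python
"""Check sending hosts against blocked.txt entries.

Added example, not GroupWise code. It implements the entry format described
above (whitespace-separated IP addresses and hostnames, '*' or an 'n-m' range
in any octet, '*' in any hostname segment). Treating '*' as matching within
one dotted segment is this example's reading of the tables; the file contents
and addresses below are constructed.
"""
import ipaddress
import re
from typing import Optional

CONSTRUCTED_BLOCKED_TXT = "*.*.*.34 172.16.10-34.* provo*.novell.com *.example.net\n"

OCTET_PATTERN = re.compile(r"\*|\d{1,3}|\d{1,3}-\d{1,3}")


def parse_blocked(text: str) -> list:
    """Entries are separated by whitespace; line breaks are whitespace too."""
    return text.split()


def is_ip_entry(entry: str) -> bool:
    parts = entry.split(".")
    return len(parts) == 4 and all(OCTET_PATTERN.fullmatch(p) for p in parts)


def octet_matches(pattern: str, octet: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(x) for x in pattern.split("-"))
        return low <= octet <= high
    return int(pattern) == octet


def ip_blocked(entry: str, sender_ip: str) -> bool:
    try:
        octets = ipaddress.IPv4Address(sender_ip).packed   # four ints
    except ipaddress.AddressValueError:
        return False                      # not IPv4; the entries here are IPv4 only
    return all(octet_matches(p, o) for p, o in zip(entry.split("."), octets))


def segment_matches(pattern: str, label: str) -> bool:
    """'*' stands for any run of characters inside one hostname segment."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label, re.IGNORECASE) is not None


def host_blocked(entry: str, sender_host: str) -> bool:
    pattern, labels = entry.split("."), sender_host.rstrip(".").split(".")
    return len(pattern) == len(labels) and all(
        segment_matches(p, l) for p, l in zip(pattern, labels))


def blocked_by(entries: list, sender_ip: str, sender_host: str = "") -> Optional[str]:
    """Return the entry that blocks this sender, or None if it is not blocked."""
    for entry in entries:
        if is_ip_entry(entry):
            if ip_blocked(entry, sender_ip):
                return entry
        elif sender_host and host_blocked(entry, sender_host):
            return entry
    return None


if __name__ == "__main__":
    entries = parse_blocked(CONSTRUCTED_BLOCKED_TXT)
    for ip, host in [("10.0.0.34", "relay.example.org"), ("172.16.20.5", ""),
                     ("192.0.2.1", "provo1.novell.com"), ("192.0.2.1", "example.net")]:
        print(ip, host or "-", "->", blocked_by(entries, ip, host))
```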
Multiple unsolicited messages (sometimes called a mailbomb or spam) from the Internet can potentially harm your GroupWise messaging environment. You can use the settings on the SMTP/MIME Security Settings tab to help protect your GroupWise system from malicious or accidental attacks.
To configure the SMTP security settings:
In the GroupWise Admin console, browse to and click the GWIA.
Click the SMTP/MIME tab, then click Security Settings.
Fill in the fields:
Reject if PTR Record Does Not Exist: This setting lets you prevent messages if the sender’s host is not authentic.
When this setting is turned on, the GWIA refuses messages from a smart host if a DNS reverse lookup shows that a PTR record does not exist for the IP address of the sender’s host.
When this setting is turned off, the GWIA accepts messages from any host, but displays a warning if the initiating host is not authentic.
This setting corresponds with the GWIA’s /rejbs switch.
Reject If PTR Record Does Not Match Sender’s Greeting: Configure the GWIA to reject messages from sending SMTP hosts where the sending host's PTR record does not match the information that the SMTP host sends out when it is initially contacted by another SMTP host. If the information does not match, the sending host might not be authentic.
Flag Messages with an Invalid PTR Record as Junk Mail: Allow messages from unidentified sources to be handled by users' Junk Mail Handling settings in the GroupWise client rather than by being rejected by the GWIA. This gives users more control over what they consider to be junk mail.
Enable Mailbomb Protection: Mailbomb protection is turned off by default. You can turn it on by selecting this option.
Mailbomb Threshold: When you enable Mailbomb protection, default values are defined in the threshold settings. The default settings are 30 messages received within 10 seconds. You can change the settings to establish an acceptable security level.
Any group of messages that exceeds the specified threshold settings is entirely discarded. If you want to prevent future mailbombs from the mailbomb sender, identify the sender’s IP address (by looking at the GWIA’s console) and then modify the appropriate class of service to prevent mail from being received from that IP address (Access Control > Settings). For more information, see Creating a Class of Service.
The time setting corresponds with the GWIA’s /mbtime switch. The message count setting corresponds with the /mbcount switch.
Click Save, then click Close to return to the main Admin console window.
For additional protective startup switches, see Section 34.4.13, Mailbomb and Spam Security.
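An added example, not GWIA code, that replays a sample of inbound traffic against the same rule the Mailbomb Threshold setting expresses (more than /mbcount messages from one host within /mbtime seconds), so the defaults can be judged against real arrival rates before protection is enabled. The event list and addresses are constructed.

```python
"""Replay inbound traffic against the mailbomb threshold described above.

Added example, not GWIA code. The rule is the one the Mailbomb Threshold
setting expresses: more than /mbcount messages from one sending host inside
a window of /mbtime seconds (defaults 30 and 10). The events below are
constructed: one host bursts 40 messages in 8 seconds, one sends steadily.
"""
from collections import defaultdict, deque

MB_COUNT = 30   # /mbcount default
MB_TIME = 10    # /mbtime default, in seconds


class MailbombDetector:
    def __init__(self, count: int = MB_COUNT, window: float = MB_TIME):
        self.count = count
        self.window = window
        self.recent = defaultdict(deque)   # sender IP -> arrival times inside the window
        self.flagged = {}                  # sender IP -> time the threshold was crossed

    def observe(self, ts: float, sender_ip: str) -> bool:
        """Record one arrival; True if this sender now exceeds the threshold."""
        arrivals = self.recent[sender_ip]
        arrivals.append(ts)
        while ts - arrivals[0] > self.window:     # drop arrivals older than /mbtime
            arrivals.popleft()
        if len(arrivals) > self.count:
            self.flagged.setdefault(sender_ip, ts)
            return True
        return False


def constructed_events() -> list:
    """(seconds, sender IP) pairs, sorted by time."""
    burst = [(i * 0.2, "192.0.2.10") for i in range(40)]
    steady = [(i * 3.0, "198.51.100.7") for i in range(40)]
    return sorted(burst + steady)


def offenders(events: list, count: int = MB_COUNT, window: float = MB_TIME) -> dict:
    """Sender IPs that crossed the threshold, with the time they did so."""
    detector = MailbombDetector(count, window)
    for ts, ip in events:
        detector.observe(ts, ip)
    return dict(detector.flagged)


if __name__ == "__main__":
    for ip, when in offenders(constructed_events()).items():
        print(f"{ip} exceeded {MB_COUNT} messages in {MB_TIME}s at t={when:.1f}s")
```

With the defaults only the bursting host is reported; lowering /mbcount to 3 also catches the steady sender, which is the kind of false positive to check for before tightening the threshold.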
In the GroupWise Admin console, browse to and click the GWIA.
Click the SMTP/MIME tab, then click Junk Mail.
Select Flag Any Messages, then specify the strings in the text box.
Anti-spam services use different indicators to mark potential spam. One might use a string of asterisks; the more asterisks, the greater the likelihood that the message is spam. Another might use a numerical value; the higher the number, the greater the likelihood that the message is spam. The following samples are taken from MIME headers of messages:
X-Spam-Results: *****
X-Spam-Status: score=9
Based on these samples, examples are provided below of lines that you could add to the list to handle the X-Spam tags found in the MIME headers of messages coming into your system.
Example: X-Spam-Results: *****
This line marks as spam any message whose MIME header contained an X-Spam-Results tag with five or more asterisks. Messages with X-Spam-Results tags with fewer than five asterisks are not marked as spam.
Example: X-Spam-Status: Yes
This line marks as spam any message whose MIME header contained the X-Spam-Status tag set to Yes, regardless of the score.
Example:
X-Spam-Status: score=9
X-Spam-Status: score=10
These lines mark as spam any message whose MIME header has the X-Spam-Status tag set to Yes and a score of 9 or 10. X-Spam-Status tags with scores less than 9 are not marked as spam.
You can add as many lines as necessary to the list to handle whatever message tagging your anti-spam service uses.
Click Save, then click Close to return to the main Admin console window.
The list is saved in the xspam.cfg file in the domain\wpgate\gwia folder. As described above, each line of the xspam.cfg file identifies an “X” header field that your anti-spam service is writing to the MIME header, along with the values that flag the message as spam. The GWIA examines the MIME header for any field listed in the xspam.cfg file. When a match occurs, the message is marked for handling by the GroupWise client Junk Mail Handling feature.
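An added example, not GWIA code, that applies xspam.cfg lines to a message's header block the way the description above implies: each line is compared as a prefix of a header line, which is how `X-Spam-Results: *****` catches five or more asterisks. The prefix and case-insensitive comparison are this example's assumptions; the config and headers are constructed.

```python
"""Apply xspam.cfg lines to a MIME header block.

Added example, not GWIA code. Each xspam.cfg line is matched as a prefix of
a header line, the reading under which "X-Spam-Results: *****" catches five
or more asterisks; prefix and case-insensitive matching are this example's
assumptions. The config and headers below are constructed.
"""
from email.parser import HeaderParser

CONSTRUCTED_XSPAM_CFG = """\
X-Spam-Results: *****
X-Spam-Status: Yes
X-Spam-Status: score=9
X-Spam-Status: score=10
"""


def load_xspam(text: str) -> list:
    """One rule per non-empty line: an 'X' header name and the value that flags junk."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def header_lines(raw_headers: str) -> list:
    """Unfold the headers and render each as 'Name: value'."""
    msg = HeaderParser().parsestr(raw_headers)
    return [f"{name}: {' '.join(str(value).split())}" for name, value in msg.items()]


def junk_match(raw_headers: str, rules: list):
    """Return the first xspam.cfg line the headers satisfy, or None."""
    for line in header_lines(raw_headers):
        for rule in rules:
            if line.lower().startswith(rule.lower()):
                return rule
    return None


if __name__ == "__main__":
    rules = load_xspam(CONSTRUCTED_XSPAM_CFG)
    sample = "X-Spam-Results: *******\nSubject: constructed sample\n"
    print(junk_match(sample, rules))
```

Prefix matching also means a line such as X-Spam-Status: score=9 would match a score of 90 or higher, which is harmless here but worth remembering when writing numeric thresholds.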
The GWIA supports SMTP host authentication for both outbound and inbound message traffic.
For outbound authentication to other SMTP hosts, the GWIA requires that the remote SMTP hosts support the AUTH LOGIN authentication method. To set up outbound authentication:
Include the remote SMTP host’s domain name and authentication credentials in the gwauth.cfg file, located in the domain\wpgate\gwia folder. The format is:
domain_name authuser authpassword
For example:
smtp.novell.com remotehost novell
If you have multiple SMTP hosts that require authentication before they accept messages from your system, create an entry for each host. Ensure that you include a hard return after the last entry.
If you want to allow the GWIA to send messages only to SMTP hosts listed in the gwauth.cfg file, use the following startup switch:
/forceoutboundauth
With the --forceoutboundauth switch enabled, if a message is sent to an SMTP host not listed in the gwauth.cfg file, the sender receives an Undeliverable message.
For inbound authentication from other SMTP hosts, you can use the --forceinboundauth startup switch to ensure that the GWIA accepts messages only from SMTP hosts that use the AUTH LOGIN authentication method to provide a valid GroupWise user name and password. The remote SMTP hosts can use any valid GroupWise user name and password. However, for security reasons, we recommend that you create a dedicated GroupWise user account for remote SMTP host authentication.
You can use the --rejbs switch to have the GWIA reject messages from unidentified sources. The GWIA refuses messages from a host if a DNS reverse lookup shows that a “PTR” record does not exist for the IP address of the sender’s host.
By default, the GWIA does not reject messages from unidentified hosts. It accepts messages from any host, but it displays a warning if the sender’s host is not authentic.
The GWIA can supply accounting information for all messages, including information such as the message’s source, priority, size, and destination.
The accounting file is an ASCII-delimited text file that records the source, priority, message type, destination, and other information about each message sent through the gateway. The file, which is updated daily at midnight (and each time the GWIA restarts), is called acct and is located in the xxx.prc folder. If no accountant is specified for the gateway in the GroupWise Admin console, the file is deleted and re-created each day. Follow the steps below to set up accounting.
You can select one or more GroupWise users to be accountants. Every day at midnight, each accountant receives an accounting file (acct) that contains information about the messages the gateway sent that day.
In the GroupWise Admin console, browse to and click the GWIA.
On the GroupWise tab, click Administrators.
Click Add, browse for and select the user you want to add, then click OK to add the user to the list of administrators.
Select the user in the list of administrators, then click Accountant.
Click Save, then click Close to return to the main Admin console window.
In the GroupWise Admin console, browse to and click the GWIA.
Click the GroupWise tab, then click Optional Settings.
Set Accounting to Yes.
Set Correlation Enabled to Yes.
Click Save, then click Close to return to the main Admin console window.
The following is an Accounting file entry for a single event. Each field in the entry is described below.
O,1/25/2014,21:58:39,3DE29CD2.14E:7:6953, Mail,2,Provo,Research,jsmith,48909,Meeting Agenda,Provo,GWIA,sde23a9f.001,MIME,hjones@novell.com,1,2,11388,0
| Field | Example | Description |
|---|---|---|
| Inbound/Outbound | O | Displays I for inbound messages and O for outbound messages. |
| Date | 1/25/2014 | The date the message was processed. |
| Time | 21:58:39 | The time the message was processed. |
| GroupWise message ID | 3DE29CD2.14E:7:6953 | The unique GroupWise ID assigned to the message. |
| GroupWise message type | Mail | Mail message, appointment, task, note, or phone message for outbound messages. Unknown for inbound messages. |
| GroupWise message priority | 2 | High priority = 1, Normal priority = 2, Low priority = 3 |
| GroupWise user’s domain | Provo | The domain in which the GroupWise user resides. |
| GroupWise user’s post office | Research | The post office where the GroupWise user’s mailbox resides. |
| GroupWise user’s ID | jsmith | The GroupWise user name. For outbound messages, the GroupWise user is the message sender. For inbound messages, the GroupWise user is the message recipient. |
| GroupWise user’s account ID | 48909 | The GroupWise user name. |
| Message subject | Meeting Agenda | The message’s Subject line. Only the first 32 characters are displayed. |
| Gateway domain | Provo | The domain where the GWIA resides. |
| Gateway name | GWIA | The GWIA’s name. |
| Foreign message ID | sde23a9f.001 | A unique ID for outbound messages. The identifier before the period (sde23a9f) uniquely identifies a message. The identifier after the period (001) is incremented by one for each message sent. |
| Foreign message type | MIME | The message type (MIME, etc.). |
| Foreign user’s address | hjones@novell.com | The foreign user’s email address. For inbound messages, the foreign user is the message sender. For outbound messages, the foreign user is the message recipient. |
| Recipient count | 1 | The number of recipients. |
| Attachment count | 2 | The number of attached files. The total count includes the message. |
| Message size | 11388 | The total size, in bytes, of the message and its attachments. |
| Other | 0 | Not used. |
You can use the Monitor Agent to generate a report based on the contents of this file. For more information, see Section 85.3.10, Gateway Accounting Report.
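An added example, not GroupWise code, that parses accounting entries into the 20 named fields documented above and summarises bytes per user and messages per direction, the kind of review an accountant would do on the daily file. The first entry is the page's sample; the other two are constructed to match the documented layout.

```python
"""Parse GWIA accounting (acct) entries into named fields.

Added example, not GroupWise code. It maps the 20 comma-separated fields
documented above onto names and summarises traffic per user and direction.
The first entry below is the sample from the page; the other two are
constructed to match the documented layout.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

FIELDS = [
    "direction", "date", "time", "gw_message_id", "gw_message_type",
    "priority", "user_domain", "user_post_office", "user_id", "user_account_id",
    "subject", "gateway_domain", "gateway_name", "foreign_message_id",
    "foreign_message_type", "foreign_address", "recipient_count",
    "attachment_count", "message_size", "other",
]
INT_FIELDS = ("priority", "recipient_count", "attachment_count", "message_size", "other")

CONSTRUCTED_ACCT = """\
O,1/25/2014,21:58:39,3DE29CD2.14E:7:6953, Mail,2,Provo,Research,jsmith,48909,Meeting Agenda,Provo,GWIA,sde23a9f.001,MIME,hjones@novell.com,1,2,11388,0
I,1/25/2014,22:03:10,3DE29CE1.0A2:7:6960, Unknown,2,Provo,Research,jsmith,48909,Re: Meeting Agenda,Provo,GWIA,,MIME,hjones@novell.com,1,1,4120,0
O,1/25/2014,22:10:45,3DE29CF4.11B:7:6975, Mail,1,Provo,Sales,tbrown,48912,Q1 forecast,Provo,GWIA,sde23a9f.002,MIME,partner@example.com,3,4,204800,0
"""


def parse_acct(text: str) -> list:
    """One dict per entry; lines with the wrong field count are skipped, not guessed at."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        record = {name: value.strip() for name, value in zip(FIELDS, row)}
        for name in INT_FIELDS:
            record[name] = int(record[name])
        entries.append(record)
    return entries


def summarize(entries: list):
    """Bytes received (I) and sent (O) per GroupWise user, and message counts per direction."""
    per_user = defaultdict(lambda: {"I": 0, "O": 0})
    directions = Counter()
    for entry in entries:
        per_user[entry["user_id"]][entry["direction"]] += entry["message_size"]
        directions[entry["direction"]] += 1
    return dict(per_user), directions


if __name__ == "__main__":
    per_user, directions = summarize(parse_acct(CONSTRUCTED_ACCT))
    print(dict(directions))
    for user, totals in per_user.items():
        print(f"{user}: in={totals['I']} bytes, out={totals['O']} bytes")
```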