4.3 SMTP Interface

The SMTP Interface Manager is used to configure and manage the SMTP interfaces in the Micro Focus Secure Messaging Gateway system. This interface controls the SMTP configuration used to capture messages for scanning. It is designed mainly for use with multiple organizations and should not be changed on a single-organization system.

If a serviced organization needs an exclusive SMTP, this is where to add and configure the new interface and tie it to the organization.

While configuring the new SMTP system, be sure to configure all desired fields. Before an organization can be selected to be tied to the SMTP, the organization must be created and configured on the 'Manage Organizations' page.

Create a new Interface by clicking Add New.

Host server: Select the host server

Stats module: Select the Statistics engine

Serviced OU set: Select the OU to service

Scan failure action: Select the action to take on failure:

  • Delay messages (451)
  • Allow messages (250)
  • Reject messages (554)

License Failsafe mode: Select the action to take when a license issue occurs: Delay Messages (451), Allow Messages (250), or Reject Messages (554).

Notes: Enter notes about the module, if desired.

Server

Enable SMTP server (plain): The SMTP server can be disabled here. Default, enabled.

SMTP server listen address: What IP address the SMTP server will listen on

SMTP source bind address: What IP address the SMTP server will bind to

Max inbound connections: Limit the number of inbound connections. Default, 256.

DSN template file: Delivery Status Notification template file location. The template can be created in System Management | Templates.

Keep spool files: For support use. Saves spool files to disk in /opt/gwava/gwsmtp/private/; these must be cleaned up manually. Default, disabled.

External Delivery

Connection Security: Set the security protocol.

  • None (Default)
  • auto
  • tls
  • ssl

Line Limit: How many lines to allow. Default, 1000.

Use relay server: Enable to use an SMTP relay server.

Relay targets:

SMTP Host Server: Enter the IP address or Hostname of the SMTP to use.

Priority: Enter the priority, 1 is highest.

Security: Select the security protocol used by the SMTP relay.

  • none
  • auto
  • tls
  • ssl

Authentication: Select the authentication protocol used by the SMTP relay.

  • None
  • auto
  • plain
  • login
  • cram-md5

Username: Enter the SMTP relay username, if needed.

Password: Enter the SMTP relay password, if needed.

Line Limit: Limit the number of lines to send, default 1000.

SSL

If the module's SSL settings are left blank the local server SSL configuration settings will be used, if configured. Enabling the SSL settings in the module will override the server SSL configuration. This allows specific localized SSL settings for the individual module.

Enable TLS: Use TLS for security. Default disabled.

Enable SMTP server (SSL): Use SSL for SMTP. Default disabled.

SMTP server listen address (SSL): Enter the IP address of the SMTP server.

Max inbound connections: Limit the number of inbound connections. Default, 256.

SSL certificate file: Enter the path to the file on the Micro Focus Secure Messaging Gateway server.

SSL certificate chain file: Enter the path to the file on the Micro Focus Secure Messaging Gateway server.

SSL key file: Enter the path to the file on the Micro Focus Secure Messaging Gateway server.

SSL cipher list: Enter a list of ciphers to use.

For example, to enter a list of strong ciphers to use, in the SSL Cipher List field, paste:

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

These may need to be modified if a sender you want to receive from is not secure, but it is recommended to have the sender upgrade their system to something secure, rather than reducing the security of your system.

Ciphers can be tested at the SSL-Tools website.
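As an added example (not from the SMG documentation), the following Python script asks the local OpenSSL to expand the cipher string above into the concrete suites it would offer and reports any weak suite that survives the trailing exclusions; the list of weak-name markers is an assumption of this example.

```python
import ssl

# Cipher string from the SSL cipher list example above.
SMG_CIPHER_LIST = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Name fragments that mark suites a mail gateway should not negotiate
# (RC4, single/triple DES, MD5 MACs, NULL, anonymous and export suites).
# Assumed for this example; extend it to match local policy.
WEAK_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")


def expand_cipher_list(spec):
    """Have the local OpenSSL expand an OpenSSL-style cipher string into the
    concrete suites it would offer. OpenSSL accepts space, colon or comma as
    separators, so the space-separated string from the field works unchanged.
    ssl.SSLError is raised if OpenSSL rejects the string outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # get_ciphers() also lists the fixed TLS 1.3 suites, which this string
    # does not govern, so keep only the TLS 1.2-and-earlier entries.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_ciphers(names):
    """Return the suite names that still contain a weak primitive."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def check_spec(spec):
    """Return (number of suites offered, weak suites left). An empty weak
    list means the '!...' exclusions removed everything they should."""
    names = expand_cipher_list(spec)
    return len(names), audit_ciphers(names)


if __name__ == "__main__":
    count, weak = check_spec(SMG_CIPHER_LIST)
    print(f"{count} TLS<=1.2 suites offered, {len(weak)} weak: {weak}")
```

Paste a candidate cipher string into SMG_CIPHER_LIST before applying it to the interface; if the weak list is not empty, the exclusions at the end of the string are incomplete.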

SSL protocol disable: You may select which security protocol(s) are used by SMG. Check the box to disable a protocol. Default SSLv2 disabled (checked), SSLv3 disabled (checked), TLSv1 disabled (checked), TLSv1.1 enabled (unchecked), TLSv1.2 enabled (unchecked).

SSL pass phrase: Enter the path to the file on the Micro Focus Secure Messaging Gateway server.

Protocol

Enable inbound timeouts: Default enabled.

Client connection timeout (sec): Default 15 seconds.

Client protocol timeout (sec): Default 5 seconds.

Client DATA command timeout (sec): Default 10 seconds.

Client DATA payload timeout (sec): Default 10 seconds.

TLS negotiation timeout (sec): Default 15 seconds.

TLS fail recovery timeout (sec): Default 2 seconds.

Enable outbound timeouts: Default enabled.

Server connection timeout (sec): Default 60 seconds.

Server protocol timeout (sec): Default 60 seconds.

Server DATA timeout (sec): Default 60 seconds.

SMTP banner: Enter a banner for the SMTP server; some email systems require one before they will approve the connection. The best practice is to enter the external fully qualified domain name of the server, so that when confirming the connection you know where it is. For example, mail.example.com.

SMTP host domain: This is pre-populated with the domain the SMTP server is associated with.

Postmaster email: Enter the email address of the SMTP domain postmaster.

Custom EHLO responses: Enter custom EHLO responses, if desired.

Forwarded EHLO/HELO domain: Enter the forwarded domain.

Disable A-record fallback: Default disabled.

SMTP Authentication: Default disabled.

Enable SIZE limit: Default enabled.

SIZE limit (bytes): Default 40000000.

NOOP interval (sec): Enter how long a “no operation” should last. Default 30 seconds.

Exploit Detection

Enable drop on invalid commands: Default enabled.

Max allowable invalid commands: Default 5.

Enable address hiding on dictionary attack: Default enabled.

Max failed addresses before hiding: Default 3.

Relay/Host Protection

Restrict relaying: Default enabled.

Allowed relay sources: Add the system's SMTP relay. Default "127.0.0.1", "10.*", "172.16.0.0/12", "192.168.*.".

Allow Relay: Enable to allow relaying. Default, enabled.

Skip Connection Tests: Enable to skip the connection test. Default enabled.

Allow relay if authenticated: Default disabled.

Connection Drop Services

Delayed rejection state: Default No delay. In a multi-tenant system, it is especially important that this be set to DATA so that all recipient OUs are received and tracked in Message Tracker.

  • No delay
  • HELO/EHLO: Wait until the HELO/EHLO command is sent.
  • STARTTLS: Wait until the STARTTLS command is sent.
  • MAIL FROM: Wait until the MAIL FROM command is sent.
  • RCPT TO: Wait until the RCPT TO command is sent.
  • DATA: Wait until the DATA command is sent.

Report rejections to SMTP: Default enabled.

Enable RBL: Default enabled.

RBL server configuration

RBL Server

  • sbl-xbl.spamhaus.org (Default)
  • bl.spamcop.net (Default)

Skip Local IP: Default enabled.

RBL hit action

  • Reject connection (554)
  • Delay connection (421) (Default)

Enable IP reputation service: Default enabled.

Reject IP reputation match: Default enabled.

4xx on IP reputation tmpfail: Default enabled.

IP reputation host address: Default 127.0.0.1.

Enable SPF: Default disabled.

Treat ~all as -all: Default disabled.

IP address rejection: Enter IP address(es) to be rejected. One address per line.

Message Tracking Services

A storage location must be selected when this feature is enabled. Data may be stored in the default OU or in the owning (sender and/or recipient) OU.

At least one Message Tracking filter must be configured in the Policy Manager for this to work; otherwise only SMTP tracking data can be gathered.

Enable message tracking: Default disabled.

Store in default OU: Default disabled.

Default OU for message tracking: Set to root, or if in a multi-tenant system to the default OU.

Store in owning OU: Default disabled. If enabled, the Connection Drop Services “Delayed rejection state” must be set to DATA to ensure that all recipients are received.

Track only if NOT tracked by the scan engine: Default disabled.

Track only if connection dropped: Default disabled.

Denial of Service Protection

Enable DoS functionality: Default enabled.

Scanner Fault Tolerance

Priority influence: Influence on the priority used by the message filter engine; 1 is highest.

Address Transformation

Create address transformation rules from the Module Management | Address Transformation Manager page.

Available transformation rules: A list of available transformation rules to the interface. Select from the drop-down menu.

You can remove or override the direction and address selections here.

Diagnostic

Enable client IP address override: Default disabled.

Client override IP address: Enter the IP address to override.

Retain decoded message files: For support use. When enabled, copies of the message files are saved to /opt/gwava/gwvsmpt/../tmp. For troubleshooting use only; if left enabled the hard drive will fill up. Default, disabled.

Retain raw message files: For support use. When enabled, copies of the message files are saved to /opt/gwava/gwvsmpt/../tmp. For troubleshooting use only; if left enabled the hard drive will fill up. Default, disabled.

Average session time (seconds): Statistics about the sessions.

Average scan time (seconds): Statistics about the scans.

4.3.1 SMTP Module Troubleshooting

There are some troubleshooting actions you can take to resolve issues.

Outgoing “Pending” Messages

With GroupWise systems, users may experience “pending” status for messages sent to the Internet. If email was working before enabling SMG and the GWIA log shows:

"Attempting to connect to <SMG hostname>"

"Send Failure: 420 TCP read error"

A simple test is to telnet to the SMG and attempt to send an email from the telnet session. If SMG responds with 220 and no banner, the issue is that the GWIA requires an SMTP banner from SMG.

Configure the SMTP interface | Protocol and add an SMTP banner, for example, “GroupWise SMG server”.
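As an added example (not from the SMG documentation), this Python check reproduces the telnet test above: it reads the 220 greeting, sends EHLO and flags a missing banner, along with whether STARTTLS and the SIZE limit are advertised on the interface. The host, port and the probe hostname it sends in EHLO are assumptions.

```python
import socket


def parse_greeting(line):
    """Split the opening reply into (code, banner); a bare '220' has no banner."""
    code, _, banner = line.strip().partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"not an SMTP reply: {line!r}")
    return int(code), banner.strip()


def parse_ehlo(lines):
    """Map a multi-line EHLO reply ('250-' continues, '250 ' ends) to extensions."""
    extensions = {}
    for line in lines[1:]:  # first line is the server domain, not an extension
        keyword, _, args = line[4:].partition(" ")
        extensions[keyword.upper()] = args
    return extensions


def assess(greeting, ehlo_lines):
    """Return the findings an SMG administrator would want to act on."""
    code, banner = parse_greeting(greeting)
    findings = []
    if not banner:
        findings.append("no SMTP banner after 220 (the GroupWise 'pending' symptom)")
    ext = parse_ehlo(ehlo_lines)
    if "STARTTLS" not in ext:
        findings.append("STARTTLS not advertised")
    if "AUTH" in ext and "STARTTLS" not in ext:
        findings.append("AUTH offered on a plain connection")
    if "SIZE" not in ext:
        findings.append("SIZE limit not advertised")
    return findings


def probe(host, port=25, timeout=15):
    """Live check of one interface: greeting, EHLO, QUIT. Returns input for assess()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        greeting = rd.readline().decode("ascii", "replace").rstrip("\r\n")
        sock.sendall(b"EHLO probe.example.com\r\n")  # assumed probe hostname
        lines = []
        while True:
            line = rd.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # '250 ' (space) ends the reply
                break
        sock.sendall(b"QUIT\r\n")
    return greeting, lines
```

Run `assess(*probe("smg.example.com"))` from a host in the allowed relay sources; an empty list means the interface greets with a banner and advertises STARTTLS and SIZE.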