9.2 SMTP Authentication Settings

This section describes all of the individual SMTP authentication settings.

9.2.1 Interface Settings

These settings are applied to all SMTP connections regardless of the OU that the email addresses belong to. These settings require admin privileges to define.

Setting

Description

Value(s)

1 - SMTP authentication

Determines the availability of SMTP authentication on this SMTP interface.

  • Disabled: Authentication is disabled on the SMTP interface.

  • Enabled: Authentication is enabled on the SMTP interface.

  • Enabled when encrypted: Authentication is enabled only for encrypted connections on the SMTP interface. A connection is encrypted either because the client connected to the SSL (implicit TLS) listener or because it switched the connection to encrypted mode with the STARTTLS command.

2 - Require authentication

Determines if authentication is required for sending messages.

  • Enabled: SMTP clients must authenticate to be able to send messages. Attempts to send mail without authenticating are rejected.

  • Disabled: SMTP clients do not need to be authenticated to send email.
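The interaction of settings 1 and 2 on a single connection, as an added example that is not part of the original page and not SMG's own code: a small server-side model in Python that decides what the EHLO reply advertises and how STARTTLS, AUTH and MAIL FROM are answered under 'Enabled when encrypted' with 'Require authentication' turned on. The hostname, the reply texts and the session model are constructed for this example.

```python
from dataclasses import dataclass

# Values of interface setting 1 (SMTP authentication)
AUTH_DISABLED = "Disabled"
AUTH_ENABLED = "Enabled"
AUTH_WHEN_ENCRYPTED = "Enabled when encrypted"


@dataclass
class InterfaceConfig:
    smtp_authentication: str = AUTH_WHEN_ENCRYPTED   # setting 1
    require_authentication: bool = True              # setting 2


@dataclass
class Session:
    encrypted: bool = False        # implicit TLS port, or STARTTLS completed
    authenticated: bool = False


class InterfaceAuthPolicy:
    """Server-side reply logic for one connection. Hostname and reply texts
    are constructed for this example, not taken from SMG."""

    def __init__(self, cfg: InterfaceConfig):
        self.cfg = cfg

    def auth_available(self, s: Session) -> bool:
        """Is the AUTH command usable on this connection right now?"""
        mode = self.cfg.smtp_authentication
        if mode == AUTH_ENABLED:
            return True
        if mode == AUTH_WHEN_ENCRYPTED:
            return s.encrypted
        return False

    def ehlo(self, s: Session) -> list:
        """EHLO reply: AUTH is advertised only when it would be accepted."""
        lines = ["250-smg.example.invalid"]
        if not s.encrypted:
            lines.append("250-STARTTLS")
        if self.auth_available(s):
            lines.append("250-AUTH PLAIN LOGIN")
        lines.append("250 OK")
        return lines

    def starttls(self, s: Session) -> str:
        if s.encrypted:
            return "503 5.5.1 TLS already active"
        s.encrypted = True          # handshake assumed to succeed
        s.authenticated = False     # SMTP state is reset after TLS negotiation
        return "220 2.0.0 Ready to start TLS"

    def auth(self, s: Session, credentials_valid: bool) -> str:
        mode = self.cfg.smtp_authentication
        if mode == AUTH_DISABLED:
            return "503 5.5.1 AUTH not available on this interface"
        if mode == AUTH_WHEN_ENCRYPTED and not s.encrypted:
            return "538 5.7.11 Encryption required for requested authentication mechanism"
        if not credentials_valid:
            return "535 5.7.8 Authentication credentials invalid"
        s.authenticated = True
        return "235 2.7.0 Authentication successful"

    def mail_from(self, s: Session) -> str:
        """Setting 2: with 'Require authentication' on, MAIL FROM needs a prior AUTH."""
        if self.cfg.require_authentication and not s.authenticated:
            return "530 5.7.0 Authentication required"
        return "250 2.1.0 Sender OK"


def auth_before_starttls() -> str:
    """A client that tries AUTH on the plaintext connection is refused."""
    policy = InterfaceAuthPolicy(InterfaceConfig())
    return policy.auth(Session(), credentials_valid=True)


def compliant_exchange() -> list:
    """Replies seen by a client that authenticates only after STARTTLS."""
    policy = InterfaceAuthPolicy(InterfaceConfig())
    s = Session()
    return [
        policy.mail_from(s),                      # rejected: not authenticated yet
        policy.starttls(s),
        policy.auth(s, credentials_valid=True),
        policy.mail_from(s),
    ]
```

The point to notice is that 'Enabled when encrypted' must be enforced in two places: AUTH is left out of the EHLO capability list on the plaintext connection, and an AUTH command sent anyway is still refused, so a client that ignores the advertised capabilities cannot leak credentials in the clear.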

3 - AUTH IP restriction

Sets the enabled state for AUTH IP filter. Use this option to allow or deny use of the AUTH command based on the connecting IP address of the SMTP client.

  • Disabled: IP address filtering is inactive.

  • Allow IP addresses in list: Only the IP addresses listed in AUTH IP filter are able to use SMTP AUTH (Whitelist).

  • Deny IP addresses in list: Only the IP addresses not listed in AUTH IP filter are able to use SMTP AUTH (Blacklist).

4 - AUTH IP filter

Entries in the list are granted or denied access to SMTP authentication according to the setting in AUTH IP restriction.

Accepts IP addresses, CIDR formatted addresses, wildcards, and regexes.

5 - AUTH username restriction

Sets the enabled state for AUTH username filter. Use this option to allow or deny specific usernames the use of SMTP authentication.

  • Disabled: Username filtering is inactive.

  • Allow usernames in list: Only the usernames listed in AUTH username filter are able to use SMTP AUTH (Whitelist).

  • Deny usernames in list: Only the usernames not listed in AUTH username filter are able to use SMTP AUTH (Blacklist).

6 - AUTH username filter

Entries in the list have their credentials validated or their authentication attempts rejected, according to the setting in AUTH username restriction.

Accepts plain email addresses, wildcards, and regexes.

IMPORTANT: The following options should only be enabled if you fully understand the consequences of what you are turning on. Enabling them carelessly can allow your gateway to be abused as a mail relay, with disastrous results for your ability to send email, including listing on blacklists. Relaying is defined as accepting a message from a sender outside your system for delivery to a recipient outside your system.

Setting

Description

7 - Allow relay if authenticated (global)

This setting allows any authenticated user, regardless of OU, to relay mail via SMG.

8 - Allow authenticated OU relay

This set of checkboxes enables relaying for individually selected OUs, for users from those OUs who have authenticated. When a sender claims to be from an SMG-defined domain but has not authenticated, they are considered external for the purpose of determining relaying status.

NOTE: Configuration of relaying is not provided within an OU itself, as this poses a risk to the entire mail system if a tenant is allowed to open up relaying, whether deliberately or by mistake.

9.2.2 OU Level Settings

These settings are applied to SMTP connections based on the OU of the sender email address. These settings can be set by OU administrators, and as a result, are restricted in scope to affect only the addresses matching domains within the OU.

It is very important to understand how scoping works for these settings. These rules always take the sender email address into consideration when decisions are computed. If one of these settings is not working as you expect, check whether the sender domain is 'owned' by the OU: if the sender is from a domain other than those defined for the OU, none of the OU's authentication settings have any effect.

Where possible, typically on single-OU systems, it is better to define equivalent settings at the interface level. Interface rules can be evaluated earlier in the SMTP transaction (at connection time or when the AUTH command is issued), whereas OU-level rules cannot be evaluated until the MAIL FROM and RCPT TO addresses have been received.

Setting

Description

Value(s)

9 - Require inbound SMTP domain authentication

This setting determines the authentication requirements for SMTP clients that issue a MAIL FROM command for this domain and a RCPT TO command for this domain. For example, if the domain identity is 'opentext.com' and the SMTP client issues the commands 'MAIL FROM:<sender@opentext.com>' and 'RCPT TO:<recip@opentext.com>', this setting applies. In the same case, if the SMTP client issues the command 'MAIL FROM:<user@external.com>', the setting does not apply. The test for the authentication requirement is computed when the client issues the RCPT TO command.

  • Not Required: Senders from this domain do not need to be authenticated to send to this domain.

  • Required when SMTP interface AUTH is enabled: Authentication is required according to the conditions mentioned in the description if SMTP Authentication is enabled on the SMTP interface.

  • Required always: Authentication is required according to the conditions mentioned in the description.

NOTE: Depending on how your mail system is implemented, 'Required always' can be used to require authentication even when AUTH is not enabled on the interface. Because no client can then authenticate, every message that claims to be from this domain and is addressed to this domain is rejected, which defeats this form of address spoofing. Legitimate internal systems that must still deliver such mail need another path, such as a connecting IP address listed in SMTP IP authentication exceptions.

10 - Require SMTP Sending domain authentication

Determines whether authentication is required for clients that issue a MAIL FROM command for any domain defined within this OU. This setting is similar to Require inbound SMTP domain authentication, differing only in the scope of the restriction: it tests only the MAIL FROM command for conformance, regardless of the recipient, which makes it more restrictive.

  • Enabled: SMTP clients that claim to be from a domain within this OU must authenticate to be able to send messages. All attempts to send mail without authenticating will be rejected.

  • Disabled: The setting has no effect.

11 - Match AUTH user with FROM address

When enabled, the email address provided in the MAIL FROM command must match the authenticated username. Using this option prevents internal users from sending messages on behalf of other users. This setting applies to all automatically provisioned addresses for the domain, and to internal users of the domain that are configured for Enable for SMTP Auth. The comparison is case insensitive; for example, ADMIN@company.com matches admin@company.com.

12 - SMTP IP authentication exception mode

Works in conjunction with SMTP IP authentication exceptions to define IP address exceptions to AUTH requirements. Exceptions are active only while the SMTP IP authentication exceptions list has entries; an empty list deactivates the exception mode. Where an SMTP client would have its RCPT TO command rejected because of authentication requirements, this setting overrides the rejection if the connecting IP address matches an entry in SMTP IP authentication exceptions. The core purpose of this setting is to allow senders from specific IP addresses (for example, an internal mail server or application host that cannot authenticate) to send from this domain into the SMG system, bypassing the anti-spoofing measures that have been configured. Keep the list as narrow as possible: every listed address can send as any user of the domain without credentials.

  • Allow: The addresses in the SMTP IP authentication exceptions list are not subjected to authentication based addressing restrictions.

  • Deny: Addresses that do not match the SMTP IP authentication exceptions list are not subjected to authentication based addressing restrictions.

13 - SMTP IP authentication exceptions

A list of IP address matches used by SMTP IP authentication exception mode.

Addresses may be given as raw IP addresses, in CIDR format, as wildcards, or as regexes.
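How the OU-level anti-spoofing settings 9 to 13 and the interface relay settings 7 and 8 combine at MAIL FROM and RCPT TO, as an added example that plays through the scoping rules above; it is not SMG's code. The Python model below assumes that a user's OU is the one owning the domain of their AUTH username, that the exception list holds CIDR entries only, and that rejections use conventional SMTP reply texts; none of these details come from the page, and the sample OU, addresses and client IPs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

NOT_REQUIRED = "Not Required"                                      # setting 9 values
REQUIRED_IF_AUTH = "Required when SMTP interface AUTH is enabled"
REQUIRED_ALWAYS = "Required always"


@dataclass
class OU:
    domains: set                                    # domains 'owned' by this OU
    inbound_domain_auth: str = NOT_REQUIRED         # setting 9
    sending_domain_auth: bool = False               # setting 10
    match_auth_user_with_from: bool = False         # setting 11
    ip_exception_mode: str = "Allow"                # setting 12: Allow or Deny
    ip_exceptions: list = field(default_factory=list)   # setting 13, CIDR entries (assumed)
    authenticated_relay: bool = False               # setting 8, this OU's checkbox

@dataclass
class Interface:
    auth_enabled: bool = True                       # setting 1 is not 'Disabled'
    relay_if_authenticated: bool = False            # setting 7

@dataclass
class Session:
    client_ip: str
    auth_user: Optional[str] = None                 # None: client has not authenticated


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def ou_for(domain: str, ous: list) -> Optional[OU]:
    return next((ou for ou in ous if domain in ou.domains), None)

def ip_exempt(session: Session, ou: OU) -> bool:
    """Settings 12/13; an empty list deactivates the exception mode entirely."""
    if not ou.ip_exceptions:
        return False
    ip = ipaddress.ip_address(session.client_ip)
    listed = any(ip in ipaddress.ip_network(e, strict=False) for e in ou.ip_exceptions)
    return listed if ou.ip_exception_mode == "Allow" else not listed

def check_mail_from(session: Session, mail_from: str, ous: list) -> str:
    """Setting 11: an authenticated user may only claim their own address."""
    ou = ou_for(domain_of(mail_from), ous)
    if ou is None or session.auth_user is None:
        return "250 2.1.0 Sender OK"                # outside the scope of any OU rule
    if ou.match_auth_user_with_from and session.auth_user.lower() != mail_from.lower():
        return "550 5.7.1 Sender address does not match authenticated user"
    return "250 2.1.0 Sender OK"

def check_rcpt_to(session: Session, mail_from: str, rcpt_to: str,
                  ous: list, iface: Interface) -> str:
    sender_ou = ou_for(domain_of(mail_from), ous)
    rcpt_ou = ou_for(domain_of(rcpt_to), ous)
    authed = session.auth_user is not None

    # Anti-spoofing (settings 9, 10) applies only when an OU owns the sender domain.
    if sender_ou is not None and not authed and not ip_exempt(session, sender_ou):
        if sender_ou.sending_domain_auth:
            return "530 5.7.0 Authentication required to send from this domain"
        req = sender_ou.inbound_domain_auth
        if domain_of(rcpt_to) in sender_ou.domains and (
                req == REQUIRED_ALWAYS or (req == REQUIRED_IF_AUTH and iface.auth_enabled)):
            return "530 5.7.0 Authentication required for this domain"

    # Relay (settings 7, 8): an unauthenticated sender counts as external even
    # when it claims an SMG-defined domain.
    if rcpt_ou is None:
        if sender_ou is not None and authed:
            return "250 2.1.5 Recipient OK"         # internal user, ordinary outbound mail
        auth_ou = ou_for(domain_of(session.auth_user), ous) if authed else None
        if authed and (iface.relay_if_authenticated or
                       (auth_ou is not None and auth_ou.authenticated_relay)):
            return "250 2.1.5 Recipient OK (authenticated relay)"
        return "554 5.7.1 Relay access denied"
    return "250 2.1.5 Recipient OK"

def spoof_scenarios() -> dict:
    """Constructed cases: one OU owning example.com with 'Required always' and
    192.0.2.0/24 (say, an on-premises MTA) listed as an Allow exception."""
    ou = OU({"example.com"}, inbound_domain_auth=REQUIRED_ALWAYS,
            match_auth_user_with_from=True, ip_exceptions=["192.0.2.0/24"])
    ous, iface = [ou], Interface()
    outsider = Session("203.0.113.5")
    listed = Session("192.0.2.10")
    alice = Session("198.51.100.7", auth_user="alice@example.com")
    return {
        "spoof_internal": check_rcpt_to(outsider, "alice@example.com", "bob@example.com", ous, iface),
        "listed_ip_exempt": check_rcpt_to(listed, "alice@example.com", "bob@example.com", ous, iface),
        "external_sender": check_rcpt_to(outsider, "x@external.test", "bob@example.com", ous, iface),
        "open_relay_attempt": check_rcpt_to(outsider, "x@external.test", "y@other.test", ous, iface),
        "auth_outbound": check_rcpt_to(alice, "alice@example.com", "y@other.test", ous, iface),
        "auth_from_mismatch": check_mail_from(alice, "bob@example.com", ous),
    }
```

Two of the constructed cases are the ones to check when a rule "does not work": mail from x@external.test to bob@example.com is accepted because no OU owns the sender domain, so setting 9 never applies to it; and the same internal-to-internal message that is rejected from 203.0.113.5 is accepted from 192.0.2.10 only because that address is in the exception list, which is exactly the bypass the list is for.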

14 - SMTP AUTH username restriction

Works in conjunction with SMTP AUTH username filter to restrict the names that can be used for SMTP authentication. During the SMTP AUTH command, the given username is compared to the entries in the SMTP AUTH username filter. If the username is permitted by the filter, credential verification proceeds; otherwise the authentication attempt is rejected without the credentials being verified. It is important to understand that the username referred to in this feature is the authenticating username (AUTH command), and not the sender address (MAIL FROM). Although the authenticating username and the sender email address are commonly the same, this is coincidental. Confusing the two leads to wrong expectations about what the restriction applies to.

  • Disabled: Authentication restrictions will not be applied.

  • Allow usernames in list: Authenticating users who belong to this OU and match an entry in the list are allowed to authenticate; those that do not match are rejected.

  • Deny usernames in list: Authenticating users who belong to this OU and do not match any entry in the list are allowed to authenticate; those that match are rejected.

15 - SMTP AUTH username filter

A list of pattern matches used by SMTP AUTH username restriction.

The username tested against this list must belong to the OU in which the rule is defined, which requires address-formatted usernames. If a restricted address belongs to a different OU, it will not match this list. For example, defining anybody@* in an OU that hosts the domain company.com matches anybody@company.com, but not anybody@widgets.com.

The format of entries in this list may be plain text, wildcards or regexes.
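A matcher for the entry formats accepted by the AUTH IP filter and AUTH username filter (interface settings 4 and 6) and by the OU-level lists (settings 13 and 15), with the Allow/Deny semantics of settings 3, 5 and 14 and the OU scoping rule just described, as an added example that is not SMG's own code. The page does not state how SMG tells a regex entry from a wildcard, nor its exact case handling; this example assumes an entry written as /pattern/ is a regex, that anything else is a wildcard (with * and ?) or a literal, and that matching is case-insensitive throughout.

```python
import fnmatch
import ipaddress
import re
from typing import Iterable, Optional


def entry_matches(entry: str, value: str) -> bool:
    """One list entry against one value: regex (assumed /pattern/ syntax),
    raw IP or CIDR, wildcard, or plain literal."""
    if len(entry) > 2 and entry.startswith("/") and entry.endswith("/"):
        return re.fullmatch(entry[1:-1], value, re.IGNORECASE) is not None
    try:  # raw IP or CIDR, only when both sides parse as addresses
        return ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    # Wildcard or literal; fnmatch handles both, case-folded on both sides.
    return fnmatch.fnmatchcase(value.lower(), entry.lower())


def filter_allows(value: str, entries: Iterable[str], mode: str) -> bool:
    """Restriction modes: 'Disabled', 'Allow ... in list' or 'Deny ... in list'.
    Returns True when the value may proceed to SMTP AUTH."""
    if mode == "Disabled":
        return True
    listed = any(entry_matches(e, value) for e in entries)
    return listed if mode.startswith("Allow") else not listed


def ou_username_allowed(username: str, entries: Iterable[str], mode: str,
                        ou_domains: Iterable[str]) -> Optional[bool]:
    """OU-level form (settings 14/15): the list only applies to address-formatted
    usernames in a domain this OU owns. Returns None when the rule is out of
    scope, so 'anybody@*' in the company.com OU decides anybody@company.com but
    is never consulted for anybody@widgets.com."""
    if "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in ou_domains}:
        return None
    return filter_allows(username, entries, mode)
```

When a list mixes entry kinds, the CIDR test is attempted before the wildcard test so that an entry such as 10.0.0.0/8 is never fed to fnmatch, where the slash would make it a literal that can never match.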

Setting

Description

16 - SMTP target host Auth passthrough

Enable this checkbox to tell SMG that it may use this host to perform login tests against an SMTP server, providing automated authentication for users on your email system.

When an SMTP client attempts to authenticate to the SMG SMTP server, SMG looks up the authenticating username. The internal SMG user database is searched first; if the username is not found there and is an email address, SMG looks up the OU database for a matching domain. If the username belongs to a domain, and an SMTP target host is configured with the 'Auth' checkbox enabled, SMG contacts that SMTP server and tests the credentials against it to verify the user.

NOTE: The Authentication, username and password fields of the domain SMTP hosts are unrelated to client authentication validation. Changing those fields has no effect on SMTP client authentication; they are used for sending email to the server when it requires authentication for mail delivery.

17 - LDAP target host Auth passthrough

Enable this checkbox to tell SMG that it may use this host to perform login tests against an LDAP server, providing automated authentication for users on your email system.

When an SMTP client attempts to authenticate to the SMG SMTP server, SMG looks up the authenticating username. The internal SMG user database is searched first; if the username is not found there and is an email address, SMG looks up the OU database for a matching domain. If the username belongs to a domain, and an LDAP target host is configured with the 'Auth' checkbox enabled, SMG contacts that LDAP server and tests the credentials against it to verify the user.

NOTE: The username and password fields of the domain LDAP hosts are unrelated to client authentication validation. Changing those fields has no effect on SMTP client authentication; they are used for user validation when privileges are required to query the LDAP server.

Setting

Description

Value(s)

18 - Enable for SMTP Auth

Internal SMG users can be configured for use in the SMTP authentication process. By default, this setting is off. The setting is unavailable if the management mode is set to 'Domain provisioning', which indicates that the user was auto-generated and is authenticated remotely against the configured target system. This setting is useful for providing a single username that grants privileges to send email within your system without the user needing to exist in your email system. A typical use case is devices such as printers that use email for notification; for convenience, a single username can be used for all devices on the network. Because such a credential is shared, restrict where it can be used, for example with the AUTH IP filter (interface settings 3 and 4).

  • Disabled: This user cannot be used for SMTP authentication.

  • Enabled for any sender address: This user can be used for authentication, and can issue a MAIL FROM command using any email address permitted by the OU. Addressing permissions for the OU are defined by the parent OU, ensuring that permission elevation cannot be self-assigned.

  • Enabled for matching sender address: This user can be used for authentication, and it may only issue a MAIL FROM command that matches the user name. For this functionality to work, the username must be an email address. Address matches are case insensitive.
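The lookup order described for settings 16 to 18 (internal SMG user database first, then the OU that owns the username's domain and its target host flagged for Auth passthrough), together with the sender rules of 'Enable for SMTP Auth', as an added Python example that is not SMG's code. The data structures, the verifier interface, the choice of the first target host with the Auth flag when several exist, and the sample directory are all constructed for the example; the live smtplib login test needs network access, so the offline demo substitutes a fake verifier.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
import hmac
import smtplib


@dataclass
class InternalUser:
    name: str
    password: str                  # in clear only to keep the example self-contained
    smtp_auth: str = "Disabled"    # setting 18 values


@dataclass
class TargetHost:
    host: str
    port: int
    kind: str                      # "smtp" (setting 16) or "ldap" (setting 17)
    auth_passthrough: bool = False # the 'Auth' checkbox


@dataclass
class OU:
    domains: set
    target_hosts: list = field(default_factory=list)


@dataclass
class Directory:
    users: Dict[str, InternalUser]  # internal SMG user database
    ous: list


def resolve(d: Directory, username: str) -> Tuple[str, object]:
    """Which back end answers for a username: ('internal', user),
    ('passthrough', host) or ('none', None)."""
    user = d.users.get(username)
    if user is not None:
        return "internal", user
    if "@" in username:
        domain = username.rsplit("@", 1)[1].lower()
        ou = next((o for o in d.ous if domain in o.domains), None)
        if ou is not None:
            host = next((h for h in ou.target_hosts if h.auth_passthrough), None)
            if host is not None:
                return "passthrough", host
    return "none", None


def smtp_login_test(host: TargetHost, username: str, password: str) -> bool:
    """Live credential test against an SMTP target host (needs network)."""
    try:
        with smtplib.SMTP(host.host, host.port, timeout=10) as conn:
            conn.ehlo()
            if conn.has_extn("starttls"):
                conn.starttls()
                conn.ehlo()
            conn.login(username, password)
        return True
    except (smtplib.SMTPException, OSError):
        return False


def authenticate(d: Directory, username: str, password: str,
                 verifiers: Dict[str, Callable[[TargetHost, str, str], bool]]) -> bool:
    kind, obj = resolve(d, username)
    if kind == "internal":
        # Setting 18: an internal user must be enabled for SMTP Auth at all.
        return obj.smtp_auth != "Disabled" and hmac.compare_digest(
            obj.password.encode(), password.encode())
    if kind == "passthrough":
        return verifiers[obj.kind](obj, username, password)
    return False


def sender_allowed(user: InternalUser, mail_from: str) -> bool:
    """Setting 18: which MAIL FROM addresses an internal user may use."""
    if user.smtp_auth == "Enabled for any sender address":
        return True
    if user.smtp_auth == "Enabled for matching sender address":
        return "@" in user.name and user.name.lower() == mail_from.lower()
    return False


def demo_directory() -> Directory:
    """Constructed data: a shared printer account, a disabled account, and
    one OU whose SMTP target host has Auth passthrough enabled."""
    hosts = [TargetHost("mail.example.com", 587, "smtp", auth_passthrough=True)]
    return Directory(
        users={"printer": InternalUser("printer", "s3cret", "Enabled for any sender address"),
               "old-app": InternalUser("old-app", "s3cret")},
        ous=[OU({"example.com"}, hosts)],
    )
```

The order matters for security: an internal user whose name collides with a real mailbox wins over passthrough, so an internal account should not be created with an address-formatted name unless that is intended, and a host without the Auth checkbox is never contacted, which is why the separate credential fields on the target host have no bearing on client logins.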

Setting

Description

19 - Limit by authenticated state

Enable this option in a policy's criteria to decide whether the policy applies, based on the authenticated state of the connecting client.

20 - Authentication state

Select the authenticated state of the message being scanned to decide whether to use this policy.