This section describes all of the individual SMTP authentication settings.
These settings are applied to all SMTP connections regardless of the OU that the email addresses belong to. These settings require admin privileges to define.
Setting | Description | Value(s)
---|---|---
1 - SMTP authentication | Determines the availability of SMTP authentication on this SMTP interface. |
2 - Require authentication | Determines if authentication is required for sending messages. |
3 - AUTH IP restriction | Sets the enabled state for the AUTH IP filter. Use this option to restrict or allow SMTP clients' access to the AUTH command based on their connecting IP address. |
4 - AUTH IP filter | Entries in the list are given access to or denied access to SMTP authentication based on the setting in AUTH IP restriction. | Accepts IP addresses, CIDR formatted addresses, wildcards, and regexes.
5 - AUTH username restriction | Sets the enabled state for the AUTH username filter. Use this option to restrict or allow specific usernames from using SMTP authentication. |
6 - AUTH username filter | Entries in the list have their credentials validated or ignored based on the setting in AUTH username restriction. | Accepts plain email addresses, wildcards, and regexes.
IMPORTANT: The following options should only be enabled if you fully understand the consequences of what you are turning on. Blindly enabling these options can lead to disastrous results for your ability to send email, possibly causing listing on blacklists. Relaying is defined as a message that is from a sender outside your system, to a user outside your system.

Setting | Description
---|---
7 - Allow relay if authenticated (global) | This setting allows any user that has authenticated to relay mail via SMG.
8 - Allow authenticated OU relay | This set of checkboxes enables relaying for individually selected OUs, and interacts with the authenticated state of users from those OUs. When a sender claims to be from an SMG-defined domain but has not authenticated, they are considered external for the purpose of determining relaying status. NOTE: Configuration of relaying is not provided within an OU itself, as this poses a risk to the entire mail system if a tenant is allowed to open up relaying, whether deliberately or by mistake.
These settings are applied to SMTP connections based on the OU of the sender email address. These settings can be set by OU administrators, and as a result, are restricted in scope to affect only the addresses matching domains within the OU.
It is very important to understand how the scoping works in these settings. These rules always take the sender email address into consideration when decisions are computed. If one of these settings is not working as you expect, you should check the sender domain to see if it is 'owned' by the OU. If the sender is from a different domain than those defined for the OU, then none of the authentication settings will have any effect.
If applicable to your system, typically in single OU systems, it is normally better to define any equivalent settings at the interface. The rules at the interface can be computed earlier in the SMTP transaction. OU level rules need to receive the email addresses before rule conformance can be determined.
Setting | Description | Value(s)
---|---|---
9 - Require inbound SMTP domain authentication | This setting determines the authentication requirements for SMTP clients that issue a MAIL FROM command for this domain and a RCPT TO command for this domain. For example, if the domain identity is 'opentext.com', and the SMTP client issues the commands 'MAIL FROM:<sender@opentext.com>' and 'RCPT TO:<recip@opentext.com>', this setting becomes valid. In the same case, if the SMTP client issues the command 'MAIL FROM:<user@external.com>', then the setting becomes redundant. The test for the authentication requirement is computed when the client issues the RCPT TO command. NOTE: Depending on how your mail system is implemented, this setting can be used to require authentication even if AUTH is not enabled. This can be used to prevent address spoofing, because a client is unable to authenticate at all. The result of this is that all attempts to spoof mail will fail. |
10 - Require SMTP Sending domain authentication | Determines whether authentication is required for clients that send a MAIL FROM command for any domains defined within this OU. This setting is similar to Require inbound SMTP domain authentication, differing only in the scope of the restriction. This setting only tests the MAIL FROM command for conformance to the rule, which is more restrictive. |
11 - Match AUTH user with FROM address | When enabled, the email address provided in the MAIL FROM command must match the authenticated username. Using this option prevents internal users from sending messages on behalf of other users. This setting applies to all automatically provisioned addresses for the domain, and to internal users of the domain that are configured for Enable for SMTP Auth. The comparison is case insensitive, i.e. ADMIN@company.com will match admin@company.com. |
12 - SMTP IP authentication exception mode | Works in conjunction with SMTP IP authentication exceptions to define IP address exceptions to AUTH requirements. If entries exist in SMTP IP authentication exceptions, exceptions are activated. An empty list in SMTP IP authentication exceptions deactivates the exception mode. Where an SMTP client would have its RCPT TO command rejected due to authentication requirements, this setting overrides the rejection if the connecting IP address matches an entry in SMTP IP authentication exceptions. The core purpose of this setting is to allow senders from specific IP addresses to send from this domain into the SMG system, bypassing anti-spoofing measures that have been configured. |
13 - SMTP IP authentication exceptions | A list of IP address matches used by SMTP IP authentication exception mode. | The format of addresses may be raw IP address, CIDR format, wildcards, or regexes.
14 - SMTP AUTH username restriction | Works in conjunction with SMTP AUTH username filter to restrict the names that can be used for SMTP authentication. During the SMTP AUTH command, the given username is compared to the entries in the SMTP AUTH username filter. If an entry matches, the authentication verification proceeds. If no entry matches, the authentication attempt is ignored and rejected. It is important to understand that the username referred to in this feature is the authenticating username (AUTH command), and not the sender address (MAIL FROM). Although the authenticating username and sender email address are commonly the same, this is just coincidental. Confusing these details can lead to expectation problems in what the address restriction is applying to. |
15 - SMTP AUTH username filter | A list of pattern matches used by SMTP AUTH username restriction. The username that is tested against this list must belong to the OU in which the rule is defined, by way of address-formatted usernames. If a restricted address belongs to a different OU, it will not match this list. For example, defining anybody@* in an OU that hosts the domain company.com will match anybody@company.com, but not anybody@widgets.com. | The format of entries in this list may be plain text, wildcards or regexes.
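The following Python model is an added illustration of how settings 9 to 15 combine, and is not SMG's own code: `rcpt_decision` evaluates a RCPT TO for a sender in the OU's domains (settings 9, 10, 11, with the IP exceptions of 12 and 13 overriding only the 9/10 rejection), and `auth_username_allowed` applies the OU-scoped username filter of 14 and 15. Assumptions: `auth_user` is the username of an already successful AUTH (or `None`), exception entries are raw IPs or CIDR only, and a filter entry written `/.../` is treated as a regex, a delimiter the page does not specify.

```python
import fnmatch
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class OuAuthSettings:
    domains: set                                          # domains 'owned' by this OU
    require_inbound: bool = False                         # 9 - Require inbound SMTP domain authentication
    require_sending: bool = False                         # 10 - Require SMTP Sending domain authentication
    match_auth_user: bool = False                         # 11 - Match AUTH user with FROM address
    ip_exceptions: list = field(default_factory=list)     # 13; mode 12 is active when non-empty
    username_filter: list = field(default_factory=list)   # 15; restriction 14 is active when non-empty

    def __post_init__(self):
        self.domains = {d.lower() for d in self.domains}  # domain matching is case insensitive


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _ip_excepted(ip, entries):
    # raw IP or CIDR entries only (assumption); wildcard and regex entries are not modelled
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False) for e in entries)


def auth_username_allowed(ou, username):
    """Settings 14/15: the AUTH username must be an address in an OU domain and match an entry."""
    user = username.lower()
    if "@" not in user or _domain(user) not in ou.domains:
        return False  # address belongs to another OU (or is not an address): never matches this list
    for entry in ou.username_filter:
        if len(entry) > 2 and entry[0] == entry[-1] == "/":      # assumed regex syntax: /pattern/
            if re.fullmatch(entry[1:-1], user, re.IGNORECASE):
                return True
        elif fnmatch.fnmatchcase(user, entry.lower()):          # plain text or wildcard entry
            return True
    return False


def rcpt_decision(ou, mail_from, rcpt_to, auth_user, client_ip):
    """Settings 9-13, computed at RCPT TO. Returns (accepted, reason)."""
    if _domain(mail_from) not in ou.domains:
        return True, "sender domain not owned by this OU: these settings do not apply"
    if auth_user is None:
        needs_auth = ou.require_sending or (ou.require_inbound and _domain(rcpt_to) in ou.domains)
        if not needs_auth:
            return True, "no authentication requirement triggered"
        if ou.ip_exceptions and _ip_excepted(client_ip, ou.ip_exceptions):
            return True, "unauthenticated, but the client IP matches an exception entry"
        return False, "authentication required for this sender domain"
    if ou.match_auth_user and auth_user.lower() != mail_from.lower():
        return False, "AUTH username does not match MAIL FROM"
    return True, "authenticated sender accepted"
```

The IP addresses used in any test input are constructed documentation ranges, not values from the page.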
Setting | Description
---|---
16 - SMTP target host Auth passthrough | To perform automated authentication for users on your email system, this checkbox tells SMG that it can use this host to perform login tests against an SMTP server. When an SMTP client attempts to authenticate to the SMG SMTP server, SMG will look up the authenticating username. The internal SMG user database is searched first, and if the user is not found and the authentication username is an email address, then SMG will look up the OU database for a matching domain. If the username belongs to a domain, and an SMTP target host is configured with the 'Auth' checkbox enabled, SMG will contact the SMTP server and test the credentials against it to verify the user. NOTE: The Authentication, username and password fields of the domain SMTP hosts are unrelated to client authentication validation. Making changes to those fields will have no effect on SMTP client authentication (they are used for sending email to the server if it requires authentication for mail delivery).
17 - LDAP target host Auth passthrough | To perform automated authentication for users on your email system, this checkbox tells SMG that it can use this host to perform login tests against an LDAP server. When an SMTP client attempts to authenticate to the SMG SMTP server, SMG will look up the authenticating username. The internal SMG user database is searched first, and if the user is not found and the authentication username is an email address, then SMG will look up the OU database for a matching domain. If the username belongs to a domain, and an LDAP target host is configured with the 'Auth' checkbox enabled, SMG will contact the LDAP server and test the credentials against it to verify the user. NOTE: The username and password fields of the domain LDAP hosts are unrelated to client authentication validation. Making changes to those fields will have no effect on SMTP client authentication (they are used for user validation if required to gain privileges on the LDAP server).
Setting | Description | Value(s)
---|---|---
18 - Enable for SMTP Auth | Internal SMG users can be configured to be used in the SMTP authentication process. By default, this setting is off. The setting will be unavailable if the management mode is set to 'Domain provisioning', which indicates that the user was auto-generated and will be authenticated remotely to the configured target system. This setting is useful to provide a single user name that can be used to grant privileges to send email within your system without needing to have the user exist in your email system. A typical use case for this feature is for devices such as printers that use email for notification. For convenience, a single username can be used for all devices on the network. |
Setting | Description
---|---
19 - Limit by authenticated state | Enable this option in a policy's criteria to determine whether the policy should be used, based on the authenticated state of the connecting client.
20 - Authentication state | Select the authenticated state of the message being scanned to decide whether to use this policy.