Message Security. Watchguard XCS


5 Message Security

SMTP Mail Access

The Mail Access screen allows you to configure features that provide security when the system is accepting mail during an SMTP connection.

To configure your SMTP mail access settings:

1. Select Configuration > Mail > Access.


Specific Access Patterns

Specific Access Patterns can be used to search for patterns in a message for filtering during the SMTP connection. See “Specific Access Patterns” on page 94 for detailed information on configuring these filters.

Pattern Based Message Filtering

Enable this option to use Pattern Filters to reject or accept mail based upon matches in the message envelope, header, or body. See “Pattern Filters” on page 137 for detailed information on configuring Pattern Filters.

Maximum recipients per message

Set the maximum number of recipients accepted per message. A very large number of recipients means the message is more likely to be spam or bulk mail. The default is set to 1000.

Maximum recipients reject code

Allows administrators to define a different error to return instead of the default “452 Error: too many recipients” error, such as “554” to permanently reject the connection.

Maximum message size

Set the maximum message size (in bytes) that will be accepted by the system. The default is 10240000 bytes. Note that processing large messages decreases mail processing performance.

The Attachment Size Limit option configured in Security > Content Control > Attachment Control is also set to 10240000 bytes, and the threshold will be exceeded if the attachment size is close to the attachment size limit. We recommend that you set the Maximum Message Size value to at least 1.5 times the value of the Attachment Size Limit option. When attachments are sent with most email messages, the message size grows considerably due to the encoding methods used. The maximum message size should be set accordingly to accommodate attachments. Attachments are sent base64 encoded, not in their binary form. Base64 encoding can increase the size of a file to up to 140% of its original size. This means that a 9MB attachment is actually 13MB in size, and would exceed a message size limit of 10MB. The additional overhead caused by base64 encoding should be considered when deciding a maximum message limit.
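To see the encoding overhead described above on a real message, the following added example (not part of the WatchGuard guide or product) builds a MIME message with Python's standard `email` package and measures its size as it would be sent over SMTP, then compares it with the two defaults quoted in the text. The addresses, file name and function names are constructed for the illustration.

```python
from email import policy
from email.message import EmailMessage

ATTACHMENT_LIMIT = 10_240_000  # bytes, Attachment Size Limit default quoted above
MAX_MESSAGE_SIZE = 10_240_000  # bytes, Maximum message size default quoted above


def wire_size(attachment_bytes: int) -> int:
    """Bytes on the wire for a message with one attachment of the given raw size."""
    msg = EmailMessage(policy=policy.SMTP)  # CRLF line endings, as sent over SMTP
    msg["From"] = "sender@example.com"      # constructed sample headers
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "size test"
    msg.set_content("See attachment.")
    # Binary parts are base64 encoded: every 57 raw bytes become 76 chars + CRLF.
    msg.add_attachment(bytes(attachment_bytes), maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return len(msg.as_bytes())


def recommended_max_message_size(attachment_limit: int) -> int:
    """The guide's rule: at least 1.5 times the Attachment Size Limit."""
    return attachment_limit * 3 // 2


def accepted(attachment_bytes: int, max_message_size: int) -> bool:
    """True if the encoded message stays within the configured size limit."""
    return wire_size(attachment_bytes) <= max_message_size


if __name__ == "__main__":
    for raw in (7_000_000, 9_000_000, ATTACHMENT_LIMIT):
        size = wire_size(raw)
        print(f"{raw:>10} raw -> {size:>10} encoded ({size / raw:.3f}x) "
              f"default limit: {'ok' if size <= MAX_MESSAGE_SIZE else 'REJECTED'}")
    print("recommended Maximum message size:",
          recommended_max_message_size(ATTACHMENT_LIMIT))
```

With both limits left at their defaults, an attachment that passes the Attachment Size Limit can still be rejected on message size; with the 1.5 times rule applied, an attachment at the limit fits.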

Minimum Queue Free Space (Cluster Primary Only)

This option only appears on a Cluster Primary system and allows administrators to set the minimum amount of free space in kilobytes that is required in the queue file system to receive messages. If the system has less than the specified free space, messages will be rejected with a “452: Insufficient system storage” error. This value must at minimum be greater than 1.5 times the specified Maximum message size, and at maximum 50 GB. The default value is automatically calculated for clusters with all the same hardware, and this configuration is replicated across all cluster systems. In a cluster that contains systems of different types of hardware, you must set this value to 20% of the total System Data Storage Area space available according to the cluster member with the least space. This information can be obtained via Activity > Status > Status & Utility on the cluster member. For example, if the cluster system with the least amount of System Data Storage Area space has 10 GB available, then set this value to 2097152 KB (2 GB).

The Minimum Queue Free Space value is not synchronized via Centralized Management.

Maximum Unknown recipients per message

This value determines how many unknown recipients are allowed in the message before it will be rejected by the system. A high number of unknown recipients indicates the message is likely spam or a denial of service attempt.


Maximum Unknown recipients reject code

This value indicates the SMTP reject code to use when the maximum unknown recipients value is exceeded. This should be set to either “421” (temporary reject) or “554” (permanent reject).

SMTP Authenticated Relay

This feature allows authenticated clients to use the system as an external mail relay for sending mail. For example, you may have remote users who need to send mail via this system. Clients must use a login and password to authenticate to the system before being allowed to relay mail.

These accounts can be local or they can be authenticated via LDAP.

LDAP SMTP Authentication

SMTP authentication can also be performed via an LDAP directory server. Select the check box to enable LDAP Authenticated Relay, and select the link to configure its options. This feature can also be configured via Configuration > LDAP > Relay. See “LDAP SMTP Authenticated Relay” on page 85 for detailed information on configuring LDAP Authenticated Relay.

SMTP Banner

The SMTP banner is exchanged during the HELO/EHLO session of an SMTP connection. This banner contains identifying information for your mail server that can be used to launch attacks against the system. This option allows you to customize the SMTP banner and to remove the system’s hostname by using the Domain only option.

Queue Monitoring

The Queue Monitoring feature allows administrators to modify the system’s behavior depending on how large the incoming mail queue is. Delivery of queued mail can be given higher priority than receiving new mail when a certain threshold is reached to process the current mail queue faster. At the maximum threshold, incoming requests can be temporarily rejected to allow the queue to process current messages first.

Select the Monitor Mail Queue Size option to enable incoming queue thresholds.

• Minor Queueing — If the active queue size reaches this threshold, the system will slightly increase the priority of mail delivery over mail receiving.

• Medium Queueing — If the active queue size reaches this threshold, the system will significantly increase priority of mail delivery over mail receiving.

• Significant Queueing — If the active queue size reaches this threshold, the system will temporarily reject any new mail and notify the system administrator.

2. Click Apply.


Specific Access Patterns

Specific Access Patterns are always enabled by default and can be used to either accept or reject mail during an SMTP connection. These rules override all others. Use these special cases to allow email where it would be otherwise blocked, or to block email when it would otherwise be allowed. Specific access patterns allow an administrator to respond to local filtering requirements such as the following:

• Allowing other systems to relay mail through the system

• Rejecting all messages from specific systems

• Allowing all messages from specific systems (effectively trusting the server)

When you specify a Specific Access Pattern rule, it can take one of the following forms:

• IP Address — The system will match an IP address such as 192.168.1.10, or you can use a more general address form such as 192.168 that will match anything in that address space. For the Client Access parameter, the system also supports CIDR (Classless Inter-Domain Routing) format so that administrators can specify a pattern for a network such as 192.168.0.0/24.

• Domain Name — The system will match the supplied domain name, such as example.com, with any subdomain such as mail.example.com, sales.mail.example.com and so on.

• Address — The system will match an exact email address, such as [email protected], or a more general rule such as @example.com.
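The three pattern forms above, written out as matching functions so the scope of a rule can be checked before it is trusted. This is an added example, not WatchGuard's implementation: the function names are hypothetical, and matching prefixes on whole octets, domains on whole labels, and @example.com on the exact domain part are assumptions. The sample addresses are constructed.

```python
import ipaddress


def match_client_ip(pattern: str, client_ip: str) -> bool:
    """Client Access IP forms: CIDR network, full address, or leading octets."""
    if "/" in pattern:  # e.g. 192.168.0.0/24
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    want = pattern.strip(".").split(".")  # "192.168" -> ["192", "168"]
    have = str(ipaddress.IPv4Address(client_ip)).split(".")  # IPv4 only
    # Assumption: compare whole octets, so "192.16" does not match 192.168.1.10.
    return have[:len(want)] == want


def match_domain(pattern: str, host: str) -> bool:
    """Domain Name form: the domain itself or any subdomain of it."""
    pattern, host = pattern.lower().strip("."), host.lower().rstrip(".")
    # Assumption: require a label boundary, so "badexample.com" is not a match.
    return bool(pattern) and (host == pattern or host.endswith("." + pattern))


def match_address(pattern: str, address: str) -> bool:
    """Address form: an exact mailbox, or "@domain" for any mailbox in it."""
    local, _, domain = address.lower().rpartition("@")
    if pattern.startswith("@"):
        return bool(local) and domain == pattern[1:].lower()
    return address.lower() == pattern.lower()


if __name__ == "__main__":
    # Constructed checks: what each rule covers and what it must not cover.
    print(match_client_ip("192.168", "192.168.44.7"))             # inside prefix
    print(match_client_ip("192.168.0.0/24", "192.168.1.10"))      # outside /24
    print(match_domain("example.com", "sales.mail.example.com"))  # subdomain
    print(match_domain("example.com", "badexample.com"))          # lookalike
    print(match_address("@example.com", "alice@example.com.evil.test"))
```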

To add a new Specific Access Pattern:

1. Select Configuration > Mail > Access.

2. Click Add Pattern.

3. In the Pattern field text box, enter a mail address, IP address, hostname, or domain name.

• Client Access — Specify a domain, server hostname, or IP address. This item is the most reliable and may be used to block spam as well as trust clients.

• HELO Access — Specify either a domain or server name.

• Envelope-From Access — Specify a valid email address.

• Envelope-To Access — Specify a valid email address.

Only the Client Access parameter can be relied upon since spammers can easily forge all other message properties. These parameters can be useful for trusting purposes.
