Security Policies

Each service in FTGate is controlled by a security policy. The policy specifies the top level control of the service. In the Policy you can specify, by IP address and range, the authentication and relay options available to users of your server.

By default there are three policies; users can create further policies as required:

Each service that uses a policy has the same security settings. Thus an address banned in a specific policy is banned in all services that use that policy. Each service may only use one policy but a policy can be shared among more than one service.

A policy consists of two parts: an address list that specifies how different IP addresses should be handled, and a group of settings for each service type.

The addresses are selected in order of priority, where the priority is simply the number of bits set in the mask field. Thus if an address matches two entries, the one with the most bits set in the mask will be used.

The following describes the flags used in the Address fields:

PA - Permit Access
    If this flag is set, an IP address has access; otherwise it is rejected.

AA - Automatic Authentication
    If this flag is set, the connection is assumed to be authenticated. For SMTP it is the equivalent of a successful AUTH command sequence having been completed. It will not affect services that require a login (see: Sign In). Note that setting this flag on the WAN address range of the Global security policy will make your server an Open Relay (a mail server which will relay all mail from any source). This type of server usually becomes blacklisted quickly, as its services will be subverted by spammers trying to cover their tracks. Open relays are a very bad thing!

AS - Permit SMTP Authentication
    This flag permits machines in this address range to issue SMTP AUTH commands and authenticate against the server. If the flag is clear, NO machines in this range can authenticate.

AM - Permit Authentication by mailbox access
    This flag checks whether any valid logins to either POP3 or IMAP have occurred in the last 5 minutes; if so, the connection is assumed to be authenticated.

AR - Allow Relaying
    This flag enables authenticated users to relay mail through the server. If this flag is clear, machines in this address range will NEVER relay.

RBL - Reject connections with RBL entries
    This flag causes all connections from within the specified address range to be validated against the RBL server list specified elsewhere. If the address is found, the connection will be rejected. (RBL, Real-time Blackhole List: a list of mail servers that are considered sources of spam by the list owner.)

BAN - Allow addresses to be blacklisted
    If this flag is set, any connection that attempts a detectable DoS attack will be auto-banned.

LL - Limit login attempts / SMTP errors
    If this flag is set, IP addresses will be prevented from trying multiple login attempts (default 5). This protects against brute-force password attacks. Bad logins are counted per source address regardless of the service type, so 2 bad POP3 logins, 2 bad IMAP logins and 1 bad SMTP login from the same address result in a ban.

    This option also triggers protection against SMTP bad addresses. If this option is enabled, the sending client/server will be banned after the specified number of bad recipients. The ban period is defined elsewhere in the policy.

BL - Blacklisted Address
    If this flag is set, the address is considered aggressively blacklisted. This flag is usually only set by the autoban option (above). Connections from blacklisted addresses are automatically denied.

PTR - Reject connection with invalid PTR records
    This option will check that the IP address of the connected computer has a valid PTR record. (PTR: the reverse pointer record in a DNS system, which allows a server to determine the name of a computer from its IP address. DNS, Domain Name Server: a server that answers queries regarding the names and addresses on the internet.)

HE - Validate HELO command
    This option validates the HELO domain and ensures that it is correctly formatted and is not an IP address.

GL - Use greylist
    See: Greylisting

SPF - Validate sender's address against the domain's SPF data
    This option will validate the sender's email address against the SPF records for the sender's domain. If the address is not in the valid range, the message will be rejected. If a domain does not publish SPF data, the message will be accepted. (SPF, Sender Policy Framework: a system utilising DNS servers to validate that a given IP address is authorised to send mail for a specific domain.)
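The mask-bits priority rule and the PA, BL, AA, AS, AR and LL flags described above, modelled as an added Python example (not FTGate code). The entry layout, flag spellings and the way a ban is recorded (a single-host entry carrying BL, which outranks the range entry by having the most mask bits) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AddressEntry:
    """One row of a policy address list: a network (address/mask) and its flag set."""
    network: ipaddress.IPv4Network
    flags: frozenset


def entry(addr_mask, *flags):
    """Build an entry from 'address/mask' (e.g. '10.0.0.0/255.0.0.0') or CIDR notation."""
    return AddressEntry(ipaddress.ip_network(addr_mask, strict=False), frozenset(flags))


def select_entry(entries, ip):
    """Priority rule: of all entries containing ip, the one with most bits set in its mask wins."""
    ip = ipaddress.ip_address(ip)
    matches = [e for e in entries if ip in e.network]
    return max(matches, key=lambda e: e.network.prefixlen) if matches else None


def decide(entries, ip, smtp_auth_ok=False):
    """Combine PA, BL, AA, AS and AR into access / authenticated / relay decisions.
    smtp_auth_ok: the client completed an SMTP AUTH exchange with valid credentials."""
    e = select_entry(entries, ip)
    if e is None or "BL" in e.flags or "PA" not in e.flags:
        return {"access": False, "authenticated": False, "relay": False}
    authenticated = "AA" in e.flags or (smtp_auth_ok and "AS" in e.flags)
    return {"access": True, "authenticated": authenticated,
            "relay": authenticated and "AR" in e.flags}


class LoginLimiter:
    """LL flag: bad logins are counted per source address across POP3, IMAP and SMTP.
    Reaching the limit (default 5) bans the address. The ban is modelled here (an
    assumption, not FTGate's mechanism) as a host entry carrying BL; being a /32 it has
    the most mask bits and therefore outranks the wider range entry."""

    def __init__(self, entries, limit=5):
        self.entries, self.limit, self.failures = entries, limit, {}

    def bad_login(self, ip, service):
        """Record one failed login from ip on the given service; return True if this bans it."""
        e = select_entry(self.entries, ip)
        if e is None or "LL" not in e.flags:
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1  # service is deliberately ignored
        if self.failures[ip] >= self.limit:
            self.entries.append(entry(ip + "/255.255.255.255", "BL"))
            return True
        return False
```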