WinGate Forums

[rboynton]

We have been seeing issues with folks trying to get to a web page and the "licensing violation" page comes up. when I go to the WG console, I only see three or four users connected. What connections count against the user totals? We have a very busy email server that has constant inbound/outbound connections, but I would not think those would count against us.

[adrien]

Hi

The inbound SMTP is also counted. You can limit the number of receive threads to limit license use.

It's difficult to know where to draw the line with what is counted or not.

Things like

* DNS
* DHCP
* Remote Control Service
* Winsock Redirector Service control channels (WinGate Client)
* anything from localhost or an interface on WinGate

aren't counted.

We don't distinguish by interface though, so external and internal users all use a license.

Regards

Adrien

[rboynton]

The inbound SMTP is also counted.

Wow, our email server has been under attack for some time, so counting the inbound SMTP connections would account for why we are seeing "license violation" notices.

Question: I can understand counting outbound connections to some degree, but why would inbound connections be counted? If WG sees an outbound connection attempt from a valid user, then that should be counted as one. I don't see the logic in counting inbound connections... as they cannot be tied to a valid user. Please help me understand the logic here, please. We have a small number of users, and the appropriate license to match. As such, we do not have more than that number of users connecting concurrently, thus should never exceed our license count. Yet that is not what is happening.

[adrien]

Hi Rick

As I mentioned, it's a tough call to determine what to count.

I know some MS products don't count incoming. But then again their pricing starts a lot higher.

But if we didn't count incoming SMTP, then for $75 you could get an unrestricted email gateway. I just checked pricing for MDaemon, even for a 6 user (that's seats, not concurrent), you're looking at $380. KMS starts at $500 for a 10 seat license.

WinGate isn't a full-blown email / groupware etc service (although we use it inhouse for all mail), but it is an HTTP proxy as well.

So we trade off between keeping it affordable for people who want a small proxy for outbound, vs people who want to run it as an internet-based inbound service.

You can limit your exposure to external inbound mail chewing licenses by restricting the number of threads that will be used for SMTP reception.

Furthermore there are technical implications if we were to do things like count activity on some interfaces or interface types and not others. We don't restrict people's ability to specify the usage of their adapters. Plugins also have licensing requirements as well.

In the end though, I'm open to review it - what would you consider reasonable?

Regards

Adrien

[adrien]

p.s. in terms of the logic.

WinGate for SMTP is a gateway primarily, even though it has POP3 and IMAP4 servers, most people use it to gateway/scan inbound traffic and relay outbound. In this scenario the mail is going through WinGate. As far as WinGate is concerned, all mail received with SMTP is "inbound", and all mail it sends is "outbound", regardless of whether it's coming into or going out of your LAN.

Many people also use it for internet-based users (with auth). We have a few users that use our SMTP server from external with auth so they can relay.

So a user can connect to WinGate on any interface from anywhere and send a mail. We can't just say anything received on an external interface isn't a valid user (many people don't use any user accounts for internal either - so what even is a valid user?), or we get into trouble when people run their WinGate behind a NAT with only one adapter which is internal. Or they set all their interfaces to external.

Because we count licenses per client IP, there are technical difficulties in making the requirement for a session to be licensed dependent on what the session does. Currently the license is aquired when the session is created (if required). In fact inside WinGate, the license is held by the "machine" object and shared by all the sessions from that client IP. We'd have all sorts of problems if we were to try and acquire or release a license "late" say after we evaluated that they weren't a valid external user. At that stage the license count may have been maxed out by some other connections, and there may be no proper way to fail the request within the protocol.

We have a similar customer expectation issue with reverse HTTP proxying. We hope that people understand that inbound service is still service (not only outbound) - WinGate is still providing something, and that people on the Internet using WinGate are still users.

with SMTP though spammers can create a problem, which is why I'm open to reviewing this for SMTP.

[rboynton]

Adrien,

I appreciate your candid responses. Please forgive me for coming across harsh. It was not meant to be so.

I agree that outbound connections should be counted against the license number (originating IP = one user), but that really does not work with inbound connections (especially SMTP). Since the issue seems to be SMTP connections, perhaps that protocol alone ought to be exempted from the license count? I appreciate WG for both the cost, and functionality... not to mention the great support you guys provide via this forum.

[adrien]

Hi Rick

no problem - no offense taken.

I'm just a bit stuck as to how to define an inbound connection for SMTP from WinGate's POV. Intuitively I know what you mean, but from WinGate's perspective it's not clear-cut.

In the end it certainly would be simpler in code to just make SMTP free (unlimited). But I'd need to work through whether that makes sense commercially or not. It seems like giving away a lot. Esp given the direction we are heading in with the mail server's capabilities.

Adrien

[rboynton]

If it was my call, I would exempt inbound SMTP. Inbound port 110 coming through the external interface, sure, that obviously is someone in the cloud connecting to collect their email. Generally, I would think it too difficult to control inbound connections and tie them to a user. Much better, in my opinion, to control outbound connections by tieing it back to an internal IP. Thank you for considering this.

[rboynton]

You can limit your exposure to external inbound mail chewing licenses by restricting the number of threads that will be used for SMTP reception.

Adrien, would you mind letting me know how to do this? We're now constantly running into licensing violations, so I need some way to beat back the SMTP connection attempts. Thanks much.

[labull]

Email - Receiving - Maximum Receive Threads. Default looks like 60.

[rboynton]

Email - Receiving - Maximum Receive Threads. Default looks like 60.

Thanks, Larry. I never considered looking there, as we do not use WG Email (port 25 forwards to our email server). I'll play with that to see what effect it has.

[labull]

Ah, then my thinking is totally incorrect.

You could however use the WG SMTP to forward to you server and that way control how many simultaneous SMTP connections you have.

Larry