SMTP Relay Problem in 6.0


Postby Bob Tucker » Aug 16 04 10:19 pm

Dear Sirs,

I am trying to work around a problem with SMTP. The office here is a 20+ user office in Thailand which connects to the Asia office for the parent company in Hong Kong via a SecureClient IPSec VPN tunnel to a CheckPoint FW-1 NG Firewall via a garden variety DSL connection. The DSL router allows all inbound Internet traffic to be transparently redirected to one PC. I have enabled that feature in the router, and all inbound traffic is directed to the Wingate PC. By company policy, all PCs on the network here are connected directly to the DSL router to reach the Lotus Notes server and company applications on the parent company Intranet in Hong Kong. Also by company policy, all PCs have their own SecureClient VPN software which must be enabled whenever a user accesses Lotus Notes or a company application on the corporate intranet. The problem with this is that the Wingate Server is just another node on the same subnet as the other nodes on the network. There is no secure interface. There is no trusted network.

Internet access for all network PCs is via the Wingate server. We use NAT. I have disabled all unneeded services, and we do not have open relay problems. We do, however, have an SMTP relay problem. The whole network is untrusted as the link to the Internet is on the same subnet as all nodes on the network. Wingate properly sees the network as untrusted as there is a single NIC with a default route in the Wingate server. I need to allow the SMTP service to be available to everyone in order to receive SMTP from the Internet. And I have completely disabled SMTP relay in order to eliminate the server being used by SPAMmers.

I cannot add another NIC to the server and still have everyone connect to the company Intranet directly through the router as company policy requires this. Although I can authenticate users via NTLM, I cannot limit SMTP relay to users as there appears to be no way to enable SMTP relay for users only. I believe I cannot use SMTP relay for users. Therefore, I have users' SMTP server pointed to the ISP's SMTP server in order for them to be able to send mail. This works well when users are in the office. However, when they take their laptops home and connect through various dial-in ISPs or leave the country on sales calls, all are unable to send email as the ISP for the company network will not relay SMTP. This means that users have to change the SMTP server in their email client configuration whenever they access the Internet from another ISP, city or country. It would be useful to use the Wingate SMTP server all the time. Is there anything I am missing here?
Bob Tucker
 
Posts: 94
Joined: Oct 02 03 11:47 pm

Postby adrien » Aug 17 04 2:47 am

OK, probably your best bet is to leave the one WinGate interface as external, but to allow your users to relay out for SMTP, they just need to be trusted.

There are several options for this (apart from connecting on an internal interface).

1. Authentication
2. setting up an assumption for your client IP addresses.

If these addresses have an assumed user associated with them, they will be trusted senders for mail.

Other senders will be untrusted, so inbound mail will work, but untrusted relay will be blocked.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Bob Tucker » Aug 17 04 3:54 am

Thank you Adrien,

I appreciate your answer, and I appreciate your time and patience very much. Could you please give me a bit more information? I tried authentication previously. I obviously did not set it up correctly as users could relay but inbound mail would not work. Authentication would be best as users will take their laptops home and on sales calls and access the mail server from the Internet.

Again, Thank you. Any help is appreciated.

With Kindest Regards,

Bob Tucker
Bob Tucker
 
Posts: 94
Joined: Oct 02 03 11:47 pm

Postby adrien » Aug 17 04 5:48 am

You're welcome.

Depending on the email client your users are using, there are several options. If you are for instance using Outlook or Outlook Express, then WinGate 6.0 supports NTLM authentication in the SMTP server and POP3 server; also, if you want your users to use secure connections, you can do that as well. To use NTLM authentication for your email clients, you need to be using the Windows user database in WinGate (rather than WinGate's built-in user database). Other clients would need to use SASL PLAIN or CRAM-MD5 methods. PLAIN works with both types of user database, but CRAM-MD5 will only work if you are using the WinGate user database.

Authentication in WinGate mail is a bit simpler than other WinGate proxies, since it doesn't require configuration of policies to get users to authenticate.

If you currently have inbound mail working for your domain, I take it therefore that you have a local domain configured on that machine. This then will mean that WinGate will treat received mail destined for this domain as local mail, rather than mail to be relayed. Therefore both trusted and untrusted senders can deliver such mail to WinGate.

The only missing piece of the puzzle then is to let your users that you want to be trusted gain the trust of the server by authentication.

This should be simply a matter of

a) making sure the relevant authentication options are available in the security tab in WinGate Email.
b) making sure you are using the relevant user database in WinGate for the type of authentication you wish to use.

If you want to make secure connections (i.e. SSL or TLS) then you would need to

1. Generate a certificate under Server Certificates. Make sure the value you give for "Name or Server" matches the name that clients will use to connect to your server. Wildcards are also possible. For instance our certificate is generated with the name *.qbik.com.

2. If your clients are Outlook clients, they don't support TLS (negotiated secure connection), only straight SSL connections (connect then secure). You would need to go into the POP3 server (not proxy), select bindings, add a policy, and select the adapter, choose to override the port, choose 995 (I think this is the standard secure POP3 port), select "use SSL", and select the certificate you created in 1. above. Then the POP3 server will be a secure server on this port.

3. Repeat a similar process for the SMTP server, but on the port you wish to use for secure SMTP connections.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
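The trust model Adrien describes (mail for the local domain accepted from anyone, relay only for senders that authenticated or whose IP has an assumed user, and CRAM-MD5 needing the server to hold the cleartext password) as an added illustration in Python. This is not WinGate code; the domain, user, password and IP assumption are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample configuration; not WinGate's real data structures.
LOCAL_DOMAINS = {"example.co.th"}          # the local domain configured on the server
USER_DB = {"bob": "s3cret-pass"}           # WinGate's own DB keeps the cleartext password
IP_ASSUMPTIONS = {"192.0.2.10": "bob"}     # Adrien's option 2: assumed user per client IP


def plain_token(user, password):
    """Client side of SASL PLAIN: base64('authzid\\0authcid\\0password')."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def verify_plain(token):
    """Server side of SASL PLAIN. Returns the user name, or None on failure."""
    try:
        _, user, password = base64.b64decode(token).decode().split("\0")
    except ValueError:
        return None
    return user if USER_DB.get(user) == password else None


def cram_response(user, password, challenge):
    """Client side of CRAM-MD5: 'user ' + hex(HMAC-MD5(password, challenge))."""
    return user + " " + hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(challenge, response):
    """Server side of CRAM-MD5. Recomputing the digest needs the cleartext password,
    which is why it only works with the WinGate user database, not the Windows one."""
    user, _, digest = response.partition(" ")
    password = USER_DB.get(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def decide_rcpt(client_ip, auth_user, rcpt):
    """Return 'local', 'relay' or 'reject' for one RCPT TO address."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "local"    # mail for our own domain: accepted from anyone
    if auth_user is not None or client_ip in IP_ASSUMPTIONS:
        return "relay"    # trusted sender may relay out to the Internet
    return "reject"       # untrusted relay attempt is blocked
```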

Postby Bob Tucker » Aug 17 04 5:22 pm

Dear Adrien,

Thank you again for your assistance. It was exactly what I needed. I do appreciate your time.

With Kindest Regards,

Bob Tucker
Bob Tucker
 
Posts: 94
Joined: Oct 02 03 11:47 pm
