54.2 Blocking Unwanted Email from the Internet

The GWIA includes the following features to help you protect your GroupWise system and users from unwanted email:

54.2.1 Real-Time Blacklists

Organizations such as SpamCop provide lists of IP addresses that are known to be open relay hosts or spam hosts. If you want to use free blacklist services such as these, or if you subscribe to fee-based services, you must define the blacklist addresses for these services. The GWIA then uses the defined services to ensure that no messages are received from blacklisted hosts. The following sections provide information to help you define blacklist addresses and, if necessary, override a host address included in a blacklist.

NOTE: If you want to configure the GWIA to block a specific IP address or DNS hostname, add the address or hostname to a class of service, as described in Section 54.1, Controlling User Access to the Internet. The Blacklist feature configures the GWIA to use blacklist services that provide real-time lists of many sites that are known to be bad.

Defining a Blacklist Address

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click Access Control > Blacklists to display the Blacklists page.


    The Blacklist Addresses list displays the addresses of all blacklists that the GWIA checks when it receives a message from another SMTP host. The GWIA checks the first blacklist and continues checking lists until the sending SMTP host’s IP address is found or all lists have been checked. If the sending SMTP host’s IP address is included on any of the blacklists, the message is rejected. If you have the GWIA’s logging level set to Verbose, the log file includes information about the rejected message and the referring blacklist.

    This list corresponds with the GWIA’s /rbl switch.

  3. Click Add to display the New Blacklist Address dialog box.


    For example, for SpamCop, you would use the following address:

    bl.spamcop.net
    
  4. Type the blacklist address in the Address box, then click OK to add the address to the Blacklist Addresses list.

  5. If you have multiple blacklists in the Blacklist Addresses list, use the up-arrow and down-arrow to position the blacklists in the order you want them checked. The GWIA checks the blacklists in the order they are listed, from top to bottom.

  6. Click OK to save your changes.
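When a message is rejected and you need to confirm which list was responsible, you can reproduce the ordered lookup by hand. The sketch below is an added example, not GWIA code: it uses the standard DNSBL query convention (reversed IPv4 octets prepended to the blacklist address, with a listed host answering inside 127.0.0.0/8) and walks the lists top to bottom as described in step 2. The zone dnsbl.example.org, the function names, and the FAKE_DNS table are constructed for illustration.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers fall in this range

def dnsbl_query_name(ip, zone):
    """IPv4 octets reversed, followed by the blacklist address (DNS zone)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """Live A-record lookup for real use; NXDOMAIN (not listed) becomes []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def first_listing(ip, zones, resolve=system_resolver):
    """Walk the zones top to bottom and stop at the first one that lists ip."""
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                return zone, answer
    return None

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"2.0.0.127.bl.spamcop.net": ["127.0.0.2"]}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

# dnsbl.example.org is a hypothetical first list; bl.spamcop.net is from the page.
ZONES = ["dnsbl.example.org", "bl.spamcop.net"]

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10"):
        print(ip, first_listing(ip, ZONES, fake_resolver))
```

Call first_listing without the third argument to query live DNS from the GWIA server's own network, so that you see the same answers the GWIA would.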

Overriding a Blacklist

In some cases, a blacklist might contain a host from which you still want to receive messages. For example, goodhost.com has been accidentally added to a blacklist but you still want to receive messages from that host.

You can use the SMTP Incoming Exceptions list on a class of service to override a blacklist. For information about editing or creating a class of service, see Section 54.1.2, Creating a Class of Service.

54.2.2 Access Control Lists

If you want to block specific hosts yourself rather than use a blacklist (in other words, create your own blacklist), you can configure a class of service that prevents messages from those hosts. You do this on the GWIA object’s Access Control Settings page by editing the desired class of service to add the hosts to the Prevent Messages From exception list on the SMTP Incoming tab. For example, if you wanted to block all messages from badhost.com, you could edit the default class of service to add badhost.com to the list of prevented hosts.

You can also create a list of hosts that you always want to allow messages from, so you can create your own white list.

For information about editing or creating a class of service, see Section 54.1.2, Creating a Class of Service.

54.2.3 Blocked.txt File

ConsoleOne creates a blocked.txt file that includes all the hosts that have been added to the Prevent Messages From exceptions list for the default class of service (see Section 54.1, Controlling User Access to the Internet).

You can manually edit the blocked.txt file to add or remove hosts. To maintain consistency for your system, you can also copy the list to other GWIA installations.

To manually edit the blocked.txt file:

  1. Open the blocked.txt file in a text editor.

  2. Add the host addresses.

    The entry format is:

    address1
    address2
    address3
    

    where address is either a hostname or an IP address. You can block on any octet. For example:

    IP Address        Blocks
    *.*.*.34          Any IP address ending with 34
    172.16.*.34       Any IP address starting with 172.16 and ending with 34
    172.16.10-34.*    Any IP address starting with 172.16 and any octet from 10 to 34

    You can block on any segment of the hostname. For example:

    Hostname             Blocks
    provo*.novell.com    provo.novell.com, provo1.novell.com, provo2.novell.com
    *.novell.com         gw.novell.com (but not novell.com itself)

    There is no limit to the number of IP addresses and hostnames that you can block in the blocked.txt file.

  3. Save the file as blocked.txt.
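Before copying a hand-edited blocked.txt to other GWIA installations, it helps to dry-run the entries against hosts you expect to be blocked and hosts you must keep receiving mail from. The matcher below is an added example, not GWIA code. It implements the entry format shown in the tables above and assumes that a hostname wildcard is matched segment by segment, so that * never spans a dot. The sample file content and function names are constructed.

```python
import fnmatch
import ipaddress
import re

OCTET = re.compile(r"\*|\d{1,3}(-\d{1,3})?")  # '*', 'N', or inclusive range 'N-M'

def _octet_matches(pattern, value):
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= value <= int(high or low)

def entry_matches(entry, host):
    """True if one blocked.txt entry covers the given IP address or hostname."""
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    parts = entry.split(".")
    if len(parts) == 4 and all(OCTET.fullmatch(p) for p in parts):
        try:
            octets = ipaddress.IPv4Address(host).packed
        except ValueError:
            return False  # an IP pattern never matches a hostname
        return all(_octet_matches(p, o) for p, o in zip(parts, octets))
    labels = host.split(".")
    # Assumption: wildcards apply per hostname segment and do not cross dots.
    return len(labels) == len(parts) and all(
        fnmatch.fnmatchcase(label, p) for label, p in zip(labels, parts))

def blocked_by(lines, host):
    """Return the first entry that blocks host, or None if no entry does."""
    for line in lines:
        if line.strip() and entry_matches(line, host):
            return line.strip()
    return None

# Constructed blocked.txt content built from the patterns in the tables above.
SAMPLE = """*.*.*.34
172.16.10-34.*
provo*.novell.com
*.novell.com
""".splitlines()

if __name__ == "__main__":
    for host in ("10.0.0.34", "172.16.35.5", "provo1.novell.com", "novell.com"):
        print(host, "->", blocked_by(SAMPLE, host))
```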

54.2.4 Mailbomb (Spam) Protection

Multiple unsolicited messages (sometimes called a mailbomb or spam) from the Internet can potentially harm your GroupWise messaging environment. You can use the settings on the SMTP Security page to help protect your GroupWise system from malicious or accidental attacks.

To configure the SMTP security settings:

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click SMTP/MIME > Security Settings.

  3. Fill in the fields:

    Reject if PTR Record Does Not Exist: This setting lets you prevent messages if the sender’s host is not authentic.

    When this setting is turned on, the GWIA refuses messages from a smart host if a DNS reverse lookup shows that a PTR record does not exist for the IP address of the sender’s host.

    When this setting is turned off, the GWIA accepts messages from any host, but displays a warning if the initiating host is not authentic.

    This setting corresponds with the GWIA’s /rejbs switch.

    • Reject If PTR Record Does Not Match Sender’s Greeting: Select this option if you want the GWIA to reject messages from sending SMTP hosts where the sending host's PTR record does not match the information that the SMTP host sends out when it is initially contacted by another SMTP host. If the information does not match, the sending host might not be authentic.

    • Flag Messages with an Invalid PTR Record as Junk Mail: Select this option to allow messages from unidentified sources to be handled by users' Junk Mail Handling settings in the GroupWise client rather than by being rejected by the GWIA. This gives users more control over what they consider to be junk mail.

    Enable Mailbomb Protection: Mailbomb protection is turned off by default. You can turn it on by selecting this option.

    Mailbomb Threshold: When you enable Mailbomb protection, default values are defined in the threshold settings. The default settings are 30 messages received within 10 seconds. You can change the settings to establish an acceptable security level.

    Any group of messages that exceeds the specified threshold settings is entirely discarded. If you want to prevent future mailbombs from the mailbomb sender, identify the sender’s IP address (by looking at the GWIA’s console) and then modify the appropriate class of service to prevent mail being received from that IP address (Access Control > Settings). For more information, see Section 54.1.2, Creating a Class of Service.

    The time setting corresponds with the GWIA’s /mbtime switch. The message count setting corresponds with the /mbcount switch.

  4. Click OK to save the changes.

For additional protective startup switches, see Section 59.6.13, Mailbomb and Spam Security.

54.2.5 Customized Spam Identification

  1. In ConsoleOne, right-click the GWIA, then click Properties.

  2. Click SMTP/MIME > Junk Mail.

  3. Select Flag Any Messages, then specify the strings in the text box.

    Anti-spam services use different indicators to mark potential spam. One might use a string of asterisks; the more asterisks, the greater the likelihood that the message is spam. Another might use a numerical value; the higher the number, the greater the likelihood that the message is spam. The following samples are taken from MIME headers of messages:

    X-Spam-Results: *****
    X-Spam-Status: score=9

    Based on these samples, examples are provided below of lines that you could add to the list to handle the X-Spam tags found in the MIME headers of messages coming into your system.

    Example: X-Spam-Results: *****

    This line marks as spam any message whose MIME header contains an X-Spam-Results tag with five or more asterisks. Messages with X-Spam-Results tags with fewer than five asterisks are not marked as spam.

    Example: X-Spam-Status: Yes

    This line marks as spam any message whose MIME header contains the X-Spam-Status tag set to Yes, regardless of the score.

    Example: X-Spam-Status: score=9
             X-Spam-Status: score=10

    These lines mark as spam any message whose MIME header has the X-Spam-Status tag set to Yes and has a score of 9 or 10. X-Spam-Status tags with scores less than 9 are not marked as spam.

    You can add as many lines as necessary to the list to handle whatever message tagging your anti-spam service uses.

  4. Click OK to save your list of strings.

The list is saved in the xspam.cfg file in the domain\wpgate\gwia directory. As described above, each line of the xspam.cfg file identifies an “X” header field that your anti-spam service is writing to the MIME header, along with the values that flag the message as spam. The GWIA examines the MIME header for any field listed in the xspam.cfg file. When a match occurs, the message is marked for handling by the GroupWise client Junk Mail Handling feature.
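To see which xspam.cfg line would flag a given message before relying on it in production, you can dry-run the list against saved message headers. The following is an added example, not GWIA code. It assumes that a line matches when its value appears anywhere in the named header's value, which is consistent with the three examples above but is not documented GWIA behavior. The sample messages and function names are constructed.

```python
from email import message_from_string

def parse_rules(cfg_text):
    """Split each xspam.cfg line into (field, value) at the first colon."""
    rules = []
    for line in cfg_text.splitlines():
        if ":" in line:
            field, value = line.split(":", 1)
            rules.append((field.strip(), value.strip()))
    return rules

def matching_rule(raw_message, rules):
    """Return the first rule whose value occurs in the matching header, else None."""
    msg = message_from_string(raw_message)
    for field, value in rules:
        # Header names are compared case-insensitively by the email package.
        for header_value in msg.get_all(field, []):
            if value in header_value:  # assumed substring semantics
                return f"{field}: {value}"
    return None

# Constructed xspam.cfg content using the example lines from this section.
CFG = """X-Spam-Results: *****
X-Spam-Status: score=9
X-Spam-Status: score=10
"""

# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "six_stars":  "X-Spam-Results: ******\nSubject: a\n\nbody\n",
    "three_stars": "X-Spam-Results: ***\nSubject: b\n\nbody\n",
    "score_10":   "X-Spam-Status: Yes, score=10\nSubject: c\n\nbody\n",
    "score_3":    "X-Spam-Status: No, score=3\nSubject: d\n\nbody\n",
    # Under substring matching, "score=9" also covers 9.5; check your
    # anti-spam service's exact header format before relying on a score line.
    "score_9_5":  "X-Spam-Status: Yes, score=9.5\nSubject: e\n\nbody\n",
}

if __name__ == "__main__":
    rules = parse_rules(CFG)
    for name, raw in SAMPLES.items():
        print(name, "->", matching_rule(raw, rules))
```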

54.2.6 SMTP Host Authentication

The GWIA supports SMTP host authentication for both outbound and inbound message traffic.

Outbound Authentication

For outbound authentication to other SMTP hosts, the GWIA requires that the remote SMTP hosts support the AUTH LOGIN authentication method. To set up outbound authentication:

  1. Include the remote SMTP host’s domain name and authentication credentials in the gwauth.cfg file, located in the domain\wpgate\gwia directory. The format is:

    domain_name   authuser   authpassword
    

    For example:

    smtp.novell.com   remotehost   novell
    
  2. If you have multiple SMTP hosts that require authentication before they accept messages from your system, create an entry for each host. Make sure to include a hard return after the last entry.

  3. If you want to allow the GWIA to send messages only to SMTP hosts listed in the gwauth.cfg file, use the following startup switch:

    /forceoutboundauth
    

    With the --forceoutboundauth switch enabled, if a message is sent to an SMTP host not listed in the gwauth.cfg file, the sender receives an Undeliverable message.

Inbound Authentication

For inbound authentication from other SMTP hosts, you can use the --forceinboundauth startup switch to ensure that the GWIA accepts messages only from SMTP hosts that use the AUTH LOGIN authentication method to provide a valid GroupWise user ID and password. The remote SMTP hosts can use any valid GroupWise user ID and password. However, for security reasons, we recommend that you create a dedicated GroupWise user account for remote SMTP host authentication.

54.2.7 Unidentified Host Rejection

You can have the GWIA reject messages from unidentified sources. The GWIA refuses messages from a host if a DNS reverse lookup shows that a “PTR” record does not exist for the IP address of the sender’s host.

If you choose not to have the GWIA reject messages from unidentified hosts, it accepts messages from any host, but it displays a warning if the sender’s host is not authentic.

To configure the GWIA to reject messages from unidentified hosts:

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click SMTP/MIME > Security Settings to display the Security Settings page.

  3. Turn on the Reject Mail if Sender’s Identity Cannot Be Verified option.

    This setting corresponds with the GWIA’s --rejbs switch.

  4. Click OK to save your changes.