Security Policies

Each service in FTGate is controlled by a security policy. The policy specifies the top level control of the service. In the Policy you can specify, by IP address and range, the authentication and relay options available to users of your server.

By default there are three policies, users can create further policies as required:

  • LAN security Policy
    By default this policy is used by all services that are normally accessed by the LAN users (POP3 IMAP4 LDAP WebMail  Connector ) which can be considered to be trusted connections.
     

  • WebAdmin Policy

    By default this is used by the WebAdmin . A separate policy is used for WebAdmin to reduce the possibility that a configuration mistake will lock the administrator out of the WebAdmin interface. Extreme caution should be used when changing this policy.
     

  • Global Security Policy

    By default this policy is used by all SMTP services, it contains settings that are suitable for machines connecting from the internet and are not from trusted sources.

Each service that uses a policy has the same security settings. Thus an address banned in a specific policy is banned in all services that use that policy. Each service may only use one policy but a policy can be shared among more than one service.

A policy consists of two parts; An address list, that specifies how different IP addresses should be handled, and a group of settings for each service type.

The addresses are selected in order of priority, the priority is simply the number of bits set in the mask field. Thus if an address matches two entries, the one with the most bits set in the mask will be used.

The following describes the flags used in the Address fields:

Flag

Name

Function

PA

Permit Access

If this flag is set an IP address has access, otherwise it is rejected.

AA

Automatic Authentication

If this flag is set the connection is assumed to be authenticated. For SMTP it is the equivalent of a successful AUTH command sequence having been completed. It will not effect service that require a login. ote that setting this flag on the WAN address range of the Global security policy will make your server an Open Relay

AS

Permit SMTP Autentication

This flag permits machines in this address range to issue SMTP AUTH commands and authenticate against the server. If the flag is clear NO machines in this range can authenticate.

AM

Permit Authentication by mailbox access

This flag checks to see if any valid logins to either POP3/IMAP have occurred in the last 5 minutes, if so the connection is assumed to be authenticated.

AR

Allow Relaying

This flag enables authenticated users to relay mail through the server. If this flag is clear then machines in this address range will NEVER relay.

RBL

Reject connections with RBL entries.

This flag causes all connections from within the specified address range to be validated against the RBL server list specified elsewhere. If the address is found the connection will be rejected.

BAN

Allow Addresses to be blacklisted.

If this flag is set, any connections that attempt a detectable DOS attack will be auto banned

LL

Limit login attempts/ SMTP Errors

If this flag is set IP addresses will be prevented from trying multiple login attempts (default 5). This protects against attempts at brute force password breaking. Each bad login is counted from each specific address regardless of the service type. So if I do bad login’s for 2xPOP3, 2xIMAP and 1xSMTP I get banned.

This option also triggers protection against SMTP bad addresses. If this option is enabled the sending client/server will be banned after the specified number of bad recipients. The ban period is defined elsewhere in the policy.

BL

Blacklisted Address

If this flag is set the address is considered aggressively blacklisted. This flag is usually only set by the autoban option (above). Connections from blacklisted addresses are automatically denied.

PTR

Reject connection with invalid DNS PTR records

This option will check that the IP address of the connected computer has a valid PTR record.

HE

Validate HELO command is valid

This option validates the HELO domain and ensures that it is correctly formatted and it is not an IP address.

GL

Use greylist

See: Greylisting

SPF

Validate senders address against domains SPF data

This option will validate the senders email address against the SPF records for the domain of the sender. If the address is not in the valid range then the message will be rejected. If a domain does not publish SPF data then the message will be accepted.

DRDisable RoutingThis option will prevent the routing table rewriting addresses when messages are received. This allows the routing table to be targeted at specific IP address ranges.