Security Policies

Each service in FTGate is controlled by a security policy, which provides the top-level access control for that service. In a policy you specify, by IP address and address range, which connections are accepted and which authentication and relay options are available to clients of your server.

By default there are three policies; users can create further policies as required:

  • LAN Security Policy
    By default this policy is used by all services that are normally accessed by LAN users (POP3, IMAP4, LDAP, WebMail, Connector), whose connections can be considered trusted.

  • WebAdmin Policy
    By default this policy is used by WebAdmin. A separate policy is used for WebAdmin to reduce the possibility that a configuration mistake will lock the administrator out of the WebAdmin interface. Extreme caution should be used when changing this policy.

  • Global Security Policy
    By default this policy is used by all SMTP services. It contains settings suitable for machines connecting from the internet, which are not trusted sources.

Each service that uses a policy has the same security settings. Thus an address banned in a specific policy is banned in all services that use that policy. Each service may only use one policy but a policy can be shared among more than one service.

A policy consists of two parts: an address list, which specifies how different IP addresses should be handled, and a group of settings for each service type.

When a connecting address matches more than one entry in the address list, the entries are ranked by priority, and the priority is simply the number of bits set in the entry's mask. Thus if an address matches two entries, the one with the most bits set in its mask (the more specific range) is used.

The following describes the flags used in the Address fields (flag, name and function):

  • PA (Permit Access)
    If this flag is set an IP address has access; otherwise the connection is rejected.

  • AA (Automatic Authentication)
    If this flag is set the connection is assumed to be authenticated. For SMTP it is the equivalent of a successful AUTH command sequence having been completed. It does not affect services that require a login. Note that setting this flag on the WAN address range of the Global Security Policy will make your server an open relay.

  • AS (Permit SMTP Authentication)
    This flag permits machines in this address range to issue SMTP AUTH commands and authenticate against the server. If the flag is clear, NO machines in this range can authenticate.

  • AM (Permit Authentication by mailbox access)
    This flag checks whether any valid POP3 or IMAP login has occurred in the last 5 minutes; if so, the connection is assumed to be authenticated.

  • AR (Allow Relaying)
    This flag enables authenticated users to relay mail through the server. If this flag is clear, machines in this address range will NEVER relay.

  • RBL (Reject connections with RBL entries)
    This flag causes all connections from within the specified address range to be validated against the RBL server list specified elsewhere. If the address is found on a list the connection is rejected.

  • BAN (Allow addresses to be blacklisted)
    If this flag is set, any connection that attempts a detectable DoS attack is automatically banned.

  • LL (Limit login attempts / SMTP errors)
    If this flag is set, an IP address is blocked once it exceeds the permitted number of failed login attempts (default 5). This protects against brute-force password guessing. Bad logins are counted per source address regardless of the service type, so two bad POP3 logins, two bad IMAP logins and one bad SMTP login from the same address reach the default limit and the address is banned.

    This option also triggers protection against bad SMTP recipient addresses. If it is enabled, the sending client or server is banned after the specified number of bad recipients. The ban period is defined elsewhere in the policy.

  • BL (Blacklisted Address)
    If this flag is set the address is considered aggressively blacklisted. This flag is usually only set by the autoban option (above). Connections from blacklisted addresses are automatically denied.

  • PTR (Reject connections with invalid DNS PTR records)
    This option checks that the IP address of the connecting computer has a valid PTR record and rejects the connection if it does not.

  • HE (Validate that the HELO command is valid)
    This option validates the HELO domain, ensuring that it is correctly formatted and is not a bare IP address.

  • GL (Use greylist)
    See: Greylisting

  • SPF (Validate the sender's address against the domain's SPF data)
    This option validates the connecting IP address against the SPF record published for the domain of the envelope sender. If the SPF record does not permit that address to send mail for the domain, the message is rejected. If the domain does not publish SPF data, the message is accepted.
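The address-selection rule above (the entry with the most mask bits wins) and the interaction of the PA, AA, AS, AM, AR and BL flags are easiest to see in working code. The following is an added example written for this page; it is a model of the rules as described here, not FTGate's own code. The sample policy, the entry/flag representation, the helper names (parse_entry, select_entry, smtp_relay_decision, LoginLimiter) and the assumption that the AM check is per source address are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Flag mnemonics from the policy table above. The evaluation logic in this
# file is an illustrative model written for this page, not FTGate's code.
PA, AA, AS, AM, AR, BL = "PA", "AA", "AS", "AM", "AR", "BL"


@dataclass(frozen=True)
class AddressEntry:
    network: ipaddress.IPv4Network
    flags: frozenset

    @property
    def priority(self):
        # Priority is the number of bits set in the mask, i.e. the prefix length.
        return self.network.prefixlen


def parse_entry(address, mask, flags):
    """Build an entry from dotted address and mask strings plus space-separated flags."""
    network = ipaddress.IPv4Network((address, mask), strict=False)
    return AddressEntry(network, frozenset(flags.split()))


def select_entry(entries, client_ip):
    """Return the matching entry with the most mask bits set, or None if nothing matches."""
    ip = ipaddress.IPv4Address(client_ip)
    candidates = [e for e in entries if ip in e.network]
    return max(candidates, key=lambda e: e.priority) if candidates else None


def smtp_relay_decision(entries, client_ip, smtp_auth_ok=False, recent_mailbox_login=False):
    """Model the SMTP access and relay decision for one connection.

    smtp_auth_ok: the client completed a valid AUTH exchange in this session.
    recent_mailbox_login: a valid POP3/IMAP login from this address in the last 5 minutes
    (assumed here to be tracked per source address).
    Returns (decision, reason) where decision is "reject", "no-relay" or "relay".
    """
    entry = select_entry(entries, client_ip)
    if entry is None:
        return "reject", "no address entry matches %s" % client_ip
    f = entry.flags
    if BL in f:
        return "reject", "address is blacklisted"
    if PA not in f:
        return "reject", "matching entry %s does not permit access" % entry.network
    if AA in f:
        authenticated = True  # treated as if AUTH had completed, no credentials needed
    elif smtp_auth_ok and AS in f:
        authenticated = True  # AUTH offered to this range and completed successfully
    elif recent_mailbox_login and AM in f:
        authenticated = True  # recent POP3/IMAP login counts as authentication
    else:
        authenticated = False
    if not authenticated:
        return "no-relay", "connection accepted but not authenticated"
    if AR not in f:
        return "no-relay", "authenticated but range lacks Allow Relaying"
    return "relay", "relay permitted by entry %s" % entry.network


class LoginLimiter:
    """Model of the LL flag: bad logins are counted per source address across
    every service; reaching the limit (default 5) bans the address."""

    def __init__(self, limit=5):
        self.limit = limit
        self.failures = {}
        self.banned = set()

    def record_failure(self, client_ip, service):
        count = self.failures.get(client_ip, 0) + 1
        self.failures[client_ip] = count
        if count >= self.limit:
            self.banned.add(client_ip)
        return client_ip in self.banned


# Constructed sample policy, loosely modelled on the default Global and LAN policies.
SAMPLE_POLICY = [
    parse_entry("0.0.0.0", "0.0.0.0", "PA AS AR"),            # internet: must AUTH to relay
    parse_entry("192.168.1.0", "255.255.255.0", "PA AA AR"),  # LAN: trusted, auto-authenticated
    parse_entry("192.168.1.50", "255.255.255.255", "PA"),     # one LAN host denied auto-auth
]

# The open-relay misconfiguration warned about under AA: auto-authenticate every address.
OPEN_RELAY_POLICY = [parse_entry("0.0.0.0", "0.0.0.0", "PA AA AR")]


def bad_login_sequence(limiter, client_ip):
    """Two bad POP3 logins, two bad IMAP logins and one bad SMTP login from one address."""
    banned = False
    for service in ("POP3", "POP3", "IMAP4", "IMAP4", "SMTP"):
        banned = limiter.record_failure(client_ip, service)
    return banned


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.50", "198.51.100.7"):
        print(ip, smtp_relay_decision(SAMPLE_POLICY, ip))
    print("198.51.100.7 after AUTH", smtp_relay_decision(SAMPLE_POLICY, "198.51.100.7", smtp_auth_ok=True))
    print("open relay policy", smtp_relay_decision(OPEN_RELAY_POLICY, "198.51.100.7"))
```

Two things worth noticing when running it: the single /32 entry for 192.168.1.50 overrides the /24 LAN entry purely because its mask has more bits set, which is also how an auto-banned BL entry for one host wins over the broad range it sits in; and the OPEN_RELAY_POLICY accepts relay from any internet address without credentials, which is exactly the consequence the AA description warns about.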