The Proxy Menu¶

To improve on-line security, the Connect Switchboard offers several services combining their abilities with those of the proxy. The sub-menu on the left-hand side of the page grants access to their configuration pages and options, which are summarised as follows:

HTTP - the web proxy: Access policies, authentication, content filter, SSL support (HTTPS), and antivirus.
POP3 - the proxy for retrieving e-mails: spam filter and antivirus.
SMTP - the proxy for sending e-mails: spam filter and antivirus.
DNS - the caching DNS: anti-spyware

Each proxy service can be configured and enabled/disabled independently of the other, and will also start any other service required for its proper functioning. For example, when the SMTP proxy is configured and started, also the SMTP service will be started if it is not already running. Therefore, it is required that the SMTP service be configured before using the SMTP proxy.

A proxy server is a system, located between a client (who requests a web page or some resource) and the outside networks with the purpose to catch all the client’s requests, retrieve the requested resources, and transmit them to the client. The main advantage of a proxy server is its ability to cache (i.e., to store locally) all the pages that have been requested, making future requests of the same pages faster.

The HTTP(S) proxy architecture

Since the release 5.0 of the Connect Switchboard, a lighter, but more powerful architecture for the HTTP proxy has been implemented and deployed.

The previous HTTP proxy architecture was based on the so called proxy chaining, that is, whenever a client requested a remote resource, that had not been cached before, a 5 step process took place:

The HTTP proxy -squid- sent a GET request to the server, receiving an HTML page as answer.
The whole HTML page was sent to the content filtering daemon -dansguardian- and analysed.
Dansguardian then sent the page to the antivirus daemon -havp- and analysed for virus and other malware.
Finally, if no virus or malicious content was found, the whole HTML page was sent back to squid, otherwise an HTML error message (“error page”) would have replaced the original page.
squid saved the HTML page (or the error page) for future requests, and delivered it the client that originally requested the HTML page.

The major drawback -and bottleneck- of this architecture is its resource intensiveness. The whole HTML page, indeed, sequentially moved through the whole chain, step by step with no possibility to speed up the process. The HTML page was received from squid and sent to dansguardian to be analysed for content. At this point, even if the content filter found malicious content, meaning that the page could not be served to the client requesting it, the HTML page continued to go down the chain to the havp, then back to squid. Only at this point squid sent an error page to the original client.

Therefore, it was decided to tackle this problem differently, adopting an entirely new approach that ensures more reliability and is far less resource consuming. The HTTP proxy in now backed up by an ICAP server and, while this might at a first sight represent a more complex architecture, it represents a significant performance improvement.

In a nutshell ICAP is a protocol, defined in RFC 3507, that allows to manipulate the content of a web page and serve it back to the client. While this ability can be exploited in several ways, in Connect Switchboard it is deployed with c-icap, to provide content filtering analysis and anti-virus scan of remote resources (HTML pages, but also audio, video, and text documents, images).

Thanks to c-icap, there are two areas whose performances were boosted:

From squid to c-icap:

c-icap receives two parallel request from the HTTP proxy
between cicap and the daemons.

See also

More information about ICAP along with its specifications can be found on the icap forum web page.

HTTP¶

In this page you find:

The HTTP proxy employed in the Connect Switchboard is squid, whose primary ability is to cache web requests to speed up future requests of the same page, though it has many more functionalities that allows its seamless integration with the other services described in the remainder of this section. The HTTP proxy settings page is composed of a number of tabs that organise all available options: Settings (opened by default), Zones, Access Policy, Authentication, Web Filter, and HTTPS Proxy.

Settings ¶

A click on the Enable the HTTP Proxy grey switch starts the HTTP proxy.

Transparent and Non Transparent Proxy.

A transparent proxy is a proxy system combined with a gateway: Besides retrieving and caching resources, a transparent proxy allows to carry out many useful operations on the web page or resource that the client is requesting: To filter its contents, to scan it and look for viruses, or even to block information, combining different services running on the gateway. Moreover, all these activities are accomplished without requiring the user to configure in any way the client she is using.

Non-transparent proxies on the contrary, rely on the collaboration of the client to be used (e.g., configuring the proxy settings on the web browser), requiring that the user specify by hand the location of the proxy in the setting of the browser, or she will not be able to access the Internet.

See also

The configuration of a transparent proxy is explained in this tutorial Transparent HTTP Proxy Basic Setup.

In this panel there are some global configuration options for the proxy services:

Port used by proxy: The TCP port on which the proxy server is listening for connections, which defaults to 8080.
Error Language: The language in which error messages are displayed, which defaults to the one chosen in Menubar ‣ System ‣ GUI settings.
Visible Hostname used by proxy: The hostname assumed by the proxy server, also reported at the bottom of error messages.

Email used for notification: The email address shown by the proxy server in error messages.
Maximum incoming download size (KB): The limit for HTTP file downloads. 0 means unlimited.
Maximum outgoing download size (KB): The limit for HTTP file uploads (e.g., those used by HTML forms with file uploads). 0 means unlimited.
Keep the original source IP address in not-transparent mode.: This option affects all the zones that are configured as non-transparent mode. When ticked, all the packets coming from the proxy will keep some information of the requester (client): Its IP address and the zone/interface from which the traffic originated.

Allowed ports ¶

Configuration option for the ports the clients are allowed to use when browsing:

Allowed Ports: The TCP destination ports to which the proxy server will accept connections when using HTTP. Enter either a single port (From Port) or a range (Fill also the To (Optional)….
Allowed SSL Ports: The TCP destination ports to which the proxy server will accept connections when using HTTPS. Enter either a single port (From Port) or a range (Fill also the To (Optional)….

Logging settings ¶

Configuration options to enable the logging facility and choosing what to log.

Enable HTTP proxy logging: Log all the URLs being accessed through the proxy. It is a master switch, hence the following four options are enabled (click on an option to toggle its current value).

Hint

(recall that the more is logged, the more space on the Connect Switchboard‘s hard disk is needed).
Log query terms: Log the parameters in the URL (such as ?id=123).
Log user agents: Log the user agent sent by each browser.
Log content filtering: Log when the content of web pages is filtered.
Log outgoing connections: Let the firewall log the outgoing web accesses, i.e., those directed through the RED interface to the Internet. This options only works for transparent proxies.

Bypass transparent proxy ¶

In this panel some exception to the transparent proxy can be defined: which sources (i.e., clients) and destinations (i.e., remote servers) should be ignored by the proxy, even if it is enabled in that zone.

Bypass transparent proxy from (SUBNET or IP or MAC): The sources that should not be subject to the transparent proxy. Entries can be single IP addresses, subnets, or MAC Addresses.
Bypass transparent proxy to (SUBNET or IP): The destinations that are not subject to the transparent proxy. Entries can be single IP addresses or subnets.

Hint

Use CIDR notation to enter subnets.

Cache management ¶

Configuration options for the space occupied on disk by the cache and the size of the objects stored.

Cache size within memory (MB): The amount in megabytes of memory that the proxy should allocate for caching web sites in the system memory.
Cache size on hard disk (MB): The amount in megabytes that the proxy should allocate for caching web sites on the hard disk.
Minimum object size (KB): The lower size limit in megabytes of a single object that should be cached.
Maximum object size (KB): The upper size limit in megabytes of a single object that should be cached.
Do not cache this destination: The resources downloaded from these sites will never be stored in the cache. Entries can be domain names or single IP addresses (without subnet).

Note

Objects whose size does not fall within the above defined ranges will never be stored in the cache on disk, but downloaded each time they are requested by a client.

Enable offline mode: When this option is enabled, the proxy will never try to update cached objects from the remote web server, therefore clients will be able to browse cached, static websites even after the uplink went down.

Warning

This option proves useful to surf the Internet while the uplink is down, if the page requested has been cached before. However, this option may cause some trouble when trying to refresh a page, even with a working uplink, since the HTTP proxy would always serve the cached page. The only possibility to have a refreshed copy of a web page is in this case to clear the cache of the proxy server.
Clear cache: Click on the clear cache button to immediately erase the cache on disk.

Upstream proxy ¶

If there is another proxy server in the LAN, it can be contacted before actually requesting the original resource. This panel contains configuration options for the connection between the Connect Switchboard and the upstream proxy.

Use upstream proxy: Tick this checkbox to enable an upstream proxy and show more options. When enabled, before retrieving a remote web page that is not already in its cache, the Connect Switchboard‘s proxy contacts the upstream proxy to ask for that page.

Upstream server: The IP address of the upstream proxy server.
Upstream port: The port on which the proxy service runs on the server.
Upstream user: The username to connect to the proxy server, if needed.
Upstream password: The password to connect to the proxy server, if needed.
Forwarding IP address: Tick the checkbox to forward the client IP address to the upstream proxy
Forward username: Tick the checkbox to forward the username to the upstream proxy.

Zones ¶

Select how the users can access the proxy in each enabled zone. Click on the icon to the right-hand side of each zone and select any of these option from the drop-down menu that will appear.

not transparent: The proxy server is available to anyone with no need to log in, but the clients need to configure their browser manually or tell the browser to search for a proxy (i.e., using either PAC or the WPAD protocol to set up the browser’s proxy settings).
transparent: The proxy server is available to anyone and no browser configuration is needed: All the HTTP traffic is intercepted and forwarded to the proxy server, that is in charge of retrieving the requested web pages and serve them to the clients.
transparent (keep original source IP address): This configuration is very similar to the previous option, with the only difference that every packet that leaves the proxy keeps some of the client’s original information: Its IP address, plus the zone and interface from which the traffic originated.
inactive: The proxy is not active for that zone.

Note

Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using WPAD. Most browsers also support PAC, through a special URL. When using an Connect Switchboard as the proxy server, this URL looks like this: http://<GREENIP>/proxy.pac.

Access policy ¶

The accesses policies are applied to every client that is connecting through the proxy, regardless of its authentication. An access policy rule is a time-based scheme that permits or prohibits accesses depending on diverse parameters about the user (e.g., the source or destination of the traffic), and the client used or the content downloaded (e.g., the user agent, the mime types, virus scanning, and content filtering).

A list of the already defined rules is displayed on the page. Any rule can specify if the web access is blocked or allowed, and in the latter case a filter type can be activated and selected.

The policies are evaluated from top to bottom, therefore their order is important: you can reorder them bu using the up and down arrows on the right-hand side of each rule.

To add a new access policy rule, simply click on Add policy: A form will open, in which to configure all the parameters, organised in tabs.

Details ¶

Name: Give the policy a unique name.
Enabled: Tick the checkbox to enable or disable the rule. Disabled rules will not be applied, the default is to enable the rule.
Policy: Select whether the rule should allow or deny the web access from the drop-down menu . When set to Deny access, the Mimetypes option in the Filtering tab is activated.
Filter type: This drop-down menu allows to select what type of check should the rule perform. Available options are: none for no check and virus detection only to scan only for viruses. Moreover, if any content filter profile has been created (see below), it appears as an option and can be selected and applied to the rule.

Authentication ¶

Authentication type: The type of authentication to apply to the clients. It can be None, in which case no authentication is required, group based or user based. One or more groups or users, to which to apply the policy, can then be selected among the existent ones from the list that will show up.

Hint

Authentication is only local, hence before being able to use it, at least one user or group must be created in the Authentication tab.

Filtering ¶

Source Type: The sources of the traffic to which this rule applies. It can be <ANY>, a zone, a list of networks, IP addresses or MAC addresses.
Destination Type: The destinations of the traffic to which this rule will be applied. This can be either <ANY>, a zone, or a list of networks, IP addresses, or domains.
User agents: The allowed clients and browsers, as identified by their user agent, i.e., their identification string.
Mimetypes: A list of the MIME types of incoming files that should be blocked, one per line. MIME types can only be blocked (i.e., blacklisted) but not allowed (i.e., whitelisted), therefore this option is only available in Deny access policies. This option allows to block any files not corresponding to the company policy (e.g., multimedia files).

Note

The list of the available MIME types can be found in the /etc/mime.types file on any Linux box, on the official IANA web page, and also in RFC 2045 and RFC 2046. Use the name of the MiME type to add them, for example text/plain.

Time restriction ¶

Enable time restriction

Decide whether the rule has effect on specific days and/or a time period. By default a rule is always active, but its validity can be limited to either an interval or to some days of the week.

By ticking the checkbox, the following options become available:

Start hour, Stop hour

To fine-tune the interval of the day during which the access policy is active, write the start and end times, including minutes, from these drop-down menus.

Enable for the following days

Select one ore more days of the week by clicking on each of them in the drop-down menu.

Authentication ¶

The Connect Switchboard‘s proxy supports four different authentication types, that are shown in the drop-down menu at the top of the page: Local Authentication (NCSA), LDAP, Windows Active Directory (NTLM) and RADIUS. The NCSA type stores the access credentials on the Connect Switchboard, whereas the other methods rely on an external server: In those cases it is mandatory to provide all the necessary information to access that server.

Underneath the drop-down menu from which to select the authentication type, options are split in two parts. The one above, Authentication settings contains common configuration items, while the one below changes upon the selection of the authentication type, presenting the settings that are specific to each method.

Authentication settings ¶

The common items that can be configured in this panel are:

Authentication realm: The text shown in the authentication dialog and used as the realm of kerberos or winbind when joining an Active Directory Domain. When Windows Active Directory is used for authentication, the FQDN of the PDC should be used.

Hint

If the server name is localauth and the domain name is example.org, the FQDN is localauth.example.org.
Number of Authentication Children: The maximum number of authentication processes that can run simultaneously.
Authentication cache TTL (in minutes): The time in minutes during which the authentication data should be cached, before being deleted.
Number of different IPs per user: The maximum number of IP addresses from which a user can connect to the proxy simultaneously.
User / IP cache TTL (in minutes): The time in minutes an IP address is associated with the logged in user.

Once the common configuration form have been filled in, depending on the authentication type chosen it is possible to configure the specific settings for the authentication type selected. Local Authentication (NCSA), LDAP, Windows Active Directory (NTLM), RADIUS.

NCSA specific settings ¶

NCSA users

A list of the existing users, if any was created.

Click Add user to add more users and provide a username and password in the form.

NCSA groups

A list of the existing groups, if any was created.

Click Add group to add more groups. A group is created by entering a group name and selecting one or more users that should belong to that group. A user may belong to more than one group.

Warning

While the same user can be legally part of one or more groups, care must be taken that the the groups the user belongs to do not define contrasting access policies. As an example, consider a user member of two groups, one with the policy to allows access to the website www.example.org, while the second group’s policy blocks the access to that web page. In this case, it is not easy to predict whether that user will be granted or not access to the site. The management of these issues is left to the designer of the access policies.

Min password length

The minimum length for the local user’s password, which is by default 7 characters long.

LDAP specific settings ¶

LDAP server: The IP address or FQDN of the LDAP server.
Port of LDAP server: The port on which the server is listening. The default value is 389.
LDAP base distinguished name: The base distinguished name, this is the start point of the search.
LDAP type: This drop-down menu allows the choice of the type of the authentication server among Active Directory Server, LDAP v3 server, LDAP v2 server, or Novell eDirectory Server.
Bind DN username: The fully Distinguished Name of a user, which must have the permission to read user attributes
Bind DN password: The password of the bind DN user.
user objectClass: The objectClass that the bind DN user must belong to.
group objectClass: The objectClass that the bind DN group must belong to.

NTLM specific settings ¶

PDC IP address: The IP address of the PDC.
PDC hostname: The hostname the PDC.

Note

Both hostname and IP address are needed to create the DNS entry to access the Primary Domain Controller.

BDC IP address: The IP address of the PDC.
BDC hostname: The hostname the PDC.
Join AD Domain: Enter the Active Directory’s domain.
Domain name for legacy systems: Write here the domain name if the Active Directory is on a Windows 2000 or older system.
Join ADS: Click this button to test the connection with the AD.

New in version 5.0.

Note

Both hostname and IP address are needed to create the DNS entry to access the Backup Domain Controller.

Requirements for the use of NTLM.

In order to be able to use Windows’ native authentication with active directory (NTLM), a few conditions must be satisfied:

The authentication settings need to be saved and applied before trying to join the domain.
The Connect Switchboard must join the domain.
The system clocks on the Connect Switchboard and on the active directory server must be synchronised.
The authentication realm must be a FQDN.
The PDC hostname has to be set to the netbios name of the Active Directory server.

Hint

The Connect Switchboard clock can be synchronised with the clock of the Active Directory server by issuing the following command from the shell:

net time set -S IP_OF_AD_SERVER

See also

The setup of a realm using NTLM authentication is described in this tutorial.

NTLM authentication with Windows Vista and Windows 7.

The HTTP Proxy in the Connect Switchboard uses negotiated NTLMv2, while both Windows Vista and Windows 7 allow by default only straight NTLMv2. As a result, a client using one of these operating systems may fail to authenticate to the HTTP proxy even when supplying the correct credentials. The following changes to the client configuration are required to correctly authenticate:

Start ‣ gpedit.msc (run as administrator)

Go to: Computer configuration ‣ Windows Settings ‣ Security Settings ‣ Local Policies ‣ Security Options

Find the configuration option Network Security: LAN MANAGER Authentication Level

Select the value “Send LM * NTLM - use NTLMv2 session security if negotiated”

After applying these changes the client browser should correctly authenticate using the AD login name for the HTTP Proxy.

RADIUS specific settings ¶

RADIUS server: The IP address or URL of the RADIUS server.
Port of RADIUS server: The port on which the RADIUS server is listening. Defaults to 1645.
RADIUS Identifier: An additional identifier.
RADIUS Shared secret: The password to be used.

Content Filter ¶

The Connect Switchboard's content filter abilities are based on the BitDefender URL filtering solution, that uses two filtering techniques which can be customised for each filter profile.

The first one consists of an advanced method of web pages categorisation, based on their content, while the second method uses a combination of white- and blacklists URLs and domains: All the URLs requested by a client are looked up in this list and are only served if they are found in the whitelist.

Note

If the system has not yet been registered to Endian Network, the URL filter lists can not be downloaded. In this case, an informative message appears: By clicking on it, the registration form will open.

A filter is needed to be able to use the content filter. There is a default profile available, which allows access to every web page and should never be deleted. Additional profiles, that are needed when defining new access policies, can easily be created.

On the page, there is a list of the existing profiles, accompanied by a remark and by the available actions.

Above the table, there is a New filter link: When clicked, the link is replaced by the filter editor, that is used to configure a new profile. The following settings can be defined:

Details ¶

Profile name: The name given to the profile.
Activate antivirus scan: Enable the antivirus in the content filter.

Filters ¶

Click General Use, Adult content and Productivity to open drop-down menus and add categories of pages that will be taken into account by the web filter.

Black and whitelists ¶

In these textfields, personalised lists of web pages can be added.

Allow for the following sites: Web pages that are whitelisted, i.e., always served to the client.
Block for the following sites: Web pages that are blacklisted, i.e., never served to the client.

Content filtering may cause both false positives and false negatives, hence list domains that should always be blocked or allowed can be entered here. This policy will be applied regardless of the results of the content filter’s analysis.

HTTPS Proxy ¶

New in version 5.0.5: URL Filtering option.

In this page it is possible to configure the HTTPS proxy server and the way it intercepts and applies content filtering to SSL-encrypted traffic, i.e., traffic through the 443 port.

The page is initially divided in three panels, the first one to choose the operating mode of the HTTPS proxy, the other related to the certificate needed in the Decrypt and scan mode.

HTTPS proxy operating mode

Choose form the drop-down menu how the proxy should analyse the HTTPS encrypted traffic. The following options are available:

Disabled. The HTTPS proxy will not analyse the traffic.
URL filtering only. In this modality, described below, the HTTP proxy will only apply content filtering to the pages, but not decrypt them.
Full. The HTTPS proxy will decrypt and fully inspect the pages.

Once the modality has been chosen, click on Save, then on the Apply button in the green callout.

The URL Filtering mode

The URL Filtering mode allows to apply content filtering to HTTPS pages in a less invasive way compared to the Decrypt and scan mode; it is also easier to deploy, but it can be less effective. In details, this are the differences from the Decrypt and scan mode:

No need to install certificates on the clients. This means that the traffic will not be decrypted.
As a consequence, there will be no antivirus check on the HTTPS pages.
When a page is blocked by the proxy, the browser will receive a Connection refused error message.
Whitelists and Blacklists for both the HTTPS and HTTP Proxies are defined in the Access policy and Content Filter tabs.

To correctly allow the URL Filtering mode to operate, the clients using the proxy must be configured to use the Connect Switchboard as their DNS server. If they do not, then the DNS Proxy must be enabled on the Connect Switchboard for all the zones that use the HTTP(S) Proxy.

When enabled as Decrypt and scan mode, squid will intercept all clients’ requests and forward them to the remote server, like in the case of HTTP requests. The only difference is that for HTTPS requests, an intermediate certificate is needed for the client to connect via HTTPS to the Connect Switchboard, which then can deliver the request, retrieve the remote resource, control it, and then send it to the client who requested it.

The following additional options are available for this mode:

Remote certificates acceptance policy

This option controls how the Connect Switchboard accepts the certificates from the remote server. The following values are available:

Accept every certificate. The proxy server accepts all certificates, even invalid ones, and then re-encrypts the connection to the client using a trusted, on-the-fly generated, certificate.
Show warning for untrusted certificates.The proxy server accepts all certificates, but when it encounters an invalid one, it re-encrypts the connection to the client with an invalid, on-the-fly generated, certificate. In this way the client can decide whether to trust or not the remote server.
Block connections using untrusted certificates. The proxy server will block connections to remote servers that use invalid HTTPS certificates.

Forward HTTPS connections directly to the Upstream proxy

When this option is used, the HTTPS traffic will be managed directly by the upstream proxy, otherwise it is managed by the Connect Switchboard.

When the entry is an IP address, HTTPS traffic directed to that IP will not pass from the HTTPS proxy. When the entry is a domain name, like e.g., www.example.org only that site will be bypassed. However, when using a dot . at the beginning of a domain name, also the traffic to all of its subdomains will be allowed. Some examples include:

93.184.216.119   allow only IP https://93.184.216.119/
www.example.org  allow only site https://www.example.org/
.example.org     allow all sites ending with .example.org, like e.g.,
                   https://www.example.org/index.html
                   https://mail.example.org/mail.html
                   https://www.news.example.org/news.html

Bypass the following destinations: Write in the textfield the IP address or domain names of remote web sites that should be not be checked by the HTTPS proxy, one per line.

The two panels at the bottom are used only for the Decrypt and scan mode and allow to manage the certificate that will be used by the Connect Switchboard.

Warning

The upload or the creation of a new certificate implies to invalidate any previously uploaded or created certificate. It will also be necessary to deploy the new certificate to all the clients.

Upload proxy certificate: To use an existent certificate, click on Browse…, choose the certificate on the local hard disk, then click on Upload to copy the certificate to the Connect Switchboard.
Create a new certificate: To create a new certificate from scratch, click on this button. A confirmation dialog box appears, requiring a confirmation. Click on OK to proceed or on Cancel to close the dialog box and go back.

After the certificate has been uploaded or created, a new option in the form of a hyperlink will appear next to the Upload proxy certificate label:

Download HTTPS proxy certificate: Click this hyperlink to download the certificate, which will be needed by the the clients.

See also

In the knowledge base these tutorials are available:

How to set up the HTTPS proxy (only decrypt and scan mode),

URL Filtering For The HTTPS Proxy and

POP3¶

In this page you find:

POP3: Global settings
- Zone Settings
- Global Settings
Spam filter

This page contains configuration options for the spamassassin mail filter and how it should manage the e-mails recognised as spam.

POP3: Global settings ¶

On this page the POP3 proxy can be enabled/disabled for each network zone as well as the global configuration options.

Zone Settings ¶

The status for the POP3 proxy is displayed for all of the configured default network zones GREEN, BLUE, and ORANGE. To add any additional zones which were configured you can click the Add new Zone button in the top right. To enable/disable the POP3 proxy service for any given zone, simply click the Edit icon actedit and check/uncheck the Enable checkbox.

Global Settings ¶

Scan for virus: Enable virus scanning for POP3 traffic.
Spam filter: Enable spam filtering for the POP3 traffic.
Intercept SSL/TLS encrypted connections: When the checkbox is ticked, also connections over SSL/TLS (POP3S) are scanned for spam and viruses (if enabled).
Firewall logs outgoing connections: Enables firewall logging for outgoing POP3 connections.

Spam filter ¶

This page allows to configure how the POP3 proxy should proceed when it finds a spam e-mail.

Note

Even when an email has been marked as spam, it will be delivered to the original recipient. Indeed, not delivering it would break RFC 2821, which states that once an email is accepted, it must be delivered to the recipient.

Spam subject tag: The prefix that will be added to the subject of the e-mail recognised as spam.
Add spam report to mail body: Tick the checkbox to replace, in each spam e-mail, the body of the original e-mail with a report of the spamassassin daemon with the reasons why the e-mail had been marked as spam.
Required hits: The number value here refers to the required spam score for a message to be considered as spam. The default setting is 5 which is widely considered to be the industry threshold and is recommended for most users.

Note

The spam score lower than 5 will likely result in more false positives (valid email marked as spam) whereas a value higher than 5 will likely result in more false negatives (spam email not marked).
Activate support for Japanese emails: Tick this checkbox to activate support for Japanese character sets in e-mails to search for Japanese spam.
Enable message digest spam detection (pyzor): Tick the checkbox to process spam e-mails using pyzor (in short, spam e-mails are converted to a unique digest message that can be used to identify further analogous spam e-mails).

Warning

The activation of this option might considerably slow down the POP3 proxy!
White list: A list of e-mail addresses or whole domains, specified using wildcards, one per line. E-mails sent from these addresses and domains will never be checked for spam.
Black list: A list of e-mail addresses or whole domains, specified using wildcards, one per line. E-mails sent from these addresses and domains will always be marked as spam.

Note

To wildcard a whole domain use the following syntax: *@example.com

The settings can be saved by clicking on the Save Button.

Encrypted e-mails.

The Connect Switchboard is unable to scan the e-mails sent through a POP3 SSL connection since it is an encrypted channel.

Therefore, to allow a client to use POP3 over SSL it is necessary to appropriately configure it and to disable the encryption from the client to the Connect Switchboard. Encryption should be disabled (i.e., do not use SSL), but the port for POP3 traffic in plain text changed from the default 110 to 995.

After setting this configuration, the connection from the client to the Connect Switchboard will remain in plain text, but it will use port 995, making the Connect Switchboard setup an encrypted POP3 over SSL connection from it to the POP3 server.

SMTP¶

In this page you find:

Settings
Zones
Domains
Antispam
Antivirus
File blocking
Authentication
Black and whitelists
Domain routing
Mail routing
Smart host

The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.

Note

While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.

The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for the outgoing e-mails. It will also be used if an mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and the e-mails can be sent from outside the local network (incoming requests) through t hat mail server, that is, when clients are allowed to send e-mails from the RED interface.

In order to download mail from a remote mailserver to a local e-mail client, the POP3 or IMAP protocol are used. In order to protect that traffic too, enable the POP3 proxy in Menubar ‣ Proxy ‣ POP3.

Warning

Scanning of IMAP traffic is currently not supported.

With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary and in that case both the receiving user and the administrator are notified. With the possibility to scan incoming e-mails, the e-mail proxy can handle incoming connections from the RED interface and pass the e-mail to one or more internal mail servers. Hence, it is possible to run an own mail server behind the firewall without the need to define appropriate port forwarding rules.

The SMTP proxy configuration options are grouped into tabs, each for a different part of the SMTP proxy.

Settings ¶

This is the main configuration page for the SMTP proxy.

Enable the SMTP proxy: Tick the checkbox to enable the SMTP proxy.
Quarantine retention time: The number of days that the e-mail will be stored in the special quarantine location on the Connect Switchboard before being automatically deleted.

Hint

The e-mails stored in the quarantine can be managed in the mail-quarantine, located at Menubar ‣ Services ‣ Mail Quarantine.
Bypass transparent proxy from (SUBNET or IP or MAC): E-mails sent from these sources are not subject to the transparent proxy.
Bypass transparent proxy to (SUBNET or IP): E-Mails sent to these destinations are not subject to the transparent proxy.
Require SMTP HELO: When this checkbox is ticked, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.
SMTP HELO name: The hostname to send with the SMTP EHLO or HELO command. The default value used is the REDIP, but a custom hostname in FQDN format can be supplied.

Hint

Use the hostname of the domain’s MX.

HELO/EHLO and hostname

Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the Connect Switchboard uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.

If that is the case, another custom hostname in FQDN format can be configured under Menubar ‣ Proxy ‣ SMTP ‣ Advanced ‣ Mail server settings ‣ SMTP Helo Name, that can be understood by the remote mail server.

Reject invalid hostname: Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.
Always BCC to address: An e-mail address here that will receive a BCC of each message that goes through the SMTP proxy.
Mail template language: The language in which error messages should be sent, among those available: English, German, Italian, and Japanese.
Enable DSN on zones: Choose from the available zones those which will send a bounce message (i.e., a DSN message) to undeliverable e-mails or to e-mails that can not be correctly sent. In other words, it will be possible to receive delivery notification messages of emails only from zones that have been selected here.
Require Recipient address verification: Enable the check for a valid recipients address before sending the message.
Reject invalid recipient (non-FQDN): Reject the request when the RCPT TO address is not in FQDN form, as required by the RFC 821.
Reject unknown recipient domain: Reject the connection if the domain of the recipient e-mail address has no DNS A or MX record.
Reject invalid sender (non-FQDN): Reject the connecting client if the hostname supplied with the HELO or EHLO command is not a FQDN as required by the RFC 821.
Reject sender from unknown domains: Reject the connection if the domain of the sender e-mail address has no DNS A or MX record.
Hard error limit number: The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).
Maximum email content size: Enter the maximum size in bytes allowed for a single e-mail message.

Troubleshooting STMP proxy.

When the message “Mail for xxx loops back to myself” appears in the log file, it is indicative of a misconfiguration in the custom SMTP HELO name on the appliance, that is the same as the hostname of the internal mailserver to which the incoming e-mail should be forwarded.

In that case the SMTP connection received from the internal mailserver will contain an hostname (the one in the HELO line from the SMTP Proxy setting), that is the same as the hostname of the internal mailserver, hence the internal mailserver believes to send and receive the same e-mail, producing the error message.

Possible solutions include:

To change the hostname of the internal mailserver.
To create a new publicly valid A Record within the DNS zone which also points to the Connect Switchboard and use this hostname as the HELO line within the SMTP Proxy.
To use the numeric IP Address of the uplink as the HELO line.

See also

A step by step guide to set up a basic e-mail proxy can be found here.

Zones ¶

For each zone defined. Choose the proxy mode by clicking on the icon on the right-hand side and select either option:

Enabled: The SMTP proxy is enabled for the zone and accepts requests on port 25.
Transparent: If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on the clients. This option is not available for the RED zone.
Disabled: The SMTP proxy is not enabled for that zone.

Domains ¶

The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click Add domain: A simple form will open, in which the combination domain-mailserver can be created.

Domain: The domain the mailserver is responsible for.
Mail server: The domain name or IP address of the mailserver.

The new entry will be shown at the bottom of the list.

Antispam ¶

In this tab there is the possibility to configure the software applications used by Connect Switchboard to recognise and filter out spam, configuring the following options:

Enable mail spam filtering

Tick the checkbox to enable the antispam filter and to allow the configuration of additional options that will appear below.

Spam handling

These actions can be carried out on e-mails that have been recognised as spam:

Move to default quarantine location: The spam e-mails will be moved to the default location.
Send to quarantine email address: Spam e-mails are forwarded to a custom e-mail address that can be specified in the Spam quarantine email address textbox that will appear upon selecting this option.
Mark as spam: The e-mail is marked as spam before delivery.
Drop email: The spam e-mail is immediately deleted.

Send quarantine email to

The email address to which the quarantined email will be forwarded.

Note

This option appears only when Send to quarantine email address is selected in the Spam handling option.

Spam email subject

A prefix applied to the subject of all e-mails marked as spam.

Notify spam email to: The e-mail address that will receive a notification for each processed spam e-mail.
Tag as spam: If SpamAssassin’s spam score is greater than this number, the X-Spam-Status and X-Spam-Level headers are added to the e-mail.
Send in quarantine: Any e-mail that exceed this spam score will be moved to the quarantine location.
Mark as spam: If SpamAssassin’s spam score is greater than this number, the Spam subject and X-Spam-Flag headers are added to the e-mail.
Send notification only below level: Send notification e-mails only if the spam score is below this number.
Enable graylisting for spam: Enable spam greylisting (see box below).
Delay for greylisting: The greylisting delay can be a value between 30 and 3600 seconds.
Add spam report to email body: Tick the checkbox to add a report to the body of e-mails that are recognised as spam.
Activate the support for Japanese emails: Tick this checkbox to activate the support for Japanese sets in e-mails and filter Japanese spam e-mails.

Note

While most simple and well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is necessary to always train the spam filter in order to reach a personalised and stronger (bayesian) filter.

Spam Greylisting

Spam greylisting is a method used by a MTA to verify whether an e-mail is legitimate by rejecting it a first time and waiting for a second dispatch of the same e-mail. If the e-mail is not received anymore the sender is considered as a spam source. The idea behind greylisting is that any mass spam bot will not try to resend any rejected e-mail, so only valid e-mails would be resent.

Antivirus ¶

In this tab appear options to configure how to manage any virus found in the emails processed.

Scan mail for virus

Enable filtering of e-mails for viruses and to show the additional options.

Virus handling

There are three or four available actions (depending on the type of Connect Switchboard) that can be carried out on e-mails that have been recognised as spam. They are the same as in the Spam settings above:

Move to default quarantine location: any e-mail containing virus will be moved to the default location.
Send to quarantine email address: e-mails containing virus are forwarded to a custom e-mail address that can be specified in the Virus quarantine email address textbox that will appear upon selecting this option.
Pass to recipient (regardless of bad contents): e-mail containing virus will be delivered normally.
Drop email: The e-mail containing virus is immediately deleted.

Send virus quarantine emails to

The email address to which the quarantined email will be forwarded.

Note

This option appears only when Send to quarantine email address is selected in the Virus handling option.

Notify virus to: The e-mail address that will receive a notification for each processed e-mail containing virus.
Send virus notifications from address: The e-mail address that will appear as sender of the notification.
Notify recipients about emails containing viruses: Tick the checkbox to send the original recipients of the e-mail a notification that the e-mail was blocked.
Send notifications only to addresses of configured incoming domains: Tick the checkbox to send a notification only to recipients whose domain is configured in the Domains (see Proxy ‣ SMTP ‣ Domains).

File blocking ¶

This tab contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.

Block files by extension

Activate the extensions-based filtering on files and reveal the additional virus filter options.

Blocked files handling

There are three available actions that can be carried out on e-mails that have blocked (They are the same as in the previous Spam settings and Virus settings tabs):

Move to default quarantine location: e-mails containing blocked files will be moved to the default location.
Send to quarantine email address: e-mails containing blocked files are forwarded to a custom e-mail address that can be specified in the Notify blocked files as and Notify blocked files as textboxes that will appear upon selecting this option.
Pass to recipient (regardless of blocked files): e-mails containing blocked files will be delivered normally

Notify blocked files as: The e-mail address that will appear as the sender of the notifications for each processed e-mail containing blocked attachments.
Notify blocked files to: The e-mail address that will receive the notification.

Note

These option and the previous one only appear if Send to quarantine email address as been selected for the blocked files handling option above.
File extensions to block: Enter the file extensions that will be blocked by the SMTP proxy, one at the time, then click the green + on the right-hand side.

Hint

Each extension must be preceded by a dot, for example .exe.
Block archives that contain blocked filetypes: Tick the checkbox to block every archive that contains files with a blocked extension.

Hint

If Program (.exe) has been chosen as one filetype to block, any .zip, .tar.gz, or another archive containing a file ending in .exe will be blocked.
Block files with double extension: Enable the blocking of any file with a double extension, like exe.jpg or bat.jpg. When ticked, the next option will appear.
Block files with double extensions ending in: In this textarea it is possible to write, one per line, all the extensions that should be blocked when they appear as the second extension of a file. It is necessary to provide at least one in the textarea, otherwise it has no effect. No wildacards are allowed.

Hint

The entry .jpg will block any file with extensions exe.jpg or bat.jpg, but will allow files with extensions jpg.exe, jpg.bat.

Note

Files with double extensions are usually malicious files which may appear as inoffensive images or documents in a file browser, but when they are clicked, an application is executed that has the purpose to harm a computer or steal personal data. A file with a double extensions is exactly like a normal file, but whose name (e.g., image.jpg) is followed by other extensions like .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll (e.g., image.jpg.exe).

Authentication ¶

This tab contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:

Activate SMTP authentication with IMAP server: Tick this checkbox to enable IMAP authentication and to show additional options.
IMAP authentication address: The domain or IP address of the IMAP server.
IMAP authentication port: The port on which the IMAP server is listening, defaults to 143 for plain IMAP or 993 for IMAP over SSL.
Number of authentication daemons: How many concurrent logins are possible through the Connect Switchboard.

Black and whitelists ¶

In this tab there are a few panels which allow the definition of several custom blacklists and whitelists and to select and use existing RBL.

Sender ¶

Whitelisted: All the e-mails sent from these addresses or domains will be accepted. This is the e-mail From: field.
Blacklisted: All the e-mails sent from these addresses or domains will be rejected. This is the e-mail From: field.

Recipients ¶

Whitelisted: All the e-mails sent to these addresses or domains will be accepted. This is the e-mail To: field.
Blacklisted: All the e-mails sent to these addresses or domains will be rejected. This is the e-mail To: field.

Client ¶

Whitelisted: All the e-mails sent from these IP addresses or hosts will be accepted.
Blacklisted: All the e-mails sent from these IP addresses or hosts will be rejected.

Spam ¶

Whitelisted: All the e-mails sent from these IP addresses or hosts will be accepted.
Blacklisted: All the e-mails sent from these IP addresses or hosts will be rejected.

Realtime Blacklist (RBL)¶

An often used method to block spam e-mails are so called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose to identify as quickly as possible new SMTP server used to send spam and block them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from there will be rejected without further notice. The use of RBL saves bandwidth, since the mails will not be accepted and then handled like legitimate e-mails, but rather dismissed as soon as the sender’s IP address or domain is found in any blacklist. The Connect Switchboard uses many different RBL, which are divided into IP-based and domain-based. The blacklist that belong on each category are shown by clicking on the small icon, and can be enabled or disabled by clicking on the red or green arrow on top of the list, or individually. The homepage of the various organisations that compile the lists is reachable by clicking on the list’s name.

Warning

Sometimes it can happen that IP addresses or domains have been wrongly listed by an RBL operator. If this should happen, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without the possibility to recover it. Since there is no possibility to directly influence the RBLs, it is necessary to take into account the policies applied from the organisations that manage the RBLs before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.

Among the blacklist installed, there are:

bl.spamcop.net: A blacklist based on submissions from its users.
zen.spamhaus.org: This list contains the Spamhaus block list as well as Spamhaus’ exploits block list and its policy block list.
cbl.abuseat.org: The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (e.g., HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms, viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.
[name].dnsbl.sorbs.net and rhsbl.dnsbl.sorbs.net: Several blacklists are supplied from this organisation (replace [name] with safe, relays, spam, and zombie), and can be activated individually or all together by enabling the dsnbl.sorbs.net blacklist.
uceprotect.net: Lists that hold domains of known spam sources for at most seven days. After this period, domains are delisted, but subsequent violations cause the application of more restrictive policies.

The RBLs are grouped into two lists: IP based and Domain based RBLs. Enter some letter in the underneath text box (Search value…) of either list to filter the available RBLs, then click each item that match your search. To activate all the RBLS in one box, click Select all.

Domain routing ¶

The page shows a list of domains along with the smarthost responsible for delivering the e-mails’ to or from those domains. The information shown by the list are the same that shall be provided when adding a new domain.

To add a new domain, click Add route: A simple form will open, in which the combination domain-mailserver can be created. In the Detail tab these option are available.

Direction: Decide whether the rule will be applied to the domain associated with the e-mail-‘s sender or recipient.
Domain: The domain this mailserver is responsible for.
Outgoing IP: Choose from the drop-down menu the IP address of the uplink through which the e-mails will be sent.

In the Smarthost tab all option for the smarthost are available, which are the same that are in the Smart host configuration.

Rule’s priority in Domain Routing

Suppose you have set up two rules for domain routing: One with domain mydomain.com as the sender and uplink main as the route, and a second one with domain example.org as the receiver and uplink secondary as the route. What happens to an email that is sent from server foo.mydomain.com to a user on bar.example.org? The answer can be found in how the Connect Switchboard‘s MTA, postfix, processes the e-mails’ sending rules: It first reads all the rules involving the sources, then the rules involving the recipient. Thus, the e-mail that is sent from foo.mydomain.com to bar.example.org will be routed through through the secondary uplink.

Mail routing ¶

This option allows to send a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list show the direction, the address and the BCC address, if any, and the available actions.

To add a new mail route, click Add route button. In the form that opens these options can be configured:

Direction: Select from the drop-down menu whether the mail route should be defined for the Sender or Recipient of the e-mail.
Mail address: Depending on the direction chosen, this will be the e-mail address of the recipient or sender to which the route should be applied.
BCC address: The e-mail address which are the recipient of the copy of the e-mails.

Warning

Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries it is highly illegal to read other people’s private messages, so please neither misuse nor abuse of this feature.

Smart host ¶

In this tab a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or an ADSL dialup Internet connection, there can be some troubles sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL (see Black- & Whitelists above) and therefore the remote mailserver might refuse the e-mails. Hence, it becomes necessary to use a smarthost for sending e-mails.

Activate smarthost for delivery: Tick this checkbox to enable a smarthost for delivering e-mails and to show additional options.
Smarthost address: The IP address or hostname of the smarthost.
Smarthost port: The port on which the smarthost is listening, defaults to 25.
Smarthost requires authentication: Tick this checkbox if the smarthost requires authentication. The next three extra options are then shown.
Authentication method: The authentication methods required by the smarthost: PLAIN, LOGIN, CRAM, and DIGEST-MD5 are supported. Select the method or methods supported by the smarthost or click Select all in case all are accepted.
Username: The username used for authentication on the smarthost.
Password: The password used for authentication on the smarthost.

DNS¶

The DNS proxy is a proxy server that intercepts DNS queries and answers them, without the need to contact a remote DNS server each time it is necessary to resolve an IP address or a hostname. When a same query is often repeated, caching its results locally may sensibly improve performances. The available settings for the DNS proxy are grouped into three pages.

DNS Proxy configuration¶

Zone Settings¶

A few options for the DNS proxy can be configured in this page.

The status for the DNS proxy is displayed for all of the configured default network zones GREEN, BLUE, and ORANGE. To add any additional zones which were configured you can click the Add new Zone button in the top right. To enable/disable the DNS proxy service for any given zone, simply click the Edit icon actedit and check/uncheck the Enable checkbox.

Global Settings¶

Specific sources and destinations can be set up to bypass the proxy by filling in their values in the two text areas.

Bypass from (subnet / IP address / MAC address): Allow the sources written in the corresponding text area not to be subject to the DNS proxy. The sources can be specified as IP addresses, networks, or MAC addresses.
Bypass to (subnet / IP address): Allow the destinations written under the corresponding text area not to be subject to the DNS proxy. The destinations can be specified as IP addresses or networks.

DNS Routing¶

This page allows to define a custom nameserver for a given domain. In other words, all DNS query for that domain will be redirected to the corresponding nameserver to retrieve the correct resolution.

Domains and name server

A new domain - nameserver combination can be added by clicking on the Add new custom name server for a domain button. When adding an entry, the following options are available:

Domain Name: The domain for which to use the custom nameserver.
IP Address: The IP address of the nameserver to use.
Remark: An additional comment.

Local domains for system services¶

Here are displayed the domains and corresponding IP addresses used for system services (e.g. HTTP or SMTP proxy). The entries here are ones added by the Endian system automatically in order to allow a service to work properly.

Anti-spyware¶

This page presents configuration options about the reaction of the Connect Switchboard when asked to resolve a domain name that is known to be either used to propagate spyware or that serves as phishing site. The service is based on a list of malicious domains maintained by phishtank and when a client behind the Connect Switchboard tries to access one of these domain, he will be redirected to a blackhole (non-existent) domain. To activate the service, click on the grey switch Disabled. The following options will appear:

Whitelist domains: Domain names that are entered in the textarea below are never treated as spyware targets, regardless of the list’s content, and therefore will resolve to their correct IP address.

Note

In case a site has wrongly been blacklisted or if access to a site must always be allowed, regardless of possible false positives, enter its domain name here to allow access to it. Examples could include, for example, operating system update servers, antivirus update servers or other critical services.
Blacklist domains: Domain names that are entered in the textarea below are always treated as spyware targets, regardless of the list’s content
Spyware domain list update schedule: The update frequency of the spyware domain list. Possible choices are Daily, Weekly, and Monthly.

Note

To download updated signatures, the system must be registered to Endian Network and option Disable signature updates if uplink is online (Network ‣ Uplinks, see section Uplinks) must be disabled on every configured uplink.