The Proxy Menu

Select Proxy from the menu bar at the top of the screen.

A proxy is a service on your Endian UTM Appliance that can act as a gatekeeper between clients (e.g. a web browser) and network services (e.g. a web server on the internet). Clients connect to the proxy, which in turn can retrieve, cache, filter and potentially block the information from the original server. A proxy is called transparent if all traffic goes through it regardless of the client’s configuration. Non-transparent proxies hence rely on the collaboration of the client (e.g. the proxy settings of your web browser).

Following is a list of proxies that are available on Endian Firewall. Each proxy can be configured via the links that are in the submenu on the left side of the screen:

  • HTTP - configure the web proxy including access policies, authentication, content filter and antivirus
  • POP3 - configure the proxy for retrieving mail via the POP protocol, including spam filter and antivirus
  • FTP - enable or disable the FTP proxy (check files that are downloaded via FTP for viruses)
  • SMTP - configure the proxy for sending or retrieving mail via the SMTP protocol, including spam filter and antivirus
  • DNS - configure the caching domain name server (DNS) including anti-spyware

Each section will be explained individually below.

HTTP

Select Proxy from the menu bar at the top of the screen, then select HTTP from the submenu on the left side of the screen.

Configuration

Click on the Enable HTTP Proxy toggle to enable the HTTP proxy (Endian UTM Appliance uses the Squid caching proxy). Once the proxy is up and running, a number of controls appear.

First of all, you can define the way users in each zone (GREEN and, if enabled, also ORANGE and BLUE) can access the proxy. The choices per zone are:

not transparent
the proxy server is available to anyone (no need to log in) but you need to configure your browser manually or tell the browser to search for a proxy (WPAD or PAC)
transparent
the proxy server is available to anyone and no browser configuration is needed (HTTP traffic is intercepted and forwarded to the proxy server)

Note

If you want to disable the proxy for a certain zone you must set it to transparent in this zone and add the zone’s subnet to the Bypass transparent proxy from SUBNET/IP/MAC field in the Bypass transparent proxy section.

Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using the Web Proxy Autodiscovery Protocol (WPAD). Most browsers also support proxy auto-configuration (PAC) through a special URL. When using an Endian UTM Appliance the URL looks like this: http://<IP OF YOUR FIREWALL>/proxy.pac.
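The PAC mechanism mentioned above works because the URL returns a small JavaScript file whose FindProxyForURL function the browser calls for every request. The following is an added example of such a file, written for this page and not the proxy.pac that the appliance generates; the firewall address 192.0.2.1, the GREEN subnet 192.168.0.0/24 and the local domain .intranet.example are constructed placeholders, and the port is the default "Port used by proxy" value of 8080. Browsers provide isPlainHostName, dnsDomainIs and isInNet themselves; the stand-ins defined here cover only what the script needs so that it can also be run and tested outside a browser.

```javascript
// Added example of a proxy auto-configuration (PAC) script, not the one the
// appliance serves.  Constructed values: firewall 192.0.2.1, port 8080 (the
// default "Port used by proxy"), GREEN subnet 192.168.0.0/24, local domain
// ".intranet.example".
var PROXY = "PROXY 192.0.2.1:8080";
var LOCAL_NETS = [["192.168.0.0", "255.255.255.0"]];
var DIRECT_DOMAINS = [".intranet.example"];

// Stand-ins for the helpers a browser supplies to PAC scripts.  They handle
// only the subset used below and perform no DNS lookups (the browser's
// isInNet resolves hostnames; this one accepts dotted IPv4 literals only).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return ((acc << 8) | parseInt(octet, 10)) >>> 0;
  }, 0);
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// The browser calls this for every request and honours the returned string.
function FindProxyForURL(url, host) {
  // Unqualified names and hosts in the local domain are reached directly.
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) return "DIRECT";
  }
  // Literal addresses inside the local subnets bypass the proxy as well.
  for (var j = 0; j < LOCAL_NETS.length; j++) {
    if (isInNet(host, LOCAL_NETS[j][0], LOCAL_NETS[j][1])) return "DIRECT";
  }
  // Everything else goes through the firewall's HTTP proxy.  Deliberately no
  // "; DIRECT" fallback: with one, a stopped proxy would let clients silently
  // bypass access policies, content filter and antivirus.
  return PROXY;
}
```

Whether to append a "; DIRECT" fallback is a policy decision: it keeps browsing alive when Squid is down, but it also means the filtering described in the rest of this section stops applying without anyone noticing, so a filtering deployment normally leaves it out and monitors the proxy instead.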

Next comes a section with global configuration options:

Port used by proxy
the TCP port on which the proxy server listens for connections (defaults to 8080)
Language of error messages
the language in which error messages are displayed
Visible hostname
the proxy server will assume this as its hostname (will also show at the bottom of error messages)
Email used for notification (cache admin)
the proxy server will show this email address in error messages
Max download size (incoming)
limit for HTTP file downloads in KB (0 means unlimited)
Max upload size (outgoing)
limit for HTTP file uploads (such as used by HTML forms with file uploads) in KB (0 means unlimited)

Then you will find a number of additional options, each in its own panel that can be expanded by clicking on the + icon:

Allowed Ports and SSL Ports

Allowed Ports (from client)
list the TCP destination ports to which the proxy server will accept connections when using HTTP (one per line, comments start with #)
Allowed SSL Ports (from client)
list the TCP destination ports to which the proxy server will accept connections when using HTTPS (one per line, comments start with #)

Log settings

Log enabled
log all URLs being accessed through the proxy (master switch)
Log query terms
also log parameters in the URL (such as ?id=123)
Log useragents
also log useragents, i.e. which web browsers access the web
Log contentfiltering
also log when content is filtered
Firewall logging (transparent proxies only)
have the firewall log web accesses (transparent proxies only)

Bypass transparent proxy

Bypass transparent proxy from SUBNET/IP/MAC
specify sources that are not subject to transparent proxying; give one SUBNET, IP address or MAC address per line
Bypass transparent proxy to SUBNET/IP
specify destinations that are not subject to transparent proxying; give one SUBNET or IP address per line

Cache management

Cache size on harddisk (MB)
specify the amount of disk space the proxy should allocate for caching web sites on the harddisk (in megabytes)
Cache size within memory (MB)
specify the amount of memory the proxy should allocate for caching web sites in the system memory (in megabytes)
Maximum object size (MB)
specify the upper size limit of objects that should be cached (in megabytes)
Minimum object size (MB)
specify the lower size limit of objects that should be cached (in megabytes)
Enable offline mode
if this option is on, the proxy will never try to update cached objects from the upstream webserver; clients can then browse cached, static websites even after the uplink has gone down
Clear cache
if this button is clicked the cache of the proxy is flushed.
Do not cache these domains
in this textarea you can specify which domains should not be cached (one domain per line)

Upstream proxy

Upstream proxy
use this option to make your Endian UTM Appliance’s proxy connect to another (upstream) proxy; specify the upstream proxy as “host:port”
upstream username / password
if authentication for the upstream proxy is required you can specify the credentials here
Username / client IP forwarding
forward the username / client IP address to the upstream proxy

Click the Save button to confirm and save the configuration changes. Do not forget to click the Apply button to restart the proxy for the changes to become active.

Authentication

Endian UTM Appliance’s proxy supports four different authentication types: Local Authentication (NCSA), LDAP (v2, v3, Novell eDirectory, AD), Windows Active Directory (NTLM) and RADIUS. Each of these types needs different configuration parameters and is described below. The global configuration parameters, common to all types, are:

Authentication realm
this text is shown in the authentication dialog and is also used as the realm for Kerberos/winbind when joining an Active Directory domain (use the FQDN of the PDC when Windows Active Directory is used for authentication).
Number of Authentication Children
the maximum number of authentication processes that can run simultaneously
Authentication cache TTL (in minutes)
the time in minutes authentication data should be cached
Number of different IPs per user
the maximum number of IP addresses from which a user can connect to the proxy simultaneously
User / IP cache TTL (in minutes)
the time in minutes an IP address will be associated with the logged in user

The following parameters are available for local authentication.

manage users
When clicking on this button the user management interface will be opened.
manage groups
When clicking on this button the user management interface will be opened.
Min password length
Here you can set the minimum password length for local users.

The following parameters are available for LDAP authentication.

LDAP server
the IP address or fully qualified domain name of your LDAP server
Port of LDAP server
the port on which the server is listening
Bind DN settings
the base distinguished name, i.e. the starting point of your search
LDAP type
here you can choose whether you are using an Active Directory server, a Novell eDirectory server, an LDAP version 2 server or an LDAP version 3 server
Bind DN username
the fully distinguished name of a bind DN user, the user must have permission to read user attributes
Bind DN password
the password of the user
user objectClass
the bind DN user must be part of this objectClass
group objectClass
the bind DN group must be part of this objectClass

The following parameters are available for Windows authentication.

Domainname of AD server
the active directory domain you want to join (use FQDN)
Join Domain
click here to join the domain (the authentication settings need to be saved and applied first)
PDC hostname
the hostname of the primary domain controller
PDC IP address
the IP address of the primary domain controller (needed to create the required DNS entries / settings)
BDC hostname
the hostname of the backup domain controller
BDC IP address
the IP address of the backup domain controller (needed to create the required DNS entries / settings)

In order to be able to use Windows’ native authentication with Active Directory (NTLM) you have to make sure that a few conditions are met:

  • The authentication settings need to be saved and applied before trying to join the domain.
  • The firewall must join the domain.
  • The system clocks on the firewall and on the Active Directory server have to be in sync.
  • The realm must be a fully qualified domain name.
  • The PDC hostname has to be set to the NetBIOS name of the Active Directory server.

Since version 2.3 of Endian UTM Appliance it is not necessary to create Host and DNS proxy entries anymore. They will be auto-generated when the authentication settings are applied.

The following parameters are available for Radius authentication.

RADIUS server
the address of the RADIUS server
Port
the port on which the RADIUS server is listening
Identifier
an additional identifier
Shared secret
the password to be used

Access policy

The access policy is applied to every client that is going through the proxy, regardless of its authentication. Access policy rules are time-based access policies based on source, destination, authentication, useragents, mimetypes and virus scanning / content filtering.

You can view your own rules in the Rule list. Any rule can specify whether web access is blocked or allowed; in the latter case you can activate and select a filter type. To add a new rule just click on Create a rule, after which the following settings can be configured:

Source
Here you can choose the sources to which this rule will be applied. This can be either <ANY>, a Zone, a list of Network/IP or MAC addresses (one address per line).
Destination
Here you can choose the destinations to which this rule will be applied. This can be either <ANY>, a Zone, a list of Network/IP addresses (one address per line) or a list of domains (one domain per line).
Authentication
Here you can choose to which authenticated users this rule should be applied. First choose whether you want to create a group based or a user based rule; one or more users / groups, to which the policy will be applied, can then be selected.
Time restriction
Specify whether the rule has effect on specific days and/or a time period.
Useragents
From this list you can choose allowed clients and browsers.
Mimetypes
If mimetypes of incoming files should be blocked add them to this list (one per line). Mimetypes can only be blocked and not allowed (whitelisted), therefore this option is only available in Deny access policies. This allows you to block files not corresponding to the company policy (for example multimedia files).
Access policy
Specify whether you want the rule to allow web access or to deny it.
Filter profile
Choose antivirus scan only to create a rule which only scans for viruses, choose content filter only to create a rule which analyzes the content of web pages and filters it according to the settings of the chosen Content filter profile. If you choose unrestricted no checks will be performed.
Policy status
Specify if the rule is enabled or disabled. Disabled rules will not be applied.
Position
Specify where to place the new rule. Smaller numbers have higher priority.

Since version 2.3 of Endian UTM Appliance it is possible to create multiple Contentfilter profiles with different filter and antivirus settings. Since this release it is also possible to whitelist e.g. a domain just for a certain user/source by creating an access policy rule.

You can then change priority, edit, enable/disable or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

Content filter

To be able to use the content filter, you have to use a Contentfilter profile in an access policy rule. Endian UTM Appliance’s Content Filter (DansGuardian) uses three filtering techniques which can be defined per filter profile.

The first is called PICS (Platform for Internet Content Selection). It is a specification created by the W3C that uses metadata to label webpages to help parental control. The second is based on an advanced phrase weighting system, which analyzes the text of web pages and calculates a score for each page. The last method uses a huge blacklist of categorized URLs and domains. All requested URLs are looked up in this list and are only served if they are not found.

The screen is divided into a general configuration section and a section where the specific filtering policy can be chosen.

Activate antivirus scan
Enable both the content filter (Dansguardian) and the antivirus proxy (HAVP).
Enable logging
Log blocked requests.
Platform for Internet Content Selection
Enable parental control based on PICS metadata.
Max. score for phrases
Specify the maximum score level of a trustworthy page (50-300). You can tune this level: if children browse the web through Endian Firewall you should set a value around 50, for teenagers it should be 100 and for young adults 160.
Content Filter
This section allows filter configuration based on phrase analysis. You can block or allow a category of sites by clicking on the icon beside it. Subcategories are shown when clicking on the + icon.
URL Blacklist
This section allows configuration of filtering based on URL comparison. You can block or allow a category of sites by clicking on the icon beside the category name. Subcategories are shown by clicking on + icon.
Custom black and white lists
Content filtering may cause false positives and false negatives - here you can list domains that should always be blocked or allowed regardless of the results of the content filter’s analysis.

Phrase analysis requires much more computing power than other technologies (PICS and URL blacklist). If you wish to disable this filtering technique you can mark all categories as allowed in the Content Filter section.

When whitelisting a domain always make sure to whitelist all necessary domains for that site to work as well. An example:

  • google.com is blocked, which means all subdomains of google.com are blocked as well
  • maps.google.com is whitelisted so you can access it
  • maps.google.com does not work like it should because it tries to get data from other google servers
  • you will have to whitelist these domains (e.g. mt0.google.com) as well
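The matching rule behind the example above (a listed domain covers all of its subdomains, and a whitelist entry wins over a blacklist entry for the hosts it covers) is easy to get wrong when editing the custom lists by hand. The following is an added example written for this page, not DansGuardian's or Endian's own code: it applies those two rules to a host name and, more usefully, takes the list of hosts a page actually talks to and reports which of them are still blocked. The list contents and the dependency list are constructed from the example in the text; only the custom lists are modelled, not phrase analysis, PICS or the URL blacklist categories.

```javascript
// Added example, not part of the Endian documentation.  Models only the
// "Custom black and white lists" of a content filter profile.

// A list entry matches the host itself and any subdomain of it, on a label
// boundary, so "google.com" covers "maps.google.com" but not "notgoogle.com".
function domainMatches(host, entry) {
  host = host.toLowerCase();
  entry = entry.toLowerCase().replace(/^\./, "");
  return host === entry || host.endsWith("." + entry);
}

function listHas(host, list) {
  return list.some(function (entry) { return domainMatches(host, entry); });
}

// Whitelist takes precedence, as in the example above: google.com blocked,
// maps.google.com whitelisted, so maps.google.com is allowed.
function isBlocked(host, blacklist, whitelist) {
  if (listHas(host, whitelist)) return false;
  return listHas(host, blacklist);
}

// Given the hosts a page loads resources from, return the ones the lists
// still block.  Run this before declaring a site "whitelisted".
function blockedDependencies(hosts, blacklist, whitelist) {
  return hosts.filter(function (h) { return isBlocked(h, blacklist, whitelist); });
}

// Constructed sample reproducing the situation described in the text.
var BLACKLIST = ["google.com"];
var WHITELIST = ["maps.google.com"];
// Hosts the whitelisted site is assumed to fetch data from (constructed;
// mt0.google.com is the one the text names, www.google.com is illustrative).
var MAPS_DEPENDENCIES = ["maps.google.com", "mt0.google.com", "www.google.com"];
```

With the sample lists, blockedDependencies(MAPS_DEPENDENCIES, BLACKLIST, WHITELIST) reports mt0.google.com and www.google.com as still blocked; adding them to WHITELIST, as the text advises, empties the result.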

Click on Save to save the settings of a content filter profile.

You can then edit or delete each rule from the list by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

Antivirus

In this section you can configure the virus scanner engine (ClamAV, since version 2.3 Sophos Antivirus is also available) used by the HTTP proxy.

Max. content scan size
Specify the maximum size for files that should be scanned for viruses.
Do not scan the following URLs
A list of URLs that will not be scanned for viruses (one per line).

Click on Save to save the settings of the virus scanner engine.

AD join

In this section you can join the Active Directory Server. This is only possible when Authentication is set to Windows Active Directory (NTLM).

POP3

Select Proxy from the menu bar at the top of the screen, then select POP3 from the submenu on the left side of the screen. In this section you can configure the POP3 (incoming mail) proxy.

Global settings

On this page you can configure the global configuration settings of the POP3 proxy. You can enable or disable the POP3 proxy for every zone. It is also possible to enable the Virus scanner and the Spam filter for incoming emails. If you want to log every outgoing POP3 connection you can enable the Firewall logs outgoing connections checkbox.

Spam filter

On this page you can configure how the POP3 proxy should react once it finds a spam email.

Spam subject tag
Here you can specify a prefix for the spam email’s subject.
Required hits
This option defines how many hits are required for a message to consider it spam. The default value is 5.
Enable message digest spam detection(pyzor)
If you want to detect spam using message digests you can enable this option. Note that this might slow down your POP3 proxy.
White list
Here you can whitelist sender email-addresses (one address per line). It is also possible to whitelist whole domains by using wildcards, e.g. *@example.com.
Black list
Here you can blacklist sender email-addresses (one address per line). It is also possible to blacklist whole domains by using wildcards, e.g. *@example.com.

FTP

Select Proxy from the menu bar at the top of the screen, then select FTP from the submenu on the left side of the screen.

The FTP (File Transfer Protocol) proxy is available only as a transparent proxy; it allows scanning FTP downloads for viruses.

Note

Only connections to the standard FTP port (21) are redirected to the proxy. This means that if you configure your clients to use the HTTP proxy also for the FTP protocol, this FTP proxy will be bypassed!

You can enable the transparent FTP proxy on the GREEN zone and on the other enabled zones (ORANGE, BLUE). The following options can be configured (confirm the settings by clicking Save).

Firewall logs outgoing connections
Show outgoing connections in the firewall log.
Bypass the transparent Proxy
Specify sources (left panel) or destinations (right panel) that are not subject to transparent FTP proxying. Always specify one subnet, IP address or MAC address per line.

Endian UTM Appliance supports transparent FTP proxying with frox if and only if it is directly connected to the internet. If you have another NATing firewall or router between Endian UTM Appliance and the internet, frox does not work because it uses an active FTP upstream.

SMTP

Select Proxy from the menu bar at the top of the screen, then select SMTP from the submenu on the left side of the screen.

The SMTP (simple mail transfer protocol) proxy can relay and filter email traffic as it is being sent towards email servers.

The scope of the SMTP proxy is to control and optimize SMTP traffic in general and to protect your network from threats when using the SMTP protocol. SMTP (Simple Mail Transfer Protocol) is used whenever an email is sent by your mail client to a remote mail server (outgoing mail). It will also be used if you have your own mail server running on your LAN (GREEN interface) or your DMZ (ORANGE interface) and are allowing mails to be sent from outside your network (incoming requests) through your mail server. The SMTP proxy configuration is split into several subsections.

Warning

In order to download mail from a remote mailserver with your local mail clients, the POP3 or IMAP protocol will be used. If you want to protect that traffic too, you have to enable the POP3 proxy in Proxy, POP3. Scanning of IMAP traffic is currently not supported. With the mail proxy functionality, both sorts of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail will be blocked if necessary and notices will be sent to both the receiving user and the administrator. With the possibility to scan incoming mail, the mail proxy can handle incoming connections and pass the mail to one or more internal mail servers. This allows you to have your own mail servers running behind the firewall without the need for port forwards.

Configuration

This is the main configuration section for the SMTP proxy. It contains the following options:

active GREEN, BLUE, ORANGE and RED
Enables the SMTP proxy on the selected zones so that it accepts requests on port 25.
transparent mode GREEN, BLUE, ORANGE
If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on your clients.

Then you will find a number of additional options, each in its own panel that can be expanded by clicking on the + icon:

In general the Spam settings section gives you the ability to configure SpamAssassin and amavisd-new, which are used to filter out spam. SpamAssassin provides several means of detecting spam. It has a score tally system in which a large number of inter-related rules fire and add up to a score that determines whether a message is spam or not.

Filter mail for spam
Check this box if you would like to filter spam emails. If checked the spam filter options will be shown. Black-, White- and Greylists can be configured in the Proxy ‣ SMTP ‣ Black- & Whitelists section.
Activate commtouch for spam filtering (optional)
Check this box if you would like to use the commtouch anti-spam engine to filter the emails.
Choose spam handling

Choose between:

  • move to default quarantine location: spam mails will be moved to the default location on the harddrive (in /var/amavis/virusmails)
  • move to custom quarantine location: you can specify a custom location on the harddrive to which spam mails will be moved
  • send to quarantine email address: spam mails will be forwarded to a custom email address you specify
  • mark as spam: mail will be marked as spam before it is delivered

Spam subject
Here you can specify a prefix for the subject of marked spam emails.
Email used for spam notifications (spam admin)
Here you can provide an email-address that will receive a notification for each spam email that is processed.
Spam tag level
If SpamAssassin’s spam score is greater than this number, X-Spam-Status and X-Spam-Level headers are added to the email.
Spam mark level
If SpamAssassin’s spam score is greater than this number mails are tagged with the Spam subject and an X-Spam-Flag header.
Spam quarantine level
Mails that exceed this spam score will be moved to the quarantine.
Send notification only below level
Send notification emails only if the spam score is below this number.
Activate greylisting for spam
Check this box if you want to enable greylisting.
Delay for greylisting (sec)
The greylisting delay in seconds can be a value between 30 and 3600.

Note

While most simple spam mails, such as well known spam messages and mail sent by known spam hosts, are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is absolutely necessary to always train the spam filter in order to reach a personalized and stronger (Bayes) filter.

Virus settings is one of the main sections of the SMTP proxy module. Four different actions can be performed when a mail that contains a virus is received. It is also possible to configure an email address for notifications.

Scan mail for virus
Check this box if you would like to filter emails for viruses. If checked the virus options will be shown.
Choose virus handling

Choose between:

  • move to default quarantine location: mails containing a virus will be moved to the default location on the harddrive (in /var/amavis/virusmails)
  • move to custom quarantine location: mails containing a virus will be moved to the specified location on the harddrive
  • send to quarantine email address: mails containing a virus will be forwarded to the specified email address
  • pass to recipient (regardless of bad contents): mails containing a virus will be delivered normally

In the File settings section the SMTP proxy also allows you to block files with certain file extensions which may be attached to mails. Mails which contain such attachments will be recognized and the selected action will be performed for the respective mail.

Block files by extension
Check this box if you would like to block mails that contain attached files with certain extensions. If checked the file extension options will be shown.
Choose handling of blocked files

Choose between:

  • move to default quarantine location: mails containing blocked files will be moved to the default location on the harddrive (in /var/amavis/virusmails)
  • move to custom quarantine location: mails containing blocked files will be moved to the specified location on the harddrive
  • send to quarantine email address: mails containing blocked files will be forwarded to the specified email address
  • pass to recipient (regardless of bad contents): mails containing blocked files will be delivered normally

Choose filetypes to block (by extension)
You can select one or more file extensions to be blocked. In order to select multiple extensions press the control key and click on the desired entries with your mouse.
Email used for blocked file notifications (file admin)
Whenever an email with an attachment that is blocked due to its file extension is found, a notification email is sent to this address.
Block files with double extension
If you enable this option, files with double extensions will be blocked since these files are usually created to harm computers (blocked double extensions are composed of any extension followed by .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll).
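The two attachment checks above (a chosen list of extensions, and the double-extension rule with its fixed list of executable-like trailing extensions) are simple enough to reproduce, which is useful for testing a policy against sample attachment names before enabling it. The following is an added example written for this page, not amavisd-new's or Endian's implementation. The trailing-extension list is the one quoted in the text; the sample of chosen extensions (.exe and .scr) is constructed, and treating extensions case-insensitively and ignoring any path component are this example's own choices.

```javascript
// Added example, not Endian's code.  Reproduces the File settings checks:
// a user-chosen extension list plus the fixed double-extension rule.
var DOUBLE_EXT_TAILS = [".exe", ".com", ".vbs", ".pif", ".scr", ".bat", ".cmd", ".dll"];

// Split "name.ext1.ext2" into its extension chain [".ext1", ".ext2"],
// lower-cased.  Any path component is dropped and a leading dot (".bashrc")
// is not counted as an extension (both are this example's choices).
function extensionChain(filename) {
  var base = filename.split(/[\\\/]/).pop();
  var parts = base.split(".");
  if (parts[0] === "") parts.shift();
  return parts.slice(1).map(function (p) { return "." + p.toLowerCase(); });
}

// "Double extension" as defined in the text: at least two extensions, the
// last of which is one of the executable-like ones.  A bare "setup.exe"
// is not a double extension; it is caught by the chosen-extension list.
function hasBlockedDoubleExtension(filename) {
  var chain = extensionChain(filename);
  return chain.length >= 2 && DOUBLE_EXT_TAILS.indexOf(chain[chain.length - 1]) !== -1;
}

// Combined policy: the reason an attachment would be blocked, or null.
// blockedExtensions holds lower-cased entries with their leading dot.
function attachmentBlockReason(filename, blockedExtensions, blockDoubleExt) {
  var chain = extensionChain(filename);
  var last = chain.length ? chain[chain.length - 1] : null;
  if (last !== null && blockedExtensions.indexOf(last) !== -1) {
    return "extension " + last + " is on the block list";
  }
  if (blockDoubleExt && hasBlockedDoubleExtension(filename)) {
    return "double extension " + chain.slice(-2).join("") + " (disguised executable)";
  }
  return null;
}

// Constructed sample policy: .exe and .scr chosen outright, double
// extensions enabled.  "photo.jpg.vbs" is then blocked only by the latter.
var SAMPLE_BLOCKED = [".exe", ".scr"];
```

Running attachmentBlockReason over the attachment names in a day's mail log is a quick way to see how much legitimate traffic a stricter extension list would catch before it is switched on.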

You need to configure the email domains for which the server should be responsible. You can add the list of domains in the Proxy, SMTP, Incoming domains section.

Bypass transparent proxy

Bypass transparent proxy from SUBNET/IP/MAC
specify sources that are not subject to transparent proxying; give one SUBNET, IP address or MAC address per line
Bypass transparent proxy to SUBNET/IP
specify destinations that are not subject to transparent proxying; give one SUBNET or IP address per line

To save and apply the settings you must click on the Save button.

Black- & Whitelists

You can create custom black- and whitelists by adding entries to the fields in the Accepted mail (Black- & Whitelists) section to explicitly block (blacklist) or allow (whitelist) certain senders, recipients, IP addresses or networks.

Whitelist sender
Mails from these addresses or domains will always be accepted.
Blacklist sender
Mails from these addresses or domains will never be accepted.
Whitelist recipient
Mails to these addresses or domains will always be accepted.
Blacklist recipient
Mails to these addresses or domains will never be accepted.
Whitelist client
Mails that have been sent from these IP addresses or hosts will always be accepted.
Blacklist client
Mails that have been sent from these IP addresses or hosts will never be accepted.

Examples for recipient/sender black- and whitelists:

  • whitelist a domain (with subdomains):

    example.com

  • whitelist only subdomains:

    .example.com

  • whitelist a single address:

    info@example.com

    admin@example.com

Examples for client black- and whitelists:

  • whitelist a domain/IPs:

    example.com

    192.168.100.0/24
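The three entry forms shown in the sender/recipient examples above (a full address, a bare domain covering the domain and its subdomains, and a leading-dot domain covering subdomains only), together with the *@example.com wildcard form used by the POP3 spam filter lists earlier on this page, each match differently, and a mis-typed entry quietly matches more or less than intended. The following is an added example written for this page, not Postfix's, amavisd-new's or Endian's own matching code: it matches one envelope address against an entry and against a whole textarea of entries. The matching rules are taken from the examples in the text; comparing case-insensitively is this example's own choice, and the sample addresses are constructed.

```javascript
// Added example, not Endian's code.  Entry forms handled:
//   info@example.com   exactly this address
//   example.com        the domain and all its subdomains
//   .example.com       subdomains only
//   *@example.com      any local part at exactly this domain (POP3 lists)

// Split "user@domain" (lower-cased); null for anything else.
function splitAddress(address) {
  var at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) return null;
  return { user: address.slice(0, at).toLowerCase(),
           domain: address.slice(at + 1).toLowerCase() };
}

function entryMatches(address, entry) {
  var a = splitAddress(address);
  if (a === null) return false;
  entry = entry.trim().toLowerCase();
  if (entry.startsWith("*@")) return a.domain === entry.slice(2);       // wildcard local part
  if (entry.indexOf("@") !== -1) return address.toLowerCase() === entry;  // single address
  if (entry.startsWith(".")) return a.domain.endsWith(entry);             // subdomains only
  return a.domain === entry || a.domain.endsWith("." + entry);           // domain + subdomains
}

// Match against a textarea's content (one entry per line, blank lines
// ignored); returns the first matching entry or null.  Returning the entry
// rather than a boolean tells you *which* line let a message through.
function firstMatch(address, listText) {
  var entries = listText.split("\n")
    .map(function (line) { return line.trim(); })
    .filter(function (line) { return line.length > 0; });
  for (var i = 0; i < entries.length; i++) {
    if (entryMatches(address, entries[i])) return entries[i];
  }
  return null;
}

// Constructed sample whitelist, as it would be pasted into the textarea.
var SAMPLE_WHITELIST = "info@example.com\nadmin@example.com\n.partner.example\n";
```

One practical use is auditing an existing list: running every sender from the mail log through firstMatch shows which whitelist line is responsible for each accepted message, and a bare domain entry that was meant to be a single address stands out immediately.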

A frequently used method to block spam e-mails is the use of so-called Realtime Blacklists (RBL). These lists are created, managed and updated by different organisations. If a domain or a sender IP address is listed in one of the blacklists, emails from it will be refused without further notice. This saves more bandwidth than the RBL check of the antispam module, since here mails are not accepted and then handled, but dismissed as soon as a listed IP address is found.

bl.spamcop.net
This RBL is based on submissions from its users (www.spamcop.net).
zen.spamhaus.org
This list replaces sbl-xbl.spamhaus.org and contains the Spamhaus block list as well as Spamhaus’ exploits block list and its policy block list.
cbl.abuseat.org
The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.
dul.dnsbl.sorbs.net
This contains a list of Dynamic IP Address ranges (www.au.sorbs.net).
ix.dnsbl.manitu.net
A publicly available DNS blacklist which is permanently regenerated from the IP blacklist and the spam hash table of the spam filter NiX Spam.
dsn.rfc-ignorant.org
This is a list which contains domains or IP networks whose administrators choose not to obey the RFCs, the standards of the net (www.rfc-ignorant.org).

Warning

Sometimes it can happen that IP addresses have been wrongly listed by an RBL operator. If this should happen, it may negatively impact your communication to the extent that mail will be refused without the possibility to recover it. You also have no direct influence on the RBLs.

Note

Advanced users can modify the list by editing the file /var/efw/smtpscan/RBL (use /var/efw/smtpscan/default/RBL as draft).

You can create greylisting whitelists by adding entries for every recipient, IP address or network.

Whitelist recipient
You can whitelist email-addresses or whole domains in this textarea, e.g. test@endian.com or the domain endian.com (one entry per line).
Whitelist client
You can whitelist a mailserver’s address here. This means that all emails coming from this server’s address will not be checked for spam (one entry per line).

You can create black- and whitelists for the spam filter by adding entries here.

Whitelist sender
You can whitelist email-addresses or whole domains in this textarea from being detected as spam, e.g. test@endian.com or the domain endian.com (one entry per line).
Blacklist sender
You can blacklist email-addresses or whole domains in this textarea, which will then be detected as spam, e.g. test@endian.com or the domain endian.com (one entry per line).

Save the settings and restart the SMTP Proxy by clicking the Save button.

Incoming domains

If you have enabled incoming mail and would like to forward that mail to a mail server behind your Endian UTM Appliance - usually set up in the GREEN or ORANGE zone - you need to declare the domains which will be accepted by the SMTP proxy and to which of your mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind Endian UTM Appliance for different domains. It is also easily possible to use Endian UTM Appliance as a backup MX.

Domain
The domain this mailserver is responsible for.
Mailserver IP
The IP address of the mailserver.

To add a domain click the Add button. To apply the changes the SMTP proxy has to be restarted by clicking on the Save changes and restart button. Existing entries can be edited and deleted by clicking on the respective icon (as described in the legend at the bottom of the page).

Mail Routing

This option allows you to send a blind carbon copy (BCC) to a specified email address. This option will be applied to all emails that are sent to the specified recipient address or are sent from the specified sender address.

Direction
Specify whether you want to apply this copying process for a certain Sender or Recipient.
Mail address
Here you specify the mail address of the recipient or sender (depending on what you have chosen above).
BCC address
The mail address where you want to send the copy of the emails.

The mail route is saved by clicking on the Add mail route button. Existing entries can be changed or deleted by clicking on the respective icons which are explained in the legend at the bottom of the page.

Warning

Neither the sender nor the recipient will be notified of the copy. In most countries of this planet it is highly illegal to read other people’s private messages. Do not abuse this feature.

Advanced

On this page you can configure the advanced settings of the SMTP proxy. In the Smarthost section the following options can be configured:

Activate smarthost for delivery
Check this box if you want to use a smarthost to deliver emails. If checked the additional options are shown.
Smarthost address
Here you can enter the address of the smarthost.
Smarthost port
Here you can enter the port of the smarthost (default is 25).
Smarthost requires authentication
Check this box if the smarthost requires authentication. If checked the additional options are shown.
Smarthost username
This username is used for authentication.
Smarthost password
This password is used for authentication.
Choose authentication method
Here you can choose the authentication methods that are supported by your smarthost. PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 are supported.

Note

If you have a dynamic IP address because you are using an ISDN or an ADSL dialup internet connection you may have problems sending mail to other mail servers. More and more mail servers check whether your IP address is listed as a dynamic IP address and may refuse your emails on that basis. Hence it could be necessary to use a smarthost for sending emails.

Note

A smarthost is a mail server which your SMTP proxy will use as its outgoing SMTP server. The smarthost needs to accept your emails and relay them for you. Normally you can use your provider’s SMTP server as smarthost, since it will agree to relay your emails while other mail servers may not.
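The following is an added example, not Endian's own code, showing what the three simpler smarthost authentication methods named above (PLAIN, LOGIN, CRAM-MD5) actually put on the wire, and why that matters when choosing one. PLAIN and LOGIN transmit the password itself, merely base64-encoded, so they are only acceptable inside a TLS session; CRAM-MD5 answers a server challenge with an HMAC and never sends the password. DIGEST-MD5 is omitted because its exchange is considerably longer. The usernames, passwords and the challenge string are constructed sample values.

```python
"""Added example (not Endian's code): the SMTP AUTH responses for the
PLAIN, LOGIN and CRAM-MD5 mechanisms, plus the server-side check for
CRAM-MD5. Credentials and the challenge are constructed sample values.
"""
import base64
import hashlib
import hmac


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def auth_plain(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: one response, base64(authzid NUL authcid NUL password)."""
    return b64(f"{authzid}\0{username}\0{password}".encode("utf-8"))


def auth_login(username: str, password: str) -> list:
    """LOGIN: two base64 responses, one per server prompt (Username:, Password:)."""
    return [b64(username.encode("utf-8")), b64(password.encode("utf-8"))]


def auth_cram_md5(username: str, password: str, challenge_b64: str) -> str:
    """RFC 2195 CRAM-MD5: base64("username " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return b64(f"{username} {digest}".encode("ascii"))


def recover_plain(response_b64: str) -> tuple:
    """Decode a PLAIN response; this is all a non-TLS session reveals to the network."""
    authzid, authcid, password = base64.b64decode(response_b64).decode("utf-8").split("\0")
    return authzid, authcid, password


def verify_cram_md5(response_b64: str, challenge_b64: str, stored_passwords: dict) -> bool:
    """Server side of CRAM-MD5: recompute the digest from the stored password.

    The server must hold the plaintext (or MD5-context) password for each
    user, which is the main operational cost of offering this mechanism.
    """
    try:
        username, _digest = base64.b64decode(response_b64).decode("ascii").split(" ", 1)
    except ValueError:
        return False
    password = stored_passwords.get(username)
    if password is None:
        return False
    expected = auth_cram_md5(username, password, challenge_b64)
    return hmac.compare_digest(expected, response_b64)


if __name__ == "__main__":
    # Constructed sample credentials and a constructed server challenge.
    user, pw = "relayuser", "correct horse"
    challenge = b64(b"<1896.697170952@smarthost.example>")
    print("AUTH PLAIN    ", auth_plain(user, pw))
    print("AUTH LOGIN    ", auth_login(user, pw))
    print("AUTH CRAM-MD5 ", auth_cram_md5(user, pw, challenge))
    print("PLAIN decoded ", recover_plain(auth_plain(user, pw)))
```

In practice a client library such as Python's `smtplib` negotiates one of these mechanisms for you after `starttls()` and `login()`; the functions above only make visible what that negotiation sends, so that the trade-off between the methods offered in the appliance's drop-down is concrete.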

In the IMAP Server for SMTP authentication section you can configure which IMAP server should be used for authentication when sending emails. Most of all this is important for SMTP connections that are opened from the RED zone. The following settings can be configured:

Activate SMTP authentication with IMAP server
Check this box if you want to enable IMAP authentication. If checked additional options are revealed.
IMAP authentication server
Here you can enter the address of the IMAP server.
IMAP authentication port
Here you can enter the port of the IMAP server (default is 993).
Choose number of authentication daemons
This setting defines how many concurrent logins should be possible through your Endian UTM Appliance.

In the Mail server settings section additional parameters of the SMTP server can be defined. The options are:

Require SMTP HELO
If this is enabled the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.
Reject invalid hostname
Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.
SMTP HELO name
The hostname to send with the SMTP EHLO or HELO command. The default value is the IP of RED. Specify a hostname or IP address.
Always BCC address
Optionally you can enter an email address here that will receive a blind carbon copy of each message that goes through the SMTP proxy.
Choose mailtemplate language
The language in which error messages should be sent.
Recipient address verification
Check if the recipient's address is valid before sending the message.
Choose hard error limit
The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).
Choose maximal email contentsize
The maximum size a single message is allowed to have.

In the Spam prevention section additional parameters of the SMTP server can be defined. The options are:

Reject invalid recipient (non-FQDN)
Reject the request when the RCPT TO address is not in fully-qualified domain name form, as required by the RFC.
Reject invalid sender (non-FQDN)
Reject the connecting client if the hostname supplied with the HELO or EHLO command is not a fully-qualified domain name as required by the RFC.
Reject unknown recipient domain
Reject the connection if the domain of the recipient email address has no DNS A or MX record.
Reject sender from unknown domain
Reject the connection if the domain of the sender email address has no DNS A or MX record.

The settings are saved and applied by clicking on the Save button.
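To make the checks in the Mail server settings and Spam prevention sections concrete, here is an added example (not Endian's or Postfix's own code) that evaluates a client's HELO/EHLO, MAIL FROM and RCPT TO against the options described above and counts errors against the hard error limit. DNS answers come from a constructed table so it runs offline. Two assumptions: "invalid hostname" is taken to mean syntactically malformed (bad label characters), with the non-FQDN HELO check kept as a separate option as the page describes, and the "unknown domain" checks treat either an A or an MX record as sufficient, matching the option text.

```python
"""Added example (not Endian's or Postfix's code): SMTP session checks
from the Mail server settings and Spam prevention sections as a standalone
policy evaluator. DNS is answered from a constructed table.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed DNS data standing in for real A/MX lookups.
DNS = {
    "example.com": {"A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "example.org": {"MX": ["mx.example.org"]},   # MX only still counts as known
}

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_labels(name: str) -> bool:
    """Every dot-separated label is syntactically valid (letters, digits, hyphens)."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(l) for l in name.split("."))


def is_fqdn(name: str) -> bool:
    """Fully-qualified form: at least two valid labels, the last one not numeric."""
    labels = name.rstrip(".").split(".")
    return valid_labels(name) and len(labels) >= 2 and not labels[-1].isdigit()


def is_address_literal(name: str) -> bool:
    """HELO may also carry an IPv4 address literal such as [192.0.2.1]."""
    m = re.fullmatch(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", name)
    return bool(m) and all(int(o) <= 255 for o in m.group(1).split("."))


def domain_has_a_or_mx(domain: str) -> bool:
    rec = DNS.get(domain.lower().rstrip("."), {})
    return bool(rec.get("A") or rec.get("MX"))


@dataclass
class Policy:
    require_helo: bool = True
    reject_invalid_hostname: bool = True
    reject_non_fqdn_helo: bool = True
    reject_non_fqdn_recipient: bool = True
    reject_unknown_recipient_domain: bool = True
    reject_unknown_sender_domain: bool = True
    hard_error_limit: int = 20          # page default


def check_helo(p: Policy, helo: Optional[str]) -> Optional[str]:
    """Return a rejection reason, or None if the HELO/EHLO argument is acceptable."""
    if helo is None:
        return "503 send HELO/EHLO first" if p.require_helo else None
    if is_address_literal(helo):
        return None
    if p.reject_invalid_hostname and not valid_labels(helo):
        return f"501 invalid hostname: {helo}"
    if p.reject_non_fqdn_helo and not is_fqdn(helo):
        return f"504 need fully-qualified hostname: {helo}"
    return None


def check_address(p: Policy, addr: str, role: str) -> Optional[str]:
    """Apply the sender/recipient domain checks to one MAIL FROM or RCPT TO address."""
    if role == "sender" and addr == "":
        return None                      # the null sender is legal for bounces
    if "@" not in addr:
        return f"501 bad {role} address: {addr}"
    domain = addr.rsplit("@", 1)[1]
    if role == "recipient" and p.reject_non_fqdn_recipient and not is_fqdn(domain):
        return f"504 recipient domain not fully qualified: {domain}"
    if role == "recipient" and p.reject_unknown_recipient_domain and not domain_has_a_or_mx(domain):
        return f"450 recipient domain has no A or MX record: {domain}"
    if role == "sender" and p.reject_unknown_sender_domain and not domain_has_a_or_mx(domain):
        return f"450 sender domain has no A or MX record: {domain}"
    return None


@dataclass
class Session:
    """Counts client errors and disconnects once the hard error limit is exceeded."""
    policy: Policy
    errors: int = 0
    disconnected: bool = False
    log: List[str] = field(default_factory=list)

    def _record(self, reason: Optional[str]) -> Optional[str]:
        if reason is not None:
            self.errors += 1
            self.log.append(reason)
            if self.errors > self.policy.hard_error_limit:
                self.disconnected = True
        return reason

    def helo(self, name: Optional[str]) -> Optional[str]:
        return self._record(check_helo(self.policy, name))

    def mail_from(self, addr: str) -> Optional[str]:
        return self._record(check_address(self.policy, addr, "sender"))

    def rcpt_to(self, addr: str) -> Optional[str]:
        return self._record(check_address(self.policy, addr, "recipient"))
```

Each rejection is returned rather than raised so a caller can log it against the connecting client, which is also how the hard error limit becomes useful for spotting address-harvesting attempts: a client that produces many 450/504 responses without ever delivering a message is disconnected once it passes the configured count.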

Commtouch

New in version 2.3.

On this page you can configure the settings of the Commtouch anti-spam engine. The following options can be configured:

Enable spamassassin shortcircuit
Check this box if you want to skip spamassassin if commtouch marks a message as spam.
Ignore IPs/Networks
Here IPs and networks which should not be checked by commtouch can be defined.

In the SPAM tag level section the following options can be configured:

CONFIRMED
Every email with a tag level above this value will be recognized as spam (between -10 and 10).
BULK
Every email with a tag level above this value will be identified as bulk mail (between -10 and 10).
SUSPECTED
Every email with a tag level above this value is suspected to contain spam (between -10 and 10).
UNKNOWN
Emails with a tag level below this value will be classified as unknown (between -10 and 10).
NONSPAM
Emails with a tag level below this value will be recognized as non-spam mails (between -10 and 10).

The settings are saved and applied by clicking on the Save button.

DNS

Select Proxy from the menu bar at the top of the screen, then select DNS from the submenu on the left side of the screen.

In this section you can change the settings for the DNS proxy. It is divided into three subpages.

DNS proxy

On this page you can enable the transparent DNS proxy for the GREEN, ORANGE and BLUE zones (if they are active). You can also define for which source addresses the proxy will be bypassed in the lower left textarea. These sources can be IP addresses, addresses of subnets and MAC addresses (one per line). In the lower right textarea you can enter destinations for which the proxy is bypassed. In this textarea IP addresses and addresses of subnets can be entered. To save the settings you must click on the Save button.

Custom nameserver

On this page you can add custom nameservers for specific domains. You can add a new custom nameserver by clicking on the Add new custom name server for a domain link. To change an existing entry you have to click on the pencil icon in its row. Clicking on a trash can icon will delete the custom nameserver in that row. The following details can be saved for custom nameservers:

Domain
The domain for which you want to use the custom nameserver.
DNS Server
The IP address of the nameserver.
Remark
An additional comment you might want to save.

Anti-spyware

On this page you can configure how your Endian UTM Appliance should react if a domain name has to be resolved that is known to be used by spyware. The options that can be set are:

Enabled
If enabled these requests will be redirected to localhost.
Redirect requests to spyware listening post
If this is enabled the requests will be redirected to the spyware listening post instead of localhost.
Whitelist domains
Domain names that are entered here are not treated as spyware targets regardless of the list’s content.
Blacklist domains
Domain names that are entered here are always treated as spyware targets regardless of the list’s content.
Spyware domain list update schedule
Here you can specify how often the spyware domain list should be updated. Possible values are Hourly, Daily, Weekly and Monthly. By moving the mouse cursor over the respective question mark you can see when exactly the updates will be performed.

The settings are saved and applied by clicking on the Save button.
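The two decisions the DNS proxy pages above describe, whether a query is intercepted at all (the source and destination bypass lists on the DNS proxy page) and how a query for a spyware-listed name is answered (the Anti-spyware page), are shown below as an added example. It is not Endian's code. Assumptions: MAC addresses are in colon-separated form, a listed domain also covers its subdomains, the whitelist is consulted before the blacklist when a name appears in both, and the listening post address is a constructed placeholder; all IPs, MACs and domains are constructed sample data.

```python
"""Added example (not Endian's code): DNS proxy bypass matching and the
anti-spyware answer decision as standalone functions. All addresses, MACs
and domain names are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")   # assumes colon form


def parse_bypass_list(text: str) -> Tuple[list, Set[str]]:
    """Parse textarea contents: one IP address, subnet or MAC address per line."""
    nets, macs = [], set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if MAC_RE.match(line):
            macs.add(line)
        else:
            # A bare address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets, macs


def is_bypassed(src_ip: str, src_mac: Optional[str], dst_ip: str,
                src_nets: list, src_macs: Set[str], dst_nets: list) -> bool:
    """True when the query goes straight to its destination instead of the proxy."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src_mac and src_mac.lower() in src_macs:
        return True
    if any(src in n for n in src_nets):
        return True
    return any(dst in n for n in dst_nets)


@dataclass
class SpywareConfig:
    enabled: bool = True
    redirect_to_listening_post: bool = False
    listening_post: str = "192.0.2.250"          # constructed placeholder
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    domain_list: Set[str] = field(default_factory=set)   # the downloaded list


def _in_list(name: str, names: Set[str]) -> bool:
    """Match the name or any parent domain (tracker.bad.example matches bad.example)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def is_spyware_domain(cfg: SpywareConfig, name: str) -> bool:
    if _in_list(name, cfg.whitelist):    # whitelist wins regardless of the list
        return False
    if _in_list(name, cfg.blacklist):    # blacklist always counts, regardless of the list
        return True
    return _in_list(name, cfg.domain_list)


def resolve_action(cfg: SpywareConfig, name: str, upstream_answer: str) -> Tuple[str, str]:
    """('redirect', ip) for a spyware name, otherwise ('forward', upstream_answer)."""
    if cfg.enabled and is_spyware_domain(cfg, name):
        target = cfg.listening_post if cfg.redirect_to_listening_post else "127.0.0.1"
        return ("redirect", target)
    return ("forward", upstream_answer)


if __name__ == "__main__":
    src_nets, src_macs = parse_bypass_list("192.0.2.7\n10.10.0.0/16\naa:bb:cc:dd:ee:ff")
    dst_nets, _ = parse_bypass_list("198.51.100.53")
    print(is_bypassed("10.10.5.5", None, "8.8.8.8", src_nets, src_macs, dst_nets))
    cfg = SpywareConfig(domain_list={"bad.example"}, whitelist={"ok.bad.example"})
    print(resolve_action(cfg, "tracker.bad.example", "203.0.113.5"))
```

Redirecting to a listening post rather than localhost is what lets you see which internal hosts keep asking for spyware domains: the post's connection log becomes the detection signal, while answering with localhost only silences the traffic.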