In this page you find:
To improve on-line security, the Endian UTM Appliance offers several services combining their abilities with those of the proxy. The sub-menu on the left-hand side of the page grants access to their configuration pages and options, which are summarised as follows:
Each proxy service can be configured and enabled/disabled independently of the other, and will also start any other service required for its proper functioning. For example, when the SMTP proxy is configured and started, also the SMTP service will be started if it is not already running. Therefore, it is required that the SMTP service be configured before using the SMTP proxy.
The HTTP proxy employed in the Endian UTM Appliance is squid, whose primary ability is to cache web requests to speed up future requests of the same page, though it has many more functionalities that allows its seamless integration with the other services described in the remainder of this section. The HTTP proxy settings page is composed of six tabs that organise a myriad of options: Configuration, Access Policy, Authentication, Contentfilter, Antivirus, and AD join
A click on the Enable HTTP Proxy switch enables the HTTP proxy. After some seconds, necessary to start all required services, a number of controls appear in the Configuration tab, grouped into six panels: Each panel has a title, followed by a ? that shows a tooltip, and can be expanded or collapsed by clicking on the or icons located on the left of the labels.
Note
In the New Mini Arm the Cache management panel (see further on) does not appear, therefore some of the option described here will not be available .
The first setting is to select from a drop-down menu how the users in each enabled zone -GREEN, ORANGE, BLUE- can access the proxy (No drop-down menu is available for non-enabled zones):
Note
Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using the WPAD. Most browsers also support PAC, through a special URL. When using an Endian UTM Appliance as the proxy server, the URL looks like this: http://<GREENIP>/proxy.pac.
Disabling HTTP proxy per zone
To disable completely the proxy for a certain zone, the zone’s proxy must be set to transparent and the zone’s subnet (whose value can be found in Menubar ‣ Services ‣ DHCP server) must be added to the Bypass transparent proxy from SUBNET/IP/MAC field that shows up when expanding the Bypass transparent proxy panel.
Proxy settings
In the Proxy settings panel there are some global configuration options for the proxy services:
Note
Since cache management is not available in the Mini appliance, the cache admin e-mail address is not present on those appliances.
Allowed ports and ssl ports
Configuration option for the ports the clients are allowed to use when browsing:
Log settings
Configuration option to enable the logging facility and choosing what to log.
Bypass transparent proxy
In this panel some exception to the transparent proxy (see also above) can be defined, i.e., which sources (i.e., clients) and destinations (i.e., remote servers) should be ignored by the proxy, even if it is enabled in that zone.
The destinations that are not subject to the transparent proxy.
Hint
Use CIDR notation to enter subnets.
Cache management
Configuration options for the space occupied on disk by the cache and the size of the objects stored.
Note
Objects whose size does not fall within the above defined ranges will never be stored on disk, but downloaded each time they are requested by some client.
When this option is enabled (i.e., the checkbox is ticked), the proxy will never try to update cached objects from the upstream web server - clients can then browse cached, static websites even after the uplink went down.
Warning
This option proves useful to surf the Internet while the uplink is down, if the page requested has been cached before. However, this option may cause some trouble when trying to refresh a page, even with a working uplink, since the HTTP proxy would always serve the cached page. The only possibility to have a refreshed copy of a web page is in this case to clear the cache of the proxy server.
Upstream proxy
If there is another proxy server in the LAN, it can be contacted before actually requesting the original resource. This panel contains configuration options for the connection between the Endian UTM Appliance and the upstream proxy.
The accesses policies are applied to every client that is connecting through the proxy, regardless of its authentication. An access policy rule is a time-based scheme that permits or prohibits accesses depending on diverse parameters about the user (e.g., the source or destination of the traffic), and the client used or the content downloaded (e.g., the user agent, the mime types, virus scanning, and content filtering).
A list of the already defined rules is displayed on the page. Any rule can specify if the web access is blocked or allowed, and in the latter case a filter type can be activated and selected. The table carries the following information for every rule listed therein: The progressive identification number (#), the name (``), the source and destination interested, the authentication type, if required, the periods in which is active, the user agents matched, and the available actions.
To add a new access policy rule, simply click on Add Access policy: A form will open, in which to configure all the parameters:
The type of authentication to apply to the clients. It can be disabled, in which case no authentication is required, group based or user based. One or more users or groups, to which to apply the policy, can then be selected among the existent ones from the list that will show up.
Hint
Authentication is only local, hence before being able to use it, at least one user or group must be created in the Authentication tab.
Time restriction
Decide whether the rule has effect on specific days and/or a time period. By default a rule is always active, but its validity can be limited to either an interval or to some days of the week. By ticking the checkbox, the following options become available:
Select one ore more days of the week.
Hint
To select two or more days, hold the CTRL keys and click the mouse button on the name of the day.
A list of the MIME types of incoming files that should be blocked, one per line. MIME types can only be blocked (i.e., blacklisted) but not allowed (i.e., whitelisted), therefore this option is only available in Deny access policies. This option allows to block any files not corresponding to the company policy (e.g., multimedia files).
New in version 2.3: Multiple content filter profiles. Since version 2.3 of Endian UTM Appliance it is possible to create multiple Contentfilter profiles with different filter and antivirus settings. Since this release it is also possible to whitelist a domain on a per-user or per-source base, by creating an appropriate access policy rule.
The available actions allow to change priority, edit, enable/disable or delete each rule from the list of rules.
The Endian UTM Appliance‘s proxy supports four different authentication types, that are shown in the drop-down menu at the top of the page: Local Authentication (NCSA), LDAP (v2, v3, Novell eDirectory, AD), Windows Active Directory (NTLM) and RADIUS. The NCSA type stores the access credentials on the Endian UTM Appliance, whereas the other methods rely on an external server: In those cases it is mandatory to provide all the necessary information to access that server.
Underneath the drop-down menu from which to select the authentication type, two panels are present. The one above, Authentication settings contains common configuration items, while the one below changes upon the selection of the authentication type, presenting the settings that are peculiar to each method.
Authentication settings
The common items that can be configured in this panel are:
The text shown in the authentication dialog and used as the realm of kerberos or winbind when joining an Active Directory Domain. When Windows Active Directory is used for authentication, the FQDN of the PDC should be used.
Hint
If the server name is localauth and the domain name is example.org, the FQDN is localauth.example.org.
Once the common configuration form have been filled in, depending on the authentication type chosen it is possible to configure the specific settings for the authentication type selected. Local Authentication (NCSA), Windows Active Directory (NTLM), LDAP (v2, v3, Novell eDirectory, AD), RADIUS.
NCSA authentication parameters
When clicking on the manage groups button the management GUI for the groups is opened which consists of a simple list of the existing groups and their members, if any was created, and of an Add NCSA group link to add more groups. A group is created by entering a group name and selecting one or more users that should belong to that group. A user may belong to more than one group.
Warning
While the same user can be legally part of one or more groups, care must be taken that the the groups the user belongs to do not define contrasting access policies. As an example, consider a user member of two groups, one with the policy to allows access to the website www.example.org, while the second group’s policy blocks the access to that web page. In this case, it is not easy to predict whether that user will be granted or not access to the site www.example.org. The management of these issues is left to the designer of the access policies.
Windows Active Directory authentication parameters.
Requirements for the use of NTLM.
In order to be able to use Windows’ native authentication with active directory (NTLM), a few conditions must be satisfied:
Hint
The Endian UTM Appliance clock can be synchronised with the clock of the Active Directory server by issuing the following command from the shell:
net time set -S IP_OF_AD_SERVER
Changed in version 2.3.: Host and DNS proxy entries. Since version 2.3 of the Endian UTM Appliance, it is not necessary to create Host and DNS proxy entries anymore, because they will be auto-generated when the authentication settings are applied.
See also
The setup of a realm using NTLM authentication is described in this tutorial.
NTLM authentication with Windows Vista and Windows 7.
The HTTP Proxy in the Endian UTM Appliance uses negotiated NTLMv2, while both Windows Vista and Windows 7 allow by default only straight NTLMv2. As a result, a client installing those operating systems may fail to authenticate to the HTTP proxy even when supplying the correct credentials. The following changes to the client configuration are required to correctly authenticate:
- Start ‣ gpedit.msc (run as administrator)
- Go to: Computer configuration ‣ Windows Settings ‣ Security Settings ‣ Local Policies ‣ Security Options
- Find the configuration option Network Security: LAN MANAGER Authentication Level
- Select the value “Send LM * NTLM - use NTLMv2 session security if negotiated”
After applying these changes the client browser should correctly authenticate using the AD Login Name / Credentials for the HTTP Proxy.
LDAP authentication parameters.
RADIUS authentication parameters.
The Endian UTM Appliance‘s Content Filter abilities are based on the DansGuardian Open Source content filter engine, that uses three filtering techniques which can be defined per filter profile.
The first one is called PICS, a W3C Recommendation that uses metadata to rate and label webpages, with the purpose of selecting similar contents from disparate sources. In particular, one of the most used application of PICS is to help and ease parental control over web pages that are not suitable for children. The second one is based on an advanced phrase weighting system, which analyses the text of web pages and calculates a score for each page. The last method uses a huge blacklist of categorised URLs and domains: All the URLs requested by a client are looked up in this list and are only served if they are not found.
A profile is needed to be able to use the content filter. There is a Default profile available, which allows access to every web page and cannot be deleted. Additional profiles can easily be created that exploit all the three dansguardian’s filtering techniques, augmented with the possibility to define custom white- and blacklists. Profiles are needed in the definition of an Access policy , so access policies requiring specific profiles should be created only after that profile.
Note
When web filtering by phrases (Content Filtering) is active, web pages are blocked when those categories of phrases are found “inside the page”. This behaviour results in a more aggressive blocking strategy at the price of potentially incurring in a higher rate of false positive matches.
The page is divided in two parts: On the upper side scheduling options appear, to select between a hourly, daily, weekly or monthly update of the rules, along with a the Update button, that upon clicking, immediately starts the download of new rules, if available.
On the lower side, there is the list of the existing profiles with a Create a profile link above it. When clicked, the link is replaced by the Profile Editor, that is used to configure a new profile, with the list of existing profiles shifting to the bottom of the page. The following settings can be defined:
The next settings come in form of panels, that can be expanded or collapsed by clicking on the or icons to the left of their title. On the far right, a small arrow shows if the contained items are all, none, or partially allowed. Those arrows can be clicked to quickly toggle the status of all the contained items.
Content Filtering
If no phraselist has yet been downloaded, a hyperlink allows to immediately start the download from the Endian Network, or from the daemon’s home pages if the Endian UTM Appliance has not been registered.
Configure the content filter using phrase analysis. The tags used to rate a page are divided into a number of categories, expandable by clicking on the icon. Within each category, a tag can be either blocked or allowed by clicking on the arrow icon beside it.
New in version 2.5: Global toggles.
Clicking on the arrow next to the panel’s title toggles all the categories at once, while clicking on the one next to each category name blocks or allows all the included tags.
Phrase analysis requires much more computing power than other technologies (PICS and URL blacklist). To disable this filtering technique, all categories can be marked as allowed.
URL Blacklist
Like in the case of the content filtering box above, if no phraselist has yet been downloaded, a hyperlink allows to immediately start the download from the Endian Network, or from the daemon’s home pages if the Endian UTM Appliance has not been registered.
Accepted domains in Content Filter white-/blacklists
Domains can be written using wildcards with the following rules:
Examples:
More elaborated example with white- and blacklists:
Into whitelist write: google.com
Into blacklist write: **
Resulting behaviour: all the google.com subdomains are allowed and all the other domains are blocked.
Configure the content filtering using URL comparison. The tag used to rate an URL page are divided into a number of categories, expandable by clicking on the icon. Within each category, it is possible to either block or allow a tag by clicking on the arrow icon beside it.
New in version 2.5: Global toggle: Clicking on the arrow next to the panel’s title toggles all the categories at once, on the one next to each category name blocks or allows all the included tags.
Custom black- and white lists
Content filtering may cause both false positives and false negatives, hence list domains that should always be blocked or allowed can be entered here. This policy will be applied regardless of the results of the content filter’s analysis.
Changed in version 2.5: Removed the Enable logging option.
Warning
When whitelisting a domain, always make sure that all the necessary domains required for that site to work correctly be whitelisted as well. An example:
However, the maps.google.com site does not work as expected, because it tries to get data (e.g., content or scripts) from other google servers like mt0.google.com, mt1.google.com and so on. Indeed, mt*.google.com are the domains that host the pictures for the maps, which can not be reached due to the 1. rule. Therefore, for the maps.google.com site to work flawlessly, also the mt*.google.com sites have to explicitly be whitelisted.
Accepted URLs in Antivirus
URLs can be defined using wildcards with the following rules, which differ only slightly from those employed in the content filter lists:
Examples:
The next two lines are handy to whitelist the Windowsupdate domain:
This tab contains configuration options for the virus scanner engine (ClamAV or Sophos) used by the HTTP proxy.
Changed in version 2.5-armel: Removed Sophos. The Sophos Antivirus is not available for the ARM architecture, therefore it is not available on the New Mini Arm, on which HAVP uses the Clamav antivirus.
On the bottom of the page, a small box informs on the last update: The date, time, and how many signatures were downloaded. This is the same information that is shown in Menubar ‣ Services ‣ Antivirus Engine.
In this section it is possible to supply the credentials required to join the Active Directory Server, an operation that is only possible if in the Authentication tab the option Windows Active Directory (NTLM) has been selected.
This page contains configuration options for the spamassassin mail filter and how it should manage the e-mails recognised as spam.
On this page, by ticking the appropriate checkboxes, a few global configuration settings of the POP3 proxy can be enabled.
This page allows to configure how the POP3 proxy should proceed when it finds a spam e-mail.
Note
Even when an email has been marked as spam, it will be delivered to the original recipient. Indeed, not delivering it would break RFC 2821, which states that once an email is accepted, it must be delivered to the recipient.
To detect spam e-mails using pyzor (in short: spam e-mails are converted to a unique digest message that can be used to identify further analogous spam e-mails).
Warning
Activating this option might considerably slow down the POP3 proxy!
The settings can be saved by clicking on the Save Button.
Encrypted e-mails.
The Endian UTM Appliance is unable to scan the e-mails sent through a POP3 SSL connection since it is an encrypted channel.
Therefore, to allow a client to use POP3 over SSL it is necessary to appropriately configuring it and to disable the encryption from the client to the Endian UTM Appliance. Encryption should be disabled (i.e., do not use SSL), but the port for POP3 traffic in plain text changed from the default 110 to 995.
After setting this configuration, the connection from the client to the Endian UTM Appliance will remain in plain text, but it will use port 995, making the Endian UTM Appliance setup an encrypted POP3 over SSL connection from it to the POP3 server.
The FTP proxy is available only as a transparent proxy in the zones that have been enabled and allows for scanning the files downloaded via FTP to search for viruses. The Endian UTM Appliance employs frox as FTP proxy.
Note
Only connections to the standard FTP port (21) are redirected to the proxy. This means that if a client is configured to use the HTTP proxy also for the FTP protocol, settings for the FTP proxy will be bypassed.
A few options can be configured in this page:
FTP proxy and FTP client’s active and passive mode.
The Endian UTM Appliance supports transparent FTP proxying with frox if and only if it is directly connected to the Internet.
Problems may also arise when the FTP transparent proxy is enabled and there is a NAT device between the Endian UTM Appliance and the Internet. In this setup, any FTP connection to a remote FTP site will be blocked until it times out, and in the logs will appear messages like:
Mon Mar 2 11:32:02 2009 frox[18450] Connection timed out when
trying to connect to <your ftp client ip>
Mon Mar 2 11:32:02 2009 frox[18450] Failed to contact client data port
To overcome this problems, the ftp client should be configured to use passive mode (PASV) as transfer mode, and a rule under Menubar ‣ Firewall ‣ System access must be created, that allow the traffic on ports 50000 to 50999 for the NAT device. For security reasons, though, these ports should be enabled only if necessary. To understand the motivation of this setup, here is the description in more details of how active and passive modes work and how they interact with the FTP proxy.
The active mode requires that the server (in our case, the FTP proxy) initiate the data connection to the client. However, a NAT device between the clients and the proxy causes the connection from the server to never reach the client. For this reason the client must use the passive mode.
With passive mode, the ftp client is required to initiate the connection to the server (again, the FTP proxy) using a dynamic port, which has been negotiated through the control connection. The ftp proxy listens to that port, but the system access firewall needs to allow traffic to that port.
Since multiple concurrent data connections can try to access the the ftp proxy, it is necessary to allow connections for a whole port range, Therefore all the ports reserved for passive data connections (i.e., 50000-50999) need to be allowed by the system access firewall.
Changed in version 2.5-armel: Removed Commtouch since there is no Commtouch’s version for ARM platforms.
The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.
The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for the outgoing e-mails. It will also be used if an mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and the e-mails can be sent from outside the local network (incoming requests) through t hat mail server, that is, when clients are allowed to send e-mails from the RED interface.
In order to download mail from a remote mailserver to a local e-mail client, the POP3 or IMAP protocol are used. In order to protect that traffic too, enable the POP3 proxy in Menubar ‣ Proxy ‣ POP3.
Warning
Scanning of IMAP traffic is currently not supported.
With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary and in that case both the receiving user and the administrator are notified. With the possibility to scan incoming e-mails, the e-mail proxy can handle incoming connections from the RED interface and pass the e-mail to one or more internal mail servers. Hence, it is possible to run an own mail server behind the firewall without the need to define appropriate port forwarding rules.
The SMTP proxy configuration is split into five or six tabs (depending on the availability of Commtouch), each one tailored to one aspects of the SMTP proxy.
This is the main configuration page for the SMTP proxy. The SMTP proxy can be enabled by clicking on the toggle switch . When enabled, for each active zone can be chosen whether the SMTP proxy should be active, inactive, or transparent:
Additional options are available, grouped in four panels that can be expanded by clicking on the icon.
Spam settings
In this panel there is the possibility to configure the software applications used by Endian UTM Appliance to recognise and filter out spam, configuring the following options:
Enable the use of the commtouch anti-spam engine to filter the e-mails.
Note
Commtouch is not available on the ARM architecture.
There are three actions that can be carried out on e-mails that have been recognised as spam:
Changed in version 2.5: The possibility to specify a custom location in which to store spam e-mails has been removed.
Note
While most simple and well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is absolutely necessary to always train the spam filter in order to reach a personalised and stronger filter (bayes).
Virus settings
In this panel a few options can be configured to manage any virus found.
There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails that have been recognised as spam. They are the same as in the Spam settings above:
Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing viruses has been removed.
File settings
This panel contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.
There are three or four available actions (depending on the type of Endian UTM Appliance ) that can be carried out on e-mails that have blocked (They are the same as in the previous Spam settings and Virus settings boxes):
Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing blocked files has been removed.
The file extensions to be blocked.
Hint
Hold down the CTRL key and click on the left mouse button to select multiple extensions.
Enable the blocking of any file with a double extension.
Note
Files with double extensions are usually malicious files which may appear as inoffensive images or documents, but when they are clicked, an application is executed that has the purpose to harm a computer or steal personal data. A file with a double extensions is exactly like a normal file, but whose name (e.g., image.jpg) is followed by .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll (e.g., image.jpg.exe).
It is necessary to configure the e-mail domains for which each local server should be responsible. The list of combinations domain-SMTP server can be defined under Menubar ‣ Proxy ‣ SMTP ‣ Incoming domains.
Bypass transparent proxy
In the last panel custom lists of domains can be defined for which the transparent proxy should be disabled.
In this page there are four panels: Three allow the definition of several custom black- and whitelists, while the fourth allows to select and use existing RBL.
Examples for recipient/sender black- and whitelists:
Entire (sub-)domains can be white- or blacklisted as follows:
Examples for client black- and whitelists:
Accepted mail (Black- & Whitelists)
In the first panel any number of domains, sub-domains, or single e-mail addresses to be white- or blacklisted can be entered. For both of the lists any number of senders, recipients, and clients can be entered in the appropriate textareas, as follows:
Realtime Blacklist (RBL)
An often used method to block spam e-mails are so called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose to identify as quickly as possible new SMTP server used to send spam and block them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from it will be rejected without further notice. The use of RBL saves bandwidth, since the mails will not be accepted and then handled like legitimate e-mails, but rather dismissed as soon as the sender’s IP address or domain is found in any blacklist. The Endian UTM Appliance uses many different RBL, which are divided into IP-based and domain-based. The blacklist that belong on each category are shown by clicking on the small icon, and can be enabled or disabled by clicking on the red or green arrow on top of the list, or individually. The homepage of the various organisations that compile the lists is reachable by clicking on the list’s name. Among the blacklist installed, there are:
This is a list which contains domains or IP networks whose administrators choose not to obey to the RFCs, the standards of the net.
Note
The rfc-ignorant.org site has been shutdown its service on the 30th of November 2012 (see the announcement), but its content has been inherited by people at http://www.rfc-ignorant.de/. Their work, however, does not seem to have yet produced working RBLs as of today (June 2013).
Warning
Sometimes it can happen that IP addresses or domains have been wrongly listed by an RBL operator. If this should happen, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without the possibility to recover it. Since there is no possibility to directly influence the RBLs, it is necessary to take into account the policies applied from the organisations that manage the RBLs before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.
Note
Advanced users can modify the list from the CLI, editing the /var/efw/smtpscan/settings file, and modify the RBL variable.
Changed in version 2.5: In previous version, the file to modify was /var/efw/smtpscan/RBL, with the file /var/efw/smtpscan/default/RBL to be used as draft).
Spam greylisting
In the third panel, greylisting whitelists can be created by adding entries for every recipient, IP address or network in the two textareas. To the items in the whitelist will not be applied any greylisting
Greylisting
Greylisting is a method used by a MTA to verify whether an e-mail is legitimate by rejecting it a first time and waiting for a second dispatch of the same e-mail. If the e-mail is not received anymore the sender is considered as a spam source. The idea behind greylisting is that any mass spam bot will not try to resend any rejected e-mail, so only valid e-mails would be resent.
Spam (Black- & Whitelists)
Finally, in the last panel, explicit black- and whitelists for the spam filter are defined.
When incoming mail has been enabled (i.e., clients outside the RED interface can send e-mails from a local SMTP server) and e-mails to be sent should be forwarded to an mail server behind the Endian UTM Appliance - usually set up in the ORANGE zone - it is necessary to declare the domains to be accepted by the SMTP proxy and to which of the e-mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind the Endian UTM Appliance for different domains.
The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click on the Add a domain button: A simple form will open, in which the combination domain-mailserver can be created.
The new entry will be shown at the bottom of the list.
This option allows to send a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list show the direction, the address and the BCC address, if any. To add a new mail route, click on the Add a Mail Route button. In the form that opens these options can be configured:
Warning
Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries it is highly illegal to read other people’s private messages, so please do not misuse nor abuse of this feature.
In the last page of the SMTP proxy configuration there are advanced settings options available, grouped in four panels, that can be shown or hidden by clicking on the or icons on the left of the panel title.
Smarthost configuration
In the first panel a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or an ADSL dialup Internet connection, there can be some troubles sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL (see Black- & Whitelists above) and therefore the remote mailserver might refuse the e-mails. Hence, it becomes necessary to use a smarthost for sending e-mails.
Note
In a few words, a smarthost is a mailserver used by the SMTP proxy as the outgoing SMTP server. The smarthost needs to accept the e-mails and relays them. Normally, the provider’s own SMTP server is used as the smarthost, since it will accept to relay the e-mails, while other mailservers would not.
IMAP Server for SMTP authentication
This panel contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:
Mail server settings
In this panel, additional parameters of the SMTP server can be defined.
HELO/EHLO and hostname
Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the Endian UTM Appliance uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.
If that is the case, another custom hostname can be configured under Menubar ‣ Proxy ‣ SMTP ‣ Advanced ‣ Mail server settings ‣ SMTP Helo Name, that can be understood by the remote mail server.
Instead of a custom hostname, even a numeric IP address within brackets (e.g., [192.192.192.192]) can be supplied, which should be the REDIP address.
Spam prevention
Finally, in this last panel additional parameters for the spam filter can be defined, by ticking one or more of the four checkboxes.
Troubleshooting STMP proxy.
When the message “Mail for xxx loops back to myself” appears in the log file, it is indicative of a misconfiguration in the custom SMTP HELO name on the appliance, that is the same as the hostname of the internal mailserver to which the incoming e-mail should be forwarded.
In that case the SMTP connection received from the internal mailserver will contain an hostname (the one in the HELO line from the SMTP Proxy setting), that is the same as the hostname of the internal mailserver, hence the internal mailserver believes to send and receive the same e-mail, producing the error message.
Possible solutions are:
- Change the hostname of the internal mailserver.
- Create a new publicly valid A Record within the DNS zone which also points to the Endian UTM Appliance and use this hostname as the HELO line within the SMTP Proxy.
- Use the numeric IP Address of the uplink as the HELO line.
See also
A step by step guide to set up a basic e-mail proxy can be found here.
Changed in version 2.5-Arm: Removed as it is not available on the ARM architecture
This page includes configuration settings for the anti-spam engine. The following options can be configured:
In the SPAM tag level section the following options can be configured. The valid values for each option are between -10 and 10 included.
The DNS proxy is a proxy server that intercepts DNS queries and answers them, without the need to contact a remote DNS server each time it is necessary to resolve an IP address or a hostname. When a same query is often repeated, caching its results locally may sensibly improve performances. The available settings for the DNS proxy are grouped into three tabs.
A few options forthe DNS proxy can be configured in this page.
Specific sources and destinations can be set up to bypass the proxy by filling in their values in the two textareas. In the textarea on the left-hand side, sources can be specified as IP addresses, networks, or MAC addresses, whereas in the textarea on the right-hand side, the destinations can be specified as IP addresses or networks.
Changed in version 2.5: Renamed from ‘Custom Nameserver’
On this page there is a list of custom nameservers that should be used for a given domain, to which new combinations nameserver/domain can be added by clicking on the Add new custom nameserver for a domain link. When adding an entry, a few values can be entered for the various options available:
Changed in version 2.5-20130102: the DNS blacklist
This page presents configuration options about the reaction of the Endian UTM Appliance when asked to resolve a domain name that is known to be used to propagate spyware. The options that can be set are:
Note
Older version of the anti-spyware module used a different engine to block DNS requests, therefore another option was available:
Enter search terms or a module, class or function name.