The Proxy Menu

To improve on-line security, the Endian UTM Appliance offers several services that combine their abilities with those of the proxy. The sub-menu on the left-hand side of the page grants access to their configuration pages and options, which are summarised as follows:

  • HTTP - the web proxy: access policies, authentication, content filter, and antivirus
  • POP3 - the proxy for retrieving mail: spam filter and antivirus
  • FTP - files downloaded via FTP: anti-virus
  • SMTP - the proxy for sending or retrieving mail: spam filter and antivirus
  • DNS - the caching DNS: anti-spyware

Each proxy service can be configured and enabled/disabled independently of the others, and will also start any other service required for its proper functioning. For example, when the SMTP proxy is configured and started, the SMTP service is also started if it is not already running. Therefore, the SMTP service must be configured before using the SMTP proxy.

HTTP

The HTTP proxy employed in the Endian UTM Appliance is squid, whose primary ability is to cache web requests to speed up future requests of the same page, though it has many more functionalities that allow its seamless integration with the other services described in the remainder of this section. The HTTP proxy settings page is composed of six tabs that organise a myriad of options: Configuration, Access Policy, Authentication, Contentfilter, Antivirus, and AD join.

Configuration

A click on the Enable HTTP Proxy switch enables the HTTP proxy. After some seconds, necessary to start all required services, a number of controls appear in the Configuration tab, grouped into six panels. Each panel has a title, followed by a ? that shows a tooltip, and can be expanded or collapsed by clicking on the expand or collapse icons located on the left of the labels.

Note

In the New Mini Arm the Cache management panel (see further on) does not appear, therefore some of the options described here will not be available.

The first setting is to select from a drop-down menu how the users in each enabled zone (GREEN, ORANGE, BLUE) can access the proxy (no drop-down menu is available for non-enabled zones):

not transparent
The proxy server is available to anyone with no need to log in, but the clients need to configure their browser manually or tell the browser to search for a proxy (i.e., using either PAC or the WPAD protocol to set up the browser’s proxy settings).
transparent
The proxy server is available to anyone and no browser configuration is needed: All the HTTP traffic is intercepted and forwarded to the proxy server, which retrieves the requested web pages and serves them to the clients.

Note

Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using WPAD. Most browsers also support PAC, through a special URL. When using an Endian UTM Appliance as the proxy server, the URL looks like this: http://<GREENIP>/proxy.pac.

Disabling HTTP proxy per zone

To completely disable the proxy for a certain zone, the zone’s proxy must be set to transparent and the zone’s subnet (whose value can be found in Menubar ‣ Services ‣ DHCP server) must be added to the Bypass transparent proxy from SUBNET/IP/MAC field that shows up when expanding the Bypass transparent proxy panel.

Proxy settings

In the Proxy settings panel there are some global configuration options for the proxy services:

Port used by proxy
The TCP port on which the proxy server is listening for connections, which defaults to 8080.
Error Language
The language in which error messages are displayed, which defaults to the one chosen in Menubar ‣ System ‣ GUI settings.
Visible Hostname used by proxy
The hostname assumed by the proxy server, also reported at the bottom of error messages.
Email used for notification (cache admin)
The email address shown by the proxy server in error messages.
Maximum download size (incoming in KB)
The limit for HTTP file downloads. 0 means unlimited.
Maximum upload size (outgoing in KB)
The limit for HTTP file uploads (e.g., those used by HTML forms with file uploads). 0 means unlimited.

Note

Since cache management is not available in the Mini appliance, the cache admin e-mail address is not present on those appliances.

Allowed ports and ssl ports

Configuration option for the ports the clients are allowed to use when browsing:

Allowed Ports (from client)
The TCP destination ports to which the proxy server will accept connections when using HTTP. One port or port range per line is accepted; comments are allowed and start with a #, ending at the end of the line.
Allowed SSL Ports (from client)
The TCP destination ports to which the proxy server will accept connections when using HTTPS. One port or port range per line is accepted; comments are allowed and start with a #, ending at the end of the line.

Log settings

Configuration options to enable the logging facility and choose what to log.

HTTP proxy logging
Log all the URLs being accessed through the proxy. It is a master switch, hence the following four options are enabled and can be configured only if logging is enabled, which it is not by default (recall that the more is logged, the more space on the Endian UTM Appliance‘s hard disk is needed).
Query term logging
Log the parameters in the URL (such as ?id=123)
Useragent logging
Log the user agent sent by each browser.
Contentfilter logging
Log when the content of web pages is filtered.
Firewall logging (transparent proxies only)
Let the firewall log the outgoing web accesses, i.e., those directed through the RED interface to the Internet. This option only works for transparent proxies.

Bypass transparent proxy

In this panel some exceptions to the transparent proxy (see also above) can be defined, i.e., which sources (clients) and destinations (remote servers) should be ignored by the proxy, even if it is enabled in that zone.

Bypass transparent proxy from SUBNET/IP/MAC
The sources that should not be subject to the transparent proxy.
Bypass transparent proxy to SUBNET/IP
The destinations that are not subject to the transparent proxy.

Hint

Use CIDR notation to enter subnets.
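As an added example (not code from the Endian documentation), the function below evaluates the two bypass lists for a single flow: sources may be given as a CIDR subnet, a single IP or a MAC address, destinations as a subnet or IP. The list contents are constructed samples; the rule that a source match or a destination match each suffice on their own to skip interception is this example's reading of the panel description.

```python
import ipaddress
import re

# Constructed sample of "Bypass transparent proxy from SUBNET/IP/MAC":
# a CIDR subnet, a single host and a MAC address, one entry per line.
BYPASS_FROM_TEXT = """\
192.168.0.0/24        # a whole zone subnet (disables the proxy for that zone)
10.0.1.25             # one specific host
00:11:22:33:44:55     # one device, whatever IP address it gets
"""

# Constructed sample of "Bypass transparent proxy to SUBNET/IP" (destinations).
BYPASS_TO_TEXT = """\
203.0.113.0/24        # documentation range, standing in for a server to reach directly
"""

_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_bypass_list(text, allow_mac):
    """Return (list of ip_network objects, set of lowercase MAC strings).

    Destination lists take no MAC addresses, so allow_mac=False rejects them.
    """
    networks, macs = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if _MAC.match(entry):
            if not allow_mac:
                raise ValueError(f"line {lineno}: MAC addresses are not accepted here")
            macs.add(entry.lower())
            continue
        # strict=False turns a bare host address such as 10.0.1.25 into a /32.
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks, macs


def _in_any(networks, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def bypasses_transparent_proxy(src_ip, src_mac, dst_ip):
    """True if this flow is excluded from interception in a transparent zone."""
    from_nets, from_macs = parse_bypass_list(BYPASS_FROM_TEXT, allow_mac=True)
    to_nets, _ = parse_bypass_list(BYPASS_TO_TEXT, allow_mac=False)
    if _in_any(from_nets, src_ip) or (src_mac or "").lower() in from_macs:
        return True
    return _in_any(to_nets, dst_ip)


if __name__ == "__main__":
    for src, mac, dst in (("192.168.0.7", None, "198.51.100.9"),
                          ("10.0.1.26", None, "198.51.100.9"),
                          ("10.0.1.26", "00:11:22:33:44:55", "198.51.100.9"),
                          ("10.0.1.26", None, "203.0.113.10")):
        print(src, mac, "->", dst, "bypassed" if bypasses_transparent_proxy(src, mac, dst) else "proxied")
```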

Cache management

Configuration options for the space occupied on disk by the cache and the size of the objects stored.

Cache size on harddisk (MB)
The amount in megabytes that the proxy should allocate for caching web sites on the harddisk.
Cache size within memory (MB)
The amount in megabytes of memory that the proxy should allocate for caching web sites in the system memory.
Maximum object size (KB)
The upper size limit in kilobytes of a single object that should be cached.
Minimum object size (KB)
The lower size limit in kilobytes of a single object that should be cached.

Note

Objects whose size does not fall within the above defined ranges will never be stored on disk, but downloaded each time they are requested by some client.

Enable offline mode

When this option is enabled (i.e., the checkbox is ticked), the proxy will never try to update cached objects from the upstream web server - clients can then browse cached, static websites even after the uplink went down.

Warning

This option proves useful to surf the Internet while the uplink is down, if the page requested has been cached before. However, this option may cause some trouble when trying to refresh a page, even with a working uplink, since the HTTP proxy would always serve the cached page. The only possibility to have a refreshed copy of a web page is in this case to clear the cache of the proxy server.

Clear cache
When this button is clicked, the cache of the proxy is erased.
Do not cache these destinations
The domains whose resources should never be cached.

Upstream proxy

If there is another proxy server in the LAN, it can be contacted before actually requesting the original resource. This panel contains configuration options for the connection between the Endian UTM Appliance and the upstream proxy.

Upstream proxy
Tick this checkbox to enable an upstream proxy and show more options. When enabled, before retrieving a remote web page that is not already in its cache, the Endian UTM Appliance‘s proxy contacts the upstream proxy to ask for that page.
Upstream server
The hostname or IP address of the upstream server.
Upstream port
The port on which the proxy is listening on the upstream server.
Upstream username / password
If authentication for the upstream proxy is required, specify the credentials here.
Client username forwarding
Tick the checkbox to forward the username to the upstream proxy.
Client IP forwarding
Tick the checkbox to forward the client IP address to the upstream proxy.

Access policy

The access policies are applied to every client that is connecting through the proxy, regardless of its authentication. An access policy rule is a time-based scheme that permits or prohibits accesses depending on diverse parameters about the user (e.g., the source or destination of the traffic), the client used or the content downloaded (e.g., the user agent, the MIME types, virus scanning, and content filtering).

A list of the already defined rules is displayed on the page. Any rule can specify whether the web access is blocked or allowed, and in the latter case a filter type can be activated and selected. The table carries the following information for every rule listed therein: The progressive identification number (#), the name, the source and destination involved, the authentication type, if required, the periods in which it is active, the user agents matched, and the available actions.

To add a new access policy rule, simply click on Add Access policy: A form will open, in which to configure all the parameters:

Source Type
The sources of the traffic to which this rule applies. It can be <ANY>, a zone, a list of networks, IP addresses or MAC addresses.
Destination Type
The destinations of the traffic to which this rule will be applied. This can be either <ANY>, a zone, or a list of networks, IP addresses, or domains.
Authentication
The type of authentication to apply to the clients. It can be disabled, in which case no authentication is required, group based or user based. One or more users or groups, to which to apply the policy, can then be selected among the existing ones from the list that will show up.

Hint

Authentication is only local, hence before being able to use it, at least one user or group must be created in the Authentication tab.

Time restriction

Decide whether the rule has effect on specific days and/or a time period. By default a rule is always active, but its validity can be limited to either an interval or to some days of the week. By ticking the checkbox, the following options become available:
Active days
Select one or more days of the week.

Hint

To select two or more days, hold the CTRL key and click the mouse button on the name of the day.

Start hour, Stop hour, Start minute, Stop minute
To fine-tune the interval of the day during which the access policy is active, select the start and end times from the drop-down menus.
Useragents
The allowed clients and browsers, as identified by their user agent, i.e., their identification string.
Mimetypes
A list of the MIME types of incoming files that should be blocked, one per line. MIME types can only be blocked (i.e., blacklisted) but not allowed (i.e., whitelisted), therefore this option is only available in Deny access policies. This option allows blocking any file type that does not comply with the company policy (e.g., multimedia files).

Note

The list of the available MIME types can be found in the /etc/mime.types file on any Linux box, on the official IANA web page, and also in RFC 2045 and RFC 2046.

Access policy
Select whether the rule should allow or deny the web access from the drop-down menu. If set to Deny, the Mimetypes option above is activated.
Filter profile
This drop-down menu, available when the Access policy has been set to Allow access, allows selecting the type of check the rule should perform. Available options are: none for no check and virus detection only to scan only for viruses. Moreover, if any content filter profile has been created (see below), it can be applied to the rule.
Policy status
Whether the rule is enabled or disabled. Disabled rules will not be applied, the default is to enable the rule.
Position
The place where the new rule should be inserted: Lower positions have higher priority.
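The rule form above describes a first-match policy engine; the following added example (not the appliance's own code, which runs inside squid) puts the fields together into a small evaluator so that the interplay of position, time restriction, authentication and the Deny-only MIME type list can be tested against sample requests. The rule set, zone names, users and timestamps are constructed. Two points are this example's assumptions rather than documented behaviour: a Deny rule with a MIME type list only fires for responses of those types, and a request matching no rule falls to a default Deny.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

ANY = "<ANY>"
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday() order


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    source: object = ANY                          # ANY, a zone name, or a list of CIDRs/IPs
    destination: object = ANY                     # ANY or a list of domains
    auth: str = "disabled"                        # "disabled", "group" or "user"
    principals: List[str] = field(default_factory=list)   # user or group names
    days: Optional[set] = None                    # None = every day
    start: Optional[tuple] = None                 # (hour, minute), inclusive
    stop: Optional[tuple] = None                  # (hour, minute), inclusive
    useragents: Optional[List[str]] = None        # substrings of the UA; None = any client
    mimetypes: Optional[List[str]] = None         # Deny rules only
    filter_profile: str = "none"                  # Allow rules only
    enabled: bool = True


@dataclass
class Request:
    src_ip: str
    src_zone: str
    dst_host: str
    when: datetime
    user: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    user_agent: str = ""
    mime_type: str = ""


def _src_matches(rule, req):
    if rule.source == ANY:
        return True
    if isinstance(rule.source, str):              # a zone name
        return rule.source == req.src_zone
    addr = ipaddress.ip_address(req.src_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in rule.source)


def _dst_matches(rule, req):
    if rule.destination == ANY:
        return True
    host = req.dst_host.lower()
    return any(host == d or host.endswith("." + d) for d in rule.destination)


def _auth_matches(rule, req):
    if rule.auth == "disabled":
        return True
    if rule.auth == "user":
        return req.user in rule.principals
    return any(g in rule.principals for g in req.groups)


def _time_matches(rule, req):
    if rule.days is not None and DAYS[req.when.weekday()] not in rule.days:
        return False
    if rule.start is not None and rule.stop is not None:
        return rule.start <= (req.when.hour, req.when.minute) <= rule.stop
    return True


def _client_matches(rule, req):
    if rule.useragents is not None and not any(
            ua.lower() in req.user_agent.lower() for ua in rule.useragents):
        return False
    if rule.action == "deny" and rule.mimetypes:   # assumption: list narrows the Deny
        return req.mime_type.lower() in {m.lower() for m in rule.mimetypes}
    return True


def evaluate(rules, req, default=("deny", "none")):
    """Return (action, filter_profile) of the first enabled matching rule.

    List order is the Position column: a lower position is checked first.
    """
    checks = (_src_matches, _dst_matches, _auth_matches, _time_matches, _client_matches)
    for rule in rules:
        if rule.enabled and all(check(rule, req) for check in checks):
            return rule.action, (rule.filter_profile if rule.action == "allow" else "none")
    return default                                  # assumption: no match means deny


# Constructed rule set, listed in position order.
RULES = [
    Rule("no-media", "deny", source="GREEN", mimetypes=["video/mp4", "audio/mpeg"]),
    Rule("staff-office-hours", "allow", source="GREEN", auth="group", principals=["staff"],
         days={"mon", "tue", "wed", "thu", "fri"}, start=(8, 0), stop=(18, 0),
         filter_profile="Default"),
    Rule("guests-blue", "allow", source=["192.168.2.0/24"], destination=["example.org"],
         filter_profile="strict"),
]
```

Because the MIME type rule sits at position 1, a staff member fetching an MP4 during office hours is denied before the office-hours Allow is even considered; the same user outside office hours matches nothing and gets the default. The guest rule shows the domain match including sub-domains of example.org.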

New in version 2.3: Multiple content filter profiles. Since version 2.3 of Endian UTM Appliance it is possible to create multiple Contentfilter profiles with different filter and antivirus settings. Since this release it is also possible to whitelist a domain on a per-user or per-source basis, by creating an appropriate access policy rule.

The available actions allow changing the priority, editing, enabling/disabling or deleting each rule in the list of rules.

Authentication

The Endian UTM Appliance‘s proxy supports four different authentication types, that are shown in the drop-down menu at the top of the page: Local Authentication (NCSA), LDAP (v2, v3, Novell eDirectory, AD), Windows Active Directory (NTLM) and RADIUS. The NCSA type stores the access credentials on the Endian UTM Appliance, whereas the other methods rely on an external server: In those cases it is mandatory to provide all the necessary information to access that server.

Underneath the drop-down menu from which to select the authentication type, two panels are present. The one above, Authentication settings, contains common configuration items, while the one below changes upon the selection of the authentication type, presenting the settings that are peculiar to each method.

Authentication settings

The common items that can be configured in this panel are:

Authentication realm
The text shown in the authentication dialog and used as the realm of Kerberos or winbind when joining an Active Directory Domain. When Windows Active Directory is used for authentication, the FQDN of the PDC should be used.

Hint

If the server name is localauth and the domain name is example.org, the FQDN is localauth.example.org.

Number of Authentication Children
The maximum number of authentication processes that can run simultaneously.
Authentication cache TTL (in minutes)
The time in minutes during which the authentication data should be cached, before being deleted.
Number of different IPs per user
The maximum number of IP addresses from which a user can connect to the proxy simultaneously.
User / IP cache TTL (in minutes)
The time in minutes an IP address is associated with the logged in user.

Once the common configuration form has been filled in, the settings specific to the chosen authentication type can be configured: Local Authentication (NCSA), Windows Active Directory (NTLM), LDAP (v2, v3, Novell eDirectory, AD), or RADIUS.

NCSA authentication parameters

NCSA user management
When clicking on the manage users button the management GUI for the users is opened, which consists of a simple list of the existing users, if any was created, and of an Add NCSA user link to add more users. A user is added by entering username and password in the form, and can later be either edited or deleted.
NCSA group management
When clicking on the manage groups button the management GUI for the groups is opened, which consists of a simple list of the existing groups and their members, if any were created, and of an Add NCSA group link to add more groups. A group is created by entering a group name and selecting one or more users that should belong to that group. A user may belong to more than one group.

Warning

While the same user can legitimately be part of one or more groups, care must be taken that the groups the user belongs to do not define contrasting access policies. As an example, consider a user who is a member of two groups, one with a policy that allows access to the website www.example.org, while the second group’s policy blocks access to that web page. In this case, it is not easy to predict whether that user will be granted access to the site www.example.org or not. The management of these issues is left to the designer of the access policies.
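Since the outcome of contrasting group policies is not predictable, the practical answer is to find such overlaps before they reach the proxy. The audit below is an added example, not part of the Endian documentation: given constructed group memberships and per-group site policies, it reports every user whose groups disagree about a site, so the policy designer can resolve the conflict explicitly.

```python
from collections import defaultdict

# Constructed sample: per-group access decisions for a few sites, and the
# NCSA group memberships of three users (alice belongs to two groups).
GROUP_POLICIES = {
    "marketing": {"www.example.org": "allow", "video.example.com": "deny"},
    "interns":   {"www.example.org": "deny",  "video.example.com": "deny"},
    "it":        {"www.example.org": "allow"},
}
USER_GROUPS = {
    "alice": ["marketing", "interns"],
    "bob":   ["it"],
    "carol": ["marketing", "it"],
}


def conflicting_policies(user_groups, group_policies):
    """Return {user: {site: {action: [groups]}}} for every site on which the
    user's groups give different answers. Users without conflicts are omitted."""
    report = {}
    for user, groups in user_groups.items():
        by_site = defaultdict(lambda: defaultdict(list))
        for group in groups:
            for site, action in group_policies.get(group, {}).items():
                by_site[site][action].append(group)
        conflicts = {site: {action: sorted(gs) for action, gs in actions.items()}
                     for site, actions in by_site.items() if len(actions) > 1}
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for user, conflicts in conflicting_policies(USER_GROUPS, GROUP_POLICIES).items():
        for site, actions in conflicts.items():
            print(f"{user}: {site} -> {dict(actions)}")
```

Only alice is reported: marketing allows www.example.org while interns denies it. carol's two groups agree on every site they both mention, and a site mentioned by only one of a user's groups is not a conflict.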

Min password length
The minimum length for the local user’s password.

Windows Active Directory authentication parameters.

Domainname of AD server
The active directory domain to join. The server’s FQDN should be used.
Join AD Domain
Click on the join domain button to join the domain. This action should be done only after the authentication settings have been saved and applied.
PDC hostname of AD server, PDC IP address of AD server
The hostname and the IP address of the PDC. Both hostname and IP address are needed to create the DNS entry.
BDC hostname of AD server and BDC IP address of AD server
The hostname and the IP address of the BDC, if any. Both hostname and IP address are needed to create the DNS entry.

Requirements for the use of NTLM.

In order to be able to use Windows’ native authentication with active directory (NTLM), a few conditions must be satisfied:

  • The authentication settings need to be saved and applied before trying to join the domain.
  • The Endian UTM Appliance must join the domain.
  • The system clocks on the Endian UTM Appliance and on the active directory server must be synchronised.
  • The authentication realm must be a FQDN.
  • The PDC hostname has to be set to the NetBIOS name of the Active Directory server.

Hint

The Endian UTM Appliance clock can be synchronised with the clock of the Active Directory server by issuing the following command from the shell:

net time set -S IP_OF_AD_SERVER

Changed in version 2.3: Host and DNS proxy entries. Since version 2.3 of the Endian UTM Appliance, it is not necessary to create Host and DNS proxy entries anymore, because they will be auto-generated when the authentication settings are applied.

See also

The setup of a realm using NTLM authentication is described in this tutorial.

NTLM authentication with Windows Vista and Windows 7.

The HTTP Proxy in the Endian UTM Appliance uses negotiated NTLMv2, while both Windows Vista and Windows 7 allow by default only straight NTLMv2. As a result, a client running those operating systems may fail to authenticate to the HTTP proxy even when supplying the correct credentials. The following changes to the client configuration are required to correctly authenticate:

  1. Start ‣ gpedit.msc (run as administrator)
  2. Go to: Computer configuration ‣ Windows Settings ‣ Security Settings ‣ Local Policies ‣ Security Options
  3. Find the configuration option Network Security: LAN MANAGER Authentication Level
  4. Select the value “Send LM & NTLM - use NTLMv2 session security if negotiated”

After applying these changes the client browser should correctly authenticate using the AD Login Name / Credentials for the HTTP Proxy.

LDAP authentication parameters.

LDAP server
The IP address or FQDN of the LDAP server.
Port of LDAP server
The port on which the server is listening. The default value is 389.
Bind DN settings
The base distinguished name, i.e., the starting point of the search.
LDAP type
This drop-down menu allows the choice of the type of the authentication server among Active Directory, Novell eDirectory, LDAP version 2, or LDAP version 3.
Bind DN username
The fully distinguished name of a bind DN user, which must have the permission to read user attributes.
Bind DN password
The password of the bind DN user.
user objectClass
The objectClass that the bind DN user must belong to.
group objectClass
The objectClass that the bind DN group must belong to.

RADIUS authentication parameters.

RADIUS server
The IP address or URL of the RADIUS server.
Port of RADIUS server
The port on which the RADIUS server is listening.
Identifier
An additional identifier.
Shared secret
The password to be used.

Content filter

The Endian UTM Appliance‘s Content Filter abilities are based on the DansGuardian Open Source content filter engine, that uses three filtering techniques which can be defined per filter profile.

The first one is called PICS, a W3C Recommendation that uses metadata to rate and label web pages, with the purpose of selecting similar contents from disparate sources. In particular, one of the most common applications of PICS is to help and ease parental control over web pages that are not suitable for children. The second one is based on an advanced phrase weighting system, which analyses the text of web pages and calculates a score for each page. The last method uses a huge blacklist of categorised URLs and domains: All the URLs requested by a client are looked up in this list and are only served if they are not found.

A profile is needed to be able to use the content filter. There is a Default profile available, which allows access to every web page and cannot be deleted. Additional profiles can easily be created that exploit all three of DansGuardian’s filtering techniques, augmented with the possibility to define custom white- and blacklists. Profiles are needed in the definition of an Access policy, so access policies requiring specific profiles should be created only after that profile exists.

Note

When web filtering by phrases (Content Filtering) is active, web pages are blocked when those categories of phrases are found “inside the page”. This behaviour results in a more aggressive blocking strategy at the price of potentially incurring a higher rate of false positive matches.

The page is divided in two parts: On the upper side scheduling options appear, to select between an hourly, daily, weekly or monthly update of the rules, along with the Update button, which upon clicking immediately starts the download of new rules, if available.

On the lower side, there is the list of the existing profiles with a Create a profile link above it. When clicked, the link is replaced by the Profile Editor, that is used to configure a new profile, with the list of existing profiles shifting to the bottom of the page. The following settings can be defined:

Profile name
The name given to the profile.
Activate antivirus scan
Enable both the content filter (DansGuardian) and the HAVP.
Platform for Internet Content Selection
Enable parental control based on PICS metadata.
Max. score for phrases
Specify the maximum PICS score of a trustworthy page within the range 50-300. The smaller the value, the fewer pages are shown, i.e., a page has a low score if its view is suitable for everyone. Suggested values are around 50 for children, around 100 for teenagers, and around 160 for young adults.

The next settings come in form of panels, that can be expanded or collapsed by clicking on the expand or collapse icons to the left of their title. On the far right, a small arrow shows if the contained items are all, none, or partially allowed. Those arrows can be clicked to quickly toggle the status of all the contained items.

Content Filtering

If no phraselist has yet been downloaded, a hyperlink allows to immediately start the download from the Endian Network, or from the daemon’s home pages if the Endian UTM Appliance has not been registered.

Configure the content filter using phrase analysis. The tags used to rate a page are divided into a number of categories, expandable by clicking on the expand icon. Within each category, a tag can be either blocked or allowed by clicking on the arrow icon beside it.

New in version 2.5: Global toggles.

Clicking on the arrow next to the panel’s title toggles all the categories at once, while clicking on the one next to each category name blocks or allows all the included tags.

Phrase analysis requires much more computing power than other technologies (PICS and URL blacklist). To disable this filtering technique, all categories can be marked as allowed.

URL Blacklist

Like in the case of the content filtering box above, if no phraselist has yet been downloaded, a hyperlink allows to immediately start the download from the Endian Network, or from the daemon’s home pages if the Endian UTM Appliance has not been registered.

Configure the content filtering using URL comparison. The tags used to rate a URL are divided into a number of categories, expandable by clicking on the expand icon. Within each category, it is possible to either block or allow a tag by clicking on the arrow icon beside it.

New in version 2.5: Global toggle: Clicking on the arrow next to the panel’s title toggles all the categories at once, while clicking on the one next to each category name blocks or allows all the included tags.

Custom black- and white lists

Content filtering may cause both false positives and false negatives, hence lists of domains that should always be blocked or allowed can be entered here. This policy will be applied regardless of the results of the content filter’s analysis.

Changed in version 2.5: Removed the Enable logging option.

Warning

When whitelisting a domain, always make sure that all the domains required for that site to work correctly are whitelisted as well. An example:

  1. google.com is blocked, which means all sub-domains of google.com are blocked as well
  2. maps.google.com is whitelisted and can be accessed

However, the maps.google.com site does not work as expected, because it tries to get data (e.g., content or scripts) from other google servers like mt0.google.com, mt1.google.com and so on. Indeed, mt*.google.com are the domains that host the pictures for the maps, which cannot be reached because of rule 1. Therefore, for the maps.google.com site to work flawlessly, the mt*.google.com sites also have to be explicitly whitelisted.
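The example above can be checked mechanically. The code below is an added example, not DansGuardian's or Endian's own code: it applies the sub-domain semantics described (a listed domain covers all of its sub-domains) and, for a whitelisted page, reports which of the hosts the page depends on would still be blocked. The list of hosts that maps.google.com fetches from is constructed for the illustration, and the precedence "whitelist wins over blacklist" is this example's reading of the warning, since that is what lets maps.google.com through while google.com is blacklisted.

```python
# Constructed custom lists matching the example above.
BLACKLIST = ["google.com"]
WHITELIST = ["maps.google.com"]

# Constructed list of hosts that maps.google.com loads resources from.
MAPS_DEPENDENCIES = ["mt0.google.com", "mt1.google.com", "maps.google.com", "cdn.example.net"]


def _matches(host, entry):
    """A list entry matches the host itself and every sub-domain of it,
    but not unrelated hosts that merely end with the same letters."""
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def host_decision(host, whitelist=WHITELIST, blacklist=BLACKLIST):
    """'allow' or 'block' from the custom lists; 'filter' means neither list
    applies and the content filter's own analysis decides."""
    if any(_matches(host, w) for w in whitelist):
        return "allow"          # assumption: the more specific whitelist wins
    if any(_matches(host, b) for b in blacklist):
        return "block"
    return "filter"


def missing_dependencies(page_host, dependency_hosts, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Hosts a whitelisted page needs that the lists would still block.

    These are exactly the entries that must be added to the whitelist for the
    page to work; an empty list means the page is consistent.
    """
    if host_decision(page_host, whitelist, blacklist) != "allow":
        return []
    return sorted({h for h in dependency_hosts
                   if host_decision(h, whitelist, blacklist) == "block"})


if __name__ == "__main__":
    print("maps.google.com:", host_decision("maps.google.com"))
    print("mail.google.com:", host_decision("mail.google.com"))
    print("still blocked:", missing_dependencies("maps.google.com", MAPS_DEPENDENCIES))
    fixed = WHITELIST + missing_dependencies("maps.google.com", MAPS_DEPENDENCIES)
    print("after fix:", missing_dependencies("maps.google.com", MAPS_DEPENDENCIES, whitelist=fixed))
```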

Antivirus

This tab contains configuration options for the virus scanner engine (ClamAV or Sophos) used by the HTTP proxy.

Changed in version 2.5-armel: Removed Sophos. The Sophos Antivirus is not available for the ARM architecture, therefore it is not available on the New Mini Arm, on which HAVP uses the ClamAV antivirus.

Max. content scan size
The maximum size for files that should be scanned for viruses.
Do not scan the following URLs
A list of URLs that should not be scanned for viruses, one per line.

On the bottom of the page, a small box informs on the last update: The date, time, and how many signatures were downloaded. This is the same information that is shown in Menubar ‣ Services ‣ Antivirus Engine.

AD join

In this section it is possible to supply the credentials required to join the Active Directory Server, an operation that is only possible if in the Authentication tab the option Windows Active Directory (NTLM) has been selected.

Username of ADS admin
The username of the Active Directory Server.
Password of ADS admin
The password of Active Directory Server. It is not shown by default, but it can be displayed by ticking the checkbox on the right of the text field.

POP3

This page contains configuration options for the spamassassin mail filter and how it should manage the e-mails recognised as spam.

Global settings

On this page, by ticking the appropriate checkboxes, a few global configuration settings of the POP3 proxy can be enabled.

Enabled on Green, Enabled on Blue, Enabled on Orange
Enable the POP3 e-mail scanner on the GREEN, BLUE, and ORANGE zone, respectively. They appear only if the corresponding zones are enabled.
Virus scanner
Activate the virus scanner.
Spam filter
Enable spam filtering on the e-mails.
Firewall logs outgoing connections
Let all the outgoing connections be logged by the firewall.

Spam filter

This page allows configuring how the POP3 proxy should proceed when it finds a spam e-mail.

Note

Even when an email has been marked as spam, it will be delivered to the original recipient. Indeed, not delivering it would break RFC 2821, which states that once an email is accepted, it must be delivered to the recipient.

Spam subject tag
The prefix that will be added to the subject of the e-mail recognised as spam.
Required hits
The number of hits required for a message to be considered as spam.
Activate support for Japanese emails
Tick this checkbox to activate support for Japanese character sets in e-mails, to search for Japanese spam.
Enable message digest spam detection (pyzor)
To detect spam e-mails using pyzor (in short: spam e-mails are converted to a unique digest message that can be used to identify further analogous spam e-mails).

Warning

Activating this option might considerably slow down the POP3 proxy!

White list
A list of e-mail addresses or whole domains, specified using wildcards, e.g., *@example.com, one address per line. E-mails sent from these addresses and domains will never be checked for spam.
Black list
A list of e-mail addresses or whole domains, specified using wildcards, e.g., *@example.com, one address per line. E-mails sent from these addresses and domains will always be marked as spam.
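As an added example (not the appliance's spamassassin configuration), the following puts the fields of this page together: a wildcard white list that exempts a sender from scoring, a black list that marks a sender as spam unconditionally, and the required-hits threshold for everyone else, with the subject tag applied and the message always delivered, as the note above explains. Shell-style wildcards are interpreted with Python's fnmatch; the sample settings and addresses are constructed, and checking the white list before the black list is this example's choice.

```python
import fnmatch

# Constructed spam filter settings, one per field of this page.
SPAM_SUBJECT_TAG = "*** SPAM ***"
REQUIRED_HITS = 5.0
WHITE_LIST = ["*@example.com", "newsletter@lists.example.org"]
BLACK_LIST = ["*@spam.example.net", "*@*.spam.example.net"]


def _listed(sender, patterns):
    """Case-insensitive wildcard match of a sender address against a list."""
    sender = sender.lower()
    return any(fnmatch.fnmatchcase(sender, p.lower()) for p in patterns)


def classify(sender, score):
    """Return 'spam' or 'ham' for a message from `sender` with spamassassin score `score`."""
    if _listed(sender, WHITE_LIST):
        return "ham"            # never checked for spam
    if _listed(sender, BLACK_LIST):
        return "spam"           # always marked as spam
    return "spam" if score >= REQUIRED_HITS else "ham"


def tag_subject(sender, subject, score):
    """The message is delivered either way; only the Subject header may change."""
    if classify(sender, score) == "spam":
        return f"{SPAM_SUBJECT_TAG} {subject}"
    return subject


if __name__ == "__main__":
    for sender, score in (("ceo@example.com", 9.0), ("deals@spam.example.net", 0.0),
                          ("stranger@other.org", 5.0), ("stranger@other.org", 4.9)):
        print(sender, score, "->", tag_subject(sender, "Hello", score))
```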

The settings can be saved by clicking on the Save Button.

Encrypted e-mails.

The Endian UTM Appliance is unable to scan the e-mails sent through a POP3 SSL connection since it is an encrypted channel.

Therefore, to allow a client to use POP3 over SSL it is necessary to configure it appropriately and to disable the encryption between the client and the Endian UTM Appliance. Encryption should be disabled (i.e., do not use SSL), but the port for POP3 traffic in plain text changed from the default 110 to 995.

After setting this configuration, the connection from the client to the Endian UTM Appliance will remain in plain text, but it will use port 995, making the Endian UTM Appliance setup an encrypted POP3 over SSL connection from it to the POP3 server.

FTP

The FTP proxy is available only as a transparent proxy in the zones that have been enabled and allows for scanning the files downloaded via FTP to search for viruses. The Endian UTM Appliance employs frox as FTP proxy.

Note

Only connections to the standard FTP port (21) are redirected to the proxy. This means that if a client is configured to use the HTTP proxy also for the FTP protocol, settings for the FTP proxy will be bypassed.

A few options can be configured in this page:

Enabled on GREEN, Enabled on BLUE, Enabled on ORANGE
Enable the FTP proxy on each zone. Only available on the activated zones.
Firewall logs outgoing connections
Log the outgoing connections in the firewall.
Bypass the transparent Proxy from Source
Allow some sources (left text area) or destinations (right text area) under the corresponding labels not to be subject to the FTP proxy scanning.

FTP proxy and FTP client’s active and passive mode.

The Endian UTM Appliance supports transparent FTP proxying with frox if and only if it is directly connected to the Internet.

Problems may also arise when the FTP transparent proxy is enabled and there is a NAT device between the Endian UTM Appliance and the Internet. In this setup, any FTP connection to a remote FTP site will be blocked until it times out, and in the logs will appear messages like:

Mon Mar  2 11:32:02 2009 frox[18450] Connection timed out when
 trying to connect to <your ftp client ip>
Mon Mar  2 11:32:02 2009 frox[18450] Failed to contact client data port

To overcome these problems, the FTP client should be configured to use passive mode (PASV) as transfer mode, and a rule under Menubar ‣ Firewall ‣ System access must be created that allows the traffic on ports 50000 to 50999 for the NAT device. For security reasons, though, these ports should be enabled only if necessary. To understand the motivation of this setup, here is a more detailed description of how active and passive modes work and how they interact with the FTP proxy.

The active mode requires that the server (in our case, the FTP proxy) initiate the data connection to the client. However, a NAT device between the clients and the proxy causes the connection from the server to never reach the client. For this reason the client must use the passive mode.

With passive mode, the ftp client is required to initiate the connection to the server (again, the FTP proxy) using a dynamic port, which has been negotiated through the control connection. The ftp proxy listens to that port, but the system access firewall needs to allow traffic to that port.

Since multiple concurrent data connections can try to reach the FTP proxy, it is necessary to allow connections on a whole port range. Therefore all the ports reserved for passive data connections (i.e., 50000-50999) need to be allowed by the system access firewall.
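The passive-mode negotiation described above, as an added Python example (not code from the appliance or from frox): it parses the PASV reply the proxy sends and the PORT command a client sends in active mode, derives the data port from the two port bytes, and checks whether the passive port falls inside the 50000-50999 range that the system access rule has to open. The sample exchange and the NAT heuristic in active_mode_reachable are constructed for illustration.

```python
import re

# Passive-mode data port range reserved by the FTP proxy and opened in the
# system access firewall (values taken from the text above).
PASV_PORT_MIN = 50000
PASV_PORT_MAX = 50999

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server/proxy
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_host_port(fields):
    """Turn the six FTP address fields into (ip, port).

    The port travels as two bytes: port = p1 * 256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("address field outside 0..255")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Parse the proxy's 227 reply; returns the (ip, port) the client must
    connect to for the data channel."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    return decode_host_port(m.groups())


def parse_port_command(line):
    """Parse the client's active-mode PORT command; returns the (ip, port)
    the proxy would have to connect back to."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_host_port(m.groups())


def passive_port_allowed(port, lo=PASV_PORT_MIN, hi=PASV_PORT_MAX):
    """True when the negotiated passive port lies inside the range that the
    system access rule opens; anything else is dropped by the firewall."""
    return lo <= port <= hi


def active_mode_reachable(observed_client_ip, port_command_ip):
    """Heuristic (an assumption of this example, not an Endian check): in
    active mode the proxy must connect back to the address announced in
    PORT. A client behind NAT announces its private address, which differs
    from the address the proxy sees, so the data connection cannot be made
    and frox logs 'Failed to contact client data port'."""
    return observed_client_ip == port_command_ip


if __name__ == "__main__":
    # Constructed sample exchange, not captured from a real appliance.
    ip, port = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)")
    print(ip, port, "allowed" if passive_port_allowed(port) else "blocked")
```

The two port bytes are the detail that usually trips people up when writing firewall rules by hand: 195,80 is port 50000 (195 * 256 + 80), the first port of the range, while 199,255 is 51199 and would be dropped by the rule.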

SMTP utm

Changed in version 2.5-armel: Removed Commtouch since there is no Commtouch’s version for ARM platforms.

The SMTP proxy can relay and filter e-mail traffic when it is sent from the clients to the mail servers.

The purpose of the SMTP proxy is to control and optimise the SMTP traffic and to protect the local networks from threats when using the SMTP protocol. SMTP is used whenever an e-mail is sent from a local e-mail client to a remote mail server, that is, for outgoing e-mails. It is also used if a mail server is running on the LAN (i.e., within the GREEN zone) or DMZ (ORANGE zone) and e-mails can be sent from outside the local network (incoming requests) through that mail server, that is, when clients are allowed to send e-mails from the RED interface.

In order to download mail from a remote mailserver to a local e-mail client, the POP3 or IMAP protocols are used. In order to protect that traffic too, enable the POP3 proxy in Menubar ‣ Proxy ‣ POP3.

Warning

Scanning of IMAP traffic is currently not supported.

With the e-mail proxy functionality, both incoming and outgoing e-mail traffic can be scanned for viruses, spam, and other threats. E-mails are blocked if necessary and in that case both the receiving user and the administrator are notified. With the possibility to scan incoming e-mails, the e-mail proxy can handle incoming connections from the RED interface and pass the e-mail to one or more internal mail servers. Hence, it is possible to run one's own mail server behind the firewall without the need to define appropriate port forwarding rules.

The SMTP proxy configuration is split into five or six tabs (depending on the availability of Commtouch), each one tailored to one aspect of the SMTP proxy.

Configuration utm

This is the main configuration page for the SMTP proxy. The SMTP proxy can be enabled by clicking on the toggle switch swoff. When enabled, for each active zone it can be chosen whether the SMTP proxy should be active, inactive, or transparent:

active
The SMTP proxy is enabled for the zone and accepts requests on port 25.
transparent mode
If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on the clients. This option is not available for the RED zone.
inactive
The SMTP proxy is not enabled for that zone.

Additional options are available, grouped in four panels that can be expanded by clicking on the expand icon.

Spam settings

In this panel the software applications used by the Endian UTM Appliance to recognise and filter out spam can be configured, through the following options:

Filter mail for spam
Enable the mail spam filter and allow the configuration of the additional options that will appear below.
Commtouch spam engine

Enable the use of the commtouch anti-spam engine to filter the e-mails.

Note

Commtouch is not available on the ARM architecture.

Choose spam handling

There are three actions that can be carried out on e-mails that have been recognised as spam:

  • move to default quarantine location: The spam e-mails will be moved to the default location.
  • send to quarantine email address: Spam e-mails are forwarded to a custom e-mail address that can be specified in the Spam quarantine email address textbox that will appear upon selecting this option.
  • mark as spam: The e-mail is marked as spam before delivery.

Changed in version 2.5: The possibility to specify a custom location in which to store spam e-mails has been removed.

Spam subject
A prefix applied to the subject of all e-mails marked as spam.
Email used for spam notifications (spam admin)
The e-mail address that will receive a notification for each processed spam e-mail.
Spam tag level
If SpamAssassin’s spam score is greater than this number, the X-Spam-Status and X-Spam-Level headers are added to the e-mail.
Spam mark level
If SpamAssassin’s spam score is greater than this number, the Spam subject and X-Spam-Flag headers are added to the e-mail.
Spam quarantine level
Any e-mail that exceeds this spam score will be moved to the quarantine location.
Send notification only below level
Send notification e-mails only if the spam score is below this number.
Spam filtering
Enable spam greylisting and show the next option.
Delay for greylisting (sec)
The greylisting delay in seconds can be a value between 30 and 3600.
Japanization
Tick this box to activate the support for Japanese character sets in e-mails and filter Japanese spam e-mails.

Note

While most simple and well known spam messages and mail sent by known spam hosts are blocked, spammers always adapt their messages in order to circumvent spam filters. Therefore it is absolutely necessary to always train the spam filter in order to reach a personalised and stronger filter (bayes).
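The interplay of the Spam tag level, Spam mark level, Spam quarantine level and Send notification only below level settings is easier to see as code. The following Python example is added here and is not the appliance's own implementation: it applies the threshold ladder described above to a single SpamAssassin score and returns the headers, subject, delivery action and admin notification that result. The threshold values, the quarantine address and the rule that the admin is notified for every message recognised as spam unless the score reaches the cut-off are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class SpamSettings:
    """The thresholds of the Spam settings panel. The numbers here are
    constructed for the example; the page gives no defaults."""
    tag_level: float = 2.0
    mark_level: float = 5.0
    quarantine_level: float = 10.0
    notify_below_level: float = 15.0
    spam_subject: str = "*** SPAM ***"
    # one of the three "Choose spam handling" actions
    handling: str = "move to default quarantine location"
    quarantine_address: str = "quarantine@example.com"  # constructed


@dataclass
class Verdict:
    headers: dict
    subject: str
    action: str        # "deliver", "quarantine" or "forward:<address>"
    notify_admin: bool


def process_spam_score(score, subject, cfg):
    """Apply the threshold ladder described above to one message.

    All comparisons are strictly 'greater than', as the page states, so a
    score exactly equal to a level does not trigger it."""
    headers = {}
    action = "deliver"
    notify_admin = False

    if score > cfg.tag_level:
        # informational headers only; the mail is still delivered untouched
        headers["X-Spam-Status"] = f"score={score:.1f}"
        headers["X-Spam-Level"] = "*" * max(0, int(score))

    if score > cfg.mark_level:
        # the message is now treated as spam: flagged and subject-tagged
        headers["X-Spam-Flag"] = "YES"
        subject = f"{cfg.spam_subject} {subject}"
        # assumption: the spam admin is notified for each message
        # recognised as spam, unless the score reaches the cut-off level
        notify_admin = score < cfg.notify_below_level

    if score > cfg.quarantine_level:
        if cfg.handling == "move to default quarantine location":
            action = "quarantine"
        elif cfg.handling == "send to quarantine email address":
            action = f"forward:{cfg.quarantine_address}"
        # "mark as spam": delivered to the recipient with the markings above

    return Verdict(headers, subject, action, notify_admin)
```

Keeping the levels ordered (tag below mark below quarantine) matters: a message can only be quarantined after it has been flagged, and a very high score deliberately suppresses the notification so that obvious spam floods do not also flood the spam admin's mailbox.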

Virus settings

In this panel a few options can be configured to manage any virus found.

Scan mail for virus
Enable filtering of e-mails for viruses and reveal the additional virus filter options.
Choose virus handling

There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails that have been found to contain viruses. They are the same as in the Spam settings above:

  • move to default quarantine location: any e-mail containing virus will be moved to the default location.
  • send to quarantine email address: e-mails containing virus are forwarded to a custom e-mail address that can be specified in the Virus quarantine email address textbox that will appear upon selecting this option.
  • pass to recipient (regardless of bad contents): e-mail containing virus will be delivered normally.

Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing viruses has been removed.

Email used for virus notifications (virus admin)
The e-mail address that will receive a notification for each processed e-mail containing virus.

File settings

This panel contains settings to block any files attached to an e-mail depending on their extension. Whenever those file extensions are found in any attachment, the selected action will be performed.

Block files by extension
Activate the extensions-based filtering on files and reveal the additional virus filter options.
Choose handling of blocked files

There are three or four available actions (depending on the type of Endian UTM Appliance) that can be carried out on e-mails containing blocked files (they are the same as in the Spam settings and Virus settings panels above):

  • move to default quarantine location: mails containing blocked files will be moved to the default location.
  • send to quarantine email address: mails containing blocked files are forwarded to a custom e-mail address that can be specified in the Email used for blocked file notifications textbox that will appear upon selecting this option.
  • pass to recipient (regardless of blocked files): mails containing blocked files will be delivered normally.

Changed in version 2.5: The possibility to specify a custom location in which to store e-mails containing blocked files has been removed.

Choose filetypes to block (by extension)

The file extensions to be blocked.

Hint

Hold down the CTRL key and click on the left mouse button to select multiple extensions.

Email used for blocked file notifications (file admin)
The e-mail address that will receive a notification for each processed e-mail containing blocked attachments.
Block files with double extension

Enable the blocking of any file with a double extension.

Note

Files with double extensions are usually malicious files which may appear as inoffensive images or documents, but when they are opened, an application is executed whose purpose is to harm the computer or steal personal data. A file with a double extension looks exactly like a normal file, except that its name (e.g., image.jpg) is followed by .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll (e.g., image.jpg.exe).
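The two attachment checks of the File settings panel (blocking by extension and blocking double extensions), as an added Python example that is not the appliance's own filter code. It shows the edge cases a practitioner wants covered: upper-case names, Windows paths, a space slipped in before the final extension, and legitimate multi-extension names such as backup.tar.gz that must not be flagged. The executable extensions are the ones listed in the note above; the filenames are constructed.

```python
import posixpath

# The second extensions the note above names as tell-tale signs.
EXECUTABLE_EXTS = {".exe", ".com", ".vbs", ".pif", ".scr", ".bat", ".cmd", ".dll"}


def split_extensions(filename):
    """Lower-cased extensions of an attachment name, in order:
    'Image.JPG.exe' -> ['.jpg', '.exe']; 'readme' -> []."""
    # normalise Windows separators and drop any directory part
    base = posixpath.basename(filename.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    return ["." + p.strip() for p in parts[1:]]


def has_double_extension(filename):
    """True for the image.jpg.exe pattern: at least two extensions, the last
    one being an executable type."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS


def normalise_ext_list(extensions):
    """Accept 'exe' or '.exe' entries, in any case."""
    return {e.lower() if e.startswith(".") else "." + e.lower() for e in extensions}


def check_attachment(filename, blocked_extensions, block_double=True):
    """Return the reason an attachment is blocked, or None when it passes.

    blocked_extensions mirrors 'Choose filetypes to block (by extension)',
    block_double mirrors 'Block files with double extension'."""
    exts = split_extensions(filename)
    blocked = normalise_ext_list(blocked_extensions)
    if exts and exts[-1] in blocked:
        return f"extension {exts[-1]} is blocked"
    if block_double and has_double_extension(filename):
        return "double extension"
    return None
```

Note that only the final extension decides the type: backup.tar.gz is not a double extension in the sense of the note, because .gz is not executable, while report.pdf.scr is.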

It is necessary to configure the e-mail domains for which each local server should be responsible. The list of domain/SMTP server combinations can be defined under Menubar ‣ Proxy ‣ SMTP ‣ Incoming domains.

Bypass transparent proxy

In the last panel custom lists of domains can be defined for which the transparent proxy should be disabled.

Bypass transparent proxy from SUBNET/IP/MAC
E-mails sent from these sources are not subject to the transparent proxy.
Bypass transparent proxy to SUBNET/IP
E-Mails sent to these destinations are not subject to the transparent proxy.

Black- & Whitelists utm

In this page there are four panels: three allow the definition of several custom black- and whitelists, while the fourth allows the selection and use of existing RBLs.

Accepted mail (Black- & Whitelists)

In the first panel any number of domains, sub-domains, or single e-mail addresses to be white- or blacklisted can be entered. For both of the lists any number of senders, recipients, and clients can be entered in the appropriate textareas, as follows:

Whitelist sender
All the e-mails sent from these addresses or domains will be accepted. This is the e-mail From: field.
Blacklist sender
All the e-mails sent from these addresses or domains will be rejected. This is the e-mail From: field.
Whitelist recipient
All the e-mails sent to these addresses or domains will be accepted. This is the e-mail To: field.
Blacklist recipient
All the e-mails sent to these addresses or domains will be rejected. This is the e-mail To: field.
Whitelist client
All the e-mails sent from these IP addresses or hosts will be accepted.
Blacklist client
All the e-mails sent from these IP addresses or hosts will be rejected.

Realtime Blacklist (RBL)

A widely used method to block spam e-mails is the so-called RBL, whose use can be configured in the second panel. These lists are created, managed, and updated by different organisations with the purpose of identifying new SMTP servers used to send spam as quickly as possible and blocking them. If a domain or sender IP address appears in one of the blacklists, e-mails sent from it will be rejected without further notice. The use of RBLs saves bandwidth, since the mails are not accepted and then handled like legitimate e-mails, but rather dismissed as soon as the sender’s IP address or domain is found in any blacklist. The Endian UTM Appliance uses many different RBLs, which are divided into IP-based and domain-based. The blacklists that belong to each category are shown by clicking on the small expand icon, and can be enabled or disabled all at once by clicking on the red or green arrow on top of the list, or individually. The homepage of each organisation that compiles a list is reachable by clicking on the list’s name. Among the blacklists installed, there are:

bl.spamcop.net
A blacklist based on submissions from its users.
zen.spamhaus.org
This list replaces the old sbl-xbl.spamhaus.org and contains the Spamhaus block list as well as Spamhaus’ exploits block list and its policy block list.
cbl.abuseat.org
The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (e.g., HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms, viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, without doing open proxy tests of any kind.
[name].dnsbl.sorbs.net and rhsbl.dnsbl.sorbs.net
Several blacklists are supplied by this organisation (replace [name] with safe, relays, etc.), and can be activated individually or all together by enabling the dnsbl.sorbs.net blacklist.
uceprotect.net
Lists that hold domains of known spam sources for at most seven days. After this period, domains are delisted, but subsequent violations cause the application of more restrictive policies.
dsn.rfc-ignorant.org

This is a list which contains domains or IP networks whose administrators choose not to obey the RFCs, the standards of the net.

Note

The rfc-ignorant.org site shut down its service on the 30th of November 2012 (see the announcement), but its content has been inherited by the people at http://www.rfc-ignorant.de/. Their work, however, does not seem to have yet produced working RBLs as of today (June 2013).

Warning

Sometimes it can happen that IP addresses or domains have been wrongly listed by an RBL operator. If this should happen, it may negatively impact communications, since even legitimate e-mails from those domains will be refused without the possibility to recover them. Since there is no possibility to directly influence the RBLs, it is necessary to take into account the policies applied by the organisations that manage the RBLs before using them. Endian is not responsible for any e-mail that might be lost using the RBLs.

Note

Advanced users can modify the list from the CLI, editing the /var/efw/smtpscan/settings file, and modify the RBL variable.

Changed in version 2.5: In previous versions, the file to modify was /var/efw/smtpscan/RBL, with the file /var/efw/smtpscan/default/RBL to be used as a draft.
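How an RBL lookup actually works, as an added Python example that is not part of the appliance or of any listed organisation's software: an IP-based list is queried by reversing the address octets and appending the list's zone, a domain-based list by prepending the sender domain, and a listing is signalled by an A record in 127.0.0.0/8. The resolver is injected and the answers are constructed, so the block runs offline. One answer is deliberately a public address from a zone that no longer operates (the rfc-ignorant case in the note above): such an answer must not count as a listing, otherwise a dead or hijacked zone would reject all mail.

```python
import ipaddress

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def rbl_query_name(ip, zone):
    """DNS name queried for an IP-based list: octets reversed, zone appended.
    192.0.2.10 in bl.spamcop.net -> 10.2.0.192.bl.spamcop.net"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 lists only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def rhsbl_query_name(domain, zone):
    """Domain-based lists (e.g. rhsbl.dnsbl.sorbs.net) are queried with the
    sender domain itself prepended to the zone."""
    return domain.strip(".").lower() + "." + zone


def rbl_verdict(answer):
    """Interpret a lookup result. A listing is signalled by an A record in
    127.0.0.0/8; NXDOMAIN (None) means not listed. Any other address is
    treated as 'not listed' too: a dead or hijacked zone answering with a
    public address must not cause mail to be rejected."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in LISTED_RANGE
    except ValueError:
        return False


def first_listing(ip, zones, resolve):
    """Return the first zone in `zones` that lists `ip`, else None.
    `resolve(name)` returns an A record string or None; a real deployment
    would use the system resolver, here it is injected for testing."""
    for zone in zones:
        if rbl_verdict(resolve(rbl_query_name(ip, zone))):
            return zone
    return None


# Constructed answers standing in for real DNS; not captured from any list.
CONSTRUCTED_DNS = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",             # listed
    "4.100.51.198.dsn.rfc-ignorant.org": "203.0.113.1",   # dead zone, wildcard answer
}

ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dsn.rfc-ignorant.org"]


def demo():
    """Check two constructed sender addresses against the zones above."""
    return (first_listing("192.0.2.10", ZONES, CONSTRUCTED_DNS.get),
            first_listing("198.51.100.4", ZONES, CONSTRUCTED_DNS.get))
```

The order of the zones is the order in which lookups happen, so the rejection reason logged is the first zone that answers; the list enabled in the panel should therefore be kept short and maintained, since every enabled zone costs one DNS round trip per connection.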

Spam greylisting

In the third panel, greylisting whitelists can be created by adding entries for every recipient, IP address or network in the two textareas. No greylisting is applied to the items in the whitelists.

Whitelist recipient
All E-mail addresses or whole domains written in this textarea, e.g. test@example.com or example.com are considered “safe”, i.e., the e-mail received from them will not be checked for spam.
Whitelist client
All the mail server addresses in this textarea are considered “safe”, i.e., all the e-mails coming from these servers will not be checked for spam.

Greylisting

Greylisting is a method used by an MTA to verify whether an e-mail is legitimate by rejecting it the first time and waiting for a second delivery attempt of the same e-mail. If the e-mail is not sent again, the sender is considered a spam source. The idea behind greylisting is that mass spam bots will not try to resend a rejected e-mail, so only valid e-mails will be resent.
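Greylisting as just described, together with the recipient and client whitelists of the panel above, as an added Python example (not the appliance's greylisting implementation). It keys on the usual (client IP, sender, recipient) triplet, answers 450 until the configured delay has elapsed since the first attempt, and enforces the 30 to 3600 second bound the Delay for greylisting option allows. Passing `now` explicitly makes the timing deterministic; the addresses in the usage are constructed.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Triplet greylisting as described above, with the whitelists of the
    Spam greylisting panel."""
    delay: int = 300                                          # seconds, 30..3600 per the page
    whitelist_recipients: set = field(default_factory=set)    # addresses or domains
    whitelist_clients: set = field(default_factory=set)       # sending server IPs
    _seen: dict = field(default_factory=dict)                 # (client, sender, rcpt) -> first seen

    def __post_init__(self):
        if not 30 <= self.delay <= 3600:
            raise ValueError("delay must be between 30 and 3600 seconds")
        self.whitelist_recipients = {r.lower() for r in self.whitelist_recipients}

    def _recipient_whitelisted(self, rcpt):
        """Whitelist entries may be full addresses or whole domains."""
        rcpt = rcpt.lower()
        domain = rcpt.rsplit("@", 1)[-1]
        return rcpt in self.whitelist_recipients or domain in self.whitelist_recipients

    def check(self, client_ip, sender, rcpt, now=None):
        """Decide one RCPT TO: returns '250' to accept or '450' to ask the
        sender to try again later. A bot that never retries never gets 250."""
        now = time.time() if now is None else now
        if client_ip in self.whitelist_clients or self._recipient_whitelisted(rcpt):
            return "250"
        key = (client_ip, sender.lower(), rcpt.lower())
        first_seen = self._seen.setdefault(key, now)
        if now - first_seen >= self.delay:
            return "250"
        return "450"


if __name__ == "__main__":
    # constructed addresses; the delay is the minimum the page allows
    g = Greylist(delay=30)
    print(g.check("203.0.113.5", "sender@example.net", "bob@corp.example", now=0))    # 450
    print(g.check("203.0.113.5", "sender@example.net", "bob@corp.example", now=60))   # 250
```

A retry that arrives before the delay has elapsed is rejected again rather than reset, so the triplet is accepted as soon as any attempt falls past the delay; a conforming MTA retries for hours, a bot usually never does.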

Spam (Black- & Whitelists)

Finally, in the last panel, explicit black- and whitelists for the spam filter are defined.

Whitelist sender
E-mail addresses or whole domains can be whitelisted in this textarea (i.e., they will never be detected as spam), like e.g. test@example.com or the domain example.com.
Blacklist sender
E-mail addresses or whole domains can be blacklisted in this textarea (i.e., they will always be detected as spam), like e.g. test@example.com or the domain example.com.

Incoming domains utm

When incoming mail has been enabled (i.e., clients outside the RED interface can send e-mails from a local SMTP server) and e-mails to be sent should be forwarded to a mail server behind the Endian UTM Appliance, usually set up in the ORANGE zone, it is necessary to declare the domains to be accepted by the SMTP proxy and to which of the e-mail servers the incoming mail should be forwarded. It is possible to specify multiple mail servers behind the Endian UTM Appliance for different domains.

The page presents a list of domains along with the mailserver responsible for each of them, if any has been defined. To add a new domain, click on the Add a domain button: A simple form will open, in which the combination domain-mailserver can be created.

Domain
The domain this mailserver is responsible for.
Mailserver IP
The IP address of the mailserver.

The new entry will be shown at the bottom of the list.

Mail Routing utm

This option allows sending a BCC of an e-mail to a given e-mail address and is applied to all the e-mails sent either to a specific recipient or from a specific sender address. The list shows the direction, the address and the BCC address, if any. To add a new mail route, click on the Add a Mail Route button. In the form that opens these options can be configured:

Direction
Select from the drop-down menu whether the mail route should be defined for a sender or recipient of the e-mail.
Mail address
Depending on the direction chosen, this will be the e-mail address of the recipient or sender to which the route should be applied.
BCC address
The e-mail address that receives the copy of the e-mails.

Warning

Neither the sender nor the recipient will be notified of the copy being sent to a third party. In most countries it is highly illegal to read other people’s private messages, so please do not misuse or abuse this feature.

Advanced utm

In the last page of the SMTP proxy configuration there are advanced settings options available, grouped in four panels, that can be shown or hidden by clicking on the expand or collapse icons on the left of the panel title.

Smarthost configuration

In the first panel a smarthost can be activated and configured. If the SMTP server has a dynamic IP address, for example when using an ISDN or an ADSL dialup Internet connection, there can be trouble sending e-mails to other mail servers, since that IP address might have been blacklisted in some RBL (see Black- & Whitelists above) and therefore the remote mailserver might refuse the e-mails. Hence, it becomes necessary to use a smarthost for sending e-mails.

Smarthost for delivery
Tick this checkbox to enable a smarthost for delivering e-mails and to show additional options.
Smarthost address
The address of the smarthost.
Smarthost port
The port on which the smarthost is listening, defaults to 25.
Smarthost requires authentication
Tick this checkbox if the smarthost requires authentication. The next three extra options are then shown.
Smarthost username
The username used for authentication on the smarthost.
Smarthost password
The password used for authentication on the smarthost.
Choose authentication method
The authentication methods required by the smarthost: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. Multiple methods can be chosen by holding the CTRL key pressed and clicking on each of the desired methods.

Note

In a few words, a smarthost is a mailserver used by the SMTP proxy as the outgoing SMTP server. The smarthost needs to accept the e-mails and relay them. Normally, the provider’s own SMTP server is used as the smarthost, since it will agree to relay the e-mails, while other mailservers would not.

IMAP Server for SMTP authentication

This panel contains configuration options for the IMAP server that should be used for authentication when sending e-mails. These settings are especially important for SMTP incoming connections that are opened from the RED zone. The following settings can be configured:

Activate SMTP authentication with IMAP server
Tick this checkbox to enable IMAP authentication and to show additional options.
Choose number of authentication daemons
How many concurrent logins are possible through the Endian UTM Appliance.
IMAP authentication server
The address of the IMAP server.
IMAP authentication port
The port on which the IMAP server is listening, defaults to 143 for plain IMAP or 993 for IMAP over SSL.

Mail server settings

In this panel, additional parameters of the SMTP server can be defined.

Require SMTP HELO
When this checkbox is ticked, the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.
Reject invalid hostname
Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.
SMTP HELO name
The hostname to send with the SMTP EHLO or HELO command. The default value is the REDIP, but a custom hostname or IP address can be supplied.
Always BCC to address
The e-mail address that will receive a BCC of each message that goes through the SMTP proxy.
Choose mailtemplate language
The language in which error messages should be sent.
Recipient address verification
Enable the check for a valid recipient address before sending the message.
Choose hard error limit
The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).
Choose maximal email contentsize
The maximum size allowed for a single e-mail message. Several predefined values can be selected from the drop-down menu. Choosing the custom email contentsize option reveals the next option.
Custom maximum email contentsize (in KB)
The maximum size in megabytes of the e-mail that will be accepted by the SMTP server.

HELO/EHLO and hostname

Almost all mail servers require that clients connecting via SMTP announce themselves with a valid hostname along with the HELO/EHLO, or they drop the connection. However, the Endian UTM Appliance uses its own hostname in order to announce to foreign e-mail servers, which is sometimes not publicly valid within the global DNS.

If that is the case, another custom hostname can be configured under Menubar ‣ Proxy ‣ SMTP ‣ Advanced ‣ Mail server settings ‣ SMTP Helo Name, that can be understood by the remote mail server.

Instead of a custom hostname, even a numeric IP address within brackets (e.g., [192.192.192.192]) can be supplied, which should be the REDIP address.

Spam prevention

Finally, in this last panel additional parameters for the spam filter can be defined, by ticking one or more of the four checkboxes.

Reject invalid recipient (non-FQDN)
Reject the request when the RCPT TO address is not in FQDN form, as required by RFC 821.
Reject invalid sender (non-FQDN)
Reject the connecting client if the hostname supplied with the HELO or EHLO command is not a FQDN, as required by RFC 821.
Reject unknown recipient domain
Reject the connection if the domain of the recipient e-mail address has no DNS A or MX record.
Reject sender from unknown domains
Reject the connection if the domain of the sender e-mail address has no DNS A or MX record.

Troubleshooting the SMTP proxy

When the message “Mail for xxx loops back to myself” appears in the log file, it indicates a misconfiguration of the custom SMTP HELO name on the appliance: it is the same as the hostname of the internal mailserver to which the incoming e-mail should be forwarded.

In that case the SMTP connection received by the internal mailserver carries a hostname (the one in the HELO line from the SMTP Proxy settings) that is the same as the hostname of the internal mailserver itself, hence the internal mailserver believes it is sending and receiving the same e-mail, and produces the error message.

Possible solutions are:

  • Change the hostname of the internal mailserver.
  • Create a new publicly valid A Record within the DNS zone which also points to the Endian UTM Appliance and use this hostname as the HELO line within the SMTP Proxy.
  • Use the numeric IP Address of the uplink as the HELO line.
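The four Spam prevention checks of the previous panel and the HELO name problem described in this troubleshooting section share the same building blocks, so one added Python example (not the appliance's or Postfix's code) covers both: an FQDN test, the bracketed IP literal form allowed for the HELO name, an A-or-MX existence check with an injected resolver, and a sanity check that flags a HELO name equal to an internal mail server's hostname, which is exactly the “loops back to myself” misconfiguration. Treating a bracketed address literal as acceptable for the HELO check and skipping the sender-domain check for the empty bounce sender are assumptions of the example; the DNS data is constructed.

```python
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def is_fqdn(name):
    """Fully qualified hostname: two or more valid labels, a non-numeric
    top-level label, at most 253 characters. 'localhost' and '192.0.2.1' fail."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return (len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def is_address_literal(name):
    """The bracketed numeric form allowed for the HELO name, e.g. [192.0.2.1]."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    try:
        ipaddress.IPv4Address(name[1:-1])
        return True
    except ValueError:
        return False


def domain_is_known(domain, resolve):
    """The 'unknown domain' checks: the domain needs an A or an MX record.
    resolve(name, rrtype) returns a list of records, empty when none."""
    return bool(resolve(domain, "A")) or bool(resolve(domain, "MX"))


def check_session(helo, mail_from, rcpt_to, resolve):
    """Apply the four Spam prevention checks to one session, following the
    descriptions above. Returns the list of reasons to reject (empty = accept)."""
    reasons = []
    # Reject invalid sender (non-FQDN): judged on the HELO/EHLO hostname
    if not (is_fqdn(helo) or is_address_literal(helo)):
        reasons.append("HELO hostname is not a FQDN")
    # Reject invalid recipient (non-FQDN)
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1] if "@" in rcpt_to else ""
    if not is_fqdn(rcpt_domain):
        reasons.append("recipient domain is not a FQDN")
    elif not domain_is_known(rcpt_domain, resolve):
        # Reject unknown recipient domain
        reasons.append("recipient domain has no A or MX record")
    # Reject sender from unknown domains (the empty bounce sender has no domain)
    sender_domain = mail_from.rsplit("@", 1)[-1] if "@" in mail_from else ""
    if sender_domain and not domain_is_known(sender_domain, resolve):
        reasons.append("sender domain has no A or MX record")
    return reasons


def helo_name_problems(helo_name, internal_mailservers):
    """Sanity checks for the custom SMTP HELO name: it must be a FQDN or a
    bracketed IP address, and it must not equal the hostname of an internal
    mail server, which is the misconfiguration behind
    'Mail for xxx loops back to myself'."""
    problems = []
    if not (is_fqdn(helo_name) or is_address_literal(helo_name)):
        problems.append("HELO name is neither a FQDN nor a bracketed IP address")
    internal = {h.lower().rstrip(".") for h in internal_mailservers}
    if helo_name.lower().rstrip(".") in internal:
        problems.append("HELO name equals an internal mail server hostname")
    return problems


# Constructed DNS data for the example; not real zones.
CONSTRUCTED_DNS = {
    ("corp.example", "MX"): ["mail.corp.example"],
    ("example.org", "A"): ["203.0.113.10"],
}


def resolve(name, rrtype):
    """Stand-in for the system resolver, answering only from the table above."""
    return CONSTRUCTED_DNS.get((name.lower().rstrip("."), rrtype), [])
```

Running helo_name_problems against the hostnames configured under Incoming domains before saving a custom HELO name catches the loop before the first bounce does; the second and third solutions in the list above both produce a name that passes the check.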

See also

A step by step guide to set up a basic e-mail proxy can be found here.

Commtouch utm

Changed in version 2.5-Arm: Removed as it is not available on the ARM architecture

This page includes configuration settings for the anti-spam engine. The following options can be configured:

Enable commtouch
Enables the commtouch antispam engine. This option is available only if commtouch is installed on the Endian UTM Appliance.
Enable spamassassin shortcircuit
Check this box to skip spamassassin whenever Commtouch marks a message as spam.
Ignore IPs/Networks
Here IPs and networks which should not be checked by commtouch can be defined.

In the SPAM tag level section the following options can be configured. The valid values for each option are between -10 and 10, inclusive.

CONFIRMED
Every e-mail with a tag level above this value will be recognised as spam.
BULK
Every e-mail with a tag level above this value will be identified as bulk mail.
SUSPECTED
Every e-mail with a tag level above this value is suspected to contain spam.
UNKNOWN
E-Mails with a tag level below this value will be classified as unknown.
NONSPAM
E-Mails with a tag level below this value will be recognised as non-spam mails.

DNS utm4i

The DNS proxy is a proxy server that intercepts DNS queries and answers them, without the need to contact a remote DNS server each time an IP address or a hostname must be resolved. When the same query is repeated often, caching its result locally can noticeably improve performance. The available settings for the DNS proxy are grouped into three tabs.

DNS proxy utm4i

A few options for the DNS proxy can be configured in this page.

Transparent on Green, Transparent on Blue, Transparent on Orange
Enable the DNS proxy as transparent on the GREEN, BLUE, and ORANGE zone, respectively. They appear only if the corresponding zones are enabled.

Specific sources and destinations can be set up to bypass the proxy by filling in their values in the two textareas. In the textarea on the left-hand side, sources can be specified as IP addresses, networks, or MAC addresses, whereas in the textarea on the right-hand side, the destinations can be specified as IP addresses or networks.

DNS Routing utm4i

Changed in version 2.5: Renamed from ‘Custom Nameserver’

On this page there is a list of custom nameservers that should be used for a given domain, to which new combinations nameserver/domain can be added by clicking on the Add new custom nameserver for a domain link. When adding an entry, a few values can be entered for the various options available:

Domain
The domain for which to use the custom nameserver.
DNS Server
The IP address of the nameserver.
Remark
An additional comment.

Anti-spyware utm4i

Changed in version 2.5-20130102: the DNS blacklist

This page presents configuration options about the reaction of the Endian UTM Appliance when asked to resolve a domain name that is known to be used to propagate spyware. The options that can be set are:

Enabled
The requests are redirected to localhost. In other words, the remote site will neither be contacted nor reachable.
Whitelist domains
Domain names that are entered here are not treated as spyware targets, regardless of the list’s content.
Blacklist domains
Domain names that are entered here are always treated as spyware targets, regardless of the list’s content
Spyware domain list update schedule
The update frequency of the spyware domain list. Possible choices are Daily, Weekly, and Monthly. By moving the mouse cursor over the respective question mark, the exact time of the update execution is shown.

Note

Older versions of the anti-spyware module used a different engine to block DNS requests, therefore another option was available:

Redirect requests to spyware listening post
When this option is enabled, the requests are redirected to the spyware listening post instead of localhost, providing useful information to the companies that fight malware and spyware. For more information, follow the link that is shown on the GUI.