For many people, electronic mail is an integral tool for conducting business. Exchanging electronic mail (e-mail) is often the reason sites decide they need to connect to the Internet. Such connections are not without risks, however.
The main protocol for transferring e-mail around the Internet is the Simple Mail Transfer Protocol (SMTP). Transfer requests are handled by a message transfer agent, such as the sendmail program used on many IRIX systems. The sendmail program is large and requires many privileges, and the Gauntlet design principle of reductionism does not allow such a program to serve as a critical security component of the Gauntlet Firewall. Instead, the Gauntlet Firewall includes a two-part proxy that securely handles the transfer of SMTP mail between the inside and outside networks.
Employees and companies are expanding the places in which and the types of systems on which they need to read their electronic mail. For a variety of reasons, it is not convenient to run a full mail transfer system using SMTP on these systems. The Post Office Protocol Version 3 (POP3) is one of the protocols that allow a workstation to access a mail server. The POP3 proxy included with the Gauntlet Firewall allows administrators to selectively allow outside hosts to exchange mail with a POP3 mail server through the firewall. The POP3 server should use APOP for authenticating the user.
This chapter discusses the concepts behind the SMTP and POP3 proxies, explains how they work, and describes how to configure the proxies for mail transfer and how to configure these services to run through the firewall.
The proxy for SMTP is actually two different processes: a client (smap) and daemon (smapd). Together, they provide configurable access control and logging mechanisms. The processes, which run on the firewall, transfer mail between internal and external mail servers, based on rules you supply. You can also configure the message transfer agent that the firewall uses to deliver the messages to other hosts.
The proxies also prevent the sendmail on the inside network from talking directly with sendmail on the outside network, so that a flaw in either is not exposed to the other. The proxies log all successful and unsuccessful mail connections and the number of bytes transferred.
The firewall runs the client proxy (smap) as a daemon listening for requests on the standard SMTP port (TCP port 25). When the firewall receives a request for SMTP service on this port, the smap client collects the mail from the sender, logs the transaction, and places the mail in a temporary directory. Periodically, based on a configurable value (by default, every 60 seconds), the daemon (smapd) wakes up and checks whether there is any new mail. The smapd daemon checks the headers of the mail for formatting problems. It then calls the configured message transfer agent (usually sendmail in delivery mode) for final delivery.
Both smap and smapd run under an unprivileged user ID that you specify, such as uucp. Rather than running as root, as sendmail often does, they run with only the privileges you assign. In addition, both programs change their root directory (chroot) to the transfer directory you specify, which limits what a compromised process could read or write.
A common configuration is to have one mail hub for the inside network. In this scenario, outside networks know (via DNS) that they should send all mail for the domains (yoyodyne.com) on the inside networks to the firewall (fire-out.yoyodyne.com) itself for processing. An outside host informs the firewall that it has mail. The firewall calls the smap client to handle the request. The smap client collects the mail from the outside host and writes it to a directory (/var/spool/smap) on the firewall.
At some interval (configurable by the system administrator), the smapd daemon awakens and looks for new mail on the firewall. It parses the mail headers and calls sendmail to deliver the messages to the SMTP mail hub on the trusted network. sendmail checks its configuration information, which indicates that it should deliver all internal mail to the internal mail hub (mail.yoyodyne.com). The sendmail program on the firewall transfers the mail to the SMTP service on the mail hub.
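The store-and-forward hand-off just described, as an added example in Python; it is not the smap/smapd source. The spool file layout, the reply strings, the particular header checks and the `deliver` callback that stands in for sendmail in delivery mode are all this example's assumptions, and it does not change user ID or chroot as the real programs do.

```python
import itertools
import os
import re
import tempfile

_seq = itertools.count()
_FIELD = re.compile(r"^[!-9;-~]+:")  # RFC 5322 field name (printable ASCII, no ':' or space) plus colon


def smap_session(client_lines, spool_dir):
    """smap-style collector: minimal SMTP verbs, no inspection of the message,
    which is written to the spool. Returns (server replies, spool path or None)."""
    replies, helo, mail_from, rcpts, path, i = ["220 fire-out.yoyodyne.com smap ready"], None, None, [], None, 0
    while i < len(client_lines):
        verb, _, arg = client_lines[i].partition(" ")
        verb, i = verb.upper(), i + 1
        if verb in ("HELO", "EHLO") and arg:
            helo, reply = arg, "250 fire-out.yoyodyne.com"
        elif verb == "MAIL" and helo and arg.upper().startswith("FROM:"):
            mail_from, rcpts, reply = arg[5:].strip(), [], "250 OK"
        elif verb == "RCPT" and mail_from is not None and arg.upper().startswith("TO:"):
            rcpts.append(arg[3:].strip())
            reply = "250 OK"
        elif verb == "DATA" and rcpts:
            replies.append("354 End data with <CR><LF>.<CR><LF>")
            body = []
            while i < len(client_lines) and client_lines[i] != ".":
                body.append(client_lines[i][1:] if client_lines[i].startswith(".") else client_lines[i])
                i += 1                                    # undo dot-stuffing, never parse the content
            terminated, i = i < len(client_lines), i + 1  # consume the lone "."
            if terminated:
                path = os.path.join(spool_dir, "sma%06d" % next(_seq))
                with open(path, "w", newline="") as f:    # envelope lines, blank line, message
                    f.write("FROM %s\r\n" % mail_from)
                    f.writelines("RCPT %s\r\n" % r for r in rcpts)
                    f.write("\r\n" + "\r\n".join(body) + "\r\n")
            reply = "250 OK queued" if terminated else "451 connection closed before end of data"
            mail_from, rcpts = None, []
        elif verb == "RSET":
            mail_from, rcpts, reply = None, [], "250 OK"
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            reply = "503 Bad sequence of commands or unknown command"
        replies.append(reply)
    return replies, path


def smapd_check_headers(path, max_line=998):
    """Header sanity pass of the kind smapd makes before hand-off; the exact
    checks are this example's choice. Returns a list of problems (empty = OK)."""
    with open(path, "r", newline="") as f:
        _env, _, msg = f.read().partition("\r\n\r\n")
    problems = [] if "\r\n\r\n" in msg else ["no blank line between headers and body"]
    for n, line in enumerate(msg.split("\r\n\r\n", 1)[0].split("\r\n"), 1):
        if len(line) > max_line:
            problems.append("line %d longer than %d octets" % (n, max_line))
        if any(o > 126 or (o < 32 and o != 9) for o in map(ord, line)):
            problems.append("line %d contains control or non-ASCII octets" % n)
        if not (_FIELD.match(line) or (n > 1 and line[:1] in " \t")):
            problems.append("line %d is neither a header field nor a continuation" % n)
    return problems


def smapd_run(spool_dir, deliver):
    """One wake-up of the smapd loop: files that pass go to `deliver` (standing in
    for sendmail in delivery mode); files that fail are renamed aside and returned."""
    quarantined = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not name.startswith("sma") or name.endswith(".bad"):
            continue
        problems = smapd_check_headers(path)
        if problems:
            os.rename(path, path + ".bad")
            quarantined.append((name, problems))
            continue
        with open(path, "r", newline="") as f:
            env, _, msg = f.read().partition("\r\n\r\n")
        env = env.split("\r\n")
        deliver(env[0][5:], [e[5:] for e in env[1:]], msg)   # sender, recipients, message
        os.unlink(path)
    return quarantined


# Constructed sessions: a well-formed message, and one whose second header line is garbage.
GOOD = ["HELO dimension.outside.example", "MAIL FROM:<penny@outside.example>",
        "RCPT TO:<john@yoyodyne.com>", "DATA", "From: penny@outside.example",
        "Subject: hello", "", "..dot-stuffed line", ".", "QUIT"]
BAD = ["HELO attacker.example", "MAIL FROM:<a@b.example>", "RCPT TO:<john@yoyodyne.com>",
       "DATA", "Subject: malformed", "this line is not a header", "", "body", ".", "QUIT"]


def demo(spool_dir=None):
    """Run both sessions through smap, then one smapd pass; returns what happened."""
    spool_dir = spool_dir or tempfile.mkdtemp(prefix="smap-")
    replies_good, _ = smap_session(GOOD, spool_dir)
    replies_bad, _ = smap_session(BAD, spool_dir)
    handed = []
    quarantined = smapd_run(spool_dir, lambda sender, rcpts, msg: handed.append((sender, rcpts, msg)))
    return replies_good, replies_bad, handed, quarantined


if __name__ == "__main__":
    print(demo())
```

The point of the split shows in `demo()`: smap answers `250 OK queued` to both sessions because it never interprets what it collects, and it is the separate smapd pass, running with the same unprivileged rights, that rejects the malformed headers and sets the file aside instead of handing it to sendmail.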
To access the SMTP proxy configuration:
Configuring the Gauntlet Firewall involves planning, configuring the firewall, configuring the proxies to enforce your security policy, and enabling the proxy.
When planning SMTP proxy services:
Understand your existing mail configuration: hosts, hubs, and so on.
Plan early to make your DNS changes for mail records. This may require contacting an outside organization providing DNS service, such as an internet service provider (ISP).
Note: This step is very important.
If you wish to allow SMTP traffic through the firewall, you must configure the firewall. The administrative interface writes this information to the sendmail.cf file, which contains information the sendmail program uses to deliver mail to internal systems.
To configure SMTP proxy settings:
In the Mail window, provide information about your SMTP mail settings.
| Setting | Description |
| --- | --- |
| Hostname | Name of the host to which the firewall forwards all e-mail for your domain. Enter a fully qualified host name to forward e-mail to a host inside your firewall for processing. Enter None if you want the firewall to process and deliver the mail itself; in that case, make sure the /etc/aliases file on the firewall contains information about internal systems. |
| IP Address | IP address of the internal mail hub. |
| Postmaster E-Mail Address | Address to which users and systems can send e-mail about mail problems: the name of a user, group, or alias who regularly reads this e-mail. |
| Shorten Sender's Address To Domain Name | Specifies whether the firewall rewrites outgoing e-mail addresses to remove system names from certain header lines (such as From: and cc:). Select enabled if you want the firewall to change addresses in outgoing mail from penny@dimension.yoyodyne.com to penny@yoyodyne.com. |
If desired, provide optional information about time-out values and other configuration settings for the SMTP proxy using the SMAP button at the bottom of the Mail window. Refer to the online help for specific information about the available settings. Refer to Chapter 30, “Managing Content Scanning,” for information on configuring content scanning.
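The rewriting that the Shorten Sender's Address To Domain Name option performs, as an added example in Python rather than the sendmail.cf rules the firewall actually writes; it is not Gauntlet code. The page names From: and cc: as rewritten headers; extending the set to Sender:, Reply-To: and To: is this example's assumption, as are the sample message and the domain yoyodyne.com.

```python
from email.utils import formataddr, getaddresses

# Address headers that are rewritten. The page names From: and cc:; the rest is an assumption.
REWRITE = ("from", "sender", "reply-to", "to", "cc")


def shorten_address(addr, domain):
    """penny@dimension.yoyodyne.com -> penny@yoyodyne.com. Addresses already at
    `domain`, addresses in other domains and bare local parts are left alone."""
    local, at, host = addr.rpartition("@")
    if not at:
        return addr
    host = host.lower()
    if host == domain or host.endswith("." + domain):
        return "%s@%s" % (local, domain)
    return addr


def _fields(head):
    """Group header lines into fields, keeping folded continuation lines attached."""
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in " \t" and fields:
            fields[-1] += "\r\n" + line
        else:
            fields.append(line)
    return fields


def shorten_header_addresses(message, domain, headers=REWRITE):
    """Rewrite the address headers of an RFC 822 message (CRLF line ends).
    Received: and other trace fields are deliberately not touched, so internal
    host names still appear there unless the MTA strips them."""
    head, sep, body = message.partition("\r\n\r\n")
    out = []
    for field in _fields(head):
        name, colon, value = field.partition(":")
        if colon and name.strip().lower() in headers:
            pairs = [(disp, shorten_address(addr, domain))
                     for disp, addr in getaddresses([value.replace("\r\n", " ")])]
            out.append("%s: %s" % (name, ", ".join(formataddr(p) for p in pairs)))
        else:
            out.append(field)                         # untouched fields keep their folding
    return "\r\n".join(out) + sep + body


# Constructed outgoing message as it would reach the firewall from an inside host.
SAMPLE = ("Received: from dimension.yoyodyne.com by fire-out.yoyodyne.com\r\n"
          "From: Penny Priddy <penny@dimension.yoyodyne.com>\r\n"
          "To: buckaroo@outside.example\r\n"
          "Cc: john@mail.yoyodyne.com,\r\n"
          " perfect.tommy@dimension.yoyodyne.com, lizardo@notyoyodyne.com\r\n"
          "Subject: about dimension.yoyodyne.com\r\n"
          "\r\n"
          "The body is never rewritten.\r\n")

if __name__ == "__main__":
    print(shorten_header_addresses(SAMPLE, "yoyodyne.com"))
```

Note what is not rewritten: the Received: trace header still names dimension.yoyodyne.com, lizardo@notyoyodyne.com is left alone because a suffix match on the bare string would be wrong, and nothing in the subject or body changes. Address shortening hides internal host names in the address headers only.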
Configuring settings consists of these activities:
Advertise the firewall as the mail exchange host for your domain. For more specific information, see IRIX Admin: Networking and Mail.
As long as you are using transparency to pass all packets for outside networks to the firewall (the default Gauntlet configuration), you do not need to configure your internal mail hub or mail agents. Because of the transparency, these systems forward all requests to the firewall.
If you are not using transparency, configure your internal mail hub to use the firewall as a mail forwarder, and direct clients to the internal mail hub. If you do not have an internal mail hub, configure the clients to use the firewall directly as a mail forwarder.
Verify your configuration by sending mail from an inside host to an outside host. Watch the logs on the firewall for error messages.
Run mail in verbose mode and send mail to a bouncing service, which will automatically generate a reply:
```
dimension-23: mail -v bouncer@bbnplanet.com
Subject: Test After Configuring Mail and the Gauntlet Firewall
This is a test.
.
```
The verbose mode ensures that you see the details of the delivery. The bouncer service sends you a return message shortly.
If you need to test header rewriting or other custom configurations, run sendmail in address test mode with the -bt option, which shows how the rulesets rewrite a given address without sending any mail.
The firewall and the smap and smapd proxies for SMTP traffic are transparent to the user.
The POP3 proxy is an application-level gateway that provides configurable access control, authentication, and logging mechanisms. The POP3 proxy, which runs on the firewall, transfers mail between external workstations and internal mail servers, based on rules you supply:
source IP address
source hostname
destination IP address
destination hostname
user name
Using these options, you can configure your firewall to allow specific hosts on outside networks to exchange mail with an internal mail server via POP3. For example, an employee with a laptop PC running Windows needs to read mail while traveling. The employee can use a mail user agent (such as Eudora Pro) on the laptop to collect mail from the mail server inside the perimeter. The proxy uses the APOP command (part of the POP3 protocol) for authentication: the password itself never crosses the network, only an MD5 digest of it combined with a per-connection timestamp, although the mail content is still transferred in the clear. The proxy logs all successful and unsuccessful mail connections, and the number of bytes transferred.
You can configure the POP3 proxy to allow inside workstations to exchange mail with POP3 servers outside the perimeter. However, most security policies (including the Gauntlet Firewall default) do not allow this. The POP3 proxy assumes that the SMTP proxy has already checked the header formatting of incoming mail, which is not true of mail fetched directly from an outside POP3 server. In addition, allowing POP3 clients to communicate with outside mail servers adds another level of complexity: it bypasses the inside mail hub, the central point of control that rewrites addresses and enforces other company policies. Your mail server should be behind the firewall on the inside network, and all POP3 clients on the inside network should collect their mail from that mail server.
The firewall runs the POP3 proxy (pop3-gw) as a daemon listening for requests on the standard POP3 port (TCP port 110). When the firewall receives requests for POP3 services on this port, the proxy checks its configuration information and determines whether the initiating host has permission to use POP3 services. If the host does not have permission, the proxy logs the connection and displays an error message.
If the host has permission, the POP3 proxy authenticates the user with APOP, using the APOP password stored on the firewall, and logs the connection. The proxy then opens its own connection to the POP3 server on the internal mail hub, authenticates there on the user's behalf with APOP (again using the stored password), and relays the session. The proxy remains active until either side terminates the connection.
The default configuration allows outside hosts to connect to an internal mail server to collect mail. The firewall itself cannot run a POP3 server, because the POP3 proxy is running on the standard POP3 port.
To access the POP3 proxy configuration:
Configuring the Gauntlet Firewall involves planning, configuring the proxy to enforce your security policy, creating APOP accounts for users who will need to authenticate, and enabling the proxy.
When planning POP3 proxy settings, determine your policies for:
source and destination addresses
user access to POP3
To configure POP3 proxy settings, provide information about your POP3 mail settings in the POP3 Mail and Proxy Configuration window.
POP3 Server Location | IP address of the system running your POP3 server. |
If you are using APOP authentication, which is the recommended and default configuration, you must create a user authentication entry for each user who will access the POP3 proxy.
To create user authentication entries:
Create user authentication entries for each user. You can use the same user ID and have different passwords for different types of authentication. For example, you can use a strong authentication mechanism for other access, and APOP authentication for POP3 access.
Provide information about the APOP password. Check the Set Pop3 Password box to indicate that you want to create an APOP password. Enter the new APOP password, then reenter the same new password in the Verify field.
Make a note of the POP3 password, as you need to enter the same value on the POP3 server and provide it to the user. Because APOP is a challenge-response scheme, the shared secret itself (not a one-way hash of it) must be stored on both the firewall and the POP3 server; protect the files that hold it accordingly.
To enable the POP3 proxy service:
In the Mail window, click Pop3.
In the POP3 window, click Enable Pop3.
Click OK.
Add the POP3 configuration to each service group that should be able to use the POP3 proxy.
Before exiting the Gauntlet Firewall Manager, save and apply your changes.
The firewall enables the POP3 proxy the next time you reboot.
You must configure your internal POP3 mail server so that it accepts requests for service from the firewall.
To configure your internal POP3 mail server:
Configure your POP3 mail server to accept POP3 requests from the firewall. If you need to specify an IP address, remember to use the internal IP address for the firewall.
Ensure that the POP3 mail server is using the POP3 port (110).
Configure your POP3 mail server to support APOP.
Configure the APOP password for each user. Use the same APOP password that you specified when creating user authentication entries on the firewall.
Because the POP3 proxy requires authentication, users need to follow different procedures to use POP3 services.
To retrieve electronic mail using POP3 with authentication:
Configure the mail user agent and set the name of the POP3 server to the firewall.
Retrieve mail, causing the user agent to connect to the firewall.
Authenticate to the proxy by supplying your APOP password.
Continue as though the firewall were not there.
Note: The order of these steps may differ for different user agents.
The example below shows a user working on an outside network who needs to retrieve mail from the mail server on the inside network.
First, the user configures the mail reader to get mail via POP3 from the firewall. The following figure shows the configuration window for Eudora Pro for Windows, a popular mail application.
John, working on his laptop (cavalier.yoyodyne.com) at home, configures his mail reader to connect to the firewall (fire-out.yoyodyne.com) to get his mail.
Next, John retrieves his mail. As part of the connection, the proxy requests authentication information from the user agent, which prompts the user. After authenticating, the proxy transfers the request to the internal POP3 mail server (mail.yoyodyne.com), authenticates using the value stored on the firewall, and retrieves his mail.
If you have multiple POP3 servers within your organization, all behind the same firewall, you can use the POP3 proxy to direct different users to different POP3 servers. It is not necessary to modify the configuration on the firewall.
To access different POP3 servers, enter your user name when prompted to authenticate. Use this format:
```
user%pop3server@firewall
```
user specifies the user name in the firewall's authentication system.
pop3server specifies the name of the POP3 server.
firewall specifies the name of the firewall.
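An added example, in Python and not the pop3-gw source, that walks through the two APOP exchanges the proxy performs (the client proving its secret to the firewall, then the firewall proving the same stored secret to the inside server) and parses the user%pop3server form above. It assumes the user agent sends only the part before @firewall, as a POP3 client does with an account of the form user@host. The host names, the user john, the secret, the stand-in server objects and the reply strings are this example's assumptions; the known-answer digest is the one printed in RFC 1939.

```python
import hashlib
import hmac
import itertools
import time


def apop_challenge(host, pid, clock=None):
    """Timestamp banner from RFC 1939, <process-id.clock@hostname>, sent in the
    greeting. It must differ for every connection, so callers pass a fresh pid."""
    clock = int(time.time()) if clock is None else clock
    return "<%d.%d@%s>" % (pid, clock, host)


def apop_digest(banner, secret):
    """APOP digest: lowercase hex MD5 of the banner followed by the shared secret."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()


def rfc1939_example():
    """Known-answer check with the banner and secret from RFC 1939, section 7."""
    return apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf")


def parse_proxy_user(name, default_server):
    """Split the user%pop3server form; a bare user name goes to the default server.
    Assumption: the user agent has already stripped the trailing @firewall."""
    user, sep, server = name.partition("%")
    return user, (server if sep else default_server)


class Pop3Server:
    """Stand-in for an inside POP3 server holding the same APOP secrets as the firewall."""
    def __init__(self, host, secrets):
        self.host, self.secrets, self._pid, self._issued = host, secrets, itertools.count(1), set()

    def connect(self):
        banner = apop_challenge(self.host, next(self._pid))
        self._issued.add(banner)
        return banner

    def apop(self, banner, user, digest):
        if banner not in self._issued:            # unknown or already-used banner: a replay
            return False
        self._issued.discard(banner)
        secret = self.secrets.get(user)
        return secret is not None and hmac.compare_digest(apop_digest(banner, secret), digest)


class Pop3Proxy:
    """Stand-in for pop3-gw: checks the client's APOP digest against the secret
    stored on the firewall, then uses that same secret to authenticate inside."""
    def __init__(self, host, secrets, servers, default_server):
        self.host, self.secrets, self.servers, self.default_server = host, secrets, servers, default_server
        self._pid, self._issued, self.log = itertools.count(1), set(), []

    def greet(self):
        banner = apop_challenge(self.host, next(self._pid))
        self._issued.add(banner)
        return banner

    def apop(self, banner, name, digest):
        user, server_name = parse_proxy_user(name, self.default_server)
        secret = self.secrets.get(user)
        ok = (banner in self._issued and secret is not None
              and hmac.compare_digest(apop_digest(banner, secret), digest))
        self._issued.discard(banner)              # one answer per banner, success or not
        if not ok:
            self.log.append("APOP failed for %r" % name)
            return "-ERR authentication failed"
        server = self.servers.get(server_name)    # only authenticated users get this far
        if server is None:
            self.log.append("%s: no such POP3 server %s" % (user, server_name))
            return "-ERR no such POP3 server"
        inner = server.connect()
        if not server.apop(inner, user, apop_digest(inner, secret)):
            self.log.append("%s: %s rejected APOP" % (user, server_name))
            return "-ERR inside server rejected APOP"
        self.log.append("%s: authenticated to %s" % (user, server_name))
        return "+OK %s logged in to %s" % (user, server_name)


def build_demo():
    secrets = {"john": "correct horse battery"}   # constructed shared secret
    servers = {h: Pop3Server(h, secrets) for h in ("mail.yoyodyne.com", "mail2.yoyodyne.com")}
    return Pop3Proxy("fire-out.yoyodyne.com", secrets, servers, "mail.yoyodyne.com")


def client_login(proxy, name, secret):
    """The user agent's side: read the greeting banner, answer with APOP."""
    banner = proxy.greet()
    return proxy.apop(banner, name, apop_digest(banner, secret))


if __name__ == "__main__":
    p = build_demo()
    for name, secret in (("john", "correct horse battery"),
                         ("john%mail2.yoyodyne.com", "correct horse battery"),
                         ("john", "wrong secret")):
        print(name, "->", client_login(p, name, secret))
```

Two things worth noticing: the proxy can only re-authenticate inside because it holds the user's secret in usable form, which is why the same APOP password must be entered on both the firewall and the server; and the server name in user%pop3server is only looked up after the client has authenticated, so an unauthenticated outside host cannot use the proxy to discover which inside servers exist.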