Protection

  • Specifying the Server Own Users
  • Verifying Return-Path Addresses
  • Blacklisting Offenders
  • Using DNS-based blacklisting (RBL)
  • Restricted Relaying

    You should read this section only if your SMTP module is set to receive messages via TCP/IP.

    The Internet is flooded with soliciting E-mail messages distributed to millions of E-mail addresses. These messages are known as "spam".

    Spammers fill your users' mailboxes with a huge amount of unwanted messages, not only overloading the Internet and your Server resources, but also making mail retrieval very slow and difficult for your users.

    In order to distribute their messages to thousands and even millions of E-mail addresses, spammers try to use any SMTP mail server on the Internet as a relay: they deliver one copy of the message to each mail server, requesting that it route the message to 100 addresses. This practice not only overloads your Server resources, but also places you at risk of being recognized as a spammer (since the messages come from your server).


    Specifying the Server Own Users

    If your SMTP module can accept incoming TCP connections from POP and IMAP mailers, you may want to specify the IP addresses of your users: messages received from the specified IP addresses will be marked as "local". If, for example, your CommuniGate Fax module does not allow "non-local users" to send faxes to long-distance numbers, this restriction will not apply to messages submitted from the listed IP addresses. Such messages can be sent to any fax number, as if submitted directly with the CommuniGator client application.

    Open the SMTP Service Settings and click the Our Users button. The dialog box appears and allows you to enter the IP addresses of your POP and IMAP users:

    Each line can contain either one address in the form:
    12.34.56.78
    or a range of addresses in the form:
    12.34.50.01-12.34.59.99

    Usually, you would put the address range for your entire LAN here. If you have a branch office that should have access to all the CommuniGate features without any restriction, as your local users do, then you should put the addresses of the branch office LAN (or of the mail server on that LAN) into this list, too.

    All messages received from the addresses included in the Our Users list are marked as submitted by "local" users.

    All messages received with the SMTP module via AppleTalk are marked as submitted by "local" users.


    Verifying Return-Path Addresses

    If your SMTP module can accept incoming TCP connections, your server can be used by spammers as a mail relay engine: they can distribute their messages all over the world using your server. To protect your site from spammers, the SMTP module can verify the Return-Path address (specified with the Mail From SMTP command) of incoming messages.

    When the Verify Return-Path option is selected in the SMTP Service Settings, the SMTP module parses the message Return-Path (Mail From) addresses, and the module refuses to receive a message if:

    The SMTP module uses the CommuniGate Router after it parses the Mail From address. If that address is an address of a local user, or the address is known (rerouted) with the Router, the Mail From address is accepted. This eliminates Domain Name System calls for the addresses "known" to the Server.

    The addresses routed to ERROR are rejected, so you can specify "bad" addresses and domains in the Router.

    Examples:
    If you do not want to accept mail from any address in the offenderdomain.com domain, put the following line into the Router settings:
    offenderdomain.com = error
    or
    <*@offenderdomain.com> = error
     
    If you do not want to accept mail from all addresses starting with "promo" in the offenderdomain.com domain, put the following line into the Router settings:
    <promo*@offenderdomain.com> = error

    If the Return-Path domain cannot be verified because the Domain Name Server that keeps that domain's records is not available, the module refuses to accept the message, but instead of a "permanent" error code the module returns a "temporary" error code to the sending system. The sending system will try again later.


    Blacklisting Offenders

    If your SMTP module can accept incoming TCP connections, your server can be used by spammers as a mail relay engine: they can distribute their messages all over the world using your server. They can also send a lot of soliciting messages to your clients. To protect your site from the known spammer sites, you can put the IP addresses of the offending hosts into the SMTP Black List.

    When a host with an address included in the Black List connects to your server and tries to submit a message, it gets an error message from your SMTP module and mail from that host is not accepted.

    To enter data into the Black List, open the SMTP Service Settings dialog box and click the Black Listed button. A dialog box appears and allows you to enter the IP addresses of the offending hosts:

    Each line can contain either one address in the form:
    12.34.56.78
    or a range of addresses in the form:
    12.34.50.01-12.34.59.99

    There are several Web sites on the Internet that maintain the lists of known spammers. A special section on the Stalker Software Web site lists the addresses of the hosts that abused the mail servers at Stalker Software, Inc. and its subsidiaries.


    Using DNS-based Blacklisting

    It is difficult to keep the Server "blacklist" current. So-called RBL (Realtime Blackhole List) services can be used to check if an IP address is known as a source of spam.

    Some ISPs have their own RBL servers running, but any RBL server known to have a decent blacklist can be used with your CommuniGate SMTP module. Consult with your provider about the best RBL server available.

    To use an RBL server, select the Use RBL at option and enter the exact domain name (not the IP address!) of that server. Now, when the SMTP module accepts a connection from an IP address aaa.bbb.ccc.ddd and this address is not listed in the Blacklisted and Client Hosts lists, the module composes a fictitious domain name ddd.ccc.bbb.aaa.rbl-server-name, where rbl-server-name is the domain name of the RBL server you have specified.

    The SMTP module then tries to "resolve" this name into an IP address. If this operation succeeds and the retrieved IP address is 127.0.0.2, then the aaa.bbb.ccc.ddd address is considered to be blacklisted.

    Note: this option results in an additional DNS (Domain Name System) operation and thus it can cause delays in processing of incoming connections.
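
    The lookup described above, written out as an added example (it is not CommuniGate code). The server name rbl.example.net and the sample zone data are constructed so the check runs without a network; pass system_resolver to query a real RBL server.

```python
import socket

LISTED_ANSWER = "127.0.0.2"  # the only answer the page treats as "blacklisted"

def rbl_query_name(client_ip, rbl_server):
    """Turn aaa.bbb.ccc.ddd into ddd.ccc.bbb.aaa.rbl-server-name."""
    octets = client_ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted IPv4 address: %r" % client_ip)
    return ".".join(reversed(octets)) + "." + rbl_server.strip(".")

def system_resolver(name):
    """Return the IPv4 addresses the name resolves to, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def is_blacklisted(client_ip, rbl_server, resolve=system_resolver):
    """RBL check for an address that is in neither the Blacklisted nor the Client Hosts list."""
    # A name that fails to resolve, or resolves to something else, is not listed.
    return LISTED_ANSWER in resolve(rbl_query_name(client_ip, rbl_server))

# Constructed zone data standing in for a real RBL server, so the example runs offline.
SAMPLE_ZONE = {
    "10.2.0.192.rbl.example.net": ["127.0.0.2"],  # listed
    "11.2.0.192.rbl.example.net": ["127.0.0.4"],  # resolves, but not to 127.0.0.2
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        name = rbl_query_name(ip, "rbl.example.net")
        print(ip, name, is_blacklisted(ip, "rbl.example.net", resolve=sample_resolver))
```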


    Restricted Relaying

    If your SMTP module can accept incoming TCP connections, your server can be used by spammers as a mail relay engine: they can distribute their messages all over the world using your server. To protect your site from spammers, the system can restrict its relaying functionality.

    If all your users employ the CommuniGator application, or other AppleTalk-based mailers, simply select the Do not Serve Strangers option.

    If you have POP and/or IMAP users, put the IP addresses they connect from into the Own Users dialog box and select the Restricted Relaying option.

    If your Server acts as a back-up mail server for other hosts, or if your Server is used as a forwarding ("foreign") mail server for some dial-up client hosts, open the SMTP Service Settings and click the Client Hosts button. A dialog box appears and allows you to enter the IP addresses of these client systems.

    Note: you should not repeat the addresses entered in the Our Users box: mail from those addresses can always be relayed.

    If you have dial-up or LAN users that use POP and IMAP mailers and you do not want the server to consider them "Own Users", enter the range of the IP addresses they use into the Client Hosts dialog box, not into the Our Users dialog box.

    Now, when a message is received with the SMTP module via TCP/IP, and the sender IP address is found neither in the Client Hosts nor in the Own Users list, the message is marked as being received "from a stranger". If this message should be relayed by your server to some other host on the Internet, and that host is not listed in the Client Hosts list either, the message is rejected.

    As a result, servers and workstations included in the Client Hosts and Own Users lists can use your server to send (relay) messages to anybody on the Internet, and any message from the Internet can be relayed to any listed address. But any message coming from an unlisted system and directed to some other unlisted system will be rejected. This will prohibit spammers from using your server as a mail relay.

    Since this functionality can affect your legitimate users if you do not specify their IP addresses correctly, the Restricted Relaying option is available in the SMTP Service Settings. The "stranger-to-stranger" messages are rejected only if this option is selected.
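
    The relaying rule above as an added example (not CommuniGate code), useful for checking what a pair of lists would allow before the option is turned on. It reads lists in the dialog-box format shown earlier; the function names, the sample lists and the next_hop_ip parameter are assumptions made for the example.

```python
def ip_to_int(text):
    """Parse dotted IPv4; octets are decimal, so the page's '12.34.50.01' is 12.34.50.1."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % text)
    return sum(int(p) << shift for p, shift in zip(parts, (24, 16, 8, 0)))

def parse_ip_list(text):
    """Read a list in the dialog-box format: one address or one lo-hi range per line."""
    ranges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        lo, sep, hi = line.partition("-")
        lo_n, hi_n = ip_to_int(lo), ip_to_int(hi if sep else lo)
        if lo_n > hi_n:
            raise ValueError("range runs backwards: %r" % line)
        ranges.append((lo_n, hi_n))
    return ranges

def listed(ip, ranges):
    """True if ip falls inside any entry of a parsed list."""
    n = ip_to_int(ip)
    return any(lo <= n <= hi for lo, hi in ranges)

def relay_decision(sender_ip, next_hop_ip, own_users, client_hosts, restricted=True):
    """next_hop_ip is the host the message would be relayed to, None for local delivery."""
    if next_hop_ip is None:
        return "accept"  # addressed to this server, nothing is relayed
    stranger = not (listed(sender_ip, own_users) or listed(sender_ip, client_hosts))
    # As stated above, the destination is checked against Client Hosts only.
    if not stranger or listed(next_hop_ip, client_hosts):
        return "relay"
    return "reject" if restricted else "relay"  # stranger-to-stranger

# Constructed sample lists (the range is the page's own format example).
OWN_USERS = parse_ip_list("12.34.50.01-12.34.59.99\n")
CLIENT_HOSTS = parse_ip_list("198.51.100.25\n")

if __name__ == "__main__":
    for src, dst in (("12.34.55.10", "203.0.113.9"), ("203.0.113.7", "198.51.100.25"),
                     ("203.0.113.7", "203.0.113.9"), ("203.0.113.7", None)):
        print(src, "->", dst, relay_decision(src, dst, OWN_USERS, CLIENT_HOSTS))
```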