Access

ISMail uses a number of access methods to make it easy send, receive, and retrieve messages, but at the same time, keep unauthorized users out.

Several of these methods can also be used to reduce the quantity of unwanted messages (also see Anti-Spam).

Access Control Methods

The access control methods, and the mail operations they apply to are shown in the table below.

Definitions of each Access Control Method and Mail Operation are followed by explanations of how these Access Control Methods apply to the Mail Operations.

Access Control Method:
Send
[SMTP]
Receive
[SMTP]
Retrieve
[POP/IMAP]
IP Address (Trusted)
x
x
 
IP Address (Blocked)
x
x
 
Whitelist
 
x
 
BlackList
 
x
 
Reverse DNS Check
 
x
 
Internet Filter (RBL)
 
x
 
SMTP Authentication
x
 
 
Account Login
x
  
x
Greylist
 
x
 

Access Control Method Definitions:

Account Login: valid POP3 and IMAP4 logins (username/password). These logins must always be supplied to retrieve messages. Account logins can also be used to authenticate for sending messages, although this is not recommended due to possible router compromises (SMTP Authentication is recommended). In the case of POP3, the user remains authenticated for up to 1 hour after receiving email. After this period, another login is required to re-authenticate. In the case if IMAP4, the user remains authenticated so long as the IMAP session is active.

Trusted IPs: IP addresses from which messages can always be received or sent since the IP is pre-authenticated.

Blocked IPs:IP addresses from which no connections will be accepted. Blocked IPs are useful for refusing connections from known mail abusers at fixed (static) IP addresses.

Whitelist: IP addresses, domains, or accounts from which messages will always be accepted.

Blacklist: IP addresses, domains, or accounts from which messages will never be accepted.

Reverse DNS Check: lookup of hostname using the IP of the system connecting to the mail server. If hostname is not found, then messages will not be accepted.

Internet Filter (RBL): optional internet services which keep track of the IP addresses of known mail abusers and open relay systems (open relays are mail servers that anyone can use to send messages without any authorization). Filters are supplied by third parties, typically on a subscription basis. Each filter has a domain name, which is used to check the IP address of a message sender to see if messages should be handled or not. Filters use sender's IP address together with the domain name of the filter service to check for a match.

SMTP Authentication: a valid login to the SMTP server will authenticate a sender. SMTP Authentication uses SASL (Simple Authentication and Security Layer) with PLAIN, LOGIN, NTLM, or the CRAM-MD5 protocol.

Important Note: the LOGIN protocol sends login information unencrypted to SMTP and is, therefore, not recommended for general use. However, LOGIN is used by several popular mail clients and is enabled by default. See SMTP Authentication for more details.

Greylist: the IP address, sender, and recipient of a message must be 'known' or the message is temporarily refused. If the sender retries withing the Greylist timing limits, the message will be accepted.

Mail Operation Definitions:

  • Send: transmit a message to an email account in a domain not on the local server
  • Receive: accept a message for an email account in a domain on the local server
  • Retrieve: read a message in an email account in a domain on the local server
Sending Messages

A message originator must be authenticated to send a message. This prevents unauthorized originators from using ISMail.

Authentication is done using:

  • an Account login
  • a Trusted IP address, or
  • SMTP Authentication

Messages sent when an Account login is used may only be sent for a certain period of time until another Account login is required (for POP3, this may be up to one hour). This reduces the chance that the authenticated sender's IP address can be re-used by a different (and un-authenticated) sender, which can happen if the authenticated sender has a dynamic IP address (e.g. dial-up modem) and gives up that address (e.g. hangs up).

Messages originating from a Trusted IP address can be sent at any time without restriction as the IP address of the sender authenticates the sender.

Messages sent using SMTP Authentication can be sent at any time without restriction as email clients authenticate each time a connection is made to the mail server in order to send a message.

Receiving Messages

Messages are accepted (or refused) from a message originator based on the following rules. If the message:

  • is from an IP on the 'Trusted IP' list, it is accepted
  • is from an IP on the 'Blocked IP' list, it is refused
  • matches a system Whitelist entry, it is accepted
  • matches a system Blacklist entry, it is refused
  • is from an IP which does not have a Reverse DNS host name, it is refused
  • is not passed by the Greylist filter, it is refused
  • is directed to an unknown Account, it is refused (unless Account 'nobody' is defined; that Account can be used to collect all mail to unknown Accounts)
  • is directed to the 'postmaster' Account on any local Domain, it is accepted
  • is received from an authenticated originator, it is accepted
  • is received from any other originator and there are no Filters, it is accepted

In addition:

  • if one or more Filters (RBLs) are used and the originator's IP address is found on one of the Filter's lists, any messages from that originator are refused

Although these rules may seem complicated, they work reasonably well in the default configuration and allow additional administrative control.

Retrieving Messages

To retrieve messages, an email client program must always supply an Account login. Message retrieval is not affected by the Trusted IPs or Blocked IPs lists.

The message retrieval login protocol supports both plaintext and CRAM-MD5 encryption. If CRAM-MD5 encryption is used, account names and passwords are sent from the email client program in an encrypted format for security.

Setting Access Configuration Options

The 'Access' menu tab in the ISMail Configuration sheets is used to set the mail server access configuration options.

IP Addresses (Trusted IPs) List

To add one or more IP addresses:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Click 'Add Range' in the Trusted IPs box.
  4. Enter the IP address(es). IP addresses may be specific values (e.g. 1.2.3.4), ranges (e.g. 1.2.3.4-12), or 'wildcards' (e.g. 1.2.3.*). Ranges specify all IPs within the specified limits (including the limits themselves). Wildcards specify the full range of values, 0-255, for each octet).
  5. Click ''Apply'.

To remove an IP address, select the IP address (or range) and click 'Remove Range'.

IP Addresses (Blocked IPs) List

To add one or more IP addresses:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Click 'Add Range' in the Blocked IPs box.
  4. Enter the IP address(es). IP addresses may be specific values (e.g. 1.2.3.4), ranges (e.g. 1.2.3.4-12), or 'wildcards' (e.g. 1.2.3.*). Ranges specify all IPs within the specified limits (including the limits themselves). Wildcards specify the full range of values, 0-255, for each octet).
  5. Click 'Apply'.

To remove an IP address, select the IP address (or range) and click 'Remove Range'.

System Whitelist / Blacklist

To edit the system Whitelist or Blacklist

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Click 'Whitelist/Blacklist' in the Blocked IPs box.
  4. Under the Whitelist (or Blacklist) box, click 'Add'
  5. Enter an IP address, domain name, or account name and click 'OK'.

Internet Filters (RBLs)

To add a Filter:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab
  3. Click one of the 'Filter' checkboxes.
  4. Enter the domain name of the Filter service.
  5. Click ''Apply'.

To remove a Filter, uncheck the 'Filter' checkbox.

Reverse DNS Checking

To enable Reverse DNS checking:
  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Select the 'Reverse DNS Required' checkbox.
  4. Click 'Apply'.

To disable Reverse DNS checking:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Deselect the 'Reverse DNS Required' checkbox.
  4. Click 'Apply'.

SMTP Authentication

To use SMTP Authentication to authenticate,:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'. Select the 'Access' tab.
  2. Select one or more of the SMTP Authentication checkboxes.
  3. Click 'Apply'.

Account Login (for authentication)

To enable the Account Login for authentication:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Select the Account Login checkbox.
  4. Click 'Apply' .

To disable the Account Login for authentication:

  1. Select the 'Access' tab.
  2. Clear the Account Login checkbox.
  3. Click 'Apply' .

Warning: if the ISMail machine is behind a network address translation (NAT) system, account logins should be disabled, since all connections to ISMail may be assigned the same IP address; in other words a valid login can cause ISMail to be an 'open relay'. SMTP Authentication is the recommended method of account authentication.

Greylist

To enable Greylisting:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Select the Greylist checkbox.
  4. Click 'Apply' .

To disable Greylisting:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Deelect the Greylist checkbox.
  4. Click 'Apply' .

To modify Greylisting parameters:

  1. Right-click the ISMail Manager program icon located in the lower-right portion of the screen (notification area of system tray), and select 'Open'.
  2. Select the 'Access' tab.
  3. Click the Options button next to the Greylist checkbox.
  4. Set the Initial Block Period (in minutes) to the length of time that messages from 'unknown' sources should be refused. The default is 60 minutes, which is long enough for many internet filters to pickup 'bad' IP addresses.
  5. Set the Block Record Lifetime (in minutes) to the length of time that 'unknown' sources should have (beyond the Initial Block Period) to retransmit a message that was temporarily refused by the Greylist filter. The default is 4 hours, which is long enough for nearly all legitimate mail servers to retry a message which was temporarily refused by the Greylist filter.
  6. Set The Pass Record Lifetime (in days) ot the length of time that messages from 'known' sources should be accepted by the Greylist filter. The default is 36 days, which will allow monthly messages (that are sent on the same day of the month) to continue to be delivered without being temporarily refused.