Info: Mailbox Verification vs. Mailbox Authentication

 

Product: modusGate

Version & Build: All

 

 

This article explains the difference between the User Population (mailbox verification) and Quarantine Login Authentication (mailbox authentication) functions of modusGate. One checks whether a mailbox exists; the other verifies the user's password.

 

The following are types of mailbox verifications:

  • SMTP
  • SMTP_VRFY
  • Exchange 2000+
  • Exchange 5.5
  • Lotus Domino
  • Open LDAP
  • Disabled
  • Tertiary MTA-Based Authentication


 
The following are for user authentication:

  • SMTP_AUTH
  • Exchange 2000+
  • Exchange 5.5
  • Open LDAP
  • POP3
  • Tertiary MTA-Based Authentication
 


Purpose of Mailbox Verification [Populate User Mailboxes]:

  • To verify the existence of a mailbox on the primary server, to avoid sending messages to non-existent mailboxes
  • modusGate can reject messages immediately during dictionary attacks instead of passing them through to the primary server

 

 

Purpose of Mailbox Authentication:

  • Used to permit the WebQuarantine login
  • As modusGate does not store user passwords, a method to authenticate user passwords is required

 

 

 


Mailbox Verification

 

SMTP:

  • All mail servers other than Microsoft™ Exchange & Lotus Domino support this method
  • Before delivering a message to a user on the primary server, modusGate does the following:
     
    ehlo modusgate.yourdomain.com
    mail from: originator@domain.com
    rcpt to: address@yourlocaldomain.com


  • If the primary server replies 550 no such user here, modusGate blocks the message
  • SMTP is the most widely supported method because most servers reject messages destined for a non-existent mailbox
  • This method does not detect aliases; aliases, therefore, count as mailboxes
     
     

 

SMTP_VRFY:

 

  • This method is similar to SMTP, except it makes use of the VRFY command that exists on most mail servers
  • Also supported by Exchange 5.5 (but not subsequent versions)
  • On many servers, it can help to detect aliases
    • modusGate connects to the main mail server to verify the existence of a mailbox:
       
      ehlo modusgate.yourdomain.com
      vrfy user@yourlocaldomain.com
       
    • If your server returns the following, the feature is supported:

      550 no such user here - for invalid users, and
      250 user@yourlocaldomain.com - for valid users

    • modusGate can detect aliases if the following is successful:

      VRFY alias@yourlocaldomain.com
      250 realusername@yourlocaldomain.com

  • If the target server supports the above, then aliases are detected
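As an added example (not Vircom's code), the following Python models how a gateway should interpret the RCPT TO and VRFY replies shown above, including the 4xx and 252 cases the article does not spell out; the reply codes and texts are constructed samples.

```python
"""Interpret primary-server replies for the SMTP and SMTP_VRFY methods.
Constructed example, not modusGate's code; sample replies are made up."""
import re
from typing import NamedTuple, Optional

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

class Verdict(NamedTuple):
    status: str               # "valid", "invalid" or "unknown"
    canonical: Optional[str]  # real mailbox when the probed address is an alias

def classify_rcpt(code: int) -> Verdict:
    """RCPT TO reply: only a definite 5xx means 'no such user'.
    A 4xx is a temporary failure (greylisting, busy server); treating it as
    'invalid' would make the gateway bounce mail for real users."""
    if 200 <= code < 300:
        return Verdict("valid", None)
    if code >= 500:
        return Verdict("invalid", None)
    return Verdict("unknown", None)

def classify_vrfy(probed: str, code: int, text: str) -> Verdict:
    """VRFY reply: 250 confirms the mailbox; if the echoed address differs
    from the probed one, the probed address is an alias of it.
    252 (RFC 5321: 'cannot VRFY user, but will accept message') means the
    server does not really answer VRFY, so fall back to the SMTP method."""
    if code == 250:
        m = ADDR_RE.search(text)
        real = m.group(0).lower() if m else None
        if real and real != probed.lower():
            return Verdict("valid", real)
        return Verdict("valid", None)
    if code >= 500:
        return Verdict("invalid", None)
    return Verdict("unknown", None)  # 252, 4xx, anything unexpected

# Constructed sample replies: (probed address, code, reply text)
SAMPLE_VRFY = [
    ("user@yourlocaldomain.com", 550, "no such user here"),
    ("user@yourlocaldomain.com", 250, "user@yourlocaldomain.com"),
    ("alias@yourlocaldomain.com", 250, "realusername@yourlocaldomain.com"),
    ("user@yourlocaldomain.com", 252, "Cannot VRFY user, but will accept message"),
]

if __name__ == "__main__":
    for probed, code, text in SAMPLE_VRFY:
        print(probed, code, classify_vrfy(probed, code, text))
```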
     

 

 

 

Exchange 2000+ / Exchange 2003:

  • modusGate performs an Active Directory lookup via an LDAP query to see whether the user exists
  • For more information about this configuration, please see the following article:
     
    How-To: Deploy ModusGate with Exchange/LDAP Servers

  • modusGate looks for the user in the AD tree, specifically for these four attributes:
     
    mail:  xyz@yourdomain.com [the email address of the user]

    proxyAddress:  SMTP:jim@yourdomain.com [jim@yourdomain.com is an alias for xyz@yourdomain.com]

    mailnickname:  could be anything; the property must exist but its content is not important

    displayname:  could be anything; the property must exist but its content is not important

  • Aliases are detected with Active Directory lookups
  • Distribution lists do count as mailboxes
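As an added example (not Vircom's code), this Python builds the kind of Active Directory query the lookup above implies, escaping the envelope-supplied address per RFC 4515 before splicing it into the filter, and then resolves a constructed AD entry to its primary mailbox; the attribute used is proxyAddresses, the real AD name for what the article calls proxyAddress.

```python
"""Build and interpret the Active Directory lookup for Exchange 2000+.
Constructed example, not modusGate's code; the sample entry is made up.
The real AD attribute is proxyAddresses (the article calls it proxyAddress)."""
from typing import Dict, List, Optional

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX. The address comes from
    the SMTP envelope, so without this a crafted RCPT TO could rewrite the
    filter (LDAP injection) and match a mailbox that does not exist."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def mailbox_filter(address: str) -> str:
    """Match a user whose primary (mail) or secondary (proxyAddresses) SMTP
    address is `address` and whose mailNickname and displayName exist."""
    a = ldap_escape(address)
    return ("(&"
            f"(|(mail={a})(proxyAddresses=SMTP:{a})(proxyAddresses=smtp:{a}))"
            "(mailNickname=*)(displayName=*))")

def resolve(address: str, entry: Dict[str, List[str]]) -> Optional[str]:
    """Return the primary mailbox if `address` is that mailbox or one of its
    aliases, else None. In AD an uppercase 'SMTP:' prefix marks the primary
    address and lowercase 'smtp:' marks a secondary (alias) address."""
    if not entry.get("mailNickname") or not entry.get("displayName"):
        return None  # article: both properties must exist
    wanted = address.lower()
    primary = entry.get("mail", [""])[0].lower()
    if primary == wanted:
        return primary
    for pa in entry.get("proxyAddresses", []):
        kind, _, addr = pa.partition(":")
        if kind.lower() == "smtp" and addr.lower() == wanted:
            return primary
    return None

# Constructed AD entry for the xyz@yourdomain.com user in the article
SAMPLE_ENTRY = {
    "mail": ["xyz@yourdomain.com"],
    "proxyAddresses": ["SMTP:xyz@yourdomain.com", "smtp:jim@yourdomain.com"],
    "mailNickname": ["xyz"],
    "displayName": ["Jim Example"],
}

if __name__ == "__main__":
    print(mailbox_filter("jim@yourdomain.com"))
    print(resolve("jim@yourdomain.com", SAMPLE_ENTRY))
```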
     
     

 

Exchange 5.5:

  • This is a special LDAP connector that requires the use of custom attributes for the feature to work properly (see the Exchange Deployment Guide, How-To: Deploy ModusGate with Exchange/LDAP Servers). Vircom does not usually recommend using Exchange 5.5 LDAP verification because of the requirement for custom attributes via the X400 connectors.
  • We strongly encourage Exchange 5.5 users to use SMTP_VRFY instead
  • To enable SMTP_VRFY on Exchange 5.5:
    • On the Exchange 5.5 server, open the Registry Editor
    • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange\Parameters
    • Right-click and select New > DWORD value
    • Name the new value EnableVRFY
    • Double-click EnableVRFY and, at Value data, enter 0x1 (to enable)
  • NOTE:  Administrators consider SMTP_VRFY a security risk because it can be used to enumerate the valid accounts on the domain, which, for example, could give spammers legitimate email accounts to target. However, if your main mail server is kept off the public Internet (i.e. only modusGate is visible to the outside world), this will not be an issue.
  • Once you have Exchange 5.5 SMTP_VRFY enabled, you can configure the panel to use SMTP_VRFY on port 25
  • Aliases and distribution lists are not detected and will count as mailboxes

 

 

Lotus Domino:

  • Please consult the Lotus Deployment document attached to the following article:
     
    How-To: Deploy ModusGate with Lotus Domino 5 & 6

  • Domino supports SMTP_VRFY so you should use this before trying to implement an LDAP-based solution
  • Aliases may not be detected in this situation and may count as mailboxes


OpenLDAP:

  • OpenLDAP is a generic LDAP authentication mechanism that works with many mail servers, assuming an LDAP server is being used
  • However, you should use another method (SMTP or SMTP_VRFY) before trying OpenLDAP (because of the complexity of an LDAP setup)
  • Aliases may not be detected in this situation and may count as mailboxes
     

References:

How-To: Deploy ModusGate with QMAIL
How-To: Deploy ModusGate with Sendmail
How-To: Deploy ModusGate with PostFix
How-To: Deploy ModusGate with Groupwise
 

 

Disabled:
 

  • As there is no verification, you need to populate the users in advance in modusGate
  • This option exists for cases where there is no way to verify the existence of a mailbox
  • Example: the target mail server is an Exchange Server behind layered firewalls and the administrator does not want to expose the LDAP / Active Directory port
  • In those cases, the only option is to pre-populate the server and set the Do not delete flag for these mailboxes to true
  • You can mass-create mailboxes using the mailbox.exe command-line tool:
     
    mailbox -create jim@yourlocaldomain.com 0
    mailbox -create joe@yourlocaldomain.com 0
    mailbox -create bill@yourlocaldomain.com 0


  • To set the Do not delete flag
     
    mailbox -set jim@yourlocaldomain.com GateManualNotSync 1
    mailbox -set joe@yourlocaldomain.com GateManualNotSync 1
    mailbox -set bill@yourlocaldomain.com GateManualNotSync 1


  • Note that this method does not fix the problem with mailbox authentication for the WebQuarantine login
  • Users may not be able to log into WebQuarantine but may be able to use the Quarantine reports (because Modus does not keep passwords locally)
     
     

Tertiary MTA-Based Authentication:

 

  • Because passwords are not kept locally with disabled mailboxes, WebQuarantine login is impossible unless you can use POP3 or SMTP_AUTH
  • If this is not possible, you can use ModusMail-L, a lightweight version of ModusMail
  • ModusMail-L, with no spam scanning, is used solely to store users and passwords
  • Install the software on an older PC (Pentium, 400 MHz, 192 MB RAM, minimum) and populate the mail server using mailbox.exe
  • You can also set passwords that are independent of the password system you use internally
  • This keeps the WebQuarantine credentials separate from your internal password system
     
    maildomain -create yourlocaldomain.com
    mailbox -create jim@yourlocaldomain.com 0
    mailbox -pass jim@yourlocaldomain.com thepassword
    mailbox -create joe@yourlocaldomain.com 0
    mailbox -pass joe@yourlocaldomain.com thepassword

     
  • Point mail flow to the primary server and mailbox population/authentication to the ModusMail-L PC (SMTP or SMTP_VRFY)
  • If IIS is installed on the ModusMail-L PC, users can change their passwords by going to http://<ip-of-modusL>/webadmin
     

 

 

Mailbox Authentication


SMTP_AUTH:

  • The preferred authentication method in most cases
  • Most mail servers support some form of SMTP authentication for relaying purposes
  • In this case, modusGate can proxy the request
  • The only complication is that modusGate usually passes the full username@domain.com during the SMTP authentication transaction
    • If your primary mail server does not support this, enable the option Strip Domain name from authentication requests, which sends only the username during the authentication attempt
    • To enable this, go to Connections – Properties – General
  • This method cannot be used with Exchange 2000/2003, but you can use Active Directory lookups instead


 
Exchange 2000+:

  • modusGate performs an Active Directory lookup to see if it can bind to the user via an LDAP Query
  • A failed bind usually occurs when the password does not match
  • For more information about this configuration, please see the following article:
     
    How-To: Deploy ModusGate with Exchange/LDAP Servers
     
     


Exchange 5.5:

  • This is a special LDAP connector that requires the use of custom attributes for the feature to work properly
  • Vircom does not usually recommend using Exchange 5.5 LDAP verification because of the requirement for custom attributes via the X400 connectors
  • We strongly encourage Exchange 5.5 users to use SMTP_AUTH instead
     
     

OpenLDAP:

  • OpenLDAP is a generic LDAP authentication mechanism that works with many mail servers, assuming an LDAP server is being used
  • However, you should use another method (SMTP_AUTH) before trying OpenLDAP (because of the complexity of an LDAP setup)

 

References:

How-To: Deploy ModusGate with QMAIL
How-To: Deploy ModusGate with Sendmail
How-To: Deploy ModusGate with PostFix
How-To: Deploy ModusGate with Groupwise


 


 
POP3:

  • An alternative to using SMTP_AUTH
  • You need to be running a POP3 server
  • You may need to enable Strip Domain name from authentication requests for this to work properly
    • To enable this, go to Connections – Properties – General
       


 
Tertiary MTA-Based Authentication:

  • Please refer to the Mailbox Verification section for complete details
  • After implementing this solution, use SMTP_AUTH

 

Modified 5/2/2008
Keywords: SMTP SMTP_VRFY OpenLDAP POP3 Exchange Lotus Domino
Article ID: 1556