How-To: Deploy ModusGate with Sendmail

 

Product: ModusGate

Version & Build: All

 
 

The purpose of this how-to is to outline the recommended configuration to enable ModusGate to communicate properly with your Sendmail server.

 

DISCLAIMER:  Vircom has limited knowledge of Sendmail systems and therefore makes the following recommendations based on our knowledge of ModusGate and how it functions best.  We are not able to provide support for the Sendmail server itself.  If you require more information about Sendmail, please consult your product manual or visit their website at www.sendmail.com.

 

 

Step 1 - Configure a domain and define its route(s)

 

Once the ModusGate program has been installed and the services have started, you must enter each domain for which ModusGate will filter mail and configure the route(s).  This is done, manually or by using the wizard, in the ModusGate Console in Connections - Properties - General.  For connection options and examples, please consult the ModusGate Administration Guide.

 

If there is more than one email server for a domain (such as a backup server), then several routes can be created per domain with different priorities.  Any additional routes will be used, in order, if the first email server does not respond.

 

Several domains can be routed to the same email server: enter each domain name and create the same route configuration for each.

 

 

 

Step 2 - Configure the Automatically update user list settings

 

Whenever ModusGate receives a message reception request, it must check whether or not the recipient mailbox is valid in order to either accept and filter the message or to reject it with a notification for the sending mail server.  This process is done through a forward lookup using the Automatically update user list configuration.  These settings also ensure that valid mailbox addresses and aliases are automatically created on the ModusGate server as the messages are received and processed.

 

After entering the domain name, click the Add Route button to access the following configuration settings:

 

NOTE: The recommendation is to use either OpenLDAP or SMTP_VRFY but only if you can make changes to the configuration as outlined below.  If you are unable to make these changes, you may have to use a standard SMTP connection.

 

 

1. SMTP on Port 25

 

This is the default communication method between ModusGate and all types of mail servers.  However, you must note the following:

  • Each valid email address and each alias is counted as a separate mailbox
  • Users can have different user settings (one per address)
  • Users will have several WebQuarantines (one per address)
  • Users will receive several Quarantine reports (one per address)

2. SMTP_VRFY on Port 25

 

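By default, Sendmail does not allow this SMTP command, but it can easily be enabled by adding or modifying the PrivacyOptions line in the Sendmail file '/etc/sendmail.cf' so that it reads "PrivacyOptions=authwarnings,noexpn,restrictqrun,nobodyreturn,needmailhelo,restrictmailq".  This value leaves out the novrfy flag, which is the flag that makes Sendmail refuse VRFY.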

 

 

3.  Exchange 5.5 & 2000+:  To be used with Microsoft Exchange only

 

 

4.  OpenLDAP on Port 389:  This is the preferred option if Sendmail is configured with an OpenLDAP server.  See details below.

 

 

5. Lotus Domino:  Similar to SMTP_VRFY

 

 

6. Disabled (for manual, not automatic mailbox creation) 

 

User mailboxes and aliases must be entered and maintained manually in the ModusGate Console or WebAdmin interface.  This option involves little or no configuration changes and is intended for domains with small mailbox counts and few changes.
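For option 2 (SMTP_VRFY), the following check is an added example, not Vircom's or Sendmail's code. It reports whether a sendmail.cf still refuses VRFY, treating the flags of every uncommented PrivacyOptions line together (a conservative assumption) and running on constructed sample files.

```shell
#!/bin/sh
# Added example (not Vircom's or Sendmail's code): report whether a sendmail.cf
# permits SMTP VRFY, which SMTP_VRFY mailbox validation depends on.
# sendmail refuses VRFY when PrivacyOptions carries "novrfy" or "goaway".

# vrfy_status FILE -> prints enabled | disabled | unset
vrfy_status() {
    # Flags from every uncommented PrivacyOptions line, one flag per line.
    # Accepts the sendmail.cf form "O PrivacyOptions=..." and the bare form
    # quoted in this how-to.
    flags=$(sed -n -E 's/^(O[[:space:]]+)?PrivacyOptions[[:space:]]*=//p' "$1" |
            tr ', \t' '\n\n\n')
    [ -n "$flags" ] || { echo unset; return 0; }
    if printf '%s\n' "$flags" | grep -qix -e novrfy -e goaway; then
        echo disabled
    else
        echo enabled
    fi
}

# Constructed sample files (not taken from a real server).
sample_dir=$(mktemp -d)
cat > "$sample_dir/before.cf" <<'EOF'
# constructed "before" fragment: VRFY refused
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
EOF
cat > "$sample_dir/after.cf" <<'EOF'
# constructed "after" fragment: the line recommended in this how-to
#O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
O PrivacyOptions=authwarnings,noexpn,restrictqrun,nobodyreturn,needmailhelo,restrictmailq
EOF

for f in before after; do
    printf '%s.cf: VRFY %s\n' "$f" "$(vrfy_status "$sample_dir/$f.cf")"
done
```

Once VRFY is enabled, any client that can reach port 25 on the Sendmail host can confirm which mailboxes exist, so the firewall rule for that port is best limited to the ModusGate server's IP address.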

 

 

Configure OpenLDAP Settings on Port 389:

 

1. Make sure that the Route mail to host or IP address setting points to the valid email server IP address for that domain

 

2. Enter the IP address of the LDAP server for the domain (ideally the root server) in the field next to Automatically update user list 

 

3. ModusGate must access the LDAP server database by means of a user account that has Read access for all domains on the LDAP server itself.  You can use the rootdn but if this is a security issue, create a new user (on the LDAP server) that has Read capabilities on the LDAP database.

 

Configuration under LDAP Identification:

  • On the LDAP server, open the slapd.conf file (usually located in /usr/local/etc/openldap/slapd.conf)

The slapd.conf file is as follows:

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data

 

In the Console (under Connections), at the LDAP Identification > Base DN field, enter the domain of the configured LDAP user in the format: dc=example,dc=com

 

 

4. In the Console (under Connections), at the LDAP Identification > User DN field, enter the distinguished name (DN) of the configured LDAP user in the format: cn=username,dc=example,dc=com

 

Example of a typical object representing a user account:

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
uid: john
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount

 

5. In the Console (under Connections), at the LDAP Identification > Password field, enter the password of the configured LDAP user account.

 

Without a valid LDAP user login, ModusGate rejects all WebQuarantine and WebAdmin login attempts with a temporary error.

 

If you experience problems with the configuration, we recommend using a Windows freeware LDAP browser program to test the connection.  Go to http://www.ldapadministrator.com and download the lightweight LDAP Browser 2.6.  It can be run on the ModusGate server to check credentials.  If the LDAP browser login is successful, it displays the LDAP directory contents.
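For the account choice in step 3 of the OpenLDAP settings (rootdn versus a separate read-only user), the audit below is an added example, not Vircom's or OpenLDAP's code. It checks whether the DN entered in the User DN field is the rootdn and how rootpw is stored, using the slapd.conf fragment shown above as constructed input; the DN cn=modusgate,dc=example,dc=com is a hypothetical dedicated account.

```shell
#!/bin/sh
# Added example (not Vircom's or OpenLDAP's code): audit the slapd.conf values
# that step 3 relies on before giving ModusGate a bind account.

# conf_value FILE KEYWORD -> first value of an uncommented directive, unquoted
conf_value() {
    sed -n -E "s/^$2[[:space:]]+//p" "$1" | head -n 1 | tr -d '"'
}

# norm_dn DN -> lower case, no spaces around commas, for comparison
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -E 's/[[:space:]]*,[[:space:]]*/,/g'
}

# bind_account_kind FILE BIND_DN -> rootdn | dedicated
bind_account_kind() {
    if [ "$(norm_dn "$2")" = "$(norm_dn "$(conf_value "$1" rootdn)")" ]; then
        echo rootdn      # ModusGate would store full-control credentials
    else
        echo dedicated   # separate account; it still needs a read-only ACL
    fi
}

# rootpw_storage FILE -> cleartext | hashed | unset
rootpw_storage() {
    pw=$(conf_value "$1" rootpw)
    case $pw in
        '')              echo unset ;;
        '{CLEARTEXT}'*)  echo cleartext ;;
        '{'*)            echo hashed ;;   # e.g. {SSHA}... from slappasswd
        *)               echo cleartext ;;
    esac
}

# Constructed sample: the slapd.conf fragment shown in this how-to.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
EOF

echo "rootpw storage: $(rootpw_storage "$sample_conf")"
# cn=modusgate is a hypothetical dedicated account name.
for dn in 'cn=Manager,dc=example,dc=com' 'cn=modusgate,dc=example,dc=com'; do
    echo "$dn -> $(bind_account_kind "$sample_conf" "$dn")"
done
```

A cleartext result can be corrected by generating a hash with slappasswd and placing its output after rootpw in slapd.conf.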

 

 

Step 3 - Configure the Authentication request settings:

 

This setting is used to authenticate WebQuarantine and WebAdmin access.  Users must enter their full email address and password to log in.  ModusGate does not store any passwords; it therefore queries the mail or authentication server for validation.

 

The recommended setting to use with Sendmail is either OpenLDAP, SMTP Auth or POP3.

 

 

Alternative methods:

 

1.  SMTP_Auth on Port 25 in base64 coding

 

Please consult the following URL for information about enabling SMTP AUTHENTICATION on a SendMail server: http://www.joreybump.com/code/howto/smtpauth.html

 

 

2.  Exchange 5.5 & 2000+:  To be used with Microsoft only

 

 

3. POP3 on Port 110

 

This is the preferred option as most users are configured to use the POP3 protocol.  Test this with the option Strip domain name* disabled and enable it only if necessary.  Do not forget to click on Apply and Stop and Start all services in the Console.

 

* When using this setting, users are still required to enter their full email address to log into the Web applications but ModusGate will send only the username portion of the address for authentication.

 

 

4. OpenLDAP on Port 389

 

This is the preferred option if Sendmail is configured with an OpenLDAP server and if mailbox validation is already using this setting.

 

  

IMPORTANT:  If there are any firewalls installed between the ModusGate and Sendmail servers, you must allow communication on all ports configured above for the Modus server's IP address.

 

 

LDAP-related Internet pages: 

 

http://www.metaconsultancy.com/whitepapers/ldap.htm

http://www.openldap.org/doc/admin22/quickstart.html

http://www.openldap.org/doc/admin22/slapdconfig.html