Environment
GWAVA 4.51 build 3+
Situation
How do I configure multiple domains to be handled by GWAVA?
Resolution
Starting with GWAVA 4.51 build 3 there is a new
configure domains page dedicated to telling GWAVA how to talk to your
various domains. These settings apply to GWAVA QMS, GWAVA Relay, and
GWAVA SMTP. A brief explanation of each option follows. These
settings are crucial for proper operation of an SMTP scanner. If you are
using a different scanner type, the domains still need to be configured
for proper operation of QMS and so that digests and notifications go to
the correct location.
The steps are:
1) Viewing the new domains page
2) Adding Internet/email domains
3) Adding SMTP servers for each domain
4) Setting encryption level for SMTP servers
5) Setting failover order for SMTP servers
6) Setting SMTP server roles
7) Setting authentication information
8) Adding LDAP servers for each domain (optional)
9) LDAP authentication information
10) Setting the DN Search base
11) Setting search fields
12) Setting failover for LDAP servers
13) Default domain
14) Server scope
15) Recipient validation method
16) Recipient authentication method
1) Viewing the new domains page
Log into the GWAVA Management console as admin (http://<IP>:49282). The configure domains screen is found under Server Management (for GWAVA 6 it is located under Server/Interface Management).
2) Adding Internet/email domains
To add a domain, simply type in the domain and click Add. As an example, 'gwava.com' will be added. Each of your domains should be added and configured individually.
Once each of your domains has been added, click the save changes disk. Any changes you make from this point forward are specific to the domain currently selected.
3) Adding SMTP servers for each domain
Now that the domain has been added, GWAVA needs to know which mail servers receive mail for that domain. Add the hostname or IP address of each SMTP server that can receive mail for the domain and press the green plus to the right. Click the save changes disk.
4) Setting encryption level for SMTP servers
If greater security is required and the internal servers support it, you can set the encryption level to TLS or SSL. This only controls how GWAVA delivers mail to that internal server (the hop from GWAVA to the mail server); it has no effect on how mail reaches GWAVA. For each server, change the encryption level and then click the save icon.
5) Setting failover order for SMTP servers
You can also control which mail server GWAVA sends to by default. If that server goes down, GWAVA fails over to the next server listed. If it does not matter which server the mail goes to, leave the order at 0 for every server. The lower the number, the higher the server's priority: the server with the lowest number is tried first, just like MX preference values.
For example, to have all mail go to mail.gwava.com and fail over to 192.168.5.50 only when something is wrong, leave mail.gwava.com at 0 and set the priority of 192.168.5.50 to 5. The higher number means it is tried second.
6) Setting SMTP server roles
Another option for these SMTP servers is to specify their role. Because this domains list is shared amongst the GWAVA modules, you can tell QMS to authenticate user logins against one server and receive mail on another. For authentication, the server role setting supersedes the order setting.
As an example, you could set mail.gwava.com to "Receive mail" only and 192.168.5.50 to "Receive mail/authenticate". Given these settings, QMS authenticates users with SMTP AUTH against 192.168.5.50 and never tries to authenticate against mail.gwava.com. Mail delivery still follows the failover order from step 5.
7) Setting authentication information
For each server (if necessary) you can specify SMTP authentication credentials that GWAVA itself uses when connecting to that server. In nearly all cases you will not need to do this, because internal servers normally accept mail from GWAVA without authentication.
At this point the SMTP servers for the domain gwava.com are set up. For each additional domain, follow steps 3-7 to configure its SMTP servers.
8) Adding LDAP servers for each domain (optional)
As an alternative to authenticating QMS users via SMTP AUTH and validating recipients against the servers in the SMTP server list, an LDAP server can be used instead. Generally this is not necessary.
To add the server, enter the hostname or IP address, set the encryption level, and click the green plus.
--Note-- At the time this document was written LDAP encryption is not available, but it will be coming in later builds of GWAVA.
--Note-- If you configure LDAP without encryption you may need to disable the TLS requirement on your LDAP server. Be aware that the bind credentials from step 9 (and, if LDAP authentication is selected in step 16, user passwords) then cross the network in clear text, so keep the connection to the LDAP server on a trusted internal network until encryption is available.
9) LDAP authentication information
This setting is only necessary if you want to use LDAP to authenticate users for QMS or if your LDAP server does not allow anonymous bind.
The username must be the full LDAP distinguished name of the account, including its context.
Example eDirectory: 'cn=admin,o=robtain'
Example Active Directory: 'cn=Administrator,cn=Users,dc=exg,dc=robtain,dc=com'
The examples above use administrative accounts for brevity; a dedicated account with read access to the user objects and their mail attributes is sufficient for the searches described here and limits the damage if the stored credentials are exposed.
--Note-- Active Directory requires that a search base be provided for the bind to work.
10) Setting the DN Search base
This specifies where in the LDAP tree you want to begin your search for objects.
For eDirectory this can be left blank, but it can be filled in if you want to set a starting point in your LDAP tree (example: ou=users,o=gwava).
For Active Directory you must specify a search base (example: cn=Users,dc=exg,dc=robtain,dc=com).
11) Setting search fields
By default most LDAP servers (including eDirectory and Active Directory) store the object's or user's email address in an attribute named "mail". If your users' email addresses are stored under an attribute other than mail, you can list the possible attributes separated by commas. Most of the time this is not necessary.
As an example, we can set our LDAP server to search the attributes mail and secondarymail.
12) Setting failover for LDAP servers
The same rules apply here as for the SMTP servers in step 5. If you have specified multiple LDAP servers, failover is available.
Repeat steps 8-12 to add additional LDAP servers, if necessary, for each domain.
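The following is an added example, not GWAVA code: it models, with a hypothetical LdapDomainConfig class, how the bind DN, search base and comma-separated search fields from steps 9-11 turn a recipient address into the LDAP search a scanner would issue (the LDAP option of step 15), and it checks the configuration rules the steps above state. The security-relevant detail is the escaping: a recipient address comes from the SMTP envelope and must not be able to change the structure of the filter. No directory server is contacted.

```python
"""Recipient lookup against a per-domain LDAP server entry (added example, not GWAVA code)."""
from dataclasses import dataclass

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a literal so it cannot alter the filter: "*)(objectClass=*" stays a literal."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapDomainConfig:
    """One LDAP server entry for a domain (hypothetical model of the UI fields)."""
    host: str
    directory: str               # "edirectory" or "active_directory"
    search_base: str = ""        # blank = start at the tree root (eDirectory only)
    search_fields: str = "mail"  # comma-separated attribute names, as typed in the UI
    bind_dn: str = ""            # blank = anonymous bind
    bind_password: str = ""

    def attributes(self) -> list[str]:
        """Split the comma-separated search fields, ignoring blanks and whitespace."""
        return [f.strip() for f in self.search_fields.split(",") if f.strip()]


def recipient_filter(cfg: LdapDomainConfig, address: str) -> str:
    """Return the RFC 4515 filter matching any configured attribute equal to address."""
    attrs = cfg.attributes()
    if not attrs:
        raise ValueError("at least one search field is required")
    value = escape_filter_value(address)
    clauses = [f"({attr}={value})" for attr in attrs]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def check_config(cfg: LdapDomainConfig) -> list[str]:
    """Return the configuration problems steps 9-11 warn about (empty list = OK)."""
    problems = []
    if cfg.directory == "active_directory" and not cfg.search_base:
        problems.append("Active Directory requires a search base for the bind and search")
    if cfg.bind_dn and "=" not in cfg.bind_dn:
        problems.append("bind DN must be a full distinguished name, e.g. cn=admin,o=robtain")
    if cfg.bind_dn and not cfg.bind_password:
        # RFC 4513: a DN with an empty password is an unauthenticated bind,
        # which most servers treat as anonymous, so the DN buys nothing.
        problems.append("bind DN given without a password; the bind will be anonymous")
    if not cfg.attributes():
        problems.append("search fields must name at least one attribute")
    return problems


if __name__ == "__main__":
    # Constructed sample configurations for the gwava.com example in the article.
    edir = LdapDomainConfig("ldap.gwava.com", "edirectory", search_fields="mail, secondarymail")
    ad = LdapDomainConfig("dc.exg.robtain.com", "active_directory",
                          bind_dn="cn=Administrator,cn=Users,dc=exg,dc=robtain,dc=com",
                          bind_password="secret")
    print(recipient_filter(edir, "user@gwava.com"))
    print(recipient_filter(edir, "*)(objectClass=*"))   # escaped, stays a literal
    print(check_config(ad))                              # missing search base
```

The search base from step 10 is passed as the base DN of the search alongside this filter; the filter itself is what varies per recipient, which is why the escaping lives there.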
Now that all of the SMTP/LDAP server information is in place we can make a few decisions to control authentication, recipient validation, and how the information will be stored.
13) Default domain
The default domain identifies the domain to be used when generating or detecting user accounts on this server which do not contain domain information.
If you have multiple domains, simply select the radio button next to your highest-traffic domain. This does not affect mail flow or authentication in any way.
14) Server scope
If you have a GWAVA system network (multiple GWAVA servers), you can make each domain specific to one server or have its information shared amongst all of the servers. Generally selecting Global will be just fine.
15) Recipient validation method
When an SMTP scanner is in use it is necessary to reject email to recipients that do not exist. To verify that a user exists, the SMTP scanner can query the SMTP server or the LDAP server. The default of 'SMTP server list' is recommended if the SMTP servers already reject invalid recipients; otherwise, use the LDAP option. If the internal servers accept mail for any recipient and bounce it later, the SMTP check cannot tell a valid address from an invalid one, and that is exactly the case the LDAP option covers.
16) Recipient authentication method
When a user tries to authenticate to QMS, they are authenticated with their current email address plus their current email password. This can be done using the SMTP server list (SMTP AUTH) or using their LDAP login. The default of 'SMTP server list' is recommended if SMTP AUTH is supported by the SMTP servers in the list. Use LDAP if you want users to log in with their LDAP (eDirectory/Active Directory) passwords instead of their email passwords.
To conclude our example, we will use the SMTP servers to validate the existence of users and the LDAP server to verify a user's credentials when logging in to QMS. The final configuration for the domain gwava.com then makes full use of the available options: SMTP servers with encryption level, failover order and roles, and an LDAP server with bind credentials, search base and search fields.
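The following is an added example, not GWAVA code, covering the failover order of step 5, the roles of step 6 and the 'SMTP server list' recipient validation of step 15 together. It uses hypothetical names (SmtpServer, RECEIVE, RECEIVE_AUTH, rcpt_check, validate_recipient) and assumes this behaviour: servers are tried lowest priority number first with ties keeping list order; only the "Receive mail/authenticate" server is offered for SMTP AUTH logins; a recipient exists when a server answers RCPT TO with a 2xx reply, does not exist on a 5xx reply, and the next server is tried when a server is down or answers 4xx. The SMTP sessions are scripted from constructed replies, so nothing touches the network.

```python
"""Recipient validation against a per-domain SMTP server list (added example, not GWAVA code)."""
from dataclasses import dataclass
from typing import Callable

RECEIVE = "receive"            # UI role "Receive mail" (hypothetical constant)
RECEIVE_AUTH = "receive_auth"  # UI role "Receive mail/authenticate" (hypothetical constant)


@dataclass(frozen=True)
class SmtpServer:
    host: str
    priority: int = 0      # 0 = no preference; lower number = tried first
    role: str = RECEIVE


def delivery_order(servers: list[SmtpServer]) -> list[SmtpServer]:
    """Order servers as step 5 describes: lowest number first, ties keep list order."""
    return sorted(servers, key=lambda s: s.priority)   # sorted() is stable


def auth_servers(servers: list[SmtpServer]) -> list[SmtpServer]:
    """Servers QMS may use for SMTP AUTH logins; the role overrides the order setting."""
    return [s for s in delivery_order(servers) if s.role == RECEIVE_AUTH]


class ScriptedSmtp:
    """Fake SMTP session: replies keyed by exact command line or by its verb (constructed data)."""

    def __init__(self, replies: dict[str, tuple[int, str]]):
        self.replies = replies
        self.log: list[str] = []

    def command(self, line: str) -> tuple[int, str]:
        self.log.append(line)
        verb = line.split(" ", 1)[0].split(":", 1)[0]
        return self.replies.get(line) or self.replies.get(verb) or (500, "command not recognized")


def rcpt_check(session, recipient: str, helo: str = "scanner.example") -> str:
    """Probe one server: 'ok' (2xx), 'unknown' (5xx) or 'tempfail' (anything else)."""
    if any(c in recipient for c in "\r\n<>"):
        # Envelope data is attacker-controlled; never let it inject extra SMTP commands.
        raise ValueError("invalid characters in recipient")
    for cmd in (f"EHLO {helo}", "MAIL FROM:<>"):
        code, _ = session.command(cmd)
        if code // 100 != 2:
            session.command("QUIT")
            return "tempfail"
    code, _ = session.command(f"RCPT TO:<{recipient}>")
    session.command("RSET")   # this is a probe only; never proceed to DATA
    session.command("QUIT")
    if code // 100 == 2:
        return "ok"
    if code // 100 == 5:
        return "unknown"
    return "tempfail"


def validate_recipient(servers, recipient: str, connect: Callable[[str], ScriptedSmtp]):
    """Walk the servers in failover order until one gives a definite answer."""
    for server in delivery_order(servers):
        try:
            session = connect(server.host)
        except OSError:
            continue                        # server down: fail over (step 5)
        result = rcpt_check(session, recipient)
        if result != "tempfail":
            return result, server.host
    return "tempfail", None


# Constructed demo: mail.gwava.com is down and 192.168.5.50 knows only bob@gwava.com.
DEMO_SERVERS = [
    SmtpServer("mail.gwava.com", priority=0, role=RECEIVE),
    SmtpServer("192.168.5.50", priority=5, role=RECEIVE_AUTH),
]
BACKUP_REPLIES = {
    "EHLO": (250, "192.168.5.50 Hello"),
    "MAIL": (250, "OK"),
    "RCPT TO:<bob@gwava.com>": (250, "OK"),
    "RCPT": (550, "No such user here"),
    "RSET": (250, "OK"),
    "QUIT": (221, "Bye"),
}


def demo_connect(host: str) -> ScriptedSmtp:
    """Stand-in for opening a TCP/TLS session; the primary refuses connections."""
    if host == "mail.gwava.com":
        raise OSError("connection refused")
    return ScriptedSmtp(BACKUP_REPLIES)


def demo() -> dict:
    return {
        "order": [s.host for s in delivery_order(DEMO_SERVERS)],
        "auth": [s.host for s in auth_servers(DEMO_SERVERS)],
        "bob": validate_recipient(DEMO_SERVERS, "bob@gwava.com", demo_connect),
        "nobody": validate_recipient(DEMO_SERVERS, "nobody@gwava.com", demo_connect),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe is only meaningful when the internal server refuses unknown users at RCPT time, as step 15 says; a server that answers 250 to every recipient makes every address look valid, which is when the LDAP option is the right choice. An RSET before QUIT keeps the probe from ever becoming a delivery.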
Additional Information
This article was originally published in the GWAVA knowledgebase article ID 1679.