Configuration of a multiple domain system

  • 7021039
  • 28-Jun-2017
  • 18-Aug-2017

Environment

GWAVA 4.51 build 3+

Situation

How do I configure multiple domains to be handled by GWAVA?

Resolution

Starting with GWAVA 4.51 build 3 there is a new configure domains page dedicated to telling GWAVA how to talk to your various domains. These settings apply for GWAVA QMS, GWAVA Relay, and GWAVA SMTP. A brief explanation of each option will follow. These settings are crucial for proper operation of an SMTP scanner. If you are using a different scanner type the domains still need to be configured for proper operation of QMS and so that digests and notifications go to the correct location.

1) Viewing the new domains page
Log into the GWAVA Management console as admin (http://<IP>:49282)
The configure domains screen is found under server management (For GWAVA6 located under Server/Interface Management).
2) Adding Internet/email domains
To add a domain simply type in the domain and click add.
As an example 'gwava.com' will be added. Each of your domains should be added and configured individually.
Once each of your domains have been added click the save changes disk. Any changes you make from this point forward are specific for that domain.

3)
Adding SMTP servers for each domain
Now that the domain has been added we need to know which mail servers receive mail for that domain.
Simply add the hostname or IP address for each SMTP server that can receive mail for that domain and then press the green plus to the right.

Click the save changes disk.
4) Setting encryption level for SMTP servers
If greater security is required and the internal servers support it you can set the encryption level to TLS or SSL. This simply controls how we will deliver mail to the internal server
For each server you can change the encryption level and then click the save icon.
5) Setting failover order for SMTP servers
You can also control which mail server we send to by default. If that server goes down we will failover to the next server listed. If it doesn't matter which server the mail goes to you can leave the order at 0. The lower the number the higher the priority the server has and we will send to it first.
For example I want all my mail to go to mail.gwava.com and then if something is wrong I want GWAVA to failover to 192.168.5.50. I will set the priority of 192.168.5.50 to 5 since it is a higher number and will be sent to second (just like MX records).

6) Setting SMTP server roles
Another option for these SMTP servers is to specify their role. Because this domains list is shared amongst each GWAVA module you can tell QMS to authenticate user logins to one server and then receive mail on the other. The server role setting supercedes the order setting.
As an example, you could set mail.gwava.com to only receive mail and 192.168.5.50 to Receive mail/authenticate. Given these settings, QMS will authenticate users using SMTP auth against 192.168.5.50 and never try to authenticate against mail.gwava.com. Mail delivery will still be the same as in step 5.

7) Setting authentication information
For each server (if necessary) you can specify an SMTP user's authentication information. In 99% of cases you will not need to do this.

At this point I have my SMTP servers for the domain gwava.com set up. For each domain you will want to follow steps 3-7 to configure the SMTP servers.
8) Adding LDAP servers for each domain (optional)
As an alternative to authenticating QMS users via SMTP AUTH and validating users with the servers in the SMTP server list an LDAP server can be used instead. Generally this isn't necessary.
To add the server simply put in the hostname or IP address in and set the encryption level and click the green plus.
--Note-- At the time this document was written LDAP encryption is not available, but it will be coming in the later builds of GWAVA.
--Note-- If you choose to configure LDAP without encryption you may need to disable the TLS requirement on your LDAP server.
9) LDAP authentication information
This setting is only necessary if you want to use LDAP to authenticate users for QMS or if your LDAP server doesn't allow anonymous Bind.
For the username it must be the full LDAP username including context.
example eDirectory: 'cn=admin,o=robtain'
example Active Directory: 'cn=Administrator,cn=Users,dc=exg,dc=robtain,dc=com'
 --Note-- Active directory requires that a search base be provided for the Bind to work
10) Setting the DN Search base
This specifies where in the LDAP tree you want to begin your search for objects.
For eDirectory this can be left blank, but could be filled in if you want to set a starting point in your LDAP tree (example: ou=users,o=gwava).
For Active Directory you must specify a search base (example: cn=Users,dc=exg,dc=robtain,dc=com).

11) Setting search fields
By default most LDAP servers (including eDirectory and Active Directory) have an attribute applied to an object of the type "mail" which contains the object's or user's email address. If you have email addresses for users stored under an attribute other than mail you can specify the possible attributes by separating them with commas. Most of the time this is not necessary.
As an example we can set our LDAP server to search for the attributes mail and secondarymail.

12) Setting failover for LDAP servers
The same rules apply here as the SMTP servers in step 5. If you have specified multiple LDAP servers you have failover available to you.
You can repeat steps 8-12 to add additional LDAP servers, if necessary, for each domain.

Now that all of the SMTP/LDAP server information is in place we can make a few decisions to control authentication, recipient validation, and how the information will be stored.



13) Default domain
The default domain Identifies the selected domain to be used when generating or detecting user accounts on this server which do not contain domain information.
If you have multiple domains, simply, select the radio button next to the default domain for your highest traffic domain. This does not affect mail flow or authentication in any way.
14) Server scope
If you have a GWAVA system network (multiple GWAVA servers), you can make each domain specific to one server or have the information be shared amongst all of the servers.
Generally selecting Global will be just fine.
15) Recipient validation method
When an SMTP scanner is in use it is necessary to reject email to recipients that do not exist. To verify that a user exists the SMTP scanner can query the SMTP server or the LDAP server. The default of 'SMTP server list' is recommended if the SMTP servers will reject invalid recipients already, otherwise, use the LDAP option.
16) Recipient authentication method
When a user tries to authenticate to QMS, we authenticate them against their current email address plus their current email password. This can be accomplished using the SMTP server list (SMTP AUTH) or by using their LDAP login. The default of 'SMTP server list' is recommended if SMTP Auth is supported by the SMTP servers in the list. LDAP should be used if you want to use their LDAP (eDirectory/Active Directory) passwords instead of their email user password.
To conclude our example, we will use the SMTP servers to validate the existence of users and the LDAP server to verify a user's credentials when logging in to QMS. Below is the final configuration for the domain gwava.com making full use of the available options.

Additional Information

This article was originally published in the GWAVA knowledgebase article ID 1679.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.