Environment
GWAVA (Secure Messaging Gateway) 7
SMG
Situation
After applying update 178, email messages from the local website are being rejected. This is seen most often with form submissions sent from an email address local to the customer domain. SMG is rejecting these messages.
Resolution
There are two options available at the domain level. (1) is a subset of (2), so if (2) is enabled, (1) will not matter.
(1) is essentially inbound anti-spoof. If the sender claims to be from your domain, and the recipient is also listed in your domain, then authentication is required to continue the SMTP transaction past RCPT.
(2) is full protection. If the sender claims to be from your domain, then they must have authenticated to continue past the MAIL command.
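The difference between the two options, modeled as an added example (not SMG code and not part of the original article). It assumes a single local domain, example.com, and the hypothetical names `Policy` and `smtp_outcome`; the result strings are descriptive labels, not SMG's actual SMTP responses.

```python
# Added illustration, not SMG code. Models the two domain-level options
# for a single local domain; all names here are hypothetical.
from dataclasses import dataclass
from itertools import product

LOCAL_DOMAIN = "example.com"  # constructed sample domain

def is_local(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN

@dataclass
class Policy:
    inbound_antispoof: bool = False  # option (1)
    full_protection: bool = False    # option (2)

def smtp_outcome(policy: Policy, sender: str, rcpt: str, authed: bool) -> str:
    """Return the stage at which the transaction stops, or 'accepted'."""
    # Option (2): a sender claiming the local domain must have
    # authenticated to continue past the MAIL command.
    if policy.full_protection and is_local(sender) and not authed:
        return "rejected at MAIL"
    # Option (1): local sender AND local recipient requires
    # authentication to continue past RCPT.
    if (policy.inbound_antispoof and is_local(sender)
            and is_local(rcpt) and not authed):
        return "rejected at RCPT"
    return "accepted"

def option1_is_subset_of_option2() -> bool:
    """Everything option (1) rejects is also rejected by option (2)."""
    addrs = ["webform@example.com", "user@example.net"]
    only1, only2 = Policy(inbound_antispoof=True), Policy(full_protection=True)
    return all(
        smtp_outcome(only2, s, r, a) != "accepted"
        for s, r, a in product(addrs, addrs, [False, True])
        if smtp_outcome(only1, s, r, a) != "accepted"
    )

if __name__ == "__main__":
    form = ("webform@example.com", "sales@example.com")  # website form case
    for name, pol in [("option 1", Policy(inbound_antispoof=True)),
                      ("option 2", Policy(full_protection=True))]:
        for authed in (False, True):
            print(name, "authed" if authed else "no auth",
                  "->", smtp_outcome(pol, *form, authed))
```

The unauthenticated website form case stops at RCPT under option (1) and at MAIL under option (2); a local sender writing to an external recipient is only stopped by option (2).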
Both of these require SMTP AUTH to be on at the SMTP interface itself. On systems that have multiple SMTP interfaces, all interfaces servicing an OU with these options enabled must be configured to provide AUTH as well. The UI will display warnings if something in these chains is not set up correctly.
The authentication is only performed against the auth targets defined for the domain - it will not validate against local SMG users. In the domain SMTP and LDAP host lists, there is an option for 'Auth'. This indicates that these hosts can be used to attempt validation for a given user/pass. At least one of these entries must be configured so that we can pass the AUTH request up the chain. Most, if not all, systems will have this already configured, but whether the remote system will accept our proxied AUTH command is out of the control of SMG. This could cause problems for some systems.
Also note that authentication works against the OU. If there are multiple domains within an OU, the authentication can be against any domain within the OU to be considered authenticated. Authentication does not work across OUs, as there is an implicit and intentional isolation between them. This is mainly relevant for the relay options at the SMTP interface, where relay exceptions can be created by AUTH, similar to the allowed IP address ranges.