Emails from local Website Being Rejected -auth login

  • 7025027
  • 03-Mar-2021
  • 15-Sep-2021

Environment

GWAVA (Secure Messaging Gateway) 7
SMG

Situation

After applying update 178, email messages from a local website are being rejected. This is seen most often with form submissions sent from an email address local to the customer domain. SMG is rejecting these messages.

Resolution

There are two options available at the domain level. Option (1) is a subset of option (2), so if (2) is enabled, (1) will not matter.

(1) is essentially inbound anti-spoof.  If the sender claims to be from your domain, and the recipient is also listed in your domain, then authentication is required to continue the SMTP transaction past RCPT.

(2) is full protection.  If the sender claims to be from your domain, then they must have authenticated to continue past the MAIL command.

Both of these require SMTP AUTH to be on at the SMTP interface itself. On systems that have multiple SMTP interfaces, all interfaces servicing an OU with these options enabled must be configured to provide AUTH as well. The UI will display warnings if something in these chains is not set up correctly.


The authentication is only performed against the auth targets defined for the domain - it will not validate against local SMG users. In the domain SMTP and LDAP host lists, there is an option for 'Auth'. This indicates that these hosts can be used to attempt validation for a given user/pass. At least one of these entries must be configured so that we can pass the AUTH request up the chain. Most, if not all, systems will have this already configured, but whether the remote system will accept our proxied AUTH command is out of the control of SMG. This could be something that causes problems for some systems.

Also note that authentication works against the OU. If there are multiple domains within an OU, the authentication can be against any domain within the OU to be considered authenticated. Authentication does not work across OUs, as there is an implicit and intentional isolation between them. This is mainly relevant for the purpose of the relay options at the SMTP interface, where relay exceptions can be created by AUTH, similar to the allowed IP address ranges.
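The following is an added example, not SMG code: a small Python model of the two options and the OU-scoped authentication described above, useful for predicting at which SMTP command an unauthenticated web-form submission will be refused. The class, field and function names and the example.com addresses are hypothetical, and treating "your domain" for the recipient as any domain in the same OU is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DomainPolicy:
    anti_spoof: bool = False       # option (1): local sender AND local recipient
    full_protection: bool = False  # option (2): any claimed local sender


@dataclass
class OU:
    name: str
    domains: Dict[str, DomainPolicy]  # domain name -> its policy


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def refused_at(ou: OU, mail_from: str, rcpt_to: str,
               authenticated_ou: Optional[str] = None) -> Optional[str]:
    """Return 'MAIL' or 'RCPT' if the session is refused there, else None."""
    policy = ou.domains.get(_domain(mail_from))
    if policy is None:
        return None  # sender does not claim a domain in this OU
    if authenticated_ou == ou.name:
        return None  # AUTH against any domain in the same OU counts
    if policy.full_protection:
        return "MAIL"  # option (2) stops the session before RCPT is seen
    # Assumption: a recipient in any domain of this OU counts as local.
    if policy.anti_spoof and _domain(rcpt_to) in ou.domains:
        return "RCPT"  # option (1) only triggers on local-to-local mail
    return None


if __name__ == "__main__":
    # Constructed sample: a web form sending as a local address, no AUTH.
    for label, pol in [("option 1", DomainPolicy(anti_spoof=True)),
                       ("option 2", DomainPolicy(full_protection=True)),
                       ("both", DomainPolicy(True, True))]:
        ou = OU("acme", {"example.com": pol})
        print(label, "unauthenticated ->",
              refused_at(ou, "webform@example.com", "sales@example.com"))
        print(label, "authenticated   ->",
              refused_at(ou, "webform@example.com", "sales@example.com", "acme"))
```

In this model, a session that authenticated against a different OU is treated the same as an unauthenticated one, matching the isolation between OUs.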