Complete Contents
Chapter 1 Getting Started With Netscape Messaging Server
Chapter 2 Configuring IMAP and POP Services
Chapter 3 Configuring SMTP Services
Chapter 4 Managing Mail Users and Mailing Lists
Chapter 5 Managing the Message Store
Chapter 6 Security and Access Control
Chapter 7 Working With SMTP Plugins
Chapter 8 Filtering Unsolicited Bulk Email
Chapter 9 Message Routing
Chapter 10 Monitoring and Maintaining Your Server
Chapter 11 Logging and Log Analysis
Appendix A Command Line Utilities
Appendix B Program Delivery
Appendix C sendmail Migration and Compatibility
Appendix D SNMP MIB
Glossary
Messaging Server Administrator's Guide: Security and Access Control
Previous Next Contents Index Bookshelf


Chapter 6 Security and Access Control

Netscape Messaging Server supports a full range of flexible security features that allow you to keep messages from being intercepted, prevent intruders from impersonating your users or administrators, and permit only specific people access to specific parts of your messaging system.

The Messaging Server security architecture is part of the security architecture of Netscape servers as a whole. It is built on industry standards and public protocols for maximum interoperability and consistency. To implement Messaging Server security policies, therefore, you will need not only this chapter but several other documents as well. In particular, information in Managing Servers with Netscape Console is required for setting up Messaging Server security.

This chapter has the following sections:
About Server Security
Server security encompasses a broad set of topics. In most enterprises, ensuring that only authorized people have access to the servers, that passwords or identities are not compromised, that people do not misrepresent themselves as others when communicating, and that communications can be held confidential when necessary are all important requirements for a messaging system.

 Perhaps because the security of server communication can be compromised in many ways, there are many approaches to enhancing it. This chapter focuses on setting up encryption, authentication, and access control. It discusses the following security-related Messaging Server topics:

 Not all security and access issues related to Messaging Server are treated in this chapter. Security topics that are discussed elsewhere include the following:

 Netscape has produced a large number of documents that cover a variety of security topics. For additional background on the topics mentioned here and for other security-related information, see the Security page on the Netscape DevEdge Web site.


User Password Login
Requiring password submission on the part of users logging into Messaging Server to send or receive mail is a first line of defense against unauthorized access. Messaging Server supports password-based login for its IMAP, POP, and SMTP services.

 IMAP and POP Password Login

By default, users must submit a password to retrieve their messages from a Messaging Server. You enable or disable password login for POP separately from IMAP; see Password-Based Login for instructions.

User passwords can be transmitted from the user's client software to your server as clear text or in encrypted form. If either the client or your server are configured to require password encryption, and if both the client and your server support encryption of the required strength (as explained in Enabling SSL), encryption occurs.

User IDs and passwords are stored in your installation's LDAP user directory. Password security criteria, such as minimum length, are determined by directory policy requirements; they are not part of Messaging Server administration.

 Certificate-based login is an alternative to password-based login. It is discussed in this chapter along with the rest of SSL; see Setting Up Certificate-Based Login.

SMTP Password Login

By default, users need not submit a password when they connect to the SMTP service of a Messaging Server to send a message. You can, however, require password login to SMTP in order to enable authenticated SMTP.

Authenticated SMTP is an extension to the SMTP protocol, in which message-sender authentication accompanies a message, thus permitting the receiver of the message to know that the sender was authenticated by the sender's mail server. Authenticated SMTP is designed for use within a set of trusted servers in which certificate-based authentication is not being employed. For instructions on enabling SMTP password login (and thus Authenticated SMTP), see Authenticated SMTP.

Figure 6.1 summarizes how Authenticated SMTP works. When SMTP password login is enabled, clients and servers follow this process:

  1. When the client connects to its SMTP server to send a message, it first transmits an auth login keyword after its EHLO command to let the server know that authentication should accompany this message.
    2. The client typically requires the user to enter a password only once per session, regardless of how many messages the user sends. A client preference allows the user to specify whether to enable or disable authentication.

  2. When the sending client's server connects to the next server in the chain of transmission, it performs these two tasks related to client authentication:

  3. When the recipient's mail server receives the message, it stores the message in the user's mailbox along with an indication that the sender's name is authenticated.

  4. When the user's mail client retrieves the message, it appends an indication of the authentication to the message header. In the Netscape mail client, the word "Internal" appears next to the authenticated sender's name.
You can use Authenticated SMTP with or without SSL encryption.

Figure 6.1 Message transmission with Authenticated SMTP


Configuring SSL Encryption and Authentication
Messaging Server uses the Secure Sockets Layer protocol for encrypted communications and for certificate-based authentication of clients and servers. See Introduction to SSL (reproduced as an appendix to Managing Servers with Netscape Console) for background information on SSL. SSL itself is based on the concepts of public-key cryptography, described in Introduction to Public-Key Cryptography (also reproduced as an appendix to Managing Servers with Netscape Console).

 If transmission of messages between a Messaging Server and its clients and between the server and other servers is encrypted, there is little chance for eavesdropping on the communications. If connecting clients and servers are authenticated, there is little chance for intruders to impersonate (spoof) them.

 SSL functions as a protocol layer beneath the application layers of IMAP4, POP3, and SMTP. The SSL version of each of these three application protocols (IMAP/SSL, POP/SSL, SMTP/SSL) acts at a specific stage of message communication, as shown in Figure 6.2 for both outgoing and incoming messages.

Figure 6.2 Encrypted communications with Messaging Server

 Complete end-to-end encryption of message transmission may require the use of all three SSL-related protocols. Netscape Messaging Server supports all three, but Netscape's messaging client software supports only SMTP/SSL and IMAP/SSL. As Figure 6.2 shows, the result is that Netscape POP clients can encrypt communication when sending messages, but not when receiving them.

Keep in mind that the extra performance overhead in setting up an SSL connection can put a performance burden on the server. In designing your messaging installation and in analyzing performance, you may need to balance security needs against server capacity.

Netscape Messaging Server 4.0 supports only SSL version 3.0.

Note: Because all Netscape servers support SSL, and the interface for enabling and configuring SSL through Netscape Console is nearly identical across all servers, several of the tasks described in this section are documented more completely in the SSL chapter of Managing Servers with Netscape Console. For those tasks, this chapter gives summary information only.

Obtaining Certificates

Whether you use SSL for encryption or for authentication, you need to obtain a server certificate for your Messaging Server. The certificate identifies your server to clients and to other servers.

Managing Internal and External Modules

A server certificate establishes the ownership and validity of a key pair, the numbers used to encrypt and decrypt messages. Your server's certificate and key pair represent your server's identity. They are stored in a certificate database that can be either internal to the server or on an external, removable hardware card (smartcard).

Likewise, the software module that manages the keys and certificates database can be either internal or external. Netscape servers support both internal and external modules that conform to the Public-Key Cryptography System (PKCS) #11 protocol.

 Setting up the server for a certificate involves creating a database for the certificate and its keys and installing a PKCS #11 module. If you do not use an external hardware token, you create an internal database on your server, and you use the internal, default module that is part of Messaging Server. If you do use an external token, you connect a hardware smartcard reader and install its PKCS #11 module.

You can manage PKCS #11 modules, whether internal or external, through Netscape Console. To install a PKCS #11 module, you

 (For more complete instructions, see the chapter on SSL in Managing Servers with Netscape Console.)

 Installing Hardware Encryption Accelerators. If you use SSL for encryption, you may be able to improve server performance in encrypting and decrypting messages by installing a hardware encryption accelerator. An encryption accelerator typically consists of a hardware board, installed permanently in your server machine, plus a software driver. Netscape Messaging Server supports accelerator modules that follow the PKCS #11 protocol. (They are essentially hardware tokens that do not store their own keys; they use the internal database for that.) You install an accelerator by first installing the hardware and drivers as specified by the manufacturer, and then completing the installation--as with hardware certificate tokens--by installing the PKCS #11 module.

 Requesting a Server Certificate

You request a server certificate by opening your server in Netscape Console and running the Certificate Setup Wizard, accessed through the Console menu. Using the Wizard, you

When the email response from the CA arrives, you save it as a text file.

 (For more complete instructions, see the chapter on SSL in Managing Servers with Netscape Console.)

 Creating a Password File

On any Netscape server, when you use the Certificate Setup Wizard to request a certificate, the wizard creates a key pair to be stored in either the internal module's database or in an external database (on a smartcard). The wizard then prompts you for a password, which it uses to encrypt the stored key pair. Only that same password can later be used to decrypt the keys. The wizard does not retain the password nor store it anywhere.

On most Netscape servers for which SSL is enabled, the administrator is prompted at startup to supply the password required to decrypt the key pair. On Messaging Server 4.0, however, to alleviate the inconvenience of having to enter the password multiple times (it is need by at least three server processes), and to facilitate unattended server restarts, the password is read from a password file.

 The password file must be named sslpassword.conf and must be in the directory installDirectory/config/. Entries in the file are individual lines with the format

 
moduleName:password
where moduleName is the name of the (internal or external) PKCS #11 module to be used, and password is the password that decrypts that module's key pair. The password is stored as clear (unencrypted) text.

 Messaging Server 4.0 provides a default version of the password file, with the following single entry (for the internal module and default password):

 Communicator Certificate DB:netscape!

 If you specify anything but the default password when you install an internal certificate, you need to edit the above line of the password file to reflect the password you specified. If you install an external module, you need to add a new line to the file, containing the module name and the password you specified for it.

Important: Because the administrator is not prompted for the module password at server startup, it is especially important that you ensure proper administrator access control to the server and proper physical security of the server host machine and server backups.

Installing the Certificate

Installing is a separate process from requesting. Once the email response to your request for a certificate has arrived and been saved as a text file, run the Certificate Setup Wizard once more to install the file as a certificate. When you run the wizard, you

(For more complete instructions, see the chapter on SSL in Managing Servers with Netscape Console.)

Note: This is also the process you follow to install a CA certificate (described next), which your server uses to determine whether to trust the certificates presented by clients.

Installing Certificates of Trusted CAs

You also use the Certificate Setup Wizard to install the certificates of certificate authorities. A CA certificate validates the identity of the CA itself. Your server uses these CA certificates in the process of authenticating clients and other servers.

If, for example, you set up your enterprise for certificate-based client authentication in addition to password-based authentication (see Setting Up Certificate-Based Login), you need to install the CA certificates of all CAs that are trusted to issue the certificates that your clients may present. These CAs may be internal to your organization or they may be external, representing commercial or governmental authorities or other enterprises. (See Introduction to Cryptography for more details on the use of CA certificates for authentication.)

When installed, Messaging Server initially contains CA certificates for several commercial CAs. If you need to add other commercial CAs or if your enterprise is developing its own CA for internal use (using Netscape Certificate Server), you need to obtain and install additional CA certificates.

Note: The CA certificates automatically provided with Messaging Server are not initially marked as trusted. You need to edit the trust settings before your server can trust client certificates issued by these CAs. See Managing Certificates and Trusted CAs for instructions.

To request and install a new CA certificate, you

 (For more complete instructions, see the chapter on SSL in Managing Servers with Netscape Console.)

 Managing Certificates and Trusted CAs

Your server can have more than one server certificate with which it identifies itself. It can also have any number of certificates of trusted CAs that it uses for authentication of clients.

You can view, edit the trust settings of, or delete any of the certificates installed in your Messaging Server by opening your server in Netscape Console and choosing the Certificate Management Command in the Console menu. For instructions, see the chapter on SSL in Managing Servers with Netscape Console.

 Enabling SSL

You can use Netscape Console to enable SSL and to select the set of encryption ciphers that Messaging Server can use in its encrypted communications with clients.

About Ciphers

A cipher is the algorithm used to encrypt and decrypt data in the encryption process. Some ciphers are stronger than others, meaning that a message they have scrambled is more difficult for an unauthorized person to unscramble.

A cipher operates on data by applying a key--a long number--to the data. Generally, the longer the key the cipher uses during encryption, the harder it is to decrypt the data without the proper decryption key.

When a client initiates an SSL connection with a Messaging Server, the client lets the server know what ciphers and key lengths it prefers to use for encryption. In any encrypted communication, both parties must use the same ciphers. Because there are a number of cipher-and-key combinations in common use, a server should be flexible in its support for encryption. Netscape Messaging Server 4.0 can support up to 6 combinations of cipher and key length.

Table 6.1 lists the ciphers that Messaging Server supports for use with SSL 3.0. The table summarizes information that is available in more detail in Introduction to SSL; please consult that document before making final decisions on what ciphers to support

.

Table 6.1 SSL ciphers for Messaging Server

Cipher
Description
RC4 with 128-bit encryption and MD5 message authentication
The fastest encryption cipher (by RSA) and a very high-strength combination of cipher and encryption key. Suitable only for domestic North American (non-export) use.
Triple DES with 168-bit encryption and SHA message authentication
A slower encryption cipher (a U.S. government-standard) but the highest-strength combination of cipher and encryption key. Suitable only for domestic North American (non-export) use.
DES with 56-bit encryption and SHA message authentication
A slower encryption cipher (a U.S. government-standard) and a moderate-strength combination of cipher and encryption key. Suitable only for domestic North American (non-export) use.
RC4 with 40-bit encryption and MD5 message authentication
The fastest encryption cipher (by RSA) and a lower-strength combination of cipher and encryption key. Suitable for international use.
RC2 with 40-bit encryption and MD5 message authentication
A slower encryption cipher (by RSA) and a lower-strength combination of cipher and encryption key. Suitable for international use.
No encryption, only MD5 message authentication
No encryption; use of a message digest for authentication alone.

Unless you have a compelling reason for not using a specific cipher, you should support them all. However, note that export laws restrict the use of certain encryption ciphers in certain countries. Basically, key lengths of greater than 40 bits can be used only in the United States and Canada. See Export Restrictions on International Sales on the Netscape DevEdge Web site for details. In general, Messaging Server cannot use the higher-strength encryption for any communication with international versions of client software.

Turning On SSL and Selecting Ciphers

If your Messaging Server has an installed server certificate, SSL is enabled as long as one or more encryption ciphers is selected. (Most are on by default.) Thus you can effectively enable or disable SSL communications by selecting or deselecting encryption ciphers. Follow these steps:

  1. In Netscape Console, open the Messaging Server whose cipher settings you want to modify.

  2. Click the Configuration tab in the left pane.

  3. Select the Services folder.

  4. Select the Encryption tab in the right pane. The Encryption Configuration form opens.

  5. Click the boxes to select the encryption cipher or ciphers that you want your server to support. To disable SSL completely, deselect all ciphers.
See Encryption Configuration Tab for a complete description of the contents of that form.

Setting Up Certificate-Based Login

In addition to password-based authentication, Netscape servers support authentication of users through examination of their digital certificates. In certificate-based authentication, the client establishes an SSL session with the server and submits the user's certificate to the server. The server then evaluates whether the submitted certificate is genuine. If the certificate is validated, the user is considered authenticated.

To set up your Messaging Server for certificate-based login:

  1. Obtain a server certificate for your server. (See Obtaining Certificates for details.)

  2. Run the Certificate Setup Wizard to install the certificates of any trusted certificate authorities that will issue certificates to the users your server will authenticate. (See Installing Certificates of Trusted CAs for details.)
    3. Note that, as long as there is at least one trusted CA in the server's database, the server requests a client certificate from each connecting client.

  3. Turn on SSL. (See Enabling SSL for details.)

  4. (Optional) Edit your server's certmap.conf file so that the server appropriately searches the LDAP user directory based on information in the submitted certificates.
    5. Editing the certmap.conf file is not necessary if the email address in your users' certificates matches the email address in your users' directory entries, and if you do not need to optimize searches or validate the submitted certificate against a certificate in the user entry.

    For details of the format of certmap.conf and the changes you can make, see the SSL chapter of Managing Servers with Netscape Console.

Once you have taken these steps, when a client establishes an SSL session so that the user can log in to IMAP, the Messaging Server requests the user's certificate from the client. If the certificate submitted by the client has been issued by a CA that the server has established as trusted, and if the identity in the certificate matches an entry in the user directory, the user is authenticated and access is granted (depending on access-control rules governing that user).

 There is no need to disallow password-based login (see Password-Based Login) to enable certificate-based login. If password-based login is allowed (which is the default state), and if you have performed the tasks described in this section, both password-based and certificate-based login are supported. In that case, if the client establishes an SSL session and supplies a certificate, certificate-based login is used. If the client does not use SSL or does not supply a certificate, the server requests a password.

For more details on setting up your entire installation of Netscape servers and clients to use certificate-based authentication, see Single Sign-On Deployment Guide.


Configuring Administrator Access to Messaging Server
This section describes how to control the ways in which server administrators can gain access to Messaging Server. Administrative access to a given Messaging Server and to specific Messaging Server tasks occurs within the context of delegated administration. Delegated administration is a feature of all Netscape servers; it refers to the capability of an administrator to provide other administrators with selective access to individual servers and server features. For an overview of delegated administration, see the chapter on delegating server administration in Managing Servers with Netscape Console.

Note: Most tasks described in this section are common to all Netscape servers, and are therefore described fully only in the chapter on delegating server administration in Managing Servers with Netscape Console. This chapter briefly summarizes the tasks.

Hierarchy of Delegated Administration

When you install the first Netscape server on your network, the installation program automatically creates a group in the LDAP user directory called the Configuration Administrators group. By default, the members of the Configuration Administrators group have unrestricted access to all hosts and servers on your network.

The Configuration Administrators group is at the top of an access hierarchy, such as the following, that you can create to implement delegated administration for Messaging Server:

  1. Configuration administrator. The "super user" for the network of Netscape servers. Has complete access to all resources.

  2. Domain administrator. The configuration administrator typically creates one or more other groups, each with more restricted access. For example the configuration administrator might create a Domain Administrators group and give it access to all server for a specific administrative domain in the network. (An administrative domain is the set of hosts and servers on the network that share the same user directory for looking up account information.)

  3. Server administrator. A domain administrator might create groups to administer each type of server. For example, a Messaging Administrators group might be created to administer all Messaging Servers in an administrative domain or across the whole network. Members of that group have access to all Messaging Servers (but no other servers) in that administrative domain.

  4. Task administrator. Finally, any of the above administrators might create a group, or designate an individual user, with restricted access to a single Messaging Server or a set of Messaging Servers. Such a task administrator is permitted to perform only specific, limited server tasks (such as starting or stopping the server only, or accessing logs of a given service).
Netscape Console provides convenient interfaces that allow an administrator to

 Providing Access to the Server as a Whole

To give a user or group permission to access a given instance of Messaging Server, you

(For more complete instructions, see the chapter on delegating server administration in Managing Servers with Netscape Console):

 Once you have set up the list of individuals and groups that have access to the particular Messaging Server, you can then use ACIs, as described next, to delegate specific server tasks to specific people or groups on that list.

 Restricting Access to Specific Tasks

An administrator typically connects to a server to perform one or more administrative tasks. Common administrative tasks are listed in the Messaging Server Tasks form in Netscape Console (see Figure 1.12).

By default, access to a particular Messaging Server means access to all of its tasks. However, each task in the Task form can have an attached set of access-control instructions (ACIs). The server consults those ACIs before giving a connected user (who must already be a user with access permissions to the server as a whole) access to any of the tasks. In fact, the server displays in the Tasks form only those tasks to which the user has permission.

 If you have access to a Messaging Server, you can create or edit ACIs on any of the tasks (that is, on any of the tasks to which you have access), and thus restrict the access that other users or groups can have to them.

 To restrict the task access that a connected user or group can have, you

(For more complete instructions, see the chapter on delegating server administration in Managing Servers with Netscape Console):

 For example, suppose you want to create a group of administrators responsible for log analysis, and you also have an individual (Miranda) who is responsible for filtering out unsolicited bulk email (UBE). You can

  1. create a group called Logging Admins and add the appropriate people to it

  2. use Set Access Permissions for the Netscape Console Configuration window to give both Logging Admins and Miranda access to the Messaging Server

  3. use Set Access Permissions for the Messaging Server Tasks form to place ACIs on the various tasks, making sure that the Logging Admin group sees (and thus has access to) only the logging-related tasks, and that Miranda sees only the UBE filter-configuration task
ACIs and how to create them are described more fully in the chapter on delegating server administration in Managing Servers with Netscape Console.


Configuring Client Access to TCP Services
Messaging Server supports sophisticated access control on a service-by-service basis for its TCP-based services (IMAP, POP, and SMTP), so that you can exercise far-ranging and fine-grained control over which users can gain access to your server.

 If you are managing messaging services for a large enterprise or an Internet service provider, these capabilities can help you to exclude spammers and DNS spoofers from your system and improve the general security of your network. For control of spam mail (unsolicited bulk email) specifically, see also Chapter 8, Filtering Unsolicited Bulk Email.

Note: If controlling user access is not an important issue for your enterprise, you do not have to create any of the filters described in this section. If minimal access control is all you need, see the section Mostly Allowing for instructions on setting it up.

How Client Access Filters Work

The Messaging Server access-control facility for TCP clients is an implementation of the TCP wrapper concept. A TCP wrapper is a program that listens at the same port as the TCP daemon it serves; it uses access filters to verify client identity, and it gives the client access to the daemon if the client passes the filtering process. The design of the Messaging Server TCP wrapper is based on the Unix Tcpd access-control facility (created by Wietse Venema) and the identd service (described in Internet draft RFC 1413).

As part of its processing, the Messaging Server TCP client access-control system performs (when necessary) the following analyses of the socket end-point addresses:

The system compares this information against access-control statements called filters to decide whether to grant or deny access. For each service, separate sets of Allow filters and Deny filters control access. Allow filters explicitly grant access; Deny filters explicitly forbid access.

 When a client requests access to a service, the access-control system compares the client's address or name information to each of that service's filters--in order--using these criteria:

 The filter syntax described here is flexible enough that you should be able to implement many different kinds of access-control policies in a simple and straightforward manner. You can use both Allow filters and Deny filters in any combination, even though you can probably implement most policies by using almost exclusively Allows or almost exclusively Denies.

The following sections describe filter syntax in detail and give usage examples.The section Creating Access Filters with Netscape Console gives the procedure for creating access filters.

Filter Syntax

Filter statements contain both server information and client information. The server information can include the name of the service, names of hosts, and addresses of hosts. The client information can include host names, host addresses, and user names. Both the server and client information can include wildcard names or patterns.

The very simplest form of a filter is

 
service: hostSpec
where service is the name of the service (such as smtp, pop, or imap) and hostSpec is the host name, IP address, or wildcard name or pattern that represents the client requesting access. When a filter is processed, if the client seeking access matches hostSpec, access is either allowed or denied (depending on which type of filter this is) to the service specified by service. Here are two examples:

 
imap: roberts.newyork.airius.com
pop: ALL
If these are Allow filters, the first one grants the host roberts.newyork.airius.com access to the IMAP service, and the second one grants all clients access to the POP service. If they are Deny filters, they deny those clients access to those services. (See Wildcard Names for descriptions of wildcard names such as ALL.)

Either the server or the client information in a filter can be somewhat more complex than this, in which case the filter has the more general form of

 
serviceSpec: clientSpec
where serviceSpec can be either service or service@hostSpec, and clientSpec can be either hostSpec or user@hostSpec. user is the user name (or a wildcard name) associated with the client host seeking access. Here are two examples:

 
smtp@mailServer1.airius.com: ALL
imap: srashad@xyz.europe.airius.com
If these are Deny filters, the first filter denies all clients access to the SMTP service on the host mailServer1.airius.com. The second filter denies the user srashad at the host xyz.europe.airius.com access to the IMAP service. (See Server-Host Specification and Client User-Name Specification for more information on when to use these expanded server and client specifications.)

Finally, at its most general, a filter has the form

 
serviceList: clientList
where serviceList consists of one or more serviceSpec entries, and clientList consists of one or more clientSpec entries. Individual entries within serviceList and clientList are separated by blanks and/or commas.

In this case, when a filter is processed, if the client seeking access matches any of the clientSpec entries in clientList, then access is either allowed or denied (depending on which type of filter this is) to all the services specified in serviceList. Here is an example:

 
pop, imap: .europe.airius.com .newyork.airius.com
If this is an Allow filter, it grants access to both POP and IMAP services to all clients in either of the domains europe.airius.com and newyork.airius.com. (See Wildcard Patterns for information on using a leading dot or other pattern to specify domains or subnets.)

Wildcard Names

You can use the following wildcard names to represent service names, host names or addresses, or user names:

Wildcard Name
Explanation
ALL
The universal wildcard. Matches all names.
LOCAL
Matches any local host (one whose name does not contain a dot character). However, if your installation uses only canonical names, even local host names will contain dots and thus will not match this wildcard.
UNKNOWN
Matches any user whose name is unknown, or any host whose name or address is unknown.

Use this wildcard name carefully:
KNOWN
Matches any user whose name is known, or any host whose name and address are known.

Use this wildcard name carefully:
DNSSPOOFER
Matches any host whose DNS name does not match its own IP address.

Wildcard Patterns

You can use the following patterns in server or client addresses:

EXCEPT Operator

The access-control system supports a single operator. You can use the EXCEPT operator to create exceptions to matching names or patterns when you have multiple entries in either serviceList or clientList. For example, the expression

list1 EXCEPT list2
means that anything that matches list1 is matched, unless it also matches list2.

Here is an example:

 
ALL: ALL EXCEPT isserver.airius.com
If this were a Deny filter, it would deny access to all services to all clients except those on the host machine isserver.airius.com.

 EXCEPT clauses can be nested. The expression

 
list1 EXCEPT list2 EXCEPT list3
is evaluated as if it were

 
list1 EXCEPT (list2 EXCEPT list3)
Server-Host Specification

You can further identify the specific service being requested in a filter by including server host name or address information in the serviceSpec entry. In that case the entry has the form 

service@hostSpec
You may want to use this feature when your Messaging Server host machine is set up for multiple internet addresses with different internet host names. If you are a service provider, you can use this facility to host multiple domains, with different access-control rules, on a single server instance.

 Client User-Name Specification

For client host machines that support the identd service as described in RFC 1413, you can further identify the specific client requesting service by including the client's user name in the clientSpec entry in a filter. In that case the entry has the form

user@hostSpec
where user is the user name as returned by the client's identd service (or a wildcard name).

 Specifying client user names in a filter can be useful, but keep these caveats in mind:

 The user-name lookup capability can in some cases help you guard against attack from unauthorized users on the client's host. It is possible in some TCP/IP implementations, for example, for intruders to use rsh (remote shell service) to impersonate trusted client hosts. If the client host supports the ident service, you can use user-name lookups to detect such attacks. See Allowing Only Identified Users for an example and discussion.

Filter Examples

The examples in this section show a variety of approaches to controlling access. In studying the examples, keep in mind that Allow filters are processed before Deny filters, the search terminates when a match is found, and access is granted when no match is found at all.

The examples listed here use host and domain names rather than IP addresses. Remember that you can include address and netmask information in filters, which can improve reliability in the case of name-service failure.

 Mostly Denying

In this case, access is denied by default. Only explicitly authorized hosts are permitted access.

The default policy (no access) is implemented with a single, trivial deny file:

ALL: ALL

This filter denies all service to all clients that have not been explicitly granted access by an Allow filter. The Allow filters, then, might be something like these:

ALL: LOCAL @netgroup1

ALL: .acme.com EXCEPT externalserver.acme.com

The first rule permits access from all hosts in the local domain (that is, all hosts with no dot in their host name) and from members of the group netgroup1. The second rule uses a leading-dot wildcard pattern to permit access from all hosts in the acme.com domain, with the exception of the host externalserver.acme.com.

Mostly Allowing

In this case, access is granted by default. Only explicitly specified hosts are denied access.

The default policy (access granted) makes Allow filters unnecessary. The unwanted clients are listed explicitly in Deny filters such as these:

ALL: externalserver.acme.com, .airius.asia.com

ALL EXCEPT pop: contractor.acme.com, .airius.com

The first filter denies all services to a particular host and to a specific domain. The second filter permits nothing but POP access from a particular host and from a specific domain.

Allowing Only Identified Users

You can use the following Deny filter to exclude all users but those known to a client host's identd service:

ALL: UNKWOWN@ALL

The filter denies all services to all unknown users from all domains.

You could write a more specific Deny filter, with a clientSpec entry of UNKNOWN@host. When it receives a request from host, the access-control system then uses the ident service on host to find out whether that host actually sent the request and what the user name of the requestor is. If the host responds that the sending user is unknown, that may be evidence of an attack. (However, note also that, if the client's host does not support the identd service, all requestors will match the UNKNOWN@host filter.)

 Employing user-name lookups in Allow filters is less trustworthy. Suppose you write an Allow filter with a clientSpec entry of KNOWN@host. Because an intruder can spoof both the client connection and the ident lookup, a match with the KNOWN@host filter is not strong evidence of absence of spoofing. Furthermore, if the client system has been compromised (as noted earlier), ident may return false information.

 See Client User-Name Specification for more information.

Denying Access to Spoofed Domains

You can use the DNSSPOOFER wildcard name in a filter to detect host-name spoofing. When you specify DNSSPOOFER, the access-control system performs forward or reverse DNS lookup to verify that the client's presented host name matches its actual IP address. Here is an example for a Deny filter:

ALL: DNSSPOOFER

This filter denies all services to all remote hosts whose IP addresses don't match their DNS host names.

Controlling Access to Virtual Domains

If your messaging installation uses virtual domains, in which a single server instance is associated with multiple IP addresses and domain names, you can control access to each virtual domain through a combination of Allow and Deny filters. For example, you can use Allow filters like

ALL@msgServer.domain1.com: @.domain1.com

ALL@msgServer.domain2.com: @.domain2.com

...

coupled with a Deny filter like

ALL: ALL

Each Allow filter permits only hosts within domainN to connect to the service whose IP address corresponds to msgServer.domainN.com. All other connections are denied.

Denying an Individual User

If you must deny access to an especially notorious individual user, the most general Deny filter you can apply is the following:

ALL: badUser@ALL

This filter cannot, of course, guard against the same person attempting to gain access under a different user name.

Creating Access Filters with Netscape Console

You create and edit Allow and Deny filters through a separate Netscape Console separately for each service. Follow these steps to create filters:

  1. In Netscape Console, open the Messaging Server that you want to create access filters for.

  2. Click the Configuration tab.

  3. Open the Services folder in the left pane and select IMAP, POP, or SMTP beneath the Services folder.

  4. Click the Access tab in the right pane.
    5. The Access form is displayed. The Allow and Deny fields in the form show the existing Allow and Deny filters for that service. Each line in the field represents one filter. For either of the fields, you can any of the following actions:

See IMAP Access Tab, POP Access Tab, and SMTP Access Tab for complete descriptions of the contents of those forms.

For a specification of filter syntax and a variety of examples, see the next section, Filter Syntax. For additional examples, see Filter Examples.


Interface Reference: Security and Access Control
This section describes the Netscape Console interface elements that allow you to configure security settings and access control for Messaging Server. See Managing Servers with Netscape Console for information on using Netscape Console to manage Messaging Server and other servers.
Encryption Configuration Tab
You use the form accessed through this tab to enable SSL and to select the encryption ciphers that your Messaging Server uses for communication with clients.

For more information, see also Enabling SSL.

The Encryption Configuration form has the following elements:

 Cipher Settings. Click one or more of these checkboxes to permit the use of the specified encryption ciphers. Click a previously checked box to disable the specified cipher. See About Ciphers for more information about these ciphers.

SSL is enabled if one or more of these ciphers is checked and your server has an installed server certificate.

Note: Export versions of Netscape Messaging Server may not support all ciphers available on Domestic U.S. versions.

Action Buttons

Save. Click this button to save any settings you have made in the Encryption Configuration form.

Reset. Click this button to return the form to the settings it displayed when you opened it (unless you have previously clicked Save, in which case the form returns to the settings it had when you last clicked Save).

 Help. Click this button to display online help (this document) that describes the Encryption Configuration form.
IMAP Access Tab
You use the form accessed through this tab to control user access to the IMAP service.

For more information, see also

 The IMAP Access form has the following elements:

 Allow Filters

Allow. This field displays Allow filters--access-control rules that permit access to the IMAP service. Any IMAP client that matches any of the Allow filters in this field is allowed IMAP access. You can edit the contents of this field by clicking the Add button, or by selecting a line in this field and then clicking Edit or Delete.

Add. Click this button to open a window (see IMAP Allow Filter Window) that allows you to add a new Allow filter to the Allow field.

Edit. Click this button to open a window (see IMAP Allow Filter Window) that allows you to edit the Allow filter that is currently highlighted in the Allow field.

Delete. Click this button to delete the Allow filter that is currently highlighted in the Allow field.

 Deny Filters

Deny. This field displays Deny filters--access-control rules that deny access to the IMAP service. Any IMAP client that matches any of the Deny filters in this field is denied IMAP access. You can edit the contents of this field by clicking the Add button, or by selecting a line in this field and then clicking either Edit or Delete.

Add. Click this button to open a window (see IMAP Deny Filter Window) that allows you to add a new Deny filter to the Deny field.

Edit. Click this button to open a window (see IMAP Deny Filter Window) that allows you to edit the Deny filter that is currently highlighted in the Deny field.

Delete. Click this button to delete the Deny filter that is currently highlighted in the Deny field.

 Action Buttons

Save. Click this button to save any settings you have made in the IMAP Access form.

Reset. Click this button to return the form to the settings it displayed when you opened it (unless you have previously clicked Save, in which case the form returns to the settings it had when you last clicked Save).

 Help. Click this button to display online help (this document) that describes the IMAP Access form.
IMAP Allow Filter Window
You use this window to add or edit Allow filters, the rules by which clients are permitted to access the IMAP service.

For more information, see also

 The IMAP Allow Filter window has the following elements:

 ALLOW filter. Use this field to enter a new IMAP Allow filter or edit the one currently being displayed. A typical Allow filter has the format

 
serviceSpec:clientSpec
where serviceSpec is generally the name of the service to be accessed (imap in this case), and clientSpec is typically a host name, domain name, or wildcard name or pattern. Clients that match the information in clientSpec are to be allowed access to the service specified in serviceSpec.

 For a complete syntax description, see Filter Syntax.

Examples. This non-editable field displays examples of IMAP Allow filters. For additional examples, see Filter Examples.

Action Buttons

OK. Click this button to save the entry or the edits you have made in the ALLOW filter field.

Cancel. Click this button to cancel the entry or edit, leaving the set of IMAP Allow filters unchanged.

 Help. Click this button to display online help (this document) that describes the IMAP Allow Filter window.
IMAP Deny Filter Window
You use this window to add or edit Deny filters, the rules by which clients are explicitly excluded from access to the IMAP service.

For more information, see also

 The IMAP Deny Filter window has the following elements:

 DENY filter. Use this field to enter a new IMAP Deny filter or edit the one currently being displayed. A typical Deny filter has the format

 
serviceSpec:clientSpec
where serviceSpec is generally the name of the service to be denied (imap in this case), and clientSpec is typically a host name, domain name, or wildcard name or pattern. Clients that match the information in clientSpec are to be prevented from accessing the service specified in serviceSpec.

 For a complete syntax description, see Filter Syntax.

Examples. This non-editable field displays examples of IMAP Deny filters. For additional examples, see Filter Examples.

Action Buttons

OK. Click this button to save the entry or the edits you have made in the DENY filter field.

Cancel. Click this button to cancel the entry or edit, leaving the set of IMAP Deny filters unchanged.

 Help. Click this button to display online help (this document) that describes the IMAP Deny Filter window.
POP Access Tab
You use the form accessed through this tab to control user access to the POP service.

For more information, see also

 The POP Access form has the following elements:

 Allow Filters

Allow. This field displays Allow filters--access-control rules that permit access to the POP service. Any POP client that matches any of the Allow filters in this field is allowed POP access. You can edit the contents of this field by clicking the Add button, or by selecting a line in this field and then clicking either Edit or Delete.

Add. Click this button to open a window (see POP Allow Filter Window) that allows you to add a new Allow filter to the Allow field.

Edit. Click this button to open a window (see POP Allow Filter Window) that allows you to edit the Allow filter that is currently highlighted in the Allow field.

Delete. Click this button to delete the Allow filter that is currently highlighted in the Allow field.

 Deny Filters

Deny. This field displays Deny filters--access-control rules that deny access to the POP service. Any POP client that matches any of the Deny filters in this field is denied POP access. You can edit the contents of this field by clicking the Add button, or by selecting a line in this field and then clicking either Edit or Delete.

Add. Click this button to open a window (see POP Deny Filter Window) that allows you to add a new Deny filter to the Deny field.

Edit. Click this button to open a window (see POP Deny Filter Window) that allows you to edit the Deny filter that is currently highlighted in the Deny field.

Delete. Click this button to delete the Deny filter that is currently highlighted in the Deny field.

 Action Buttons

Save. Click this button to save any settings you have made in the POP Access form.

Reset. Click this button to return the form to the settings it displayed when you opened it (unless you have previously clicked Save, in which case the form returns to the settings it had when you last clicked Save).

 Help. Click this button to display online help (this document) that describes the POP Access form.
POP Allow Filter Window
You use this window to add or edit Allow filters, the rules by which clients are permitted to access the POP service.

 For more information, see also

 The POP Allow Filter window has the following elements:

 ALLOW filter. Use this field to enter a new POP Allow filter or edit the one currently being displayed. A typical Allow filter has the format

 
serviceSpec:clientSpec
where serviceSpec is generally the name of the service to be accessed (in this case, pop), and clientSpec is typically a host name, domain name, or wildcard name or pattern. Clients that match the information in clientSpec are to be allowed access to the service specified in serviceSpec.

 For a complete syntax description, see Filter Syntax.

Examples. This non-editable field displays examples of POP Allow filters. For additional examples, see Filter Examples.

Action Buttons

OK. Click this button to save the entry or the edits you have made in the ALLOW filter field.

Cancel. Click this button to cancel the entry or edit, leaving the set of POP Allow filters unchanged.

 Help. Click this button to display online help (this document) that describes the POP Allow Filter window.
POP Deny Filter Window
You use this window to add or edit Deny filters, the rules by which clients are explicitly excluded from access to the POP service.

For more information, see also

 The POP Deny Filter window has the following elements:

 DENY filter. Use this field to enter a new POP Deny filter or edit the one currently being displayed. A typical Deny filter has the format

 
serviceSpec:clientSpec
where serviceSpec is generally the name of the service to be denied (in this case, pop), and clientSpec is typically a host name, domain name, or wildcard name or pattern. Clients that match the information in clientSpec are to be prevented from accessing the service specified in serviceSpec.

 For a complete syntax description, see Filter Syntax.

Examples. This non-editable field displays examples of POP Deny filters. For additional examples, see Filter Examples.

Action Buttons

OK. Click this button to save the entry or the edits you have made in the DENY filter field.

Cancel. Click this button to cancel the entry or edit, leaving the set of POP Deny filters unchanged.

 Help. Click this button to display online help (this document) that describes the POP Deny Filter window.
SMTP Access Tab
You use the form accessed through this tab to control client access to the SMTP service.

For more information, see also:

 The SMTP Access form has the following elements:

 Allow Filters

Allow. This field displays Allow filters--access control rules that permit access to the SMTP service. Any SMTP client that matches any of the Allow filters in this field is allowed SMTP access. You can edit the contents of this field by selecting a line in this field and then clicking one of the following three buttons.

Add. Click this button to open a window (see SMTP Allow Filter Window) that allows you to add a new Allow filter to the Allow field.

Edit. Click this button to open a window (see SMTP Allow Filter Window) that allows you to edit the Allow filter that is currently highlighted in the Allow field.

Delete. Click this button to delete the Allow filter that is currently highlighted in the Allow field.

 Deny Filters

Deny. This field displays Deny filters--access control rules that deny access to the SMTP service. Any SMTP client that matches any of the Deny filters in this field is denied SMTP access. You can edit the contents of this field by selecting a line in this field and then clicking one of the following three buttons.

Add. Click this button to open a window (see SMTP Deny Filter Window) that allows you to add a new Deny filter to the Deny field.

Edit. Click this button to open a window (see SMTP Deny Filter Window) that allows you to edit the Deny filter that is currently highlighted in the Deny field.

Delete. Click this button to delete the Deny filter that is currently highlighted in the Deny field.

 Action Buttons

Save. Click this button to save any settings you have made in the SMTP Access form.

Reset. Click this button to return the form to the settings it displayed when you opened it (unless you have previously clicked Save, in which case the form returns to the settings it had when you last clicked Save).

 Help. Click this button to display online help (this document) that describes the SMTP Access form.
SMTP Allow Filter Window
You use the SMTP Allow Filter window to add or edit Allow filters, the rules by which clients are permitted to access the SMTP service.

For more information, see also

 The SMTP Allow Filter window has the following elements:

 Allow filter. Use this field to enter a new SMTP Allow filter or edit the one currently being displayed. A typical Allow filter has the format

 
serviceSpec:clientSpec
where serviceSpec is generally the name of the service to be accessed (smtp in this case), and clientSpec is typically a host name, domain name, or wildcard name or pattern. Clients that match the information in clientSpec are to be allowed access to the service specified in serviceSpec.

 For a complete syntax description, see Filter Syntax.

Examples. This non-editable field displays examples of SMTP Allow filters. For additional examples, see Filter Examples.

Action Buttons

OK. Click this button to save the entry or the edits you have made in the ALLOW filter field.

Cancel. Click this button to cancel the entry or edit, leaving the set of SMTP Allow filters unchanged.

 Help. Click this button to display online help (this document) that describes the SMTP Allow Filter window.
SMTP Deny Filter Window
You use the SMTP Deny Filter window to add or edit Deny filters, the rules by which clients are explicitly excluded from access to the SMTP service.

For more information, see also

 The SMTP Deny Filter window has the following elements:

 Deny filter. Use this field to enter a new SMTP Deny filter or edit the one currently being displayed. A typical Deny filter has the format

 serviceSpec:clientSpec

 where serviceSpec is generally the name of the service to be accessed (smtp in this case), and clientSpec is typically a host name, domain name, or wildcard name or pattern. Clients that match the information in clientSpec are to be allowed access to the service specified in serviceSpec.

 For a complete syntax description, see Filter Syntax.

Examples. This non-editable field displays examples of SMTP Deny filters. For additional examples, see Filter Examples.

Action Buttons

OK. Click this button to save the entry or the edits you have made in the DENY filter field.

Cancel. Click this button to cancel the entry or edit, leaving the set of SMTP Deny filters unchanged.

 Help. Click this button to display online help (this document) that describes the SMTP Deny Filter window.

 

© Copyright 1998 Netscape Communications Corporation