Access Control

I need help understanding the Access Control settings.
I have 2014 SP1 installed on a SuSE 11 SP3, only one Post Office, Domain, and all agents are on this dedicated server.

I want to lock down incoming messages to specific internet IPs.
We have moved our email security to the cloud, thus the reason for this.
I have made the necessary changes to the DNS Server yesterday and I came in early this morning in hopes of finishing up.
In the GWIA Access Control settings for the Default Class of Service, under SMTP Incoming, I added the IPs that the vendor said we would use under 'Allow messages from:'.

Question: In adding the IPs can I use wildcards for this? For example, if an IP Range is: 10.10.10.20-10.10.10.30, is 10.10.10.2? a valid entry?

I then selected 'Prevent incoming messages', clicked OK until I was all the way out of the GWIA settings, then restarted the GWIA agent.
I sent a test message from my personal (hotmail) account and it was immediately rejected as undeliverable.
(Naturally, I went back in and selected 'Allow incoming messages' until I can get a successful test).

I'm thinking that it might be the wildcard that is not acceptable?
If not, then I don't know what else I need to do.

I saw TID 7006146 - Configure GWIA to only allow inbound SMTP traffic from a specific site,
which shows: In the Exceptions, "Allow messages from" section, put in an entry of *@*.*
However, I don't THINK it applies since it lists only GW versions 6-8 (?).

Many thanks!

Stan
  • Hi.

    On 12.11.2014 13:56, Demaximis wrote:
    >
    > I need help understanding the Access Control settings.


    Yes. ;)


    > Question: In adding the IPs can I use wildcards for this?


    Answer: You don't and can't use IPs there.

    > I saw TID 7006146 - Configure GWIA to only allow inbound SMTP traffic
    > from a specific site.
    > Which shows: In the Exceptions, "Allow messages from" section , put in
    > an entry of, *@*.*
    > However, I don't THINK it applies since it lists only GW versions 6 -
    > 8.(?)


    It does apply, and is a dead giveaway that access control works based on
    email addresses (only), and not IPs.

    What you're looking for is a job for a firewall. It's outside the scope
    of what GWIA can do.

    CU,
    --
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • Thanks for the reply.
    It appears that I am confused.

    However, in the GW 2014 admin documentation, under Creating a Class of Service, on page 325 it states:

    "Prevent Messages From: If you chose to allow incoming messages but you want to prevent
    messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the
    Prevent Messages From list.
    Allow Messages From: Conversely, if you chose to prevent incoming messages but you want to
    allow messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the
    Allow Messages From list."

    ...I will look at my firewall, thanks!

  • Massimo, hate to burst your bubble, but access control does work for IPs.

    For whatever reason, the syntax to provide 'wildcarding' of addresses is not *, but you include a range of addrs you want to accept from: i.e., 10.10.10.5-100, using a - to specify the range.

    --Morris

    >>> Massimo Rosen<mrosenNO@SPAMcfc-it.de> 11/12/2014 8:48 AM >>>

    Hi.

    On 12.11.2014 13:56, Demaximis wrote:

    >
    > I need help understanding the Access Control settings.


    Yes. ;)



    > Question: In adding the IPs can I use wildcards for this?


    Answer: You don't and can't use IPs there.


    > I saw TID 7006146 - Configure GWIA to only allow inbound SMTP traffic
    > from a specific site.
    > Which shows: In the Exceptions, "Allow messages from" section , put in
    > an entry of, *@*.*
    > However, I don't THINK it applies since it lists only GW versions 6 -
    > 8.(?)


    It does apply, and is a dead giveaway that access control works based on
    email addresses (only), and not IPs.

    What you're looking for is a job for a firewall. It's outside the scope
    of what GWIA can do.

    CU,
    --
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de
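To make the range syntax Morris describes concrete, here is an added example (not from the thread and not GroupWise code) that parses allow-list entries in that form and checks a connecting IP against them before the 'Prevent incoming messages' switch is flipped. Treating both hyphen forms as inclusive ranges and rejecting wildcards outright are assumptions; the sample entries are constructed.

```python
import ipaddress

# Constructed allow-list entries in the three shapes seen in the thread:
# a single host, Morris's last-octet range ("10.10.10.5-100") and Stan's
# full-address range ("10.10.10.20-10.10.10.30"). Reading the hyphen forms
# as inclusive ranges is an assumption; the GWIA documentation, not this
# script, is authoritative for the exact syntax the agent accepts.
ALLOW_ENTRIES = ["192.0.2.10", "10.10.10.5-100", "10.10.10.20-10.10.10.30"]


def parse_entry(entry):
    """Turn one Allow-Messages-From style entry into an inclusive (first, last) pair."""
    entry = entry.strip()
    if "*" in entry or "?" in entry:
        # Wildcards are what the thread reports as not working; fail loudly
        # instead of silently matching nothing and bouncing real mail.
        raise ValueError(f"wildcards are not a range syntax: {entry!r}")
    if "-" not in entry:
        addr = ipaddress.IPv4Address(entry)
        return addr, addr
    low, high = entry.split("-", 1)
    first = ipaddress.IPv4Address(low)
    if "." in high:
        last = ipaddress.IPv4Address(high)           # full address after the dash
    else:
        prefix = low.rsplit(".", 1)[0]               # "10.10.10.5-100": last octet only
        last = ipaddress.IPv4Address(f"{prefix}.{high}")
    if last < first:
        raise ValueError(f"range runs backwards: {entry!r}")
    return first, last


def is_allowed(client_ip, entries=ALLOW_ENTRIES):
    """True when client_ip falls inside any parsed entry."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(first <= addr <= last for first, last in map(parse_entry, entries))


def check_entries(entries):
    """Return (entry, reason) pairs for entries that would not parse."""
    bad = []
    for e in entries:
        try:
            parse_entry(e)
        except ValueError as exc:      # AddressValueError is a ValueError too
            bad.append((e, str(exc)))
    return bad


if __name__ == "__main__":
    for ip in ["10.10.10.25", "10.10.10.150", "192.0.2.10", "203.0.113.7"]:
        print(ip, "allowed" if is_allowed(ip) else "rejected")
    print(check_entries(["10.10.10.2?", "10.10.10.30-20"]))
```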
  • I will give that a try tomorrow and I will report my results.

    Thanks Morris!:)
  • Morris,

    On 12.11.2014 21:54, Morris Blackham wrote:
    > Massimo, hate to burst your bubble, but access control does work for IP's.


    Thanks. I get old... :( ;)

    CU,
    --
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • You too!? :rolleyes:

    I made the suggested changes and I got the same results: Test messages from my hotmail account to my work account weren't being delivered.
    So, I gave up on that "feature" and made settings in our firewall to prevent anything connecting to our mail server (port 25) except for the security servers.

    Stan
  • In article <SFkaw.781$Yv2.538@novprvlin0913.provo.novell.com>, Massimo
    Rosen wrote:
    > Thanks. I get old... :( ;)


    We all do, but I still have more grey hairs than you do, and Morris a
    few more than I.
    None of us are omniscient, even if we occasionally come across as
    'know-it-alls'.


    Andy of
    KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!

  • In article <546367EF.56D8.00A3.1@no-mx.forums.novell.com>, Morris
    Blackham wrote:
    > For whatever reason, the syntax to provide 'wildcarding' of
    > addresses is not *, but you include a range of addrs you want
    > to accept from: ie, 10.10.10.5-100, using a - to specify
    > the range..


    Do you know when that got introduced?
    I worked with support way back to get TID 3959034 written to get this
    sort of thing to work and the - didn't work in GW7 era.


    https://www.novell.com/support/kb/doc.php?id=3959034
    needs a bit of updating, but certainly has worked up through GW 2012



    Andy of
    KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!