Demaximis Absent Member.

Access Control

I need help understanding the Access Control settings.
I have 2014 SP1 installed on a SuSE 11 SP3, only one Post Office, Domain, and all agents are on this dedicated server.

I want to lock down incoming messages to specific internet IPs.
We have moved our email security to the cloud, thus the reason for this.
I have made the necessary changes to the DNS Server yesterday and I came in early this morning in hopes of finishing up.
In the GWIA Access Control settings for the Default Class of Service, under SMTP Incoming, I added the IPs that the vendor said we would use under the 'Allow messages from:'

Question: In adding the IPs can I use wildcards for this? For example, if an IP Range is: 10.10.10.20-10.10.10.30, is 10.10.10.2? a valid entry?

I then selected 'Prevent incoming messages', clicked OK until I was all the way out of the gwia settings, then restarted the gwia agent.
I sent a test message from my personal (hotmail) account and it was immediately rejected as undeliverable.
(Naturally, I went back in and selected 'Allow incoming messages' until I can get a successful test).

I'm thinking that it might be the wildcard that is not acceptable?
If not, then I don't know what else I need to do.

I saw TID 7006146 - Configure GWIA to only allow inbound SMTP traffic from a specific site.
Which shows: In the Exceptions, "Allow messages from" section, put in an entry of, *@*.*
However, I don't THINK it applies since it lists only GW versions 6 - 8.(?)

Many thanks!

Stan
Knowledge Partner

Re: Access Control

Hi.

On 12.11.2014 13:56, Demaximis wrote:
>
> I need help understanding the Access Control settings.


Yes. 😉


> Question: In adding the IPs can I use wildcards for this?


Answer: You don't and can't use IPs there.

> I saw TID 7006146 - Configure GWIA to only allow inbound SMTP traffic
> from a specific site.
> Which shows: In the Exceptions, "Allow messages from" section , put in
> an entry of, *@*.*
> However, I don't THINK it applies since it lists only GW versions 6 -
> 8.(?)


It does apply, and is a dead giveaway that access control works based on
email addresses (only), and not IPs.

What you're looking for is a job for a firewall. It's outside the scope
of what GWIA can do.

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Demaximis Absent Member.

Re: Access Control

Thanks for the reply.
It appears that I am confused.

However, in the GW 2014 admin documentation, under Creating a Class of Service, on page 325 it states:

"Prevent Messages From: If you chose to allow incoming messages but you want to prevent
messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the
Prevent Messages From list.
Allow Messages From: Conversely, if you chose to prevent incoming messages but you want to
allow messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the
Allow Messages From list."

...I will look at my firewall, thanks!
mblackham Absent Member.

Re: Access Control


Massimo, hate to burst your bubble, but access control does work for IP's.



For whatever reason, the syntax to provide 'wildcarding' of addresses is not *, but you include a range of addrs you want to accept from: i.e., 10.10.10.5-100, using a - to specify the range.



--Morris



Demaximis Absent Member.

Re: Access Control

I will give that a try tomorrow and I will report my results.

Thanks Morris!:)
Knowledge Partner

Re: Access Control

Morris,

On 12.11.2014 21:54, Morris Blackham wrote:
> Massimo, hate to burst your bubble, but access control does work for IP's.


Thanks. I get old... 😞 😉

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Demaximis Absent Member.

Re: Access Control

You too!? :rolleyes:

I made the suggested changes and I got the same results: Test messages from my hotmail account to my work account weren't being delivered.
So, I gave up on that "feature" and made settings in our firewall to prevent anything connecting to our mail server (port 25) except for the security servers.

Stan
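
Added example (not from any poster in this thread and not GroupWise code): the question's range 10.10.10.20-10.10.10.30 and the short a.b.c.d-N notation from the reply, parsed and reduced to the exact CIDR blocks a port-25 firewall allowlist needs, plus a check of which addresses a `10.10.10.2?` entry would leave out. The function names are hypothetical, and reading `?` as "exactly one character" is an assumption; the thread does not establish how GWIA interprets either notation.

```python
import fnmatch
import ipaddress

def parse_range(entry):
    """Parse 'a.b.c.d', 'a.b.c.d-e.f.g.h' or the short 'a.b.c.d-N' form
    (N = final value of the last octet) into (first, last) addresses."""
    start_txt, dash, end_txt = entry.strip().partition("-")
    first = ipaddress.IPv4Address(start_txt.strip())
    if not dash:
        return first, first
    end_txt = end_txt.strip()
    if "." in end_txt:
        last = ipaddress.IPv4Address(end_txt)
    else:
        octet = int(end_txt)
        if not 0 <= octet <= 255:
            raise ValueError(f"last octet out of range in {entry!r}")
        last = ipaddress.IPv4Address((int(first) & 0xFFFFFF00) | octet)
    if last < first:
        raise ValueError(f"range runs backwards in {entry!r}")
    return first, last

def to_cidrs(entry):
    """Smallest list of CIDR blocks covering exactly the range."""
    first, last = parse_range(entry)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def is_allowed(source_ip, entries):
    """True if source_ip falls inside any allowlisted range."""
    addr = ipaddress.IPv4Address(source_ip)
    return any(lo <= addr <= hi for lo, hi in map(parse_range, entries))

def missed_by_wildcard(entry, pattern):
    """Addresses in the range that a shell-style pattern fails to match
    (assumption: '?' matches exactly one character)."""
    first, last = parse_range(entry)
    hosts = (str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1))
    return [h for h in hosts if not fnmatch.fnmatchcase(h, pattern)]

if __name__ == "__main__":
    vendor = "10.10.10.20-10.10.10.30"   # range from the question above
    print(to_cidrs(vendor))
    print(to_cidrs("10.10.10.5-100"))    # short form from the reply above
    print(missed_by_wildcard(vendor, "10.10.10.2?"))
    print(is_allowed("10.10.10.31", [vendor]))
```
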
Knowledge Partner

Re: Access Control

In article <546367EF.56D8.00A3.1@no-mx.forums.novell.com>, Morris
Blackham wrote:
> For whatever reason, the syntax to provide 'wildcarding' of
> addresses is not *, but you include a range of addrs you want
> to accept from: ie, 10.10.10.5-100, using a - to specify
> the range..


Do you know when that got introduced?
I worked with support way back to get TID 3959034 written to get this
sort of thing to work and the - didn't work in GW7 era.


https://www.novell.com/support/kb/doc.php?id=3959034
needs a bit of updating, but certainly has worked up through GW 2012



Andy of
KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
Knowledge Partner

Re: Access Control

In article <SFkaw.781$Yv2.538@novprvlin0913.provo.novell.com>, Massimo
Rosen wrote:
> Thanks. I get old... 😞 😉


We all do, but I still have more grey hairs than you do, and Morris a
few more than I.
None of us are omniscient, even if we occasionally come across as 'know
it alls'.


Andy of
KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya