Absent Member.

Cannot seem to override the Default Class of Service

I have configured a server for IMAP and POP3 access. On the GWIA for this server, I have configured a new class of service that gives the specified user accounts (GroupWise authentication) access to POP3, IMAP, SMTP Incoming, and SMTP Outgoing.

The Default Class of Service, which contains Everyone, allows SMTP Incoming and SMTP Outgoing. If I prevent SMTP Incoming and SMTP Outgoing, users who are in the new IMAP/POP3 class of service can no longer connect by using SMTP. This behavior occurs even though they are members of the new class of service which allows this.
The documentation says that if the user entries are at the same level (the user level in this case: Everyone versus individual GroupWise accounts), the least restrictive setting should take precedence.
On this particular GWIA, I would like to restrict SMTP connections to only the members of the particular class of service (to limit the authenticated spam attack vector). However, it does not seem possible.
I would really appreciate any help pointing me in the right direction. Not sure what I am missing here.

Thank you very much!

Dennis
Micro Focus Expert

Hi Dennis,

Have you tried the "Test" option on your class of service to see what exactly is applying to a user assigned to your created class of service?

Details on how to do this here: http://www.novell.com/documentation/gw8/gw8_admin/data/a2zz2fk.html#a2zzdna

Let us know.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
Absent Member.

Yes, thank you. I tried that. With the default class of service disabling SMTP and the new IMAP COS enabling SMTP, the test shows that I have the rights to send and receive SMTP messages. However, after the GWIA restarts, the IMAP client (Mac Mail) can no longer connect to the server.
I was wondering whether this could be related to some setting on the post office server (Netware) or if there is something simple that I have missed.
The SMTP settings on the GWIA are configured to use port 25 with SSL allowed. The firewall is configured to forward 465 to port 25 on the GWIA.
Mac Mail is configured for an authenticated connection using port 465.
This seems to have some (one) of the symptoms of a damaged GWIA database because there does not seem to be a connection attempt on the post office server. However, I think that if the database was damaged, the connection would not work when the default class of service allows SMTP.
I will try validating the database anyway.
Thank you for your help!

Dennis
Micro Focus Expert

Hi Dennis,

Definitely do a database validation - issues can creep in on systems that have been upgraded in particular.

Let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
Absent Member.

The database validation shows no errors.

Thank you
Absent Member.

Dennis,

from reading your postings, I cannot determine if there's a misunderstanding in the concept of classes of service. Check the conflict resolution table here:
http://www.novell.com/documentation/gw8/gw8_admin/data/a2zz2fk.html

As a rule of thumb, I always leave the default class untouched. I then add users (or POs) to a new class of service which will restrict the user's abilities.

Uwe


--
Novell Knowledge Associate
Please don't send me support related e-mail unless I ask you to do so.
Micro Focus Expert

Hi Dennis,

Let me make a suggestion if I may?

Reset your default class of service back to its defaults.
Create a new class of service denying what you want to deny to "everybody" - add all your domains to this COS.
Create a distribution list and add, as members, everybody on the exception list, e.g. SMTP allowed.
Create a new class of service and assign it to the distribution list and enable the relevant services.

The distribution list makes future management of such things easier, hence my suggestion!

Let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
Absent Member.

OH.
Wow. Sorry. I have been thinking of it in reverse: forbidding everything in the Default COS and then enabling it with new COSs. I will try this right away.

Thank you very much!
Absent Member.

Thank you all for your help with this. Your instructions worked perfectly.
For some reason, the information at http://www.novell.com/documentation/gw8/gw8_admin/data/a2zz2fk.html seems to have confused me. Specifically, the following paragraph:
"If a user’s membership in two classes of service is based upon the same level of membership (for example, both through individual user membership), the class that applies is the one that allows the most privileges."


I really appreciate all your help with this.
Thank you!

Dennis
Micro Focus Expert

Hi Dennis,

So glad that you came right with this. Thanks for letting us know - that way we all learn.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.