- I have heard that sendmail has all sorts of security holes. Does CEQURUX Firewall/VPN use sendmail, and if so, is this safe?
CEQURUX Firewall/VPN uses sendmail to deliver individual mail messages,
but not to receive mail; this is handled by a separate MTA which is run in
a chrooted environment, with a third daemon handling the passing of
mail between the receiver and sendmail. This eliminates almost all
of the risks usually associated with sendmail. If you need even more
security, you can configure the firewall to use an external smart host,
which means all outgoing mail will be sent (using sendmail) to the smart
host only, which must then pass it on.
- Does CEQURUX Firewall/VPN prevent external users from using it as a mail relay for spam?
Yes, CEQURUX Firewall/VPN will only accept mail from the outside which is
addressed to users in your domain or in one of the virtual domains for which
you have configured it to receive mail. Should you for some reason want to
allow mail relaying, it can be enabled by adding a line:
to the /usr/local/custom/recvmail.ini file. Use the command `man recvmail'
for more details about mail relaying.
- What other ways can CEQURUX Firewall/VPN be used to prevent spam mail?
CEQURUX Firewall/VPN has a number of anti-spam features that can be
configured:
- You can restrict the set of recipients for whom mail will be accepted
- Alternatively, you can specify a set of recipients for whom mail
will not be accepted
- You can block mail from particular hosts
- You can use Paul Vixie's Mail Abuse Prevention System real-time blacklist
to block hosts
- or some other RBL to block hosts
- You can specify hosts or domains to block, and the blocking will be
done if the mail client host, client host's nameserver, sender,
or any `Received from' headers match any of these hosts or domains
- You can block senders whose addresses cannot be replied to due to no
A or MX records.
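The host/domain matching rule from the list above, as an added example (not CEQURUX code and not taken from the original page). The message, host names and blocklist entries are constructed, and the client host, its nameserver and the envelope sender are assumed to be supplied by the receiving MTA.

```python
import re
from email import message_from_string

# Constructed sample message; every host name here is a made-up example.
SAMPLE = """\
Received: from gw.partner.example (gw.partner.example [192.0.2.10])
\tby fw.corp.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from pc7.bulk.spam.example (pc7.bulk.spam.example [198.51.100.7])
\tby gw.partner.example with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: Alice <alice@partner.example>
Subject: test

body
"""

# Constructed blocklist of hosts or domains.
BLOCKED = {"spam.example", "relay.bad.example"}


def is_blocked(host, blocked=BLOCKED):
    """True if host equals a blocked entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def received_from_hosts(msg):
    """Host named after 'from' in each Received: header, top to bottom."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", value)
        if m:
            hosts.append(m.group(1))
    return hosts


def block_reasons(raw, client_host, client_ns, envelope_sender):
    """List which of the four checked attributes hit the blocklist."""
    msg = message_from_string(raw)
    candidates = [("client host", client_host),
                  ("client nameserver", client_ns),
                  ("sender", envelope_sender.rpartition("@")[2])]
    candidates += [("Received from", h) for h in received_from_hosts(msg)]
    return [(kind, host) for kind, host in candidates if is_blocked(host)]
```

Only the topmost Received: line is written by your own MTA; the lines below it arrive with the message and can be forged or omitted by the sender, so a match there is a useful signal but its absence proves nothing.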
- Can a standard disclaimer be attached to the contents of every outgoing mail message?
Yes, one can have the firewall add a standard disclaimer to the end of each outgoing mail message.
To do this, you need to create a file in the /var/spool/post directory which contains the text of the disclaimer message.
Next, edit or create the file /usr/local/custom/recvmail.ini, and add a line of the form:
where filename is the name of the file containing the disclaimer text (just the filename, not the full path).
Don't forget to run fwadmin -A to save the changes.
- Can CEQURUX Firewall/VPN handle mail for domains other than the principal domain?
Yes, by creating virtual mail domains.
- Is an internal mail server required, or can the firewall be used as the mail server?
You do not need a mailserver. If your users are on hosts that can accept
SMTP connections (typically UNIX hosts), you can use mail postboxes;
alternatively you can create POP3 maildrops on the firewall and allow your
users to retrieve their mail from the firewall using POP3 clients.
- My ISP handles all the mail for our users, who retrieve the mail using POP/IMAP. Can CEQURUX Firewall/VPN handle this?
Yes. Simply create POP3/IMAP gateways or proxies. You can also disable
the mail subsystem on the firewall for added security.
- We have had some outgoing mail bounce with an error message `I/O error'. What does this mean?
It usually means that the remote destination host has no available
disk space left.
- How do I obtain a username and password for the Sophos antivirus system?
For a 30-day evaluation username and password, click here to go to the request form.
Complete and submit this form, taking note of the following:
For No. of workstations select none.
In the no. of servers field, select the number of firewalls you have.
Operating system is UNIX.
If you wish to purchase a licence, follow these steps:
Click here to go to the Sophos quotation form. Complete and submit this form, taking note of the following:
In the no. of servers field, select the number of firewalls you have.
Server platform is UNIX - FreeBSD/Intel.
For No. of workstations select none.
Select the applicable period of licence you require.
In the Additional notes section, fill in: SAVI libraries for CEQURUX firewall/VPN.
- Where can I alter the timeouts for deferred mail warnings and bounces?
The timeout for a deferred mail to be returned to its sender can be set with fwadmin or remadmin, but the timeout for a warning message involves a customisation.
Edit or create the following files in /usr/local/custom/ on the firewall:
sendmail.DEFINITIONS.incoming
sendmail.DEFINITIONS.local
sendmail.DEFINITIONS.outgoing
Insert into these files the following line:
define(`confMESSAGE_TIMEOUT', xy/xy)
The first instance of 'xy' is for the 'return to sender' timeout and the second one is for the 'warning' timeout.
Remember that whatever you have set for the first timeout will override what you have set using fwadmin or remadmin.
Time is given as a tagged number, with `s' being seconds, `m' being minutes, `h' being hours, `d' being days, and `w' being weeks. For example, `1h30m' or `90m' would both set the timeout to one hour thirty minutes.
Example: define(`confMESSAGE_TIMEOUT', 5d/10m)
The above example would send a warning after 10 minutes advising the sender that the mail could not be delivered. If the mail is still undelivered after 5 days, it will be returned to the sender.
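A checker for the line described above, as an added example that is not part of the original page or of the product. It parses the tagged intervals and, as an extra sanity check assumed here, rejects a line whose warning timeout is not shorter than the return timeout, since such a warning would never be sent before the bounce.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DEFINE_RE = re.compile(
    r"define\(`confMESSAGE_TIMEOUT',\s*([0-9smhdw]+)/([0-9smhdw]+)\)")
PART_RE = re.compile(r"(\d+)([smhdw])")


def parse_interval(text):
    """Convert a tagged interval such as '1h30m' to seconds."""
    if not re.fullmatch(r"(?:\d+[smhdw])+", text):
        raise ValueError(f"not a tagged interval: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in PART_RE.findall(text))


def check_timeout_line(line):
    """Return (return_seconds, warning_seconds) for a confMESSAGE_TIMEOUT line.

    Raises ValueError if the line is malformed or if the warning would not
    fire before the message is returned to the sender.
    """
    m = DEFINE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a confMESSAGE_TIMEOUT definition: {line!r}")
    ret = parse_interval(m.group(1))   # first value: return to sender
    warn = parse_interval(m.group(2))  # second value: warning
    if warn >= ret:
        raise ValueError("warning timeout must be shorter than return timeout")
    return ret, warn


if __name__ == "__main__":
    # Sample lines: the first is the page's example, the second is constructed
    # with the two values swapped by mistake.
    for sample in ("define(`confMESSAGE_TIMEOUT', 5d/10m)",
                   "define(`confMESSAGE_TIMEOUT', 10m/5d)"):
        try:
            print(sample, "->", check_timeout_line(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```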
- How do I display the full headers of a message in my mail client?
Eudora:
- Open the message.
- Under the title bar are four options.
The second from the left is a box which says Blah, Blah, Blah.
Click on that to display the full headers.
Hotmail:
- Go into Options, Preferences, and choose Message headers.
- Choose the Full option to display Received: headers. Advanced will display that as well as MIME headers.
Lotus Notes:
- Open the message.
- Click on Actions, then Delivery information.
The headers will appear in the lower box.
Microsoft Outlook:
- Display the message.
- Under the View menu, select Option.
You will see the headers in a box at the bottom of the window.
Microsoft Outlook Express:
- Display the message.
- Under the File menu, select Properties.
- In the Properties window, select the Details tab.
Mozilla Mail:
- Display the message.
- Under the View menu, select Message Source.
Netscape Mail:
- Select Options from the menu bar.
Listed as an option is Show Headers. Choose full headers.
Novell Groupwise:
- Open the message.
- In the message window select File, then Attachments and then View.
- Select the Mime.822 attachment.