Configuring the GWIA


Just like the MTA and POA, the GWIA should be configured using ConsoleOne. However, there are many advanced switches for the GWIA that are not mapped to ConsoleOne snap-ins for the GWIA. These switches must be manually added to the GWIA.CFG file. The GWIA object is found under the domain object under the Gateways drop-down list in ConsoleOne. After right-clicking the GWIA object, selecting Properties, and then selecting the GroupWise tab, you should see the Identification property page shown in Figure 10.4.

Figure 10.4. The GWIA object Identification property page is where you configure general information about the GWIA


Along the top are a series of property pages. The GWIA does quite a bit, so more configuration information might be required. Fortunately, each property page (and most of the dialog boxes that can be spawned from those property pages) has a Help button. The online help for the GWIA is very informative and should keep you on track if you find yourself editing your GWIA without this book at your side.

Note

Almost all the settings changes you make on the GWIA are held in the GWIA.CFG file, and not in the WPDOMAIN.DB or eDirectory.


Understanding the GroupWise Identification Property Page

The Identification page is most likely over to the right, and it's labeled GroupWise. This section starts here because this is the most basic information on the GWIA.

This page, shown in Figure 10.4, is where general information about the GWIA is configurable. These fields are common to all GroupWise gateways, which is why some of them might seem a little out of place for the GWIA:

  • Domain.Gateway: This is the GroupWise name of the gateway. In the example in Figure 10.4, the value GWIADOM.WWWGWIA means that the agent belongs to the GWIADOM domain and is named WWWGWIA.

  • Description: This is free text; you can use this for the pager number of the GWIA administrator, or perhaps to warn viewers not to change the GWIA object without permission from the administrator.

  • Subdirectory: This field is populated by a drop-down list. It shows where the queue directories for this gateway reside. In the case of the GWIA, you should pick GWIA (or whatever you named your GWIA subdirectory during installation). This is a subdirectory under the DOMAIN\WPGATE directory.

  • Time Zone: By default, the GWIA has the same time zone as its parent domain. This setting is used to timestamp inbound and outbound SMTP/MIME messages.

  • Database Version: For the GroupWise 7 GWIA, this should be set to 7.

  • Platform: In the example for this chapter, the NLM version of the GWIA was installed, so NetWare Loadable Module is selected.

  • Gateway Type: For the GWIA, the only valid value here is Internet Agent. Obviously, with other gateways, other values would be appropriate.

  • Gateway Alias Type: This field is used to associate this GWIA with user or post office aliases. If you have more than one GWIA, you will need to have more than one gateway alias type, because each GWIA (and each GroupWise gateway) must have its own unique gateway alias type.

    Gateway aliases can be useful and sometimes very common, particularly for customers who have used GroupWise for a long time. However, there might be some more effective strategies for giving a person an Internet address than using aliases; for example, by using a free-form Internet address for the user, and then defining nicknames to the user to allow for multiple incoming Internet addresses for one user. See Chapter 16 for more details.

  • Foreign ID: This is the name by which your GroupWise system will be known on the Internet. It is critical that this value match the domain portion of the To line for all messages that are destined to your users. If the GWIA receives a message that is addressed to a domain that does not match one of its foreign domains, the message will be rejected.

    The Foreign ID field can have several domains on it. The names simply need to be separated by spaces. For example:

    wwwidgets.com worldwidewidgets.com

    The default Internet domain name should be listed first. All others should be listed afterward.

Tip

The Foreign ID field can hold only 124 characters. To accommodate more domain names, the GWIA is hard-coded to look in the DOMAIN\WPGATE\GWIA directory for a file called FRGNAMES.CFG. This is an ASCII text file that contains a listing of all the Internet domain names. Each name should be on a line by itself, and the last line of the file should be blank. Here's an example:

wwwidgets.com
worldwidewidgets.com
sales.worldwidewidgets.com
newyork.worldwidewidgets.com
widgetsoftheworld.com


Note

You can also define the Internet domains for which the GWIA will receive Internet mail by using Internet addressing. Chapter 16 discusses Internet addressing; you can use IDOMAINs in the place of multiple domain names on the Foreign ID field or in the FRGNAMES.CFG file. Each Internet domain name you define should have a corresponding MX record in your DNS. We certainly prefer to use this option instead of the option of adding all Internet domains to the Foreign ID field or creating the separate FRGNAMES.CFG file, because this way you can also connect specific Internet domains to domains, post offices, or users, as is also described in Chapter 16.


  • SNMP Community "Get" String: Enter the SNMP community string that the gateway should use for all SNMP GET commands. The community name is case-sensitive.
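The following Python sketch is an added example, not code from the book or from Novell. It checks a Foreign ID value against the 124-character limit, lints the contents of a FRGNAMES.CFG file against the layout described in the Tip above, and tests whether a recipient address falls in one of the configured domains. Assumptions: the "blank last line" rule is read as "the file ends with a line break", domain matching is case-insensitive, and the sample data is constructed.

```python
import re

FOREIGN_ID_MAX = 124  # characters the Foreign ID field can hold, per the chapter
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """Syntax check only: dot-separated labels of letters, digits and hyphens."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(x) for x in labels)


def parse_foreign_id(value):
    """Split a space-separated Foreign ID value; the first name is the default domain."""
    if len(value) > FOREIGN_ID_MAX:
        raise ValueError(
            f"Foreign ID is {len(value)} characters, the field holds {FOREIGN_ID_MAX}; "
            "move the names to FRGNAMES.CFG"
        )
    return value.split()


def lint_frgnames(text):
    """Return (domains, problems) for the contents of a FRGNAMES.CFG file."""
    domains, problems = [], []
    # Assumption: "last line blank" means the final name is followed by a line break.
    if not text.endswith("\n"):
        problems.append("file does not end with a blank line")
    for number, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue
        if len(entry.split()) > 1:
            problems.append(f"line {number}: more than one name on the line")
        elif not is_hostname(entry):
            problems.append(f"line {number}: {entry!r} is not a valid domain name")
        elif entry.lower() in (d.lower() for d in domains):
            problems.append(f"line {number}: duplicate of {entry!r}")
        else:
            domains.append(entry)
    return domains, problems


def render_frgnames(domains):
    """One name per line, each ended with CRLF so the file closes on a blank line."""
    return "".join(f"{name}\r\n" for name in domains)


def is_accepted(recipient, domains):
    """True when the recipient's domain part matches a configured name.

    Assumption: matching is case-insensitive, as DNS names are.
    """
    _, at, domain = recipient.rpartition("@")
    known = {name.lower().rstrip(".") for name in domains}
    return bool(at) and domain.lower().rstrip(".") in known


if __name__ == "__main__":
    # Constructed sample: the chapter's example names run together on one line.
    flattened = ("wwwidgets.com worldwidewidgets.com sales.worldwidewidgets.com "
                 "newyork.worldwidewidgets.com widgetsoftheworld.com")
    print(lint_frgnames(flattened)[1])
    fixed = render_frgnames(parse_foreign_id(flattened))
    print(lint_frgnames(fixed))
    print(is_accepted("postmaster@WWWidgets.com", lint_frgnames(fixed)[0]))
```

The check covers only names listed in the Foreign ID field or FRGNAMES.CFG; domains defined as IDOMAINs through Internet addressing are outside its scope.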

Configuring the Network Address Property Page

Figure 10.5 shows an example of the Network Address property page.

Figure 10.5. The GWIA Network Address property page allows you to configure the network address


The most notable fields on this page are as listed here:

  • TCP/IP Address: Enter the TCP/IP address of the server where the GWIA executes.

    By default, the GWIA uses the standardized ports for SMTP, POP3, IMAP4, and LDAP services. For example, SMTP uses port 25, POP3 uses port 110, IMAP uses port 143, and so on. These ports are configurable with the GroupWise 7 GWIA in place.

  • Bind Exclusively to TCP/IP Address: This instructs the GWIA to bind to only the TCP/IP address specified in the TCP/IP Address field. If this field is not checked, the GWIA will bind to all TCP/IP addresses on the server where the GWIA is running.

  • HTTP Port: Enter the HTTP port that the GWIA should use to listen for HTTP monitoring of the GWIA. You should also have an HTTP username and an HTTP password assigned in order to secure the use of HTTP monitoring on the GroupWise GWIA. You can configure these from the Optional Gateway Settings property page on the GroupWise tab.

    The SSL portions of this screen are not discussed in this chapter. Chapter 27, "Securing Your GroupWise System via SSL," gives detailed information on how to enable SSL on the GWIA.

  • Message Transfer: Enter the port that the GWIA should use to listen for messages coming to the GWIA from within the GroupWise system. This feature is new to the GWIA as of GroupWise 7. With this feature, the GWIA no longer receives messages via a queue on the disk; it waits for messages to come into it via communication on the Message Transfer port.

Tip

Do not fill in the IPX/SPX Address field; it's of no use.


The TCP/IP address and HTTP port on any agent are used not only by the agent itself, but also by the GroupWise Monitor Agent. The GroupWise Monitor Agent reads this information in order to monitor the GWIA.

Configuring the GroupWise Gateway Time Settings Property Page

The Gateway Time Settings property page, shown in Figure 10.6, is used to configure the polling intervals and operational cycles for the GWIA. This page is available on the drop-down list of the GroupWise page.

Figure 10.6. The GWIA Gateway Time Settings property page enables you to configure the GWIA's polling intervals and operational cycles


These are the fields on this page:

  • Send/Receive Cycle: This sets the number of seconds that will be split between the GWIA's send and receive cycles. In the example in Figure 10.6, the 120 seconds specified will give the send and receive cycles each 60 seconds to complete processing. If a message file is being processed when the time expires for that process, the process will complete before swapping out.

  • Minimum Run: This sets the minimum amount of time, in seconds, that the gateway will be "awake" after the idle sleep duration has passed. Typically, this is best set at 0, but if you pay more to open a connection to your ISP than to maintain the connection, you might choose to raise this value. This might catch some additional messages and send them on the current connection, rather than opening a new one for them later.

    Tip

    A minimum run of more than XX seconds is probably going to be meaningful only in conjunction with dial-up connectivity.


  • Idle Sleep Duration: This sets the amount of time, in seconds, that the GWIA will "sleep." During this time, messages can be accumulating in the DOMAIN\WPGATE\GWIA\WPCSOUT\GWIA-FID\0-7 directories. This setting allows you to reduce the amount of CPU time spent supporting polling.

Note

The GWIA is actually three separate processes in one: the MTP receiver, the gateway, and the daemon. The MTP receiver receives messages from the MTA and queues them up to the gateway. The gateway translates messages from GroupWise format to ASCII and vice versa. The daemon listens on port 25 to receive messages and sends the ASCII files generated for it by the gateway as SMTP messages on the Internet. Although the gateway has an idle sleep duration, the daemon never sleeps.


  • Snap Shot Interval: This is a sliding window for statistical purposes. The default, 600 seconds, results in 10 minutes of GWIA statistics being shown on the GWIA console. Regardless of the size of this window, it slides forward every 60 seconds.

For most customers, the default gateway time settings are sufficient.

Configuring the GroupWise Log Settings Property Page

The GroupWise Log Settings Property page looks just like the Log Settings pages for the POA and MTA. The fields on this page are as listed here:

  • Log File Path: By default, this field is blank. GWIA logs are placed in the DOMAIN\WPGATE\GWIA\000.PRC directory. If you choose to keep logs elsewhere, enter the path here. It's not recommended that you configure the GWIA to put logs on a separate server. Performance will suffer, and if the server containing the logs goes down, the GWIA will not function.

  • Logging Level: There are four menu items in this drop-down list:

    • Off: No logging.

    • Normal: The GWIA will track "major" events in the log, but most of the detail will be gone.

    • Verbose: The log will contain useful detail. Although this is not the default, it is the recommended logging level.

    • Diagnostic: This is typically used when troubleshooting the GWIA. It's very detailed and should be run only for troubleshooting purposes.

  • Max Log File Age: This sets the oldest that any log file on disk can be before being automatically deleted by the GWIA. The default is seven days, and this is typically sufficient.

  • Max Log Disk Space: This sets the maximum amount of disk space that the log files can consume. If the logs reach this limit, the oldest log file is deleted. If you choose to set the maximum log file age beyond seven days, you will want to raise this limit as well to ensure that you actually get to keep your oldest logs for the time you specify.

Logging is your friend on the GWIA, particularly if you enable real-time blacklists, as explained later, in the section "Configuring the GWIA Access Control Property Pages."

Configuring the GroupWise Optional Gateway Settings Property Page

Figure 10.7 shows the Optional Gateway Settings page. This page is the same for all GroupWise gateways; there are options here that do not apply to the GWIA. The Directory Sync/Exchange field, for instance, is not supported by the GWIA.

Figure 10.7. The GWIA Optional Gateway Settings property page


The other fields on this page are as covered here:

  • Accounting: If this field is set to Yes, the GWIA creates an accounting file, ACCT, in the 000.PRC directory, which describes all traffic it processes. This file is emailed each day to the user specified as the Accountant under the Gateway Administrators property page.

  • Convert Status to Messages: This setting does not apply to the GWIA.

  • Outbound Status Level: Set this to Undeliverable so that users get a message if they send mail to an invalid address. You can customize the status messages that users get by configuring the STATUSxx.XML file in the GWIA's root directory under the DOMAIN\WPGATE directory.

  • Enable Recovery: This setting allows the GWIA to restart itself or attempt to reconnect to a foreign host if a connection is interrupted.

  • Retry Count: The GWIA does not read this value; it has hard-coded values it complies with for retries.

  • Retry Interval: The GWIA does not read this value; it has hard-coded values it complies with for retries.

  • Failed Recovery Wait: The GWIA does not read this value; it has hard-coded values it complies with for retries.

  • Network Reattach Command: Populate this field with a command line or with the filename of a batch file for mapping drives to reattach the GWIA to a domain file server. It applies only to the GWIA running on a Windows server. If the GWIA is running on a NetWare server, use the Reattach Settings property page. The Linux GWIA does not use the Network Reattach Command either.

  • Correlation Enabled: Set this to Yes. Correlation is needed for the GWIA to send back undeliverable messages if needed.

  • Correlation Age: Keep the default of 14 days.

  • HTTP Settings: This area has two options:

    • HTTP User Name: Enter the username you will use to monitor the GWIA through a Web browser.

    • HTTP Password: Enter the password you will use when monitoring the GWIA.

Tip

The HTTP information on any GroupWise agent is used not only by the agent itself but also by the GroupWise Monitor Agent. The Monitor Agent reads this information in order to monitor the particular agent.


Your GWIA will work just fine if you do not configure this screen, but we recommend that you do fine-tune the settings mentioned in this section.

Configuring the GroupWise Gateway Administrators Property Page

To make your GWIA RFC-compliant with established SMTP protocols, you must specify a postmaster for the GWIA. From the GroupWise Gateway Administrators property page, you can specify the postmaster of your GroupWise system.

Here is an explanation of the various administrator roles:

  • Operator: Administrators specified as operators will receive certain kinds of GWIA errors in their mailboxes.

  • Accountant: Administrators with this role will receive gateway accounting and statistical logs each day.

  • Postmaster: Administrators with this role will receive any message that comes in to the GWIA addressed to postmaster@GWIA Foreign ID, for example, postmaster@wwwidgets.com.

  • Foreign Operator: This role has no GWIA-related functionality. With other gateways, it allows you to specify a user on a foreign mail system who can email certain commands to the gateway. This field is very useful for gateways that provide direct connectivity between GroupWise and third-party mail systems.

Defining a postmaster is good Internet protocol. Defining an operator is also a good practice.

GroupWise Gateway Aliases Property Page

The Gateway Aliases property page, shown in Figure 10.8, provides a listing of the users who have a gateway alias associated with this GWIA. This is a great feature for determining which user has which gateway alias.

Figure 10.8. The GWIA Gateway Aliases property page


There is nothing to configure on this property page; it's strictly an informational page. Chapter 16 talks more about using gateway aliases for the GWIA. Consult Chapter 16 before using aliases widely, because most customers will want to avoid gateway aliases for reasons explained there.

SSL Settings Property Page

The SSL Settings page is where you set up the PKI components for SSL encryption. Utilizing SSL is explained fully in Chapter 27.

Configuring the SMTP/MIME Settings Property Page

A whole lot of configuration control is offered through the SMTP/MIME Settings property pages. This is where you govern address handling, message formatting, SMTP dial-up, and other assorted SMTP/MIME-related communications settings. First we will look at the SMTP/MIME Settings property page, as shown in Figure 10.9.

Figure 10.9. The GWIA SMTP/MIME Settings property page


This page has nine fields that govern some global settings:

  • Enable SMTP Service: This box must be checked before users can send or receive Internet email messages through this GWIA. If you unchecked this box, the GWIA would no longer listen for SMTP sessions on TCP port 25.

  • Number of SMTP Send Threads: This sets the number of server processes, or threads, that will be devoted to SMTP send operations. This setting affects the GWIA's daemon process. If the GWIA runs out of threads (that is, all of them are busy), messages waiting to be sent to Internet recipients will have to wait until a thread is freed up. Most of our customers have this value set to 100.

  • Number of SMTP Receive Threads: This sets the number of server processes that will be devoted to SMTP receive operations. When a sendmail host on the Internet tries to communicate with the GWIA, one receive thread will be dedicated to managing that communication. If no threads are available, the sendmail host will determine that the GWIA is busy or not responding and will retry the transmission according to its own configured preferences. Most of our customers have this value set to 100.

    Because receiving messages is considered to be a higher priority than sending messages, the GWIA will "steal" threads from the Send Threads option, rather than rejecting connections just because it does not have enough receive threads.

  • Hostname/DNS "A Record" Name: This is the name of the GWIA, as it is known on the Internet. Populate this field with a valid DNS name only. This is the name that will be returned to any SMTP service that connects into port 25 on the GWIA. If this name does not match a valid DNS name, you might have problems receiving mail if other SMTP sendmail hosts do reverse-DNS lookups on your GWIA's IP address.

  • Relay Host for Outbound Messages: Some administrators can expose only a very few machines to the Internet through their firewalls. In cases like this, you can configure the GWIA to relay all outbound SMTP/MIME messages through another machine. Populate this field with the IP address or DNS name of the relay host (for example, unixmailer.wwwidgets.com).

  • Scan Cycle for Send Directory: This sets the interval, in seconds, at which the SMTP send threads will poll the SMTP send directory for messages to be transmitted to Internet hosts.

  • Bind to TCP/IP Address at Connection Time: The TCP/IP address noted here is the one on the Network Address property page discussed earlier in this chapter. If a server has multiple IP addresses, the GWIA will send messages using the address defined in the Network Address field. When hosts on the Internet do a reverse-DNS lookup, it is important that the GWIA is sending messages using the IP address that matches its publicly defined DNS A record.

    The GWIA listens for inbound messages on all IP addresses.

  • Use 7 Bit Encoding for All Outbound Messages: When the GWIA sends messages, by default it uses an encoding format called 8-bit MIME. Many older hosts on the Internet cannot understand 8-bit MIME. The GWIA should be able to determine this, and the GWIA will automatically change to sending the message in 7-bit MIME format. If your GWIA is not doing this well, recipients of messages from your GWIA might complain of garbled messages from your GWIA. If this is the case, checking this option will generally resolve this problem.

  • Maximum Number of Hours to Retry a Deferred Message: When the GWIA gets a 4XX-level SMTP error, this setting determines how long the GWIA will retry sending the message before giving up, and sending an undeliverable status message to the original recipient. The default is 96 hours. If you set the maximum to 0, senders will immediately get a message from the GWIA reporting that the GWIA cannot send to the Internet host, if the GWIA has a 4XX-type error.

    The Intervals to Retry a Deferred Message option determines how the GWIA manages retries. With the factory default settings of 20,40,60,240 minutes, here is what happens. Imagine that the GWIA tries to send to another mailer on the Internet, but the GWIA reports a 450 Host Down error in its log file. The GWIA will move the message to the DOMAIN\WPGATE\GWIA\DEFER directory and then requeue the message to the DAEMON process on the GWIA after 20 minutes have passed. If the message fails, the GWIA will wait another 40 minutes and try again. If after another 40 minutes the GWIA cannot send the message, it will try to send the message again in 60 minutes. If after another 60 minutes the GWIA cannot send the message, it will retry after 240 minutes (four hours), and then try again after another four hours, until it has tried for 96 hours (four days). The only piece of this algorithm you can change is how long the GWIA will continue retrying.

    If you set Maximum Number of Hours to Retry a Deferred Message to 0, senders will immediately get a message back from the GWIA reporting that the GWIA cannot send to the Internet host, if the GWIA has a 4XX-type error. For example, if the GWIA reports a 450 Host Down error, the GWIA will send a message to the sender indicating that the Internet host is down.

    The default settings for the GWIA might not be the best for your environment. Perhaps you will want to increase threads, or you might not want the GWIA to retry a message for four days.

  • Do Not Publish GroupWise Information on an Initial SMTP Connection: If there is a check mark on this choice, the GWIA will not announce that it is a GroupWise Internet gateway as it usually does. This feature was added for security reasons.
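The deferred-message schedule described above, worked through in Python as an added example (not code from the book or from the GWIA). It assumes that a retry whose time would fall past the Maximum Number of Hours limit is not attempted, and that the undeliverable status is generated when the limit is reached; the chapter does not state either detail.

```python
from datetime import datetime, timedelta
from itertools import chain, repeat

DEFAULT_INTERVALS = "20,40,60,240"  # minutes, the factory default quoted in the chapter
DEFAULT_MAX_HOURS = 96              # default Maximum Number of Hours to Retry


def retry_offsets(intervals=DEFAULT_INTERVALS, max_hours=DEFAULT_MAX_HOURS):
    """Minutes after the first 4XX failure at which each retry is queued.

    The listed intervals are used once each, then the last one repeats.
    Assumption: a retry that would land after max_hours is not attempted.
    """
    steps = [int(part) for part in intervals.split(",")]
    if any(step <= 0 for step in steps):
        raise ValueError("retry intervals must be positive minutes")
    limit = max_hours * 60
    offsets, elapsed = [], 0
    for step in chain(steps, repeat(steps[-1])):
        elapsed += step
        if elapsed > limit:
            break
        offsets.append(elapsed)
    return offsets


def deferral_timeline(first_failure, intervals=DEFAULT_INTERVALS,
                      max_hours=DEFAULT_MAX_HOURS):
    """Return (retry datetimes, datetime the undeliverable status is due).

    Assumption: the status message is generated once max_hours have elapsed;
    with max_hours=0 that is the moment of the first failure.
    """
    retries = [first_failure + timedelta(minutes=m)
               for m in retry_offsets(intervals, max_hours)]
    return retries, first_failure + timedelta(hours=max_hours)


if __name__ == "__main__":
    failed_at = datetime(2006, 1, 2, 9, 0)  # constructed timestamp of a 450 error
    for hours in (96, 24, 0):
        retries, gives_up = deferral_timeline(failed_at, max_hours=hours)
        last = retries[-1].isoformat(" ") if retries else "none"
        print(f"max {hours:>2} h: {len(retries):>2} retries, last at {last}, "
              f"undeliverable status at {gives_up.isoformat(' ')}")
```

With the defaults the sender waits four days before learning that a message was never delivered, which is the figure to weigh when deciding whether to lower the limit.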

Configuring the SMTP/MIME Address Handling Property Page

The Address Handling property page (see Figure 10.10) is generally a place where you make settings, and then leave them as they are.

Figure 10.10. The SMTP/MIME Address Handling property page


The settings on this page are as listed here:

  • Addressing Style: The Ignore GroupWise Internet Addressing setting allows the administrator to revert to old-style GroupWise address parsing at the GWIA level only. When you use this option, all replies to Internet mail must go back out the same GWIA they came in. Also, if you use this option, the GWIA will receive mail only to domains defined in the Foreign ID field. It will not read the IDOMAIN list of domain names from the domain database. Also, the GWIA will not try to resolve recipient addresses to the newer formats Internet addressing provides, such as First.Last, Last.First, and the free-form Internet address you can define on the GroupWise user ID. Leave this box unchecked unless you have been told to check it by Novell technical support. By default, this setting is unchecked.

Note

Checking the Ignore GroupWise Internet Addressing option enables the /DIA switch in the GWIA.CFG file. For a complete discussion of Internet addressing, refer to Chapter 16.


  • Inbound Settings: The Expand Distribution Lists on Incoming Messages check box allows for some very powerful functionality. If Expand Distribution Lists on Incoming Messages is checked, Internet users can send to distribution lists on your GroupWise system. They will need to know the name of the list, and would simply address their message to groupname@host. For example, to send to the CorpUsers distribution list on our sample system, an Internet email user would address the message to corpusers@wwwidgets.com. The GWIA would then expand the address of the message, adding each of the mailboxes listed under the CorpUsers distribution list.

  • Outbound Settings: The address format settings under the Outbound Settings options become obsolete when GroupWise Internet addressing is enabled. For more information on Internet addressing, see Chapter 16. These are the settings you can choose from here:

    • Non-GroupWise Domain for RFC-822 Replies: This field builds the TO line when a GroupWise user replies to an RFC-822 (SMTP) message that came in through the GWIA.

    • Non-GroupWise Domain for MIME Replies: This field builds the TO line when a GroupWise user replies to a MIME message that came in through the GWIA.

    • Sender's Address Format: This setting is enabled only if Ignore GroupWise Internet Addressing has been checked. It allows you to choose how the GroupWise user's reply-to address is built from the various components of his or her GroupWise address.

    • Place Domain and Post Office Qualifiers: These radio buttons allow you to choose where domain and post office components go if they are included in the Sender's Address Format field you selected. If they are on the left, the address is user.po.domain@host. If they are on the right, the address reads as user@po.domain.host.

    • Expand Distribution Lists on Outgoing Messages: With this choice enabled, when a message is sent to a distribution list and to Internet recipients, all the recipients in the distribution list will be listed in the email. The potential downside to this feature is that the header portion of the SMTP message can be large if the distribution list is also large.

    • Retain Distribution Lists: With this feature enabled, if a message is sent to a distribution list, and to users on the Internet, the distribution list name is listed in the address line, and not all the individual recipients of the message. This switch corresponds to /keepsendgroups in the GWIA.CFG file.

    • Use GroupWise User Address as Mail From: With the For Rule Generated Messages feature enabled, if a message is generated by a rule (if you allow for rule-generated email through the GWIA), then the message will indicate the From address as the actual sender, rather than the postmaster or the GWIA daemon. Warning: You should enable this feature only if you are positive that you should. You could cause rule loops if the recipient across the Internet is using rules also. The corresponding switch in the GWIA.CFG is /realmailfrom.

You should consult Chapter 16 before making changes on most of the settings on this page.

Configuring the SMTP/MIME Dial-Up Settings Property Page

Later in this chapter, there's a section called "Configuring Dial-Up Internet Access" that talks about how to use the Dial-Up Settings page.

Configuring the SMTP/MIME ESMTP Settings Property Page

ESMTP stands for extended SMTP. The ESMTP protocol is a special protocol through which enhancements to the SMTP protocol, called service extensions, can be created. The GWIA supports ESMTP service extensions. Some of the ESMTP extensions that the GWIA supports are the following:

  • DSN

  • STARTTLS (secure SMTP, POP, or IMAP over TLS/SSL)

  • AUTH

DSN

DSN is short for Delivery Status Notification. This protocol is described in the Internet RFC 1894. By enabling this protocol, the GWIA can confirm to the sender that the sender's message was delivered to the intended recipient. Before the DSN protocol, the GWIA would report only problems getting a message to its recipient's host. The sender had to assume that the recipient got the message, because the sender never got a response back saying that it was or wasn't received.

With the DSN Hold Age option, you select the number of days that you want the Internet Agent to retain information about the external sender so that status updates can be delivered to the sender. The default hold age of four days causes the sender information to be retained for four days. If the Internet Agent does not receive delivery status notification from the receiving SMTP server within that time period, it deletes the sender information and the sender does not receive any delivery status notification.

Note

A DSN Hold Age of four days is plenty generous. Generally, you will not want to increase the DSN Hold Age over four days. The Delivery Status Notification pointer messages are kept in the ...\WPGATE\GWIA\DSNHOLD directory. If you ever go out to this directory and see a bunch of files, don't let this alarm you. You should not see files older than the DSN Hold Age you specified. If you do, you can delete those files.


STARTTLS

The GWIA supports sending messages over the Internet via SSL. This is a rather new protocol, and the GWIA will send SSL encrypted messages only to SMTP hosts that will receive via the STARTTLS protocol. The STARTTLS protocol is described in RFC 2487. Chapter 27 talks about how to enable STARTTLS on the GWIA.

AUTH

When this feature is enabled, the GWIA can allow other SMTP gateways to authenticate before sending mail. This is useful if you have relaying disabled. Anyone who authenticates is allowed to relay off the GWIA. At the end of this chapter there is a discussion of the GWAUTH.CFG file, which is what enables support for the AUTH functionality of the GWIA.
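To confirm from the outside what the settings in this section and the Do Not Publish GroupWise Information option actually put on the wire, the Python sketch below parses a captured SMTP greeting and EHLO reply and reports the advertised extensions. It is an added example, not code from the book or from Novell; both transcripts are constructed samples rather than real GWIA output, and the product keywords searched for in the greeting are assumptions.

```python
import re

_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample transcripts (server replies plus the client's EHLO line).
DEFAULT_SESSION = """\
220 mail.wwwidgets.com GroupWise Internet Agent 7.0 Ready
EHLO audit.example
250-mail.wwwidgets.com
250-AUTH LOGIN
250-8BITMIME
250 DSN
"""

HARDENED_SESSION = """\
220 mail.wwwidgets.com Ready
EHLO audit.example
250-mail.wwwidgets.com
250-STARTTLS
250-AUTH LOGIN
250-8BITMIME
250 DSN
"""


def parse_replies(transcript):
    """Group server lines into (code, [text, ...]); 'NNN-' continues a reply, 'NNN ' ends it."""
    replies, current = [], []
    for raw in transcript.splitlines():
        match = _REPLY.match(raw)
        if not match:
            continue  # client commands and blank lines
        code, separator, text = match.groups()
        current.append(text)
        if separator == " ":
            replies.append((int(code), current))
            current = []
    return replies


def audit_smtp_session(transcript, product_words=("groupwise", "gwia", "novell")):
    """Report the greeting, the ESMTP extensions offered, and any findings."""
    replies = parse_replies(transcript)
    greeting = next((" ".join(text) for code, text in replies if code == 220), "")
    ehlo = next((text for code, text in replies if code == 250), [])
    extensions = {}
    for line in ehlo[1:]:  # the first line only repeats the server's name
        if not line.strip():
            continue
        keyword, *params = re.split(r"[ =]+", line.strip())
        extensions[keyword.upper()] = params
    findings = []
    if any(word in greeting.lower() for word in product_words):
        findings.append(("banner", "greeting names the mail product"))
    if "STARTTLS" not in extensions:
        findings.append(("no-starttls", "STARTTLS is not offered"))
        if "AUTH" in extensions:
            findings.append(("auth-without-tls",
                             "AUTH is offered on a session that cannot be encrypted"))
    return {"greeting": greeting, "extensions": extensions, "findings": findings}


if __name__ == "__main__":
    for name, session in (("default", DEFAULT_SESSION), ("hardened", HARDENED_SESSION)):
        report = audit_smtp_session(session)
        print(name, sorted(report["extensions"]), report["findings"])
```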

Configuring the SMTP/MIME Message Formatting Property Page

From the Message Formatting page, you set the inbound and outbound settings for conversion of messages to and from GroupWise format. The Inbound Settings portion has two available fields for you to edit:

  • Number of Inbound Conversion Threads: This sets the maximum number of server processes the GWIA will devote to converting messages from SMTP/MIME format to GroupWise format. This setting affects the GWIA's gateway process, and not its daemon process.

  • GroupWise View Name for Incoming Messages: This sets the name of the view (the embedded name, not the actual filename) that the GroupWise client will be told to use when displaying a message that was received from the Internet. This field should not be edited unless you are designing your own views with the GroupWise SDK. GroupWise views are the *.VEW files in a post office OFVIEWS\WIN directory. Use this feature if you want all inbound Internet mail to be displayed using a custom view file from the GroupWise client. You can add a note to the view that says this file was received from the Internet as an SMTP message or something to this effect, if you want.

Tip

If you change the name of the view from Internet to something else, users cannot use the anti-spam capabilities in the GroupWise client. This is because the GroupWise client identifies mail that came from the Internet by looking for the view type of Internet.


Under Outbound Settings, you have a few more fields to focus on. These settings are more likely to have an effect on your users' Internet email experience:

  • Number of Outbound Conversion Threads: This sets the maximum number of server processes the GWIA will devote to converting messages from GroupWise format to SMTP/MIME format. This setting affects the GWIA's gateway process, and not its daemon process.

  • Default Message Encoding: There are two options here. Basic RFC-822 is the older message format. MIME is the newer standard, and it is generally more efficient when binary files (executables, images, and so on) need to be transmitted. When RFC-822 encoding is selected, binary attachments must be encoded in the 7-bit uuencode format. The UUEncode All Text Attachments option will force text attachments to also be encoded.

Note

If your users complain that people that they send Internet email to cannot read the messages they send, you might investigate whether enabling RFC-822 encoding on all messages resolves this issue.


  • Enable Quoted Printable Text Line Wrapping: This check box allows you to select the quoted printable MIME standard for text line wrapping. If this is not checked, outbound messages will wrap text according to the Line Wrap Length setting that follows this one.

  • Line Wrap Length for Message Text on Outbound Mail: This sets the number of characters after which the GWIA inserts a soft return. This prevents messages entered with no returns from appearing all on the same line. Of course, the recipient's mailer might need to be "told" to respect the soft-return character.

  • Enable Flat Forward: This check box tells the GWIA to strip out empty messages in which there is no message body, but just an attached message. So, for example, if USERA forwards a message to USERB, without composing a message body, the message body USERB sees will be the forwarded message. This feature is especially helpful to people who receive messages to devices such as pagers. In previous versions we needed to use the corresponding switch in the GWIA.CFG called /flatfwd.

  • Disable Mapping X-Priority Fields: This check box tells the GWIA not to map X-Spam flags to emails so that the messages go to a user's Junk Mail folder. This feature and Junk Mail are discussed more in Chapter 25, "Configuring a Spam/Junk Mail Control Solution."

Configuring the SMTP/MIME Junk Mail Property Page

Chapter 25 talks about how to incorporate the features of the Junk Mail property page into your overall Spam/Junk Mail control scheme.

Configuring the SMTP/MIME Scheduling Property Page

The GWIA SMTP/MIME Scheduling property page is used to define the times of the day and days of the week that the GWIA will process SMTP/MIME messages. Scheduling cannot be employed for POP3, IMAP4, or LDAP services. If those services are enabled, the GWIA will attempt to provide them all the time, regardless of the settings made on the Scheduling property page.

The Scheduling property page is especially useful when configuring the GWIA for dial-up access to the Internet, using the SMTP/MIME Dial-up Settings property page.

Configuring the SMTP/MIME Security Settings Property Page

Security is an important part of any Internet strategy. Because the GWIA is normally exposed to the Internet when receiving messages, it is critical that it be protected against certain kinds of attacks. The SMTP Security Settings dialog box in Figure 10.11 allows you to defend the GWIA from two kinds of common email attacks: identity spoofing and mailbombs.

Figure 10.11. The GWIA SMTP/MIME Security Settings property page allows you to protect against spam and mailbombs


The settings on this page are as listed here:

  • Reject Mail If Sender's Identity Cannot Be Verified: This setting prevents the GWIA from accepting email from anonymous sendmail hosts. Although some legitimate email is routed in this manner, spammers often use anonymous mailers. The GWIA will perform a reverse-DNS lookup on the name of the sendmail host to verify that its given name is in the DNS tables on the Internet. If it cannot find the name, it will not accept mail from this host.

    Although it might seem logical to enable Reject Mail If Sender's Identity Cannot Be Verified, enabling this feature might cause your system to reject email from legitimate hosts. The reason for this is that the site sending to your GWIA might not have defined the A record of its SMTP mailing host. This problem is evidence of a lack of correct DNS configuration, but alas, the world isn't perfect.

  • Enable Mailbomb Protection: If this option is checked, the GWIA will use the mailbomb thresholds to prevent a single host from tying up the GWIA inbound threads with a mass mailing. Some mass mailings are actually designed not to deliver large numbers of messages, but to tie up the receiving host. The default mailbomb threshold of 30 messages received in 10 seconds is typically sufficient to identify a mailbomb attack before any harm is done.

If you need to enable a spam solution for the GWIA, be sure to see Chapter 25.
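The sliding-window count behind a threshold such as 30 messages in 10 seconds, shown as an added example that is not GWIA code. The `timestamp host` line format, the function names, and the rule that a host trips on reaching the threshold inside one window are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 30        # messages (default quoted in the text)
WINDOW_SECONDS = 10   # seconds (default quoted in the text)


def parse_line(line):
    """Parse a constructed 'ISO-timestamp sending-host' line (not a GWIA log format)."""
    stamp, host = line.split()
    return datetime.fromisoformat(stamp), host


def find_mailbomb_hosts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {host: time at which it first reached the threshold}.

    Assumption: a host trips once `threshold` messages fall inside one
    window of less than `window` seconds.
    """
    span = timedelta(seconds=window)
    recent = defaultdict(deque)  # host -> arrival times still inside the window
    tripped = {}
    for when, host in sorted(parse_line(l) for l in lines if l.strip()):
        times = recent[host]
        times.append(when)
        while when - times[0] >= span:  # drop arrivals that aged out
            times.popleft()
        if len(times) >= threshold and host not in tripped:
            tripped[host] = when
    return tripped


def sample_lines():
    """Constructed traffic from three documentation-range addresses."""
    base = datetime(2006, 1, 1, 12, 0, 0)

    def line(offset_ms, host):
        return f"{(base + timedelta(milliseconds=offset_ms)).isoformat()} {host}"

    lines = [line(250 * i, "192.0.2.10") for i in range(40)]            # flood
    lines += [line(1000 * i, "198.51.100.7") for i in range(60)]        # busy but steady
    lines += [line(100 * i, "203.0.113.5") for i in range(29)]          # burst of 29 ...
    lines += [line(20000 + 100 * i, "203.0.113.5") for i in range(29)]  # ... sent twice
    return lines


if __name__ == "__main__":
    for host, when in find_mailbomb_hosts(sample_lines()).items():
        print(f"{host} reached {THRESHOLD} messages in {WINDOW_SECONDS}s at {when}")
```

Replaying real inbound traffic through a count like this shows which legitimate bulk senders would trip a given threshold before it is enforced.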

Configuring the SMTP/MIME Timeouts Property Page

Each of the fields on the Timeouts property page is populated with the number of minutes (not seconds) that the GWIA will wait before timing out on a particular operation. This timeout can be due to a noisy line, an unresponsive host, or some other loss of connectivity.

Configuring the SMTP/MIME Undeliverables Property Page

The Undeliverables property page is where you instruct the GWIA how to handle inbound messages that cannot be delivered.

Note

The destination mail host handles undeliverable messages that are outbound. That host can choose to reply, forward the message to the configured postmaster, or simply discard the message. As a GroupWise administrator, you have no control over how other email administrators choose to handle undeliverable email.

Be aware that these options were used with older versions of GroupWise but do not work anymore with version 6.x or higher.


These are the settings on this page:

  • Amount of Original Message to Return to Sender When Message Is Undeliverable: This sets the amount of the original message, in kilobytes, that will be returned to the sender if the message cannot be delivered. Typically, it is not necessary for a sender to have more than a few lines of his or her message to identify it. This allows you to save a little bit of bandwidth.

  • Forward Undeliverable Inbound Messages to Host: If you are operating a heterogeneous mail system, you might have a single DNS name but multiple mail hosts. If the GWIA is the default inbound mail host, you can configure it to forward any undeliverable messages to another mail host on your system. This other mail host might then find the desired recipient of the email message. This option is useful when you are using Novell's NetMail mail system with the same domain name as your GroupWise users.

  • Move to Problem Directory: If this option is checked, undeliverable messages are placed in the GWPROB directory of the GWIA subdirectory.

Note

The GWPROB directory is not purged automatically. You will have to purge it manually on occasion.


  • Send to Postmaster: If this option is checked, the user who has been configured as the postmaster will receive the full text (and attachments) of any undeliverable messages. This allows the postmaster to straighten out addressing problems, as well as to manually forward messages to the correct recipients.

    If neither of the previous two options is checked, problematic messages are simply discarded.

It is important that you create an undeliverable mail strategy, and configure it using the settings on the SMTP/MIME Undeliverables property page.

Configuring the SMTP/MIME Junk Mail Property Page

The Junk Mail property page is really just an editor for the xspam.cfg file. Following is a short explanation of the Junk Mail feature.

You can use the Flag Any Messages That Contain x-spam-flag option to flag messages for handling by the client Junk Mail Handling feature if they contain x-spam-flag=yes in the MIME header. Enabling this option creates the xspam.cfg file in the domain\wpgate\gwia directory. Each line of the xspam.cfg file identifies an "X" header field that your anti-spam service is writing to the MIME header, along with the values that flag the message as spam. The Internet Agent examines the MIME header for any field listed in the xspam.cfg file. When a match occurs, the message is marked for handling by the GroupWise client Junk Mail Handling feature. More information can be found in Chapter 25.
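The header matching described above, as an added example that is not the Internet Agent's own code. The `Field-Name: value` rule syntax, the case-insensitive exact comparison, and all names are assumptions, since the file's real syntax is not given here; the rule file and messages are constructed.

```python
from email.parser import HeaderParser


def load_rules(cfg_text):
    """Parse 'Field-Name: value' lines (assumed syntax) into (name, value) pairs."""
    rules = []
    for raw in cfg_text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if sep and name.strip() and value.strip():
            rules.append((name.strip().lower(), value.strip().lower()))
    return rules


def matching_rule(raw_message, rules):
    """Return the first rule matched by the message's header block, else None."""
    headers = HeaderParser().parsestr(raw_message)  # the body is left unparsed
    for name, value in rules:
        for found in headers.get_all(name, []):
            # Unfold continuation lines, then compare case-insensitively (assumption).
            if " ".join(found.split()).lower() == value:
                return (name, value)
    return None


# Constructed rule file and constructed messages.
XSPAM_CFG = "X-Spam-Flag: Yes\n"

FLAGGED = (
    "From: a@example.net\n"
    "X-Spam-Flag: YES\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)
FOLDED = (
    "From: a@example.net\n"
    "X-Spam-Flag:\n"
    " YES\n"
    "\n"
    "body text\n"
)
CLEAN = (
    "From: b@example.net\n"
    "X-Spam-Flag: NO\n"
    "\n"
    "body text\n"
)
BODY_ONLY = (
    "From: c@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "X-Spam-Flag: yes\n"  # appears in the body, so it is not a header field
)

if __name__ == "__main__":
    rules = load_rules(XSPAM_CFG)
    for label, msg in [("flagged", FLAGGED), ("folded", FOLDED),
                       ("clean", CLEAN), ("body only", BODY_ONLY)]:
        print(label, "->", matching_rule(msg, rules))
```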

Configuring the LDAP Settings Property Page

The LDAP Settings property page, shown in Figure 10.12, allows you to configure the LDAP service provided by the GWIA. To complete configuration of the LDAP service, however, you must also choose Allow Access from the LDAP Public Settings property page, which is on the Access Control tab. From the LDAP Public Settings page, you can also limit which fields on a user's address information are visible to a client's LDAP address lookup query against your GWIA.

Figure 10.12. The GWIA LDAP Settings property page


The settings that you can configure on this page are as listed here:

  • Enable LDAP Service: This must be checked for the GWIA to be able to provide LDAP service to browsers and email clients.

  • Number of LDAP Threads: This sets the maximum number of server processes that will be devoted to handling LDAP requests.

  • LDAP Context: This sets a search root. For the GroupWise LDAP directory the search root doesn't really do anything, but the setting is required for LDAP clients to be able to speak LDAP to the GWIA. An example value is o=wwwidgets.

    For users, the Search Root entry in your users' browsers' or email clients' LDAP setup information must match the string you have in the LDAP Context field. (Search Root is the term used by Netscape Communicator. Search Base is the term used by MS Outlook Express.)

  • LDAP Referral URL: This setting allows you to define a secondary LDAP server to which you can refer queries that the GWIA was unable to resolve. Obviously, the secondary LDAP server would be configured and managed separately from the GWIA. For this feature to work, the client performing the LDAP lookup to the GWIA must support the tracking of referral URLs.

The LDAP feature of the GWIA isn't very robust, so you might want to consider a different LDAP directory solution, such as eDirectory.

Configuring the POP3/IMAP4 Settings Property Page

If you want your users to be able to use a POP3 or IMAP4 email client to access their GroupWise messages, you will need to begin by enabling POP3 and IMAP4. To complete configuration of the POP3 and IMAP4 service, however, you must allow POP3 and/or IMAP4 access from the Access Control property page, described a little later in this chapter. From this page, you can configure the following:

  • Enable POP3 Service: This option must be checked before the GWIA will respond to POP3 requests from email clients.

  • Number of Threads for POP3 Connections: This sets the maximum number of server processes that the GWIA will devote to servicing POP3 mailbox connections. Each connection will tie up one thread, but connections are usually cleared fairly quickly. A small number of threads can support a large user community, depending on how often users download email via POP3.

  • Number of Threads for POP3 SSL Connections: This sets the maximum number of server processes that the GWIA will devote to servicing secure POP3 mailbox connections. Each connection will tie up one thread, but connections are usually cleared fairly quickly. A small number of threads can support a large user community, depending on how often users download email via POP3.

  • Enable Intruder Detection: This new GroupWise 7 feature allows the GWIA to piggyback the intruder detection engine if it is enabled at a GroupWise post office. Intruder detection is enabled under the Client Access Settings of a GroupWise post office object. This setting corresponds to the GWIA.CFG switch /popintruderdetect.

  • Enable IMAP4 Service: This must be checked before the GWIA will respond to IMAP4 requests from email clients.

  • Number of Threads for IMAP4 Connections: This sets the maximum number of server processes that the GWIA will devote to servicing IMAP4 mailbox connections. Each connection will take up one thread, and connections are more latent than POP3 connections are. This is due to the fact that with IMAP4, the user mailbox always exists on the server, and the client must rerequest items that the user wants to reread.

  • Number of Threads for IMAP4 SSL Connections: This sets the maximum number of server processes that the GWIA will devote to servicing secure IMAP4 mailbox connections. Each connection will take up one thread, and connections are more latent than POP3 connections are. This is due to the fact that with IMAP4, the user mailbox always exists on the server, and the client must rerequest items that the user wants to reread.

  • Maximum Number of Items to Read (in Thousands): This is yet another method you can employ to reduce the processing tasks on the GWIA. Keeping the setting at 0 means that there is no maximum. The corresponding setting in the GWIA.CFG is /imapreadlimit.

For more information about setting up POP3 or IMAP4 access for your users, refer to the section "Configuring Access Control," later in this chapter.

Configuring the Server Directories Settings Property Page

Some third-party software requires that you configure the Server Directories Settings property page that the GWIA uses to process SMTP/MIME messages. Otherwise, the defaults work fine. The settings you can configure on this page are discussed here:

  • Conversion Directory: This path becomes the GWIA's "work" directory. By default, this is found at domain\WPGATE\GWIA\000.PRC\GWWORK. The GWIA uses this directory to store temporary files used during message conversion.

  • SMTP Queues Directory: This path becomes the parent directory for the SMTP SEND, RECEIVE, and RESULT directories, which are the input and output queues for the SMTP inbound and outbound threads.

  • Advanced: Clicking this button brings up the SMTP Service Queues Directory dialog box. This dialog box is used for trapping messages between the SMTP daemon and the gateway. If you populate this field with a path, all inbound and outbound messages will be dropped in subdirectories of this directory. They will remain there until another process moves them to the appropriate SMTP queue directory. An example of third-party software that will require that you use this field is Guinevere from GWAVA (www.gwava.com). Typically, these directories are located under the domain directory, in the GWIA structure under WPGATE.

Generally, you should keep the default settings on this property page unless you are implementing third-party software.

Configuring the GWIA Access Control Property Pages

The GWIA Access Control property pages are used to configure blacklists (spam blocking), POP3, LDAP, IMAP4, and SMTP relay access for the GWIA. These property pages (except the Blacklist feature) allow for the creation of classes of service and memberships. Each membership can be assigned to one or more classes of service.

This property page is explained and utilized in the section "Configuring Access Control," later in this chapter.

Using the Access Control Test Property Page

The GWIA Access Control Test property page allows you to test the memberships and classes of service created with the Access Control property page. The display can be changed to include domains, post offices, distribution lists, or users.

Clicking View Access displays a dialog box that shows the GWIA access allowed for the selected object. The Access Control Test property page is used in an example later in this chapter.

Using the Access Control Blacklists Property Page

Chapter 25 talks about how to configure the Blacklist (RBL) feature of the GWIA. Read that chapter for instructions on how to configure the settings on this page.

Using the Access Control SMTP Relay Settings Property Page

The Relay Settings page allows you to define whether your GWIA is an open relay. It also lets you define exceptions to allow specific hosts to relay or not relay off your GWIA. You can also use the Access Control settings to define relay exceptions. An example of this is given later in this chapter.

Using the Access Control LDAP Public Settings Property Page

See the section "Configuring the LDAP Settings Property Page" earlier in this chapter for how you should use the Public Settings page.

Using the Access Control Database Management Property Page

The GWIA does not use the domain database for access control. The access control database is called GWAC.DB, and it's in the DOMAIN\WPGATE\GWIA directory. Thus, a separate tool has been provided for maintaining and repairing the GWIA access control database. You can configure the following options from this page:

  • Validate Now: This button checks the physical structure of the database, essentially making sure that all records can be read correctly. Clicking Validate Now displays a live validation window that shows the validation process's progress.

  • Recover Now: The recover option should be used only after the validation report has been generated and reviewed. Recovery is not a perfect process. If records have been damaged and cannot be read, they cannot be regenerated. They will be removed, and the new, recovered access database will not re-create the removed records.

    Any addresses you define in the blacklist section of the GWIA are not written to the GWAC.DB file. These settings are contained in BLOCKED.TXT.

The Access Control features of the GWIA make the GWIA very flexible. Be sure to utilize these features of the GWIA to control the maximum message size that users can send on the Internet, or the maximum size of Internet messages your GWIA will receive.

Understanding the Reattach Settings Property Page

First off, this page applies only to the GWIA when it runs on the NetWare platform. When the GroupWise GWIA acts as a POP3 or IMAP4 server, it must access the POP3/IMAP4 user's mailbox. In the Post Office Links property page, the links to post offices can be UNC or TCP/IP. The TCP/IP link is generally preferred, but if UNC is chosen, the GWIA must log in to the server using a user ID and password in the fields in this property page.

The settings on this page are as listed here:

  • Tree: This is the name of the eDirectory tree that the GWIA is logging in to.

  • Context: This is the eDirectory context for the user the GWIA will attempt to connect as.

  • User ID: This is the eDirectory user object that the GWIA will attempt to connect as.

  • Password: This is the password that the GWIA will use when logging in.

    We highly recommend that if you do enable POP3/IMAP4 on the GWIA, you allow the GWIA to connect to post offices only via TCP/IP connection, not via a UNC path connection.

Most customers will not have to use the settings on this page.

Using the Post Office Links Property Page

The Post Office Links property page is used to define the connection between the GWIA and each of the post offices to which it must connect to provide users with POP3 or IMAP4 access. As recommended in the preceding text, you should configure your GWIA to talk to your POAs via a TCP/IP client/server link to the POA.

Tip

If you do not intend to enable POP3 or IMAP4 features on your GWIA, don't worry about configuring the link to the post offices.




Novell GroupWise 7 Administrator Solutions Guide
ISBN: 0672327880
EAN: 2147483647
Year: 2003
Pages: 320
Authors: Tay Kratzer
