Security
Intro
Installation
SysAdmin 
Logs 
Protection 
Security
PKI 
Intercept 
Scalability 
Alerts 
Events 
Data Files 
CLI/API 
Monitors 
Network
Objects
Transfer
Access
RealTime
Services
Directory
Clusters
WebApp
WebMail
Miscellaneous
HowTo
HelpMe
Licensing
The CommuniGate Pro Server ensures that only certain users are allowed to access certain resources.

The CommuniGate Pro Server can authenticate its users, and it can also reject connections from outside of the "client networks".

Authentication Methods

The CommuniGate Pro Server supports both clear-text and secure SASL authentication methods for the following protocols:

These secure methods allow mail clients to send encrypted passwords over non-encrypted and insecure links. If anybody can monitor your network traffic, SASL methods ensure that the real passwords cannot be detected by watching the client-server network traffic.

As an alternative to SASL methods, secure links (SSL/TLS) can be used between the client mailer and the server. When an SSL link is established, the entire network traffic between the server and the client is encrypted, and passwords can be sent in clear text over these secure links.

You can force an account user to use either a SASL authentication method or SSL/TLS links if you enable the Secure Method Required option in the Account Settings. When this option is enabled, the Server rejects all authentication requests that send passwords in the clear text format over insecure links.

The CommuniGate Pro Server supports the following insecure (clear text) SASL authentication methods:

The CommuniGate Pro Server supports the following secure SASL authentication methods:

The CommuniGate Pro Server supports the non-standard NTLM and MSN SASL methods used in Microsoft® products.

The CommuniGate Pro Server supports the following GSSAPI authentication methods:

The CommuniGate Pro supports the secure APOP authentication method (used mostly for the POP protocol), and the insecure "regular login" method for the protocols that support Clear Text Login.

The CommuniGate Pro Server supports the special WebUser authenticaton method.

Use the WebAdmin Interface to open the Obscure page in the Settings realm to switch the Advertise Secure SASL Methods, the Advertise APOP Method, the Advertise MSN SASL Method, and the Advertise NTLM SASL Method options:

Login Security  
Advertise Clear Text methods Advertise APOP method
Advertise Secure SASL methods Advertise MSN SASL method
Advertise GSSAPI method Advertise NTLM SASL method
  Enable WebUser SASL method

Advertise Clear Text methods
In certain situations (for example, when all your Accounts require Secure Authentication methods), you may want to disable this option, so your Server will not advertise the supported non-secure authentication methods.

Advertise Secure SASL methods
In certain situations (for example, when all Accounts use External Autherntication or OS Passwords), you may want to disable this option, so your Server will not advertise the supported secure SASL methods.
Advertise Secure APOP methods
In certain situations (for example, when all Accounts use External Autherntication or OS Passwords), you may want to disable this option, so your Server will not show the special key element on some services (POP, PWD) prompt line, thus disabling the APOP login method.
Advertise GSSAPI methods
You may want to disable this method is you have not set your Server to support GSSAPI methods (for example, you have not specified the Kerberos Keys for the Domains).

Advertise MSN SASL method
Disable this option if you do not want your Server to advertise the non-standard MSN SASL method used in some Microsoft products. The Microsoft Outlook products for various versions of MacOS do not work correctly with the MSN method if more that one account is configured in those products.

Advertise NTLM SASL method
Some Microsoft products send incorrect credentials when they detect that the server supports the NTLM SASL method. While those products then resend the correct credentials, the failed login attempts produce Failure-level Log records and may increase the "failed logins" counter too quicky, so the account becomes "temporarily locked". Disable this option if you do not want your Server to advertise the NTLM SASL method.

Enable WebUser SASL method
This option enables the WebUser authentication method.

Note: these Advertise options control only the session-type services (SMTP, POP, IMAP, ACAP, PWD, FTP), and they do not have any effect on the transaction-type services (HTTP, SIP).

Account Passwords

The CommuniGate Pro Server supports several passwords for each account.

One password is the CommuniGate Pro's "own password ". This password is stored as an element of the Account Settings, and it can be used with the CommuniGate Pro Server only.

The other password is the "OS password". The user may be registered with the Server OS and the CommuniGate Pro Server can check the supplied password against the password set in the Server OS registration information for this user.

An account can have the External Password option enabled. In this case, user authentication is done using any custom authentication program running as a separate process (see below).

The system administrator can enable any set of passwords for any user account. On larger sites, it is better to enable these options using the Server-wide or Domain-wide Default Account Settings.

When several passwords are enabled for an account, the Server first checks the CommuniGate (internal) password, then the OS password, and then tries to use the External Authentication program. If at least one of these passwords matches the password presented with the client application, the application is granted access to that account.

CommuniGate Passwords

CommuniGate passwords are strings stored in the Account Settings. Password strings can be stored in the clear-text format or in encoded format. The Password Encryption Account Setting specifies the encryption to use when the account password is updated. When this setting is changed, the currently stored password is not re-encrypted.

When the U-crpt Password Encryption option is selected, the CommuniGate passwords are stored using the standard Unix crypt routine. If the UB-crpt Password Encryption option is selected, an enchanced Blowfish-based encryption is used.
U-crpt and UB-crpt methods implement a one-way encryption. As a result, the Server cannot decrypt them into their original (clear text) form, and it cannot use them for secure (SASL) Authentication Methods. Use these encryption methods only if you need compatibility with legacy password strings, but cannot use the OS passwords - it is usually more important to support "on-the-wire" security (using SASL methods), rather then "on-the-disk" security (using one-way password encryption methods).

U-crpt passwords can contain special prefixes. These prefixes allow you to import passwords encypted using other password encryption methods. See the Migration section for more details.

If the CommuniGate Password is absent or empty, it cannot be used to log into the account even if the Use CommuniGate Password option is enabled. But if the user has logged in using the OS Password or the External Authentication method, the user can specify (update) the Account CommuniGate Password. This feature can be used to migrate users from legacy mail systems where you can not compose the list of accounts with non-crypted user passwords.

OS Passwords

When the Server checks the OS password, it composes the username string using the account OS User Name setting. When the default setting * is used, the composed OS user name is the same as the account name. By changing the OS User Name settings you can use different OS usernames for accounts in different CommuniGate Pro domains.

Server Operating System Notes about OS Passwords
Microsoft Windows 95/98/ME OS does not support passwords, the Use OS Password option does not work.
Microsoft Windows 200x/XP/NT The Windows NT domain authentication system is used. The Windows account used to run the CommuniGate Pro Messaging Server should have the Act as part of the operating system privilege.

The --BatchLogon command line option can be used to tell the Server to use the LOGON_BATCH authentication method (if the option is not present, the LOGON_NETWORK method is used).

The Server checks if the composed OS user name contains the percent (%) symbol. If the symbol is found, the part of the name before that symbol is used as the Windows account name, and the part after that symbol is used as the Windows domain name.
If Accounts in the company1.dom CommuniGate Pro domain have the OS User Name setting set to *%comp1, then the OS user name for the CommuniGate Pro Account joe will be joe%comp1, and the CommuniGate Pro Server will use the Windows LogonUser API to try to authenticate the mail client as the Windows user joe in the Windows domain comp1.

Unix-based systems The passwd and shadow or other OS-supported authentication mechanisms are used.
OS/400 systems The user profile authentication mechanisms are used.
OpenVMS systems The supplied user name and password strings are converted to uppercase, and then the OpenVMS authentication mechanisms are used.
BeOS OS does not support passwords, the Use OS Password option does not work.

The OS passwords are one-way-encrypted passwords. As a result, they cannot be used for Secure Authentication Methods.

Kerberos Authentication

The CommuniGate Pro Server supports the Kerberos authenitcation method. The Kerberos method is based on the "tickets" that client applications send to the server. These tickets are issued by Kerberos authorities (Key Distribution Centers, KDC) that share a common "key" with the Server. See the Kerberos documentation for the details.

To support Kerberos Authentication, you need to add Kerberos Server key(s) to the CommuniGate Pro Server, on the per-domain basis. Create a server "principal" in your KDC database. The principal name should be equal to the name of CommuniGate Pro Domain or one of its Domain Aliases. Export the created key as a keytab file.

Open the Domain Settings using the CommuniGate Pro WebAdmin Interface, and follow the Security and Kerberos links. The list of Domain Kerberos Keys will be displayed:

 RealmPrincipal IssuedVersionType
REALM1.COM(3)imap/domain1.com19-05-2004 17:36:336RC4-HMAC
REALM1.COM(3)imap/domain1.com21-05-2004 17:32:359DES-MD5
REALM1.COM(3)imap/domain1.com24-05-2004 12:41:5510DES-MD5
REALM1.COM(3)imap/domain1.com24-05-2004 17:33:2713DES-CRC32

Each Domain can have several Kerberos Keys. To add Keys, click the browser file-select button and select the keytab file exported from KDC. Click the Import Keys button to add keys from the file to the set of the Domain Kerberos Keys.

To remove Keys, mark the Keys using checkboxes and click the Delete Marked button.

Domain Administrators can Add or Remove Kerberos Keys only if they have the KerberosKeys Access Right.

When the Server receives a Kerberos Ticket, it extracts the Server Name ("sname") from the Ticket. If the Server Name has only 1 component (domain.dom), this component is used as the target Domain name (ticket-domain-name). If the Server Name has 2 or more components (service/domain.dom), then the second component is used. The Server then builds a fictitious E-mail address LoginPage@ticket-domain-name and tries to route this address. This is the same routing mechanism as one used for finding the target Domain for HTTP requests.

If the target Domain is found, the Server looks for the proper key in the list of the Kerberos Keys for that Domain. If the Key is found, and the Ticket and Authorization info can be decrypted with that Key, the user is authenticated. The name of the account is taken from the Client Name specified in the Ticket. That name must be a "simple" name, i.e. it cannot contain @ or % symbols.

CommuniGate Pro adds the name of the target Domain to the retrieved user name and uses the resulting E-mail address as the name of the Account to open.

Note: The Kerberos Authentication mechanism does NOT run the resulting user name via the Router. If it would use the Router, a name in one Domain could be routed to a name in a different Domain, so the Kerberos Keys valid for one Domain would provide access to Accounts in a different Domain. As a side effect, the Account Aliases cannot be used in Kerberos tickets.

In order to be able to login using the Kerberos Authentication method, the user's Account should have the Use Kerberos option enabled.

Integrating with Microsoft Active Directory

You may want to use Microsoft Active Directory as your Kerberos Key Distribution Center (KDC). Follow these steps:

  • create an Active Directory account cgatepro (you may want to use a different name)
  • use the Microsoft ktpass utility to export keys:
    ktpass -princ service/domainName@REALMNAME -mapuser cgatepro -pass password -out keytab.data -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
    where
    service
    is the name of the CommuniGate Pro service you want to use: imap for IMAP and MAPI, HTTP for Web browsers.
    domainName
    is the name of the CommuniGate Pro Domain your Kerberos users should log into
    REALMNAME
    is the name of the Kerberos Realm - the Active Directory domain name with which you want to authenticate
    password
    is the password to assign to the cgatepro account.

    Note: because of the bugs in the Windows 2000 Active Directory, it is recommended to use the -kvno 0 parameter when using the ktpass command on that platform.
  • Import the resulting keytab.data file into the CommuniGate Pro Domain Kerberos settings, as specified above.

See the Microsoft Knowledge Base artcile Q324144 for more details.

If you want to use Kerberos Authentication (Single Sign-on) with Microsoft browsers, please read the "HTTP-Based Cross-Platform Authentication via the Negotiate Protocol" article in the Microsoft documentation set (MSDN).

External Authentication

The CommuniGate Pro Server can use an external Helper program for user authentication. That program should be created by your own technical staff and it can implement authentication mechanisms required at your site but not supported directly with the CommuniGate Pro Server.

The program name and its optional parameters should be specified using the WebAdmin Helpers page. Open the General page in the Settings realm, and click the Helpers link:
External Authentication
Log: Program Path:
Time-out: Auto-Restart:

See the Helper Programs section to learn the meaning of these options. The External Authentication module System Log records are marked with the EXTAUTH tag.

If the External Authentication program is not running, all External Authentication requests are rejected.

The External Authenitcator Interface protocol is based on the generic Helper Protocol.

This manual describes the External Authenitcator Interface Version 7.

When a user should be authenticated using the clear text method, the Server sends the following command:
nnnnnn VRFY (mode) name@domain password [loginAddress]
where:

nnnnnn
a unique sequence number for this request
mode
the name of the service (IMAP, POP, FTP, etc.) that requested this authentication operation.
This parameter can be absent if the request has been received from an unnamed Server component.
If the service name is specified, it is enclosed into the parenthesis.
name
user account name
domain
user account domain name
password
password string to verify. If the password contains special symbols, the password is encoded as a quoted String.
loginAddress
the network address from which the user logs in.
This parameter can be absent if the password is checked by an internal Server component.
If the parameter is specified, it is enclosed into square brackets.

When a user should be authenticated using a secure SASL method, the following command is sent:
nnnnnn SASL(method) (mode) name@domain password key [loginAddress]
where:

method
the name of the secure SASL method used (CRAM-MD5, APOP)
key
the challenge string sent to the client mailer. If the challenge contains special symbols, it is encoded as a quoted String.

If the password is accepted, the External Authernticator should return a positive response:
nnnnnn OK

If the password was not accepted, a negative response should be returned:
nnnnnn ERROR optional-error-message

If the password is accepted, and there is an authentication response to be returned to the client, a positive response with a quoted string should be returned:
nnnnnn RETURN "authentication-response"

SASL password verification requires that the External Authenticator program correctly implements all supported SASL methods and algorithms. Alternatively, the External Authenticator program can return the user plain text password, making the Server verify the password and calculate necessary authentication responses. The user plain text password should be returned as a quoted string:
nnnnnn PLAIN "plain-text-password"

Sample session (I: - server commands sent to the program standard input, O: - responses the program writes to its standard output):

I: 00001 INTF 1
O: 00001 INTF 1
I: 00010 VRFY user1@domain1.com dsyui134
O: 00010 OK
I: 00011 VRFY (IMAP) user2@domain2.com jskj23#45 [10.0.3.4]
O: 00011 ERROR incorrect password
I: 00012 SASL(CRAM-MD6) user4@domain2.com hdkj547812329394055 <pop-23456@mydomain.com> [10.0.1.4]
I: 00013 VRFY (IMAP) user2@domain2.com "jskj23\"45"
O: 00013 OK
O: 00012 ERROR unsupported SASL method
I: 00014 SASL(DIGEST-MD5) user4@domain2.com 012345 "user:qop:zz:mmm:uri" [10.0.1.4]
O: 00014 RETURN "0123456789AAAA"
I: 00015 SASL(DIGEST-MD5) user4@domain2.com 012345 "user:qop:zz:mmm:uri" [10.0.1.4]
O: 00015 PLAIN "my$$password"

The External Authentication program can be used to process unknown names, too. For example, the program can consult an external database, check if the user exists in that database, create an Account, Alias, Group, Mailing List, or Forwarder using the CommuniGate Pro CLI/API, and return a positive response to the Server. In this case, CommuniGate Pro will re-try to open a domain object with the specified name.

To check an unknown name, the Server sends the following command:
nnnnnn NEW name@domain relayType
where:

relayType
[MAIL] if the command is sent as a part of mail-type routing process,
[LIVE] if the command is sent as a part of realtime-type routing process,
[ACCESS] if the command is sent as a part of access-type routing process.
name@domain
the full name of the addresses unknown local object.

If the program sends the OK response, the Server tries to find the name object in the domain Domain again.

If the program sends the ROUTED address response, the Server takes the supplied address response and restarts the Router procedure with this address. The routed address gets a "can Relay" attribute, unless it is specified with the [NORELAY] prefix.

If the program sends the FAILURE response, the Server Router returns a "temporary internal error" code (this code causes SMTP module to return a 4xx error code, not a permanent 5xx error code).

If the program sends any other response, the Server Router returns the "unknown user account" error.

Sample session:

I: 00010 NEW user1@domain1.com [MAIL]
O: 00010 ERROR this account is not known
I: 00011 NEW user2@domain2.com [MAIL]
I: 00012 NEW user3@domain2.com [ACCESS]
O: 00012 OK
O: 00011 ROUTED [NORELAY] userX@domain2.com

The Consult External Authenticator Domain Setting tells the Server to use the External Authenticator program when an unknown name is addressed.

Sample External Authentication programs and scripts can be found at the http://www.stalker.com/CGAUTH/ site.

Account Name Harvesting

Some spammers use 'brute force' attacks on mail systems, sending random names and passwords to system POP, IMAP, and other access ports. If the system sends different error messages for the "unknown account" and "incorrect password" situations, the attacker can harvest a large portion of the system account names and then use those names for spam mailings.

To prevent this type of attack, you may want to enable the Hide Unknown Account messages option, located on the Obscure page in the WebAdmin Settings realm:

Login Security
 Hide Unknown Account messages
Suspend Account after   failed logins within 
Hide Unknown Account messages
If this option is enabled, the Server does not send the Unknown Account and Incorrect Password error messages. Instead, both messages are replaced with the Incorrect Account Name or Password error message.

Account Password Attacks

The CommuniGate Pro server can temporarily disable all types of login operation for an Account that has seen too many incorrect login attempts. The Login Security panel shown above allows you to specify a time period and the number of incorrect login attempts that a user or users can make before the Account is disabled for login operations. The Account is re-enabled after the same period of time.

Granting Access Rights to Users

In order to control, monitor, and maintain the CommuniGate Pro Server, one Postmaster account is usually enough. But you may want to allow other users to connect to the CommuniGate Pro Server: for example, you may want to allow an operator to monitor the Logs, but you do not want to grant that operator all Postmaster access rights.

You should be logged in as the Postmaster, or you should have the "Can Modify Access Rights" right in order to assign access rights.

To grant access rights to a user and/or to revoke those rights, open that user Account (the Account Setting page), and click the Access Rights link. The Access Rights page will appear.

The page lists all Access Rights and the rights granted to the selected user are marked.

The following access rights can be granted only to the users (accounts) in the main domain:

Can Modify Access Rights (unlimited access):
This setting specifies if the user is allowed to modify Access Rights of CommuniGate Pro users. If some users are granted this right, they can access all Server settings and pages (i.e., all other rights are granted, too).
Can Modify User Accounts
This setting specifies if the user is allowed to create, remove and delete Accounts and Domains, and to change Account and Domain Settings.
Can Modify Server Settings
This setting specifies if the user is allowed to change configurations of CommuniGate Pro services (SMTP, POP, Router, etc.).
Can Monitor Server
This setting specifies if the user is allowed to view Server Logs, to monitor Server Queues, etc.

The following access rights can be granted to users in any domain:

Can Modify This Domain and its Account Settings:
This setting specifies if the user is allowed to create, remove and delete Accounts within its own domain, and to change some of the Domain Settings. You usually assign this right to a user ("domain master") who will manage the domain.

Initially, the user Postmaster in the main domain has the Unlimited Access right.

Select the desired Access Rights and click the Update button.

The Access Rights are stored in one file for each domain, the Access.settings file stored in the Settings subdirectory of the domain directory. This makes it easy to check to whom the Server administration rights are granted.

Restricting Access

If you do not plan to support mobile users, you may want to restrict access to the Server accounts. Use the following option on the Protection page:

Reject all Logins from Non-Client Addresses
When this option is selected, all "login" operations (needed for POP, IMAP, WebUser Interface, ACAP, PWD, etc.) are accepted only from the Server computer itself, and from the Client IP Addresses.

When an access module accepts a connection from an unlisted network address, and this option is selected, the module sends an error code to the client application, and the connection is closed immediately. Links with the rest of the Internet will be used only for mail Transfer and access to Personal Web Sites.

When this option is selected, the SMTP AUTH operation can be used only if a client mailer or server connects from the network address included into Client Addresses list.

Note: Before you enable this option, make sure that the address you are using is included into the Client Addresses list: otherwise you will immediately lose access to the Server.

You can also specify the access restrictions on the lower (TCP) connection level. For each service (module), open the Listener page and specify the addresses the service (module) should or should not accept connections from. If a connection comes from an address that is not included into the Grant list or is included into the Deny list, the connection is closed immediately, and no module-level operations are performed.

Impersonating

The CommuniGate Pro Server supports impersonating - a login mode when the credentials are supplied for one Account (the Authentication Account), while a different Account (the Authorisation Account) is being opened.

Impersonating is supported for PLAN and GSSAPI Authentication methods.

When Impersonating is used, the Server checks if the authentication Account credentials are valid, and if the requested service is allowed for that Account. It also checks if the Authentication Account has the CanImpersonate Domain access right.

Using the WebUser Authentication Method

The CommuniGate Pro Server supports the special WebUser authenticaton method. This method uses the session ID of a WebUser session instead of the account password. The method is useful for CGI programs and scripts. This method is disabled by default (see above).

The WebUser SASL method works only for programs running on the same Server computer, or for programs running on other servers in the CommuniGate Pro Cluster.

The method is a SASL method and requires "immediate" parameters in the authentication protocol command. The first parameter is the account name, the second parameter, separated with the space symbol, is the WebUser session ID.
The WebUser authenitcaiton operation for the PWD module is:

AUTH WEBUSER userName session-ID

The WebUser authenitcaiton operation for the IMAP module is:
AUTH WEBUSER bindata
where bindata are base64-encoded parameter data:
userName session-ID

If the user john@doe.dom has an open WebUser Session with the 114-bXaKw92JK1pZVB5taj1r ID, then the PWD command:

AUTH WEBUSER john@doe.dom 114-bXaKw92JK1pZVB5taj1r
opens the john@doe.dom account in this PWD session.
CommuniGate® Pro Guide. Copyright © 1998-2005, Stalker Software, Inc.