[an error occurred while processing this directive]
HP OpenVMS Systems Documentation |
HP TCP/IP Services for OpenVMS
|
Previous | Contents | Index |
Whenever the TCP/IP Services SMTP server disconnects a link with a
client as a result of the Antispam checking, it generates an event
message. You can control the way events are handled using the
procedures in the following sections.
18.6.7.1 Reporting Spam Events
You can customize the SMTP server to report a spam event in the following ways. The SMTP server can:
To configure the way SMTP reports the event, use the SPAM-Action field in SMTP.CONFIG. The legal values are:
You can specify multiple values for the SPAM-Action field. For example:
SPAM-Action: OPCOM, ACCOUNTING |
This example causes both OPCOM and accounting messages to be sent for each spam event. To disable spam event reporting, enter a value of NONE for SPAM-Action in SMTP.CONFIG, as follows:
SPAM-Action: NONE |
When the SMTP server disconnects the link with the client because of the Antispam checking, it sends a message back to the client. The text of the message is controlled by the Security field in SMTP.CONFIG. The legal values for this field are:
You can specify the rejection text message to be sent to the client. The field names for these options end in "-Text", and the values for them must be a single line of text. These fields override the default text associated with the specific spam event.
The following are the fields and default messages for the SECURE option:
The following are the fields and default messages for the FRIENDLY option:
You can change one or more of the default messages by including the field and your message for a value. This will override the default setting for that field. For example:
Unbacktranslatable-IP-Text: Your IP address is unbacktranslatable. SPAMMER! |
SMTP allows you to create a mail message in a file and send it to the SMTP mailer to be delivered with headers you specify. Using SFF, you can create automated tools that compose and send mail messages.
SFF is also useful for forwarding nontext (MIME) files because it
prevents the mailer from encapsulating the MIME and SMTP headers in the
body of a new mail message. In this way, SMTP functions like the
redirect
command on your personal computer.
18.7.1 SFF Security Measures
The ability to create messages with arbitrary headers could be used to spoof message headers. To limit this, SFF adds a Received: header to the headers you supply. This tells you the origin of an attempted spoofed message.
You can invoke SFF from an application or from DCL, as described in the
following sections.
18.7.2 Invoking SFF from an Application
TCPIP$SMTP_MAILSHR.EXE contains a routine called TCPIP$SMTP_SEND_FROM_FILE. This routine is declared as follows:
unsigned int TCPIP$SMTP_SEND_FROM_FILE(infile_name, logfd, log_level) char *infile_name; FILE *logfile_name; int log_level; |
The parameters for this routine are:
To call the routine, link with TCPIP$SMTP_MAILSHR.EXE/SHARE.
18.7.3 Invoking SFF from DCL
The SMTP_SFF command allows you to invoke SFF. To define SMTP_SFF as a foreign command so that you can use it from DCL, enter the following command:
$ SMTP_SFF:==$TCPIP$SYSTEM:TCPIP$SMTP_SFF.EXE |
This command takes UNIX style parameters and passes them to SFF.
The command format is:
SMTP_SFF infile_name [-log logfile_name] [-loglevel log_level] |
The parameters to this command are:
Users can specify an outbound alias that is applied to mail as it is sent and specifies the network address to which a reply will be sent. The outbound alias is defined using the TCPIP$SMTP_FROM logical, which is described in the HP TCP/IP Services for OpenVMS User's Guide.
To disable outbound alias processing (preventing the use of the TCPIP$SMTP_FROM logical), define the following system logical:
$ DEFINE/SYSTEM TCPIP$SMTP_PROHIBIT_USER_HEADERS 1 |
To isolate an SMTP problem, follow these steps:
Use the ANALYZE MAIL command to verify the correspondence of the SMTP queues with SMTP control files. This command does the following:
The following examples show how to use the ANALYZE MAIL command:
TCPIP> ANALYZE MAIL /REPAIR /CONFIRM %TCPIP-E-ANA_SUP_BADIICGSIZE, Problem: Bad initial inode cell group size: bad_value Solution: Will be replaced by default size: good_value CONFIRM [Y/N/G]: |
TCPIP> ANALYZE MAIL DRAKE %TCPIP-I-ANA_RUNING, ANALYZE runs on node DODO %TCPIP-I-ANA_NOENTR, no queue entry found for file NEST3$:[DRAKE]93042311394417_DRAKE.UCX_DODO;1 %TCPIP-I-ANA_COMPLE, ANALYZE completed on node DODO %TCPIP-I-ANA_FEPAIR, found 0 file-queue entry pairs %TCPIP-I-ANA_DELQEN, deleted 0 queue entries %TCPIP-I-ANA_FILNOQ, found 1 files with no queue entries %TCPIP-I-ANA_FILHLD, holding 0 files in directory %TCPIP-I-ANA_FILDEL, deleted 0 files from the Postmaster directory %TCPIP-I-ANA_SUBFIL, submitted 0 files to the generic queue %TCPIP-I-ANA_FILACE, encountered 0 file access errors %TCPIP-I-ANA_NONCFF, found 0 non-unknown files in Postmaster directory %TCPIP-I-ANA_FILCOR, found 0 corrupted CF files in Postmaster directory |
TCPIP> ANALYZE MAIL DRAKE /REPAIR /DELETE=BEFORE=24-NOV-1999 |
The operational speed of the SMTP Antispam feature depends on the relative health of the DNS server. A malfunctioning DNS server can slow the operation of SMTP Antispam checking.
The Post Office Protocol (POP) server and the Simple Mail Transfer Protocol (SMTP) server software work together to provide reliable mail management in a client/server environment.
The POP server acts as an interface to the mail repository. It accepts and stores mail messages for you, even when your client system is not connected, and forwards those messages to you at your request. POP is used mostly by PC clients to ensure that mail is received and retained even when the system is not connected to the network.
After the POP server is enabled on your system, you can modify the default characteristics by defining logical names.
This chapter reviews key POP concepts and describes:
The POP server is an implementation of the Post Office Protocol Version 3 server (the public domain IUPOP3 server) specified in RFC 1725.
The POP server is intended to be used as a mail repository for:
With POP, mail is delivered to a shared mail server, and a user periodically downloads unread mail. Once delivered, the messages are deleted from the server.
The POP server is assigned port 110, and all POP client connections are made to this port.
The following sections review the POP process and describe how the
TCP/IP Services software implements POP. If you are not familiar with
POP, refer to RFC 1725 or introductory POP documentation for more
information.
19.1.1 POP Server Process
The POP server is installed with SYSPRV and BYPASS privileges and runs in the TCPIP$POP account, which receives the correct quotas from the TCPIP$CONFIG procedure. The POP server is invoked by the auxiliary server.
The POP server uses security features provided in the protocol and in the OpenVMS operating system, as well as additional security measures. These methods provide a secure process that minimizes the possibility of inappropriate access to a user's mail file on the served system.
You can modify the POP server default characteristics and implement new
characteristics by defining the system logical names outlined in
Section 19.3.
19.1.2 How to Access Mail Messages from the POP Server
To access mail messages from the POP server, you configure a user name and password, or the POP shared secret-password string, into your client mail application.
Your client system opens the TCP connection and attempts to access the server by entering applicable POP commands such as USER (user name) and PASS (password), or APOP (shared secret password). In addition, POP supports the UID command, which some POP clients use, where the UID (user identification) that POP creates for each mail message is a concatenation of the user name and the date of arrival.
Once your client system opens the TCP connection, the POP server issues the following greeting:
+OK POP server ready TCPIP V5.1 [hostname and IP_Address] |
By default, the POP server reads mail from the user's OpenVMS NEWMAIL
folder. If you do not instruct the POP server to delete the mail, the
server either moves the mail to the MAIL folder (if the logical name
TCPIP$POP_USE_MAIL_FOLDER is defined) or keeps it in the NEWMAIL folder
(if the logical name TCPIP$POP_LEAVE_IN_NEWMAIL is defined). These
logical names are described in Section 19.3.
19.1.3 How the POP Server Initiates and Manages a TCP Connection
The POP server starts the service by listening on TCP port 110. The client initiates a connection when it wants to make use of the POP service. The POP server sends either a greeting message confirming the connection (a message with the +OK prefix) or a message that the connection was not successful (a message with the -ERR prefix).
POP permits only two user name and password authorization attempts per TCP connection. After the second failure, POP closes the connection. Once connected, the client and server exchange commands and responses.
When the POP server detects a blocked TCP connection, it suspends
output to the connection for 2 seconds to allow it to unblock. Upon
retry, if the connection is still blocked, the POP server waits 4
seconds before trying again, and so on up to 32 seconds. If the
connection is still blocked after 32 seconds, the POP server shuts down
the connection and sends an error message to the log file, allowing
other client connections to continue to operate.
19.1.4 How the POP Server Handles Foreign Message Formats
POP contains minimal support for mail messages that contain foreign
formats. Such messages are usually binary and therefore are not
transferred to the POP client. Instead, the POP server transfers the
message headers, along with a brief message instructing the user to log
in and extract the foreign message into a file. Foreign messages are
moved into your MAIL folder; they are never deleted by the POP server.
19.1.5 How the POP Server Authorizes Users
Table 19-1 outlines the methods the POP server process uses to authorize user access.
Method | Description |
---|---|
Shared secret-password string |
Most secure POP server access method. Initiated by the client system
through the APOP command.
Allows a user to become authorized by the POP server without the need to send a password over the network. Eliminates a potential path for unauthorized users to obtain a password and break into the system. POP requires a shared secret string from any user who wants to read mail using the APOP authorization method. For information about creating the shared secret string, see the HP TCP/IP Services for OpenVMS User's Guide. |
User name and password |
Least secure POP server access method. Initiated by the client system
through the USER and PASS commands.
The POP server authorizes the client to access the desired mailbox based on receipt of a valid user name and password.
|
OpenVMS SYSUAF settings on user accounts |
Access to the POP server is not permitted if:
|
Ability to disable the USER and PASS commands | Allows the system manager to use the APOP authorization method for all POP clients, the more secure means of user authorization. When you disable the USER and PASS commands (by defining the logical name TCPIP$POP_DISUSERPASS), the POP server responds to the commands with a failure message. |
Mail message headers sent by the POP server must conform to the standard specified for SMTP in RFC 822. Because many of the messages received on an OpenVMS system are not in the SMTP format (for example, DECnet mail or mail from another message transport system), the POP server builds a new set of headers for each message based on the OpenVMS message headers.
The headers on mail messages forwarded by the POP server are as follows:
POP Message Header | Obtained From |
---|---|
Date: | Arrival date of message. Changed to UNIX format. |
From: | OpenVMS message From: field. Rebuilt to ensure RFC 822 compatibility. See Section 19.1.6.1. |
To: | OpenVMS Mail To: field. Not rebuilt. |
CC: | OpenVMS Mail CC: field. Not rebuilt. |
Subject: | OpenVMS Mail Subj: field. Not rebuilt. |
X-VMS-From: | OpenVMS Mail From: field. Not rebuilt. |
X-POP3-Server: | Server host name and POP version information. Sent only if logical name TCPIP$POP_SEND_ID_HEADERS is defined. |
X-POP3-ID: | Message UID. Sent only if logical name TCPIP$POP_SEND_ID_HEADERS is defined. |
The POP server sends these message headers to the POP client unless all of the following conditions are true:
Note that the POP server checks the SMTP configuration database to
ensure that it has been configured with the qualifier
/OPTION=TOP_HEADERS so that headers print at the top of the message. If
the POP logical name TCPIP$POP_IGNORE_MAIL11_HEADERS is defined, the
SMTP option TOP_HEADERS must also be set. If not, the POP server issues
a warning in the log file and does not acknowledge the
TCPIP$POP_IGNORE_MAIL11_HEADERS definition.
19.1.6.1 How POP Rebuilds the OpenVMS Mail From: Field
The most important message header is the From: header, because it can be used as a destination address if a reply is requested from the POP client. Therefore, the POP server rebuilds the OpenVMS Mail From: field in compliance with RFC 822 before sending the header to the POP client.
The different types of addresses that can appear in the OpenVMS Mail From: field are as follows:
Address Type | Address Format |
---|---|
SMTP | SMTP%" legal-address," where legal-address is an address that is compliant with RFC 822 and is commonly in the user@domain format |
DECnet | node::username |
User name | username |
DECnet address within quotation marks | node::"user@host" |
Cluster-forwarding SMTP address | node::SMTP% "user@domain" |
A host name is local if one of the following is true:
Some POP client systems are confused by the use of personal names when you attempt to reply to a mail message or when the name contains commas or other special characters. If you define the TCPIP$POP_PERSONAL_NAME logical name outlined in Section 19.3, make sure you test the configuration carefully with your POP client systems.
The following sections describe how POP rebuilds the message From: field for each type of address.
Previous | Next | Contents | Index |