HOW TO: Use Mail Proxies with PGP Universal Server

Article:HOWTO77028  |  Created: 2012-05-18  |  Updated: 2013-06-20  |  Article URL http://www.symantec.com/docs/HOWTO77028
Article Type: How To
Overview

Mail proxies control how your PGP Universal Server handles the email traffic in your environment.  When a message reaches PGP Universal Server, the server uses the mail proxy configuration to determine where the traffic came from and where it is going, and processes the message accordingly.
Mail proxies do not apply to messages generated by the server itself (PGP Universal Server, since renamed Symantec Encryption Management Server), such as the Daily Status Email, Symantec Encryption Web Email Protection notifications (formerly known as PGP Web Messenger) and bounce notifications; these messages are delivered using either the configured mail route or DNS.
PGP Universal Server accepts up to 30 proxy connections per second.
With the Mail Proxies page, you can create new POP, IMAP, and SMTP proxies, and edit existing proxies to match your security requirements.
Creating New or Editing Existing Proxies
You can add or edit the following types of proxies. Which types are available depends on the placement of your PGP Universal Server: in an internal placement the server sits between your email clients and your internal mail server; in a gateway placement it sits between your outward-facing mail server and the Internet.
·         POP. The POP protocol is available only for internal placements. The POP protocol is used by email clients to retrieve email messages from a mail server.
·         IMAP. The IMAP protocol is also available only for internal placements. The IMAP protocol is also used by email clients to retrieve email messages from a mail server.
·         SMTP. The SMTP protocol is available for internal or gateway placements. With an internal placement, you can only create or edit an Outbound SMTP proxy. With a gateway placement, you can create or edit an Outbound, Inbound, or Unified SMTP proxy.
Creating or Editing a POP/IMAP Proxy
To create or edit a POP/IMAP proxy
1.     To edit an existing POP or IMAP proxy, click the name of the proxy you want to edit in the Proxy column of the Mail Proxies page.
The Edit Mail Proxy page appears.
2.     To create a new POP or IMAP proxy, click Add Proxy on the Mail Proxies page and select POP or IMAP, as appropriate, from the Protocol menu.
The Add Mail Proxy: POP or IMAP page appears.
3.     In the Connector 1 field, in the Local Connector section, select the interface for the local connector for this proxy from the drop-down menu.
The interfaces available are those configured on the Network Settings page (System > Network).
4.     In the Port field, select the appropriate port.
The default for POP is 110 and for IMAP is 143. The default for POPS (secure POP) is 995 and for IMAPS (secure IMAP) is 993.
5.     In the Security menu, select one of the following:
·         STARTTLS Allow. Allows the security of the connection to be upgraded to TLS through negotiation when communications begin. The email client must support STARTTLS for the upgrade to occur; a client that does not request the upgrade continues in cleartext, so this setting does not guarantee that credentials and mail are encrypted on the wire.
·         STARTTLS Disable. STARTTLS is not allowed for this connection; all traffic to this connector is in cleartext.
·         STARTTLS Require. Requires that the connection be secured by TLS; a client that does not upgrade is refused. Select this option if you are confident that all the email clients connecting to this local connector support upgrading the security to STARTTLS.
·         SSL. Uses SSL/TLS on a dedicated port (995 for POP, 993 for IMAP) to protect the connection between the email client and PGP Universal Server. The TLS handshake takes place before any protocol commands are exchanged, so there is no cleartext phase that could be downgraded.
6.     Optionally, click Restrict Access to restrict access to this local connector by IP address. Steps 7 through 10 apply only if you do this; otherwise continue with step 11.
7.     On the Access Control for Connector dialog box, select the Enable Access Control for Connector check box.
8.     Select Hostname/IP or IP Range.
·         In the Hostname/IP field, type a hostname or IP address, and then click Add. What you type here appears in the Block or Allow field. If you type a hostname such as example.com, the name resolves to an IP address, and it is that address, not the name, that is matched against connecting clients.
·         In the IP Range fields, type starting and ending IP addresses of an IP address range, and then click Add. What you type here appears in the Block or Allow field below.
·         In the Block or Allow field, select Block these addresses or Allow only these addresses, as appropriate, for the IP addresses or ranges in the box below.
9.     To remove an IP address or range from the box, select it, and then click Remove.
10. Click Save when you have configured the appropriate access control restrictions.
The Access Control for Connector dialog box disappears.
11. In the Mail server field, in the Proxy Peer section, type the mail server from which the email clients retrieve their messages.
This is the mail server the email clients would connect to directly if PGP Universal Server were not in the path of the email traffic.
12. In the Port field, select the appropriate port.
The default for POP is 110 and for IMAP is 143. The default for POPS (secure POP) is 995 and for IMAPS (secure IMAP) is 993.
The port number automatically changes based on your selection from the Security menu.
13. In the Security menu, select one of the following:
·         STARTTLS Attempt. Allows the security of the connection to be upgraded to TLS through negotiation when communications begin. The mail server must support STARTTLS for the upgrade to occur; if it does not, the connection to the mail server continues in cleartext.
·         STARTTLS Disable. STARTTLS is not allowed for this connection.
·         STARTTLS Require. Requires that the connection be secured by TLS. Select this option if you are confident that the mail server this proxy connects to supports upgrading the security to STARTTLS.
·         SSL. Uses SSL to protect the connection between PGP Universal Server and the mail server.
14. Click Save.
Creating or Editing an Outbound SMTP Proxy
An Outbound SMTP proxy can be configured for either an internal placement or a gateway placement of your PGP Universal Server.
In an internal placement, the Outbound SMTP proxy proxies messages that are sent by your internal email users to the local mail server for delivery to the intended recipient.
In a gateway placement, the Outbound SMTP proxy proxies messages that are sent by your outward-facing mail server to the Internet on the way to the intended recipient.
To create or edit an Outbound SMTP proxy
1.     To edit an existing Outbound SMTP proxy, click the name of the proxy you want to edit in the Proxy column of the Mail Proxies page.
The Edit Mail Proxy page appears.
2.     If you are creating a new Outbound SMTP proxy, click Add Proxy on the Mail Proxies page, select SMTP from the Protocol menu, and then select Outbound from the SMTP Proxy Type in the Proxy Peer section.
The Add Mail Proxy: SMTP page appears.
3.     In the Connector 1 field, in the Local Connector section, select the interface for the local connector for this proxy from the drop-down menu.
The interfaces available are those configured on the Network Settings page (System > Network).
4.     In the Port field, select the appropriate port.
The default port for SMTP is 25. The default for SMTPS (secure SMTP) is 465.
5.     In the Security menu, select one of the following:
·         SSL. Uses SSL/TLS on a dedicated port (465) to protect the connection between the connecting client or mail server and PGP Universal Server.
·         STARTTLS Allow. Allows the security of the connection to be upgraded to TLS through negotiation when communications begin. The connecting client or mail server must support STARTTLS for the upgrade to occur; otherwise the session continues in cleartext.
·         STARTTLS Disable. STARTTLS is not allowed for this connection.
·         STARTTLS Require. Requires that the connection be secured by TLS. Select this option if you are confident that all clients and mail servers connecting to this local connector support upgrading the security to STARTTLS.
6.     Optionally, click Restrict Access to restrict access to this local connector by IP address. Steps 7 through 10 apply only if you do this; otherwise continue with step 11.
7.     On the Access Control for Connector dialog box, select the Enable Access Control for Connector check box.
8.     Select Hostname/IP or IP Range.
·         In the Hostname/IP field, type a hostname or IP address, then click Add. What you type here appears in the Block or Allow field below. If you type a hostname such as example.com, the name resolves to an IP address.
·         In the IP Range fields, type starting and ending IP addresses of an IP address range, then click Add. What you type here appears in the Block or Allow field below.
·         In the Block or Allow field, select Block these addresses or Allow only these addresses, as appropriate, for the IP addresses or ranges in the box below.
9.     To remove an IP address or range from the box, select it, and then click Remove.
10. Click Save when you have configured the appropriate access control restrictions.
The Access Control for Connector dialog box disappears.
11. In the Proxy Peer section, select one of the following:
·         Send mail directly to recipient mailserver. When selected, outgoing email messages from your internal email users are sent to the recipient's mail server after PGP Universal Server has processed them according to the applicable policies.
·         Proxy mail to SMTP server. When selected, outgoing email messages from your internal email users are sent to the device you specify after PGP Universal Server has processed them according to the applicable policies.
12. If you select Proxy mail to SMTP server, in the Hostname field, type the hostname or IP address of the device you want outgoing email messages to be sent to after processing by PGP Universal Server.
13. In the Port field, select the appropriate port. The default port for SMTP is 25. The default port for SMTPS (secure SMTP) is 465. The port number automatically changes based on your selection from the Security menu.
14. In the Security menu, select SSL, STARTTLS Attempt, STARTTLS Disable, or STARTTLS Require. These are the same options available for the Security menu in the Local Connector section.
15. Click Save.
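The Security menu appears on every local connector and proxy peer in this article with the same four settings, and the difference between STARTTLS Allow and STARTTLS Require is where the security of the whole deployment is decided. The following Python script, added here as an illustration and not taken from the article or from the product, simulates an SMTP session against a local connector under each setting, including the case in which an on-path attacker removes the STARTTLS advertisement from the cleartext EHLO reply. The client, hostnames and addresses in it are constructed; the reply codes are those of RFC 3207. The same reasoning applies to the POP and IMAP connectors, which differ only in their commands and default ports.

```python
"""Illustrative model of the four Security settings on a PGP Universal Server
mail-proxy connector. Added example, not product code; peers, hostnames and
addresses are constructed. SMTP reply codes follow RFC 3207."""

from enum import Enum


class Security(Enum):
    STARTTLS_ALLOW = "STARTTLS Allow"      # opportunistic: TLS only if the peer asks
    STARTTLS_DISABLE = "STARTTLS Disable"  # cleartext only
    STARTTLS_REQUIRE = "STARTTLS Require"  # cleartext banner, then TLS is mandatory
    SSL = "SSL"                            # implicit TLS: handshake before any SMTP text


def default_port(protocol: str, security: Security) -> int:
    """Default ports from the article; the GUI switches them when SSL is chosen."""
    plain = {"POP": 110, "IMAP": 143, "SMTP": 25}
    implicit_tls = {"POP": 995, "IMAP": 993, "SMTP": 465}
    return (implicit_tls if security is Security.SSL else plain)[protocol]


def ehlo_response(security: Security) -> list:
    """Capability lines the local connector returns after EHLO."""
    caps = ["250-proxy.example.internal", "250-SIZE 52428800"]
    if security in (Security.STARTTLS_ALLOW, Security.STARTTLS_REQUIRE):
        caps.append("250-STARTTLS")
    caps.append("250 OK")
    return caps


def run_session(security: Security, client_can_tls: bool,
                attacker_strips_starttls: bool = False):
    """Simulate one SMTP session and return (outcome, transcript).

    outcome: 'tls' = mail accepted under TLS, 'plaintext' = mail accepted
    in the clear, 'refused' = no mail accepted.
    attacker_strips_starttls models an on-path party that removes the
    STARTTLS capability from the cleartext EHLO reply (RFC 3207 downgrade).
    """
    log = []
    if security is Security.SSL:
        # Implicit TLS: the handshake is the first thing on the wire, so a
        # client that cannot do TLS never gets to speak SMTP at all.
        if not client_can_tls:
            log.append("TLS handshake failed; connection closed")
            return "refused", log
        log += ["TLS handshake complete (port 465)",
                "C: EHLO client.example.internal", "S: 250 OK",
                "C: MAIL FROM:<alice@example.internal>", "S: 250 OK"]
        return "tls", log

    log += ["S: 220 proxy.example.internal ESMTP", "C: EHLO client.example.internal"]
    caps = ehlo_response(security)
    if attacker_strips_starttls:
        caps = [c for c in caps if "STARTTLS" not in c]   # rewritten in transit
    log += [f"S: {c}" for c in caps]

    tls = False
    if client_can_tls and any("STARTTLS" in c for c in caps):
        log += ["C: STARTTLS", "S: 220 Ready to start TLS", "TLS handshake complete",
                "C: EHLO client.example.internal", "S: 250 OK"]
        tls = True

    log.append("C: MAIL FROM:<alice@example.internal>")
    if security is Security.STARTTLS_REQUIRE and not tls:
        log.append("S: 530 Must issue a STARTTLS command first")
        return "refused", log
    log.append("S: 250 OK")
    return ("tls" if tls else "plaintext"), log


def downgrade_resistant(security: Security) -> bool:
    """True if a TLS-capable client can never be made to send in cleartext."""
    outcome, _ = run_session(security, client_can_tls=True, attacker_strips_starttls=True)
    return outcome != "plaintext"


if __name__ == "__main__":
    for sec in Security:
        print(f"{sec.value:17} capable client: {run_session(sec, True)[0]:9} "
              f"legacy client: {run_session(sec, False)[0]:9} "
              f"capable client + stripping attacker: {run_session(sec, True, True)[0]:9} "
              f"downgrade-resistant: {downgrade_resistant(sec)}")
```

Running it shows that only STARTTLS Require and SSL keep a capable client from being talked down to cleartext. STARTTLS Allow protects against a passive eavesdropper only when the client itself insists on TLS, and STARTTLS Require turns every legacy client into a delivery failure, which is why the article asks you to be sure of your client population before choosing it.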
Creating or Editing an Inbound SMTP Proxy
The Inbound SMTP proxy processes email traffic coming into your network from the Internet. An Inbound SMTP proxy can be configured only for a PGP Universal Server in a gateway placement.
To create or edit an Inbound SMTP proxy
1.     To edit an existing Inbound SMTP proxy, click the name of the proxy you want to edit in the Proxy column of the Mail Proxies page.
The Edit Mail Proxy page appears.
2.     To create a new Inbound SMTP proxy, click Add Proxy on the Mail Proxies page, select SMTP from the Protocol menu, and then select Inbound from the SMTP Proxy Type in the Proxy Peer section.
The Add Mail Proxy: SMTP page appears.
3.     In the Connector 1 field, in the Local Connector section, select the interface for the local connector for this proxy from the drop-down menu.
The interfaces available are those configured on the Network Settings page (System > Network).
4.     In the Port field, select the appropriate port.
The default port for SMTP is 25 and for SMTPS (secure SMTP) is 465. The port number automatically changes based on your selection from the Security menu.
5.     In the Security menu, select one of the following:
·         STARTTLS Allow. Allows the security of the connection to be upgraded to TLS through negotiation when communications begin. The external MTA must support STARTTLS for the upgrade to occur; otherwise the session continues in cleartext.
·         STARTTLS Disable. STARTTLS is not allowed for this connection.
·         STARTTLS Require. Requires that the connection be secured by TLS. Select this option only if you are confident that all the devices connecting to this local connector support upgrading the security to STARTTLS; on an Internet-facing connector, any remote MTA that cannot negotiate TLS will be unable to deliver mail to you.
·         SSL. Uses SSL to protect the connection between the sending external MTA and PGP Universal Server.
6.     Optionally, click Restrict Access to restrict access to this local connector by IP address. Steps 7 through 10 apply only if you do this; otherwise continue with step 11.
7.     On the Access Control for Connector dialog box, select the Enable Access Control for Connector check box.
8.     Select Hostname/IP or IP Range.
·         In the Hostname/IP field, type a hostname or IP address, and then click Add. What you type here appears in the Block or Allow field below. If you type a hostname such as example.com, the name resolves to an IP address.
·         In the IP Range fields, type starting and ending IP addresses of an IP address range, then click Add. What you type here appears in the Block or Allow field below.
·         In the Block or Allow field, select Block these addresses or Allow only these addresses, as appropriate, for the IP addresses or ranges in the box below.
9.     To remove an IP address or range from the box, select it then click Remove.
10. Click Save when you have configured the appropriate access control restrictions.
The Access Control for Connector dialog box disappears.
11. In the Proxy Peer section, in the Mailserver Hostname field, type the hostname or IP address of the device you want incoming email messages to be sent to after processing by PGP Universal Server.
Under most circumstances, this should be your outward-facing mail server.
12. In the Port field, select the appropriate port. The default port for SMTP is 25 and for SMTPS (secure SMTP) is 465. The port number automatically changes based on your selection from the Security menu.
13. In the Security menu, select SSL, STARTTLS Attempt, STARTTLS Disable, or STARTTLS Require. These are the same options available for the Security menu in the Local Connector section.
14. Click Save.
Creating or Editing a Unified SMTP Proxy
The Unified SMTP proxy is a single proxy that combines the properties of the Inbound SMTP proxy and the Outbound SMTP proxy. You can instead configure one Inbound and one Outbound SMTP proxy individually and achieve the same result.
The Unified SMTP proxy can only be configured for a PGP Universal Server in gateway placement.
With the Unified SMTP proxy, all mail traffic arrives on the same local connectors. This means that you do not need a second IP address for your PGP Universal Server, which you would need if you created separate Inbound and Outbound SMTP proxies.
PGP Universal Server checks the source IP address of every connection arriving on the proxy's local connectors and assigns the traffic to one of two categories:
·         The traffic comes from an IP address on the Designated Source IPs list. It is therefore treated as outbound traffic from an internal mail server. Messages are encrypted and/or signed according to the applicable policy, but not decrypted or verified.
·         The traffic comes from an IP address that is not on the Designated Source IPs list. It is therefore treated as inbound traffic from the Internet. Messages are decrypted and verified, but not encrypted or signed.
Because the decision rests entirely on the source IP address, keep the Designated Source IPs list complete and current: an internal mail server that is missing from the list has its outbound mail handled as inbound, so that mail leaves your network without being encrypted or signed.
To create or edit a Unified SMTP proxy
1.     To edit an existing Unified SMTP proxy, click the name of the proxy you want to edit in the Proxy column of the Mail Proxies page.
The Edit Mail Proxy page appears.
2.     If you are creating a new Unified SMTP proxy, click Add Proxy on the Mail Proxies page, select SMTP from the Protocol menu, and then select Unified from the SMTP Proxy Type in the Proxy Peer section.
The Add Mail Proxy: SMTP page appears.
3.     In the Connector 1 field, in the Local Connector section, select the interface for the local connector for this proxy from the drop-down menu.
The interfaces available are those configured on the Network Settings page (System > Network). If you want more interfaces to be available for your proxies, you need to configure them on the Network Settings page.
4.     In the Port field, select the appropriate port.
The default port for SMTP is 25 and for SMTPS (secure SMTP) is 465.
The port number automatically changes based on your selection from the Security menu.
5.     In the Security menu, select one of the following:
·         STARTTLS Allow. Allows the security of the connection to be upgraded to TLS through negotiation when communications begin. The external MTA must support STARTTLS for the upgrade to occur. The default port is 25.
·         STARTTLS Disable. STARTTLS is not allowed for this connection. The default port is 25.
·         STARTTLS Require. Requires that the connection be secured by TLS. Select this option if you are confident that all devices connecting to this local connector support upgrading the security to STARTTLS. The default port is 25.
·         SSL. Uses SSL to protect the connection between the external MTA and PGP Universal Server. The default port is 465.
6.     Optionally, click Restrict Access to restrict access to this local connector by IP address. Steps 7 through 10 apply only if you do this; otherwise continue with step 11.
7.     On the Access Control for Connector dialog box, select the Enable Access Control for Connector check box.
8.     Select Hostname/IP or IP Range.
·         In the Hostname/IP field, type a hostname or IP address, and then click Add. What you type here appears in the Block or Allow field below. If you type a hostname such as example.com, the name will be resolved to an IP address.
·         In the IP Range fields, type starting and ending IP addresses of an IP address range, then click Add. What you type appears in the Block or Allow field below.
·         In the Block or Allow field, select Block these addresses or Allow only these addresses, as appropriate, for the IP addresses or ranges in the box below.
9.     To remove an IP address or range from the box, select it then click Remove.
10. Click Save when you have configured the appropriate access control restrictions.
The Access Control for Connector dialog box disappears.
11. In the Designated Source IPs list, add the IP address of each internal mail server that sends mail through PGP Universal Server for delivery to the Internet.
12. To add the IP address of a mail server, click the plus sign icon, type the IP address, and then click Save.
The Unified SMTP proxy considers all mail traffic coming from IP addresses on this list to be outbound for the Internet, and processes it accordingly.
13. Select one of the following:
·         Send mail directly to recipient mailserver. When selected, the outgoing email messages coming from your internal email users will be sent to the recipient mail server after processing by the PGP Universal Server per the appropriate policies.
·         Send all outbound mail to relay. When selected, the outgoing email messages from your internal email users will be sent to the device you specify after processing by the PGP Universal Server per the appropriate policies.
14. If you select Send all outbound mail to relay, in the Hostname field, type the hostname or IP address of the device you want outgoing email messages to be sent to after processing by PGP Universal Server.
15. In the Port field, select the appropriate port. The default port for SMTP is 25. The default port for secure SMTP is 465. The port number automatically changes based on your selection from the Security menu.
16. In the Security menu, select SSL, STARTTLS Attempt, STARTTLS Disable, or STARTTLS Require. These are the same options available for the Security menu in the Local Connector section.
17. In the Mailserver field, for Hostname, type the hostname or IP address of the device you want incoming email messages to be sent to after processing by PGP Universal Server.
Under most circumstances, this should be your outward-facing mail server.
18. In the Port field, select the appropriate port. The default port for SMTP is 25 and for SMTPS (secure SMTP) is 465. The port number automatically changes based on your selection from the Security menu.
19. In the Security menu, select SSL, STARTTLS Attempt, STARTTLS Disable, or STARTTLS Require. These are the same options available for the Security menu in the Local Connector section.
20. Click Save.
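The Unified SMTP proxy decides how to treat each connection in three steps: the connector's access control, the Designated Source IPs test, and the choice of next hop. The following Python script, added here as an illustration and not taken from the article or from the product, models those decisions as the article describes them so that you can check a planned configuration before committing it. All hostnames, IP addresses and the hostname-to-address map in it are constructed; the product's internal data structures are not known and are not reproduced.

```python
"""Illustrative model of the decisions a Unified SMTP proxy makes for each
connection, as described in this article: connector access control, the
Designated Source IPs test, and the next hop. Added example, not product
code; all hostnames, addresses and the name-to-address map are constructed."""

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address

# Constructed stand-in for DNS: the GUI resolves a typed hostname to an address.
RESOLVER = {"mx.example.internal": "10.0.0.25"}


@dataclass
class AccessControl:
    """The Restrict Access dialog: a list of addresses/ranges plus a mode."""
    enabled: bool = False
    mode: str = "block"          # "block" = Block these addresses, "allow" = Allow only these addresses
    ranges: list = field(default_factory=list)   # inclusive (start, end) pairs

    def add_host(self, host: str) -> None:
        addr = IPv4(RESOLVER.get(host, host))     # a name resolves to one address
        self.ranges.append((addr, addr))

    def add_range(self, start: str, end: str) -> None:
        self.ranges.append((IPv4(start), IPv4(end)))

    def permits(self, src) -> bool:
        src = IPv4(src) if isinstance(src, str) else src
        if not self.enabled:
            return True
        listed = any(lo <= src <= hi for lo, hi in self.ranges)
        return listed if self.mode == "allow" else not listed


@dataclass
class UnifiedProxyConfig:
    access: AccessControl
    designated_source_ips: set      # internal MTAs whose traffic is outbound
    relay: Optional[str]            # "Send all outbound mail to relay" target, None = direct
    inbound_mailserver: str         # outward-facing mail server for inbound traffic


@dataclass
class Decision:
    accepted: bool
    direction: Optional[str] = None   # "outbound" or "inbound"
    crypto: Optional[str] = None      # policy processing applied
    next_hop: Optional[str] = None


def decide(cfg: UnifiedProxyConfig, src_ip: str, rcpt_domain: str) -> Decision:
    """Classify one connection from src_ip carrying mail for rcpt_domain."""
    if not cfg.access.permits(src_ip):
        return Decision(accepted=False)            # dropped at the connector
    if IPv4(src_ip) in cfg.designated_source_ips:
        # Outbound: encrypt and/or sign per policy; never decrypt or verify.
        hop = cfg.relay if cfg.relay else f"MX for {rcpt_domain}"
        return Decision(True, "outbound", "encrypt/sign per policy", hop)
    # Inbound: decrypt and verify; never encrypt or sign.
    return Decision(True, "inbound", "decrypt/verify", cfg.inbound_mailserver)


def example_config() -> UnifiedProxyConfig:
    """Gateway placement: one internal MTA, a blocked external range, direct delivery."""
    acl = AccessControl(enabled=True, mode="block")
    acl.add_range("203.0.113.0", "203.0.113.255")        # constructed blocklist
    return UnifiedProxyConfig(
        access=acl,
        designated_source_ips={IPv4("10.0.0.25")},
        relay=None,
        inbound_mailserver="mail-edge.example.internal",
    )


if __name__ == "__main__":
    cfg = example_config()
    cases = [("10.0.0.25", "example.net"),          # listed internal MTA: outbound
             ("198.51.100.7", "example.internal"),  # Internet MTA: inbound
             ("203.0.113.9", "example.internal"),   # blocked by access control
             ("10.0.0.26", "example.net")]          # unlisted internal MTA: misclassified
    for src, dom in cases:
        print(f"{src:14} -> {decide(cfg, src, dom)}")
```

The last case in the script, an internal mail server whose address was left off the Designated Source IPs list, is the failure mode to watch for: its outbound mail is classified as inbound and handed to the outward-facing mail server without encryption or signing. Running every internal MTA address through a check like this before saving the proxy is cheaper than discovering the omission from a cleartext message on the Internet.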
 
 

