D-Link NetDefendOS User Manual page 450

disabled, it is a copy of the predefined Service object called smtp. Predefined Service objects
could be used but this is not recommended.
• Associate the new SMTP ALG object with the newly created Service object.
• Create an IP Rule object that that uses the relevant Service and that has the appropriate
source and destination filters. This could be one of the following options:
i. For mail being uploaded to the server from clients using SMTP, an IP rule is required
where the source will be the clients and the destination will be the mail server.
ii. For mail being sent to the server from the public Internet, an IP rule is required where
the destination is the mail server and the source is the Internet. If the mail server does
not have its own public IP address, this will require a SAT IP rule and an ALLOW IP rule to
translate a public IP address to the private address of the server.
iii. For mail from clients being forwarded out to the public Internet by the mail server, an IP
rule is required where the server is the source and the Internet is the destination.
• Associate the Service object with the IP rule.
The most common use for the SMTP ALG is to examine the email traffic that is flowing to a mail
server from the public Internet and this is described in the example given later. However, it can
be possible for malware to infect either protected clients and/or a mail server in which case an
SMTP ALG can be used to monitor mail traffic that is flowing from clients and/or being relayed by
the mail server out on the public Internet.
SMTP ALG Options
Key options of the SMTP ALG are:
• Email rate limiting
A maximum allowable rate of email messages can be specified. This rate is calculated on a per
source IP address basis. In other words, it is not the total rate that is of interest but the rate
from a certain email source.
This is a very useful feature to have since it is possible to put in a block against either an
infected client or an infected server sending large amounts of malware generated emails.
• Email size limiting
A maximum allowable size of email messages can be specified. This feature counts the total
amount of bytes sent for a single email which is the header size plus body size plus the size of
any email attachments after they are encoded. It should be kept in mind that an email with,
for example, an attachment of 100 Kbytes, will be larger than 100 Kbytes. The transferred size
might be 120 Kbytes or more since the encoding which takes place automatically for
attachments may substantially increase the transferred attachment size.
The administrator should therefore add a reasonable margin above the anticipated email size
when setting this limit.
• Email address blacklisting
A blacklist of sender or recipient email addresses can be specified so that mail from/to those
addresses is blocked. The blacklist is applied after the whitelist so that if an address matches a
whitelist entry it is not then checked against the blacklist.
• Email address whitelisting
450
Chapter 6: Security Mechanisms