
SecurityGateway for Email Servers v10.5

User Verification Sources

This page is used to manage all of your User Verification Sources, which are used to confirm the validity of unknown local addresses. To open this page, click Setup/Users on the navigation menu in the left pane, then click User Verification Sources under the Accounts section of that pane.

Whenever an incoming message is addressed to an unknown local user, SecurityGateway will query the User Verification Sources configured for the user's domain to verify whether or not the unknown address is legitimate. If the address is valid then SecurityGateway will create a user account for that address and attempt to deliver the message to the domain's Domain Mail Servers. If the address is invalid then the message will be rejected. Whenever a new account is created in this manner a welcome message may be emailed to that user, containing a login link for SecurityGateway.

For outbound messages from unknown local users, SecurityGateway will query the domain's User Verification Sources just as it does with inbound messages. Additionally, when a user attempts to authenticate the connection using his or her email address and password, SecurityGateway will pass those authentication credentials to the User Verification Sources. If the user fails authentication then the message will be rejected. If authentication is successful then the message will be accepted for delivery and a SecurityGateway account will be created for that user. For accounts that already exist, SecurityGateway will first check the user's login credentials against the local user database. If no match is found there then the verification sources will be checked.

User Verification Sources are queried in the order in which they are listed on the Verification tab of the domain's Properties screen. As soon as either a positive or negative result occurs, SecurityGateway will accept the result and stop querying the sources. For example, if three sources are listed and the first one states that the user doesn't exist, SecurityGateway will accept that result and reject the message without querying the other two sources. However, if a non-fatal error occurs, for example because the verification source is temporarily down, then the message will be rejected with a 4xx error code, indicating that the sender should try again later.

It is crucial that your verification sources are properly configured to verify ONLY valid users. If a verification source were an open relay or had a "catch-all" alias for one of your SecurityGateway domains, then every incoming email to an unknown user would be validated by that source. This would likely result in many erroneous users being created, since most incoming spam would be addressed to invalid users that would be erroneously verified by the source. This could cause the user limit of your Registration Key to be reached very quickly.
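A check for the misconfiguration described above, as an added example that is not part of the SecurityGateway documentation: it asks an SMTP (call forward) source about randomly generated recipients and flags the source if any of them is accepted. The function names, the probe address format, the sender address and the host name in the comment are assumptions made for illustration.

```python
import secrets
import smtplib

def random_probe_address(domain):
    # Constructed local part that no real directory should contain.
    return f"sgw-probe-{secrets.token_hex(8)}@{domain}"

def smtp_rcpt_probe(host, port, rcpt, mail_from="postmaster@example.com"):
    """Return the SMTP reply code for RCPT TO; no message body is sent."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()  # abandon the transaction before quitting
        return code

def classify(code):
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "tempfail"
    return "rejected"

def audit_source(domain, probe, attempts=3):
    """probe(address) -> SMTP reply code. Returns 'catch-all', 'inconclusive' or 'ok'."""
    results = {classify(probe(random_probe_address(domain))) for _ in range(attempts)}
    if "accepted" in results:
        return "catch-all"     # unknown users would be verified and accounts created
    if "tempfail" in results:
        return "inconclusive"  # source unavailable; retry before relying on it
    return "ok"

if __name__ == "__main__":
    # Constructed stand-ins for three sources. For a real check, use:
    #   probe = lambda addr: smtp_rcpt_probe("mail.example.com", 25, addr)
    stubs = {
        "strict": lambda addr: 550,
        "catch-all alias": lambda addr: 250,
        "temporarily down": lambda addr: 451,
    }
    for name, probe in stubs.items():
        print(f"{name}: {audit_source('example.com', probe)}")
```

Run it against each source before adding the source to a domain's Verification tab, and again after any alias or relay change on the mail server.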

The User Verification Sources page lists one entry per row and has four columns: Description, Server, Port, and Type. The Description column is for a description of the verification source (for example, "Server X at example.com"). The Server column lists the hostname or IP address of the verification source, Port is for the port that each source uses, and Type is the type of the verification source: SMTP Verification (call forward), Active Directory/Exchange, MDaemon (Minger), MDaemon (XML API), LDAP, or Office 365. To edit a verification source, double-click an entry or select it and then click Edit on the toolbar at the top of the page. This will open the Edit User Verification Source screen.

All verification types but LDAP support dynamic authentication. When users attempt to authenticate or log in to SecurityGateway, their local SecurityGateway login credentials are first checked, but if they do not exist then the credentials are passed to the Verification Sources for authentication. This allows users to authenticate or log in to their SecurityGateway accounts without having to remember a separate set of credentials specifically for SecurityGateway.

AUTH passwords cannot be verified dynamically when the CRAM-MD5 method of authentication is used.

The toolbar at the top of the page contains the following five options:

New

Click New to open the New User Verification Source screen, used for creating a new verification source. This screen is identical to the Edit User Verification Source screen.

Edit

Use the toolbar's Edit button to open the Edit User Verification Source screen corresponding to the entry currently selected in the list. Alternatively, you can also open the screen by double-clicking an entry.

Delete

To delete one or more verification sources, select the entries from the list and then click Delete. A box will open asking you to confirm the decision to delete the sources. You can select multiple entries by using the Ctrl and Shift keys.

Verify Users

When "-- All --" is selected in the For Domain: drop-down list box, clicking this button will cause SecurityGateway to immediately attempt to verify all users, even those who were already verified at some point in the past. Any users who cannot be verified by the User Verification Source will be deleted (including users who were added manually). When a specific domain is selected in the For Domain: box, SecurityGateway will only attempt to verify that domain's users.

Options

Opens the User Verification Source Options page for activating response caching and for flagging users to be re-verified after a designated amount of time.

Flag users for re-verification after [xx] hours

This option helps maintain the user list by periodically asking the verification source if users still exist. After the designated number of hours, verified users are flagged to be re-verified the next time they send or receive email. Disabled users are not deleted.

Cache negative responses for [xx] minutes

When a query to a verification source shows that an account doesn't exist, this option will cache the result for the designated number of minutes. This helps limit the number of redundant queries made to the verification source.

Always query default user verification sources for external aliases

When enabled, all unknown addresses will be validated by querying the default user verification source(s). If the user verification source returns that the address is an external alias for a user of a local domain, the local user will be created if necessary and the alias associated with the user. The use of this feature requires at least one default user verification source to be defined.

Since all unknown addresses will be queried, a large number of queries may be made.

For Domain:

Use the For Domain: drop-down list box to choose which User Verification Sources to display in the list. By default all sources are displayed, but you can choose "-- Default --" to display only those sources which you have designated as default sources (on the Edit User Verification Source dialog) or pick a domain from the list to display only that domain's verification sources.