Authenticating SMTP Sessions Using Client Certificates

Similar documents
Using LDAP Authentication in a PowerCenter Domain

Configuring and Using the TMM with LDAP / Active Directory

F-Secure Messaging Security Gateway. Deployment Guide

Owner of the content within this article is Written by Marc Grote

Use Enterprise SSO as the Credential Server for Protected Sites

Chapter 10 Encryption Service

LDAP and Active Directory Guide

PGP Desktop LDAP Enterprise Enrollment

Basic Exchange Setup Guide

MailGuard and Microsoft Exchange 2007

VERALAB LDAP Configuration Guide

Important Information

Configuration Manual

Integrating Webalo with LDAP or Active Directory

BarricadeMX. QUICK GUIDE FOR COMMON TASKS Step by step instructions for Getting started with BarricadeMX, version 2.x Fort Systems Ltd 2009

Chapter 7 Managing Users, Authentication, and Certificates

eprism Enterprise Tech Notes

OCS Training Workshop LAB14. Setup

SSL VPN Portal Options

Domains Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc.

Certificate technology on Pulse Secure Access

NETASQ ACTIVE DIRECTORY INTEGRATION

StoneGate SSL VPN Technical Note Adding Bundled Certificates

POP3 Connector for Exchange - Configuration

OneLogin Integration User Guide

Certificate technology on Junos Pulse Secure Access

BUSINESS CLASS POP3 END USER GUIDE TIME WARNER CABLE BUSINESS SERVICES VERSION 1.0, RELEASE 1.2

SonicWALL Security Quick Start Guide. Version 4.6

Configuring Thunderbird with UEA Exchange 2007:

Basic Exchange Setup Guide

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

1 You will need the following items to get started:

Configuration Guide BES12. Version 12.2

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Summary. How-To: Active Directory Integration. April, 2006

Implementing MDaemon as an Security Gateway to Exchange Server

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

escan SBS 2008 Installation Guide

Djigzo S/MIME setup guide

All existing accounts will be listed. 2. Click Add and select Mail to add a new account (see Figure 2). Figure 1. Figure 2

Chapter 3 Authenticating Users

Hansoft LDAP Integration

Exchange Server 2003 Management Pack Guide for Operations Manager 2007

LDAP / SSO Authentication

Smart Card Authentication. Administrator's Guide

Configuration Guide BES12. Version 12.1

Implementation notes on Integration of Avaya Aura Application Enablement Services with Microsoft Lync 2010 Server.

Configuring Sponsor Authentication

Certificate Management

Installing Policy Patrol on a separate machine

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

X.509 Certificate Generator User Manual

How to configure your client

Skipjack Merchant User Guide. Quick Guide. (a supplement to the Merchant User Guide)

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

LDaemon. This document is provided as a step by step procedure for setting up LDaemon and common LDaemon clients.

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # )

Getting Started with Clearlogin A Guide for Administrators V1.01

SharePoint AD Information Sync Installation Instruction

ADFS Integration Guidelines

Section 4 Application Description - LDAP

QUICK START GUIDE. Cisco C170 Security Appliance

1. Open Thunderbird. If the Import Wizard window opens, select Don t import anything and click Next and go to step 3.

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Content Filtering Client Policy & Reporting Administrator s Guide

Manage Licenses and Updates

Configuring Outlook 2010 for Windows

Configuring User Identification via Active Directory

Setup Guide. network support pc repairs web design graphic design Internet services spam filtering hosting sales programming

1 Introduction. Windows Server & Client and Active Directory.

ACTIVE DIRECTORY WEB SERVICE USER GUIDE LAST UPDATED: January 4, 2013

How to Time Stamp PDF and Microsoft Office 2010/2013 Documents with the Time Stamp Server

How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network

LDAP Authentication and Authorization

Setup Guide for Exchange Server

How to Logon with Domain Credentials to a Server in a Workgroup

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Aradial Installation Guide

WaveWare Technologies, Inc. We Deliver Information at the Speed of Light

Open Directory. Contents. Before You Start 2. Configuring Rumpus 3. Testing Accessible Directory Service Access 4. Specifying Home Folders 4

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Monitoring Oracle Enterprise Performance Management System Release Deployments from Oracle Enterprise Manager 12c

Using LDAP with Sentry Firmware and Sentry Power Manager (SPM)

Settings 1 September 2015

Frequently Asked Questions for New Electric Mail Administrators 1 Domain Setup/Administration

Portal User Guide. Customers. Version 1.1. May of 5

How To Upgrade To Symantec Mail Security Appliance 7.5.5

OFFICE OF KNOWLEDGE, INFORMATION, AND DATA SERVICES (KIDS) DIVISION OF ENTERPRISE DATA

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

Install and Configure Oracle Outlook Connector

CA Performance Center

Setting up Citrix XenServer for 2X VirtualDesktopServer Manual

qliqdirect Active Directory Guide

Security Provider Integration LDAP Server

Configuration Guide BES12. Version 12.3

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Transcription:

Authenticating SMTP Sessions Using Client Certificates This chapter contains the following sections: Overview of Certificates and SMTP Authentication, page 1 Checking the Validity of a Client Certificate, page 3 Authenticating a User Using an LDAP Directory, page 4 Authenticating an SMTP Connection Over TLS Using a Client Certificate, page 5 Establishing a TLS Connection from the Appliance, page 5 Updating a List of Revoked Certificates, page 6 Overview of Certificates and SMTP Authentication The Email Security appliance supports the use of client certificates to authenticate SMTP sessions between the Email Security appliance and users mail clients. The Email Security appliance can request a client certificate from a user s mail client when the application attempts to connect to the appliance to send messages. When the appliance receives the client certificate, it verifies that the certificate is valid, has not expired, and has not been revoked. If the certificate is valid, the Email Security appliance allows an SMTP connection from the mail application over TLS. Organizations that require their users to use a Common Access Card (CAC) for their mail clients can use this feature to configure the Email Security appliance to request a certificate that the CAC and ActivClient middleware application will provide to the appliance. You can configure the Email Security appliance to require users to provide a certificate when sending mail, but still allow exceptions for certain users. For these users, you can configure the appliance to use the SMTP authentication LDAP query to authenticate the user. Users must configure their mail client to send messages through a secure connection (TLS) and accept a server certificate from the appliance. 1

How to Authenticate a User with a Client Certificate Authenticating SMTP Sessions Using Client Certificates How to Authenticate a User with a Client Certificate Table 1: How to Authenticate a User with a Client Certificate Do This Define a certificate query for your LDAP server. Create a certificate-based SMTP authentication profile. Configure a listener to use the certificate SMTP authentication profile. Modify the RELAYED mail flow policy to require TLS, a client certificate, and SMTP authentication. More Info Checking the Validity of a Client Certificate, on page 3 Authenticating an SMTP Connection Over TLS Using a Client Certificate, on page 5 Listening for Connection Requests by Creating a Listener Using Web Interface Establishing a TLS Connection from the Appliance, on page 5 How to Authenticate a User with an SMTP Authentication LDAP Query Table 2: How to Authenticate a User with an SMTP Authenticate LDAP Query Do This Define an SMTP authentication query for your server that uses an allowance query string and Bind for the authentication method. Create an LDAP-based SMTP authentication profile. Configure a listener to use the LDAP SMTP authentication profile. Modify the RELAYED mail flow policy to require TLS and SMTP authentication. More Info Authenticating a User Using an LDAP Directory, on page 4 Configuring AsyncOS for SMTP Authentication If the user is not allowed to use LDAP-based SMTP authentication for their connection, you can select whether the appliance rejects the connection or temporarily allows it while logging all activity. Establishing a TLS Connection from the Appliance, on page 5 2

Authenticating SMTP Sessions Using Client Certificates How to Authenticate a User with an LDAP SMTP Authentication Query if the Client Certificate is Invalid How to Authenticate a User with an LDAP SMTP Authentication Query if the Client Certificate is Invalid Table 3: How to Authenticate a User with a Client Certificate or an LDAP SMTP Authentication Query Do This Define an SMTP authentication query for your server that uses an allowance query string and Bind for the authentication method. Define a certificate-based query for your LDAP server. Create a certificate-based SMTP authentication profile Create an LDAP SMTP authentication profile. Configure a listener to use the certificate SMTP authentication profile. 1 Modify the RELAYED mail flow policy to use the following settings: 2 TLS Preferred 3 SMTP authentication required 4 Require TLS for SMTP authentication More Info Authenticating a User Using an LDAP Directory, on page 4 Checking the Validity of a Client Certificate, on page 3 Authenticating an SMTP Connection Over TLS Using a Client Certificate, on page 5 Configuring AsyncOS for SMTP Authentication Listening for Connection Requests by Creating a Listener Using Web Interface Establishing a TLS Connection from the Appliance, on page 5 Checking the Validity of a Client Certificate The Certificate Authentication LDAP query checks the validity of a client certificate in order to authenticate an SMTP session between the user s mail client and the Email Security appliance. When creating this query, you select a list of certificate fields for authentication, specify the User ID attribute (the default is uid ), and enter the query string. For example, a query string that searches for the certificate s common name and serial number may look like (&(objectclass-posixaccount)(caccn={cn})(cacserial={sn}). After you have created the query, you can use it in a Certificate SMTP Authentication Profile. This LDAP query supports OpenLDAP, Active Directory, and Oracle Directory. 3

Authenticating a User Using an LDAP Directory Authenticating SMTP Sessions Using Client Certificates See LDAP Queries for more information on configuring LDAP servers. Select System Administration > LDAP. Create a new LDAP profile. See Creating LDAP Server Profiles to Store Information About the LDAP Server for more information. Check the Certificate Authentication Query checkbox. Enter the query name. Enter the query string to authenticate the user s certificate. For example, (&(objectclass=user)(cn={cn})). Enter the user ID attribute, such as samaccountname. Step 7 Authenticating a User Using an LDAP Directory The SMTP Authentication LDAP query has an Allowance Query String that allows the Email Security appliance to check whether the user s mail client is allowed to send mail through the appliance based on the user s record in the LDAP directory. This allows users who don t have a client certificate to send mail as long as their record specifies that it s allowed. You can also filter out results based on other attributes. For example, the query string (&(uid={u})( (!(caccn=*))(cacexempt=*)(cacemergency>={t}))) checks to see if any of the following conditions are true for the user: CAC is not issued to the user ( caccn=* ) CAC is exempt ( cacexempt=* ) the time period that a user may temporarily send mail without a CAC expires in the future ( cacemergency>={t} ) See Configuring AsyncOS for SMTP Authenticationfor more information on using the SMTP Authentication query. Step 7 Select System Administration > LDAP. Define an LDAP profile. See Creating LDAP Server Profiles to Store Information About the LDAP Server for more information. Define an SMTP authentication query for the LDAP profile. Check the SMTP Authentication Query checkbox. Enter the query name. Enter the string to query for the user s ID. For example, (uid={u}). Select LDAP BIND for the authentication method. Step 8 Enter an allowance query string. For example, (&(uid={u})( (!(caccn=*))(cacexempt=*)(cacemergency>={t}))). Step 9 4

Authenticating SMTP Sessions Using Client Certificates Authenticating an SMTP Connection Over TLS Using a Client Certificate Authenticating an SMTP Connection Over TLS Using a Client Certificate The certificate-based SMTP authentication profile allows the Email Security appliance to authenticate an SMTP connection over TLS using a client certificate. When creating the profile, you select the Certificate Authentication LDAP query to use for verifying the certificate. You can also specify whether the Email Security appliance falls back to the SMTP AUTH command to authenticate the user if a client certificate isn t available. For information on authenticating an SMTP connection by using LDAP, see Configuring AsyncOS for SMTP Authentication. Step 7 Step 8 Step 9 Select Network > SMTP Authentication. Click Add Profile. Enter the name for the SMTP authentication profile. Select Certificate for the Profile Type. Click Next. Enter the profile name. Select the certificate LDAP query you want to use with this SMTP authentication profile. Note Do not select the option to allow the SMTP AUTH command if a client certificate is not available. Click Finish. Establishing a TLS Connection from the Appliance The Verify Client Certificate option in the RELAYED mail flow policy directs the Email Security appliance to establish a TLS connection to the user s mail application if the client certificate is valid. If you select this option for the TLS Preferred setting, the appliance still allows a non-tls connection if the user doesn t have a certificate, but rejects a connection if the user has an invalid certificate. For the TLS Required setting, selecting this option requires the user to have a valid certificate in order for the appliance to allow the connection. To authenticate a user s SMTP session with a client certificate, select the following settings: TLS - Required Verify Client Certificate Require SMTP Authentication 5

Updating a List of Revoked Certificates Authenticating SMTP Sessions Using Client Certificates Note Although SMTP authentication is required, the Email Security appliance will not use the SMTP authentication LDAP query because it is using certificate authentication. To authenticate a user s SMTP session using the SMTP authentication query instead of a client certificate, select the following settings for the RELAYED mail flow policy: TLS - Required Require SMTP Authentication If you require the Email Security appliance to ask for a client certificate from certain users while allowing LDAP-based SMTP authentication from others, select the following settings for the RELAYED mail flow policy: TLS - Preferred Require SMTP Authentication Require TLS to Offer SMTP Authentication Updating a List of Revoked Certificates The Email Security appliance checks a list of revoked certificates (called a Certificate Revocation List) as part of its certificate verification to make sure that the user s certificate hasn t been revoked. You keep an up-to-date version of this list on a server and the Email Security appliance downloads it on a schedule that you create. Go to Network > CRL Sources. Enable CRL checking for SMTP TLS connections: a) Click Edit Settings under Global Settings. b) (Optional) Select the Global Settings checkbox if you want to select all options: CRL check for inbound SMTP TLS. CRL check for outbound SMTP TLS CRL Check for Web Interface c) Select the checkbox for either CRL check for inbound SMTP TLS, CRL check for outbound SMTP TLS or CRL Check for Web Interface options. 6

Authenticating SMTP Sessions Using Client Certificates Authenticating a User s SMTP Session With a Client Certificate Step 7 Step 8 Step 9 0 d) Submit your change. Click Add CRL Source. Enter a name for the CRL source. Select the file type. This can be either ASN.1 or PEM. Enter the URL for the primary source for the file, including the filename. For example, https://crl.example.com/certs.crl Optionally, enter the URL for a secondary source in case the appliance cannot contact the primary source. Specify a schedule for downloading the CRL source. Enable the CRL source. Authenticating a User s SMTP Session With a Client Certificate Go to System Administration > LDAP to configure an LDAP server profile.s Define a certificate query for the LDAP profile. a) Enter the query name. b) Choose the certificate fields to authenticate, such as the serial number and common name. c) Enter the query string. For example, (&(caccn={cn})(cacserial={sn})). d) Enter the user ID field, such as uid. e) Submit your changes. Go to Network > SMTP Authentication to configure a Certificate SMTP authentication profile. a) Enter the profile name. b) Select the certificate LDAP query you want to use. c) Do not select the option to allow the SMTP AUTH command if a client certificate is not available. d) Submit your changes. Go to Network > Listeners to configure a listener to use the certificate SMTP authentication profile that you created. Modify the RELAYED mail flow policy to require TLS and a client certificate, as well as require SMTP authentication. Note Although SMTP authentication is required, the Email Security appliance will not use the SMTP AUTH command because it is using certificate authentication. The Email Security appliance will require a client certificate from the mail application to authenticate the user. 7

Authenticating a User s SMTP Session with the SMTP AUTH Command Authenticating SMTP Sessions Using Client Certificates Authenticating a User s SMTP Session with the SMTP AUTH Command The Email Security appliance can use the SMTP AUTH command to authenticate a user s SMTP session instead of a client certificate. If you user is not allowed to use SMTP AUTH for their connection, you can select whether the appliance rejects the connection or temporarily allows it while logging all activity. Go to System Administration > LDAP to configure an LDAP server profile. Define an SMTP authentication query for the LDAP profile. a) Enter the query name. b) Enter the query string. For example, (uid={u}). c) Select LDAP Bind for the authentication method. d) Enter an allowance query string. For example, (&(uid={u})( (!(caccn=*))(cacexempt=*)(cacemergency>={t}))). e) Submit your changes. Go to Network > SMTP Authentication to configure an LDAP SMTP authentication profile. a) Enter the profile name. b) Select the SMTP authentication LDAP query you want to use. c) Select the Check with LDAP if user is allowed to use SMTP AUTH Command and choose to monitor and report the user s activity. d) Submit your changes. Go to Network > Listeners to configure a listener to use the LDAP SMTP authentication profile that you created. Modify the RELAYED mail flow policy to require TLS and SMTP authentication. Authenticating a User s SMTP Session with Either a Client Certificate or SMTP AUTH This configuration requires the Email Security appliance to ask for a client certificate from users with a client certificate while allowing SMTP AUTH for users without one, or who cannot use one for sending email. Any attempt to use the SMTP AUTH command by a user who is not allowed will be prohibited. Go to System Administration > LDAP to configure an LDAP server profile. Define an SMTP authentication query for the profile. a) Enter the query name. b) Enter the query string. For example, (uid={u}). c) Select LDAP Bind for the authentication method. d) Enter an allowance query string. For example, (&(uid={u})( (!(caccn=*))(cacexempt=*)(cacemergency>={t}))). Define a certificate query for the LDAP profile. a) Enter the query name. 8

Authenticating SMTP Sessions Using Client Certificates Authenticating a User s SMTP Session with Either a Client Certificate or SMTP AUTH b) Choose the client certificate fields to authenticate, such as the serial number and common name. c) Enter the query string. For example, (&(caccn={cn})(cacserial={sn})). d) Enter the user ID field, such as uid. e) Submit your changes. Step 7 Go to Network > SMTP Authentication to configure an LDAP SMTP authentication profile. a) Enter the profile name. b) Select the SMTP authentication LDAP query you want to use. c) Select the Check with LDAP if user is allowed to use SMTP AUTH Command and choose to reject the connection. d) Enter a custom SMTP AUTH response. For example, 525, Dear user, please use your CAC to send email. e) Submit your changes. Configure a Certificate SMTP authentication profile. a) Enter the profile name. b) Select the certificate LDAP query you want to use. c) Select the option to allow the SMTP AUTH command if a client certificate is not available. d) Select your LDAP SMTP authentication profile for the appliance to use if the user does not have a client certificate. e) Submit your changes. Go to Network > Listeners to configure a listener to use the certificate SMTP authentication profile you created. Modify the RELAYED mail flow policy to select the following options: TLS Preferred SMTP authentication required Require TLS for SMTP Authentication Step 8 9

Authenticating a User s SMTP Session with Either a Client Certificate or SMTP AUTH Authenticating SMTP Sessions Using Client Certificates 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information