Simple Security: A GroupWise/SMTP Connection
Getting Internet email to your LAN in a secure way does not imply the existence of a TCP/IP firewall. In fact, if you run another protocol on your LAN, such as IPX/SPX or VINES, it is possible to use a translating gateway as a "mail courier" so that only mail protocols are dispatched. This effectively leaves the rest of your network secure -- even if you use TCP/IP on your LAN.
Imagine two couriers exchanging top-secret packages. Ideally, as the manager of the courier agency, you would want these couriers to speak different languages, so that all they could do is exchange packages, not communicate in any other way.
This method can be a good one if you don't have funds for a firewall, the expertise to build one yourself, or even if you're suspicious of the complexity of a firewall. As Cheswick and Bellovin observe in Firewalls and Internet Security (Addison Wesley, 1994): "All programs are buggy. ... Large programs are even buggier than their size would indicate. ... A security relevant program has security bugs. ... Exposed machines should run as few programs as possible; the ones that are run should be as small [and simple] as possible."
Using a small and simple application gateway is certainly a much better choice than plugging your mission-critical TCP/IP network into the Internet. For example, our outside-world Web server has no business being on our LAN; instead, it is on our Internet segment, and it will
We use WordPerfect Office's (now Novell's GroupWise) SMTP (Simple Mail Transfer Protocol) Gateway product as our mail gateway. It is configurable to run SPX/IPX on one interface and TCP/IP on the other, effectively rendering routing of packets between the internal and external networks impossible. The internal daemon software passes mail arriving on TCP/IP's socket 25 (mail) through its internal parser, and out the other end as its own proprietary format. The GroupWise product talks to other SMTP gateways (see Figure 1).
Again, only mail is handled by this gateway. To do anything else, you have to get another type of gateway or install a firewall. Other types of gateways, such as NOV*IX for NetWare, handle a similar function for other services (web clients, etc.). The nice thing about this setup is that even if the gateway is compromised through a software bug or malicious activity, the only likely danger is bogus mail -- annoying but hardly dangerous.
We purchased a copy of the WordPerfect Office SMTP Gateway, to be installed on a standalone PC. We salvaged an IBM running at 16MHz, with 4Mb of memory. To prepare it for installation, we installed the requisite two network cards: one Pronet 10 card (a proprietary 10Mb token-ring technology) and one IBM 16Mb Token-Ring card. No hard drive was required because we planned to run most of the drivers, daemons, and programs off the Novell fileserver.
The TCP/IP software we used with the gateway was Novell's LAN WorkPlace, which runs under Novell's ODI drivers. Because the Pronet 10 card was using a .obj (linked) version of IPX, we were a little leery of using it with the ODI drivers, but everything worked out fine. We used Novell's NETX to bootstrap the workstation, and loaded everything else (the ODI drivers and the TCP/IP) from the fileserver. (See Figure 2.)
We structured the NetWare setup as follows. The machine loads IPX and NETX from the floppy drive, and logs into the network. No password is required, so unattended reboots are possible. We used SYSCON to set a station restriction for the login, effectively limiting login to the SMTP gateway's MAC address and IPX network (don't use the MAC address of the TCP/IP card!). Additionally, we used SYSCON to add the login to the group MACHINES, typically used in our local login scripts to avoid "Press Any Key To Continue" prompts, and so forth. The only trustee rights given were access to the WordPerfect directory (e.g., F:\WPDOMAIN) and the login's home directory (mapped as the root of the H: drive).
We then set up the login's home directory. Because nobody else on the LAN needed or wanted to access the SMTP gateway's network configuration files, we put them right in this directory. This was also done for a second reason: nobody was likely to reconfigure or update these files if they were sitting in what was clearly a home directory, not a system directory.
We couldn't install LAN WorkPlace to a network drive, which was fairly aggravating. However, we worked around the problem by installing it to a hard drive, then moving it to its network home.
Don't be tempted to leave the workstation's TCP/IP software without a default router (sounds great at first: no router, nobody gets in or out, right?), or you will be in trouble once it's time to send or receive mail. Again, Figure 1 shows that running TCP/IP to this workstation/gateway's external NIC is, in fact, okay. Although pinging the Internet from a workstation connected to your LAN is somewhat terrifying, remember that this is a workstation, not a router or a server. And, although TCP/IP must not be loaded or bound to the internal LAN card, it is right and proper for it to work on the external one.
Once the gateway had the protocols working on each card, we installed the mail translation (gateway/daemon) software. We were pleased to discover that the WPO SMTP gateway installed just fine to a network drive. It does, however, want to reside beneath the primary WPO Domain directory. In our case, this was F:\WPDOMAIN, so we installed it to F:\WPDOMAIN\SMTP40. The installation program was quick.
Before we fired up the gateway, however, the WordPerfect Office Administration program (ad.exe) needed to be told about the new gateway so that it could update all of its distributed databases. Through its menus, we created a new gateway in the primary domain (in our case, Chat) with the following attributes:
WP NAME: SMTP
FOREIGN NAME: wpo.co.chatham.ga.us
GATEWAY ALIAS TYPE: SMTP
We set the Administrator accounts to point to the appropriate userids. WPO allows you to use different WPO accounts for Postmaster, Operator, and Accountant. Postmaster, as you would expect, is the account that deals with external gateways, inquiries, and some bounced mail. Operator gets notified when "hard errors" occur, such as gateways or networks going down, and Accountant receives daily accounting reports.
We exited the ad.exe program, wrote an smtp.bat script, set up the SMTP user's login script (Figure 3) to call the batch file at bootup, and rebooted the gateway. For particulars on the external interface's TCP/IP, see Figure 4.
Amazingly enough, everything worked the first time! Well, everything worked the second time, once we realized that we had forgotten to add the gateway machine to our DNS (Internet Domain Name Services) database. Once the DNS was rebuilt, test mail sent from a workstation on our LAN to my buddy Jim at his Internet address went through.
But our amazement was short-lived. That method of writing addresses gets old very quickly. And we could just imagine the support calls from the various users of WordPerfect Office: "How many parentheses? Do the quotes go on the outside or on the inside? Which comes first, CHAT or SMTP? What's this SMTP thingy anyway? I thought we had Internet mail!"
Fortunately, WPO is easily configurable and supports "passthrough addressing." Using the ad.exe program, we created a new domain, with a TYPE of "Foreign," and a DOMAIN NAME of "Internet." Then we edited our primary domain, Chat, to link it to our new SMTP gateway. We selected "Message Server Configuration," then "Network Links." At the Domain Connections dialog box, we selected the new domain that we had made, "Internet," and chose "Edit Link." At the "How" dialog, we chose "Gateway," then "SMTP." At first, I made the mistake of assuming that this would propagate throughout the subdomains. Not so. You must do this for all of your subdomains.
After reconfiguring, I could send mail to Jim with the new passthrough address.
Once the process of outgoing mail was sound and simple to use, we examined the refinement of incoming mail. Mail from the outside to a user's WPO address would work just fine unless the user had special characters in their name. Unfortunately for us, most of our users do in fact have what the SMTP gateway considers to be "special characters," that is, underscores. For example, our WPO administrator initially set my userid to J_FELDMAN. This means that external users have to send mail to J#U#FELDMAN@wpo.co.chatham.ga.us. The WPO gateway treats the pound sign (#) similarly. A few frustrating phone calls with vendors, spelling out our usernames, convinced us that this method was not going to work.
Fortunately, WPO also supports "Native SMTP Gateway Aliases." From the ad.exe program, we selected the domain to which the user belonged, hit Enter on the user's name to edit that user, and clicked "Gateway Aliases" in the Edit User dialog box. From the Gateway Aliases dialog box, we created a new alias with type SMTP. We entered the user's alias at the "Native Gateway Address." For example, for myself, I chose the domain CHAT, the user J_FELDMAN, and entered "jonathan" for the Native Gateway Address.
You can also define aliases to the SMTP Gateway, which allows you to define system-wide aliases for external addresses. For example, we include aliases for the City of Savannah. Simply edit the SMTP gateway object in the ad.exe program, and create a user. Name it whatever you want the system-wide alias to be. You can add other fields, such as phone number or job title, that users of the WPO system can see. Then, select "Gateway Alias." Select "Create." Select a type of SMTP, then enter the external user's Internet address. For example, for Jim, I would create a user in the SMTP gateway object called "Jimbo," with a Gateway alias type of "SMTP" and a Native Gateway alias of Jim's Internet address.
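As an added example (not code from the article, nor from the WordPerfect Office/GroupWise product), here is the underscore escaping and native-alias lookup described above, modelled in Python; the alias table, the primary-domain default and case-insensitive matching are assumptions:

```python
# Added example (not the article's or Novell's code) modelling the article's
# address handling. Constructed table: the article's native alias "jonathan"
# for domain CHAT, user J_FELDMAN. Lookups are case-insensitive (assumption).
NATIVE_ALIASES = {"jonathan": ("CHAT", "J_FELDMAN")}
PRIMARY_DOMAIN = "CHAT"  # assumption: unaliased users live in the primary domain
HOST = "wpo.co.chatham.ga.us"  # the gateway's FOREIGN NAME from the article

def encode_wpo_user(user):
    """Underscore is a 'special character' to the gateway; it is written as
    the escape #U#, so J_FELDMAN is exposed as J#U#FELDMAN."""
    return user.replace("_", "#U#")

def decode_gateway_local_part(local):
    """Reverse the #U# escape. The article says '#' is escaped 'similarly'
    but not how, so any other #..# sequence is rejected rather than guessed."""
    out, i = [], 0
    while i < len(local):
        if local[i] == "#":
            if local.startswith("#U#", i):
                out.append("_")
                i += 3
                continue
            raise ValueError("unsupported gateway escape in %r" % local)
        out.append(local[i])
        i += 1
    return "".join(out)

def is_valid_gateway_local_part(local):
    """True when the local part decodes cleanly; check before accepting mail."""
    try:
        decode_gateway_local_part(local)
        return True
    except ValueError:
        return False

def resolve_inbound(local):
    """Inbound: a native alias wins; otherwise decode the escaped WPO userid."""
    key = local.lower()
    if key in NATIVE_ALIASES:
        return NATIVE_ALIASES[key]
    return (PRIMARY_DOMAIN, decode_gateway_local_part(local).upper())

def external_address(user):
    """Address outsiders must use: the native alias if one exists, else the
    escaped userid (the form that had to be spelled out over the phone)."""
    for alias, (_dom, wpo_user) in NATIVE_ALIASES.items():
        if wpo_user == user.upper():
            return "%s@%s" % (alias, HOST)
    return "%s@%s" % (encode_wpo_user(user), HOST)
```

Rejecting unknown escapes rather than guessing at them is the safe default for anything parsing addresses on the exposed side of the gateway.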
Since we implemented this system, another department, not on our LAN but connected to the Internet, has jumped aboard the bandwagon and has implemented the freeware "Mercury/Pegasus" system for NetWare. This functions very much like the WPO gateway. Now, although we use totally incompatible NetWare email systems, through the common ground of the Internet we can exchange mail. Both Pegasus and WordPerfect Office have automatic uuencoding of binary attachments, so we can exchange files in addition to our little missives. This capability has helped not only with phone tag to this remote site, but with various other efforts as well.
About the Author
Jonathan Feldman works with UNIX and NetWare at the Chatham County Government in Savannah, Georgia. He likes to keep things simple so that even he can understand them. When he is not chasing around with his 18-month-old son, he likes to write, grow roses with his lovely wife, and play guitar with his bare feet. He is reachable via email at