Cover V05, I02

Simple Security: A GroupWise/SMTP Connection

Jonathan Feldman

Getting Internet email to your LAN in a secure way does not necessarily imply the existence of a TCP/IP firewall. In fact, if you run another protocol on your LAN, such as IPX/SPX or VINES, it is possible to use a translating gateway as a "mail courier" so that only mail protocols are dispatched. This effectively leaves the rest of your network secure -- even if you use TCP/IP on your LAN.

Imagine two couriers exchanging top-secret packages. Ideally, as the manager of the courier agency, you would want these couriers to speak different languages, so that all they could do is exchange packages and not communicate in any other way.

This method can be a good one if you lack the funds for a firewall or the expertise to build one yourself, or even if you're simply suspicious of a firewall's complexity. As Cheswick and Bellovin observe in Firewalls and Internet Security (Addison-Wesley, 1994): "All programs are buggy. . . . Large programs are even buggier than their size would indicate. . . . A security relevant program has security bugs. . . . Exposed machines should run as few programs as possible; the ones that are run should be as small [and simple] as possible."

Using a small and simple application gateway is certainly a much better choice than plugging your mission-critical TCP/IP network into the Internet. For example, our outside-world Web server has no business being on our LAN; instead, it is on our Internet segment, and it will stay there.

We use WordPerfect Office's (now Novell's GroupWise) SMTP (Simple Mail Transfer Protocol) Gateway product as our mail gateway. It is configurable to run SPX/IPX on one interface and TCP/IP on another, effectively rendering routing of packets between the internal and external networks impossible. The daemon software takes mail arriving on TCP port 25 (SMTP), runs it through its internal parser, and emits it on the other side in its own proprietary format. The GroupWise product works similarly to other SMTP gateways (see Figure 1).

Again, only mail is handled by this gateway. To do anything else, you have to get another type of gateway or install a firewall. (Other types of gateways, such as NOV*IX for NetWare, handle a similar procedure for web clients, etc.) The nice thing about this setup is that even if the gateway is compromised through a software bug or malicious design, the only likely danger is bogus mail -- annoying but hardly threatening.

Implementation

We purchased a copy of the WordPerfect Office SMTP Gateway, which needed to be installed on a standalone PC. We salvaged an IBM PS/2 80386 running at 16MHz, with 4MB of memory. To prepare it for the installation, we installed the requisite two network cards: one Pronet 10 card (a proprietary 10Mb/s token-ring technology) and one IBM 16Mb/s Token-Ring card. No hard drive was required because we planned to run most of the drivers, daemons, and programs off the Novell fileserver.

The TCP/IP software we used with the gateway was Novell's LanWorkplace, which runs under Novell's ODI drivers. Because the Pronet 10 card was using a .obj (linked) version of IPX, we were a little leery of using it with the ODI drivers, but everything worked out fine. We used Novell's NETX to bootstrap the workstation, and loaded everything else (including the ODI drivers and the TCP/IP) from the fileserver. (See Figure 2 for boot sequence.)

We structured the NetWare setup as follows. The machine loads IPX and NETX from the floppy drive, and logs into the network. No password is required, so unattended reboots are possible. We used SYSCON to set a station restriction for the login, effectively limiting the no-password login to the SMTP gateway's MAC address and IPX network number. (Don't use the MAC address of the TCP/IP card!) Additionally, we used SYSCON to add the login to the group MACHINES, which our local login scripts use to skip "Press Any Key To Continue" prompts and the like. The only trustee rights given were access to the WordPerfect Office Domain directory (e.g., F:\WPDOMAIN) and the login's home directory (which we mapped as the root of the H: drive).

We then set up the login's home directory. Because nobody else on the LAN needed or wanted to access the SMTP gateway's network drivers, we put them right in this directory. This was also done for security reasons; nobody was likely to reconfigure or update these files if they were sitting in what was clearly a home directory, not a public repository.

We couldn't install LAN WorkPlace to a network drive, which was fairly aggravating. However, we worked around the problem by installing it to a hard drive, then moving it to its network home.

Don't be tempted to withhold a default router from the workstation's TCP/IP software (it sounds great at first: no router, nobody gets in or out, right?), or you will be in trouble once it's time to send or receive mail. Again, Figure 1 shows that running TCP/IP to this workstation/gateway's external NIC is, in fact, okay and necessary. Although pinging the Internet from a workstation connected to your LAN is somewhat terrifying, remember that this is a workstation, not a router or a server. And, although TCP/IP must not be loaded or bound to the internal LAN card, it is right and proper for it to work on the external card.

Once the gateway had the protocols working on each card, we installed the mail translation (gateway/daemon) software. We were gratified to discover that the WPO SMTP gateway installed just fine to a network drive. It does, however, want to reside beneath the primary WPO Domain directory. In our case, this was F:\WPDOMAIN, so we installed it to F:\WPDOMAIN\SMTP40. The installation program was quick and painless.

Before we fired up the gateway, however, the WordPerfect Office Administration program (ad.exe) needed to be told about the new gateway so that it could update all of its distributed databases. Using the menus, we created a new gateway in the primary domain (in our case, Chat) with the following attributes:

DOMAIN: Chat
WP NAME: SMTP
FOREIGN NAME: wpo.co.chatham.ga.us
DIRECTORY: SMTP40
GATEWAY ALIAS TYPE: SMTP

We set the Administrator accounts to point to the appropriate WPO userids. WPO allows you to use different WPO accounts for Postmaster, Operator, and Accountant. Postmaster, as you would expect, is the account that deals with external gateways, inquiries, and some bounced mail. Operator gets notified when "hard errors" occur, such as gateways or networks going down, and Accountant receives daily notification of message statistics.

We exited the ad.exe program, wrote an smtp.bat script, modified the SMTP user's login script (Figure 3) to call the batch program upon bootup, and rebooted the gateway. For particulars on the external interface's TCP/IP, see Figure 4.

Amazingly enough, everything worked the first time! Well, okay, everything worked the second time, once we realized that we had forgotten to add the gateway machine to our DNS (Internet Domain Name Services) database. Once the DNS was rebuilt, test mail sent from a workstation on our LAN to my buddy Jim at chat.smtp:("jreich@decbert.ece.cmu.edu") actually got there!

But our amazement was short-lived. That method of writing email addresses gets old very quickly. And we could just imagine fielding the support calls from the various users of WordPerfect Office: "How many parentheses? Do the quotes go on the outside or on the inside? Which comes first, CHAT or SMTP? What's this SMTP thingy anyway? I thought we had Internet mail!"

Refinement

Fortunately, WPO is easily configurable and supports "simplified passthrough addressing." Using the ad.exe program, we created a new domain, with a TYPE of "Foreign," and a DOMAIN NAME of "Internet." Then we edited our primary domain, Chat, to link it to our new SMTP gateway.

We selected "Message Server Configuration," then "Network Links." At the Domain Connections dialog box, we selected the new domain that we had made, "Internet," and chose "Edit Link." At the "How" dialog, we chose "Gateway," then "SMTP." At first, I made the mistake of assuming that this would propagate throughout the subdomains. Not so. You must do this for all of your subdomains.

After reconfiguring, I could send mail to Jim with the address:

Internet: jreich@decbert.ece.cmu.edu

Once the process of outgoing mail was sound and simple to use, we examined the refinement of incoming mail. Mail from the outside to:

user@wpo.co.chatham.ga.us

would work just fine unless the user had special characters in his/her name. Unfortunately for us, most of our users do in fact have what the SMTP gateway considers to be "special characters," that is, underscores. For example, our WPO administrator initially set my username as J_FELDMAN. This means that external users have to send mail to J#U#FELDMAN@wpo.co.chatham.ga.us. The WPO gateway treats number signs (#) similarly. A few frustrating phone calls with vendors, trying to spell out our usernames, convinced us that this method was not going to work.

Fortunately, WPO also supports "Native SMTP Gateway Aliases." From the ad.exe program, we selected the domain to which the user belonged, hit Enter on the user's name to edit that user, and clicked on "Gateway Aliases" in the Edit User dialog box. From the Gateway dialog box, we created a new alias with type SMTP. We entered the user's external alias at the "Native Gateway Address." For example, for myself, I chose the domain CHAT, the user J_FELDMAN, and entered "jonathan" for the Native Gateway Address.

You can also define aliases on the SMTP Gateway itself, which allows you to define system-wide aliases for external addresses. For example, we include aliases for the City of Savannah. Simply edit the SMTP gateway object in the ad.exe program, and create a user. Name this "pseudo-user" whatever you want the system-wide alias to be. You can add other fields, such as phone number or job title, that users of the WPO system can view.

Then, select "Gateway Alias." Select "Create." Select a type of SMTP, then enter the external user's Internet address. For example, for Jim, I would create a user in the SMTP gateway object called "Jimbo," with a Gateway alias type of "SMTP" and a Native Gateway alias of "jreich@decbert.ece.cmu.edu."
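The three addressing rules described above (simplified passthrough on the way out, "#U#" escaping and Native Gateway Aliases on the way in, and pseudo-user aliases on the gateway object) are modeled in this added example; it is not part of the article or of the GroupWise product. The alias tables hold the article's own names, the escape for any character other than "_" is deliberately left undefined because the article gives none, and the "Internet:" and pseudo-user input forms are assumptions.

```python
# Added example: a model of the WPO/GroupWise SMTP gateway's address mapping
# as the article describes it. Tables and hostnames come from the article;
# the handling of the outbound "Internet:" prefix is an assumption.

GATEWAY_HOST = "wpo.co.chatham.ga.us"          # FOREIGN NAME of the gateway

# WPO user ids known in the primary domain (J_FELDMAN from the article,
# POSTMASTER constructed).
WPO_USERS = {"J_FELDMAN", "POSTMASTER"}

# Native SMTP Gateway Aliases: friendly external local-part -> WPO user id
NATIVE_ALIASES = {"jonathan": "J_FELDMAN"}

# Pseudo-users created on the SMTP gateway object: system-wide alias -> address
GATEWAY_ALIASES = {"Jimbo": "jreich@decbert.ece.cmu.edu"}


def escape_local_part(user_id: str) -> str:
    """Render a WPO user id the way the gateway exposes it to the Internet.
    Only '_' -> '#U#' is documented; refuse anything else rather than guess."""
    out = []
    for ch in user_id:
        if ch == "_":
            out.append("#U#")
        elif ch.isalnum():
            out.append(ch)
        else:
            raise ValueError(f"no documented gateway escape for {ch!r}")
    return "".join(out)


def resolve_inbound(address: str):
    """Map an Internet address aimed at the gateway to a WPO user id, or None.
    Aliases win; otherwise the escaped form is decoded and must match a user.
    Mail for any other host is not ours and is refused (no relaying)."""
    local, _, host = address.partition("@")
    if host.lower() != GATEWAY_HOST:
        return None
    if local in NATIVE_ALIASES:
        return NATIVE_ALIASES[local]
    user = local.replace("#U#", "_").upper()
    return user if user in WPO_USERS else None


def resolve_outbound(wpo_address: str):
    """Turn a WPO-side recipient into the Internet address the gateway uses:
    either a gateway pseudo-user alias or a simplified passthrough address."""
    if wpo_address in GATEWAY_ALIASES:
        return GATEWAY_ALIASES[wpo_address]
    prefix, sep, rest = wpo_address.partition(":")
    if sep and prefix.strip().lower() == "internet":
        return rest.strip()
    return None
```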

Other Applications

Since we implemented this system, another department, not on our LAN, but connected to the Internet, has jumped aboard the IPX-to-IP bandwagon, and has implemented the freeware "Mercury/Pegasus" email system for NetWare. This functions very much like the system detailed above.

Now, although we use totally incompatible NetWare email systems, we can exchange mail freely through the common ground of the Internet. Both Pegasus and WordPerfect Office automatically uuencode and uudecode binary attachments, so we can exchange files in addition to cute little missives. This capability has not only eliminated some phone tag with this remote site but also helped with various troubleshooting efforts.

About the Author

Jonathan Feldman works with UNIX and NetWare at the Chatham County Government in Savannah, Georgia. He likes to keep things simple so that even he can understand them. When he is not chasing around with his 18-month-old son, he likes to write, grow roses with his lovely wife, and play guitar with his bare feet. He is reachable via email at jonathan@co.chatham.ga.us.