The IP Shield, located under the Security » Security Settings » Sender Authentication menu, is a list of domain names and matching IP addresses that will be checked during the MAIL From command during the SMTP session. An SMTP session claiming to be from someone at one of the listed domains will be honored only if it is coming from one of the associated IP addresses. For example, suppose your domain name is example.com and your local LAN computers use IP addresses in the range from 192.168.0.0 to 192.168.0.255. With this information you can setup the IP Shield to associate the domain name example.com with the IP address range 192.168.0.* (wildcards are allowed). Thus anytime a computer connects to your SMTP server and states, "MAIL FROM <someone@example.com>", the SMTP session will continue only if the connecting computer has an IP address within the required range from 192.168.0.0 to 192.168.0.255.
Enable IP Shield
Clear this checkbox if you wish to disable the IP Shield. The IP Shield is enabled by default.
Domain name
Enter the domain name that you wish to associate with a specific IP address range. You can also use the $LOCALDOMAIN$ macro to cover all local domains (including gateways). If you use this macro it will not be necessary to keep the IP Shield up to date when local domains or gateways change. By default, entries are added to the IP Shield associating all reserved IP address ranges with $LOCALDOMAIN$.
IP address
Enter the IP address that you wish to associate with a domain name. You must enter this address in dotted decimal form.
Add
Click the Add button to add the domain and IP address range to the listing.
Remove
Click this button to remove the selected entries from the listing.
Do not apply IP Shield to messages sent to valid local users
Click this option if you want only those messages that are destined for a non-local user or invalid local user to be checked for a domain/IP match. This will prevent others from posing as one of your local users in order to relay their mail through your server, but it will save resources by not checking messages that are addressed to your users. If you enable both this option and the IP Shield honors aliases option below, messages to valid aliases will be accepted as well.
Do not apply IP Shield to authenticated sessions
When this control is active, the IP Shield restrictions will not apply to authenticated users. Mail will be accepted from an authenticated user regardless of the IP address from which he or she connects. Further, when a user doesn't authenticate and access is refused, the message returned to the SMTP client will be "Authentication required" in order to give the user a clue that he can fix the problem by configuring the mail client to use authentication before sending a message. This option is enabled by default.
Do not apply IP Shield to Trusted IPs
When this control is active, the IP Shield will not be applied when the connection is from a Trusted IP address. This option is enabled by default.
IP Shield honors aliases
Enable this option if you want the IP Shield to honor address aliases when checking domain/IP address shields. The IP Shield will translate an alias to the true account to which it points and thus honor it if it passes the shield. Without this option enabled, the IP Shield will treat each alias as if it is an address independent of the account that it represents. Thus, if an alias' IP address violates an IP Shield then the message will be refused. This option is mirrored on the Settings screen of Aliases — changing the setting here will be reflected there.
If you want incoming messages that are addressed to valid aliases to be exempt from IP Shielding then click both this option and the Do not apply IP Shield to messages sent to valid local users option above.
Check FROM header address against IP Shield
Check this box if you want the IP Shield to compare the address taken from the message's FROM header in addition to that taken from the SMTP MAIL value. This option is disabled by default.
Using this option could cause problems with certain types of messages, such as those coming from mailing lists. It should therefore be enabled only if you are sure you need it. |