E-Mail Proxy

E-mail proxies extend remote e-mail capability to users of Clientless SSL VPN. When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol.

The e-mail proxy protocols are as follows:

POP3S

POP3S is one of the e-mail proxies Clientless SSL VPN supports. By default the Security Appliance listens to port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the POP3 protocol starts, and then authentication occurs. POP3S is for receiving e-mail.

IMAP4S

IMAP4S is one of the e-mail proxies Clientless SSL VPN supports. By default the Security Appliance listens to port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the IMAP4 protocol starts, and then authentication occurs. IMAP4S is for receiving e-mail.

SMTPS

SMTPS is one of the e-mail proxies Clientless SSL VPN supports. By default, the Security Appliance listens to port 988, and connections automatically are allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel establishes, the SMTPS protocol starts, and then authentication occurs. SMTPS is for sending e-mail.

Configuring E-Mail Proxy

Configuring e-mail proxy on the consists of the following tasks:

  • Enabling e-Mail proxy on interfaces.
  • Configuring e-mail proxy default servers.
  • Setting AAA server groups and a default group policy.
  • Configuring delimiters.

Configuring E-mail proxy also has these requirements:

  • Users who access e-mail from both local and remote locations via e-mail proxy require separate e-mail accounts on their e-mail program for local and remote access.
  • E-mail proxy sessions require that the user authenticate.

AAA

Configuration > Features > VPN > E-mail Proxy > AAA

This panel has three tabs:

POP3S Tab

Configuration > Features > VPN > E-mail Proxy > AAA > POP3S Tab

The POP3S AAA panel associates AAA server groups and configures the default group policy for POP3S sessions.

Fields

  • AAA server groups—Click to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups.
  • group policies—Click to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies.
  • Authentication Server Group—Select the authentication server group for POP3S user authentication. The default is to have no authentication servers configured. If you have set AAA as the authentication method for POP3S (Configuration > Features AAA > VPN > E-Mail Proxy > Authentication panel), you must configure an AAA server and select it here, or authentication always fails.
  • Authorization Server Group—Select the authorization server group for POP3S user authorization. The default is to have no authorization servers configured.
  • Accounting Server Group—Select the accounting server group for POP3S user accounting. The default is to have no accounting servers configured.
  • Default Group Policy—Select the group policy to apply to POP3S users when AAA does not return a CLASSID attribute. The length must be between 4 and 15 alphanumeric characters. If you do not specify a default group policy, and there is no CLASSID, the ASA can not establish the session.
  • Authorization Settings—Lets you set values for usernames that the ASA recognizes for POP3S authorization. This applies to POP3S users that authenticate with digital certificates and require LDAP or RADIUS authorization.

User the entire DN as the username—Select to use the Distinguished Name for POP3S authorization.

Specify individual DN fields as the username—Select to specify specific DN fields for user authorization.

You can choose two DN fields, primary and secondary. For example, if you choose EA, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com. If you choose EA and O, John Does must authenticate as johndoe@cisco.com and Cisco Systems, Inc.

Primary DN Field—Select the primary DN field you want to configure for POP3S authorization. The default is CN. Options include the following:

DN Field
Definition

Country (C)

The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Common Name (CN)

The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

DN Qualifier (DNQ)

A specific DN attribute.

E-mail Address (EA)

The e-mail address of the person, system or entity that owns the certificate.

Generational Qualifier (GENQ)

A generational qualifier such as Jr., Sr., or III.

Given Name (GN)

The first name of the certificate owner.

Initials (I)

The first letters of each part of the certificate owner’s name.

Locality (L)

The city or town where the organization is located.

Name (N)

The name of the certificate owner.

Organization (O)

The name of the company, institution, agency, association, or other entity.

Organizational Unit (OU)

The subgroup within the organization.

Serial Number (SER)

The serial number of the certificate.

Surname (SN)

The family name or last name of the certificate owner.

State/Province (S/P)

The state or province where the organization is located.

Title (T)

The title of the certificate owner, such as Dr.

User ID (UID)

The identification number of the certificate owner.

Secondary DN Field—(Optional) Select the secondary DN field you want to configure for POP3S authorization. The default is OU. Options include all of those in the preceding table, with the addition of None, which you select if you do not want to include a secondary field.

IMAP4S Tab

Configuration > Features > VPN > E-mail Proxy > AAA > IMAP4S Tab

The IMAP4S AAA panel associates AAA server groups and configures the default group policy for IMAP4S sessions.

Fields

  • AAA server groups—Click to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups.
  • group policy—Click to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies.
  • Authentication Server Group—Select the authentication server group for IMAP4S user authentication. The default is to have no authentication servers configured. If you have set AAA as the authentication method for IMAP4S (Configuration > Features AAA > VPN > E-Mail Proxy > Authentication panel), you must configure an AAA server and select it here, or authentication always fails.
  • Authorization Server Group—Select the authorization server group for IMAP4S user authorization. The default is to have no authorization servers configured.
  • Accounting Server Group—Select the accounting server group for IMAP4S user accounting. The default is to have no accounting servers configured.
  • Default Group Policy—Select the group policy to apply to IMAP4S users when AAA does not return a CLASSID attribute. If you do not specify a default group policy, and there is no CLASSID, the ASA can not establish the session.
  • Authorization Settings—Lets you set values for usernames that the ASA recognizes for IMAP4S authorization. This applies to IMAP4S users that authenticate with digital certificates and require LDAP or RADIUS authorization.

User the entire DN as the username—Select to use the fully qualified domain name for IMAP4S authorization.

Specify individual DN fields as the username—Select to specify specific DN fields for user authorization.

You can choose two DN fields, primary and secondary. For example, if you choose EA, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com. If you choose EA and O, John Does must authenticate as johndoe@cisco.com and Cisco. Systems, Inc.

Primary DN Field —Select the primary DN field you want to configure for IMAP4S authorization. The default is CN. Options include the following:

DN Field
Definition

Country (C)

The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Common Name (CN)

The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

DN Qualifier (DNQ)

A specific DN attribute.

E-mail Address (EA)

The e-mail address of the person, system or entity that owns the certificate.

Generational Qualifier (GENQ)

A generational qualifier such as Jr., Sr., or III.

Given Name (GN)

The first name of the certificate owner.

Initials (I)

The first letters of each part of the certificate owner’s name.

Locality (L)

The city or town where the organization is located.

Name (N)

The name of the certificate owner.

Organization (O)

The name of the company, institution, agency, association, or other entity.

Organizational Unit (OU)

The subgroup within the organization.

Serial Number (SER)

The serial number of the certificate.

Surname (SN)

The family name or last name of the certificate owner.

State/Province (S/P)

The state or province where the organization is located.

Title (T)

The title of the certificate owner, such as Dr.

User ID (UID)

The identification number of the certificate owner.

Secondary DN Field—(Optional) Select the secondary DN field you want to configure for IMAP4S authorization. The default is OU. Options include all of those in the preceding table, with the addition of None, which you select if you do not want to include a secondary field.

SMTPS Tab

Configuration > Features > VPN > E-mail Proxy > AAA > SMTPS Tab

The SMTPS AAA panel associates AAA server groups and configures the default group policy for SMTPS sessions.

Fields

  • AAA server groups—Click to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups.
  • group policy—Click to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies.
  • Authentication Server Group—Select the authentication server group for SMTPS user authentication. The default is to have no authentication servers configured. If you have set AAA as the authentication method for SMTPS (Configuration > Features AAA > VPN > E-Mail Proxy > Authentication panel), you must configure an AAA server and select it here, or authentication always fails.
  • Authorization Server Group—Select the authorization server group for SMTPS user authorization. The default is to have no authorization servers configured.
  • Accounting Server Group—Select the accounting server group for SMTPS user accounting. The default is to have no accounting servers configured.
  • Default Group Policy—Select the group policy to apply to SMTPS users when AAA does not return a CLASSID attribute. If you do not specify a default group policy, and there is no CLASSID, the ASA can not establish the session.
  • Authorization Settings—Lets you set values for usernames that the ASA recognizes for SMTPS authorization. This applies to SMTPS users that authenticate with digital certificates and require LDAP or RADIUS authorization.

User the entire DN as the username—Select to use the fully qualified domain name for SMTPS authorization.

Specify individual DN fields as the username—Select to specify specific DN fields for user authorization.

You can choose two DN fields, primary and secondary. For example, if you choose EA, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com. If you choose EA and O, John Does must authenticate as johndoe@cisco.com and Cisco. Systems, Inc.

Primary DN Field—Select the primary DN field you want to configure for SMTPS authorization. The default is CN. Options include the following:

DN Field
Definition

Country (C)

The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Common Name (CN)

The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

DN Qualifier (DNQ)

A specific DN attribute.

E-mail Address (EA)

The e-mail address of the person, system or entity that owns the certificate.

Generational Qualifier (GENQ)

A generational qualifier such as Jr., Sr., or III.

Given Name (GN)

The first name of the certificate owner.

Initials (I)

The first letters of each part of the certificate owner’s name.

Locality (L)

The city or town where the organization is located.

Name (N)

The name of the certificate owner.

Organization (O)

The name of the company, institution, agency, association, or other entity.

Organizational Unit (OU)

The subgroup within the organization.

Serial Number (SER)

The serial number of the certificate.

Surname (SN)

The family name or last name of the certificate owner.

State/Province (S/P)

The state or province where the organization is located.

Title (T)

The title of the certificate owner, such as Dr.

User ID (UID)

The identification number of the certificate owner.

Secondary DN Field —(Optional) Select the secondary DN field you want to configure for SMTPS authorization. The default is OU. Options include all of those in the preceding table, with the addition of None, which you select if you do not want to include a secondary field.

Access

Configuration > VPN > E-Mail Proxy > Access

The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy. You can configure and edit e-mail proxies on individual interfaces, and you can configure and edit e-mail proxies for one interface and then apply your settings to all interfaces. You cannot configure e-mail proxies for management-only interfaces, or for subinterfaces.

Fields

  • Interface—Displays the names of all configured interfaces.
  • POP3S Enabled—Shows whether POP3S is enabled for the interface.
  • IMAP4s Enabled—Shows whether IMAP4S is enabled for the interface.
  • SMTPS Enabled—Shows whether SMTPS is enabled for the interface.
  • Edit—Click to edit the e-mail proxy settings for the highlighted interface.

Edit E-Mail Proxy Access

Configuration > VPN > E-Mail Proxy > Access > Edit E-Mail Proxy Access

The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy. You can configure e-mail proxies on individual interfaces, and you can configure e-mail proxies for one interface and then apply your settings to all interfaces.

Fields

  • Interface—Displays the name of the selected interface.
  • POP3S Enabled—Select to enable POP3S for the interface.
  • IMAP4S Enabled—elect to enable IMAP4S for the interface.
  • SMTPS Enabled—Select to enable SMTPS for the interface.
  • Apply to all interface—Select to apply the settings for the current interface to all configured interfaces.

Authentication

Configuration > Features > VPN >E-mail Proxy > Authentication

This panel lets you configure authentication methods for e-mail proxy sessions.

Fields

POP3S/IMAP4S/SMTPS Authentication—Let you configure authentication methods for each of the e-mail proxy types. You can select multiple methods of authentication.

  • AAA—Select to require AAA authentication. This option requires a configured AAA server. The user presents a username, server and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.
  • Certificate—Certificate authentication does not work for e-mail proxies in the current ASA software release.
  • Piggyback HTTPS—Select to require piggyback authentication.

This authentication scheme requires a user to have already established a Clientless SSL VPN session. The user presents an e-mail username only. No password is required. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.

SMTPS e-mail most often uses piggyback authentication because most SMTP servers do not allow users to log in.

Note IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the Clientless SSL VPN connection expires, a user cannot subsequently establish a new connection. There are several solutions:

- The user can close the IMAP application to clear the sessions with the ASA, and then establish a new Clientless SSL VPN connection.
- The administrator can increase the simultaneous logins for IMAP users (Configuration > Features > VPN > General > Group Policy > Edit Group Policy > General).
- Disable HTTPS/Piggyback authentication for e-mail proxy.

  • Mailhost—(SMTPS only) Select to require mailhost authentication. This option appears for SMTPS only because POP3S and IMAP4S always perform mailhost authentication. It requires the user’s e-mail username, server and password.

Default Servers

Configuration > Features > VPN > E-mail Proxy > Default Servers

This panel lets you identify proxy servers to the ASA. Enter the IP address and port of the appropriate proxy server.

Fields

  • POP3S/IMAP4S/SMTPS Default Server—Let you configure a default server, port and non-authenticated session limit for e-mail proxies.
  • Name or IP Address—Type the DNS name or IP address for the default e-mail proxy server.
  • Port—Type the port number on which the ASA listens for e-mail proxy traffic. Connections are automatically allowed to the configured port. The e-mail proxy allows only SSL connections on this port. After the SSL tunnel establishes, the e-mail proxy starts, and then authentication occurs.

For POP3s the default port is 995, for IMAP4S it is 993, and for SMTPS it is 988.

  • Enable non-authenticated session limit—Select to restrict the number of non-authenticated e-mail proxy sessions.

E-mail proxy connections have three states:

1. A new e-mail connection enters the “unauthenticated” state.

2. When the connection presents a username, it enters the “authenticating” state.

3. When the ASA authenticates the connection, it enters the “authenticated” state.

This feature lets you set a limit for sessions in the process of authenticating, thereby preventing DOS attacks. When a new session exceeds the set limit, the ASA terminates the oldest non-authenticating connection. If there are no non-authenticating connections, the oldest authenticating connection is terminated. The does not terminate authenticated sessions.

Delimiters

Configuration > Features > VPN > E-mail Proxy > Delimiters

 

This panel lets you configure username/password delimiters and server delimiters for e-mail proxy authentication.

Fields

  • POP3S/IMAP4S/SMTPS Delimiters—Let you configure username/password and server delimiters for each of the e-mail proxies.

Username/Password Delimiter—Select a delimiter to separate the VPN username from the e-mail username. Users need both usernames when using AAA authentication for e-mail proxy and the VPN username and e-mail username are different. Users enter both usernames, separated by the delimiter you configure here, and also the e-mail server name, when they log in to an e-mail proxy session.

Note Passwords for Clientless SSL VPN e-mail proxy users cannot contain characters that are used as delimiters.

Server Delimiter—Select a delimiter to separate the username from the name of the e-mail server. It must be different from the VPN Name Delimiter. Users enter both their username and server in the username field when they log in to an e-mail proxy session.

For example, using : as the VPN Name Delimiter and @ as the Server Delimiter, when logging in to an e-mail program via e-mail proxy, the user would enter their username in the following format: vpn_username:e-mail_username@server.