
3.6 File Server

3.6.2 Group Work Areas

The group work areas are network shares that can be accessed by SMB or by NFS clients. You can create network shares in any Work Area. After creating a network share you have to define the corresponding access permissions.

When inserting a Group Work Area you first have to choose the work area where the share will be created (Figure 3.20) and fill in the following fields:

• Name: Name of the share folder. Try to avoid spaces, characters with accents and punctuation;

• Description: Share description. It’s an optional field;

• Administrator: Share administrator’s email. It’s an optional field;

• Browseable: If Yes it will appear in the server browse list. If No the share will become hidden;

• Recycle bin: Enables the use of a recycle bin;


Figure 3.17: Work Areas - Summary

• Name of the recycle bin folder: If you choose to enable the previous option, you can set in this field the folder that will be used as a recycle bin.

Two examples can be viewed at (Figure 3.21) and (Figure 3.22).

Access Permissions

After creating a Group Work Area you have to give permissions to the users so that they have access to the network share. This is done by first clicking on the share name, as shown in Figure 3.23.

There are 3 different types of permissions:

• None: No access to the share. Users have no access to open a share folder of a workstation;

• Read Only: Users have access to share folders and their files. Nevertheless, they are not allowed to change these files;

• Read/Write: Users have access to share folders and their files and are allowed to change files and save changes.

Permissions are given to individual users or user groups (Figure 3.24). User groups are defined in IPBrick.I → Group Management.

For example, in order to create a share folder for users belonging to a commercial department you have to do the following steps:

Figure 3.18: Work Areas - List

• Create group “Dept Financeiro” in Group Management and add the users of this department to the group.

• Create an area called “Financeiro” in Work Areas → Group Work Areas.

• Give read and write permissions to the group “Dept Financeiro”. The other groups have either reading permissions or no access to this area.

⇒ Note: When defining user group permissions any change in the General group leads to changes for all the other groups. This happens because all users introduced in IPBrick are part of General group.

⇒ Note: A deleted share is no longer available to users. All files in this share are moved to an administrative share called BackupX (X representing the number of the work area where the share was created, 1 or 2) that you find in the same Work Area. Only users belonging to the IPBrick Administrators group have access to this administrative folder. You can access this share from a Windows station by following these steps:

• Press the keys [Win]+[R] at the same time

• Write \\ipbrick\backup1 and press “OK” (the share that exists in Workarea 1).

All files and folders deleted in this administrative share are permanently deleted in IPBrick.


Figure 3.19: Work Areas - Summary of Individual Areas

3.6.3 Kaspersky

Kaspersky Antivirus for Samba Server (file server) is already installed in IPBrick. After inserting a valid license (Figure 3.25), Kaspersky Antivirus for Samba Server is activated and displays the interface with the following links:

• Update: After the license expiration you should renew with a new license file;

• Delete: Removes the license;

• Configure: It provides you a general Anti-Virus configuration option;

• Work areas: Antivirus behavior in work areas;

• Statistics: Interface with specific statistics about the file server Anti-Virus.

Configuration

General settings:

• Notify from the address: Sender that will make the notifications;

Figure 3.20: Work Areas - List

• Notify to the address: Email address that will receive notifications.

Object settings:

• Directory exclusion mask: Directories that will be analyzed;

• File exclusion mask: Files that will be analyzed;

• Packed Files: If you choose this item, this type of file will be analyzed;

• Archives: If you choose this item, this type of file will be analyzed;

• Auto-extraction files: If you choose this item, this type of file will be analyzed;

• Email database: If you choose this item, this type of file will be analyzed;

• Text format email: If you choose this item, this type of file will be analyzed.

Scan settings:

• Cure: If activated, detected viruses will be automatically removed;

• Use heuristic: If activated, virus can be detected through the analysis of the code with characteristics and behavior similar to a virus;


Figure 3.21: Work Areas - Group - Insert with recycle bin

• Use IChecker: If the file was not modified since the last time it was checked, there will be no new analysis for this file.

Actions Settings: Defines what the Anti-Virus will do with infected and suspicious files or with warnings.

• Remove: Removes the file;

• Inalterable: Doesn’t take any action on the file;

• Move: Moves the file.

Notification settings: Defines what notifications the Anti-Virus will send about infected and suspicious files or about warnings.

• Notify user through winpopup: Notification using the Windows net send command;

• Notify user through email;

• Notify administrator through email.

To change settings click on Modify. You can see the configuration interface at Figure 3.26 and Figure 3.27.

Figure 3.22: Work Areas - Group - Insert without recycle bin

Workareas

By default, work areas are verified when they are opened and closed. For each share you can set whether it will be protected and whether it will be verified when users open and/or close files, as shown in Figure 3.28.

Statistics

Several statistics are displayed in this interface:

• Virus Statistics in period: Options to display present graphic in Virus Statistics (Figure 3.29):

– Start: The starting date for statistics;

– View: Can be set in hours, days, months or years;

– Repetition: Scale of the graphic horizontal axis;

– Group: It enables you to group data, depending on the chosen view;

• Virus statistics: The display can be filtered by: Infected files, protected, corrupted, errors and files where disinfection failed;

• Virus list: Can be organized by Virus name/Number of occurrences (Figure 3.30).


Figure 3.23: Work Areas - Group - Management

3.7 E-Mail

Email is the most used network service on the Internet, increasingly replacing traditional mail and fax. The protocol that is used to send electronic messages is SMTP (Simple Mail Transfer Protocol), which runs on TCP port 25. It enables email sending to one or several recipients and is implemented by MTAs (Mail Transfer Agents).

The IPBrick MTA is Qmail².

SMTP is only capable of sending messages, so users need an email client that supports the protocols used to download messages from servers (POP3/IMAP).

IPBrick’s Email section is composed of:

• Configure;

• Queue Management;

• Users Management;

• Mailing Lists;

• Kaspersky Anti-Virus;

² http://cr.yp.to/qmail.html

Figure 3.24: Work Areas - Group - Users Access

• Kaspersky Anti-Spam.

3.7.1 Configure

An important concept in the email server configuration is open relay. A server that works as an open relay processes messages between senders and recipients outside the server’s domain, which may not even exist. Obviously, IPBrick doesn’t work as an open relay; it only forwards Internet emails to domains that are explicitly indicated.

It is important to mention four very simple and decisive concepts in the E-mail configuration:

1. Locally delivered domains: E-mail addresses whose destination is the IPBrick server itself, that is, the associated e-mail accounts are in the local network. E-mails that are in the queue and whose recipient is in one of these domains are not sent to another server in order to be delivered. The domains served by the machine have to be correctly configured in each DNS domain server. That is, the “E-mail servers” of these domains have to be configured to this machine.

2. Authorized relay domains: IPBrick forwards all the messages that have their domains in this list and will be accepted by the server to a queue list. Messages to other recipients that don’t belong to these domains won’t be accepted by the server (please see 3.)

Figure 3.25: Workareas - Kaspersky Licence

3. Relay networks definitions: IPBrick relays to any domain as long as the e-mail is sent from its corresponding internal network. If there are different internal IP networks it is necessary to add these networks to the list. This way all machines in the networks are able to send e-mails to other domains using IPBrick as a relay server. Other networks (Internet IPs) can use this SMTP server, but only with TLS authentication. So someone on the Internet who wants to use IPBrick’s SMTP to send email is forced to authenticate with their LDAP username/password;

4. SMTP Routes: SMTP routes are configured when you want e-mails to follow a certain way (server) in order to find their recipient. Normally, an SMTP route is defined by default (showing the SMTP route and leaving the Domain empty). When the server is not correctly registered with the IP name in the Internet DNS, you have to define an SMTP route. In this route it should be either the server responsible for the forward of company e-mails or the SMTP server of the ISP used by firms to access the Internet. This configuration is necessary because certain e-mail servers make additional verifications of the sending server authenticity. If they can’t resolve the server name into the corresponding IP address (reverse DNS check), the mail may be deleted or sent back as SPAM. In case no SMTP route is used the server tries to send the mails in the queue on its own. With the help of the DNS registrations it tries to find the recipients directly in the Internet.

³ Only e-mails from the Internet respecting these rules are processed. IPBrick is not configured as open-relay.

Figure 3.26: Workareas - Kaspersky - Configure 1/2

Each e-mail configuration option has a link to Insert new entries (Figure 3.31).

The domains for local delivery (domains which IPBrick serves) and relay (domains which IPBrick forwards) can be edited and/or deleted. The exception is the domain whose name is the same as that of the machine in the local networks or that of the local domain in the relay.

⇒ Note: To make IPBrick relay e-mails to another server that has the accounts, the firm’s base domain has to be removed from the domains served by IPBrick, since it is a domain served by IPBrick by default.

By default IPBrick only forwards email messages that come from its private network. If there are different internal IP networks, they should be added to let them send messages.
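The accept/relay/reject logic that rules 1 to 3 describe, as an added example (not code from IPBrick or from this manual). The domain names, the network range and the function names are constructed assumptions; the second function is a check an administrator can run over the relay-network list, IPv4 only.

```python
import ipaddress

# Constructed sample policy; the three lists mirror the Configure page.
LOCAL_DOMAINS = {"domain.com"}                               # locally delivered
RELAY_DOMAINS = {"partner.example"}                          # authorized relay
RELAY_NETWORKS = [ipaddress.ip_network("192.168.69.0/24")]   # relay networks

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rcpt_decision(client_ip, rcpt, tls_authenticated=False):
    """Decide what the server does with one recipient address.

    Returns 'deliver-local', 'relay' or 'reject'.
    """
    _, sep, domain = rcpt.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not domain:
        return "reject"                  # malformed address
    if domain in LOCAL_DOMAINS:
        return "deliver-local"           # rule 1
    if domain in RELAY_DOMAINS:
        return "relay"                   # rule 2
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETWORKS):
        return "relay"                   # rule 3: sender on an internal network
    if tls_authenticated:
        return "relay"                   # rule 3: authenticated Internet sender
    return "reject"                      # accepting this would be open relay


def risky_relay_networks(networks):
    """Relay networks that are not inside RFC 1918 private space.

    Every host in such a range can relay to any domain without authenticating.
    """
    return [str(n) for n in networks
            if not any(n.subnet_of(p) for p in RFC1918)]
```
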

There are two different types of SMTP routes:


Figure 3.27: Workareas - Kaspersky - Configure 2/2

Figure 3.28: Workareas - Kaspersky

1. FQDN⁴ of the route server. For example: smtp.exchange.telepac.pt.

2. IP address of the route server. Please pay attention to the brackets: [195.22.133.45].

Below are two example configurations, one with an IP for a specific domain and another for the same domain with the FQDN:

⁴ Fully Qualified Domain Name

Figure 3.29: Workareas - Kaspersky - Statistics 1/2

Figure 3.30: Workareas - Kaspersky - Statistics 2/2

First Example:

Domain : abzas.miz

SMTP route : [195.22.133.45]

Second Example:

Domain : abzas.miz

SMTP route : smtp.exchange.telepac.pt


Figure 3.31: E-mail - Configure

An important configuration is that of a machine relaying e-mails. Whenever you add in this situation an SMTP route by default (without indicating the domain) you have to add another SMTP route to forward e-mails to the internal e-mail server. In the following you can see an example of such a configuration.

In this configuration IPBrick is relaying all the incoming e-mails to an internal e-mail server called accounts. IPBrick has a second route to deliver all the mail to the Internet through the smarthost smtp.isp.pt:

Domain: domain.com

SMTP route: accounts.domain.com

Domain:

SMTP route: smtp.isp.pt
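How such a route table is resolved, as an added example (not part of the IPBrick manual). It assumes the interface entries end up in qmail's `smtproutes` control-file syntax (`domain:relay`, with an empty domain for the default route) and follows qmail-remote's matching order; the file content is constructed from the addresses on this page and the function names are hypothetical.

```python
# Constructed smtproutes content using the routes shown on this page.
SMTPROUTES = """\
domain.com:accounts.domain.com
abzas.miz:[195.22.133.45]
:smtp.isp.pt
"""


def parse_smtproutes(text):
    """Parse 'domain:relay' lines into a dict; '' is the default route."""
    routes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        domain, _, relay = line.partition(":")   # relay may carry ':port'
        routes[domain.lower()] = relay
    return routes


def route_for(routes, host):
    """Return the relay for a recipient host, or None for normal MX delivery.

    Matching order: the exact host, then each suffix that starts at a dot
    ('.domain.com', '.com'), then the default route ''.
    """
    host = host.lower()
    candidates = [host]
    candidates += [host[i:] for i, c in enumerate(host) if c == "." and i > 0]
    candidates.append("")
    for key in candidates:
        if key in routes:
            return routes[key] or None   # empty relay means "use MX records"
    return None


def default_only(routes):
    """Same table with every domain-specific route removed."""
    return {k: v for k, v in routes.items() if k == ""}
```

With only the default route left, `route_for(default_only(routes), "domain.com")` returns the smarthost, which is why the internal server needs its own route. A host such as `mail.domain.com` is not covered by the `domain.com` entry and also falls through to the default route.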

3.7.2 Definitions

There is a link called Definitions (see Figure 3.32 and Figure 3.33) to define characteristics of the e-mail server:

• Message maximum size: It’s the global message maximum size of a sending message

Value by default: unlimited.

• Maximum time to hold the message in the server: Maximum time the message will be in mail queue

Value by default: 604800 seconds (7 days)

• Maximum number for simultaneous SMTP connections: Number of connections that the server can support

Value by default: 20

• Incoming message timeout: Maximum time to receive a single message in server. If reached it will timeout

Value by default: 1200 seconds

• Outgoing message timeout: Maximum time to send a single message. If reached it will timeout

Value by default: 1200 seconds

• Reject emails from invalid domains: The server will reject incoming mail if the sender’s domain MX record doesn’t exist, in which case the domain is considered invalid.

Default value: Yes

• Reject emails from invalid servers: The server will reject incoming mail if the sender’s FQDN doesn’t have a reverse DNS record.

Default value: No

In this interface it is even possible to define permissions of sending and receiving e-mails:

• Valid internal recipients: This list is important to fill in order to protect the server from a mailbomb attack. Here should be listed all the internal valid email addresses. If the list is empty all the internal recipients will be accepted (Figure 3.34);

• Invalid senders: A list with e-mail addresses that are not allowed to send email (Figure 3.35).