config.hlp:

This help file is written for RCVPNL v0.14. Later revisions may include functions not described here.

As a general note: settings changed with RCVPNL are usually not read in until the SMTPRCV service is restarted. Please remember that when you can't get something to behave as expected.

The SMTPRCV control panel has several tabs at the top of the screen that control different aspects of the SMTPRCV service. All of the tabs are discussed here, along with any nuances these settings may have.

GENERAL:

Reverse DNS incoming IP addresses: Enabling this setting will take the IP address of the remote server and perform a reverse DNS lookup on it. The reversed information will be placed where UNVERIFIED would usually be in the Received: line. Enabling this setting may slow the performance of the server if your DNS servers are particularly slow. Additionally, Windows has this annoying habit of attempting to resolve the computer name using NETBIOS if no reverse DNS data is found. If you see single all caps names in the place where UNVERIFIED would usually be, this is what happened.

Allow Relaying: This turns the mail server into a wide open relay. It will accept mail for ANY domain. If your server is on the internet (not behind a firewall) this setting should NEVER be enabled, since it creates a huge security hole. Disabling this turns your server into a secure server which rejects any attempt, by any user that is not under your control, to send mail to any domain not listed as local.

Mail root directory: Where all the IMS subdirectories are. This is typically something like C:\winnt\system32\emwac\mail\

Incoming directory: This is where the received mail will be written. Typically this directory is C:\winnt\system32\emwac\mail\incoming\ or, if you're using a filter like SCSMFilter, it would look like this: C:\winnt\system32\emwac\mail\prein\

Import settings: This button reads all the settings it can from the SMTPRS registry settings AND antirelay.ini.
Note that this button, when pressed, clears the Local Net List, Local Domain List, and all DNS blacklist information.

LOCAL:

Local nets: Turns on bypass of relay checking for the nets listed below.

Local net list: Add local nets here in the format of 192.168.0.1/24

Accept mail for: This is the list of domains that SMTPRCV will accept mail for. Each entry should be a Fully Qualified Domain Name as it would appear in the address of the recipient. All addresses not in this list will be subject to the rules of anti-relay checking.

USER DATABASE:

Verify local address: This function will turn on 550 type error messages for non-existent users. This will prevent your admin mailbox from filling up with messages addressed to joeblow@mydomain.com where joeblow is a non-existent user. This is a very effective method for preventing dictionary attacks against your mail server. However, it is not foolproof. SMTPRCV, like SMTPRS, doesn't handle multiple domains because of restrictions with the SMTPDS delivery agent. So if you use SMTPRCV to receive mail for multiple domains and usera@a.com exists, the mail server will also accept usera@b.com as a valid address. I may fix this in the future, but I see this as a minor inconvenience compared to sorting through tons of misaddressed mail.

Three methods are available for verifying local users. They are discussed below.

Use EMWAC IMS mailing list and alias list: While the IMS implementation is buggy, there are people (like myself) that use this feature since it works OK for a small number of users. If this is the only method you are going to use, make sure you have the plain username listed as well. For example, I use aliasing to point mvanmeet, mvanmmeeteren, and mikev all at the mike username. I have 4 entries: mvanmeet=mike, mvanmmeeteren=mike, mikev=mike, and mike=mike. The last entry makes sure that things addressed to mike@ get delivered.

Check NT user database: This is a new feature recently added, and modified again with revision 0.42. You now specify the group you wish to pull the users from, and the service will load all the users it finds in this group into the list of users to accept mail for. This function SHOULD work for all user setting configurations, but to be sure, grab the GETUSERS.ZIP file and run it logged in as Administrator on the server to check the functionality.

Use Plugin 1 alias list: This is the preferred method for doing user verification. When this is enabled, SMTPRCV loads all the names it finds in the specified file as a user list. The names may be in the standard plugin1 format, i.e.: "mikev@mydomain.com","mike@mydomain.com". SMTPRCV will add both mikev and mike to the valid user name list. Unlike Plugin1, there is no limitation on the length of this file. You can use as many entries as you want. Also, you don't necessarily have to use the plugin1 config file. If, for example, you have more than one plugin1.dat file, you can just concatenate them and use that file for your SMTPRCV user list. Or you can simply create a file that lists user names without Fully Qualified Domain Names. For example, to simply receive mail for usera and userb, the sample user list file would look like this:

    usera
    userb

Note that the names are not case sensitive.

All three of these local user verification methods may be used in any combination. The alias list is the fastest and most trouble free.

POPAUTH:

Do POPAUTH IP address verification: Enabling this setting will allow remote users not in your local subnets to send mail as if they were. The SMTPRCV service will take the incoming IP address and verify that the user is a valid "roaming" user by scanning for the IP address in the POP3 log file (you obviously must have POP3 logging turned on in the IMS control panel for this to work correctly).
Your remote users must check mail before sending, or they will get the same "554 relaying denied" message a non-user would get trying to send mail to a non-local domain.

Log Directory: This is where the POP3 logs are stored. This will typically look like this: c:\winnt\system32\emwac\mail\pop3log\

IP Authorized for: The length of time the remote user has to send mail after checking mail. I recommend 30 minutes, but you can tailor this to your specific needs.

ACCEPT/REJECT:

These lists allow you to accept blindly or refuse to accept mail from any mail server or subnet you wish. Network addresses are added in x.x.x.x/mask format. The rejection notice is what appears in the 550 response given to the remote when RCPT TO: or DATA commands are issued. These lists take precedence over the DNS blacklists, and the whitelist takes precedence over the blacklist.

DNS BLACKLISTS:

You can reject mail at the SMTP level based on incoming IP address using the SMTPRCV service. The IP address of the incoming connection is looked up in a database of IP addresses using a DNS style query. There is much debate on the proper use of these lists, and I will direct you to http://www.mail-abuse.org for a complete discussion on the use of these black lists. All I will discuss here is the proper format for entering servers in the control panel.

Enable DNS blacklists: This turns blacklist checking on or off. Note that if your network connection is slow, using blacklist checking may impose a significant speed penalty.

DNS Blacklist server: This column contains the suffix of the DNS query made on the incoming IP address. In other words, if you specify blackholes.mail-abuse.org here, incoming IP address a.b.c.d would be DNS queried as d.c.b.a.blackholes.mail-abuse.org. If ANY address is returned, the IP address is considered blacklisted. You can specify your own DNS server as well should you wish to maintain your own deny list.

Access Denied response: If the incoming IP address is listed at a server specified in the list, and the IP address is not specified in localnets or verified by POPAUTH, all commands issued to the server by the remote client will result in 554 access denied, <message> where <message> is the message specified in this column. You can use %s to insert the incoming IP address. Example, if a.b.c.d is listed and your response message is Please see the remote would get a 554 access denied, Please see

Most mail clients will report this back to the sender, so he can see why he could not send mail to your server.

LOGGING:

Log Incoming Messages: This turns on the logging of incoming messages in the same format used by SMTPRS.

Log Non-existent user rejections and relay attempts: This controls whether or not relay attempts are recorded in the inlog. The above function must be turned on for this to work.

Log Directory: Where log files are written. This is typically something like: c:\WINNT\System32\EMWAC\MAIL\inlog\

MISCELLANEOUS NOTES:

The incoming IP address is checked in the following order to maximize speed for local users:

1) If the IP is in a local subnet, then the user is local; skip the rest of the checks
2) If the IP is POPAUTH'd, then the user is local; skip the rest of the checks
3) Check the whitelist/blacklist settings; if in either, skip the rest of the checks
4) Check the DNSBL servers for the IP, in the order of the list in the control panel
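
The check order above, together with the d.c.b.a DNSBL query name and the %s substitution, written out as an added Python example (this is not SMTPRCV's own code). The configuration keys, the pop3_seen table standing in for the POP3 log scan, and the "554 access denied, " prefix are assumptions made for illustration.

```python
import ipaddress
import socket

def dnsbl_name(ip, suffix):
    """a.b.c.d with suffix S is queried as d.c.b.a.S (IPv4, as on this page)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix

def dns_listed(name):
    """Live lookup: ANY returned address means listed. Not used by the sample."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def in_any(ip, nets):
    # strict=False because the page's own format, 192.168.0.1/24, has host bits set
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def classify(ip, cfg, now, listed=dns_listed):
    """Return (verdict, detail), stopping at the first check that matches."""
    if in_any(ip, cfg["local_nets"]):                      # 1) local subnet
        return ("local", "local net")
    seen = cfg["pop3_seen"].get(ip)                        # 2) POPAUTH window
    if seen is not None and 0 <= now - seen <= cfg["authorized_minutes"] * 60:
        return ("local", "POPAUTH")
    if in_any(ip, cfg["whitelist"]):                       # 3) whitelist wins
        return ("accept", "whitelist")
    if in_any(ip, cfg["blacklist"]):
        return ("reject", "550 " + cfg["reject_notice"])
    for suffix, message in cfg["dnsbl"]:                   # 4) DNSBLs, in list order
        if listed(dnsbl_name(ip, suffix)):
            return ("reject", "554 access denied, " + message.replace("%s", ip))
    return ("remote", "anti-relay rules apply")

# Constructed sample configuration (documentation-range addresses only).
# pop3_seen maps an IP to the time of its last POP3 login, in seconds.
CFG = {
    "local_nets": ["192.168.0.1/24"],
    "pop3_seen": {"203.0.113.7": 1000}, "authorized_minutes": 30,
    "whitelist": ["198.51.100.0/24"],
    "blacklist": ["198.51.100.9/32", "192.0.2.0/24"], "reject_notice": "mail refused",
    "dnsbl": [("dnsbl.example", "listed: %s")],
}
FAKE_ZONE = {"5.113.0.203.dnsbl.example"}   # constructed stand-in for DNS answers

def sample(ip, now=1600):
    return classify(ip, CFG, now, listed=FAKE_ZONE.__contains__)
```

An address that is in both lists, such as 198.51.100.9 in the sample, is accepted, which matches the whitelist taking precedence over the blacklist.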
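
For the "Use Plugin 1 alias list" setting under USER DATABASE, an added Python example (not SMTPRCV's own code) of loading a user list that mixes quoted plugin1-style pairs with bare names, and of the domain-blind lookup behind the usera@b.com caveat. The function names and the reply texts are assumptions, and the file content is constructed.

```python
import csv
import io

def load_user_list(text):
    """Collect lower-cased local parts from plugin1-style pairs or bare names."""
    users = set()
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        for field in row:
            # Keep only what precedes '@'; the domain plays no part in the list.
            name = field.strip().split("@", 1)[0].lower()
            if name:
                users.add(name)
    return users

def rcpt_response(address, users):
    """Reply for RCPT TO, matching on the local part only, case-insensitively."""
    local = address.strip().strip("<>").split("@", 1)[0].lower()
    if local in users:
        return "250 OK"
    return "550 unknown user"   # constructed reply text

# Constructed file: two concatenated styles, as the section allows.
SAMPLE_LIST = (
    '"mikev@mydomain.com","mike@mydomain.com"\n'
    "\n"
    "usera\n"
    "UserB\n"
)
USERS = load_user_list(SAMPLE_LIST)

def check(address):
    return rcpt_response(address, USERS)
```

Because only the local part is compared, check("usera@b.com") is accepted even though the list was written with a.com in mind.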