Features - Email

Email related features

POP3, SMTP, and IMAP4 servers

WinGate has a comprehensive POP3, SMTP and IMAP4 (version 6.1 or later) server built in. These servers support advanced authentication options, and secure connections for both delivery and reception of mail, allowing you to set up a secure email network accessible over untrusted networks such as the Internet.

Simple yet highly flexible domain and user-based delivery rules allow you to set up a comprehensive variety of scenarios, including:

• Catch-all mailboxes, where all mail for a domain goes to a specific mailbox
• Split domains, where mailboxes for a domain are hosted on more than one different server
• Forwarding domains

The SMTP servers also supports a number of anti-spam measures to reduce inbound spam, and additionally mail received or retrieved can be scanned for viruses using the optional Kaspersky AntiVirus for WinGate component.

Flexible delivery options allow you to specify delivery requirements (such as authentication or secure connection requirements, or different port numbers) on a server by server basis where required.

Per-user restrictions are available, including maximum message sizes, redirecting mail, blocking file attachments per user, or copying mail to multiple recipients.

POP3 mailbox collection

WinGate can retrieve mail from POP3 mailboxes on other servers, and import them into the WinGate mail system for local or remote delivery.

The POP3 retrieval system allows you to parse retrieved emails, and deliver accordingly, or deliver all mail for a mailbox to a specific address.

If you have Kaspersky AntiVirus for WinGate installed and activated on your WinGate email, then retrieved emails will also be scanned for viruses.

Multiple security and authentication options
A range of security options are also available, including secure connection support using STLS, and various authentication methods including:

• plain USER/PASS
• NTLM (used for secure authentication to MS Exchange servers)
• CRAM-MD5
• APOP

By default WinGate will choose the most secure method available on the POP3 server that it is connecting to.

POP3 and SMTP proxies

In addition to the comprehensive POP3 and SMTP servers in WinGate, WinGate includes a POP3 proxy and an SMTP proxy.

The proxies differ from the servers in that they are intended to be connected through rather than connected to. E.g. if you connect to a POP3 server on the Internet, you may choose to connect through the POP3 proxy, and have it scan your email for viruses at the same time.

The SMTP proxy however we do not recommend you use unless you specifically do not wish to use the SMTP server in WinGate, or your license does not give you access to it (version 4.x license or earlier).

The POP3 proxy however is often used, since it is common to need to access a POP3 server on the Internet.

Comprehensive message routing

Secure connections (SSL/TLS)

Flexible delivery options

Attachment blocking

When an email has been received by the SMTP server in WinGate, before the WinGate SMTP server indicates that it will accept responsibility for delivery of the message, it scans it for unacceptable content. Should WinGate find any file attachments in the message that are denied, commonly executable files, then WinGate refuses to accept responsibility for the message.

The administrator can define any number of file extensions that will be denied, and apply this restriction to incoming and/or outbound mail.

Rejecting the message in this way reduces the workload on the server, and can filter out many attachments that are normally associated with viruses, such as executables and script files.

Anti-spam measures

WinGate's SMTP server gives the user a number of options to help prevent unsolicited email from being accepted by WinGate.

To start with, WinGate can use Open Relay Databases (ORDB) which are available on the internet based around a DNS lookup to check whether a computer connecting to WinGate is a known open relay or spammer.

WinGate will also optionally block invalid sender domains (i.e. domains that do not exist, or have specific properties - e.g. the MX record resolves to "localhost" or other disallowed records).

Finally, WinGate uses an SPF-style check if you enable "block spoofed sender addresses". The key difference between this check and SPF, is that SPF requires domains to specify valid senders by publishing an SPF DNS record. Most sites do not have one of these, so SPF is still not widespread enough to be used to verify most domains. WinGate's method - by using a combination of assumptions - can gain a high level of certainty about sites and domains that do not have published SPF records. Inevitably there will be some sites that do not pass WinGate's anti-spoofing checking, so there is a comprehensive white-list option to allow these through.

User quotas and restrictions

If you choose to let WinGate host your users' mailboxes, you can specify individual requirements on the users mailboxes, and email addresses.

You can specify the maximum amount of disk space that a user's mailbox may use.

Furthermore, for any email addresses whether associated with a local mailbox or destined to be forwarded to another server, you can specify additional restrictions, such as blocking attachments, setting a maximum message size, or copying the mail to other local or remote addresses.

Multiple authentication options

Email in WinGate supports a number of authentication options, depending on which user database you are using, or which email clients.

For SMTP reception and delivery to remote SMTP servers WinGate supports:

• SASL PLAIN method
• SASL CRAM-MD5 method
• NTLM method

WinGate's POP3 collection and POP3 server supports:

• USER/PASS method
• APOP method
• SASL PLAIN method
• SASL CRAM-MD5 method
• NTLM method

In addition, the methods for the SMTP server (reception) and POP3 server can be restricted to whether the connection has been secured by STLS or STARTTLS (equivalent for SMTP) or not, thereby removing the vulnerability of insecure authentication methods, by requiring that the connection be encrypted before an insecure method becomes available.

MS Outlook secure authentication

MicroSoft® Outlook only supports one type of secure authentication, which is via NTLM, against an NT database. With WinGate's built in ability to synchronise with such a database, Outlook users can authenticate with WinGate's SMTP and POP3 servers, sending their username and password to WinGate in an encrypted format rather than plain text.

Support for Antivirus data scanning

WinGate includes support for several plug-in components which are available separately. These data scanning components allow you to scan content passing through WinGate proxies. One component is an AntiVirus plugin, called Kaspersky AntiVirus for WinGate (KAVWG). The AntiVirus technology in this plugin is licensed from the well-respected Kaspersky Labs.

Several proxies and services in WinGate support scanning content for viruses using this plugin, these are:

• The SMTP server. This scans all received mail, and mail retrieved using POP3 collection
• The WWW proxy. This scans files as they are downloaded to your browser, and can detect not only files containing viruses (i.e. infected EXEs or ZIP files), but also iFrame exploits, and common attacks against web browsers.
• The POP3 Proxy. If you collect your email from a POP3 server on the Internet through WinGate's POP3 Proxy, you can also scan the email as it is being retrieved for viruses.
• The FTP proxy. Files being downloaded or uploaded can be scanned for viruses.

If a file fails scanning because it contains a virus, it is placed in WinGate's quarantine, where it may be released by the system administrator.

Remote Email Queue Management

With the email tab in GateKeeper you can easily manage several aspects your server mail queues. Functions include:

• Aborting delivery of mail to a domain (domain job)
• Retrying all delivery
• resetting the delivery try count on a domain job
• Deleting or bouncing specific messages from a particular domain job
• previewing messages in the queue

WinGate Features - Connectivity

WinGate has a comprehensive array of features outlined below. They fall into 7 main categories. There are too many features to list below, for a full set, see the help documentation, which is available as a separate download from the download link above. Items in blue have further information available.

Features related to providing Internet connectivity

Network Address Translation (NAT)

NAT stands for Network Address Translation. This system is used to enable machines behind a gateway which use private IP addresses, to access the Internet (which uses public IP addresses).

This works on a packet-by-packet basis. The NAT system receives packets from clients on the local network destined for the Internet. It changes the packets, by replacing the source IP address in the packet with the external IP address of the NAT system. This allows the server on the internet to send packets back. Packets received on external interfaces (i.e. from the Internet) are examined to determine whether they belong to any known connection between a client computer on the LAN and a machine on the Internet. If so, the packet addresses are translated back, and the packet is forwarded on to the client.

This allows two way communications between the clients on the network, and machines on the Internet.

There are several points to note about NAT systems:

• They typically do not provide much analysis of data content, since the packets are at a low level, any one packet does not normally provide a lot of information on which to base analysis, and the accumulation of data that would be required to fully analyse data could likely create vulnerabilities for systems. Things like requiring authentication are therefore very difficult.
• Because the amount of work required to translate packet addresses is small, the performance is typically very good.
• The configuration required for local network clients is small normally

Application proxies (WWW, FTP etc)

WinGate Internet Client

The WinGate Internet Client is a piece of client software that may be installed on client computers on your LAN to provide enhanced access to the Internet through WinGate.

The client is installed into the windows sockets system which is used by applications such as browsers and email clients to access network services (i.e. make connections to servers, send and receive data etc). By hooking into this system, the WinGate Client is able to redirect connections and data transfers through WinGate's Winsock Redirection Service out onto the Internet.

This makes the client computer appear to be directly connected to the Internet, and means that client applications do not need to be configured to use a proxy server.

Network Address Translation is also a way of gaining internet connectivity for client machines without having to configure client software to use proxies, or install any software. However the WinGate Internet Client has some extra features and other advantages including:

• The WinGate Internet Client also handles user authentication, independently of internet applications the user may be running.
• In many cases client software thinks its IP address is the external IP address of the gateway, so when running an application that transmits this IP address, it will often transmit the external IP address of the gateway. also if the application chooses to listen on a port, this is also redirected to WinGate. This allows several applications to run using the WinGate client which otherwise will not work through a normal NAT system.
• Information is gathered about the application that is running - this becomes visible in GateKeeper, and can be used in policies to block applications from running on client computers.

Circuit-level proxies (SOCKS / WRP)

Transparent proxying

Transparent proxying is where connections made through WinGate on specified ports, are intercepted by a proxy server in WinGate.

This provides several benefits:

• The client applications (e.g. web browsers, or email clients), do not need to know about the existence of the proxy server, so there are no per-application setup requirements on your client machines. Clients are simply configured to use WinGate as their default gateway (standard NAT configuration), or use the WinGate Internet Client or SOCKS protocol.
• The benefits of the proxy server in terms of access control, policy enforcement, logging and auditing, and performance benefits (e.g. HTTP caching) come into play.
• Users cannot circumvent policy by avoiding going through the WinGate proxies, since the proxy intercepts the traffic outside of the user's control.

Several of WinGate's proxy services support transparent proxying: The WWW Proxy, SMTP and POP3 servers and proxies, and FTP proxy all support interception of connections in this way. Multiple ports may be intercepted by any of these proxies.

Connections are intercepted whether they are made by NAT, through the SOCKS service, or the WRP service. This means all traffic of a type may be forced through the application proxy, where the administrator then has the maximum control, and ability to specify policy in a single location.

Dial on demand

WinGate contains a dialer manager, that can access and control all dial up connections on the PC, be they through a traditional dial up to an ISP, an ADSL modem, or even AOL, as well as multiple instances of each.

WinGate can be configured so that if you have one ADSL connection and one dial up modem, it will attempt to use the ADSL first, and should that not succeed, then WinGate will fail over to the dial up connection, so that your users can always access the internet when needed.

You can also configure and assign access rights to each dial up connection profile in WinGate. In this way you can support multiple dialup accounts, and restrict access to each of those profiles.

Multiple simultaneous internet connections

You can use multiple Internet connections at the same time with WinGate, thereby increasing your system throughput. On a per-proxy basis in WinGate, you can specify multiple methods of using these multiple connections as well.

for instance you could:

• Specify that the WWW Proxy uses all your available internet connections
• Specify that another proxy uses only one of the connections, but if that becomes unavailable, to fail over to the next one

WinGate monitors connections for availability, including remote gateways, so even if your Internet connections go through another router or a device such as a DSL/NAT device, you can still keep track of it.

WinGate's gateway selection features also allows you to specify on a per service basis which gateway will be used, so if you had a combination of multiple DSL/NAT devices, network gateways, modems, etc, you could still specify which connections go through which gateway, even if they are on the same physical ethernet segment.

Support for servers behind firewall

WinGate supports several ways to allow access to servers on your LAN from the Internet. These are:

• Redirect the port for incoming connections to your LAN-based server using the ENS
• Create a TCP or UDP mapping proxy to accept connections, and connect through to your LAN-based server
• On some proxies in WinGate, the non-proxy request configuration allows you to specify an internal server to forward requests to

The simplest method is the first one, redirecting using the ENS (shown in screen shot). With this option, you also have the option to not translate source IP - this means that the server on your LAN can learn the original IP address of the client on the Internet connecting to it.

The second method was the original method introduced in WinGate 1.0 in 1995, and is retained for compatibility. Because it is effectively using a proxy server, it has more control over policy than the above ENS-based method.

The third method is also an old one, however because the forwarding is handled by a proxy specific to the protocol being used, it has the most flexibility in terms of access control. For instance, if you use the WWW Proxy to forward inbound connections to an internal web server, you can also enforce authentication, or special policies.

Support for multiple connection types

Because of the architecture of WinGate, it is to a large extent network-hardware-independent. This means that it supports most types of network connection that is supported by the operating system.

WinGate proxies will work with any interface that has an IP address, this means any connection. The WinGate ENS driver supports any NDIS-based miniport, and NDISWAN connection.

Furthermore, WinGate's dial on demand capabilities allows it to control any dialup connection that is accessible through Windows dialup networking. Custom support for AOL dialup, and Hughes DirecWay (formerly DirecPC) satellite connections is also included.

AOL / DirecPC connections

WinGate Features - Connectivity

WinGate has a comprehensive array of features outlined below. They fall into 7 main categories. There are too many features to list below, for a full set, see the help documentation, which is available as a separate download from the download link above. Items in blue have further information available.

Features related to providing Internet connectivity

Network Address Translation (NAT)

NAT stands for Network Address Translation. This system is used to enable machines behind a gateway which use private IP addresses, to access the Internet (which uses public IP addresses).

This works on a packet-by-packet basis. The NAT system receives packets from clients on the local network destined for the Internet. It changes the packets, by replacing the source IP address in the packet with the external IP address of the NAT system. This allows the server on the internet to send packets back. Packets received on external interfaces (i.e. from the Internet) are examined to determine whether they belong to any known connection between a client computer on the LAN and a machine on the Internet. If so, the packet addresses are translated back, and the packet is forwarded on to the client.

This allows two way communications between the clients on the network, and machines on the Internet.

There are several points to note about NAT systems:

• They typically do not provide much analysis of data content, since the packets are at a low level, any one packet does not normally provide a lot of information on which to base analysis, and the accumulation of data that would be required to fully analyse data could likely create vulnerabilities for systems. Things like requiring authentication are therefore very difficult.
• Because the amount of work required to translate packet addresses is small, the performance is typically very good.
• The configuration required for local network clients is small normally

Application proxies (WWW, FTP etc)

WinGate Internet Client

The WinGate Internet Client is a piece of client software that may be installed on client computers on your LAN to provide enhanced access to the Internet through WinGate.

The client is installed into the windows sockets system which is used by applications such as browsers and email clients to access network services (i.e. make connections to servers, send and receive data etc). By hooking into this system, the WinGate Client is able to redirect connections and data transfers through WinGate's Winsock Redirection Service out onto the Internet.

This makes the client computer appear to be directly connected to the Internet, and means that client applications do not need to be configured to use a proxy server.

Network Address Translation is also a way of gaining internet connectivity for client machines without having to configure client software to use proxies, or install any software. However the WinGate Internet Client has some extra features and other advantages including:

• The WinGate Internet Client also handles user authentication, independently of internet applications the user may be running.
• In many cases client software thinks its IP address is the external IP address of the gateway, so when running an application that transmits this IP address, it will often transmit the external IP address of the gateway. also if the application chooses to listen on a port, this is also redirected to WinGate. This allows several applications to run using the WinGate client which otherwise will not work through a normal NAT system.
• Information is gathered about the application that is running - this becomes visible in GateKeeper, and can be used in policies to block applications from running on client computers.

Circuit-level proxies (SOCKS / WRP)

Transparent proxying

Transparent proxying is where connections made through WinGate on specified ports, are intercepted by a proxy server in WinGate.

This provides several benefits:

• The client applications (e.g. web browsers, or email clients), do not need to know about the existence of the proxy server, so there are no per-application setup requirements on your client machines. Clients are simply configured to use WinGate as their default gateway (standard NAT configuration), or use the WinGate Internet Client or SOCKS protocol.
• The benefits of the proxy server in terms of access control, policy enforcement, logging and auditing, and performance benefits (e.g. HTTP caching) come into play.
• Users cannot circumvent policy by avoiding going through the WinGate proxies, since the proxy intercepts the traffic outside of the user's control.

Several of WinGate's proxy services support transparent proxying: The WWW Proxy, SMTP and POP3 servers and proxies, and FTP proxy all support interception of connections in this way. Multiple ports may be intercepted by any of these proxies.

Connections are intercepted whether they are made by NAT, through the SOCKS service, or the WRP service. This means all traffic of a type may be forced through the application proxy, where the administrator then has the maximum control, and ability to specify policy in a single location.

Dial on demand

WinGate contains a dialer manager, that can access and control all dial up connections on the PC, be they through a traditional dial up to an ISP, an ADSL modem, or even AOL, as well as multiple instances of each.

WinGate can be configured so that if you have one ADSL connection and one dial up modem, it will attempt to use the ADSL first, and should that not succeed, then WinGate will fail over to the dial up connection, so that your users can always access the internet when needed.

You can also configure and assign access rights to each dial up connection profile in WinGate. In this way you can support multiple dialup accounts, and restrict access to each of those profiles.

Multiple simultaneous internet connections

You can use multiple Internet connections at the same time with WinGate, thereby increasing your system throughput. On a per-proxy basis in WinGate, you can specify multiple methods of using these multiple connections as well.

for instance you could:

• Specify that the WWW Proxy uses all your available internet connections
• Specify that another proxy uses only one of the connections, but if that becomes unavailable, to fail over to the next one

WinGate monitors connections for availability, including remote gateways, so even if your Internet connections go through another router or a device such as a DSL/NAT device, you can still keep track of it.

WinGate's gateway selection features also allows you to specify on a per service basis which gateway will be used, so if you had a combination of multiple DSL/NAT devices, network gateways, modems, etc, you could still specify which connections go through which gateway, even if they are on the same physical ethernet segment.

Support for servers behind firewall

WinGate supports several ways to allow access to servers on your LAN from the Internet. These are:

• Redirect the port for incoming connections to your LAN-based server using the ENS
• Create a TCP or UDP mapping proxy to accept connections, and connect through to your LAN-based server
• On some proxies in WinGate, the non-proxy request configuration allows you to specify an internal server to forward requests to

The simplest method is the first one, redirecting using the ENS (shown in screen shot). With this option, you also have the option to not translate source IP - this means that the server on your LAN can learn the original IP address of the client on the Internet connecting to it.

The second method was the original method introduced in WinGate 1.0 in 1995, and is retained for compatibility. Because it is effectively using a proxy server, it has more control over policy than the above ENS-based method.

The third method is also an old one, however because the forwarding is handled by a proxy specific to the protocol being used, it has the most flexibility in terms of access control. For instance, if you use the WWW Proxy to forward inbound connections to an internal web server, you can also enforce authentication, or special policies.

Support for multiple connection types

Because of the architecture of WinGate, it is to a large extent network-hardware-independent. This means that it supports most types of network connection that is supported by the operating system.

WinGate proxies will work with any interface that has an IP address, this means any connection. The WinGate ENS driver supports any NDIS-based miniport, and NDISWAN connection.

Furthermore, WinGate's dial on demand capabilities allows it to control any dialup connection that is accessible through Windows dialup networking. Custom support for AOL dialup, and Hughes DirecWay (formerly DirecPC) satellite connections is also included.

AOL / DirecPC connections

Features - Administration

Administrative features

Remote Administration

Using GateKeeper, the remote administration and management tool for WinGate, you can monitor and control Internet usage, and administer your gateway from remote locations.

Logging and user auditing

WinGate contains a comphrensive logging subsystem, which can record data in two different formats, database and text file, as well as store this information 3 different ways:

• Firstly there is per Service logging, which can record all session information that goes through each of the services / proxies that WinGate runs, such as WWW, FTP or SMTP.
• Secondly, there is per User logging, or Auditing, where all activity for specific users can be monitored and stored, for review at a later date. As well as all session information from all services, user authentications and data usage are also logged.
• Finally, there is History logging, which is a global database of all traffic which has passed through WinGate, and with the use of GateKeeper's History pane the last 2000 entries can be displayed, for quick and easy access to what has just happened on your server.

User accounting

WinGate offers per user accounting, ideal for Network Administrators and Internet Cafes alike.

WinGate keeps track of such information as bytes sent to client, bytes recieved for client, and seconds online, as well as allowing user specified rates (charges) for each type.

Through a combination of this user accounting and WinGate policies, users can be restricted in their internet access, when they have spent too long online, or reached a download limit, for example.

Real-time activity monitoring

Real time activity monitoring is a feature of WinGate which allows you, when connected to WinGate with GateKeeper to view all activity of WinGate in real time. This includes client machines connected to the internet, machines on the internet connecting back to WinGate services, or internal maintenance tasks and system activity.

As well as being able to view activity in real time, you can also control it. If you see activity you do not like, you can terminate it. There are also simple shortcuts to blocking similar access in the future, such as:

• Blacklisting the IP address
• Banning the URL
• Disabling the user account

Scheduler

WinGate has a built-in scheduler that allows you to define tasks that will be performed on a regular basis or specific date and time. A large number of internal WinGate functions may be triggered in this way including:

• WinGate maintenance activities, such as rolling over log files etc
• enabling and disabling of user accounts
• Starting or stopping of WinGate services
• Purging the HTTP cache
• Executing command lines (e.g. external batch files or scripts)
• Dialing an internet connection
• plus others

You may run multiple tasks with any particular scheduled event that you define, and using GateKeeper you can force a scheduled event to be processed at any time. The progress of these events is displayed in the System Activity area of the activity panel in GateKeeper

Centralised WinGate Client configuration

DHCP Services

DHCP is a means for networked computers to get their TCP/IP networking settings from a central server. Importantly, DHCP assigns IP addresses and other TCP/IP configuration parameters automatically.

WinGate DHCP is different from other DHCP servers, in that it can even figure out what IP addresses to allocate without the administrator having to predefine pools of addresses (scopes). It can also figure out how to set the clients' gateway and several other parameters too, which means that not even the administrator needs to be a TCP/IP expert to operate the WinGate DHCP server.

Full manual override of all automatic settings is also available in order to allow administrators to cater for their specific requirements.

Traffic monitoring

WinGate allows you to monitor all traffic coming in to or going out of the WinGate machine.

Traffic information is displayed on a per-interface basis, thus allowing you to see how much traffic is coming in to the WinGate machine from your LAN, as well as how much is going out to the internet, and with what level of performance.

Secure Remote Command-line access

WinGate provides access to the command shell processor on NT based operating systems (Windows NT, Windows 2000, Windows XP, and Windows 2003). This allows you to remotely and securely run multiple instances of the cmd.exe command interpreter on the remote server, allowing you to remotely perform operations such as:

• creation and deletion of files on the server
• modifications to the server route table using route.exe
• Check connectivity from the server using ping.exe or tracert.exe
• Reboot the server or other servers using Shutdown.exe
• Connect to network resources on the LAN connected to the server

Plus most applications that will run from the command line.

You can choose the user account that the cmd.exe process is executed in, and the input and output is transferred over the encrypted GateKeeper control channel, providing security.