Value: IP address or host name
The <Host> element identifies the verification server. If there is more than one <Host> element, each is expected to serve the same set of data. One reason to have multiple <Host> elements is for high-availability.
For example, you can specify an LDAP primary server as one <Host> and its mirror as another. Another use of multiple hosts is to spread the load across many verification servers. However, if you have a domain where different verification servers serve different data, multiple <Host> entries in a single verifier are not the right tool; use a <Multi> verifier instead.
At least one <Host> element is required by <LDAP>, <Postfix>, <RcptTo>, <DataBase>, <POP3> and <Communigate> verifiers. When used with a DataBase <Vendor> of SQLite (testing only), the value of any <Host> element is ignored. The <Host> element is not valid in the <Multi> parent.
Each <Host> element contains a host name or IP address, optionally followed by a colon and a TCP port number. If no port number is given, a default port is assumed; see the table below for the default ports.
The attributes of the <Host> element offer connection controls. These attributes are secure, allowInsecureAuth, and defaultRouteMatch/defaultRouteNoMatch.
attribute: secure
Value: true/false, starttls, trystarttls
When the secure attribute is set to true, the connection between the verifier and the verification server is encrypted. With starttls, Transport Layer Security (TLS) is used for authentication requests; if the server does not support TLS, the request fails. With trystarttls, the verifier attempts to use TLS for authentication requests; if TLS is not supported, communication with the verification server falls back to clear text.
The following table summarizes default port numbers for various types of verifiers, depending on the value of the secure attribute.
Type                Default Clear Port    Default Secure Port
LDAP                389                   636
Communigate (1)     106                   106
MySQL DB (2)        3306                  3306
PostgreSQL DB (2)   5432                  5432
SQLite DB           N/A                   N/A
Postfix/RcptTo      25                    465
POP3                110                   995
(1) Communigate verifiers cannot listen on both a secure and an insecure port; the Communigate administrator selects the port. The standard practice for a secured Communigate server is to run it on port 106. On Mac OS X, the Communigate CLI's default port is 8106, so use <hostname>:8106 when connecting to a Communigate verifier running on OS X.
(2) The default port number for a <DataBase> verifier depends on the verifier's <Vendor> element.
attribute: allowInsecureAuth
Value: true/false
The allowInsecureAuth attribute controls the sending of authentication requests through clear text. When "true", authentication requests can be sent unencrypted. When "false", authentication requests sent unencrypted fail. The default value is true.
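To make the port and authentication rules concrete, here is an added Python example; it is not part of this documentation and not the appliance's own code. It resolves a <Host> value into a host and port using the table above and classifies what happens to an authentication request under the secure and allowInsecureAuth attributes. It assumes that starttls and trystarttls connect on the clear port and upgrade afterwards (standard STARTTLS behaviour, which the page does not spell out) and that secure="true" fails against a server that offers no TLS; the function and type names are the example's own.

```python
import re
from dataclasses import dataclass

# Default ports per verifier type as (clear, secure), taken from the table above.
# SQLite has no network port, so it is deliberately absent.
DEFAULT_PORTS = {
    "LDAP": (389, 636),
    "Communigate": (106, 106),
    "MySQL": (3306, 3306),
    "PostgreSQL": (5432, 5432),
    "Postfix": (25, 465),
    "RcptTo": (25, 465),
    "POP3": (110, 995),
}

SECURE_VALUES = ("true", "false", "starttls", "trystarttls")

# <Host> content: a host name or IP address, optionally ":" and a TCP port.
_HOST_RE = re.compile(r"^(?P<host>[^:\s]+)(?::(?P<port>\d{1,5}))?$")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    implicit_tls: bool  # True for secure="true": the socket is TLS from the start


def resolve_host(value: str, verifier_type: str, secure: str = "false") -> Endpoint:
    """Turn a <Host> element value and its secure attribute into a concrete endpoint."""
    secure = secure.lower()
    if secure not in SECURE_VALUES:
        raise ValueError(f"invalid secure attribute {secure!r}; expected one of {SECURE_VALUES}")
    m = _HOST_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed <Host> value {value!r}")
    if verifier_type not in DEFAULT_PORTS:
        raise ValueError(f"no default port for verifier type {verifier_type!r}")
    clear_port, secure_port = DEFAULT_PORTS[verifier_type]
    if m.group("port"):
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {value!r}")
    else:
        # Assumption: only secure="true" selects the dedicated secure port; the
        # STARTTLS variants connect on the clear port and upgrade afterwards.
        port = secure_port if secure == "true" else clear_port
    return Endpoint(host=m.group("host"), port=port, implicit_tls=(secure == "true"))


def authentication_outcome(secure: str, allow_insecure_auth: bool, server_supports_tls: bool) -> str:
    """Classify an authentication request as 'encrypted', 'cleartext' or 'fail'.

    Follows the attribute descriptions above: starttls fails without TLS, trystarttls
    falls back to clear text, and allowInsecureAuth="false" rejects any clear-text request.
    """
    secure = secure.lower()
    if secure not in SECURE_VALUES:
        raise ValueError(f"invalid secure attribute {secure!r}")
    if secure == "true":
        # Assumption: a TLS-only connection cannot proceed against a server without TLS.
        return "encrypted" if server_supports_tls else "fail"
    if secure == "starttls":
        return "encrypted" if server_supports_tls else "fail"
    if secure == "trystarttls" and server_supports_tls:
        return "encrypted"
    # secure="false", or trystarttls fell back: the request would go out in clear text.
    return "cleartext" if allow_insecure_auth else "fail"


if __name__ == "__main__":
    print(resolve_host("ldap.example.test", "LDAP", secure="true"))
    print(authentication_outcome("trystarttls", allow_insecure_auth=True, server_supports_tls=False))
```

The last call is the case worth noticing: because allowInsecureAuth defaults to true, trystarttls against a server without TLS quietly sends the authentication request in clear text. Setting allowInsecureAuth="false" turns that fallback into a hard failure, which is the safer default for a verifier that carries credentials.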
attribute: defaultRouteMatch
attribute: defaultRouteNoMatch
Value: regular expression
The defaultRouteMatch and defaultRouteNoMatch attributes are used to remove a specific <Host> element from consideration based on the default route of the appliance. This feature is used to allow a single verifier definition to be replicated to hosts both behind a customer firewall (such as an appliance) and outside the customer's firewall (such as a Vx appliance).
The defaultRouteMatch attribute contains a regular expression that must match the appliance's default route; if it does not match, that host is ignored entirely when connections are established to the servers defined in the <Host> elements. Conversely, the defaultRouteNoMatch attribute omits a host from consideration when its regular expression does match the default route.
<Host> Element Example
Consider the following verifier example:
<Vrfy version="101.4635"
      name="My LDAP Verifier"
      uid="64378E86-A459-11DD-1273-09173F13E4C5">
  <LDAP>
    <Host defaultRouteMatch="12\.32\.1\.[0-9]+">10.111.1.12</Host>
    <Host defaultRouteNoMatch="12\.32\.1\.[0-9]+">112.11.64.244</Host>
  </LDAP>
</Vrfy>
Using this verifier, if the command ip route | grep default returns:
    default via 118.221.76.126 dev eth0
then connections will only be made to 112.11.64.244. However, if the same command returns:
    default via 12.32.1.1 dev eth0
then connections will only be made to 10.111.1.12.
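The route-based host selection described above can be reproduced in a few lines. The following is an added Python example, not the appliance's own code: it parses a copy of the verifier from the example, takes the default route from ip route output, and returns the <Host> values that remain eligible. It assumes the attribute regular expressions are searched, unanchored, within the full "default via ..." line, which agrees with the example but is not stated on the page; the ip route output is constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed copy of the verifier shown in the example above.
VERIFIER_XML = r"""<Vrfy version="101.4635" name="My LDAP Verifier"
      uid="64378E86-A459-11DD-1273-09173F13E4C5">
  <LDAP>
    <Host defaultRouteMatch="12\.32\.1\.[0-9]+">10.111.1.12</Host>
    <Host defaultRouteNoMatch="12\.32\.1\.[0-9]+">112.11.64.244</Host>
  </LDAP>
</Vrfy>"""

# Constructed `ip route` output for the two situations described above.
IP_ROUTE_OUTSIDE = (
    "default via 118.221.76.126 dev eth0\n"
    "118.221.76.0/25 dev eth0 proto kernel scope link\n"
)
IP_ROUTE_INSIDE = (
    "default via 12.32.1.1 dev eth0\n"
    "12.32.1.0/24 dev eth0 proto kernel scope link\n"
)


def default_route(ip_route_output: str) -> str:
    """Return the 'default via ...' line, i.e. what `ip route | grep default` prints."""
    for line in ip_route_output.splitlines():
        if line.startswith("default "):
            return line.strip()
    raise LookupError("no default route in ip route output")


def eligible_hosts(verifier_xml: str, route_line: str) -> List[str]:
    """Apply defaultRouteMatch / defaultRouteNoMatch to every <Host> and keep the survivors."""
    root = ET.fromstring(verifier_xml)
    survivors = []
    for host in root.iter("Host"):
        must_match = host.get("defaultRouteMatch")
        must_not_match = host.get("defaultRouteNoMatch")
        # Assumption: the pattern is searched anywhere in the route line, not anchored.
        if must_match is not None and not re.search(must_match, route_line):
            continue  # this host is only meant for appliances with a matching route
        if must_not_match is not None and re.search(must_not_match, route_line):
            continue  # this host must be hidden from appliances with a matching route
        survivors.append((host.text or "").strip())
    return survivors


if __name__ == "__main__":
    for output in (IP_ROUTE_OUTSIDE, IP_ROUTE_INSIDE):
        route = default_route(output)
        print(route, "->", eligible_hosts(VERIFIER_XML, route))
```

Because the pattern is matched anywhere in the line, 12\.32\.1\.[0-9]+ would also match a default route of 112.32.1.1; anchoring the expression on the preceding text (for example via 12\.32\.1\.[0-9]+) keeps a replicated verifier from selecting the internal host on an appliance that merely has a similar-looking gateway. A <Host> with neither attribute is always eligible.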