KB05111702 Remote users (Allowing controlled Relaying)

Mailtraq has excellent resources to prevent unauthorized relaying of messages (discussed here), but there are situations when you do want to allow relaying. This KB article explains how to configure the SMTP service so that only authorized relaying can take place.

Why would you want to allow relaying?

You need to allow relaying when the sender is outside your local area network. Typical situations are when a company representative is on the road, someone wants to use their smartphone for email, someone needs to work from home, or you need to allow a remote office to send email through your corporate email server, Mailtraq.

Normal 'Safe' Relaying Configuration:

The setting is configured on the SMTP Service, Relaying tab.

From the Mailtraq Console, choose, Services, then the SMTP service, click Properties, and the Relaying tab.

The safe setting is created automatically by Mailtraq, and will look like this:

How does Mailtraq know where the sender is?
Mailtraq uses the LAN settings you entered in the Installation Wizard when you installed Mailtraq to decide for whom it is normally safe to relay: those machines with IP addresses that are within your Local Area Network. You can confirm those entries by going to Options | Server | LAN and checking that they are correct.

Choose Strong User Passwords

SMTP-Auth relies on sensible passwords being assigned to users.

Care should be taken to follow the best password advice, and pay particular attention to test user accounts that may have been used during the original set-up.

For example: a user called 'test' with a password of '123456', or 'admin' with 'password', and so on, are very easily guessed and could be exploited.


Allowing Relay - SMTP Auth

Best practice method
Add a new dedicated SMTP service with tight security for your remote or external users.

How-to

Step 1: Create a new SMTP service in Mailtraq

Add another (new) SMTP service on Port 587 set to use SMTP Authentication.
Port 587 is the standard port for authenticated (submission) connections.

Change the default setting on the Relaying tab of the new SMTP service by selecting

[x] Use SMTP User Authentication

You will see that the dialog changes as some options become 'greyed out'.

It is recommended that a new SMTP service is created on Port 587 and configured as described, because enabling SMTP Auth on a service affects all local users as well as the remote users: all connecting clients, local or remote, must authenticate to relay mail (send mail outside Mailtraq) through it. So you don't normally do this on the default Port 25.

'Authenticate'
Authenticate means that the email client must log in with a valid username and password combination. Be sure to choose sensible passwords for your user accounts. Mailtraq has excellent Dictionary Attack Prevention, but you should ensure that the passwords you have assigned are not easily guessable in one or two tries. Here is some old but still valid advice on password selection.

Firewall
You will also need to adjust your router/firewall/NAT to allow external access on Port 587 with Port Forwarding to the Mailtraq machine.  

Port Forwarding
This KB article gives advice on Port Forwarding and NAT:  KB06020901 - Read how here...

Black Lists
You may need to adjust the Black Lists tab on your new SMTP service to uncheck:

[ ] Reject non-local senders claiming to be local    Read how here...

Spam Controls
You normally do not enable anti-spam systems (Greylisting, SpamAssassin etc.) on this service because the sender has authenticated to prove that they can be trusted.

Step 2: Set your Email client to use the new service

Your remote users will need to configure their email client to use an SMTP server on Port 587 instead of the normal default of Port 25.

Remember - when this SMTP AUTH option is enabled, all connecting clients - local or remote - must authenticate to relay mail through this SMTP service instance.

Authentication is performed using the user's username and password from the Properties tab of the User Properties dialog, accessed via User Manager. The "Relay Mail beyond this server" control on the Privileges tab of the User Properties dialog must also be enabled. Two authentication methods are provided, CRAM-MD5 and plain LOGIN.

Each email client connection must authenticate using 'Username and Password' before mail can be sent.
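As an added illustration of the two authentication methods named above (example code, not part of Mailtraq or this KB article), the block below computes and verifies a CRAM-MD5 challenge/response and decodes a plain LOGIN exchange. The challenge, username and password are the worked-example values from RFC 2195, used here as sample data; the lookup_password callback is an assumed stand-in for the server's user database.

```python
import base64
import hashlib
import hmac

# Sample values taken from the RFC 2195 worked example (constructed test data, not a real account).
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
USERNAME = "tim"
PASSWORD = "tanstaaftanstaaf"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side of CRAM-MD5: 'username hex(HMAC-MD5(password, challenge))'.
    The password never crosses the wire; only a keyed digest of the server's challenge does."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response_b64: str, challenge: str, lookup_password) -> bool:
    """Server side: recompute the digest for the claimed user and compare in constant time.
    lookup_password(username) is an assumed callback returning the stored password or None."""
    try:
        username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:
        return False  # malformed response
    stored = lookup_password(username)
    if stored is None:
        return False  # unknown user; same result as a wrong password
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def login_decode(username_b64: str, password_b64: str) -> tuple[str, str]:
    """Plain LOGIN sends each credential base64-encoded: encoding, not encryption,
    so anyone who can see the connection can read the password directly."""
    return base64.b64decode(username_b64).decode(), base64.b64decode(password_b64).decode()


def demo() -> dict:
    """Run one good and one bad CRAM-MD5 exchange against a one-user 'database'."""
    users = {USERNAME: PASSWORD}
    good = base64.b64encode(cram_md5_response(USERNAME, PASSWORD, CHALLENGE).encode()).decode()
    bad = base64.b64encode(cram_md5_response(USERNAME, "123456", CHALLENGE).encode()).decode()
    return {
        "cram_reply": good,
        "cram_ok": cram_md5_verify(good, CHALLENGE, users.get),
        "cram_wrong_password": cram_md5_verify(bad, CHALLENGE, users.get),
        "login_plain": login_decode(base64.b64encode(b"tim").decode(),
                                    base64.b64encode(b"tanstaaftanstaaf").decode()),
    }
```

The login_decode result shows why a weak password on a test account is exposed by either method: CRAM-MD5 hides it from an observer but still lets a guessed password authenticate.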

 

Set Outgoing server (SMTP)
The example shows the 'More Settings' dialog from Outlook 2007.

In the 'Outgoing Server-tab' you must check the box:

[x] My outgoing server (SMTP) requires authentication.

Do not check the Require SPA box which is MS Exchange only.

 

In the 'Advanced-tab' you must change the default entry to:

Outgoing server (SMTP):  [587]

 

Other email clients have similar options.
Alternative method

Allowing Relay - POP before SMTP
If you are unable to use the SMTP-Auth method described above, then you can modify the settings in your regular SMTP service on Port 25. This is the simplest method and does not affect local senders.

Change the default safe setting by selecting

[x] Relay for machines recently collecting POP3/IMAP

You will see that the dialog changes as some options become 'greyed out'.
How does it work?
After a client has successfully logged in to POP3 or IMAP, its IP address is permitted to relay for approximately five minutes. This facility is often referred to as POP-before-SMTP.

Email client configuration
Many email clients, such as Outlook 2003 (in the example illustrated) and Outlook 2007, can automatically perform a collection before sending.

There is a 'Get-before-Send' extension available for Thunderbird.

Otherwise, users can manually do a 'send and receive' shortly before sending a message.

Configuration Tips

1.) You may need to adjust your main router/firewall/NAT to allow external access to
     Port 110 - POP3
     Port 143 - IMAP
     Port 587 - SMTP Auth
     Read about Mailtraq's own Firewall here ...

2.) You will see that there are two other 'boxes' in the Relaying tab:

Always allow relaying from these senders
Use the checkbox to enable this facility and enter the addresses of remote hosts which are always permitted to relay mail through this instance of the SMTP Service. The default for this option is unchecked because it is inherently insecure and should only be enabled if access to this instance of the SMTP service is restricted to non-Internet hosts via its Access Control Tab.

Always allow relaying to these recipients
Use the checkbox to enable this facility and enter the addresses of remote or local recipient mail hosts to which any sender is always permitted to relay mail via this instance of the SMTP Service. The default for this option is unchecked. Use of this option should be carefully monitored to ensure that mail is forwarded only to authorised hosts and that the recipient hosts also do not relay, which would cause your installation of Mailtraq to be included unwittingly in an unauthorised relay chain.

3.) Using a dedicated SMTP service on Port 587
If you need to work in a 'hybrid' environment - typically where nearly all your users are within the LAN, with just a few needing to relay from outside - then you may add another SMTP service on Port 587 set to use SMTP Authentication.
Port 587 is the standard port for authenticated connections; however, you may need to adjust your main router/firewall/NAT to allow external access.
Your remote users will need to configure their email client to use an SMTP server on Port 587 instead of the normal default of Port 25.

It is not usual to enable anti-spam controls on this SMTP service. These users will be authenticated as trusted users and normally do not need to have anti-spam controls on their messages.

Allowing Relay - Trusted IP Address
In certain circumstances you may want to always allow emails to be relayed through Mailtraq from a trusted IP address, in which case it can be added to the LAN definition at the firewall. Remember though, that unless SMTP Authentication is enabled in Mailtraq, the IP address of the sending client is the only factor which can be used to discriminate between authorised and unauthorised relaying.
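To make the relaying rules on this page concrete (the LAN definition, SMTP Auth, the five-minute POP-before-SMTP window, the two 'always allow' boxes and the trusted-IP approach), here is an added model of the relay decision. It is illustrative code written for this article, not Mailtraq's implementation; the class and method names are assumed, and the sample networks and domains are constructed.

```python
import ipaddress

POP_BEFORE_SMTP_WINDOW = 5 * 60  # seconds: the "approximately five minutes" described above


class RelayPolicy:
    """Assumed model of one SMTP service's Relaying tab. Times are plain seconds (e.g. time.time())."""

    def __init__(self, lan_networks, local_domains, require_smtp_auth=False,
                 pop_before_smtp=False, always_allow_hosts=(), always_allow_recipient_domains=()):
        # LAN ranges as entered under Options | Server | LAN (a trusted IP can be added here too)
        self.lan = [ipaddress.ip_network(n, strict=False) for n in lan_networks]
        self.local_domains = {d.lower() for d in local_domains}
        self.require_smtp_auth = require_smtp_auth           # [x] Use SMTP User Authentication
        self.pop_before_smtp = pop_before_smtp               # [x] Relay for machines recently collecting POP3/IMAP
        self.always_allow_hosts = {str(ipaddress.ip_address(h)) for h in always_allow_hosts}
        self.always_allow_recipient_domains = {d.lower() for d in always_allow_recipient_domains}
        self.recent_collections = {}                         # client IP -> time of last POP3/IMAP login

    def record_collection(self, client_ip: str, when: float) -> None:
        """Called when a POP3/IMAP login succeeds; starts the POP-before-SMTP window for that IP."""
        self.recent_collections[str(ipaddress.ip_address(client_ip))] = when

    def may_relay(self, client_ip: str, recipient_domain: str, authenticated: bool, now: float):
        """Return (allowed, reason). Delivery to a local domain is never relaying."""
        domain = recipient_domain.lower()
        if domain in self.local_domains:
            return True, "local delivery"
        if domain in self.always_allow_recipient_domains:
            return True, "always-allow recipient host"
        ip = str(ipaddress.ip_address(client_ip))
        if self.require_smtp_auth:
            # With SMTP Auth enabled every client, local or remote, must authenticate.
            return (True, "SMTP AUTH") if authenticated else (False, "authentication required")
        if any(ipaddress.ip_address(ip) in net for net in self.lan):
            return True, "LAN address"
        if ip in self.always_allow_hosts:
            return True, "always-allow sender host"
        if self.pop_before_smtp:
            last = self.recent_collections.get(ip)
            if last is not None and 0 <= now - last <= POP_BEFORE_SMTP_WINDOW:
                return True, "POP-before-SMTP"
        return False, "relaying denied"
```

Without SMTP Auth the client IP is the only discriminator, so anything that widens the LAN definition or the always-allow lists widens who may relay.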

   Copyright © 2003 - 2011 Enstar Ltd, Enstar LLC & Fastraq Ltd. All rights reserved. Privacy policy.
   Mailtraq® is a registered trademark of Fastraq Limited.