E-Mail Transport Settings

The configuration options for E-Mail transport settings consist of SMTP client and server settings, accepted domains, transport rules to internal mail servers, settings for transmission and network security, and trusted networks.

SMTP Settings are used to integrate the REDDOXX Appliance into your network.

  1. Set the Fully Qualified Domain Name in Server Settings (e.g. mail.mydomain.com)
  2. We strongly recommend using a host name that can be resolved via a reverse DNS query (PTR record) if no smart host (mail relay) is used
  3. If required, adapt the TCP port for the SMTP connections of the REDDOXX Appliance. The default value is "25"
  4. Choose whether the appliance should disconnect the session when the sending server has reached the maximum number of invalid recipients per mail (the default is 0, which disables the function)
    If the appliance receives a mail with more invalid recipients than the configured value, the sending IP is moved to the dynamic IP blacklist
  5. If desired, you may use TLS (encrypted transmissions); here you can select your own SSL certificate (if available)
  6. When SMTP-Auth is enabled, mails coming from the internet can be treated as outbound mails if the connection to the appliance was authenticated with a username and password.
    That means a home office co-worker can send mails via the company's common mail server (this appliance) without being inside the company's network or connected via VPN.
    Recipient addresses are automatically added to the address whitelist if the sender authenticated with SMTP-Auth.
    To use SMTP-Auth, the sender needs to authenticate with login and password.
    The login consists of username and realm.
    When there is a local user named "test", the login would be test@local.
    When there is an AD user "cclippy" in the realm "msad", the login would be cclippy@msad.
  7. For security reasons, SMTP-Auth over TLS can be enabled when using SMTP-Auth, so that an SMTP-Auth connection is forced to be encrypted via TLS.
  8. Configure the values for maximum message size, connection timeouts and maximum connections
  9. Additionally, the appliance may reject new connections if the maximum number of connections is reached.
  10. Select whether the Dynamic IP Blacklist function should be used by the appliance (this requires a Spamfinder license).
    If enabled, the e-mail is validated already during the SMTP connection by checking whether the sending IP address is blacklisted on one of the configured RBL blacklists.
    If the sending IP address is on a blacklist, the connection is disconnected immediately to protect the appliance against spam attacks.
    A requirement for this is that the mails are delivered directly and not via your relay
    The RBL blacklist queries are cached and viewable under "Network restrictions" for 7 days.
  11. Confirm the configuration with "Apply Settings"
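The dynamic IP blacklist described in steps 4 and 10 rests on two mechanisms: a DNS-based RBL query for the connecting IP, and a per-mail invalid-recipient counter. The following added example (it is not REDDOXX code) shows how a DNSBL query name is formed from the client IP, how a listing answer is interpreted, how results are cached so the same sender is not queried again for seven days, and how the invalid-recipient threshold feeds the same list. The zone name rbl.example.net, the resolver callable and the canned answers are constructed for the example.

```python
"""Dynamic IP blacklist: RBL (DNSBL) lookup with a 7-day result cache."""
import ipaddress
import socket
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

# A resolver maps a DNS name to its A record, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: the IPv4 octets in reverse order, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the host's DNS; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


class DynamicIpBlacklist:
    def __init__(self, resolver: Resolver, zones: Iterable[str],
                 cache_ttl: float = 7 * 86400, now: Callable[[], float] = time.time):
        self._resolve = resolver
        self._zones = list(zones)
        self._ttl = cache_ttl
        self._now = now
        # ip -> (time of query, listing zone or None); hits and misses are both cached
        self._cache: Dict[str, Tuple[float, Optional[str]]] = {}
        # IPs added because a single mail exceeded the invalid-recipient limit
        self._by_threshold: set = set()

    def lookup(self, ip: str) -> Optional[str]:
        """Return the first zone that lists `ip`, or None; cached for `cache_ttl`."""
        entry = self._cache.get(ip)
        if entry is not None and self._now() - entry[0] < self._ttl:
            return entry[1]
        listed = None
        for zone in self._zones:
            answer = self._resolve(rbl_query_name(ip, zone))
            # DNSBLs answer with an address inside 127.0.0.0/8 for listed senders
            if answer is not None and answer.startswith("127."):
                listed = zone
                break
        self._cache[ip] = (self._now(), listed)
        return listed

    def note_invalid_recipients(self, ip: str, invalid_count: int, max_invalid: int) -> bool:
        """Per-mail counter from the SMTP settings: 0 disables the check;
        exceeding the limit disconnects the sender and adds it to the list."""
        if max_invalid <= 0 or invalid_count <= max_invalid:
            return False
        self._by_threshold.add(ip)
        return True

    def should_reject_connection(self, ip: str) -> bool:
        return ip in self._by_threshold or self.lookup(ip) is not None


class ConstructedResolver:
    """Stand-in for DNS with canned answers; counts queries to make caching visible."""
    def __init__(self, listed: Dict[str, str]):
        self.listed = listed
        self.calls = 0

    def __call__(self, name: str) -> Optional[str]:
        self.calls += 1
        return self.listed.get(name)


def demo() -> Tuple[bool, bool, bool, int]:
    # constructed data: 192.0.2.44 is "listed", 198.51.100.8 is not
    resolver = ConstructedResolver({"44.2.0.192.rbl.example.net": "127.0.0.2"})
    bl = DynamicIpBlacklist(resolver, ["rbl.example.net"], now=lambda: 1000.0)
    first = bl.should_reject_connection("192.0.2.44")
    second = bl.should_reject_connection("192.0.2.44")   # served from the cache
    clean = bl.should_reject_connection("198.51.100.8")
    return first, second, clean, resolver.calls        # (True, True, False, 2)


if __name__ == "__main__":
    print(demo())
```

Passing `system_resolver` instead of the constructed one turns this into a live check against a real RBL zone; the cached misses matter as much as the hits, because a busy sender would otherwise trigger one DNS query per connection.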

  1. Switch to the Client Settings tab
  2. Here you can also configure the use of TLS, choose how long the outgoing queue tries to deliver mails until they are deleted in case of unsuccessful delivery, and whether outgoing e-mails are to be sent via a relay.
  3. If a relay is used and needs a TCP port other than 25, the port number can be provided after the relay server address (e.g. my.mailserver.com:587)
  4. In the advanced options, the connection timeout, general timeout and maximum connections can be adjusted
    Use these settings with caution, as they are set automatically according to the appliance's performance
  5. Confirm the configuration with "Apply Settings"

  1. Switch to "AntiSpoofing" if e-mails with spoofed sender addresses should be rejected directly in the SMTP connection.
    Exceptions for sender addresses can be configured (e.g. web shops), one address per line.
  2. Confirm the configuration with "Apply Settings"
    Please activate anti-spoofing for the desired local domains
    There should not be any filter profile that uses anti-spoofing (otherwise the exception addresses would be filtered again)

  1. Switch to BATV (Bounce Address Tag Validation)
  2. Enable BATV if needed (a Spamfinder license is required) and enter sender address restrictions (BATV Exceptions) for the filter if applicable
  3. Finish the configuration with "Apply Settings" and restart the SMTP Server and SMTP Client services

Description of BATV:
Another method of sending spam is called bounce address spoofing.
Here an e-mail with a spoofed sender address (e.g. your address) is sent to a mail server for an unknown recipient.
The mail server first accepts the mail and then checks its deliverability.
If the recipient does not exist, the mail server bounces the e-mail back.
Because the sender used your e-mail address, you receive this bounce mail, which contains the original spam besides the error message.
The BATV function checks for an incoming bounce whether a corresponding e-mail was sent out before.
If not, the mail is not accepted during the SMTP connection and is not queued either.

The BATV filter no longer works properly together with MS Exchange Server since version 2007, because the Exchange Server no longer sends a Message Disposition Notification (MDN, e.g. out-of-office) to the envelope sender address (Mail From) but to the Return-Path from the mail header, which does not contain a BATV signature at all.
At the receiving side (the original sender), a REDDOXX will catch this MDN with the BATV filter.

It is required that all outgoing mails are sent via the REDDOXX appliance.
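To make the BATV description concrete, here is an added example (not REDDOXX code) of how such a filter can be built: outgoing mail gets a signed, expiring tag in its envelope sender, and an incoming bounce (empty MAIL FROM) is accepted at RCPT time only if the recipient address carries a tag this appliance produced and the tag has not expired. The tag layout follows the PRVS convention (prvs=<key-id><expiry-day><signature>=<address>); the HMAC-SHA256 construction, the 7-day validity, the `batv_accepts` helper and the treatment of the exception list are assumptions of this example. It also shows why every outgoing mail must pass through the same appliance: a bounce for mail that left by another path carries no tag and is rejected.

```python
"""Bounce Address Tag Validation (BATV) with PRVS-style envelope tags."""
import hashlib
import hmac
import re
import time
from typing import Callable, Iterable, Optional

# prvs=<key-id 1 digit><expiry day 3 digits><6 hex chars>=<original address>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


class BatvSigner:
    def __init__(self, secret: bytes, key_id: int = 0, validity_days: int = 7,
                 now: Callable[[], float] = time.time):
        if not 0 <= key_id <= 9:
            raise ValueError("key_id must be a single digit")
        self._secret = secret
        self._key_id = key_id
        self._validity = validity_days
        self._now = now

    def _today(self) -> int:
        # day counter modulo 1000, because the tag has three digits for the expiry day
        return int(self._now() // 86400) % 1000

    def _signature(self, key_id: int, expiry_day: int, address: str) -> str:
        # assumption of this example: truncated HMAC-SHA256 over key id, day and address
        msg = f"{key_id}{expiry_day:03d}{address.lower()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:6]

    def sign(self, envelope_from: str) -> str:
        """Tag the envelope sender (MAIL FROM) of an outgoing mail."""
        expiry_day = (self._today() + self._validity) % 1000
        sig = self._signature(self._key_id, expiry_day, envelope_from)
        return f"prvs={self._key_id}{expiry_day:03d}{sig}={envelope_from}"

    def verify(self, tagged_address: str) -> Optional[str]:
        """Return the untagged address if the tag is ours and still valid, else None."""
        m = PRVS_RE.match(tagged_address)
        if not m:
            return None
        key_id, expiry_day, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
        if key_id != self._key_id:
            return None
        if not hmac.compare_digest(self._signature(key_id, expiry_day, address), sig):
            return None
        # days left until expiry; a wrapped (negative) difference means the tag expired
        if (expiry_day - self._today()) % 1000 > self._validity:
            return None
        return address


def batv_accepts(mail_from: str, rcpt_to: str, signer: BatvSigner,
                 exceptions: Iterable[str] = ()) -> bool:
    """SMTP-time decision. Only bounces (MAIL FROM:<>) are subject to BATV; a bounce
    to an untagged local address is rejected in the session and never queued.
    `exceptions` lists addresses exempt from the check (an assumption here)."""
    if mail_from not in ("", "<>"):
        return True
    if rcpt_to.lower() in {e.lower() for e in exceptions}:
        return True
    return signer.verify(rcpt_to) is not None


if __name__ == "__main__":
    signer = BatvSigner(b"constructed-secret")          # constructed key
    tagged = signer.sign("alice@example.com")
    print(tagged)
    print(batv_accepts("", tagged, signer), batv_accepts("", "alice@example.com", signer))
```

The key point of the expiry arithmetic is that the three-digit day wraps every 1000 days, so the check compares the distance to the expiry day modulo 1000 rather than the raw values; the key-id digit allows a secret rotation without rejecting bounces for mail sent under the previous key.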

Via the Local Internet Domains (Local Domains), you can create new internal e-mail domains for which the REDDOXX Appliance is allowed to receive e-mails.
It is also possible and recommended to use the recipient verification check via LDAP, so that the appliance can check on incoming mails whether the recipient exists.
This is an important feature to prevent your company from receiving spam to non-existent addresses.

Sample configuration is shown in the following document: LDAP connectivity of the REDDOXX Appliance

The following steps are required to add a local Internet domain (the steps 5-10 are optional):

  1. Select Add Domain
  2. Enter the name of the domain for which you want to receive e-mails
  3. Choose whether the anti-spoofing filter should be activated for the domain
    Make sure to add the anti-spoofing filter to the filter profile as well if profile-based filtering is to be used instead of SMTP-based filtering
  4. Select if archiving should be disabled for the domain
    If it is set to be disabled, the Default Policies are adjusted accordingly.
  5. Switch to the LDAP tab
  6. If the autocreate user and recipient validation features are desired, enter the credentials for your LDAP connection
  7. You can also use SSL for a secure LDAP connection
  8. Choose whether recipient validation should be used and whether the recipient validation check is to be done via the local database (all existing users on the appliance) or via LDAP
  9. Configure the autocreate user option if desired and select one of the configured logon realms from the drop-down list.
  10. Additionally, select a user from the selection list to whom all e-mail aliases that are not currently assigned to anybody should be assigned.
    This is especially helpful for public folder and distribution list addresses.
    From then on, for all incoming e-mails to a public folder address, this e-mail alias is assigned to the selected user.
    After that the filter profile is assigned to that e-mail alias and the e-mail is validated. The selected user has access to his queues and can maintain the filtered mails.
  11. Switch to the CISS tab and, if CISS is to be used, enter a personal signature.
    This optional signature is attached to the message text which the REDDOXX Appliance sends to the sender in case of a CISS challenge.
    It can be entered separately for each domain.
    You can also select the CISS Theme you created for this domain.
  12. Confirm the configuration with "Save"

Via the trusted networks you define from which host or networks emails may be sent via the REDDOXX Appliance.

If there is a mail relay or a firewall with an SMTP server service or a POP3 collector service in front of your REDDOXX Appliance, which receives the e-mails first, do NOT add it to the trusted networks, because then no spam validation, recipient validation or user auto-creation would be possible.

The following steps are required to configure trusted networks:

  1. Select "Add Network"
  2. Enter the IP Address for a local network or a single host
  3. Enter the corresponding netmask; single hosts (internal mail servers) have to be configured with 255.255.255.255 as the network mask
  4. Confirm the settings with "Save"
  5. Restart the service SMTP Server to apply the changes

If changes to local networks are made (via Edit Network or Delete Network) it is also required to restart the service SMTP Server.

Via the Transport Rules, you can define the e-mail server where emails are forwarded to for the registered domains.
These transport rules are used for incoming and outgoing mail traffic.

For incoming mail, the following applies: If the domain of an e-mail is not registered here, the target server is determined via a DNS lookup on the configured DNS server.

For outgoing mail, the following applies: If the domain of an e-mail is not registered here, an SMTP relay is used if one is configured in the appliance.
If no smtp relay is configured, the target server is determined via a DNS lookup on the configured DNS Server.

The following steps are required to configure E-Mail Transport Rules:

  1. Select "Add"
  2. Enter the name of the domain and the corresponding IP Address for the Target Server
  3. Confirm the Settings with "Save"

The Transport Rules can be changed and deleted at any time.

To avoid a mail loop, you should configure a transport rule for each domain that is configured in the Local Domains.
If you have a local domain configured that has no transport rule to an internal mail server, the target server would be determined via DNS. This causes the mail to loop, because the MX record usually points to the appliance again, so the mail would be sent to the appliance once more.
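The routing order described for transport rules (rule first, then the SMTP relay for outgoing mail, then an MX lookup), the `host:port` notation from the client settings, and the mail-loop condition for a local domain without a transport rule can be checked with the following added example, which is not REDDOXX code. The `MailRouter` class, its method names, the MX resolver and all domains, addresses and host names are constructed for the example; the loop detection assumes the appliance is known by the host names passed in `appliance_names`.

```python
"""Transport rules, relay and DNS fallback, and the mail-loop check."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# constructed interface: domain -> MX hosts, best preference first ([] if none)
MxResolver = Callable[[str], List[str]]


def split_host_port(target: str, default_port: int = 25) -> Tuple[str, int]:
    """'my.mailserver.com:587' -> ('my.mailserver.com', 587); the port defaults to 25."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, default_port


class MailRouter:
    def __init__(self, local_domains: Iterable[str], transport_rules: Dict[str, str],
                 smtp_relay: Optional[str], resolve_mx: MxResolver,
                 appliance_names: Iterable[str] = ()):
        self.local_domains = {d.lower() for d in local_domains}
        self.transport_rules = {d.lower(): t for d, t in transport_rules.items()}
        self.smtp_relay = smtp_relay
        self.resolve_mx = resolve_mx
        self.appliance_names = {n.lower() for n in appliance_names}

    def route(self, recipient: str, outbound: bool) -> Tuple[str, str, int]:
        """Return (how, host, port) for the next hop of `recipient`.
        Order: transport rule, then relay (outbound only), then DNS MX lookup."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.transport_rules:
            host, port = split_host_port(self.transport_rules[domain])
            return ("rule", host, port)
        if outbound and self.smtp_relay:
            host, port = split_host_port(self.smtp_relay)
            return ("relay", host, port)
        mx = self.resolve_mx(domain)
        if not mx:
            raise LookupError(f"no MX record for {domain}")
        if domain in self.local_domains and mx[0].lower() in self.appliance_names:
            # a local domain without a rule resolves back to this appliance: a mail loop
            raise RuntimeError(f"mail loop: MX of local domain {domain} is {mx[0]}")
        return ("dns", mx[0], 25)

    def missing_transport_rules(self) -> List[str]:
        """Local domains that have no transport rule, sorted; each is a loop risk."""
        return sorted(d for d in self.local_domains if d not in self.transport_rules)


def constructed_mx(domain: str) -> List[str]:
    """Canned MX answers standing in for the configured DNS server."""
    return {
        "example.org": ["mail.example.com"],   # MX points back at the appliance
        "remote.test": ["mx.remote.test"],
    }.get(domain, [])


def build_demo_router() -> MailRouter:
    return MailRouter(
        local_domains=["example.com", "example.org"],
        transport_rules={"example.com": "10.0.0.5"},   # internal mail server
        smtp_relay="relay.example.net:587",
        resolve_mx=constructed_mx,
        appliance_names=["mail.example.com"],
    )


if __name__ == "__main__":
    router = build_demo_router()
    print(router.route("bob@example.com", outbound=False))   # ('rule', '10.0.0.5', 25)
    print(router.route("bob@remote.test", outbound=True))    # ('relay', 'relay.example.net', 587)
    print(router.missing_transport_rules())                   # ['example.org']
```

Running `missing_transport_rules()` after every change to the Local Domains is the cheap way to catch the loop before the first bounce storm does.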

The network restrictions are used to explicitly allow or reject SMTP connections; a single host or a network may be configured here, depending on the netmask.

The blacklist is filled automatically if the dynamic IP blacklist function in the SMTP settings is enabled.
The SMTP connection is rejected directly if a server listed in the IP blacklist tries to communicate with the appliance.
This is very useful especially during massive spam attacks, as the appliance does not need to validate those mails any further.

If an IP is listed in the blacklist settings for a server that should be allowed to communicate with the appliance, a whitelist entry has to be created for this host.
To allow this host, the netmask must not be the same as in the blacklist, because the dynamic IP blacklist filter would override the whitelist entry again.
It is recommended to set the netmask for the allowed IP to 255.255.255.0 (large companies usually use more than one mail server, so setting only 255.255.255.255 as the netmask would not resolve the problem).

The following steps are required to create a blacklist or whitelist entry for disallowed or allowed IP Addresses:

  1. Switch to the corresponding tab, depending on whether an allowed (Whitelist) or disallowed (Blacklist) address is to be configured
  2. Select "Add"
  3. Provide the Settings for Network, Netmask, validation and comment
  4. Confirm the settings with "Save"
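The three address-based decisions on this page, trusted networks (who may submit outbound mail), the whitelist and blacklist of the network restrictions (whose connection is accepted at all), and the anti-spoofing check on the sender address, all come down to matching the client IP against network/netmask entries. The following added example (not REDDOXX code) models them with the `ipaddress` module: entries are keyed by their network and netmask pair, a single host uses 255.255.255.255, and a whitelist entry with a wider mask than the blacklisted host is what lets a legitimate mail server through. The precedence (whitelist checked before blacklist), the `SmtpAccessPolicy` class and all addresses and domains are assumptions constructed for the example.

```python
"""SMTP access policy: trusted networks, IP whitelist/blacklist, anti-spoofing."""
import ipaddress
from typing import Dict, Iterable, Tuple

Net = ipaddress.IPv4Network
Entries = Dict[Tuple[str, str], Net]   # (network, netmask) -> parsed network


def to_network(address: str, netmask: str) -> Net:
    """Build a network from the dotted address/netmask pair entered in the UI;
    a single host uses 255.255.255.255 as its netmask."""
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


class SmtpAccessPolicy:
    def __init__(self, local_domains: Iterable[str] = (), antispoof_exceptions: Iterable[str] = ()):
        self.trusted: Entries = {}
        self.whitelist: Entries = {}
        self.blacklist: Entries = {}
        self.local_domains = {d.lower() for d in local_domains}
        self.antispoof_exceptions = {a.lower() for a in antispoof_exceptions}

    @staticmethod
    def _add(table: Entries, address: str, netmask: str) -> None:
        # keyed by the pair, so the same address can exist with different masks
        table[(address, netmask)] = to_network(address, netmask)

    def add_trusted(self, address: str, netmask: str = "255.255.255.255") -> None:
        self._add(self.trusted, address, netmask)

    def add_whitelist(self, address: str, netmask: str = "255.255.255.255") -> None:
        self._add(self.whitelist, address, netmask)

    def add_blacklist(self, address: str, netmask: str = "255.255.255.255") -> None:
        self._add(self.blacklist, address, netmask)

    @staticmethod
    def _matches(table: Entries, client_ip: str) -> bool:
        ip = ipaddress.IPv4Address(client_ip)
        return any(ip in net for net in table.values())

    def connection_allowed(self, client_ip: str) -> bool:
        """Network restrictions: an explicit whitelist entry wins (assumed order),
        a blacklisted client is rejected before any mail is validated."""
        if self._matches(self.whitelist, client_ip):
            return True
        return not self._matches(self.blacklist, client_ip)

    def is_trusted(self, client_ip: str) -> bool:
        """Trusted networks: hosts that may send (relay) mail via the appliance."""
        return self._matches(self.trusted, client_ip)

    def rejects_spoofed_sender(self, client_ip: str, mail_from: str,
                               smtp_authenticated: bool = False) -> bool:
        """Anti-spoofing: a MAIL FROM in a local domain is only accepted from a trusted
        network or an SMTP-authenticated session, unless the exact address is an
        exception (e.g. a web shop that sends on the company's behalf)."""
        domain = mail_from.rsplit("@", 1)[-1].lower()
        if domain not in self.local_domains:
            return False
        if smtp_authenticated or self.is_trusted(client_ip):
            return False
        return mail_from.lower() not in self.antispoof_exceptions


def build_demo_policy() -> SmtpAccessPolicy:
    """Constructed configuration mirroring the page's netmask advice."""
    p = SmtpAccessPolicy(local_domains=["example.com"],
                         antispoof_exceptions=["shop@example.com"])
    p.add_trusted("192.168.1.0", "255.255.255.0")        # internal LAN
    p.add_blacklist("203.0.113.7")                       # single host, dynamically listed
    p.add_whitelist("203.0.113.0", "255.255.255.0")      # partner's whole mail-server range
    p.add_blacklist("198.51.100.0", "255.255.255.0")     # a spam source
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    print(policy.connection_allowed("203.0.113.7"), policy.connection_allowed("198.51.100.9"))
    print(policy.rejects_spoofed_sender("192.0.2.10", "ceo@example.com"))
```

The anti-spoofing check deliberately looks at the envelope sender only after the connection has passed the network restrictions, which is the same order the page gives: blacklisted clients are dropped before any validation, and spoof rejection happens within the SMTP session of an accepted connection.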

With the button "Flush DynIP Blacklist entries", all blacklist entries that have been added by the Dyn IP Blacklist filter can be deleted at once.
This is especially helpful if a provider with many IP addresses has been listed on a blacklist.