Relay Authenticated Users
This guide is partly deprecated: Recipient Flows are now configured per domain instead of per listener, which makes them much simpler to configure and understand. In short, the recipient flow/domain part is now: add an any-domain, add a Recipient Flow with relay-authenticated enabled and without SPF, and use them together.
The SPG/VSP can be used to scan outbound mail (SMTP submission) in order to replace and/or protect your mail server, or just to prevent outgoing spam from a network (forced SMTP relaying).
The current implementation supports only PLAIN and LOGIN authentication, both of which send the password in the clear, so it is recommended to require TLS. This configuration requires "Open Relay Support" in your license (Overview -> Licenses).
Most administrators configure SMTP submission on port 25 or port 587. The latter is preferable where possible, since many Internet Service Providers enforce SMTP relaying on port 25, and your clients SHOULD submit outbound mail through your mail server anyway (this is good practice now, and increasingly required by SPF and DKIM). If you choose to use port 25, you may re-use your existing SMTP listener.
Authentication Flow
The Authentication Flow controls the ESMTP AUTH command. The SPG/VSP offers a few user authentication methods (SMTP, FILE and LDAP), which are available as blocks in the Authentication Flow. In this example we choose External SMTP Authentication, since it requires no additional configuration: it simply forwards all authentication requests to your mail server.
Add a new Authentication Flow with the External SMTP Authentication module activated, and choose your mail server as "Verify Against".
Recipient Flow
The Recipient Flow restricts the SMTP RCPT command. It can look up recipients in SMTP, FILE or LDAP, much like the Authentication Flow. For non-authenticated users you only want to accept mail destined for your local mail server; otherwise you would be an open relay, which is really bad.
Add a new Recipient Flow that uses some kind of user lookup for non-authenticated users. In this example we choose External SMTP Lookup, since it requires no additional configuration: it simply forwards recipient lookups to your mail server.
The default template for a Recipient Flow lets authenticated users bypass any further "User Lookup". For non-authenticated users (everyone who sends you mail), the recipient must be verified somehow before the mail is accepted (if you are unsure what to use here, just configure External SMTP Lookup). The icon with the two users and the key/lock illustrates that an authenticated user bypasses any further "User Lookups" and is accepted for whoever they are trying to mail.
Incoming SMTP Listener
This step is partly deprecated: a Recipient Flow is no longer configured on an SMTP listener, but on a domain.
As stated above, you may either reuse the existing Incoming SMTP Listener that accepts incoming mail, or create a new one on port 587. Either way, you need to activate some parameters on the Incoming Listener to use the Authentication and Recipient Flows.
Select your Recipient Flow as "Recipient Flow" and your Authentication Flow as "Authentication Flow" for this SMTP listener. We have also chosen some good default parameters:
- Users are required to use TLS in order to authenticate (this prevents credentials from being sent in the clear, since only PLAIN and LOGIN are supported).
- Direct Processing is a very good idea when using the SMTP listener in outbound mode, since it gives users direct feedback on the SMTP submission.
Outgoing Transport
Since submitted mail is (in most cases) sent outbound, we need a transport that uses lookup-mx as its transport method. It is very important that you change the MODE of the transport to Outbound, or your license will be exceeded!
We also tweak the transport here:
- Mode is set to Outbound; otherwise your license will be exceeded.
- Retry Delays are set to 15,15,30,60 (minutes; 15+15+30+60 = 120) and Retry Count to 4. This bounces any undeliverable outbound mail back to the sender within 2 hours of the first failure.
- DSN (Delivery Status Notifications) is left activated, since we want to notify our authenticated users when delivery fails.
Content Flow
If you install a fresh 2.0.8 or later (or in some other cases) you will see a default flow for mailflow:2 called "Outgoing"; this flow is well suited for outbound scanning. A screenshot of this flow is provided below so you can replicate it if it is missing.
Put all pieces together
The magic in this configuration happens when you add a match-"any" domain. An any-domain matches every domain that is not explicitly added to your mail listener; in this case, all domains except example.org. Perfect for outbound delivery.
- Don't forget to use your "Outgoing" Content Flow and your "lookup-mx" transport.
Why it works
Non-Authenticated Users
- A non-authenticated user sends mail to test@example.org: the recipient is verified against your SMTP server (Recipient Flow) and succeeds, your example.org domain is matched, and the mail is delivered to your local mail server.
- A non-authenticated user sends mail to test@hotmail.com: the recipient is verified against your SMTP server (Recipient Flow) and fails, since that user is not on your local mail server, so the mail is rejected. This is what keeps the listener from being an open relay.
Authenticated Users
- An authenticated user sends mail to test@example.org: the recipient is not verified but accepted, the example.org domain matches your explicitly configured domain, and the mail is sent to your local server.
- (In some configurations, though not this one: if you don't specify example.org as a domain, the mail will likely be sent outbound and come back to your mail server as incoming mail. This behaviour can be overridden by a custom script or by using a custom DNS server that says example.org should be delivered to your local mail server, but in most cases it is not really an issue.)
- An authenticated user sends mail to test@hotmail.com: the recipient is not verified but accepted, the hotmail.com domain matches the any-domain, and the mail is sent outbound.
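The listener rules from the Incoming SMTP Listener section and the four cases above can be checked as a small simulation. The following Python is an added example, not SPG/VSP code: it models AUTH being refused until STARTTLS, non-authenticated RCPTs being gated by a recipient lookup, and authenticated RCPTs bypassing the lookup and being routed either to the explicit domain or to the any-domain (lookup-mx). The mailboxes, credentials, transport names and the function names are all constructed for the example; only AUTH PLAIN is implemented.

```python
"""Simulation of the submission listener policy described on this page.

Added illustration, not Halon SPG/VSP code. It models three rules:
  1. AUTH is refused until STARTTLS has been issued (only PLAIN/LOGIN exist,
     and both carry the password in the clear).
  2. A non-authenticated sender may only RCPT TO addresses that the recipient
     lookup (stand-in for "External SMTP Lookup") confirms exist locally.
  3. An authenticated sender bypasses the lookup; routing then picks the
     explicitly listed domain (local transport) or the any-domain (lookup-mx).
All users, passwords, mailboxes and transport names are constructed sample data.
"""
import base64
from dataclasses import dataclass, field

# Explicitly configured domains -> transport (example.org is local, as on the page).
EXPLICIT_DOMAINS = {"example.org": "local-mailserver"}
ANY_DOMAIN_TRANSPORT = "lookup-mx"  # the match-"any" domain routes outbound

# Constructed stand-ins for the mail server behind External SMTP Lookup / Auth.
LOCAL_MAILBOXES = {"test@example.org", "postmaster@example.org"}
CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    tls: bool = False
    authenticated: bool = False
    accepted: list = field(default_factory=list)  # (recipient, transport)


def recipient_lookup(address: str) -> bool:
    """External SMTP Lookup stand-in: does the local mail server know this user?"""
    return address.lower() in LOCAL_MAILBOXES


def verify_credentials(user: str, password: str) -> bool:
    """External SMTP Authentication stand-in."""
    return CREDENTIALS.get(user) == password


def route(recipient: str) -> str:
    """Explicit domain wins; anything else matches the any-domain."""
    domain = recipient.rsplit("@", 1)[1].lower()
    return EXPLICIT_DOMAINS.get(domain, ANY_DOMAIN_TRANSPORT)


def auth_plain(user: str, password: str) -> str:
    """Build the client's AUTH PLAIN line (RFC 4616 initial response)."""
    blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    return f"AUTH PLAIN {blob}"


def handle(session: Session, line: str) -> str:
    """Apply the listener policy to one client command and return the reply."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "STARTTLS":
        session.tls = True
        return "220 Ready to start TLS"
    if verb == "AUTH":
        if not session.tls:  # "Users are required to use TLS in order to authenticate"
            return "530 Must issue a STARTTLS command first"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:  # covers bad base64, bad UTF-8 and a wrong field count
            return "501 Malformed AUTH PLAIN response"
        if verify_credentials(user, password):
            session.authenticated = True
            return "235 Authentication successful"
        return "535 Authentication credentials invalid"
    if verb == "RCPT":
        recipient = arg.partition(":")[2].strip().strip("<>")
        if "@" not in recipient:
            return "501 Bad recipient address syntax"
        # Authenticated users bypass the lookup; everyone else must verify.
        if not session.authenticated and not recipient_lookup(recipient):
            return "550 Recipient verification failed"
        session.accepted.append((recipient, route(recipient)))
        return "250 OK"
    return "502 Command not implemented in this simulation"


def run(commands):
    """Feed a scripted client session through the policy; return (session, replies)."""
    session = Session()
    return session, [handle(session, c) for c in commands]


if __name__ == "__main__":
    script = [
        "RCPT TO:<test@hotmail.com>",                        # unauthenticated: refused
        auth_plain("alice", "correct horse battery staple"),  # no TLS yet: refused
        "STARTTLS",
        auth_plain("alice", "correct horse battery staple"),
        "RCPT TO:<test@hotmail.com>",                        # any-domain -> lookup-mx
        "RCPT TO:<test@example.org>",                        # explicit -> local
    ]
    session, replies = run(script)
    for cmd, reply in zip(script, replies):
        print(f"C: {cmd[:40]}\nS: {reply}")
    print(session.accepted)
```

The unauthenticated case mirrors the page's open-relay argument: test@hotmail.com is not in the local lookup, so it is refused before any routing happens, while the same recipient from an authenticated session is accepted and routed to the any-domain's lookup-mx transport.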