|
Mail servers use the global Domain Name System to find the network
address of the recipient computer or the recipient mail server. Each domain
(part of the E-mail address after the @ symbol) should have a special
so-called MX-record in the Domain Name System. That record specifies the
name of the computer that actually receives mail for that domain. For example,
MX records can specify that mail for the domain company.com should
be sent to the computer mail.company.com, and mail to the domain
enduser.com should be sent to the computer provider.com.
There can be several MX-records for one domain (with different priority
values). If one (high-priority or primary) computer cannot receive mail,
mail is sent to lower-priority computers (called Back-up Mail Servers).
Back-up mailer servers then try to deliver the message to the primary server.
When the name of the recipient computer is retrieved from the DNS, the
sending mail server consults the DNS again. Now it uses the DNS to convert
the receiving mail server name into its network address. The so-called DNS
A-records contain the pairs that link a computer name to its global Internet
network (IP) address.
When the network address of the recipient mail server is received from
the DNS, the sending mail server opens an SMTP connection to that server
and transfers the message(s). When all messages to that domain are transferred,
the connection is closed.
When a message contains several addresses within the same domain, the
SMTP module can transfer only one copy of the message to the mail server
serving that domain, and that server delivers messages to all recipients
in that domain. But if there are too many addresses, the SMTP module can
break them in several portions and send several copies, each containing
only a portion of the address set.
If there are several messages to one domain, the SMTP module can open
several connections to the mail server serving that domain and send those
messages simultaneously.
If you want to receive messages from the Internet with your own mail
server, you should register your domain name, and ask your provider to register
that name with the Domain Name System. The DNS records should point to the
computer running your mail server.
Use the WebAdmin Interface to configure the SMTP module.
Open the Mail pages in the Settings realm, then open the SMTP pages.
Use the Log setting to specify what kind of information the SMTP module
should put in the Server Log. Usually you should use the Major
(message transfer reports) or Problems (message transfer and non-fatal
errors) levels. But when you experience problems with the SMTP module,
you may want to set the Log Level setting to Low-Level or All
Info: in this case protocol-level or link-level details will be recorded
in the System Log. When the problem is solved, set the Log Level setting
to its regular value, otherwise your System Log files will grow in size
very quickly.
The SMTP module records in the System Log are marked with the SMTPI
tag for incoming connections, with the SMTP tag for outgoing
connections, and with SMTPW tag for connections used to wake up
the back-up server.
If you want to send messages over the Internet, your server should have
a TCP/IP link to the Internet. When a message should be transferred to
some remote host, the SMTP module connects to that host via the TCP/IP
network, and it transfers the message using the SMTP protocol.
- Channels
- This setting (see above) limits the number of outgoing SMTP connections the module is allowed to
open simultaneously.
- Default IP Address
- When CommuniGate Pro receives a message, it can assign one of its local network addresses
to that message, and if the SMTP module needs to send such a message, it will send it via the assigned local address. See the Domains section for more details.
All other messages are sent out via the Default SMTP IP Address. Set this setting to OS Default to let the server OS pick the
proper local network address itself.
- Recipients/Message
- This setting specifies how many recipients can be sent with one message.
If a message has too many recipients, the specified number of recipients is sent,
then the message body is sent, and then the module repeats the sending procedure
with the same message - for the remaining recipient addresses.
- Hide Received Fields
- If this option is selected, the SMTP module modifies all Received header fields
in the messages it sends to non-client network addresses.
Only the time stamp values are left in those fields, while all other field values are replaced with some dummy data.
- Always use EHLO
- If this option is selected, the SMTP module always sends the EHLO command
to remote servers, trying to establish the extended SMTP (ESMTP) protocol.
If this option is not selected, the SMTP module checks the remote server greeting line.
The SMTP module sends the EHLO command only if this line contains the ESMTP word.
When sending messages over the Internet, the SMTP module can forward
them to some other mail server, or it can deliver messages directly to
the recipients, using the DNS MX-records to find the recipient hosts on the Internet.
When the SMTP module sends a message from a Domain with an assigned IP address:
- the connection to the remote server can be made from the Domain IP address, see Domain Settings section
- the module sends the HELO/EHLO command using that Domain name.
If this name does not resolve to the Network IP Address of this CommuniGate Pro Server, some receiving systems may reject SMTP connections coming from your Server.
In this situation you can update the Domain Settings to specify an alternative name to use with the HELO/EHLO command.
When the SMTP module sends a message from a Domain without any assigned IP address:
- the connection to the remote server is made from the Default IP address
- the module sends the HELO/EHLO command using the Main Domain name.
If this name does not resolve to the Network IP Address of this CommuniGate Pro Server, some receiving systems may reject SMTP connections coming from your Server.
In this situation you can update the Default Domain Settings to specify an alternative name to use with the HELO/EHLO command.
- Forward to
- When this option is selected, the SMTP module connects
to the specified Forwarding Mail Server (also called a smart host)
and sends all queued messages
to that server. Since the Forwarding Mail Server is usually "close"
to your server, messages leave your system quickly. But this method can
cause additional delays in message delivery, since messages are queued
on the Forwarding Server and those queues can be processed slowly. This method
is recommended when your server is connected to the Internet using a slow
link, or when you use a dial-up link and you want messages to leave your
server as soon as possible to keep the connection time short.
Select the Forward to option and specify the name or the IP address of
the Forwarding Server. The SMTP module will forward all outgoing
messages to that mail server for delivery.
Note: the name of the Forwarding Mail Server should
be the name of the real computer (as specified in an A-type DNS record),
not a mail domain (MX-type) name. While your provider domain name can be provider.com,
the name of the provider mail server can be something like mail.provider.com.
Consult with your provider to get the exact name of the Forwarding Mail Server you can use.
Note: you can specify the IP address of the Forwarding Server instead of its name. You
can also specify several IP addresses, separated with the comma (,) symbol. If an SMTP connection to
the first specified address cannot be established, the SMTP module will try the next specified address.
Note: when configuring a Cluster Backend Server, you
can specify the asterisk (*) symbol in the Forward To setting. In this case, all Cluster
Frontends (specified on the Cluster Settings page) will be used as the Forwarding Mail Servers.
- AUTH Name
- The Forwarding Mail Server should be configured to enable relaying from your
server to any other server on the Internet. Some Forwarding Mail Servers may require
your server to use the AUTH command with a valid name and password parameters before
transferring messages that need to be relayed. In this case you should
enter the AUTH login name and password in the AUTH fields.
This type of configuration is used when your server has a "dynamic IP address", and
receives mail from the same Forwarding Server using the ATRN method.
Usually the username and password used for mail forwarding are the same as the username and
password used for ATRN receiving.
- Directly to Recipients
- When this option is selected, the SMTP module uses
the DNS (Domain Name System) to convert message recipient addresses into
the names and addresses of the receiving hosts. A receiving host can be
the recipient host itself, or a relay host. The information about the proper
relay host is stored in so-called MX records on Domain Name Servers. For
each destination host several records can exist, each record having a priority
value. If the SMTP module fails to connect to the relay host with the highest
priority, other MX records are used and other relay hosts are tried. If
no relay host is available, the message remains in the SMTP queue, and
more attempts to deliver it (and all other messages to the same host) are
made later.
This method allows the system to deliver a message either directly to
the recipient computer or to a relay host that is "very close"
to the recipient computer. Recipients can read your messages almost immediately,
and your messaging system does not rely on any Forwarding Mail Server
performance.
When the Server queue contains several messages to be directed to the
same domain, the SMTP module opens a connection to that domain mail server
and sends messages one by one. If the established connection is slow and
there is a large message in the Queue, other messages would wait too long
before being delivered. You may want to allow the SMTP module to open additional
connections to the same mail server and send other messages in parallel.
- Channels/Host
- Use this setting to limit the number of TCP connection
the SMTP module is allowed to establish with one domain mail server.
- Add Channel after
- When the SMTP module cannot send a single message within this time period, and there are other messages
in the same Queue, the module opens a new parallel connection.
- when Queue size is
- If the SMTP module is sending a message, and there number of unsent messages in the same Queue is equal or
larger than the value of this setting, the module opens a new parallel connection.
If an attempt to deliver a message fails, the SMTP module can delay delivery of that message,
or it can delay delivery of the entire host queue (if a connection with the host could not
be established or an established connection was broken, etc). The Retrying panel allows you
to control how the SMTP module makes attempts to deliver messages:
- Retry Every
- Use this setting to tell the SMTP module when it should
retry to send a message if a connection fails. If you use a Forwarding Mail
Server, this option specifies when the module should retry to connect to
that server if the previous connection failed for any reason. If you use
the Directly to Recipients method, and a connection to some remote host
(domain) fails, all messages directed to that domain will be suspended
for the specified time. Usually SMTP systems suspend messages for 30 minutes.
- for the first .... then Retry
- Use these settings to tell the SMTP module when and how it should
change the retry interval. Usually, you would tell the SMTP module
to increase the retry interval to 1-2 hours after a message has spent more than 2
hours in the queue.
- for
- Use this setting to limit the number of attempts
to deliver a message. If a message cannot be delivered within the specified
period of time, the message is rejected and an error report saying that
the host is unavailable is sent back to the message sender.
- Messages with empty 'Return Paths': for
- This setting specified the alternative Keep Trying value for messages with
empty Return-Paths. These messages are used to report failed or successful delivery,
and they can be discarded from the Queue after fewer attempts.
- Delay Messages
- When a receiving host returns a "temporary failure" (4xx) response for
a message sending command (MAIL FROM, DATA, the "final dot"), this setting specifies
when an attempt to send this message should be repeated.
- Delay Recipient
- When a receiving host returns a "temporary failure" (4xx) response for a message
recipient command (RCPT TO), this setting specifies when an attempt to send the
message to this recipient should be repeated.
- Send Warnings After
- Use these settings to tell the SMTP module when warning messages should be
sent back to the message senders, notifying them about delivery delays.
You can configure your CommuniGate Pro Server SMTP module to use secure
(encrypted) connections when sending messages to remote sites.
- Never
- Select this option if you want the SMTP module to send via an unencrypted channel.
- Wherever possible (low security)
- Select this option if you want the SMTP module to try to use SSL/TLS connections with
remote SMTP servers that support this feature. If the remote server supports the STARTTLS command, the
SMTP module tries to establish a secure (SSL/TLS) connection with that server.
The module does not check the remote server Certificate validity or the Certificate Subject in this case.
If the STARTTLS command or secure connection negotiations fail, the server defaults back to plain-text communication and sends
messages via an unencrypted channel.
Some servers advertise STARTTLS support, but fail to accept SSL/TLS connections. When this option is selected, it is impossible to send E-mail to those servers.
To solve this problem, inform the broken server administrator, and create a Profile with the list of the exception hosts which uses the "Never" option.
- Always (high security)
-
Select this option to enforce secure connections with the remote servers.
When the CommuniGate Pro SMTP module connects to a remote SMTP server,
it checks if that server supports the STARTTLS protocol extension command. Then the SMTP
module uses this command to initiate a secure connection with that server.
The CommuniGate Pro SMTP module checks the validity of the remote server Certificate using
the specified set of the Trusted Certificates.
The remote server Certificate subject must contain the cn (Common Name) field
that matches either the domain name of the remote site, or the name of this relay. This
can often cause a problem, since the domain company.dom may have the MX record
relay1.company.dom, but the computer with the relay1.company.dom address
has the "main" DNS name smtp.company.dom and its Certificate is issued to that
name (its Certificate subject contains smtp.company.dom in the
cn field).
To solve this problem, you should explicitly route all traffic to the
company.dom domain via the smtp.company.dom relay, using the following
Router record:
NoRelay:company.dom = company.dom@smtp.company.dom._via
See the Routing section for more details about SMTP routing.
Note: this feature ensures that messages between your server and a remote server are transferred securely.
To provide complete end-to-end security, you should verify that:
- users submit messages to servers either using a private network, or using TLS/SSL connections over the public Internet (secure SMTP or secure WebMail);
- all mail servers and relays exchange messages either using a private network, or using TLS/SSL connections over the public Internet (secure SMTP);
- users read messages either using a private network, or using TLS/SSL connections over the public Internet (secure POP, IMAP, WebMail).
If the receiving server
does not support the STARTTLS command, or the remote server certificate cannot be validated,
or the remote server certificate Subject does not match the domain or domain relay name, all messages to that domain are rejected,
ensuring that no message is sent via a potentially insecure link.
If your server sends all outgoing mail via a Forwarding Mail Server, the CommuniGate Pro SMTP module does not check the Subject of the Forwarding Server certificate.
- TLS Version
- The highest version of TLS the SMTP module will try to use.
If the connection fails due to TLS handshake problems and the "herever possible" flag is set,
then for the every next attempt the version one step lower will be used.
The final delivery attempt will be done without TLS.
- TLS Client Certificate
- A remote server may request that the sending server additionally authenticates by a certificate.
If the remote server sends certificate request during handshake, it can be handled in three possible ways:
- None
- no client certificate is sent.
- Sender Domain's or None
- if a certificate matching the request is installed in the sending domain, it will be sent; no certificate is sent otherwise.
- Sender or Main Domain's
- if a certificate matching the request is installed in the sending domain, it will be sent; the certificate from the Main Domain is sent otherwise.
If an outgoing connection is made to the port 465 (see Sending to Non-Standard Ports section),
then the SMTP module initiates the secure (SSL/TLS) protocol immediately after establishing a TCP/IP connection.
A Host Profile is an additional named set of the SMTP Module settings. You can have several profiles, for different sets of target hosts.
To create a new Profile, or edit an existing profile, use the WebAdmin Interface to open the Sending settings page of the SMTP module. The page lists names of all created Profiles.
Enter the new Profile name and click the Create Profile button. A new Profile will be created.
Each Profile has a list of domain names to whose hosts the Profile's settings are applied. The specified names can contain a wildcard - the asterisk (*) symbol.
The settings of the SMTP Module are used as default values for the Profile's settings.
The Profiles are checked in the alphabetical order of their names. A domain may be listed in multiple profiles, but only the first matched profile will be used.
By using Profiles you can override the default SMTP module settings for particular target domain or group of domains.
For example, you can assign a domain a dedicated Frowarding Server, with dedicated authentication parameters.
The SMTP protocol is used to receive messages from the Internet and
from the client mailer applications. If you want to receive messages from
the Internet, you need a TCP/IP link to the Internet, and your server domain
name and the IP address should be included into the DNS records.
Click the Receiving link on any SMTP Settings page to open the SMTP Receiving settings page.
- Channels
- When you specify a non-zero value for this setting,
the SMTP module creates a so-called "listener". The module starts
to accept all SMTP connections that other mail servers establish in order
to send mail to your Server. This setting is used to limit the number of
simultaneous connections the SMTP module can accept. If there are too many
incoming connections open, the module will reject new connections, and
sending mail systems will retry later.
- Listener
- This link allows you to tune the SMTP Listener. You
can specify which TCP ports to use for SMTP incoming connections (by default, the port
25 is used), which local IP addresses to use for incoming connections (all available
addresses are used by default), and which remote addresses should be granted access
to your CommuniGate Pro SMTP Server (by default, all addresses can connect to the
SMTP port).
Note: to allow Microsoft® Outlook Express 4.x users to submit messages
using secure connections, you should configure the SMTP listener to accept connections
on the TCP port 465, and enable the SSL/TLS option for that port.
Note: Netscape® Messenger and modern versions of Microsoft Outlook
and Outlook Express products do not need any special port for
secure communications, since these products use the STARTTLS command to
initiate secure communications after establishing a regular, clear text SMTP connection to
the standard port number 25.
- Advertise AUTH capability
- If a server reports (in its initial EHLO prompt) that it supports SMTP Authentication,
some mailer clients force users to authenticate themselves before sending messages.
If you select the Non-Clients value, and a connection is accepted from
an address included into the Client IP Addresses list, the SMTP module will not report that it
supports the AUTH command. If the Nobody value is selected, the SMTP module never reports that it
supports SMTP AUTH. This option does not disable the SMTP Authentication feature itself.
- Advertise 8BITMIME
- If your Server does not report the 8BITMIME capability, some mailers and servers
will MIME-encode all non-ASCII messages that they send to your Server . This server-side
encoding can cause troubles for many old mail clients. To avoid these troubles, your
Server should report the 8BITMIME capability.
Note:The CommuniGate Pro SMTP module itself never converts non-ASCII messages into the MIME form,
and (according to RFC1652) it should not advertise the 8BITMIME capability.
But the modern Internet is completely 8-bit transparent and clean, so it is safe to enable the Advertise 8BITMIME option, preventing other servers from doing unnecessary 8bit-to-MIME message body conversion.
- Advertise NO-SOLICITING
- Use this setting to specify the Solicitation class keywords your Server is not willing to
accept. See the RFC3865 for more details.
- Verify HELO
- This option specifies if the parameters of HELO/EHLO commands should be verified.
You can tell the module to verify these addresses only for the
connections from network addresses not included into the Client IP Addresses list.
This is useful if:
- many of your clients use mailers that send bogus names in the HELO/EHLO commands;
- your Internet connection is a dial-up one, and you do not want any outgoing (DNS) traffic
to be generated when receiving mail from your own client computers (Client Hosts).
- Verify Return-Path
- Return-Path E-mail addresses (sent using the MAIL FROM protocol commands) are
processed with the Router. If the resulting address is routed to
a remote host (a non-local domain name), this option specifies if the that domain name should be verified.
See the Protection section for more details.
- Check SPF records
- This option tells the SMTP module to verify non-local Return-Path domain names using the SPF DNS records.
- If this option is set to Disabled, the SPF records are not used.
- If this option is set to "Add Header", the SPF records are checked,
and the Received-SPF header field with the SPF record processing result is added to all incoming messages.
- If this option is set to Enabled, the SPF records are checked.
If these records say that messages with the specified Return-Path domain cannot be sent from the sender network (IP) address (the SPF records specify "hard failure" for that address),
the Return-Path is rejected.
In other cases, the Received-SPF header field is added to the message.
- If this option is set to "with DMARC", the SPF records are checked, Return-Path and message body are accepted;
Then if the sender is not authenticated then domain in 'From:' address from the message header is checked; if the domain does not exist (no A nor MX DNS records) the message body is rejected.
Then DMARC record for the domain is checked, if the record is not found then the record for the organizational domain is checked. If the DMARC policy
is "reject" and SPF check result is not "pass" and the message has no DKIM signature which is valid and aligned to the domain, the message body is rejected.
In other cases, the Received-SPF header field is added to the message.
Note: the SPF/DMARC records are not checked for SMTP connections from Client or White Hole network addresses.
Note: If the Verify Return-Path option is set to Nobody, this option is not used.
- Reverse Connect
- This option tells the SMTP module to verify non-local Return-Path addresses by
connecting to the mail servers hosting those addresses and verifying that those servers accept the specified addresses.
If this option is set to Add Header, the addresses that cannot be verified are not rejected.
Instead, the X-Reverse-Check header field containing the verification failure code is added to the message.
Note: Reverse Connect processing is not used for incoming SMTP connections from Client or White Hole network addresses.
Note: If the Verify Return-Path option is set to Nobody, this option is not used.
- Require STARTTLS
- This option is applied to messages with Return-Path addresses not belonging to any Domain created on this Server.
If the SMTP connection is established from the specified address (Client, non-Client, etc.) and the connection is not secured using SSL/TLS encryption,
the Return-Path and the message itself is rejected.
For messages with Return-Path addresses belonging to some Domain created on this Server, this functionality is controlled using the Domain Settings.
If a message sender (the message Return-Path specified with the MAIL FROM protocol command) is
a local Object - an Account, or a Group, or a Mailing List in a local Domain,
that Domain is opened, and its SMTP Force AUTH
option is checked.
If this option is enabled, the message will be rejected if the client mailer has not sent the SMTP AUTH command first.
The option value specifies for which sending mailer IP addresses this feature should be used.
Note: this option checks for the "fixed" Client IP Addresses only - it does
not pay attention to the "temp-client" addresses added with the Process as a Client Address feature.
Note: use this option carefully. Some users may use different mail relays
to submit their messages with their CommuniGate Pro Account names as the message Return-Paths.
If this option is enabled and those messages are directed to your Server, they will be rejected,
because mail relay servers are not able to authenticate the senders on your Server.
Note: most mailers will send the AUTH command only when the server advertises its SMTP
AUTH capability. Make sure that your server does advertise it (see above).
- Message Size Limit
- This setting tells the module to reject all incoming messages that are larger than the specified limit.
- Message Recipients Limit
- This setting limits the number of recipients for each incoming message. Specifying a
lower value makes your server less attractive for spammers.
- Non-Client Sender: Limits
- Use this option to specify a time period and the limit on the number of message recipients. For
each non-client IP address the SMTP module counts all messages coming from that IP address, and all
recipients specified for those messages. If the total number of all recipients specified during the
set time period exceeds the set limit, new recipients are rejected with a temporary code, forcing the
sending server to retry sending messages to those recipients later.
If a sender has completed a successful SMTP AUTH operation that allows the sender to relay via the
CommuniGate Pro server, the recipients sent via that connection are not counted.
This setting can be used to protect your Server from spammers that send one message or a batch of
messages to a large number of users of your system. On the other hand, if a large number of your users
is subscribed to some mailing list, this option can cause delays for messages coming from that list.
- Non-Client Sender: Delay Prompt
- Use this option to specify the delay time between the moment when an SMTP connection is accepted from a non-client
address and the moment when the Server responds with an initial prompt. This delay can be used to force
spam-sending programs to disconnect from your Server. Normal servers should still be able to transfer
mail, as the RFC2821 standard requires them to wait 5 minutes for the initial prompt, and most servers
do wait at least 3 minutes.
When this setting has a non-zero value, the Server checks if any data line has been received from the sender
before the initial SMTP prompt is sent. If the sender has sent some data without waiting for an initial Server prompt,
an error message is returned to the sender and the connection is closed.
The Prompt Delay is introduced only for connection made to the port 25.
Note: if you start to use long Prompt Delays, expect to see your Server using
much more SMTP Input channels, as each SMTP transaction becomes longer.
- Non-Client Sender: Disconnect
- Use this option to specify how many protocol errors the SMTP module should detect before
it drops the connection with the sender. This feature protects your Server from spammers that try
various E-mail addresses (dictionary attack), causing "unknown account" errors.
The SMTP module places the network addresses of disconnected senders into the Temporarily Blocked Addresses
list. The SMTP module rejects new connections from the Temporarily Blocked Addresses.
Note: the module does not block a "failed sender" network address if
that address is a Client IP Address (specified explicitly or via DNS)
or if that address is a White Hole Address.
When an incoming recipient address (RCPT TO) command addresses a local Account,
the Account Domain settings can instruct the SMTP Module
to check the current status of that Account.
If E-mail to the Account can not be delivered immediately (Account is over quota, etc.),
the recipient address is rejected with a "temporary failure" (4xx) response code.
If your Server has a dial-up link, its domain name should have at least one
additional DNS MX record, specifying a "back-up" mail server
(usually, your ISP mail server). When your Server is off-line, all messages
directed to your domain(s) are sent to that back-up mail server.
The back-up mail server tries to deliver collected messages to your
server. Usually, the retry period is 30 minutes, so your system should
stay on-line for at least that period of time in order to receive messages
from the back-up server.
To avoid this delay, the SMTP module can be configured to send the Remote
Queue Starting ("ETRN") command to the back-up server. When the
back-up server receives that command, it immediately starts to send the
collected messages to your Server.
- Send Wakeups
- Use these settings to specify the address of the Back-up Server, and to
specify how often the Remote Queue Starting command should be sent.
Note: the name of the back-up server should be the name of the
real computer (as specified in an A-type DNS record), not a mail domain
name. While your provider domain name can be provider.com,
the name of the provider mail server can be something like mail.provider.com.
Consult with your provider to get the exact name of your back-up server,
or just examine the DNS MX records for your domain: your back-up server
is specified with the MX record that has the priority next to your own Server
MX Record priority.
The ETRN command can be used to release your domain queue on a remote backup server
only if your server has a static IP address.
If your server has a dynamic IP address, the ETRN method does not work, since
the backup server does not know the IP address your server is using, and the backup server
is not able to open a connection to your server.
If your server uses a dynamic IP address, it should use the On-demand Mail Relaying method to retrieve mail from the backup server.
When On-demand Mail Relaying method is used, your server connects to the backup server,
authenticates itself, and then it issues the ATRN command. Then the servers exchange
their roles and the backup server starts to send your server your domain mail via the same channel.
This eliminates a need for the backup server to open a connection to your server.
Since the backup server does not open a connection itself, it has to verify that the server
that sends the ATRN command and wants to retrieve your domain mail is really your server. Your
server should provide some name and password that should be accepted by the remote server and that
should allow your server to issue the ATRN command.
Consult the remote server administrator to learn the name and the password your server should send
before sending the ATRN command.
- Use ATRN
- select this option to use the ATRN (On-demand Mail Relaying) method instead of the ETRN method.
- AUTH Name and Password
- this pair of strings is sent to the remote server using the AUTH command. The access rights
granted to this login name on the remote server should allow your server to use the ATRN command.
The CommuniGate Pro SMTP module uses the AUTH CRAM-MD5 authentication method to send
passwords in an encrypted form. If the remote server does not support the CRAM-MD5 method, the
clear-text AUTH LOGIN method is used.
If your backup server does not support On-demand Mail Relaying, you should use the
Unified Domain-Wide Account method implemented with the Remote Poll module.
The RFC2645 suggests to use the special TCP port number 366 to provide the ATRN services.
If your backup mail server provides the ATRN services on that port (or on any port other that
the standard SMTP port 25), you should specify the port number in the Send Wakeups To setting field.
Use the colon symbol to separate the server name and the port number:
mail.provider.dom:366
You can use secure communications with the backup server if you include the backup server
name into the Send Encrypted list.
When the backup server name is specified, the SMTP Settings page displays the Wake Up Now button.
Click that button to initiate a wakeup session immediately.
The SMTP module implements the LMTP protocol. It supports this protocol on all its ports,
and it is not required to configure additional ports just to support LMTP.
The SMTP module switches to the LMTP mode when it receives the LHLO LMTP command.
The CommuniGate Pro Server can be used as a back-up mail server for
dial-up systems. Dial-up systems receiving mail via SMTP expect their back-up
servers to receive and keep all their messages when these systems are off-line.
When a dial-up system connects to the Internet again, it connects to its
back-up mail server and either issues the special Remote Queue Starting command
(ETRN, RFC1985), or sends a dummy E-mail message to a special address on
the back-up server.
When your server receives the ETRN command, it tries to send out
all messages collected for the host specified as the ETRN command parameter.
This method allows a dial-up system to get its messages immediately,
instead of waiting for your server to make the next attempt to deliver
the collected messages.
The SMTP module supports the ETRN command, so CommuniGate Pro can be used as a back-up
mail server. No special setting is required, since this feature is always enabled.
The SMTP module uses the Router to process the ETRN
parameter (domain name). It adds the wakeup fictitious user name to that domain
to get a regular E-mail address wakeup@etrn-parameter and runs it through the
Router. If the address is routed to an SMTP host, the SMTP module releases (wakes up) that host queue.
If you have routed the domain client.com to mail.client.com in your Router
Table, all mail to the client.com domain will be kept in the mail.client.com queue. Since
the ETRN command parameter is processed with the Router, too, the ETRN client.com command
will correctly release the mail.client.com queue.
In a Dynamic Cluster environment, the ETRN command received by any cluster
member releases domain queues on all cluster members.
When the SMTP module receives the ATRN command, it checks that the connected party has
authenticated itself. Then the module releases the specified domain queue and sends all its messages
directly via this (already established) connection. No special settings is required to enable
the ATRN feature of the CommuniGate Pro SMTP module. There are some notes about the ATRN implementation:
- Only one ATRN command parameter is allowed.
- The name of the domain queue to be released should match the name of the authenticated user. If you
want to allow a dial-up client host to release the domain.dom queue, you should create
the domain.dom Account in the CommuniGate Pro Main Domain, and the client host should authenticate
itself using the domain.dom as the login name and the domain.dom Account password as the password.
- If the ATRN command does not have a parameter, the name of the authenticated user is used as the name of
the queue to be released.
- The domain name used in the ATRN command must be included into the Hold Mail for Domains list.
The ATRN command parameter (if any) is processed in the same way the
ETRN command parameter is processed.
The RFC2645 suggests to use the special TCP port number 366 to provide the ATRN services. CommuniGate Pro
SMTP module provides the ATRN services on all ports its Listener is using.
To comply with the RFC2645 standard, you may want to add the port 366 to the SMTP Listener settings.
For compatibility with legacy Microsoft Exchange servers, the TURN SMTP command is
supported, too. It is processed in the same way as the ATRN command without a parameter, and
it requires authentication, too. The name of the queue to release is the same as the name of the
authenticated user.
The SMTP module supports an alternative wakeup method: a dial-up system can
send any message to domainName-wakeup@serverDomain to release the
domainName message queue. The serverDomain name should be the Main Domain name of the
CommuniGate Pro Server.
In a Dynamic Cluster environment, the Wakeup E-mail received by any cluster
member releases domain queues on all cluster members.
You can ask the SMTP module to hold mail for certain hosts in its queue, and not
to try to deliver that mail until the receiving server issues the ETRN command or
sends a wake-up E-mail. This can be useful if the receiving server is on a symmetric
dial-on-demand line and its provider brings the link up automatically when there is
any traffic for that receiving server.
The situation when the SMTP module receives a message from a remote system and then
sends that message to some other host is called relaying.
To avoid Server abuse, some relay restrictions can be specified.
- Relay to any IP Address
- See the Protection chapter for the information about this setting.
If the Nobody option is selected, relaying is still possible for authenticated users.
- Relay to Client IP Addresses
- See the Protection chapter for the information about this setting.
- Relay to Hosts We Backup
- This option allows the SMTP module to relay messages to any domain, if the MX records
for that domain includes this CommuniGate Pro Server name (its Main Domain name) as a back-up mail relay.
- Accept Wakeups
- This option tells the SMTP module to accept ETRN commands and wake-up E-mail messages either from anybody,
or only from the hosts included into the Client IP Addresses list, or from no host at all.
Since the ATRN command, unlike ETRN, requires authentication, the ATRN command is always accepted from any address.
- Hold Mail for Domains
- When the SMTP module builds a queue for one of the domains (hosts) listed in this field,
it immediately places that queue "on hold", waiting for the ETRN/ATRN command or any other external
action that releases that queue. This method should be used for the sites that receive mail
via your server, and that want to receive it only when they issue the ETRN/ATRN command.
The specified names can contain a wildcard - the asterisk (*) symbol.
You may want to send messages for some of your CommuniGate Pro Domains via Local IP Addresses assigned
to those Domains. See the Domain Settings section for more details.
If a message is to be delivered to the hostName host via a particular
12.34.56.78 Local IP Address, the message is not placed into the hostName
SMTP queue. Instead, the Server places it into the @12.34.56.78|hostName SMTP queue.
This technique allows the Server to process messages from different Domains independently. If the IP
Address of one of your Domains is blacklisted by remote hosts (because that Domain users
have abused the mail system), messages to the same remote hosts from other Domains will not be delayed or
rejected.
If the hostname name is included into the Hold Mail for Domains list,
the Server never adds the @12.34.56.78| prefix, so all messages to that host are always enqueued
into a single queue, and that queue can be used with the ATRN command.
The ETRN command releases not only the hostname queue, but all hostName queues with
preferred IP prefixes (@12.34.56.78|hostName queues).
You may want to enable SMTP receiving on the port 587. Sessions established to that port are processed differently:
- Connections are not rejected when the Reserved for Clients limit is reached.
- The AUTH capabilities are always advertised.
- Messages (the MAIL FROM commands) are accepted only after successful authentication.
When a Blacklisted host
connects to the SMTP module, the module does not reject a connection.
Instead, it receives the MAIL FROM
SMTP command, and starts to process the recipient (RCPT TO) addresses sent
from the blacklisted host. The module adds the domain blacklisted to
each recipient address received from a blacklisted host, i.e. the received
address user@domain is converted into user%domain@blacklisted.
Then the address is processed with the Router as usual. If the Router Table
does not contain special rules for the blacklisted domain, the
address is rejected with a special error code.
The default Router Table contains the following line:
<blacklist-admin*@blacklisted> = postmaster
All messages from blacklisted hosts sent to the blacklist-admin
address in any domain, are routed to the postmaster, so these messages
are accepted. This "white hole" feature allows
the blacklisted host users to contact the postmaster on your server if they
want to discuss the blacklisting issue. If you remove this line from the Router
Table, no address will be accepted from blacklisted hosts.
When rejecting addresses sent from blacklisted hosts, the SMTP module
verifies if the blacklist-admin@blacklisted address can be routed
with the Router. If the Router Table contains such records (a default one
or a different one), the error code sent back to the blacklisted host explains
that mail to blacklist-admin@serverdomain name is accepted
even from that blacklisted site.
If you want to provide a "white hole" feature, but you do not
want the information about the white-hole address to be included into the
error code, simply use a different name for the "white hole" address.
- Example:
- <abuse*@blacklisted> = postmaster
The following table contains samples of SMTP sessions established from a blacklisted
host. The host commands are marked with C:, the SMTP module responses are
marked with S:.
Router
Table | |
|---|
SMTP
protocol |
C: MAIL FROM: user@host
S: 250 user@host sender accepted
C: RCPT TO: somebody@somehost
S: 591 Your host [10.1.1.1] is blacklisted. No mail will be accepted
C: RCPT TO: abuse@somehost
S: 591 Your host [10.1.1.1] is blacklisted. No mail will be accepted
C: RCPT TO: blacklist-admin@somehost
S: 591 Your host [10.1.1.1] is blacklisted. No mail will be accepted
....
|
|---|
| |
Router
Table |
<abuse*@blacklisted> = postmaster |
|---|
SMTP
protocol |
C: MAIL FROM: user@host
S: 250 user@host sender accepted
C: RCPT TO: somebody@somehost
S: 591 Your host [10.1.1.1] is blacklisted. No mail will be accepted
C: RCPT TO: abuse@somehost
S: 250 abuse%somehost@blacklisted will leave Internet
C: RCPT TO: blacklist-admin@somehost
S: 591 Your host is blacklisted. No mail will be accepted
....
|
|---|
| |
Router
Table |
<blacklist-admin*@blacklisted> = postmaster |
|---|
SMTP
protocol |
C: MAIL FROM: user@host
S: 250 user@host sender accepted
C: RCPT TO: somebody@somehost
S: 591 Your host [10.1.1.1] is blacklisted. Send your questions to blacklist-admin@mycompany.com.
C: RCPT TO: abuse@somehost
S: 591 Your host [10.1.1.1] is blacklisted. Send your questions to blacklist-admin@mycompany.com.
C: RCPT TO: blacklist-admin@somehost
S: 250 blacklist-admin%somehost@blacklisted will leave Internet
....
|
|---|
The SMTP module immediately (on the first Router call) accepts
messages addressed to domain name-wakeup local addresses. When these messages
are enqueued into the SMTP module queue, they are processed as wake-up requests
for the domain name domain message queue.
The SMTP module also immediately accepts all addresses with IP-address domains, i.e.
with domain names like [xx.yy.zz.tt]. Please note that the Router
adds brackets to the IP-address domain names that do not have them, and the Router changes the
IP addresses of local domains to those domain names. The Router performs these operations
before calling the modules.
The SMTP module immediately accepts addresses that have domain parts ending with the ._smtp suffix.
This suffix is processed in the same way as the ._via suffix.
The SMTP module immediately accepts addresses that have domain parts ending with the ._smtpq suffix.
This suffix is processed in the same way as the ._relay suffix.
On the final call, the SMTP module accepts mail to any domain if that domain name contains
at least one dot (.) symbol. If the Forward option is selected, all these addresses
are rerouted to the specified Forwarding Server domain.
Before accepting an address, the SMTP module checks if the address does not contain any @ symbol,
but contains one or several % symbols. In this case, the rightmost % symbol is changed to the @ symbol.
Some mail servers can be configured to receive incoming SMTP mail on a non-standard port.
The CommuniGate Pro SMTP module can send messages to those servers, if the domain part of an
E-mail address contains the port number or is routed to an address that includes the port number.
Use the ._relay or ._via
suffix with the port number: domain.port._relay.
The SMTP module will not use the domain MX records in this case, it will try to resolve the
domain name directly into an IP address. Sample Router record:
secret.communigate.ru = mail.communigate.ru.26._relay
The Monitors realm of the WebAdmin Interface allows
Server Administrators to monitor the SMTP module activity. The SMTP Monitor section contains three
pages - the Delivery (sending) page, the Waiting page, and the Receiving page.
The Delivery page displays the active outgoing SMTP connections:
- ID
- This field contains the numeric ID of the outgoing SMTP session. In the CommuniGate Pro Log, this session records are marked with the
SMTP-nnnnn flag, where nnnnn is the session ID.
- Target
- This field contains the target Queue name (which normally matches the destination hostname).
- Messages
- This field contains the number of messages in the destination Queue.
- Status
- This field contains the operation in progress.
- Running
- If there is an SMTP operation in progress, this field contains the time since operation started.
- Message, Size, Return-Path
- If there is a message being sent to the destination host, these fields contain its ID, size and Return-Path, respectively.
The Receiving page displays the incoming SMTP connections:
- ID
- This field contains the numeric ID of the incoming SMTP session. In the CommuniGate Pro Log, this session records are marked with the
SMTPI-nnnnn flag, where nnnnn is the session ID.
- Source
- This field contains the IP address the sender has connected from.
The (TLS) mark indicates that the SSL/TLS encryption is being used.
- Account
- This field contains the name of the client Account, if the sender had authenticated.
- Status
- This field contains the operation in progress.
- Running
- If there is an SMTP operation in progress, this field contains the time since operation started.
- Size, Return-Path, Recipient
- If there is a message being received, these fields contain its size, Return-Path or a recipient address, respectively.
If the sender had connected to port 587 (SMTP Submit), the connection row is displayed with a green background.
SMTP activity can be monitored using the CommuniGate Pro Statistic Elements.
|
