MailEnable Enterprise Guide
SMTP - Security

Setting

Description

Sender email domain must be local or resolvable through DNS

This option checks the domain of the SMTP envelope address to make sure it is a valid domain. The domain must either be configured in MailEnable or be resolvable through DNS. If not, the message will fail with a permanent error.

This can help reduce spam from senders making up email domains for send attempts.

Authenticated senders must use address from their postoffice

If this is selected, users who are authenticating to send email must configure their email client with an email address that is valid for their postoffice. This option helps force clients to use a legitimate email address, thereby reducing the possibility of spam.

Hide IP addresses from email headers

By default, the IP address of a connecting client is displayed in the header of an email message. If the network has its own IP range which is to remain hidden from receivers of emails, this option will replace the IP address with 127.0.0.1.

Disable all catchalls

Catchalls for domains will cause the email server to collect a lot more email and can cause the server to relay spam (i.e. if the server redirects a catchall to a remote email address). This option will stop all catchalls from working.

Allow domain literals

MailEnable will allow inbound emails to be formatted as user@[IP Address], such as user@[192.168.3.10]. MailEnable will accept emails for any of the IP addresses that have been configured on the server. If using NAT, or to accept extra IP addresses which are not configured on the server, select the Advanced… button. This will allow these extra IP addresses to be entered.

Restrict the number of recipients per email

It is possible to restrict the number of recipients per incoming email. Allowing a large number of recipients per message may help with sending to contact lists via email clients, but it also raises the benefit to spammers, as they can save on bandwidth and can send through more messages in a shorter amount of time.

Limit number of recipients per hour to

This setting sets how many recipients can be sent to on an hourly basis.

PTR Record Check

If an inbound connection has not been authenticated, MailEnable will look up whether there is a PTR DNS entry for the connecting IP address. MailEnable will not validate whether the entry is valid; it only checks that one exists. Local IP addresses are not checked for PTR entries. There are three options available for the check:

Never reject senders:

Does not perform any PTR checks on connections.

Reject senders without PTR:

If a remote server is sending to the SMTP service, and does not authenticate, then the email will be rejected if the IP address does not have a PTR record.

Refer to System Spam Filter:

This will mark the message as not having a PTR record. The Spam Protection filter will then be able to rank the inbound message for spam prevention.
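The following Python sketch is an added example, not MailEnable code. It models the PTR check as described above, including the point that only the existence of a PTR entry is tested. The reverse zone, the mode labels and the definition of "local" (loopback and RFC 1918 ranges) are assumptions made for the example.

```python
import ipaddress

# Constructed reverse zone standing in for DNS so the example runs offline.
SAMPLE_PTR_ZONE = {
    "25.113.0.203.in-addr.arpa": "mail.example.net",
    # A PTR that exists but points at a meaningless name.
    "77.100.51.198.in-addr.arpa": "not-a-real-host.invalid",
}

# Hypothetical labels for the three options.
NEVER, REJECT, REFER = "never", "reject", "refer"

# Assumption: "local" means loopback or RFC 1918 private ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def has_ptr(ip, zone=SAMPLE_PTR_ZONE):
    """Existence test only: the PTR target is never inspected."""
    return ipaddress.ip_address(ip).reverse_pointer in zone


def ptr_check(ip, authenticated, mode, zone=SAMPLE_PTR_ZONE):
    """Return (action, reason) for one inbound connection."""
    if mode == NEVER:
        return ("accept", "PTR check disabled")
    if authenticated:
        return ("accept", "authenticated, PTR not checked")
    if is_local(ip):
        return ("accept", "local address, PTR not checked")
    if has_ptr(ip, zone):
        return ("accept", "PTR exists")
    if mode == REJECT:
        return ("reject", "no PTR record")
    # REFER: accept, but flag the message so the spam filter can score it.
    return ("accept-flagged", "no PTR record, left to spam filter")
```

In this model 198.51.100.77 passes the check even though its PTR target is meaningless, so the check filters hosts with no reverse DNS at all rather than confirming the identity of the sender.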


Address Spoofing:

Address spoofing is where the user sends an email using an email address that is not mapped to the mailbox they are authenticating as. The option checks the SMTP envelope sender, not the headers of the email; that is, it checks the email address used in the SMTP conversation (the MAIL FROM address). Enabling this can help identify sources of spam, and force users to only use their own email addresses.

Anyone can spoof sender addresses:

If this is selected, anyone sending email through the server can use an email address which matches a domain configured on the server, even if they do not authenticate.

Authenticated senders cannot impersonate:

If this is selected, only users who are authenticating to send email can use an email address that has a domain that is configured on the server.

Authorized connections can spoof sender addresses:

If this option is selected, authenticated users and any privileged IP address in the SMTP privileged IPs list can send email using an address containing a domain configured on the server.
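The Python sketch below is an added example, not MailEnable code. It shows what an envelope-only check covers, for auditing purposes: it extracts the MAIL FROM address from a session, tests it against the authenticated postoffice, and separately reports the header From, which the option described above does not examine. The postoffice names, domains and session data are constructed, and matching by domain is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed data: postoffice -> domains it owns (hypothetical names).
POSTOFFICE_DOMAINS = {"acme": {"acme.example"}, "globex": {"globex.example"}}

# Constructed session: a client authenticated as a user in postoffice "acme".
SAMPLE_SESSION = {
    "auth_postoffice": "acme",
    "commands": ["EHLO client.acme.example",
                 "MAIL FROM:<billing@globex.example>",
                 "RCPT TO:<someone@example.org>"],
    "data": "From: Accounts <accounts@acme.example>\r\nSubject: test\r\n\r\nbody\r\n",
}


def envelope_sender(commands):
    """Address from the MAIL FROM command, ignoring ESMTP parameters."""
    for line in commands:
        if line.upper().startswith("MAIL FROM:"):
            path = line[len("MAIL FROM:"):].strip().split(" ")[0]
            return path.strip("<>").lower()
    return None


def header_from(data):
    """Address from the From: header inside the message data."""
    return parseaddr(message_from_string(data)["From"])[1].lower()


def envelope_allowed(session, postoffices=POSTOFFICE_DOMAINS):
    """True if the envelope domain belongs to the authenticated postoffice."""
    sender = envelope_sender(session["commands"])
    if not sender or "@" not in sender:
        return False  # the null sender <> is out of scope for this sketch
    domain = sender.rsplit("@", 1)[1]
    return domain in postoffices.get(session["auth_postoffice"], set())


def audit(session):
    """Report both identities so a header/envelope mismatch is visible."""
    env = envelope_sender(session["commands"])
    hdr = header_from(session["data"])
    return {"envelope": env, "header_from": hdr,
            "envelope_allowed": envelope_allowed(session),
            "header_matches_envelope": env == hdr}
```

For SAMPLE_SESSION the envelope check fails because the MAIL FROM domain belongs to another postoffice, whatever the header From says.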

Use alternate welcome message

When an email client or other mail server connects to MailEnable, a one line welcome message is displayed. By default, this indicates that the server is running MailEnable software, and shows the version of the software. If this option is enabled, it is possible to customize the welcome message. There are also two variables that can be used in the welcome text that will be replaced. These are:

%LOCALDOMAIN% - this will be replaced with the SMTP domain from the SMTP options

%TIME% - this will be replaced with the current time on the server

Drop a connection when the failed number of commands or recipients reaches

Most email clients will recognize error codes returned by the mail server for an invalid recipient or similar. But some spammers and bulk email utilities may not recognize these errors and keep trying to send. By enabling this option, MailEnable will drop the client connection. It is recommended not to use a low value (5 for example), as some valid web scripts will not check the return codes either – but these will only produce a small number of failed commands.

Add to denied IP addresses if this number is reached

If a connection has reached the disconnection limit, it is possible to automatically add the IP address of the client to the SMTP Access Control list. Be aware that if enabling this option, the Access Control list can grow and adversely affect the performance of the SMTP service. Therefore it is recommended to check the Access Control list regularly.

EHLO Blocking

This option allows you to drop connections if they send a specific string in the SMTP EHLO command. For example, a common spam bot will use EHLO ylmf-pc. So entering ylmf-pc will drop these connections.

© MailEnable Pty. Ltd. All Rights Reserved.