ME020450 - TIP: How to force all traffic inbound to authenticate when using an external filtering service for inbound mail


In order for all mail inbound to come from an external mail filter/proxy server and to reject any direct inbound traffic from other sources, all connections need to be forced to authenticate.  This will ensure that the only people that can send to (or through) the server are authenticated senders.


When using the Enterprise version from version 3.5 onwards you can configure this on a server or post office level using the following settings in the Administration MMC snap in.

To enable at server level:

ME Admin MMC->Servers->Localhost->Connectors->SMTP Properties->Advanced TAB

Inbound Authentication = Require Authentication for all connections

To enable at post office level:

ME Admin MMC->Servers->Localhost->Connectors->SMTP Properties->Advanced TAB

Inbound Authentication = Authentication determined by Post Office

Now you need to enable it for each domain where this authentication needs to be enabled.

ME Admin MMC->Messaging Manager->Post Offices->[Post Office Name] Properties->Restrictions TAB

Any emails to this postoffice must come from authenticated connections = Enabled

For earlier versions of MailEnable you can configure this setting for the server level by registry switch.

The registry key that forces this authentication is below. Beware that this may mean that you have to change web pages that send through MailEnable SMTP to authenticate when sending;

Configure the following registry key;
HKEY_LOCAL_MACHINE->Software->Mail Enable->Mail Enable->Connectors->SMTP
Add a DWORD to this branch with a value of 1 - "Ignore Local Addresses"
These settings for MailEnable will force all inbound connections to authenticate even if they are simply sending to the server.  The setting will force all senders to your server to authenticate.  Do not forget to add the IP of the remote mail filter/proxy server(s) as an authenticated sender by adding the IP to the relay list.
The above scenario prevents non-authenticated connections from sending you email directly, and you will only accept email from your authenticated clients and the antispam gateway (you need to allow the IP address of the gateway to relay).
NOTE: The above registry setting has been introduced into version 3.5 as a configurable option within the SMTP "Advanced SMTP" settings window within the "inbound authentication" section. 

Product:MailEnable (ME-Any Pro-Any Ent-Any)
Keywords:Postini SPAM spam filter proxy cant send to server relay external inbound mail
Class:TIP: Product Tip
Revised:Wednesday, May 4, 2016