Using MailCleaner as an Outgoing Relay

MailCleaner Support
Added about 1 month ago

It is possible to use MailCleaner as a relay for your domains' outgoing mail. You may wish to do this to keep the IP of your mail server private if it is publicly addressable, or to have proper reverse DNS if it is not publicly addressable.

Note that there are currently limited advantages to using MailCleaner as an outgoing relay from a filtering perspective. Since MailCleaner currently has no outgoing mail quarantine, it does not do any proper spam filtering. The only filtering will be scanning with ClamAV and the settings from pages:

Configuration->SMTP->Connection controls (e.g. allowed IPs, blocked senders, etc.)
Configuration->SMTP->Resource controls (e.g. rate limits, size limits, etc.)

Also note that Fail2Ban will apply to the sources of the outgoing mail unless they are explicitly whitelisted, so these IPs can be blocked due to invalid recipient requests or failed authentication attempts. Having these blocks be possible is good in the event that an account is compromised, but you would need to be vigilant about noticing and clearing a listing of a legitimate source.

Configuring Outgoing Relaying

There are two primary methods for configuring MailCleaner as an outgoing relay: either allow all mail from a specific IP (or CIDR range; typically your mail server(s) or gateway(s)), or allow users to authenticate directly to MailCleaner. It is generally recommended that you use the former: have users authenticate directly with your mail server, use MailCleaner only as a SmartHost, and then block authenticated relaying.

Allow relaying by IP/Hostname:

You can allow IPs, CIDR blocks or our DNS shorthands from:

Configuration->SMTP->Connection control->Allow external relaying for these hosts

By default, this will allow senders from those hosts to relay mail on behalf of any domain hosted by MailCleaner. You can optionally allow relaying for unlisted domains, but this is not recommended. Because this method does not perform any other checks for the legitimacy of those connections, it is intended that you restrict this to hosts that do their own form of authentication (i.e. your mail server) or which do not allow for user control over message generation (i.e. a web/application server).

Once this is enabled, you can configure the listed host to use MailCleaner as a SmartHost/relay according to that product's documentation.

Per-domain user authentication

Within the domain configuration wizard:

Configuration->Domains->[select or create domain]

you first need to set up an authentication source from the 'User authentication' page. Once you have verified that a set of credentials work, you can advance to the 'Outgoing relay' page. From there, you can simply allow relaying.

Note that if users are directly relaying through MailCleaner, your internal mail server will not have a log of these transactions. If you still have users using the POP3 protocol, these messages will also not get pushed to their outbox on that server for syncing. This option is only recommended if you have users who do not have access to port 587 on your mail server, such as if it is on a different private network with no VPN.

Security recommendations

Although you could configure both methods for the same domain, it is recommended that you treat these as either/or options. This is especially important if you enable host-based relaying. In that case you should ensure that authenticated relaying is disabled in the domain's settings to prevent external authentication attempts from guessing a password.

In any case, it is recommended that you disable SMTP Authentication on port 25 from:

Configuration->SMTP->SMTP Checks->Block authenticated relaying on port 25

If you are using host-based relaying, it is not authenticated, so this setting does not affect it. If you are using authenticated relaying, you should configure it to use port 587. Since port 25 must be enabled to receive incoming mail, having it advertise that authentication is available will ensure that you see thousands of authentication attempts per day from botnets. Even if no domains have authenticated relaying enabled, these attempts still consume unnecessary resources and clog up the logs. By setting up all of your authenticated users to use port 587 you will not see nearly as many malicious authentication attempts, and you can also restrict access on that port entirely to the IPs/CIDR ranges that should be making legitimate authentication attempts.
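The following is an added example, not MailCleaner's own code: a small model of the relay rules described above (host-based relaying, per-domain authenticated relaying, AUTH blocked on port 25, and an optional client-range restriction on port 587), which you can use to reason about which connections end up being allowed to relay. The configuration in example_policy() and the rule that an authenticated user must belong to the envelope sender's domain are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    relay_hosts: list                      # Connection control -> "Allow external relaying for these hosts"
    hosted_domains: set                    # domains MailCleaner filters for
    relay_unlisted_domains: bool = False   # optional, and not recommended
    auth_relay_domains: set = field(default_factory=set)    # domains with 'Outgoing relay' enabled
    block_auth_on_25: bool = True          # SMTP Checks -> "Block authenticated relaying on port 25"
    auth_client_ranges: list = field(default_factory=list)  # optional IP restriction on port 587 (assumed)

    @staticmethod
    def _in_ranges(ip, ranges):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

    def can_relay(self, src_ip, port, sender_domain, authenticated_user=None):
        """Decide one relay attempt; returns (allowed, reason)."""
        domain_ok = sender_domain in self.hosted_domains or self.relay_unlisted_domains
        # Host-based relaying: a listed host passes with no further checks, which is
        # why only hosts that authenticate their own users should be listed.
        if self._in_ranges(src_ip, self.relay_hosts):
            return (True, "host-based relay") if domain_ok else (False, "sender domain not hosted")
        # Authenticated relaying: only on the submission port once AUTH is blocked on
        # port 25, only from the allowed client ranges (if any are configured), and
        # only for domains where 'Outgoing relay' was enabled in the domain wizard.
        if authenticated_user:
            if port == 25 and self.block_auth_on_25:
                return False, "AUTH not offered on port 25"
            if self.auth_client_ranges and not self._in_ranges(src_ip, self.auth_client_ranges):
                return False, "port 587 restricted to listed client ranges"
            # Assumed: the authenticated user must belong to the envelope sender's domain.
            if authenticated_user.rsplit("@", 1)[-1] != sender_domain:
                return False, "user domain does not match sender domain"
            if sender_domain in self.auth_relay_domains:
                return True, "authenticated relay"
            return False, "authenticated relaying disabled for this domain"
        return False, "unauthenticated and not a listed relay host"


def example_policy():
    """Constructed configuration: one mail server and one LAN range may relay for
    hosted domains; example.org users may authenticate from an office range on 587."""
    return RelayPolicy(relay_hosts=["192.0.2.10", "10.0.0.0/24"],
                       hosted_domains={"example.com", "example.org"},
                       auth_relay_domains={"example.org"},
                       auth_client_ranges=["203.0.113.0/24"])
```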

Outgoing mail deliverability tips

To ensure that outgoing mail has the best possible chance to reach the final destination, see Deliverability Tips.

Monitoring relayed messages

Relayed messages are counted in the statistics from Monitoring->Status. They can also be found in Management->Tracing where the internal user that you search by will show up in the 'Sender address' field.

If you would like some more high-level insight into the frequency and sources of relayed mail, you can get a summary on a per-node basis with the command-line tool /usr/mailcleaner/bin/ . Use the -h flag for usage instructions. The options include filtering by sender address, providing counts for each sender/recipient pair, and listing all of the Exim message IDs.
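As an added example (not the MailCleaner tool referenced above), the following script produces the same kind of summary from Exim mainlog lines: it treats a message as relayed when its arrival line comes from a configured relay host or carries an A= authenticator field, then counts relayed messages per sender and per sender/recipient pair and lists their Exim message IDs, with an optional sender filter. The log lines are constructed for the example; the standard Exim "<=", "=>" and "->" line layout is assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample mainlog lines (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01 08:00:01 1rXa1b-0001Ab-2C <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2048
2024-03-01 08:00:02 1rXa1b-0001Ab-2C => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-03-01 08:05:10 1rXa9z-0002Cd-4E <= carol@example.org H=(laptop) [203.0.113.7] P=esmtpsa A=login:carol@example.org S=900
2024-03-01 08:05:11 1rXa9z-0002Cd-4E => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-03-01 08:05:11 1rXa9z-0002Cd-4E -> dave@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-03-01 09:00:00 1rXb2c-0003Ef-6G <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtp S=3000
2024-03-01 09:00:01 1rXb2c-0003Ef-6G => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2024-03-01 09:30:00 1rXb7d-0004Gh-8I <= someone@external.test H=(unknown) [198.51.100.99] P=esmtp S=500
2024-03-01 09:30:01 1rXb7d-0004Gh-8I => carol@example.org R=dnslookup T=remote_smtp H=mail.example.org [192.0.2.20]
"""

# "<=" is a message arrival; "=>" and "->" are deliveries to each recipient.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\](?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->) (?P<rcpt>\S+)")


def summarise_relayed(log_text, relay_hosts, sender_filter=None):
    """Summarise relayed messages: ids, counts per sender, counts per sender/recipient pair."""
    nets = [ipaddress.ip_network(h, strict=False) for h in relay_hosts]
    relayed = {}   # message id -> envelope sender, for messages judged to be relayed
    pairs = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            from_relay_host = any(ipaddress.ip_address(m["ip"]) in n for n in nets)
            authenticated = " A=" in m["rest"]      # Exim logs the authenticator as A=
            if (from_relay_host or authenticated) and sender_filter in (None, m["sender"]):
                relayed[m["id"]] = m["sender"]
            continue
        d = DELIVERY.match(line)
        if d and d["id"] in relayed:                # arrival lines precede their deliveries
            pairs[(relayed[d["id"]], d["rcpt"])] += 1
    return {"ids": sorted(relayed), "by_sender": Counter(relayed.values()), "pairs": pairs}
```

Inbound mail from an unlisted, unauthenticated source (the last message in the sample) is left out of the summary even though it is delivered onward to a hosted domain.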