The configuration options in the e-mail transport settings include SMTP receive and transport policies, external domain policies, accepted domains, forwarding to internal mail servers, connection security settings and trusted networks.
Via the Local Networks you determine from which hosts or networks e-mails may be sent via the REDDOXX Appliance.
If there is a mail relay or a firewall with an SMTP server service or a POP3 collector service in front of your REDDOXX Appliance that accepts the e-mails first, it must NOT be in the local networks, otherwise neither spam validation nor a recipient check can take place.
The following steps are necessary to configure Local Networks:
Click on Add Network
Enter a descriptive name
Enter the IP address of the local network or a single host in CIDR format.
Via the Local Internet Domains, you can create internal e-mail domains for which the REDDOXX Appliance is to receive e-mails.
In addition, it is possible to set up a recipient check so that the Appliance can check whether the recipient exists when an e-mail is received.
The check then takes place via the recipients known to the appliance (locally created or synchronised via LDAP).
In this way, spam to non-existent addresses in the company can be filtered out.
The following steps are necessary to create a Local Internet Domain (steps 4-12 are optional):
Click on Add Domain
Specify the domain for which you want to receive e-mails.
Select whether to use the recipient validation (Activate recipient validation).
For domains hosted at Microsoft 365, "Enable Hosted Exchange support" can be activated here, so that the appliance recognises from the DKIM signature of the e-mail that it is an outgoing e-mail (even without a Trusted Network entry for the Microsoft 365 networks).
The prerequisite for this is that DKIM must be activated for the domain (https://security.microsoft.com/dkimv2).
Save the settings with "Save".
Optionally, you can configure in the DKIM tab that outgoing e-mails are provided with a DKIM signature.
First select "Select DKIM key" and add a new DKIM key with Add Key.
Specify the domain, the selector (e.g. just a simple "v1") and the DKIM private key (or create one via Generate new key on the appliance).
Click on "Create" to complete the creation of the DKIM key.
You can now create further DKIM keys for other domains / selectors and finally select one from the list via "Select key".
Set the DNS TXT entry on your domain accordingly and then check in the appliance with "Update status" whether the DNS settings can be read out correctly.
Only then should you click on "Enable DKIM" and close the dialogue with "Save".
Do not activate DKIM until the DNS settings have been set and are working (otherwise, receiving systems that support DKIM and receive a DKIM-signed e-mail from the appliance could reject the e-mails).
In the External Domain Policies, guidelines for the connection to specific domains are defined.
Here, one or more public certificates of the remote peer can be selected, and the TLS behaviour as well as a required user authentication can be specified.
The settings are only necessary for a few communication partners, who then also provide the corresponding certificates in advance.
External Domain Policies have priority over SMTP Transport Policies and also serve to protect against accidental misconfiguration of SMTP Transport Policies for certain domains.
To use the mTLS policies, the appropriate SMTP Receive Connector must be set to request the client certificate (Request Client certificate in TLS Settings).
If you need to comply with certain connection-specific security requirements for one or more communication partners, proceed as follows:
Click on "Add policy".
In the General tab, enter a name and description for the policy and specify the domains for which this policy is to be used.
In the Outbound Policy and Inbound Policy tabs, implement the required security policies of the communication partner.
Select whether TLS is to be used and to what extent a certificate check must take place. You can choose between:
Accept any certificate (no validation)
Accept any valid certificate
Accept the connection if a certificate in the chain matches one of the listed certificates.
Accept the connection if the certificate matches one of the listed certificates.
Select whether a user logon is required for the connection.
Add the certificates provided by the communication partner (these must be imported in advance in the Public TLS Certificates area).
Adjust the settings for the (Default, or Migrated) Receive Connector, which is bound to all interfaces and port 25 by default.
In cluster operation, the binding "Any" must be used, as otherwise mail reception cannot function after a failover.
You can add more connectors, but make sure that each receive connector can only be bound to one network device.
You can configure the host name, TLS settings, authentication parameters as well as SPF, DKIM, DMARC.
To use SMTP Auth, the sender needs to authenticate with login and password.
The login consists of username and realm.
When there is a local user named "test", the login would be test@local.
When there is an AD user "cclippy" in the realm "msad", the login would be cclippy@msad.
If "Reject mails with invalid DKIM signature" is checked, the rejection of signatures that cannot be validated is enforced.
Incorrectly signed and unsigned emails (for whose domain a DKIM signature is provided) are rejected, while emails with valid DKIM signature as well as unsigned emails (for whose domain no DKIM signature is provided) are allowed.
In the RBL filter settings, the filter lists are defined and, if necessary, also exceptions for e-mail relays, if incoming e-mails are sent via a relay that is not to be checked against the RBL filter.
The name of the relay can be determined via the header of the e-mail (Received from).
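The following added example (not part of the REDDOXX documentation) shows how the relay in front of the appliance, which is the one to enter as an RBL exception, can be read from the Received headers; the message, hostnames and addresses are constructed.

```python
import email
import re
from email import policy

# Constructed sample: the topmost Received header is the one the appliance itself added,
# so its "from" part names the host that handed the mail over (the relay in front).
SAMPLE_MESSAGE = """Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby reddoxx.example.com with ESMTPS id abc123;
\tTue, 1 Jan 2024 10:00:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby relay.example.net with ESMTP id xyz789;
\tTue, 1 Jan 2024 09:59:58 +0000
From: alice@sender.example
To: bob@example.com
Subject: test

hello
"""

# "from <helo name> (<reverse DNS name> [<ip>])" as written by most MTAs; the rDNS part is optional
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
)


def received_hops(raw_message):
    """Return (helo, rdns, ip) for every Received header, newest (topmost) first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received") or []:
        unfolded = re.sub(r"\s+", " ", str(value))
        m = RECEIVED_FROM.search(unfolded)
        if m:
            hops.append((m["helo"], m["rdns"], m["ip"]))
    return hops


def relay_in_front(raw_message):
    """The newest hop handed the mail to the appliance: that is the relay for the RBL exception.
    The hop below it carries the address of the actual sender, which the RBL check should still see."""
    hops = received_hops(raw_message)
    return hops[0] if hops else None


if __name__ == "__main__":
    print(relay_in_front(SAMPLE_MESSAGE))
    print(received_hops(SAMPLE_MESSAGE)[1])
```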
Current recommendations for the RBL filter lists can be found in the FAQ.
It is recommended to use a local DNS server, as some blacklist filters do not provide correct results when using public DNS servers.
If the IP address of a sender is on one of the RBL filter lists, this IP is placed in the list of IP address filters and communication is rejected for 24 hours. After that, the system checks again whether the sender is on a blacklist.
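The following added example (not REDDOXX code) models the behaviour just described: the DNSBL query name, the 24-hour entry in the IP address filter list, the re-check after expiry and a relay exception. The list zone, addresses and the resolver are constructed; in production the resolver would be a lookup against a local DNS server.

```python
import ipaddress
from datetime import datetime, timedelta

BLOCK_DURATION = timedelta(hours=24)   # how long a listed IP stays in the IP address filter list


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class RblFilter:
    def __init__(self, zones, resolver, exceptions=()):
        self.zones = list(zones)
        self.resolver = resolver       # callable(name) -> bool; in production a (local) DNS lookup
        self.exceptions = [ipaddress.ip_network(e) for e in exceptions]  # relays never checked
        self.blocked = {}              # ip -> expiry time (the automatically filled blacklist)

    def check(self, ip, now):
        """Decide 'accept' or 'reject' for a connecting IP at time `now`."""
        if any(ipaddress.ip_address(ip) in net for net in self.exceptions):
            return "accept"
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                return "reject"        # still blocked: no list lookups, no further validation
            del self.blocked[ip]       # 24 hours are over: check the lists again
        if any(self.resolver(dnsbl_query_name(ip, zone)) for zone in self.zones):
            self.blocked[ip] = now + BLOCK_DURATION
            return "reject"
        return "accept"


def demo_sequence():
    """Constructed walk-through: a listed sender, the 24 h block, delisting, a relay exception."""
    listed = {dnsbl_query_name("192.0.2.10", "bl.example")}   # constructed listing, not a real zone
    rbl = RblFilter(["bl.example"], lambda name: name in listed, exceptions=["192.0.2.25/32"])
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    results = [rbl.check("192.0.2.10", t0),                         # listed -> reject, blocked 24 h
               rbl.check("192.0.2.10", t0 + timedelta(hours=23))]   # still blocked -> reject
    listed.clear()                                                   # the sender gets delisted
    results.append(rbl.check("192.0.2.10", t0 + timedelta(hours=23, minutes=59)))  # block still active
    results.append(rbl.check("192.0.2.10", t0 + timedelta(hours=24, minutes=1)))   # re-check -> accept
    results.append(rbl.check("192.0.2.25", t0))                     # relay exception -> accept
    return results
```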
Switch to the AntiSpoofing tab if e-mails with fake senders are to be rejected directly during the SMTP connection setup.
Sender addresses (e.g. for webshops) can be stored as exceptions, one address per line.
In the Limits section you can specify the number of maximum parallel connections, the size of the e-mail, the recipients and the number of invalid recipients.
The Internal SMTP connector cannot be adjusted, as it is intended for communication between the services.
Here the sender / recipient filtering in the Addresses field in connection with the smarthost settings from the Transport field is used to define where e-mails are to be forwarded to.
In addition, TLS settings, authentication and the FQDN that is sent via a Helo command can be set here.
In the Transport section, the option "Resolve Domain Part as Hostname" can also be activated; the appliance then attempts to determine an IP address for the domain part of the e-mail (e.g. as an A or CNAME record) if no MX record can be found for the host.
The rules are processed in order.
For each local domain, the transport to a SmartHost (internal mail server) should be configured accordingly, as otherwise the default transport policy would apply without an explicit rule and the mails would be forwarded to the MX via DNS (which would then lead to a mail loop).
In addition, transport rules can be created for other domains that are to be used differently from a DNS query.
If e-mails cannot be delivered with the message "Received an unexpected EOF or 0 bytes from the transport stream", the receiving server does not support the current SSL/TLS algorithms.
In this case (this is especially true for outdated Exchange 2013 servers) a transport rule for the destination domain with deactivated TLS must be used.
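The following added example (not REDDOXX code) models the transport rule evaluation described above: rules in configured order, a default policy with "Resolve Domain Part as Hostname", the mail loop that results when a local domain has no SmartHost rule, and a TLS-disabled rule for a destination that cannot handle current TLS. The DNS data, domains and hostnames are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TransportRule:
    domain: str                        # recipient domain; "*" stands for the default transport policy
    smarthost: Optional[str] = None    # None: deliver via DNS (MX lookup)
    use_tls: bool = True
    resolve_domain_part: bool = False  # "Resolve Domain Part as Hostname"


def missing_smarthost_rules(rules, local_domains):
    """Local domains that would fall through to DNS delivery, i.e. loop back to the appliance."""
    covered = {r.domain.lower() for r in rules if r.smarthost}
    return sorted(d for d in local_domains if d.lower() not in covered)


def resolve_transport(recipient, rules, local_domains, mx_lookup, a_lookup):
    """Return (kind, target, use_tls) for a recipient; rules are tried in their configured order."""
    domain = recipient.rsplit("@", 1)[1].lower()
    for rule in rules:
        if rule.domain.lower() not in ("*", domain):
            continue
        if rule.smarthost:
            return ("smarthost", rule.smarthost, rule.use_tls)
        target = mx_lookup(domain)
        if target is None and rule.resolve_domain_part:
            target = a_lookup(domain)    # fall back to the A/CNAME record of the domain part
        if target is None:
            return ("undeliverable", None, rule.use_tls)
        if domain in local_domains:
            return ("loop", target, rule.use_tls)  # MX of a local domain points back at the appliance
        return ("dns", target, rule.use_tls)
    return ("undeliverable", None, True)


# Constructed DNS data and rule set (no real zones or hosts)
MX = {"example.com": "reddoxx.example.com", "partner.example": "mx.partner.example",
      "legacy.example": "mail.legacy.example"}
A = {"nomx.example": "203.0.113.40"}
LOCAL_DOMAINS = {"example.com"}
RULES = [
    TransportRule("example.com", smarthost="exchange.internal"),   # internal mail server
    TransportRule("legacy.example", use_tls=False),                # peer that cannot do current TLS
    TransportRule("*", resolve_domain_part=True),                  # default transport policy
]


def route(recipient, rules=RULES):
    return resolve_transport(recipient, rules, LOCAL_DOMAINS, MX.get, A.get)
```

Dropping the first rule (`route("bob@example.com", rules=RULES[1:])`) yields the loop case, and `missing_smarthost_rules(RULES[1:], LOCAL_DOMAINS)` reports the local domain that causes it.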
The filter settings are used to explicitly block or allow SMTP connections.
Depending on the netmask, a single host or a complete network can be configured here.
The list of blocked IP addresses is filled automatically by the RBL filters in use if the function is enabled in the SMTP receive connectors.
The SMTP connection setup is blocked directly if an IP from the blocked list wants to communicate with the appliance.
This is particularly advantageous in the case of spam attacks, as the appliance no longer has to carry out validations.
If an IP with which communication is desired appears in the blacklist settings, this entry can be edited and changed from a blacklist to a whitelist entry.
The following steps are necessary to create a blacklist or whitelist entry for blocked or authorised IP addresses:
Select the appropriate tab depending on whether you want to add a permitted (whitelist) or blocked (blacklist) address.
Click on Add
Enter the values for network (in CIDR notation), validity period and description.
Accept the settings with "Save".
Use the "Flush RBL filters" button to delete all automatically created blacklist entries at once.
This is particularly advantageous if a large provider with several IP addresses was on a blacklist for a short time.
The POP3 and POP3s Proxy is used to retrieve POP3 mailboxes via mail clients.
The appliance acts as an intermediary, accepts the clients' requests (and login data) and then performs the login to the actual POP3 mailbox.
Existing e-mails in the POP3 mailbox are then retrieved (and deleted from the mailbox), checked for spam, archived on the appliance and transmitted to the client the next time it retrieves mail.
Further information on the concrete procedure can be found in the Quick Start Guide.
The following steps are necessary to set up the POP3 and POP3s proxy:
Activate the desired service(s) via Enable POP3 / POP3s as well as the corresponding interface under which the services are to be accessible.
Switch to the TLS Settings tab.
Select a TLS certificate available in the appliance (otherwise POP3s is not available and in POP3 mode only access with deactivated TLS mode is possible).
Select the desired TLS mode in the POP3 proxy (disabled, STARTTLS optional or STARTTLS required).
Activate the desired TLS protocols (default are TLS 1.2 and TLS 1.3).