Email Gateway Considerations
This guide is intended as a 'best practice' guide for sending and receiving email from ClearOS. It assumes that you are using the SMTP Server app for mail, which is the usual situation with either Zarafa or Cyrus on ClearOS. The service that handles the delivery of mail to and from your site is called Postfix.
What Postfix does
The Postfix service handles both incoming and outgoing mail, and there are several points at which mail enters and leaves it. In many ways this works like the veins and arteries near the human heart: mail can be inbound to Postfix on its way to being sent OUTBOUND.
Postfix accepts mail from sources including, but not limited to:
- Incoming mail from Internet hosts that found your server by looking up your domain's MX records in DNS (the most typical meaning).
- Incoming mail from a 'store and forward' host performing MX backup (this service is available from ClearCenter if you host your domain with ClearCenter).
- Incoming mail from the mail store (Zarafa or Cyrus): sending mail from your email client is INCOMING mail from Postfix's point of view.
- Incoming mail returned from the anti-spam or anti-virus subsystem after it has been checked.
- Incoming mail from hosts that authenticate with SMTP Authentication, whether on the Internet or on the local LAN.
- Incoming mail from relay hosts on local subnets or devices that use ClearOS as their local SMTP gateway (e.g. scan-to-email copiers and local servers and devices).
Postfix sends mail out along paths including, but not limited to:
- Outgoing mail to hosts resolved via DNS (the recipient domain's MX records).
- Outgoing mail to a 'smart host' or ISP mail gateway.
- Outgoing mail to the mail store (Zarafa or Cyrus): delivery into the store from which your email client later retrieves it is OUTGOING mail from Postfix's point of view.
- Outgoing mail to the internal anti-spam or anti-virus subsystem before it has been checked.
Requirements for sending and receiving Internet mail
Email is typically transmitted over the Internet on TCP port 25. Your firewall must allow inbound connections on this port if you want to receive email, and your ISP must ALSO allow your host to receive port 25 traffic (many consumer connections block it). From another host on the Internet you can test this by telnetting to port 25 of your public address and checking that you get a '220' greeting.
Port 25 must also be available for outbound connections. By default, ClearOS allows port 25 traffic originating on the server itself to flow to the Internet. However, your provider may block outbound SMTP from your server. One way to test this is to telnet to port 25 on a mail server on the Internet: a '220' greeting means the path is open, while a connection that hangs until it times out usually means the provider is filtering the port. The following is an example of a connection from a ClearOS server to one of Google's Gmail servers:
[root@clearos-server ~]# telnet gmail-smtp-in.l.google.com 25
Trying 126.96.36.199...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP uh1si7933785pab.94 - gsmtp
quit
221 2.0.0 closing connection uh1si7933785pab.94 - gsmtp
Connection closed by foreign host.
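As an added example (not part of the original ClearOS page), the same port 25 check scripted in Python so it can be run from the server against several MX hosts and report a timeout (the usual symptom of a provider block) separately from a refusal. The FakeMX class is a constructed stand-in for an Internet mail server so that the script runs offline; the hostnames in the trailing comment are only illustrations.

```python
import socket
import socketserver
import threading

SMTP_PORT = 25
# A connection that hangs until this expires (rather than being refused) is the
# usual sign that the ISP or an upstream firewall is silently dropping port 25.
TIMEOUT = 10


def check_smtp(host, port=SMTP_PORT, timeout=TIMEOUT):
    """Connect to host:port, read the SMTP greeting, send QUIT, and classify the result.

    'state' is one of: ok, timeout, refused, unexpected-greeting, bad-quit-reply, error:<message>.
    """
    result = {"host": host, "port": port, "state": None, "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            reader = sock.makefile("rb")
            banner = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            result["banner"] = banner
            if not banner.startswith("220"):
                result["state"] = "unexpected-greeting"
                return result
            sock.sendall(b"QUIT\r\n")
            reply = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            result["state"] = "ok" if reply.startswith("221") else "bad-quit-reply"
    except socket.timeout:
        result["state"] = "timeout"
    except ConnectionRefusedError:
        result["state"] = "refused"
    except OSError as exc:  # DNS failure, network unreachable, and similar
        result["state"] = "error:%s" % exc
    return result


def outbound_verdict(results):
    """Summarise a batch of checks: every host timing out points at your side, not at the far ends."""
    states = [r["state"] for r in results]
    if states and all(s == "timeout" for s in states):
        return "outbound port 25 appears to be blocked by your provider or firewall"
    if any(s == "ok" for s in states):
        return "outbound port 25 is open"
    return "no SMTP greeting received; check DNS and the individual results"


class FakeMX(socketserver.StreamRequestHandler):
    """Constructed stand-in for an Internet MX so the example runs offline; not a real server."""

    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP (constructed)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            if line.strip().upper() == b"QUIT":
                self.wfile.write(b"221 2.0.0 closing connection\r\n")
                return
            self.wfile.write(b"250 OK\r\n")


def start_fake_mx():
    """Listen on an ephemeral loopback port in a background thread; returns the server object."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeMX)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    fake = start_fake_mx()
    local = check_smtp("127.0.0.1", fake.server_address[1])
    print(local)
    print(outbound_verdict([local]))
    fake.shutdown()
    fake.server_close()
    # From a real ClearOS server with Internet access you would instead run something like:
    #   results = [check_smtp(h) for h in ("gmail-smtp-in.l.google.com", "mx.example.com")]
    #   print(outbound_verdict(results))
```

Run it against two or three different MX hosts rather than one: a single host timing out can be that host's problem, but every host timing out from the same server is almost always a block between you and the Internet.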
Anti-spam and Anti-virus
ClearOS can filter both spam and viruses. It scans mail without regard to the direction the mail is going, which means that both your incoming AND outgoing email is scanned for viruses and spam; scanning outbound mail also limits what an infected host on your LAN can send through the server.
The Internet thinks I'm sending spam
While operating an email server you may get flagged as a site that sends spam. Usually this occurs because your site is in FACT sending spam. There are a number of reasons this can happen, among them:
- Hosts behind your ClearOS server are infected with spam-bots or other malicious software that sends spam straight out to the Internet, bypassing your server.
- ANSWER: This is the most typical cause in my experience. The symptom is that your mailq has no bad email in it, yet you are still being blocked, because the spam never passes through Postfix. Command line tools such as 'iptraf' can help you narrow down the culprit, which likely needs a thorough virus scan or even a rebuild of its OS from scratch. You can prevent this easily by creating an 'Egress Firewall' rule that blocks outbound port 25 traffic from the LAN (the ClearOS server itself must still be able to reach port 25 on the Internet or on your smart host).
- Hosts that use your ClearOS server as their SMTP gateway are infected and are sending spam through it.
- ANSWER: This scenario is easily diagnosed by looking at your 'mailq' and 'iptraf' data: the queue fills with spam and the traffic comes from one LAN host. You can also look at your maillog file (/var/log/maillog) and identify the culprit by its client IP address.
- An attacker has discovered the username and password of a user on your network and is using an authenticated SMTP relay connection to send spam.
- ANSWER: Using strong passwords with SMTP Authentication is strongly encouraged. Changing the affected user's password is only part of the solution: also check their computer for keyloggers or trojans, and look in the maillog for the 'sasl_username' that is sending the volume, since the connections may come from anywhere on the Internet.
- A misconfiguration of your network or firewall is allowing your server to be used as an open relay.
- ANSWER: This is highly unusual. Be sure that you have the proper roles assigned to your network interfaces (LAN versus external) and that any relay permissions granted to public IP addresses are narrowly scoped. An open relay shows up in the maillog as mail accepted from unauthenticated Internet clients and delivered on to other Internet hosts; a correctly configured server rejects such attempts with 'Relay access denied'.
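The three server-side causes above (an infected LAN host relaying through the server, a stolen SMTP Authentication credential, and an open relay) all leave traces in the maillog. As an added example that is not part of the original page, the script below parses a constructed sample of Postfix log lines, attributes recipient counts to SASL users and client IP addresses, and flags the patterns that match each cause. The network ranges, thresholds, hostnames and log lines are assumptions made for the example, not data from a real server.

```python
import ipaddress
import re
from collections import Counter

# Assumption for the example: Postfix's trusted networks (loopback plus the LAN).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Constructed sample in the format Postfix writes to /var/log/maillog; not a real capture.
SAMPLE_MAILLOG = """\
Jan 12 10:01:02 clearos postfix/smtpd[2101]: 7A1B2C3D4E: client=copier.lan[192.168.1.20]
Jan 12 10:01:02 clearos postfix/qmgr[2000]: 7A1B2C3D4E: from=<copier@example.com>, size=51234, nrcpt=1 (queue active)
Jan 12 10:01:03 clearos postfix/lmtp[2300]: 7A1B2C3D4E: to=<ceo@example.com>, relay=127.0.0.1[127.0.0.1]:2003, delay=0.3, dsn=2.0.0, status=sent (250 Ok)
Jan 12 10:01:10 clearos postfix/smtpd[2101]: 8B2C3D4E5F: client=host9.isp.example[203.0.113.9], sasl_method=PLAIN, sasl_username=bob
Jan 12 10:01:10 clearos postfix/qmgr[2000]: 8B2C3D4E5F: from=<bob@example.com>, size=1802, nrcpt=250 (queue active)
Jan 12 10:01:11 clearos postfix/smtpd[2101]: 9C3D4E5F60: client=host9.isp.example[203.0.113.9], sasl_method=PLAIN, sasl_username=bob
Jan 12 10:01:11 clearos postfix/qmgr[2000]: 9C3D4E5F60: from=<bob@example.com>, size=1799, nrcpt=250 (queue active)
Jan 12 10:02:00 clearos postfix/smtpd[2102]: A4E5F60718: client=pc57.lan[192.168.1.57]
Jan 12 10:02:00 clearos postfix/qmgr[2000]: A4E5F60718: from=<alice@example.com>, size=9001, nrcpt=1 (queue active)
Jan 12 10:03:30 clearos postfix/smtpd[2103]: B5F6071829: client=unknown[198.51.100.77]
Jan 12 10:03:30 clearos postfix/qmgr[2000]: B5F6071829: from=<x@bogus.example>, size=4200, nrcpt=40 (queue active)
Jan 12 10:03:32 clearos postfix/smtp[2200]: B5F6071829: to=<victim@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Jan 12 10:03:40 clearos postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.78]: 454 4.7.1 <victim@example.org>: Relay access denied; from=<x@bogus.example> to=<victim@example.org> proto=ESMTP helo=<bogus>
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\]"
                       r"(?:,.*?sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]+>, relay=(?P<relay>\S+),")
REJECT_RE = re.compile(r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: .*Relay access denied")
BRACKET_IP_RE = re.compile(r"\[([^\]]+)\]")


def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)


def _blank():
    return {"ip": None, "user": None, "nrcpt": 0, "relayed_out": 0}


def analyze(log_text, auth_threshold=100, lan_threshold=100):
    """Group log lines by queue id, then attribute recipient counts to SASL users or client IPs."""
    msgs, relay_denied = {}, Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            rec = msgs.setdefault(m["qid"], _blank())
            rec["ip"], rec["user"] = m["ip"], m["user"]
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs.setdefault(m["qid"], _blank())["nrcpt"] = int(m["nrcpt"])
            continue
        m = SMTP_RE.search(line)
        if m:
            # Delivered by the 'smtp' transport: count it only when the next hop is outside our networks.
            hop = BRACKET_IP_RE.search(m["relay"])
            if hop and not is_local(hop[1]):
                msgs.setdefault(m["qid"], _blank())["relayed_out"] += 1
            continue
        m = REJECT_RE.search(line)
        if m:
            relay_denied[m["ip"]] += 1

    per_user, per_client, findings = Counter(), Counter(), []
    for qid, rec in msgs.items():
        if rec["user"]:
            per_user[rec["user"]] += rec["nrcpt"]
        elif rec["ip"]:
            per_client[rec["ip"]] += rec["nrcpt"]
            if not is_local(rec["ip"]) and rec["relayed_out"]:
                findings.append("%s: relayed %d recipient(s) for unauthenticated external client %s (open relay?)"
                                % (qid, rec["relayed_out"], rec["ip"]))
    for user, n in per_user.items():
        if n >= auth_threshold:
            findings.append("sasl user %r sent to %d recipients (stolen credential or infected client?)" % (user, n))
    for ip, n in per_client.items():
        if is_local(ip) and n >= lan_threshold:
            findings.append("LAN host %s pushed %d recipients through the server (infected?)" % (ip, n))
    for ip, n in relay_denied.items():
        findings.append("%s: %d relay attempt(s) rejected with 'Relay access denied' (correct behaviour)" % (ip, n))
    return {"per_user": per_user, "per_client": per_client, "relay_denied": relay_denied, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MAILLOG)["findings"]:
        print(finding)
```

On a real server, feed it the maillog contents instead of SAMPLE_MAILLOG and set MYNETWORKS to match Postfix's mynetworks. Note what each finding does and does not prove: an authenticated user with a huge recipient count is the stolen-credential case regardless of where the connections come from, whereas an unauthenticated external client is only a relay problem if its mail was then delivered onward to another Internet host; ordinary inbound mail from the Internet is delivered into the local store and is not flagged.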