Mailtraq has excellent resources to prevent unauthorized relaying of messages (discussed here), but there are situations when you do want to allow relaying. This KB article explains how to configure the SMTP service so that only authorized relaying can take place.
Why would you want to allow relaying?
You need to allow relaying when the sender is outside your local area network. Typical situations are when a company representative is on the road, someone needs to work from home, or you need to allow a remote office to email to through your corporate email server - Mailtraq.
Normal 'Safe' Relaying Configuration:
The setting is configured on the SMTP Service, Relaying tab.
From the Mailtraq Console, choose Options, Services, then the SMTP service, click Properties, and the Relaying tab.
Mailtraq uses the LAN settings you entered in the Installation Wizard when you installed Mailtraq to know who it is normally safe to relay: those machines with IP addresses that are within your Local Area Network. You can confirm those entries by going to Options | Server | LAN and checking they are correct.
The safe setting is created automatically by Mailtraq, and will look like this:
Allowing Relay - POP before SMTP
Change the safe setting above by selecting
[x] Relay for machines recently collecting POP3 mail
You will see that the dialog changes as some options become 'grayed out'.
Enable this option to permit connecting clients to authenticate themselves for relaying purposes by making a successful POP3 connection to a User Mailbox which is hosted on Mailtraq.
After authentication, users can relay for approximately five minutes. This facility is often referred to as POP-before-SMTP.
This is the simplest method and does not affect local senders.
Many email clients, such as Outlook 2003 (in the example illustrated) and Outlook 2007, can automatically perform a POP3 collection before sending. There is a 'Get-before-Send' extension available for Thunderbird. Otherwise, users can manually do a 'send and receive' shortly before sending a message.
Allowing Relay - SMTP Auth
Change the safe setting in the Mailtraq dialog above by selecting
[x] Use SMTP User Authentication
You will see that the dialog changes as some options become 'grayed out'.
This method is more secure, but also a little more involved to set as it also affects all local users as well as the remote users.
If this SMTP AUTH option is enabled, all connecting clients - local or remote - must authenticate to relay mail through this SMTP service instance (see 'Tip 3' below).
Authentication is performed using the user's username and password on the Properties Tab tab of the User Properties Dialog, accessed via User Manager. The "Relay Mail beyond this server" control on the Privileges Tab of the User Properties Dialog must also be enabled. Two authentication methods are provided, CRAM-MD5 and plain LOGIN.
Each email client connection must authenticate using 'Username and Password' before mail can be sent.
The example shows the 'More Settings' dialog from Outlook 2003. Other email clients have similar options.
Allowing Relay - Trusted IP Address
In certain circumstances you may want to always allow emails to be relayed through Mailtraq from a trusted IP address, in which case it can be added to the LAN definition at the firewall. Remember though, that unless SMTP Authentication is enabled in Mailtraq, the IP address of the sending client is the only factor which can be used to discriminate between authorised and unauthorised relaying.
Configuration Tips
1.) You may need to adjust your main router/firewall/NAT to allow external access to
Port 110 - POP3
Port 143 - IMAP
Read about Mailtraq's own Firewall here ...
2.) You will see that there are two other 'boxes' in the Relaying tab:
Always allow relaying from these senders
Tick the checkbox to enable this facility and enter the addresses of remote hosts which are always permitted to relay mail through this instance of the SMTP Service. The default for this option is unchecked because it is inherently insecure and should only be enabled if access to this instance of the SMTP service is restricted to non-Internet hosts via its Access Control Tab.
Always allow relaying to these recipients
Tick the checkbox to enable this facility and enter the addresses of remote or local recipient mail hosts to which any sender is always permitted to relay mail via this instance of the SMTP Service. The default for this option is unchecked. Use of this option should be carefully monitored to ensure that mail is forwarded only to authorised hosts and that the recipient hosts also do not relay, which would cause your installation of Mailtraq to be included unwittingly in an unauthorised relay chain.
3.) If you need to work in a 'hybrid' environment - typically where nearly all your users are within the LAN, with just a few needing to relay from outside - then you may add another SMTP service on Port 587 set to use SMTP Authenication.
Port 587 is a standard port for authenticated connections, however you may need to adjust your main router/firewall/NAT to allow external access.
Your remote users will need to configure their email client to use an SMTP server on Port 587 instead of the normal default of Port 25.
