Chapter 3: Quick Start Up Main page Chapter 5: Configuring Mail Delivery Agents 

4 Configuring Mail Transfer Agent

figure images/nodeworx/nw-email-mta.png
Figure 4.1 The NodeWorx Mail Transfer Agent Configuration Page

4.1 SMTP Server Status Toggles

The Primary SMTP Server Settings box displays the service status and activity toggles for qmail-smtp (incoming) and qmail-send (outgoing). It also details the current qmail version and the primary port that SMTP operates over, which should always be 25. The Authentication Mode allows you to change between several modes, each of which uses either SMTP-AUTH, TLS, or both.
  • SMTP-AUTH is the standard SMTP authentication mode, requiring a username (the mailbox ID, user@domain.tld) and a password. SMTP-AUTH can be made optional, but must not be required over port 25 or your server would be unable to receive mail from other MTAs.
  • TLS, Transport Layer Security, is a cryptographic protocol that ensures secure communications. TLS requires an SSL certificate on the domain being logged into. The SSL certificate doesn’t need to be signed by a CA, but end-users will likely receive a security alert when the domain of the server being connected to and the cryptographic certificate don’t match or are not verifiable through a CA. This will happen when using a self-signed cert or the user connects through their own domain instead of the SSL certificate’s domain.
The Alternate SMTP Server Settings area displays the service status toggles for a secondary smtp server. Occasionally hosts want an alternate SMTP service which requires TLS, hence we provide the ability to set up a secondary SMTP server on port 587. In addition, hosts can enforce SMTP-AUTH since the secondary SMTP server will not be used to recieve mail from the outside. Finally, hosts don’t necessarily need to use port 587 - they can elect to use a different port which might be useful if one has ISP port restrictions.

4.2 Server Options

These are the “global” server options so to speak. All MTA operators should at least check these settings for correctness.
Mail Server Hostname (FQDN) This box allows you to change the name that your server uses to identify itself to other MTAs. As a caution, MTAs typically refuse mail from servers whose Mail Server FQDN doesn’t match the reverse DNS entry of the sending machine’s IP.
Default Domain The default domain appended to any address that doesn’t include a domain portion. For example, a user sending “FROM fred” instead of “FROM fred@domain.tld” will have this appended in place of their actual domain.

4.3 Bounce Options

Bouncing is when a user sends an email and it gets rejected or is determined undeliverable, the system notifies by sending the message back to the user notifying them of failure. The act of the message being sent and then being returned to the sender is analogous to a check bouncing and being returned to the check writer - You send something out and it comes back. Hence the name.
Bounce From The username that your server uses to return bad messages.
Bounce Host The domain that your server uses to return bad messages. Combined with the above produces a complete email address, user@host.
Double Bounce Messages If a message bounces, and is returned to a bad mail address, typically qmail will simply destroy or ignore the message without telling anyone. If you’d like a mailbox to gather information on incidents like that, however, enable Double Bounce here.
Double Bounce To The username on the local server of the mailbox that you wish to receive double-bounce messages.
Double Bounce Host The domain name of the double-bounce user above.

4.4 SMTP Inbound Options

SMTP Greeting This is the text shown to other MTAs when they connect to your server’s instance of SMTP.
Inbound Connections (max) The maximum number of concurrent incoming connections per SMTP server. If you have both incoming servers enabled, this number will be effectively doubled. [K][K]This value changes the tcpserver setting of the ucspi-tcp suite which is used to launch the program.
Timeout The amount of time, in seconds, until qmail-smtp closes a connection. Resets every time the server receives data.
Message Size Maximum file size for any incoming message, including attachments. Worth noting here is that it takes processor time, memory, bandwidth, and storage space to process very large email messages. This is somewhat dangerous in a shared environment, where you want to be fair to all e-mail users using your server.

4.5 MTA Level Outbound and Inbound E-Mail Address Blacklists

The MTA level blacklists allow you to block e-mail addresses at a very low level (SMTP-level on incoming, qmail-inject level on outgoing) so they are denied before further processing takes place.

4.5.1 Realtime (SBL) Blacklists

Realtime Server Black Lists are extensive databases of known unsolicited bulk mail providers. Attaching one or more Realtime SBL to your server can increase its efficiency at preventing spam, though excessive list additions might slow down mail transfer significantly.

4.6 SMTP Outbound Options

Outbound Connections (max) Also called “concurrency remote”, tells qmail the maximum number of outbound connections (i.e. qmail-remote processes) that it can have open at any one time.
Response Timeout This setting changes how long qmail will wait for a response to outgoing communications before closing a connection.
Connect Timeout Use this to set the number of seconds qmail will wait for an outbound connection to establish.
Queue Lifetime This defines the number of seconds a message can stay in the queue. The default is 604800 (one week). During this period, qmail will periodically attempt to re-send the message. After this time expires, qmail-send will try sending any message remaining in the queue once more, but it will treat any temporary delivery failures as permanent failures and bounce the message back to the user.[L][L]Messages will only stay in queue if the message is deferred - i.e. qmail is able to determine the IP address of the remote MX server and either the connection timesout, or qmail is able to connect but the remote server rejects the message saying try again later. This is typical when a mail server gets black-listed by free webmail providers like GMail or Hotmail. If the remote server responds that the user doesn’t exist, qmail can’t determine the mx server of the host portion of the address, or the delivery is local and the user doesn’t exist, qmail will immediately bounce the message back since those are considered permanent failures.

4.6.1 SMTP Routes

SMTP Routes This sets artificial SMTP routes.
This might not mean much to you, but essentially this setting[M][M]It’s not really a setting - it’s a file on disk that qmail reads from in /var/qmail/control allows you to “override” the default behavior of the mail server to do a DNS lookup for a domain’s MX record and instead force delivery to a specific MX server. From qmail-remote’s man page and made more eloquent by us: Each route has the form domain:relay, without any extra spaces. If domain matches the host portion of an address, qmail-remote will connect to relay, as if the host had relay as its only MX. (It will also avoid doing any CNAME lookups on the recipient).
Relay may include a colon and a port number to use instead of the normal SMTP port, 25:
  • domain.tld:relay.tld:26
relay may be empty; this tells qmail-remote to look up MX records as usual.
  • domain.tld:
smtproutes may include wildcards:
  • :relay.tld
You can optionally combine an empty relay and wildcard to do interesting things like the following:
  • .domain.tld:
Here any address ending with .domain.tld (but not domain.tld itself) is routed by its MX records; any other address is artificially routed to relay.tld.
Worth noting is that qmail does not protect you if you create an artificial mail loop between machines. However, you are always safe using smtproutes if you do not accept mail from the network (i.e. mail only goes one-way).
 Chapter 3: Quick Start Up Main page Chapter 5: Configuring Mail Delivery Agents 

(C) 2019 by InterWorx LLC