reverse proxy for multiple SMTP / IMAP servers


There is no need to put nginx or any other form of load balancer in front of your border SMTP servers. If you don't get the configuration right, it is likely to hurt your ability to successfully deliver mail. Just put your servers in your DMZ.

Incoming traffic will be part way through a conversation before you can route it appropriately. IMAP users will be attempting to login. SMTP servers will be at the RCPT TO command, and may be attempting to deliver the same message to different domains for which you are listed as the MX.

It is common to use names like smtp01.example.com for farms of servers. For each of these servers, the domain you use for your mail server(s) rarely matches the server name. For common services like SMTP, Web, IMAP, POP and others it is common to publish and use service names in addition to (or instead of) host names. Load balance your MX servers by publishing them at the same priority.

  1. Publish an A record in DNS for your mail server's IP address. Also add an AAAA record for the mail server's IPv6 address if you want to support IPv6. (You will need two PTR records if you are configuring both IPv4 and IPv6 support.)
  2. Have your IP provider configure the PTR record to return the service (SMTP) name of the server. This will enable reverse DNS (rDNS) validation to work.
  3. Configure your mail server to bind to the above address(es) when sending email.
  4. Configure the mail server to use the service name as its identity. This will allow rDNS validation to work on the HELO or EHLO command.

Consider adding an SPF record like v=spf1 a -all to the DNS entries for each SMTP server. This will allow recipients to verify that this server is intended to send mail. (SPF can be used to verify the server as well as the sender.)

While it is common for the MX servers to also be the outbound mail servers, it is not necessary. List the outbound SMTP servers in the SPF record for the domains used in email addresses (usually example.com rather than george.example.com).

Your SMTP servers should belong to one domain. The MX servers for a domain do not have to be in the same domain. If you are configuring multiple domains, pick one for the mail servers and use that for all the domains.

In larger installations, it is common for the border (externally facing) SMTP servers to forward to internal mail servers for final delivery of incoming mail. All outgoing mail should be sent to the border servers for delivery. If you have split your incoming MX (mail exchange) servers from outgoing MTA (Mail Transfer Agent) servers, outgoing messages should be sent via the outgoing MTAs rather than the MX servers. It is a good idea to include MX in the SPF records anyway. This will allow your MX servers to send delayed delivery notifications without the message being considered spam.

For roaming users you may need authenticated SMTP access to allow the users to send email. This is best done on the Submission port (587) rather than the SMTP port (25). This should be secured with TLS (SSL) using the STARTTLS command after connecting. Authentication should only be allowed on encrypted connections. This can be offered on the servers configured above, or on the servers providing IMAP access.

Depending on your needs you can use an IMAP server that supports proxying connections, or just allow the users to connect to the server for their domain. It is common to use a service domain for this purpose, usually imap.example.com or mail.example.com. These can be configured in DNS as A records or CNAMEs. Many mail clients will auto-configure correctly to the common service accounts for the domain. If [email protected] is entered as the user during configuration, the software is likely to find service domains like mail.example.com, imap.example.com, pop.example.com and smtp.example.com. It is relatively common to use different service names for IMAP and SMTP traffic.
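The DNS arrangement the answer describes (steps 1 to 4 plus the per-server SPF record) can be checked mechanically, and it is worth doing so before relying on it for delivery. The following is an added example, not part of the original answer, that runs the checks a receiving MTA performs: forward-confirmed reverse DNS for each server address, the HELO/EHLO name against the PTR name, whether the MX records are published at one priority, and a minimal SPF evaluation. It works against a constructed in-memory zone (the smtp01/smtp02/beta names and the 192.0.2.x and 2001:db8:: addresses are sample data) instead of live DNS so that it runs offline; the SPF evaluator only handles the a, mx, ip4, ip6 and all mechanisms, not include, redirect, macros or CIDR suffixes on a and mx.

```python
import ipaddress


def rev(ip):
    """Reverse-pointer name for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed sample zone (not real DNS data). Two MX hosts at the same
# priority; smtp01 is set up as the answer recommends, smtp02 is not:
# its PTR still returns the host name beta.example.com rather than the
# service name, so HELO smtp02.example.com will not match the PTR.
ZONE = {
    ("example.com", "MX"): ["10 smtp01.example.com", "10 smtp02.example.com"],
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("smtp01.example.com", "A"): ["192.0.2.10"],
    ("smtp01.example.com", "AAAA"): ["2001:db8::10"],
    ("smtp01.example.com", "TXT"): ["v=spf1 a -all"],
    (rev("192.0.2.10"), "PTR"): ["smtp01.example.com"],
    (rev("2001:db8::10"), "PTR"): ["smtp01.example.com"],
    ("smtp02.example.com", "A"): ["192.0.2.11"],
    ("smtp02.example.com", "TXT"): ["v=spf1 a -all"],
    ("beta.example.com", "A"): ["192.0.2.11"],
    (rev("192.0.2.11"), "PTR"): ["beta.example.com"],
}


def lookup(name, rtype):
    """Records of one type for a name from the constructed zone."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def addresses(name):
    """All A and AAAA addresses of a name as ipaddress objects."""
    return {ipaddress.ip_address(a) for t in ("A", "AAAA") for a in lookup(name, t)}


def fcrdns(ip):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A/AAAA must contain ip.
    Returns (confirmed, ptr_names)."""
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(addr.reverse_pointer, "PTR")
    confirmed = [n for n in ptrs if addr in addresses(n)]
    return bool(confirmed), ptrs


def helo_ok(ip, helo):
    """Strict HELO check: FCrDNS passes and the HELO name is one of the PTR names."""
    confirmed, ptrs = fcrdns(ip)
    return confirmed and helo.lower().rstrip(".") in [p.lower().rstrip(".") for p in ptrs]


def mx_balanced(domain):
    """True when every MX for the domain is published at the same priority."""
    prios = {int(mx.split()[0]) for mx in lookup(domain, "MX")}
    return len(prios) == 1


def spf_check(domain, ip):
    """Minimal SPF evaluator for the subset v=spf1 / a / mx / ip4 / ip6 / all.
    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 names)."""
    records = [t for t in lookup(domain, "TXT") if t.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is a permanent error
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = addr in addresses(target)
        elif mech == "mx":
            matched = any(addr in addresses(mx.split()[1]) for mx in lookup(target, "MX"))
        elif mech in ("ip4", "ip6"):
            # ip_network.__contains__ is False across address families
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"      # include/redirect/exists not handled in this subset
        if matched:
            return verdict[qual]
    return "neutral"                # no mechanism matched


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "smtp01.example.com"),
                     ("2001:db8::10", "smtp01.example.com"),
                     ("192.0.2.11", "smtp02.example.com")]:
        print(ip, "fcrdns", fcrdns(ip), "helo_ok", helo_ok(ip, helo),
              "spf", spf_check(helo, ip))
    print("mx balanced:", mx_balanced("example.com"))
```

Running it shows smtp01 passing every check over both IPv4 and IPv6 and smtp02 passing FCrDNS (the PTR name does resolve back) but failing the HELO match, which is the exact condition step 2 of the answer is meant to prevent.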
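The submission-port rule in the answer (AUTH only after STARTTLS, on port 587) is a session state machine, and the failure mode is a server that advertises or accepts AUTH on a cleartext connection. The following added example, not part of the original answer and not any MTA's code, models that policy as a toy command handler: AUTH is advertised in the EHLO reply only once TLS is up, an AUTH attempt on a cleartext session gets a 530, and after STARTTLS the client must re-EHLO before authenticating. The reply texts follow common MTA wording; the service name smtp.example.com, the credential table and the session class are constructed for illustration, and the STARTTLS handling only flips a flag where a real server performs the handshake.

```python
import base64
import hmac

# Constructed credential for the example; a real MTA delegates to SASL.
USERS = {"alice@example.com": "correct horse battery staple"}


def plain_response(user, password):
    """Client side: AUTH PLAIN initial response, base64(\\0user\\0password)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


class SubmissionSession:
    """Toy state machine for one port-587 submission session."""

    def __init__(self, hostname="smtp.example.com"):   # constructed service name
        self.hostname = hostname
        self.tls = False
        self.greeted = False
        self.authenticated = False

    def _ehlo(self):
        lines = ["250-" + self.hostname]
        if self.tls:
            lines.append("250-AUTH PLAIN")        # advertised only on an encrypted session
        else:
            lines.append("250-STARTTLS")
        lines.append("250 ENHANCEDSTATUSCODES")
        self.greeted = True
        return "\r\n".join(lines)

    def _auth_plain(self, initial_response):
        try:
            parts = base64.b64decode(initial_response, validate=True).split(b"\0")
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        if len(parts) != 3:
            return "501 5.5.2 Cannot decode response"
        _authzid, user, password = (p.decode("utf-8", "replace") for p in parts)
        # Compare against a dummy for unknown users so timing does not reveal them.
        expected = USERS.get(user, "\0" * 32)
        if user in USERS and hmac.compare_digest(expected.encode(), password.encode()):
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self._ehlo()
        if not self.greeted:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return "554 5.5.1 Error: TLS already active"
            # A real server negotiates TLS here, then discards all session state.
            self.tls, self.greeted = True, False
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            mech, _, resp = arg.partition(" ")
            if mech.upper() != "PLAIN" or not resp:
                return "504 5.5.4 Unsupported authentication mechanism"
            return self._auth_plain(resp)
        if verb == "MAIL":
            if not self.authenticated:
                return "530 5.7.0 Authentication required"
            return "250 2.1.0 Ok"
        return "502 5.5.2 Error: command not recognized"


def run(commands):
    """Drive one session through a list of client commands; return the replies."""
    session = SubmissionSession()
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    cred = plain_response("alice@example.com", "correct horse battery staple")
    for cmd, reply in zip(["EHLO c", "AUTH PLAIN " + cred, "STARTTLS", "EHLO c",
                           "AUTH PLAIN " + cred, "MAIL FROM:<alice@example.com>"],
                          run(["EHLO c", "AUTH PLAIN " + cred, "STARTTLS", "EHLO c",
                               "AUTH PLAIN " + cred, "MAIL FROM:<alice@example.com>"])):
        print("C:", cmd[:40], "\nS:", reply.replace("\r\n", " | "))
```

The transcript printed by the main block shows the 530 on the cleartext AUTH attempt, the AUTH extension appearing only in the post-STARTTLS EHLO reply, and MAIL FROM being refused until authentication has succeeded, which is the behaviour to confirm on a real submission server with an openssl s_client or swaks session before opening port 587 to roaming users.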

Author: Ueli

Updated on September 18, 2022

Comments

  • Ueli, almost 2 years ago

    Instead of giving our clients server names like beta.example.com as IMAP / SMTP servers, we'd like to use smtp.example.com.

    We have a database of all domains / e-mail servers and the corresponding mail servers. Is there a way to use nginx (or another server/service) as a reverse proxy? nginx should then forward the request to the correct server.

    Thank you very much