March 03 2015
SmarterTools email server matched with your XTM 330 firewall by Watchguard: making your reverse DNS, banner and DNS match the way they should, with settings that still keep you safe. You can stop your server's replies and let your firewall do the talking. This should be a good starting point before I start comparing how you handle postal mail at home with how your corporate office does. No worries, it will be fun and only painful to IT.

Your free or paid version of SmarterMail Server.


Email Server Introduction:

It's about keeping your communications safe, secure and possibly encrypted.
My goal is to share with you some of the things I have learned over the years.

I'll continue the "Email Server Introduction" at the bottom of this page. 

SmarterMail by SmarterTools 

Your SmarterMail by SmarterTools.com people will help you, and the forums are good; just don't read into personalities too much, because a few "Know It All" types do tend not to give you the time of day when you are just learning. Even a veteran of email can be abused a bit if the question is worded wrong. I tend to follow those that can prove they know their stuff, run their own systems, monitor their own configurations and read log reports over coffee each and every day. I'm not one to listen to a "Microsoft Says to do XYZ" type of person, and if you think real-world IT is easy, well, I'll say you learned the right way the first time. 

My Email server experience goes back a few decades. I've kept up with most of the changes and try to keep my level of professionalism high enough to configure enterprise systems for some contract jobs.

I always recommend visiting your vendor's or manufacturer's website and asking them questions before you venture out into the vast technology world of answers. Help files, Knowledge Base articles and forums over at SmarterTools.com will give you all that you need to start.

Let's get busy and get your custom system working. 

Network Overview:

Computer / Server: Currently I run SmarterMail 13.x on a virtual server running Windows 2008 R2 and have a Virtual Hard Drive attached to store my DOMAIN email. The VHD is BitLocker protected. The SmarterMail software runs from the virtual server's main OS drive and stores all domain files to the VHD. This keeps things portable.
I started on a Pentium 4 D desktop computer with Windows XP and the Free version of SmarterMail. 

Network / Router / Firewall: Watchguard XTM330, Fireware v11.9.x. I bridge my connection to my Hyper-V server to manage the connections. Using a single bridged port seemed to give better response times to the IIS, FTP, SMTP, POP, WebDAV, etc. servers that all use that single interface. I'm sure a VLAN QoS environment would be good to use, but I wanted to keep the Administrator's System Configuration Log book under 50 pages. 

To do side-by-side comparisons, and also so I can show you I am really talking from experience, here's my favorite current IP for my mail.mysmallcloud.com address. 
The reverse DNS is going to point to my job site, but it's all going to show you how it is set up. 

You can use my email server to test against. 
You won't need to log in, just run the MXToolbox.com tests so I know it's coming from a safe-ish location. 

IP 98.175.19.132
PTR and DNS domain is mail.mnworks.net
Test on mail.mysmallcloud.com

Remember that this configuration is for Micro Enterprise Networks. We often see only one (1) static IP in this type of setup so everything needs to be managed as if one IP is available. 

Using MXToolBox.Com run your tests against your SMTP, POP domain and your IP address. (DO NOT run a PORT SCAN from MXToolBox.Com unless you have your Firewall set to not block and auto-block the IP.)

My Top SmarterMail Starter list.

Using MXToolbox.com and CheckTLS.com against your own IP or SMTP domain, test your server-to-server SMTP TLS settings. If you have a self-signed cert that's OK; read the results, they will show that TLS still encrypts your message between servers even if the certificate, hostname or domain name is not valid.
As for MXToolbox.com, we want to have all results pass OK. That means making sure we have 0, ZERO, NO ERRORS of ANY KIND, and it IS possible, so don't believe anyone who says otherwise. 

Step 1, IP, DNS, PTR, Reverse DNS setup from your ISP and DNS provider.

1. Get your PTR Pointed to your Domain. This is called Reverse DNS. Many Email Servers require a DNS entry to match the IP. Call your ISP to have this done if your DNS management console doesn't offer this option. 

If you are running several domains on one IP with self-signed certificates you're not alone. Honestly, between email and web domains the costs could be high. I'll get into the certs later. 

I have several domains, mail.mysmallcloud.com, mail.xtremecomputer.com using the hostname mail.mnworks.net on a single IP address that seems to work just fine.
Sure it would be nice to have individual IPs for every service all with valid certs but we are right now building our Micro Enterprise Network and that means Micro Budgets as well.

Reverse DNS points to my busiest domain. No matter what you do, the Reverse DNS is going to want to see something even if it's your raw charter.com, cox.com or att.com address. You're going to want something that is registered in the DNS server from your ISP that points to that name. 

Here's my Example and I hope this helps you as much as it did me to set it up. 

We start with a static IP, in my case: 98.175.19.132 which points to a canonical name of wsip-98-175-19-132.br.br.cox.net and registered to cox.net.

When we register our domain name and configure our host A record we use our domain name, in my case MySmallCloud.com, and point it toward our IP address: 98.175.19.132. This works great for WWW servers, but for email servers some spam prevention practices want a PTR or reverse DNS entry, a reverse DNS name that matches a hostname in the email server. So we call our ISP and ask for a PTR or reverse DNS name. After our ISP takes care of that (for free) our PTR / reverse DNS results look closer to what we need them to be. In my case, using www.Network-Tools.Com, the results for IP address 98.175.19.132 are: canonical name: mail.mnworks.net, Registered Domain: mnworks.net.

Even when I use a different email domain like mail.mysmallcloud.com the Reverse DNS IP all match my Hostname and Banner Header which is what the antispam apps need. 

Step 2, XTM 330 Firewall Fireware 11.9.x Setup.

By default, I believe, the XTM will not pass all of your server's responses through. Your XTM is not set up out of the box for anything more than a simple internet connection. 

You can read the help files at Watchguard.com and get your basics, then come on back to get the advanced configuration settings between your XTM and SmarterMail server. 

You need to edit the proxy action of your SMTP server. 
The default SMTP proxy action cannot be edited, so you need to clone it. 
SMTP-Incoming.1 is what I call mine.
Start from General > General Settings > Hide Email Server. 
You have a few options here, but I have selected only "Server Replies, Rewrite Banner Domain". Enter the FQDN (Fully Qualified Domain Name) that matches the hostname you entered in your SmarterMail server; in my case it's mail.mnworks.net. This will match the reverse DNS lookup from the authoritative server, which is my ISP (I believe).

Step 3, SmarterMail Hostname to PTR or Reverse DNS name setup. 

From SmarterMail, log on as admin. 

  • Go to General Settings.
  • From the Server Info Tab enter the same name you placed in your firewall into the hostname field. In my example it would be mail.mnworks.net .

Now you're set for your SMTP Banner Check and your SMTP Reverse DNS Mismatch check.
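As an added example (my own code, not the post's or SmarterTools'/Watchguard's), here is a Python check that runs the three things the post wants MXToolbox to report clean: a PTR exists, the PTR name resolves back to the IP (forward-confirmed reverse DNS), and the SMTP banner's hostname equals that PTR name. The lookups are injected, so the constructed test data below, built from the post's own IP and hostname, runs offline; `live_ptr`/`live_a` use the socket module for a real check.

```python
import re
import socket

# Constructed offline test data built from the values the post gives:
# 98.175.19.132 with PTR mail.mnworks.net, and a second mail domain on the same IP.
SAMPLE_PTR = {"98.175.19.132": "mail.mnworks.net"}
SAMPLE_A = {"mail.mnworks.net": ["98.175.19.132"],
            "mail.mysmallcloud.com": ["98.175.19.132"]}
# Constructed greeting; SmarterMail's real banner text may differ, only the hostname matters.
SAMPLE_BANNER = "220 mail.mnworks.net ESMTP ready"

def banner_hostname(banner):
    """Hostname from an SMTP 220 greeting ('220 host ...' or '220-host ...')."""
    m = re.match(r"220[ -](\S+)", banner)
    return m.group(1).rstrip(".").lower() if m else None

def check_mail_identity(ip, banner, ptr_lookup, a_lookup):
    """Pass/fail per check. ptr_lookup(ip) -> name or None; a_lookup(name) -> [ips]."""
    ptr = (ptr_lookup(ip) or "").rstrip(".").lower()
    host = banner_hostname(banner)
    return {
        "ptr_exists": bool(ptr),
        # Reverse DNS mismatch check: the PTR name must resolve back to the same IP.
        "fcrdns": bool(ptr) and ip in a_lookup(ptr),
        # Banner check: the greeting hostname must resolve to the connecting IP...
        "banner_resolves": bool(host) and ip in a_lookup(host),
        # ...and, as the post configures it, be the PTR name itself.
        "banner_matches_ptr": bool(host) and host == ptr,
    }

def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_sample():
    """Run the checks against the constructed data above (all should pass)."""
    return check_mail_identity("98.175.19.132", SAMPLE_BANNER,
                               SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    import sys  # usage: python check.py <ip> "<220 banner line>"
    for name, ok in check_mail_identity(sys.argv[1], sys.argv[2], live_ptr, live_a).items():
        print(f"{name:20} {'OK' if ok else 'FAIL'}")
```

The second domain on the same IP still passes the banner check as long as the banner carries the PTR name, which is exactly why the post sets both the firewall and SmarterMail to the same hostname.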

Step 4, Additional Configuration that is required in today's world.

Steps 1, 2 and 3 got you past the connection requirements of thousands of email servers. Now let's start working on making the communication between your server and the other email server secure. Once your logs show you sent the email over 100% SSL or TLS connections, what happens on the other end has nothing to do with you.

My Story: I'd like to share a bit of information with you from some of my readings online. 
It appears that since my days of testing Session Connected Remote Desktop services there always seems to be someone or something in the middle of our conversations. I don't know who or what but I can say I saw the mouse writing on the wall and that's all it took to not trust a single server outside of my physical reach. 

I want you to use SSL and TLS at all times; even if you have to create your own certificate, the data that is transferred always needs to be encrypted. It might mean nothing more than a few hours to decrypt it, or maybe a few years, but it's going to take time and effort, so do your part to keep yourself safe from that thing in the middle.

On your server you can create a self signed certificate, you might have to download an app if you're using older software. Google Creating a Self Signed Certificate on Windows. 

Every connection to your SmarterMail needs to be SSL or TLS. 
No plain-text or unsecured connections, never; get it out of your head right now.

  • SMTP, port 25: TLS (SmarterMail's default SMTP port)
  • IMAP, port 143: TLS
  • SMTP, port 465: SSL
  • Submission (SMTP), port 587: TLS
  • POP, port 995: SSL
  • XMPP, port 5222: TLS

When you are finished with your ports you should see that all ports are either SSL or TLS. 
You may have one exception, and that could be your Active Directory, but all others are SSL or TLS. 
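To verify that port list from outside, here is an added Python probe (mine, not SmarterTools' or Watchguard's). For each port in the post's table it negotiates TLS the way that port expects, implicit TLS on 465/995 and STARTTLS on 25/143/587, and reports the negotiated protocol version. Certificate validation is switched off because the post assumes self-signed certificates; XMPP 5222 is left out because its STARTTLS runs inside the XML stream. The target hostname is assumed to come from the command line.

```python
import imaplib
import poplib
import smtplib
import socket
import ssl
import sys

# Port table from the post. "SSL" there means implicit TLS (encrypted from the first
# byte); "TLS" means STARTTLS, an upgrade negotiated on the plaintext port.
PORTS = {
    25: ("smtp", "starttls"),
    587: ("smtp", "starttls"),
    465: ("smtp", "implicit"),
    143: ("imap", "starttls"),
    995: ("pop3", "implicit"),
}

def tls_mode(port):
    """'implicit' or 'starttls' for a port in the table, None if it is not listed."""
    entry = PORTS.get(port)
    return entry[1] if entry else None

def make_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # self-signed certs are expected per the post,
    ctx.verify_mode = ssl.CERT_NONE   # so only confirm that encryption is negotiated
    return ctx

def probe(host, port, timeout=10):
    """Connect, negotiate TLS as the port requires, return the TLS version string."""
    proto, mode = PORTS[port]
    socket.setdefaulttimeout(timeout)
    ctx = make_context()
    if proto == "smtp":
        if mode == "implicit":
            conn = smtplib.SMTP_SSL(host, port, context=ctx)
        else:
            conn = smtplib.SMTP(host, port)
            conn.ehlo()
            conn.starttls(context=ctx)  # raises if the server does not offer STARTTLS
        version, _ = conn.sock.version(), conn.quit()
    elif proto == "imap":
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ssl_context=ctx)
        version, _ = conn.sock.version(), conn.logout()
    else:
        conn = poplib.POP3_SSL(host, port, context=ctx)
        version, _ = conn.sock.version(), conn.quit()
    return version

if __name__ == "__main__":
    target = sys.argv[1]  # e.g. mail.example.com (assumed command-line argument)
    for p in sorted(PORTS):
        try:
            print(f"{p:5} {tls_mode(p):9} {probe(target, p)}")
        except Exception as exc:  # closed port, no STARTTLS offered, handshake failure
            print(f"{p:5} {tls_mode(p):9} FAIL: {exc}")
```

A FAIL on a STARTTLS port usually means the server still accepts plain text there, which is the state the post is telling you to get rid of.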

Microsoft IIS SSL Port 443: Because SmarterMail interfaces with your Microsoft IIS server your certificate should be easy to build, older computers may have to download the SDK 6.0 for IIS 6. If you have a hard time finding it email me and I'll see if I can locate my old copy. But Microsoft should have it on their site still.

SSL TLS Setup, Protocol Settings.

  • Go to your Protocol Settings and make sure you enable "TLS if supported by remote server".
  • Use your domain's IP, with your primary IP as the fail-safe.
    (That's if you have static IPs.)
  • Make sure you test your connection time and transaction time, and do not allow relay unless authenticated.

SSL TLS Setup, Domain Defaults. 

  • TLS is Enabled
  • SRS is Use Server Default
  • Exclude IP from Receive line.

Your XTM needs to know that you want to use TLS. Configure your TLS from your Proxy Action configuration. (Maybe one day we can get into the different setups. Maybe when I'm so damn wealthy I don't know what to do with the gold. Or maybe just ask.)

Tech Tip: SmarterMail CER Setup: If you test your TLS with one of my other favorite testing grounds, "CheckTLS" (STARTTLS command rejected = BAD CERT), you might find your firewall cert expired, or the cert you use in your SmarterMail. Because I have it pull certs from the firewall, follow the guide I gave you here. The SSL self-signed certificate you created in IIS 7.x for your https:// email server is different from the Watchguard self-created and self-signed SSL certificate you have in your XTM device that points to your IIS server. You will find some tests show the certificate status of your Firebox and not your https website. It's all good; when your Watchguard cert expires (which mine did this year) just go back into the Authentication section, Certificates, and save it again. You might need to add or remove a domain name then save, but all you want to do is have the box generate a new cert. You'll log off, refresh your browser and log on. All will be as it was, and that "Expired" under System > Certificates will return to "Signed" as it should be.

Every year or every 2 years you have to repeat this process, so put it in your Admin Reminders. MMC > Computer Account > Certificates (Local Computer): look for your server name and the certs you created. Make sure they are still valid, and remove any old out-of-date certs you created. Here's a note on using the MMC console root.

That's it for this part. You should be able to connect, send, receive from any valid email server in the world.

If you have any issues send me your IP, Domain, Email and I'll see if I can help you narrow down the issue. 

Notes about the Micro Enterprise Network Email to Firewall.

Don't panic when you get "550 Mailbox Unavailable", which actually means "non-existent email address".
It will be rare that this happens, and it's not your fault. I've seen some real lazy email server setups, and they let a 500-series error tell you they think you're spam.

I see many online resources saying 550 errors are "Permission Denied" or "Connection Refused" which are not technically correct. 500 errors are system errors and responding with the Mailbox Unavailable is just wrong.

Here's why it's wrong: your new customer just sent to Sales@yourstaffsales.com and now they see a 550 error with the message "Email Unavailable". That means: bad email address. They look on your contact page, see the same address, and think you don't have your online contact information in order; and if that's the case, "I don't know if I can trust you with my order." 

My Example: 

Failed Recipient: ask@.com
Reason: The recipient does not exist

No code errors, just a simple message. The email address is old but active and not accepting any new email.

Now, if you used the proper codes like, 451 or 471 you could then detail "Anti Spam filters detected a problem. Please use a different email address or use our contact form here".

See how one could actually help educate and keep your potential customer from leaving?
I've had battles with IT admins over their email servers' spam settings in the past. I've hosted my own servers for years and never have I had to block an email in such a way that the person had no choice but to leave my domain's realm. These are bad business practices; don't let your IT people run business away. 
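As an added example (my code, not the post's), a small Python parser for the reply lines the post is discussing: it splits off the three-digit code, the optional RFC 3463 enhanced status code and the text, and says whether the sending server will retry (4yz) or bounce for good (5yz). The two sample replies are constructed to mirror the post's contrast between a 550 "mailbox unavailable" and a 451 "try another address" response.

```python
import re

# RFC 3463 enhanced status codes most often seen on the replies the post discusses
# (class.subject.detail; the class digit repeats the basic reply code's first digit).
ENHANCED = {
    "5.1.1": "bad destination mailbox address (does not exist)",
    "5.7.1": "delivery not authorized, message refused (policy/spam)",
    "4.7.1": "delivery not authorized, try again later (policy/spam)",
    "4.2.2": "mailbox full",
}

REPLY_RE = re.compile(
    r"^(?P<code>[2-5]\d\d)(?P<sep>[ -])(?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$")

def parse_reply(line):
    """Parse one SMTP reply line into its parts; ValueError if it is not a reply."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    code = int(m["code"])
    kind = {2: "success", 3: "intermediate", 4: "transient", 5: "permanent"}[code // 100]
    return {"code": code, "kind": kind, "enhanced": m["esc"],
            "detail": ENHANCED.get(m["esc"] or "", ""), "text": m["text"],
            "more_lines": m["sep"] == "-"}  # '-' means a multi-line reply continues

def sender_action(line):
    """What the sending MTA does with this reply, which is what the customer experiences."""
    r = parse_reply(line)
    if r["kind"] == "transient":
        return "queue and retry later; the sender only hears about it if retries run out"
    if r["kind"] == "permanent":
        return "bounce immediately; the sender gets a failure notice right away"
    return "continue the session"

def explain(line):
    r = parse_reply(line)
    return f"{r['code']} {r['kind']}: {r['detail'] or r['text']}"

# Constructed replies matching the two behaviours the post contrasts.
MAILBOX_GONE = "550 5.1.1 Mailbox unavailable"
SPAM_SOFTFAIL = ("451 4.7.1 Anti-spam filters detected a problem. "
                 "Please use a different email address or our contact form.")

if __name__ == "__main__":
    for reply in (MAILBOX_GONE, SPAM_SOFTFAIL):
        print(reply)
        print("  ->", explain(reply), "|", sender_action(reply))
```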


Continued from the TOP:

Email Server Introduction:

Free is NOT SECURE so no personal information should be stored on any public email server.

Even if you pay for your email service, your emails should be encrypted and saved often to a BitLocker-enabled hard drive. Never leave anything to chance; if you do your part in keeping your information secure, you'll only need to worry about the hundreds of companies and departments that have your information now and the thousands of people working in those companies accessing your data.

Let's learn from what we read in the news and at the FBI's website.

  • Not all Network Security Administrators are trustworthy.
  • Not all Cash register Software is designed to keep you secure.
  • Store cameras often see more than you would want them to see.
  • Not all laptops stolen from cars, offices, park benches have had their hard drives or data encrypted. (Even if they claim it was.)
  • Not many cloud services know who really has access to your data.
    Ask for a name and the hard drive's physical location and you'll get some crap about "It's the Cloud, It's in Motion, It's Everywhere." That should do it. Feeling safer?

I take data security so seriously that I refuse to work with any data other than my own.
But that doesn't mean I don't set up encrypted networks; it only means I don't touch the data. Why? It's my job to make it invisible and untouchable.

Anyway, I'm here to help you set up your own Micro Enterprise Network so you can be responsible for your own data. 
