Open with table of contents

Manage SMTP Connections

Connection Profiles (connections) manage the way an SMTP conversation is established and authenticated. Using the Manage Connections page, you can:

• Add Client Hosts to define the host machine(s) to which the connection applies. You can add internal email servers or external hosts.
• Add Sender Domains to define the domains to which the connection applies. If a Connection Profile does not match on host name or IP, it attempts to match on sender email domain name. These restrictions only apply to inbound mandatory TLS.
  If you wish to select Connection Profiles by Sender Domains, you must enable Opportunistic TLS.
• Configure a Relay control to manage the way the connection relays mail.
• Configure TLS Settings to allow the Connection Profile to establish a TLS connection.
• Apply SMTP Authentication to specify the authentication mechanism that is required for inbound SMTP traffic using the Connection Profile.

The Manage Connections page displays the list of configured Connection Profiles.

How do I...

• Create a Connection Profile?

  1. Click the System tab and under SMTP Settings, click Connections.

  2. Do one of the following:

     • On the Connections toolbar, click New.
     • In the Task panel, click New Connection.
  3. Change the settings in the Overview section to rename the connection.
• Add a client host?

  1. Create a new connection, or select a connection and click Edit.
  2. Add a new client host by doing one of the following:
     • Click the Client Hosts tab and click New.
     • Click New Client Host in the Task panel.

  3. Enter the IP address of the server (or range of servers) or the host fully qualified domain name (FQDN) to which this Connection Profile applies. You can use a wildcard (*) to specify a host on a Connection Profile, which allows the profile to match anything that doesn't match another profile.
     

     You can specify the host name, a wildcarded host name, an IP address, or a wildcarded IP address. Wildcarded IP addresses only support trailing wildcards for whole terms, for example, 1.2.3.* or 1.2.*. You cannot insert wildcards in the middle of the IP address, for example 1.2.3* or 1.*.3.4.

     If mandatory inbound TLS is configured on this profile, this takes precedence over the global opportunistic setting. However, if mandatory inbound TLS is not configured on this profile, the global opportunistic setting is used.
     

     For an inbound connection, the Gateway first tries to match the IP address, then the host name, and finally the sender domain name. The host name/IP is also used for relay and authentication. However, the sender domain is only used for inbound TLS, and does not enforce relay or authentication.

  4. Click Add.

  5. Click Close.

• Add a sender domain?

  1. Create a new connection, or select a connection and click Edit.
  2. Add a new sender domain by doing one of the following:
     • Click the Sender Domains tab and click New.
     • Click New Sender Domain in the Task panel.

  3. Enter the sender domain name to which this Connection Profile applies.
     If mandatory inbound TLS is configured on this profile, this takes precedence over the global opportunistic setting. However, if mandatory inbound TLS is not configured on this profile, the global opportunistic setting is used.
     

  4. Click Add.

  5. Click Close.

• Add relay control?

  1. Click the Relay tab.

     Change the settings in the Inbound Relay Control section.

  2. Select the type of Relay Control you require for your configured Hosts.

     Inbound Relay Control	Description
     None	No relay control configured for this Connection profile.
     Full	This Connection profile represents internal corporate mail servers. Connection Hosts can send mail to any domain. Messages are not checked for spam.*
     Restricted External	This Connection Profile represents hosts that may send mail to any configured Hosted Domain. Messages are checked for spam.
     Restricted Internal	This Connection Profile represents hosts that may send mail to any configured Hosted Domain. Messages are not checked for spam.*
     Blocked	No messages are accepted from this Connection Profile. Note: Mail that is sent and received inside your Hosted Domain is not blocked, unless Spoof Detection is enabled. See Configuring spoof detection settings for more information.

     *Messages will be checked for spam if the spam checks on outbound messagesPolicy> SpamLogic Settings. Select the Spam Policy tab. You can "Perform spam checks on outbound messages". option in SpamLogic Settings is enabled.

  3. Click Save.
• Apply TLS settings to an Inbound Connection?

  1. Click the TLS Settings tab.

  2. Configure Inbound (When Acting as a Server).

  3. Edit the settings used when the Email Gateway receives inbound mail through TLS (when acting as a server).

     Show me

     Area	Setting	Description
     Default	Use Mandatory TLS for this connection profile	If enabled, the Email Gateway must establish a TLS connection that meets the requirements set. If TLS is not advertised, the connection is not established and no email is received. If TLS is advertised, but does not meet one of the requirements of the configured connection, no email is received.
     Encryption strength	Encryption should meet or exceed	Enter the minimum number of bits to use for encryption, in the range 40-256. This is in addition to the global cipher strength setting. Any incoming connection must meet both the global cipher strength and the number of bits criteria.
     Client certificate validation	Require valid client certificate	Select this option if you want the certificates of connecting clients and servers to validate successfully for the communication to continue. A successful validation requires a valid CA signing certificate to be present in the certificate store. If you enable this but don't want Common Name (CN) checking to be enabled, the Email Gateway does basic certificate checks, such as chain-of-trust and expiration.
     	CN of the certificate must match	The Common Name (CN) of the certificate must match what you enter in the text box. If you select this option but do not specify a CN, the host name of the client is used. You can use a wildcard (*) to match the CN to the host name but if the host name cannot be determined, a match is not attempted.
     	CN of the certificate issuer must match	The Common Name (CN) of the certificate issuer must match what you enter in the text box.

     Example: Wildcard matching

     The client certificate validation can be made to match the client host name or a specified value.

     If the host name from a reverse-lookup is host.domain.com, a match occurs if the CN is formatted as *.domain.com or *.host.domain.com. It does not match for simply domain.com.

     If validation of the CN should match a specified value, for example *.domain.com, a match occurs on values formatted as domain.com, *.domain.com, and sub.domain.com. It does not match abcdomain.com.

• Apply TLS settings to an Outbound Connection?

  1. Click the TLS Settings tab.

  2. Edit the settings used when the Email Gateway sends outbound mail through TLS (when acting as a client).

     Show me

     Area	Setting	Description
     Default	Use Mandatory TLS for this connection profile	If enabled, the Email Gateway must establish a TLS connection that meets the requirements set. If TLS is not advertised the connection is not established and no email is delivered. If TLS is advertised, but does not meet one of the requirements of the configured connection, no email is delivered.
     Supported protocols	TLS versions in use for this connection	Select the version(s) of TLS required for this connection or use the global settings.
     Encryption Strength	Minimum Cipher Strength	Select the encryption strength (high, medium, any) required for this connection, or use the global settings.
     Certificate Issuer Validation	Server certificate validation	Select the SAN/CN matching criteria. Subject Alternate Names (SANs) are checked first. You can also add a recipient domain to the SAN/CN field. If you select the option Validate the receiving server SAN/CN, you may encounter difficulties using a fixed IP address for routing. You need to either retrieve the host name of the server or use the DNS in order to avoid issues using this setting.

• Force the connection to require SMTP authentication?

  1. Click the Authentication tab.
  2. Edit the settings and select Enable SMTP Authentication on inbound connections.

  3. Enter the SMTP Authentication credentials required to complete the connection. Confirm your password.

  4. Click Save.

  When setting up the user name and password on a Connection Profile, be aware that the user names apply across all Connection Profiles and can, therefore, only be used once.

• Provide SMTP authentication credentials to outbound messages?

  You can apply SMTP authentication credentials to outgoing mail, provided you know the appropriate user name and password. See Specifying Routing of Email for more information.

See also...

• Specifying Routing of Email
• Specifying Hosted Domains
• Enable TLS communication
• Viewing SpamLogic Settings
• Apply the new configuration

© 1995–2018 Clearswift Ltd.