How can I set up external mail relay?

[coolemail]

I have a client for whom we provide broadband. Their domain is NOT hosted with us yet. They have a Small Business Server on site and they are asking for SMTP server details for their outgoing emails. We do not want to use the DSL provider's one as it not very white label. But with Plesk 10, surely we can set up our own relay to give to the client.

We have Plesk 10, and smtp authorization is required under Relay options.

So their domain is client1.com. Our domain is hostname.com. We wish to allow their outgoing mail to go through our mail server.

I would like to create smtp.hostname.com and then give them a username/password that will allow the outgoing mail to be sent.

It would seem sensible to create smtp.hostname.com as a sub-domain or DNS record. Then I would want to create allow their outgoing mail to be relayed.

Questions:
How do I do the above?
Would they fail on SPF records for their own domain then?

I'm sure that there must be an easier way to achieve this and hope that someone can help.

EDIT: Not sure if this helps, but could it be linked to smtproutes - http://kb.parallels.com/1242. Not sure how/why/when we added something to that with just some IP addresses:

[root@plesk3 ~]# cat /var/qmail/control/smtproutes
client2.co.uk:111.222.333.444
client3.co.uk:222.333.444.555

and if we used that, what settings would we give the client?

[faris]

You may be confusing incoming and outgoing relaying

the /var/qmail/smtproutes settings are used to tell your qmail server to forward any email received for domain X to IP address Y rather than store it locally (unless IP address Y is down, in which case it will store locally until it comes up).

To allow your customer to use your hosting server to send email, the method you use will depend on your requirements. By whitelisting their IP in the appropriate place in Plesk (same place as 127.0.0.1 is whitelisted), no authentication will be required, end of story.

If you do want authentication, then they will need to use a username and password. To keep it whitelabel, you'd probably want to set up a full hosting account in order to be able to give them a username of them@smtp.hostname.com but equally you could always just create them@hostname.com -- why bother with the smtp? In either case, set the mailbox size to 0, or disable the mailbox, so that incoming mail gets rejected.

With SPF, just make sure the IP of your server gets added to the appropriate record.
Note that if their IP is balcklisted (e.g. marked as a dyndns or just generally blacklisted due to it belongong to an ISP), your server may mark their outgoing messages with a spam tag, or may reject completely if they are on a blacklist used by your server for incoming email. Use port 587 with authentication and no blacklisting to get around most of this. You may need to add some spamassassin rules to whitelist, or at least add a minus score, so email sent from their domain (fake-able) or IP address.

I hope this helps -- sorry for lack of detail.

[coolemail]

Thanks as ever faris,

The detail and explanation on what I was unclear on is most appreciated.

Simply whitelisting the IP address of where the mail server is is working perfectly, and exactly what we wanted to achieve, so THANK YOU. For anyone else wanting to do it on Plesk 10, this is under Settings > Mail Server Settings > White List.

So client has been given broadband and has a static IP address. Their domain is not hosted by us. By whitelisting their IP address, any email eminating from their mail server will be authenticated and sent. Risk is that if they get an infected machine which then sends Spam, that would go from our server, but we could then easily remove the IP address. And work now on hosting their domain, naturally, as they could do authentication without having to revert to the ISP to do it!

[faris]

We will shortly be adding a contractual item with a set fine of $XXX plus $YYY per hour which will apply to any customer authorised to use our smtp servers who allows their systems to get infected and send bulk email of any sort.

The bottom line is that we go to great lengths to secure our servers, prevent spam, etc etc, and customers who pay us for smtp services expect them to be first class. if another customer then causes problems, e.g. by causing one or more of our IPs to get blacklisted, they will have to pay the penalty for the time and effort that it will take us to resolve the problem.

[scott]

As a backup security control you could implement qmail-scanner which can scan outbound messages for spam & malware

[coolemail]

Thank you faris and Scott,

Great idea about charging policy, Scott and we will likely do the same - thanks for the suggestion.

Scott,
We have qmail-scanner on the server anyway. In fact, we have spamassassin (I think from your repository and no longer the Plesk-shipped version, but is there a way to confirm that?)
We did install spamdyke as well which worked well but then something happened a few months ago which resolved itself when we removed spamdyke. We have not been brave enough to re-install it. And as result we have more Spam getting into the server than we would like. What is the suggested best-practice combination to rid ourselves of all Spam? Maybe that should be a separate new thread?

[scott]

Yeah a new spam research thread would probably be a good start. I honestly havent stayed on top of newer methods in anti-spam for a while now. I'm pretty happy with what Im using now, but that doesn't mean that we should stop looking for new tools & methods.