Solido Smtp Proxy - Administrator's Guide

Kasper J. Jeppesen
Software Developer, Solido Systems

This document is based on v5.0 build 51.d1.

Installation and Updates

The easiest way to install the solido smtp proxy is to use the jar-based installer. For more information about this, see the general installation documentation.

The jar-based installer can also be used to update the package if you kept the installed components in their default locations. Otherwise, you will have to upgrade your installation manually by downloading the latest solidoemail.jar and solidoutil.jar and placing them in the customized installation directory. The default location for these two files is /usr/loca/solido/smtpproxy/jar/

Configuration

There are two primary configuration files for the smtp proxy: proxy.config and proxymap.config. In the default installation, these are both located in /usr/local/solido/smtpproxy/etc/. If you installed the proxy using sudo, you will probably need sudo again to edit these documents.

Let's start out by looking at proxymap.config. This is the only configuration file you really need to edit before you start the proxy. The default contents of the file when you install the smtp proxy are as follows:

# ip:port > targethost:port

Any line that starts with # is regarded as a comment, so the file is basically empty. The proxymap file is the configuration file that you use to set up your proxy mappings—i.e., what sources it should listen for and where it should forward connections. Let's take a look at an example. Let's say you are running the smtp proxy on a server you have placed in your DMZ—somewhere less restricted than behind your firewall—and behind your firewall you have your actual mail server running on a separate machine. Let's assume that your proxy server has the IP 10.0.0.128 and that your email server the IP 10.0.0.129. In your proxymap configuration file you would write the following line to forward all connections received on port 25 to port 25 on your email server:

10.0.0.128:25 > 10.0.0.129:25

Easy, right? You can add as many maps from one IP to another in the proxymap configuration file as you wish, but remember that only one proxy binding can listen on any ip:port pair—i.e., you can listen to several IP's on the proxy server and have them proxy connections to the same backend email server, but you can't listen to the same ip:port pair more than once. You can, however, have more than one target server for each ip:port pair you are listening to. Let's imagine that you have two email servers behind your firewall: 10.0.0.129 and 10.0.0.130. Each of them is part of a the same little redundant email cluster, meaning that you can deliver emails to the same users on either server. The following configuration line in the proxymap configuration file will make the smtp proxy load balance between the two email servers:

10.0.0.128:25 > 10.0.0.129:25 , 10.0.0.130:25

If everything is operating normally, it will divide all connections between the two servers so that they each get about half the traffic. However, if one server stops responding, the proxy will start sending all connections to the other server without the clients ever noticing. Once the server comes back up, it will start dividing the load between them again. You can have as many target servers as you like for each entry.

Now lets move on to proxy.config. This is the general configuration file specifying how the smtp proxy should do its work. The following shows the default proxy.config configuration file:

connection-ident=Solido SMTP
connect-timeout=15
timeout=60
connections=64
threads=16
hostname=localhost
max-mail-size=64000000
use-spamfilter=false
spamfilter-ip=127.0.0.1
spamfilter-port=12788
tag-headers=true
tag-subject=false

The only option that you really should change here is the hostname. This should be set to the correct name for the server you are running the proxy on. For the best results, it is recommended that you also ensure that this is the correct reverse lookup name for the IP. If you have no idea what the name of your server is or what a reverse name is, then leave it as localhost for now.

Each of the configuration parameters is explained further in the following subsections.

Connection-Ident

This value is used as an identification string given to connecting clients to let them know what type of SMTP service they are connecting to. If you are very concerned about securing your setup, we recommend that you set this value to SMTP Service or something anonymous like that. This makes it nearly impossible for connecting clients to figure out what type of SMTP server they are communicating with, thus making it harder to look for known security exploits.

Connect-Timeout

This value must be an integer. It represents the timeout in seconds for opening new connections to your target server. Be aware that this is not the general timeout setting, but rather specifies the amount of time the proxy will wait for a connection to be opened.

Timeout

This is the general timeout setting for all connections. Any connection that has been idle for this amount of time in seconds will be closed, no matter what side of the connection we are waiting for. If you set this value too low, you might encounter problems if you receive connections from unusually slow clients or if your target server is slow to respond. On the other hand, if you set it too large, you will waste resources by having too many open connections that are left hanging by poorly written smtp clients.

Connections

This sets the maximum number of open connections at one time. If you set it too low, especially in combination with a high timeout, you risk having your proxy completely idle at times while it waits for idle connections to time out. On the other hand, if you set it too high, you risk overburdening your proxy and loosing performance by having too many simultaneous connections.

Threads

This sets the number of threads which are used to handle proxy connections. We have found that 8 connections per core seems to work well. If your machine is doing nothing but acting as a proxy for smtp connections, you might want to set it higher.

Hostname

This is the hostname the server will use to identify itself. It should match the actual hostname for the server. For best results, you should ensure that there is a correct reverse lookup setup for the server's IP.

Max-Mail-Size

The smtp proxy does not write anything to disk except for log files. This means that it needs to hold all emails in memory until the email has been transfered to the target server. You should choose a good maximum mail size—one that will not be too small for your user's expectations but also one that will not likely burden the proxy server when you consider the maximum amount of open connections allowed.

Use-Spamfilter

If you have installed the Solido spam filter and wish to filter the mail going through the proxy, set this value to true.

Spamfilter-Ip

The IP address of the solido spam filter. You only need to set this value if you have activated the spamfilter using the Use-Spamfilter configuration setting.

Spamfilter-Port

The port of the solido spam filter. You only need to set this value if you have activated the spamfilter using the Use-Spamfilter configuration setting.

Tag-Headers

Setting this to true will tag spam mails in a set of x headers if the spamfilter is activated.

Tag-Subject

Setting this to true will tag spam mails with [SPAM] in their subject if the spamfilter is activated.

Record-Folder

If you specify a record folder, the proxy will create a file for each connection received. The file will contain data which can later be played back using the proxyreplay tool. The record folder value must be an existing, writable folder.

Sink-Mode

You activate sink mode by setting it to true. This will make the proxy stop forwarding connections to the specified target servers. Instead, everything delivered by incoming connections will be accepted as long as it's valid SMTP. You typically use this mode to simulate target servers in a test setup.

Log-Mode

You can set log-mode to either full or compact. In full you will get a step by step logging of all smtp sessions, in compact you will only get senders, recipients, data transfered and mails successfully delivered.

Degrade-Bad-Rcpt

If you turn this setting on, the proxy will idle longer and longer between responses for each bad recipient given. This will make it difficult for spambots to harvest email addresses. Be aware that connections which are held in their idle state due to degrade-bad-rcpt still count towards the number of open connections set by the connections parameter. If you choose to use this feature, you should make sure that you set your connection limit high enough to compensate.

Dns-Block-List

This setting allows you to specify a comma separated list of DNS based black lists. Any connection who's Ip is listed in these lists will be closed immediately. These DNS lists should be set up as a traditional RBL list.

Allow-List

This setting allows you to specify a comma separated list of IP's who are allowed to connect to this proxy. If you do not use the allow setting, all connections are by default allowed to connect, unless they are listed in a block list configured for the proxy. If you do specify an allow list, all IP's must be listed in this list to be allowed to connect.

Block-List

This setting allows you to specify a comma separated list of IP's who are not allowed to connect to this proxy. Any IP in this list will not be allowed to connect, even if it is also specified in the allow list.

Allow-File

This setting has the same meaning as the allow list, but instead of specifying the IP's directly, you specify the full path to a text file which contains the IP's you wish to allow. The text file must contain nothing but IP addresses, with each IP on a line by itself.

Block-File

This setting has the same meaning as the block list, but instead of specifying the IP's directly, you specify the full path to a text file which contains the IP's you wish to block. The text file must contain nothing but IP addresses, with each IP on a line by itself.

Refuse-Spam

Setting this to true will cause the proxy to reject all mail data which the filter deems spam.

Block-Threshold

Setting this to any other value than -1 will cause the proxy to reject all mail data which the filter rates as spam above the given threshold. Setting this value to 0.98 or larger can give you a vastly reduced mailflow with very few false positives. Emails that have a lower spam rating will still be send through with an x-header specifying their rating.

Use-Clamav

Setting this to true will cause the proxy to scan all maildata through clamav. Clam must be listening on a tcp socket.

Clamav-ip

The ip for the clam daemon.

Clamav-port

The port for the clam daemon.

Refuse-vira

Setting this to false will make the proxy insert x headers with the clam results rather than block these emails. The default value for this is false.

Grey-List

Setting this to true will activate grey listing. Use grey-list-data to specify how grey listing is handled.

Grey-List-Data

This setting specifies which values are used for grey listing. Valid settings are: FromTo, IpTo, FromIpTo, DomainIpTo, DomainTo.

Grey-List-Cluster

If you are using grey listing and running more than one proxy, you should set this to a comma separated list of the ip's of all machines in your proxy cluster. This will make them share their grey list data.

Rate limiting

These preferences can be used to limit the rate of spam, virus, connections in general or mails to or from specific addresses. Each rate limiter is configured with an interval in minutes and the threshold for what will be allowed within that interval.

Rate-Limit-Spam

Sets the limit for the number of spam emails that will be accepted before connections from the given ip is blocked. Set to -1 to turn off rate limiting on spam.