Overview
A Perimeter SMTP Server is the first email server that receives emails from the internet. If the MailEssentials server is NOT the first SMTP server that receives the email from the internet (i.e. the MX Record is NOT pointing to the machine where MailEssentials is installed), one or more Perimeter SMTP Servers have to be entered in the MailEssentials configuration.
If the Perimeter SMTP Servers are not correctly entered the checks performed by the DNS dependent modules might fail including IP DNS Blocklist, Sender Policy Framework (SPF), IP Whitelist, IP Blocklist and Spamrazer.
When Perimeter Servers are enabled and configured in MailEssentials, the modules specified above will check the IP addresses in the Received lines. If the IP address is found in the Perimeter servers, the IP address in the next Received line is checked. This process continues until the first IP address which is not part of the Perimeter servers is found.
Solution
GFI MailEssentials makes use of perimeter servers to identify which external server sent the email to the local email server. The IP address of the external server is then used by SpamRazer (including SPF), IP DNS Blocklist and IP Whitelist.
Perimeter servers should be configured depending on the type of network setup. Listed below are three common scenarios present in most networks:
GFI MailEssentials is the Only Perimeter Server
In this scenario, the mail server where GFI MailEssentials is installed acts as the only perimeter server. The perimeter servers do not need to be configured since GFI MailEssentials verifies the IP address by default.
Gateway Perimeter
In this scenario:
- The email received from external servers is first received in an email gateway and then forwarded to the local mail server, where GFI MailEssentials is installed.
- GFI MailEssentials must have the IP address of the email gateway configured in the perimeter servers list.
- If no perimeter servers are configured in GFI MailEssentials, it would consider the IP address of the email gateway as the perimeter server.
- This makes it incapable of identifying the IP addresses of the external servers, which may potentially be sending spam email.
Two Perimeter Servers
In this scenario, there are two perimeter servers receiving email from external servers:
- Email Gateway 1: Forwards all email to Email Gateway 2 without sending an email directly to the local mail server.
- Email Gateway 2: Sends all received email, both from the internet and from Email Gateway 1, directly to the local mail server where GFI MailEssentials is installed.
Notes:
- GFI MailEssentials should have the IP address of both email gateways configured in the perimeter servers. The perimeter server is checked when processing an email by identifying the route back from the local mail server to the first external mail server IP address.
- If an email is routed through 'Email Gateway 1', GFI MailEssentials would identify the IP of the mail server which sent to 'Email Gateway 1', not the IP which sent to 'Email Gateway 2' (which would be 'Email Gateway 1').
Perimeter SMTP Server Settings
The perimeter servers are configured from the GFI MailEssentials > Anti-Spam > Anti-Spam Settings > Perimeter SMTP Servers tab when MailEssentials is installed on the same machine running Exchange, otherwise you access the configuration page by navigating to GFI MailEssentials > General Settings > Perimeter SMTP Servers.
- If GFI MailEssentials is installed on the only perimeter server, choose This is the only SMTP server which receives emails from the internet.
- If GFI MailEssentials is not installed on the perimeter server and receives email from other perimeter servers, choose The following SMTP servers receive email directly from the internet and forward them to this server and specify the IP addresses of the perimeter servers.
- If GFI MailEssentials is installed on a perimeter server, and the same server receives incoming emails from other mail servers, choose The following SMTP servers receive email directly from the internet and forward them to this server, and specify the IP addresses of the other mail servers in the list of perimeter servers.
- Alternatively, use the Detect button to resolve the MX records of the Inbound Email Domains configured in GFI MailEssentials. Normally, the MX records of these domains would be the perimeter servers for the domains.
Note:
Having no perimeter servers configured will cause adverse effects to the Anti-Spam modules which make use of the Perimeter server list. For example, the DNS Blacklist filter will not block any spam.