Mail Delivery
General
You can set up general SMTP-related limits on users' login and inbound/outbound mail delivery.
- Go to Mail Delivery > General.
- Select Enable SMTP authentication. When connecting to Synology MailPlus Server via SMTP, clients will have to provide user credentials for login.
Two more authentication options are available:
- Skip authentication for local network connections from terminal: Without login credentials, clients in Synology MailPlus Server's local network can directly receive and send emails using a terminal.
- Check if the sender's email addresses belong to the login accounts: When sending emails, the logged-in user has to use a sender's email address that belongs to the login account.
- Prohibit plaintext authentication over unencrypted connection: Plaintext authentication is risky because the credentials might be exposed, especially on an insecure connection. Tick the checkbox to disallow plaintext authentication methods on an insecure connection.
- Set up an SMTP profile for Synology MailPlus Server:
- Hostname (FQDN): Specify the hostname of Synology MailPlus Server in FQDN format. Make sure that the hostname matches the IP address in the DNS server.
- SMTP banner: Specify the text that will show up on an SMTP client's Telnet terminal.
- Max recipients per message: Set the maximum number of recipients in an inbound/outbound message. A message exceeding the limit will be rejected.
- Max message hops: Set the maximum number of hops (i.e., mail relays) made by an inbound/outbound message. A message exceeding the limit will be rejected.
- Maximum size per email (MB): Set the maximum size of an inbound/outbound message. A message exceeding the limit will be rejected.
- Click the External Postmaster button and then the plus icon to add email addresses for external postmasters. An external postmaster receives system emails that other mail servers send to the Mailer-daemon and Postmaster aliases.
- Click Apply to save the settings.
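To confirm that the Prohibit plaintext authentication over unencrypted connection option took effect, compare the server's EHLO reply before and after STARTTLS. The following is an added example, not Synology code: it assumes a server enforcing the option does not advertise PLAIN or LOGIN before TLS, and the replies and the hostname mail.example.com are constructed samples.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password merely base64-encoded

def parse_ehlo(reply):
    """Map each EHLO keyword to the set of its parameters."""
    caps = {}
    for line in reply.splitlines()[1:]:  # line 0 is the server's greeting
        m = re.match(r"250[- ](\S.*)$", line.strip())
        if not m:
            continue
        # Fold the legacy "AUTH=PLAIN LOGIN" form into "AUTH PLAIN LOGIN".
        words = m.group(1).upper().replace("AUTH=", "AUTH ").split()
        caps.setdefault(words[0], set()).update(words[1:])
    return caps

def audit(before_tls, after_tls):
    """Return findings for one server, given its EHLO reply before and after STARTTLS."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    exposed = sorted(pre.get("AUTH", set()) & PLAINTEXT_MECHS)
    if exposed:
        findings.append("plaintext AUTH offered before TLS: " + ", ".join(exposed))
    if "AUTH" not in post:
        findings.append("AUTH not offered after STARTTLS")
    return findings

# Constructed sample replies (mail.example.com is a placeholder hostname).
COMMON = "250-PIPELINING\n250-SIZE 10485760\n"
WEAK_BEFORE = ("250-mail.example.com\n" + COMMON +
               "250-STARTTLS\n250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 8BITMIME")
HARDENED_BEFORE = "250-mail.example.com\n" + COMMON + "250-STARTTLS\n250 8BITMIME"
AFTER_TLS = "250-mail.example.com\n" + COMMON + "250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    for name, before in (("weak", WEAK_BEFORE), ("hardened", HARDENED_BEFORE)):
        print(name, audit(before, AFTER_TLS) or "ok")
```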
Delivery
Synology MailPlus Server can send emails through other mail servers, so that it is not itself exposed to the Internet and to possible attacks.
To set up a general delivery rule:
You can set up a common rule for email delivery flow. Emails can be sent either directly from your Synology MailPlus Server or through a single relay host.
- Go to Mail Delivery > Delivery > Relay Settings.
- Select a rule type:
- Send emails directly from this server: All emails will be sent by Synology MailPlus Server directly.
- All mails are sent through a single relay host: All emails will be relayed through a designated relay host. Specify all of the following settings of the designated relay host:
- Server: Specify the IP address or hostname of a relay server for Synology MailPlus Server.
- Port: Specify the port of the relay server to receive emails from Synology MailPlus Server.
- Always use a secure connection (STARTTLS): Enable this option to relay emails through a STARTTLS-protected connection.
- Authentication required: When the relay server requires a login, enable this option and enter your relay server username and password.
- Click Apply to save the settings.
To set up specific delivery rules:
You can set up dedicated rules for specific email addresses or domains. When an email fits a rule, it will be sent through the designated relay server.
- Go to Mail Delivery > Delivery > Relay Exceptions.
- Click Relay Host List.
- Specify rule type:
- Recipient Rule: Emails sent to specific email addresses or domains will be sent through a designated relay server.
- Sender Rule: Emails sent from specific email addresses or domains will be sent through a designated relay server.
- Click Create.
- Enter the rule name and configure all the settings of the designated relay host. Select the target type and specify the targets in Recipient List or Sender List.
Relay Control
Synology MailPlus Server can send or receive emails for other mail servers.
To relay outbound mails for other mail servers:
- Go to Mail Delivery > Relay Control. In the Relay Outbound Mails section, click Trusted List.
- Click Create.
- Enter a rule name and specify the IP address or subnet mask of other mail servers.
- Click OK to save the settings.
To relay inbound mails for other mail servers:
Please set up a DNS record first and go to Domain List to add the mail server. Please refer to the following steps:
- Set up an external DNS server for Synology MailPlus Server.
- Enter your domain name in the MX record on the external DNS server and enter the IP address of Synology MailPlus Server in the A record. In this way, other mail servers will be able to send emails to MailPlus Server based on these DNS records.
- Set up an internal DNS server for Synology MailPlus Server to find your main mail server.
- Enter your domain name in the MX record on the internal DNS server and enter the IP address of the domain in the A record. The priority of the DNS records on the internal DNS server must be higher than that on the external DNS server.
- Go to DSM > Control Panel > Network > General. Tick the Manually configure DNS server checkbox, enter the IP address of the internal DNS server in the Preferred DNS Server field, and enter the IP address of the external DNS server in the Alternative DNS Server field to make sure the internal and external connections of Synology MailPlus Server can work properly. After Synology MailPlus Server receives emails, it will check the MX records of the two DNS servers and send emails to the mail server with a higher priority.
Note: The Alternative DNS Server field is not available when the domain server type is AD domain or LDAP.
- Launch Synology MailPlus Server and go to Mail Delivery > Relay Control. In the Relay Inbound Mails section, click Domain List.
- Click Create.
- Enter the rule name and domain.
- Click OK to save the settings.
Note:
- If you tick the Check if the senders' email addresses belong to the login accounts checkbox in the General tab, emails from Trusted List might be rejected by Synology MailPlus Server. You can go to the General tab, and tick the Skip the check for sender's email address to see if it belongs to the login account for emails sent from trusted networks checkbox to skip the check. If you tick the Skip authentication for local network connections from terminal checkbox in the General section, emails from local networks will not be blocked by Synology MailPlus Server.
- For more information on how to set up a DNS record, please refer to Synology MailPlus Server Administrator's Guide.
Security
To create blacklist and whitelist:
With the blacklist and whitelist, the system will reject, discard, or allow certain messages based on various criteria.
- Go to Mail Delivery > Security > Blacklist and Whitelist.
- Click Blacklist & Whitelist.
- Select either rule type:
- Blacklist: Set rules to reject/discard matching email messages.
- Whitelist: Set rules to allow matching email messages.
- Click Create.
- Name the rule and specify its criteria:
- Sender: Specify a sender address (e.g., 123@abc.com).
- Recipient: Specify a recipient address (e.g., 456@abc.com).
- IP: Specify a sender IP address (e.g., 192.163.1.1).
- IP/subnet mask: Specify a sender IP address and its subnet mask (e.g., 192.163.1.1/255.100.10.1).
- Domain (for whitelist rules): Specify a sender domain (e.g., abc.com).
- Do this (for blacklist rules): Select the action against a matching message:
- Discard it: Abandon a matching message without informing the sender.
- Reject it: Ban a matching message from passing through Synology MailPlus Server.
- Click OK to save the rule.
Note:
- Emails matching any whitelist rule might be blocked if they do not pass other security tests (e.g., DNSBL, antivirus scans, and DKIM). The table below shows the security tests that will be skipped based on different whitelist settings. You can adjust settings according to this table to ensure important messages can be received.
- To always allow matching emails to pass through, whitelist rules should be created based on IP addresses. Matching emails will not be blocked by other kinds of rules like DKIM.
Whitelist setting | DNSBL | SPF | Antivirus Scan | DKIM | DMARC |
---|---|---|---|---|---|
IP | ✔ | ✔ | ✔ | ✔ | ✔ |
IP/subnet mask | ✔ | ✔ | ✔ | ✔ | |
Sender | ✔ | ✔ | | | |
Recipient | ✔ | ✔ | | | |
Domain | ✔ | ✔ | ✔ | ✔ | |
To create sender policies:
You can set policies to block emails from senders from unidentifiable domains.
- Go to Mail Delivery > Security > Sender Policy.
- Enable the following options to suit your needs:
- Reject senders without fully qualified domain name (FQDN): Bounce emails when senders are from a domain without an FQDN.
- Reject senders using unknown domains: Bounce emails when intended recipients are not existing Synology MailPlus Server users and when the sender domain does not have a valid DNS entry.
- Click Apply to save the settings.
To create connection policies:
You can set policies to block client hosts that cannot be identified or may cause Synology MailPlus Server to overload.
- Go to Mail Delivery > Security > Connection Policy.
- Enable the following options to suit your needs:
- Reject unknown client hostnames: Block client connections from a host without an analyzable IP or hostname.
- Keeping more concurrent connections than the limit: Set the maximum number of concurrent connections from a client host. When the limit is reached, extra connections will be blocked.
- Sending more messages than the limit in one minute: Set the maximum number of outbound messages sent from a client host in one minute. When the limit is reached, the client host will be blocked until the next minute.
- Building more connections than the limit in one minute: Set the maximum number of connections built by a client host in one minute. When the limit is reached, the client host will be blocked until the next minute.
- Click Apply to save the settings.
To create advanced security rules:
- Go to Mail Delivery > Security > Advanced.
- Enable the following options to suit your needs:
- Reject unauthorized pipelining requests: Block client connections that keep sending SMTP commands to avoid system overload.
- Reject HELO hostnames without fully qualified domain name (FQDN): Reject connections from hosts that send a HELO/EHLO command and do not have an FQDN hostname.
- Reject unknown HELO hostnames: Reject connections from hosts that send a HELO/EHLO command and do not have a valid DNS entry.
- Block any IP emailing more non-existent accounts than the limit: Set the maximum number of non-existent Synology MailPlus Server accounts that an IP can send emails to. When the limit is reached, the IP will be blocked until the next day.
- Max junk commands per session: Set the maximum number of junk commands (i.e., noop, vrfy, etrn, and rset) that a client connection can send before sending emails. Every 10 junk commands will cause a one-second delay on mail delivery.
- Click Apply to save the settings.
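To choose a sensible value for Block any IP emailing more non-existent accounts than the limit, it helps to see which client IPs would have crossed a given limit in existing mail logs. The following is an added example, not Synology code: it assumes Postfix-style rejection lines, counts distinct unknown recipients per IP per day, and runs on constructed log lines.

```python
import re
from collections import defaultdict

# Postfix-style rejection of an unknown local recipient (assumed log format).
REJECT = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ \S+ NOQUEUE: reject: RCPT from "
    r"\S*\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: .*User unknown"
)

def blocked_ips(lines, limit):
    """Return {(day, ip): unknown recipients} for IPs exceeding the daily limit."""
    seen = defaultdict(set)
    for line in lines:
        m = REJECT.match(line)
        if m:
            day = " ".join(m["day"].split())  # "Mar  3" -> "Mar 3"
            # A set counts each non-existent account once, however often it is retried.
            seen[(day, m["ip"])].add(m["rcpt"].lower())
    return {key: sorted(rcpts) for key, rcpts in seen.items() if len(rcpts) > limit}

def _line(day, ip, rcpt):
    """Build one constructed log line in the assumed format."""
    return (f"{day} 09:14:02 mailplus postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            "User unknown in local recipient table")

# Constructed sample: one address-guessing client, one sender with a typo.
SAMPLE_LOG = [
    _line("Mar  3", "203.0.113.7", "admin@example.com"),
    _line("Mar  3", "203.0.113.7", "info@example.com"),
    _line("Mar  3", "203.0.113.7", "INFO@example.com"),    # retry, same account
    _line("Mar  3", "203.0.113.7", "sales@example.com"),
    _line("Mar  3", "203.0.113.7", "test@example.com"),
    _line("Mar  3", "198.51.100.20", "jon.doe@example.com"),
    _line("Mar  4", "203.0.113.7", "root@example.com"),    # new day, counter starts over
    "Mar  3 09:15:10 mailplus postfix/smtpd[2101]: connect from unknown[203.0.113.7]",
]

if __name__ == "__main__":
    for (day, ip), rcpts in blocked_ips(SAMPLE_LOG, limit=3).items():
        print(f"{day} {ip}: {len(rcpts)} non-existent accounts -> {', '.join(rcpts)}")
```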