Locally hosted email servers send email to a hosted email service or directly to the Internet. Sometimes emails aren't delivered, or occasionally bounce back with an error. This article explains Cato best practices for SMTP traffic and troubleshooting steps.
Best Practices for Local SMTP Servers
Internet Firewall Allows SMTP
We recommend that you configure the Internet firewall to allow SMTP traffic. For more information, see How to allow SMB/SMTP outbound traffic (or any other service).
Egress Rule for SMTP
Allocate an IP address from Cato’s IP pool and configure an egress rule for the SMTP traffic. We recommend this configuration because it limits who can send email traffic from your assigned IP addresses, which ensures that these addresses are not blacklisted.
Troubleshooting Local SMTP Servers
These are some suggestions to help troubleshoot issues related to email delivery with internal email servers.
Reviewing Email Logs for Blacklisting of the Cato IPs
If your email is not being delivered, you need to determine why the email is getting blocked. The log messages for emails can indicate the reason for the email failure. In some instances, the failure can be caused by an online service blacklisting the Cato IP range (for example, Spamhaus).
- To confirm the blacklisting by an online service, visit the specific website and check if the Cato IP address is listed there.
- If the Cato egress IP address is listed on any of the blacklists, you can ask the service to remove the IP address. Most websites, like Spamhaus, have a simple online form that you can submit to have the IP address removed.
Verifying DNS PTR Record
Verify that the egress IP address for the SMTP traffic has a DNS PTR record (reverse DNS) associated with it. If the egress IP address does not have a DNS PTR record, contact Cato Support.
Verifying SPF Records
Verify whether any SPF records exist for the email domain. An SPF record advertises which IP addresses are allowed to send email for a given domain. Other SMTP servers can reference the record, and if they receive traffic from an IP address that is not on that list, they might reject the email.
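
The three checks above (blacklist listing, PTR record, SPF record) can be prepared offline for a given egress IP address. The following is an added example, not Cato code: it builds the DNS names to query for the PTR and blocklist checks and evaluates the ip4/ip6/all terms of an SPF record against the egress IP. The IP address, SPF record and domain names are constructed sample values, and zen.spamhaus.org is used only as an example blocklist zone.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample values (documentation ranges and .example names).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"
EGRESS_IP = "203.0.113.25"

def ptr_name(ip):
    """DNS name whose PTR record is the reverse DNS entry for ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def dnsbl_name(ip, zone):
    """DNS name to look up in a blocklist zone (IPv4 only in this sketch)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def spf_check(record, ip):
    """Evaluate ip4/ip6/all terms left to right, first match wins.

    Returns (result, needs_dns). needs_dns lists terms seen before the
    deciding one that require DNS lookups (include, a, mx, exists, ptr,
    redirect); if it is non-empty the result is provisional.
    """
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    needs_dns = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier], needs_dns
        elif name.lower() == "all":
            return QUALIFIERS[qualifier], needs_dns
        else:
            needs_dns.append(term)
    return "neutral", needs_dns  # no mechanism matched

if __name__ == "__main__":
    print("PTR lookup:  ", ptr_name(EGRESS_IP))
    print("DNSBL lookup:", dnsbl_name(EGRESS_IP, "zen.spamhaus.org"))
    print("SPF result:  ", spf_check(SAMPLE_SPF, EGRESS_IP))
```

Look up the first name with a PTR query and the second with an A query; an NXDOMAIN answer for the blocklist name means the address is not listed in that zone.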