Hello Brad,
On 18.10.2022 at 15:04, Brad Stone <bvstone@xxxxxxxxx> wrote:
> I know people think email is simple, but it's not.
Yes and no. Allow me to expand on your valid claims: You *can* make email easy, but you can also make it overly complicated. From my European PoV, the main issue I observe in this group is "Big Company" IT staff trying to abuse "end user services" like Gmail, MSO365, Yahoo and the like for relaying purposes. These are meant to be used with an email application on an end user device and not a server!
Add this fact to the limited capabilities of the SMTP server within IBM i — primarily thought of as a database vehicle and not a proper mail server — to get an idea of why this combination is very likely to give you headaches.
I often see blue-eyed assumptions about simple SMTP without any twists about authentication and absolutely no anti-spam measures (such as DNS checks for forward/PTR consistency and the like) being active, which nowadays just isn't the case anymore.
This is where people usually start complaining that "it doesn't work", including some ignorance in complaining without checking the MSF journals for clues first (when using integrated IBM i SMTP support).
To me, this seems a typical case of not adhering to the five Ps: Proper preparation prevents poor performance. This covers a much larger area than just sending mail with IBM i.
In Germany, the larger the company, the less it's interested in hosting email externally. It's about having control where data assets reside. Seems to be very different in the US.
My proven-to-work recommendations: Get a static IP for internet access. Make sure forward/PTR DNS is consistent. Set up SPF in DNS properly. On this static IP address, a proper mail gateway should listen on port 25 for inbound mail, and send to the internet via DNS MX and A(AAA) records. (IBM i SMTP is *not* a proper mail gateway, nor is MS Exchange! And NAT especially is not a mail gateway at all! Use Linux with Postfix. The general availability of LPARs and VMs makes this a minor challenge to establish.) It shall not be multihomed (only one NIC, only one IP address, in a DMZ). Its HELO/EHLO configuration should match the DNS name for said IP address. Configure Let's Encrypt, or use a proper TLS certificate with the name being the same as PTR and HELO (or a wildcard). The envelope of outbound mail (the MAIL FROM statement in SMTP) MUST be sent with a domain name that is referenced in external DNS either by A(AAA) or MX records; this is the duty of the internal server.
Subdomains/hostnames work perfectly if properly configured in public-facing DNS.
Configure relaying from internal machines either by SMTP AUTH or just by source IP address on that gateway. Direct internal machines (including those running IBM i) to send mail to this gateway. Set up SMTP routes, or internal DNS for the mail gateway with MX records, so inbound mail to the gateway can be successfully directed to the originating internal system.
Most often, this gateway is (supposed to be) also doing anti-spam and anti-malware checking. So it's needed anyway. Establish a list of valid "internal" addresses on this mail gateway so as not to become a victim of backscatter attacks.
I have successfully cleaned up several companies' mail flow over many years and now see it as best practice, because it eventually solved each and every "mail doesn't get through" problem once and for all.
Btw., the gateway doesn't need to be on premises. Its only requirement is that it must be reachable from internal and external ("internet") networks and is able to see the difference whether TCP connections come from internal or external networks.
:wq! PoC
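As an added example that is not part of the original post, here is a Postfix main.cf fragment that implements the gateway described above (single address, HELO matching PTR, TLS, relaying by source IP or SMTP AUTH, inbound routing to internal systems, and a recipient list against backscatter). All hostnames, IP addresses, domains and file paths are constructed placeholders, and the SASL backend is assumed to be configured separately.

```conf
# /etc/postfix/main.cf (fragment) -- constructed example, not a real site's config.
# DNS side (set in public DNS, not here), constructed values:
#   mailgw.example.com.  A    192.0.2.10
#   10.2.0.192.in-addr.arpa.  PTR  mailgw.example.com.
#   example.com.         TXT  "v=spf1 ip4:192.0.2.10 -all"

# HELO/EHLO name: must equal the PTR of the gateway's single public IP.
myhostname = mailgw.example.com
mydomain = example.com
myorigin = $mydomain

# One NIC, one address: listen only on the DMZ address.
inet_interfaces = 192.0.2.10
inet_protocols = ipv4

# TLS certificate whose name matches PTR and HELO (Let's Encrypt paths as placeholders).
smtpd_tls_cert_file = /etc/letsencrypt/live/mailgw.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mailgw.example.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level  = may

# Relaying only for internal networks (source IP) or authenticated clients (SMTP AUTH);
# everything else may only be delivered to domains we are responsible for.
mynetworks = 127.0.0.0/8, 10.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Outbound: deliver to the internet directly via DNS MX / A lookups (no smarthost).
relayhost =

# Inbound: accept mail for the internal domains and route it to the originating systems.
relay_domains = example.com, ibmi.example.com
transport_maps = hash:/etc/postfix/transport
# /etc/postfix/transport (constructed), then run "postmap /etc/postfix/transport":
#   example.com        smtp:[mail.internal.example.com]
#   ibmi.example.com   smtp:[ibmi.internal.example.com]

# List of valid internal addresses: unknown recipients are rejected at RCPT TO instead
# of being accepted and bounced later, which is what turns the gateway into a backscatter source.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# /etc/postfix/relay_recipients (constructed), then run "postmap /etc/postfix/relay_recipients":
#   alice@example.com         OK
#   orders@ibmi.example.com   OK

# Basic sanity checks on external senders (internal machines are exempted via permit_mynetworks).
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain
```

Run "postfix check" after editing to catch syntax errors before reloading.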