How do we setup the mail relay when we have clients located externally that need to send SMTP mail through the internal mail server?

Article #: Product Castle


Options for setting the mail relay for externally related clients needing to send SMTP mail through an internal mail server.


The mail relay system is designed to filter incoming SMTP feeds and outgoing SMTP and POP3 traffic. The relay was not designed to allow external clients to send mail through it as if it was a mail server.


The only way that the relay can determine if a client is allowed to send mail through it is by looking at the IP list in the outgoing section of the email configuration (Email > SMTP > Outgoing).

The addresses entered here will normally be the IP of the internal mail server (as all internal clients are sending mails via the internal server) or, in the case of using an external SMTP server for the clients, the whole LAN subnet.

There are three cases of external clients or senders:

Client is sending from a known IP address

There are no problems as the client IP address can be entered in the outgoing section, allowing the sending of mail through the relay from the client IP.

Client is sending from a known subnet

The entire subnet could be put into the outgoing section - be careful of using that option as all IP addresses within the subnet will be allowed to relay mail.

Client is sending from an unknown IP or subnet

In this case there is a problem; if we do not know where the client is coming from, the only way to allow them to send mail through is to allow all IP addresses access to relay mail through by entering as an allowed subnet. This is not desirable as it would effectively configure the email relay to be open, allowing anyone could use to send emails through.

There are two possible options that will allow external clients from unknown IP addresses to send SMTP Mails via the INTERNAL mail server:

  • Use another port than 25 — As all incoming mails sent to port 25 are sent through the relay, using another port than 25 will circumvent this. Forward the port to the internal mail server on port 25.
  • Use another IP addresses — Use an external alias or an additional external connection on the Smoothwall firewall, and configure the clients to use this address as the SMTP server. Forward the TCP port 25 from the external IP to the internal mail server. Note that this requires a direct port forward to the internal mail server. Make sure the mail server authenticates users or has other checks in place to avoid turning the mail server into an open relay.


Last updated: Author: Contributions by:
07 September 2016   Tanja