What firewall ports do I need to open for PerfectMail?
Posted by David Rutherford on 22 November 2012 04:05 PM

Port 25 (SMTP) traffic from the Internet needs to be forwarded to your PerfectMail product.

It is best to create a one-to-one NAT mapping for port 25 between your Internet-facing IP address and your PerfectMail product. Problems can arise when the incoming SMTP IP address and the outgoing SMTP IP address do not match: in this situation incoming SMTP traffic is properly forwarded, but outgoing SMTP traffic leaves from an unexpected address (usually the firewall's default outgoing IP address is used).

When sending e-mail to the Internet, remote anti-spam servers will verify the domain name, hostname and reverse address of the sending IP address against your DNS records. Often the DNS records are not configured to support the default outbound IP address.

Anti-spam servers will compare the name reported by the server itself (i.e. the hostname), the address record (A record) from DNS and the reverse DNS record (PTR record). Anti-spam servers will score and possibly even reject messages for discrepancies between these records. This is further complicated by firewall port forwarding issues. The best arrangement is a one-to-one NAT for your e-mail, so both incoming and outgoing mail use the same IP address. Failing that, the names should all match up on the outgoing side.
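As an added example (not PerfectMail code), the following Python script performs the three-way comparison described above: it resolves the sender's reported hostname to its A record, looks up the PTR record of the address the mail actually came from, and checks that the PTR name resolves back to that address. FORWARD and REVERSE are a constructed in-memory stand-in for DNS with hypothetical names and RFC 5737 test addresses so the check runs offline; lookup_a and lookup_ptr are the only places a real resolver (for example socket.gethostbyname and socket.gethostbyaddr) would plug in. The second scenario shows what a receiving server sees when outgoing mail leaves via the firewall's default address instead of the one-to-one NAT address.

```python
"""Three-way sender check: reported hostname vs. A record vs. PTR record.

Added example, not PerfectMail code. FORWARD and REVERSE are a constructed,
in-memory stand-in for DNS (hypothetical names, RFC 5737 addresses) so the
check runs offline; lookup_a/lookup_ptr are where a real resolver would plug in
(e.g. socket.gethostbyname / socket.gethostbyaddr).
"""
from dataclasses import dataclass

FORWARD = {  # hostname -> A record (constructed)
    "mail.example.com": "198.51.100.25",
    "gw.example.com": "198.51.100.1",
}
REVERSE = {  # IP address -> PTR record (constructed)
    "198.51.100.25": "mail.example.com",  # the one-to-one NAT address
    "198.51.100.1": "gw.example.com",     # the firewall's default outbound address
}


def lookup_a(name):
    return FORWARD.get(name.lower().rstrip("."))


def lookup_ptr(ip):
    return REVERSE.get(ip)


@dataclass(frozen=True)
class Finding:
    severity: str   # "reject" or "score"
    message: str


def check_sender(helo_name, source_ip):
    """Compare the name the server reports (HELO), its A record and the PTR
    record of the address it actually connects from. An empty list means all
    three agree, which is what receiving anti-spam servers expect."""
    findings = []
    helo = helo_name.lower().rstrip(".")
    a_record = lookup_a(helo)
    if a_record is None:
        findings.append(Finding("reject", f"HELO name {helo} has no A record"))
    elif a_record != source_ip:
        findings.append(Finding("score", f"{helo} resolves to {a_record} but mail arrived from {source_ip}"))

    ptr = lookup_ptr(source_ip)
    if ptr is None:
        findings.append(Finding("score", f"no PTR record for {source_ip}"))
    elif ptr.lower() != helo:
        findings.append(Finding("score", f"PTR for {source_ip} is {ptr}, not {helo}"))
    elif lookup_a(ptr) != source_ip:
        findings.append(Finding("score", f"PTR name {ptr} does not resolve back to {source_ip}"))
    return findings


def verdict(findings):
    """Collapse findings to the outcome a receiving server would apply."""
    if any(f.severity == "reject" for f in findings):
        return "reject"
    return "score" if findings else "accept"


if __name__ == "__main__":
    scenarios = {
        "one-to-one NAT, records aligned": ("mail.example.com", "198.51.100.25"),
        "mail leaves via firewall default address": ("mail.example.com", "198.51.100.1"),
        "hostname with no DNS entry": ("mx.example.com", "198.51.100.25"),
    }
    for label, (helo, ip) in scenarios.items():
        found = check_sender(helo, ip)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```

The "reject" versus "score" split mirrors the article's wording: a hostname with no A record is treated as a hard failure, while a mismatch between the records is scored. Real receivers weight these differently, so treat the severities as illustrative.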

We strongly recommend updating your firewall to restrict all outgoing SMTP (port 25) traffic: only PerfectMail and other mail servers should be able to send e-mail directly to the Internet. PCs compromised by viruses, Trojans, etc. may send e-mail directly to the Internet, which may result in your entire organization being blacklisted by RBL sites such as Spamhaus (especially if you have only one Internet-facing IP address).

Following are two examples of how to configure PerfectMail within your firewalled infrastructure.

Firewall Configuration: Green Zone + Internet

If you have a simple firewall configuration, with your internal network (Green Zone) being protected from the Internet, place your PerfectMail product in the internal network (Green Zone) and configure your firewall to allow the following network traffic.

Incoming Ports:

Port      Type     Protocol       Description
25        TCP      SMTP           Port forward to PerfectMail for incoming e-mail
443       TCP      HTTPS          Port forward to PerfectMail for remote secure web access (optional)
22        TCP      SSH            Port forward to PerfectMail for technical support (optional)


[Note: Using non-standard ports for support access (i.e. SSH and HTTPS) is acceptable as long as these are port forwarded to the appropriate ports on the PerfectMail server.]

Outgoing Ports:

Port      Type     Protocol       Description
25        TCP      SMTP           For outgoing e-mail
53        TCP/UDP  DNS/BIND       For DNS look-ups and testing
80        TCP      HTTP           For website probing
123       UDP      NTP            For remote Network Time Protocol look-ups
443       TCP      HTTPS          For website probing
43, 4321  TCP      whois, rwhois  For WhoIs queries


Firewall Configuration: Green Zone + DMZ + Internet

If you have a firewall configuration that includes a DMZ, with your internal network (Green Zone) protected from the Internet and your mail server and DNS server located in the Green Zone, place your PerfectMail product in the DMZ network and configure your firewall to allow the following network traffic. The following ports are required for PerfectMail to function.

Between Internet and the DMZ - Incoming Ports:

Port      Type     Protocol       Description
25        TCP      SMTP           Port forward to PerfectMail for incoming e-mail
443       TCP      HTTPS          Port forward to PerfectMail for remote secure web access (optional)
22        TCP      SSH            Port forward to PerfectMail for technical support (optional)


[Note: Using non-standard ports for support access (i.e. SSH and HTTPS) is acceptable as long as these are port forwarded to the appropriate ports on the PerfectMail server.]

Between Internet and the DMZ - Outgoing Ports:

Port      Type     Protocol       Description
25        TCP      SMTP           For outgoing e-mail
53        TCP/UDP  DNS/BIND       For DNS look-ups and testing
80        TCP      HTTP           For website probing
123       UDP      NTP            For remote Network Time Protocol look-ups
443       TCP      HTTPS          For website probing
43, 4321  TCP      whois, rwhois  For WhoIs queries


Between the DMZ and the Green Zone - Incoming Ports, to Green Zone:

Port      Type     Protocol       Description
25        TCP      SMTP           Port forward to mail server for incoming e-mail
53        TCP/UDP  DNS/BIND       For DNS look-ups and testing (unless DNS server is in DMZ)
123       UDP      NTP            For Network Time Protocol (unless time server is in DMZ)


Between the DMZ and the Green Zone - Outgoing Ports, from Green Zone:

Port      Type     Protocol       Description
25        TCP      SMTP           For outgoing e-mail
443       TCP      HTTPS          For PerfectMail Web-UI secure access
80        TCP      HTTP           For PerfectMail Web-UI access (optional)
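As an added example (not PerfectMail's or any firewall vendor's code), the following Python script is a small first-match rule evaluator that encodes the Green Zone + DMZ + Internet tables above together with the earlier recommendation that only mail servers may send SMTP directly to the Internet; the simpler Green Zone + Internet layout is the same policy with the DMZ rules collapsed into the Green Zone. Zone ranges, host addresses and the Rule format are constructed for illustration, and a real firewall expresses the same policy in its own syntax. Running it shows that PerfectMail can deliver to the Internet on port 25 while a workstation in the Green Zone cannot, and that port-forwarded Internet traffic reaches only the PerfectMail host.

```python
"""Simulate the Green Zone + DMZ + Internet firewall policy described above.

Added example (not PerfectMail or firewall-vendor code). Zones, addresses and
the Rule format are constructed for illustration; the evaluator is a plain
first-match walk over an ordered rule list with a default deny.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: RFC 1918 ranges for the two internal zones,
# RFC 5737 addresses stand in for Internet hosts in the examples.
ZONES = {
    "green": ipaddress.ip_network("192.168.10.0/24"),
    "dmz": ipaddress.ip_network("192.168.20.0/24"),
}
PERFECTMAIL = "192.168.20.25"  # PerfectMail host in the DMZ (hypothetical)
MAILSERVER = "192.168.10.25"   # internal mail server in the Green Zone (hypothetical)
DNSSERVER = "192.168.10.53"    # internal DNS server in the Green Zone (hypothetical)


def zone_of(ip):
    """Map an address to a zone name; anything outside the internal ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str           # "tcp" or "udp"
    port: int            # destination port
    action: str          # "allow" or "deny"
    src_host: str = ""   # when set, only this source address matches
    dst_host: str = ""   # when set, only this destination address matches
    note: str = ""


RULES = [
    # Internet -> DMZ: incoming, port-forwarded to the PerfectMail host only
    Rule("internet", "dmz", "tcp", 25, "allow", dst_host=PERFECTMAIL, note="incoming e-mail"),
    Rule("internet", "dmz", "tcp", 443, "allow", dst_host=PERFECTMAIL, note="remote web access (optional)"),
    Rule("internet", "dmz", "tcp", 22, "allow", dst_host=PERFECTMAIL, note="technical support (optional)"),
    # DMZ -> Internet: outgoing; SMTP restricted to PerfectMail as the article recommends
    Rule("dmz", "internet", "tcp", 25, "allow", src_host=PERFECTMAIL, note="outgoing e-mail"),
    Rule("dmz", "internet", "tcp", 53, "allow", note="DNS"),
    Rule("dmz", "internet", "udp", 53, "allow", note="DNS"),
    Rule("dmz", "internet", "tcp", 80, "allow", note="website probing"),
    Rule("dmz", "internet", "udp", 123, "allow", note="NTP"),
    Rule("dmz", "internet", "tcp", 443, "allow", note="website probing"),
    Rule("dmz", "internet", "tcp", 43, "allow", note="whois"),
    Rule("dmz", "internet", "tcp", 4321, "allow", note="rwhois"),
    # DMZ -> Green Zone: PerfectMail delivering inbound mail, plus DNS and NTP
    Rule("dmz", "green", "tcp", 25, "allow", src_host=PERFECTMAIL, dst_host=MAILSERVER, note="incoming e-mail"),
    Rule("dmz", "green", "tcp", 53, "allow", dst_host=DNSSERVER, note="DNS"),
    Rule("dmz", "green", "udp", 53, "allow", dst_host=DNSSERVER, note="DNS"),
    Rule("dmz", "green", "udp", 123, "allow", note="NTP"),
    # Green Zone -> DMZ: outgoing mail and Web-UI access to PerfectMail
    Rule("green", "dmz", "tcp", 25, "allow", dst_host=PERFECTMAIL, note="outgoing e-mail"),
    Rule("green", "dmz", "tcp", 443, "allow", dst_host=PERFECTMAIL, note="Web-UI secure access"),
    Rule("green", "dmz", "tcp", 80, "allow", dst_host=PERFECTMAIL, note="Web-UI access (optional)"),
    # Green Zone -> Internet: no direct SMTP from PCs. The rest of the workstation
    # policy is outside the article's scope, so only this deny is shown.
    Rule("green", "internet", "tcp", 25, "deny", note="block direct SMTP from PCs"),
]
DEFAULT_ACTION = "deny"


def evaluate(src_ip, dst_ip, proto, port):
    """Return (action, matching_rule) for the first rule that matches, or the default."""
    key = (zone_of(src_ip), zone_of(dst_ip), proto, port)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.port) != key:
            continue
        if rule.src_host and rule.src_host != src_ip:
            continue
        if rule.dst_host and rule.dst_host != dst_ip:
            continue
        return rule.action, rule
    return DEFAULT_ACTION, None


def smtp_egress_sources():
    """List which hosts may open port 25 towards the Internet; should be mail servers only."""
    return sorted(r.src_host or f"any host in {r.src_zone}" for r in RULES
                  if r.dst_zone == "internet" and r.proto == "tcp"
                  and r.port == 25 and r.action == "allow")


if __name__ == "__main__":
    for flow in [(PERFECTMAIL, "203.0.113.10", "tcp", 25),      # PerfectMail delivering mail
                 ("192.168.10.77", "203.0.113.10", "tcp", 25),  # workstation sending direct SMTP
                 ("203.0.113.10", PERFECTMAIL, "tcp", 22),      # support access via port forward
                 ("203.0.113.10", "192.168.20.99", "tcp", 25)]:  # SMTP to some other DMZ host
        action, rule = evaluate(*flow)
        print(flow, "->", action, "" if rule is None else f"({rule.note})")
    print("SMTP egress permitted for:", smtp_egress_sources())
```

The smtp_egress_sources audit is the check worth keeping around: after any firewall change, the list of hosts permitted to reach the Internet on port 25 should contain only PerfectMail and any other legitimate mail servers, which is exactly the restriction the article recommends to avoid blacklisting.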