Home Synology users will find that many of the packaged applications they use are end-user oriented and just work, out of the box. Office, Drive, Moments, Note Station, Photo Station, Audio Station, and the mobile apps – they “install and go.” Email is more complicated because of authentication, and the need to filter out malicious content using some very technical functions.
I created these guides because, as a novice, I found that the Synology Knowledge Base materials didn’t cover everything I needed to know; and when I added all the Synology resources to the external ones the information was so fragmented that it made it even harder to follow. I decided that if I couldn’t describe it, I wouldn’t understand it; and having described it, it made sense to share it.
I have documented what worked for me. If you have suggestions to improve the processes I’d be delighted to hear about them so I can update and improve these guides.
One invaluable source of information was the Facebook group Synology Admins & Users. Join now. I have listed below the names of people from that group who have contributed in some way to these articles by commenting on my endless questions.
To complicate things further, there are several ways to implement MailPlus Server. The two primary methods are:
- To offload the responsibility for mail filtering to a 3rd party, to avoid the complexities of SPF, DKIM and DMARC functions. I implemented this approach first.
- To do an all-out end-to-end Synology MailPlus Server installation where all mail filtering is carried out by MailPlus Server. This has a much steeper learning curve.
Each method is covered by a separate article but there are decisions to be made and preparation steps to complete, which is what the remainder of this article is about.
- If you own a Synology DiskStation you are already invested in the technology and you have a private cloud that you own.
- You may, like me, distrust cloud services and want to take control of your data.
- MailPlus Server and its client MailPlus are free (up to 5 email accounts – after that you have to pay for user licences.)
- MailPlus is part of an integrated set of Synology apps – Office, Note Station, Contacts, Calendar – that is a good substitute for G Suite or Office 365. It is not as full featured, yet, but is already good enough for home use. (And I say that as an advanced user of Microsoft Office and G Suite.)
- Because you can. 🙂
| Item | Cost |
|---|---|
| Static IP Address | Approx £5, one off |
| Domain Name | From £1.20 for first year and £12 per year thereafter |
| Email Relay Service (doesn't apply if you use a complete end-to-end MailPlus Server approach.) | Dependent on the provider you use, approx £35 a year |
You need to decide whether this small outlay is justified for gaining direct control over your data. If you are going to use a relay service, you may be able to find a cheaper service. Shop around.
You may be required by local laws to have a postmaster account (although I suspect that may be for corporate email systems and bulk mailers.) To avoid having to dedicate a licence to postmaster (admin) addresses, create an alias that points the user “postmaster” to the account(s) that administer the system.
Remember that if you go the full hosted route, with no relay server, you will have to run the antivirus and spam filter engines, which add to the server load.
You need to check that your ISP provides true static IPs. Some use a technique where IP addresses come from a reserved pool of dynamic addresses, and some email servers will treat those IPs as dynamic, and untrustworthy. If your ISP can’t provide a true static IP you may have to look for another provider that does, or abandon self hosting.
Update: Actually that’s not quite true. If you go for SpamHero as your 3rd Party Relay service, they support dynamic IPs, but it’s more expensive. (see “Choose an Email Relay / Gateway Service”)
Ideally the domain registrar will give you control panel access to Domain Name Services (“DNS Settings”) as you’ll need to make changes here and having to email support and wait a week is a real pain.
If you’re new to all of this, here’s a good place to start:
Reverse DNS is like the return address on an envelope. It allows us to see where the mail in the envelope originated and, in the case of email, the receiving server can query the originating server to make sure it’s genuine. If a Reverse DNS entry is not available, then the receiving mail server can’t validate the address and may quarantine or even discard the mail as suspicious.
But there’s a problem. Few ISPs allow static IPs and even fewer support reverse DNS on a residential line.
Update: I have since discovered that my ISP automatically assigns a PTR record and by default points it to a site based on the user’s name on their servers. This fact is clearly not common knowledge as the technician (not a call centre agent, but a technician) had never heard of a PTR record.
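The reverse DNS check described above, as an added example that is not part of the original guide: a receiving server looks up the PTR record for the connecting IP address, then resolves that name forward to confirm it points back to the same IP. The function names, addresses and host names below are hypothetical; the sample records are constructed from documentation ranges and include an ISP-assigned default PTR like the one mentioned in the update.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup via the OS resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup via the OS resolver; empty set when the name fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_reverse_dns(ip, mail_host, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: IP -> PTR name -> back to the same IP."""
    ptr = reverse(ip)
    if not ptr:
        return "no PTR record"
    ptr = ptr.rstrip(".").lower()
    target = ipaddress.ip_address(ip)
    # Drop any IPv6 scope suffix before comparing addresses.
    addrs = {ipaddress.ip_address(a.split("%")[0]) for a in forward(ptr)}
    if target not in addrs:
        return "PTR does not resolve back to the IP"
    if ptr != mail_host.rstrip(".").lower():
        return "PTR is confirmed but is not the mail host name: " + ptr
    return "ok"

# Constructed sample data (documentation address ranges and example domains).
SAMPLE_PTR = {
    "203.0.113.25": "mail.example.com.",
    "203.0.113.80": "jsmith.customers.isp.example.net.",  # ISP default PTR
    "203.0.113.90": "orphan.example.net.",
}
SAMPLE_A = {
    "mail.example.com": {"203.0.113.25"},
    "jsmith.customers.isp.example.net": {"203.0.113.80"},
    "orphan.example.net": {"198.51.100.7"},
}

def demo():
    """Run the check over the constructed records instead of live DNS."""
    fwd = lambda name: SAMPLE_A.get(name, set())
    ips = ["203.0.113.25", "203.0.113.80", "203.0.113.90", "203.0.113.99"]
    return {ip: check_reverse_dns(ip, "mail.example.com", SAMPLE_PTR.get, fwd) for ip in ips}
```

Calling `check_reverse_dns` with only your public IP and mail host name uses the system resolver, so it reports what a receiving server would see for your line.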
Synology Knowledge Base – How to setup MailPlus Server is quite intimidating on its own, and it is liberally sprinkled with technical terms. But that’s just the surface. If you open the Help system inside MailPlus Server / MailPlus you will discover an even richer seam of technical topics that you need to get to grips with.
There’s a lot to take on board and it’s not a one-time, setup-and-forget thing. Email remains a prime target for malicious attacks. You will need to keep on top of developments in the latest filtering needs or risk becoming a juicy target for criminals who are continually developing inventive new ways to exploit weaknesses in email systems.
The alternative is to use a commercial email relay service / gateway through which your incoming and outgoing mail is routed. This has some benefits:
- Your incoming mail will be screened using commercial grade filters that are maintained by experts so that SPAM and malicious mails are identified / quarantined.
- If your NAS is down for maintenance, e.g. performing a DSM update, incoming mail will be queued at the gateway until connection is restored, instead of perhaps being discarded. The sending server will normally retry for a period before giving up, but insurance is no bad thing.
- You will not have to spend time trying to keep your email server secure.
- They handle both in- and outgoing traffic,
- They have a 60 day trial period that doesn’t require you to enter payment card details up front
- They have a price plan that is suitable for residential users.
They have dozens of products on their site – you need Comodo Antispam Gateway. Don’t be put off by the fact that it’s designed for corporate mail servers. That’s a good thing.
An alternative service is SpamHero. It’s more expensive than Comodo, especially if you want outbound relaying, but it has the advantage of supporting:
- Non-standard ports, which is useful if your ISP blocks the standard ports 25 and 587
- Dynamic IP addresses, if you can’t get a static IP
During installation you will need to test settings. There are several services you can use to do this. Every email expert seems to have their favourite.
As a novice I found two tools to be very user-friendly:
- During setup, when I needed to test individual components: MX Toolbox
- After go live, when I needed to check my email wasn’t setting off alarms in recipients’ servers: Mail-Tester. This one is particularly user-friendly as it rates every aspect of your email, scores it, tells you what’s wrong and sometimes, how to fix it.
If you made it this far you should be ready to proceed with installation. There are three steps you need to perform whichever of the two solutions you decide to adopt. They are widely covered elsewhere so I won’t go into detail here:
- Assign a static LAN IP address to the DiskStation that will host MailPlus Server so that external calls to your router are always directed to the correct place.
- Set up port forwarding rules on your router to direct external ports 25, 143, 465, 587 and 993 to your DiskStation.
- Apply a free security certificate to your DiskStation using DSM’s wizard for “Let’s Encrypt” that will help you do this in a couple of minutes. Tip: In the window with the field “Subject Alternate Name,” enter the DiskStation’s LAN IP address. This will allow you to access the DiskStation using the LAN IP address without causing security alerts to appear in your browser.
OK. Ready? Choose a button and hold on to your hat!