Synology MailPlus for Home Users – Using a 3rd Party Relay Service


This guide is based on my experience of implementing MailPlus Server in my home, using a third party relay agent to provide authentication and spam filtering.

As I learn more, and other people provide better solutions, I will update this article.  If you have suggestions, please feel free to leave comments or use the Contact option in the menu.

Version 2.2 – 19 Jan 2018

Before you start

Before you start installing anything, you should have read and implemented the steps laid out in the getting started guide. Please also read this guide thoroughly before you start.

The complete process can and should be viewed in the process diagram that appears in a separate post (opens in a new window) that lets you follow along as you perform each step.  If you would prefer to work from a printed copy of the flow chart, here’s a link to a PDF copy:

Download Process Diagram 

The rest of this article explains those parts of the installation process that need it and provides some next steps.  To help you navigate, the content is presented in expanding / collapsing sections.

At this point you need to be looking primarily at the process flow.  The following detailed notes relate to that process flow and, as is the nature of the written word, they follow a slightly different order to the process flow.  The sequence of the process flow takes precedence.

Download two packages from the Synology Package Centre:

  1. MailPlus Server – which handles the incoming and outgoing mail.  This package may download some additional prerequisite packages.  If the MailServer Plus package is not visible in Package Center, your DiskStation Model does not support the app.  Don’t confuse it with plain Mail Server.  That’s a totally different and legacy product, and is the only option on low end models.

  2. MailServer – which the users will use to access their mailbox. (There are mobile apps too, which I will describe later.)

On your router, you will need to create some port forwarding rules to direct incoming traffic that arrives at your router to the correct service on your DiskStation (and even to the correct DiskStation if you have more than one).  How you do this depends on which router you use, but the principles are broadly similar.

You need to create a rule that tells the router to accept connections from the internet on public port xx and redirect it to internal (private) port xx on the DiskStation. Here’s an example from Synology’s own router the RT2600ac:

… and these are the ports you will need to forward

We are going to be using Comodo mail relay service so configuring MailPlus Server is much easier than it would otherwise be because we can omit all the functions that Comodo will perform on their servers such as scanning for viruses, checking for SPAM, white and black lists etc.  We just have to focus on getting connectivity to their server, and leave all the arcane stuff to them.

When you run MailPlus Server for the first time you will be guided through some steps:

In the next screen enter your domain name and accept the calculated name placed in the Hostname field.

Next you will see a summary which you can check and accept, or go back to amend.

Once you press apply the system will start to set up MailPlus, until all four sections show a green check mark.  Press Finish.

Now you have to do some limited configuration so that MailServer Plus can communicate with Comodo.

All other sections on the screen above should be left unselected as Comodo will take over these functions.

On the next screen enable various protocols to deliver and receive emails. It’s a good idea to enable full text search. I’m not aware what impact this has on system resources but as we won’t be using virus and spam detection engines, that will free up a lot of resources.  If you’re running one of the lower powered devices and you find CPU and RAM running high, try switching off full text search.

To enable the postmaster account without using a licence, go to Mail Delivery > Alias, and set one up on the root account with an external mail box or postmaster@<your domain> and assign it to the users that manage the system.

You will need to sign up for the 60 day trial of Comodo ASG and obtain your user credentials.

Do NOT attempt to add a domain to the system at this stage.
You need to adjust two settings in your Domain’s settings.  The affected settings are the A and MX records. 

Your Domain Name host will have provided you with access to a control panel where these settings can be found.  Each provider’s pages will look different but do essentially the same thing.

Link to Comodo Page with Gateway Addresses – opens in new tab. You can ignore the references in that page to setting up a Smart Host.  In this setup that’s not needed.

You MUST complete this step before proceeding to the next. But you have to be patient because it can take up to 48 hours for the changes you made in your control panel to propagate across all the DNS servers around the world.  In practice it’s always quicker than that.

6.1 Add the Domain:

6.2 Settings

The default settings are a reasonable starting point but I have highlighted a few you may wish to select.  For example, the default setting for Spam threshold is so low that when you try to save the record you get a warning!

Outgoing mail users

The most obvious way to control outgoing email users would be to enter their names, create passwords and require authentication.  But there’s a problem –  MailPlus Server authenticates at server level but Comodo at user level.

Fortunately, Comodo has another method – authorising an entire domain – illustrated below.  You enter your static IP address as the user name, then your domain name, and leave the password field blank.  In conjunction with the MailPlus Server settings (above), this will allow the traffic to flow.

This method has another advantage.  With individual addresses on the Gateway you have to remember that for each user you add in MailPlus Server, you have to echo those accounts on the Comodo Server.  With a domain account you don’t.  But the advantage is only for outgoing mail.

Incoming mail users

For incoming mail, we do need to create user accounts on Comodo.  This is so Comodo quarantine messages can be sent to the individuals.

The subject link will take the user to the Comodo gateway where they can:

  • Request release and whitelisting of the sender if it’s from a genuine sender
  • Request blacklisting of the sender, and delete the quarantined item if it’s not from a genuine sender

However, with this step, the process has become  more complex than is really suitable for a home user.  The email account that I used to sign up for, and therefore administer the account, is the same as the email to which the example shown above was sent.  But that address also has to be listed in the incoming mail users’ list, where it acquires a separate identity.  Therefore when I follow the link in the quarantine notice, my persona is that of a user.  I can request that the item be blacklisted and deleted, but I then have to login to my other identically named account on the gateway to release it, which is extremely cumbersome.  There are two choices:

  1. Change the setting on what to do with quarantined messages from accept to reject.  This would prevent quarantined message notices as there would be nothing to blacklist and delete.  But there would be no opportunity to whitelist and release any incorrectly quarantined genuine messages.  They would be rejected too.
  2. Reduce the aggressiveness of the spam trap to reduce the risk of genuine mail being quarantined, but that would result in more spam getting through.

Neither of these options is very attractive.

A workaround is to delete the quarantine message in MailPlus as it arrives and just use it as an alert to go into the gateway as administrator and process the quarantined items.  Other users would get quarantine notices which could be handled by placing a filter rule in each of their MailPlus settings to forward the mail to the postmaster and delete it from their inbox:

Although this would work, things are starting to get complicated.  One of the reasons for using a 3rd Party relay was to simplify email service management.  This doesn’t feel simple.  “Simple” would be if the Comodo gateway had an option to send periodic quarantine alerts to the postmaster account, but it doesn’t.  The fact is, Comodo is an enterprise system where such controls are needed, and we are bending it to the needs of the home user.

You will need to update your backup settings to include MailPlus Server.  I wish that when you installed a new app in DSM, and you have active Hyper Backup settings, that DSM would prompt you to add (or delete as appropriate) the application.  But it doesn’t.  So remember to do it.  In fact, do it NOW.
This is available to all MailPlus Server activated users from the Main Menu, and can be dragged or right clicked onto the user DSM Desktop.

MailPlus looks like many web based email clients but Synology have added their own twist. I prefer MailPlus to Gmail. The three column / preview capability is a standard feature rather than the Lab extra, and they have also done a great job in simplifying things like user preferences, focusing on what most users need most often, and leaving out the arcane stuff. There are pages of Gmail settings that many people will not understand.  I don’t.

The group of commands that appear in column three when you select an item in column two is an improvement on the icon hunt you have to do in Gmail, although with the space available it’s a shame that obvious operations such as “Mark as unread” are placed beneath a pull down menu:

Note that the notification box that pops up in the bottom right of your screen when a new mail arrives is not available in Firefox.
Available for Android and iOS from the appropriate store, there really is not much to say about these apps because mail on mobile devices is more generic than on desktops and MailPlus performs just like any other.

To quote from the Synology Help:

To log in to MailPlus:

  1. Enter the following information on the login page:

    • Account and Password: Enter your DSM account login credentials.

  2. Tap Login.

One of the expected benefits of using a commercial relay service such as Comodo was that it would relieve you of the need to learn the arcane science that is email.  It has therefore been something of a disappointment to me that I have found myself having to do just that, even if it is on a slightly reduced scale.

If your experience mirrors mine you will become very familiar with the CASG admin console and the following sections:

The Spam threshold and Probable spam threshold fields are a mystery.  The help system tells us little more than the two values should be close and the second must be lower than the first.  But no guidance is given as to the practical effect of these two settings nor what constitutes good or bad settings.  It’s another example of a help system that assumes you know what is meant.

The default values of these fields are 0.45 and 0.1 respectively.  At those levels, mail that Gmail allowed to flow routinely with minimal erroneous spam flagging, got routinely caught by CASG.  I have therefore been playing around with the settings.  For example at 0.45 mail from my Gmail to my domain addresses would get caught and, through trial and error, I discovered I had to set it at 0.8 to get the mail to flow from me to me.  Even Whitelisting my address made no difference.

The number of settings permutations of these two fields is > 5,000.  I have asked CASG support for their advice on some settings that would be similar to what a user might expect of Gmail – please throw us a crumb!

The next issue is quarantining.  I’m fine with the concept.  I’m fine with the practice.  But so far, despite all profile and domain settings I can find, I have not received a single quarantine alert from CASG.  A simple email is all that’s needed.  Instead I have to remember to visit the console from time to time to see what needs to be released.

This issue is ongoing with CASG Support and I will update this article with the resolution.

The Audit Log is invaluable as it tracks every incoming message, allows you to see whether it was accepted or not and whether, for example, any qualifiers such as “[Probable Spam]” were added to the Subject.  It will also show you any changes that were made to the settings.  It’s a godsend when you are fault-finding.

Whitelists and blacklists are crucial to mail filtering, particularly blacklists.  If an address is on your blacklist it won’t be passed through to your MailPlus Server, regardless of the content.  Blacklist entries can be created manually or as an option when rejecting mail that has been quarantined and held at the CASG gateway. If you accidentally blacklist something you will need to delete the entry from the blacklist manually.

Blacklist entries override the rest of the spam filters but Whitelists do not.  If an address is whitelisted but fails the spam filters for other reasons, it will be blocked by the gateway, which is logical. A blacklist entry means “I don’t care how good the filters think the message is, I don’t want anything from this sender,” while the Whitelist entry says “I trust this sender, but please protect me from malicious content in their mails.”

I have experimented with various solutions to this, using POP3 mostly but that protocol isn’t recommended due to its lack of multiple device support.

If you use other email services, the simplest way to get them to integrate with MailPlus server, and therefore to be managed in MailPlus Server’s IMAP function, is to set up a rule on the other service to forward incoming mail to your domain email address. This is Gmail’s setting page:

This option will mark the external copy as read, but keep it on the server.  Then if you suspect you have some missing mail you can check to see if it arrived and was forwarded (i.e. marked as read).  Later, you might decide to delete the original after it has been forwarded so that your external inbox is always empty.

It’s possible your IP has been blacklisted. To check, visit this site.

If your IP is blacklisted you will need to apply for it to be removed.  Click the Contact button top right of the Comodo KoruMail Reputation screen.  Unfortunately it will take several days for your request to be actioned.  But, to quote Comodo support:

However, please note that you do have the possibility to disable Comodo RBL from Incoming > Spam Detection Settings section. The incoming traffic will then be filtered based mostly on the spam score and for the cases that require special attention you can always choose to create custom blacklist rules using the Domain Rules section

If you are migrating to MailPlus from another email client you will probably have been accustomed to working with a spam folder, viewing its content, and marking items as spam / not spam.

One of the downsides of handling spam in an email relay service is that the scrubbing is done before the mail reaches the MailPlus Server and the server’s spam detection is turned off, so the mail is delivered directly to the user’s Inbox just like any other mail.  There is no separation of spam mail into the dedicated spam folder.

Fortunately  there is a workaround that will mimic most of that functionality. It will deliver the spam mail to the Spam folder.  It will let you use MailPlus’s “Not Spam” function that will automatically move the mail to the inbox.  What it won’t do is remove the [Probable Spam] tag that Comodo insert in the message’s Subject.

To enable this workaround, write an incoming mail filter that will direct spam items to the Spam Folder.  It’s very easy.  In MailPlus client (not server) click your user name in the top right corner and select Settings > Filter and follow the screen shots below.

Note there’s a label mismatch in the setup.  Selecting the Spam folder will create a rule that refers to the Junk folder.  They’re the same thing, with different labels.

With this rule in place mail will now be delivered to the Spam folder where you can delete it, if it is spam or use the MailPlus “Not Spam” control, if it isn’t spam, which will move it to the inbox:

Gotchas
  1. Marking mail as “not spam” does not teach the Comodo server anything about your mail traffic, because there is no connection back to the Comodo server, and MailServer Plus spam filtering engine is disabled. 
  2. If you want to prevent future emails from the same sender being tagged as spam / placed in your spam folder  you have three choices:
    1. Add them to the whitelist (may not work if their messages are still considered dubious by Comodo.)
    2. Adjust the spam threshold so the mail does not get tagged.
    3. Write an exception rule in MailPlus > Settings > Filter > Edit Filter to exclude their email address from being placed in the spam folder.
  3. The [Probable Spam] tag that was added to the subject by Comodo will not be removed by the MailPlus client “not spam” function.
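
The spam-folder filter and the sender exception rule described above, modelled as an added Python example (not MailPlus code and not part of the original guide). The `route` function, the sample addresses and the case-insensitive tag match are assumptions; the messages are constructed.

```python
from email import message_from_string, policy

TAG = "[Probable Spam]"  # tag the guide says Comodo inserts in the Subject
# Hypothetical exception list (senders you never want filed as spam).
EXCEPTIONS = {"newsletter@example.org"}


def route(raw, exceptions=EXCEPTIONS):
    """Return the folder a message would land in: 'Junk' or 'INBOX'."""
    msg = message_from_string(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words, so an encoded Subject
    # is matched on its readable text, not on the raw header bytes.
    subject = str(msg["Subject"] or "")
    if TAG.lower() not in subject.lower():
        return "INBOX"
    # Compare the parsed address, never the whole From header: the display
    # name is free text and may itself contain an excepted address.
    sender = msg["From"]
    addrs = {a.addr_spec.lower() for a in sender.addresses} if sender else set()
    if addrs and addrs <= exceptions:
        return "INBOX"
    return "Junk"


# Constructed sample messages covering the cases the rule has to handle.
SAMPLES = {
    "plain_tag": "From: Shop <offers@shop.example>\n"
                 "Subject: [Probable Spam] Big sale\n\nbody\n",
    "encoded_tag": "From: billing@vendor.example\n"
                   "Subject: =?utf-8?Q?=5BProbable_Spam=5D_Invoice?=\n\nbody\n",
    "excepted": "From: News <newsletter@example.org>\n"
                "Subject: [Probable Spam] Weekly digest\n\nbody\n",
    "name_only": 'From: "newsletter@example.org" <bulk@sender.example>\n'
                 "Subject: [Probable Spam] Weekly digest\n\nbody\n",
    "clean": "From: friend@example.net\nSubject: Lunch?\n\nbody\n",
}


def route_all(samples=SAMPLES):
    """Route every sample and return {name: folder}."""
    return {name: route(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, folder in route_all().items():
        print(f"{name:12} -> {folder}")
```

The `name_only` sample shows why the exception has to be keyed on the address part of From: a rule that matches the excepted address anywhere in the header would let that message into the Inbox.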

And Finally…

I hope you found this guide useful. I try to update it when I discover more about the products involved.  If you have any comments or better solutions, I’d love to hear from you. You can use the Comments area below or the Contact link in the top menu.

Paul Barrett
