Open-Xchange

Prerequisite: Step 1, Domain & DNS Setup is complete and all four DNS checks are green.

What happens here: The OX MTA, the Postfix stack under Open-Xchange, is configured to use Conbool as its smart host. Inbound connections from Conbool are allowed. Loop protection and spam classification run via mailfilter Sieve rules. In the Setup Assistant, the Manual configuration mode is chosen.

Effort: 30 to 60 minutes.

Step A. Outbound Smart Host in OX

Navigation: OX server administration → Mail server configuration, or directly in the Postfix configuration.

Step B. Allow Inbound Connections from Conbool

So that Conbool may deliver mail to OX, the Conbool IP addresses are added as a trusted relay source.

1. Receiving MTA: Make port 25 for SMTP reachable from the Conbool IP addresses. Conbool provides the IP list.
2. Recipient whitelist: Accept only the domains hosted in OX, i.e. standard recipient restrictions.
3. TLS: Require for inbound connections from Conbool.
4. Certificate validation: Allow TLS certificate name mail.conbool.com.

Firewall: Port 25 (SMTP) must be open from the Conbool IP addresses to the OX MTA. If running behind a load balancer, maintain the whitelist there as well.

Step C. Loop Protection and Spam in mailfilter Sieve Rules

OX has no central transport rule engine like Exchange. The logic is implemented via mailfilter Sieve rules per tenant or global, or via Postfix header checks.

• Loop protection. Messages with X-Conbool-<YourDomain>: true (e.g. X-Conbool-example-com: true) must not be sent through Conbool again. Deliver directly via the regular MX.
• Spam classification. Messages with X-Conbool-Flag: YES go to the Spam folder. Sieve action fileinto "Spam" or marker X-Spam-Flag: YES.
• Calendaring and empty Return-Path. Calendaring messages and Return-Path: <> are excluded from smart-host routing.

If an OX-internal connector module or a third-party mail-routing plugin is used, apply the conditions above as exceptions in its rule set.

Step D. Release Bypass

Ensures that mail released from the Conbool quarantine is delivered directly, without being marked as spam again or routed through Conbool a second time. On release, Conbool sets the header X-Conbool-Released: yes.

Two places where the bypass is implemented:

1. Loop protection in the MTA / Sieve (analog to Step C): in addition to the X-Conbool-<YourDomain>: true condition, the same bypass logic applies to X-Conbool-Released: yes. Such mails are delivered directly to the mailbox, not sent through mail.conbool.com again.

2. Spam bypass in the Sieve filter:

   if header :is "X-Conbool-Released" "yes" {
     fileinto "INBOX";
     stop;
   }
   

   Released mail lands in the inbox instead of the spam folder, and all subsequent filters are skipped.

Why this matters: Without the rule, released mails either end up in quarantine again, in the spam folder, or get routed through Conbool a second time (loop). The bypass rule turns the Released header into a trust marker.

Scope (optional)

If only some mailboxes should use Conbool, the smart-host path can be narrowed:

• Postfix sender_dependent_relayhost_maps: only selected senders get mail.conbool.com as relay:

  sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
  

• Per-tenant mailfilter Sieve rule: enable the smart host only in the Sieve rules of the chosen mailboxes.
• OX tenant separation: on multi-domain installations, switch individual tenants to Conbool while others remain unchanged.

Done When

Back in the Setup Assistant at the Mail Server step. Enter the relay host of the OX inbound MTA, for example mx-internal.yourcompany.com, then click Test Connection. Status "SMTP reachable" means the connection is established.

Continue with the connection test and completion.