SMTP Relay
Mail server variant for any SMTP-capable MTA such as Postfix, Sendmail, Zimbra or Kerio. Smart host plus header-based loop protection.
Prerequisite: Step 1, Domain & DNS Setup is complete and all four DNS checks are green.
What happens here: The MTA (Postfix, Sendmail, Zimbra, Kerio or similar) is configured to use Conbool as its smart host. Inbound connections from Conbool are allowed. Loop protection and spam classification are added in the MTA's own rule language. In the Setup Assistant, the Manual configuration mode is chosen.
Effort: 30 to 60 minutes.
Step A. Outbound Smart Host
In the MTA, set the following routing:
| Field | Value |
|---|---|
| Relay host or smart host | mail.conbool.com |
| Port | 25 |
| Authentication | None, TLS-certificate based |
| TLS | Required, domain validation against mail.conbool.com |
| MX lookup | Disabled |
| Scope | All hosted domains, or specific domains |
The typical knobs per MTA:
- Postfix:
relayhost = [mail.conbool.com]:25,smtp_tls_security_level = encrypt,smtp_tls_secure_cert_match = nexthop - Sendmail:
define(\SMART_HOST', `mail.conbool.com')with activeSTARTTLS` and certificate validation - Zimbra: Global Outbound SMTP settings → smart host
mail.conbool.com, TLS = Required - Kerio Connect: SMTP server → Relay SMTP server →
mail.conbool.com, Use SSL/TLS
Step B. Allow Inbound Connections from Conbool
- Allow port
25for SMTP only from the Conbool IP addresses, i.e. firewall plus MTA restrictions. - Set the recipient whitelist to the hosted domains.
- Require TLS for inbound connections, accept the certificate name
mail.conbool.com.
Step C. Loop Protection and Spam Classification
In the MTA's rule language (header check, routing rule, filter plugin), implement:
- Messages with
X-Conbool-<YourDomain>: trueare not sent through the smart host but delivered directly. - Messages with
X-Conbool-Flag: YESgo to the Spam folder, e.g. set an SCL equivalent or addX-Spam-Flag: YES. - Calendaring messages and messages with
Return-Path: <>are excluded from smart-host routing.
Step D. Release Bypass
Ensures that mail released from the Conbool quarantine is delivered directly, without being marked as spam again or routed through Conbool a second time. On release, Conbool sets the header X-Conbool-Released: yes. The MTA evaluates this header:
- Loop protection (analog to Step C): in addition to the
X-Conbool-<YourDomain>: truecondition, the same bypass applies toX-Conbool-Released: yes. Such mails are delivered directly, not sent throughmail.conbool.comagain. - Spam bypass / SCL equivalent: mails with
X-Conbool-Released: yesare marked as trusted, no additional spam scoring.
Examples per MTA:
- Postfix via
header_checks:/^X-Conbool-Released:\s*yes$/ FILTER smtp:[mailbox-direct]:25
Plus in the routing logic: with this header, nosender_dependent_relayhostto Conbool. - Sendmail:
KCheckHeaderhash with header match → custom mailer tag that skips the Conbool routing rule. - Zimbra: filter rule at system or domain level → mail with header lands directly in the inbox, skipping spam filters.
- Kerio Connect: content filter "Header contains X-Conbool-Released: yes" → action "Skip spam filter" + "Deliver directly".
Why this matters: Without this rule, released mails either end up in quarantine again, in the spam folder, or get routed through Conbool a second time (loop). The Released header is the trust marker.
Scope (optional)
If only some senders should use Conbool, the smart-host path can be narrowed:
- Postfix: sender-dependent routing via
sender_dependent_relayhost_maps. Only listed senders getmail.conbool.comas smart host:sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
Other senders keep their existing routing. - Sendmail:
mailertablewith per-sender mapping or routing viaaccessDB. - Zimbra: per-domain or per-COS routing profile — switch individual COS to Conbool while others remain unchanged.
- Kerio Connect: mail routing rules with sender match on individual addresses or distribution lists.
Done When
Back in the Setup Assistant at the Mail Server step. Enter the relay host of the inbound MTA, for example mx-internal.yourcompany.com, then click Test Connection. Status "SMTP reachable" means the connection is established.
Continue with the connection test and completion.