Every environment tends to be a little bit different, but in general, there is no need for MDaemon (or any other server that SecurityGateway is sitting in front of) to be rechecking all the security stuff for an inbound email that was just checked by SecurityGateway. If MDaemon can be accessed on port 25, 465, or 366 from the internet, then you'll want to leave security in place and exclude connections from SecurityGateway.
Here is what I reccomend that you do.
1. Make sure SecurityGateway Authenticates with MDaemon when sending mail to it. The easiest way to configure this in SecurityGateway is to go to Setup / Users | Mail Configuration | Domain Mail Servers | Select your Domain Mail Server | Edit, check the box for Requires SMTP Authentication and enter a valid username and password.
2. Configure Security Gateway to add an ARC seal to messages and configure MDaemon to trust that ARC seal. In SecurityGateway go to Security | Anti-Spoofing | DKIM Signing, check the box for "Sign eligible messages using ARC". In MDaemon go to Security | Sender Authentication | ARC Settings, check the box to enable ARC verification and add yoru domain to the list of Trusted ARC sealers.
You may also want to configure MDaemon to sign eligible outbound messages using ARC, done on the same dialog. And configure SecurityGateway to trust MDaemon's ARC seal. (Security | Anti-Spoofing | DMARC Verification).
Basically, ARC enables MDaemon to trust the data that SecurityGateway writes to the Authentication-Results header.
Here is some additional information from MDaemon and SecurityGateway's help file.
https://help.mdaemon.com/MDaemon/en/security--arc_settings.html
https://help.mdaemon.com/SecurityGateway/en/dkim_signing.html
https://help.mdaemon.com/SecurityGateway/en/dmarc_verification.html
Assuming that MDaemon is available on the internet for webmail, remote administration, DAV server, ActiveSync server, POP, IMAP, or any other protocol I missed, you'll want to still leave some security in place. For example, I'd reccomend leaving location screening enabled and block access from any connections from any country that should not be trying to login to your server. I'd also leave dynamic screening, account hijack detection, SMTP authentication requirements, AntiVirus, Relay Control, and SSL/TLS requirements enabled. There may be other security features that you should leave enabled that I missed. Just be cautious as the server is still available on the internet so you don't want to turn off all security. The more security you can leave in place, the better off you will be.
Things like Backscatter and From Header replacement should be enabled in SecurityGateway or MDaemon, but in general you do not want both servers trying to implement these features.
English
Chinese (Simplified)
French
German
Italian
Japanese
Russian
Spanish
Vietnamese
