Recommendations for Mdaemon | MDaemon Technologies Community Forum


  • Hello,

    We are currently testing SG, which is installed on a separate server. This server is on the same subnet and has the same public IP as MDaemon.

    I have been researching and watching videos, but I haven't found any recommended settings for using SG with MDaemon, especially when they are on different servers. My question is: Should I disable features like Outbreak and Anti-spam on MDaemon?

    I am using the MDaemon API for user import, and it has been working well so far.

    Thank you!



  • Every environment tends to be a little bit different, but in general, there is no need for MDaemon (or any other server that SecurityGateway is sitting in front of) to be rechecking all the security stuff for an inbound email that was just checked by SecurityGateway.  If MDaemon can be accessed on port 25, 465, or 366 from the internet, then you'll want to leave security in place and exclude connections from SecurityGateway.

    Here is what I recommend that you do.

    1. Make sure SecurityGateway Authenticates with MDaemon when sending mail to it.  The easiest way to configure this in SecurityGateway is to go to Setup / Users | Mail Configuration | Domain Mail Servers | Select your Domain Mail Server | Edit, check the box for Requires SMTP Authentication and enter a valid username and password.

    2. Configure SecurityGateway to add an ARC seal to messages and configure MDaemon to trust that ARC seal.  In SecurityGateway go to Security | Anti-Spoofing | DKIM Signing, check the box for "Sign eligible messages using ARC".  In MDaemon go to Security | Sender Authentication | ARC Settings, check the box to enable ARC verification and add your domain to the list of Trusted ARC sealers.

    You may also want to configure MDaemon to sign eligible outbound messages using ARC, done on the same dialog. And configure SecurityGateway to trust MDaemon's ARC seal.  (Security | Anti-Spoofing | DMARC Verification).  

    Basically, ARC enables MDaemon to trust the data that SecurityGateway writes to the Authentication-Results header.

    Here is some additional information from MDaemon and SecurityGateway's help file.

    https://help.mdaemon.com/MDaemon/en/security--arc_settings.html

    https://help.mdaemon.com/SecurityGateway/en/dkim_signing.html

    https://help.mdaemon.com/SecurityGateway/en/dmarc_verification.html

    Assuming that MDaemon is available on the internet for webmail, remote administration, DAV server, ActiveSync server, POP, IMAP, or any other protocol I missed, you'll want to still leave some security in place.  For example, I'd recommend leaving location screening enabled and blocking connections from any country that should not be trying to log in to your server.  I'd also leave dynamic screening, account hijack detection, SMTP authentication requirements, AntiVirus, Relay Control, and SSL/TLS requirements enabled.  There may be other security features that you should leave enabled that I missed.  Just be cautious as the server is still available on the internet so you don't want to turn off all security.  The more security you can leave in place, the better off you will be.

    Things like Backscatter and From Header replacement should be enabled in SecurityGateway or MDaemon, but in general you do not want both servers trying to implement these features.
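
An added sketch (not part of the thread and not MDaemon's or SecurityGateway's code) of what "trusting an ARC sealer" means on the receiving side: the RFC 8617 structural checks on instance numbers and `cv=` values, then the decision to use only the Authentication-Results recorded by a sealer on the trusted list. Verifying the seal signatures is out of scope here and has to succeed first in a real verifier; the sample headers and `example.com` are constructed.

```python
import re

# Constructed sample headers; d=example.com stands in for your own sealing domain.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1774909414; cv=none; d=example.com; s=sg; b=PLACEHOLDER"),
    ("ARC-Authentication-Results",
     "i=1; sg.example.com; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example"),
]

def parse_tags(value):
    """Parse the 'tag=value; tag=value' list of an ARC-Seal header."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def trusted_arc_results(headers, trusted_sealers):
    """Return the ARC-Authentication-Results of the newest trusted sealer, or None."""
    seals, results = {}, {}
    for name, value in headers:
        if name.lower() == "arc-seal":
            t = parse_tags(value)
            if not t.get("i", "").isdigit() or int(t["i"]) in seals:
                return None  # missing or duplicated instance number
            seals[int(t["i"])] = t
        elif name.lower() == "arc-authentication-results":
            m = re.match(r"\s*i=(\d+)\s*;\s*(.*)", value, re.S)
            if m:
                results[int(m.group(1))] = m.group(2).strip()
    n = len(seals)
    # Instances must be numbered 1..N with no gaps.
    if n == 0 or sorted(seals) != list(range(1, n + 1)):
        return None
    # The first seal carries cv=none and every later one cv=pass; anything else is a failed chain.
    if any(t.get("cv") != ("none" if i == 1 else "pass") for i, t in seals.items()):
        return None
    for i in range(n, 0, -1):  # newest ARC set first
        if seals[i].get("d", "").lower() in trusted_sealers and i in results:
            return results[i]
    return None

if __name__ == "__main__":
    print(trusted_arc_results(SAMPLE_HEADERS, {"example.com"}))
```
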


  • Hi Arron,

    Thank you for this information, it is what I needed. When I set up SG I had authentication errors, and I could not solve them until I disabled the authentication for my domain in SG and ticked the "...unless message is from a domain mail server".

    I am going to follow your recommendations. Just one question, should I have another selector for ARC in SG? I am already using it in Mdaemon, and the selector is enabled there.

    Thank you!

    Abel Herrera


  • I'd suggest using the same selector you have configured in SecurityGateway for DKIM signing.  You can create a new selector in SecurityGateway if you'd like, just make sure that you publish the selector in DNS.

    If you use the selector from MDaemon, be sure to import it into SecurityGateway so that MDaemon and SecurityGateway are using the same public/private key pair, otherwise you will have issues with verification.


  • When I try to import in DKIM Signing in SG I am getting the following error: Exception: Error while [Loading XSL: sign_selector_impoert.xsl]: Reason: The system cannot locate the object specified. Line: 0, Position: 0

    If this is the first time you have seen this exception, wait a moment and try clicking the link again. If there continues to be a problem please contact the administrator. 

    What can I do here?

    Thank you!


  • For now you'll have to use a selector created by SecurityGateway.

    I've submitted a bug for the development team to review.


  • Hi Arron,

    I've followed your recommendations and created the selector in SG, as well as added the TXT record to my DNS (now I have two selector TXT records in my DNS, Mdaemon and SG). My domain is on trusted ARC, and my emails are being signed. However, I'm still encountering authentication errors when authentication is enabled in Domain Mail Servers. Can you please clarify the correct setup? I have SMTP Authentication enabled in the Anti-Abuse settings.

    Thank you!


  • Please post a log snippet that shows the authentication issue occurring.  It would be helpful to see the session from MDaemon's log as well as the session from SecurityGateway's logs.


  • This is the log from SG with one email:

    Mon 2026-03-30 17:23:34: Attempting TCP connection to [192.168.50.14 : 25]
    Mon 2026-03-30 17:23:34: Socket connection established (192.168.50.22 : 53652 -> 192.168.50.14 : 25)
    Mon 2026-03-30 17:23:34: Waiting for protocol initiation...
    Mon 2026-03-30 17:23:34: <-- 220 motivatingraphics.com ESMTP Mon, 30 Mar 2026 17:23:34 -0500
    Mon 2026-03-30 17:23:34: --> EHLO motivatingraphics.com
    Mon 2026-03-30 17:23:34: <-- 250-motivatingraphics.com Hello motivatingraphics.com [192.168.50.22], pleased to meet you
    Mon 2026-03-30 17:23:34: <-- 250-ETRN
    Mon 2026-03-30 17:23:34: <-- 250-AUTH LOGIN CRAM-MD5 PLAIN
    Mon 2026-03-30 17:23:34: <-- 250-8BITMIME
    Mon 2026-03-30 17:23:34: <-- 250-ENHANCEDSTATUSCODES
    Mon 2026-03-30 17:23:34: <-- 250-PIPELINING
    Mon 2026-03-30 17:23:34: <-- 250-CHUNKING
    Mon 2026-03-30 17:23:34: <-- 250-STARTTLS
    Mon 2026-03-30 17:23:34: <-- 250 SIZE 51200000
    Mon 2026-03-30 17:23:34: --> STARTTLS
    Mon 2026-03-30 17:23:34: <-- 220 2.7.0 Ready to start TLS
    Mon 2026-03-30 17:23:34: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
    Mon 2026-03-30 17:23:34: --> EHLO motivatingraphics.com
    Mon 2026-03-30 17:23:34: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
    Mon 2026-03-30 17:23:34: <-- 250-motivatingraphics.com Hello motivatingraphics.com [192.168.50.22], pleased to meet you
    Mon 2026-03-30 17:23:34: <-- 250-ETRN
    Mon 2026-03-30 17:23:34: <-- 250-AUTH LOGIN CRAM-MD5 PLAIN
    Mon 2026-03-30 17:23:34: <-- 250-8BITMIME
    Mon 2026-03-30 17:23:34: <-- 250-ENHANCEDSTATUSCODES
    Mon 2026-03-30 17:23:34: <-- 250-PIPELINING
    Mon 2026-03-30 17:23:34: <-- 250-CHUNKING
    Mon 2026-03-30 17:23:34: <-- 250-REQUIRETLS
    Mon 2026-03-30 17:23:34: <-- 250 SIZE 51200000
    Mon 2026-03-30 17:23:34: --> AUTH LOGIN
    Mon 2026-03-30 17:23:34: <-- 334 VXNlcm5hbWU6
    Mon 2026-03-30 17:23:34: --> ******
    Mon 2026-03-30 17:23:34: <-- 334 UGFzc3dvcmQ6
    Mon 2026-03-30 17:23:34: --> ******
    Mon 2026-03-30 17:23:34: <-- 235 2.7.0 Authentication successful
    Mon 2026-03-30 17:23:34: --> MAIL From:<dwffleetscheduling@walmart.com> SIZE=33663
    Mon 2026-03-30 17:23:34: <-- 250 2.1.0 Sender OK
    Mon 2026-03-30 17:23:34: --> RCPT To:<rosemarym@motivatingraphics.com>
    Mon 2026-03-30 17:23:34: <-- 250 2.1.5 Recipient OK
    Mon 2026-03-30 17:23:34: --> DATA
    Mon 2026-03-30 17:23:34: <-- 354 Enter mail, end with <CRLF>.<CRLF>
    Mon 2026-03-30 17:23:34: Sending <C:\Program Files\MDaemon Technologies\SecurityGateway\Temp\60f2769c32fb44beb630bfab82f4e609.tmp> to [192.168.50.14]
    Mon 2026-03-30 17:23:34: <-- 550 5.7.0 Authentication rejected
    Mon 2026-03-30 17:23:34: --> QUIT
    Mon 2026-03-30 17:23:34: <-- 221 2.0.0 See ya in cyberspace
    Mon 2026-03-30 17:23:34: ** SMTP session terminated (Bytes in/out: 792/34428)

    This is the same email from Mdaemon:

    Mon 2026-03-30 17:23:34.444: 05: Accepting SMTP connection from 192.168.50.22:53652 to 192.168.50.14:25
    Mon 2026-03-30 17:23:34.444: 03: --> 220 motivatingraphics.com ESMTP Mon, 30 Mar 2026 17:23:34 -0500
    Mon 2026-03-30 17:23:34.446: 02: <-- EHLO motivatingraphics.com
    Mon 2026-03-30 17:23:34.468: 03: --> 250-motivatingraphics.com Hello motivatingraphics.com [192.168.50.22], pleased to meet you
    Mon 2026-03-30 17:23:34.468: 03: --> 250-ETRN
    Mon 2026-03-30 17:23:34.468: 03: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
    Mon 2026-03-30 17:23:34.468: 03: --> 250-8BITMIME
    Mon 2026-03-30 17:23:34.468: 03: --> 250-ENHANCEDSTATUSCODES
    Mon 2026-03-30 17:23:34.468: 03: --> 250-PIPELINING
    Mon 2026-03-30 17:23:34.468: 03: --> 250-CHUNKING
    Mon 2026-03-30 17:23:34.468: 03: --> 250-STARTTLS
    Mon 2026-03-30 17:23:34.468: 03: --> 250 SIZE 51200000
    Mon 2026-03-30 17:23:34.469: 02: <-- STARTTLS
    Mon 2026-03-30 17:23:34.469: 03: --> 220 2.7.0 Ready to start TLS
    Mon 2026-03-30 17:23:34.491: 01: SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
    Mon 2026-03-30 17:23:34.491: 02: <-- EHLO motivatingraphics.com
    Mon 2026-03-30 17:23:34.507: 03: --> 250-motivatingraphics.com Hello motivatingraphics.com [192.168.50.22], pleased to meet you
    Mon 2026-03-30 17:23:34.507: 03: --> 250-ETRN
    Mon 2026-03-30 17:23:34.507: 03: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
    Mon 2026-03-30 17:23:34.507: 03: --> 250-8BITMIME
    Mon 2026-03-30 17:23:34.507: 03: --> 250-ENHANCEDSTATUSCODES
    Mon 2026-03-30 17:23:34.507: 03: --> 250-PIPELINING
    Mon 2026-03-30 17:23:34.507: 03: --> 250-CHUNKING
    Mon 2026-03-30 17:23:34.507: 03: --> 250-REQUIRETLS
    Mon 2026-03-30 17:23:34.507: 03: --> 250 SIZE 51200000
    Mon 2026-03-30 17:23:34.508: 02: <-- AUTH LOGIN
    Mon 2026-03-30 17:23:34.508: 03: --> 334 VXNlcm5hbWU6
    Mon 2026-03-30 17:23:34.508: 02: <-- c2VjdXJpdHlnYXRld2F5QG1vdGl2YXRpbmdyYXBoaWNzLmNvbQ==
    Mon 2026-03-30 17:23:34.508: 03: --> 334 UGFzc3dvcmQ6
    Mon 2026-03-30 17:23:34.508: 02: <-- ******
    Mon 2026-03-30 17:23:34.508: 01: Authenticating securitygateway@motivatingraphics.com...
    Mon 2026-03-30 17:23:34.534: 01: Authenticated as securitygateway@motivatingraphics.com
    Mon 2026-03-30 17:23:34.534: 03: --> 235 2.7.0 Authentication successful
    Mon 2026-03-30 17:23:34.536: 02: <-- MAIL From:<dwffleetscheduling@walmart.com> SIZE=33663
    Mon 2026-03-30 17:23:34.537: 03: --> 250 2.1.0 Sender OK
    Mon 2026-03-30 17:23:34.537: 02: <-- RCPT To:<rosemarym@motivatingraphics.com>
    Mon 2026-03-30 17:23:34.538: 03: --> 250 2.1.5 Recipient OK
    Mon 2026-03-30 17:23:34.538: 02: <-- DATA
    Mon 2026-03-30 17:23:34.545: 03: --> 354 Enter mail, end with <CRLF>.<CRLF>
    Mon 2026-03-30 17:23:34.547: 01: Message size: 33663 bytes
    Mon 2026-03-30 17:23:34.556: 03: --> 550 5.7.0 Authentication rejected
    Mon 2026-03-30 17:23:34.556: 01: Authentication does not match address found in FROM header (dwffleetscheduling@walmart.com)
    Mon 2026-03-30 17:23:34.583: 02: <-- QUIT
    Mon 2026-03-30 17:23:34.583: 03: --> 221 2.0.0 See ya in cyberspace
    Mon 2026-03-30 17:23:34.584: 04: SMTP session terminated (Bytes in/out: 34824/4578)

    Thank you!


  • MDaemon is configured to require the credentials used to match the value in the FROM header.  To exclude SecurityGateway from this requirement log in to MDaemon Remote Administration as a global administrator and go to Security | Sender Authentication | SMTP Authentication, click the button for Exempt list and add the IP address of the SecurityGateway server (192.168.50.22).  Save your changes and it should correct the issue.
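
An added example (not part of the thread and not MDaemon's own tooling) that triages this rejection from an MDaemon SMTP log: it pairs the connecting IP and the authenticated account with the FROM-header mismatch line, so a gateway relaying third-party mail can be told apart from an account sending under another address. The first sample session is excerpted from the log posted above; the second session, the function names and the set of gateway IPs are assumptions made for illustration.

```python
import re

# First session: lines excerpted from the MDaemon log posted above.
# Second session: constructed for contrast (documentation IP and addresses).
SAMPLE_LOG = """\
Mon 2026-03-30 17:23:34.444: 05: Accepting SMTP connection from 192.168.50.22:53652 to 192.168.50.14:25
Mon 2026-03-30 17:23:34.534: 01: Authenticated as securitygateway@motivatingraphics.com
Mon 2026-03-30 17:23:34.556: 03: --> 550 5.7.0 Authentication rejected
Mon 2026-03-30 17:23:34.556: 01: Authentication does not match address found in FROM header (dwffleetscheduling@walmart.com)
Mon 2026-03-30 17:40:02.101: 05: Accepting SMTP connection from 203.0.113.7:40112 to 192.168.50.14:25
Mon 2026-03-30 17:40:02.310: 01: Authenticated as user@example.com
Mon 2026-03-30 17:40:02.402: 01: Authentication does not match address found in FROM header (someone.else@example.com)
"""

LINE = re.compile(r"^\w{3} [\d-]+ [\d:.]+: \d\d: (.*)$")
ACCEPT = re.compile(r"Accepting SMTP connection from ([\d.]+):\d+")
AUTHED = re.compile(r"Authenticated as (\S+)")
MISMATCH = re.compile(r"Authentication does not match address found in FROM header \((\S+)\)")

def parse_sessions(log_text):
    """Group log lines into sessions (assumes sessions are not interleaved)."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (hit := ACCEPT.search(msg)):
            sessions.append({"peer": hit.group(1), "auth": None, "from_header": None})
        elif sessions and (hit := AUTHED.search(msg)):
            sessions[-1]["auth"] = hit.group(1)
        elif sessions and (hit := MISMATCH.search(msg)):
            sessions[-1]["from_header"] = hit.group(1)
    return sessions

def triage(session, gateway_ips):
    """Classify a session by whether the FROM-header rule fired and who connected."""
    if session["from_header"] is None:
        return "ok"
    if session["peer"] in gateway_ips:
        return "gateway-relay: add peer to the SMTP Authentication exempt list"
    return "investigate: authenticated account sent with a different FROM address"

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["peer"], s["auth"], "->", triage(s, {"192.168.50.22"}))
```

Only the gateway's own address belongs on the exempt list; the same log line from any other peer means the rule is doing its job.
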


  • Ah! I see, and in SG, how should SMTP Authentication be setup in security settings? I have currently enabled authentication in Domain Mail Servers.

    Thank you!


  • In SecurityGateway under Security | Anti-Abuse | SMTP Authentication, I would check all the boxes except "unless message is to a local account", "unless message is from a domain mail server" and "unless message is from a allowlisted IP address or host"; however, it really depends on how you want SecurityGateway to behave.  If you do not want MDaemon to authenticate with SecurityGateway then check the box for "unless message is from a domain mail server."

    In general I recommend having all clients send mail to the mail server, then let the mail server route it to SecurityGateway. In addition SecurityGateway should authenticate with MDaemon when sending mail and MDaemon should authenticate with SecurityGateway when sending mail.  But there are many different valid reasons for why you may not want to configure it this way.


  • It is working fine now.

    Thanks a lot for your help.

     


  • Hi Arron, 

    Again, another question, I have 3 domains in Mdaemon, and now SG is giving an authentication error for the other domains (not the main one).

    Tue 2026-03-31 16:08:59: ========== Processing RCPT scripts for recipient: sylvia@texstarint.com
    Tue 2026-03-31 16:08:59: -- Executing: Blocklist --
    Tue 2026-03-31 16:08:59: -- End: Blocklist (0.000012 seconds) --
    Tue 2026-03-31 16:08:59: -- Executing: Tarpitting --
    Tue 2026-03-31 16:08:59: * Enabling Tarpitting
    Tue 2026-03-31 16:08:59: -- End: Tarpitting (0.000062 seconds) --
    Tue 2026-03-31 16:08:59: -- Executing: Relaying Denied --
    Tue 2026-03-31 16:08:59: ** Reject 550 This server will not relay mail for external domains
    Tue 2026-03-31 16:08:59: -- End: Relaying Denied (0.000006 seconds) --
    Tue 2026-03-31 16:08:59: ========== End RCPT scripts
    Tue 2026-03-31 16:08:59: --> 550 This server will not relay mail for external domains
    Tue 2026-03-31 16:08:59: <-- QUIT
    Tue 2026-03-31 16:08:59: --> 221 See ya in cyberspace
    Tue 2026-03-31 16:08:59: SMTP session successful (Bytes in/out: 160/3714)
    Tue 2026-03-31 16:08:59: ----------
     
    What can I do here?
    Edit: I found the issue, in SG Mail Domain Server the domain texstarint.com is misspelled, it is using textarint.com. I already fixed it.
     
    Thank you!

  • Great, thanks for letting us know you were able to fix the issue.

