SMTP relay
Because Mail Manager sits between your email environment (such as Microsoft 365, Google Workspace, or on-premises Exchange) and the internet, it uses SMTP relays to route incoming email that it has processed on to your email environment. It can also route outbound email to another email infrastructure, such as another Exchange server or a third-party email gateway, before that infrastructure sends it to the end recipients.
An SMTP relay is a component of your email infrastructure that routes email between servers when a rule action in a rule set designates it.
Specifically, an SMTP relay forwards email from SES Mail Manager to an external email infrastructure such as Exchange, an on-premises or third-party email gateway, or another mail server. Email arriving at an ingress endpoint is processed by a rule that routes matching messages to the designated SMTP relay, which in turn passes them on to the external email infrastructure defined in that relay.
When your ingress endpoint receives email, it uses a traffic policy to determine which emails to block or allow. The email you allow in passes to a rule set that applies conditional rules to execute the actions you've defined for specific types of email. One of the rule actions you can define is the SMTPRelay action; if you select this action, the email is passed along to the external SMTP server defined in your SMTP relay.
For example, you could use the SMTPRelay action to send email from your ingress endpoint to your on-premises Microsoft Exchange Server. You would set up your Exchange server with a public SMTP endpoint that can only be accessed using certain credentials. When you create the SMTP relay, you enter the server name, port, and credentials of your Exchange server and give your SMTP relay a unique name, say, "RelayToMyExchangeServer". Then, you create a rule in your ingress endpoint's rule set that says, "When From address contains 'gmail.com', then perform SMTPRelay action using the SMTP relay called RelayToMyExchangeServer".
Now, when email from gmail.com arrives at your ingress endpoint, the rule triggers the SMTPRelay action, contacts your Exchange server using the credentials you provided when creating your SMTP relay, and delivers the email to your Exchange server. Thus, email received from gmail.com is relayed to your Exchange server. Note that the From address is asserted by the sender and is not authenticated by this rule, so a rule keyed on it routes any message that claims a gmail.com sender; use it for routing, and let your traffic policy and the receiving system's own checks decide how far to trust the message.
You must first create an SMTP relay before it can be designated in a rule action. The procedure in the next section will walk you through creating an SMTP relay in the SES console.
Creating an SMTP relay in the SES console
The following procedure shows you how to use the SMTP relays page in the SES console to create SMTP relays and manage the ones you've already created.
To create and manage SMTP relays using the console
1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.
2. In the left navigation panel, choose SMTP relays under Mail Manager.
3. On the SMTP relays page, select Create SMTP relay.
4. On the Create SMTP relay page, enter a unique name for your SMTP relay.
5. Depending on whether you want to configure an inbound (non-authenticated) or outbound (authenticated) SMTP relay, follow the respective instructions. In both cases you enter the external SMTP server's name and port; an outbound (authenticated) relay additionally takes the login credentials for that server.
6. Select Create SMTP relay.
7. You can view and manage the SMTP relays you've already created from the SMTP relays page. If there's an SMTP relay you want to remove, select its radio button followed by Delete.
8. To edit an SMTP relay, select its name. On the details page, you can change the relay's name, the external SMTP server's name, port, and login credentials by selecting the corresponding Edit or Update button followed by Save changes.
Setting up Google Workspace for inbound (non-authenticated) SMTP relay
The following walkthrough example shows you how to set up Google Workspace to work with a Mail Manager inbound (non-authenticated) SMTP relay.
Prerequisites
- Access to the Google administrator console (Google administrator console > Apps > Google Workspace > Gmail).
- Access to the domain nameserver hosting the MX records for the domains which will be used for Mail Manager setup.
To set up Google Workspace to work with an inbound SMTP relay
1. Add Mail Manager IP addresses to the Inbound gateway configuration:
   a. In the Google administrator console, go to Apps > Google Workspace > Gmail.
   b. Select Spam, Phishing, and Malware, then go to Inbound gateway configuration.
   c. Enable Inbound gateway, and configure it with the following details:
      - In Gateway IPs, select Add, and add the ingress endpoint IPs specific to your region from the following table. Add only the range for the region(s) where your ingress endpoint runs; every address you list here is treated by Gmail as a trusted gateway.

        Region                 IP range
        eu-west-1 (DUB)        206.55.133.0/24
        eu-central-1 (FRA)     206.55.132.0/24
        us-west-2 (PDX)        206.55.131.0/24
        ap-northeast-1 (NRT)   206.55.130.0/24
        us-east-1 (IAD)        206.55.129.0/24
        ap-southeast-2 (SYD)   206.55.128.0/24

      - Select Automatically detect external IP.
      - Select Require TLS for connections from the email gateways listed above.
   d. Select Save at the bottom of the dialog box to save the configuration. Once saved, the administrator console will show the Inbound gateway as enabled.
Setting up Microsoft Office 365 for inbound (non-authenticated) SMTP relay
The following walkthrough example shows you how to set up Microsoft Office 365 to work with a Mail Manager inbound (non-authenticated) SMTP relay.
Prerequisites
- Access to the Microsoft Security admin center (Microsoft Security admin center > Email & collaboration > Policies & Rules > Threat policies).
- Access to the domain nameserver hosting the MX records for the domains which will be used for Mail Manager setup.
To set up Microsoft Office 365 to work with an inbound SMTP relay
1. Add Mail Manager IP addresses to the Allow list:
   a. In the Microsoft Security admin center, go to Email & collaboration > Policies & Rules > Threat policies.
   b. Select Anti-spam under Policies.
   c. Select Connection filter policy followed by Edit connection filter policy.
   d. In the Always allow messages from the following IP addresses or address range dialog, add the ingress endpoint IPs specific to your region from the following table:

      Region                 IP range
      eu-west-1 (DUB)        206.55.133.0/24
      eu-central-1 (FRA)     206.55.132.0/24
      us-west-2 (PDX)        206.55.131.0/24
      ap-northeast-1 (NRT)   206.55.130.0/24
      us-east-1 (IAD)        206.55.129.0/24
      ap-southeast-2 (SYD)   206.55.128.0/24

   e. Select Save.
2. Turn off spam marking on SPF hard fail. Relayed mail reaches Office 365 from a Mail Manager ingress IP rather than from the sending domain's SPF-authorized servers, so an SPF check against the connecting IP would hard-fail legitimate mail. The Enhanced Filtering configuration below restores evaluation against the original sender IP; until it is in place, this setting must be off:
   a. Return to the Anti-spam option and choose Anti-spam inbound policy.
   b. At the bottom of the dialog, select Edit spam threshold and properties.
   c. Scroll to Mark as spam and ensure that SPF record: hard fail is set to Off.
   d. Select Save.
Enhanced Filtering configuration (recommended)
This option allows Microsoft Office 365 to identify the original connecting IP from before the message was received by SES Mail Manager, so that IP-based checks such as SPF and connection filtering are evaluated against the real sender rather than against the Mail Manager ingress endpoint.
1. Create an inbound connector:
   a. Log in to the new Exchange admin center and go to Mail flow > Connectors.
   b. Select Add a connector.
   c. In Connection from, select Partner organization followed by Next.
   d. Fill in the fields as follows:
      - Name – Simple Email Service Mail Manager connector
      - Description – Connector for filtering
   e. Select Next.
   f. In Authenticating sent email, select By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization, and add the ingress endpoint IPs specific to your region from the following table:

      Region                 IP range
      eu-west-1 (DUB)        206.55.133.0/24
      eu-central-1 (FRA)     206.55.132.0/24
      us-west-2 (PDX)        206.55.131.0/24
      ap-northeast-1 (NRT)   206.55.130.0/24
      us-east-1 (IAD)        206.55.129.0/24
      ap-southeast-2 (SYD)   206.55.128.0/24

   g. Select Next.
   h. In Security restrictions, accept the default Reject email messages if they aren't sent over TLS setting, followed by Next.
   i. Review your settings and select Create connector.
2. Enable enhanced filtering. Now that the inbound connector has been configured, you need to enable the enhanced filtering configuration of the connector in the Microsoft Security admin center:
   a. In the Microsoft Security admin center, go to Email & collaboration > Policies & Rules > Threat policies.
   b. Select Enhanced filtering under Rules.
   c. Select the Simple Email Service Mail Manager connector that you created previously to edit its configuration parameters.
   d. Select both Automatically detect and skip the last IP address and Apply to entire organization.
   e. Select Save.
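The script below is an added example written for this page; it is not AWS, Google, or Microsoft code. It shows in working form why the Google "Automatically detect external IP" setting, the Office 365 "SPF record: hard fail" adjustment, and the Enhanced filtering "Automatically detect and skip the last IP address" setting above exist: once Mail Manager relays a message, the IP your mail system sees on the wire is the ingress endpoint, not the sender, so any check keyed on the connecting IP would judge the AWS address. The functions trust the newest hop only if it falls inside the published Mail Manager ranges (the table on this page), then evaluate the hop before it. The hostnames, Received headers, and the sender's SPF range are constructed for illustration and are assumptions, not values from the page; the SPF check is a minimal ip4-only stand-in with no DNS lookups.

```python
import ipaddress
import re
from collections import namedtuple

# Ingress endpoint ranges exactly as listed on this page.
MAIL_MANAGER_INGRESS_RANGES = {
    "eu-west-1": "206.55.133.0/24",
    "eu-central-1": "206.55.132.0/24",
    "us-west-2": "206.55.131.0/24",
    "ap-northeast-1": "206.55.130.0/24",
    "us-east-1": "206.55.129.0/24",
    "ap-southeast-2": "206.55.128.0/24",
}
_NETWORKS = {r: ipaddress.ip_network(c) for r, c in MAIL_MANAGER_INGRESS_RANGES.items()}

# Bracketed IPv4 literal that MTAs write into Received headers:
#   Received: from host.example (host.example [203.0.113.7]) by ...
_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# connecting_ip: IP to run IP-based checks against
# relay_region:  region of the Mail Manager hop that was skipped, or None
Hop = namedtuple("Hop", ["connecting_ip", "relay_region"])


def mail_manager_region(ip):
    """Region whose ingress range contains ip, or None if ip is not a Mail Manager endpoint."""
    addr = ipaddress.ip_address(ip)
    for region, net in _NETWORKS.items():
        if addr in net:
            return region
    return None


def hop_ips(received_headers):
    """Connecting IP of each Received header, newest (top of message) first.
    Headers without a bracketed IPv4 literal (internal hand-offs) are ignored."""
    ips = []
    for header in received_headers:
        match = _BRACKETED_IPV4.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def original_connecting_ip(received_headers):
    """Skip the Mail Manager hop, if present, and return the IP that hop received from.

    Only the newest Received header was written by your own MTA and is trustworthy.
    The second-newest is used only because the newest hop is a Mail Manager endpoint
    in the published ranges; older headers are never consulted, so a sender cannot
    get past the check by adding its own forged Received lines."""
    ips = hop_ips(received_headers)
    if not ips:
        raise ValueError("no connecting IP found in Received headers")
    region = mail_manager_region(ips[0])
    if region is not None and len(ips) > 1:
        return Hop(ips[1], region)
    return Hop(ips[0], region)


def spf_ip4_check(ip, permitted_cidrs):
    """Minimal SPF stand-in: ip4 mechanisms only, no DNS. "pass" if ip is inside any
    permitted range, otherwise "fail" (a hard fail for a record ending in "-all")."""
    addr = ipaddress.ip_address(ip)
    return "pass" if any(addr in ipaddress.ip_network(c) for c in permitted_cidrs) else "fail"


# Constructed sample (hostnames are placeholders): a message whose sender's SPF
# record permits 203.0.113.0/24, accepted by the us-east-1 ingress endpoint and
# relayed on to the tenant MTA. The top header is the newest hop.
SAMPLE_RECEIVED = [
    "from ingress.mailmanager.example (ingress.mailmanager.example [206.55.129.10]) "
    "by mx.tenant.example with ESMTPS",
    "from mail.sender.example (mail.sender.example [203.0.113.7]) "
    "by ingress.mailmanager.example with ESMTPS",
]
SENDER_SPF_IP4 = ["203.0.113.0/24"]  # constructed sender policy


def demo(received_headers=SAMPLE_RECEIVED, permitted_cidrs=SENDER_SPF_IP4):
    """SPF verdict when evaluated naively on the last hop vs. on the detected original IP."""
    last_hop = hop_ips(received_headers)[0]
    detected = original_connecting_ip(received_headers)
    return {
        "last_hop": last_hop,
        "last_hop_spf": spf_ip4_check(last_hop, permitted_cidrs),
        "original_ip": detected.connecting_ip,
        "relayed_via": detected.relay_region,
        "original_spf": spf_ip4_check(detected.connecting_ip, permitted_cidrs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the same message failing SPF when judged on the Mail Manager hop (206.55.129.10) and passing once the hop is skipped and 203.0.113.7 is evaluated instead, which is what the Office 365 hard-fail setting papers over and what Enhanced filtering fixes properly. A message that merely claims a Mail Manager hop in a forged Received line is not skipped, because only the newest header, written by your own MTA, decides whether the skip applies.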