SmarterMail and Network Address Translation (NAT)

Every few months we get tickets from customers who are trying to set up Network Address Translation (NAT) for SmarterMail installations that are set up behind firewalls. While setting up SmarterMail, or any application, behind a firewall and limiting access to public IPs is a great practice, it's not always practical.

Therefore, when we're asked if SmarterMail can be accessed using NAT, we generally give people a guarded "it can be, though it's not recommended." Our experience is that using NAT with a mail server is tricky and requires someone who is very proficient at network routing and DNS setup for it to succeed. In addition, it may impact the features available within SmarterMail, which, in turn, can leave your server and your users vulnerable to spam and phishing attacks.

An email server has a number of moving parts and communicates with outside servers and services in a number of different ways. As such, having clear, unimpeded access to IP addresses is of paramount importance. DNS checks (DKIM, SPF, etc.), access to antispam lists, services and servers, communication between senders and recipients, blacklist and whitelist checks, incoming/outgoing gateway communication and much more go on when using an email server. Each of those requires a complex back-and-forth exchange, and any interruption can make using email difficult, if not downright impossible.

If the IPs for your email server are locked behind a firewall, making sure those IPs are routed properly is not as simple as a basic port forward. In addition, different firewalls have different settings and setups that require a vast amount of know-how to configure properly. Even then, there may be limitations to what, exactly, can and will continue to work even if NAT is set up properly.
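
One concrete case of the DNS checks mentioned above going wrong behind NAT: receiving servers evaluate SPF against the translated public address, not the private address the mail server is bound to. The sketch below is an added example, not SmarterMail code; it evaluates only the `ip4`/`ip6` and `all` terms of a record offline, and every address and record in it is constructed sample data.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def spf_ip_result(spf_record, ip):
    """Evaluate only ip4/ip6 and 'all'; anything needing DNS yields 'unknown'."""
    addr = ipaddress.ip_address(ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    needs_dns = False
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return "unknown" if needs_dns else QUALIFIERS[qual]
        elif name == "all":
            return "unknown" if needs_dns else QUALIFIERS[qual]
        else:
            needs_dns = True  # a, mx, include, redirect=... need live lookups
    return "unknown" if needs_dns else "neutral"

def rfc1918_entries(spf_record):
    """ip4 mechanisms that list private space no outside receiver will ever see."""
    hits = []
    for term in spf_record.split()[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() == "ip4" and value:
            if any(ipaddress.ip_network(value, strict=False).subnet_of(r) for r in RFC1918):
                hits.append(value)
    return hits

def audit_nat_mail_host(spf_record, internal_ip, public_ip):
    """SPF verdict for the address the server binds to vs. the one receivers see."""
    return {"internal": spf_ip_result(spf_record, internal_ip),
            "public": spf_ip_result(spf_record, public_ip),
            "private_in_record": rfc1918_entries(spf_record)}

# Constructed sample data (private and documentation ranges, not from the article).
INTERNAL_IP, PUBLIC_IP = "10.0.0.25", "203.0.113.25"
RECORD_WITH_INTERNAL = "v=spf1 ip4:10.0.0.25 -all"    # written from the server's view
RECORD_WITH_PUBLIC = "v=spf1 ip4:203.0.113.25 -all"   # written from the receiver's view

if __name__ == "__main__":
    for rec in (RECORD_WITH_INTERNAL, RECORD_WITH_PUBLIC):
        print(rec, audit_nat_mail_host(rec, INTERNAL_IP, PUBLIC_IP))
```

A record that passes for the internal address but fails for the public one means outbound mail will be rejected or marked as spam by receivers enforcing SPF, even though everything looks correct from the server itself.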