Mail Configuration
Mail Configuration controls all central gateway settings. Changes are immediately replicated to all cluster nodes.
Postfix Core Settings
| Setting | Description |
| --- | --- |
| Hostname | Server FQDN (e.g. mail.example.com) |
| Listen Address | IP address Postfix listens on (0.0.0.0 = all) |
| Submission Port | Port for client SMTP auth (default: 587) |
| My Networks | Trusted CIDR ranges (no filtering for outbound mail from these IPs) |
TLS
| Setting | Description |
| --- | --- |
| TLS Mode | may (opportunistic) or encrypt (enforced) |
| TLS Minimum Version | TLSv1.2 or TLSv1.3 |
| Certificate Path | Path to the .crt file |
| Key Path | Path to the .key file |
Limits
| Setting | Description | Default |
| --- | --- | --- |
| Max Message Size | In bytes (e.g. 50 MB = 52428800) | 52428800 |
| Connection Rate | Max SMTP connections per client per minute | 30 |
| Message Rate | Max messages per client per minute | 100 |
| Max Queue Lifetime | Time in queue before bounce (seconds) | 432000 (5 days) |
| Max Recipients | Max recipients per message | 100 |
Spam Thresholds
| Threshold | Description | Default |
| --- | --- | --- |
| Quarantine | Score at which mail goes to quarantine | 6.0 |
| Reject | Score at which mail is hard rejected | 15.0 |
| Add Header | Score at which X-Spam header is added | 4.0 |
| Greylisting | Score at which greylisting activates | 3.0 |
Postscreen
Postscreen is a pre-filter before Postfix that rejects simple spam bots based on DNSBL lists and SMTP protocol tests.
| Setting | Description |
| --- | --- |
| Enabled | Enable/disable Postscreen |
| DNSBL Threshold | Score at which the connection is rejected |
| Greet Wait | Seconds Postscreen waits before its greeting to catch clients that talk prematurely |
| DNSBL Action | enforce (reject) or drop (silent drop) |
rspamd Features
| Feature | Description |
| --- | --- |
| Greylisting | Temporary rejection of unknown senders (DNSWL entries are skipped) |
| DKIM | Enable outbound DKIM signing |
| ARC | ARC signing for forwarded mails |
| RBL | Check DNS blocklists |
| SPF | Enable SPF checking |
| DMARC | DMARC evaluation and reporting |
| DKIM Pubkey Check | Verify DKIM keys against DNS |
Antivirus
ClamAV
| Setting | Description |
| --- | --- |
| Mode | clamav, icap, or off |
| ClamAV Host | IP/hostname of clamd socket (127.0.0.1) |
| ClamAV Port | Default: 3310 |
| On Virus | reject, quarantine, or discard |
| Extended Signatures | Load additional signature databases (e.g. Sanesecurity) |
ICAP (Optional)
An external ICAP server (e.g. Sophos, F-Secure) can be used as an alternative:
| Setting | Description |
| --- | --- |
| ICAP Server URL | icap://host:port/service |
| ICAP Timeout | Seconds (default: 10) |
| On Virus | Action on positive ICAP result |
YARA Sandbox
| Setting | Description |
| --- | --- |
| YARA Enabled | Enable YARA sandbox for attachments and URLs |
| Update Interval | Hours between YARA rule updates (default: 24) |
VirusTotal
| Setting | Description |
| --- | --- |
| API Key | VirusTotal API key for attachment hash lookups |
Attachment Filter
| Setting | Description |
| --- | --- |
| Enabled | Enable/disable the attachment filter |
| Blocked Extensions | Comma-separated list (e.g. .exe,.bat,.vbs,.js) |
| Blocked MIME Types | Comma-separated list (e.g. application/x-msdownload) |
Neural Network
| Setting | Description | Default |
| --- | --- | --- |
| Enabled | Use neural network in rspamd | on |
| Min Ham Training | Minimum training entries for ham | 1000 |
| Min Spam Training | Minimum training entries for spam | 1000 |
| Learning Rate | Network learning rate | 0.001 |
Autolearn
Automatic Bayes training based on spam score:
| Setting | Description |
| --- | --- |
| Spam Threshold | Score above which a mail is trained as spam |
| Ham Threshold | Score below which a mail is trained as ham |
Advanced Detections
| Feature | Description |
| --- | --- |
| MX Check | Verify sender domain has a valid MX record |
| Phishing | URL-based phishing detection (rspamd built-in) |
| SURBL | Spam URI blocklist |
| Fuzzy | Fuzzy hash matching against spam database |
| Reputation | Sender reputation scoring |
| ASN | Autonomous System Number scoring |
| Spoof Protection | Header-based spoofing protection (score configurable) |
| Spamtrap | Spamtrap addresses (comma-separated) — hit = instant spam |
| Ratelimit | Rate limiting per sender domain (burst + rate configurable) |
Quarantine Settings
| Setting | Description |
| --- | --- |
| Enabled | Enable/disable quarantine |
| Retention | Days before quarantined mails are automatically deleted |
| Max Size | Max size of a single quarantined mail |
| Portal Domain | FQDN of the quarantine portal for end users |
| Portal Active | Enable the end-user quarantine portal |
Digest (Quarantine Summary)
| Setting | Description |
| --- | --- |
| Enabled | Daily email summary of quarantine contents |
| Interval | daily or weekly |
| Send Time | Time of day to send the digest (e.g. 08:00) |
| Subject | Subject line of the digest mail |
Relay Clients (Outbound IP Allow-List)
The Relay Clients tab lists the IP addresses and CIDR blocks that are allowed to send outbound mail through nmg without SMTP authentication (e.g. internal mail servers, multifunction printers, monitoring systems).
Two-stage outbound auth
Relay clients are the first stage: trusted IPs. SMTP auth (permit_sasl_authenticated) is the second stage. Relay clients take effect before the SASL check.
| Field | Description |
| --- | --- |
| CIDR | IP address or CIDR block (e.g. 192.168.1.0/24) |
| Label | Free-text label (e.g. Printer Room 3) |
| Allowed Sender Domains | Comma-separated list of allowed envelope-from domains — prevents domain spoofing by the relay client |
| Active | Enable/disable the relay client |
Changes are immediately replicated to all cluster nodes and activated in Postfix.
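The two-stage outbound check and the Allowed Sender Domains restriction, modelled as an added Python example (not nmg's own code). The entries are constructed, and the fall-through to the SASL stage when a trusted IP uses a foreign envelope-from domain is an assumption about ordering, not documented behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RelayClient:
    cidr: str
    label: str
    allowed_sender_domains: str   # comma-separated, as in the table
    active: bool = True

# Constructed sample entries (not from a real deployment).
RELAY_CLIENTS = [
    RelayClient("192.168.1.0/24", "Printer Room 3", "example.com"),
    RelayClient("10.0.5.10/32", "Monitoring", "example.com, example.net"),
    RelayClient("172.16.0.0/16", "Old mail server", "example.com", active=False),
]

def sender_domain(envelope_from):
    """Domain part of the envelope sender; '' for the null sender <>."""
    return envelope_from.strip("<>").rpartition("@")[2].lower().rstrip(".")

def outbound_decision(client_ip, envelope_from, sasl_authenticated,
                      clients=RELAY_CLIENTS):
    """Return (verdict, reason). Stage 1: relay clients. Stage 2: SMTP auth."""
    ip = ipaddress.ip_address(client_ip)
    domain = sender_domain(envelope_from)
    for rc in clients:
        if not rc.active:
            continue
        if ip not in ipaddress.ip_network(rc.cidr, strict=False):
            continue
        allowed = {d.strip().lower() for d in rc.allowed_sender_domains.split(",")}
        if domain and domain in allowed:
            return "relay", f"relay client: {rc.label}"
        # Assumption: a trusted IP using a foreign envelope-from domain gets no
        # stage-1 pass and falls through to the SASL stage.
    if sasl_authenticated:
        return "relay", "sasl authenticated"
    return "reject", "not a relay client and not authenticated"

if __name__ == "__main__":
    for args in [("192.168.1.44", "scanner@example.com", False),
                 ("192.168.1.44", "ceo@partner.example", False),
                 ("172.16.3.3", "app@example.com", False),
                 ("203.0.113.7", "user@example.com", True)]:
        print(args, "->", outbound_decision(*args))
```

The second sample call is the case the Allowed Sender Domains field exists for: a printer subnet trying to send as a domain it was never granted.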
ClamAV Signature Sources
In the Antivirus → Signature Sources tab, additional ClamAV signature databases are managed (e.g. Sanesecurity, SecuriteInfo).
| Column | Description |
| --- | --- |
| Name | Label for the signature source |
| URL | Download URL of the signature database |
| API Key | Optional API key (for commercial sources) |
| Built-in | Pre-installed sources (can be disabled, but not deleted) |
| Active | Enable/disable the source |
Click Refresh Now to trigger freshclam immediately on all cluster nodes — without waiting for the normal update cycle.
Force Actions
Certain mail types can be hard rejected regardless of score:
| Setting | Description |
| --- | --- |
| Always reject viruses | Viruses are always rejected with SMTP 550, even if the quarantine threshold is not reached |
| Always reject phishing | Detected phishing mails are always rejected |
Max Score Caps
Limits the maximum score contribution of individual filter categories — prevents excessive penalties from a single category:
| Setting | Description |
| --- | --- |
| Max Score Antivirus | Cap on ClamAV/YARA score contribution |
| Max Score RBL | Cap on DNS blocklist contribution |
| Max Score Reputation | Cap on sender reputation contribution |
| Max Score HFilter | Cap on header filter contribution |
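How the Spam Thresholds, Force Actions and Max Score Caps settings interact, as an added Python model (not nmg or rspamd code). The thresholds are the defaults from the Spam Thresholds table; the category names, cap values and symbol hits are constructed assumptions.

```python
# Defaults from the Spam Thresholds table, checked from the highest down.
THRESHOLDS = [("reject", 15.0), ("quarantine", 6.0),
              ("add_header", 4.0), ("greylist", 3.0)]

def capped_total(symbols, caps):
    """Sum symbol scores per category, then clamp each category to its cap."""
    per_category = {}
    for category, _name, score in symbols:
        per_category[category] = per_category.get(category, 0.0) + score
    return sum(min(total, caps.get(category, float("inf")))
               for category, total in per_category.items())

def decide(symbols, caps, always_reject_viruses=True, always_reject_phishing=True):
    """Return (action, score) for one message."""
    score = capped_total(symbols, caps)
    categories = {category for category, _name, _score in symbols}
    if always_reject_viruses and "antivirus" in categories:
        return "reject", score          # force action: the score is not consulted
    if always_reject_phishing and "phishing" in categories:
        return "reject", score
    for action, threshold in THRESHOLDS:
        if score >= threshold:
            return action, score
    return "accept", score

# Constructed cap values and symbol hits; the page gives no defaults for caps.
CAPS = {"antivirus": 10.0, "rbl": 8.0, "reputation": 5.0, "hfilter": 6.0}
LISTED_ON_THREE_RBLS = [("rbl", "RBL_A", 6.0), ("rbl", "RBL_B", 6.0),
                        ("rbl", "RBL_C", 6.0), ("hfilter", "HELO_ODD", 1.5)]
LOW_SCORE_VIRUS = [("antivirus", "CLAM_VIRUS", 5.0)]

if __name__ == "__main__":
    print(decide(LISTED_ON_THREE_RBLS, caps={}))   # RBL hits alone cross Reject
    print(decide(LISTED_ON_THREE_RBLS, CAPS))      # capped: lands in quarantine
    print(decide(LOW_SCORE_VIRUS, CAPS))           # forced reject below 6.0
    print(decide(LOW_SCORE_VIRUS, CAPS, always_reject_viruses=False))
```

With the RBL cap in place, three blocklist hits alone can no longer push a message past the Reject threshold, while a virus hit is rejected regardless of its score as long as the force action stays enabled.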
Statistics Retention
| Setting | Description |
| --- | --- |
| Stats Retention (Years) | How many years aggregated mail statistics are kept (0 = unlimited) |
Portal SSL (Let's Encrypt)
When the quarantine portal runs under its own domain, Let's Encrypt can be configured directly here:
| Setting | Description |
| --- | --- |
| Certificate Status | Current status of the portal certificate (valid/expired/missing) |
| Issue Now | Request a Let's Encrypt certificate for the portal domain immediately |
Portal node
In a cluster, the node that sends quarantine digests (Portal Node) can be specified — useful when only one node has a public IP.
BCC Archive Encryption Status
When BCC archiving with at-rest encryption is configured, a banner shows the encryption key status (valid / missing / invalid). Without a valid key, no new archives are encrypted.
Score Tuning
The Score Tuning tab allows adjusting the weights of individual rspamd symbols without editing the rspamd configuration directly. Changes take effect immediately.