Google Apps Host routing


OK, nearly there with Google Apps, but now I get to learn about SMTP which I've never really groked:

  • We are trying to migrate a single user and have everyone elses mail forwarded to the legacy mail server.
  • When I turned this on, some of the mail seemed to get through, but the forwards didn't see to work. Specifically, for some mail, I get an "550 Authentication Required"

So off to Wikipedia to figure this out how SMTP really works

  • First thing to notice is that there is something called an MTA
  • There is a Mail User Agent (which is something like Outlook or Apple Mail) talks to an MSA. The MSA rewrites and corrects mail. It's normal port is 587 and should only be used for submitting mail from the local users. You normally authenticate to an MSA with your user name and password. That makes sense since it is only for local users. For this purpose, the question is how does Google Apps mail route work. Does it need to have the user name and password of everyone, or does it need to talk to the MSA, so it looks like random mail just arriving from the internet.

There the is another beast called the MTA.

  • An MTA or mail transfer agent accepts mail from anyone on the internet and its main job is to deliver.
  • Normally MTA to MTA communications is on port 25 with no authentication kind of by definition. Each time an MTA gets a message, it added a "Received By' so you can see what is happening.
  • If the addressee is local, the MTA called the MDA (Mail delivery agent) to send it to the local user
  • Because it has no idea who is sending, it has lots more policies and heuristics. Be definition, it is taking mail from responsible sites like but also from so it normally doesn't allow relays (otherwise a spammer would push through), but does allow deliver into the local accounts and has to have all kinds of filters and ip blocking to work.
  • Because of Spam, most ISPs now block port 25 and if they see a new MTA popup, they immediate blacklist it assuming, that this is a spammer bringing up an MTA.

Net, net in theory deliver to port 25 of the mail server should work. I tried 587 and as predicted Google routing failed for lack of authentication.
There are two other entries, using TLS so that the mail is secured and checking the certificate.

Related Posts