Transcom Group MxGuard Help — Smarthost setup

Smarthost setup

The smarthost relays your outbound mail through MxGuard's reputation-managed IPs with SPF, DKIM, and DMARC authentication. This guide explains who benefits, how to set it up on different platforms, and how to troubleshoot.

Who should use the smarthost

You'll benefit if any of these apply:

  • Your mail lands in spam folders despite being legitimate.
  • Your hosting provider blocks outbound port 25.
  • Your office has a dynamic IP address.
  • You can't easily set up SPF, DKIM, and PTR records.
  • You want centralised audit logs and rate limits for outbound mail.
  • You need to maintain a clean sender reputation.

Before you start

  1. Smarthost enabled on your account — visit your smarthost page.
  2. SMTP credentials — click + new credential. Password is shown once.
  3. SPF updated on each sending domain to include _spf.mxguard.uk: 
    v=spf1 include:_spf.mxguard.uk -all

Connection details

Serversmtp.mxguard.uk
Port587
SecuritySTARTTLS (required)
AuthenticationSASL — PLAIN or LOGIN
Username / Passwordfrom your credential

Setup by platform

Plesk

  1. Plesk → Tools & Settings → Mail Server Settings → Smarthost.
  2. Tick Send users' mail via a smarthost.
  3. Hostname: [smtp.mxguard.uk] (square brackets required).
  4. Port: 587, Authentication required: tick, enter credentials.
  5. Encrypted connection: Required.
  6. Click Check connection then OK.

Important: Plesk routes all outbound mail through the smarthost — every domain on the server needs _spf.mxguard.uk in its SPF, or mail will SPF-fail.

Plain Postfix

cp /etc/postfix/main.cf /etc/postfix/main.cf.bak-$(date +%Y%m%d-%H%M%S)

postconf -e "relayhost = [smtp.mxguard.uk]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"
postconf -e "smtp_tls_security_level = encrypt"
postconf -e "smtp_sasl_tls_security_options = noanonymous"

# AlmaLinux/RHEL/CentOS:
postconf -e "smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt"
# Ubuntu/Debian:
postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"

cat > /etc/postfix/sasl_passwd <<EOF
[smtp.mxguard.uk]:587  YOUR_USERNAME:YOUR_PASSWORD
EOF
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

postfix check
systemctl reload postfix

Microsoft 365 / Exchange Online

Create a Send Connector. Most M365 customers don't need smarthost (M365 outbound IPs have good reputation by default).

Via PowerShell:

Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

New-OutboundConnector \
    -Name "MxGuard Smarthost" \
    -ConnectorType Partner \
    -SmartHosts "smtp.mxguard.uk" \
    -TlsSettings EncryptionOnly \
    -UseMxRecord $false \
    -RecipientDomains "*"

M365 connectors authenticate by source IP, not SASL. Microsoft's outbound IPs aren't predictable enough for IP allowlisting. Contact support for the right pattern for your deployment.

On-premises Exchange Server

New-SendConnector \
    -Name "MxGuard Smarthost" \
    -AddressSpaces "*" \
    -SmartHosts "smtp.mxguard.uk" \
    -SmartHostAuthMechanism BasicAuthRequireTLS \
    -RequireTLS $true \
    -Port 587 \
    -DNSRoutingEnabled $false \
    -SourceTransportServers "EXCHANGE-SERVER-NAME"

$cred = Get-Credential
Set-SendConnector -Identity "MxGuard Smarthost" -AuthenticationCredential $cred

cPanel / WHM (Exim)

WHM → Exim Configuration Manager → Advanced Editor.

ROUTERS section:

smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtp
  route_list = "* smtp.mxguard.uk::587 byname"
  no_more

TRANSPORTS section:

smarthost_smtp:
  driver = smtp
  hosts_require_auth = *
  hosts_require_tls = *
  port = 587

AUTHENTICATORS section:

smarthost_login:
  driver = plaintext
  public_name = LOGIN
  client_send = ": YOUR_USERNAME : YOUR_PASSWORD"

From code

Python:

with smtplib.SMTP("smtp.mxguard.uk", 587) as s:
    s.starttls()
    s.login("YOUR_USERNAME", "YOUR_PASSWORD")
    s.send_message(msg)

PHP (PHPMailer):

$mail->isSMTP();
$mail->Host = 'smtp.mxguard.uk';
$mail->Port = 587;
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->SMTPAuth = true;
$mail->Username = 'YOUR_USERNAME';
$mail->Password = 'YOUR_PASSWORD';

Node.js (nodemailer):

nodemailer.createTransport({
  host: 'smtp.mxguard.uk',
  port: 587,
  secure: false,
  requireTLS: true,
  auth: { user: 'YOUR_USERNAME', pass: 'YOUR_PASSWORD' },
});

Any language: host smtp.mxguard.uk, port 587, STARTTLS, SASL PLAIN or LOGIN. Not port 465.

Testing

swaks --server smtp.mxguard.uk --port 587 --tls \
  --auth-user YOUR_USERNAME --auth-password 'YOUR_PASSWORD' \
  --from you@yourdomain.com --to test@example.com \
  --header "Subject: smarthost test" \
  --body "Test message" --tls-verify

Success: 250 2.0.0 Ok: queued as .... Auth working: 235 Authentication successful.

Troubleshooting

535 authentication failed
Wrong credentials or revoked. Check the smarthost page. Username is case-sensitive.
554 Sender address rejected
The From: domain isn't on your account. Add it first.
530 Must issue STARTTLS first
Client didn't negotiate TLS before AUTH. Enable STARTTLS.
421 Daily message limit exceeded
Daily quota hit. Contact support to raise the limit.
Mail sends but lands in spam
SPF doesn't include _spf.mxguard.uk, or DMARC alignment fails.
Connection refused / timeout
Port 587 blocked at your network. Test from a different network.

Getting help

Email admin@mxguard.uk with platform, exact error, and your account email.