Mailserver changes to only accept from the filter systems

To prevent spammers from delivering spam directly to your mailservers without it being scanned first, you have to make sure your mailserver only accepts email that originated from the filtering systems.

For redundancy reasons, our hosted servers are located in many different networks/datacenters and therefore do not share a single IP range. Because the cluster is regularly expanded, new IPs may be added. If you can only whitelist based on the reverse DNS, you should allow *.webhostingireland.ie and *.hostingireland.ie. Alternatively, if these are not options, you could also change your destination mailserver to listen on a different port (for example 2525) and configure your route in our system to deliver to this alternative port.

* Reverse DNS based authorization: *.hostingireland.ie and *.webhostingireland.ie
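
Hostname-based allow rules such as the wildcards above are only meaningful when the PTR name also resolves forward to the connecting IP, because the PTR record is set by whoever runs the reverse zone for that IP. The following Python code is an added example (not part of the original article or of any mailserver) showing that forward-confirmed reverse DNS check; the function names and the records in CONSTRUCTED_PTR and CONSTRUCTED_A are assumptions made up for illustration.

```python
import fnmatch
import socket

# Wildcards from the article; all other names and records are illustrative.
ALLOWED_PATTERNS = ("*.webhostingireland.ie", "*.hostingireland.ie")

# Constructed DNS data (documentation IP ranges), used for the offline check.
CONSTRUCTED_PTR = {
    "192.0.2.10": "mx1.webhostingireland.ie.",
    "198.51.100.7": "mx1.webhostingireland.ie.",  # PTR claims a filter name
    "203.0.113.5": "mail.example.net.",
}
CONSTRUCTED_A = {"mx1.webhostingireland.ie": {"192.0.2.10"}}


def system_ptr(ip):
    """Reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """All addresses the name resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def is_filter_host(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """True only if the PTR name matches a wildcard AND resolves back to ip."""
    name = ptr_lookup(ip)
    if not name:
        return False
    name = name.rstrip(".").lower()
    if not any(fnmatch.fnmatchcase(name, p) for p in ALLOWED_PATTERNS):
        return False
    # Forward confirmation: the claimed name must map back to the same IP.
    return ip in forward_lookup(name)


def check_constructed(ip):
    """Run the check against the constructed records instead of live DNS."""
    return is_filter_host(ip, CONSTRUCTED_PTR.get,
                          lambda name: CONSTRUCTED_A.get(name, set()))
```

Calling is_filter_host(ip) without the lookup arguments uses the system resolver, which is useful for confirming that a connecting IP seen in your mail log really belongs to the filter cluster.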

Microsoft Exchange

More information can be found on the Microsoft website: http://support.microsoft.com/kb/319356. Microsoft Exchange 2003 uses the whitelist based on the reverse DNS, therefore you can simply add "*.hostingireland.ie" and "*.webhostingireland.ie" to the "Domain" field, which you find when following the instructions "How to Configure IP Address Restrictions".

cPanel

In WHM:

  1. Enable Service Configuration, Exim Configuration Editor, Whitelist: Trusted Mail Hosts/IP Blocks (bypass all SMTP time checks except recipient verifications)
  2. Edit the list of Trusted Mail Hosts to add the filtering server(s) ("*.webhostingireland.ie" if you use our hosted service)
  3. Change Service Configuration, Exim Configuration Editor, Advanced Editor

Find the RCPT ACL section:

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.

Add directly after it:

accept authenticated = *
accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
deny
  domains = +local_domains
  !hosts = localhost: +relay_hosts: +trustedmailhosts
  message = Please deliver mail to the address specified in the MX records for this domain. $sender_fullhost is not allowed to do this.

So the result will be:

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.

accept authenticated = *
accept condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
deny
  domains = +local_domains
  !hosts = localhost: +relay_hosts: +trustedmailhosts
  message = Please deliver mail to the address specified in the MX records for this domain. $sender_fullhost is not allowed to do this.

Exim

To configure Exim to only allow email from the filter servers for certain domains, add the following to the RCPT ACL:

deny
  domains = +spamfilter_domains
  !hosts = *.webhostingireland.ie : localhost
  message = Please deliver mail to the address specified in the MX records for this domain.

You can set up the spamfilter_domains list earlier in the configuration, reading it from a file or a database, or even hard-coding it.

Postfix

1. Create a file /etc/postfix/access with the content:

.webhostingireland.ie OK
.hostingireland.ie OK

2. Create the hash-file used by Postfix: postmap /etc/postfix/access

3. Add the following to /etc/postfix/main.cf

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, reject

Or, if you already have smtpd_client_restrictions defined, insert check_client_access hash:/etc/postfix/access at the beginning of your definition, and replace permit with reject at the end of the definition.

4. Restart Postfix: /etc/init.d/postfix restart
