  1. #1
    Member hostmedic's Avatar
    Join Date
    Apr 2003
    Location
    Ohio
    Posts
    552
    cPanel/Enkompass Access Level

    DataCenter Provider

    block incoming mail in exim for specific domains except from 1 ip

    Greetings friends:

    After a nice long search - both here and some other forums - I am just not sure of the fix - so figured I would come here and ask...

    We are now providing an Anti-Spam appliance above our shared servers.
    For clients that purchase this service - we want to do the following

    1. Change the client's MX record to use the anti-spam appliance (easy enough)
    2. Block all incoming mail that comes direct to the server unless it is within an IP range and/also the anti-spam appliance.

    The trick of just blocking port 25 will not work - because the mail server will be used by other domains that are not subscribing to the anti-spam service.

  2. #2
    Member hostmedic's Avatar
    Join Date
    Apr 2003
    Location
    Ohio
    Posts
    552
    cPanel/Enkompass Access Level

    DataCenter Provider

    firewall worked

    funny - found this old posting.
    A simple firewall setting worked just fine.

  3. #3
    Member
    Join Date
    Jul 2008
    Posts
    45


    Originally Posted by hostmedic:
    > funny - found this old posting.
    > A simple firewall setting worked just fine.

    What's the exact rule you applied?

  4. #4
    Member hostmedic's Avatar
    Join Date
    Apr 2003
    Location
    Ohio
    Posts
    552
    cPanel/Enkompass Access Level

    DataCenter Provider

    depends on what firewall you're using -

    in short - just block all access to port 25
    and then whitelist the ip you want mail from

    That would bypass your firewall setting of course...

    what firewall are you using - be easiest then to tell you the rule


    If iptables this should help



    SMTP is used to send mail. Sendmail and Exim (both on cPanel) use TCP port 25. The following two iptables rules allow incoming SMTP requests on port 25 for server IP address 1.2.3.4 (open port 25):

    Code:
    iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

    In order to block port 25, simply use target REJECT instead of ACCEPT in the above rules.

    And the following two iptables rules allow outgoing SMTP server requests for server IP address 1.2.3.4:

    Code:
    iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

    this should work as well - but just simply blocks completely

    Code:
    # --dport requires -p tcp; -s 0.0.0.0 matches only that one address, 0/0 matches any source
    iptables -A INPUT -p tcp -s 0/0 --dport 25 -j DROP
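
The "block port 25, then whitelist the relay IP" approach from the post above, as an added example that is not part of the original thread: the script only prints the iptables commands for review, and puts the ACCEPT rules ahead of the DROP because iptables stops at the first match. The chain name `SMTP_IN` and the address 192.0.2.10 are constructed; as noted earlier in the thread, a port-level rule applies to every domain on the server.

```shell
#!/bin/sh
# Added example: emit (not execute) iptables commands that accept SMTP only
# from listed relay IPs. Chain name SMTP_IN and all addresses are constructed.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule set for the given relay addresses; nothing is applied.
# Every address is validated first, so a bad entry yields no partial rule set.
# INPUT is hooked last, once the chain already holds its ACCEPT and DROP rules.
smtp_allowlist_rules() {
    [ $# -gt 0 ] || { echo "no relay address given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "bad address: $src" >&2; return 1; }
    done
    echo "iptables -N SMTP_IN"
    for src in "$@"; do
        echo "iptables -A SMTP_IN -s $src -j ACCEPT"
    done
    echo "iptables -A SMTP_IN -j DROP"
    echo "iptables -I INPUT -p tcp --dport 25 -j SMTP_IN"
}

# Constructed sample: loopback plus one appliance address (documentation range).
smtp_allowlist_rules 127.0.0.1 192.0.2.10
```
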

  5. #5
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Jan 2006
    Posts
    640


    We use an Exim ACL.

    Directly under the line "check_recipient:" in advanced Exim conf...

    Code:
    deny message = You may not make direct SMTP connections to this host
         log_message = untrusted host
         domains = +local_domains
         !hosts = 1.1.1.1 : 2.2.2.2 : 3.3.3.3 : 4.4.4.4 : 127.0.0.1
         !authenticated = *

    Has been working great for a couple of years now. Any host trying to make a direct connection will receive a "550 You may not make direct SMTP connections to this host" and it will be logged in the exim log file as "untrusted host". It allows authenticated users to relay through and those IPs specified.
