  1. #1
    Registered User
    Join Date
    Sep 2009
    Posts
    4

    Default Stop Incoming Email Except from External Spam Filter

    I'll try to describe my problem as best as possible. I've tried searching but couldn't find anything that quite matched my situation.

    I'm running a dedicated server offsite with at least 40 domains' email running through an exim mail server. Recently, we purchased a Barracuda to place onsite, and I pointed all MX records to the Barracuda, which then pushes the email from our network to the offsite server.

    My problem is this: I run all of the domains' incoming mail through the Barracuda, but spammers are still targeting our mail server directly, thus bypassing the filtering. Outgoing mail from our server does not pass through the Barracuda.

    My question: How would I configure the exim mail server to only accept incoming mail from the Barracuda, or basically, stop the incoming spam hitting our server directly?

    This is the first time I've routed email from a local filter to an external server, so specific instructions would be MUCH appreciated.

    Running Exim 4, WHM 11, CPanel 11

    Thanks!

  2. #2
    Member
    Join Date
    Aug 2009
    Location
    Houston, Tx
    Posts
    275

    Default Email Customization

    Hello,

    I do see what you are trying to do, however it appears as though you are trying a customization that we could not support directly. Although that is not to say it can't be done. I would recommend taking a look at this site:
    43. System-wide message filtering
    I hope that helps, please let me know if there is anything else I can do for you.

    Thank you,
    Matthew Curry

  3. #3
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Lightbulb

    Is there some reason you can't just simply limit incoming connections to Port 25 (SMTP) to just the single service / IP you want to receive from and reject anything else that is incoming?

    Code:
    # iptables -A INPUT -s ! x.x.x.x -p tcp --dport 25 -j REJECT
    (In the above, 'x.x.x.x' is the IP address or CIDR range you wish to allow incoming access)

    PS: Don't forget the exclamation point, else the filter will do the exact opposite!
    Last edited by Spiral; 09-25-2009 at 03:01 PM.

  4. #4
    cPanel Staff
    Join Date
    Aug 2007
    Posts
    25

    Default

    You can accomplish this by going to WHM -> Exim Configuration Editor -> Advanced Editor, and adding the following to the very top of the 'acl_connect' ACL (before [% ACL_CONNECT_BLOCK %]).

    Code:
        accept hosts = :
        deny  
            !hosts = @[] : net-iplsearch;/etc/trustedmailhosts 
            message = This server does not handle mail directly

    This assumes that you have the IP for the external spam filter in /etc/trustedmailhosts. The '@[]' instructs exim that you'd like to also accept mail from all local IPs. If this is not the case, you can remove the '@[] :', leaving only the net-iplsearch for /etc/trustedmailhosts.

    The first line 'accept hosts = :' indicates that messages which originate locally from a non-tcp source should be accepted as well (e.g. calling exim directly from the command line or a script).

    This will cause the following message to be output when any non-trusted hosts connect:

    root@toothpick [~]# exim -oMa 4.2.2.1 -bs
    550 This server does not handle mail directly
    root@toothpick [~]#
    Stephen Bee
    Quality Assurance

  5. #5
    Registered User
    Join Date
    Sep 2009
    Posts
    4

    Default

    Thanks for the tips!
    Quote:
    Is there some reason you can't just simply limit incoming connections to Port 25 (SMTP) to just the single service / IP you want to receive from and reject anything else that is incoming?

    Reason being, I have clients from all over connecting to my server with their mail clients. Their outgoing mail does not send through the barracuda box, only through the server. Therein lies the problem: If I block port 25, the incoming mail will be fine, but (the way I understand it) outgoing mail would all be blocked.

    @cpanelstephen: Thanks! I think that may be the exact thing I need in order to block incoming, yet allow outgoing mail for my local IPs. I'll give that a try today and report back to see how it works!

  6. #6
    cPanel Partner NOC
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    378
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Closing incoming on port 25 would have been ok if you have all the clients send through an alternate smtp port for exim but Stephen's answer sounds like the best way to go.

  7. #7
    Registered User
    Join Date
    Sep 2009
    Posts
    4

    Default

    I've implemented the method suggested by Stephen, and so far it seems to be running perfectly. I'll have to wait until tomorrow to see if some of the usual spam comes through, but THANK YOU so much.

    Quote:
    Closing incoming on port 25 would have been ok if you have all the clients send through an alternate smtp port for exim but Stephen's answer sounds like the best way to go.

    I could have done that, but it would have been a daunting task to contact 500 email users to change their outgoing port :P. I'd be getting calls for days from 20 different people who can't follow directions..

  8. #8
    cPanel Partner NOC
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    378
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Just to let you know, Stephen ended up using this as an example in the Exim Debugging (and a bit of advanced configuring) session at the CPanel conference today.

    Thanks for giving him a good idea to utilize.

  9. #9
    Registered User
    Join Date
    Sep 2009
    Posts
    4

    Default

    Quote:
    Thanks for giving him a good idea to utilize.

    Glad he got something out of it! I'm honored lol.

  10. #10
    Registered User
    Join Date
    Oct 2009
    Posts
    1

    Exclamation Spam Filtering Algorithms

    I am working on developing an algorithm to stop spam on the server side. I have gone through many approaches but I need to choose the best approach available. I need some suggestions to go on with the project on which technique to choose. A quick reply is appreciated.

  11. #11
    Member
    Join Date
    Nov 2008
    Posts
    174

    Default

    Sorry for relaunching this thread, but I have a similar but slightly more complex requirement.

    We accept mail for a number of domains (but not all) via an external spam filter. Obviously, for those domains, I only want to accept mail from the filtering servers, and not from anyone else.

    I can't see a way to achieve this at the IP level as it means establishing the connection and looking inside the mail headers.

    I expect this belongs somewhere after the ACL CONNECT block in exim.conf, but I'm currently clueless as to where. exim.conf isn't currently one of my comfort zones!

    I need a rule that says something like

    If [recipient domain] is in [list] and HOST != [safehostlist] then reject [with or without message]

    Steve

  12. #12
    Member
    Join Date
    Nov 2008
    Posts
    174

    Default

    OK, moving on... I created two files

    /etc/filterip containing a list of IP addresses of the filter machines
    /etc/filterdomains containing a list of domains that must come via the filter machines

    Then, at the top of exim.conf I add

    Code:
    hostlist filter_hosts = net-lsearch;/etc/filterip :  net-lsearch;/etc/relayhosts
    domainlist filter_domains = lsearch;/etc/filterdomains
    So far so good.. but then I think I need to add something like this in the check_recipient block after 'accept hosts = :' line:

    deny
    !hosts = +filter_hosts
    domains = +filter_domains
    message = Please use the proper domain MX record

    However, I'm not sure this is right, or if there is any way to get this in there using advanced editor... it doesn't allow me to insert (in a sticky fashion) anything into that exact area... unless of course I can find where the internal cpanel templates are kept and update those after each upcp...

    I think I'm close to the answer - someone please help!
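
Added example, not part of any post in this thread: a small Python model of the two deny rules discussed above (the connect-time rule from post #4 and the per-domain recipient rule from post #12), for checking list files against sample peers before editing the live configuration. The file contents, addresses and function names are constructed for illustration, and the matching is a simplification of Exim's own list handling.

```python
import ipaddress

# Constructed sample file contents (documentation address ranges and domains).
FILTER_IPS = "# spam filter appliance\n192.0.2.10\n198.51.100.0/28\n"
FILTER_DOMAINS = "example.com\nexample.org\n"

def _entries(text):
    """Yield (line_no, value) for non-blank, non-comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        value = line.split("#", 1)[0].strip()
        if value:
            yield n, value

def load_nets(text):
    """Parse one IP or CIDR per line; a malformed entry is an error, not a silent skip."""
    nets = []
    for n, value in _entries(text):
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {n}: bad address {value!r}") from exc
    return nets

def load_domains(text):
    return {value.lower() for _, value in _entries(text)}

def host_in(peer, nets):
    ip = ipaddress.ip_address(peer)
    return any(ip in net for net in nets)

def connect_acl(peer, trusted, local_ips=()):
    """Model of the connect-time rule: only the peer IP is known at this stage."""
    if not peer:                      # 'accept hosts = :' (non-TCP local submission)
        return "accept"
    if peer in local_ips or host_in(peer, trusted):   # '@[]' or the trusted list
        return "continue"             # the deny does not match; later ACL lines decide
    return "deny"

def rcpt_acl(peer, rcpt, filter_hosts, filter_domains):
    """Model of the per-domain rule: deny only listed domains from unlisted hosts."""
    if not peer:
        return "accept"
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in filter_domains and not host_in(peer, filter_hosts):
        return "deny"
    return "continue"
```

A `continue` result means the modelled deny did not match and the remaining ACL statements decide; it is not a final accept.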

  13. #13
    Member
    Join Date
    Nov 2008
    Posts
    174

    Thumbs up

    OK, for anyone who is interested, I have documented the procedure I followed to achieve this here:

    How to Configure Exim to receive email for domain only from specific IP addresses « Revert to Type

    This allows me to filter incoming mail connections to exim for specific domains, limiting them to a specified list of safe incoming relays.

    I'm no exim guru (not by far), so please feel free to comment on any caveats or improvements that should be noted - I will of course credit any such help.

  14. #14
    cPanel Partner NOC
    Join Date
    Feb 2004
    Location
    UK
    Posts
    12

    Default

    Thanks for sharing this, and for the great documentation.

    ** Just realised very old thread, sorry for the bump, but wanted to say thx for the info on this **
    Last edited by DF-Duncan; 07-06-2010 at 02:53 PM.
    Duncan Knapper
    Director - DataFlame Internet Services Ltd
    UK Web Hosting
