block incoming mail in exim for specific domains except from 1 ip

hostmedic

Well-Known Member
Apr 30, 2003
543
0
166
Washington Court House, Ohio, United States
cPanel Access Level
DataCenter Provider
Greetings friends:

After a nice long search - both here and some other forums - I am just not sure of the fix - so figured I would come here and ask...

We are now providing an Anti-Spam appliance above our shared servers.
For clients that purchase this service - we want to do the following

1. Change the client's MX record to use the anti-spam appliance (easy enough)
2. Block all incoming mail that comes directly to the server unless it is from within an IP range and/or from the anti-spam appliance.

The trick of just blocking port 25 will not work - because the mail server will be used by other domains that are not subscribing to the anti-spam service.

hostmedic
Depends on what firewall you're using -

in short - just block all access to port 25
and then whitelist the ip you want mail from

That would bypass your firewall setting of course...

What firewall are you using? It would be easiest then to tell you the rule.


If iptables, this should help:

SMTP is used to send mail. Sendmail and Exim (both on cPanel) use TCP port 25. The following two iptables rules allow incoming SMTP requests on port 25 for server IP address 1.2.3.4 (open port 25):

Code:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

In order to block port 25, simply use the target REJECT instead of ACCEPT in the above rules.

And the following two iptables rules allow outgoing SMTP requests from server IP address 1.2.3.4:

Code:
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

This should work as well, but it just blocks port 25 completely (the `-p tcp` is required for `--dport`, and `0.0.0.0/0` matches every source address):

Code:
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 25 -j DROP

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
939
22
168
We use an Exim ACL.

Directly under the line "check_recipient:" in the advanced Exim conf...

Code:
deny    message        = You may not make direct SMTP connections to this host
        log_message    = untrusted host
        domains        = +local_domains
        !hosts         = 1.1.1.1 : 2.2.2.2 : 3.3.3.3 : 4.4.4.4 : 127.0.0.1
        !authenticated = *

It has been working great for a couple of years now. Any host trying to make a direct connection will receive a "550 You may not make direct SMTP connections to this host" and it will be logged in the Exim log file as "untrusted host". It allows authenticated users to relay through, as well as the IPs specified.
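As an added example (not code from the thread, from cPanel or from Exim's own documentation), the ACL above generalized to the original question: only domains that subscribe to the filtering service reject direct SMTP, while the other domains on the same server keep accepting mail normally. The list names `filtered_domains` and `spamfilter_hosts`, the file path `/etc/exim/filtered_domains` and the 192.0.2.x / 198.51.100.x addresses are assumed placeholders for the appliance and for a test client.

```exim
# --- main configuration section (anywhere before the "begin acl" line) ---

# Assumed: one subscribing domain per line in this file, e.g.
#   customer-a.example
#   customer-b.example
domainlist filtered_domains = lsearch;/etc/exim/filtered_domains

# Assumed: the anti-spam appliance addresses. 127.0.0.1 stays in the list so
# local submissions (webmail, scripts talking to localhost:25) are unaffected.
hostlist   spamfilter_hosts = 192.0.2.10 : 192.0.2.11 : 127.0.0.1

# --- ACL section, directly under "check_recipient:" ---

# All conditions must be true for the deny to fire: the recipient domain is
# a subscribing domain, the connecting host is not the appliance (or local),
# and the session is not SMTP-authenticated. Unsubscribed domains never
# match the first condition, so they fall through to the normal checks.
  deny    message        = You may not make direct SMTP connections to this host
          log_message    = untrusted host for filtered domain $domain
          domains        = +filtered_domains
          !hosts         = +spamfilter_hosts
          !authenticated = *
```

To check the rule without touching real traffic, run `exim -bh 198.51.100.5` (Exim's test mode, which simulates an inbound SMTP session from that address) and type `MAIL FROM:<sender@example.net>` followed by `RCPT TO:<user@customer-a.example>`: the RCPT should return the 550 with the text above and write an "untrusted host" rejection to the main log, while a RCPT to a domain that is not in the file is accepted as before. Repeat with one of the appliance addresses in place of the test address to confirm the appliance itself is still allowed through. Keep the `domains` condition first, as shown, so the host and authentication lookups only run for the domains that need them.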