This is something we'll be wanting to do soon and I thought I'd post here for any tips before putting the research into it. If anyone knows how to do this and can offer any tips (or would like it as a paid one-off job even) feel free to post.
We'd like to block regular SMTP on Exim (as bundled with cPanel) so that third-party servers cannot connect to pass over email to domains we host. Authenticated SMTP via the server when hosted clients are sending email should still be permitted (via smtpauth, not pop-before-smtp).
Why are we doing this? All domains will have their MX set to our incoming email server, which handles the email filtering jobs and then relays the clean email over to the server - this is the only server which will connect to the hosting servers to pass email. Spammers tend to ignore this though and connect directly to the domain's A record, so this needs to be stopped. The MX server is not used for outgoing email and our clients will still need to use the regular hosting/Exim install to send their email.
Blocking port 25 at firewall level and asking clients to use SMTP on another port is not an option. Something we have considered is bringing back pop-before-smtp and somehow tying this in with iptables to only allow port 25 traffic to IPs authenticated via POP. Ideally we'll be able to do it at MTA level but this hasn't been researched yet, hence this post.
Any thoughts?
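As an added illustration (not from the thread, and not cPanel's own configuration) of what the MTA-level approach looks like: an Exim RCPT-time ACL that accepts mail only from authenticated clients and from the filtering MX relay, and refuses everyone else. The relay address 192.0.2.10, the ACL name and the `local_domains` list name are placeholders; cPanel regenerates its exim.conf, so the rules would have to be inserted through its own configuration mechanism rather than by editing the file directly.

```exim
# Added example: restrict inbound SMTP to authenticated clients and the MX relay.
# The check belongs at RCPT time, not at connect time, because SMTP AUTH has
# not happened yet when the connection ACL runs.
acl_smtp_rcpt = acl_check_rcpt_restricted

begin acl

acl_check_rcpt_restricted:
  # Hosted clients sending via SMTP AUTH (smtpauth, not pop-before-smtp).
  # Relay permission for them is still governed by the normal relay rules.
  accept  authenticated = *

  # Mail generated on the box itself (empty host item = not a TCP/IP host).
  accept  hosts = : 127.0.0.1 : ::1

  # The filtering MX server (placeholder address) may deliver inbound mail,
  # but only for domains hosted here, so it cannot be abused as an open relay.
  accept  hosts   = 192.0.2.10
          domains = +local_domains

  # Anyone else connecting straight to the A record is refused.
  # log_message records the attempt so spoofed direct deliveries can be
  # monitored from the main log.
  deny    log_message = direct delivery bypassing MX from $sender_host_address
          message     = Mail for this domain must be delivered via its MX host
```

Test the ACL with `exim -bh 192.0.2.10` and `exim -bh 203.0.113.5` (a constructed outsider address) before going live; `-bh` runs the full ACL against a fake connection without accepting mail.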